或者查看哪个用户导致安全通知发生/etc/spwd.db
更改?
我正在阅读本指南,它允许我为应用程序创建自定义 SELinux 策略并限制对内核系统文件的无限制访问。
在步骤 9 中,我需要向类型强制文件 (mydaemon.te) 添加规则,并通过运行mydaemon.sh脚本重建并重新安装策略。不幸的是,我在标记“;”处遇到了错误“未知类型var_log_t” 如下所示。
[ec2-user@ip-172-31-6-46 ~]$ sudo ./mydaemon.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile mydaemon.pp
Compiling targeted mydaemon module
mydaemon.te:26:ERROR 'unknown type var_log_t' at token ';' on line 4010:
allow mydaemon_t var_log_t:file { open write getattr };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/mydaemon.mod] Error 1
+ exit
我尝试使用另一种类型,例如var_t,但这也不起作用。
我跑:
gpg --list-keys
我得到:
pub rsa1024 2014-01-26 [C]
<REMOVED>
uid [ unknown] Totally Legit Signing Key <[email protected]>
这会危险吗?这是什么?地址[电子邮件受保护]令人困惑。
我喜欢nano
并且经常使用它。一个相关的应用程序是rnano
.
从rnano
手册中:
DESCRIPTION
rnano runs the nano editor in restricted mode. This allows editing
only the specified file or files, and doesn't allow the user access to
the filesystem nor to a command shell.
In restricted mode, nano will:
• not allow suspending;
• not allow saving the current buffer under a different name;
• not allow inserting another file or opening a new buffer;
• not allow appending or prepending to any file;
• not make backup files nor do spell checking.
我应该什么时候使用rnano
?
我正在 Kali linux 主机中使用 KVM Qemu,并尝试练习 ARP 欺骗。在 Kali Linux(连接到有线以太网)中,我设置了以下配置(来自我遵循的教程),以将/etc/network/interfaces
我的 KVM 虚拟机配置为使用桥接网络模式。
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 192.168.10.12
broadcast 192.168.10.255
netmask 255.255.255.0
gateway 192.168.10.1
bridge_ports eth0
bridge_stp off
bridge_waitport 0
bridge fd 0
ip a
为了提供更多信息,以下是在我的主机上运行的结果:
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
link/ether 10:7b:44:35:45:29 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 56:1b:f4:e4:1e:67 brd ff:ff:ff:ff:ff:ff permaddr 34:f6:4b:ff:c2:01
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 10:7b:44:35:45:29 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.12/24 brd 192.168.10.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::127b:44ff:fe35:4529/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:07:00:25 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:d6:07:c1 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fed6:7c1/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
7: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:f4:dd:55 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fef4:dd55/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
现在,在创建 KVM 虚拟机时,我将其设置为使用桥接网络模式,如以下屏幕截图所示。
192.168.10.301
然后在虚拟机内部,我通过在文件中执行以下配置为其提供静态 IP /etc/network/interfaces
:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
#The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet static
address 192.168.10.30
netmask 255.255.255.0
gateway 192.168.10.1
主机和虚拟机都能互相ping通。但是,当我尝试arpspoof
通过sudo arpspoof -i eth0 -t 192.168.10.30 192.168.10.1
在主机上执行来运行时,我得到了arpspoof: couldn't arp for host 192.168.10.30
. 问题是为什么以及我该如何解决它?
我尝试过的:
当然,我在发帖之前尝试搜索它,我发现了大量的结果,包括这个论坛上的结果,但它们是针对 VMWare 或 Virtual Box 的,OP 要么尝试跨不同的子网,要么不会采用桥接模式网络等。我负责所有这些事情。
今天我收到了来自阿里云的警报,libprocesshider.so
安装在我的堡垒服务器上。他们告诉我这是一个后门 Rootkit。
我研究了一下,发现libprocesshider.so
通常用于隐藏后门进程并且将模块添加到 是一种常见的做法/etc/ld.so.preload
,并且它确实被添加到我的服务器上。
问题:
我可以跟踪使用 libprocesshider 模块运行的所有隐藏进程吗?
我如何跟踪它对我的服务器造成的损害?我查看了
journalctl
,/var/log/secure
和history
, 但找不到任何攻击痕迹。安装的会话
libprocesshider.so
仍然存在。我认为会话是从合法的远程用户那里劫持/窃取的。由于此人当前未连接到堡垒服务器。我应该尽快终止会话,还是可以从中追踪一些信息?是否有可能
libprocesshider.so
由非恶意软件应用程序自动安装?
如果您需要更多信息,请随时询问。
我试图在我的 Ubuntu 22.04 服务器上使用 OWASP 规则和 ModSecurity 来保护我的 Apache2 安装,但是当我安装 v3.3.4 规则并激活 modsecurity 时,Apache2 不会启动。
安装的软件包:
apache2 2.4.52-1ubuntu4.3
apache2-bin 2.4.52-1ubuntu4.3
apache2-data 2.4.52-1ubuntu4.3
apache2-dev 2.4.52-1ubuntu4.3
apache2-utils 2.4.52-1ubuntu4.3
apachetop 0.19.7-3
libapache2-mod-perl2 2.0.12-1build1
libapache2-mod-php 2:8.2+93+ubuntu22.04.1+deb.sury.org+2
libapache2-mod-php8.1 8.1.16+repack-1+ubuntu22.04.1+deb.sury.org+1
libapache2-mod-php8.2 8.2.3-1+ubuntu22.04.1+deb.sury.org+1
libapache2-mod-security2 2.9.5-1
libapache2-mod-wsgi 4.6.8-1ubuntu3.1
libapache2-reload-perl 0.13-3
python3-certbot-apache 1.21.0-1
libpcre16-3:amd64 2:8.39-13ubuntu0.22.04.1
libpcre2-16-0:amd64 10.40-1+ubuntu22.04.1+deb.sury.org+1
libpcre2-8-0:amd64 10.40-1+ubuntu22.04.1+deb.sury.org+1
libpcre3:amd64 2:8.39-13ubuntu0.22.04.1
libpcre3-dev:amd64 2:8.39-13ubuntu0.22.04.1
libpcre32-3:amd64 2:8.39-13ubuntu0.22.04.1
libpcrecpp0v5:amd64 2:8.39-13ubuntu0.22.04.1
安装的规则:
https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
我在 apache 错误日志中得到了这个:
systemd[1]: Starting The Apache HTTP Server...
apachectl[632035]: AH00526: Syntax error on line 43 of /etc/modsecurity/rules/REQUEST-922-MULTIPART-ATTACK.conf:
apachectl[632035]: Error creating rule: Unknown variable: &MULTIPART_PART_HEADERS
apachectl[632032]: Action 'start' failed.
apachectl[632032]: The Apache error log may have more information.
systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
systemd[1]: apache2.service: Failed with result 'exit-code'.
Feb 17 14:33:40 belleville systemd[1]: Failed to start The Apache HTTP Server.
这是有问题的文件和行:
1 # ------------------------------------------------------------------------
2 # OWASP ModSecurity Core Rule Set ver.3.3.4
3 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
4 # Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
5 #
6 # The OWASP ModSecurity Core Rule Set is distributed under
7 # Apache Software License (ASL) version 2
8 # Please see the enclosed LICENSE file for full details.
9 # ------------------------------------------------------------------------
10
11 #
12 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
13 #
14
15 # This file is to address the 3UWMWA6W vulnerability.
16 # It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
17 # of the security fixes in these versions) or a compatible engine supporting these changes.
18 #
19 # If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
20 # In that case, you can temporarily delete this file. However, you will be missing
21 # protection from these rules. Therefore, we recommend upgrading your engine instead.
22
23 # The rules in this file will be part of the 920 / 921 in the future.
24
25 # Only allow specific charsets when using "_charset_"
26 # Note: this is in phase:2 because these are headers that come in the body
27 SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
28 "id:922100,\
29 phase:2,\
30 block,\
31 t:none,\
32 msg:'Multipart content type global _charset_ definition is not allowed by policy',\
33 logdata:'Matched Data: %{ARGS._charset_}',\
34 tag:'application-multi',\
35 tag:'language-multi',\
36 tag:'platform-multi',\
37 tag:'attack-multipart-header',\
38 tag:'OWASP_CRS',\
39 tag:'capec/1000/255/153',\
40 tag:'paranoia-level/1',\
41 ver:'OWASP_CRS/3.3.4',\
42 severity:'CRITICAL',\
43 chain"
44 SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
45 "t:lowercase,\
46 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
47
但我的问题是:系统如何知道这一点?我已经做好了
sudo chmod o-r /var/run/utmp
sudo chmod o-r /var/log/wtmp
我验证了我的用户无法运行w
或who
不再运行:命令输出为空,因为 utmp 和 wtmp 中的读取权限被拒绝。
那么系统如何知道这一点呢?信息泄露在哪里?
我目前正在使用 XINU 学习操作系统课程,我可以控制操作系统上运行的每个进程,因此,我可以完全预测其随机数生成器的输出。这是代码。
我很清楚,即使是这种简单的方法,在桌面操作系统上使用时,也能够创建真正的随机数,因为有很多进程根据用户、位置或时间的不同而表现不同。但是,在启动时,在有任何用户输入之前呢?
Linux 的加密随机数生成器要复杂得多,但它似乎仍然依赖于用户输入。OpenSSH 在许多 Linux 系统中在启动时运行。我敢肯定有很多公司运行的配置非常接近库存,如果您可以模拟相同的硬件、软件,并设置与您正在攻击的服务器相同的时间和位置,您就不能利用它吗?
在许多托管服务上也有预制部署,开发人员可以在其中上传他们的代码(dockerfile、ruby on rails 项目等),服务器会设置它。这些服务器具有预制软件、已知硬件、位置和时间。我假设他们在现实世界中具有硬件随机性,但如果他们没有呢?