host1:root:/etc/opt/ipf>ipfstat -io
IPFilter is enabled but not filtering, module is not present in stack
host1:root:/etc/opt/ipf>ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.31.18.10) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.18.10)
Enabled: yes
Filtering: no <==== disabled
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
host1:root:/etc/opt/ipf>ipfilter -e
No pools to flush
Set 0 now inactive
Set 0 now inactive
0 entries flushed from NAT table
0 entries flushed from NAT list
IPFilter Enabled
Verify HP-UX IPFilter is running:
ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.31.18.00) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.18.00)
Enabled: yes
Filtering: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
HP-UX differs from Linux: HP-UX does not use IPTABLES as its firewall package, but we can use ipfilter to restrict connections. The following article was tested and works on HP-UX B.11.31!
1. Check that IPF_START=1 is set in /etc/rc.config.d/ipfconf.
2. Load the kernel module
# /sbin/init.d/ipfboot start
3. Write the rules
# vi /etc/opt/ipf/ipf.conf
4. Block TCP ports 2381 and 2301
block in quick proto tcp from any to 10.184.17.37 port = 2301
5. Reload the configuration file
#ipf -Fa -f /etc/opt/ipf/ipf.conf
6. Check that the rules were loaded
hostname:root:/> ipfstat -io
block out quick on lo0 from any to any
block in quick proto udp from any to 10.184.17.37/32 port = 177
block in quick proto tcp from any to 10.184.17.37/32 port = 2381
block in quick proto tcp from any to 10.184.17.37/32 port = 2301
7. Done
This is a quick introduction to Ipfilter on HP-UX:
First we have to start the daemons and load the DLKM module. In the file /etc/rc.config.d/ipfconf we set IPF_START to 1:
IPF_START=1
Then we load the kernel module
# /sbin/init.d/ipfboot start
Set 0 now inactive
Set 0 now inactive
0 entries flushed from NAT table
0 entries flushed from NAT list
We can check that the kernel module is loaded:
# kcmodule| grep ipf
ipf loaded explicit auto-loadable, unloadable
Then we check that ipf is working:
# ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.23.15.01) (376)
Kernel: HP IP Filter: v3.5alpha5 (A.11.23.15.01)
Running: yes <---- ok
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Now we can write the firewall rules to our config file:
# vi /etc/opt/ipf/ipf.conf
We are going to use a very easy example, where we block any incoming connections from the server 0189 to our HP-UX box:
block in quick on lan0 from 0189 to any
pass in from any to any
Using the quick keyword means that a packet matching the rule is handled immediately, without being evaluated against any further rules.
We load the new config:
#ipf -Fa -f /etc/opt/ipf/ipf.conf
Check if our rules are active:
# ipfstat -io
empty list for ipfilter(out)
block in quick on lan0 from 1.7.2.3/23 to any
pass in from any to any
Now I can't ssh, ping, etc. to HPUX_BOX from my desktop PC:
P:\>ping HPUX_BOX
Haciendo ping a HPUX_BOX [1.7.2.23] con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Estadísticas de ping para 1.7.2.23 :
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),
We can check out the stats and see how the blocked counter increases:
[root@vmfcont:~]# ipfstat | grep -i blocked
input packets: blocked 7 passed 13677 nomatch 1 counted 0 short 0
output packets: blocked 0 passed 570 nomatch 268 counted 0 short 0
If we want to flush the rules and remove them from the active ipf set:
# ipf -Fa
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)
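Step 6 of the procedure above ("check that the rules were loaded") and the blocked-counter check in this section can both be automated against captured command output. The following Python is an added example, not code from the original post: it parses the text that `ipf -V`, `ipfstat -io` and `ipfstat` print, in the formats shown on this page, confirms that the module is actually filtering (the "Enabled: yes / Filtering: no" state at the top of the page is the trap), verifies that an inbound TCP block rule exists for every expected port, and measures how far the blocked counter moved between two captures. All sample outputs are constructed from this page's listings; treating the "Running:" line of 11.23 as equivalent to "Filtering:" on 11.31 is an assumption.

```python
"""Check HP-UX IPFilter state from captured command output.

Added example, not code from the original post. Parses the text that
`ipf -V`, `ipfstat -io` and `ipfstat` print (formats as shown on this page).
"""
import re

# Constructed sample of `ipf -V` in the "enabled but not filtering" state
# shown at the top of the page.
IPF_V_DISABLED = """\
ipf: HP IP Filter: v3.5alpha5 (A.11.31.18.10) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.18.10)
Enabled: yes
Filtering: no
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
"""
IPF_V_ENABLED = IPF_V_DISABLED.replace("Filtering: no", "Filtering: yes")

# Constructed sample of `ipfstat -io` after step 6 of the procedure.
IPFSTAT_IO = """\
block out quick on lo0 from any to any
block in quick proto udp from any to 10.184.17.37/32 port = 177
block in quick proto tcp from any to 10.184.17.37/32 port = 2381
block in quick proto tcp from any to 10.184.17.37/32 port = 2301
"""

# Constructed `ipfstat` counter lines before and after the blocked test traffic.
IPFSTAT_BEFORE = "input packets: blocked 3 passed 13600 nomatch 1 counted 0 short 0\n"
IPFSTAT_AFTER = "input packets: blocked 7 passed 13677 nomatch 1 counted 0 short 0\n"

# One `ipfstat -io` rule line: action, direction, optional quick/on/proto,
# from/to, optional "port = N".
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)"
    r"(?:\s+quick)?(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
)


def ipf_state(ipf_v_output):
    """Return {'enabled': bool, 'filtering': bool} from `ipf -V` text.
    Assumption: the 'Running:' line of older releases (11.23) carries the
    same meaning as 'Filtering:' on 11.31."""
    state = {}
    for line in ipf_v_output.splitlines():
        m = re.match(r"(Enabled|Filtering|Running):\s*(yes|no)", line)
        if m:
            key = "enabled" if m.group(1) == "Enabled" else "filtering"
            state[key] = m.group(2) == "yes"
    return state


def is_filtering(ipf_v_output):
    """True only when the module is both enabled and actually filtering."""
    s = ipf_state(ipf_v_output)
    return s.get("enabled", False) and s.get("filtering", False)


def parse_rules(ipfstat_io_output):
    """Parse `ipfstat -io` rule lines into dicts; lines such as
    'empty list for ipfilter(out)' do not match and are skipped."""
    rules = []
    for line in ipfstat_io_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["quick"] = " quick " in f" {line.strip()} "
            rules.append(rule)
    return rules


def missing_blocks(rules, dst_ip, tcp_ports):
    """TCP ports from tcp_ports that have no active inbound block rule for dst_ip."""
    blocked = {
        int(r["port"]) for r in rules
        if r["action"] == "block" and r["dir"] == "in" and r["proto"] == "tcp"
        and r["port"] and r["dst"].split("/")[0] == dst_ip
    }
    return sorted(set(tcp_ports) - blocked)


def blocked_delta(before, after):
    """Growth of the 'input packets: blocked N' counter between two captures."""
    def count(text):
        m = re.search(r"input packets: blocked (\d+)", text)
        return int(m.group(1)) if m else 0
    return count(after) - count(before)


if __name__ == "__main__":
    print("filtering:", is_filtering(IPF_V_DISABLED), "->", is_filtering(IPF_V_ENABLED))
    rules = parse_rules(IPFSTAT_IO)
    print("missing block rules:", missing_blocks(rules, "10.184.17.37", [2301, 2381, 22]))
    print("blocked counter grew by:", blocked_delta(IPFSTAT_BEFORE, IPFSTAT_AFTER))
```

On a real host the three constants would be replaced by the output of the corresponding commands; `missing_blocks` returning anything other than an empty list after `ipf -Fa -f /etc/opt/ipf/ipf.conf` means a rule did not load, and a `blocked_delta` of zero after sending test traffic means the rule is not matching it.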
The five SSL/TLS protocols:
SSLv2 insecure
SSLv3 insecure
TLSv1.0 insecure (reference)
TLSv1.1 secure
TLSv1.2 secure
Check which protocols a web server supports
$ nmap --script ssl-enum-ciphers -p 443 www.xxx.com
Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-04 18:37 CST
Nmap scan report for www.xxx.com (35.194.x.x)
Host is up (0.00076s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Apache httpd configuration
httpd-ssl.conf
SSLProtocol all -SSLv2 -SSLv3
Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
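As an added example (not from the original post), the following Python evaluates protocol support the way the text above does by hand: it parses the protocol headings of `nmap --script ssl-enum-ciphers` output, computes the enabled set from an Apache `SSLProtocol` line (`all` minus the excluded names, left to right) or an Nginx `ssl_protocols` line, and reports any enabled protocol that the table above classifies as insecure. The nmap sample is an abbreviated copy constructed from the scan shown above; modelling Apache's `all` keyword as exactly the five protocols in the table is an assumption, since the real set depends on the httpd version.

```python
"""Evaluate SSL/TLS protocol support against the classification above.

Added example, not code from the original post. It parses the protocol
headings of `nmap --script ssl-enum-ciphers` output, computes the enabled
set from Apache `SSLProtocol` / Nginx `ssl_protocols` directives, and flags
the protocols the page lists as insecure.
"""
import re

# Classification taken from the table above.
INSECURE = {"SSLv2", "SSLv3", "TLSv1.0"}
# The five protocols the page lists. Assumption: Apache's `all` keyword
# expands to exactly this set (the real set depends on the httpd version).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}
# Apache and Nginx spell TLS 1.0 as "TLSv1"; normalise to the page's names.
NAME_MAP = {"TLSv1": "TLSv1.0"}

# Constructed, abbreviated copy of the nmap scan shown above.
NMAP_SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""

# A protocol heading line, e.g. "|   TLSv1.0:" or "|   SSLv3: No supported ciphers found".
PROTO_HEADING = re.compile(r"^\|\s+(SSLv2|SSLv3|TLSv1\.[0-3]):\s*(.*)$")


def nmap_protocols(output):
    """Protocols nmap reports as offered (heading present and ciphers found)."""
    enabled = set()
    for line in output.splitlines():
        m = PROTO_HEADING.match(line)
        if m and "No supported ciphers" not in m.group(2):
            enabled.add(m.group(1))
    return enabled


def apache_protocols(directive):
    """Enabled set for an `SSLProtocol` line: tokens are processed left to
    right, `all` adds every protocol, `-X` removes X, `+X` or `X` adds X."""
    tokens = directive.split()
    if tokens and tokens[0] == "SSLProtocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {NAME_MAP.get(name, name)}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def nginx_protocols(directive):
    """Enabled set for an `ssl_protocols` line (a plain list, no add/remove arithmetic)."""
    tokens = directive.strip().rstrip(";").split()
    if tokens and tokens[0] == "ssl_protocols":
        tokens = tokens[1:]
    return {NAME_MAP.get(t, t) for t in tokens}


def insecure_enabled(protocols):
    """Sorted list of enabled protocols the page classifies as insecure."""
    return sorted(protocols & INSECURE)


if __name__ == "__main__":
    for label, protos in [
        ("nmap scan", nmap_protocols(NMAP_SAMPLE)),
        ("Apache", apache_protocols("SSLProtocol all -SSLv2 -SSLv3")),
        ("Nginx", nginx_protocols("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;")),
    ]:
        print(f"{label}: enabled={sorted(protos)} insecure={insecure_enabled(protos)}")
```

Run against the two directives shown above, the function flags TLSv1.0 in both cases, which matches the scan output: the server still offers TLSv1.0 even though the table classifies it as insecure. Excluding it as well (`SSLProtocol all -SSLv2 -SSLv3 -TLSv1`, or `ssl_protocols TLSv1.1 TLSv1.2;`) brings the configuration in line with the table.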
Online checks of a website's SSL setup
Gives a grade from A+ / A down to F with a detailed test report; a must after configuring SSL
www.ssllabs.com
Test SSL Protocol Support ( foundeo.com )
Checks a website's support for SSLv2, SSLv3 and each TLS version
SSL certificate tools ( www.sslbuyer.com )
How to fix SSL-related vulnerabilities on a website! ( www.sslbuyer.com )
For more info:
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02779574&docLocale=zh_CN