2018/5/3

HP-UX使用ipfilter來限定連線


hpux與linux不同,hpux 並未使用 IPTABLES 作為防火牆套件,不過我們可以使用ipfilter來限定連線。以下文章測試在HP-UX B.11.31可以運作!


1. 檢查 /etc/rc.config.d/ipfconf 中 IPF_START=1 是否有設定。

2. 啟動kernal module
# /sbin/init.d/ipfboot start

3. 編寫規則
# vi /etc/opt/ipf/ipf.conf
4. 把2381 2301 TCP都關掉

block in quick proto tcp from any to 10.184.17.37 port = 2381

block in quick proto tcp from any to 10.184.17.37 port = 2301

5. 重讀設定黨
#ipf -Fa -f /etc/opt/ipf/ipf.conf

6. 檢查是否吃進去
hostname:root:/> ipfstat -io
block out quick on lo0 from any to any
block in quick proto udp from any to 10.184.17.37/32 port = 177
block in quick proto tcp from any to 10.184.17.37/32 port = 2381
block in quick proto tcp from any to 10.184.17.37/32 port = 2301

7. 打包收工





This is a quick introduction to Ipfilter on HP-UX:
First we have to start the daemons and load the DLKM module
in the file /etc/rc.config.d/ipfconf
we set the IPF_START to 1
IPF_START=1
Then we load the kernel module
# /sbin/init.d/ipfboot start
Set 0 now inactive
Set 0 now inactive
0 entries flushed from NAT table
0 entries flushed from NAT list
we can check the kernel module is loaded:
# kcmodule| grep ipf
ipf loaded explicit auto-loadable, unloadable
then we check ipf is working ok:
# ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.23.15.01) (376)
Kernel: HP IP Filter: v3.5alpha5 (A.11.23.15.01)
Running: yes <---- br="" ok="" style="box-sizing: border-box;">Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
know we can write the firewall rules to our config file:
# vi /etc/opt/ipf/ipf.conf
we are going to use a very easy example, we we block any incoming conections from the server 0189 to our HP-UX box
block in quick on lan0 from 0189 to any
pass in from any to any
using the quick keyword makes the package that matches that rule will be applied inmediatly, no going trough anymore rules.
We load the new config:
#ipf -Fa -f /etc/opt/ipf/ipf.conf
Check if our rules are active:
# ipfstat -io
empty list for ipfilter(out)
block in quick on lan0 from 1.7.2.3/23 to any
pass in from any to any
Now i can't ssh,ping,etc the HPUX_BOX from my pc desktop:
P:\>ping HPUX_BOX
Haciendo ping a HPUX_BOX [1.7.2.23] con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Estadísticas de ping para 1.7.2.23 :
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),
We can check out the stats and see how the blocked counter increases:
[root@vmfcont:~]# ipfstat | grep -i blocked
input packets: blocked 7 passed 13677 nomatch 1 counted 0 short 0
output packets: blocked 0 passed 570 nomatch 268 counted 0 short 0
If we wan't to flush the rules and delete them from the active ipf:
# ipf -Fa
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)



SSL/TLS  五個協定(protocol):

SSLv2 不安全
SSLv3 不安全
TLSv1.0 不安全  參考
TLSv1.1 安全
TLSv1.2 安全



檢測 web server 支援哪些協定 protocol

$ nmap --script ssl-enum-ciphers -p 443  www.xxx.com

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-04 18:37 CST
Nmap scan report for www.xxx.com (35.194.x.x)
Host is up (0.00076s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds




Apache httpd 設定


httpd-ssl.conf
SSLProtocol all -SSLv2 -SSLv3




Nginx

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;




線上檢測網站的 SSL 功能

會給 A+ / A  ~~ F 的分數,有詳細的檢測報告,SSL 設定完 必測試
www.ssllabs.com



Test SSL Protocol Support ( foundeo.com )
檢測網站的SSLv2 and SSLv3 / TLS 各版本的支援狀況


憑證SSL小工具 ( www.sslbuyer.com )


如何修補網站上SSL的相關漏洞! ( www.sslbuyer.com )
For more info:

https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW404

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02779574&docLocale=zh_CN

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02779574&docLocale=zh_CN

沒有留言:

張貼留言

如果您喜歡我的文章風格,歡迎加入FB粉絲專頁 [ kira3c產品評測團] !