
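How to Build a Secure ProFTPD Deployment: Lessons from Practice

Published: 2005-12-27 20:40:43  Source: Honglian  Author: CMK
ProFTPD was developed to address the weaknesses of Wu-FTP. Besides improved security, it has many features that Wu-FTP lacks, such as the ability to run in either stand-alone or xinetd mode. ProFTP has become the most popular FTP server software after Wu-FTP, and more and more sites choose it to build secure, efficient FTP services. ProFTP is easy to configure, and optional MySQL and Quota modules are available; combined, they allow accounts to be managed outside the system account database and per-user disk usage to be limited.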

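I. Security risks facing the ProFTPD service

The main security risks facing the ProFTPD service are buffer overflow attacks, data sniffing, and anonymous access flaws.

1. Buffer overflow attacks

Buffer overflows have long been a problem for computer systems. The best-known attack that exploited a buffer overflow vulnerability is the Morris worm of November 1988. Although the danger is common knowledge, buffer overflows remain an important means of intrusion today.

The concept of a buffer overflow: it is like putting one hundred kilograms of goods into a container that can hold only ten. Buffer overflow vulnerabilities have troubled security experts for more than 30 years. Put simply, a buffer overflow is a memory error in software that results from the way the program was written. Such a memory error lets an attacker run malicious code that disrupts the normal operation of the system or even takes control of the entire system.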

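2. Data sniffing

FTP is a traditional network service and is inherently insecure, because it sends passwords and data over the network in cleartext, where anyone with bad intentions can easily intercept them. The authentication scheme of such services is also weak: it is easily subjected to "man-in-the-middle" attacks.

In a "man-in-the-middle" attack, the "man in the middle" impersonates the real server to receive the data you send to the server, then impersonates you to pass the data on to the real server. Once the data exchanged between you and the server has passed through the "man in the middle" and been tampered with, serious problems follow. The main way of obtaining these passwords is brute-force cracking. In addition, a sniffer program that monitors network packets and captures the start of an FTP session can intercept the root password along the way.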

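3. Anonymous access flaws

Anonymous access is widely supported by FTP services, but because anonymous FTP requires no real authentication, it easily gives an intruder a way in. Combined with a buffer overflow attack, the consequences can be very serious.

4. Denial-of-service attacks

Denial of service is an attack that requires little technical skill but has a pronounced effect. Under such an attack, servers or network devices are unable to provide normal service for a long time, and because of flaws inherent in some network protocols it is hard to come up with a single effective remedy. Defending against denial of service requires deploying a defensive strategy across the whole environment, with multiple measures working together, to reduce the damage to a minimum.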

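II. Hardening the ProFTPD server

1. Upgrade the version

Upgrade outdated ProFTPD versions, because early versions of ProFTPD contain security vulnerabilities. For a newly configured ProFTPD server, using the latest stable version is the wisest choice; the source code can be downloaded from the official website and compiled. The latest ProFTPD version is 1.2.10, and the official website is http://www.ProFTPD.org .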

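2. Run ProFTPD under xinetd

ProFTPD can run in two modes, stand-alone and xinetd. xinetd mode is recommended when there are relatively few user accounts that nonetheless need to connect to the ProFTPD server often. Running ProFTPD under xinetd is an effective defense against DoS attacks.

Under the traditional daemon model, every service the system provides needs its own daemon listening for connections on some port, which usually means wasted resources. To solve this problem, some Linux systems introduced the concept of a "network daemon service program".

Releases from Red Hat Linux 8.0 onward use xinetd (eXtended InterNET daemon) as the network daemon. In contrast to stand-alone mode, xinetd mode is also called the Internet Super-Server.

xinetd can listen on multiple specified ports at once. When it accepts a user request, it starts a different network service process to handle the request depending on which port was requested. xinetd can be thought of as a management server that starts other services: it decides which program a client request should be handed to and then starts the corresponding daemon. Figure 1 shows how xinetd mode works.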
Article comments

1 comment in total

  1. CMK posted on 2005-12-27 20:42:03:

    Figure 1: Network services in xinetd mode


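    Compared with stand-alone mode, the system does not need every network service process to listen on its own service port. A single running xinetd can listen on all service ports at once, which lowers system overhead and conserves system resources. Under heavy traffic with frequent concurrent access, however, xinetd has to start the corresponding network service process again and again, which degrades system performance instead. To see which mode the system uses to provide a given service, run the pstree command on the Linux command line; it shows the network services started in each of the two ways.

    xinetd provides functionality similar to inetd+tcp_wrapper, but it is more powerful and more secure. It can effectively prevent denial-of-service attacks:

    1. Limit the number of processes running at the same time.

    The instances option sets the number of concurrent processes that may run at the same time:

    instances = 20

    When the number of processes serving connection requests reaches 20, xinetd stops accepting the excess connection requests until the number of connections falls below the configured value.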

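    2. Limit the maximum number of connections from one IP address.

    Limiting the maximum number of connections from a single host prevents that host from monopolizing a service.

    per_source = 5

    Here each source IP address is allowed 5 connections.

    3. Limit the load.

    xinetd can also defend against denial-of-service attacks by limiting load. A floating-point number serves as the load threshold; when the load reaches this number, the service stops handling further connections for the time being: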



    max_load = 2.8




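    In the example above, when the system load reaches 2.8, all services are temporarily suspended until the system load falls below the configured value. Note: to use this option, xinetd must be compiled with --with-loadavg; only then does xinetd process the max_load configuration option. It then shuts down certain service processes when the system is overloaded, which guards against certain denial-of-service attacks.

    4. Limit the number of servers started (connection rate). xinetd can set the connection rate with the cps option, as in the following example: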



    cps = 25 60




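    The first parameter is the number of connections that can be handled per second; connections that arrive once this number is exceeded are temporarily not processed. The second parameter is the number of seconds to wait before resuming the connections that were put on hold. That is, the server starts at most 25 connections; when that number is reached, it stops starting new services for 60 seconds and accepts no requests during that time.

    Steps for running ProFTPD under xinetd:

    (1) Check how ProFTPD runs by default

    By default ProFTPD runs in stand-alone mode. Use the command "ps aux | grep proftpd" to find the process ID, then stop the process with the kill command.

    (2) Edit the configuration file

    In /etc/proftpd.conf, change the ServerType option from "standalone" to "inetd".

    (3) Create the user group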

    groupadd nogroup

    (4) Create the configuration file /etc/xinetd.d/proftpd with the following contents:

    service ftp
    {
        flags          = REUSE
        socket_type    = stream
        instances      = 30
        cps            = 25 60
        max_load       = 3.0
        wait           = no
        user           = root
        server         = /usr/local/sbin/proftpd
        log_on_success = HOST PID
        log_on_failure = HOST RECORD
        disable        = no
    }

    (5) Reload the xinetd configuration

    killall -USR1 xinetd

    (6) Connect to the server from the command line

    You can connect to the local server with "ftp localhost". If the connection is refused, use the command:

    tail -f /var/log/messages

    to view the error messages.
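As an added example (not part of the original article or its comment), the script below parses an xinetd service entry and reports which of the four DoS limits discussed above (instances, per_source, cps, max_load) are absent or unbounded. The function names are hypothetical, the sample is the service entry from step (4), and the check assumes the limits are not supplied by a defaults section elsewhere in the xinetd configuration.

```python
import re

# The four DoS-limiting attributes the article describes.
LIMITS = ("instances", "per_source", "cps", "max_load")

# Constructed sample: the /etc/xinetd.d/proftpd entry from step (4).
SAMPLE = """
service ftp
{
    flags          = REUSE
    socket_type    = stream
    instances      = 30
    cps            = 25 60
    max_load       = 3.0
    wait           = no
    user           = root
    server         = /usr/local/sbin/proftpd
    log_on_success = HOST PID
    log_on_failure = HOST RECORD
    disable        = no
}
"""

def parse_services(text):
    """Return {service_name: {attribute: value}} for each service block."""
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            # Accept '=', '+=' and '-='; comment lines do not match.
            m = re.match(r"\s*(\w+)\s*[+-]?=\s*(.*?)\s*$", line)
            if m:
                attrs[m.group(1)] = m.group(2)
        services[name] = attrs
    return services

def audit(text):
    """Return {service_name: [findings]} for every enabled service."""
    report = {}
    for name, attrs in parse_services(text).items():
        if attrs.get("disable") == "yes":
            continue  # a disabled service is never started by xinetd
        findings = [f"{a} not set" for a in LIMITS if a not in attrs]
        findings += [f"{a} is UNLIMITED" for a in ("instances", "per_source")
                     if attrs.get(a, "").upper() == "UNLIMITED"]
        if "cps" in attrs and len(attrs["cps"].split()) != 2:
            findings.append("cps needs two values: rate and wait seconds")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the article's own entry, the audit reports that per_source is the one limit the file does not set.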