校园网安全管理与CCERT应急响应

柠檬沙冰
0 ℃
2019-10-01

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

URL:@cernet.edu.cnTel:010-62784301CCERTCCERT•2003••CCERT•CERNET211•(SQLServer)03/08DvlDr3203/19CodeRed@F06/10BBSDDOS06/12Bugbear()07/0608/12Blaster()08/19Nachi08/16SoBig@F09/10Worm_Swen.A:28,424()API5.redhat6.sunsolairstelnet7.IE8.IIS9.Linux10.Sendmail11.Oracle12.Sendmail13.MicrosoftIIS5.014.SunSolaris/bin/login…L…L•2003••CCERT•CERNET211••–––––––•––––––•Policy–//–AUP/•––//–//–•–––––•ISO17799•1.2./3.4.5.6.1.2.•1.2.3.4.5.6.•––PKI•–•IP–—IP—MAC/–•Web–•PPPoE•802.1X•••••TCP•––ACL–()a.b.c.diproutea.b.c.dnull0….•iBGP+BackboneiBGP••••/•Misuse–snort–•Anomaly–tcpdstat/NAISnifferpro–•topNhosts/talkers•••–Snort(Unix,Windows)CERNETRouterSwitch/splittersnortmirror•–tcpdump(Unix)–Ethereal(Unix,Windows)–SnifferPro(Windows)•–nmap(Unix)–SuperScan(Windows)•–Nessus(Linux)–X-Scan(Windows)•–netstat-an–fport(Windows)–lsof(Unix)•–google•Perl•CiscoIOSCiscoIOSNetFlowNetFlow•NetFlowiproute-cacheflow•tcp135(0x87)••Routershowipcacheflow|include0087SrcIfSrcIPaddressDstIfDstIPaddressPrSrcPDstPPktsFa2/0XX.XX.XX.242Fa1/0XX.XX.XX.119060B8800871Fa2/0XX.XX.XX.242Fa1/0XX.XX.XX.169060BF800871Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.63060E8000871Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.111060CB000871Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.95060CA000871Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.79060C9000871•CiscoCatOSwithSup2MLS•NetFlowfullflow•Router(enable)setmlsflowfull•••Routershowmlsstatisticsentryipdst-port135DestinationIPSourceIPProtDstPrtSrcPrtStat-PktsStat-Bytes--------------------------------------------------------------------XX.XX.XX.28XX.XX.XX.10TCP135232900XX.XX.XX.58XX.XX.XX.28TCP135234200XX.XX.XX.141XX.XX.XX.223TCP135233300XX.XX.XX.189XX.XX.XX.1TCP135234700XX.XX.XX.12XX.XX.XX.19TCP135232800XX.XX.XX.245XX.XX.XX.137TCP135234300XX.XX.XX.29XX.XX.XX.22TCP135231800|include00000800SrcIfSrcIPaddressDstIfDstIPaddressPrSrcPDstPPktsFa2/0XX.XX.XX.242Fa1/0XX.XX.XX.11901000008001Fa2/0XX.XX.XX.242Fa1/0XX.XX.XX.16901000008001Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.6301000008001Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.11101000008001Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.9501000008001Fa2/0XX.XX.XX.204Fa1/0XX.XX.XX.7901000008001•2003••CCERT•CERNET211•••–•/––CERNET–•–•••••••802.1X•PKI••Email:report@ccert.edu.cn•Telephone:010-62784301•–advisory@ccert.edu.cn————————————————••Nichi–200337CERNETTCP/445TCP/6667IP255–3812:30–CCERT88.11%82.44%OTHERS1.18%1.69%ICMP1.14%0.91%UDP9.57%14.96%TCP[root@snifferdump]#tcpdump-n-c10-ieth2tcpdump:listeningoneth210:55:07.710733a.a.38.3562.145.94.235:ip-proto-2556010:55:07.710740b.b.93.24213.134.37.11:ip-proto-25560......10:55:07.710877b.b.93.24213.134.37.11:ip-proto-2556010:55:07.710880a.a.38.3562.145.94.235:ip-proto-2556010:55:07.710927a.a.38.3562.145.94.235:ip-proto-25560[root@scaninprotect]#nmap-sS-Oa.a.38.35Startingnmap3.27()at2003-07-0410:24CSTInterestingportsona.a.28.35:(The1613portsscannedbutnotshownbelowareinstate:closed)PortStateService21/tcpopenftp135/tcpopenloc-srv139/tcpopennetbios-ssn445/tcpopenmicrosoft-ds1433/tcpfilteredms-sql-s1434/tcpfilteredms-sql-m1483/tcpfilteredafs1998/tcpopenx25-svc-port5800/tcpopenvnc-http5900/tcpopenvncRemoteoperatingsystemguess:WindowsMillenniumEdition(Me),Win2000,orWinXPNmapruncompleted--1IPaddress(1hostup)scannedin4.728seconds•X-Scan…………TCP0.0.0.0:58000.0.0.0:0LISTENINGTCP0.0.0.0:59000.0.0.0:0LISTENINGTCP127.0.0.1:439580.0.0.0:0LISTENINGTCP202.112.100.20:1390.0.0.0:0LISTENINGTCP202.112.100.20:1667155.186.170.0:445SYN_SENTTCP202.112.100.20:1673155.186.170.6:445SYN_SENT......TCP202.112.100.20:167463.226.170.0:445SYN_SENTTCP202.112.100.20:168063.226.170.3:445SYN_SENT……TCP202.112.100.20:218163.226.170.255:445SYN_SENTTCP202.112.100.20:273861.182.210.26:83ESTABLISHEDTCP202.112.100.20:4899166.111.232.177:3332ESTABLISHEDTCP202.112.100.20:4948166.111.232.177:139TIME_WAITTCPx.x.x.x:4505210.159.30.250:6667CLOSE_WAIT….TCPx.x.x.x:4811198.65.147.245:6667CLOSE_WAITTCPx.x.x.x:4887149.156.9