Commonly used network management tools: the Taoyuan regional network center as an example
National Central University, Computer Center, Susna Yang (楊素秋)
Email: [...]

(In this copy of the slides the IP addresses, e-mail addresses, URLs and version numbers have been stripped; they are shown as [...] below.)

Outline
1. Motivation
2. Automatic mail (Sendmail.pm)
3. IP management information lookup (Rwhoisd)
4. Automatic notification of abuse complaints
5. Detection and notification of anomalous traffic in the regional network
6. Conclusion and outlook

1. Motivation

Continuous complaints about network anomalies:
- Copyright infringement (violation of intellectual property rights)
- Spam (advertising / pornographic mail)
- PortScan (scanning for vulnerable ports)
- Virus, mail virus (445/TCP, 139/TCP, 135/TCP, ...)
- DoS attacks (80/TCP, 554/TCP)
- Password cracking (22/TCP, 4899/TCP, 1433/TCP, 3306/TCP)
- Phishing / Fraud

Current state of network security:
- IDS / firewall / anti-virus are gradually becoming widespread, but worm (malicious) code still exists
- Frequent updates still cannot fully protect the end system from virus infection
- Windows vulnerability advisories are still frequent; Microsoft's updates arrive about half a month later
- Virus mail (.doc, .ppt attachments) relies heavily on the firewall and anti-virus to protect the user
- PCs are infected through social engineering: virus mail (Bagle, NetSky, ...) with an attached executable lures the user into clicking and compromises the end system
- Toxic spyware: P2P, IRC, ...

What can be done:
- Security education: educate users
- Anomaly detection (technique):
  - based on service logs: mail log, http log, syslog, ...
  - based on traffic logs: Netflow data (router / switch router), layer 2 packet content (snooped by snort / tcpdump)
- Automatic abuse notification

2. Automatic mail (Sendmail perl module)

Installing Sendmail.pm from the FreeBSD ports tree:

    cd /usr/ports/mail/p5-Mail-Sendmail
    make
    make install

Build and install transcript:

    yang# pwd
    /usr/ports/mail/p5-Mail-Sendmail
    yang# make
    Mail-Sendmail-0.79.tar.gz 100% of 15 kB 21 kBps
    ===> Extracting for p5-Mail-Sendmail-0.79
    ===> Patching for p5-Mail-Sendmail-0.79
    ===> p5-Mail-Sendmail-0.79 depends on file: /usr/local/bin/perl5.8.7 - found
    ===> Configuring for p5-Mail-Sendmail-0.79
    Checking if your kit is complete...
    Read the docs, and have fun.
    ===> Building for p5-Mail-Sendmail-0.79
    cp Sendmail.pm blib/lib/Mail/Sendmail.pm
    Manifying blib/man3/Mail::Sendmail.3
    yang# make install
    ===> Installing for p5-Mail-Sendmail-0.79
    ===> p5-Mail-Sendmail-0.79 depends on file: /usr/local/bin/perl5.8.7 - found
    ===> Generating temporary packing list
    ===> Checking if mail/p5-Mail-Sendmail already installed
    Installing /usr/local/lib/perl5/site_perl/5.8.7/Mail/Sendmail.pm
    Installing /usr/local/lib/perl5/5.8.7/man/man3/Mail::Sendmail.3
    Writing /usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Mail/Sendmail/.packlist
    ===> Compressing manual pages for p5-Mail-Sendmail-0.79
    ===> Registering installation for p5-Mail-Sendmail-0.79
    yang#

Mail::Sendmail automatic mailing script (Perl; quoting and operators restored from the stripped copy):

    #!/usr/bin/perl
    use strict;
    use Mail::Sendmail;
    my $ip_addr   = '[...]';    # host complained about (value stripped in this copy)
    my $email_mgr = '[...]';    # address(es) of the responsible manager (stripped)
    my $boundary  = '=';        # separator line; the full string is lost in this copy
    print $ip_addr, " ", $email_mgr, "\n";
    my %mail = (
        smtp           => 'localhost',
        To             => $email_mgr,
        From           => '[...]',
        subject        => "Detect Spamming from $ip_addr",
        'Content-Type' => 'text/plain; charset=Big5',
    );
    my $body  = $boundary . "\n";
    $body .= "The IP machine over your campus with the address of ";
    $body .= $ip_addr;
    $body .= " machine may be an Open Mail Relay Or Spam sender.\n";
    $body .= $boundary . "\n";
    $body .= "Please help owner of ";
    $body .= "the machine \n";
    $body .= "to check and fix its Open Mail Relay Problem or Patch\n";
    $body .= "Please refer the detail traffic log on [...]\n\n";    # URL stripped
    $body .= "\n";
    $body .= "( user:guest & password: guest )\n";
    $body .= "Many Thanks !\n From : Susna Yang\n\n\n";
    $mail{body} = $body;
    sendmail(%mail) || print "Error sending mail: $Mail::Sendmail::error\n";

3. IP management information lookup: Rwhoisd

Building the IP management information

(a) Sources of IP management information
- Contact web pages: MOE regional network managers ([...]), MOE abuse hosts ([...]), Tyc (Taoyuan) regional network managers ([...]), NCU Snmg club
- IP usage lists of the connected schools
- Dormitory user IP list

Sample records built from these sources:

    Network-Name: 中央大學
    IP-Network: [...]/24
    Admin-Contact: 吳維漢
    Address: 中央大學
    Tel: 65136
    Updated-By: [...]
    Created: 200605121041

    Network-Name: 中央大學
    IP-Network: [...]/24
    Admin-Contact: 陳鎰鋒
    Address: 中央大學
    Tel: 65340
    Updated-By: [...]
    Created: 200605121041

(a third record for 陳鎰鋒 with another /24 follows the same pattern)

Dormitory user IP list (the address list itself is stripped in this copy) and the records derived from it, one per dormitory network:

    Network-Name: 中央宿網
    IP-Network: [...]
    Admin-Contact: [...]
    Address: NCU Dorm User
    Updated-By: [...]
    Created: 200405051149

(b) IP routing table & responsible managers: SNMP ipRoute MIB & Tyc_manager_list

    snmpwalk -v1 -c community 21 .1.1.11 > $infile    # ipRouteMask (router address and leading OID part stripped)
    snmpwalk -v1 -c community 21 .1.1.7  > $infile    # ipRouteNextHop

snmpwalk fetches an SNMP sub-tree; net-snmp must be installed.

(c) Data extraction

Fetch the web content:

    /usr/local/bin/wget -O /netflow/spam/spam.html.1 [...]    # URL stripped

Extract the wanted data entries (Perl):

    if (/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+/) {
        if ($4 eq "桃園區網-中央大學") {
            printf(FNO "%s, %s\n", $1, $4);
        }
    }

Then convert the text file to the rwhoisd data scheme (correspondence shown below).

Output of the two snmpwalk commands (one line per route; values stripped in this copy):

    RFC1213-MIB::ipRouteMask.[dest] = IpAddress: [mask]
    ...
    RFC1213-MIB::ipRouteNextHop.[dest] = IpAddress: [next hop]
    ...

From these the per-interface table is built: Interf_IP = Sub_network_IP : NetMask : Segments (values stripped in this copy).

Tyc_manager file (one record per line, fields separated by ';'; the e-mail field is stripped in this copy):

    37; 中央大學(1); 戴元任; [...]; 422715157504; 4252561; 桃園縣(320)中壢市中大路300號;
    37; 元智大學; 蔣國強; [...]; 4638800325; ; 桃園縣(320)中壢市內壢遠東路135號;
    1; 中原大學; 葉平; [...]; 45631712910; 2652999; 桃園縣(320)中壢市普仁里二十二號;
    ; 中正理工學院; 鄭大力; [...]; 3809331; 3806737; 桃園縣(335)大溪鎮員樹林中正理工學院;
    99; 國防大學; 鄭大力; [...]; 3809331; 3806737; 桃園縣(335)大溪鎮員樹林中正理工學院;
    45; 國防大學; 黃麗燕; [...]; 4890513; 4890513; 桃園縣(325)龍潭鄉中興路56號;

Resulting rwhoisd records:

    Network-Name: 中央大學(1)
    IP-Network: [...]/16
    Admin-Contact: 戴元任
    Address: 中央大學(1)
    Tel: 422715157504
    Updated-By: [...]
    Created: 200606051537

    Network-Name: 中正理工學院
    IP-Network: [...]/16
    Admin-Contact: 鄭大力
    Address: 中正理工學院
    Tel: 3809331
    Updated-By: [...]
    Created: 200606051537

    Network-Name: 中正理工學院
    IP-Network: [...]/24
    Admin-Contact: 鄭大力
    Address: 中正理工學院
    Tel: 3809331
    Updated-By: [...]

IP management information lookup (client side)

    yang# telnet [...] 4321
    Trying [...]
    Connected to yang.
    Escape character is '^]'.
    %rwhois V-1.5:003fff:00 [...].tw (by Network Solutions, Inc. V-[...])
    [query: an IP address]
    network:Auth-Area:[...]/16
    network:Class-Name:network
    network:Network-Name:中央大學
    network:IP-Network:[...]/24
    network:Admin-Contact;I:許健平
    network:Address:中央大學
    network:Tel:57504
    network:Updated-By:[...]
    network:Created:200606051709

Building the Rwhois directory service

(a) Install rwhoisd

    tar xvf rwhoisd-[...].tar
    cd rwhoisd-[...]
    ./configure --prefix=/usr/local/rwhoisd --enable-ipv4
    make
    make install

(b) Create / define the database (schema); the authority-area directory name is stripped in this copy and shown as net-[...]

    cd /usr/local/rwhoisd
    mkdir net-[...]
    mkdir net-[...]/data
    mkdir net-[...]/data/network
    cp etc/rwhoisd/samples/rwhoisd.* /usr/local/rwhoisd/
    cp etc/rwhoisd/samples/net-8/* net-[...]/
    cp etc/rwhoisd/samples/net-8/data/network/* net-[...]/data/network/

(c) Set up the database schema and soa files

    yang# more /usr/local/rwhoisd/net-[...]/schema
    name: network
    attributedef: net-[...]/attribute_defs/network.tmpl
    dbdir: net-[...]/data/network
    Schema-Version: 20060601000000000

    name: referral
    attributedef: net-[...]/attribute_defs/referral.tmpl
    dbdir: net-[...]/data/referral
    Schema-Version: 20060601000000000

    yang# more /usr/local/rwhoisd/net-[...]/soa
    Serial-Number: 20060608000000000
    Refresh-Interval: 3600
    Increment-Interval: 1800
    Retry-Interval: 60
    Time-To-Live: 86400
    Primary-Server: [...]:4321
    Hostmaster: [...].tw

(d) Build the index and run rwhoisd (Setup.sh)

    #!/bin/sh
    # cleanup rwhois dictionary files
    find . \( -name 'index*' -o -name 'local*' -o -name '*.txt.*' \) -print | xargs rm -f
    # reindex both organizational and network
    echo "reindexing network information"
    /usr/local/rwhoisd/bin/rwhois_indexer -C network -i -v -s txt
    # rwhoisd daemon
    /usr/local/rwhoisd/sbin/rwhoisd -c /usr/local/rwhoisd/etc/rwhoisd/samples/rwhoisd.conf &

4. Notification of abuse complaints

TANet abuse handling procedure:

- The original complaint is sent to the MOE network management team.
- It is manually forwarded to each regional network's abuse contact ([...]).
- Each regional network manager forwards it to the connected schools' abuse contacts ([...]).
- The school's network manager forwards it to the user of the reported IP.

Why automatic distribution of abuse complaints is necessary:
- Timeliness: by the time the notice forwarded by MOE arrives it is already delayed; if the regional network delays it further, complaints are flying everywhere.
- Volume: MOE (about 600 pieces/day), regional network (about 20 pieces/day).
- The forwarding work is repetitive (tedious).

Modules of the automatic distributor:
- Parse the mailbox file; catalogue and split the individual messages and save each one:
  - spam, mail proxy, unsolicited mail
  - attack, port scan, DoS
  - infringement, copyright, fraud, phish
- Extract the complained-about source IP address
- Query rwhoisd remotely for the management information
- Forward the complaint to the contact person

Splitting the mailbox and classifying each message (Perl; quoting, brackets and operators restored from the stripped copy; the slide text ends mid-branch):

    system("/bin/cp /var/mail/yang $sessdir/yang_$hour$min");
    system("/bin/mv /var/mail/yang $sessdir/yang");
    # $c : switch of each mail item
    open INF, "cat $sessdir/yang |";
    $q = 0;
    while (<INF>) {
        # /---- Start of an Email ----/
        if ((/^From\s(.*@.*)\s/) || (/^From\s/)) {
            $q++;
            $outmail_pre = sprintf("%s/%d", $sessdir, $q);
            close(MAIN);                  # previous message's file (the source reads close($outmail_pre))
            sleep 1;
            $outmail = sprintf("%s/%d", $sessdir, $q);
            open(MAIN, ">$outmail");
            $new_mail = 0;
            $fraud_cause[$q] = 0; $inf_cause[$q] = 0; $spam_cause[$q] = 0; $scan_cause[$q] = 0;
            $check_sw = 0;
        }
        # classify the message on its first matching line only
        if ($new_mail == 0 && ($inf_cause[$q] == 0 && $fraud_cause[$q] == 0
                               && $spam_cause[$q] == 0 && $scan_cause[$q] == 0)) {
            if ($check_sw == 0) {
                if (/(Fraud|FRAUD|fraud|PHISH|Phish|phish|scam|BF)/) {
                    $fraud_cause[$q]++;
                    print $q, " ", $fraud_cause[$q], " Fraud\n";
                    $cause[$q] = "Fraud/Phish";
                    $check_sw = 1;
                    next;
                } elsif (/(Infringe|infringe|P2P|unauthor|Unauthor)/) {
                    $inf_cause[$q]++;
                    print $q, " ", $inf_cause[$q], " Infringer\n";
                    $cause[$q] = "Infringement";
                    $check_sw = 1;
                    ...
                } elsif ((/(SpamCop|Spamb|spamb).*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) && $c == 0) {
                    print "rule_4_SP1\n";
                    print $&, "\n";
                    $_ = $&;
                    if (/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) {
                        $ip_addr = $1;
                        if ($notified{$ip_addr} ...      # the rest of this branch is cut off in the source

Remote rwhoisd lookup (Perl, using the Net::Rwhois client shipped with rwhoisd; the sub header is restored from the call site below, the client constructor is cut off in the source):

    sub rwhois {
        my ($ip_addr) = @_;
        ...                                 # my $client = Net::Rwhois::Client->new( ... cut off ...
                                            ...tw", Port => 4321 );
        $client->open();
        $result_set = $client->execute_query(Query_String => $ip_addr, Limit => 60);
        @results = $result_set->get_objects();
        $buf = $client->results_to_string(@results);
        return $buf;
    }

Looking up the contact for each extracted IP and forwarding the complaint:

    $fn_in = sprintf("%s/fl_no", $indir);
    open(FD0, "cat $fn_in |");
    while (<FD0>) {
        if (/(\d+)\s+(\S+)/) {
            $fn = $1; $ip = $2;
            print $fn, ": ", $ip, "\n";
            $buf1 = rwhois($ip);
            # pick the school name and the Updated-By e-mail out of the rwhois text
            ($tmp1, $unit)        = split(/network-name:/, $buf1);
            ($school, $tmp2)      = split(/ip-network:/, $unit);
            ($tmp3, $manager)     = split(/updated-by:/, $tmp2);
            ($email_tmp, $tmp4)   = split(/created:/, $manager);
            ($email_mgr_1, $tmp5) = split(/updated:/, $email_tmp);
            chomp($school); chomp($email_mgr_1);
            $email_mgr = $email_mgr_1 . ",[...]center7[...].tw";    # cc address, partly stripped in this copy
            $date1 = "$mon$mday";
            &mail_tyc($ip, $email_mgr, $date1, $fn);
        } #end_if
    } #end_while
    close(FD0);

    sub mail_tyc {
        my ($ip_addr, $email_mgr, $date1, $fn) = @_;
        use strict;
        use Mail::Sendmail;
        my %mail = (
            smtp           => 'localhost',
            To             => $email_mgr,
            From           => '[...]',
            subject        => "Scan/Spam/Infringement Complaint about $ip_addr",
            'Content-Type' => 'text/plain; charset=Big5',
        );
        my $body  = $boundary . "\n";
        $body .= "Scan/Spam/Infringement Complaint about IP: ";
        $body .= $ip_addr;
        $body .= " The system that might had been infected by hacker,\n";
        $body .= " Please help the owner check & fix the system.\n";
        $body .= " Many Thanks !\n From : Susna Yang\n";
        $body .= `/bin/cat /netflow/spam/$date1/$fn`;    # attach the saved complaint
        $body .= $boundary . "\n";
        $mail{body} = $body;
        sendmail(%mail) || print "Error sending mail: $Mail::Sendmail::error\n";
    }
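The message classification, IP extraction and rwhois-reply parsing that the section 3 lookup and the section 4 forwarder perform, reimplemented in Python as an added example (not the slides' code). The fraud and infringement patterns follow the Perl above; the spam and scan patterns, the rwhois reply and the complaint text are constructed assumptions.

```python
import ipaddress, re

# Constructed sample complaint and rwhois reply (TEST-NET addresses, not from the page).
SAMPLE_MAIL = """\
From abuse-reporter@example.net  Mon Jun  5 17:09:31 2006
Subject: [SpamCop] 192.0.2.77 relayed unsolicited mail to 198.51.100.9
"""
SAMPLE_REPLY = """\
%rwhois V-1.5:003fff:00 rwhois.example.edu (constructed sample)
network:Network-Name:Example University
network:IP-Network:192.0.2.0/25
network:Admin-Contact;I:J. Doe
network:Updated-By:noc@example.edu,
"""
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Tried in the slide's order, first match wins. Fraud and infringement patterns come from
# the slide's code; the spam and scan patterns are assumed from its complaint catalogue.
RULES = [
    ("Fraud/Phish",  re.compile(r"fraud|phish|scam", re.I)),
    ("Infringement", re.compile(r"infringe|p2p|unauthor", re.I)),
    ("Spam",         re.compile(r"spamcop|spamb|unsolicited", re.I)),
    ("Scan/Attack",  re.compile(r"port\s?scan|attack|\bdos\b", re.I)),
]

def classify(mail_text):
    """Complaint category, or 'Unknown' so the mail is left for manual handling."""
    for cause, pat in RULES:
        if pat.search(mail_text):
            return cause
    return "Unknown"

def extract_ips(mail_text, local_net):
    """Addresses in the mail inside our own prefix; the complainant's IPs are skipped."""
    net, found = ipaddress.ip_network(local_net), []
    for ip in IPV4.findall(mail_text):
        try:
            if ipaddress.ip_address(ip) in net and ip not in found:
                found.append(ip)
        except ValueError:      # 999.1.1.1 looks like an address but is not one
            pass
    return found

def parse_rwhois(reply):
    """'network:Attr[;I]:value' lines to a dict, instead of the slide's chained split()s."""
    rec = {}
    for line in reply.splitlines():
        m = re.match(r"network:([^:;]+)(?:;I)?:(.*)", line.strip())
        if m and m.group(1) not in rec:
            rec[m.group(1)] = m.group(2).strip()
    return rec
```

Together these give the forwarder its three inputs: the category for the subject line, the local address to query, and the `Updated-By` contact (trailing comma stripped) to send to.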

5. Detection and notification of anomalous traffic in the regional network

Flooding Detection System (FDS)

Network traffic measurement:
- provides good network monitoring
- can detect network security problems
- helps diagnose and solve network problems
- helps with network planning and expansion

Anomalous traffic detection:
- Flow flooding: DoS attack, PortScan, ssh cracking, spam
- ICMP/UDP packet flooding

A TCP flow is identified by its source socket and destination socket (src_IP src_port/TCP, dest_IP dest_port/TCP) and passes through: connection request, accept connection, send/recv data, close connection.

Flow-flooding detection over Netflow records (Perl; quoting, brackets and operators restored from the stripped copy):

    open(IN, $infile);
    while (<IN>) {
        # one flow per line: src_ip dst_ip proto src_port dst_port bytes pkts
        if (/(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)/) {
            $src_ip = $1; $dst_ip = $2; $proto = $3; $src_p = $4; $dst_p = $5;
            $bytes = $6 / 1000;                                  # KB
            $pkts  = $7;
            if ($pkts > 0) { $pkt_size = $bytes / $pkts; }       # mean packet size in KB
            @sitem = split(/\./, $src_ip);
            @ditem = split(/\./, $dst_ip);
            if ($proto != 6) { next; }                           # TCP only
            if ($pkt_size > 0.060) { next; }                     # mean packet above 60 bytes: ordinary data transfer
            elsif ($pkt_size < 0.046) {                          # below 46 bytes: header-only flows, the flooding signature
                $evil_flow = $src_ip . "#.#.#.#.(" . $dst_p . ")";    # key: source IP and destination port
                $flow{$evil_flow}++;
                $sum_pkt{$evil_flow}  += $pkts;
                $sum_byte{$evil_flow} += $bytes;
            }
        }
    } #end_while

Notification of the responsible manager (the slide text is cut off inside the message body):

    sub mail_tyc {
        my ($ip_addr, $email_mgr, $date1) = @_;
        use strict;
        use Mail::Sendmail;
        print $ip_addr, " ", $email_mgr, "\n";
        my %mail = (
            smtp           => 'localhost',
            To             => $email_mgr,
            From           => '[...]',
            subject        => "Detect Spamming Host $ip_addr from Your Campus",
            'Content-Type' => 'text/plain; charset=Big5',
        );
        my $body  = $boundary . "\n";
        $body .= "The IP machine over you";    # text cut off here in the source
    }
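The flow-flooding rule above as an added Python example (not the slides' code): it applies the same 60-byte and 46-byte mean-packet thresholds to constructed flow records, skips the zero-packet flow that the Perl leaves with a stale packet size, and adds a flow-count cut-off whose value is an assumption.

```python
import collections, re

# Constructed flow records, one per line in the column order the slide's regex expects:
# src_ip dst_ip proto src_port dst_port bytes pkts (TEST-NET addresses, not real traffic).
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.1 6 40123 25 120 3
192.0.2.10 198.51.100.2 6 40124 25 80 2
192.0.2.10 198.51.100.3 6 40125 25 120 3
192.0.2.10 198.51.100.4 6 40126 25 160 4
192.0.2.20 198.51.100.5 6 51000 80 90000 120
192.0.2.20 198.51.100.6 17 53001 53 160 2
192.0.2.30 198.51.100.7 6 52000 22 200 4
192.0.2.30 198.51.100.8 6 52001 22 0 0
"""
FLOW_RE = re.compile(r"(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
TCP = 6

def mean_packet_kb(nbytes, pkts):
    """Mean packet size in KB as on the slide; None for an empty flow, where the
    slide's Perl silently reuses the previous record's value."""
    return None if pkts == 0 else (nbytes / 1000) / pkts

def aggregate_small_flows(flow_text, upper_kb=0.060, lower_kb=0.046):
    """Per (src_ip, dst_port): flows, packets and KB of TCP flows whose mean packet is
    below lower_kb, i.e. header-only traffic (SYN floods, scans, connect-and-drop spam).
    Flows above upper_kb are ordinary transfers; the slide counts neither in between."""
    stats = collections.defaultdict(lambda: {"flows": 0, "pkts": 0, "kbytes": 0.0})
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src_ip, _dst_ip, proto, _src_p, dst_p, nbytes, pkts = m.groups()
        if int(proto) != TCP:
            continue
        size = mean_packet_kb(int(nbytes), int(pkts))
        if size is None or size > upper_kb:
            continue
        if size < lower_kb:
            entry = stats[(src_ip, int(dst_p))]   # same key the slide builds from src_ip and dst_port
            entry["flows"] += 1
            entry["pkts"] += int(pkts)
            entry["kbytes"] += int(nbytes) / 1000
    return dict(stats)

def suspects(stats, min_flows=3):
    """Sources with at least min_flows header-only flows to one port, most active first
    (the cut-off value is assumed; the slide does not state its threshold)."""
    hits = [(key, v["flows"], v["pkts"]) for key, v in stats.items() if v["flows"] >= min_flows]
    return sorted(hits, key=lambda h: (-h[1], h[0]))
```

On the sample, only 192.0.2.10 with four 40-byte-average flows to port 25 is reported; the 50-byte-average ssh flows fall in the gap between the two thresholds and are counted by neither branch, exactly as in the Perl.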
