常用的网路管理工具课件

常用的網路管理工具

:以桃園區網中心為例中央大學電算中心楊素秋Email:報告大綱1.動機2.自動寄信(Sendmail.pm)3.IP管理資訊查詢(Rwhoisd)4.Abusecomplain的自動通告5.區網異常訊務的偵測與通告6.結語與展望1.動機持續的網路異常抱怨CopyrightInfringement(違反智慧財產權)***Spam(廣告/色情信)PortScan(弱點port掃描)Virus,mailvirus(445/TCP,139/TCP,135/TCP,…)DoS攻擊(80/TCP,554/TCP)Passwordcracking22/TCP,4899/TCP1433/TCP,3306/TCPPhishing/Fraud1.動機(cont.)SecurityEducationEducateusersAnomalyDetection(Technique)Basedonservicelogmaillog,httplog,syslog,…BasedontrafficlogNetflowdata(router/sitchrouter)layer2packetcontent(snoopedbysnort/tcpdump)AutomaticAbuseNotification2.自動寄信(Sendmailperlmodule)Sendmail.pm的安裝安裝cd/usr/ports/mail/p5-Mail-Sendmailmakemakeinstallyang#pwd/usr/ports/mail/p5-Mail-Sendmailyang#make.Mail-Sendmail-0.79.tar.gz100%of15kB21kBps===>Extractingforp5-Mail-Sendmail-0.79===>Patchingforp5-Mail-Sendmail-0.79===>p5-Mail-Sendmail-0.79dependsonfile:/usr/local/bin/perl5.8.7-found===>Configuringforp5-Mail-Sendmail-0.79Checkingifyourkitiscomplete...Readthedocs,andhavefun...**********************************************************************===>Buildingforp5-Mail-Sendmail-0.79cpSendmail.pmblib/lib/Mail/Sendmail.pmManifyingblib/man3/Mail::Sendmail.32.自動寄信(cont.)Mail::sendmail自動寄信程式#!/usr/bin/perlusestrict;useMail::Sendmail;my$ip_addr="";my$email_mgr=',';my$boundary="===============================";print$ip_addr,"",$email_mgr,"\n";

my%mail=(smtp=>'localhost',To=>"$email_mgr",From=>'',subject=>"DetectSpammingfrom$ip_addr",'Content-Type'=>"text/plain;charset=\"Big5\"",);my$body.="$boundary\n";$body.="TheIPmachineoveryourcampuswiththeaddressof";$body.=$ip_addr;$body.="machinemaybeanOpenMailRelayOrSpamsender.\n";$body.="$boundary\n";$body.="Pleasehelpownerof";$body.="themachine\n";$body.="tocheckandfixitsOpenMailRelayProblemorPatch\n";$body.="Pleasereferthedetailtrafficlogon\n\n";$body.="\n";$body.="(user:guest&password:guest)\n";$body.="ManyThanks!\nFrom:SusnaYang\n\n\n";

$mail{body}=$body;

sendmail(%mail)||print"Errorsendingmail:$Mail::Sendmail::error\n";3.IP管理資訊查詢:RwhoisdIP管理資訊的建立(a)IP管理資訊來源通訊網頁Moe區網管理人()Moeabuse主機(l)Tyc區網管理人()NcuSnmgclub)連線學校的IP使用列表宿舍用戶IP列表Network-Name:中央大學IP-Network:/24Admin-Contact:吳維漢Address:中央大學:Tel:65136Updated-By:,,Created:2---Network-Name:中央大學IP-Network:/24Admin-Contact:陳鎰鋒Address:中央大學:Tel:65340Updated-By:,,,Created:2---Network-Name:中央大學IP-Network:/24Admin-Contact:陳鎰鋒Address:中央大學:Tel:65340宿舍用戶IP列表,19,,6,,37,,01,,97,,9,,,,6,,5,,2,,4,,59,,02,,4,,1,,5,,3,,9,,75,Network-Name:中央宿網IP-Network:Admin-Contact:Address:NCUDormUserUpdated-By:Created:2---Network-Name:中央宿網IP-Network:Admin-Contact:Address:NCUDormUserUpdated-By:Created:2---Network-Name:中央宿網IP-Network:Admin-Contact:Address:NCUDormUserUpdated-By:Created:2IP管理資訊查詢:Rwhoisd(cont.)(b)IPRoutingTable&ResponsiblemanagersSNMPipRouterMIB&Tyc_manager_listsnmpwalk-v1-ccommunity

21..1.1.11>$infilesnmpwalk-v1-ccommunity21..1.1.7>$infilesnmpwalk:fetchaSNMPsub-treedata需安裝net-snmp3.IP管理資訊查詢:Rwhoisd(cont.)(c)DataextractionWgetwebcontent/usr/local/bin/wget-O/netflow/spam/spam.html.1Extractthewanteddataentriesif(/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+/){if($4eq“桃園區網-中央大學”){

printf(FNO"%s,%s\n",$1,$4);}}ConvertthetextfileCorrespondencetorwhoisddataschemesnmpwalk-v1-ccommunity21..1.1.11>$infileRFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:Interf_IP==Sub_network_IP::NetMask::Segments---------------------------------------------------------------------------------05==::()::1,4==::()::4,::()::1,95==::()::2,80==::(52)::1,::()::1,::()::1,::()::1,::()::2,::()::4,::()::4,::()::2,::()::1,::()::2,::()::1,97==::()::1,06==::()::1,5,,,165,,,165,,,165,,,165,,,165,,,169,,,329,,,329,,,329,,,329,,,329,,,329,,,329,,,329,,,32Tyc_manager檔37;中央大學(1);戴元任;;4227151~57504;4252561;桃園縣(320)中壢市中大路300號;37;元智大學;蔣國強;;4638800~325;;桃園縣(320)中壢市內壢遠東路135號;1;中原大學;葉平;,;4563171~2910;2652999;桃園縣(320)中壢市普仁里二十二號;;中正理工學院;鄭大力;;3809331;3806737;桃園縣(335)大溪鎮員樹林中正理工學院;99;國防大學;鄭大力;;3809331;3806737;桃園縣(335)大溪鎮員樹林中正理工學院;45;國防大學;黃麗燕;;4890513;4890513;桃園縣(325)龍潭鄉中興路56號;3.IP管理資訊查詢:Rwhoisd(cont.)IP管理資訊查詢clientyang#telnet04321Trying0...Connectedtoyang.Escapecharacteris'^]'.%rwhoisV-1.5:003fff:00.tw(byNetworkSolutions,Inc.V-)

network:Auth-Area:/16network:Class-Name:networknetwork:Network-Name:中央大學network:IP-Network:/24network:Admin-Contact;I:許健平network:Address:中央大學:network:Tel:57504network:Updated-By:,network:Created:23.IP管理資訊查詢:Rwhoisd(cont.)(c)設定databaseschema&soa檔more/usr/local/rwhoisd/net-/schemaname:networkattributedef:net-/attribute_defs/network.tmpldbdir:net-/data/networkSchema-Version:200000---name:referralattributedef:net-/attribute_defs/referral.tmpldbdir:net-/data/referralSchema-Version:200000yang#more/usr/local/rwhoisd/net-/soaSerial-Number:200000Refresh-Interval:3600Increment-Interval:1800Retry-Interval:60Time-To-Live:86400Primary-Server::4321Hostmaster:.twdatabasesoa檔3.IP管理資訊查詢:Rwhoisd(cont.)(d)產生index&執行rwhoisdSetup.sh#!/bin/sh######cleanuprwhoisdictionaryfilesfind.\(-nameindex\*-o-namelocal*-o-name\*.txt.\*\)-print|\xargsrm-f######reindexbothorganizationalandnetworkecho'reindexingnetworkinformation'/usr/local/rwhoisd/bin/rwhois_indexer-Cnetwork-i-v-stxt######rwhoisddaemon/usr/local/rwhoisd/sbin/rwhoisd-c/usr/local/rwhoisd/etc/rwhoisd/samples/rwhoisd.conf&4.Abusecomplain的通告TANetabuse處理程序OriginalcomplainsendtoMOE網管人工分送各區網abusecontact,,...各區網管再分送連線學校abusecontact,,…連線學校網管再分送abuseIP使用者4.Abusecomplain的通告(cont.)自動化分送abusecomplain的必要時效性收到moe轉來的通告時,已經delay區網若再delay,抱怨信已經滿天飛超大量的complainMOE(>600pieces/day)區網(>20pieces/day)重複地轉送信工作(枯燥)4.Abusecomplain的通告(cont.)自動分送abusecomplain的工作模組Parsing信件檔Catalog,Fragment個別信件與存檔spam,mailproxy,unsolicitedmailAttack,portscan,DoSInfringement,copyright,fraud,phishExtract抱怨的IPsourceaddress遠端查詢rwhoisd管理資訊轉寄抱怨信thecontactperson4.Abusecomplain的通告(cont.)system("/bin/cp/var/mail/yang$sessdir/yang_$hour$min");system("/bin/mv/var/mail/yang$sessdir/yang");###$c:switchofeachmailitem###openINF,"cat$sessdir/yang|";$q=0;while(<INF>){###//StartofaEmail//###

if((/^From\s(.*@.*)\s/)||(/^From\s/)){$q++;$outmail_pre=sprintf("%s/%d",$sessdir,$q);close($outmail_pre);sleep1;$outmail=sprintf("%s/%d",$sessdir,$q);open(MAIN,">$outmail");$new_mail=0;$fraud_cause[$q]==0;$inf_cause[$q]=0;$spam_cause[$q]=0;$scan_cause[$q]=0;$check_sw=0;}4.Abusecomplain的通告(cont.)if($new_mail==0&&($inf_cause[$q]==0&&$fraud_cause[$q]==0&&$spam_cause[$q]==0&&$scan_cause[$q]==0)){if($check_sw==0){if(/(Fraud|FRAUD|fraud|PHISH|Phish|phish|scam|<B6>B<C4>F)/){$fraud_cause[$q]++;print$q,"",$fraud_cause[$q],"Fraud\n";$cause[$q]="Fraud/Phish";$check_sw=1;next;}elsif(/(Infringe|infringe|P2P|unauthor|Unauthor)/){$inf_cause[$q]++;print$q,"",$inf_cause[$q],"Infringer\n";$cause[$q]="Infringement";$check_sw=1;….4.Abusecomplain的通告(cont.)elsif((/(SpamCop|Spam\b|spam\b).*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/)&&$c==0){print"rule_4_SP1\n";print$&,"\n";$_=$&;if(/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/){$ip_addr=$1;if($notified{$ip_addr}<1){$notified[$ip_addr]++;print$ip_addr,"\n";printf("%d%s%10s|Spam\n",$q,$ip_addr,$cause[$q]);printf(FNO"%d%s%10s|Spam\n",$q,$ip_addr,$cause[$q]);printf(FN_MON"%d%s%10s|Spam\n",$q,$ip_addr,$cause[$q]);$qq++;$c++;next;}}4.Abusecomplain的通告(cont.)ayang#more/home/qos/Spam/spam_06===========================AbuseComplaimMail[06-01]---------------------------330Spamming-----105Spamming|Spam119Spamming|Spam1333Spamming|Spam21Spamming|Spam2231Spamming|Spam===========================AbuseComplaimMail[06-02]---------------------------27Infringement2708Infringement2869Infringement2997Infringement4.Abusecomplain的通告(cont.)ayang#more/netflow/spam/0620/fl_spam-----159Infringement21Infringement31Infringement483Infringement54Infringement659Infringement724Infringement899Infringement9Spamming4.Abusecomplain的通告(cont.)安裝Net::RwhoisperlmoduletarxvfNet-Rwhois-0.09.tarcd/usr/local/src/Net-Rwhois-0.09

perlMakemakemakeinstallManifyingblib/man3/Net::Rwhois::Transfer.3Installing/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois.pmInstalling/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois/ResultSet.pmInstalling/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois/Connection.pmInstalling/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois/WhoisQuery.pmAbusecomplain的通告(cont.)subrwhois(){my($ip_addr)=@_;my$unit;my$school;my$email_mgr;

require5.003;useNet::Rwhois;$client=newNet::Rwhois(Host=>".tw",Port=>4321);$client->open();$result_set=$client->execute_query(Query_String=>$ip_addr,Limit=>60);@results=$result_set->get_objects();$buf=$client->results_to_string(@results);return$buf;}Abusecomplain的通告(cont.)$fn_in=sprintf("%s/fl_no",$indir);open(FD0,"cat$fn_in|");while(<FD0>){if(/(\d+)\s+(\S+)/){$fn=$1;$ip=$2;print$fn,":",$ip,"\n";

$buf1=rwhois($ip);

($tmp1,$unit)=split("network-name:",$buf1);($school,$tmp2)=split("ip-network:",$unit);($tmp3,$manager)=split("updated-by:",$tmp2);($email_tmp,$tmp4)=split("created:",$manager);($email_mgr_1,$tmp5)=split("updated:",$email_tmp);chomp($school);chomp($email_mgr_1);$email_mgr=$email_mgr_1.",center7\@.tw";$date1="$mon$mday";

&mail_tyc($ip,$email_mgr,$date1,$fn);}#end_if}#end_whileclose(FD0);submail_tyc(){my($ip_addr,$email_mgr,$date1,$fn)=@_;usestrict;useMail::Sendmail;my%mail=(smtp=>'localhost',To=>"$email_mgr",From=>'',subject=>"Scan/Spam/InfrinfementComplaintabout$ip_addr",'Content-Type'=>"text/plain;charset=\"Big5\"",);my$body.="$boundary\n";$body.="Scan/Spam/InfrinfementComplaintaboutIP:";$body.=$ip_addr;$body.="Thesystemthatmighthadbeeninfectedbyhacker,\n";$body.="Pleasehelptheownercheck&fixthesystem.\n";$body.="ManyThanks!\nFrom:SusnaYang\n";

$body.=`/bin/cat/netflow/spam/$date1/$fn`;$body.="$boundary\n";

$mail{body}=$body;

sendmail(%mail)||print"Errorsendingmail:$Mail::Sendmail::error\n";}5.區網異常訊務的偵測與通告FloodingDetectionSystem,FDS網路訊務量測能提供良好的網路監測能偵測網路安全問題協助診斷/解決網路問題協助網路的規劃與擴充網路異常訊務偵測FlowFloodingDoSattack,PortScan,Sshcracking,SpamICMP/UDPPacketFloodingSource_socket Destination_Socket{Src_IPsrc_port/TCP}{dest_IPdest_port/TCP}ConnectionRequestAcceptConnectionsend/recvdataCloseconnection5.區網異常訊務的偵測與通告(cont.)openIN,"<$infile";while(<INF>){if(/(\S+)\s+(\S+)\s+(\d+)\s+(\d+)+\s+(\S+)\s+(\S+)\s+(\S+)/){$src_ip=$1;$dst_ip=$2;$src_p=$4;$dst_p=$5;$proto=$3;$pkts=$7;$bytes=$6/1000;if($pkts>0){$pkt_size=$bytes/$pkts;}##//@sitem=split(/\./,$src_ip);@ditem=split(/\./,$dst_ip);if($proto!=6){next;}if($pkt_size>0.060){next;}$evil_flow=$src_ip.">#.#.#.#.(".$dst_p.")";elsif($pkt_size<0.060&&$pkt_size>0.046){${"6".flow}{$evil_flow}++;${"6".sum_pkt}{$evil_flow}+=$pkts;${"6".sum_byte}{$evil_flow}+=$bytes;}}#end_while5.區網異常訊務的偵測與通告(cont.)5.區網異常訊務的偵測與通告(cont.)5.區網異常訊務的偵測與通告(cont.)submail_tyc(){my($ip_addr,$email_mgr,$date1)=@_;usestrict;

useMail::Sendmail;print$ip_addr,"",$email_mgr,"\n";my%mail=(smtp=>'localhost',To=>"$email_mgr",From=>'',subject=>"DetectSpammingHost$ip_addrfromYourCampus",'Content-Type'=>"text/plain;charset=\"Big5\"",);my$body.="$boundary\n";$body.="TheIPmachineoveryourcampuswiththeaddressof";$body.=$ip_addr;$body.="machinemaybeanOpenMailRelayOrSpamsender.\n";$body.="\nSRC_IP>#.#.#.#.(Serv_port)Flowspk_si