[Title]: P2P Terminator (P2P终结者) & [Network Management]
[Keywords]: P2P
[Source]: http://www.cublog.cn/u/14201/showart.php?id=182604

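[Network Management] Using an ACL to block common packet-flooding network viruses
by leihuan posted at Nantaihu on 2004-11-5 9:51:39 Weather: Sunny
For the past few days the CPU load on the core switch has stayed very high, at 100%, and my boss kept phoning. I was busy with my thesis, so I never dealt with it properly. This morning I came in early, googled a bit, and then built an ACL:
    deny tcp any any eq echo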
    deny tcp any any eq chargen
    deny tcp any any eq 135 (3467 matches)
    deny tcp any any eq 136
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139 (3322 matches)
    deny tcp any any eq 389
    deny tcp any any eq 445 (302741 matches)
    deny tcp any any eq 4444
    deny tcp any any eq 6655 (15 matches)
    deny udp any any eq tftp
    deny udp any any eq 135
    deny udp any any eq 136
    deny udp any any eq netbios-ns (5253 matches)
    deny udp any any eq netbios-dgm (882 matches)
    deny udp any any eq netbios-ss
    deny udp any any eq 389
    deny udp any any eq 445
    deny udp any any eq 1434
    deny udp any any eq 1433
    deny icmp any any (539 matches)
    permit ip any any (3168057 matches)
It looks like most of the packets are going to port 445. The core switch CPU load has now dropped to 10%. Network virus packets really are scary.
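Added example (not part of the original post): a small parser that ranks the deny entries of the ACL above by their match counters, which is how the dominance of port 445 can be read off directly. The counters are copied from the post; two entries without a counter are kept to show that they are treated as zero hits.

```python
import re

# Counters copied from the post's ACL output; the two entries without a
# "(N matches)" suffix are kept to show that they count as zero hits.
ACL_OUTPUT = """\
    deny tcp any any eq 135 (3467 matches)
    deny tcp any any eq 136
    deny tcp any any eq 139 (3322 matches)
    deny tcp any any eq 445 (302741 matches)
    deny tcp any any eq 6655 (15 matches)
    deny udp any any eq netbios-ns (5253 matches)
    deny udp any any eq netbios-dgm (882 matches)
    deny udp any any eq 1434
    deny icmp any any (539 matches)
    permit ip any any (3168057 matches)
"""

ACE = re.compile(r"^\s*(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")

def parse_counters(text):
    """Return [(action, rule_text, hits)]; entries without a counter get 0."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return entries

def rank_denies(entries):
    """Deny entries sorted by hits, each with its share of all denied packets."""
    denies = [(rule, hits) for action, rule, hits in entries if action == "deny"]
    total = sum(hits for _, hits in denies) or 1
    return [(rule, hits, round(100 * hits / total, 1))
            for rule, hits in sorted(denies, key=lambda e: -e[1])]

if __name__ == "__main__":
    for rule, hits, pct in rank_denies(parse_counters(ACL_OUTPUT)):
        print(f"{hits:>8} {pct:>5}%  {rule}")
```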
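[Network Management] A configuration that blocks both eDonkey and BT
by leihuan posted at Nantaihu on 2004-11-4 12:28:29 Weather: Sunny
Argh, I wrote the policy wrong yesterday. So careless of me.
I just built a policy for eDonkey and BT. Unfortunately, for eMule, although foreign BBSes say the latest eDonkey version 2.0 covers eMule, I tested it and it does not work; it only works for eDonkey itself.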
ip nbar pdlm bittorrent.pdlm
ip nbar pdlm eDonkey.pdlm
 class-map match-any bittorrent
  match protocol bittorrent
  match protocol edonkey
!
!
 policy-map bittorrent-policy
  class bittorrent
   drop
!
Use match-any, not match-all:
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap
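[Network Management] Blocking eMule still does not work
by leihuan posted at Nantaihu on 2004-11-3 15:52:35 Weather: Sunny
I just built a policy for eDonkey and BT. Unfortunately, for eMule, although foreign BBSes say the latest eDonkey version 2.0 covers eMule, I tested it and it does not work; it only works for eDonkey itself.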
ip nbar pdlm bittorrent.pdlm
ip nbar pdlm eDonkey.pdlm
 class-map match-all bittorrent
  match protocol bittorrent
  match protocol edonkey
!
!
 policy-map bittorrent-policy
  class bittorrent
   drop
!
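Added example (not part of the original posts): a small model of the class-map and policy-map above, showing why the match-all version in this post drops nothing while the match-any version in the 2004-11-4 correction drops both protocols. It assumes NBAR labels each flow with exactly one protocol; the function names are hypothetical and only the config lines used on this page are parsed.

```python
def parse_policy(config):
    """Parse class-map and policy-map stanzas into two dictionaries."""
    class_maps, policies, ctx = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "class-map":                  # class-map <mode> <name>
            ctx = class_maps.setdefault(tok[2], {"mode": tok[1], "protocols": []})
        elif tok[:2] == ["match", "protocol"]:
            ctx["protocols"].append(tok[2])
        elif tok[0] == "policy-map":
            ctx = policies.setdefault(tok[1], [])  # list of [class, action]
        elif tok[0] == "class":
            ctx.append([tok[1], None])
        elif tok[0] == "drop":
            ctx[-1][1] = "drop"
    return class_maps, policies

def action_for(config, policy, flow_protocol):
    """Return 'drop' or 'forward' for a flow NBAR has labelled flow_protocol.

    Modelling assumption: a flow carries exactly one NBAR protocol label.
    """
    class_maps, policies = parse_policy(config)
    for cls, action in policies[policy]:
        cm = class_maps[cls]
        tests = [flow_protocol == p for p in cm["protocols"]]
        # match-all is a logical AND of the statements, match-any a logical OR
        matched = all(tests) if cm["mode"] == "match-all" else any(tests)
        if matched:
            return action or "forward"
    return "forward"

CONFIG_MATCH_ALL = """
ip nbar pdlm bittorrent.pdlm
ip nbar pdlm eDonkey.pdlm
class-map match-all bittorrent
 match protocol bittorrent
 match protocol edonkey
policy-map bittorrent-policy
 class bittorrent
  drop
"""
CONFIG_MATCH_ANY = CONFIG_MATCH_ALL.replace("match-all", "match-any")

if __name__ == "__main__":
    for proto in ("bittorrent", "edonkey", "http"):
        print(proto, action_for(CONFIG_MATCH_ALL, "bittorrent-policy", proto),
              action_for(CONFIG_MATCH_ANY, "bittorrent-policy", proto))
```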
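[Network Management] A roundup of ways to block BT on a router
by leihuan posted at Nantaihu on 2004-11-3 14:29:24 Weather: Sunny
QQ:7581276  MAIL:lh@hutc.zj.cn [Please keep my email address when reposting]
Recently, in order to block BT, I combed through nearly all of NBO's network forums, tried several methods, and reached a few conclusions (to be honest, this is just a small summary of the methods found online).
The first is the common port-blocking method.
The commonly used commands are as follows:
1. Rate limiting: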
access-list 102 permit tcp any any range 6881 6890
access-list 102 permit tcp any range 6881 6890 any
access-list 102 deny ip any any
rate-limit input access-group 102 712000 8000 8000 conform-action transmit exceed-action drop
rate-limit output access-group 102 712000 8000 8000 conform-action transmit exceed-action drop
2. Blocking:
access-list 102 deny tcp any any range 6881 6890
access-list 102 deny tcp any range 6881 6890 any
access-list 102 permit ip any any
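This method has its limitations. First, some current BT clients automatically change ports once they are blocked. Second, I looked closely at several BT download clients, and their announce ports now use 8000 and 8080; if you block those as well, normal network use may break (I did this once, and then lots of people phoned me, which scared me into deleting it right away).
The second method is to use NBAR (Network-Based Application Recognition).
NBAR is a technology that dynamically identifies protocols at layers 4 through 7. It can control static TCP and UDP traffic the way an ordinary ACL can, and it can also control protocols that use dynamic ports (such as BT), which ordinary ACLs cannot.
NBAR includes a Protocol Discovery feature, which makes it easy to discover the application protocols in transit; on an interface it can collect inbound and outbound traffic statistics and rate statistics. Most importantly, it also has files called external Packet Description Language Modules (PDLM) that extend the set of protocols NBAR recognizes. (I cannot translate this precisely; I only got the gist.)
Here is the procedure:
1. Download bittorrent.pdlm from http://www.cisco.com/pcgi-bin/tablebuild.pl/pdlm (a CCO account is required).
2. Put it on a TFTP server, then use copy tftp disk2 (on most devices it should be flash) to copy it to the router.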
route7206#conf t
Enter configuration commands, one per line. End with CNTL/Z.
route7206(config)#ip nbar pdlm bittorrent.pdlm
route7206(config)#
!
ip nbar pdlm bittorrent.pdlm
!
1.) Create a class-map and policy map and apply them to the appropriate interface:
route7206(config)#ip nbar
route7206(config)#ip nbar pd
route7206(config)#ip nbar pdlm bitt
route7206(config)#ip nbar pdlm bittorrent.pdlm
route7206(config)#class-map match-all bittorrent
route7206(config-cmap)#match proto
route7206(config-cmap)#match protocol bittorrent
route7206(config-cmap)#polic
route7206(config-cmap)#policy-map bittorrent-policy
route7206(config-pmap)#class bittorrent
route7206(config-pmap-c)#drop
route7206(config-pmap-c)#exit
route7206(config-pmap)#exit
route7206(config)#interface GigabitEthernet0/2
route7206(config-if)#servi
route7206(config-if)#service-policy input bi
route7206(config-if)#service-policy input bittoreent-policy
% policy map bittoreent-policy not configured
route7206(config-if)#service-policy input bittorrent-policy
route7206(config-if)#service-policy output bittorrent-policy
#show runn
The BT-related part of the output is:
class-map match-all bittorrent
  match protocol bittorrent
!
!
 policy-map bittorrent-policy
  class bittorrent
   drop
!        
interface GigabitEthernet0/2
 description CONNECT INSIDE
 ip address 192.168.168.1 255.255.255.252 secondary
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
 service-policy input bittorrent-policy
 service-policy output bittorrent-policy
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto
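I tested it: with this in place, BT can no longer download.
This technique seems to be the better one for now. I am experimenting with a way to get rid of eMule.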
 
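[Network Management] Changing a Windows machine's own routes
by leihuan posted at Nantaihu on 2004-11-2 13:39:26 Weather: Sunny
My machine has two NICs, one gigabit and one 100 Mbit. The gigabit NIC is connected to the internal network and the 100 Mbit NIC to the external network. Normally I go online through the external network, but for management and some special needs I have to connect through the internal NIC. Here is the problem: unless I keep the internal NIC disabled, the machine always goes online through the internal NIC first, which badly hurts network speed. I knew it was a routing problem, so I went to Run --- cmd --- route print: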
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      61.153.52.1    61.153.52.81       20
          0.0.0.0          0.0.0.0       172.20.7.1     172.20.7.80       10
      61.153.52.0  255.255.255.128     61.153.52.81    61.153.52.81       20
     61.153.52.81  255.255.255.255        127.0.0.1       127.0.0.1       20
   61.255.255.255  255.255.255.255     61.153.52.81    61.153.52.81       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.20.7.0    255.255.255.0      172.20.7.80     172.20.7.80       10
      172.20.7.80  255.255.255.255        127.0.0.1       127.0.0.1       10
   172.20.255.255  255.255.255.255      172.20.7.80     172.20.7.80       10
  218.168.201.121  255.255.255.255      61.153.52.1    61.153.52.81       20
   221.219.29.168  255.255.255.255      61.153.52.1    61.153.52.81       20
        224.0.0.0        240.0.0.0     61.153.52.81    61.153.52.81       20
        224.0.0.0        240.0.0.0      172.20.7.80     172.20.7.80       10
  255.255.255.255  255.255.255.255     61.153.52.81    61.153.52.81       1
  255.255.255.255  255.255.255.255      172.20.7.80     172.20.7.80       1
Default Gateway:       61.153.52.1
===========================================================================
Persistent Routes:
0
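Because the gigabit NIC is faster, the machine uses that NIC to go online by default, so the default route's METRIC was set to 20 and the 100 Mbit one's to 10. So the existing route has to be deleted first, and then the METRIC of the 61.x route made smaller.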
C:\WINDOWS>route delete 0.0.0.0 Mask 0.0.0.0 61.153.52.1
C:\WINDOWS>route -p add 0.0.0.0 Mask 0.0.0.0 61.153.52.1 metric 2
C:\WINDOWS>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 a0 c9 e7 6e 6d ...... Intel(R) PRO/100+ PCI Adapter
0x30004 ...00 08 74 12 c3 50 ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      61.153.52.1    61.153.52.81       2
          0.0.0.0          0.0.0.0       172.20.7.1     172.20.7.80       10
      61.153.52.0  255.255.255.128     61.153.52.81    61.153.52.81       20
     61.153.52.81  255.255.255.255        127.0.0.1       127.0.0.1       20
   61.255.255.255  255.255.255.255     61.153.52.81    61.153.52.81       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.20.7.0    255.255.255.0      172.20.7.80     172.20.7.80       10
      172.20.7.80  255.255.255.255        127.0.0.1       127.0.0.1       10
   172.20.255.255  255.255.255.255      172.20.7.80     172.20.7.80       10
  218.168.201.121  255.255.255.255      61.153.52.1    61.153.52.81       20
   221.219.29.168  255.255.255.255      61.153.52.1    61.153.52.81       20
        224.0.0.0        240.0.0.0     61.153.52.81    61.153.52.81       20
        224.0.0.0        240.0.0.0      172.20.7.80     172.20.7.80       10
  255.255.255.255  255.255.255.255     61.153.52.81    61.153.52.81       1
  255.255.255.255  255.255.255.255      172.20.7.80     172.20.7.80       1
Default Gateway:       61.153.52.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      61.153.52.1       2
C:\>route -p add 172.0.0.0 mask 255.0.0.0 172.20.7.1
[Network Management] Most commonly used ports
by leihuan posted at Nantaihu on 2004-11-2 8:24:02 Weather: Sunny
Service  Port
FTP      20,21
SSH      22
telnet   23
SMTP     25
DNS      53
DHCP     67,68
TFTP     69
HTTP     80
POP3     110
NNTP     119
NTP      123
IMAP4    143
LDAP     389
HTTPS    443
IMAPS    993
RADIUS   1812
AIM      5190
Most commonly used ports
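[Network Management] Allowing DHCP through an ACL
by leihuan posted at Nantaihu on 2004-11-2 8:00:30 Weather: Sunny
What a headache. Last night I worked overtime until eleven. The library wanted some of its machines to reach only the internal network and not the external one. I thought it would be very simple, but it turned out that the ACL worked, yet the machines could not obtain an IP address through DHCP, and without an IP address how is the ACL of any use? Thinking back, had it not worked when I ran my experiments before? Then it came to me: my earlier experiments all applied the ACL after the address had already been obtained through DHCP, so everything worked normally.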
access-list 102 permit tcp any 192.0.0.0 0.255.255.255
access-list 102 permit udp any 192.0.0.0 0.255.255.255
access-list 102 permit tcp any 172.0.0.0 0.255.255.255
access-list 102 permit udp any 172.0.0.0 0.255.255.255
access-list 102 permit igmp any any
access-list 102 permit icmp any any
access-list 102 deny ip any any
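The last line, access-list 102 deny ip any any, killed DHCP. When I realized this I was stumped as well: what exactly does DHCP use? I had read about it in the three volumes of TCP/IP Illustrated, but by now I had forgotten it. Later I found the standard template below, saw the REMARK about DHCP in it, and changed the DHCP part of the list above: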
access-list 102 permit tcp any 192.0.0.0 0.255.255.255
access-list 102 permit udp any 192.0.0.0 0.255.255.255
access-list 102 permit tcp any 172.0.0.0 0.255.255.255
access-list 102 permit udp any 172.0.0.0 0.255.255.255
access-list 102 permit udp any any range 67 69
access-list 102 permit tcp any any range 67 69
access-list 102 permit igmp any any
access-list 102 permit icmp any any
access-list 102 deny ip any any
Only after everything was running normally did I dare to go home.
The lesson from this: do not take things for granted; be careful.
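Added example (not part of the original post): a minimal first-match evaluator for the two versions of access-list 102 above, showing that a DHCPDISCOVER broadcast reaches deny ip any any in the first list and is permitted by the range 67 69 entry in the second. The packets and the client address are constructed, and only the any, address plus wildcard, eq and range forms used on this page are parsed.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [ports] dst [ports]'."""
    action, proto, *tok = line.split()[2:]
    def addr():
        if tok[0] == "any":
            del tok[0]
            return 0, 0xFFFFFFFF        # wildcard with every bit "don't care"
        pair = ip(tok[0]), ip(tok[1])   # (address, wildcard mask)
        del tok[:2]
        return pair
    def ports():
        if not tok or tok[0] not in ("eq", "range"):
            return None
        n = 2 if tok[0] == "eq" else 3
        lo, hi = int(tok[1]), int(tok[n - 1])
        del tok[:n]
        return lo, hi
    return action, proto, addr(), ports(), addr(), ports()

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, matching line); evaluation stops at the first match."""
    for line in acl:
        action, p, s, sp, d, dp = parse_ace(line)
        if (p in ("ip", proto)
                and all((ip(a) | w) == (n | w) for a, (n, w) in ((src, s), (dst, d)))
                and all(r is None or r[0] <= v <= r[1]
                        for v, r in ((sport, sp), (dport, dp)))):
            return action, line
    return "deny", "(implicit deny)"

NETS = [f"access-list 102 permit {p} any {n} 0.255.255.255"
        for n in ("192.0.0.0", "172.0.0.0") for p in ("tcp", "udp")]
TAIL = ["access-list 102 permit igmp any any",
        "access-list 102 permit icmp any any",
        "access-list 102 deny ip any any"]
DHCP_FIX = ["access-list 102 permit udp any any range 67 69",
            "access-list 102 permit tcp any any range 67 69"]
BEFORE, AFTER = NETS + TAIL, NETS + DHCP_FIX + TAIL   # the post's two lists
# Constructed packets: (protocol, source, source port, destination, dest port)
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
INTERNET = ("tcp", "192.168.21.50", 40000, "203.0.113.10", 80)

if __name__ == "__main__":
    for pkt in (DISCOVER, INTERNET):
        print(pkt, evaluate(BEFORE, *pkt), evaluate(AFTER, *pkt))
```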
 
[Network Management] Cisco ACL Template - Border Ro
by leihuan posted at Nantaihu on 2004-11-1 22:21:42 Weather: Sunny
Following is a basic access control list (using Cisco ACL syntax) template for use on a border router that is positioned between your local site and the Internet. I recommend you implement an ACL of this type to filter all inbound traffic from the Internet. Please be sure to review RFC1918, RFC2196, RFC2827, and RFC3013 when planning your network security policies. A current list of the bogons is maintained by Rob Thomas who also maintains a full IOS template here.
remark *** bogons (bogus outside networks)
deny ip 0.0.0.0 1.255.255.255 any log-input
deny ip 2.0.0.0 0.255.255.255 any log-input
deny ip 5.0.0.0 0.255.255.255 any log-input
deny ip 7.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 23.0.0.0 0.255.255.255 any log-input
deny ip 27.0.0.0 0.255.255.255 any log-input
deny ip 31.0.0.0 0.255.255.255 any log-input
deny ip 36.0.0.0 1.255.255.255 any log-input
deny ip 39.0.0.0 0.255.255.255 any log-input
deny ip 41.0.0.0 0.255.255.255 any log-input
deny ip 42.0.0.0 0.255.255.255 any log-input
deny ip 49.0.0.0 0.255.255.255 any log-input
deny ip 50.0.0.0 0.255.255.255 any log-input
deny ip 58.0.0.0 1.255.255.255 any log-input
deny ip 60.0.0.0 0.255.255.255 any log-input
deny ip 70.0.0.0 1.255.255.255 any log-input
deny ip 72.0.0.0 7.255.255.255 any log-input
deny ip 82.0.0.0 1.255.255.255 any log-input
deny ip 84.0.0.0 3.255.255.255 any log-input
deny ip 88.0.0.0 7.255.255.255 any log-input
deny ip 96.0.0.0 31.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 197.0.0.0 0.255.255.255 any log-input
deny ip 198.18.0.0 0.1.255.255 any log-input
deny ip 201.0.0.0 0.255.255.255 any log-input
deny ip 222.0.0.0 1.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
remark *** protocols
remark *** legacy small services no longer used
deny tcp any any range 0 19 log-input
deny udp any any range 0 19 log-input
remark *** snmp
deny tcp any any range 161 162 log-input
deny udp any any range 161 162 log-input
deny tcp any any eq 199 log-input
deny udp any any eq 199 log-input
deny tcp any any eq 391 log-input
deny udp any any eq 391 log-input
deny tcp any any eq 705 log-input
deny udp any any eq 705 log-input
deny tcp any any eq 1993 log-input
deny udp any any eq 1993 log-input
remark *** lan-only dhcp and tftp
deny udp any any range 67 69 log-input
deny tcp any any range 67 69 log-input
remark *** microsoft netbios
deny tcp any any range 135 139 log-input
deny udp any any range 135 139 log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
remark *** unix rpc
deny tcp any any eq 111 log-input
deny udp any any eq 111 log-input
remark *** lan-only unix services
deny tcp any any range 511 515 log-input
deny udp any any range 511 515 log-input
remark *** ircd
deny tcp any any eq 6667 log-input
deny udp any any eq 6667 log-input
remark *** icmp fragments
deny icmp any any fragments log-input
remark *** inbound ping
permit icmp any any echo
remark *** inbound ping response
permit icmp any any echo-reply
remark *** path MTU to function
permit icmp any any packet-too-big
remark *** flow control
permit icmp any any source-quench
remark *** time exceeded messages for traceroute and loops
permit icmp any any time-exceeded
remark *** block all other ICMP packets
deny icmp any any log-input
remark *** permit everything else
permit ip any any
 
 