第第PAGE10NUMPAGES133 ISP)〔2016〕108號39號TheSSLProtocolVersionHarnL,XuY,PerersenH.DesignofElGamaltypedigitalschemebasedondiscretelogarithm[J].Electronicsletters,1994,31(24):2025-2026.D.Johanson,A.Menezes,S.Vanstone.Theellipticcurvedigitalsignaturealgorithm(ECDSA).InternatinalJournalonInformationSecurity,2001,1:36-63.NybergK,RueppelRA.Messegerecoveryforsignatureschemsbasedonthediscretelogarithm[C].AdvancesinCryptology-Eurocrypt'94,Berlin:Springer-Verlag,1994.175-190IT基礎架構的安全建設，優化、調整和挖掘潛力，提升整體信息安全的保\h\h\hIPRDPchecklistRouterconfigtRouter(config)#servicepassword-encryptionRouter(config)#usernamenormaluserpassword3d-zirc0niaRouter(config)#usernamenormaluserprivilege1Router(config)#linevty0Router(config-line)#loginlocalRouter(config-line)#exec-timeout50Router(config-line)#endIVTYshowrunning-configrouter#showrunning-configBuildingconfiguration...Currentconfiguration:servicepassword-usernamenormaluserpassword3d-zirc0niausernamenormaluserprivilege1linevty04loginlocal安全要求-設備-通用-配置-Router#configureterminalEnterconfigurationcommands,oneperline.EndwithCNTL/Z.Router(config)#aaanew-modelRouter(config)#aaaauthenticationlogindefaultgroupRouter(config)#aaaauthenticationenabledefaultgroupRouter(config)#tacacs-serverhost8Router(config)#tacacs-serverkeyIr3@1yh8n#w9@swD與外部TACACSserver8TACACS+serveryaTACACS+serverRouterconfigtRouter(config)#servicepassword-encryptionRouter(config)#usernamenormaluserpassword3d-zirc0niaRouter(config)#usernamenormaluserprivilege1Router(config)#privilegeexeclevel15connectRouter(config)#privilegeexeclevel15telnetRouter(config)#privilegeexeclevel15rloginRouter(config)#privilegeexeclevel15showaccess-listsRouter(config)#privilegeexeclevel15showloggingRouter(config)#!ifSSHissupported..Router(config)#privilegeexeclevel15sshRouter(config)privilegeexeclevel1showipconnect、telnet、rlogin、showipaccess-lists、showshowrunning-configrouter#showrunning-configBuildingCurrentusernamenormaluserpassword3d-zirc0niausernamenormaluserprivilege1privilegeexeclevel15connectprivilegeexeclevel15telnetprivilegeexeclevel15rloginprivilegeexeclevel15showipaccess-listsprivilegeexeclevel15showaccess-listsprivilegeexeclevel15showloggingprivilegeexeclevel15sshprivilegeexeclevel1showRouterconfigtEnterconfigurationcommands,oneperline.EndwithCNTL/ZRouter(config)#loggingonRouter(config)#loggingtrapinformationRouter(config)#logging00Router(config)#loggingfacilitylocal6Router(config)#loggingsource-interfaceloopback0Router(config)#exitRouter#showSysloglogging:enabled(0messagesdropped,11flushes,Consolelogging:levelnotifications,35messagesloggedMonitorlogging:leveldebugging,35messagesloggedBufferlogging:levelinformational,31messagesloggedLoggingto00,28messagelinesloggedIrouter00syslog配置完成可以使用“showlogging”驗證Syslog#Saveroutermessagestorouters.loglocal6.debug/var/log/routers.log#touch Router#configtRouter(config)#loggingtrapinformationRouter(config)#snmp-servertrap-sourceloopback0Router(config)#snmp-serverenabletrapssyslogRouter(config)#exitSyslogloggingSNMPlogging showloggingRouter#showloggingSysloglogging:enabledConsolelogging:disabledMonitorlogging:leveldebugging,266messageslogged.Loggingto38SNMPlogging:disabled,retransmissionafter30seconds0messagesloggedDNSRouter(config)access-list140permitudpanyhosteqRouter(config)access-list140denyudpanyanylogRouter(config)#access-list140permittcpanyRouter(config)access-list140denyipanyanylogaccess-listlist-number{deny|permit}source[source-wildcard][log]access-listlist-number{deny|permit}protocolsourcesource-wildcardsource-qualifiersdestinationdestination-wildcarddestination-qualifiers[log|log-input]showipaccess-list[access-list-number|nameRouter#showipaccess-listExtendedIPaccesslist101denyudpanyanyeqntppermittcpanyanypermitudpanyanyeqtftppermiticmpanyanypermitudpanyanyeqrouter#configtrouter(config)#hostnameRouterRouter(config)#ipdomain-nameRouter.domain-Router(config)noaccess-list12Router(config)#access-list12permithostRouter(config)#linevty04Router(config-line)#access-class12inRouter(config-line)#Router(config)#servicepassword-encryptionRouter(config)#usernamenormaluserpassword3d-zirc0niaRouter(config)#usernamenormaluserprivilege1Router(config)#linevty04Router(config-line)#loginlocalRouter(config-line)#exec-timeout50Router(config)#cryptokeygenerateThenameforthekeyswillbe:Router.domain-Choosethesizeofthekeymodulusintherangeof360to2048foryourGeneralPurposeKeys.Choosingakeymodulusgreaterthan512maytakeafewminutes.Howmanybitsinthemodulus[512]:2048GeneratingRSAKeys...sshRouter(config)#linevty04Router(config-linetransportinputsshRouter(config-line)#exit第第PAGE27NUMPAGES13300sshrsasshdrsasshdHP-UX-配置-第第PAGE28NUMPAGES133#useraddusername#創建賬號#passwdusername#設置密碼#chmod750directory#其中755際情況設置相應的權限，directoryHP-UX-配置-刪除用戶：#userdelusername;#passwd-l只有具備超級用戶權限的使用者方可使用，#passwd-lusername#passwddusername效，登錄需輸入新密碼，修改/etc/shadowHP-UX-配置- chownroot:sys/etc/securettychmod600/etc/securettysshdrootNotonsystemconsole”；rootrootssh限制rootssh/etc/ssh/sshd_configPermitRootLoginyesPermitRootLoginnosshd#groupaddgGIDgroupnameGIDGIDGID#usermodggroupusername#將用戶usernamegroupGID：#idusername可以使用-g選項設定新組的GID0到499之間的值留給如果新組名或者GID已經存在，則返回錯誤信息。groupaddnewgrp命令進行更改，如#newgrpsyssys#idusername查看組文件：cat/etc/groupforuserinwwwsyssmbnulliwwwowwwsshd\hpsmhnameduucpnuucpadmdaemonbinlp\nobodynoaccesshpdbuseradm;dopasswd–l/usr/sbin/usermod-s/bin/false"$user"if[["$(uname-r)"=B.10*]];then/usr/lbin/modprpw-w"*"/usr/lbin/modprpw-w刪除賬號：#userdelusername;wwwsyssmbnulliwwwowwwsshdhpsmhnameduucpnuucpadmdaemonbinlpnobodynoaccesshpdbuseradm.例：oracle createuserabc1identifiedbycreateuserabc2identifiedby connectabc1/password1 alteruserusernamelock;dropuserusernamecascade; SYSDBASYSDBAsqlplus/assysdbasqlplus/assysdbasqlplusshowparameterShowparameterSQLNET.AUTHENTICATION_SERVICESNONE。grant權限tousername;revoke權限fromusername;CreateRoleDBARoleROLECREATEPROFILEapp_user2LIMITFAILED_LOGIN_ATTEMPTSPASSWORD_LIFE_TIMEPASSWORD_REUSE_TIMEPASSWORD_REUSE_MAXPASSWORD_VERIFY_FUNCTIONverify_functionPASSWORD_LOCK_TIME1/24PASSWORD_GRACE_TIME90;ALTERUSERjdPROFILE查詢視圖dba_profilesdba_usresprofileO7_DICTIONARY_ACCESSIBILITY=select*fromsysx$ksppi;sqlplus/assysdbasqlplusshowparameterShowparameter\h\h\h\hGB/T18336-2001OSSTMM-Open-SourceSecurityTestingMethodologyISSAF-InformationSystemsSecurityAssessmentOWASP-OpenWebApplicationSecurityWASC-WebApplicationSecurity確定透目標范在取得授權后，透測試方需要就詳細的透測試范圍和測試對象與客戶進行商議，并IP確定透測試的人在透測試準備階段應確定好透測試人員的名單、透測試人員的詳細介紹，并征得入侵檢測規則試探、規避測試、無線網安全、不同網段Vlan之間的透、端口掃描等存在系統很多高危服務和端口會被默認開放，例如，80，443，843，8001–8010，其中FTP、TFTPwinntwindows(admin$)資源可共享，存在一定的安全風險。SQLSQLXSSCSS(CrossSiteScriptExecution)，是指服務器端的CGIHTMLWEBHTMLSQLwebshellPCPCURLCSRFXSSXSSURL，而導致用戶信息受損。URLXSSSessionSession jsABC2 XSSSQLXSS DOS（拒絕服務）/DDOSWebshellwebwebwebadmin。webshellwebshellwebshellweb操作。Webshellphp、asp、aspx、jspwebshellPHPwebshellASP/ASPXJSP/JSPXISMSISO/IEC27001:2005信息技術-安全技ISMSISO/IEC27001:2005《信息安全管理體系》，和行業管ISMS1、信息安全管理體系建設和落實2、體系培訓ISO27001標準知識培訓，此培訓主要針對信息安全管理人員。1IP（IP）2、現狀調研34、ISO27001ISMSISO27001ISO2700111391335、風險評估ISMSIT12ISO27001ISO270023、總體安全方針建設4、信息安全策略體系建設56、審計與考核體系建設7、信息安全組織體系建設ISO27001A6A8“人力資源安全”的要求進行建設，建立用12、制度試用工作內容：ISMS3、巡檢和審計4、運行監控應用系統的所有安全需求都需要在項目需