May 17, 2011

test

test post

Dec 14, 2010

Important Points to Know About IPV6

We are slowly approaching the large-scale deployment of IPv6, so we must be ready to learn some significant differences from IPv4. Some IPv6 addressing terms will also start to appear with increasing frequency in our day-to-day work. So let's look at some notable concepts that you need to know about IPv6.
– IPv4 addresses are 32 bits long and are represented as four octets separated by periods. Each octet is written in decimal and takes a value between 0 and 255.
Example: 192.168.1.1
– IPv6 addresses are 128 bits long and are expressed in hexadecimal. Every four hexadecimal characters form a group, and the groups are separated by colons.
Example: 2001:75b:a12c:6:c0:a8:1:1
– IPv6 uses several address types. One of them is the link-local address, which is configured automatically on every interface that has IPv6 enabled. Link-local addresses always begin with FE80.
– Similarly, multicast addresses always start with FF0x (where x is a hexadecimal digit between 1 and 8).
– Leading zeros in each group of the address may be dropped. An IPv6 address is written as 32 hexadecimal digits arranged in 8 groups of 4 digits separated by colons. When one of these 8 groups begins with zeros, those leading zeros can be omitted.
For example:
FE80:CD00:0000:0CDE:1234:0000:5678:0009
If we drop the leading zeros of each group, the address becomes:
FE80:CD00:0:CDE:1234:0:5678:9
– Consecutive groups of zeros may also be dropped.
We often find addresses with several adjacent all-zero groups. Such a run of groups can be compressed into a double colon.
For example:
FE80:CD00:0000:0000:0000:0000:0010:0127
Here we can remove the run of consecutive zero groups and also drop the leading zeros of the remaining groups. The address becomes:
FE80:CD00::10:127
The double colon :: tells the operating system that everything between the two sides is zeros.
Be careful: an entire group can be removed only when it consists entirely of zeros, and the double colon :: may be used only once in a given address representation.
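The two shortening rules above, written out by hand and cross-checked against Python's standard ipaddress module. This is an added example, not code from the original post; the sample addresses are the post's own, and the function names (expand, compress, is_valid, matches_stdlib) are this example's.

```python
# Added example, not code from the original post: the two shortening rules
# described above (drop leading zeros in each group, collapse the longest run of
# consecutive all-zero groups into one "::"), written out by hand and cross-checked
# against Python's standard ipaddress module. The sample addresses are the post's own.
import ipaddress

HEX_DIGITS = set("0123456789abcdef")


def expand(addr: str) -> list:
    """Undo both rules: return the 8 four-digit groups of `addr` (lower-case).
    Raises ValueError on malformed input, including a second '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    out = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g.lower()) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r}")
        out.append(g.lower().zfill(4))
    return out


def compress(addr: str) -> str:
    """Apply the rules: strip leading zeros from every group, then replace the
    longest run of two or more consecutive zero groups (the first one on a tie)
    with '::'. A lone zero group stays as '0', so '::' never stands for one group."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def is_valid(addr: str) -> bool:
    """True when `addr` parses under the rules above (e.g. False for a second '::')."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def matches_stdlib(addr: str) -> bool:
    """True when the hand-written compression agrees with ipaddress.IPv6Address."""
    return compress(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for a in ("FE80:CD00:0000:0CDE:1234:0000:5678:0009",
              "FE80:CD00:0000:0000:0000:0000:0010:0127",
              "0000:0000:0000:0000:0000:0000:0000:0001"):
        print(f"{a} -> {compress(a)}  (stdlib agrees: {matches_stdlib(a)})")
    print(is_valid("FE80::1::2"))   # False: '::' used twice
```

The tie-breaking choice (first of two equally long zero runs is compressed) and the refusal to use :: for a single zero group are what RFC 5952 prescribes and what the stdlib implements, which is why the cross-check agrees on every input.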
– There is only one loopback address. IPv4 reserves the entire network 127.0.0.0/8 (by convention 127.0.0.1 is used) as the loopback address pointing to the local machine.
IPv6 also has a loopback address, but in this case there is only one, written ::1
or, in the conventional full (uncompressed) form:
0000:0000:0000:0000:0000:0000:0000:0001
– No subnet mask is needed.
In IPv4, each interface is identified by an IP address and a subnet mask.
In IPv6 you can also implement subnets, but it is not necessary. Of the 128 bits that make up an address, the first 48 identify the network prefix, the next 16 are the subnet ID, and the last 64 are the interface identifier. Since 16 bits are reserved for the subnet portion, an IPv6 network can be divided into 65536 subnets.
– DNS is also available in IPv6.
In IPv4, DNS uses A records to map names to IP addresses. In IPv6, AAAA records (also called "Quad A") are used. The domain ip6.arpa is used for reverse name resolution.
– IPv6 hosts can connect across IPv4 networks.
IPv6 was designed with several transition mechanisms, so that IPv6 networks can be built even when the route must cross IPv4 networks. These mechanisms tunnel over the IPv4 networks; the two most popular technologies are Teredo and 6to4. The basic idea is that IPv6 packets are encapsulated inside IPv4 packets to traverse these networks.
– Many vendors already support IPv6.
Microsoft operating systems from Windows Vista and Windows 7 onward have IPv6 installed by default alongside IPv4 (it can also be installed on Windows XP, but is not there by default).
Unix and Linux operating systems have supported IPv6 for years.
Among network vendors, Cisco IOS has supported IPv6 for many years, but it is not enabled by default and must be enabled explicitly with the command "ipv6 unicast-routing".
– Windows support for IPv6 has some peculiarities.
When a client wants to address a specific port, for example in Internet Explorer, the IP address and port number are separated by a colon:
http://172.16.100.1:8543
In IPv6 the colon is already part of the address notation, so the address and the port are separated by enclosing the address in square brackets:
http://[FE80:CD00:0:CDE:1234:0:2567:9AB]:8543
This format is not supported on Windows machines, because the colons are interpreted as referring to an internal drive of the computer.
To solve this problem, Microsoft established a special domain for representing IPv6 addresses on Windows machines. If you reference an IPv6 address using the Universal Naming Convention (UNC), the groups must be separated by dashes instead of colons, and the domain name "ipv6-literal.net" must be appended to the address.
For example, instead of:
http://[FE80:CD00:0:CDE:1234:0:2567:9AB]
you should use:
http://FE80-CD00-0-CDE-1234-0-2567-9AB.ipv6-literal.net
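The bracketed URL form and the ipv6-literal.net name, as an added example that is not code from the original post. It uses the post's example address; the function names and the reverse conversion from a literal name back to an address are this example's own additions, and it relies on Python's urllib.parse understanding the bracket syntax.

```python
# Added example, not code from the original post: the bracketed URL form for an
# IPv6 address plus port, parsing such a URL back, and the Windows UNC name in the
# ipv6-literal.net domain. The address is the post's own example; the reverse
# conversion (name back to address) is an addition of this example.
import ipaddress
from urllib.parse import urlsplit, urlunsplit

LITERAL_SUFFIX = ".ipv6-literal.net"


def bracketed_url(addr: str, port: int, scheme: str = "http", path: str = "/") -> str:
    """http://[addr]:port/ - the brackets keep the address's colons apart from the port."""
    ipaddress.IPv6Address(addr)            # raises AddressValueError on a malformed address
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return urlunsplit((scheme, f"[{addr}]:{port}", path, "", ""))


def split_host_port(url: str):
    """Recover (host, port) from a URL; urlsplit understands the bracket syntax and
    returns the host lower-cased without the brackets."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def ipv6_literal_name(addr: str) -> str:
    """Windows form: every ':' becomes '-', then '.ipv6-literal.net' is appended."""
    ipaddress.IPv6Address(addr)            # validate first; keep the caller's spelling
    return addr.replace(":", "-") + LITERAL_SUFFIX


def ipv6_from_literal_name(name: str) -> str:
    """Inverse mapping, normalised to the compressed lower-case form."""
    if not name.lower().endswith(LITERAL_SUFFIX):
        raise ValueError("not an ipv6-literal.net name")
    return str(ipaddress.IPv6Address(name[:-len(LITERAL_SUFFIX)].replace("-", ":")))


if __name__ == "__main__":
    a = "FE80:CD00:0:CDE:1234:0:2567:9AB"
    print(bracketed_url(a, 8543))
    print(split_host_port(bracketed_url(a, 8543)))
    print(ipv6_literal_name(a))
    print(ipv6_from_literal_name(ipv6_literal_name(a)))
```

Validating the address before building either form matters: a string with stray characters would otherwise be pasted straight into a URL or a host name, and the round trip through urlsplit shows how a parser tells the port apart from the address groups.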

QoS Interview Questions

1. What is QoS and why is it required?
2. What is layer 2 QoS and layer 3 QoS?
3. What is tail drop?
4. Describe the methods of QoS.
5. What is hardware QoS and software QoS?
6. What is the difference between a policer and a shaper?
7. What is the token bucket algorithm?
8. Where should the markings be defined?
9. Does QoS increase the load on the equipment?
10. What are ToS and IP DSCP?
11. What are the different classes available?
12. How do you calculate the decimal value of the classes?
13. What is the difference between the priority and bandwidth commands?
14. What is low latency queueing?
15. What is class-based weighted fair queuing?
16. What is a first in, first out (FIFO) queue?
17. What is fair queueing?
18. If I give IP precedence 5 to data traffic, what will happen?

Dec 13, 2010

Hardening the SSH service on Ubuntu

Original article: http://www.td2.us/blog/2010-11/103.html

Although ssh encrypts the packets of a session so that data is protected in transit, which effectively stops attackers from sniffing the network to capture passwords and secrets, there is still no shortage of intruders who try password guessing and other means against ssh servers in order to gain control of them. The following settings on Ubuntu further strengthen its security:
    1. Edit the sshd server configuration file /etc/ssh/sshd_config and change the parameters below as shown to improve security.
Port 4321
The system listens on port 22 by default. Changing the listening port to another value (preferably a high port above 1024, so that it does not collide with other standard service ports) makes it harder for an intruder to discover whether the system is running the sshd daemon.
ListenAddress 192.168.0.1
On a server with several network cards or several IP addresses configured, make sshd listen only on one specified interface address. This reduces the entry points into sshd and lowers the chance of intrusion.
PermitRootLogin no
If logging in as the root user is allowed, attackers can run brute-force password attacks against the root account, putting the system at risk.
PermitEmptyPasswords no
A system that allows empty passwords is like a fortress without walls; every other security measure becomes an empty phrase.
AllowUsers sshuser1 sshuser2
Only allow the named users to access the server over ssh, keeping ssh access to the smallest possible set of accounts.
AllowGroups sshgroup
Similar to AllowUsers above, this restricts ssh access to the specified group. Both have the same effect of limiting who may access the server.
Protocol 2
Disable protocol version 1, which has design flaws that make passwords easy to crack.
Disable all unneeded (or insecure) authentication methods.
X11Forwarding no
Turn off X11 forwarding to prevent session hijacking.
MaxStartups 5
Each connection to the running sshd service uses a sizeable chunk of memory, which is why ssh is exposed to denial-of-service attacks. Unless many administrators manage the server at the same time, the connection limit above is sufficient.
Note: the parameter values above are only an example; adjust them to your own environment.
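A read-only audit of an sshd_config file against the directives in step 1, as an added example that is not part of the original post. It assumes the usual "Directive value" line form (a "Directive=value" form is also tolerated) and follows sshd's rule that the first occurrence of a directive wins; the function names sshd_get and audit_sshd_config and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config file against
# the hardened directives listed in step 1. It only reads the file and changes
# nothing. Assumes the usual "Directive value" form ("Directive=value" is also
# tolerated) and sshd's rule that the first occurrence of a directive wins.

# sshd_get FILE DIRECTIVE: print the value of the first uncommented occurrence
# (directive names are matched case-insensitively, as sshd does).
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, parts, /[[:space:]=]+/)
            if (tolower(parts[1]) == key) {
                sub(/^[^[:space:]=]+[[:space:]=]+/, "", line)
                print line
                exit
            }
        }' "$1"
}

# audit_sshd_config FILE: print one line per check; return 0 only if all pass.
audit_sshd_config() {
    cfg=$1
    rc=0
    # Directives with a single expected value (compared case-insensitively).
    for pair in PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no Protocol=2; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_get "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG    $key=$have (want $want)"; rc=1
        else
            echo "OK       $key=$have"
        fi
    done
    # Port: any value other than the default 22 counts as changed.
    port=$(sshd_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "DEFAULT  Port is still 22"; rc=1
    else
        echo "OK       Port=$port"
    fi
    # At least one of AllowUsers / AllowGroups must restrict who may log in.
    if [ -z "$(sshd_get "$cfg" AllowUsers)$(sshd_get "$cfg" AllowGroups)" ]; then
        echo "MISSING  AllowUsers or AllowGroups (ssh access not limited to named accounts)"; rc=1
    else
        echo "OK       access restricted by AllowUsers/AllowGroups"
    fi
    return $rc
}

# Constructed sample (not a real server's file): a default-looking config that
# fails most of the checks above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config sample
Port 22
PermitRootLogin yes
X11Forwarding yes
EOF
audit_sshd_config "$sample" || echo "=> $sample needs hardening"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the file; a non-zero exit makes it usable from a configuration check in a deployment pipeline. Note that OpenSSH releases that dropped SSH protocol 1 no longer need the Protocol directive, so on such systems a MISSING report for it can be ignored.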
    2. Change the permissions of the sshd configuration file /etc/ssh/sshd_config so that all non-root users have read-only access, preventing unauthorized users from modifying the security settings of the sshd service.
chmod 644 /etc/ssh/sshd_config
    3. Configure TCP Wrappers. By default the server accepts every connection request, which is very dangerous. With TCP Wrappers you can block or allow application services for specific hosts only, adding another security barrier to the system. Two files are involved: hosts.allow and hosts.deny.
Add the explicitly allowed requests to /etc/hosts.allow. For example, if the system should allow only the hosts with IP addresses 192.168.0.15 and 10.0.0.11 to use the sshd service, add:
sshd:192.168.0.15 10.0.0.11
Add the entries to be denied to /etc/hosts.deny. For example, to deny the sshd service to everyone except the users explicitly allowed in hosts.allow, add the following to hosts.deny:
sshd:All
Note: the system checks hosts.allow first and hosts.deny second, so if a user is allowed a network resource in hosts.allow while also being denied it in hosts.deny, the hosts.allow entry takes precedence and the user is permitted to use the resource.
    4. Disable startup services the system does not need. By default the system starts many network-related services and correspondingly opens many ports in the LISTENING state. As we know, the more open ports, the greater the chance of intrusion from outside, so disable as many unneeded startup services as possible in order to close ports and improve the security of the system.

Dec 10, 2010

Caesar's Cipher

Original article: http://songshuhui.net/archives/46557

Let us open with a poem: 我用相思作玉杯,真情当酒意相随,爱心已醉何时醒,你似蝴蝶梦里飞 (roughly: I make a jade cup of my longing; true feeling follows like wine; a loving heart is drunk, when will it wake; you fly like a butterfly through my dream).

You could send this poem to your girlfriend; being clever, she will surely see that it is an acrostic (the first character of each line spells 我真爱你, "I truly love you") and understand your meaning. An acrostic is in fact a form of cryptography: it hides a secret by a change of coordinates. The example is very simple, but it shows the essence of encryption: transforming the coordinate system.

Cryptography was first used in ancient warfare, when intelligence was carried in letters by soldiers who could not always avoid capture, so that the intelligence fell into enemy hands, a matter of life and death for an army in the field. Legend has it that Caesar had a method of encryption: before writing an order he drew up a correspondence table, plaintext A B C D E F … W X Y Z, ciphertext D E F G H I … Z A B C. If he wanted to write BABY, he wrote EDEB.

When a general received the cipher EDEB, he shifted each letter back by three and recovered the plaintext. This table has a shift of 3, but any other number works too: before a campaign Caesar fixed the shift and told his generals, and secure communication could then take place in wartime. This encryption simply moves the coordinate system sideways by three positions. But such a simple method is easy for the enemy to guess: trying every shift from 1 to 25 gives 25 candidate decodings, one of which must be the real message, and picking it out is very easy, because the other 24 are meaningless strings of letters while only one is a meaningful sentence; anyone who can read can spot it.
Since this method is not secure, what should Caesar do? A clever person gave him an idea: write the table out of alphabetical order, scrambled. For example A to Q, B to F, paired at random, as long as the 26 plaintext and ciphertext letters correspond one to one without repetition. Before each campaign Caesar would draw up a thoroughly scrambled table and give it to his generals. This works well: even if the enemy intercepts the ciphertext, without the table they can hardly make sense of it. This is also a transformation of the coordinate system; later generations called it the "single-table (monoalphabetic) system".

This scrambled cipher is much safer than the ordered one, but it still has an obvious weakness. Take English: the letters of a document occur with different frequencies, E most often of all, and one can even draw up a frequency table. If R is the most frequent letter in a ciphertext, might R stand for E? The guess is reasonable; even if it does not stand for E, it should represent one of the more frequent letters of the plaintext. Follow this line of thought and, oh my gosh, the cipher is broken.

Now it is the encryptors' turn to worry. The codebreakers, they reasoned, exploit the letter frequencies of plaintext and ciphertext; if we could erase the frequency differences, they would have nothing to work with. Fine in principle, but how to erase the differences, when letter frequencies in plaintext are inherently unequal and cannot be changed?

Persistence paid off: one day the encryptors found the key, namely "multiple tables". Each plaintext letter corresponds to several ciphertext letters; for instance, in the figure A corresponds to X, G and V, and which of the three is chosen depends on the position of the plaintext letter: X when A is in the first position, G in the second, V in the third. The plaintext is divided into groups of three and then encrypted. This example is three-dimensional, but more dimensions are possible, making it harder to break. Such multi-table systems are very effective, though statistical regularities remain; a short ciphertext is simply not enough to find them.
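The three schemes described above (Caesar shift, scrambled single-table substitution, position-dependent multi-table substitution) together with the two attacks the text sketches, exhaustive shift search and letter counting. This is an added example, not code from the original article; the sample sentence, the substitution key and the function names are constructed for illustration.

```python
# Added example, not code from the original article: the three classical schemes
# described above (Caesar shift, scrambled single-table substitution and the
# position-dependent multi-table scheme) together with the two attacks the text
# sketches, exhaustive shift search and letter-frequency counting.
# The sample sentence and the substitution key are constructed for illustration.
from collections import Counter
import string

ALPHA = string.ascii_uppercase


def caesar(text, shift):
    """Shift each letter by `shift` places (shift 3 turns BABY into EDEB); other characters pass through."""
    out = []
    for ch in text.upper():
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26] if ch in ALPHA else ch)
    return "".join(out)


def caesar_brute_force(ciphertext):
    """The enemy's attack from the story: undo every shift 1..25 and return all 25 candidates."""
    return {s: caesar(ciphertext, -s) for s in range(1, 26)}


def make_table(key):
    """Single-table substitution from a 26-letter permutation of the alphabet."""
    if sorted(key) != list(ALPHA):
        raise ValueError("key must be a permutation of A-Z")
    return dict(zip(ALPHA, key))


def invert(table):
    """The receiving general's table: ciphertext letter back to plaintext letter."""
    return {c: p for p, c in table.items()}


def substitute(text, table):
    return "".join(table.get(ch, ch) for ch in text.upper())


def most_common_letter(text):
    """Frequency analysis in one step: the most frequent ciphertext letter is the prime suspect for E."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHA)
    return counts.most_common(1)[0][0]


def shift_table(shift):
    """A table that is just a Caesar shift; several of these make the multi-table scheme."""
    return {c: ALPHA[(i + shift) % 26] for i, c in enumerate(ALPHA)}


def multi_table(text, tables):
    """Position-dependent substitution: the i-th letter uses tables[i % len(tables)],
    so with three tables the same plaintext letter can become three different ciphertext letters."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHA:
            out.append(tables[i % len(tables)][ch])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample plaintext in which E is, as in most English text, the most frequent letter.
SAMPLE = "WE NEED THESE THREE SECRET LETTERS TO BE SENT BEFORE THE ENEMY SEES THEM"
SCRAMBLED_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed permutation of A-Z

if __name__ == "__main__":
    print(caesar("BABY", 3))                                        # EDEB, as in the story
    print([s for s, p in caesar_brute_force("EDEB").items() if p == "BABY"])   # [3]
    table = make_table(SCRAMBLED_KEY)
    ct = substitute(SAMPLE, table)
    top = most_common_letter(ct)
    print(top, "is most frequent, so it probably stands for E; the table says", invert(table)[top])
    print(multi_table("AAA", [shift_table(3), shift_table(7), shift_table(11)]))   # DHL
```

The last line shows the point of the multi-table scheme: three identical plaintext letters come out as three different ciphertext letters, so a plain letter count no longer points at E. Counting only the letters at every third position would restore the statistics, which is the weakness the article describes next, but it needs far more ciphertext than the single-table attack.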

A multi-table system with a relatively fixed correspondence still gives the codebreaker an opening. As technology advanced, people began to improve these systems with machinery, introducing more variation to make cracking harder. During World War II the German army had a rotor cipher machine in which four wheels scrambled the input plaintext into ciphertext, and the correspondence changed dynamically, which made decryption far harder. A German officer in charge of the machine, Hans Schmidt, took up with Allied intelligence for money and handed over the machine's technical documentation, receiving the equivalent of ten million francs today; later he grew afraid and wanted out, but it was no longer up to him. He met Allied agents 34 times in all, and with the help of this top-secret material the leading Polish mathematician Rejewski and his colleagues finally broke the machine completely.

Back to Caesar. He knew, of course, that his cipher was not very secure: a captured messenger would hand over the secret letter under torture. How to stop a messenger from leaking the message once captured? Someone gave him another idea: shave the heads of a batch of soldiers, brand different marks on their scalps with a hot iron, and record which soldier was given which scar; the branded soldiers were baffled and had no idea why. Before the battle Caesar assembled his generals and had them memorize a set of correspondences: a plum-blossom scar meant "march to my relief at once", a triangle scar meant "hold your position", and so on.

In the battle Caesar was surrounded and the situation was critical. He took out his notebook, picked out the men with the plum-blossom scar and ordered them to report to the generals by different routes. "Shouldn't we carry a message or a dispatch?" the men asked, puzzled. "No need; once you report to the general your task is done," said Caesar. They set out; some reached a general, who without a word shaved their heads and checked the scar. Others were captured, but torture could extract no intelligence, because they truly knew none. A long time had passed since the shaving and branding, and the soldiers' regrown hair covered the scars, so the enemy did not easily notice anything odd.
Even when an encrypted message is placed in front of the enemy they cannot work out its real content, but it tells them that important intelligence is hidden inside, and they will do everything to break it, which is never good. Far better if the message sits before them and they do not notice at all: that is steganography. Caesar branding the scalps of his messengers is the ancestor of steganography. Spy novels often describe a scene in which an agent writes a report in starch water, lets it dry, and writes an ordinary letter over it as cover; the recipient ignores the letter's content and brushes a layer of iodine over the paper, and the starch-water message turns blue and appears. Even if such a letter is opened and inspected by the secret police, anyone who does not know the trick will find nothing.

Many ciphers look very ingenious, but with the birth of the computer all of these so-called classical ciphers failed, because they simply cannot withstand exhaustive analysis by computer. Modern cryptography takes a very different approach: it first finds a hard mathematical problem and then reduces the encryption method to that problem, so that without solving the mathematical problem one cannot break the cipher. Steganography too has gradually moved away from physical and chemical reactions and combined with cryptography, hiding secrets inside data. Modern cryptography is even more fascinating, but that is a story for another time.
