限制突岩通入与ISA 2004/2006
如果您调查了“洋葱圈”或者”突岩“您大概想知道阻拦通入从这些是否是明智的 匿名 服务器(或可能出口结)。 我不谈论怎么被加密的突岩网络运作,因为很多信息可以被发现“那里”。 主要来源应该是: www.torproject.org 或许-和 WikiPedia.
作为安全人(或 ISA 管理员可能),您要求自己“为什么 这些人是否想要是匿名的" ? 在这种情况下““他们”在互联网不要目标看发源的IP地址的匿名”手段(来源)。 “目标”典型地是网站或一些其他网服务。
答复? 很好,您首先得到要求自己: "谁 是 他们"? 并且那里真正地不适当回答到我猜测-的那个问题谁真正地知道? 我们可以做的所有是猜测,因此让我扭转这些问题: 如果我将试验a 文丐或者新的一些 盘剥会我做它直接地在我的个人WAN IP ? 或我是否会设法“掩藏”我发源的IP ? 如果您看它透视突岩网络为掩藏起来是伟大的-整体想法是跟踪通信不应该是可能的。 您不知道什么能伤害您,正确? 我不说所有突岩用户是黑客或任何,因为他们不是,但是您必须看可能性… 您认为怎样? 我倾斜帮助认为,那,如果您从您需要掩藏的某事的人掩藏(坏) -,但嘿,它可能是圣诞节礼物,权利?
无论如何-您必须决定-我是否要这些人能访问我的网站和服务? 我不决定您的代表-是政治!
如此,如果我们想要他们,我们可以做什么对此? 很好,在读书托马斯Shinders以后 Blog词条“HammerOfGod计算机设置-阻拦并且采伐按Country” 我有想法。 下载突岩服务器名单怎么样,进口它入a 计算机集合 (CS)并且切记CS是 例外 在你们大家出版了服务? 这个方式黑客那里,在突岩服务器之后,不会能在您的IIS服务器附近戳或什么您有。
So, I started a search for Tor lists - the best thing would probably be to create it yourself dynamically - but that would take programming skills that I unfortunately haven’t got. I’m just a scripting kinda guy… The thing is, you would need to have a Tor client installed and from that extract the list once in a while - not possible for me (maybe you can do it easily - please post a "how to" then).
But, then I found a list on Proxy.org - this list it updated regularly - the only thing is, that this list is formatted for easy import on Apache servers, definitely not ISA. But hey, we can change the formatting in a script and then call the "AddComputersToComputerSet.vbs" script from Microsoft… Simple, all we have to do then, is to configure the CS exceptions on our ISA rules, schedule the script and never touch it again!
So, I created a simple script for:
a) Downloading the latest Tor server list from Proxy.org
b) After the download it creates a new file with the correct format (machine_name<tab>IP_address)
c) And then it calls the AddComputersToComputerSet.vbs with the correct parameters
You can download the script here - also download the script from MS (link above) and place them in the same directory. You will need a bit of VBS knowledge to "tweak" the script(s), but I’ve tried to make the code "easy understandable". Now, make sure you can run it from your ISA box (it downloads over HTTP), and then schedule the thing (oh, and remember to remove the Msgbox "Done!" line if you want this as a scheduled task).
If you want it to run from another machine, take a look at the link to the AddComputersToComputerSet I provided above (some changes are needed).
Please report back if you have any bug reports or ideas! It provided "As Is" - after downloading you’re on your own :)
The dynamically created/updated ISA Computer Set:
The ISA Rule/Publishing Exceptions:
What’s missing?
I can think of a lot of things I’d like to add in there - but the idea with this blog entry is to "spread the word" and a Proof of Concept.
Personally I want to add logging of script actions, email alerts if the list is unavailable or some other errors occur. Also, there’s a weakness in case the downloadable list is compromised somehow. Say someone adds Internal/Private/"not-Tor" IPs etc. to the list, it just might give some strange results for your users. So, we have to trust the list is OK secure - but it would be a good idea to put in some sort of validation on what IP addresses are put into this particular CS.
Hope you can use this :)
.
Popularity: 4%
Written by Jakob H. Heidelberg. Read more great feeds at is source WEBSITE
no comments.
Read more articles on exploit and otherSoftware and scripting and script and Microsoft and Hacking and Security.
- [+] Digg: Feature this article
- [+] Del.icio.us: Bookmark this article
- [+] Furl: Bookmark this article
