Astaro Security Gateway V8.300 Released

admin

1.大家最关注的，翻墙，防止DNS被劫持。
资深不资深的玩家肯定都知道某墙的事情。用了OpenDNS之类后，真的能防止被某墙劫持域名吗？恐怕太小看某墙了吧。只要是DNS的UDP包经过旁路设备，直接就会被篡改。不信？看看结果
正常请求一个被劫持的域名，当然是劫持没商量了

Sam@Bra:~$ dig hen.bao.li
8 C0 }6 K( I6 q0 s9 P- Z" P; <<>> DiG 9.6.0-APPLE-P2 <<>> hen.bao.li
;; global options: +cmd
. z2 a( m2 D  V% I  X;; Got answer:
5 j" }7 M9 B+ t;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50859
3 c8 C! ^& z) O# }( K;; flags: qr rd ra
7 Q! s8 B  y$ t; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
5 `9 R7 A& t" V5 `2 |7 c;; QUESTION SECTION: ;hen.bao.li. IN A
3 D/ ^& q! S1 t  u3 M/ M;; ANSWER SECTION: hen.bao.li. 85697 IN A 78.16.49.15
" W9 I5 f# x- k8 J$ s' t8 s" r;; Query time: 0 msec
- d$ k8 U! Z+ [- R;; SERVER: 127.0.0.1#53(127.0.0.1)
5 I) J& ~1 D. o9 N;; WHEN: Mon Dec  7 23:18:48 2009
: k1 x' }3 D6 A  z; v& p1 S;; MSG SIZE  rcvd: 44

Sam@Bra:~$ dig hen.bao.li
1 i& O, `1 t6 j8 M' x; <<>> DiG 9.6.0-APPLE-P2 <<>> hen.bao.li
" G  l0 V* u# c4 \2 d/ [* d. s;; global options: +cmd
5 ^- Z( d+ D, I- _; g1 c4 q$ }& ^;; Got answer:
1 h- d* K$ c* k% ^$ X;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50859
;; flags: qr rd ra
+ Q8 c  u6 `/ J# e2 l; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
! e6 E$ a& i; J6 v& ?;; QUESTION SECTION:
, e9 y* g$ Q( U;hen.bao.li. IN A
;; ANSWER SECTION:
hen.bao.li. 85697 IN A 78.16.49.15
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec  7 23:18:48 2009
;; MSG SIZE  rcvd: 44

7 p  l0 ]* X& w# H  M- `4 c4 y然后再看用了Google Public DNS后，照样劫持你没商量
1 Y9 S( e+ h/ y. b0 x
2 G( x6 ]) k1 }5 VSam@Bra:~$ dig @8.8.8.8 hen.bao.li
% ]6 U1 J' [! M6 H+ w4 W  L; <<>> DiG 9.6.0-APPLE-P2 <<>> @8.8.8.8 hen.bao.li
, a0 T6 y  u$ ~0 {8 }7 C. W; (1 server found)
;; global options: +cmd
2 m4 j+ [5 ?! @9 F6 E;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15485
$ o) h+ }( i$ r5 s% ~;; flags: qr aa rd ra
; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
# _6 c; i; `% v8 V$ O;; QUESTION SECTION: ;hen.bao.li. IN A
;; ANSWER SECTION: hen.bao.li. 86400 IN A 78.16.49.15
;; Query time: 75 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
9 i9 H8 N* E9 ]/ N;; WHEN: Mon Dec  7 23:20:58 2009
' s6 ^' d& x7 o: n: I9 f8 b* b;; MSG SIZE  rcvd: 54
/ q1 z5 E) Q* y: ]
我们看看国外机器得出的真实结果

[root@WS-10267 ~]# dig @8.8.8.8 hen.bao.li
; <<>> DiG 9.3.4-P1 <<>> @8.8.8.8 hen.bao.li
) G1 J; j# g. y" n* S/ y; (1 server found)
: t) h" G/ d) J# X- |;; global options:  printcmd
;; Got answer:
0 B, c, F3 H. i0 X# b;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20845
;; flags: qr rd ra
; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION: ;hen.bao.li. IN A
5 i( O1 M4 X8 p8 I;; ANSWER SECTION: hen.bao.li. 14400 IN A 69.163.142.44
;; Query time: 252 msec
, E$ u4 F7 ^0 d;; SERVER: 8.8.8.8#53(8.8.8.8)
$ m, Q2 Z& J! R2 A6 F, H: ?;; WHEN: Mon Dec  7 23:25:12 2009
' q# v  {$ S/ Y4 Y% D$ D7 I;; MSG SIZE  rcvd: 44
1 U4 U4 y4 m9 `) H8 u
可以看到，此路不通。想靠换国外DNS来翻墙的可以醒醒了。

2.解析速度快

, g2 ~& @, @5 XGoogle Public DNS解析速度是挺快的，但OpenDNS就未必了
' N) Q3 E- k) ^
Sam@Bra:~$ dig @208.67.222.222 http://www.dnspod.com
; <<>> DiG 9.6.0-APPLE-P2 <<>> @208.67.222.222 http://www.dnspod.com
5 g; r  H6 E. o# S# E# z; (1 server found)
6 K( k& O5 l# M/ a) s! M;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17404
;; flags: qr rd ra
; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
4 X& n! U+ U% M0 W9 K0 V;; QUESTION SECTION: ;www.dnspod.com. IN A
8 X3 ?& l2 a6 d; T;; ANSWER SECTION: http://www.dnspod.com. 600 IN CNAME http://www.dnspod.com.cdnudns.com. http://www.dnspod.com.cdnudns.com. 300 IN A 61.172.249.96 http://www.dnspod.com.cdnudns.com. 300 IN A 218.244.147.137
- X# F; D  y( I5 l;; Query time: 608 msec
2 E1 p4 D* Z# f- n# {1 O;; SERVER: 208.67.222.222#53(208.67.222.222)
/ i# b3 \' T0 b8 g; g9 S# _; [;; WHEN: Mon Dec  7 23:29:01 2009
;; MSG SIZE  rcvd: 101
: s% g) h' g& w
3.最重要的问题，访问网站真的快吗？

相信不少人一定记得之前QQ用户出现过一次“免费出国”，当然，现在这个情况也会出现在用了OpenDNS和Google Public DNS用户的身上。

; |# K# l3 d. f' U- u大家都知道中国特色的互联网，南北分家，互访速度巨慢无比，网站的维护人员绞尽脑汁的想办法解决互联互通的问题，加速大家的网站访问速度。

网站加速访问有好几种办法，有钱的大公司就用BGP AnyCast，但并不是人人都做得起（有自己的IP段，做一次BGP广播X-XX万，要达到最佳访问效果必须要做N次BGP广播，最后费用有可能达到 XXX万）。没钱的公司就只能用智能DNS了，包括自建的DNS，或者直接用DNSPod这样的现成方案，其实原理都一样。
! K3 `, i/ j1 T  `3 [! R0 }
5 l- `1 }( }7 J& c0 C& L8 Z0 j! ~智能DNS其实并不是太智能，它靠的预先分配好几个区域，然后根据用户请求的IP来判断用户属于哪个区域，之后返回对应区域的服务器IP。正常情况下，用户在国内上网，用的是ISP自动分配的DNS，用户域名解析请求发给ISP的DNS，ISP的DNS又发给DNSPod这样的域名授权DNS。 DNSPod这时候拿到的IP地址基本是ISP的DNS地址，所以很方便的就能判断出用户所在的区域，并把结果返回给用户。
1 }6 H3 y  I/ r% j. D! `; n& p
但如果这个时候，用户用的是OpenDNS或者Google Public DNS，因为这些服务器的IP地址是在国外，并且N多老外都在用，智能DNS就不好判断该怎么返回了。返回国外的IP，影响国内用户的访问速度。

如果返回国内的IP，影响到其他老外的访问速度。并且如果返回国内的IP，那么该到底返回电信还是网通的IP呢？用户属于哪个省份？无从判断。那么最后只能人多决定人少，返回国外的服务器IP。

返回国外IP的结果是，用户被指向网站在国外的服务器，访问网站巨慢。

本来想找几个典型例子的，但找了一圈回来，发现国内的大公司在这上面烧钱可是一点都不心痛，全部是BGP。要么就是不搭理国外用户，没针对国外用户单独进行解析，一概解析到电信的服务器去。

拿Google来当例子吧。我是网通用户，使用网通自带的DNS，解析www.google.com得到以下结果
/ A4 a3 {. ^- \0 Y- w
+ S' m$ M% k  j% oSam@Bra:~$ dig http://www.google.com
......
;; ANSWER SECTION:
http://www.google.com. 48102 IN CNAME http://www.l.google.com.
http://www.l.google.com. 300 IN A 216.239.61.104
+ N2 F' e1 i9 o% \4 U, I/ C
如果我用了OpenDNS的话，那么我得到下面的结果
: N" Z: w) x4 `8 p  J# v
Sam@Bra:~$ dig @208.67.222.222 http://www.google.com
......
;; ANSWER SECTION:
http://www.google.com.        30    IN    CNAME    google.navigation.opendns.com.
3 J: U4 a* G* |- m' K1 V9 I  u9 bgoogle.navigation.opendns.com. 30 IN A 208.67.219.230
google.navigation.opendns.com. 30 IN A 208.67.219.231
  W7 Z" U; Z! ?0 F9 i* ]
ping一下得出的IP地址，看看速度，其实并不快

( [6 j8 {! p/ ?: u. F4 l3 `Sam@Bra:~$ ping 208.67.219.230 PING 208.67.219.230 (208.67.219.230): 56 data bytes
# t1 j$ L$ W  z0 W4 ^64 bytes from 208.67.219.230: icmp_seq=0 ttl=51 time=213.828 ms
( [# o+ @* o) _% _64 bytes from 208.67.219.230: icmp_seq=1 ttl=51 time=213.779 ms
8 K1 k2 Z; u- M2 ?+ \" p) ?64 bytes from 208.67.219.230: icmp_seq=2 ttl=51 time=214.716 ms
0 N1 v" U7 B8 n9 C. J( W^C
--- 208.67.219.230 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
: H( z* D' Z- }/ ^round-trip min/avg/max/stddev = 213.779/214.108/214.716/0.431 ms

我们可以再看看kaixin001.com的，如果我是网通用户，用了OpenDNS或者Google Public DNS，那么我会被解析到kaixin001的电信IP去。当然，kaixin001的电信机房线路很好，网通用户访问其实影响不大。
  H. Z4 u; [4 _9 Z! D6 h
% P4 x2 s+ X0 U, K7 M  n我网通DNS直接解析
5 @: {  t: A/ d
) G/ i% _" T' x+ p& qSam@Bra:~$ dig kaixin001.com
......
/ N* x0 \& ?& p$ R, k, Z! K;; ANSWER SECTION:
kaixin001.com.        120    IN    A    220.181.100.31
kaixin001.com.        120    IN    A    220.181.100.32
% d9 P- j5 g% B7 {& ]kaixin001.com.        120    IN    A    220.181.100.33
kaixin001.com.        120    IN    A    220.181.100.34
kaixin001.com.        120    IN    A    220.181.100.35
+ h6 U+ y' a; G& Y& J: w6 N8 Gkaixin001.com.        120    IN    A    220.181.100.30
% t- i5 u! K! ]- H3 M3 L& f
/ R' o) A: @8 o/ S+ Y  b如果我换用了OpenDNS，我得到的是kaixin001在电信服务器的IP
0 L; I8 l& O6 r, A+ G/ z: A% f
Sam@Bra:~$ dig @208.67.222.222 kaixin001.com ......
. K2 ]- z+ X# p;; ANSWER SECTION:
kaixin001.com. 60 IN A 123.125.58.247
1 J  k% I! g( H7 e5 _kaixin001.com. 60 IN A 123.125.56.246
kaixin001.com. 60 IN A 123.125.56.247
' ]- y0 V9 J8 j& [6 ekaixin001.com. 60 IN A 123.125.56.245
kaixin001.com. 60 IN A 123.125.56.248
# y3 r& |! b+ w% m! D- m8 N5 ~kaixin001.com. 60 IN A 123.125.59.20
kaixin001.com. 60 IN A 123.125.59.16
2 g4 v7 d3 ^+ I& j+ E4 ?kaixin001.com. 60 IN A 123.125.58.248
kaixin001.com. 60 IN A 123.125.58.246
kaixin001.com. 60 IN A 123.125.58.245
0 y# m% V* I# ~9 w7 \( S! E: R
中小网站就没这么幸运了。中小网站没有太多的钱去买昂贵的BGP线路，只能用很低廉的智能DNS方案，比如我们经常去找字幕的射手网

网通直接查询，可以得到网通服务器的IP
2 b; R. y+ P! y+ q
Sam@Bra:~$ dig shooter.cn ......
;; ANSWER SECTION:
4 {0 Z$ V: R" V& g6 k: B' Ashooter.cn. 800 IN A 218.21.130.42

网通套用OpenDNS进行查询，得到的是射手在国外服务器的IP

7 I# i+ w2 X: W+ y" E0 }5 qSam@Bra:~$ dig @208.67.222.222 shooter.cn ......
  r; H5 h9 T- n8 z% n;; ANSWER SECTION:
shooter.cn. 750 IN A 74.207.252.170

这样，你就“被出国”了。用了OpenDNS或者Google Public DNS后，你访问的将是一个速度并不快的射手网。

国内类似射手网这样的中小网站有几十万甚至上百万，不少游戏运营商也采用这样的方案。虽然他们不一定有国外的服务器，但如果你被解析到并不属于自己网络的服务器上，访问速度或多或少都会受到影响。所以，如果你最近访问网站速度有所下降，或者玩游戏的时候经常掉线，那么你就该把DNS给换回来了。

admin

How to uninstall Sophos Endpoint Security &amp; Control from the command line or with a batch file
1 n7 u) `7 p' N5 b4 n9 @" jArticle ID: 109668
Rating:            
58 customers rated this article 4.4 out of 6
Updated: 10 Apr 2013
This article explains how to uninstall Sophos endpoint security software via a batch script or command line.

3 \! x8 Q0 `. u- _+ JThe instructions explain what to do on one computer however once the batch file has been created you can run it on any number of computers and if the same components are found they will be removed.
+ p2 m( g2 a4 D$ u. F6 R5 J5 T6 i) T
$ k. Z  h# z) ^- D1 f: `3 [4 INote:
3 A* j  j: P. r  P
This article does not troubleshoot errors or problems when uninstalling and is intended for guidance on correctly removing endpoint software with a Windows batch script.  Other articles document how to resolve corrupt or broken installations (e.g., Troubleshooting and resolving problematic Sophos endpoint upgrade and uninstall issues).
The instructions below have limited testing and are therefore provided &#39;as is&#39; and without full support.  You must fully test the batch file created on a test system before using in your production environment.
; _! `2 K2 j9 G! m- r/ v" i) jRead this article fully before attempting the instructions.
! e2 W- U: a  P0 d; hDo not run batch file uninstalls on the Sophos management server, message relay servers, or computers running server-side components such as Sophos Update Manager (SUM), Sophos PureMessage, etc.
) }) \& ?  |% |$ S9 c0 RBefore using the Windows registry editor read article 10388.
- i, ?9 ^0 l% s7 `+ NIf you encounter a problem when running your script we recommend you test uninstalling the components manually with Add/Remove Programs to ensure the normal method works correctly before troubleshooting further or contacting technical support.
+ X9 N; ^1 c/ L6 TNote: Different product version may have different uninstall strings and hence this can mean the script does not uninstall components as expected.

& B( o; A! C$ T7 l. wWe do not accept responsibility for any loss of data resulting from following these instructions.
Known to apply to the following Sophos product(s) and version(s)
4 m, E. J) \* Z" H! t9 U
Sophos Endpoint Security and Control
) l1 T' h. \$ g0 CSophos Endpoint Security

: y$ w  H* [: v& q/ eWhat To Do
You need to collect all the required uninstall strings from a typical endpoint computer (so you get the correct commands), copy them into a new text file (one per line), save the file as a .bat extension (batch file) and fully test it works as desired.
+ L7 u( q/ W* I+ a! X  y
Note: If enabled, the Sophos Tamper Protection policy must be disabled on the endpoints involved before attempting to uninstall any component of Sophos Endpoint Security and Control.  See article 119175 for more information.

! v8 m# g) g" P  u# k7 Z- pGather the uninstall commands

4 k" N# Y- Q  N3 c( O; t1 o2 \, POn an endpoint computer open the registry editor (Start | Run | Type: regedit.exe | Press return).
Expand the left hand tree to the following key:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\
! @% A& x4 w4 j, p8 E: ~) ~8 INote: On a 64-bit computer you will need to check both the key above and the following key:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
! _+ b+ W8 _# e6 D& wClick through the list and locate the first Sophos component you need to uninstall.
; A( a) J( n( v. o7 c) ?% WIn the list of values find the &#39;UninstallString&#39;, right-click it and select &#39;Modify&#39;.
Copy the string into a text editor.
% [2 b: T6 M4 K! G) P5 @' nRepeat steps three to five for all other component you need to remove.
8 ~) t' z/ P0 c/ G  i; j/ ~+ VWindows installer parameters
3 }8 s- ^) ^& O+ m) X' D; J. D
The uninstall strings copied from the registry may contain MSIEXEC.exe parameters or you may want to add your own parameters to control what the end user sees on screen and how the computer behaves.  For example the uninstall string for Sophos Anti-Virus v10 is:
$ _' E% V2 e& j! A, q/ B. C  F
MsiExec.exe /X {9ACB414D-9347-40B6-A453-5EFB2DB59DFA}
2 T: W/ W+ `1 w, B+ C: ?3 S1 D
But can be modified so that the uninstall is silent:
6 T, C7 c# h1 X- H5 q0 Z: I
MsiExec.exe /X {9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn

7 x$ ~0 P3 ^1 vOr to suppress a reboot (A restart is normally required for Sophos Client Firewall and Sophos Anti-Virus) so that you may perform it at a later time:
# p$ b" w! _7 |$ o& q6 X9 d7 o
* \3 W8 Y; \) h2 S& _/ }MsiExec.exe /X{9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn REBOOT=SUPPRESS

It is advisable to create a log file (a separate file is needed for each component) as part of this process for each component being removed to help facilitate troubleshooting should an issue arise:
" P2 Y; l- d# z7 a- K: a) q
MsiExec.exe /X{9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn REBOOT=SUPPRESS /L*v %windir%\\Temp\\Uninstall_SAV9-10_Log.txt
/ V! s' L/ @9 B& g+ H
If you need further information on Windows Installer (MSIEXEC.exe) and associated parameters we recommend you consult up to date Microsoft documentation.
  u) V) P  h" b  U2 C( x
Create a batch file
5 L9 m9 Y- j" y% \% W3 j) d  F
; w9 c" M0 h. G  ^. G& E- @Prior to uninstalling the endpoint components, you should stop the Sophos AutoUpdate Service to prevent a potential update of the endpoint software during the removal.  A command line such as the following can be used.

net stop &quot;Sophos AutoUpdate Service&quot;

! J4 {; }; h1 m# z0 SThe order in which the endpoint components are removed is important.  Therefore reorder your uninstall strings (that you extracted from the registry editor) as shown below.

Sophos Patch Agent
5 _4 k; i. E% R* VSophos Compliance Agent
Sophos Remote Management System
: l- N6 X9 m3 lSophos Client Firewall
* U6 v8 Q+ k% p3 S4 I% ]Sophos Anti-Virus
; B* h1 G6 J4 F6 _Sophos AutoUpdate
Then save the file and change the file extension from .txt to .bat

admin

卸载WINDOWS 客户端Endpoint Security &amp; Control 得先将数个SOPHOS服务全部停止掉才可以删除掉，集大成的安全客户端，包括数个组件，非ISA客户端可比拟的