Unix advanced security settings



Sender: Mars (FangQ), Board: Software, Title: UNIX Advanced Security Settings [ZZ], Posted from: The Big Green (Sat Oct 5 16:58:10 2002), forwarded

http://www.20cn.net/ns/wz/sys/data/20020822032035.htm


Author: KCN

Part I: UNIX History and Development

1.1 Introduction to UNIX

UNIX has several decades of history. Over that period it has changed almost beyond counting: thousands of individuals and companies have produced thousands of different versions, and millions of system administrators have installed it on everything from small embedded systems to supercomputers. Undoubtedly, no two real UNIX installations are identical. The word "UNIX" is a trademark of the Open Group, which sets the requirements a system must meet to be certified under that name. Over the decades the mark has been diluted and no longer carries a precise meaning, although the Open Group still publishes "The Single UNIX Specification", which can be read at http://www.unix-systems.org/online.html. "UNIX" is a pun on the name Multics; it was originally written "Unics", for Uniplexed Information and Computing System. Both "UNIX" and "Unix" are now in wide use; Dennis Ritchie at one point tried to promote the lowercase form, since "UNIX" is not an acronym. Many people running Linux and other Unix-like systems consider that they are running UNIX, and formal UNIX systems and informal Unix-like systems are generally treated as one family, whether in books, in the media, online or in common usage. According to the UNIX FAQ, Unix is "an operating system written in the C language, with a hierarchical file system and unified file and device I/O. Its system call interface includes services such as fork() and pipe(), and its user interface includes tools such as cc, troff, grep and awk, and a shell." One can add that Unix provides a consistent way of multitasking, with built-in operations for creating, synchronizing and terminating processes, and that it can be ported between different kinds of computers.

In its first ten years, UNIX went through several versions inside AT&T. V4 (1974) was rewritten in C, a milestone in operating system design. V6 (1975) was used outside Bell Labs and became the foundation of the first UNIX version developed at the University of California. Bell Labs continued to work on UNIX into the 1980s, producing System V ("five", not the letter) in 1983 and System V Release 4 (abbreviated SVR4) in 1989. Meanwhile the University of California modified the source code released by AT&T, which raised a number of major issues; the Berkeley Standard Distribution (BSD) became the second main "UNIX" line. BSD 4.2 (1984) was widely used in university and corporate computing departments, and some of its features were absorbed into SVR4. From the 1990s, AT&T source code licences created a flourishing market, and different developers produced hundreds of UNIX versions. AT&T sold its UNIX business to Novell in 1993, and Novell sold it to the Santa Cruz Operation two years later. At the same time the UNIX trademark was transferred to the X/Open consortium, which later became the Open Group. While the ownership of UNIX passed from one entity to another, several long-running developments began to bear fruit. Traditionally, to obtain a running BSD system a user needed a source code licence from AT&T, but by the early 1990s Berkeley's developers had done so much work on BSD that most of the original AT&T source code had been replaced. Later programmers, starting with William and Lynne Jolitz, developed BSD in a network-distributed setting, which became 386BSD version 0.1 in 1992. This initial "free source code" BSD has three descendants, NetBSD, FreeBSD and OpenBSD, all based on BSD 4.4. In 1984 the programmer Richard Stallman began developing the free GNU ("GNU's Not Unix") system as a replacement for UNIX.
By the 1990s the GNU project had reached several programming milestones, including the release of the GNU C library and the Bourne Again Shell (bash). The system was essentially complete except for one key component. Enter Linus Torvalds, a student at the University of Helsinki in Finland. Linus looked at a small UNIX system called Minix and felt he could do better. In the autumn of 1991 he released the source code of a free software kernel called "Linux", a combination of his name and Minix. By 1994 Linus and a kernel development team had released Linux version 1.0. Linus and friends had a free kernel; Stallman and friends had the rest of a free UNIX clone. The combination is called "Linux", although Stallman would rather it were called the "GNU/Linux system" [6].

There are several different categories of GNU/Linux: some are backed by companies for commercial use, such as Red Hat, Caldera Systems and S.u.S.E.; others, such as Debian GNU/Linux, stay closer to the original free software idea. Linux has now reached kernel version 2.2. It runs on several different processor architectures and has been accepted or supported by each of those communities. Its supporters include long-established UNIX vendors such as HP, Silicon Graphics and Sun, PC vendors such as Compaq and Dell, and major software vendors such as Oracle and IBM. Perhaps most ironically, Microsoft recognizes the competitive threat of free software but is unwilling or unable to publish the code of its own software. Microsoft later launched Windows NT (Windows 2000). By the end of the 1990s many vendors had begun to abandon UNIX server platforms in favour of Windows NT; Silicon Graphics, for example, decided to use Intel hardware and NT as its future graphics platform.

Part II: Typical Unix Security Hazards

2.1 Bugs in RPC daemons let intruders gain root privileges

RPC (Remote Procedure Call) allows a program on one computer to execute a program on another computer. RPCs are widely used by a variety of network services, such as the NFS file sharing service. Many vulnerabilities are defects in RPC itself, and they keep appearing. There is strong evidence that many of the machines used as launch points in the distributed denial-of-service attacks of the late 1990s were compromised through RPC vulnerabilities. During the Solar Sunrise incident, the successful attack on the US Army happened because an RPC vulnerability was found on hundreds of Department of Defense systems.

2.2 Remote vulnerabilities in applications

Some applications allow a remote attacker to obtain ordinary user privileges or root privileges.
For example, the problems in BIND (the nxt, qinv and in.named bugs) give root privileges. BIND (Berkeley Internet Name Domain) is the most widely deployed implementation of the Domain Name Service (DNS); all of us locate systems on the Internet through it, needing only a domain name (such as www.cnns.net) rather than an IP address. That shows its importance, and it makes BIND the most popular attack target.

2.3 Local vulnerabilities

Local vulnerabilities do not belong to either of the two kinds above, but they are an important factor in judging whether a system is secure: they let a user who already has an account raise their system privileges, or let a remote attacker who has gained some access expand that foothold and raise their privileges. For example, with the ff.core buffer overflow, an ordinary user can overflow the buffer and reach a root shell simply by running a short script.

2.4 Exposure of system information

Strictly speaking this is not a vulnerability, but it bears on your system's security. For example, finger reveals valid user names, default shells and so on, which an attacker can use for password guessing. Likewise, an exposed software version number tells the attacker exactly what to attack and makes intrusion easier.

Part III: Common Unix Security Settings

3.1 Solaris

3.1.1 PROM, OpenBoot and physical security

3.1.1.1 OpenBoot security levels

none: no password is required. All OpenBoot settings can be modified, and anyone with physical access to the console has complete control.
command: every command except boot and go requires a password.
full: every command except go requires a password.

3.1.1.2 Changing the OpenBoot security level

First set the OpenBoot password with the eeprom security-password= command, then, logged in as root, change the security level to command with eeprom security-mode=command, or at the OK prompt type:

ok setenv security-mode command

Password protection is then in effect.

3.1.2 File system security

3.1.2.1 Basic knowledge

The file system is the core of UNIX security. In UNIX, everything is a file. The basic file types are regular files, directories, special (device) files, links, sockets and so on. These different types are organised in a layered tree whose starting point is the directory called "root" ("/"); the whole is the file system. Each file corresponds to an "inode", which holds the UID (file owner), GID (group the file belongs to), file size, file type, ctime (time the inode was last changed), mtime (time the file contents were last modified), atime (time the file was last accessed) and nlink (number of links). These are the basic properties of the file. Everyone will have noticed that there are many directories under "/". What are they? A brief introduction to the directory structure follows.
/bin          user commands (executables)
/dev          special device files
/etc          system executables, configuration files and management files, mainly configuration
/home         users' home directories
/lib          shared libraries needed to boot the system and to run the commands in the root file system
/lost+found   files that have become disconnected from their file system
/mnt          temporarily mounted file systems (such as a CD-ROM or floppy)
/proc         interface to kernel data structures and running processes (for debugging)
/sbin         executables used only by root, and the files required to boot or mount /usr
/tmp          temporary files
/usr          executables, header files, shared libraries and help files used by users and system commands, plus local programs (in /usr/local)
/var          spool directories for mail, printing, cron and so on, statistics and log files

File systems come in several types; the UNIX kernel supports the following:

1) ext2: a high-performance file system for Linux on fixed and removable disks
2) msdos: used by MS-DOS and Windows
3) umsdos: an extended DOS file system used by Linux, supporting long file names and permission settings
4) iso9660: the CD-ROM file system, following the ISO 9660 standard
5) hpfs: High Performance File System, used by OS/2
6) minix: used by the Minix OS; the earliest Linux file system
7) nfs: Network File System, used to access disks on remote computers
8) swap: a disk partition used as swap space

3.1.2.2 File permissions

File permissions are the key to UNIX file system security. Each user in UNIX has a unique user name and UID (user ID number), and each user belongs to one or more groups. A user's primary group is defined in /etc/passwd and additional group memberships in /etc/group.

For example, the user tiger has UID 225, primary group 11 (students), and is also a member of group 185 (postgraduates). Each file and directory has three sets of permissions: one for the file's owner, one for members of the file's group, and one for all other users. "r" means readable, "w" writable, "x" executable. There are nine bits in total (three per set), collectively called the mode bits. The mode is usually shown as a column of ten characters, each representing one setting; the first gives the file type (d for a directory, - for a regular file, l for a link, and so on). For example, ls -l shows:

drwxr-xr-x   2 root   root    1024 Aug 13 09:22 backup/
-rw-r--r--   1 root   root    1824 Apr 21 18:45 client.c
-rw-------   1 root   root   65536 Apr 22 17:56 core
-rw-r-----   1 root   root    2351 Apr 22 14:01 cry1.bak
-rwxr-xr-x   1 root   root   27492 Apr 21 18:47 crypt*
-rw-r-----   1 tiger  tiger   2450 Apr 22 15:16 cryption_server.c
-rw-r-----   1 tiger  tiger   1544 Apr 22 15:02 myinclude.h
-rwxr-xr-x   1 root   root    8280 May  3 10:35 test*

The last line begins with "-", so test is a regular file; its owner can read, write and execute it, and members of the group and all other users can read and execute it. Permissions are changed with the chmod and umask commands, which are simple; see their manual pages for how to modify permissions.

3.1.2.3 SUID/SGID

Why treat these separately from file permissions? Because they are an entry point that network intruders love. SUID stands for "set user ID" and SGID for "set group ID". When a user runs a SUID file, the user's ID is set to the file owner's user ID for the duration of the program; if the file belongs to root, the user becomes the superuser. Likewise, when a user runs an SGID file, the user's group is set to the file's group.
For example, the ps command runs SUID root because it reads from system memory, which an ordinary user cannot normally do. SUID programs represent serious security exposure, especially programs SUID to root. UNIX actually has two kinds of user ID: the "real user ID" is the ID established at login, and the "effective user ID" can be changed by SUID and SGID bits during the session. When a user runs a command, the process inherits the user's login shell, so the real and effective user IDs are the same; when the SUID bit is set, the process inherits the permissions of the command's owner. For example, an ordinary user running passwd can modify /etc/passwd even though the file belongs to root; this works because passwd runs with root's SUID permission. So how do you identify a SUID program? Look at the file's permission mode: if its fourth character is "s" rather than "x", it is a SUID program.
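The mode-bit decoding and SUID/SGID identification just described, as an added Python example (not code from the article): it turns an ls -l mode string such as "-rwsr-xr-x" into numeric permission bits, and walks a directory tree reporting regular files with the SUID or SGID bit set. The scanned tree is a constructed temporary directory, so the example runs anywhere; the file names in it are only illustrative.

```python
"""Decode ls -l mode strings and find SUID/SGID files in a directory tree.

Added example for this article (not the author's code). Standard library only;
demo() builds a constructed temporary tree rather than scanning a real system.
"""
import os
import shutil
import stat
import tempfile

# Position of each permission character in a 10-character ls -l mode string,
# with the character expected there and the stat bit it represents.
_PERM_BITS = [
    (1, "r", stat.S_IRUSR), (2, "w", stat.S_IWUSR), (3, "x", stat.S_IXUSR),
    (4, "r", stat.S_IRGRP), (5, "w", stat.S_IWGRP), (6, "x", stat.S_IXGRP),
    (7, "r", stat.S_IROTH), (8, "w", stat.S_IWOTH), (9, "x", stat.S_IXOTH),
]


def parse_mode_string(mode_str):
    """Turn an ls -l mode such as '-rwsr-xr-x' into numeric permission bits.

    An 's' in the owner execute column means SUID plus execute, 'S' SUID without
    execute; the same applies to the group column for SGID, and 't'/'T' in the
    last column is the sticky bit. The first character (file type) is ignored.
    """
    if len(mode_str) != 10:
        raise ValueError("mode string must be 10 characters")
    bits = 0
    for pos, expected, flag in _PERM_BITS:
        ch = mode_str[pos]
        if ch == expected:
            bits |= flag
        elif pos == 3 and ch in "sS":
            bits |= stat.S_ISUID | (stat.S_IXUSR if ch == "s" else 0)
        elif pos == 6 and ch in "sS":
            bits |= stat.S_ISGID | (stat.S_IXGRP if ch == "s" else 0)
        elif pos == 9 and ch in "tT":
            bits |= stat.S_ISVTX | (stat.S_IXOTH if ch == "t" else 0)
        elif ch != "-":
            raise ValueError("unexpected character %r at position %d" % (ch, pos))
    return bits


def is_setuid_or_setgid(mode_bits):
    """True when either the SUID or the SGID bit is present."""
    return bool(mode_bits & (stat.S_ISUID | stat.S_ISGID))


def find_suid_sgid(root):
    """Walk root and return sorted paths of regular files with SUID or SGID set.

    This is what find / -type f \\( -perm -4000 -o -perm -2000 \\) reports.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid_or_setgid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed tree: one plain file and one SUID root-style copy; scan it."""
    root = tempfile.mkdtemp(prefix="suidscan-")
    try:
        plain = os.path.join(root, "client.c")
        suid = os.path.join(root, "bin", "su")
        os.makedirs(os.path.dirname(suid))
        for path in (plain, suid):
            with open(path, "w") as fh:
                fh.write("x")
        os.chmod(plain, 0o644)      # -rw-r--r--
        os.chmod(suid, 0o4755)      # -rwsr-xr-x
        return [os.path.relpath(p, root) for p in find_suid_sgid(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(oct(parse_mode_string("-rwsr-xr-x")))
    print(demo())
```

Run it on a real tree by calling find_suid_sgid("/") as root; the list it returns is the one to compare against a known-good baseline, since a newly appearing SUID file is exactly the hidden-shell back door the section warns about.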

For example, ls -l /bin/su displays:

-rwsr-xr-x   1 root   root   14888 Aug 15  1999 /bin/su*

which shows that su is a SUID program. A typical attack on a UNIX system is to create a SUID root copy of a shell and hide it; by invoking this back door later, the attacker regains root. For example, if a system administrator forgets to close a root shell, a malicious user runs the following:

cp /bin/bash /home/badman/.bash; chmod 4777 /home/badman/.bash

badman now has a SUID root copy of bash, and with it complete root authority. The system administrator should therefore regularly check which SUID and SGID files exist on the system, using the following command:

find / -type f \( -perm -4000 -o -perm -2000 \) -ls

Of course, an attacker can evade detection by modifying the find command, so it is better to run a dedicated checking tool (such as Tripwire).

3.1.2.4 Encryption and verification

The Tripwire tool uses cryptographic checksums to determine whether a file has been modified without authorisation; encryption can be used to protect confidential files or even a whole file system. Encryption uses a key to transform a file into unintelligible ciphertext and so protects the file's contents. Encryption algorithms commonly used on UNIX include crypt (the earliest tool), DES (currently the most common), IDEA (International Data Encryption Algorithm), RC4, Blowfish, RSA and others. The algorithms themselves are not discussed here; to understand them, read Bruce Schneier's "Applied Cryptography". Note the one-way hash function: it takes input of any length and returns a fixed-length hash value (128 bits). Commonly used hashes are MD5, SHA, HAVAL, Snefru and so on. A one-way hash function is often combined with a public key algorithm to create a digital signature, which provides proof of identity; compared with a traditional signature, a digital signature can also show whether the file has been modified. PGP is a tool for protecting information, especially email, on UNIX. It uses the IDEA algorithm to encrypt data, RSA for key management and digital signatures, and MD5 as its one-way hash function. Its strength is security: not only are the contents concealed, the sender's signature is also encrypted. PGP can also be used to encrypt local files.
The PGP tools found on Linux today are pgpe (encrypt), pgps (sign), pgpv (verify/decrypt) and pgpk (key management); see their help for details. You may have heard the story of the Trojan horse: the ancient Greeks besieged Troy for a long time, so they pretended to sue for peace and sent a huge wooden horse as a gift to the city's ruler. The Trojans brought it into the city; the Greek soldiers hidden inside came out, joined forces with the army outside, and Troy fell. In computer security this trick has become a standard way of attacking systems: a Trojan horse sits on your computer and can break out whenever the attacker needs it. Once a system has been loaded with a Trojan horse it can no longer be trusted and must be reinstalled from scratch. How to avoid this? Good habits, for example: limit downloads, and download only from reputable sites; check downloaded files; avoid running precompiled binaries and compile from source instead; do not run programs sent by untrusted email; do not run Java applets or JavaScript from untrusted web sites. MD5 checksums are sometimes distributed with software, and users can use them to verify a package. The user runs the md5sum tool included with Red Hat Linux, for example:

md5sum cops.1.04.tar.gz

and compares the resulting checksum with the one supplied with the package. If the two differ, something went wrong in transmission and the file cannot be trusted; it is best to download it again.
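The md5sum comparison above, and the Tripwire-style integrity check the same section describes (record a checksum for each file once, and later detect anything that changed, vanished or appeared), as an added Python example; it is not the article's code and not Tripwire. It runs over a constructed temporary directory, and the MD5("abc") value it checks against is the published RFC 1321 test vector.

```python
"""A small Tripwire-style integrity checker: record file digests, then detect changes.

Added example for this article (not the author's code). It works on a
constructed temporary directory so it runs anywhere, offline.
"""
import hashlib
import os
import tempfile

# Known test vector from RFC 1321, used to show the md5sum comparison.
MD5_OF_ABC = "900150983cd24fb0d6963f7d28e17f72"


def file_digest(path, algorithm="md5"):
    """Hex digest of a file, read in chunks the way md5sum does."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, expected_hex, algorithm="md5"):
    """The md5sum comparison: True only when the digest equals the published value."""
    return file_digest(path, algorithm).lower() == expected_hex.strip().lower()


def build_manifest(root, algorithm="sha256"):
    """Baseline: map each regular file (relative path) to (size, digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            manifest[rel] = (os.path.getsize(path), file_digest(path, algorithm))
    return manifest


def check_manifest(root, manifest, algorithm="sha256"):
    """Compare the tree with the baseline; return (changed, missing, added) lists."""
    current = build_manifest(root, algorithm)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return changed, missing, added


def _put(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def verify_demo():
    """Constructed download check: correct checksum accepted, wrong one rejected."""
    root = tempfile.mkdtemp(prefix="md5demo-")
    _put(root, "pkg.tar.gz", b"abc")
    path = os.path.join(root, "pkg.tar.gz")
    return verify_checksum(path, MD5_OF_ABC), verify_checksum(path, "0" * 32)


def manifest_demo():
    """Constructed scenario: baseline three files, then tamper, delete and add one each."""
    root = tempfile.mkdtemp(prefix="integrity-")
    _put(root, "sbin/lilo", b"original lilo binary")
    _put(root, "etc/passwd", b"root:x:0:0:root:/:/sbin/sh\n")
    _put(root, "etc/shadow", b"root:NP:6445::::::\n")
    baseline = build_manifest(root)
    _put(root, "sbin/lilo", b"original lilo binary")   # same bytes: not a change
    _put(root, "etc/passwd", b"root:x:0:0:root:/:/sbin/sh\nbadman:x:0:0::/:/bin/sh\n")
    os.remove(os.path.join(root, "etc", "shadow"))
    _put(root, "home/badman/.bash", b"constructed stand-in for a copied shell")
    return check_manifest(root, baseline)


if __name__ == "__main__":
    print(verify_demo())
    print(manifest_demo())
```

The baseline manifest is only as trustworthy as its storage: keep it (and the checker) on read-only media or another host, since an intruder who can rewrite the manifest can hide any change.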

md5sum can also be used to verify system files. For example, after first installing the system, checksum the important LILO binary with md5sum lilo; the result should stay the same unless you upgrade.

3.1.2.5 Integrity checking

Integrity is a core property of a secure system: users need to know that the file they wrote yesterday and the file they open today have not been changed. An attacker can damage the file system in many ways, taking advantage of badly configured permissions to plant Trojan horses and viruses. Linux computes a 16-bit checksum with the cksum command, and the md5sum described above is another such command. RPM (Red Hat Package Manager), developed by Red Hat Software and included in its Linux products, is a multi-purpose package manager that can build, install, query, verify, upgrade and uninstall individual packages.

3.1.2.6 Encrypted file systems

An encrypted file system is a more compelling approach to file system security. It follows a simple maxim: if a system holds confidential data, the data should be stored encrypted. The core idea of the Cryptographic File System (CFS) is that CFS provides a transparent interface to directories and files and encrypts them automatically with the user's key. A single command associates a key with a directory; from then on the directory's contents are encrypted automatically when written and decrypted automatically when opened. TCFS, a Transparent Cryptographic File System developed in Italy, goes further: users need not even know that their files are encrypted. Download it from http://tcfs.dia.unisa.it/

3.1.2.7 Backups

The importance of backups needs no elaboration, so what backup strategies are there? The common ones are full backups, regular backups, incremental backups (only modified files), special backups (of particular files), and so on.
Linux provides the following backup tools:

1) cp: copy; for example, cp -r dir1 dir2 copies everything in dir1 to dir2.
2) tar: creates an archive, adds files to it, or extracts files from it. The archive is itself a file containing many other files and their metadata; tar was originally designed for tape drives.
3) cpio: copies files into or out of a cpio or tar archive, similar to tar.
4) dump: copies an entire file system onto backup media. One way to guarantee a complete backup is to run a level 0 (full) backup and then periodic incremental backups: dump supports ten levels, and a backup at a given level saves every file changed since the last backup at a lower level. By default dump writes to disk media. For example, to back up a SCSI disk (/dev/rsd0a) to tape (/dev/rst0):

dump 0fs /dev/rst0 1500 /dev/rsd0a

5) restore: restores a whole file system or extracts individual files; the counterpart of dump. Note that restore is especially risky because it runs SUID root; as with any SUID root program, run it at your own risk.

3.1.2.8 Other common system security tools

1) Crypt Breakers Workbench: a platform integrating several tools to help a cryptanalyst read files encrypted with BSD 4.2 crypt. ftp://coast.cs.purdue.edu/pub/tools/unix/cbw
2) hobgoblin: ftp://coast.cs.purdue.edu/pub/tools/unix/hobgoblin/
3) Tripwire, strongly recommended, a file system integrity checker. http://www.tripwiresecurity.com/
4) trojan, a Perl program that any user can run to check for Trojan horses.

ftp://coast.cs.purdue.edu/pub/tools/unix/trojan/trojan.pl
5) PGP, the popular email and file encryption program. http://ruffus.w3.org/linux/rpm/pgp.html
6) libdes, a tool for building a DES encryption library and a DES encryption program, including a fast implementation of crypt(3).

ftp://ftp.psy.uq.oz.au/pub/crypto/des/

3.1.3 User account and environment security

3.1.3.1 Strengthening password management

The following commands and parameters strengthen the management of user passwords:

1) passwd -n 30 user        # force the user to change the password every 30 days
2) passwd -f user           # force the user to change the password at next login
3) passwd -n 2 -x 1 user    # prevent the user from changing the password
4) passwd -l user           # lock the account and disable login

3.1.3.2 Crack

Crack finds easily guessed passwords in /etc/shadow. Running Crack increases CPU load, but on its first run it typically yields the passwords of 10% of the system's accounts. URL: ftp://sable.ox.ac.uk/pub/comp/security/software/crackers/

3.1.3.3 Disabling remote root login

Keep the CONSOLE line (CONSOLE=/dev/console) in /etc/default/login, which is the default, and add root to /etc/ftpusers.

3.1.3.4 Configuring the root environment

1) Set umask to 077 or 027.
2) Check your PATH setting; it must not contain "./".

3.1.3.5 Deleting unnecessary accounts

Remove or lock accounts that are not required, for example sys, uucp, nuucp, listen and so on. The simple way is to put "NP" in the password field of /etc/shadow.

3.1.3.6 NIS security

NIS has never been a secure service. If it is configured and the NIS domain name is guessed, it hands the intruder a great deal of information, much as brute-force password cracking does. To close this hole, put the addresses of trusted hosts in /var/yp/securenets, and consider using NIS+ or Secure RPC.

3.1.3.7 Disabling rlogin/rsh

Remove /etc/hosts.equiv, /.rhosts and the .rhosts file in each home directory, remove the r-series services from /etc/inetd.conf, then find the inetd process ID and restart it.
3.1.3.8 Restricting network access to the system

The telnet and ftp daemons are started by the inetd process, whose configuration file is /etc/inetd.conf, together with other services. You can simply move this file aside and create a new one containing only two lines:

ftp     stream  tcp  nowait  root  /usr/local/bin/tcpd  /usr/local/bin/wu-ftpd
telnet  stream  tcp  nowait  root  /usr/local/bin/tcpd  /usr/sbin/in.telnetd

This assumes you need telnet and ftp; if you do not need even these two services, comment them out or delete them, and inetd will not start them. Access control for tcpd is governed by the files /etc/hosts.allow and /etc/hosts.deny. tcpd consults /etc/hosts.allow first; if you allow only a few hosts telnet or ftp access there, access is then denied to every other machine.
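The tcpd decision order described above (hosts.allow first, then hosts.deny, then the built-in default), as an added Python example; it is not the article's code and not tcp_wrappers itself, and it implements only the subset of the pattern syntax used in this section (ALL, daemon names, dotted addresses, net/mask pairs) over constructed file contents.

```python
"""Evaluate tcp_wrappers-style access control: hosts.allow, then hosts.deny,
then the built-in default of allowing access.

Added example for this article (not tcpd's code). It understands the pattern
subset used in the section: ALL, a daemon name, a dotted IP, or net/mask.
"""
import ipaddress

HOSTS_ALLOW = """\
# constructed sample: only hosts on the 172.16.3.0/24 network may use any service
ALL: 172.16.3.0/255.255.255.0
"""

HOSTS_DENY = """\
# constructed sample: everyone else is refused (the spawn option is parsed but ignored)
ALL: ALL: spawn /usr/bin/mailx -s "%d: connection attempt from %c" root@mydomain.com
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)] from a hosts.allow/hosts.deny body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                      # malformed line: ignore it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))  # fields[2:] would hold options such as spawn
    return rules


def client_matches(pattern, client_ip):
    """ALL, an exact address, or a net/mask pair."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
    return ip == ipaddress.ip_address(pattern)


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants access, else a hosts.deny match refuses
    it, else access is granted; that last step is why hosts.deny needs ALL: ALL."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for d, ip in (("in.telnetd", "172.16.3.25"), ("in.telnetd", "10.0.0.5")):
        print(d, ip, "allowed" if access_allowed(d, ip) else "denied")
```

The last branch of access_allowed is the one to remember when reviewing a host: with an empty or missing hosts.deny, every client not named in hosts.allow still gets in.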

This is the "default deny" access control policy. Here is a sample hosts.allow file:

ALL: 172.16.3.0/255.255.255.0

This allows any user on a host in the 172.16.3.0 network to reach your telnet and ftp services. Remember to put IP addresses here, because domain names are easier to spoof. Now we are ready to reject everyone else; put the following in /etc/hosts.deny:

ALL: ALL: spawn /usr/bin/mailx -s "%d: connection attempt from %c" root@mydomain.com

This not only rejects all other connections, it also makes tcpd send mail to root whenever a connection attempt occurs. You may also want syslog to record every access; put the following in /etc/syslog.conf:

auth.notice;auth.info	/var/log/authlog

Note that the whitespace between the two fields must be a Tab, otherwise syslog may not work properly.

3.1.3.9 Configuring S/KEY

S/KEY is a software package implementing a secure one-time password scheme. A sequence of information (including a secret password) is processed with MD5: the initial key is first processed with MD4, the 128-bit result is folded to 64 bits, the 64-bit value is passed to the MD5 function, and this process repeats until the expected value is reached. To start using S/KEY, create an account whose shell is /usr/local/bin/keysh. In /etc/passwd:

access:x:100:100:Access Account:/tmp:/usr/local/bin/keysh

and in /etc/shadow:

access:NP:6445::::::

Then use passwd access to set the user's password. Since /usr/local/bin/keysh is not a standard shell, your /etc/shells file must read:

/sbin/sh
/usr/local/bin/keysh

so that only users with one of these two login shells are allowed access.
Then create the file /etc/skeykeys and give it restrictive permissions:

touch /etc/skeykeys
chmod 600 /etc/skeykeys
chown root /etc/skeykeys
chgrp root /etc/skeykeys

Use the keyinit access command to initialise the S/KEY secret password. Now you can configure which users may become superuser through the keysu command: first change /etc/group to

root::0:root,access

Only users listed here can become superuser through keysu. Now use keyinit root to initialise the superuser's S/KEY secret password; it is recommended that it differ from the user's. You could delete /bin/su to ensure that users can only use keysu, but unfortunately many scripts use /bin/su to start processes, so simply change its permissions with chmod 500 /bin/su.

3.1.3.10 X security configuration

Use the SUN-DES-1 option to have X authenticate through Secure RPC; you can then grant access with xhost user@host.
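The hash chain that section 3.1.3.9 describes (hash the secret, fold 128 bits to 64, iterate; the server keeps only the last accepted value and verifies a login by hashing the submitted value once more), as an added Python example; it is not the article's code and not the S/KEY package. It uses MD5 for every step and a XOR fold, whereas real S/KEY implementations have their own fold and originally used MD4, so treat the hash details as this example's assumptions; the scheme's structure and its replay resistance are what it demonstrates.

```python
"""S/KEY-style one-time password chain.

Added example for this article (not the S/KEY package). Assumptions: MD5 at
every step and a XOR fold of the two 64-bit halves; the seed and password
below are constructed values.
"""
import hashlib
import struct


def fold_to_64(digest16):
    """Fold a 16-byte digest into 8 bytes by XORing its two halves."""
    a, b = struct.unpack("<QQ", digest16)
    return struct.pack("<Q", a ^ b)


def step(value8):
    """One hop along the chain: hash the 64-bit value and fold again."""
    return fold_to_64(hashlib.md5(value8).digest())


def initial(secret, seed):
    """keyinit: start the chain from the seed and the user's secret password."""
    return fold_to_64(hashlib.md5((seed + secret).encode()).digest())


def otp(secret, seed, n):
    """The n-th one-time password: the initial value hashed n times (the client side)."""
    value = initial(secret, seed)
    for _ in range(n):
        value = step(value)
    return value


class SkeyServer:
    """Stores only the sequence number and the last accepted value, never the secret."""

    def __init__(self, secret, seed, n=100):
        self.seed = seed
        self.n = n
        self.last = otp(secret, seed, n)   # the secret is discarded after keyinit

    def challenge(self):
        """What the login program prints: the sequence number to use and the seed."""
        return self.n - 1, self.seed

    def login(self, candidate):
        """Accept the candidate only if hashing it once yields the stored value;
        on success it becomes the new stored value, so it can never be replayed."""
        if step(candidate) != self.last:
            return False
        self.last = candidate
        self.n -= 1
        return True


if __name__ == "__main__":
    server = SkeyServer("constructed-secret", "ro12345")
    n, seed = server.challenge()
    print("challenge", n, seed, "login:", server.login(otp("constructed-secret", seed, n)))
```

Each accepted value is a preimage of the previous one, so an eavesdropper who captures password n learns nothing usable for n-1; the cost is that the chain must be re-initialised with keyinit before the counter reaches zero.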

3.1.3.11 Enabling the SUN-DES-1 authentication mechanism

Set

DisplayManager*authorize: true
DisplayManager._0.authName: SUN-DES-1

and remove ~/.Xauthority (rm ~/.Xauthority). Grant the local host permission with xauth:

xauth local/unix:0 SUN-DES-1 unix.local@nisdomain
xauth local:0 SUN-DES-1 unix.local@nisdomain

Start X with xinit -- -auth ~/.Xauthority. Add yourself and remove the others:

xhost user@ unix.local@nisdomain -local -localhost

To give the user foo permission to connect to the host "node", allow foo on node with xhost foo@, then create the appropriate entry in foo's .Xauthority:

xauth add node:0 SUN-DES-1 unix.node@nisdomain

foo can now connect to "node":

xload -display node:0

3.1.4 System startup and shutdown

3.1.4.1 Removing unnecessary startup files

Normally you should check every file in /etc/rc2.d and /etc/rc3.d that begins with S. Any device or service that is not necessary can be renamed (so that it no longer begins with S); then reboot, watch the startup from /var/adm/messages, and check the output of ps -elf.

3.1.4.2 Stripping the system

Under Solaris you can change the startup behaviour by modifying the /etc/rc[s0-3].d files. Besides the unused services in /etc/rc2.d, I also recommend removing everything in /etc/init.d except the files in the following list:

K15RRCD S05RMTMPFILES K15SOLVED S20SYSETUP S72INETSVC S99AUDIT S21PERF S99dtlogin K25snmpd S30sysid.net S99netconfig K50pop3 S74syslog S75cron S92rtvc-config K60nfs.server K65nfs.client S69inet K92volmgt README S95SUNWmd.sync S01MOUNTFSYS S71sysid.sys S88utmpd S95rrcd

These files may differ from yours, depending on the graphics card in the machine, whether Solaris DiskSuite is installed, and so on. Remove the files in /etc/rc3.d ...

3.1.4.3 Disabling NFS

NFS exports are managed by the /etc/dfs/dfstab file; you can delete it. To stop the NFS server daemons, rename /etc/rc3.d/S15nfs.server.
To prevent a machine from becoming an NFS client, rename /etc/rc2.d/S73nfs.client. When renaming these startup files, be careful not to leave the first letter as "S".

3.1.4.4 RPC security

rpcbind is the program that matches RPC requests to RPC services, but standard RPC is insecure: it uses "AUTH_UNIX" authentication, that is, it relies on the remote system's IP address and the remote user's UID. Ordinary systems may need some RPC services, but it is best to disable RPC on servers of every kind. Security tools can also help determine whether the RPC services affect your system's security. RPC can be disabled by renaming /etc/rc2.d/S71rpc.

3.1.4.5 in.fingerd security

in.fingerd has had security problems in the past; if you want to offer finger, run it as nobody.

3.1.4.6 Not running /usr/lib/sendmail as a daemon

Since you do not need to listen for mail on port 25 at all times, add the following crontab entry instead:

0 * * * * /usr/lib/sendmail -q > /var/adm/sendmail.log 2>&1

This invokes sendmail once an hour to process the queued messages.

3.1.5 cron and at

3.1.5.1 Notes on cron tasks

1) To see all cron tasks, look at the files under /var/spool/cron/crontabs.
2) CRONLOG=YES must be set in /etc/default/cron to log cron's actions.

3.1.5.2 cron user configuration

The two files /etc/cron.d/cron.allow and /etc/cron.d/cron.deny determine whether a particular user may run the crontab command. daemon, bin, smtp, nuucp, listen, nobody and noaccess should not have crontab permission.

3.1.5.3 at user configuration

The two files /etc/cron.d/at.allow and /etc/cron.d/at.deny determine whether a particular user may run the at command. daemon, bin, smtp, nuucp, listen, nobody and noaccess should not have at permission.

3.1.5.4 cron and Tripwire

Tripwire should be configured to check the following files and directories: /etc/cron.d, /etc/default/cron, /etc/cron.d/cron.allow, /etc/cron.d/cron.deny, /etc/cron.d/at.allow and /etc/cron.d/at.deny.

3.1.6 System logs

Keep hard copies of all important log files. Ensuring the integrity of the various log files in /var/log is a very important part of system security. Even after we add many security measures to a server, hackers may still break in, and then the log files are our last line of defence, so it is necessary to consider how to guarantee their integrity. If a printer is installed on the server, or on another server in the network, you can print them out.
This requires a printer that prints continuously (a line printer), and a syslog rule that sends all important log messages to /dev/lp0 (the printer device). An intruder can alter files and programs on the server, but cannot alter a record that has already been printed. For example, to record all telnet, mail, boot and SSH activity on the server and print it on the printer attached to this server, add one line to /etc/syslog.conf. Edit the file (vi /etc/syslog.conf) and add:

authpriv.*;mail.*;local7.*;auth.*;daemon.info	/dev/lp0

Two caveats for Solaris: the selector and the action must be separated by a tab, not by spaces, and authpriv is a Linux facility name that Solaris syslogd does not recognise (Solaris only has auth), so use auth.* alone there. (In the variant that forwards to a remote host, "mail" is the hostname of the machine that collects the logs.) If someone breaks into your machine and tampers with all the important system logs, you need not be afraid, because you already have a printed copy or a copy on another host, and the intrusion can be reconstructed from it afterwards.
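Before restarting syslogd with the printer line above (or its loghost variant), it is worth checking the configuration for the two Solaris-specific mistakes just mentioned. The following script is an added example and is not part of the original article: check_syslog_conf reports selector/action pairs separated by spaces instead of a tab and any facility or level name that is not in the Solaris syslog.conf(4) lists (authpriv, for instance). The sample syslog.conf lines it runs on when called without arguments are constructed for illustration.

```shell
#!/bin/sh
# check_syslog_conf: added example, not part of the original article.
# Looks for two things Solaris syslogd does not accept in /etc/syslog.conf:
#   - selector and action separated by spaces instead of a tab
#   - facility or level names that are not in syslog.conf(4)
#     (authpriv is a Linux facility; Solaris only has auth)
# Prints one line per problem and exits with the number of problems found.
# Usage: check_syslog_conf /etc/syslog.conf

# Facility and level names from the Solaris syslog.conf(4) man page
# ("audit" only exists from Solaris 10 on).
SOLARIS_FACILITIES="user kern mail daemon auth lpr news uucp cron audit local0 local1 local2 local3 local4 local5 local6 local7 mark"
SOLARIS_LEVELS="emerg alert crit err warning notice info debug none"

check_syslog_conf() {
    awk -v facs="$SOLARIS_FACILITIES" -v lvls="$SOLARIS_LEVELS" '
    function report(msg) { printf("%s:%d: %s\n", FILENAME, FNR, msg); bad++ }
    BEGIN {
        n = split(facs, a, " "); for (i = 1; i <= n; i++) fac[a[i]] = 1
        n = split(lvls, a, " "); for (i = 1; i <= n; i++) lvl[a[i]] = 1
        bad = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        # Solaris syslogd requires a tab between selector and action.
        if ($0 !~ /\t/) report("selector and action must be separated by a tab, not spaces")
        # $1 is the selector list: facility[,facility].level[;facility.level...]
        nsel = split($1, sel, "[;]")
        for (i = 1; i <= nsel; i++) {
            if (split(sel[i], fl, "[.]") != 2) { report("malformed selector \"" sel[i] "\""); continue }
            nf = split(fl[1], f, "[,]")
            for (j = 1; j <= nf; j++) {
                if (f[j] != "*" && !(f[j] in fac)) {
                    hint = (f[j] == "authpriv") ? " (Solaris uses auth, not authpriv)" : ""
                    report("unknown facility \"" f[j] "\"" hint)
                }
            }
            if (fl[2] != "*" && !(fl[2] in lvl)) report("unknown level \"" fl[2] "\"")
        }
    }
    END { exit bad }
    ' "$1"
}

# Without arguments: run on a constructed file mixing a correct Solaris line
# with the Linux-style line from the text (space separator, authpriv facility).
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp) || exit 1
    printf 'auth.*;daemon.info\t/dev/lp0\nauthpriv.*;mail.* /dev/lp0\n*.err;kern.notice\t@mail\n' > "$tmp"
    check_syslog_conf "$tmp"
    rm -f "$tmp"
else
    check_syslog_conf "$1"
fi
```

Run as check_syslog_conf.sh /etc/syslog.conf before sending syslogd a HUP; on the constructed sample it reports the second line twice (no tab, unknown facility authpriv) and exits with status 2.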

To forward the same messages to a central log host instead of (or in addition to) the printer, where mail is the hostname of the machine that collects the logs, use:

authpriv.*;mail.*;local7.*;auth.*;daemon.info	@mail

3.1.7 The Solaris ndd command
The ndd command makes it easy to modify kernel and TCP/IP driver parameters on a running system. Use the following commands (the "?" query) to list the parameters each driver supports and whether they can be changed:

[root@/]> ndd /dev/arp \?
?                                   (read only)
arp_debug                           (read and write)
arp_cleanup_interval                (read and write)

[root@/]> ndd /dev/icmp \?
?                                   (read only)
icmp_wroff_extra                    (read and write)
icmp_def_ttl                        (read and write)
icmp_bsd_compat                     (read and write)
icmp_xmit_hiwat                     (read and write)
icmp_xmit_lowat                     (read and write)
icmp_recv_hiwat                     (read and write)
icmp_max_buf                        (read and write)
icmp_status                         (read only)

[root@/]> ndd /dev/ip \?
?                                   (read only)
ip_forwarding                       (read and write)
ip_respond_to_address_mask_broadcast (read and write)
ip_respond_to_echo_broadcast        (read and write)
ip_respond_to_timestamp             (read and write)
ip_respond_to_timestamp_broadcast   (read and write)
ip_send_redirects                   (read and write)
ip_forward_directed_broadcasts      (read and write)
ip_debug                            (read and write)
ip_mrtdebug                         (read and write)
ip_ire_cleanup_interval             (read and write)
ip_ire_flush_interval               (read and write)
ip_ire_redirect_interval            (read and write)
ip_def_ttl                          (read and write)
ip_forward_src_routed               (read and write)
ip_wroff_extra                      (read and write)
ip_ire_pathmtu_interval             (read and write)
ip_icmp_return_data_bytes           (read and write)
ip_send_source_quench               (read and write)
ip_path_mtu_discovery               (read and write)
ip_ignore_delete_time               (read and write)
ip_ignore_redirect                  (read and write)
ip_output_queue                     (read and write)
ip_broadcast_ttl                    (read and write)
ip_icmp_err_interval                (read and write)
ip_reass_queue_bytes                (read and write)
ip_strict_dst_multihoming           (read and write)
ip_addrs_per_if                     (read and write)
ip_ill_status                       (read only)
ip_ipif_status                      (read only)
ip_ire_status                       (read only)
ip_ipc_status                       (read only)
ip_rput_pullups                     (read and write)
ip_enable_group_ifs                 (read and write)

[root@/]> ndd /dev/tcp \?
?                                   (read only)
tcp_close_wait_interval             (read and write)
tcp_conn_req_max_q                  (read and write)
tcp_conn_req_max_q0                 (read and write)
tcp_conn_req_min                    (read and write)
tcp_conn_grace_period               (read and write)
tcp_cwnd_max                        (read and write)
tcp_debug                           (read and write)
tcp_smallest_nonpriv_port           (read and write)
tcp_ip_abort_cinterval              (read and write)
tcp_ip_abort_linterval              (read and write)
tcp_ip_abort_interval               (read and write)
tcp_ip_notify_cinterval             (read and write)
tcp_ip_notify_interval              (read and write)
tcp_ip_ttl                          (read and write)
tcp_keepalive_interval              (read and write)
tcp_maxpsz_multiplier               (read and write)
tcp_mss_def                         (read and write)
tcp_mss_max                         (read and write)
tcp_mss_min                         (read and write)
tcp_naglim_def                      (read and write)
tcp_rexmit_interval_initial         (read and write)
tcp_rexmit_interval_max             (read and write)
tcp_rexmit_interval_min             (read and write)
tcp_wroff_xtra                      (read and write)
tcp_deferred_ack_interval           (read and write)
tcp_snd_lowat_fraction              (read and write)
tcp_sth_rcv_hiwat                   (read and write)
tcp_sth_rcv_lowat                   (read and write)
tcp_dupack_fast_retransmit          (read and write)
tcp_ignore_path_mtu                 (read and write)
tcp_rcv_push_wait                   (read and write)
tcp_smallest_anon_port              (read and write)
tcp_largest_anon_port               (read and write)
tcp_xmit_hiwat                      (read and write)
tcp_xmit_lowat                      (read and write)
tcp_recv_hiwat                      (read and write)
tcp_recv_hiwat_minmss               (read and write)
tcp_fin_wait_2_flush_interval       (read and write)
tcp_co_min                          (read and write)
tcp_max_buf                         (read and write)
tcp_zero_win_probesize              (read and write)
tcp_strong_iss                      (read and write)
tcp_rtt_updates                     (read and write)
tcp_wscale_always                   (read and write)
tcp_tstamp_always                   (read and write)
tcp_tstamp_if_wscale                (read and write)
tcp_rexmit_interval_extra           (read and write)
tcp_deferred_acks_max               (read and write)
tcp_slow_start_after_idle           (read and write)
tcp_slow_start_initial              (read and write)
tcp_co_timer_interval               (read and write)
tcp_extra_priv_ports                (read only)
tcp_extra_priv_ports_add            (write only)
tcp_extra_priv_ports_del            (write only)
tcp_status                          (read only)
tcp_bind_hash                       (read only)
tcp_listen_hash                     (read only)
tcp_conn_hash                       (read only)
tcp_queue_hash                      (read only)
tcp_host_param                      (read and write)
tcp_1948_phrase                     (write only)

To display the current value of a parameter:
# ndd /dev/arp arp_debug
0
(0 means the feature is disabled.) To set a value:
# ndd -set /dev/arp arp_debug 1
(1 means the feature is enabled.) These parameters are normally tuned for performance, and a wrong setting can make the system behave abnormally, which is why Sun does not document them for free adjustment. Note also that values set with ndd are not persistent: they are lost at reboot, so permanent settings belong in an rc script.

3.1.8 System patches
Like all complex systems, Solaris has its vulnerabilities, some of them quite serious by nature. Sun has a good tradition of providing patches to its customers, even to those without a support contract. Patches come either as a cluster (the Recommended patch set) or as single patches. Unfortunately, to repair a system completely you need both the large cluster and a number of single patches, so below we describe a method of combining a patch cluster with single patches. Use patchadd -p or showrev -p to see which patches are installed. For the host you want to protect, and for every host you can reach from it, find the relevant patches on Sun's web site, and check regularly for new patch releases.

Patching steps:
1) Type umask 022 to set your permission mode. Installing patches requires that all patch files be readable, and all patch directories traversable, by "nobody" (don't ask why; that is just how it is).
3) Create a directory called patch and enter it. I usually do:
mkdir /var/tmp/patch
cd /var/tmp/patch
Make sure the file system holding the patch directory has enough free disk space (tip: df -k shows the space available on each file system). Do not use /tmp: on Solaris it is swap-backed and is cleared at reboot.
4) Connect to the SunSolve server with FTP: ftp sunsolve.sun.com. Log in as "anonymous" with your e-mail address as the password.
5) Switch to binary mode by typing: bin. Turn off per-file prompting by typing: prompt, so that you are not asked about every single patch during mget.
6) The patches live in the /pub/patches directory on SunSolve, so type: cd /pub/patches
7) Get the PatchReport file for your operating system version. List them with: ls *.PatchReport, for example:

ftp> ls *.PatchReport
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
Solaris1.1.1.PatchReport
Solaris1.1.2.PatchReport
Solaris1.1.PatchReport
Solaris2.3.PatchReport
Solaris2.4.PatchReport
Solaris2.4_x86.PatchReport
Solaris2.5.1.PatchReport
Solaris2.5.1_x86.PatchReport
Solaris2.5.PatchReport
Solaris2.5_x86.PatchReport
Solaris2.6.PatchReport
Solaris2.6_x86.PatchReport
Solaris7.PatchReport
Solaris7_x86.PatchReport
226 Transfer complete.
remote: *.PatchReport
360 bytes received in 0.0044 seconds (79.16 Kbytes/s)

x86 and SPARC have different patch report files; the SPARC versions are the ones without "x86" in the name.
8) Get the patch report, for example: get Solaris2.6.PatchReport
9) Get the Recommended patch cluster for your system version and its README. You can list the Recommended files with: ls *Recommended*. The output looks like this:

ftp> ls *Recommended*
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
2.3_Recommended.README
2.3_Recommended.tar.Z
2.4_Recommended.README
2.4_Recommended.tar.Z
2.4_x86_Recommended.README
2.4_x86_Recommended.tar.Z
2.5.1_Recommended.README
2.5.1_Recommended.tar.Z
2.5.1_x86_Recommended.README
2.5.1_x86_Recommended.tar.Z
2.5_Recommended.README
2.5_Recommended.tar.Z
2.5_x86_Recommended.README
2.5_x86_Recommended.tar.Z
2.6_Recommended.README
2.6_Recommended.tar.Z
2.6_x86_Recommended.README
2.6_x86_Recommended.tar.Z
7_Recommended.README
7_Recommended.zip
7_x86_Recommended.README
7_x86_Recommended.zip

Use mget to fetch the Recommended cluster together with its README, for example: mget 7_x86_Recommended*. This may take a while.
10) While the Recommended cluster downloads, open the patch report. It contains a section on security patches that looks like this:

Solaris 2.5.1 Patches Containing Security Fixes:
------------------------------------------------
103594-19   SunOS 5.5.1: sendmail fixes
103603-10   SunOS 5.5.1: ftp, in.ftpd, in.rexecd and in.rshd patch
103627-11   SunOS 5.5.1: Linker patch
103630-14   SunOS 5.5.1: IP ifconfig arp udp icmp patch
106689-01 * SunOS 5.5.1: /usr/sbin/in.uucpd patch
106905-01 * SunOS 5.5.1: apropos/catman/man/whatis patch
103566-43   OpenWindows 3.5.1: Xsun patch
106411-06 * OpenWindows 3.5.1: xdm patch
(etc.)

Patches marked with "*" are not included in the Recommended cluster, so we have to add them ourselves.
11) When the Recommended cluster has finished downloading, download the single patches marked in the patch report. The fastest way is mget, so type: mget 106689* 106905* 106411*. Important: you may be tempted to fetch all the patches with one mget command, but the number of arguments mget accepts is limited. Also, I deliberately did not specify the revision numbers: this saves typing and also fetches the related README files, and the revision may have changed since the patch report was published.
12) When everything has downloaded, type: quit to end the FTP session.
13) You now have the patch cluster and the single patches. Since the single patches are to be installed as well, we first merge them into the cluster. Unpack the cluster: on Solaris 2.6 or earlier, uncompress 2*Recommended.tar.Z and then tar -xvf 2*Recommended.tar; on Solaris 7, unzip 7*Recommended.zip. Then move all the single patches into the Recommended directory that was created: mv 1* *Recommended, and enter the directory that now holds all the patches: cd *Recommended
14) Now add all the single patches to the patch_order file. This file lists every patch that the install_cluster script will install. You can add them by hand (tip: this is the wrong choice) or let the UNIX tools do it for you. On Solaris 7 use:
ls *.zip | cut -d "." -f1 >> patch_order
On Solaris 2.6 or earlier:
ls *.tar.Z | cut -d "." -f1 >> patch_order
15) Now the single patches have to be extracted, because they are still compressed. On Solaris 7 you can unzip them one at a time, for example: unzip 108723.zip. You cannot type "unzip *.zip", because unzip does not work that way, so to avoid running unzip many times by hand let the shell feed it every file:
ls *.zip | xargs -n1 unzip
On Solaris 2.6 or earlier, type: uncompress *.tar.Z. Then the single patches must be unpacked with tar, one file at a time, for example: tar -xvf 108723.tar. Annoyingly, "tar -xvf *.tar" does not work either, so again let xargs run tar for every file:
ls *.tar | xargs -n1 tar -xvf
16) All the patches are now ready. Take the machine down: /usr/sbin/shutdown -y -g0 -i0, then bring it up in single-user mode: on SPARC type boot -s at the PROM prompt, on x86 type b -s at the boot prompt. Enter the root password when prompted, then type mountall to mount all file systems. Change to the directory holding all the patches: cd /var/tmp/patch/*Recommended, and install "all" the patches with: ./install_cluster, following the prompts. On a Solaris 2.5.1 or 2.6 system you can go and have a coffee, because this takes time. Do not worry too much about errors during installation; most of them occur because a particular package is not installed or a patch has already been applied. When the patching is finished, reboot: /usr/sbin/shutdown -y -g0 -i6

3.1.9 Advanced topics
3.1.9.1 How to prevent code on the stack from executing?
One way intruders exploit system vulnerabilities is the stack overflow: they place a piece of code on the stack and use the overflow to run it and obtain privileges on the system.
To protect your system against stack-based buffer overflow attacks, add the following two lines to /etc/system:

set noexec_user_stack = 1
set noexec_user_stack_log = 1

The first line prevents code placed on the stack from being executed; the second logs every attempt by an intruder to run such an exploit. The changes take effect once the machine is rebooted. If this is a system you cannot take down, the same parameters can be changed on the running kernel with adb. Of course, some legitimate programs that rely on an executable stack will no longer run normally after this change; fortunately there are very few of them, and the only one we know of is the GNU Ada compiler. Note that this protection requires Solaris 2.6 or later and is not available on 32-bit x86 hardware, which cannot mark stack pages non-executable.

3.1.9.2 ARP
We will not describe the details of the ARP protocol here. On Sun systems, entries in the kernel ARP table expire after 5 minutes by default, and this can be adjusted. A second table, the IP-layer routing cache, works together with the ARP table to hold dynamic routing information and expires after 20 minutes. The last feature is gratuitous ARP: the system broadcasts its own hardware address, which is used to detect duplicate hardware addresses and to announce a changed hardware address.

1) ARP attacks
There are two main kinds of ARP attack: denial of service and spoofing. ARP spoofing is usually applied inside an internal network; an attacker uses it to extend an existing compromise.

If an attacker compromises one machine on a subnet, the security of every other machine on that subnet is threatened through ARP. Likewise, an ARP-based denial of service can take down the whole subnet.

2) Defending against ARP attacks
ARP attacks are hard to prevent, and changing the protocol is not a realistic option, but some measures improve the security of the local network. First, if a wrong entry has been inserted into the ARP table or the IP routing cache, there are two ways to remove it:
a. by hand, with arp -d host_entry;
b. automatically, by letting the system expire it. The following methods help:

1). Reduce the expiry times
# ndd -set /dev/arp arp_cleanup_interval 60000
# ndd -set /dev/ip ip_ire_flush_interval 60000
The values are in milliseconds; the default ARP expiry is 300000 (5 minutes). Faster expiry does not prevent an attack, but it makes the attack harder to sustain. The cost is more ARP requests and replies on the network, so do not use this on a busy network.

2). Use a static ARP table. This is very effective and has little impact on the system; the drawback is that it defeats the dynamic ARP protocol. Create a file like:

test.cnns.net 08:00:20:ba:a1:f2
user.cnns.net 08:00:20:ee:de:1f

and load it with arp -f filename. ARP mappings loaded this way never expire and are not overwritten by incoming ARP data unless you delete them with arp -d. But whenever a legitimate host's network card (and hence its hardware address) changes, this file must be updated by hand, so the method is unsuitable for networks that change frequently.

3). Disable ARP altogether with ifconfig interface -arp, so that the interface neither sends nor accepts ARP packets. This presupposes a static ARP table, because a host that is not in the table cannot be reached at all. The method is impractical for most networks because of the added management cost, but it is effective and feasible for small, high-security networks.

3) IP forwarding
IP is the underlying protocol used to transfer data.
IP forwarding is the process of routing packets between different network interfaces. It is usually done by a router, but a host with several network interfaces can forward as well, and a Solaris system with two network interfaces enables IP forwarding by default.

1) Turning off IP forwarding. On a multi-homed host, forwarding can be a security problem: an attacker may reach a private network through it. On Solaris it is easy to turn off: create the empty file /etc/notrouter (touch /etc/notrouter) and forwarding will be disabled from the next boot. It can also be turned off on the running system with ndd:
# ndd -set /dev/ip ip_forwarding 0

2) Strict multi-homing. If the machine is multi-homed, a stricter rule can also be enabled to defend against IP spoofing: a packet arriving on an interface is then accepted only if it is addressed to that interface's own address.
# ndd -set /dev/ip ip_strict_dst_multihoming 1
The default is off (value 0).

3) Forwarding directed broadcasts. While forwarding is enabled, directed broadcasts are forwarded by default. To keep the host from being used as an amplifier in a smurf attack, turn this off (see CERT advisory CA-98.01):
# ndd -set /dev/ip ip_forward_directed_broadcasts 0

4) Routing. Routing consults the routing table to decide which interface a packet should be sent out of. Even a desktop system needs routing settings, and routing tables have to be kept up to date; a variety of routing protocols exist to exchange routing data.

Solaris supports RIP version 1 with the in.routed daemon and ICMP router discovery with the in.rdisc daemon. When a Solaris system is configured to forward packets, it updates its routing information dynamically through both.

5) Attacks on routing. Dynamic routing protocols can be attacked in a variety of ways. An attacker can forge routing updates to achieve a denial of service, or use the same technique to divert traffic to another network where it can be sniffed. By default Solaris manages routing dynamically with the system daemons; static routing is the good way to keep routing information from being changed remotely. Use /etc/defaultrouter to set the default route for the local subnet and the route command to set other routes. Static routes suit a simple network; once there are several routers in the network, dynamic routing becomes necessary, and Solaris will continue to support dynamic routing protocols.

Forwarding source-routed packets. A source-routed packet carries information about the route it must take. An attacker can therefore use source routing to bypass particular routers and firewalls, or to stay out of range of a known IDS. Most Solaris applications do not need this feature, and since Solaris forwards source-routed packets by default once IP forwarding is on, it must be turned off by hand:
# ndd -set /dev/ip ip_forward_src_routed 0

6) ICMP
ICMP is the Internet Control Message Protocol. On Solaris, ICMP behaviour is configured through the IP driver.

1) Broadcasts. ICMP broadcasts often cause trouble, and one rule for preventing broadcast storms is that an ICMP error must never be generated in response to a broadcast. To keep attackers from using ICMP for denial-of-service attacks, it is best not to have the hosts on the local network answer ICMP broadcasts at all. Solaris has three tunable parameters for ICMP broadcasts.
2) Responding to echo broadcasts. Echo (ping) broadcasts are normally used to find out which hosts on a network are alive: by default, every host that receives an echo request sent to the broadcast address answers it. When someone maliciously crafts large numbers of such packets, the traffic on the network rises sharply. We can therefore turn off responses to echo broadcasts:
# ndd -set /dev/ip ip_respond_to_echo_broadcast 0

3) Responding to timestamp broadcasts. Timestamp requests are normally used to synchronise the clocks of two systems, but a system does not need to answer a timestamp request sent to the broadcast address, so this response can be turned off too:
# ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

4) Address mask broadcasts. Address mask requests are used by a host to learn its local netmask, usually while it boots over the network. Responses to such requests can be disabled with:
# ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0

7) Redirect errors
1) An ICMP redirect is normally sent to tell a host to use a different router for a given destination. The router named in the redirect must be on the same subnet as the router that sent it, and the host receiving the message adds a route to that destination to its own routing table. Unlike ARP entries, such routes do not expire. Many systems examine these packets for errors and potential problems before changing their routing tables.

2) Accepting redirects. An attacker can forge redirect messages to load a new route into the target host, and that route may well be wrong, so that the host can no longer communicate with particular hosts or networks. This is a denial-of-service attack. Redirect messages are subject to some validity rules, but these are easily fooled, and plenty of tools exist that do exactly that.
Most hosts that simply use a default router do not need these packets at all, so we can make the system ignore ICMP redirects with ndd (Solaris does not ignore them by default):
# ndd -set /dev/ip ip_ignore_redirect 1

3) Sending redirects. Only routers need to send redirects; no host, not even a multi-homed one, needs to send them, so we can use ndd to stop this machine sending redirect messages:
# ndd -set /dev/ip ip_send_redirects 0

4) Responding to timestamps. As mentioned above, timestamp packets are unnecessary in most environments. Solaris can also be told not to answer them at all:
# ndd -set /dev/ip ip_respond_to_timestamp 0
After this is turned off, UNIX hosts that rely on ICMP timestamps for clock synchronisation (such as rdate-based setups) can no longer synchronise against this machine. Solaris 2.6 and 7 include a far better clock synchronisation mechanism, NTP (the Network Time Protocol); see the xntpd documentation.

8) SYN flood attacks
A TCP SYN flood is also known as a half-open connection attack. Every standard TCP connection (web browsing, a file download, and so on) begins with a three-way handshake: first the client sends a SYN packet to the server; the server answers the SYN with a SYN-ACK; when the client receives the SYN-ACK it sends an ACK back to the server, and once the connection is established the data exchange can begin:

    client                        server
      |----------- SYN ----------->|
      |<-------- SYN-ACK ----------|
      |----------- ACK ----------->|

A SYN flood performs only the first two steps. The server receives the client's SYN and returns a SYN-ACK, but because the source address is spoofed (or by other means) the ACK never arrives, so the server waits a certain time for an ACK in the half-open state, and the number of such half-open connections it can hold is limited.
If an attacker sends such connection requests quickly and continuously, the server's queue of pending TCP connections soon fills up; system resources and available network bandwidth fall sharply and the server can no longer provide normal service to its users. Solaris 2.5.1 only resists SYN floods with patch 103582-1 or later installed. Before SYN floods became common, the connection queue and the backlog queue were one and the same. In Solaris 2.6 and 7, and in 2.5.1 with the patch, there are two queues: one for established connections and one for half-open (not yet established) connections. A SYN flood can only fill the half-open queue, and once it is full, old SYN entries are dropped at random. The system also monitors how quickly this queue fills; when it suspects a SYN flood it logs a warning in /var/adm/messages:

Mar  8 19:24:01 example unix: WARNING: High TCP connect timeout rate! System (port 80) may be under a SYN flood attack!

The size of the half-open queue is tunable, and a busy web server should increase it. The default is 1024; we can raise it to 4096:
# ndd -set /dev/tcp tcp_conn_req_max_q0 4096
In general, when the kernel queues are enlarged, the system's memory should be increased as well.

9) Connection depletion attacks
Unlike a SYN flood, a connection depletion attack is uncommon, because the attacker must use real IP addresses; its target is the queue of established connections.
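The kernel warning quoted above is the only indication Solaris gives of a SYN flood, so before raising tcp_conn_req_max_q0 it is worth seeing which ports are being hit and how often. The following script is an added example, not part of the original article: syn_flood_report extracts the warning lines from /var/adm/messages and summarises them per port, and show_listen_queues prints the two listen queue sizes discussed here. The /var/adm/messages lines it runs on by default are constructed for illustration; only the WARNING text itself is the one the article quotes.

```shell
#!/bin/sh
# syn_flood_report: added example, not part of the original article.
# Summarises the Solaris kernel's SYN-flood warnings from /var/adm/messages
# per port, so that the tcp_conn_req_max_q0 increase recommended above can be
# checked against the ports that are actually being hit and how often.
# Usage: syn_flood_report /var/adm/messages   (prints "port hits first_seen last_seen")

# Constructed sample of /var/adm/messages lines; the WARNING text is the one
# the article quotes, the other two lines are ordinary boot and daemon noise.
SAMPLE_MESSAGES='Mar  8 19:23:58 example unix: NOTICE: hme0: link up
Mar  8 19:24:01 example unix: WARNING: High TCP connect timeout rate! System (port 80) may be under a SYN flood attack!
Mar  8 19:24:05 example unix: WARNING: High TCP connect timeout rate! System (port 80) may be under a SYN flood attack!
Mar  8 19:25:30 example unix: WARNING: High TCP connect timeout rate! System (port 25) may be under a SYN flood attack!
Mar  8 19:26:00 example sendmail[214]: starting daemon'

syn_flood_report() {
    awk '
    /WARNING: High TCP connect timeout rate! System \(port [0-9]+\) may be under a SYN flood attack!/ {
        port = $0
        sub(/.*System \(port /, "", port)     # keep only the port number
        sub(/\).*/, "", port)
        stamp = $1 " " $2 " " $3              # month, day and time of the syslog line
        if (!(port in hits)) first[port] = stamp
        hits[port]++
        last[port] = stamp
    }
    END {
        for (p in hits) printf("%s %d %s %s\n", p, hits[p], first[p], last[p])
    }' "$1" | sort -k2,2nr                    # most-hit port first
}

# Current sizes of the two listen queues the article tunes: needs root and
# ndd on Solaris, prints "unavailable" anywhere else.
show_listen_queues() {
    for p in tcp_conn_req_max_q0 tcp_conn_req_max_q; do
        printf '%s = %s\n' "$p" "$(${NDD:-ndd} /dev/tcp "$p" 2>/dev/null || echo unavailable)"
    done
}

if [ "$#" -gt 0 ]; then
    syn_flood_report "$1"
else
    printf '%s\n' "$SAMPLE_MESSAGES" | syn_flood_report -
fi
```

On the constructed sample the report is "80 2 Mar 8 19:24:01 Mar 8 19:24:05" followed by "25 1 Mar 8 19:25:30 Mar 8 19:25:30". Run it against the real file once the warning appears; a port that keeps showing up after the queue has been enlarged is one whose traffic should be rate-limited upstream rather than tuned for.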

Most systems impose a maximum number of simultaneous connections, depending on kernel parameters and system memory. An ordinary web server rarely reaches this limit, because HTTP connections are typically short-lived. But an attacker can open a large number of connections quickly and hold them open, so that normal visitors are refused by the server. We can mitigate this by tuning the kernel and adding memory, but that is no fundamental cure, because the attacker can attack several machines at once. Once an attack is detected, the offending source addresses can be blocked at the firewall or router. Without such a network device, adjusting system parameters can only alleviate the attack: on one hand, tune the web server (for example Apache's Timeout directive) to shorten the time idle connections are held; on the other, increase the kernel's established-connection queue (default 128):
# ndd -set /dev/tcp tcp_conn_req_max_q 1024
These measures defeat most connection depletion attempts, unless the attacker mobilises far more resources for a large-scale DDoS, which in turn makes the attacker easier to expose.

10) IP spoofing
The basics: TCP connection establishment. To exchange data over a TCP connection, the hosts must first establish the connection, which takes three steps known as the three-way handshake. If host A runs an rlogin client and wants to connect to the rlogin daemon on host B, the exchange is as follows:

1  A ------ SYN ------> B
2  A <--- SYN/ACK ----- B
3  A ------ ACK ------> B

Note that the TCP modules of A and B each use their own sequence numbers. At time 1, the client tells the server that it wants a connection by setting the SYN flag.
At the same time the client puts its initial sequence number (ISN) into the sequence number field of its TCP header and tells the server that the field is valid and should be checked. At time 2, having received the SYN, the server replies with its own ISN and an ACK of the client's ISN, telling the client the next sequence number it expects (ISN+1). At time 3 the client acknowledges the server's ISN, and data transfer can begin. How are the ISN and the subsequent sequence numbers chosen, and how do they change over time? One might expect the sequence number to be reset to 1 when the host boots, but that is not the case. The ISN is determined by the tcp_init function: it is incremented by 128000 every second, and each new connection adds a further 64000. With no connections, the 32-bit counter therefore wraps once every 9.32 hours. This scheme minimises the chance of interfering with existing connections; it relies on the 2MSL wait time, which is outside the scope of this article. If the initial sequence number were chosen freely, there would be no guarantee that it differs from earlier ones. Imagine a packet that finally escapes from a routing loop and arrives at an "old" connection that is in fact a different connection from the one it belonged to: interference would obviously occur. To give several processes parallel access to the TCP module, TCP provides a user-level abstraction called the port.
Ports are used by the operating system kernel to distinguish different network processes; they are strictly a transport-layer concept (IP knows nothing of them). A TCP port together with an IP address identifies one end of a network connection.

In fact, any Internet connection can be identified at any moment by four elements: source IP address, source port, destination IP address and destination port. An attacker samples the TCP sequence numbers issued by the target host in order to predict its next ISN, then impersonates a trusted host and establishes a connection to a service on the target that authenticates by address. If this succeeds, a single command is enough to plant a back door on the system for later unauthorised use. RFC 1948 defines a better, randomised method of generating ISNs that makes this attack difficult. Solaris has three ways of generating ISNs:
0: predictable ISNs
1: enhanced random ISN generation
2: the ISN generation method described in RFC 1948
The default on all Solaris versions is 1. Solaris 2.5.1 only has methods 0 and 1; 2.6 and 7 have all three. To increase the strength of ISN generation, edit /etc/default/inetinit, change TCP_STRONG_ISS=1 to TCP_STRONG_ISS=2, and reboot for it to take effect (on the running system the same parameter can be set with ndd -set /dev/tcp tcp_strong_iss 2). On Solaris 2.5.1 this method is not available.

11) Adding privileged ports
Ports 1 to 1023 are known as privileged ports: only processes running with root privileges can bind them. Some ports above 1023 need the same protection but cannot normally be given it, for example the NFS server port 2049, and there are other well-known services above 1023. On Solaris 2.5.1, 2.6 and 7 the lowest non-privileged port can be redefined:
# ndd -set /dev/tcp tcp_smallest_nonpriv_port 2050
which makes ports 0 to 2049 privileged. On Solaris 2.6 and 7 another parameter lets individual ports be made privileged:
# ndd /dev/tcp tcp_extra_priv_ports
2049
4045
shows the currently defined extra privileged ports (2049 for NFS and 4045 for the lock manager by default), and
# ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
adds a new privileged port. Use tcp_extra_priv_ports_del to remove one.
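Because every ndd setting recommended in items 1) to 11) above is lost at reboot, they are best kept in one script that can both apply them from an rc script and verify that the running kernel still has them. The following script is an added example and is not part of the original article or of any Sun-supplied code: ndd_settings lists the recommended values, apply_ndd sets them, add_priv_port adds an extra privileged port, and verify_ndd reports every parameter that differs from the recommendation. It assumes Solaris 2.6/7 ndd(1M) and root privileges; the NDD variable exists so the script can be dry-run against a stub on another system.

```shell
#!/bin/sh
# nddconfig: added example, not part of the original article or Sun's code.
# Collects the ndd settings recommended in 3.1.9.2 items 1) to 11) so they can
# be applied in one go and, more importantly, verified: ndd changes are lost at
# reboot, so a check that the running kernel still has them belongs in the boot
# sequence and in periodic audits. Assumes Solaris 2.6/7 ndd(1M) and root.
# Usage: nddconfig.sh apply | verify    (set NDD=/path/to/stub for a dry run)

NDD=${NDD:-/usr/sbin/ndd}

# "driver parameter value", one per line; the values are those given in the text.
ndd_settings() {
    cat <<'EOF'
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_flush_interval 60000
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_strong_iss 2
EOF
}

# Apply every setting; a failure is reported but does not stop the others.
apply_ndd() {
    ndd_settings | while read -r drv param value; do
        "$NDD" -set "$drv" "$param" "$value" || echo "ndd -set $drv $param $value failed" >&2
    done
}

# Make one more port above 1023 privileged (root-only bind), e.g. add_priv_port 6112.
# tcp_extra_priv_ports_add is write-only; read the list back with tcp_extra_priv_ports.
add_priv_port() {
    "$NDD" -set /dev/tcp tcp_extra_priv_ports_add "$1"
}

# Print each parameter whose current value differs from the recommended one;
# the exit status is the number of mismatches (0 means fully hardened).
verify_ndd() {
    ndd_settings | while read -r drv param want; do
        have=$("$NDD" "$drv" "$param" 2>/dev/null) || have="unreadable"
        [ "$have" = "$want" ] || echo "$drv $param is $have, want $want"
    done | awk '{ print; n++ } END { exit n }'
}

case "$1" in
    apply)  apply_ndd ;;
    verify) verify_ndd ;;
    "")     : ;;                 # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 apply|verify" >&2; exit 2 ;;
esac
```

Call it with "apply" from an rc script run after the network drivers are loaded, and schedule "verify" from cron so that a reboot or a stray ndd -set that silently drops the hardening shows up as a non-zero exit status. tcp_strong_iss 2 belongs in /etc/default/inetinit as well, since that file is what sets it at boot.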
A caution about privileged ports: do not define too many of them, because some processes that do not run as root use ports in that range. Changing the lowest non-privileged port in particular often causes problems. Analyse your requirements carefully before extending the privileged port range.

3.2 Linux
3.2.1 Physical security
3.2.1.1 BIOS security
Disable booting from the floppy disk and set a BIOS password. Checking the BIOS by hand at every boot improves the security of the system. Disabling floppy boot prevents someone from starting your machine from a specially prepared floppy; a BIOS password prevents someone from changing the BIOS settings, for example re-enabling floppy boot or booting the machine without a password.

3.2.1.2 Security policy
One important point must be made: if you do not know what you are protecting, there is no way to secure the system. You therefore need a security policy, on the basis of which you decide what others are allowed to access. How you develop a security policy depends entirely on your definition of security.

The following questions provide some general guidelines:

1) How do you define confidential and sensitive information?
2) What are the key things to guard against?
3) Who needs access to your system?
4) Is there confidential or sensitive information on the system?
5) What are the consequences if this information is leaked to your competitors or to outsiders?
6) Can passwords and encryption offer sufficient protection?
7) Do you need access to the Internet?
8) How much access to your system do you allow from the Internet?
9) What should you do next if the system is found to have been broken into by hackers?

This list is very short; a real security policy may contain far more than this. The first thing you have to do is assess your own level of paranoia. Without a certain degree of "paranoia" you cannot decide how much to trust others, both people inside the organization and people outside it. A security policy must strike a balance between letting users use the information they need to get their work done and forbidding them from using information entirely. Where that balance lies is determined by the system's policy.

3.2.1.3 Passwords

The Linux security introduction in this chapter starts with the security of passwords. Many people keep everything on a computer, and the way they prevent others from viewing that information is to protect the computer with a password. Nothing is absolutely safe. Contrary to common belief, a password that cannot be cracked does not exist. Given enough time and resources, every password can be guessed, whether by social engineering (translator's note: the original is "social engineering"; no better translation was found; roughly, it means using social and psychological knowledge rather than purely technical means) or by brute-force computation. Getting into a server through social engineering or a similar method is the easiest and most popular way of breaking into a server.
Most technical support staff can easily obtain other users' passwords, because users' security awareness is very poor and they readily trust their colleagues, especially those who help them solve problems. Many break-ins succeed simply because nobody practised secure management. Sometimes, in a particular position, a superior or boss may disclose confidential information, with terrible consequences. Because cracking passwords is work that takes a great deal of time and resources, the password file should be made hard to crack, so that even if a hacker obtains the password file it cannot easily be cracked. As a system administrator, a good way to ensure the security of your system is to audit your own password file every weekend. This helps you find and replace easily guessed passwords as soon as possible. Moreover, there must be a good password-checking mechanism that rejects passwords with security weaknesses when a user chooses a new password or changes an old one. Words found in dictionaries, strings that are all uppercase, and strings that contain no numbers or special characters must not be used. I recommend the following rules for choosing a valid password:

A password has at least 6 characters, preferably including at least one number or special character.
A password is not too simple. "Simple" means easy to guess, that is, using your own name, phone number, birthday, occupation or other personal information as the password.
A password has a period of validity and is replaced after that period.
A password must be invalidated or reset in this case: if you find that someone has tried to guess your password, and has tried many times.

After installing a Linux system, the default minimum password length is 5. That is, a new user who can access the server must have a password of more than 5 characters. However, this is not safe enough; the best password length is greater than 8.
You can force users to use passwords of at least 8 characters. Edit the "/etc/login.defs" file and change the minimum password length from 5 to 8: find the line PASS_MIN_LEN 5 and change it to PASS_MIN_LEN 8. "login.defs" is a very important configuration file.
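The password rules listed above can be turned into a checker that a local password-change hook or an administrator can run. The following is an added example, not code from the original article: it applies the text's rules (minimum length, at least one digit or special character, not all uppercase, not built from personal information) to a candidate password, and reads PASS_MIN_LEN from a login.defs-style file. The default of 5 when the key is absent is the post-install default the text gives; the list of words to reject is supplied by the caller and is a constructed sample in the test.

```shell
# Added example, not from the original article: check a candidate password
# against the rules in the text and read PASS_MIN_LEN from login.defs.
# POSIX sh; no external password library is used.

PASS_MIN_LEN=8   # the value the text recommends setting in /etc/login.defs

# password_ok PASSWORD [REJECT_WORD ...]
# Prints one line per rule violated; returns 0 when every rule passes.
# REJECT_WORDs are the user's name, phone number, birthday and similar
# personal details (or dictionary words) that must not appear in the password.
password_ok() {
    pw="$1"; shift
    bad=0
    if [ "${#pw}" -lt "$PASS_MIN_LEN" ]; then
        echo "too short: need at least $PASS_MIN_LEN characters"
        bad=1
    fi
    case "$pw" in
        *[0-9]*|*[!A-Za-z0-9]*) ;;            # contains a digit or a special character
        *) echo "no digit or special character"; bad=1 ;;
    esac
    case "$pw" in
        *[a-z]*) ;;                           # has lowercase, so it is not all caps
        *[A-Z]*) echo "all uppercase"; bad=1 ;;
    esac
    # Case-insensitive substring check against the supplied reject words.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for word in "$@"; do
        w=$(printf '%s' "$word" | tr 'A-Z' 'a-z')
        case "$lower" in
            *"$w"*) echo "contains rejected word or personal information: $word"; bad=1 ;;
        esac
    done
    return $bad
}

# login_defs_min_len FILE -> prints the PASS_MIN_LEN value from a
# login.defs-style file (last uncommented setting wins), or 5 when absent.
login_defs_min_len() {
    v=$(sed -n 's/^[[:space:]]*PASS_MIN_LEN[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-5}"
}
```

`password_ok` is written to report every violation rather than stopping at the first, which is what a user needs when choosing a new password; feed it the login name, GECOS words and phone number as reject words to enforce the "not too simple" rule.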

Some other security policies can be set in this file, such as the validity period of passwords.

3.2.1.4 The root account

The "root" account is the privileged account in the UNIX system. The "root" account is not subject to any restrictions or constraints. Because the system assumes that root knows what it is doing, it does whatever root tells it without asking any questions. Therefore a mistyped command may cause an important system file to be deleted. Be very careful when using the root account. For security reasons, do not log in with the root account unless absolutely necessary. One point deserves particular attention: when you are not at your own server, do not log in to it as "root" from other computers. This is very, very bad.

3.2.1.5 Encryption

Encryption uses a key, which is a special number; after the information is encrypted with the key, only someone who knows the key can read it. If all the computer hosts are under your control, encryption is of course a good approach; however, if one of the "trusted" hosts is controlled by a hacker, you are in danger. This concerns more than just user accounts and passwords. Normally, encryption is the security measure used to keep confidential information in the system secret. If a computer is compromised, that encrypted information may become known or be disclosed. A good security policy minimizes the chance of danger, but if the key itself is leaked, the danger is always there.

3.2.2 Secure Configuration

3.2.2.1 The "/etc/exports" file

If you share files through NFS, you must configure the "/etc/exports" file so that the access restrictions are as strict as possible. That is, do not use wildcards, do not allow write access to the root directory, and give read-only privileges wherever possible. Edit the exports file (vi /etc/exports).
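The three rules just given (no wildcards, no root write access, read-only where possible) can be checked mechanically against an exports file in the format shown in the example lines that follow. The following is an added example, not code from the original article: it parses each `directory host(options)` entry and reports wildcard or empty host fields, `rw` or an unstated access mode, and `no_root_squash` or an unstated `root_squash`. The option names are the standard Linux NFS export options; the directories and host names in the sample file are constructed.

```shell
# Added example, not from the original article: audit an /etc/exports style
# file for the weaknesses the text warns about. POSIX sh only.

# audit_exports FILE -> prints one finding per line; returns 0 when clean.
audit_exports() {
    file="$1"
    findings=$(
        set -f                      # no pathname expansion while splitting host lists
        grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
        while read -r dir rest; do
            set -- $rest            # each word is host(opts) or (opts)
            if [ $# -eq 0 ]; then
                echo "$dir: no host given, exported to everyone"
                continue
            fi
            for entry in "$@"; do
                host=${entry%%\(*}
                case "$entry" in
                    *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;;
                    *)      opts="" ;;
                esac
                case "$host" in
                    ""|*\**|*\?*|*\[*) echo "$dir -> '$host': wildcard or empty host" ;;
                esac
                case ",$opts," in
                    *,rw,*) echo "$dir -> $host: rw (prefer ro)" ;;
                    *,ro,*) ;;
                    *)      echo "$dir -> $host: neither ro nor rw stated; make read-only explicit" ;;
                esac
                case ",$opts," in
                    *,no_root_squash,*) echo "$dir -> $host: no_root_squash" ;;
                    *,root_squash,*)    ;;
                    *)                  echo "$dir -> $host: root_squash not stated" ;;
                esac
            done
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# exports_problem_count FILE -> number of findings, for scripting.
exports_problem_count() {
    audit_exports "$1" | grep -c '.'
}

# make_sample_exports FILE -> constructed sample with two good and two bad lines.
make_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/dir/to/export  host1.mydomain.com(ro,root_squash)
/dir/to/export  host2.mydomain.com(ro,root_squash)
/home           *.mydomain.com(rw,no_root_squash)
/pub            (ro)
EOF
}
```

The check deliberately treats an unstated access mode as a finding: the default has differed between NFS server versions, so the safe habit is to write `ro` explicitly, as the text's example lines do.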
For example:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

"/dir/to/export" is the directory you want to share, and host1.mydomain.com is a computer that is allowed to access this directory. "ro" means read-only, and "root_squash" means that root is not allowed to write to this directory. For these changes to take effect you have to run the "/usr/sbin/exportfs -a" command. Note: NFS is a security risk on a server, and I personally do not recommend that you use NFS.

3.2.2.2 The "/etc/inetd.conf" file

inetd, also called the "super server", loads network programs in response to network requests. The "inetd.conf" file tells inetd which network ports to listen on and which service to start for each port. When putting a Linux system into any network environment, the first thing to do is to understand which services the server needs to provide. Unneeded services should be disabled, and preferably uninstalled, so that hackers have fewer opportunities to attack the system. Check the "/etc/inetd.conf" file to find out which services inetd offers. Comment out (put a # at the start of the line) every service you do not need, and then send a SIGHUP signal to the inetd process.

Step 1: change the permissions of the file to 600.

[root@cnns]# chmod 600 /etc/inetd.conf

Step 2: make sure that the owner of the file is root.

[root@cnns]# stat /etc/inetd.conf

This command displays:

  File: "/etc/inetd.conf"
  Size: 2869          Filetype: Regular File
  Mode: (0600/-rw-------)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,6   Inode: 18219     Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999(00002.06:12:16)

Step 3: edit the "inetd.conf" file (vi /etc/inetd.conf) and disable all unneeded services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on. If you think some of these services are useful, you need not disable them. However, with these services disabled, the chance of the system being attacked is small.

The contents of the "inetd.conf" file are then as follows:

# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo    stream  tcp     nowait  root    internal
#echo    dgram   udp     wait    root    internal
#discard stream  tcp     now
ait  root    internal
#discard dgram   udp     wait    root    internal
#daytime stream  tcp     nowait  root    internal
#daytime dgram   udp     wait    root    internal
#chargen stream  tcp     nowait  root    internal
#chargen dgram   udp     wait    root    internal
#time    stream  tcp     nowait  root    internal
#time    dgram   udp     wait    root    internal
#
# These are standard services.
#
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk   stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp    stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps  dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream  tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Authentication
#
#auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o

Note: after changing the "inetd.conf" file, don't forget to send a SIGHUP signal to the inetd process (killall -HUP inetd).

[root@cnns /root]# killall -HUP inetd

Step 4: to protect the "inetd.conf" file, you can make it immutable. Set the file immutable with the following command:

[root@cnns]# chattr +i /etc/inetd.conf

This prevents any change (accidental or otherwise). A file with the "i" attribute cannot be changed: it cannot be deleted or renamed, no link to it can be created, and no data can be written to it. Only the system administrator can set and clear this attribute. If you want to change the inetd.conf file, you must first clear the immutable flag:

[root@cnns]# chattr -i /etc/inetd.conf

3.2.2.3 TCP_WRAPPERS

By default, Red Hat Linux allows all service requests. Using TCP_WRAPPERS to protect your server from outside attacks is much easier and more relaxed than you might imagine. Put "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file to deny every computer access to your server, then add the computers that are allowed to access your server to the "/etc/hosts.allow" file. This approach is the safest. TCP_WRAPPERS is controlled by two files, in this order: "/etc/hosts.allow" and "/etc/hosts.deny".
Checking proceeds in that order, with the following rules: if a match (daemon, client) is found in /etc/hosts.allow, access is allowed; otherwise /etc/hosts.deny is checked, and if a match is found there, access is denied; otherwise access is allowed.

Step 1: edit the hosts.deny file (vi /etc/hosts.deny) and add these lines:

# Access is denied by default.
# Deny access to everyone. PARANOID matches any host whose name does not
# match its address, see below.
ALL: ALL@ALL, PARANOID

This means: for all services, from all locations, if access is not explicitly allowed, that is, not found in "/etc/hosts.allow", it is forbidden.
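The following is an added example, not code from the original article; it serves both the inetd.conf section above and the hosts.allow/hosts.deny order just described. Given an inetd.conf and the two tcp_wrappers files, it lists which inetd services are still enabled (with the daemon name tcpd would match on) and decides, per service, whether a given client would be admitted: hosts.allow match means allow, otherwise hosts.deny match means deny, otherwise allow. The matcher is a deliberately small subset of the real hosts_access language: it understands ALL, exact daemon names, exact host names or addresses, and ALL@ALL; PARANOID is accepted but never matches here because no DNS lookup is performed. All file contents, addresses and host names in the sample are constructed.

```shell
# Added example, not from the original article: report what inetd exposes
# and how tcp_wrappers would treat a given client. POSIX sh, awk, grep, tr.

# inetd_enabled_services FILE -> "service daemon" per uncommented line;
# daemon is the basename of the server program (field 7), or "internal".
inetd_enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 {
        d = (NF >= 7) ? $7 : $6; n = split(d, a, "/"); print $1, a[n]
    }' "$1"
}

# _tw_list_match LIST VALUE -> 0 if the comma/space separated pattern list
# matches VALUE (ALL and ALL@ALL match anything; PARANOID never matches here).
_tw_list_match() {
    (
        set -f
        value=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        for pat in $(printf '%s' "$1" | tr ',\t' '  ' | tr 'A-Z' 'a-z'); do
            case "$pat" in
                all|all@all) exit 0 ;;
                paranoid)    ;;              # would need a forward/reverse DNS check
                "$value")    exit 0 ;;
            esac
        done
        exit 1
    )
}

# _tw_file_match FILE DAEMON CLIENT -> 0 if some "daemons : clients" line matches.
_tw_file_match() {
    file="$1"; daemon="$2"; client="$3"
    [ -f "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if _tw_list_match "$daemons" "$daemon" && _tw_list_match "$clients" "$client"; then
            echo match
        fi
    done | grep -q match
}

# tcpw_decision DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow or deny.
tcpw_decision() {
    if _tw_file_match "$3" "$1" "$2"; then echo allow
    elif _tw_file_match "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# inetd_exposure_report INETD_CONF ALLOW_FILE DENY_FILE CLIENT
inetd_exposure_report() {
    inetd_enabled_services "$1" | while read -r svc daemon; do
        if [ "$daemon" = internal ]; then
            echo "$svc: enabled (internal, not wrapped)"
        else
            echo "$svc: enabled, $daemon -> $(tcpw_decision "$daemon" "$4" "$2" "$3") for $4"
        fi
    done
}

# make_sample_wrapper_files DIR -> constructed inetd.conf, hosts.allow, hosts.deny
make_sample_wrapper_files() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample: everything commented out except telnet, daytime and auth
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
daytime  stream  tcp  nowait  root    internal
auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
    cat > "$1/hosts.deny" <<'EOF'
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
EOF
    cat > "$1/hosts.allow" <<'EOF'
sshd: 208.164.186.1 gate.openarch.com
in.telnetd: 208.164.186.1
EOF
}
```

Note that hosts.allow entries name the daemon process (in.telnetd, sshd), not the inetd service name (telnet), which is why the report carries both; the real `tcpdchk` from step 3 below remains the authoritative syntax check for the two files.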

Note: after adding the "PARANOID" parameter, if you want to use a telnet or ftp service on the server, add the names and IP addresses of the client computers allowed to use telnet and ftp to the server's "/etc/hosts" file. Otherwise, because of DNS name resolution, you may have to wait a few minutes before the login prompt appears.

Step 2: edit the "hosts.allow" file (vi /etc/hosts.allow). For example, you can add these lines (the computers authorized to access must be listed explicitly):

sshd: 208.164.186.1 gate.openarch.com

The IP address of the authorized computer is 208.164.186.1, its host name is gate.openarch.com, and the service allowed is sshd.

Step 3: tcpdchk is a program that checks the TCP_WRAPPERS configuration. It checks the TCP_WRAPPERS configuration and reports any problems or potential problems it can find. After all the configuration is done, run the tcpdchk program:

[root@cnns]# tcpdchk

3.2.2.4 The "/etc/aliases" file

A misconfigured or carelessly managed aliases file creates security risks. For example, many software vendors put a "decode" alias in the aliases file. The purpose is to make it convenient to transfer binary files via email. When sending email, the user converts the binary file into an ASCII file, then sends the result to the "decode" alias at the receiving end. This alias pipes the mail message through the "/usr/bin/uuencode" program to turn the ASCII file back into a binary. You can imagine the security risks if "decode" is allowed to appear in the aliases file. Remove the line defining "decode" from the aliases file. Similarly, examine every alias that would run a program; most likely they should be deleted.
For the changes to take effect you must also run:

[root@cnns]# /usr/bin/newaliases

Edit the aliases file (vi /etc/aliases) and delete or comment out these lines:

# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
#games:         root    ? remove or comment out.
#ingres:        root    ? remove or comment out.
nobody:         root
#system:        root    ? remove or comment out.
#toor:          root    ? remove or comment out.
#uucp:          root    ? remove or comment out.

# Well-known aliases.
#manager:       root    ? remove or comment out.
#dumper:        root    ? remove or comment out.
#operator:      root    ? remove or comment out.

# trap decode to catch security attacks
#decode:        root

# Person who should get root's mail
#root:          marc

Don't forget to run "/usr/bin/newaliases" for the change to take effect.

3.2.2.5 Preventing abuse of the mail server by unauthorized users

The latest version of Sendmail integrates very powerful anti-spam features that prevent the mail server from being abused by unauthorized users. To enable them, edit the "/etc/sendmail.cf" configuration file so that people cannot use your server to send spam. Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change this line:

O PrivacyOptions=authwarnings

to:

O PrivacyOptions=authwarnings,noexpn,novrfy

These changes prevent spammers from using Sendmail's "EXPN" and "VRFY" commands. These commands are often used by people who are not authorized. Refer to the Sendmail configuration section of this book for more information. Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change this line:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

to:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b NO UCE C=xx L=xx

This changes the banner that Sendmail displays when it accepts a connection. You have to change "xx" in "C=xx L=xx" to your country and region codes. For example, I wrote "C=CN L=JL", meaning China, Jilin. This change does not affect how Sendmail works, but the news.admin.net-abuse.email newsgroup suggests it, mainly to forestall legal issues.
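The two mail checks from sections 3.2.2.4 and 3.2.2.5 can be scripted. The following is an added example, not code from the original article: `audit_aliases` flags the "decode" alias and every alias that delivers to a program, a file or an `:include:` list, which is the "examine every alias that would run a program" advice above in executable form; `sendmail_privacy_ok` checks whether a sendmail.cf already has `noexpn` and `novrfy` in PrivacyOptions (or `goaway`, which implies both). The aliases and program paths in the sample are constructed.

```shell
# Added example, not from the original article: audit /etc/aliases for
# program-delivering aliases and check sendmail.cf PrivacyOptions.

# audit_aliases FILE -> one line per finding; returns 0 when nothing found.
audit_aliases() {
    awk '
        /^[ \t]*#/ || !/:/ { next }
        {
            i = index($0, ":")
            name = substr($0, 1, i - 1); target = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t"]+|["]+$/, "", target)      # strip blanks and quoting
            lname = tolower(name)
            if (lname == "decode" || lname == "uudecode")
                printf("%s: binary-decoding alias, remove it\n", name)
            if (target ~ /\|/)
                printf("%s: delivers to a program: %s\n", name, target)
            else if (target ~ /^\//)
                printf("%s: delivers to a file: %s\n", name, target)
            else if (target ~ /:include:/)
                printf("%s: expands an :include: file list: %s\n", name, target)
        }' "$1" | { rc=0; while read -r line; do echo "$line"; rc=1; done; exit $rc; }
}

# sendmail_privacy_ok FILE -> 0 if PrivacyOptions contains noexpn and novrfy
# (or goaway, which implies them), 1 otherwise.
sendmail_privacy_ok() {
    opts=$(sed -n 's/^O[[:space:]]*PrivacyOptions=\(.*\)/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z' | tr -d ' ')
    case ",$opts," in
        *,goaway,*) return 0 ;;
    esac
    case ",$opts," in
        *,noexpn,*) case ",$opts," in *,novrfy,*) return 0 ;; esac ;;
    esac
    return 1
}

# make_sample_aliases FILE -> constructed aliases file with three risky entries.
make_sample_aliases() {
    cat > "$1" <<'EOF'
# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root
bin:            root
decode:         "|/usr/bin/uudecode"
archive:        /var/mail/archive
staff:          :include:/etc/mail/staff-list
root:           marc
EOF
}
```

Run `audit_aliases /etc/aliases` after every package installation, since vendors add aliases; a non-empty report means the file needs review and `newaliases` afterwards.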
3.2.2.6 Do not display the system banner

If you don't want remote login users to see the system's banner information, you can change the telnet line in the "/etc/inetd.conf" file:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding the "-h" parameter at the end makes the daemon display no system information, only the login prompt. Of course, this is only necessary on a server.

3.2.2.7 The "/etc/host.conf" file

Linux uses the resolver library to translate host names into IP addresses. The "/etc/host.conf" file defines how host names are resolved. The entries in "/etc/host.conf" tell the resolver library which services to use, and in what order, to resolve a host name. Edit the "host.conf" file (vi /etc/host.conf) and add:

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on

The order option indicates the order in which the services are selected.

"order bind,hosts" says that when the resolver library resolves a host name, it queries the domain name server first, then looks at the "/etc/hosts" file. For performance and security reasons, it is best to set the resolver order to check the domain name server (BIND) first. Of course, the DNS/BIND software must be installed first, otherwise this setting has no effect. The multi option determines whether a host appearing in the "/etc/hosts" file can have multiple IP addresses (multiple network interfaces). Hosts with multiple IP network interfaces are called multi-homed, because having multiple IP addresses means the host has multiple network interfaces. For example, a gateway server has multiple IP addresses, and this option must be set to on. The nospoof option indicates that IP spoofing is not allowed. IP spoofing means pretending to be another computer in order to gain its trust. This type of attack disguises the attacker as another server and establishes network connections or other kinds of network activity with other clients, servers and large data storage systems. This option should be on for any type of server.

3.2.2.8 Routing protocols

Routing and routing protocols can cause some problems. IP source routing, in which the IP packet carries detailed path information to its destination, is dangerous because, according to RFC 1122, the destination host must send its reply back along the same path. If a hacker can forge a source-routed packet, he can intercept the returned packets and deceive your computer into believing it is communicating with a trusted host. I strongly recommend that you disable IP source routing to avoid this security hole.
Use the following commands to disable IP source routing on your server:

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

Add the above commands to the "/etc/rc.d/rc.local" file so that you don't have to type them again after the system restarts. Note that the above commands disable source-routed packets on all network interfaces (lo, ethN, pppN and so on). If you plan to install the ipchains firewall, you don't need these commands, because they are already included in the firewall script.

3.2.2.9 Enabling TCP SYN cookie protection

A "SYN attack" is a denial of service (DoS) attack that consumes all the resources on the system and forces the server to restart. Denial of service attacks (which consume the system's resources with huge volumes of traffic so that the server cannot respond to normal connection requests) are very easy to launch. In the 2.1 series of kernels, "SYN cookies" are only an option and are not enabled by default. To enable them, use the following command:

[root@cnns]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Put this command in the "/etc/rc.d/rc.local" file so that you don't have to retype it after the next system restart. If you intend to install the ipchains firewall, you don't need this command, because it is already included in the firewall script.

3.2.2.10 Firewalls

Another solution to security problems is to route all traffic between your internal computer hosts and the external network through a secure gateway, allowing communication between the internal and external networks only through that gateway. Such a gateway is called a firewall. In later chapters we will cover firewalls at length.

3.2.2.11 The "/etc/services" file

Port numbers and standard services are defined in detail in RFC 1700, "Assigned Numbers".
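The two kernel settings from sections 3.2.2.8 and 3.2.2.9 are worth verifying after boot rather than trusting rc.local ran. The following is an added example, not code from the original article: it audits and sets `accept_source_route` for every interface and `tcp_syncookies` by reading files under a /proc/sys tree whose root is a parameter, so the same functions run against a constructed copy (as in the test) or against the real /proc/sys on a Linux host as root. The file names are the Linux paths named in the text; the interface names in the sample tree are constructed.

```shell
# Added example, not from the original article: audit and apply the
# source-routing and SYN-cookie settings under a /proc/sys style tree.

# ipv4_audit ROOT -> one line per problem; returns 0 when everything is set.
ipv4_audit() {
    root="$1"; rc=0
    for f in "$root"/net/ipv4/conf/*/accept_source_route; do
        if [ ! -f "$f" ]; then
            echo "no accept_source_route files under $root"; rc=1; break
        fi
        if [ "$(cat "$f")" != "0" ]; then
            echo "source routing accepted: $f"; rc=1
        fi
    done
    sc="$root/net/ipv4/tcp_syncookies"
    if [ ! -f "$sc" ]; then
        echo "missing $sc (kernel built without SYN cookie support?)"; rc=1
    elif [ "$(cat "$sc")" != "1" ]; then
        echo "SYN cookies disabled: $sc"; rc=1
    fi
    return $rc
}

# ipv4_harden ROOT -> the rc.local commands from the text, generalized to
# any tree root (needs root when ROOT is the real /proc/sys).
ipv4_harden() {
    root="$1"
    for f in "$root"/net/ipv4/conf/*/accept_source_route; do
        [ -f "$f" ] && echo 0 > "$f"
    done
    [ -f "$root/net/ipv4/tcp_syncookies" ] && echo 1 > "$root/net/ipv4/tcp_syncookies"
    return 0
}

# make_sample_procsys DIR -> constructed tree with the weak (unhardened) values.
make_sample_procsys() {
    for i in all default lo eth0 ppp0; do
        mkdir -p "$1/net/ipv4/conf/$i"
        echo 1 > "$1/net/ipv4/conf/$i/accept_source_route"
    done
    echo 0 > "$1/net/ipv4/tcp_syncookies"
}
```

`ipv4_audit /proc/sys` makes a reasonable nightly check; a non-zero exit after a kernel or firewall-script change means the rc.local entries did not take effect.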
The "/etc/services" file enables server and client programs to convert the name of a service to its port number. It exists on every host, and its file name is "/etc/services".

Only the "root" user has permission to modify this file, and in general there is no need to modify it, because it already contains the port numbers of the common services. To improve security, we can protect this file against unauthorized deletion and changes. To protect it, use the following command:

[root@cnns]# chattr +i /etc/services

3.2.2.12 The "/etc/securetty" file

The "/etc/securetty" file lets you specify the tty devices on which the "root" user may log in. The login program (usually "/bin/login") reads the "/etc/securetty" file. Its format is a list of tty devices on which login is allowed; a tty that is commented out or not listed in this file does not allow root login. Comment out (put a # at the start of the line) every tty on which you do not want root to log in. Edit the securetty file (vi /etc/securetty) and comment out some lines, like this:

tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8

The above means that root is only allowed to log in on tty1. I recommend allowing root to log in on only one tty device. If you log in from another tty, use the "su" command to become "root".

3.2.2.13 Special accounts

Disable unneeded preset accounts in the operating system (check this after every upgrade or installation). Linux provides preset accounts that you may not need. If you don't need these accounts, delete them. The more accounts there are on the system, the easier it is to attack. We assume that you are using shadow passwords on your system. If not, it is best to enable shadow password support on the system, because it is safer. If you installed the server according to the method described in the previous chapter, the "Enable Shadow Passwords" option was already selected in the "Authentication Configuration" screen.

To remove a user from the system, use this command:

[root@cnns]# userdel username

To remove a group from the system, use this command:

[root@cnns]# groupdel groupname

Step 1: delete some unnecessary users with the following commands:

[root@cnns]# userdel adm
[root@cnns]# userdel lp
[root@cnns]# userdel sync
[root@cnns]# userdel shutdown
[root@cnns]# userdel halt
[root@cnns]# userdel news
[root@cnns]# userdel uucp
[root@cnns]# userdel operator
[root@cnns]# userdel games     (if you don't use the X Window server, you can delete this user)
[root@cnns]# userdel gopher
[root@cnns]# userdel ftp       (if no anonymous FTP server is installed, you can delete this user)

Step 2: type the following commands to delete some unnecessary groups:

[root@cnns]# groupdel adm
[root@cnns]# groupdel lp
[root@cnns]# groupdel news
[root@cnns]# groupdel uucp
[root@cnns]# groupdel games    (delete this group if you don't use the X Window server)
[root@cnns]# groupdel dip
[root@cnns]# groupdel pppusers
[root@cnns]# groupdel popusers (delete this group if you don't use a POP server for email)
[root@cnns]# groupdel slipusers

Step 3: add the necessary users to the system. To add a user, use this command:

[root@cnns]# useradd username

To add or change a user's password, use this command:

[root@cnns]# passwd username

For example:

[root@cnns]# useradd admin
[root@cnns]# passwd admin

The output of these commands looks like this:

Changing password for user admin
New UNIX password: somepasswd
passwd: all authentication tokens updated successfully

Step 4: the "immutable" bit can be used to protect files from being accidentally deleted or overwritten, and from having symbolic links created to them. Deleting "/etc/passwd", "/etc/shadow", "/etc/group" or "/etc/gshadow" is one of the hacker's attack methods.
To make the password files and group files immutable, use the following commands:

[root@cnns]# chattr +i /etc/passwd
[root@cnns]# chattr +i /etc/shadow
[root@cnns]# chattr +i /etc/group
[root@cnns]# chattr +i /etc/gshadow

Note: if you later want to add or delete a user in the password or group files, you must first clear the immutable attribute on these files; otherwise no change can be made.

If you do not clear it, RPM packages that automatically add new users to the password and group files will produce errors during installation.

3.2.2.14 Preventing anyone from using the su command to become root

If you don't want anyone to use the "su" command to become root, or want only certain users to have the right to use the "su" command, add the following two lines to the "/etc/pam.d/su" file. I suggest limiting which users can become root through the "su" command.

Step 1: edit the su file (vi /etc/pam.d/su) and add the following two lines at the top of the file:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

After adding these two lines, the "/etc/pam.d/su" file becomes:

#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow use_authtok nullok
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_xauth.so

This means that only members of the "wheel" group can use the su command to become root. Note that the "wheel" group is a special group in the system for exactly this purpose; no other group name can be used. Combining the method described in this section with the method described in the "/etc/securetty" file section above strengthens system security further.

Step 2: having defined the "wheel" group in the "/etc/pam.d/su" configuration file, here is how to let certain users use the "su" command to become "root". In this example the admin user is made a member of the "wheel" group, so that it can use the "su" command to become "root":

[root@cnns]# usermod -G10 admin

"G" means the other groups the user belongs to, "10" is the ID of the "wheel" group, and "admin" is the user we are adding to the "wheel" group.
Use the same command to let other users use the su command to become root.

3.2.2.15 Resource limits

Limiting the use of system resources helps to avoid denial of service attacks (such as creating many processes, consuming system memory, and so on). These limits must be set before the user logs in. For example, limits can be applied to users of the system as follows.

Step 1: edit the limits.conf file (vi /etc/security/limits.conf) and add or change the following lines:

* hard core 0
* hard rss 5000
* hard nproc 20

The meaning of these lines is: "core 0" forbids creating core files; "nproc 20" limits the maximum number of processes to 20; "rss 5000" means that users other than root can only use 5M of memory. The above only applies to users who log in to the system. With these limits you can better control the users' use of processes, core files and memory on the system. The asterisk "*" stands for every user who logs in to the system.

Step 2: you must edit the "/etc/pam.d/login" file and add the following line at the end of the file:

session required /lib/security/pam_limits.so

After adding this line, the "/etc/pam.d/login" file looks like this:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
#session optional /lib/security/pam_console.so

3.2.2.16 Better control of mounted file systems

You can use options such as noexec, nodev and nosuid to better control mounted file systems such as "/home" and "/tmp". These are set in the "/etc/fstab" file. The fstab file contains a description of each file system. To find out which options can be set in this file, use the man command to view the help for mount. Edit the fstab file (vi /etc/fstab) and change these two lines as needed:

/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2

to:

/dev/sda11 /tmp ext2 nosuid,nodev,noexec 1 2
/dev/sda6 /home ext2 nosuid,nodev 1 2

"nodev" means that character or block special devices are not allowed on this file system. "nosuid" means that the SUID (set-user-identifier) permission bit is not honoured for files on it. "noexec" means that no binaries on the file system may be executed. Note: in the example above, "/dev/sda11" is mounted on the "/tmp" directory and "/dev/sda6" is mounted on the "/home" directory. Of course, this will differ in your actual situation, depending on how you partitioned and what kind of hard drive you have; for example, IDE drives are hda, hdb and so on, and SCSI drives are sda, sdb and so on.
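The fstab change above is easy to get wrong by hand, and easy to lose when a disk is repartitioned, so it is worth checking against a policy. The following is an added example, not code from the original article: `fstab_audit` takes a file and a list of "mountpoint:option,option" rules (the text's /tmp and /home rules, generalized so any file system can be checked the same way) and reports each missing option; `fstab_add_opts` adds the missing options to one mount point's line, replacing a bare `defaults` as the text's example does. Device names in the sample file are constructed.

```shell
# Added example, not from the original article: check and fix mount options
# in an fstab-style file. POSIX sh and awk.

# fstab_audit FILE "MP:OPT,OPT" ["MP:OPT,OPT" ...]
# Prints one line per missing option or unlisted mount point; returns 0 when
# every rule is satisfied.
fstab_audit() {
    file="$1"; shift; rc=0
    for rule in "$@"; do
        mp=${rule%%:*}; want=${rule#*:}
        line=$(awk -v mp="$mp" '!/^[ \t]*#/ && $2 == mp { print; exit }' "$file")
        if [ -z "$line" ]; then
            echo "$mp: not listed in $file"; rc=1; continue
        fi
        have=$(printf '%s\n' "$line" | awk '{ print $4 }')
        for opt in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$have," in
                *,"$opt",*) ;;
                *) echo "$mp: missing $opt (has: $have)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# fstab_add_opts FILE MOUNTPOINT OPT,OPT,...
# Appends each option not already present to the mount point's option field;
# a bare "defaults" is replaced, as in the text's example. Keeps FILE.bak.
fstab_add_opts() {
    cp "$1" "$1.bak"
    awk -v mp="$2" -v add="$3" '
        !/^[ \t]*#/ && $2 == mp {
            n = split(add, a, ",")
            for (k = 1; k <= n; k++)
                if (("," $4 ",") !~ ("," a[k] ","))
                    $4 = ($4 == "defaults") ? a[k] : $4 "," a[k]
        }
        { print }' "$1.bak" > "$1"
}

# make_sample_fstab FILE -> constructed fstab with /tmp still on "defaults".
make_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample /etc/fstab
/dev/sda1    /            ext2  defaults      1 1
/dev/sda11   /tmp         ext2  defaults      1 2
/dev/sda6    /home        ext2  nosuid,nodev  1 2
/dev/fd0     /mnt/floppy  ext2  noauto,owner  0 0
EOF
}
```

Remember that editing fstab only affects future mounts; after `fstab_add_opts` the options still have to be applied with `mount -o remount /tmp` (or a reboot), and `mount` output is what the audit should ultimately be compared with.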
3.2.2.17 Moving the RPM program to a safe place and changing its default permissions

Once all the required software has been installed on the Linux server with the rpm command, it is best to move the RPM program to a safe place, such as a floppy disk or another place you consider safe. Then, if someone breaks into your server, he cannot use the rpm command to install harmful software. Of course, if you need to install new software in the future, you have to copy the RPM program back to its original directory.

To move the RPM program to a floppy disk, use the following commands:

[root@cnns]# mount /dev/fd0 /mnt/floppy/
[root@cnns]# mv /bin/rpm /mnt/floppy/
[root@cnns]# umount /mnt/floppy

Note: never uninstall the RPM program from the system, otherwise it cannot be reinstalled, because the RPM package itself, like every other package, is installed with the rpm command. It is also worth noting that the permissions of the rpm command can be changed from the default 755 to 700, so that non-root users cannot use the rpm command. This is especially necessary if you do not move the RPM program to a safe place after installing new software. To change the default permissions of "/bin/rpm", use the following command:

[root@cnns]# chmod 700 /bin/rpm

3.2.2.18 Shell login history

To make it easy to recall previous input, the Bash shell saves up to 500 previously entered commands in the "~/.bash_history" file ("~/" is the home directory, different for each user). Every user with an account has a ".bash_history" file in his home directory. It can happen that a user types a password where no password was expected, and that password is then saved in the ".bash_history" file. The larger the ".bash_history" file, the more likely this is. In the "/etc/profile" file, HISTFILESIZE and HISTSIZE determine how many commands are saved for every user on the system. I recommend setting HISTFILESIZE and HISTSIZE in "/etc/profile" to a fairly small value, such as 20. Edit the profile file (vi /etc/profile) and change these lines:

HISTFILESIZE=20
HISTSIZE=20

Now the ".bash_history" file under each user's home directory holds at most 20 commands. If a hacker tries to find passwords in a user's "~/.bash_history" file, he has little chance.

3.2.2.19 The "/etc/lilo.conf" file

LILO is a versatile boot program for Linux.
It works with a variety of file systems, boots Linux from a floppy disk or a hard disk and loads the kernel, and can act as a "boot manager" for other operating systems. The root (/) file system is very important to LILO, for two reasons. First, LILO has to tell the kernel where to find the root file system. Second, things used by LILO, such as the boot sector, the "/boot" directory and the kernel, are stored in the root file system. The boot sector contains the first part of the LILO boot program, which loads the larger second part of the boot program during the second half of the boot phase. Both parts usually live in the "/boot/boot.b" file. The kernel is loaded and started by the boot program. On Red Hat Linux the kernel is usually in the root directory or in the "/boot" directory. Because LILO is so important to the Linux system, we have to protect it as much as possible. LILO's most important configuration file is the "lilo.conf" file in the "/etc" directory. With this file we can configure LILO and improve the security of the Linux system. Below are the three important options of the LILO program.

1) Add: timeout=00
This sets how long LILO waits for user input before booting the default system. The C2 security level requires this interval to be 0, because allowing multiple boot choices defeats the system's security measures. It is best to set this option unless you really need multiple boot choices.

2) Add: restricted
When LILO boots, entering the parameter "linux single" enters single-user mode. Since single-user mode has no password check, you can add password protection at the LILO boot prompt. The "restricted" option can only be used together with "password". Note that every kernel entry should include password protection.

3) Add: password=
When the Linux system is started in single-user mode, the system asks the user for this password. The password is case-sensitive. Also make sure that no user other than root can read the "/etc/lilo.conf" file, so that nobody else can see the password. Below is a concrete example of protecting LILO with the "lilo.conf" file.

Step 1: edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three settings described above:

    boot=/dev/sda
    map=/boot/map
    install=/boot/boot.b
    prompt
    timeout=00                  # change this line to 00
    default=linux
    restricted                  # add this line
    password=<your password>    # add this line and put in your password
    image=/boot/vmlinuz-2.2.12-20
        label=linux
        initrd=/boot/initrd-2.2.12-10.img
        root=/dev/sda6
        read-only

Step 2: the password in the "/etc/lilo.conf" configuration file is not encrypted, so only root should be able to read the file. Change its permissions with the following command:

    [root@cnns]# chmod 600 /etc/lilo.conf    (no longer world readable)

Step 3: make the changed "/etc/lilo.conf" configuration take effect:

    [root@cnns]# /sbin/lilo -v    (to update the boot map from lilo.conf)

Step 4: for more security, use the chattr command to set the immutable attribute on the "lilo.conf" file, so that it cannot be changed:

    [root@cnns]# chattr +i /etc/lilo.conf

This prevents the "lilo.conf" file from being changed by accident or for any other reason. If you want to change the "lilo.conf" file, you must first clear its immutable flag.
Clear the immutable flag with the following command:

    [root@cnns]# chattr -i /etc/lilo.conf

3.2.2.20 Disable the Control-Alt-Delete shutdown keys
Commenting out one line in the "/etc/inittab" file prevents the computer from being shut down with Control-Alt-Delete. This is very important if the server is not in a physically secure place. Edit the inittab file (vi /etc/inittab) and change this line:

    ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to:

    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Then make the change take effect with the following command:

    [root@cnns]# /sbin/init q

3.2.2.21 Change the permissions of the scripts in the "/etc/rc.d/init.d/" directory
Change the permissions of the scripts that start and stop daemons:

    [root@cnns]# chmod -R 700 /etc/rc.d/init.d/*

Now only root can read, write and execute the scripts in this directory.

Ordinary users have no need to know what these scripts contain. Note: if you install or upgrade a program that uses a System V script in "/etc/rc.d/init.d/", do not forget to check that script file and change its permissions.

3.2.2.22 The "/etc/rc.d/rc.local" file
By default, when you log in to a Linux computer, the system tells you the name and version number of the Linux distribution, the kernel version and the server's host name. That leaks too much system information; it is best to show only a "login:" prompt. Step one: edit the "/etc/rc.d/rc.local" file and put a "#" in front of these lines:

    # This will overwrite /etc/issue at every boot.  So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    #echo "" > /etc/issue
    #echo "$R" >> /etc/issue
    #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
    #
    #cp -f /etc/issue /etc/issue.net
    #echo >> /etc/issue

Step two: delete the "issue.net" and "issue" files in the "/etc" directory:

    [root@cnns]# rm -f /etc/issue
    [root@cnns]# rm -f /etc/issue.net

Note: "/etc/issue.net" is the login banner shown when a user logs in over the network (for example with telnet or ssh). The "issue" file in the same "/etc" directory is the banner shown on local login. Both are text files and can be changed as needed. However, if you want to delete these two files, you must comment out the lines of the "/etc/rc.d/rc.local" script as described above; otherwise the system recreates both files at every reboot.

3.2.2.23 Programs with the "s" bit
When a file is listed with the ls -l command and an "s" appears in its permission bits, the SUID (-rwsr-xr-x) or SGID (-r-xr-sr-x) bit of that file is set. Because such programs grant certain privileges, it is best to remove the "s" bit from any program that does not need those privileges.
You can remove the "s" bit of a file with the command "chmod a-s <file>". Programs whose "s" bit can be cleared include, but are not limited to, programs that will never be used. The programs marked with an asterisk (*) below are the ones I personally think should have the "s" bit removed. Note that the system may need some SUID programs in order to work normally, so be careful. Use the following command to find all programs with the "s" bit:

    [root@cnns]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

    *  -rwsr-xr-x  1 root root     35168 Sep 22 23:35 /usr/bin/chage
    *  -rwsr-xr-x  1 root root     36756 Sep 22 23:35 /usr/bin/gpasswd
    *  -r-xr-sr-x  1 root tty       6788 Sep  6 18:17 /usr/bin/wall
       -rwsr-xr-x  1 root root     33152 Aug 16 16:35 /usr/bin/at
       -rwxr-sr-x  1 root man      34656 Sep 13 20:26 /usr/bin/man
       -r-s--x--x  1 root root     22312 Sep 25 11:52 /usr/bin/passwd
       -rws--x--x  2 root root    518140 Aug 30 23:12 /usr/bin/suidperl
       -rws--x--x  2 root root    518140 Aug 30 23:12 /usr/bin/(path garbled in the source)
       -rwxr-sr-x  1 root slocate  24744 Sep 20 10:29 /usr/bin/slocate
    *  -rws--x--x  1 root root     14024 Sep  9 01:01 /usr/bin/chfn
    *  -rws--x--x  1 root root     13768 Sep  9 01:01 /usr/bin/chsh
    *  -rws--x--x  1 root root      5576 Sep  9 01:01 /usr/bin/newgrp
    *  -rwxr-sr-x  1 root tty       8328 Sep  9 01:01 /usr/bin/write
       -rwsr-xr-x  1 root root     21816 Sep 10 16:03 /usr/bin/crontab
    *  -rwsr-xr-x  1 root root      5896 Nov 23 21:59 /usr/sbin/usernetctl
    *  -rwsr-xr-x  1 root bin      16488 Jul  2 10:21 /usr/sbin/traceroute
       -rwxr-sr-x  1 root utmp      6096 Sep 13 20:11 /usr/sbin/utempter
       -rwsr-xr-x  1 root root     14124 Aug 17 22:31 /bin/su
    *  -rwsr-xr-x  1 root root     53620 Sep 13 20:26 /bin/mount
    *  -rwsr-xr-x  1 root root     26700 Sep 13 20:26 /bin/umount
    *  -rwsr-xr-x  1 root root     18228 Sep 10 16:04 /bin/ping
    *  -rwxr-sr-x  1 root root      3860 Nov 23 21:59 /sbin/netreport
       -r-sr-xr-x  1 root root     26309 Oct 11 20:48 /sbin/pwdb_chkpwd

Use the following commands to clear the SUID/SGID bit of the selected programs:

    [root@cnns]# chmod a-s /usr/bin/chage
    [root@cnns]# chmod a-s /usr/bin/gpasswd
    [root@cnns]# chmod a-s /usr/bin/wall
    [root@cnns]# chmod a-s /usr/bin/chfn
    [root@cnns]# chmod a-s /usr/bin/chsh
    [root@cnns]# chmod a-s /usr/bin/newgrp
    [root@cnns]# chmod a-s /usr/bin/write
    [root@cnns]# chmod a-s /usr/sbin/usernetctl
    [root@cnns]# chmod a-s /usr/sbin/traceroute
    [root@cnns]# chmod a-s /bin/mount
    [root@cnns]# chmod a-s /bin/umount
    [root@cnns]# chmod a-s /bin/ping
    [root@cnns]# chmod a-s /sbin/netreport

If you want to know what these programs are for, use the man command to read their help. For example:

    [root@cnns]# man netreport

3.2.3 Advanced security

3.2.3.1 Make the system ignore ping requests
Preventing your system from responding to ping requests is very good for network security, because nobody can ping your server and get an answer. The TCP/IP protocol suite itself has many weaknesses, and hackers can use techniques that hide data inside the channels that carry normal packets. Making the system ignore ping requests reduces this danger. After running the following command, the system no longer responds to ping:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

You can add this line to the "/etc/rc.d/rc.local" file so that it runs automatically when the system restarts. Not responding to ping keeps at least most hackers away from the system, because they cannot tell where your server is. To restore responses to ping, use the following command:

    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

3.2.3.2 Disable the console programs
The simplest and most common way to protect the system is to disable all console programs such as shutdown and halt. Do so with the following command:

    [root@cnns]# rm -f /etc/security/console.apps/<servicename>

Here <servicename> is the console program you want to disable. Unless you use xdm, do not delete the xserver file; otherwise nobody but root can start the X server. (If you use xdm to start the X server, root is the only user who needs to start it, so it is fine to delete the xserver file.)
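The SUID/SGID review in 3.2.2.23 above lists the files once and clears the bits by hand. As an added example, not code from the original article, the POSIX shell script below turns that review into a repeatable audit: it lists every set-user-ID or set-group-ID file under a tree and reports any file that is not on an allowlist, so that a new or re-enabled setid program shows up the next time the audit runs. The allowlist format (one absolute path per line, "#" comments allowed) and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a directory tree for
# set-user-ID / set-group-ID files and report those that are not on an
# allowlist. The allowlist format (one absolute path per line, "#" comments
# allowed) and the file paths in the usage comment are assumptions.

# Print every regular file below $1 that has the SUID or SGID bit set, sorted,
# one path per line. This is the article's find expression applied to one tree.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Compare the setid files found below $1 with the allowlist file $2. Prints one
# "unexpected setid file: PATH" line per file that is not allowlisted and
# returns 1 in that case, 0 when every setid file was expected. The exit
# status makes the function usable from cron or a monitoring job.
audit_setid_files() {
    unexpected=$(list_setid_files "$1" | while IFS= read -r path; do
        grep -qxF -- "$path" "$2" 2>/dev/null || echo "$path"
    done)
    if [ -z "$unexpected" ]; then
        return 0
    fi
    echo "$unexpected" | sed 's/^/unexpected setid file: /'
    return 1
}

# Typical use (assumed paths): record the reviewed state once, after clearing
# the bits you do not need, then re-run the audit periodically.
#   list_setid_files / > /etc/setid.allow
#   audit_setid_files / /etc/setid.allow || logger -p auth.warning "setid audit: unexpected files"
```

The allowlist should be written only after the chmod a-s step, so that it records the reduced set of setid programs rather than the distribution default; any program that later regains the bit (for example through a package upgrade that reinstalls it) is then reported.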
For example:

    [root@cnns]# rm -f /etc/security/console.apps/halt
    [root@cnns]# rm -f /etc/security/console.apps/poweroff
    [root@cnns]# rm -f /etc/security/console.apps/reboot
    [root@cnns]# rm -f /etc/security/console.apps/shutdown
    [root@cnns]# rm -f /etc/security/console.apps/xserver    (if deleted, only root can start X)

These commands disable all the console programs: halt, poweroff, reboot and shutdown. Remember that deleting the xserver file only has an effect when X Window is installed. Note: if, as in the earlier chapter on installing the server, X Window was not installed, the files mentioned above may not exist in the "/etc/security" directory; if so, you can ignore the method described in this section.

3.2.3.3 Disable console access
To disable all console access, including access to programs and files, comment out every line containing pam_console.so in all files in the "/etc/pam.d/" directory. This step complements the previous section, "Disable the console programs". The following script automates this work.

As root, create a script file called disabling.sh (touch disabling.sh) and add these lines:

    #!/bin/sh
    cd /etc/pam.d
    for i in *; do
        sed '/[^#].*pam_console.so/s/^/#/' < "$i" > foo && mv foo "$i"
    done

Make the script executable and run it with the following commands:

    [root@cnns]# chmod 700 disabling.sh
    [root@cnns]# ./disabling.sh

This comments out every line containing "pam_console.so" in all the files of the "/etc/pam.d" directory. After the script has run, you can delete it from the system.

3.2.3.4 Keep a hard copy of all important log files
Ensuring the integrity of the various log files in the /var/log directory is an important part of system security. Even if we have added many security measures to the server, hackers may still get in, and then the log files are our last line of defence. So it is worth considering how to guarantee their integrity. If a printer is attached to the server, or to another server on the network, the logs can be printed out. This needs a printer that can print continuously, and syslog is used to send all important log messages to "/dev/lp0" (the printer device). A hacker can change files and programs on the server, but once the important log messages have been printed, he can do nothing about them. For example, to record all telnet, mail, boot and ssh connection messages on the server and print them on the printer attached to this server, add one line to the "/etc/syslog.conf" file. Edit the syslog.conf file (vi /etc/syslog.conf) and add this line:

    authpriv.*;mail.*;local7.*;auth.*;daemon.info    /dev/lp0

Restart the syslog daemon to make the change take effect:

    [root@cnns]# /etc/rc.d/init.d/syslog restart

Another example: to record all telnet, mail, boot and ssh connection messages on the server and print them on a printer attached to another server on the local network, add the line to the "/etc/syslog.conf" file of the server that receives the log messages.
If there is no printer on the local network, all log messages can be copied to another server instead: skip the first step below (adding "/dev/lp0" to the "syslog.conf" file of the other server) and go straight to setting the "-r" parameter on the other server. Copying all log messages to another computer also lets you manage several computers from one place, which simplifies administration. Edit the syslog.conf file (vi /etc/syslog.conf) on the server that receives the log messages (for example mail.openarch.com) and add this line:

    authpriv.*;mail.*;local7.*;auth.*;daemon.info    /dev/lp0

Because the default configuration of the syslog daemon refuses to accept messages from the network, we have to enable that in the syslog daemon's script file (the "-r" parameter below is added on the server that receives the log messages).

Edit the syslog script file (vi /etc/rc.d/init.d/syslog) and change this line:

    daemon syslogd -m 0

to:

    daemon syslogd -r -m 0

Restart the syslog daemon to make the change take effect:

    [root@mail]# /etc/rc.d/init.d/syslog restart

If the server that receives the log messages runs a firewall, check that its firewall script contains these lines (add them if it does not):

    ipchains -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             -s $SYSLOG_CLIENT \
             -d $IPADDR 514 -j ACCEPT

In this example the firewall script defines EXTERNAL_INTERFACE="eth0", IPADDR="208.164.186.2" and SYSLOG_CLIENT="208.164.168.0/24". Restart the firewall on the receiving server to make the change take effect:

    [root@mail]# /etc/rc.d/init.d/firewall restart

This firewall rule allows the receiving server to accept UDP packets on port 514 (the syslog port). Finally, on the server that sends the log messages, edit the "syslog.conf" file (vi /etc/syslog.conf) and add this line at the end:

    authpriv.*;mail.*;local7.*;auth.*;daemon.info    @mail

"mail" is the host name of the computer that receives the log messages. If someone tries to break into your computer and tamper with the important system log files, you need not worry, because they have already been printed or a copy exists elsewhere. From these logs you can then analyse where the hacker came from and how the intrusion happened. Restart the syslog daemon to make the change take effect:

    [root@cnns]# /etc/rc.d/init.d/syslog restart

Also check that the firewall script of the server that sends the log messages contains these lines (add them if it does not):
    ipchains -A OUTPUT -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 514 \
             -d $SYSLOG_SERVER 514 -j ACCEPT

This firewall script defines EXTERNAL_INTERFACE="eth0", IPADDR="208.164.186.1" and SYSLOG_SERVER="mail.openarch.com". Restart the firewall to make the change take effect:

    [root@cnns]# /etc/rc.d/init.d/firewall restart

This rule allows the sending server to send UDP packets from port 514 (the syslog port). Note: do not use the gateway server to collect and manage all system log messages. For the other parameters and policies of the syslogd program, use the man command: syslogd(8), syslog(2) and syslog.conf(5).

3.2.4 System patches
The http://www.redhat.com website provides the latest kernel and application upgrades and patches. Copy the .rpm package to /var/tmp on the server and install it with the command "rpm -ivh package", or upgrade an installed package with "rpm -Uvh soft.pkg.rpm".

砑 ? 3.2.5 Appendix Linux download URL 1) FTP: ftp: //ftp.wu-ftpd.org/pub/wu-ftpd/ 2) ssh: ftp: //ftp.ssh. COM / PUB / SSH / 3) DNS: ftp: //ftp.isc.org/isc/bind/ 4) DHCP: ftp://ftp.isc.org/isc/DHCP/DHCP-3.0B2PL18-SOLARIS-2.6 .tar.gz 5) SMTP: ftp://ftp.sendmail.org/pub/sendmail/6) SSL: ftp://ftp.openssl.org/source/7) IMAP / POP: ftp: // ftp. Cac.washington.edu/imap/8) Inn: ftp: //ftp.isc.org/isc/inn/inn-2.3.1.tar.gz 9) Linux mm: http://www.engelschall.com/ SW / MM / 10) Pine: ftp: //ftp.cac.washington.edu/pine/ 11) Samba: http://us1.samba.org/samba/download.html 12) OpenLDAP: http: // www .openldap.org / Software / Download / 13) PostgreSQL DB: fTP: //ftp.postgreSQL.ORG/Pub/1) Squid proxy: http://www.squid-cache.org/Versions/ 15) Apache: http : //httpd.apache.org/dist/1) MOD_SSL: http://www.modssl.org/source/17) Perl: http://perl.apache.org/dist/1PHP: http: / / www.php.net/downloads.php 19) mysqlhttp://www.mysql.com/downloads/mysql-3.23/mysql-3.25.13-pc-linux-gnu-i686.tar.gz

20) sXid: ftp://marcus.seva.net/pub/sxid/
21) Tripwire: http://www.tripwiresecurity.com/downloads/index.cfml?DL=ASR&
22) GnuPG: http://www.gnupg.org/download.html

Part 4: Summary
There is no absolutely secure network system. Network information confrontation is a long-term research topic; security problems are many and varied, and they change as technology changes. Hackers' intrusion techniques keep improving, so security protection must keep up with them. It is very important to keep a correct understanding of the subject, to follow the latest security issues and to keep improving the security strategy. This prevents most network intrusions and keeps economic losses to a minimum.

Part 5: Appendix

5.1 The FreeBSD series
FreeBSD is a very secure operating system. Because its source code is freely available, this OS has been hardened and improved over a long time. Although FreeBSD is very secure, there are still some steps that strengthen it further, and this how-to will teach you some of them to improve the overall security of your machine.

5.1.1 Network

5.1.1.1 inetd (the Internet daemon)
The network plays a very important role in system security. FreeBSD is built on the networking code of 4.4BSD and has the most stable and fastest TCP/IP stack. This stack supports many protocols such as telnet, FTP, talk, rsh and so on. The main configuration file for these services is /etc/inetd.conf. To edit this file, type "vi /etc/inetd.conf" (in this example I use vi; you can use whatever editor you are more comfortable with, perhaps pico). If you use pico, add the -w option when starting it: -w turns off automatic line wrapping (so a line may be longer than 80 characters), which is very useful when editing /etc/inetd.conf. Of course you can also use ee, which comes "from the factory" with FreeBSD and is root's default editor; confirm this with "echo $EDITOR".
When you open this file you can see how each service is started and which user it runs as (man 5 inetd.conf). Since this file is the main configuration file for many Internet services, it is very important. To turn off a service, just put a "#" in front of its line. The basic idea is to turn off the services you are not familiar with: if you don't know what a service is, or what it can do, you don't need it. Ideally you would not have to enable any service at all. For example, suppose your machine only needs to run a web server. In that case you only have to enable SSH and httpd. What SSH is will be explained below. If you don't want to run any of these services, the most straightforward method is to turn off inetd altogether. That is simple: edit /etc/rc.conf and change inetd_enable="yes" to inetd_enable="no". Then nobody can telnet, rlogin or FTP into the computer. If you decide to keep inetd running, remember to enable its log option and raise the limit on the number of invocations per minute (the default is 256; I recommend raising it to 1024; see the explanation below). Why do this? For modem users or users on slow leased lines it makes no difference. On a high-speed line, however, a limit that is too low makes a denial-of-service (DoS) attack too easy.

A malicious user could simply use a shell script to open more than 256 connections, and the service would be shut down as a result. In other words, if you want a reasonable number of connections to be accepted per minute, remember to make the following change, or your machine can be taken down. Below the line inetd_enable="yes", change:

    inetd_flags=""

to:

    inetd_flags="-l -R 1024"

This logs connection attempts (the -l parameter) and raises the maximum number of invocations per minute from the default 256 to 1024. You also have to make some changes to /etc/syslog.conf; these are covered later.

5.1.1.2 SSH
In the cases mentioned below you do not need to run inetd at all. For example, if you only run a web, news or NFS server, there is no need to run other services on your machine. But you will ask, "then how do I control my machine?!" Well, that is where SSH comes in. You can log in to your machine through SSH (Secure Shell). Secure Shell was originally designed to replace rsh, rlogin and the other Berkeley r* commands. I believe you will soon see how useful SSH is and start using it in place of programs like telnet and FTP. SSH has many functions, but the best known is its encrypted communication, which prevents your password and data from travelling over the network in the clear. If you use telnet, your communication can be "eavesdropped": the data in transit can be changed, and the contents can be read. (Can't that be solved? Unfortunately, SSH still has its own problems with sessions being broken into by injected connections.) I hope you will turn off inetd completely and use SSH. If you think that is completely impossible because some services must be enabled, then enable the log function and raise the number of invocations of the same service allowed per minute (for the reason mentioned above). You can download SSH from ftp://ftp.funet.fi/pub/unix/security/login/ssh.
If you want a simpler method:

    # cd /usr/ports/security/ssh
    # make install

5.1.1.3 inetd (part II)
OK, you still insist on using inetd. Then let's look at the options in inetd.conf that can improve your system security. Before attacking a system, an attacker first collects information about it. For telnetd, you can add -h after telnetd:

    telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd -h

From the telnetd man page: -h disables the printing of host-specific information before login has been completed. Since there are many ways to obtain system information, this trick is a good countermeasure. If you think the telnet daemon is not necessary at all, just put a "#" in front of the line:

    #telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd

telnetd has another very good measure: it can refuse connections from hosts without a full FQDN. To do this, add the -U option to telnetd:

    telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd -h -U

This is a small change, but it is a great help to your system security.

5.1.1.4 ftpd
Now let's look at FTP. FreeBSD already enables some logging for ftpd.

You can see that the ftpd line in /etc/inetd.conf already carries "-l". However, you still have to configure syslogd so that it accepts the log messages generated by the FTP daemon. From the man page you learn that each successful or failed FTP login attempt is logged through the LOG_FTP facility. If this option is specified twice, all downloads (get), uploads (put), file creations, deletions, directory creations and renames are logged together with the file names. Also: LOG_FTP messages are not logged by syslogd(8) by default; you have to enable this in the configuration file of syslogd(8). So let's turn on syslogd's logging of the ftpd messages. The file is /etc/syslog.conf (don't forget to read man 5 syslog.conf). Add the line below to the configuration file:

    ftp.*    /var/log/ftpd

Don't forget to run the command "touch /var/log/ftpd", because syslogd cannot write to a file that has not been created. If you want your ftpd to give you more log information, add another "-l" to the ftp line:

    ftp  stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -l -l

If you want to be sure your users use scp (secure copy, part of SSH) but still want to provide anonymous FTP service, just add "-A" after the ftp line:

    ftp  stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -l -A

You can also edit /etc/ftpwelcome to announce that only anonymous FTP logins are currently accepted and that users with accounts on the system have to use scp. If you run anonymous FTP, you can use the -S option to log the transfers:

    ftp  stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -A -S

5.1.1.5 fingerd
The finger service is also secure by default: it does not allow queries without a user name. This is a good thing (TM). However, some people don't want to run fingerd at all. In that case, simply put a "#" in front of its line.
Also, if you want to log who comes to finger, add "-l" so that the line becomes:

    finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd  fingerd -s -l

The log messages fingerd generates are written to /var/log/messages by default. If you want them in a specific file instead, add this line to /etc/syslog.conf (see man 5 syslog.conf):

    daemon.notice    /var/log/fingerd

Apart from FTP, telnet and finger you really don't need to enable anything in /etc/inetd.conf. Usually I turn off talk and comsat; I have no use for them. As I said before, if you don't know what a service is for, you don't need it, so turn it off. Some useful network-related man pages are: inetd, ftpd, telnetd, fingerd, syslogd, comsat, talkd, rshd, rlogind and inetd.conf. And remember to read the "See Also" part of each man page for more information.

5.1.1.6 IPFW (IP firewall)
IP Firewall does packet filtering. That's right, just that. However, what you have to consider is that your kernel must support IPFW.
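Sections 5.1.1.3 to 5.1.1.5 above review /etc/inetd.conf by hand: comment out what you do not need, and start telnetd with -h and -U, ftpd with -l and fingerd with -l. As an added example, not code from the original how-to, the POSIX shell script below does that review mechanically, so it can be re-run after every upgrade of the base system. The inetd.conf it parses is a constructed sample in the FreeBSD layout (service, socket type, protocol, wait/nowait, user, program, arguments); the set of flags it checks is exactly the one recommended in the text, and the file path is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original how-to): review an inetd.conf in
# the FreeBSD layout and check the hardening flags recommended in 5.1.1.3 to
# 5.1.1.5. The configuration written by write_sample_inetd_conf is constructed
# for this demonstration; audit a real system with audit_inetd_conf /etc/inetd.conf.

# Write a constructed sample inetd.conf to the file $1.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on a FreeBSD /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd      ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd   telnetd -h
#shell  stream  tcp     nowait  root    /usr/libexec/rshd      rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind   rlogind
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd   fingerd -s
#talk   dgram   udp     wait    root    /usr/libexec/ntalkd    ntalkd
EOF
}

# Print the name of every service that is enabled (not commented out) in $1.
# The "fewer is better" rule from the text applies to this list.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Check whether the enabled service $2 in file $1 is started with flag $3.
# Returns 0 if the flag is present or the service is disabled, 1 (and prints a
# finding) if the service is enabled without the flag. "$1 = $1" in awk
# normalises the whitespace so the flag can be matched as a separate word.
check_flag() {
    line=$(awk -v svc="$2" '!/^[[:space:]]*#/ && $1 == svc { $1 = $1; print }' "$1")
    [ -n "$line" ] || return 0          # disabled service: nothing to check
    case " $line " in
        *" $3 "*) return 0 ;;
        *) echo "$2 is enabled without $3"; return 1 ;;
    esac
}

# Run the checks from the text: telnetd -h and -U, ftpd -l, fingerd -l.
# Prints one finding per line and returns 1 if there was any finding.
audit_inetd_conf() {
    n=0
    check_flag "$1" telnet -h || n=$((n + 1))
    check_flag "$1" telnet -U || n=$((n + 1))
    check_flag "$1" ftp -l    || n=$((n + 1))
    check_flag "$1" finger -l || n=$((n + 1))
    [ "$n" -eq 0 ]
}
```

On the constructed sample the audit reports two findings, telnet without -U and finger without -l, and lists ftp, telnet and finger as the enabled services; the commented-out rsh, rlogin and talk lines are skipped, which is the "if you don't know what it is, turn it off" state the text recommends.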

Usually, on the machines I manage, I rebuild the kernel with IPFW support. The options look like this:

    options IPFIREWALL                     # firewall
    options IPFIREWALL_VERBOSE             # log the net
    options IPFIREWALL_DEFAULT_TO_ACCEPT

The first line is the most important one: IP firewall support. The second line lets IPFW log the packets it accepts or rejects. The third line is also important: it makes IPFW accept packets from anywhere by default. Without it, the default is to reject packets from anywhere. I prefer the latter, but I think rejecting every packet by default is not a good thing on my own workstation, or on a workstation I log in to. If you don't know what you are doing, don't use this option. It is not the right way to set up a firewall; the right way is to deny everything by default. If you want to build a high-security system, or a firewall, do not add this option:

    options IPFIREWALL_DEFAULT_TO_ACCEPT

Remember one thing: deny all packets by default, then add rules for the packets you want to accept. See /etc/rc.firewall for more information. Once again, don't use this option unless you only want to block DoS attacks or temporarily ban some port or network.

5.1.1.7 log_in_vain
You can also change some useful system variables with the sysctl command:

    # sysctl -w net.inet.tcp.log_in_vain=1
    # sysctl -w net.inet.udp.log_in_vain=1

This logs connection attempts to services your machine does not run. For example, if you don't run a DNS server on your machine and someone sends it a DNS request, you will see:

    Connection attempt to UDP yourip:53 from otherip:X

(X is some high port number.) You can see this line with the "dmesg" command; dmesg shows the system's kernel message buffer.
However, the buffer has limited space, so the system also writes these messages to /var/log/messages:

    # tail -1 /var/log/messages
    Jun 12 19:36:03 ugh /kernel: Connection attempt to UDP yourip:53 from otherip:X

5.1.1.8 Final notes
In theory your system is now safer than when you installed it. You can do a few things now to check its current state:

    $ netstat -na | grep LISTEN

tells you which ports have services listening on them. The fewer, the better :). Then run some other port scanner (strobe, nmap) to find out what you have left open. To make sure syslogd has started logging the events you asked for, do this:

    # cd /var/log
    # tail -10 fingerd ftpd messages

If you see nothing in the log files, remember to restart inetd and syslogd:

    # kill -HUP `cat /var/run/syslog.pid` `cat /var/run/inetd.pid`

5.1.1.9 File system
Since Unix treats everything as a file, protecting your file system is very important. There is something to do before you even install the operating system: you must plan and design how to partition your disks. There are a few important reasons for this: one is that you can mount the different file systems with different options (there are several examples below).

Another is that if you want to export your file systems, you get finer control. If you are a user moving from Linux to FreeBSD, you will find that Linux puts everything in the root partition "/", whereas FreeBSD by default uses "/", "/usr" and "/var". This also makes it easy to use tools like dump. Let's talk about security! What I usually do is split off the partitions that are normally written to, so that those partitions can be mounted with "nosuid". From the mount man page: nosuid makes the set-user-ID and set-group-ID bits ineffective; for programs like suidperl, set this option. So you will have a separate partition for /home or /usr/home. Then you can move /tmp onto /var/tmp:

    # rm -rf /tmp
    # ln -s /var/tmp /tmp

You can use this example:

    # cat /etc/fstab
    # Device        Mountpoint    FStype   Options     Dump  Pass#
    /dev/sd0s1b     none          swap     sw          0     0
    /dev/sd0s1a     /             ufs      rw          1     1
    /dev/sd0s1g     /usr          ufs      rw          2     2
    /dev/sd0s1h     /usr/home     ufs      rw          2     2
    /dev/sd0s1f     /var          ufs      rw          2     2
    /dev/sd0s1e     /var/tmp      ufs      rw,nosuid   2     2
    proc            /proc         procfs   rw          0     0

Now you can be sure that the file systems ordinary users can write to are mounted "-nosuid". However, there may still be other writable places; now you have to care about "/var/spool/uucppublic". You can either mount "/var" with "-nosuid", or run this command:

    # chmod o-w /var/spool/uucppublic

To find all your world-writable directories, run:

    # find / -perm -0777 -type d -ls

As the man page says, programs with SUID/SGID defeat your nosuid. Find the SUID or SGID programs:

    # find / -perm -2000 -ls
    # find / -perm -4000 -ls

At the same time you will learn which programs they are. You can "chmod 000" the programs that are not very useful to you, like uustat, uucico and so on if you never use UUCP, or ppp and pppd if you never use them. Also, if you never print, chmod 000 lpr and lpd as well! Maybe someone will write a shell script that asks you what to chmod 000.
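The fstab above mounts /var/tmp nosuid but leaves /usr/home with plain "rw", and /tmp is only a symlink into /var/tmp. As an added example, not code from the original how-to, the POSIX shell script below checks an fstab for exactly that: for each mount point the caller names as user-writable, it reports whether the entry is missing nosuid or is not a separate file system at all (and so inherits the parent's suid behaviour). The fstab it parses is constructed from the one in the text; which mount points count as user-writable is an assumption passed in by the caller.

```shell
#!/bin/sh
# Added example (not part of the original how-to): check an fstab for the
# nosuid layout described in 5.1.1.9. The fstab written by write_sample_fstab is
# constructed from the one in the text; on a real system run
#   audit_nosuid /etc/fstab /usr/home /var/tmp
# (if /tmp is a symlink to /var/tmp as the text suggests, check /var/tmp).

# Write a constructed sample fstab to the file $1.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the fstab in the text
# Device        Mountpoint      FStype  Options         Dump    Pass#
/dev/sd0s1b     none            swap    sw              0       0
/dev/sd0s1a     /               ufs     rw              1       1
/dev/sd0s1g     /usr            ufs     rw              2       2
/dev/sd0s1h     /usr/home       ufs     rw              2       2
/dev/sd0s1f     /var            ufs     rw              2       2
/dev/sd0s1e     /var/tmp        ufs     rw,nosuid       2       2
proc            /proc           procfs  rw              0       0
EOF
}

# Print "mountpoint options" for every non-comment entry of fstab $1.
fstab_mounts() {
    awk '!/^[[:space:]]*#/ && NF >= 4 { print $2, $4 }' "$1"
}

# Exit status: 0 if mount point $2 in fstab $1 is mounted nosuid, 1 if it is a
# separate file system without nosuid, 2 if it is not a separate file system
# at all (it then inherits the mount options of its parent file system).
has_nosuid() {
    opts=$(fstab_mounts "$1" | awk -v mp="$2" '$1 == mp { print $2 }')
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each user-writable mount point ($2 ...) that is not a nosuid file
# system in fstab $1. Prints one finding per line; returns 1 if there was any.
audit_nosuid() {
    fstab=$1; shift
    found=0
    for mp in "$@"; do
        if has_nosuid "$fstab" "$mp"; then
            continue
        else
            # $? here is the exit status of has_nosuid
            case $? in
                1) echo "$mp: separate file system but not mounted nosuid" ;;
                2) echo "$mp: not a separate file system (inherits parent options)" ;;
            esac
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}
```

Run against the sample with /usr/home, /var/tmp and /tmp as the user-writable areas, the audit passes /var/tmp and reports the other two; adding "nosuid" to the /usr/home entry clears the first finding, and pointing the check at /var/tmp instead of the /tmp symlink clears the second.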
Now you may ask: what stops an attacker from remounting your filesystems without "nosuid"? Well, nothing, unless you raise your securelevel.

5.1.1.10 Securelevel

The FreeBSD kernel has a concept called securelevel. Some people argue that this mechanism alone is enough to stop most "script kiddiez". The securelevel is the security level the kernel is running at; each level adds its own protections and checks. From the init(8) man page: the kernel runs with four different levels of security. Any superuser process can raise the security level, but only init can lower it.

The four levels are:

-1  Permanently insecure mode: always run the system in level 0 mode.
 0  Insecure mode: the immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.
 1  Secure mode: the immutable and append-only flags may not be turned off; filesystems, /dev/mem and /dev/kmem may not be opened for writing.
 2  Highly secure mode: same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This prevents a filesystem from being corrupted while it is being unmounted, and also prohibits running newfs(8) while the system is multi-user.

If the security level is initially -1, init leaves it unchanged. Otherwise init runs at level 0 in single-user mode and raises the level to 1 when going multi-user. If you want multi-user mode to run at a different level, go to single-user mode first, edit /etc/rc, and change the sysctl call there. If your system only runs a web server, you can safely set the securelevel to 2. But if you run an X server, securelevel 1 or higher will cause problems, because the X server must write to /dev/mem and /dev/kmem, which securelevel 1 forbids. One workaround is to raise the securelevel after starting the X server. But my opinion is that if you run an X server you have other security issues to worry about before securelevel.

This command shows your current securelevel:

# sysctl kern.securelevel

To raise it:

# sysctl -w kern.securelevel=X

where X is 0, 1 or 2. Note that you will run into problems when you "make world",
because "make install" sets the immutable flag on the kernel:

# ls -lo /kernel
-r-xr-xr-x  1 root  wheel  schg  1061679 Jun 30 01:27 /kernel

The "schg" flag will prevent you from installing a new kernel:

nfr# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem)
nfr# sysctl kern.securelevel
kern.securelevel: 2
nfr# rm -rf /kernel
rm: /kernel: Operation not permitted

nfr# mv /kernel /tmp/
mv: rename /kernel to /tmp//kernel: Operation not permitted

At securelevel 1 or 2 the schg flag cannot be removed either:

# chflags noschg /kernel
chflags: /kernel: Operation not permitted

Worth mentioning: /boot.config can change system settings at boot time. To keep it from being tampered with, do this:

# touch /boot.config
# chflags schg /boot.config

You can see which executables the system sets schg on by default:

# ls -lo /sbin | grep schg
-r-x------  1 bin   bin   schg  204800 Jul 19 20:38 init
# ls -lo /bin | grep schg
-r-sr-xr-x  1 root  bin   schg  192512 Jul 19 20:36 rcp

Back to locking down the system! Since I just mentioned the immutable flag, why not set schg on the whole of /sbin and /bin? This gives whoever cracks your system a small setback (assuming the system is also running at an appropriate securelevel):

# chflags schg /bin/*
# chflags schg /sbin/*

However, /sbin itself could be renamed and a new /sbin created in its place, so setting schg on the /bin and /sbin directories as well is a very reasonable idea:

# chflags schg /bin /sbin

This will cause problems when you "make world" ("make installworld" too). In any case it is best to "make world" in single-user mode. For why, see this web page about "make world": http://www.nothing-going-on.demon.co.uk/freebsd/make-world/make-world.html

Now you have properly locked down your system: only the necessary services run, the filesystems are mounted with appropriate options, and the kernel runs at a suitable securelevel. The relevant man pages are init(8), chflags(1) and sysctl(8).

5.1.1.11 Logging

System logging is important. If your machine is attacked, the logs are where you will find the traces. Standard UNIX logging is done by syslogd(8). It is started from /etc/rc and runs until the system shuts down.
You can check whether syslogd is running on your system:

$ ps -axu | grep syslogd

syslogd reads /etc/syslog.conf when it starts. This file is very important because it tells syslogd what to log and where to put it. You may want to read the man pages:

$ man syslogd; man 5 syslog.conf

syslogd can also receive log messages from other machines over the network, and can send its own records to other computers. Of course I want it to record everything that happens on my system, and that is the default. But syslogd uses UDP, so messages can be forged. There is at least one thing you can do: don't let your syslogd accept log messages from other computers.

Add "-s" to syslogd_flags in /etc/rc.conf:

syslogd_flags="-s"    # Flags to syslogd (if enabled).

If you do need to accept records from specific machines (your router, or a web server), use "-a" to specify the allowed hosts, domains or subnets. The next time you reboot, syslogd will refuse log messages from anywhere else, and will log it if someone tries to send them. If you don't want to reboot, kill syslogd and start it again as root, remembering to add "-s".

If someone attacks your system and fails, your logs won't have been forged. But if your system has been compromised and /var/log wiped out... There are ways to guard against that. One is to dedicate a machine on your network to recording what happens on the entire network and nothing else, with no port open other than UDP 514. This lets you collect the logs of all your machines (routers, firewalls, servers, workstations); you can send only the sensitive messages, or anything you think is important. This machine can be an old 486, but with a big hard disk. Remember to set the "-a" option correctly so you are not flooded with forged records. You can also attach an old dot-matrix printer to it and print sensitive events (like failed login attempts): if the log is on paper, an attacker will have a hard time erasing it. There are other methods, such as sending records to another machine over a serial port (cuaa*) or the parallel port (lp*).

Everyone has different logging needs, but one thing I usually do is add this line to /etc/syslog.conf:

auth.*    /var/log/authlog

FreeBSD ships with newsyslog, which compresses log files and removes old ones. You configure it in /etc/newsyslog.conf; see the man page for more information:

% man newsyslog

Unlike syslogd, newsyslog is not a daemon.
It is run from crontab:

% grep newsyslog /etc/crontab
0  *  *  *  *  root  /usr/sbin/newsyslog

You can modify /etc/newsyslog.conf to suit your needs. I usually change the default file mode from 664 to 660, because there is no need to let ordinary users read your system logs. Do the same for the existing files:

# cd /var/log
# chmod g-w,o-r *; chmod a+r wtmp

This prevents ordinary users from reading the log files unless they are in the appropriate group (wheel or similar). Also, remember to change the group of the log files to wheel; this is purely for convenience: if you are in group wheel you can of course su(1) to root and read the logs, but after this you can read them directly. Isn't that convenient!? You still have to put "root.wheel" into newsyslog.conf:

/var/log/maillog    root.wheel  640  7  100  *  Z
/var/log/authlog    root.wheel  640  7  100  *  Z
/var/log/messages   root.wheel  640  7  100  *  Z

This rotates each log when it reaches 100K: the old file is compressed and numbered, the mode set to 640, the owner set to root.wheel, and the oldest copy removed (7 are kept), which is what we want.
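As an added example of the log review this section is about (not part of the original article), the following POSIX shell functions pull out of syslog output the events a practitioner actually looks for: connection attempts logged by the kernel (the message shown in 5.1.1.8) and authentication failures, after dropping known-benign noise the way logcheck's ignore list does. The log lines are constructed for this example; the login, su and sshd message formats are assumptions in the style of BSD's, not a promise of what your syslogd writes. On a real host you would run `report_log < /var/log/messages` (or authlog) from cron and mail the output when the exit status is non-zero.

```shell
#!/bin/sh
# Added example: a minimal logcheck-style pass over syslog lines.
# LOG_SAMPLE is constructed for this example (message formats are assumptions).

LOG_SAMPLE='Jun 12 19:36:03 ugh /kernel: Connection attempt to UDP yourip:53 from otherip:1234
Jun 12 19:40:11 ugh login: 2 LOGIN FAILURES ON ttyv0, root
Jun 12 19:41:02 ugh sshd[214]: Failed password for root from 10.0.0.5 port 1022 ssh2
Jun 12 19:42:30 ugh newsyslog[220]: logfile turned over
Jun 12 19:45:00 ugh su: BAD SU alice to root on /dev/ttyp0
Jun 12 19:46:10 ugh /kernel: Connection attempt to TCP yourip:23 from otherip:1045
Jun 12 19:47:00 ugh syslogd: restart'

# Extended regular expressions for the two event classes.
PORTSCAN_RE='Connection attempt to (TCP|UDP)'
AUTHFAIL_RE='LOGIN FAILURE|Failed password|BAD SU'
# Known-benign noise to drop before counting (logcheck's "ignore" idea).
IGNORE_RE='newsyslog\[[0-9]+\]: logfile turned over|syslogd: restart'

# count_matches RE: number of stdin lines matching RE (prints 0 rather than
# failing when nothing matches, since grep -c exits 1 in that case).
count_matches() {
    grep -Ec -e "$1" || true
}

# report_log: read syslog on stdin, print "portscan N" and "authfail N",
# return non-zero when anything suspicious was seen (handy from cron).
report_log() {
    lines=$(grep -Ev -e "$IGNORE_RE") || true
    p=$(printf '%s\n' "$lines" | count_matches "$PORTSCAN_RE")
    a=$(printf '%s\n' "$lines" | count_matches "$AUTHFAIL_RE")
    printf 'portscan %s\nauthfail %s\n' "$p" "$a"
    [ "$p" -eq 0 ] && [ "$a" -eq 0 ]
}

# scan_sources: count kernel connection-attempt lines per source host so that
# repeat offenders stand out (the "from HOST:PORT" part of the message).
scan_sources() {
    grep -E -e "$PORTSCAN_RE" | sed 's/.* from \([^:]*\):.*/\1/' | sort | uniq -c | sort -rn
}

# Demo; on a real host:  report_log < /var/log/messages || mail root
printf '%s\n' "$LOG_SAMPLE" | report_log || echo "suspicious events found"
printf '%s\n' "$LOG_SAMPLE" | scan_sources
```

Keep the ignore list short and specific: every pattern added to IGNORE_RE is a message class an attacker can hide in.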

Of course, there are other syslog programs to choose from besides the standard one. One is ssyslog (Secure Syslog) from Core SDI: http://www.core-sdi.com/English/Corelabs/ssyslog/download.html  There is also nsyslog (new syslog), by the people behind bpfilter: http://cheops.anu.edu.au/~avalon/nsyslog.html  Whichever you use (standard syslog, ssyslog or nsyslog), you should also look at programs that analyze the system logs for you and save you the trouble of grepping through log files. One is logcheck: http://www.psionic.com/abacus/abacus_logcheck.html  A similar program is logsurfer: http://www.cert.dfn.de/eng/team/wl/logsurf/

5.1.2 Misc. Hints and Tips

5.1.2.1 LKM

You may want to turn off loadable kernel modules on a production system. Why? See Phrack Magazine Volume 7, Issue 51, September 01, 1997, article 09. To turn off LKMs, add this line to the kernel configuration file:

options NOLKM

5.1.2.2 Portmap

FreeBSD's default enables portmap. If you don't need it, turn it off: if you don't run any programs that use RPC, you don't need portmap. To turn it off, change this line in /etc/rc.conf:

portmap_enable="YES"    # Run the portmapper service (or NO).

to

portmap_enable="NO"     # Run the portmapper service (or NO).

5.1.2.3 Sendmail

FreeBSD's default also runs sendmail. Sendmail has long been known for its insecurity and vulnerabilities. Recently people have worked hard to clean it up, but because sendmail is a very large program, catching every bug is quite hard. In other words: if you don't need it, turn it off.
If you really need it, check sendmail's website for new patches or hacks: http://www.sendmail.org. Also, if your sendmail is version 8.8 or later, configure it so that spammers cannot abuse your system. Anti-spam information is at http://www.sendmail.org/antispam.html. To turn sendmail off, modify /etc/rc.conf (yes, that file again):

sendmail_enable="YES"   # Run the sendmail daemon (or NO).

to

sendmail_enable="NO"    # Run the sendmail daemon (or NO).

5.1.2.4 Ports and packages

On a high-security system it is best not to use ports or packages. You won't really know what gets installed on your system, and you won't want more suid programs than you already have, believe me.

Although pkg_add has options (such as "-v" or "-n") that show what it is going to do, it is best to go back to basics: grab the source code, read it, and install it by hand.

5.1.2.5 Filesystem Quota

If your system is a "shell" server, you may want to set user quotas (disk space limits). This protects your system from denial-of-service attacks, intentional or unintentional: on a system without quotas, any user can fill up your hard disk. To enable quotas, change this line in /etc/rc.conf:

check_quotas="NO"     # Check quotas (or NO).

to

check_quotas="YES"    # Check quotas (or NO).

See these man pages, which explain how to set quotas and give examples: quotaon, edquota, repquota, quota. Also make sure the filesystem has the "userquota" option in /etc/fstab; see man 5 fstab for details.

5.1.2.6 crontab

If you use /etc/crontab, it may give an intruder additional information about your system. Make sure you have done "chmod 640 /etc/crontab".

5.1.2.7 BPF

BPF is short for Berkeley Packet Filter. To use it you must build it into the kernel, and it is what allows listening on the network. tcpdump and NFR use BPF, but so do the sniffers for BSD. If someone gets root on your system, a kernel with BPF makes it easier for them to sniff your network. Unless you need it, don't configure BPF in the kernel. FreeBSD's default kernel has it off.

5.1.2.8 CVSup, CVS, etc.

If you installed from CD-ROM, it is very likely that some programs had bugs fixed after the CD-ROM was cut. In most cases (we hope) these bugs are not security-related. Nevertheless, I suggest upgrading your system to the latest -current (or -stable, depending on your preference) version,
so that your system is built from the latest source. The information you need is here: http://www.freebsd.org/handbook/handbook264.html#508  After updating the source you must "make world"; details at http://www.nothing-going-on.demon.co.uk/freebsd/make-world/make-world.html

5.1.2.9 SSH

It cannot be stressed enough: use ssh instead of telnet, ftp, rlogin, rsh and friends. For people on slow lines (dial-up, 56K modems) ssh has the -C option: -C compresses all data before transmission, including stdin, stdout, stderr and forwarded X11 and TCP/IP connections. The compression algorithm is the same as gzip's, and the level can be specified. This is good for modem users on slow lines, but for people with fast links it will only slow things down. You can set the default per host in the configuration file; see ssh's documentation. In short: ssh is right! Please, please, use ssh.

If you are stubborn and refuse to believe in evil, no security measure can help you!!

5.1.2.10 Related URLs

1) FreeBSD Hardening Project: http://www.watson.org/fbsd-hardening/
2) FreeBSD IPFW Configuration Page: http://www.metronet.com/~pgilley/freebsd/ipfw
3) FreeBSD Security Advisories: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/
4) FreeBSD Security Web Page: http://www.freebsd.org/security/security.html
5) Security Tools in FreeBSD: http://www.samag.com/archive/0705/feature.html

5.2 SCO Series

5.2.1 User management is the prerequisite of network security

User management has always been one of the most important links in system security management. No attack over the network is possible without a legitimate username and password (back doors opened by network applications excepted). However, most system administrators pay attention to managing privileged users and neglect ordinary users: they set up the user's working hours, user ID, groups and file privileges, and leave gaps that an illegal user can use to steal information and damage the system. UNIX users in financial systems are end users; they only need to work inside a specific application, completing fixed tasks, and generally do not need to run system commands (a shell). Take the national electronic remittance system of the Agricultural Bank as an example. The username is dzhd, described in /etc/passwd as:

dzhd:x:200:50::/usr/dzhd:/bin/sh

Its .profile is roughly:

COBSW="R N Q-10"
DD_PRINTER="lp -s"
PATH=/etc:/bin:/usr/bin:$HOME/bin:/usr/dzhd/obj:
MAIL=/usr/spool/mail/$LOGNAME
umask 007
eval `tset -m ansi:ansi -m :\?ansi -r -s -Q`
export PATH MAIL COBSW DD_PRINTER
cd /usr/dzhd/obj
runx hdg
exit

When such a user logs in, if he presses the interrupt key ("Delete"), switches the terminal off and on again, or types Ctrl-\ (quit), he drops out of the application into the shell. For example, he can create subdirectories under his own directory endlessly, or run "yes > aa" to create an enormous junk file and exhaust the disk, crashing or paralysing the system; if filesystem permissions are lax he can run, peek at or even modify files; he can obtain higher privileges through commands; he can log in to other hosts and make trouble there... It is very hard to guard against. The problem comes from how the user is set up, so avoid setting users up in the form above. If you must, then according to actual needs change the login shell to a restricted shell such as rsh:

dzhd:x:200:50::/usr/dzhd/obj:/bin/rsh

or use this form:

dzhd:x:200:50::/usr/dzhd:./main

and put this at the head of main (or .profile):

trap '' 0 1 2 3 5 15

Then all of the problems above can be avoided.
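Added example, not from the original article: a shell function that does the periodic /etc/passwd review this section calls for, flagging application accounts that still have a full shell (the dzhd form above), extra uid-0 accounts, and accounts that are not in a list the administrator maintains. The passwd entries and the KNOWN_USERS list are constructed for the example; treating uid 200 and above as end-user accounts mirrors the dzhd entry and is also an assumption. On a real SCO host you would run `audit_passwd < /etc/passwd` from cron and diff the output against the previous run.

```shell
#!/bin/sh
# Added example: periodic /etc/passwd audit. All sample entries are constructed.

PASSWD_SAMPLE='root:x:0:0:Superuser:/:/bin/sh
bin:x:2:2:bin:/bin:
uucp:x:5:5:uucp:/usr/lib/uucp:/usr/lib/uucp/uucico
dzhd:x:200:50::/usr/dzhd:/bin/sh
dgxt:x:201:50::/usr/dgxt/obj:/bin/rsh
backdoor:x:0:50::/tmp:/bin/sh
guest:x:202:50::/usr/guest:./main'

# Accounts the administrator expects to see (assumption for this example).
KNOWN_USERS="root bin uucp dzhd dgxt guest"
# Uids at or above this are end-user/application accounts (assumption).
APP_UID_MIN=200

# audit_passwd: read passwd lines on stdin and print one finding per line:
#   uid0 USER        a non-root account with uid 0 (a classic back door)
#   unknown USER     an account that is not in KNOWN_USERS
#   fullshell USER   an application account with an unrestricted shell
audit_passwd() {
    awk -F: -v known="$KNOWN_USERS" -v minuid="$APP_UID_MIN" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $3 == 0 && $1 != "root"                      { print "uid0", $1 }
        !($1 in ok)                                  { print "unknown", $1 }
        $3 >= minuid && $7 ~ /^\/bin\/(sh|csh|ksh)$/ { print "fullshell", $1 }
    '
}

# Demo; on a real host:  audit_passwd < /etc/passwd
printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
```

An account whose shell is a restricted shell or an application launcher (rsh, ./main) produces no finding, which is exactly the form this section recommends.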

In addition, check your /etc/passwd file periodically for unknown users and for users' privileges; change passwords regularly, especially those of accounts like uucp and bin, to prevent someone from opening a skylight here, that is, an account they can come and go through; delete all dormant users; and so on.

5.2.2 Setting up your own network environment

Preventing illegal access over the network is a common concern. telnet, ftp, rlogin, rcp, rcmd and the other network commands are the usual tools, and their use must be restricted. The simplest way is to change the corresponding port numbers in /etc/services. But that rejects everything from outside without exception. This kind of sealing yourself off is not worth promoting, because it isolates this site from the outside world and inconveniences you as well. From our analysis of the UNIX system, we believe conditional (allow-listed) network access is the right approach.

5.2.2.1 Create /etc/ftpusers (the unwelcome FTP user table)

The related command is ftp. The file looks like this:

# user name
dgxt
dzhd
...

The above are some users of this unit; an intruder cannot use these usernames to ftp into the site.

5.2.2.2 Keep .netrc safe

.netrc (the remote login data file) is used by ftp. It contains the data used to log in to remote hosts for file transfer over the network. It usually resides in the user's home directory and its permissions must be 0600. Its format:

machine hostname login username password password
macdef init
  ftp commands...

5.2.2.3 Creating anonymous FTP

Anonymous FTP means that users of other hosts can send and receive data with this host through ftp or the anonymous user without any password.
The setup is as follows:

1) Create an ftp user with sysadmsh, shown in the passwd file as:

ftp:x:210:50::/usr/ftp:/bin/sh

with the PATH in its .profile set to: PATH=$HOME/bin:$HOME/etc

2) In the /usr/ftp directory:

# create the anonymous ftp directories
# mkdir bin etc dev pub shlib
# change the permissions of all directories except pub
# chmod 0555 bin etc dev shlib
# change the owner and group of the pub directory
# chown ftp pub
# chgrp ftp pub
# copy the executables anonymous ftp needs
# cp /bin/sh /bin/pwd /bin/ls bin
# set the required permissions on the executables
# chmod 0111 bin/*
# look at the pseudo-devices that are needed
# l /dev/socksys
# l /dev/null
# create the required pseudo-device nodes
# cd /usr/ftp/dev
# mknod null c 4 2
# mknod socksys c 26 0
# change the owner and group of the device nodes
# chown ftp /usr/ftp/dev/*
# chgrp ftp /usr/ftp/dev/*
# copy the shared library
# cp /shlib/libc_s shlib

Note: do not copy /etc/passwd or /etc/group into etc; that is a potential security threat. Also, give the ftp user a password and don't tell anyone.

5.2.2.4 Restrict .rhosts (the user equivalence file)

The related commands are rlogin, rcp, rcmd, etc. User equivalence means the user can log in to another host without entering a password. The file is .rhosts, stored in root's or the user's home directory. Its form:

# hostname   username
ash020000    root
ash020001    dgxt
...

If the username is empty, the entry applies to all users.

5.2.2.5 Restrict hosts.equiv (the host equivalence file)

The related commands are rlogin, rcp, rcmd, etc. Host equivalence is like user equivalence, but the file is valid between two computers. The file is /etc/hosts.equiv, of the form:

# hostname   username
ash020000
ash020001
...

When a remote user accesses the system with ftp, UNIX first verifies the username and password, then looks at ftpusers; if the username is listed there, the connection is rejected automatically. So we only need to list every user other than anonymous FTP in ftpusers; then even if an intruder obtains correct user information for this unit, he cannot log in. Information that needs to be released goes under /usr/ftp/pub, where remote users fetch it by anonymous FTP. Anonymous FTP with no password does not threaten the system, because it cannot change directory out of its tree and cannot obtain other information on this machine. Keep .netrc confidential to avoid leaking information about the other hosts it refers to. With user and host equivalence, a user can log in to the remote system as any valid user without a password, copy files from the local host with rcp, and execute commands on this unit's hosts with rcmd. So equivalence carries serious insecurity and must be strictly controlled, or used only in a very trusted environment. The famous "worm" found in the United States in 1988, written by a young man named Morris, spread over the Internet and brought down many UNIX systems, causing losses of billions of dollars; one of its main propagation methods was precisely user and host equivalence.
Careful use (best of all, no use) and frequent checks of the above files will effectively strengthen system security.

UNIX does not directly provide control over telnet. But we know that /etc/profile is the system-wide shell startup file, executed first whenever any user logs in. If we add a few shell commands to this file:

# set the interrupt traps
trap '' 0 1 2 3 4 5 15
umask 022
# get the login terminal name
DC="`who am i | awk '{print $2}'`"
# check whether this terminal is restricted (whole-line match, so that
# ttyp1 does not also match ttyp10)
grep "^$DC\$" /etc/default/aaa > /dev/null 2>&1
# if it is restricted
if [ $? = "0" ]
then
    echo "Please enter your password: \c"
    read ABC
    # get the correct password
    DD="`grep root /etc/default/aaa | awk '{print $2}'`"
    # warn the console about the illegal user
    if [ "$ABC" != "$DD" ]
    then
        echo "Illegal user!"
        echo "An illegal user is trying to log in!" > /dev/tty01
        logname > /dev/tty01
        # record it in the log file at the same time (append, so earlier
        # entries are not overwritten)
        echo "An illegal user tried to log in! \c" >> /usr/tmp/err
        echo $DC >> /usr/tmp/err
        logname >> /usr/tmp/err
        exit
    fi
fi

Here /etc/default/aaa is a text file listing the restricted terminal names, and the root line holds the password. Its contents are as follows:

root   typ2ttyp3
ttyp1
ttyp2
ttyp3
ttypa
ttypb
...

Then even an illegal user who has obtained a legitimate username and password cannot use it remotely. The system administrator should read the log file from time to time, watch the console messages, and take timely measures when illegal access occurs. If the above procedure is implemented in C so that the password is not echoed, the effect is even better.

5.2.3 Strengthening the confidentiality of important information

This mainly covers the hosts table, X.25 addresses, routing, the numbers of computers with modems attached and the type of communication software used, network usernames, and so on. These materials should be kept confidential and not spread casually. If you can have the telecom department treat the modem number as unlisted, it will not be published and not be available for inquiry. Because public or ordinary postal and switching equipment are involved, information may be tampered with or leaked through them.

5.2.4 Strengthening the management of important network devices

The router is a very important link in any network security plan. Most routers now have some firewall features, such as disabling telnet access and filtering by network segment. Correct access filtering on the router is a simple and effective means of limiting external access. Where conditions allow, you can also set up a gateway to isolate this site from other networks. Do not store any business data on the gateway, and delete every user except those the system needs for normal operation; this also enhances network security.

In short, as long as we start now, cultivate network security awareness, and pay attention to accumulating and learning from experience, it is entirely possible to ensure the security and normal operation of our information systems.


Please cite the original address when reposting: https://www.9cbs.com/read-10959.html
