Linux system depth security reinforcement

xiaoxiao2021-03-06  196

【简】

Linux system is not overlooked. However, the system is reinforced is not a very easy thing. The author of this article briefly introduces the deep security reinforcement of the Linux system.

★ Linux system depth

Safe reinforcement

AUTHOR:

Ayazero Drdos@163.com

Personal web -

http://overflow.nease.net

Team's Site -

http://ph4nt0m.net

Note: The following may not apply to some occasions, please

1. Install and upgrade

Try to use the latest Linux distribution, unplug the network cable before installation, disconnect the physical connection,

It is recommended to use a Custom customization method when installing.

Software package, the quantity is much better,

In general, the server is not necessary to install X-Windows,

Add password restrictions in the LILO / GRUB boot, prevent malicious users who can physically touch

Because Linux installation CDs of the RESCUE mode can skip this limit, so you have to give

BIOS plus password or server chassis lock

/ var, / home, / usr, / root, etc. Directory for independent physics

Partitioning, preventing spam and logs from filling hard drives to cause D.O.s attack.

A strong password is given the root account.

Upgrade the system software immediately with Up2date or APT, sometimes the upgrade kernel is also necessary, because the problem of kernel will also provide opportunities to attackers

APT is a powerful package management tool under Debian GNU Linux, or other versions of Linux.

2. Account

If the user in the system is more, edit /etc/login.defs, change the password policy

Unnecessarily accounts and groups in delete systems,

[root @ ayazero /] # Userdel -r username

If you don't open anonymous FTP, you can delete the FTP account.

The safest way is local maintenance, but unfortunately not realistic, but still need to limit ROOT remote access, and administrators can log in remotely with ordinary accounts.

Then SU ​​to root, we can add users using Su to increase security

Add the following two lines in the head of the /etc/pam.d/su file:

Auth sufficient /lib/security/pam_rootok.so debug

Auth Required /Lib/security/pam_wheel.so group = WHEEL

Then put the user who can perform SU in the WHEEL group

[root @ ayazero /] # Usermod -g10 admin

Edit / etc / securetty, comment out all console allowed to log in remote login, and then prohibit all console programs,

[root @ ayazero /] # rm -f /etc/security/console.apps/serviceName

Log in uses encrypted SSH, if the administrator logs only from a fixed terminal, it should restrict the scope of the legal SSH client.

Prevent sniffing and intermediary attacks

Collect the history record into zero, and hide what you have done as much as possible

[root @ ayazero /] # unset histfilesize

3. Service

At least the principle of service, all the services that you don't need are not commented

The service is not required in /etc/inetd.conf to add "#", and there is no inetd in the higher version to change to XINETD;

Cancel the automatic run service, the first letter of the service that does not need to run /tc/rc.d/rc3.d, the first letter of the first letter is renamed lowercase,

Or the service change in the GUI interface launched by the setup command If you want to be simple, you can use the two files of /etc/host.allow ketc/host.deny,

However, this article plans to use the IPTables firewall, so it is not described herein.

4. File system authority

Find all the procedures in the system that contain "S" bit, put unnecessary "S" bits, or directly delete it at all

[root @ ayazero /] # Find / -type f (-perm -04000 -o -perm -02000) -EXEC ls -lg {}

[root @ ayazero /] # chmod a-s filename

Prevent users from abuse and improve privileges

Plus important files with non-change properties

[root @ ayazero /] # chattr I / etc / passwd

[root @ ayazero /] # chattr I / etc / shadow

[root @ ayazero /] # chattr I / etc / gshadow

[root @ ayazero /] # chattr I / etc / group

[root @ ayazero /] # chattr I /etc/inetd.conf

[root @ ayazero /] # chattr i /etc/httpd.conf

...............................

Specifically, I doubt now

The invaders know this order,

Some exploit is overflow, write a statement to inetd.conf, bind shell listens on a port,

At this point, this command has played a role, and the shallow intruder will think that overflow is unsuccessful.

Find the files that do not have the owner in the system:

[root @ ayazero /] # Find / -nouser -o -nogroup

Find out anyone's file and directory:

[root @ ayazero /] # Find / -type f (-perm -2 -o -perm -20) -exec ls -lg {}

[root @ ayazero /] # Find / -Type d (-perm -2 -o -perm -20) -exec ls -ldg {}

Prevent intruders from writing it directly

Trojan statement, such as a copy of a shell) or inheritance of the main right to illegally access

Find out and reinforce those documents that have been used in invaders, such as .rhosts

Edit /etc/security/limits.conf, add or change, as follows:

* Hard Core 0

* HARD RSS 5000

* Hard NPROC 20

5. Banner camouflage

Intruders usually attack through operating systems, services and application versions,

The vulnerability list and attack programs are also classified here, so we need to make some hands and feet to increase the difficulty of intrusion.

Change / etc / Issue, because Reboot is reloaded, so edit /ECT/rc.d/rc.local

# This will overwrite / etc / issue at every boot. So, make any changes you

# Want to make to / etc / issue here or you will lose theme you reboot.

#echo ""> / etc / Issue

#echo "$ r" >> / etc / issue

#echo "kernel $ (uname -r) on $ a $ (uname -m) >> / etc / issue #

#CP -F / etc / Issue /etc/issue.net

#echo >> / etc / issu

Remove the "#" before the above line

Apache does not return version:

Apache's configuration file, find two Directive, modify the default properties: SERVERTOKENS and Serversignature

#ServertoKens Full

ServerToKens PROD <----------

#Serversignature on

Serversignature off <----------

Modify uname

Take out the source code of uname.c, find the following line

Print_Element (Print_sysName, Name.sysName); // Operating system name, Linux

Print_Element (Print_nodeName, Name.NodeName); // Host Name

Print_Element (Print_Release, Name.Release); // Release, such as: 2.4.20-18

Print_Element (Print_Version, Name.Version); //

Print_Element (Print_Machine, Name.machine); // Machine type, such as i686

Print_Element (Print_Processor, Processor); // Processor Type

Can be modified to

Print_Element (Print_SysName, "HP-UX");

.......

Compile replacement / bin / uname

Other services and program modifications can view their configuration files or source code

Don't change too much, otherwise you will bring you a lot of trouble to system management.

6. iptales firewall rules

Suppose our server Server1 runs apache, sshd (SSHD can be modified in the standard port, the configuration file can be modified)

Eth0 NIC connection Internet, Eth1 connection LAN, the administrator dials to Server2 at home (its private network IP is 192.168.0.12), then log in to Server1

[Roor @ ayazero root] # iptables -a input -i eth1 -s 192.168.0.12 -p TCP - Dport 22 -J ACCEPT

To prevent IP spoofings from possible, you can also bind Server2 network card address:

SH-2.05B # iptables -a input -i eth1 -s 192.168.0.12 --MAC-Source 01: 68: 4B: 91: CC: B7 -P TCP - Dport 22 -J ACCEPT

But it seems to be very little

Intrusioners can do this, and there is no use of value

[root @ ayazero root] # iptables -a input -i eth0 -p TCP - Dport 80 -J ACCEPT

[root @ ayazero root] # iptables -ainput -m state --state established, Related -j Accept

[root @ ayazero root] # iptables -a input -j drop

I know the "Port Redirection Reverse Pipeline" to cross the firewall.

This skill has been used to use too wide, and the harm is very large to fight against this difficult attack, we must pay for sacrificing certain ease of use.

[root @ ayazero root] # iptables -a output -o th0 -p tcp --Syn -j Drop

The above rules will block the TCP active connection from the inside out

In addition, the attack behavior of the document with TFTP or other clients will be very common,

Due to TFTP and some other tools depend on UDP, so I have to completely wipe it out.

[root @ ayazero root] # iptables -a output -o eth0 -p udp -j drop

PS: You need to temporarily remove these two rules when updating the system and debugging the network.

Because the essence of the invasion is the shell of the target operating system through the text or the graphical interface, the standard or non-standard port,

So, not only prevents the reverse pipe itself, but also immunized a lot of intrusion skills.

However, this is too harsh than a general system administrator!

Some attack countermeasures for iptables

SYN-FLOOD protection:

[root @ ayazero foo] # iptables -a forward -p tcp --syn -m limited --LIMIT 1 / S -J ACCEPT

FURTIVE Port Scanner:

[root @ ayazero foo] # iptables -a forward -p tcp --TCP-FLAGS SYN, ACK, FIN, RST RST -M LIMIT --LIMIT 1 / S -J ACCEPT

Ping of Death:

[root @ ayazero foo] # iptables -a forward -p ICMP --ICMP-TYPE ECHO-Request -m Limit --Limit 1 / S -J ACCEPT

In addition, iptables can also configure rules that make some scanning behaviors such as NMAP failure, should pay attention to:

The firewall is not universal. When an attacker is so crazy, don't expect your firewall to resist the flood of DDOS.

For more details about iptables, please refer to the Packet Filtering Howto of Rusty Russell.

7. Integrity check

TripWire is a more famous tool, which can help you determine if some important system files have been modified

Now there is always his open source version in the LINUX release, you can use some sensitive files in the default check object profile.

RPM MD5 check

[root @ ayazero rpm] # rpm -v

Use "Man RPM" to view the command help, "- v" parameter is used for MD5 check,

Note that the binary data file generated by the RPM check is hard.

Backup to prevent it from being modified

8. Scan it yourself

normal

Safety reinforcement is basically completed, now let us have a risk assessment of the system you do,

Recommended NESSUS LATEST VERSION [homepage: http://www.nessus.org]

(Since it is an open source from the head to the tail, it will continue to save costs here, huh, huh)

Maybe you feel that your system is no problem, but sometimes Nessus can still report some problems.

For example, a third-party webmail has certain security defects.

If there is no problem, there is a problem, let's go back and fix it.

9. Advanced Tips

The above measures are enough to make most intruders, the next part gives those who are extremely sensitive to safety.

The buffer overflow countermeasures are: StackGurad, StackShield, FormatGuard, HeapGuard, Pointguard and other compilation technology, but they need to recompile the source code, not only troublesome but also reduce system performance.

So here is intended to use the kernel patches that prevent the buffer overflow.

More familiar is the PAX kernel patch, which is mainly through the data area [HEAP / BSS / Stack] unforptive code to defend the direct override to return the address and jump to the data area to perform some of the exploit.

The PAX site seems to have access, but you can find a lot of PAX corresponding to the neighboring kernel with Google.

download

http://home.hetnet.nl/~ottolaander/pax/pax.html

跺啭 朱 朱:

OpenWall Project

http://www.openwall.com/linux/

Grsecurity

http://www.grsecurity.net

眕奻 朱 间 祥 夔 郘 垀 垀 衄 衄 衄 衄,,,,,,,, 垀,, 面 面 面 垀 衄,,

Nowadays on how to get rid of patch is very unmachammined, it is usually necessary to meet certain conditions.

Even if the program is written, the function, the file pointer is successfully covered, may also pass the "overflow results" to the attacker on this system - still can't get the shell or establish a connection

LIDS

Intrusion detection and protection system on Linux, kernel patches, providing enhanced access control through a larger RING0 permission than root,

Even the root can not change, existing information, not discussed here.

Site:

http://www.lids.org

LIDS and buffer overflow patches may not be compatible, welcome friends who know the truth tell me

10. Log Policy

Mainly to create a hard copy for intrusion related important logs, not even when the emergency response does not have the last black box.

You can redirect them to printers, adminunities, separate log servers and their hot backups.

11. Snort Intrusion Detection System

There is this necessary system for intrusion response and safety logs.

For a general system, if the administrator will not go to see a lot of logs,

Then it is like a chicken rib.

12. Final suggestion

Caring for Bugtraq

Vulnerability list

Subscribe to the safety announcement of the manufacturer

Diligent patch

Standing on the attacker's angle to think about how to defend

summary

Thoughts on attacks:

Suppose there is a technically superb intruder, with the ability of the underlying vulnerability of the self-excavation system,

He found a vulnerability of Apache and writing Remote Exploit,

This vulnerability has not yet appeared on bugtraq, in the "unknown" state.

If the intruder tries to attack our system,

He must be able to dig an Apache and a ROOT level remote overflow.

<1> Implantation code kill the httpd process in Shellcode, and binds the SH in the 80-port

<2> Reuse at 80 port

<3> Let Shellcode execute iptables -f output / input, provided that he guessed that there is such a thing

The above needs to overflow is the root permission, and it is possible to bypass the advanced Exploit of the PAX, and the Apach E will be automatically restarted.

If you want to attack SSHD, because iptables will discard all packages from the external network access SSHD, so even if there is a distance overflow (of course don't forget the PAX), this way is not

Other methods, if the script attack can get a clear text of the SSH user to log in to the SSH user, or use script defects to add system accounts, which not only requires system root privileges, but / etc / passwd has been chattr,

Meet the above conditions, and attack Server2, I hope to get the shell.

But the opportunity to improve the permissions is not big! Ordinary script attack is invalid, of course, if the system does not run the CGI, this path is even more

It is true that the invaders are likely to destroy your scripts on HTTP, but third-party web security is not in this article discussions.

The above conditions are surprising to most intruders, which can be said to be almost impossible.

But we also sacrificed a lot for this, and these measures rely on a certain environment.

Security and ease of use, need readers to find their balance points at their own point.

Full article:

Silicon Valley Power

转载请注明原文地址:https://www.9cbs.com/read-128550.html

New Post(0)