Summary: The security of a Linux system cannot be overlooked, but hardening a system is not an easy thing. The author of this article briefly introduces in-depth security hardening of the Linux system.
★ Linux System In-Depth Security Hardening
Author: Ayazero (Drdos@163.com)
Personal site: http://overflow.nease.net
Team site: http://ph4nt0m.net
Note: the following may not apply in every situation, please
1. Installation and upgrades
Use the newest Linux distribution you can. Unplug the network cable before installing so the machine has no physical network connection during setup.
Choose the Custom installation method and install as few software packages as possible; fewer is better.
In general a server has no need for X Windows.
Add a password to the LILO/GRUB boot loader to stop malicious users who have physical access to the machine.
Because the rescue mode of a Linux installation CD can bypass that restriction, also set a BIOS password and lock the server chassis.
Put /var, /home, /usr, /root and similar directories on separate physical partitions, so that junk files and logs cannot fill the hard disk and cause a DoS.
Give the root account a strong password.
Upgrade the system software immediately with up2date or apt. Sometimes upgrading the kernel is necessary too, since kernel bugs also give attackers opportunities.
APT is a powerful package-management tool under Debian GNU/Linux and also works on other Linux distributions.
2. Accounts
If the system has many users, edit /etc/login.defs and change the password policy.
Delete unnecessary accounts and groups from the system:
[root@ayazero /]# userdel -r username
If you do not run anonymous FTP, the ftp account can be deleted.
The safest approach is local maintenance only, but unfortunately that is not realistic, so remote root access still has to be restricted: administrators log in remotely with an ordinary account and then su to root. Restricting which users may use su adds a further layer of security.
Add the following two lines at the top of /etc/pam.d/su:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Then put the users who are allowed to su into the wheel group (GID 10):
[root@ayazero /]# usermod -G 10 admin
Edit /etc/securetty and comment out all consoles that allow remote login, then disable all console programs:
[root@ayazero /]# rm -f /etc/security/console.apps/servicename
Log in over encrypted SSH. If administrators only ever log in from a fixed terminal, restrict the range of legitimate SSH clients, to prevent sniffing and man-in-the-middle attacks.
Set the shell history file size to zero, so that as little as possible of what you have done is left behind:
[root@ayazero /]# HISTFILESIZE=0
3. Services
Principle of least service: comment out every service you do not need.
In /etc/inetd.conf, prefix the unneeded services with "#"; newer versions have no inetd and use xinetd instead.
Cancel automatically started services: in /etc/rc.d/rc3.d, rename the scripts of services that do not need to run so that their first letter is lowercase, or change the services in the GUI launched by the setup command.
For something simpler you could use the two files /etc/hosts.allow and /etc/hosts.deny, but this article plans to use an iptables firewall, so they are not described here.
4. File system permissions
Find all programs on the system that carry the "s" bit, strip the unnecessary "s" bits, or simply delete the program:
[root@ayazero /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
[root@ayazero /]# chmod a-s filename
This stops users abusing them to escalate privileges.
Give important files the immutable attribute:
[root@ayazero /]# chattr +i /etc/passwd
[root@ayazero /]# chattr +i /etc/shadow
[root@ayazero /]# chattr +i /etc/gshadow
[root@ayazero /]# chattr +i /etc/group
[root@ayazero /]# chattr +i /etc/inetd.conf
[root@ayazero /]# chattr +i /etc/httpd.conf
...
To be honest, I now have doubts about this: intruders know this command.
Some exploits overflow a service, write a line into inetd.conf and bind a shell on a port. At that point this command does its job, and a shallow intruder will think the overflow failed.
Find files on the system that have no owner:
[root@ayazero /]# find / -nouser -o -nogroup
Find files and directories that are writable by anyone:
[root@ayazero /]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
[root@ayazero /]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
This prevents intruders from writing into them directly (a Trojan line, or a copy of a shell) or inheriting the owner's rights for illegal access.
Find and harden the files intruders commonly make use of, such as .rhosts.
Edit /etc/security/limits.conf and add or change the following:
* hard core 0
* hard rss 5000
* hard nproc 20
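The three find commands in this section are usually run one at a time and read by eye. The following script, an added example that is not part of the original article, gathers them into a single audit that can be pointed at a whole system or at a smaller tree; the function names and the sticky-directory exclusion are this example's own choices, not something the article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: the three audits from this
# section (setuid/setgid programs, group/world-writable files and directories,
# files without a valid owner or group) gathered into one report.
# Usage: sh audit.sh [tree]   (defaults to /)

# Regular files carrying the setuid (04000) or setgid (02000) bit.
find_sbit() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null
}

# Regular files and directories writable by group (020) or others (002).
# Sticky directories such as /tmp are deliberately world-writable and are
# skipped so they do not drown the real findings.
find_writable() {
    find "$1" -xdev \( -type f -o -type d \) \( -perm -2 -o -perm -20 \) \
        ! \( -type d -perm -1000 \) 2>/dev/null
}

# Files whose uid or gid no longer maps to /etc/passwd or /etc/group.
find_orphans() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# Number of non-empty lines on stdin; prints 0 for empty input.
count() {
    grep -c . || true
}

# One summary line per check, followed by the detailed listings.
audit_tree() {
    root=${1:-/}
    printf 'setuid/setgid programs : %s\n' "$(find_sbit "$root" | count)"
    printf 'group/world-writable   : %s\n' "$(find_writable "$root" | count)"
    printf 'unowned files          : %s\n' "$(find_orphans "$root" | count)"
    printf '== setuid/setgid ==\n'
    find_sbit "$root" | xargs -r ls -l 2>/dev/null
    printf '== group/world-writable ==\n'
    find_writable "$root" | xargs -r ls -ld 2>/dev/null
    printf '== unowned ==\n'
    find_orphans "$root" | xargs -r ls -ld 2>/dev/null
}
```

Run it once right after installation and keep the output: a later run that shows a new setuid file or a newly writable directory is a change worth explaining before it is accepted.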
5. Banner camouflage
Intruders usually attack based on the operating system, service and application versions, and vulnerability lists and attack programs are classified the same way, so we make a few tweaks to raise the difficulty of intrusion.
Change /etc/issue. Because it is regenerated on every reboot, edit /etc/rc.d/rc.local:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Put "#" in front of the above lines, as shown, so the banner is no longer rewritten at boot.
Stop Apache returning its version:
In Apache's configuration file, find the two directives ServerTokens and ServerSignature and change their default values:
#ServerTokens Full
ServerTokens Prod          <----------
#ServerSignature On
ServerSignature Off        <----------
Modify uname:
Take the source code of uname.c and find the following lines:
print_element (PRINT_SYSNAME, name.sysname);    /* operating system name, e.g. Linux */
print_element (PRINT_NODENAME, name.nodename);  /* host name */
print_element (PRINT_RELEASE, name.release);    /* release, e.g. 2.4.20-18 */
print_element (PRINT_VERSION, name.version);    /* version */
print_element (PRINT_MACHINE, name.machine);    /* machine type, e.g. i686 */
print_element (PRINT_PROCESSOR, processor);     /* processor type */
They can be changed to
print_element (PRINT_SYSNAME, "HP-UX");
...
Compile it and replace /bin/uname.
Other services and programs can be changed by looking at their configuration files or source code.
Don't change too much, or you will create a lot of trouble for system management.
6. iptables firewall rules
Suppose our server Server1 runs Apache and sshd (sshd can be moved off the standard port in its configuration file).
eth0 connects to the Internet and eth1 to the LAN; the administrator dials in from home to Server2 (private IP 192.168.0.12) and logs in to Server1 from there.
[root@ayazero root]# iptables -A INPUT -i eth1 -s 192.168.0.12 -p tcp --dport 22 -j ACCEPT
To prevent possible IP spoofing you can also bind Server2's network card address:
sh-2.05b# iptables -A INPUT -i eth1 -s 192.168.0.12 -m mac --mac-source 01:68:4B:91:CC:B7 -p tcp --dport 22 -j ACCEPT
But it seems very few intruders can pull this off, so it is of little practical value.
[root@ayazero root]# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
[root@ayazero root]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@ayazero root]# iptables -A INPUT -j DROP
I know of the "port redirection / reverse pipe" technique for crossing a firewall.
This trick is used far too widely and the harm is great; to counter such a hard-to-stop attack we have to pay by sacrificing some ease of use.
[root@ayazero root]# iptables -A OUTPUT -o eth0 -p tcp --syn -j DROP
The rule above blocks TCP connections actively opened from the inside out.
In addition, attacks that fetch files with tftp or other clients are very common.
Since tftp and some other tools rely on UDP, I wipe it out entirely:
[root@ayazero root]# iptables -A OUTPUT -o eth0 -p udp -j DROP
PS: these two rules have to be removed temporarily when updating the system or debugging the network.
Because the essence of an intrusion is getting a shell on the target operating system, whether through a text or graphical interface, on a standard or non-standard port,
this not only stops the reverse pipe itself but also immunizes against many intrusion techniques.
However, this is too harsh for a typical system administrator!
Some iptables attack countermeasures
SYN flood protection:
[root@ayazero foo]# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Stealth port scanners:
[root@ayazero foo]# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping of death:
[root@ayazero foo]# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables can also be configured with rules that make some scanning behaviour, such as nmap's, fail. Keep in mind:
the firewall is not a panacea. When an attacker goes all out, don't expect your firewall to resist a DDoS flood.
For more details about iptables, refer to the Packet Filtering HOWTO by Rusty Russell.
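The rules in this section are given one at a time, and with iptables the order in which they are loaded is what decides the result. The script below, an added example that is not the article's own, assembles Server1's INPUT rules and the egress lock-down in evaluation order; the interface names and Server2's address are the article's, while the loopback rule, the IPT variable for dry runs, and the check_order helper are this example's additions.

```shell
#!/bin/sh
# Added example, not the article's own script: Server1's rule set from this
# section assembled as one script, in the order iptables evaluates rules.
# Set IPT=echo to print the rules instead of loading them (no root needed).
IPT=${IPT:-iptables}
WAN=eth0                      # interface facing the Internet
LAN=eth1                      # interface facing the LAN
ADMIN_HOST=192.168.0.12       # Server2, the only host allowed to reach sshd
ADMIN_MAC=01:68:4B:91:CC:B7   # Server2's NIC address as given in the article

apply_rules() {
    # Flush, then default-deny on INPUT; OUTPUT stays open until lock_egress.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is not in the article's rules; without it, local daemons that
    # talk over 127.0.0.1 break once the final DROP is in place.
    $IPT -A INPUT -i lo -j ACCEPT

    # Return traffic for connections the server itself initiated.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # sshd: LAN side only, from Server2's IP, additionally bound to its MAC.
    # The MAC match only guards against spoofing from the same segment.
    $IPT -A INPUT -i "$LAN" -s "$ADMIN_HOST" -m mac --mac-source "$ADMIN_MAC" \
        -p tcp --dport 22 -j ACCEPT

    # Apache, reachable from the Internet.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -j ACCEPT

    # Explicit catch-all drop, matching the chain policy.
    $IPT -A INPUT -j DROP
}

# The egress lock-down from this section: no outbound TCP connection
# initiation and no outbound UDP on the WAN side. It also blocks DNS lookups
# and apt/up2date, which is why it lives in its own function.
lock_egress() {
    $IPT -A OUTPUT -o "$WAN" -p tcp --syn -j DROP
    $IPT -A OUTPUT -o "$WAN" -p udp -j DROP
}

# Remove the two egress rules for maintenance; run lock_egress afterwards.
unlock_egress() {
    $IPT -D OUTPUT -o "$WAN" -p tcp --syn -j DROP
    $IPT -D OUTPUT -o "$WAN" -p udp -j DROP
}

# Sanity check on a printed rule list (IPT=echo): succeed only when the web
# ACCEPT appears before the catch-all INPUT DROP, i.e. ordering is intact.
check_order() {
    awk '/-A INPUT -j DROP/ {drop=NR} /--dport 80 -j ACCEPT/ {web=NR}
         END { exit !(drop > 0 && web > 0 && web < drop) }'
}
```

A dry run is `IPT=echo sh firewall.sh` piped into check_order. Two caveats that follow from the rules as the article gives them: the three `-m limit ... -j ACCEPT` countermeasures only ACCEPT up to one packet per second and let the excess fall through to whatever rule comes next, so they limit nothing unless a DROP follows them; and they are written for the FORWARD chain, which a host that does not route between eth0 and eth1 never consults.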
7. Integrity checking
Tripwire is the better-known tool here; it can help you determine whether important system files have been modified.
Its open-source version now ships with every Linux distribution, and you can add sensitive files to the default check objects in its profile.
RPM MD5 verification:
[root@ayazero rpm]# rpm -Va
Use "man rpm" to see the command help; the "-V" parameter performs the MD5 check.
Note that the binary database file that rpm verifies against should be backed up to offline media, so that it cannot be modified.
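Tripwire and rpm -V both work the same way underneath: a baseline of file hashes taken at a trusted moment, compared against the live system later. The following is an added example, not the article's own tool or Tripwire's code, showing that loop with sha256sum; the function names are this example's own, and the sample files created in the test are constructed.

```shell
#!/bin/sh
# Added example, not the article's own tool: a minimal Tripwire-style
# integrity check built on sha256sum. Take the baseline right after
# hardening, store it on read-only or offline media, and compare later.

# Write "hash  path" for every regular file under tree $1 into baseline $2.
make_baseline() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum > "$2"
}

# Report files whose hash no longer matches baseline $1, or which are
# missing. Prints "path: FAILED" lines; returns 0 only if everything matches.
verify_baseline() {
    bad=$(sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Files present under tree $1 that baseline $2 knows nothing about.
# sha256sum -c cannot see these, yet an unexpected new file is exactly
# the case an integrity check exists to surface.
find_new_files() {
    find "$1" -type f | awk -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0) {
                sub(/^[^ ]+  /, "", line)   # strip the "<hash>  " prefix
                known[line] = 1
            }
        }
        !($0 in known)'
}
```

The baseline is only as trustworthy as its storage: a copy that sits writable on the same disk can be edited along with the files it is meant to protect, which is the point the article makes about the rpm database.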
8. Scan it yourself
Basic security hardening is now complete. Let us now do a risk assessment of the system we have built.
Recommended: the latest version of Nessus [homepage: http://www.nessus.org]
(since everything here is open source from head to tail, this keeps saving costs too, heh).
Maybe you feel your system has no problems, but sometimes Nessus can still report some,
for example that a third-party webmail has certain security defects.
If there is no problem, fine; if there is a problem, go back and fix it.
9. Advanced tips
The measures above are enough to stop most intruders; the next part is for those who are extremely sensitive about security.
Countermeasures against buffer overflows include StackGuard, StackShield, FormatGuard, HeapGuard, PointGuard and other compiler technologies, but they require recompiling the source code, which is not only troublesome but also reduces system performance.
So here the plan is to use kernel patches that prevent buffer overflows.
The best known is the PaX kernel patch, which mainly makes the data areas [heap/BSS/stack] non-executable, defending against exploits that directly overwrite the return address and jump into the data area to execute code.
The PaX site seems to be inaccessible at the moment, but with Google you can find many PaX versions matching recent kernels.
Download:
http://home.hetnet.nl/~ottolaander/pax/pax.html
Others:
OpenWall Project
http://www.openwall.com/linux/
Grsecurity
http://www.grsecurity.net
Techniques for bypassing these patches are currently still immature and usually require specific conditions to be met.
Even if a program's function or file pointer is successfully overwritten, on this system the "overflow result" may still not reach the attacker: they still cannot get a shell or establish a connection.
LIDS
An intrusion detection and protection system for Linux, in the form of a kernel patch, providing enhanced access control through ring-0 privileges greater than root's,
so that even root cannot change it. Plenty of material exists, so it is not discussed here.
Site:
http://www.lids.org
LIDS and the buffer-overflow patches may not be compatible; friends who know the truth are welcome to tell me.
10. Log policy
Mainly, create hard copies of the important intrusion-related logs, so that during incident response you are not left without the last "black box".
You can redirect them to a printer, the administrator's mailbox, a separate log server and its hot backup.
11. Snort intrusion detection system
This is necessary for intrusion response and security logging.
For a typical system, if the administrator never looks at the large volume of logs,
then it is like a chicken rib (of little value, but a pity to throw away).
12. Final suggestions
Follow the Bugtraq vulnerability list
Subscribe to the vendors' security announcements
Patch diligently
Think about defence from the attacker's point of view
Summary
Thoughts on attacks:
Suppose there is a technically superb intruder, able to dig out low-level vulnerabilities in the system himself.
He has found an Apache vulnerability and written a remote exploit;
this vulnerability has not yet appeared on Bugtraq and is in an "unknown" state.
If this intruder tries to attack our system,
he must be able to dig out an Apache root-level remote overflow, and then:
<1> Have the shellcode kill the httpd process and bind sh to port 80
<2> Reuse port 80
<3> Have the shellcode execute iptables -F OUTPUT / INPUT, provided he guessed that such a thing exists
All of the above requires that the overflow yields root privileges and an advanced exploit that may have to bypass PaX, and Apache will be restarted automatically.
If he wants to attack sshd, since iptables discards all packets from the external network to sshd, then even with a remote overflow (and don't forget PaX) this path is closed.
Other methods: suppose a script attack could obtain an SSH user's plaintext password to log in as that user, or use script defects to add a system account, which not only requires root privileges, but /etc/passwd has already been chattr'ed;
given all of the above conditions, attack Server2 in the hope of getting a shell.
But the chance of escalating privileges is not big! Ordinary script attacks are invalid, and of course if the system runs no CGI this path is even more so.
It is true that intruders are quite likely to deface your scripts over HTTP, but third-party web security is not within this article's discussion.
The above conditions are a surprise to most intruders; it can be said to be almost impossible.
But we have also sacrificed a lot for this, and these measures rely on a particular environment.
Security versus ease of use: readers need to find their own balance point.
Source: Silicon Valley Power