Copyright notice: This article may be reproduced; when reprinting, please indicate the original source and author information with a hyperlink. Original source: http://www.aiview.com/notes/linux_note_2.htm Author: Zhang Yang, Alex_doesAThotmail.com Last updated: 2004-11-29
Table of contents
Text
Reference resources
A small collection of Linux system administration commands. This is the second part, which focuses mainly on Linux system security. Please also see the rest of the notes.
Text
chmod +t dir_name sets the sticky bit on a directory; the last character of the permission string becomes t, as shown by ls -l. In a directory with the sticky bit set, users can only delete files they created themselves. For example, most Linux distributions set it on /tmp by default:

    ls -ld /tmp
    drwxrwxrwt 27 root root 8192 Nov 29 23:12 /tmp

There are two further permission bits, SUID and SGID. When a file with the SUID or SGID bit set is executed, it runs with the identity of the file's owner (or group), not with the identity of the user who is executing it. When SUID or SGID is set, the x in the corresponding rwx group of the permission string is shown as s.

Set the SUID bit:

    chmod u+s filename
    ls -l filename
    -rwsr-xr-x ...

Set the SGID bit:

    chmod g+s filename
    ls -l filename
    -rwxr-sr-x ...

List all SUID or SGID programs on the system:

    find / \( -perm -02000 -o -perm -04000 \) -ls

Running

    grep -i 'authentication failure' /var/log/messages > failed_logins.txt

regularly to check for failed login attempts is very useful; different Linux distributions may word the message differently. The -i option makes the match case-insensitive. The command can also be run periodically from cron, but pay attention to the output file, and inspect and clean it up regularly.

chattr +a filename sets a file to append-only mode: content can only be added, never deleted or truncated. Only root can set this attribute.
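As an added example, not part of the original note, the following shell script exercises the sticky, SUID and SGID bits on a scratch directory and audits them with the same find predicates the note applies to /. The scratch tree, the file names and the function names are constructed for the demonstration; the real audit runs the find against / as root.

```sh
#!/bin/sh
# Added example (not from the original note): set the sticky, SUID and SGID
# bits on constructed files and find them again, restricted to one tree.

# List regular files under $1 carrying SUID (04000) or SGID (02000).
# The \( ... -o ... \) grouping makes the two -perm tests an OR; without
# it find would require both bits at once.
find_setid_files() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | sort
}

# Number of set-id files under $1; a figure worth keeping as a baseline so a
# periodic run can be diffed against the previous one.
count_setid_files() {
    find_setid_files "$1" | wc -l | tr -d ' '
}

# Print yes if directory $1 has the sticky bit, no otherwise.
sticky_dir() {
    if [ -k "$1" ]; then echo yes; else echo no; fi
}

# Build a constructed scratch tree so the run touches nothing outside a
# temporary directory. Prints the directory path.
setup_demo() {
    DEMO=$(mktemp -d) || exit 1
    mkdir "$DEMO/shared" "$DEMO/bin"
    for f in suid_tool sgid_tool plain_tool; do
        printf '#!/bin/sh\necho hi\n' > "$DEMO/bin/$f"
        chmod 755 "$DEMO/bin/$f"
    done
    chmod u+s "$DEMO/bin/suid_tool"    # shows as -rwsr-xr-x
    chmod g+s "$DEMO/bin/sgid_tool"    # shows as -rwxr-sr-x
    chmod +t  "$DEMO/shared"           # shows as drwxr-xr-t
    echo "$DEMO"
}

main_demo() {
    d=$(setup_demo)
    echo "sticky bit on $d/shared: $(sticky_dir "$d/shared")"
    echo "set-id files ($(count_setid_files "$d")):"
    find_setid_files "$d"
    rm -rf "$d"
}
main_demo
```

The two set-id files are found and the plain one is not; on a real system the list from / is the one to compare against a known-good copy after every package update.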
Note that once a file has the a attribute, even root cannot modify or delete it unless the attribute is first removed with chattr -a filename. This suits system log files, which are only ever appended to; even root should have no need to delete their content. It puts a small obstacle in the way of an intruder who has obtained root privileges and delays the damage, even if only by a small step. A file with the s attribute has its disk blocks zeroed when it is deleted. lsattr filename shows the attributes a file has been given with chattr.

LIDS, a kernel-level Linux intrusion detection system, can detect half-open scans made by nmap, SATAN and other tools, SYN stealth scans, stealth FIN scans and Xmas scans. Detected scans are recorded through syslog or sent by email. Download address: http://www.lids.org. After installing LIDS, the kernel must be recompiled and installed, and the Linux system restarted.

Linux system logs fall mainly into two types: logs written by the application itself and syslog messages. The former belong to a user process or other system service process, such as the Apache server's access_log and error_log files. The latter are recorded by the system's syslog: any system process or user process that wants to record a log can write it through syslog, which is the general solution for logging in most applications. Normally the message is sent to /dev/log and then written to a log file by syslog. syslogd is the default system log daemon on Linux; it is configured through /etc/syslog.conf.
Take the following /etc/syslog.conf file as an example:

--------------------
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages

authpriv.*                                            /var/log/secure

# Log all the mail messages in one place.
mail.*                                                /var/log/maillog

# Log cron stuff
cron.*                                                /var/log/cron

# Save boot messages also to boot.log
local7.*                                              /var/log/boot.log
--------------------

Syslog facilities:

    auth          security and authorization messages
    authpriv      private authorization messages
    cron          cron and at
    daemon        system daemons (sshd, inetd, pppd, etc.)
    kern          kernel messages
    lpr           line printer subsystem
    mail          mail subsystem (sendmail, postfix, qmail, etc.)
    news          Usenet news messages
    syslog        messages generated internally by syslog
    user          generic user-level messages
    uucp          UUCP subsystem
    local0-local7 reserved for local, customized use

Syslog log levels:

    emerg     system is unusable
    alert     action must be taken immediately
    crit      critical condition
    err       error
    warning   warning
    notice    normal but significant condition
    info      informational message
    debug     debug message

The first column of syslog.conf specifies the facility and the level, separated by a dot; * matches all facilities or all levels. The second column is the destination of the message and can take the following forms:

    /path/to/filename            append the message to the end of the file (the most common form)
    @loghost                     send the message to the syslog server on host loghost
    |/path/to/named_pipe         write the message to the named pipe (convenient for filtering by an external program)
    user1,user2                  write the message to the terminals of the named logged-in users
    *                            write the message to all logged-in users
    /dev/console, /dev/tty1, etc.  write the message to the specified terminal

A good syslog.conf should look like this:
--------------------
# Log all messages
# for easy scanning by log checkers
*.debug                        /var/log/messages

# Write to terminals for real bad situations
kern,daemon.crit               /dev/console
kern,daemon.crit               root
*.emerg                        *

# Separate out other logs to be easier to read
# debug level for more important facilities
kern.debug                     /var/log/kern.log
mail.debug                     /var/log/mail.log
daemon.debug                   /var/log/daemon.log
auth.debug                     /var/log/auth.log
syslog.debug                   /var/log/syslog.log
authpriv.debug                 /var/log/authpriv.log
ftp.debug                      /var/log/ftp.log

# notice is fine for the others
user.notice                    /var/log/user.log
lpr.notice                     /var/log/lpr.log
news.notice                    /var/log/news.log
uucp.notice                    /var/log/uucp.log
cron.notice                    /var/log/cron.log
local0,local1,local2.notice    /var/log/local.log
local3,local4,local5.notice    /var/log/local.log
local6,local7.notice           /var/log/local.log
--------------------

When modifying syslog.conf, don't forget to archive the old log files into a single directory, such as old_log, so that the log files stay clear. Note, though, that the new configuration still uses the messages file.

syslogd can also be called from the shell; any authenticated user can generate a line in the log:

    logger -p kern.alert -t 'su(pam_unix)' "authentication failure ..."

This is exactly the same as the line produced by a real failed authentication. Moreover, an intruder may generate large amounts of useless log data, either to make log rotation discard the old logs or to fill the disk so that no new logs are recorded. So while we protect the logs, we must also realize that their contents are not fully trustworthy.
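The note's failed-login check (the grep over /var/log/messages in the section on permission bits) and the warning above that log contents cannot be fully trusted both call for the same thing: not just collecting the matching lines but summarizing them per remote host and user, so that a burst from one address, or a line with no source at all, stands out on a periodic review. The script below is an added example, not part of the original note; the log excerpt is constructed, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original note): the grep from the note,
# carried a step further into a per-host, per-user summary that can be
# compared between periodic runs. Input is a constructed excerpt in the
# pam_unix message format, not a real /var/log/messages.

# Write the constructed sample log to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 29 23:10:01 host1 sshd[2001]: Accepted password for alice from 192.168.0.20 port 40111 ssh2
Nov 29 23:10:07 host1 sshd(pam_unix)[2002]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.77 user=root
Nov 29 23:10:09 host1 sshd(pam_unix)[2003]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.77 user=root
Nov 29 23:10:12 host1 sshd(pam_unix)[2004]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.77 user=admin
Nov 29 23:11:30 host1 su(pam_unix)[2010]: Authentication Failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost= user=root
Nov 29 23:12:00 host1 cron[2020]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Case-insensitive match, exactly as in the note; prints the matching lines.
failed_logins() {
    grep -i 'authentication failure' "$1"
}

# Number of matching lines: one figure to trend from run to run.
failed_login_count() {
    failed_logins "$1" | wc -l | tr -d ' '
}

# Summarize failures as "count rhost user", most frequent first.
# An empty rhost= (a local su attempt) is reported as "local".
failed_login_summary() {
    failed_logins "$1" | awk '
        {
            rhost = "local"; user = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^rhost=./) rhost = substr($i, 7)
                if ($i ~ /^user=/)   user  = substr($i, 6)
            }
            n[rhost " " user]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "failed logins: $(failed_login_count "$demo_log")"
failed_login_summary "$demo_log"
rm -f "$demo_log"
```

On the constructed input the summary is "2 192.168.0.77 root", "1 192.168.0.77 admin" and "1 local root". The summary cannot tell a forged line from a real one, which is the note's point: it narrows what to look at, and the syslog host and permission measures that follow are what make the lines themselves worth believing.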
Permission principle for log files: only root may write log files, and only members of the logs group may read them. Set it up as follows:

    # addgroup logs
    # cd /var/log
    # chgrp -R logs .
    # find . -type d | xargs chmod 750
    # find . -type f | xargs chmod 640
    # chmod 750 .

It is also necessary to ensure that only root can write to the /var/log directory itself, otherwise the logs could be deleted by others:

    ls -ld /var/log
    drwxr-xr-x 17 root root 4096 Nov 29 01:52 /var/log

One way to protect logs is to set up a hidden syslog host on the network: put its network card into promiscuous mode so that it monitors all syslog packets on the subnet, and configure every host whose logs must be forwarded to send them to a host that does not exist. Even if an intruder compromises the target host, he cannot find the host holding the backup logs from syslog.conf, because the address there belongs to no real host. In practice the switch configuration may also need adjusting to ensure the syslog packets can be received by the syslog process on the backup log host. For example, set the forwarding host in syslog.conf to @192.168.0.13, while no such host exists on the network; 192.168.0.250 or some other host is the one actually receiving the syslog packets. A subnet mask of /30 means there are only 2 hosts in the subnet.

The touch command can be used to modify file timestamps:

    touch -t 200411280000.00 filename

It can be used to find all files modified after November 28, 2004:

    touch -t 200411280000.00 /tmp/comparison
    find / \( -newer /tmp/comparison -o -cnewer /tmp/comparison \) -ls

The most recommended mailing list for system vulnerabilities is Bugtraq; subscribe at http://www.security-focus.com/archive. Others include VulnWatch and Linux Security.
VulnWatch: subscribe at http://www.vulnwatch.org/subscribe.html. Linux Security: subscribe at http://www.linuxsecurity.com/general/mailingLists.html.
Reference resources
Linux system administration learning notes (1): http://www.aiview.com/notes/linux_note.htm
Hacking Linux Exposed, second edition, by Brian Hatch and James Lee; Chinese translation by Wang Yichuan, Tsinghua University Press.
Mailing list resources on system vulnerabilities:
Bugtraq: http://www.security-focus.com/archive
VulnWatch: http://www.vulnwatch.org/subscribe.html
Linux Security: http://www.linuxsecurity.com/general/mailinglists.html