linux security

linux security

why is linux hacked
1linux is widely used on a large number of servers in the word,making it a 'de facto' backbone
2since application source code is a available,it is easy to find out the vulnerabilities of the system
3many application on linux are installed by default so they are more vulnerable to attacks

linux vulnerabilities
常見的有:
bind
lxr(linux cross-referencing vulnerability)
utli-linux vulnerability
linux kernel capabiliy vulnerability
ps:執行execve() system call有local root exploit時,解決方法為upgrade kernel

...............................................................

chrooting
run command or interactive shell with special root directory
ex:chroot /usr/local/tester /bin/testscript
通常在根目錄下有非常多東西,包含很多的設定檔、函式庫,東西越多越有可能被抓到系統上的漏洞,使用者也可以查看很多系統上的設定檔,若不想讓使用者看到那麼多的東西,最好的做法就是用chroot把他鎖起來
chroot主要就是另外再打造一個root環境提供給使用者,使用者能使用什麼command都是受控制的,只要給足夠用的函式庫就夠了,更不用說使用者能看到什麼系統的設定檔囉!

好處
限制被CHROOT的使用者所能執行的程式,如SetUid的程式,或是會造成 Load 的 Compiler等等。
防止使用者存取某些特定檔案,如/etc/passwd。
防止入侵者/bin/rm -rf /。
提供Guest服務以及處罰不乖的使用者。
增進系統的安全。

相關tool
addjailsw:helps automate the creation of jail chroots

...............................................................

way to prevent hacking

1keep programs up-to-date:primary way

2關閉沒在用的suid program
若設定suid的program被buffer overflow,...等攻擊,則attacker可拿到root權限
ps:
列出系統上所有設定suid的權限
find / -perm -04000 -type f -ls

3使用stackguard,libsafe,openwall project
stackguard:a compiler that hardens programs against stack smashing attack
libsafe:a dynamically loadable library that checks all calls made to vulnerable library functions
openwall project's non-exec stack kernel patch:a collection of security features for the linux kernel that makes the stack non-executable

.............................................................

tool:
scanning network:netcat,strobe,nmap
scanning tool:nessus

port scan detection tools有以下:
klaxon
scanlogd
portsentry:可立即偵測並封鎖意圖侵入者 (掃 port、嘗試連入特定埠口) 的行動
lids

密碼破解tools
john the ripper
slurpie
ps
linux密碼在/etc/shadow

................

清除track
ex:
清除/dev/hda0
dd if=/dev/random of=/dev/hda0
or
dd if=/dev/zero of=/dev/hda0

ps:/dev/zero 會不斷產生null

knoppix erase tool
wipe : wipe a partition securely. good for prep'ing a partition for dd
ex:wipe -fik /dev/hda1

............................................................................................................

基本linux保護
透過/etc/sysctl.conf修改kernel參數
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/acept_redirects=0
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/ip_forward=1

安全分析工具
sara(security auditor's research assistant):早期scan tool
netcat: 預設安裝沒有-e功能
tcpdump
snort
saint:for unix/linux
wireshark
abacus port sentry
dsniff collection:專門用sniffer收集密碼
hping2:可產生封包
sniffit
nemesis
lsof(list open files):lists open files for running unix/linux process
iptraf:可即時看流量
lids(linux ids)
tcp wrappers

LSoF
這是一款Unix平台上的診斷和研究工具,它可以列舉當前所有進程打開的文件信息。
它也可以列舉所有進程打開的通訊 socket(communications sockets)。
Windows平台上類似的工具有Sysinternals。

攻擊tool
hunt:session hijacking tool

LKM(linux loadable kernel modules)
LKMs are loadable kernel modules used by the linux kernel to expand its functionality

advantage:
 they can be loaded dynamically
 there must be no recompilation of the whole kernel
用途:
 specific device drivers ,ex:soundcards

............................................................................................................

linux rootkits
若被裝 rootkis很難被找出來,因為rootkis可以藏的地方太多

ex:
換掉ls,則無法用ls找到該rootkis
換掉ps,則無法用ps找到問題process

rootkits tools
IRK4(linux rootkits IV)
knark,torn:較有名的rootkis
tuxit,adore,ramen
beastkit

防制rootkits tools
chkrootkit:to check for the presence of rootkits,不過通常都抓不到
tripwire
bastille linux
lids
dtk
rkdet
rootkit hunter
carbonite
rescan
saint jude

............................................................................................................

application security:
whisker:cgi vulnerability scanner,但效果有限
flawfinder
stackguard: 避免buffer overflow
libsafe:避免buffer overflow
AIDE(advanced intrusion detection environment):a free replacement for tripwire

security testing tool:
nmap
lsof
netcat
hping2
nemesis

encryption tool:
stunnel
openssh
gnupg

log and traffic monitors tool:
mrtg
swatch
timbersee
logsurf
tcp wrappers
iplog
iptraf
ntop

security auditing tool:
LSAT

............................................................................................................

linux security countermeasures:
check user account with null password in /etc/shadow
close the door first by denying access from network by default
stop all unused services
check system log in /var/log/ ,/var/log/secure
checking the errate(bug fixes)
ex:www.redhat.com/support/errate
update linux system regularly

............................................................................................................
............................................................................................................

adduser
Usage: useradd [options] LOGIN
Options:
-b, --base-dir BASE_DIR base directory for the new user account home directory
-c, --comment COMMENT set the GECOS field for the new user account
-d, --home-dir HOME_DIR home directory for the new user account
-D, --defaults print or save modified default useradd configuration
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration to INACTIVE
-g, --gid GROUP force use GROUP for the new user account
-G, --groups GROUPS list of supplementary groups for the new user account
-h, --help display this help message and exit
-k, --skel SKEL_DIR specify an alternative skel directory
-K, --key KEY=VALUE overrides /etc/login.defs defaults
-m, --create-home create home directory for the new user account
-l, do not add user to lastlog database file
-M, do not create user's home directory(overrides /etc/login.defs)
-r, create system account
-o, --non-unique allow create user with duplicate (non-unique) UID
-p, --password PASSWORD use encrypted password for the new user account
-s, --shell SHELL the login shell for the new user account
-u, --uid UID force use the UID for the new user account

-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping


passwd
Usage: passwd [OPTION...]
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only)
-l, --lock lock the named account (root only)
-u, --unlock unlock the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password expiration (root only)
-i, --inactive=DAYS number of days after password expiration when an account becomes disabled (root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)


改變檔案時間
touch
Usage: touch [OPTION]... FILE...
Update the access and modification times of each FILE to the current time.
Mandatory arguments to long options are mandatory for short options too.
-a change only the access time
-B SEC, --backward=SEC date back SEC seconds
-c, --no-create do not create any files
-d, --date=STRING parse STRING and use it instead of current time
-F SEC, --forward=SEC date forward SEC seconds
-f (ignored)
-m change only the modification time
-r, --reference=FILE use this file's times instead of current time

-t STAMP use [[CC]YY]MMDDhhmm[.ss] instead of current time
--time=WORD set time given by WORD:access atime use (same as -a),modify mtime (same as -m)
--help display this help and exit
--version output version information and exit
Note that the -d and -t options accept different time-date formats.
ex:
將/etc/passwd的 access time和modification time設定成和/etc/test一樣
touch -acmr /etc/test /etc/passwd


2010-03-10 07:06:24發表 2015-10-19 13:54:52修改   

數據分析
程式開發
計算機組織與結構
資料結構與演算法
Database and MySql
manage tool
windows
unix-like
linux service
network
network layer3
network layer2
network WAN
network service
作業系統
數位鑑識
資訊安全解決方案
資訊安全威脅

Cisco security
Cisco network
Cisco layer3
Cisco layer2



  登入      [牛的大腦] | [單字我朋友] Powered by systw.net