Linux Security

linux security

why is linux hacked
1linux is widely used on a large number of servers in the word,making it a ‘de facto’ backbone
2since application source code is a available,it is easy to find out the vulnerabilities of the system
3many application on linux are installed by default so they are more vulnerable to attacks

linux vulnerabilities
常見的有:
bind
lxr(linux cross-referencing vulnerability)
utli-linux vulnerability
linux kernel capabiliy vulnerability
ps:執行execve() system call有local root exploit時,解決方法為upgrade kernel

………………………………………………………

chrooting
run command or interactive shell with special root directory
ex:chroot /usr/local/tester /bin/testscript
通常在根目錄下有非常多東西，包含很多的設定檔、函式庫，東西越多越有可能被抓到系統上的漏洞，使用者也可以查看很多系統上的設定檔，若不想讓使用者看到那麼多的東西，最好的做法就是用chroot把他鎖起來
chroot主要就是另外再打造一個root環境提供給使用者，使用者能使用什麼command都是受控制的，只要給足夠用的函式庫就夠了，更不用說使用者能看到什麼系統的設定檔囉！

好處
限制被CHROOT的使用者所能執行的程式，如SetUid的程式，或是會造成 Load 的 Compiler等等。
防止使用者存取某些特定檔案，如/etc/passwd。
防止入侵者/bin/rm -rf /。
提供Guest服務以及處罰不乖的使用者。
增進系統的安全。

相關tool
addjailsw:helps automate the creation of jail chroots

………………………………………………………

way to prevent hacking

1keep programs up-to-date:primary way

2關閉沒在用的suid program
若設定suid的program被buffer overflow,…等攻擊,則attacker可拿到root權限
ps:
列出系統上所有設定suid的權限
find / -perm -04000 -type f -ls

3使用stackguard,libsafe,openwall project
stackguard:a compiler that hardens programs against stack smashing attack
libsafe:a dynamically loadable library that checks all calls made to vulnerable library functions
openwall project’s non-exec stack kernel patch:a collection of security features for the linux kernel that makes the stack non-executable

…………………………………………………….

tool:
scanning network:netcat,strobe,nmap
scanning tool:nessus

port scan detection tools有以下:
klaxon
scanlogd
portsentry:可立即偵測並封鎖意圖侵入者 (掃 port、嘗試連入特定埠口) 的行動
lids

密碼破解tools
john the ripper
slurpie
ps
linux密碼在/etc/shadow

…………….

清除track
ex:
清除/dev/hda0
dd if=/dev/random of=/dev/hda0
or
dd if=/dev/zero of=/dev/hda0

ps:/dev/zero 會不斷產生null

knoppix erase tool
wipe : wipe a partition securely. good for prep’ing a partition for dd
ex:wipe -fik /dev/hda1

………………………………………………………………………………………………

基本linux保護
透過/etc/sysctl.conf修改kernel參數
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/acept_redirects=0
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/ip_forward=1

安全分析工具
sara(security auditor’s research assistant):早期scan tool
netcat: 預設安裝沒有-e功能
tcpdump
snort
saint:for unix/linux
wireshark
abacus port sentry
dsniff collection:專門用sniffer收集密碼
hping2:可產生封包
sniffit
nemesis
lsof(list open files):lists open files for running unix/linux process
iptraf:可即時看流量
lids(linux ids)
tcp wrappers

LSoF
這是一款Unix平台上的診斷和研究工具，它可以列舉當前所有進程打開的文件信息。
它也可以列舉所有進程打開的通訊 socket（communications sockets）。
Windows平台上類似的工具有Sysinternals。

攻擊tool
hunt:session hijacking tool

LKM(linux loadable kernel modules)
LKMs are loadable kernel modules used by the linux kernel to expand its functionality
advantage:
　they can be loaded dynamically
　there must be no recompilation of the whole kernel
用途:
　specific device drivers ,ex:soundcards

………………………………………………………………………………………………

linux rootkits
若被裝 rootkis很難被找出來,因為rootkis可以藏的地方太多
ex:
換掉ls,則無法用ls找到該rootkis
換掉ps,則無法用ps找到問題process

rootkits tools
IRK4(linux rootkits IV)
knark,torn:較有名的rootkis
tuxit,adore,ramen
beastkit

防制rootkits tools
chkrootkit:to check for the presence of rootkits,不過通常都抓不到
tripwire
bastille linux
lids
dtk
rkdet
rootkit hunter
carbonite
rescan
saint jude

………………………………………………………………………………………………

application security:
whisker:cgi vulnerability scanner,但效果有限
flawfinder
stackguard: 避免buffer overflow
libsafe:避免buffer overflow
AIDE(advanced intrusion detection environment):a free replacement for tripwire

security testing tool:
nmap
lsof
netcat
hping2
nemesis

encryption tool:
stunnel
openssh
gnupg

log and traffic monitors tool:
mrtg
swatch
timbersee
logsurf
tcp wrappers
iplog
iptraf
ntop

security auditing tool:
LSAT

………………………………………………………………………………………………

linux security countermeasures:
check user account with null password in /etc/shadow
close the door first by denying access from network by default
stop all unused services
check system log in /var/log/ ,/var/log/secure
checking the errate(bug fixes)
ex:www.redhat.com/support/errate
update linux system regularly

………………………………………………………………………………………………
………………………………………………………………………………………………

adduser
Usage: useradd [options] LOGIN
Options:
-b, –base-dir BASE_DIR base directory for the new user account home directory
-c, –comment COMMENT set the GECOS field for the new user account
-d, –home-dir HOME_DIR home directory for the new user account
-D, –defaults print or save modified default useradd configuration
-e, –expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, –inactive INACTIVE set password inactive after expiration to INACTIVE
-g, –gid GROUP force use GROUP for the new user account
-G, –groups GROUPS list of supplementary groups for the new user account
-h, –help display this help message and exit
-k, –skel SKEL_DIR specify an alternative skel directory
-K, –key KEY=VALUE overrides /etc/login.defs defaults
-m, –create-home create home directory for the new user account
-l, do not add user to lastlog database file
-M, do not create user’s home directory(overrides /etc/login.defs)
-r, create system account
-o, –non-unique allow create user with duplicate (non-unique) UID
-p, –password PASSWORD use encrypted password for the new user account
-s, –shell SHELL the login shell for the new user account
-u, –uid UID force use the UID for the new user account
-Z, –selinux-user SEUSER use a specific SEUSER for the SELinux user mapping

passwd
Usage: passwd [OPTION…]
-k, –keep-tokens keep non-expired authentication tokens
-d, –delete delete the password for the named account (root only)
-l, –lock lock the named account (root only)
-u, –unlock unlock the named account (root only)
-f, –force force operation
-x, –maximum=DAYS maximum password lifetime (root only)
-n, –minimum=DAYS minimum password lifetime (root only)
-w, –warning=DAYS number of days warning users receives before password expiration (root only)
-i, –inactive=DAYS number of days after password expiration when an account becomes disabled (root only)
-S, –status report password status on the named account (root only)
–stdin read new tokens from stdin (root only)

改變檔案時間
touch
Usage: touch [OPTION]… FILE…
Update the access and modification times of each FILE to the current time.
Mandatory arguments to long options are mandatory for short options too.
-a change only the access time
-B SEC, –backward=SEC date back SEC seconds
-c, –no-create do not create any files
-d, –date=STRING parse STRING and use it instead of current time
-F SEC, –forward=SEC date forward SEC seconds
-f (ignored)
-m change only the modification time
-r, –reference=FILE use this file’s times instead of current time
-t STAMP use [[CC]YY]MMDDhhmm[.ss] instead of current time
–time=WORD set time given by WORD:access atime use (same as -a),modify mtime (same as -m)
–help display this help and exit
–version output version information and exit
Note that the -d and -t options accept different time-date formats.
ex:
將/etc/passwd的 access time和modification time設定成和/etc/test一樣
touch -acmr /etc/test /etc/passwd