linux security<\/p>\n\n\n\n
why is linux hacked<\/strong> linux vulnerabilities<\/strong> ………………………………………………………<\/p>\n\n\n\n chrooting<\/strong> \u597d\u8655 \u76f8\u95dctool ………………………………………………………<\/p>\n\n\n\n way to prevent hacking<\/p>\n\n\n\n 1keep programs up-to-date<\/strong>:primary way<\/p>\n\n\n\n 2\u95dc\u9589\u6c92\u5728\u7528\u7684suid program<\/strong> 3\u4f7f\u7528stackguard,libsafe,openwall project<\/strong> …………………………………………………….<\/p>\n\n\n\n tool: port scan detection tools\u6709\u4ee5\u4e0b: \u5bc6\u78bc\u7834\u89e3tools …………….<\/p>\n\n\n\n \u6e05\u9664track<\/strong> ps:\/dev\/zero \u6703\u4e0d\u65b7\u7522\u751fnull<\/p>\n\n\n\n knoppix erase tool ………………………………………………………………………………………………<\/p>\n\n\n\n \u57fa\u672clinux\u4fdd\u8b77<\/strong> \u5b89\u5168\u5206\u6790\u5de5\u5177 LSoF<\/strong> \u653b\u64catool LKM(linux loadable kernel modules)<\/strong> ………………………………………………………………………………………………<\/p>\n\n\n\n linux rootkits<\/strong> rootkits tools \u9632\u5236rootkits tools<\/strong> ………………………………………………………………………………………………<\/p>\n\n\n\n application security:<\/strong> security testing tool: encryption tool: log and traffic monitors tool: security auditing tool: ………………………………………………………………………………………………<\/p>\n\n\n\n linux security countermeasures:<\/strong> ……………………………………………………………………………………………… adduser linux security why is linux ha …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-417","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=417"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/417\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
1linux is widely used on a large number of servers in the word,making it a ‘de facto’ backbone
2since application source code is a available,it is easy to find out the vulnerabilities of the system
3many application on linux are installed by default so they are more vulnerable to attacks<\/p>\n\n\n\n
\u5e38\u898b\u7684\u6709:
bind
lxr(linux cross-referencing vulnerability)
utli-linux vulnerability
linux kernel capabiliy vulnerability
ps:\u57f7\u884cexecve() system call\u6709local root exploit\u6642,\u89e3\u6c7a\u65b9\u6cd5\u70baupgrade kernel<\/p>\n\n\n\n
run command or interactive shell with special root directory
ex:chroot \/usr\/local\/tester \/bin\/testscript
\u901a\u5e38\u5728\u6839\u76ee\u9304\u4e0b\u6709\u975e\u5e38\u591a\u6771\u897f\uff0c\u5305\u542b\u5f88\u591a\u7684\u8a2d\u5b9a\u6a94\u3001\u51fd\u5f0f\u5eab\uff0c\u6771\u897f\u8d8a\u591a\u8d8a\u6709\u53ef\u80fd\u88ab\u6293\u5230\u7cfb\u7d71\u4e0a\u7684\u6f0f\u6d1e\uff0c\u4f7f\u7528\u8005\u4e5f\u53ef\u4ee5\u67e5\u770b\u5f88\u591a\u7cfb\u7d71\u4e0a\u7684\u8a2d\u5b9a\u6a94\uff0c\u82e5\u4e0d\u60f3\u8b93\u4f7f\u7528\u8005\u770b\u5230\u90a3\u9ebc\u591a\u7684\u6771\u897f\uff0c\u6700\u597d\u7684\u505a\u6cd5\u5c31\u662f\u7528chroot\u628a\u4ed6\u9396\u8d77\u4f86
chroot\u4e3b\u8981\u5c31\u662f\u53e6\u5916\u518d\u6253\u9020\u4e00\u500broot\u74b0\u5883\u63d0\u4f9b\u7d66\u4f7f\u7528\u8005\uff0c\u4f7f\u7528\u8005\u80fd\u4f7f\u7528\u4ec0\u9ebccommand\u90fd\u662f\u53d7\u63a7\u5236\u7684\uff0c\u53ea\u8981\u7d66\u8db3\u5920\u7528\u7684\u51fd\u5f0f\u5eab\u5c31\u5920\u4e86\uff0c\u66f4\u4e0d\u7528\u8aaa\u4f7f\u7528\u8005\u80fd\u770b\u5230\u4ec0\u9ebc\u7cfb\u7d71\u7684\u8a2d\u5b9a\u6a94\u56c9\uff01<\/p>\n\n\n\n
\u9650\u5236\u88abCHROOT\u7684\u4f7f\u7528\u8005\u6240\u80fd\u57f7\u884c\u7684\u7a0b\u5f0f\uff0c\u5982SetUid\u7684\u7a0b\u5f0f\uff0c\u6216\u662f\u6703\u9020\u6210 Load \u7684 Compiler\u7b49\u7b49\u3002
\u9632\u6b62\u4f7f\u7528\u8005\u5b58\u53d6\u67d0\u4e9b\u7279\u5b9a\u6a94\u6848\uff0c\u5982\/etc\/passwd\u3002
\u9632\u6b62\u5165\u4fb5\u8005\/bin\/rm -rf \/\u3002
\u63d0\u4f9bGuest\u670d\u52d9\u4ee5\u53ca\u8655\u7f70\u4e0d\u4e56\u7684\u4f7f\u7528\u8005\u3002
\u589e\u9032\u7cfb\u7d71\u7684\u5b89\u5168\u3002<\/p>\n\n\n\n
addjailsw:helps automate the creation of jail chroots<\/p>\n\n\n\n
\u82e5\u8a2d\u5b9asuid\u7684program\u88abbuffer overflow,…\u7b49\u653b\u64ca,\u5247attacker\u53ef\u62ff\u5230root\u6b0a\u9650
ps:
\u5217\u51fa\u7cfb\u7d71\u4e0a\u6240\u6709\u8a2d\u5b9asuid\u7684\u6b0a\u9650
find \/ -perm -04000 -type f -ls<\/p>\n\n\n\n
stackguard:a compiler that hardens programs against stack smashing attack
libsafe:a dynamically loadable library that checks all calls made to vulnerable library functions
openwall project’s non-exec stack kernel patch:a collection of security features for the linux kernel that makes the stack non-executable<\/p>\n\n\n\n
scanning network:netcat,strobe,nmap
scanning tool:nessus<\/p>\n\n\n\n
klaxon
scanlogd
portsentry:\u53ef\u7acb\u5373\u5075\u6e2c\u4e26\u5c01\u9396\u610f\u5716\u4fb5\u5165\u8005 (\u6383 port\u3001\u5617\u8a66\u9023\u5165\u7279\u5b9a\u57e0\u53e3) \u7684\u884c\u52d5
lids<\/p>\n\n\n\n
john the ripper
slurpie
ps
linux\u5bc6\u78bc\u5728\/etc\/shadow<\/p>\n\n\n\n
ex:
\u6e05\u9664\/dev\/hda0
dd if=\/dev\/random of=\/dev\/hda0
or
dd if=\/dev\/zero of=\/dev\/hda0<\/p>\n\n\n\n
wipe : wipe a partition securely. good for prep’ing a partition for dd
ex:wipe -fik \/dev\/hda1<\/p>\n\n\n\n
\u900f\u904e\/etc\/sysctl.conf\u4fee\u6539kernel\u53c3\u6578
net\/ipv4\/conf\/all\/rp_filter=1
net\/ipv4\/conf\/all\/log_martians=1
net\/ipv4\/conf\/all\/send_redirects=0
net\/ipv4\/conf\/all\/accept_source_route=0
net\/ipv4\/conf\/all\/acept_redirects=0
net\/ipv4\/tcp_syncookies=1
net\/ipv4\/icmp_echo_ignore_broadcasts=1
net\/ipv4\/ip_forward=1<\/p>\n\n\n\n
sara(security auditor’s research assistant):\u65e9\u671fscan tool
netcat: \u9810\u8a2d\u5b89\u88dd\u6c92\u6709-e\u529f\u80fd
tcpdump
snort
saint:for unix\/linux
wireshark
abacus port sentry
dsniff collection:\u5c08\u9580\u7528sniffer\u6536\u96c6\u5bc6\u78bc
hping2:\u53ef\u7522\u751f\u5c01\u5305
sniffit
nemesis
lsof(list open files):lists open files for running unix\/linux process
iptraf:\u53ef\u5373\u6642\u770b\u6d41\u91cf
lids(linux ids)
tcp wrappers<\/p>\n\n\n\n
\u9019\u662f\u4e00\u6b3eUnix\u5e73\u53f0\u4e0a\u7684\u8a3a\u65b7\u548c\u7814\u7a76\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u5217\u8209\u7576\u524d\u6240\u6709\u9032\u7a0b\u6253\u958b\u7684\u6587\u4ef6\u4fe1\u606f\u3002
\u5b83\u4e5f\u53ef\u4ee5\u5217\u8209\u6240\u6709\u9032\u7a0b\u6253\u958b\u7684\u901a\u8a0a socket\uff08communications sockets\uff09\u3002
Windows\u5e73\u53f0\u4e0a\u985e\u4f3c\u7684\u5de5\u5177\u6709Sysinternals\u3002<\/p>\n\n\n\n
hunt:session hijacking tool<\/p>\n\n\n\n
LKMs are loadable kernel modules used by the linux kernel to expand its functionality
advantage:
\u3000they can be loaded dynamically
\u3000there must be no recompilation of the whole kernel
\u7528\u9014:
\u3000specific device drivers ,ex:soundcards<\/p>\n\n\n\n
\u82e5\u88ab\u88dd rootkis\u5f88\u96e3\u88ab\u627e\u51fa\u4f86,\u56e0\u70barootkis\u53ef\u4ee5\u85cf\u7684\u5730\u65b9\u592a\u591a
ex:
\u63db\u6389ls,\u5247\u7121\u6cd5\u7528ls\u627e\u5230\u8a72rootkis
\u63db\u6389ps,\u5247\u7121\u6cd5\u7528ps\u627e\u5230\u554f\u984cprocess<\/p>\n\n\n\n
IRK4(linux rootkits IV)
knark,torn:\u8f03\u6709\u540d\u7684rootkis
tuxit,adore,ramen
beastkit<\/p>\n\n\n\n
chkrootkit:to check for the presence of rootkits,\u4e0d\u904e\u901a\u5e38\u90fd\u6293\u4e0d\u5230
tripwire
bastille linux
lids
dtk
rkdet
rootkit hunter
carbonite
rescan
saint jude<\/p>\n\n\n\n
whisker:cgi vulnerability scanner,\u4f46\u6548\u679c\u6709\u9650
flawfinder
stackguard: \u907f\u514dbuffer overflow
libsafe:\u907f\u514dbuffer overflow
AIDE(advanced intrusion detection environment):a free replacement for tripwire<\/p>\n\n\n\n
nmap
lsof
netcat
hping2
nemesis<\/p>\n\n\n\n
stunnel
openssh
gnupg<\/p>\n\n\n\n
mrtg
swatch
timbersee
logsurf
tcp wrappers
iplog
iptraf
ntop<\/p>\n\n\n\n
LSAT<\/p>\n\n\n\n
check user account with null password in \/etc\/shadow
close the door first by denying access from network by default
stop all unused services
check system log in \/var\/log\/ ,\/var\/log\/secure
checking the errate(bug fixes)
ex:www.redhat.com\/support\/errate
update linux system regularly<\/p>\n\n\n\n
………………………………………………………………………………………………<\/p>\n\n\n\n
Usage: useradd [options] LOGIN
Options:
-b, –base-dir BASE_DIR base directory for the new user account home directory
-c, –comment COMMENT set the GECOS field for the new user account
-d, –home-dir HOME_DIR home directory for the new user account
-D, –defaults print or save modified default useradd configuration
-e, –expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, –inactive INACTIVE set password inactive after expiration to INACTIVE
-g, –gid GROUP force use GROUP for the new user account
-G, –groups GROUPS list of supplementary groups for the new user account
-h, –help display this help message and exit
-k, –skel SKEL_DIR specify an alternative skel directory
-K, –key KEY=VALUE overrides \/etc\/login.defs defaults
-m, –create-home create home directory for the new user account
-l, do not add user to lastlog database file
-M, do not create user’s home directory(overrides \/etc\/login.defs)
-r, create system account
-o, –non-unique allow create user with duplicate (non-unique) UID
-p, –password PASSWORD use encrypted password for the new user account
-s, –shell SHELL the login shell for the new user account
-u, –uid UID force use the UID for the new user account
-Z, –selinux-user SEUSER use a specific SEUSER for the SELinux user mapping<\/p>\n\n\n\n
passwd
Usage: passwd [OPTION…]
-k, –keep-tokens keep non-expired authentication tokens
-d, –delete delete the password for the named account (root only)
-l, –lock lock the named account (root only)
-u, –unlock unlock the named account (root only)
-f, –force force operation
-x, –maximum=DAYS maximum password lifetime (root only)
-n, –minimum=DAYS minimum password lifetime (root only)
-w, –warning=DAYS number of days warning users receives before password expiration (root only)
-i, –inactive=DAYS number of days after password expiration when an account becomes disabled (root only)
-S, –status report password status on the named account (root only)
–stdin read new tokens from stdin (root only)<\/p>\n\n\n\n
\u6539\u8b8a\u6a94\u6848\u6642\u9593
touch
Usage: touch [OPTION]… FILE…
Update the access and modification times of each FILE to the current time.
Mandatory arguments to long options are mandatory for short options too.
-a change only the access time
-B SEC, –backward=SEC date back SEC seconds
-c, –no-create do not create any files
-d, –date=STRING parse STRING and use it instead of current time
-F SEC, –forward=SEC date forward SEC seconds
-f (ignored)
-m change only the modification time
-r, –reference=FILE use this file’s times instead of current time
-t STAMP use [[CC]YY]MMDDhhmm[.ss] instead of current time
–time=WORD set time given by WORD:access atime use (same as -a),modify mtime (same as -m)
–help display this help and exit
–version output version information and exit
Note that the -d and -t options accept different time-date formats.
ex:
\u5c07\/etc\/passwd\u7684 access time\u548cmodification time\u8a2d\u5b9a\u6210\u548c\/etc\/test\u4e00\u6a23
touch -acmr \/etc\/test \/etc\/passwd<\/p>\n","protected":false},"excerpt":{"rendered":"