Because Linux is a free, open-source operating system, it is being used by more and more people.

As Linux continues to spread in our country, the relevant government departments attach great importance to developing a Linux-based operating system with independent copyright in order to protect national information security, so it is not hard to predict that Linux will develop faster and more widely in China. Although Linux and UNIX are very similar, they also have some important differences. For the large number of system administrators used to UNIX and Windows NT, ensuring the security of a Linux system poses many new challenges. This article describes a series of practical experiences in Linux security management.

1. The file system. On a Linux system, installing different applications on separate primary partitions and setting the key partitions read-only greatly improves the security of the file system. This mainly involves two attributes of the ext2 file system itself: append-only and immutable.

● File partitioning. A Linux file system can be divided into several major partitions, each configured and installed separately; typically at least /, /usr/local, /var and /home are given their own partitions. /usr can be mounted read-only and regarded as not modifiable. If any file under /usr changes, the system should immediately raise a security alert (this of course excludes changes the user makes to /usr themselves). /lib, /boot and /sbin should be installed and configured the same way: make them read-only at install time, so that any modification to their files, directories or attributes makes the system raise an alarm. Of course it is not possible to set every primary partition read-only; the nature of some partitions, such as /var, means they cannot be read-only, but they should not be allowed execute permission.

● Extending ext2. Using the ext2 file system's append-only and immutable file attributes can further raise the security level.
Immutable and append-only are simply two extended attribute flags of the ext2 file system. A file marked immutable cannot be modified, not even by the root user. A file marked append-only can be modified, but only by appending to its content; even root can only append to it afterwards. The attributes are changed with the chattr command and displayed with the lsattr command; for more information on ext2 file attributes, run man chattr. These two attributes are very useful for detecting an intruder who tries to install a backdoor in an existing file: for security reasons, such activity should be stopped and an alarm raised as soon as it is detected. If your key file systems are mounted read-only and their files are marked immutable, an intruder would have to reinstall the system to remove the immutable files, which would immediately generate an alert, greatly reducing the chance of a successful illegal intrusion.

● Protecting log files. The immutable and append-only attributes are especially useful for log files and log backups. System administrators should set the attributes of active log files to append-only. When the logs are rotated, the newly generated log backup file should be set immutable, while the new active log file is again append-only. This usually requires adding some control commands to the log rotation script.

2. Backups. After installing a Linux system you should make a backup of the entire system; later, this backup is the basis for verifying the integrity of the system, so that illegally altered system files can be found. If system files have been compromised, the backup can also be used to restore the system to its normal state.

● CD-ROM backup. Currently the best system backup medium is the CD-ROM, against which the system's contents can later be compared regularly to verify that its integrity has not been compromised.
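The attribute and log-protection points above, as an added example that is not part of the original article: a small POSIX shell script that rotates a log the way the text recommends (rotated copy immutable, new active log append-only) and audits a directory for files missing the expected attribute. It assumes GNU chattr/lsattr from e2fsprogs; setting +a or +i needs root (CAP_LINUX_IMMUTABLE), so the rotation is only meant to be run as root on a real system, while the lsattr-output parser can be exercised on captured lines.

```shell
#!/bin/sh
# Added example (not from the article): append-only logs, immutable log backups,
# and a check that reports which files lack the expected ext2 attribute.
# Assumes GNU chattr/lsattr (e2fsprogs); +a/+i require CAP_LINUX_IMMUTABLE (root).

# attr_flags_have LSATTR_LINE FLAG
# Pure parser for one line of `lsattr` output ("----ia-------e-- /path"):
# returns 0 when the flags field contains FLAG (a = append-only, i = immutable).
attr_flags_have() {
    flags=${1%% *}            # everything before the first space is the flags field
    case "$flags" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# has_attr FILE FLAG -- the same check run against a real file
has_attr() {
    line=$(lsattr -d "$1" 2>/dev/null) || return 1
    attr_flags_have "$line" "$2"
}

# audit_dir DIR FLAG -- list regular files under DIR lacking FLAG
# (e.g. "audit_dir /var/log a" lists logs that are not append-only)
audit_dir() {
    find "$1" -type f | while read -r f; do
        has_attr "$f" "$2" || printf 'MISSING +%s: %s\n' "$2" "$f"
    done
}

# rotate_log LOG -- the control commands the article says a log-rotation script needs:
# the rotated copy becomes immutable, the fresh active log is append-only again.
rotate_log() {
    log=$1
    stamp=$(date +%Y%m%d%H%M%S)
    chattr -a "$log"                 # an append-only file cannot be renamed; drop +a first
    mv "$log" "$log.$stamp"
    chattr +i "$log.$stamp"          # frozen record: even root cannot edit or delete it
    : > "$log"
    chattr +a "$log"                 # new active log: appends allowed, truncation/edit refused
}

# Example invocation (run only as root on a real system):
#   rotate_log /var/log/secure && audit_dir /var/log a
```

With +a set, `echo x >> /var/log/secure` still works but `: > /var/log/secure` and editing in place are refused, which is exactly the behaviour the article wants for an active log; an attacker who needs to wipe entries has to clear the attribute first, and that is the step a file-integrity check can catch.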
If the required security level is particularly high, the CD can be made bootable and the verification made part of the system startup process, so that as long as the system boots from the CD, it is known not to be compromised. If you create read-only partitions, you can reload them regularly from the CD image. Even partitions such as /boot, /lib and /sbin that cannot be mounted read-only can still be checked against the CD image, and can even be reloaded from it after booting from another secure image.

● Other backups. Although many files in /etc change often, much of the content of /etc can still be placed on a CD for system integrity verification. Other frequently modified files can be backed up to another system (such as tape) or compressed into a read-only directory. In this way additional integrity checks can be run on top of the verification against the CD image. Since the vast majority of operating systems now ship on CD, creating a CD-ROM emergency boot disk or verification disk is very convenient, and it is a very effective and workable method of verification.

3. Improving the system's internal security mechanisms. Linux's internal functions can be improved to prevent buffer overflow attacks, an extremely destructive yet very hard to prevent class of attack. Although such improvements require considerable experience and skill from system administrators, they are still very necessary for many Linux systems with high security requirements.

● Solar Designer's secure Linux patch. Solar Designer's security patch for the 2.0 kernel provides a non-executable stack, reducing the threat of buffer overflows and thereby greatly improving overall system security. Buffer overflows are quite difficult to carry out, because the intruder must be able to judge when a potential buffer overflow will occur and where in memory it will appear.
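The comparison against a read-only image described in the backup section, as an added example that is not part of the original article: a checksum manifest built on a clean system plays the role of the CD-ROM copy (the manifest itself would be burned to the CD), and the live tree is verified against it. It assumes GNU coreutils (sha256sum, sort -z); the directory and file names used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a checksum manifest standing in for the read-only
# CD-ROM image. Build it once on a clean system, keep it on read-only media, and compare
# the live tree against it regularly. Assumes GNU coreutils (sha256sum, sort -z).

# make_manifest ROOT OUT -- record the SHA-256 of every regular file under ROOT into OUT
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$2"
}

# verify_manifest ROOT MANIFEST -- 0 if every listed file is present and unchanged,
# non-zero (with the offending paths printed) if any file was altered or removed.
# MANIFEST must be an absolute path because the check runs from inside ROOT.
verify_manifest() {
    ( cd "$1" && sha256sum --quiet -c "$2" )
}

# new_files ROOT MANIFEST -- files now under ROOT that the manifest never saw.
# sha256sum -c cannot notice these (a backdoor dropped as a brand-new file, for instance),
# so the live file list is compared against the manifest's path column (starts at column 67:
# 64 hex digits plus two spaces).
new_files() {
    ( cd "$1" && find . -type f ) | awk -v m="$2" '
        BEGIN { while ((getline l < m) > 0) known[substr(l, 67)] = 1 }
        !($0 in known)' | LC_ALL=C sort
}

# Usage on a real system (paths are assumptions):
#   make_manifest /usr /mnt/cdrom/usr.sha256      # once, on the clean install
#   verify_manifest /usr /mnt/cdrom/usr.sha256 && new_files /usr /mnt/cdrom/usr.sha256
```

Running the verification from a boot CD, as the article suggests, matters because a compromised kernel or sha256sum binary on the live system could lie about the results; the manifest on read-only media is only as trustworthy as the tools that read it.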
Preventing buffer overflows seems very difficult: the system administrator must completely remove the conditions for a buffer overflow in order to prevent this form of attack. Because of this, many people, even Linus Torvalds, consider this secure Linux patch important, since it prevents all attacks that exploit buffer overflows. Note, however, that these patches cause execution-stack and library dependency problems for some programs, and these problems bring new challenges for the system administrator. The non-executable stack patch is distributed on many security mailing lists (securedistros@nl.linux.org), and users can easily download it.

● StackGuard. StackGuard is a very powerful security patch tool. You can compile and link key applications with a StackGuard-patched version of gcc. At compile time StackGuard adds stack checks to prevent stack buffer overflow attacks. Although this leads to a slight decrease in system performance, StackGuard is still a very useful tool for specific applications with high security requirements. There is now a Linux version, SafeGuard, that makes StackGuard easier to use. Although using StackGuard can cause a performance degradation of about 10 to 20%, it can prevent this whole class of buffer overflow attacks.

● Adding new access control functionality. The Linux 2.3 kernel is attempting to implement file system access control lists, which add finer-grained access control on top of the original three-class (owner, group and other) access control mechanism. A new access control function is also being developed in the 2.2 and 2.3 versions of the Linux kernel, which will eventually affect some of the current ext2 file attributes. Compared with the traditional ext2 file system it provides more precise security control features.
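A way to check whether a given binary actually has the two protections just described, added here as an example that is not part of the original article. It uses today's equivalents of the 2.0-era patch and of StackGuard, which are assumptions on my part rather than anything the article states: a non-executable stack is recorded in the ELF PT_GNU_STACK program header, and gcc's -fstack-protector (StackGuard's descendant) leaves a reference to the __stack_chk_fail symbol. It assumes GNU binutils (readelf); the parsers take the tool's text output as input so they can be run on captured lines without a binary at hand.

```shell
#!/bin/sh
# Added example (not from the article): does a binary have a non-executable stack and
# compiler stack checks? Modern equivalents of the patch and StackGuard (assumptions):
#   - PT_GNU_STACK program header without the E flag  => non-executable stack
#   - reference to __stack_chk_fail                    => gcc -fstack-protector was used
# Assumes GNU binutils (readelf).

# gnu_stack_is_exec READELF_L_OUTPUT
# 0 if the GNU_STACK header carries the E (executable) flag, 1 if it does not,
# 2 if there is no GNU_STACK header at all (old toolchain: no protection recorded).
# In `readelf -lW` output the flags sit between the size columns and the alignment,
# printed as "RW ", "RWE" or "R E", so every field from 7 up to the last is inspected.
gnu_stack_is_exec() {
    printf '%s\n' "$1" | awk '
        $1 == "GNU_STACK" {
            found = 1
            for (i = 7; i < NF; i++) if ($i ~ /E/) exec = 1
        }
        END { if (!found) exit 2; exit exec ? 0 : 1 }'
}

# has_stack_protector READELF_S_OUTPUT -- 0 if __stack_chk_fail is referenced
has_stack_protector() {
    printf '%s\n' "$1" | grep -q '__stack_chk_fail'
}

# check_binary FILE -- run both checks on a real ELF file and print a verdict line
check_binary() {
    ph=$(readelf -lW "$1" 2>/dev/null) || { echo "$1: not an ELF file"; return 2; }
    rc=0
    gnu_stack_is_exec "$ph" || rc=$?
    case $rc in
        0) nx="EXECUTABLE stack" ;;
        1) nx="non-executable stack" ;;
        *) nx="no GNU_STACK header" ;;
    esac
    if has_stack_protector "$(readelf -sW "$1" 2>/dev/null)"; then
        sp="stack protector"
    else
        sp="no stack protector"
    fi
    printf '%s: %s, %s\n' "$1" "$nx" "$sp"
}

# Usage on a real system:  check_binary /usr/sbin/sshd
```

A binary that reports "no stack protector" may simply contain no functions with character arrays (the default -fstack-protector heuristic only instruments those), so the symbol check is evidence of absence only when combined with knowledge of how the program was built; the GNU_STACK flag, by contrast, is a direct statement of what the loader will do.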
With this new feature, applications will be able to obtain just the privileges they need to access certain system resources, such as the initial socket, rather than full superuser privileges.

● Rule-set-based access control. The Linux community is now developing the Rule Set Based Access Control (RSBAC) project, which claims to bring the Linux operating system to B1-level security. RSBAC is an access control extension framework built on extending a number of system calls, and it supports a variety of different access control and authentication methods. This extension and strengthening of the internal and local security of the Linux system is very useful.

4. Setting traps and honeypots. A so-called trap is software that triggers an alarm event when activated, and a honeypot program is a trap program designed to lure intrusion attempts and trigger a special alarm. By setting traps and honeypot programs, the system can quickly raise an alert when an intrusion occurs. Many large networks have special trap programs designed for them. Traps are generally divided into two kinds: one only detects the intruder without taking retaliatory action, the other takes retaliatory action at the same time. A commonly used way to set up a honeypot is to deliberately claim that the Linux system is running an IMAP server version with many vulnerabilities. When an intruder performs a bulk port scan against the IMAP server, they fall into the trap and the alarm system fires. Another very famous honeypot trap is phf, a very fragile web cgi-bin script. phf was originally designed to look up phone numbers, but it had a serious security vulnerability that allowed intruders to use it to access the system password file or perform other malicious actions. The system administrator can set up a fake phf which, instead of sending the system password file to the intruder, returns some false information to the intruder and raises an alert to the system administrator.
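The fake phf just described, as an added example that is not part of the original article: a CGI script that logs every request as an alert (a real phf has no business existing on the server, so any hit is suspicious) and answers with a harmless decoy page. It assumes a CGI-capable web server that sets REMOTE_ADDR, QUERY_STRING and GATEWAY_INTERFACE; the alert log path /var/log/phf-trap.log and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a fake phf CGI trap. Every request is logged as an
# alert and the client receives decoy output instead of anything real.
# Assumes a CGI server that sets REMOTE_ADDR / QUERY_STRING; the log path is an assumption.

PHF_ALERT_LOG=${PHF_ALERT_LOG:-/var/log/phf-trap.log}

# phf_alert_line SRC QUERY -- one record for the alert log; the query is kept verbatim
# (quoted, embedded CR/LF stripped) so the administrator can see what was attempted.
phf_alert_line() {
    q=$(printf '%s' "$2" | tr -d '\r\n')
    printf '%s phf-trap src=%s query="%s"\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$q"
}

# phf_trap -- the CGI entry point: log first, then answer with decoy output
phf_trap() {
    src=${REMOTE_ADDR:-unknown}
    query=${QUERY_STRING:-}
    phf_alert_line "$src" "$query" >> "$PHF_ALERT_LOG"
    # Decoy response: looks like the real phone-book lookup found nothing.
    printf 'Content-Type: text/html\r\n\r\n'
    printf '<html><body><h1>Query Results</h1><p>No entries matched your query.</p></body></html>\n'
}

# count_trap_hits LOG SRC -- how often SRC has hit the trap (input for the
# "retaliating" trap type, e.g. deciding when to add a firewall deny rule)
count_trap_hits() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c " src=$2 " "$1" || true      # grep -c prints 0 but exits 1 when nothing matches
}

# When executed by a CGI server, serve the trap; when sourced for testing, only define it.
case "${GATEWAY_INTERFACE:-}" in
    CGI/*) phf_trap ;;
esac
```

Installed as cgi-bin/phf, the script should be watched the same way the article recommends for other traps: feed the alert log to whatever raises alarms for the administrator, and consider the source address hostile from the first hit onward.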
Another type of honeypot program blacklists the intruder's IP address through the firewall, immediately denying the intruder any further access. The denial of unfriendly access can be either short-term or long-term. The Linux kernel firewall code is ideal for doing this.

5. Detecting intrusions and reacting proactively. The thing intruders most often do before an attack is a port scan; if you can detect and prevent port scanning behaviour, you can greatly reduce the incidence of intrusion events. The reaction system can be a simple stateful packet filter, a complex intrusion detection system, or a configurable firewall.

● Abacus PortSentry. Abacus PortSentry is an open-source toolkit that monitors network interfaces and interacts with the firewall to shut down port scan attacks. When a port scan is in progress, PortSentry can quickly prevent it from continuing. But if it is not configured properly, it can also allow hostile external users to mount a denial of service attack against your system. PortSentry combined with the transparent proxy utility in Linux can provide a very effective intrusion prevention measure: a universal service can be offered on all unused IP addresses, with their ports redirected to PortSentry, so that an intruder's port scan is detected and blocked in time, before the intruder can take further action. PortSentry can detect slow scans (slowscan), but it cannot detect structured attacks (structured attack). The aim of both is to disguise the attack attempt: a slow scan is a port scan spread over a very long time, while in a structured attack the attacker scans or probes from multiple source addresses to conceal the real target of the attack. Correct use of this software can effectively prevent large numbers of parallel scans of the IMAP service and block all such intruders. Abacus PortSentry is most effective when used together with the Linux 2.2 kernel's IPChains tool; IPChains can automatically move all
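The port-scan detection and firewall blacklisting this section describes, as an added example that is not part of the original article or of PortSentry: a shell script that runs over kernel packet-filter log lines, reports source addresses that touched many distinct destination ports, and prints the ipchains deny rule the "retaliating" trap type would apply. The log lines are constructed samples using TEST-NET addresses, the "SRC=... DST=... DPT=..." field names are an assumption about the log format, and because no time window is applied the check also catches the slow scans the article mentions, as long as the log span covers them.

```shell
#!/bin/sh
# Added example (not from the article or PortSentry): port-scan detection over firewall log
# lines plus the blacklist rule for the 2.2-era ipchains the article pairs with PortSentry.
# Log format (SRC=/DPT= fields) and the addresses are assumptions / constructed samples.

# sample_log -- constructed firewall log lines (TEST-NET addresses), not real captures
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 10 10:00:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 10 10:00:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 10 10:00:04 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 10 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 10 10:00:06 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 10 10:00:07 gw kernel: IN=eth0 SRC=198.51.100.7 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=80 SYN
Jan 10 10:00:08 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40006 DPT=110 SYN
Jan 10 10:00:09 gw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=22 SYN
Jan 10 12:31:10 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40007 DPT=143 SYN
Jan 10 12:31:11 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40008 DPT=143 SYN
Jan 10 12:31:12 gw kernel: IN=eth0 SRC=198.51.100.7 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=80 SYN
Jan 10 12:31:13 gw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=33001 DPT=80 SYN
EOF
}

# scan_sources LOG THRESHOLD
# Prints every source address that touched at least THRESHOLD distinct destination ports.
# Repeated hits on the same port (a legitimate client retrying) count once; distinct ports
# are what distinguish a scan, whether it took seconds or, as in a slow scan, hours.
scan_sources() {
    awk -v t="$2" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= t) print s }' "$1" | LC_ALL=C sort
}

# block_rule SRC -- the deny rule for the ipchains input chain, printed rather than
# executed so an administrator can review it before applying it.
block_rule() {
    printf 'ipchains -A input -s %s -j DENY\n' "$1"
}

# Usage on a real system (path is an assumption):
#   for s in $(scan_sources /var/log/messages 5); do block_rule "$s"; done
```

Two caveats follow directly from the article's own warnings: a reaction system that blocks automatically can be turned into a denial of service if an attacker spoofs the source address of a friendly host, so spoofable sources should be exempted; and because the counting is per source address, a structured attack spread across many sources stays below the threshold, which is exactly the limitation the article notes for PortSentry.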