Thursday, December 30, 2010

Classical document: basic Linux network security configuration overview

Fourth: recommended replacements for common network service applications

WuFTPD

WuFTPD has had a steady stream of security vulnerabilities since 1994. A hacker can easily obtain remote root access, and many of the holes do not even require a valid account on the FTP server.

Security vulnerabilities have also turned up frequently in WuFTPD recently. Its best alternative is ProFTPD. ProFTPD is very easy to configure, is faster in most cases, and has relatively clean source code (fewer buffer overflow errors). Many important sites use ProFTPD. Sourceforge.net is a good example (the site hosts 3,000 open source projects, so its load is not small!). Some Linux distributors use ProFTPD on their primary FTP sites; only two major Linux distributors (SuSE and Caldera) use WuFTPD. Another advantage of ProFTPD is that it can run either from inetd or as a stand-alone daemon. This makes it easy to avoid the problems posed by inetd, such as denial of service attacks. The simpler the system, the easier it is to guarantee its security. Either all of WuFTPD's source code is re-audited (very hard) or the code is completely rewritten; otherwise WuFTPD must be replaced with ProFTPD.

Telnet

Telnet is very insecure: it transmits passwords in clear text. Its secure alternative is OpenSSH. OpenSSH on Linux is already very mature and stable, and there is plenty of free client software for the Windows platform as well. Linux distributors should adopt OpenBSD's policy: install OpenSSH and enable it by default, and do not install Telnet or set it as the default. Linux distributors outside the United States can easily ship OpenSSH in their releases. Distributors in the United States will have to find some other way (for example, RedHat's FTP server in Germany (ftp.redhat.de) carries the latest OpenSSH RPM packages). Telnet is incurable. To keep the system secure, it must be replaced with software such as OpenSSH.

Sendmail

In recent years Sendmail's security has improved a great deal (it is usually a focus of attack by hackers). However, Sendmail still has a very serious problem.
When a security vulnerability appears (for example, the recent Linux kernel error), Sendmail is what hackers attack, because Sendmail runs with root privileges and its mammoth code base easily goes wrong. Almost all Linux distributions ship Sendmail as the default configuration; only a few offer Postfix or Qmail as an optional package. However, very few Linux distributors use Sendmail on their own mail servers. SuSE and RedHat use systems based on Qmail. Sendmail does not necessarily have to be completely replaced by another program. But its two alternatives, Qmail and Postfix, are more secure and faster than it, and Postfix in particular is easy to configure and maintain.

su

su is used to change the current user's ID and switch to another user. You can log on as a normal user and, when you need to do something as root, simply run the "su" command and enter the root password. su itself is not a problem, but it lets people develop bad habits. If a system has multiple administrators, all of them must be given the root password. An alternative to su is sudo. RedHat 6.2 includes this software. Sudo lets you set which users and which groups can do what as root. You can also restrict users according to where they log on from (if someone has cracked a user's password and uses the account to log on from a remote computer, you can restrict him from using sudo). Debian also has a similar program called super, which has advantages and disadvantages compared with sudo. Let users develop good habits. Using the root account and letting more people know the root password is not a good habit. This is the reason www.apache.org was invaded: it had more than one system administrator, and they all had root privileges. A tangled system is very easy to invade.

Named

Most Linux distributions have solved this problem. named used to run as root, so when a new vulnerability appeared in named, it was easy to break into some very important computers and gain root privileges.
Now a command-line parameter is all it takes to make named run as a non-root user, and the vast majority of Linux distributions now run named with normal user rights. The command format is usually: named -u <user> -g <group>

INN

INN's documentation already states explicitly: "Disable this feature (verifycancels); it is useless and will be removed." About a month ago, a hacker released an intrusion against INN that works when "verifycancels" is in effect. RedHat ships with "verifycancels" enabled.

setuid/setgid programs and network service programs must be properly installed and checked to ensure, as far as possible, that they have no security vulnerabilities.
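
As an added example (not part of the original document), the script below checks an inetd.conf-style file against the WuFTPD, Telnet and run-as-root advice above: it flags an enabled telnet service, an ftp service whose daemon is not ProFTPD (to be reviewed by hand, since the daemon name alone does not prove it is WuFTPD), and any service started as root. The field layout, the sample entries and the daemon names in them are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed inetd.conf field
# layout: service socket proto wait-flag user server-path [args...]

# Constructed sample input, not taken from any real host.
sample_inetd_conf() {
cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
ident   stream  tcp  wait    nobody  /usr/sbin/identd identd
EOF
}

# audit_inetd FILE: print one finding per line as "TAG service daemon".
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # commented-out (disabled) or incomplete entry
        {
            svc = $1; user = $5
            # behind the tcpd wrapper the real daemon is the first argument (field 7)
            daemon = ($6 ~ /tcpd$/ && NF >= 7) ? $7 : $6
            sub(/.*\//, "", daemon)      # strip the directory part
            if (svc == "telnet" || daemon ~ /telnetd/)
                print "TELNET", svc, daemon       # clear-text logins still enabled
            if (svc == "ftp" && daemon !~ /proftpd/)
                print "FTP-REVIEW", svc, daemon   # check by hand whether this is WuFTPD
            if (user == "root")
                print "ROOT", svc, daemon         # service is started with root privileges
        }
    ' "$1"
}

# Run against the constructed sample when the script is executed.
tmp=$(mktemp) && sample_inetd_conf > "$tmp" && audit_inetd "$tmp"; rm -f "$tmp"
```

On a real host, pass the path of the system's own inetd configuration file to audit_inetd instead of the sample.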
