Sunday, December 12, 2010

Linux system in-depth security hardening (3)

6. iptables firewall rules. Assume our server, server1, runs Apache and sshd (sshd need not listen on its standard port; the port is set in its configuration file). eth0 is connected to the Internet and eth1 to the LAN. The administrator dials in from home to server2 (whose private LAN address is 192.168.0.12) and logs in to server1 from there. The rules are as follows:

(iptables rules shown as an image in the original post)

To guard against possible IP spoofing, you can also bind server2's network card (MAC) address in the rules:

(iptables rule shown as an image in the original post)

It may look as if few intruders could achieve much in this situation, but that is not the end of it. Anyone who understands attacks knows the "port redirection plus reverse pipe" combination for travelling across a firewall; the technique is widely used and dangerous. To counter this hard-to-defend attack we have to sacrifice some ease of use; the following rule drops TCP connections initiated from inside to outside:

(iptables rule shown as an image in the original post)

In addition, pulling files back with tftp or other clients is a common attack, and tools such as loki depend on UDP, so we now shut UDP out completely:

(iptables rule shown as an image in the original post)

Note: when updating the system or debugging the network, these two rules need to be removed temporarily.

Since an intrusion, by its nature, obtains a shell on the target operating system through a text or graphical interface on a standard or non-standard port, these rules not only stop the reverse pipe itself but also defeat many other tricks. For the average system administrator, however, this is too harsh! Below are a few more iptables countermeasures against attacks:

(iptables rules shown as images in the original post)

iptables can also be configured to make some scans, such as nmap's, fail. Bear in mind that a firewall is not a panacea: if an attacker is determined enough, do not expect your firewall to withstand a DDoS.

7. Integrity checking. Tripwire is a well-known tool that helps you find out whether important system files have been modified. Most Linux distributions now ship the open-source version, and its default policy already covers a number of sensitive files. rpm can also be used: see "man rpm"; the "-V" option performs an MD5 checksum verification. Note that the binary files of the rpm database, from which the checksums come, should be backed up to media that cannot be altered, so that they themselves are not tampered with.

8. Scanning. With the common hardening essentially finished, now do a risk assessment of your own system; the latest version of Nessus is recommended. You may feel that your system has no problems, but Nessus can often report issues, for example security flaws in third-party webmail. If it finds something, go back and fix it.

9. Advanced skills. The measures above are sufficient against most intruders; this section is for those who are extremely paranoid about security. Buffer-overflow countermeasures include compiler techniques such as StackGuard, StackShield, FormatGuard, HeapGuard and PointGuard, but they require recompiling the source code, which is troublesome and degrades system performance, so here we focus on kernel patches that prevent buffer overflows. The best known is the PaX kernel patch, which mainly makes the heap, stack and bss data areas non-executable, defending against exploits that overwrite a return address and jump straight into a data area to run shellcode. The PaX site has been hard to reach recently, but Google turns up many versions of the PaX patch for newer kernels. These patches do not defend against all overflow attacks, but they stop quite a number of the exploits in circulation.

10. Log policy. Create hard copies of the key logs related to intrusions, so that during incident response you are not left without even a black box. They can be redirected to a printer, to messages to the administrator, to an independent logging server, and to a hot backup.

11. Snort intrusion detection. An IDS is only necessary on systems with high requirements for intrusion response and security logging; on an ordinary system, if the administrator never reads the pile of logs, it merely consumes system resources for no benefit.

Summary. Consider a skilled intruder who digs up underlying system vulnerabilities himself and has discovered a vulnerability in Apache, with a working remote exploit that has not yet appeared on Bugtraq. Against the hardened state described above, to attack our system he must have a root-level remote overflow in Apache and must also: 1) implant shellcode that kills the httpd process and binds a shell to port 80; 2) reuse port 80; 3) have the shellcode run "iptables -F OUTPUT/INPUT", provided he guesses that such rules exist. All of this needs root privileges after the overflow, and he must also get past PaX; in addition, httpd will automatically restart after being killed. If he wants to attack sshd, iptables drops all SSH packets from the external network, so even a remote overflow (not forgetting PaX) finds the road blocked. Another route: a scripting attack that can capture a remote user's cleartext SSH password, or a script flaw that adds a system account directly; but that requires root, /etc/passwd has been made immutable with chattr, the conditions above must still be met, and server2 must be compromised before there is any hope of a shell. Privilege elevation through a common script attack does not work here, and of course if the system runs no CGI this road is closed entirely. An intruder may well deface your web scripts; third-party web security hardening is outside this discussion. The conditions above are demanding enough for most intruders that success is almost impossible.

But we have also sacrificed a lot, and these measures depend on the particular environment. The reader needs to stand in his own position and find his own balance between security and ease of use.
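The server1 rule set described in section 6 and recapped in the summary, rebuilt from the text as an added example (the post's own rules were images and are not reproduced here). The LAN interface name, server2's MAC address and the sshd port are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not the original post's rules (those were images): the server1
# rule set described in section 6, rebuilt from the text.
# Placeholders (not from the post): eth1 is the LAN side, server2's MAC address,
# and the sshd port; change them for a real deployment.
LAN_IF=eth1
ADMIN_IP=192.168.0.12           # server2, the only host allowed to reach sshd
ADMIN_MAC=00:11:22:33:44:55     # placeholder for server2's real MAC address
SSH_PORT=22                     # placeholder; set to whatever sshd_config uses

# Dry run by default: the rules are printed, not loaded. Run as
# "sh rules.sh apply" (as root) to hand them to the real iptables.
if [ "${1:-}" = apply ]; then IPT=iptables; else IPT="echo iptables"; fi

gen_rules() {
    # Empty every chain and default to DROP, so only what is listed passes.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback, plus replies belonging to connections already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Apache: new HTTP connections from anywhere (eth0 and eth1 alike).
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # sshd: only from server2, only on the LAN interface, and only from
    # server2's MAC, so a spoofed 192.168.0.12 from elsewhere is dropped too.
    # External SSH never matches anything and falls to the DROP policy.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$SSH_PORT" -s "$ADMIN_IP" \
        -m mac --mac-source "$ADMIN_MAC" -m state --state NEW -j ACCEPT
    # The two "harsh" rules from the post, written out even though the DROP
    # policy already covers them: no TCP connections initiated from inside to
    # outside (defeats reverse pipes) and no UDP at all (tftp, loki).
    # Remove them temporarily when updating the system or debugging the network.
    $IPT -A OUTPUT -p tcp -m state --state NEW -j DROP
    $IPT -A OUTPUT -p udp -j DROP
    $IPT -A INPUT -p udp -j DROP
}

gen_rules
```

With the UDP and outbound-TCP rules in place the box cannot resolve DNS or fetch updates itself, which is exactly the trade-off the post describes.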
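For the "rpm -V" check in section 7, an added example (not from the post) that verifies installed packages against a backup copy of the RPM database and filters the output down to files whose MD5 digest changed; the backup path and the sample output are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example for section 7, not from the original post: run "rpm -V" against
# a backup copy of the RPM database kept where an intruder cannot rewrite it,
# and report files whose MD5 digest no longer matches. RPM_DB_BACKUP is an
# assumed path (a copy of /var/lib/rpm made right after installation).
RPM_DB_BACKUP=${RPM_DB_BACKUP:-/mnt/readonly/rpmdb}

# "rpm -V" prints one line per file that fails a check: a 9-character status
# field (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities on newer rpm), an optional type flag such as "c" for config
# files, then the path; files that are gone entirely start with "missing".
# This filter keeps only MD5 changes on non-config files, plus missing files.
md5_changed() {
    while read -r status rest; do
        case "$status" in
            missing) printf 'MISSING %s\n' "${rest##* }"; continue ;;
            ??5*) ;;            # third character is the MD5 flag
            *) continue ;;      # size/mtime-only changes are not interesting here
        esac
        set -- $rest            # split "[flag] path" on whitespace
        if [ $# -ge 2 ]; then kind=$1; path=$2; else kind=-; path=$1; fi
        [ "$kind" = c ] && continue   # config files are edited legitimately
        printf 'CHANGED %s\n' "$path"
    done
}

# Verify every installed package against the backup database (run as root so
# every file is readable) and pipe the result through the filter above.
verify_all() {
    rpm --dbpath "$RPM_DB_BACKUP" -Va 2>/dev/null | md5_changed
}

# Constructed sample of "rpm -V" output so the filter can be tried offline.
SAMPLE='S.5....T.    /bin/login
.......T.    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd'

check_sample() {
    printf '%s\n' "$SAMPLE" | md5_changed
}

check_sample
```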
