3. Improve the system's internal security mechanisms

Improving the internal functions of the Linux operating system can prevent buffer overflow attacks, which are extremely destructive and the most difficult to guard against. Such improvements require considerable experience and skill from the system administrator, but they are still very necessary for the many Linux systems that have high security requirements.
● Solar Designer's secure Linux patch for the 2.0 kernel

Solar Designer's secure Linux patch for the 2.0 kernel provides a non-executable stack to reduce the threat of buffer overflows, which greatly improves overall system security. A buffer overflow is quite difficult to carry out, because the intruder must be able to determine when a potential buffer overflow will occur and where in memory it will appear. Buffer overflows are also very difficult to prevent: the system administrator must completely eliminate the conditions under which they occur in order to stop this form of attack. Because of this, many people, even Linus Torvalds, consider this secure Linux patch important, because it prevents all attacks that use buffer overflows. Note, however, that these patches cause dependency problems for some programs and libraries that rely on an executable stack, and these problems bring new challenges for the system administrator. The non-executable stack patch is distributed on many security mailing lists (such as securedistros@nl.linux.org), so users can easily download it.

● StackGuard

StackGuard is a very powerful security patch tool. You can use the StackGuard-patched version of gcc to recompile and link critical applications. At compile time StackGuard adds stack checks that prevent stack buffer overflow attacks. Although this slightly reduces system performance, StackGuard is still a very useful tool for specific applications with high security requirements. A Linux version that uses SafeGuard is now available, which makes StackGuard easier for users to adopt. Although using StackGuard can degrade system performance by about 10 to 20%, it prevents this whole class of buffer overflow attacks.
● Add new access control functions

The Linux 2.3 kernel is attempting to implement file system access control lists, which add more detailed access control on top of the original three-category (owner, group and other) access control mechanism. A new access control function is also being developed in the 2.2 and 2.3 versions of the Linux kernel, and it will eventually affect some current issues concerning ext2 file attributes. Compared with the traditional ext2 file system, it provides more precise security control. With this new feature, an application will be able to access certain system resources that require superuser privileges, such as raw sockets.

● Rule set based access control

The Linux community is now developing a rule set based access control (RSBAC) project, which claims to enable the Linux operating system to reach B1-level security. RSBAC is an extension framework based on access control that extends a number of system calls and supports a variety of different access and authentication methods. This is very useful for extending and strengthening the internal and local security of a Linux system.

4. Set traps and honeypots

A trap is software that triggers an alarm event when it is activated, and a honeypot program is a trap program designed to lure intrusion attempts into triggering a special alarm. With traps and honeypot programs in place, the system can raise an alert quickly when an intrusion occurs. Many large networks are designed with special trap programs. Traps generally fall into two kinds: one only detects the intruder without taking retaliatory action, and the other takes retaliatory action at the same time. A commonly used way to set up a honeypot is to deliberately claim that the Linux system runs an IMAP server version with many vulnerabilities.
When an intruder runs a bulk port scan against these IMAP servers, the intruder falls into the trap and sets off the system alarm. Another very famous example of a honeypot trap is phf, a very fragile Web cgi-bin script. phf was originally designed to look up phone numbers, but it has a serious security vulnerability: it allows intruders to use it to obtain the system password file or perform other malicious actions. The system administrator can set up a fake phf that, instead of sending the system password file to the intruder, returns some false information to the intruder and issues an alert to the system administrator. Another type of honeypot trap uses the firewall to put the intruder's IP address on a blacklist, which immediately denies the intruder any further access. Denial of unfriendly access can be either short-term or long-term. The Linux kernel firewall code is well suited to this.
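
The fake phf and firewall blacklist traps described above, sketched as an added example (not code from the original article): it scans web-server log lines for requests to the decoy script and computes a short-term or long-term ban expiry for each source address. The log lines are constructed, and the ban durations and function names are assumptions; loading the resulting addresses into the kernel firewall is left to the administrator.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); the addresses come
# from documentation ranges and are not real observations.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [12/Mar/2000:10:01:09 +0000] "GET /cgi-bin/phf?q=constructed HTTP/1.0" 200 87
198.51.100.7 - - [12/Mar/2000:10:01:15 +0000] "GET /cgi-bin/phf?q=constructed2 HTTP/1.0" 200 87
203.0.113.5 - - [12/Mar/2000:10:02:00 +0000] "GET /cgi-bin/search HTTP/1.0" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
DECOY_PATHS = ("/cgi-bin/phf",)   # scripts that exist only as bait
SHORT_BAN = timedelta(hours=1)    # assumed policy: a single hit
LONG_BAN = timedelta(days=30)     # assumed policy: repeated hits

def decoy_response():
    """What the fake phf returns: false data, never a real system file."""
    return "Content-type: text/plain\r\n\r\nNo matching entries found.\n"

def scan(log_text):
    """Return {ip: [timestamps]} for every request that touched a decoy."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        ip, stamp, url = m.group(1, 2, 4)
        path = url.split("?", 1)[0]
        if path in DECOY_PATHS:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            hits.setdefault(ip, []).append(when)
    return hits

def blacklist(hits):
    """Map each offending IP to the time at which its ban expires."""
    bans = {}
    for ip, times in hits.items():
        ban = LONG_BAN if len(times) > 1 else SHORT_BAN
        bans[ip] = max(times) + ban
    return bans

def is_blocked(bans, ip, now):
    """True while the ban for ip has not yet expired."""
    return ip in bans and now < bans[ip]
```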