21. Root-owned programs with the s bit set

Remove the s bit flags from root-owned programs that do not need them. Some programs do need these bits, of course; for the rest, use the command 'chmod a-s' to remove them. Note: the programs marked with (*) in the listing below generally do not need the s bit flags.

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
 -rwsr-xr-x 1 root root 33120 Mar 21 1999 /usr/bin/at
*-rwsr-xr-x 1 root root 30560 Apr 15 20:03 /usr/bin/chage
*-rwsr-xr-x 1 root root 29492 Apr 15 20:03 /usr/bin/gpasswd
 -rwsr-xr-x 1 root root 3208 Mar 22 1999 /usr/bin/disable-paste
 -rwxr-sr-x 1 root man 32320 Apr 9 1999 /usr/bin/man
 -r-s--x--x 1 root root 10704 Apr 14 17:21 /usr/bin/passwd
 -rws--x--x 2 root root 517916 Apr 6 1999 /usr/bin/suidperl
 -rws--x--x 2 root root 517916 Apr 6 1999 /usr/bin/sperl5.00503
 -rwxr-sr-x 1 root mail 11432 Apr 6 1999 /usr/bin/lockfile
 -rwsr-sr-x 1 root mail 64468 Apr 6 1999 /usr/bin/procmail
 -rwsr-xr-x 1 root root 21848 Aug 27 11:06 /usr/bin/crontab
 -rwxr-sr-x 1 root slocate 15032 Apr 19 14:55 /usr/bin/slocate
*-r-xr-sr-x 1 root tty 6212 Apr 17 11:29 /usr/bin/wall
*-rws--x--x 1 root root 14088 Apr 17 12:57 /usr/bin/chfn
*-rws--x--x 1 root root 13800 Apr 17 12:57 /usr/bin/chsh
*-rws--x--x 1 root root 5576 Apr 17 12:57 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty 8392 Apr 17 12:57 /usr/bin/write
 -rwsr-x--- 1 root squid 14076 Oct 7 14:48 /usr/lib/squid/pinger
 -rwxr-sr-x 1 root utmp 15587 Jun 9 09:30 /usr/sbin/utempter
*-rwsr-xr-x 1 root root 5736 Apr 19 15:39 /usr/sbin/usernetctl
*-rwsr-xr-x 1 root bin 16488 Jul 6 09:35 /usr/sbin/traceroute
 -rwsr-sr-x 1 root root 299364 Apr 19 16:38 /usr/sbin/sendmail
 -rwsr-xr-x 1 root root 34131 Apr 16 18:49 /usr/libexec/pt_chown
 -rwsr-xr-x 1 root root 13208 Apr 13 14:58 /bin/su
*-rwsr-xr-x 1 root root 52788 Apr 17 15:16 /bin/mount
*-rwsr-xr-x 1 root root 26508 Apr 17 20:26 /bin/umount
*-rwsr-xr-x 1 root root 17652 Jul 6 09:33 /bin/ping
 -rwsr-xr-x 1 root root 20164 Apr 17 12:57 /bin/login
*-rwxr-sr-x 1 root root 3860 Apr 19 15:39 /sbin/netreport
 -r-sr-xr-x 1 root root 46472 Apr 17 16:26 /sbin/pwdb_chkpwd

[root@deep]# chmod a-s /usr/bin/chage
[root@deep]# chmod a-s /usr/bin/gpasswd
[root@deep]# chmod a-s /usr/bin/wall
[root@deep]# chmod a-s /usr/bin/chfn
[root@deep]# chmod a-s /usr/bin/chsh
[root@deep]# chmod a-s /usr/bin/newgrp
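The s bit cleanup above, carried one step further as an added example (a shell script written for this page, not code from the original post): it runs the page's find test for setuid/setgid files and a find test for world-writable entries against a directory tree, and compares the s bit list with a baseline so that any s bit program that appears after the cleanup stands out. The tree, the file names in it and the baseline are constructed inside the script under mktemp and are hypothetical; on a real system ROOT would be / and the baseline a list saved right after the cleanup.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a directory tree for
# programs carrying the s bit (setuid/setgid) and for world-writable entries,
# using the same find test as the text, and compare the s bit list against a
# baseline so that any s bit program that appears after the cleanup stands out.
# Everything below runs on a constructed tree under mktemp; on a real system
# ROOT would be / and BASELINE a list saved right after the cleanup.
export LC_ALL=C   # sort and comm must agree on collation

# list_sbit ROOT: regular files under ROOT with setuid or setgid set
# (-perm -04000 / -perm -02000), as sorted paths relative to ROOT.
list_sbit() {
    (cd "$1" && find . -type f \( -perm -04000 -o -perm -02000 \) -print) | sort
}

# list_world_writable ROOT: files and directories under ROOT that any user
# may write to (the "other" write bit), as sorted paths relative to ROOT.
list_world_writable() {
    (cd "$1" && find . \( -type f -o -type d \) -perm -0002 -print) | sort
}

# sbit_drift ROOT BASELINE: print the s bit files under ROOT that are missing
# from BASELINE (a sorted list of relative paths, one per line). Anything
# printed needs explaining: a package update added it, or someone planted it.
sbit_drift() {
    list_sbit "$1" | comm -23 - "$2"
}

# make_demo_tree DIR: build the constructed tree (hypothetical file names
# chosen to mirror the listing in the text) plus a baseline file DIR.baseline.
make_demo_tree() {
    mkdir -p "$1/bin" "$1/usr/bin" "$1/var/spool"
    chmod 0755 "$1" "$1/bin" "$1/usr" "$1/usr/bin" "$1/var"
    for f in bin/su bin/ping usr/bin/passwd usr/bin/chfn usr/bin/at usr/bin/vi; do
        : > "$1/$f"
    done
    chmod 4755 "$1/bin/su" "$1/bin/ping" "$1/usr/bin/passwd" "$1/usr/bin/chfn"
    chmod 2755 "$1/usr/bin/at"      # setgid only
    chmod 0755 "$1/usr/bin/vi"      # ordinary program, no s bit
    chmod 0777 "$1/var/spool"       # world-writable directory
    # Baseline: the s bit programs we accept. ping and chfn are left out on
    # purpose: they are the kind of program the text marks with (*).
    printf '%s\n' ./bin/su ./usr/bin/at ./usr/bin/passwd | sort > "$1.baseline"
}

# demo_drift: s bit files in the constructed tree that the baseline does not
# cover (expected: ./bin/ping and ./usr/bin/chfn).
demo_drift() {
    tmp=$(mktemp -d) || return 1
    make_demo_tree "$tmp/tree"
    sbit_drift "$tmp/tree" "$tmp/tree.baseline"
    rm -rf "$tmp"
}

# demo_world_writable: world-writable entries in the constructed tree
# (expected: ./var/spool).
demo_world_writable() {
    tmp=$(mktemp -d) || return 1
    make_demo_tree "$tmp/tree"
    list_world_writable "$tmp/tree"
    rm -rf "$tmp"
}

demo_drift
demo_world_writable
```

Run the drift check from cron and mail yourself anything it prints; an empty report is the normal case. Note that the world-writable test here keeps only the other-write bit (-perm -0002), whereas the page's command (-perm -2 -o -perm -20) also reports group-writable entries, which are usually far more numerous and mostly harmless.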
[root@deep]# chmod a-s /usr/bin/write
[root@deep]# chmod a-s /usr/sbin/usernetctl
[root@deep]# chmod a-s /usr/sbin/traceroute
[root@deep]# chmod a-s /bin/mount
[root@deep]# chmod a-s /bin/umount
[root@deep]# chmod a-s /bin/ping
[root@deep]# chmod a-s /sbin/netreport

You can use the following command to find all programs with the s bit flag set and write the result to the file suid-sgid-results:

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; > suid-sgid-results

To find all writable files and directories, use the following commands:

[root@deep]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; > ww-files-results
[root@deep]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; > ww-directories-results

Use the following command to find files that have no owner:

[root@deep]# find / -nouser -o -nogroup > unowned-results

Use the following command to find all .rhosts files:

[root@deep]# find /home -name .rhosts > rhost-results

Suggested replacements for common network service applications

WuFTPD

WuFTPD has had one security vulnerability after another since 1994. An attacker can easily gain remote root access, and many of the holes do not even require a valid account on the FTP server. New WuFTPD vulnerabilities still appear frequently. The best replacement for it is ProFTPD. ProFTPD is very easy to configure, is faster in most cases, and its source code is comparatively clean (fewer buffer overflow bugs). Many important sites use ProFTPD; Sourceforge.net is a good example (it hosts 3,000 open source projects, and its load is not small!). Some Linux distributors use ProFTPD on their main FTP sites, and only two major distributors (SuSE and Caldera) use WuFTPD. Another advantage of ProFTPD is that it can run either from inetd or as a stand-alone daemon, which easily avoids the problems inetd brings, such as denial of service attacks.
The simpler a system is, the easier it is to keep it secure. Either all of WuFTPD's source code must be audited again (very hard) or rewritten completely; otherwise WuFTPD must be replaced with ProFTPD.

Telnet

Telnet is extremely unsafe: it transmits passwords in clear text. Its secure alternative is OpenSSH. OpenSSH on Linux is already very mature and stable, and there are many free client programs for the Windows platform as well. Linux distributors should follow OpenBSD's policy: install OpenSSH and enable it by default, and either do not install Telnet or leave it disabled by default. Distributors outside the United States can easily ship OpenSSH with their Linux release; distributors in the United States have to find some other way (for example, RedHat's FTP server in Germany, ftp.redhat.de, carries the latest OpenSSH RPM packages). Telnet cannot be fixed; to keep the system secure it must be replaced with software such as OpenSSH.

Sendmail

In recent years Sendmail's security has improved a great deal (it is usually a favourite target of attackers). Still, Sendmail has a very serious problem: whenever a security vulnerability appears (for example, the recent Linux kernel bug), Sendmail becomes the way in, because it runs with root privileges and its huge code base makes trouble likely. Almost all Linux distributions install Sendmail by default, and only a few offer Postfix or Qmail as optional packages. Yet very few Linux distributors use Sendmail on their own mail servers: SuSE and RedHat use systems based on Qmail. Sendmail does not necessarily have to be replaced completely, but its two alternatives, Qmail and Postfix, are more secure and faster than it is, and Postfix in particular is easy to configure and maintain.

Su

su is used to change the current user ID, switching to another user. You can log in as a normal user and, when you need to be root for something, simply run "su" and enter the root password. su itself is not a problem, but it encourages bad habits: if a system has several administrators, you have to give all of them the root password. The alternative to su is sudo, which RedHat 6.2 includes. sudo lets you specify which users or groups may run which programs as root. You can also restrict users according to where they logged in from (if a user's password is cracked and the account is used to log in from a remote computer, you can keep that user from using sudo). Debian also has a similar program called super, which has advantages and disadvantages compared with sudo. Encourage users to form good habits: using the root account and letting many people know the root password is not a good habit. That is how www.apache.org was broken into: it had more than one system administrator, and all of them had root privileges. A system whose administration is tangled is very easy to break into.

Named

Most Linux distributions have solved this problem. named used to run as root, so whenever a new named vulnerability appeared it was easy to break into some very important machines and gain root privileges. Now a command-line parameter is all it takes to run named as a non-root user, and the vast majority of Linux distributions run named with ordinary user privileges. The usual command format is: named -u <user> -g <group>

INN

The INN documentation states explicitly: "disable this feature (verifycancels); it is useless and will be removed." About a month ago a hacker released an exploit that breaks into INN when "verifycancels" is enabled. RedHat ships with "verifycancels" enabled.

Whether they are setuid/setgid programs or network service programs, install and check them carefully so that as few security holes as possible remain.

Security rules

1. Remove all default user names and passwords from the system.
2. Do not display company banners, online help or other information until the user has been authenticated.
3. Disable the network services that "hackers" use to attack the system.
4. Use 6 to 8 character alphanumeric passwords.
5. Limit the number of login attempts a user may make.
6. Log security violations and review the security logs.
7. Encrypt important information before transmitting it over the Internet.
8. Follow the experts' recommendations and install the system "patches" they recommend.
9. Limit the hosts files that grant access without a password.
10. Modify the network configuration files so that TCP connections from outside are restricted to the fewest possible ports; do not allow protocols such as tftp, sunrpc, printer, rexec or rlogin.
11. Use upas instead of sendmail. sendmail has too many known vulnerabilities and is hard to fix.
12. Remove programs that are not critical to operation and are rarely used.
13. Use chmod to change all system directories to mode 711. Attackers will then not be able to see what is in them, but users can still execute the programs there.
14. Where possible, mount disks read-only; in practice only a few directories need to be writable.
15. Upgrade system software to the latest version. Older versions may already have been studied and successfully attacked; the latest version usually includes fixes for these problems.