Analyzing attacks against Linux servers

Source: Internet
Author: User
With the expansion of enterprise Linux deployments, a large number of network servers run the Linux operating system, and the security and performance of those servers receive increasing attention. This article classifies attacks against Linux servers by depth into a hierarchy of levels and proposes countermeasures for each.

An attack on a Linux server is any unauthorized action intended to impede, damage, weaken, or compromise the security of the server. Attacks range from denial of service to complete compromise and destruction of the server. There are many kinds; this article sorts them by depth into four levels.

Attack Level 1: Denial of Service (DoS)

Because DoS attack tools have proliferated and the underlying protocol-layer defects cannot be fixed in the short term, DoS has become the most widespread form of attack and the hardest to prevent.

Denial-of-service attacks include distributed denial of service (DDoS), reflected DDoS, DNS-based DDoS, and attacks through FTP. Most DoS attacks carry relatively low-level risk; even an attack that forces a reboot causes only a temporary problem. Unlike attacks that aim to take control of the network, DoS generally does not compromise data. However, a DoS attack can be sustained for a long time and is very difficult to deal with.

So far there is no absolute way to stop such attacks, but that does not mean nothing can be done. Besides hardening individual hosts so that they cannot be used as attack sources, strengthening server management is essential. Be sure to deploy verification and filtering that checks whether the source address of an incoming packet is genuine (on Linux, reverse-path filtering via net.ipv4.conf.*.rp_filter). In addition, take the following measures against DoS: disable unnecessary services, limit the number of SYN half-open connections held at the same time, shorten the timeout of SYN half-open connections, and apply system patches promptly. On Linux the SYN-related limits are kernel parameters: net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog and net.ipv4.tcp_synack_retries.
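The following added example (not code from the original article) checks the kernel parameters behind those measures. It reads text in the "key = value" form printed by sysctl -a, flags the parameters that fall short of a hardened baseline, and estimates how long a half-open connection is held for a given number of SYN-ACK retries. The baseline thresholds and the sample configuration are this example's own assumptions, not values from the article or from a real host.

```python
"""SYN-flood hardening audit for Linux kernel parameters.

Added example, not code from the original article. Parses 'key = value'
text as printed by `sysctl -a`, compares a handful of net.ipv4 parameters
with a hardened baseline, and estimates the half-open connection lifetime.
The keys are real kernel parameters; the baseline values are this example's
assumptions, and SAMPLE is a constructed, untuned configuration."""
import sys

# (operator, value) per key. Assumed hardened baseline, not a kernel default.
RECOMMENDED = {
    "net.ipv4.tcp_syncookies": ("==", 1),            # answer with SYN cookies once the backlog is full
    "net.ipv4.tcp_max_syn_backlog": (">=", 4096),    # half-open slots before cookies kick in
    "net.ipv4.tcp_synack_retries": ("<=", 2),        # fewer SYN-ACK retransmits = shorter half-open lifetime
    "net.ipv4.conf.all.rp_filter": ("==", 1),        # drop packets whose source address is not routable back
    "net.ipv4.conf.default.rp_filter": ("==", 1),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("==", 1),  # do not amplify broadcast-ping floods
}


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict; integer values become int."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        settings[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return settings


def _satisfies(op, actual, wanted):
    return {"==": actual == wanted, ">=": actual >= wanted, "<=": actual <= wanted}[op]


def audit_syn_flood(settings):
    """Return (key, actual, expected) for every parameter that is weak or missing."""
    findings = []
    for key, (op, wanted) in RECOMMENDED.items():
        actual = settings.get(key)
        if not isinstance(actual, int) or not _satisfies(op, actual, wanted):
            findings.append((key, actual, f"{op} {wanted}"))
    return findings


def syn_half_open_lifetime(synack_retries):
    """Seconds a half-open entry survives: the SYN-ACK is retransmitted with
    exponential backoff from a 1 s RTO (1, 2, 4, ...), so N retries keep the
    entry for about 2**(N+1) - 1 seconds (63 s for the default of 5)."""
    return 2 ** (synack_retries + 1) - 1


# Constructed sample of an untuned host (not captured from a real machine).
SAMPLE = """
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
"""

# The same host after applying the baseline.
HARDENED = """
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
"""

if __name__ == "__main__":
    # Pipe `sysctl -a` in to audit a real host; with no input, audit the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    settings = parse_sysctl(text)
    for key, actual, expected in audit_syn_flood(settings):
        print(f"WEAK {key} = {actual} (want {expected})")
    retries = settings.get("net.ipv4.tcp_synack_retries", 5)
    print(f"half-open lifetime with {retries} SYN-ACK retries: ~{syn_half_open_lifetime(retries)} s")
```

Run "sysctl -a | python3 audit.py" to check a real host. The lifetime figure is why lowering tcp_synack_retries matters: at the default of 5 each spoofed SYN occupies a backlog slot for about a minute, at 2 for about seven seconds.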

Attack Level 2: local users obtain read and write access to files they are not authorized for

A local user is a user who has a password on some machine on the local network and therefore has a directory on one of its disks. Whether a local user gaining read or write access to files they are not authorized for constitutes a risk depends largely on how critical the files accessed are. Unrestricted access by any local user to the temporary directory (/tmp) is dangerous: it can lay the path to the next level of attack. The classic problems are a shared directory that is world-writable without the sticky bit, so any user can delete or replace another user's files, and programs that create predictably named temporary files there.
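The following added example (not from the original article) is the check a practitioner would run for the /tmp problem described above: it finds directories that are world-writable but lack the sticky bit, the combination that lets any local user delete or replace other users' temporary files. It audits a throwaway directory tree that it constructs itself rather than the real /tmp, and only reports on the real /tmp when run directly.

```python
"""Find shared directories that let any local user tamper with other users'
files: world-writable without the sticky bit. Added example, not from the
original article. Instead of touching the real /tmp it builds a throwaway
tree under a temporary directory (a constructed sample) and audits that."""
import os
import shutil
import stat
import tempfile


def world_writable_without_sticky(path):
    """True for a directory that 'other' can write to but that lacks the sticky
    bit (mode 1777 is the correct /tmp setting; 777 is the dangerous one)."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    return bool(st.st_mode & stat.S_IWOTH) and not (st.st_mode & stat.S_ISVTX)


def find_unsafe_shared_dirs(root):
    """Walk `root` (including root itself) and return flagged directories, sorted."""
    return sorted(d for d, _, _ in os.walk(root) if world_writable_without_sticky(d))


def build_demo_tree():
    """Constructed sample: a correctly set up temp dir (1777), a world-writable
    directory missing the sticky bit (777), and a private one (700)."""
    root = tempfile.mkdtemp(prefix="tmpaudit-")  # created 0700, so not flagged itself
    modes = {"tmp_ok": 0o1777, "shared_bad": 0o777, "private": 0o700}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod is not subject to umask, unlike mkdir
    return root


def run_demo():
    """Build the sample tree, audit it, clean up; return flagged basenames."""
    root = build_demo_tree()
    try:
        return [os.path.basename(p) for p in find_unsafe_shared_dirs(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("flagged in sample tree:", run_demo())
    if os.path.isdir("/tmp"):
        print("/tmp is unsafe:", world_writable_without_sticky("/tmp"))
```

On a real host the fix for a flagged directory is chmod 1777 (or a stricter mode if the directory does not need to be shared at all); the sticky bit restricts deletion and renaming to the file's owner, the directory's owner and root.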

Level 2 also includes social engineering: hackers trick legitimate users into revealing confidential information or carrying out tasks for them. Sometimes a hacker poses as the network administrator and emails users asking for their passwords "for a system upgrade".

Attacks by local users generally begin with a remote login. For Linux servers the best approach is to put all shell accounts on a single machine, that is, to allow logins only on the one or few servers designated for shell access. This makes logging, access control, the protocols exposed, and other potential security issues easier to manage. Systems that host users' CGI scripts should likewise be separated. These machines should be isolated in their own network segment, bounded by routers or switches according to the network layout, and the topology should ensure that hardware (MAC) address spoofing cannot cross that segment.

Attack Level 3: remote users can read and write privileged files

Level 3 attacks not only confirm that specific files exist but also read and write them. They arise from the following flaw in Linux server configuration: remote users can execute a limited set of commands on the server without having a valid account.

Password attacks are the primary method at level 3, and password compromise is the most common form. Password cracking is the term for penetrating a network, system, or resource, with or without tools, to unlock password-protected resources. Users often neglect their passwords, and password policy is hard to enforce. Hackers have a variety of tools to defeat passwords protected both technically and socially; the main techniques are dictionary attacks, hybrid attacks (dictionary words with case changes and appended digits or symbols), and brute-force attacks. Once a hacker has a user's password, they hold that user's privileges.

Password guessing means manually entering common passwords, or obtaining the password by writing a program to do the guessing. Some users choose simple passwords such as birthdates or a spouse's name and do not follow the rule of mixing letters and digits. It does not take a hacker long to guess an 8-character string of birthdate digits: a YYYYMMDD date from the last century is one of only a few tens of thousands of possibilities.

The best defense against level 3 attacks is strict control of privileged access, which above all means strong passwords.

Password rules should require a mix of letters and digits and of upper and lower case (Linux passwords are case-sensitive).

Adding special characters such as "#", "%", or "$" increases complexity further. For example, taking the word "countbak" and appending "#$" gives "countbak#$", a password that satisfies these rules. Bear in mind, though, that a dictionary word with a short suffix is exactly the pattern a hybrid attack tries first, so length and unpredictability matter more than the presence of any one character class.
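The following added example (not code from the original article) ties together the password attacks described above and the password rules just listed. It recovers two weak constructed passwords, "countbak#$" and a birthdate, from a salted hash using the dictionary, hybrid and brute-force generators the article names, fails to recover a long random one, and runs a policy check on each. The hash scheme (salted SHA-256 standing in for crypt(3)), the wordlist, the salt and the target passwords are assumptions of this example, as are the minimum length of 12 and the dictionary-plus-suffix rule added to the article's character-class rules.

```python
"""Dictionary, hybrid and brute-force guessing against a stored password hash,
plus a policy check implementing the rules listed in the article.

Added example, not from the original article. To stay self-contained the
'system' stores a salted SHA-256 digest; that is a stand-in for the crypt(3)
schemes real /etc/shadow entries use (sha512crypt, yescrypt), which are much
slower per guess but are attacked with exactly these guess generators. The
wordlist, salt and target passwords are constructed. The length-12 rule and
the dictionary check are this example's additions to the article's rules."""
import hashlib
import string

WORDS = ["password", "countbak", "linux", "admin", "secret", "welcome"]  # constructed wordlist
SALT = "s4lt"  # constructed


def store(password, salt):
    """How the demo system stores a password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_guesses(words):
    """Dictionary attack: each word exactly as listed."""
    yield from words


def hybrid_guesses(words):
    """Hybrid attack: dictionary words with case changes and common suffixes."""
    suffixes = [""] + [str(n) for n in range(100)] + ["!", "#$", "123", "!@#"]
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for s in suffixes:
                yield base + s


def birthday_guesses(start=1950, end=2010):
    """Brute force of the YYYYMMDD space: only (end-start+1)*12*31 strings."""
    for y in range(start, end + 1):
        for m in range(1, 13):
            for d in range(1, 32):
                yield f"{y:04d}{m:02d}{d:02d}"


def crack(target_hash, salt, generators):
    """Try generators in order; return (password or None, guesses tried)."""
    tried = 0
    for gen in generators:
        for guess in gen:
            tried += 1
            if store(guess, salt) == target_hash:
                return guess, tried
    return None, tried


def check_password_policy(pw, words):
    """Return the rules the password fails (empty list = acceptable)."""
    failures = []
    if len(pw) < 12:
        failures.append("shorter than 12 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("missing mixed case")
    if not any(c.isdigit() for c in pw):
        failures.append("missing digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("missing special character")
    if pw.rstrip(string.punctuation + string.digits).lower() in words:
        failures.append("dictionary word plus suffix")
    return failures


def demo():
    """Crack three constructed passwords and policy-check each; returns
    {label: (recovered password or None, guesses tried, policy failures)}."""
    targets = {"word_plus_suffix": "countbak#$", "birthdate": "19840523",
               "strong": "Vk9#mrT2qz!Lp"}
    results = {}
    for label, pw in targets.items():
        found, tried = crack(store(pw, SALT), SALT,
                             [dictionary_guesses(WORDS), hybrid_guesses(WORDS), birthday_guesses()])
        results[label] = (found, tried, check_password_policy(pw, WORDS))
    return results


if __name__ == "__main__":
    for label, (found, tried, failures) in demo().items():
        print(f"{label}: recovered={found!r} after {tried} guesses; policy failures={failures}")
```

"countbak#$" falls to the hybrid generator after a few hundred guesses and the birthdate well inside the roughly 23,000 dates in the search space, while the long random password survives all three generators. The policy check reports why the first two are weak: both are short, the first is a dictionary word plus a suffix, and neither contains mixed case or (for the first) a digit.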

Attack Level 4: remote users obtain root permissions

The fourth level is what must never happen: a fatal attack. The attacker holds root (superuser, administrator) permission on the Linux server and can read, write and execute every file. In other words, the attacker has full control of the server and can shut it down, or even destroy the network, at any time.

The main attack types at this level are TCP/IP session hijacking (continuous TCP/IP theft), passive channel eavesdropping, and packet interception. All three are ways of collecting important information from the network. Unlike denial of service, they resemble theft: relatively covert and hard to discover. A successful TCP/IP hijack interposes itself in the exchange between two parties and opens the way to a man-in-the-middle attack, in which the hacker controls one or both sides of the exchange without the victims noticing. Through passive eavesdropping the hacker records and manipulates information, transfers files, and looks for weak points through which every channel of the target system can be traversed, collecting connection-and-password combinations and identifying channels that are usable against applications. Packet interception means binding an active listener program on the target system that intercepts and alters all packets, or packets for particular addresses; the packets are diverted to an illegitimate system to be read and then forwarded unchanged, so the victim sees nothing amiss.

Continuous TCP/IP theft is in practice network sniffing. If you suspect that someone has attached to your network, there are verification tools; one is the time-domain reflectometer (TDR). A TDR measures the propagation and reflection of electromagnetic pulses along a cable; connected to the network, it can detect an unauthorized device tapping the wire. Note that a TDR finds only physical taps on the cable, not a compromised host running sniffing software, and many small and medium-sized companies cannot afford such expensive equipment anyway. The best ways to prevent sniffer attacks are:

1. Secure topology. A sniffer can only capture data on its own network segment, so the more finely the network is segmented, the less a sniffer can collect.

2. Session encryption. Rather than trying to stop data from being sniffed, make sure the sniffer cannot make sense of it. The advantage is obvious: even if the attacker captures the data, it is useless to them. In practice this means SSH instead of telnet and rlogin, and TLS for HTTP, FTP, SMTP, POP and IMAP.
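The following added example (not from the original article) shows concretely what session encryption denies a sniffer. It runs simple credential extractors over constructed byte strings shaped like one direction of an FTP session, an HTTP request with Basic authentication, and a TLS session: the two cleartext protocols give up the username and password, while the TLS bytes after the record header are opaque. The captures are constructed samples, not real traffic, and the extractors cover only these two cleartext mechanisms.

```python
"""What a passive sniffer gets from unencrypted sessions versus an encrypted one.
Added example, not from the original article. The 'captured' payloads are
constructed byte strings shaped like real FTP, HTTP and TLS traffic, not a
real capture; each extractor works on the reassembled client->server bytes."""
import base64
import re


def ftp_credentials(stream):
    """FTP sends USER and PASS as plain commands (RFC 959)."""
    user = re.search(rb"^USER (\S+)\r?$", stream, re.M)
    pw = re.search(rb"^PASS (\S+)\r?$", stream, re.M)
    if user and pw:
        return user.group(1).decode(), pw.group(1).decode()
    return None


def http_basic_credentials(stream):
    """HTTP Basic auth is just base64(user:password) in a header (RFC 7617)."""
    m = re.search(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", stream, re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, pw = decoded.partition(":")
    return user, pw


def looks_like_tls(stream):
    """A TLS record starts with content type 0x16 (handshake) or 0x17
    (application data) and a 0x03 0x0X version; everything inside is opaque
    once the handshake is done."""
    return len(stream) >= 3 and stream[0] in (0x16, 0x17) and stream[1] == 0x03


def harvest(sessions):
    """Run every extractor over each session's client->server bytes."""
    found = {}
    for name, stream in sessions.items():
        if looks_like_tls(stream):
            found[name] = "encrypted: nothing recoverable"
            continue
        creds = ftp_credentials(stream) or http_basic_credentials(stream)
        found[name] = creds if creds else "no credentials seen"
    return found


# Constructed samples, not real captures.
CAPTURES = {
    "ftp": b"USER alice\r\nPASS hunter2\r\nPWD\r\n",
    "http": (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Authorization: Basic " + base64.b64encode(b"bob:Sup3rS3cret") + b"\r\n\r\n"),
    # TLS record header (handshake, version 3.1, length 200) followed by opaque bytes
    "https": bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + bytes(200),
}

if __name__ == "__main__":
    for name, result in harvest(CAPTURES).items():
        print(f"{name}: {result}")
```

The FTP and HTTP sessions hand over "alice/hunter2" and "bob/Sup3rS3cret" to anyone on the segment; the same login over FTPS or HTTPS shows a sniffer only the record header and ciphertext, which is the whole point of item 2.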
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
