Article Title: Linux security tips (3)
In this article, I will give you a brief introduction to Linux's security mechanisms (I will not be able to go into them in depth).
1. PAM Mechanism
PAM is a shared library that provides a framework and a set of programming interfaces that move authentication decisions from the programmer to the administrator. PAM allows the administrator to choose between multiple authentication methods, and the local authentication method can be changed without recompiling the applications that rely on authentication.
PAM includes the following functions:
** Encrypted passwords
** Support for shadow passwords
** Restricting user resources to prevent DoS attacks
** Restricting users from logging in from specific locations during specific time periods
** Introducing the concept of "client plug-in agents" so that PAM can support machine-to-machine authentication in client/server applications.
The PAM mechanism provides a convenient basis for more advanced authentication methods; on top of it, authentication methods such as smart cards and fingerprint identification are easy to develop.
2. Intrusion Detection System (IDS)
This is a relatively new technology. Currently, few servers have an IDS installed, and only the latest Linux releases ship with such tools. Intrusion detection systems have a short history but have developed rapidly; Snort, Portsentry and LIDS are currently the popular ones. (I will introduce intrusion detection systems later.)
Using the tools provided by Linux and tools downloaded from the Internet, a Linux system can gain advanced intrusion detection capabilities, including:
** Recording intrusion attempts and notifying the administrator promptly when an attack occurs;
** Taking measures prescribed in advance when a specified kind of attack occurs;
** Sending misleading responses, for example disguising the system as another operating system, so that attackers believe they are attacking a Windows NT or Solaris host. (Can we call this a network spoofing technique?)
3. Encrypted File System
The encrypted file system adds an encryption service to the file system to improve the security of the computer system. There are many reasons to encrypt a file system, such as preventing hard disk theft and unauthorized access. Linux currently has several encrypted file systems, such as CFS, TCFS and CRYPTFS, of which TCFS is representative.
By tightly integrating the encryption service with the file system, users do not notice the file encryption process. TCFS does not modify the data structures of the file system, and the semantics of backup and repair and of user access to confidential files remain unchanged. TCFS makes encrypted files unreadable to the following:
** Users other than the legitimate owner;
** Eavesdroppers on the communication line between the user and the remote file system;
** The superuser of the file system server.
For legitimate users, there is almost no difference between accessing confidential files and accessing ordinary files.
4. Security Audit
Even when the system administrator takes a variety of security measures, new vulnerabilities keep emerging, and attackers quickly seize the opportunity to compromise as many machines as possible before a vulnerability is fixed. Although Linux cannot predict when a host will be attacked, it can record the attacker's traces. The Linux system can also detect and record timing information and network connections, and this information is redirected to logs for later reference. Logs are a very important part of the Linux security structure; they are the only real evidence of an attack (which is why intruders often delete or forge logs). Because attack methods vary, Linux provides network-, host- and user-level log information. Linux records the following:
** All system and kernel messages;
** The files that remote users request to access;
** The processes that users control;
** Each command used by a specific user;
** Each network connection, with its source IP address and duration, and sometimes the username and operating system used by the attacker.
5. Mandatory Access Control
Mandatory Access Control (MAC; note that this MAC is unrelated to other uses of the acronym, such as MAC addresses) is access control defined and implemented by the system administrator from the perspective of the whole system. It labels the subjects and objects in the system and forcibly limits the sharing and flow of information, so that different users can only access information within their assigned range, which fundamentally prevents information leakage and access confusion.
The traditional MAC implementation is based on the MLS policy defined in TCSEC, but MLS has many disadvantages (it is inflexible, poorly compatible and difficult to manage), so researchers have proposed various other MAC policies, such as DTE and RBAC. Since Linux is a free operating system, there are currently several implementations of mandatory access control for it, typical examples being SELinux, RSBAC and MAC, and the policies they use also differ.
The security architecture of SELinux, released by the NSA, is called Flask. In this architecture, the security policy logic and a general interface are encapsulated in a component independent of the operating system; this independent component is called the security server. The SELinux security server defines a hybrid security policy consisting of Type Enforcement (TE), role-based access control (RBAC) and multi-level security (MLS). By replacing the security server, different security policies can be supported. SELinux defines the security policy in a policy configuration language, compiles it into binary form with checkpolicy, stores it in the file /ss_policy, and reads it into kernel space during kernel boot. This means the security policy in force can differ from one boot to the next. You can even use the security_load_policy interface to change the policy while the system is running (as long as the policy is configured to allow such changes).
RSBAC is short for Rule Set Based Access Control. It is developed on the basis of the Generalized Framework for Access Control (GFAC) model proposed by Abrams and LaPadula, and can provide flexible access control based on multiple modules. All security-related system calls are extended with security enforcement code, which calls the central decision component; that component in turn calls all activated decision modules to form a comprehensive decision, which the system call extension then enforces. RSBAC currently contains MAC, RBAC and ACL modules, among others.
6. Firewall
A firewall is a component or a series of components that restricts access between a protected network and the Internet or other networks. A Linux firewall has the following functions:
** Access control: implements address-based, time-based and user-based access control policies to prevent unauthorized access while protecting the legitimate access of internal users.
** Audit: records the network traffic passing through it, keeps complete logs, audits and tracks network access records, and generates reports as needed.
** Attack resistance: the firewall system is directly exposed to untrusted networks. To the outside world, the internal network protected by the firewall looks like a single point, and all attacks are aimed directly at it; this is why it is called a bastion host. The bastion host must therefore be highly secure and able to withstand various attacks.
** Other ancillary functions, such as audit-related alarms and intrusion detection, access-control-related identity authentication, encryption and authentication, and even VPN.
Supplement to the previous article, as an in-depth look at the PAM mechanism:
Using PAM for Unified Identity Authentication
Release date: 2000-8-8
Source: Bricks Team; Author: bricks
PAM is the abbreviation of Pluggable Authentication Modules (not a Linux kernel module); it is used to implement the authentication mechanism of applications. A programmer or administrator can change the authentication mechanism without rewriting or recompiling the program.
It is already widely used in Linux: for example, /etc/securetty, /etc/nologin and /etc/ftpusers are actually applied through it, and it is also used when you enter your password at login and when you change your password. /etc/pam.conf and /etc/pam.d/* are its configuration files.
Its biggest advantage is its flexibility and scalability: you can modify the authentication mechanism at will and customize the system to your actual needs. This will be very clear once you understand it.
Design goals
(A) The administrator can select the authentication method, from simple passwords to smart card systems.
(B) Different authentication mechanisms can be configured for different programs; for example, S/Key authentication for telnet, while local login uses the ordinary UNIX password.
(C) The display requirements of programs are supported; for example, login needs terminal-based display, dtlogin needs X, while 'ftp' and 'telnet' must authenticate over the network.
(D) Multiple authentication mechanisms can be configured for one program.
(E) When multiple authentication mechanisms are used, the user does not have to enter the same password several times.
(F) Nevertheless, entering multiple passwords can still be required when security needs are stricter.
(G) When the underlying authentication mechanism changes, upper-layer software does not need to be modified.
(H) The architecture provides a "pluggable" model for system authentication.
(I) It must be able to meet the needs of existing services.
4. Overview of the PAM framework. Its core is actually a set of library functions that the applications you write call. PAM provides a set of entry points (the front end); these functions call the modules defined for the specific authentication mechanisms (the back end).
To put it simply, you call a function and tell it only that you want to authenticate; that is enough. The configuration file specifies the authentication mechanism, and you only need to check the return value to see whether authentication succeeded. Developers only need to remember a few functions.
   ftp     telnet    login        (applications)
    |        |         |
    +--------+---------+
             |
        +---------+
        | PAM API |  <-- pam.conf file
        +---------+
             |
    +--------+---------+
    |        |         |
  UNIX   Kerberos  Smart Cards    (mechanisms)
Figure 1: The basic PAM structure
PAM's functions are divided into four parts: (1) authentication, (2) account management, (3) session management and (4) password management. What are these four?
(A) Authentication management:
Use pam_authenticate() to authenticate users, and pam_setcred() to refresh and destroy users' credentials.
(B) Account management:
Includes pam_acct_mgmt(), which checks whether the account in use is still valid. It can be used to check whether the user has timed out or whether the account has expired.
(C) Session management:
Includes pam_open_session() and pam_close_session() for managing the session. For example, it can be used to record the user's connection time. A telnet session is actually one session.
(D) Password management: pam_chauthtok() is used to change the password.
The program calls
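As an added illustration of how the configuration file, not the program, decides the mechanism (section 1 above and design goals (B), (D), (E) and (F) of the supplement), here is a small Python simulation of how libpam walks one of the four stacks named in Figure 1. It is not code from the article or from Linux-PAM; the pam.conf sample, the service names and the per-module results are constructed, and the empty-stack and "optional" handling is a deliberate simplification.

```python
"""Simulate how libpam walks one management stack configured in /etc/pam.conf.
Constructed example, not code from the article or from Linux-PAM itself."""
from collections import namedtuple
# Constructed pam.conf sample, one "service type control module [args]" per line.
SAMPLE_PAM_CONF = """\
# login: must be on a secure tty, then the ordinary UNIX password
login   auth      requisite   pam_securetty.so
login   auth      required    pam_unix.so
login   account   required    pam_unix.so
login   session   required    pam_unix.so
# telnet: a one-time S/Key password is enough; otherwise fall back to pam_unix
telnet  auth      sufficient  pam_skey.so
telnet  auth      required    pam_unix.so     use_first_pass
"""

# mtype: auth | account | session | password; control: required | requisite |
# sufficient | optional.
Rule = namedtuple("Rule", "service mtype control module args")

def parse_pam_conf(text):
    """Parse pam.conf-style lines into Rule tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4:
            raise ValueError(f"malformed pam.conf line: {line!r}")
        rules.append(Rule(f[0], f[1], f[2], f[3], tuple(f[4:])))
    return rules

def run_stack(rules, service, mtype, results):
    """Walk one stack; results maps module name -> True (PAM_SUCCESS) / False.
    Returns (success, modules consulted in order)."""
    stack = [r for r in rules if r.service == service and r.mtype == mtype]
    if not stack:
        return False, []              # no rules: fail closed (no 'other' fallback)
    consulted, failed = [], False
    for r in stack:
        ok = results.get(r.module, False)
        consulted.append(r.module)
        if r.control == "requisite" and not ok:
            return False, consulted   # stop at once; later modules never run
        if r.control == "required" and not ok:
            failed = True             # remember, but keep walking the stack
        if r.control == "sufficient" and ok and not failed:
            return True, consulted    # early success: no second password asked
        # optional: ignored here (libpam uses it only if nothing else decides)
    return not failed, consulted
```

Running the telnet stack with a successful S/Key result stops after one module (goal E), while a failed S/Key falls through to pam_unix (goal F); a failed requisite pam_securetty ends the login stack before pam_unix is ever consulted.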