System security policies for preventing buffer overflow attacks in Linux

Buffer overflow attacks are currently one of the most common attacks by hackers. to cope with the emerging buffer overflow attacks, we have studied how to prevent buffer overflow in Linux, summarizes the security policies for preventing buffer overflow attacks on the Linux platform. these security policies can be applied to internal enterprise servers.

Buffer overflow attacks are currently one of the most common attacks by hackers. to cope with the emerging buffer overflow attacks, we have studied how to prevent buffer overflow in Linux, summarizes the security policies for preventing buffer overflow attacks on Linux. these security policies can be applied to internal servers of general enterprises, includes web servers, mail servers, samba servers, ftp servers, and proxy servers. In actual use, we found that the configuration of these security policies can provide a good precaution for buffer overflow attacks.

In the study of computer system security, a system security vulnerability has aroused our attention. On the one hand, due to the extensiveness of such security vulnerabilities, almost all operating system platforms are affected. On the other hand, we are attracted by the concealment and powerful power of attack programs compiled by hackers based on such security vulnerabilities. This is the buffer overflow technology. It can make it seem safe to lose control of a host running regular services (such as DNS and ftpd) within a few seconds. Buffer overflow attacks are currently the most common attack methods for hackers. Buffer overflow has become a common term in Internet security event reports released by CERT and CIAC. Buffer overflow attacks aim to disrupt the functions of programs with certain privileges. In this way, attackers can gain control of the program. if the program has sufficient permissions, the entire host will be controlled.

In order to cope with the emerging buffer overflow attacks, we have studied the methods to prevent buffer overflow in Linux. the Linux platform has two main reasons: (1) linux is an open-source platform, which is conducive to in-depth technical details during our research. because Linux and its large number of applications are based on open-source code, many hackers have done a lot of work on it. it can be said that the level of network attacks on Linux represents the highest level of network attacks. (2) Linux is a Unix-like system and an operating system platform that is widely used in the Internet. it is very representative to select Linux as a platform for studying buffer overflow technology, experience gained from Linux platforms can be easily transplanted to other Unix or Unix-like platforms.

Through research, we have summarized the security policies for preventing buffer overflow on the Linux platform. these security policies can be applied to internal servers of general enterprises, includes web servers, mail servers, samba servers, ftp servers, and proxy servers. The security policies we have summarized are as follows:

1. do not display system prompt information

If you do not want the remote login user to see the system prompt information, you can change the telnet settings in the "/etc/inetd. conf" file:

Telnet stream tcp nowait root/usr/sbin/tcpd in. telnetd-h
 

Add the "-h" parameter at the end so that daemon does not display any system information and only displays the logon prompt. Of course, this is necessary only when the telnet server is installed on the server.

2. process the "rc. local" file

By default, when you log on to a computer with a Linux system installed, the system will tell you the Linux release version name, version number, kernel version, and server name. This exposes too much system information. For security reasons, it is best to display only one "Login:" prompt message. The solution is as follows:

(1) edit the "/etc/rc. d/rc. local" file and add "#" before the following lines "#":

......

# This will overwrite/etc/issue at every boot. So, make any changes you
# Want to make to/etc/issue here or you will lose them when you reboot.
# Echo "">/etc/issue
# Echo "$ R">/etc/issue
# Echo "Kernel $ (uname-r) on $ a $ (uname-m)">/etc/issue
#
# Cp-f/etc/issue/etc/issue.net
# Echo>/etc/issue
 
(2) delete the "issue.net" and "issue" files under the "/etc" Directory:

[Root @ snow] # rm-f/etc/issue
[Root @ snow] # rm-f/etc/issue.net
 

 

The "/etc/issue.net" file displays the logon prompt when you log on to your computer from the network (for example, telnet or SSH. There is also an "issue" file in the "/etc" directory, which is a prompt displayed when the user logs on from the local device. Both files are text files and can be changed as needed. However, if you want to delete these two files, you must add "/etc/rc. d/rc. the lines in the local "script are commented out. Otherwise, the system will re-create these two files each time it restarts.

3. disable the finger service.

In Linux, the finger command can display the details of logged-on users in the local or remote system. hackers can exploit this information to increase the chance of intruding into the system. For system security, it is best to disable the finger service, that is, to delete the finger command from/usr/bin. If you want to retain the finger service, replace the finger file or modify its permissions so that only the root user can execute the finger command.

4. process the "inetd. conf" file

Inetd, also known as "super server", is used to load network programs according to network requests. The "/etc/inetd. conf" file tells inetd which network ports to listen to and which service to start for each port. To put the Linux system in any network environment, the first thing to do is to understand what services the server will provide. Services that are not needed should be disabled. it is best to uninstall them so that hackers will lose some chance to attack the system. View the "/etc/inetd. conf" file to learn about the services provided by inetd. Use the method of adding a comment (add the # sign at the beginning of a line) to prohibit unnecessary services and send a SIGHUP signal to the inetd process. The procedure is as follows:

(1) change the permission of the File "/etc/inetd. conf" to 600, and only allow root to read and write the file. [Root @ snow] # chmod 600/etc/inetd. conf
 

(2) make sure that the owner of the "/etc/inetd. conf" file is root.

[Root @ snow] # chmod 600/etc/inetd. conf
 

The command displays the following information:

File: "/etc/inetd. conf"
Size: 2869 Filetype: Regular File
Mode: (0600/-rw -------) Uid: (0/root) Gid: (0/root)
Device: 8, 6 Inode: 18219 Links: 1
Access: Fri Apr 12 14:28:11 2002 (00000.00: 10: 44)
Modify: Wed Apr 10 11:20:22 2002 (00002.06: 12: 16)
Change: Wed Apr 10 11:20:22 2002 (00002.06: 12: 16)
 

(3) edit/etc/inetd. conf file (vi/etc/inetd. conf). disable all unnecessary services, such: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. Disabling unnecessary services can significantly reduce the risk of the system.

(4) after the "inetd. conf" file is changed, send a SIGHUP signal (killall-HUP inetd) to the inetd process ).

[Root @ snow] # chattr-I/etc/inetd. conf
 

(5) to ensure the security of the "inetd. conf" file, you can use the chattr command to make it unchangeable. As follows:

[Root @ snow] # chattr + I/etc/inetd. conf
 

This prevents any modifications to the "inetd. conf" file. A file with the "I" attribute cannot be changed (you cannot delete or rename it, create a link to the file, or write data to the file ). Only root users can cancel this attribute. To modify the "inetd. conf" file, cancel the unmodifiable attributes as follows:

[Root @ snow] # chattr-I/etc/inetd. conf
 

After changing the "inetd. conf" file, you need to change its attributes to unchangeable.

5. start the system's "rc" script

Files starting with "rc" in the/etc/rc. d Directory are used to start the initialization file of the system. The rc files are similar to the autoexec. bat files in the Ms-dossystem. Rc indicates "runtime commands ". They determine the services to be started by the init process. In the redhat system, these scripts are in/etc/rc. d/rc3.d (if the system is started by x by default, it is/etc/rc. d/rc5.d ). To disable a service at startup, you only need to replace uppercase S with lowercase s. at the same time, redhat also provides a tool to help you disable the service, enter/usr/sbin/setup, and then select "system services" to customize the services that will be run when the system starts. Another option is the chkconfig command, which is provided by many linux systems. The numbers in the script name are in the starting order. the numbers starting with an uppercase key are used to kill the process. For example, if S50snmpd (simple SNMP Network Management Protocol, remote users can obtain a lot of system information from it) is changed to s50snmpd, the service will not be started when the system starts.

Run the following command to check how many services are running before the startup script is disabled: suneagle # ps-eaf | wc-l
 

There are two very useful tools: ps-xau (output a large amount of information about system operation) and netstat-vat (list all network-related information ). Run the command to know which services the system is providing and running.

6. process "services" files

The relationship between the port number and the standard service is defined in RFC1700 "Assigned Numbers. The "/etc/services" file enables the server and client programs to convert the service name to the port number. this table exists on each host and its file name is "/etc/services ". Only the "root" user has the permission to modify this file. In general, this file does not need to be modified because it already contains the port number of a common service. To improve security, we can add protection to this file to avoid unauthorized deletion and changes. To protect this file, run the following command: [root @ snow] # chattr + I/etc/services
 

7. change the access permission for the script file in the "/etc/rc. d/init. d/" directory.

Change the permission to start and stop daemon script files in the following ways. [Root @ snow] # chmod-R 700/etc/rc. d/init. d /*
 

In this way, only the root user can read, write, and execute the script, because the user does not need to know the content of the script file.

8. make the system unresponsive to ping

Preventing the system from responding to ping requests is good for network security because no one can ping your server and receive any response. The TCP/IP protocol has many weaknesses. hackers can use some technology to use the channel for transmitting normal data packets to secretly transmit data. So that your system does not respond to ping requests, you can minimize this risk. Run the following command: echo 1>/proc/sys/net/ipv4/icmp_echo_ignore_all
 

After running this command, the system does not respond to ping. You can add this line to the "/etc/rc. d/rc. local" file to run the command automatically when the system restarts. No response to the ping command,