By disguising a Linux system, hackers are given the illusion of a system.

Source: Internet
Author: User
Tags netcraft
Computers on the network can be easily scanned by hackers using tools or other means to find vulnerabilities in the system and then attack the vulnerabilities. By disguising the Linux system and setting system illusion for hackers, hackers can analyze the system more difficult and lead them astray, thus further improving the security of computer systems.

Computers on the network can be easily scanned by hackers using tools or other means to find vulnerabilities in the system and then attack the vulnerabilities.

By disguising the Linux system and setting system illusion for hackers, hackers can analyze the system more difficult and lead them astray, thus further improving the security of computer systems. The following uses Red Hat Linux as an example to describe some common Linux system camouflage methods for several common hacker methods.

For HTTP services

By analyzing the types of Web servers, we can roughly predict the types of operating systems. for example, in Windows, IIS is used to provide HTTP services, while in Linux, Apache is the most common.

There is no information protection mechanism in the default Apache configuration and directory browsing is allowed. You can obtain information similar to "Apache/1.3.27 Server at apache.linuxforum.net Port 80" or "Apache/2.0.49 (Unix) PHP/4.3.8" through directory browsing.

You can hide Apache information by modifying the ServerTokens parameter in the configuration file. However, Apache running in Red Hat Linux is a compiled program, prompting that the information is compiled in the program. to hide the information, you need to modify the Apache source code, and then re-compile and install the program, to replace the prompt content.

Take Apache 2.0.50 as an example. edit the ap_release.h file and change "# define AP_SERVER_BASEPRODUCT" Apache "to" # define AP_SERVER_BASEPRODUCT "Microsoft-IIS/5.0 "". Edit the OS/unix/OS. h file and change "# define PLATFORM" Unix "to" # define PLATFORM "Win32 "". After modification, recompile and install Apache.

After installing Apache, modify the httpd. conf configuration file, change "ServerTokens Full" to "ServerTokens Prod", change "ServerSignature On" to "ServerSignature Off", and then save the disk and exit. After restarting Apache, run a tool to scan and find that the operating system is Windows.

For FTP services

Through the FTP service, you can also speculate on the operating system type. for example, in Windows, FTP services are mostly Serv-U, while in Linux, vsftpd, proftpd, and pureftpd are commonly used.

Take proftpd as an example. modify the configuration file proftpd. conf and add the following content:

ServerIdent on "Serv-u ftp Server v5.0 for WinSock ready ..."

After the disk is exited, restart the proftpd service and log on to the FTP server with the prompt modified for testing:

C:> ftp 192.168.0.1

Connected to 192.168.0.1.

220 Serv-u ftp Server v5.0 for WinSock ready...

User (192.168.0.1 :( none )):

331 Password required for (none ).

Password:

530 Login incorrect.

Login failed.

Ftp> quit

221 Goodbye.

In this way, the server is a Windows running Serv-U.

TTL return value

You can use the ping command to detect a host. the type of the operating system can be inferred based on the TTL base. For a network that does not pass through any gateway or route, the TTL value obtained by pinging the other system is called "TTL base ". In the network, each time a packet passes through a vro, the TTL is reduced by 1. when the TTL is 0, the packet is discarded.

In general, the TTL base of Windows is 128, while the TTL base of Red Hat Linux and Solaris in earlier versions is 255, and that of FreeBSD and new versions of Red Hat Linux is 64. For example, if you ping a Red Hat system, the following information is displayed:

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes = 32 time <10 ms TTL = 64

Reply from 192.168.0.1: bytes = 32 time <10 ms TTL = 64

Reply from 192.168.0.1: bytes = 32 time <10 ms TTL = 64

Reply from 192.168.0.1: bytes = 32 time <10 ms TTL = 64

Ping statistics for 192.168.0.1:

Packets: Sent = 4, stored ed = 4, Lost = 0 (0% loss ),

Approximate round trip times in milli-seconds:

Minimum = 0 ms, Maximum = 0 ms, Average = 0 ms

Run the following command to modify the TTL base of Red Hat Linux to 128 (originally 64 ):

# Echo 128>/proc/sys/net/ipv4/ip_default_ttl

To make the settings take effect permanently, modify the/etc/sysctl. conf configuration file and add the following line:

Net. ipv4.ip _ default_ttl = 128

After saving and exiting, ping 192.168.0.1 to change the TTL base to 128.

# Iptables-I INPUT-s! Xx. xx-p tcp -- dport 22-j DROP

For ports 3389 and 22

Sometimes the operating system type can be inferred by scanning port 3389 and port 22. In Windows, TCP port 3389 is generally used for remote control, while in Linux, TCP port 22 may be used to provide SSH services with encrypted transmission.

To ensure security, you can use iptables to restrict SSH logon on port 22, so that unauthorized IP addresses cannot scan the existence of TCP port 22:

# Iptables-I INPUT-s! Xx. xx-p tcp -- dport 22-j DROP

Use iptables to transfer the TCP port 3389 of the local machine to other computers with port 3389 enabled, and disguise a TCP port 3389 that provides services for the Linux system. The command is as follows:

# Echo 1>/proc/sys/net/ipv4/ip_forward

# Iptables-t nat-I PREROUTING-p tcp -- dport 3389-j DNAT -- to xx. xx

# Iptables-t nat-I POSTROUTING-p tcp -- dport 3389-j MASQUERADE

The first command allows data packet forwarding. the second command allows data packet forwarding from TCP 3389 to xx. xx. xx. xx; the third command indicates that a "two-way path" is implemented for the forwarded data packets, and a correct return channel is set for the data packets. To make the forwarding take effect permanently, add the preceding command to the/etc/rc. local file.

In this way, when a hacker scans the port opened by the server, the hacker cannot find port 22. Instead, the hacker can see a disguised port 3389, so that the operating system type cannot be correctly determined.

For netcraft

Netcraft is a powerful scanning engine. through a simple TCP 80, you can know the operating system, Web service program, and Uptime of the tested server.

The methods described above do not work for netcraft. For netcraft, you can use iptables to perform system camouflage so that netcraft misjudges the operating system:


# Iptables-t nat-I PREROUTING-s 195.92.95.0/24-p tcp -- dport 80-j DNAT -- to xx. xx

# Iptables-t nat-I POSTROUTING-s 195.92.95.0/24-p tcp -- dport 80-j MASQUERADE

Packet capture shows that there are more than one netcraft server, so you need to perform forwarding spoofing on its network segment.

Summary

The above methods can only prevent and obstruct hackers from analyzing system vulnerabilities in a certain way, which can reduce the possibility of computer attacks to a certain extent, but it is still "anti-gentleman, not anti-villain ", it is just a new idea for everyone to learn and use.
 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.