Deep security reinforcement for Linux systems

[Introduction]
Linux system security cannot be ignored. However, system reinforcement is not very easy. The author briefly introduces the in-depth security reinforcement for Linux systems.

★Deep security reinforcement for Linux systems

Author: ayazero drdos@163.com
Personal web -- http://overflow.nease.net
Team's site -- http://ph4nt0m.net

Note: The following content may not apply to some occasions. Please check your account

1. Installation and upgrade
Use the latest Linux release version whenever possible. Unplug the network cable and disconnect the physical connection before installation,
We recommend that you install software packages in the custom mode of custom during installation,
Generally, there is no need to install X-windows on the server,
Add password restrictions to the lilo/grub boot tool to prevent physical access to malicious users.
Because the rescue mode of the Linux installation CD can be skipped, you need to add a password or lock the server chassis to the bios.
/Var,/home,/usr,/root, and other directories use independent physical partitions to prevent the D. o. S attack caused by filling hard disks with junk data and logs.

The root account gives a strong password.

Upgrade the system software with up2date or apt immediately after installation. Sometimes upgrading the kernel is also necessary, because problems with the kernel also give attackers the opportunity
Apt is a powerful package management tool under Debian GNU Linux and can be used in other versions of Linux.

2. Account
If there are many users in the system, you can edit/etc/login. defs and change the password policy.

Delete unnecessary accounts and groups in the system,
[Root @ ayazero/] # userdel-r username

If anonymous ftp is not enabled, you can delete the ftp account.

The safest way is local maintenance. Unfortunately, it is not realistic, but you still need to restrict the remote access of the root user. The administrator can log on remotely with an ordinary account,
Then su to root. We can add su users to the wheel group to improve security.

Add the following two lines to the header of the/etc/pam. d/su file:
Auth sufficient/lib/security/pam_rootok.so debug
Auth required/lib/security/pam_wheel.so group = wheel

Then, put the users that can execute su into the wheel group.
[Root @ ayazero/] # usermod-G10 admin

Edit/etc/securetty, comment out all the consoles that allow remote root logon, and disable all console programs,
[Root @ ayazero/] # rm-f/etc/security/console. apps/servicename

Encrypted ssh is used for login. If the Administrator only logs on from a fixed terminal, the range of valid ssh clients should also be limited.
Prevents sniffing and man-in-the-middle attacks

Classify the command history as zero to hide what you have done as much as possible.
[Root @ ayazero/] # unset HISTFILESIZE

3. Service
Minimum service principle. all unnecessary services are commented out.
Add "#" to services not required in/etc/inetd. conf. If inetd is not available in later versions, replace it with Xinetd;
Cancel automatic Service Startup and rename the first letter of the service that does not need to be run under/etc/rc. d/rc3.d in lower case,
Or change the service in the GUI that is started by the setup command.

If you want to be simpler, you can use the/etc/host. allow,/etc/host. deny files,
However, this article plans to use the iptables firewall, so we will not detail it here.

4. File System Permissions
Find all programs with "s" bits in the system, remove unnecessary "s" bits, or delete unnecessary ones directly.
[Root @ ayazero/] # find/-type f (-perm-04000-o-perm-02000)-exec ls-lg {}
[Root @ ayazero/] # chmod a-s filename

Preventing abuse and elevation of permissions by users

Add important files with unchangeable attributes
[Root @ ayazero/] # chattr + I/etc/passwd
[Root @ ayazero/] # chattr + I/etc/shadow
[Root @ ayazero/] # chattr + I/etc/gshadow
[Root @ ayazero/] # chattr + I/etc/group
[Root @ ayazero/] # chattr + I/etc/inetd. conf
[Root @ ayazero/] # chattr + I/etc/httpd. conf
...............................
Depending on your needs, I suspect that the intruders know this command,
After some exploit overflows, write a statement to inetd. conf to bind the shell to a port listener,
At this point, this command works, and the hacker will think that the overflow is unsuccessful.

Find the file without a master in the system:
[Root @ ayazero/] # find/-nouser-o-nogroup

Find the files and directories with write permissions for anyone:
[Root @ ayazero/] # find/-type f (-perm-2-o-perm-20)-exec ls-lg {}
[Root @ ayazero/] # find/-type d (-perm-2-o-perm-20)-exec ls-ldg {}

Prevent intruders from writing Trojan statements (such as a copy of a shell) to it or inheriting the master permission for illegal access

Find and reinforce files that have been used by intruders, such as. rhosts

Edit/etc/security/limits. conf and add or change the following lines:
* Hard core 0
* Hard rss 5000
* Hard nproc 20

5. Banner disguise
Intruders usually attack through operating systems, services, and application versions,
The vulnerability list and attack programs are also classified based on this, so we need to make some effort to increase the difficulty of intrusion.

Change/etc/issue. Because reboot is reloaded, edit/ect/rc. d/rc. local
# This will overwrite/etc/issue at every boot. So, make any changes you
# Want to make to/etc/issue here or you will lose them when you reboot.
# Echo "">/etc/issue
# Echo "$ R">/etc/issue
# Echo "Kernel $ (uname-r) on $ a $ (uname-m)">/etc/issue
#
# Cp-f/etc/issue/etc/issue.net
# Echo>/etc/issue
Remove "#" before the preceding row

Apache does not echo the version:
In the apache configuration file, find ServerTokens and ServerSignature direve VE and modify the default attributes:
# ServerTokens Full
ServerTokens Prod # ServerSignature On
ServerSignature Off
Modify uname
Find the uname. c source code and find the following line:
Print_element (PRINT_SYSNAME, name. sysname); // The operating system name, such as linux
Print_element (PRINT_NODENAME, name. nodename); // host name
Print_element (PRINT_RELEASE, name. release); // release version, for example, 2.4.20-18
Print_element (PRINT_VERSION, name. version );//
Print_element (PRINT_MACHINE, name. machine); // machine type, such as i686
Print_element (PRINT_PROCESSOR, processor); // processor type

Can be modified
Print_element (PRINT_SYSNAME, "HP-UX ");
.......
Replace/bin/uname after compilation

You can view the configuration file or source code for modifications to other services and programs.
Do not change too much, otherwise it will cause great trouble for system management.

6. Iptales firewall rules
Assume that our server server1 runs apache and sshd (sshd can be modified in the configuration file without running on the standard port)
The eth0 Nic is connected to the Internet, and eth1 is connected to the LAN. The Administrator dials in to server2 at home (the private network IP address is 192.168.0.12) and then logs in to server1.
[Roor @ ayazero root] # iptables-a input-I eth1-s 192.168.0.12-p tcp -- dport 22-j ACCEPT
To prevent IP spoofing, you can also bind the NIC address of Server 2:
Sh-2.05b # iptables-a input-I eth1-s 192.168.0.12 -- mac-source 01: 68: 4B: 91: CC: B7-p tcp -- dport 22-j ACCEPT
However, it seems that few intruders can do this, and there is no value to use it.

[Root @ ayazero root] # iptables-A input-I eth0-P TCP -- dport 80-J accept
[Root @ ayazero root] # iptables-A input-M state -- State established, related-J accept
[Root @ ayazero root] # iptables-A input-J Drop

Anyone who knows about the attack knows the wonderful combination of "port redirection + reverse Pipeline" to cross the firewall.
This kind of technique has been used too widely and is very harmful.
To defend against this difficult attack, we must sacrifice a certain degree of ease of use.
[Root @ ayazero root] # iptables-A output-O eth0-p tcp -- syn-J Drop
The above rules will block active TCP connections from the inside out
In addition, it is common to use TFTP or other clients to obtain files in reverse direction,
TFTP and other tools depend on UDP, so we need to erase it completely now.
[Root @ ayazero root] # iptables-A output-O eth0-p udp-J Drop
PS: These two rules need to be removed temporarily when updating the system and debugging the network.
Because the essence of intrusion is to get the shell of the target operating system on standard or non-standard ports through text or graphic interfaces,
Therefore, this not only blocks the reverse pipeline itself, but also immune many intrusion Techniques
However, this is too harsh for general system administrators!

Iptables attack Countermeasures
Syn-flood protection:
[Root @ ayazero foo] # iptables-a forward-p tcp -- syn-m limit -- limit 1/s-j ACCEPT

Furtive port Detail:
[Root @ ayazero foo] # iptables-a forward-p tcp -- tcp-flags SYN, ACK, FIN, RST-m limit -- limit 1/s-j ACCEPT

Ping of death:
[Root @ ayazero foo] # iptables-a forward-p icmp -- icmp-type echo-request-m limit -- limit 1/s-j ACCEPT

In addition, iptables can also configure rules that disable some scanning behaviors, such as nmap. Note the following:
The firewall is not omnipotent. When an attacker is crazy enough, do not expect your firewall to withstand DDoS floods.
For more information about iptables, see Rusty Russell's Packet Filtering HOWTO.

7. Integrity Verification
Tripwire is a famous tool that helps you determine whether important system files have been modified.
Currently, Linux releases generally contain their open-source versions. You can add some sensitive files to the default validation object configuration file.

RPM MD5 Verification
[Root @ ayazero rpm] # rpm-V
Run the "man rpm" command to view help. The "-V" parameter is used for MD5 verification,
Note that you must make a hard backup of the binary data files generated by rpm verification to prevent the files from being modified.

8. Self-Scan
General security reinforcement is basically done. Now let's make a risk assessment for our own system,
Nessus latest version is recommended [homepage: http://www.nessus.org]
(Since open-source resources are used from start to end, we will continue to save costs here)
Maybe you think your system is okay, but sometimes nessus can report some problems,
For example, a third-party webmail has certain security defects,
If there is no problem, we can fix it again.

9. Advanced Skills
The above measures are enough to discourage most intruders, and the next part will be the paranoia that are extremely sensitive to security.
Buffer overflow measures include stackgurad, stackshield, formatguard, heapguard, pointguard, and other compilation technologies,
However, they need to re-compile the source code, which is not only troublesome but also degrades the system performance.
Therefore, we plan to use Kernel patches to prevent Buffer Overflow.

We are familiar with the PaX kernel patch. It mainly uses the [heap/bss/stack] unexecutable code in the Data zone to defend against exploit that directly overwrites the returned address and jumps to the data zone to execute shellcode.
The PaX website does not seem to be accessible, but google can find a lot of PaX downloads for newer kernels.
Http://home.hetnet.nl /~ Ottolander/pax/pax.html

Too many aiming points:
Openwall Project
Http://www.openwall.com/linux/

Grsecurity
Http://www.grsecurity.net

During the peak hours, the company was able to block a considerable number of exploit attacks,
The advanced exploit skills on how to bypass patches are no longer mysterious, but writing such an attack program usually meets certain conditions,
Even if such a program is written, the function and file pointer are successfully overwritten, this system may still be unable to pass the "overflow result" to attackers-there is still no way to get a shell or establish a connection.

Lids
The Linux intrusion detection and protection system and kernel patch provide enhanced access control through a ring0 permission greater than root,
Even root cannot be changed. The existing information is not discussed here.
Site: http://www.lids.org

Lids and buffer overflow patches may be incompatible. Please tell me the truth.

10. Log Policy
It is mainly to create a hard copy of the important logs related to intrusion, so that the last black box does not exist in the emergency response.
They can be redirected to printers, Administrator emails, independent log servers and their hot backups.

11. Snort intrusion detection system
This is necessary for systems with high requirements for Intrusion Response and Security logs;
For general systems, if the Administrator does not view a lot of logs,
Then it occupies system resources in vain, just like the chicken ribs

12. Final suggestions
List of vulnerabilities on the concerned bugtraq
Subscription vendor Security Announcement
Frequent Patching
How to defend against attacks

Summary
Thoughts on Attacks:
Assume that there is a highly skilled intruder with the ability to discover the underlying vulnerabilities of the system,
He discovered a vulnerability in Apache and wrote Remote Exploit,
This vulnerability has not yet appeared on the Bugtraq and is "unknown,
If intruders try to attack our system,
He must be able to mine an Apache database with root-level remote overflow,
Add the code in shellcode to kill the HTTPd process and bind sh to port 80.
Reuse On port 80
Let shellcode execute iptables-F output/input, provided that he guessed this was the case.
The above needs to be the root permission after the overflow, and it is an advanced exploit that can bypass pax. In addition, after Apach e is killed, it will be automatically restarted.
If you want to attack sshd, iptables will discard all packets from the Internet to access sshd, so even if there is a remote overflow (of course, do not forget PAX), this will not work.
For other methods, if a script attack can obtain the plaintext password that allows remote logon to an SSH user, or directly add a system account using script defects,
This requires not only the system root permission, but also the/etc/passwd has been chattr,
If the above conditions are met and server2 is broken, shell is expected.
However, there is little chance of Privilege Escalation! Normal script attacks are invalid here. Of course, if the system does not run CGI, this is even worse.
It is true that intruders may destroy your scripts over HTTP, but third-party web security reinforcement is not discussed in this article.
The above conditions are harsh enough for most intruders and are almost impossible to achieve.
However, we have sacrificed a lot for this, and these measures depend on a certain environment for implementation.
Security and ease of use require readers to find their balance points from their own perspectives.

Full text from: Silicon Valley power