Discover and block system attacks in Linux environments

Source: Internet
Author: User
One

When you install a Linux system on a PC, you have a powerful, advanced, multitasking network operating system. But the system is a little too powerful: some distributions start many services by default (for example rlogind, inetd, httpd, innd, fingerd, timed, rshd, and so on). As a system administrator you need to be familiar with these services, and if the machine is connected to the Internet it is all the more necessary to shut down the ones you do not need and secure the system.

Most attackers are not innovators; they usually use the latest published tools and techniques to break through a well-known or a newly discovered security vulnerability. As an administrator, you can keep up with the latest vulnerabilities and the corresponding patches by visiting the official site of the Linux distribution you use, such as www.redhat.com or www.calderasystems.com, and by visiting vulnerability notification sites such as www.securityfocus.com and www.cert.org.

The most convenient way to control access to a server is through a program called the TCP wrapper (tcpd). It is installed by default in most distributions. With the TCP wrapper you can restrict access to the services mentioned above, and its log records every attempt to access your system. By viewing that log, and the output of the last command, the administrator can learn who is attempting to connect to the system.

In the Linux /etc directory there is a file inetd.conf, the configuration file of the inetd super server; it defines which services inetd starts, and therefore which services the TCP wrapper can control. For example, to remove the finger service, comment out the finger line by putting a "#" in front of it:


# inetd.conf  This file describes the services that will be available
#             through the INETD TCP/IP super server.  To re-configure
#             the running INETD process, edit this file, then send the
#             INETD process a SIGHUP signal.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# finger, systat and netstat give out user information which may
...............

However, services such as sendmail and named are unlike finger or telnet: inetd does not start a process for them when a request arrives; instead they run as standalone daemons started when the system boots. In the Slackware version of Linux you can comment out the command line that starts sendmail by modifying the boot script rc.M in the /etc/rc.d directory:

#!/bin/sh
# rc.M  This file is executed by init(8) when the system is being
#       initialized for one of the "multi user" run levels (i.e.
#       levels 1 through 6). It usually does mounting of file
#       systems et al.
...
# Start the sendmail daemon:
# if [ -x /usr/sbin/sendmail ]; then
#   echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -q 15m)..."
#   /usr/sbin/sendmail -bd -q 15m
# fi
............

(Note: on Red Hat you can use the chkconfig or linuxconf command to manage whether a service is started; for example "chkconfig --level 345 sendmail on" makes the system start sendmail automatically in run levels 3, 4 and 5.) Other services, such as named, are handled the same way: comment out the corresponding startup commands in the corresponding startup file in the same directory, and when you restart the machine the service will not start. Newer versions of Red Hat Linux provide the linuxconf command, which lets you set interactively, through a graphical interface, whether related services run at startup. However, if services such as telnet and FTP are shut down as well, it becomes inconvenient for administrators to manage the machine remotely.

Linux provides another, more flexible and efficient way to implement restrictions on service-requesting users, enabling trusted users to use a variety of services on a secure basis.

In the /etc directory there are two files, hosts.deny and hosts.allow. By configuring these two files you can specify which machines may use these services and which may not. The configuration is written in a simple access control language whose basic statement format is:

    list of program names : list of host names / IP addresses

The list of program names gives the names of one or more programs that provide the service, separated by commas or spaces; the program name can be read from inetd.conf: in the file excerpt above, the last item in the telnet row is the program name, in.telnetd. The host name / IP address list names one or more hosts that are allowed or denied the service, again separated by commas or spaces. Both program names and host addresses can use wildcards, which makes it easy to designate many services and many hosts. When a service request arrives at the server, the access control software checks the two files in the following order until a match is found:

1. If an entry in /etc/hosts.allow matches the requesting host, the host is allowed to use the service.
2. Otherwise, if an entry in /etc/hosts.deny matches the requesting host, the host is denied the service.
3. Otherwise the service is allowed.

If one of the configuration files does not exist, the access control software treats it as an empty file; so removing the configuration files removes their access restrictions for all services and all hosts.

In these files a blank line or a line beginning with # is ignored, so you can add comments by putting # at the start of a line. Linux offers the following flexible ways of specifying a program or host list:

1. A string that starts with "." is a domain name suffix: for example, .amms.ac.cn is matched by www.amms.ac.cn.
2. A string that ends with "." is an IP address prefix: for example, 202.37.152. is matched by every host whose IP address begins with 202.37.152.
3. The form n.n.n.n/m.m.m.m denotes a network/mask pair; if the IP address of the requesting host, ANDed bitwise with the mask m.m.m.m, equals n.n.n.n, the host matches the entry.
4. ALL matches every possibility.
5. EXCEPT removes the hosts named after it: list_1 EXCEPT list_2 means the hosts in list_1 with the hosts in list_2 removed.
6. LOCAL matches every host name that does not contain a ".".

These are only a few of the forms Linux offers, but they are enough for ordinary use.

Let us take a few examples to illustrate:

We only want to allow machines on the same LAN to use the FTP service of the server and to reject FTP requests arriving from the WAN; the local LAN consists of the three network segments 202.39.154., 202.39.153. and 202.39.152. In the hosts.deny file we state that all machines are denied all services:

    ALL: ALL

In the hosts.allow file we allow only the LAN to use FTP:

    in.ftpd: 202.39.154. 202.39.153. 202.39.152.

This way, when a machine outside the LAN requests the FTP service it is rejected, while LAN machines can use it. Then restart your inetd process:

    /etc/rc.d/init.d/inet restart

But hosts.allow and hosts.deny can only control access to the services contained in /etc/inetd.conf that are managed by tcpd. The TCP wrapper listens for incoming network requests, compares the request with hosts.allow and hosts.deny, and then decides whether to allow or reject it. For services that the wrapper does not cover, you need other methods.
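The following is an added example, not part of the original article: a small Python matcher that applies the hosts.allow / hosts.deny rules just described (the lookup order, the "." prefix and suffix forms, net/mask, ALL, EXCEPT and LOCAL) to a client, so you can test a rule set before relying on tcpd to enforce it. The rule text and client addresses are constructed for the demonstration; tcpd itself does the real matching on a live system.

```python
import ipaddress

def _match_host(pattern, host, ip):
    """Match one host pattern of the access control language against a client.
    host may be None when the client's name is unknown."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p == "LOCAL":                        # host names without a dot
        return host is not None and "." not in host
    if p.startswith("."):                   # domain suffix, e.g. .amms.ac.cn
        return host is not None and host.endswith(p)
    if p.endswith("."):                     # address prefix, e.g. 202.37.152.
        return ip.startswith(p)
    if "/" in p:                            # net/mask, e.g. 202.37.0.0/255.255.0.0
        net, mask = p.split("/", 1)
        m = int(ipaddress.IPv4Address(mask))
        return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(net)) & m
    return p == host or p == ip             # exact host name or address

def _match_list(spec, host, ip):
    """'list_1 EXCEPT list_2': a client matches if it is in list_1 and not in list_2."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(_match_host(t, host, ip) for t in head.replace(",", " ").split())
    if hit and tail:
        return not _match_list(tail, host, ip)
    return hit

def parse_rules(text):
    """Return [(daemon_list, host_spec)] from hosts.allow / hosts.deny text;
    blank lines and lines starting with # are ignored, as in the files themselves."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, _, hosts = line.partition(":")
        rules.append((daemons.replace(",", " ").split(), hosts.strip()))
    return rules

def hosts_access(allow_text, deny_text, daemon, host, ip):
    """True if tcpd would admit `daemon` for this client: hosts.allow is consulted
    first, then hosts.deny; a client matching neither file is allowed."""
    for daemons, spec in parse_rules(allow_text):
        if ("ALL" in daemons or daemon in daemons) and _match_list(spec, host, ip):
            return True
    for daemons, spec in parse_rules(deny_text):
        if ("ALL" in daemons or daemon in daemons) and _match_list(spec, host, ip):
            return False
    return True

# The two files from the article's LAN/FTP example, constructed here as strings.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "in.ftpd: 202.39.154. 202.39.153. 202.39.152.\n"

if __name__ == "__main__":
    for daemon, ip in [("in.ftpd", "202.39.154.10"), ("in.ftpd", "10.9.8.7"),
                       ("in.telnetd", "202.39.154.10")]:
        verdict = "allow" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, None, ip) else "deny"
        print(f"{daemon:12} from {ip:16} -> {verdict}")
```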

Two
The simplest and most effective way to protect your system is the TCP wrapper. The Linux system also does a great deal of work to track access to your machine: when the wrapper denies access to your system, the system adds information to its log files. In the /var/log directory you can generally see the following files:


boot.log     cron          cron.1         cron.2         dmesg       httpd
lastlog      lastlog.1     maillog        maillog.1      maillog.2
messages     messages.1    netconf.log    netconf.log.1  netconf.log.2
secure       secure.1      secure.2       secure.3       secure.4
spooler      spooler.1     spooler.2      uucp           wtmp        wtmp.1
xferlog      xferlog.1     xferlog.2


You can see that some log files have extensions such as .1 and .2. This is the result of the system running cron.daily. cron.daily is a subdirectory under /etc that contains a number of administrative scripts the system runs automatically. Without your involvement, these scripts carry out routine tasks such as rotating the log files so that they do not grow too large. As an administrator you should know how to modify these scripts and set when they run. Of course, there are now many full-featured text-mode and graphical log file analyzers that automatically look for signs of dangerous attacks and then send mail to the administrator. Many such tools can be found at http://www.freshmeat.net/tucows.

From an attacker's point of view, the most interesting thing is the security of your server. If you have shut off access to your server from the external network, you may encounter a situation like this:


[root@linux /]# grep refused /var/log/secure*

Sep  07:52:42 netgate in.rlogind[7138]: refused connect from 2??.?.5?.?42
Sep  07:52:52 netgate in.rshd[7139]: refused connect from 2??.?.5?.?42
Sep  07:52:55 netgate in.rexecd[7144]: refused connect from 2??.?.5?.?42
Sep  07:52:59 netgate imapd[7146]: refused connect from 2??.?.5?.?42
Sep  07:52:59 netgate in.fingerd[7142]: refused connect from 2??.?.5?.?42
Sep  07:53:00 netgate ipop3d[7143]: refused connect from 2??.?.5?.?42
Sep  07:53:07 netgate in.ftpd[7147]: refused connect from 2??.?.5?.?42
Sep  07:53:10 netgate gn[7145]: refused connect from 2??.?.5?.?42
Sep  07:53:22 netgate in.telnetd[7149]: refused connect from 2??.?.5?.?42
Sep  07:56:34 netgate imapd[7150]: refused connect from 2??.?.5?.?42


As you can see, an attacker has attempted to connect to several ports on the server. Because the server has shut off all the services started by inetd, the logging system records these rejected accesses. If the service in question does not exist on your machine, no refusal is logged, and that does not mean your machine was not attacked. The maillog file records email messages forwarded through the server, xferlog records FTP transfers, and so on.

To look at wtmp, use the last command:

# last | more
fishduck  ttyp6  nexus   Tue Sep    16:03  still logged in
birdrat   ttyp5  speedy  Tue Sep    15:57  still logged in
root      tty1           Tue Sep    12:54  still logged in

This shows who logged in and how long they stayed; by looking through it you can find information about illegal logins. You can also view the previous wtmp files, such as wtmp.1, with the command:

# last -f /var/log/wtmp.1 | more

You also need to pay attention to the size of your log files: if a file is particularly small or has size 0, an attacker may have entered the system and modified it. To prevent any user from modifying certain files (for example to allow only appending to the log files, never deleting from them), you can use the Linux Intrusion Detection System (LIDS), which keeps attackers from modifying the log files and the password file. The tool lets you decide, when you boot with LILO, whether modifications to certain files are permitted. Details can be obtained from www.soaring-bird.com.cn/oss_proj/lids/index.html.

The ancestor of all processes on the system is called init, and its process ID is 1. You can see the init process with the following command:

# ps ax | grep init
    1 ?  S    6:03 init

When the system starts, init starts the inetd process, which, as mentioned earlier, listens for network requests; the requests are distinguished by port number. For example, when you telnet to your Linux server, you are actually asking the inetd process, through port 23, to start an in.telnetd process to handle your request. in.telnetd then starts a process that asks for your user name and password, and then you are logged on to the machine. inetd listens on many ports waiting for requests, and activates the program that performs the associated service. You can see which service uses which port by looking at the file /etc/services.
From a resource-saving perspective, it makes sense to use one process for all of these services instead of one process per service. When an attacker visits your site for the first time, they tend to use a port scanner, through which they can see which services you have open. One of the better known port scanners on Linux is nmap. The software can be downloaded from http://www.insecure.org/nmap/index.html; the latest version even has a graphical front end, nmapfe. Let us run nmap and see what we get. The option -sS means a TCP SYN ("half-open") scan; -O detects the operating system of the scanned system at the same time (using OS fingerprinting; see http://www.isbase.com/book/showQueryL.asp?libID=271). An attacker who knows what operating system the other side is running can look specifically for that system's common vulnerabilities.


# nmap -sS -O localhost

Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port    State   Protocol  Service
        open    tcp       ftp
        open    tcp       telnet
        open    tcp       smtp
        open    tcp       domain
        open    tcp       finger
        open    tcp       http
        open    tcp       linuxconf
        open    tcp       sunrpc
113     open    tcp       auth
139     open    tcp       netbios-ssn
513     open    tcp       login
514     open    tcp       shell
515     open    tcp       printer

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4360068 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.12

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds


These open ports are the attacker's entry points. Once you have modified inetd.conf to turn off some services and restarted inetd, an nmap scan will show that the commented-out services no longer appear. Of course, administrators can also use other security scanners such as SATAN or Nessus to check the security of their own systems, discovering the vulnerabilities of their own systems before an attacker does and fixing them.
Three
There is a joke about a thief who breaks into a house, steals everything in the room, and replaces each item with an identical one. In the online world this really happens. An attacker exploits a system vulnerability to enter your system illegally. When you use the ps command to list all the processes on the system, you see no unusual evidence. You check your password file: everything looks normal. What is going on? When the attacker gets into your system, the first thing they do is replace certain files, such as the netstat command. When you then run netstat -a, nothing indicates the attacker's presence. Of course, an attacker will replace every file that might reveal their presence; in the Linux world a well-known toolkit of this kind is called a rootkit. Searching for the keyword rootkit in any search engine gives hundreds of results. These kits generally include replacements for:


ps  netstat  top  ...

Since these files have been replaced, simply looking at them with ls reveals no flaw. There are a number of ways to verify the integrity of your system files. If you are running Red Hat, Caldera, TurboLinux or any other system that uses RPM, you can use RPM to verify the integrity of your system files. First find out which package the file you want to check belongs to; the rpm command can tell you:

# rpm -qf /bin/netstat
net-tools-1.51-3

Then you can verify the whole package to see what has changed. For a package that has not changed, this command produces no output at all:

# rpm -V net-tools

After replacing the netstat binary of version 5.2 with the one from version 6.0, the result of the same command is:

.......T  /bin/netstat

This indicates that /bin/netstat has been modified. If I use rpm -qf on the ps and top commands, I find that they belong to the package procps, and I can then verify the integrity of procps. The following is the result on a site that had been "hacked":

# rpm -qf /bin/ps
procps-2.0.2-2
# rpm -V procps
SM5..UGT  /bin/ps
.....UGT  /usr/bin/top

The attacker broke into the system and replaced our ps and top commands with their own, so that administrators cannot see the attacker's running processes, perhaps a sniffer listening to all the user data going in and out of the network to collect passwords. Below is a small script that runs through your whole RPM database and checks whether any package has been tampered with. Note that not every problem it reports means the file was compromised by an attacker; for example, your password file is generally different from when you installed the system:

#!/bin/bash
#
# Run through the RPM database and report inconsistencies
for rpmlist in `rpm -qa`   # these quotes are back quotes
do
    echo "-----$rpmlist-----"
    rpm -V $rpmlist
done > /tmp/rpmverify.out

When you run the script, the output is directed to the file /tmp/rpmverify.out, which you can view with the less command. Text files such as /etc/passwd and /etc/inetd.conf are likely to be reported as modified. But how do you know whether they were modified by the administrator or by an intruder? The method is:

When you are sure your system is clean and has not been invaded, create fingerprints for these system files. Later, when you suspect your system, use those fingerprints to determine whether it has been invaded. The fingerprint of a file is computed with the md5sum command:

# md5sum /etc/passwd
d8439475fac2ea638cbad4fd6ca4bc22  /etc/passwd

# md5sum /bin/ps
6d16efee5baecce7a6db7d1e1a088813  /bin/ps

# md5sum /bin/netstat
b7dda3abd9a1429b23fd8687ad3dd551  /bin/netstat

These values are the fingerprints of the files on my system. The fingerprints of the same files on different systems are generally different, so you should use md5sum to compute the fingerprints of your own system's files. Here are some of the files you should fingerprint:

/usr/bin/passwd  /sbin/portmap  /bin/login  /bin/ls  /usr/bin/top  /etc/inetd.conf  /etc/services

With the fingerprints you can determine whether any system file has been tampered with.

Four
As described in the previous section, when you discover from modified netstat, ls and other commands that the system has been compromised, what should you do next? Depending on how important your system is, you have a variety of options. I recommend backing up the user directories, the password file and other critical system files, and then reinstalling the system. But do not copy the backed-up files onto the new system carelessly, because attackers may have hidden something illegal in them.

You can also, without reinstalling the system, restrict host access through the TCP wrapper, turn off non-critical network services, and then update the affected packages. It is important to get the system "clean" again, but that is not easy to achieve. If you find that the procps or net-tools packages have been modified by an attacker, the first thing to do is reinstall a clean package to replace the one left behind by the attacker. It is generally best to get the latest package from your distribution vendor and reinstall it.

Once an attacker enters a system, they store some tools on it and hide them, making them difficult to spot. Here is an instance of an attacker invading a system. When the system was found to be compromised, its network access was restricted and all affected packages were replaced. Then all that remained was to look through the log files for repeated attempts to enter the system. Looking at the /etc/passwd file, we find a user that is not legitimate. Going into that user's directory, /home/jon, and running "ls -a" gives the following:

.  ..  ..   .bashrc  .bash_history  .screenrc  emech.tar.gz

Apart from the file named emech.tar.gz, nothing unusual can be seen. But if you look closely, you will see that there are two ".." directories (".." refers to the parent of the current directory). That is strange: with the command "cd .." I simply end up in /home. It turns out the subdirectory's name is two dots followed by a space (".. "). You can reveal it with the following commands:

# cd /home/jon
# echo .* | cat -v
. .. ..  .bashrc .bash_history .screenrc emech.tar.gz

Careful observation shows that the entries are separated by single spaces, while there are two spaces between the second ".." and .bashrc. That means the second ".." directory is actually "dot-dot-space". Go into that directory:

# cd '.. '

Then list the contents of the directory:

# ls

randfiles  mech.set    mech.pid  checkmech    cpu.memory
mech.help  mech.usage  mech      mech.levels  emech.users  psdevtab

Next we see whether the intruder has hidden files somewhere else:

# find / -user jon -print

In addition to the /home/jon directory, the following were also found:

/usr/local/bin/.httpd
/tmp/cl
/tmp/.l/bcast
/tmp/.l/.l
/tmp/.l/imapd
/tmp/.l/log
/tmp/.l/pscan
/tmp/.l/pscan.c
/tmp/.l/rpc
/tmp/.l/slice2
/tmp/.l/sniffer
/tmp/.l/sxploit
/tmp/.l/thc
/tmp/.l/ufs.c

The intruder had installed a sniffer and a port scanner on the system and made a comfortable home for himself. During the inspection, a gruesome file named "tcp.log" was also found in the directory of a legitimate user. It was hundreds of lines long and contained every telnet and FTP connection to the system! Besides notifying the administrators of the machines that may have been compromised that they should reinstall their systems, I also told them that they needed to change the passwords of all users on their systems.

Here are some examples to help you search for hidden dangers. First look for files in user directories that are "suid" or "sgid": in the permission string of such files the executable bit is s instead of x. For example:

# ls -l /usr/bin/passwd
-r-s--x--x   1 root         10704 Apr   1999 /usr/bin/passwd

The "s" in the fourth position of the permission string indicates that when the command is executed, the effective user ID of the process becomes root. This is necessary to let ordinary users change their own passwords. If the seventh position is s instead of x, any user who runs the program gets the effective group ID of the program's group. Allowing a program to take on the identity of a particular user or group is not harmful in itself, but in general non-administrative users should not have root-suid programs in their directories. We can search for such files with the following command:

# find /home -perm -4000 -o -perm -2000 -print

Next we continue looking for programs and files left by intruders, so we need a quick way to find hidden directories. The following command finds hidden directories such as ".kde", and also directories such as ". " or "..." that a cracker may have created:

# find / -type d -name ".*" -print

The "-type d" option lists only directories. This command does not list "." or ".." themselves.
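As an added example (not from the original article), the following Python code performs the two searches just described over a directory tree: it reports names that imitate "." or ".." or carry whitespace (the ".. " trick from /home/jon), and it lists setuid/setgid files the way "find -perm -4000 -o -perm -2000" does. The demo builds a constructed home directory in a temporary location so that it runs without touching real user directories.

```python
import os
import stat
import tempfile

def odd_dot_entries(root):
    """Entries whose names consist only of dots and whitespace (e.g. '.. ', '...'),
    or contain whitespace/control characters; ordinary hidden names like .kde are skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            only_dots = name.startswith(".") and name.strip(". \t\r\n") == ""
            odd_chars = any(c.isspace() or ord(c) < 32 for c in name)
            if only_dots or odd_chars:
                found.append(os.path.join(dirpath, name))
    return sorted(found)

def setid_files(root):
    """Python equivalent of: find ROOT -perm -4000 -o -perm -2000 -print
    Returns (path, is_suid, is_sgid, owner_uid) for regular files with either bit set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((p, bool(st.st_mode & stat.S_ISUID),
                             bool(st.st_mode & stat.S_ISGID), st.st_uid))
    return sorted(hits)

def demo():
    """Build a constructed home directory resembling /home/jon from the article
    and run both checks over it. Returns (odd entries, setid files, root)."""
    root = tempfile.mkdtemp(prefix="jon-")
    os.mkdir(os.path.join(root, ".kde"))          # a normal hidden directory
    hidden = os.path.join(root, ".. ")            # dot-dot-space
    os.mkdir(hidden)
    tool = os.path.join(hidden, "mech")
    with open(tool, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(tool, 0o4755)                        # setuid bit set
    sniff = os.path.join(root, "sniffer")
    with open(sniff, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(sniff, 0o2755)                       # setgid bit set
    return odd_dot_entries(root), setid_files(root), root

if __name__ == "__main__":
    odd, setid, root = demo()
    print("suspicious names under", root)
    for p in odd:
        print("  ", repr(p))                      # repr makes the trailing space visible
    for p, suid, sgid, uid in setid:
        print("  setuid" if suid else "  setgid", p, "owner uid", uid)
```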

Five
As a good system administrator, the best way to defeat an attacker is to understand how attackers work: what tools they use, how they carry out their intrusions, and so on. So it is necessary to thoroughly understand the various network tools I have explained here.

Here is a case in point. An attacker uses a sniffer to listen to network traffic and collect user names and passwords. Below we explain in detail how a sniffer works. Simply put, a sniffer is a program that lets your network interface receive every datagram on the wire. Normally a computer accepts only datagrams whose destination address is its own; the sniffer puts the network interface into promiscuous mode, so that it accepts every datagram the network card receives.

If you run the command ifconfig eth0, you get the following result:


eth0      Link encap:Ethernet  HWaddr 00:C0:4F:E3:C1:8F
          inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49448 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33859 errors:0 dropped:0 overruns:0 carrier:0
          collisions:6 txqueuelen:100
          Interrupt:10 Base address:0x300


Open two terminals. In one, run the sniffer sniffit:

# sniffit -i

In the other virtual terminal run ifconfig eth0 again. You will find that the output now contains:

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

Note that, compared with the output above, the word "PROMISC" has been added; it is the abbreviation for promiscuous mode.

sniffit is a lightweight, terminal-based sniffer. You can get it from http://reptile.rug.ac.be/~coder/sniffit/sniffit.html.

Another similar sniffer is netwatch; you can get it from http://www.slctech.org/~mackay/netwatch.html.

If you do not want to install an additional sniffer, you can use a tool that is already on the system: tcpdump. Although it is not as fancy as the previous two tools, it can do everything they do.

# tcpdump host www.linuxjournal.com -l | tee /tmp/tcpdump.out

Here -l makes tcpdump line-buffer its output, so that tee can save it to a file as it is produced. The output looks like this:


16:41:49.101002 www2.linuxjournal.com.www > marcel.somedomain.com.1432: F 2303148464:2303148464(0) ack 1998428290 win 16352
16:41:49.101206 marcel.somedomain.com.1432 > www2.linuxjournal.com.www: . ack 1 win 32120 (DF)
16:41:50.001024 www2.linuxjournal.com.www > marcel.somedomain.com.1429: F 1805282316:1805282316(0) ack 1988937134 win 16352
16:41:50.001215 marcel.somedomain.com.1429 > www2.linuxjournal.com.www: . ack 1 win 32120 (DF)
16:41:50.840998 www2.linuxjournal.com.www > marcel.somedomain.com.1431: F 1539885010:1539885010(0) ack 1997163524 win 16352
16:41:50.841198 marcel.somedomain.com.1431 > www2.linuxjournal.com.www: . ack 1 win 32120 (DF)
16:41:51.494356 marcel.somedomain.com.1429 > www2.linuxjournal.com.www: P 1:335(334) ack 1 win 32120 (DF)
16:41:51.497003 marcel.somedomain.com.1433 > www2.linuxjournal.com.www: S 2019129753:2019129753(0) win 32120 (DF)
16:41:51.671023 www2.linuxjournal.com.www > marcel.somedomain.com.1429: R

Many kinds of sniffers are available for Linux systems. After breaking into a system, attackers may use a modified ps command to hide the running sniffer, or rename it so that it looks like a normal process.

