Linux security knowledge

Source: Internet
Author: User

My comments:
This book covers all aspects of Linux security and lays out a clear line of thinking. It offers many useful security tips and is a good reference for Linux system administrators. From it you can get an overall picture of Linux security, from system security to application security and from stand-alone security to network security. But security problems change constantly, and a book cannot keep pace with that, so it only covers the problems known at the time it was written; for new problems, refer to the book's website updates and to online security advisories.
Chapter 1 Linux security issues
Sticky bit
If you have write permission on a directory, you can delete the files and subdirectories in it even if you are not their owner and have no read or write permission on them. The sticky bit appears in the position of the execute permission, shown as t. After it is set, other users cannot delete files or directories in that directory that do not belong to them. Subdirectories do not inherit this permission, however; it has to be set on them separately.
# chmod 1770 xxx
File attributes
Attributes are modified with the chattr command; the lsattr command lists them.
File attribute definitions
A  Do not update atime. Useful for reducing disk I/O on a laptop or over NFS; apart from 2.0, other kernels do not support this attribute.
a  The file can only be opened in append mode. Only root can set this attribute.
c  The file is automatically compressed by the kernel when it is stored on disk.
d  The file is marked so that it is not dumped.
i  The file cannot be modified, deleted, or renamed; no links can be created to it and no data can be written to it.
s  When the file is deleted, its disk blocks are zeroed.
S  When the file is modified, the changes are written to disk synchronously.
u  When the file is deleted, its contents are saved so that it can be undeleted.
ulimit command
The command can be added to the profile file, or the limits can be defined in the /etc/security/limits.conf file.
Command parameters
-a  display all limits
-c  maximum size of core files
-d  maximum data segment size of a process
-f  maximum size of files the shell can create
-m  maximum resident set size
-s  maximum stack size
-t  maximum CPU time, in seconds
-p  pipe size
-n  maximum number of open files
-u  maximum number of processes
-v  virtual memory limit
Limits can also be defined in /etc/security/limits.conf. Each line has the form
domain type item value
where domain is a user name, a group name prefixed with @, or * for all users; type is hard or soft; item is the resource to restrict, such as cpu, core, nproc or maxlogins; and value is the corresponding limit.
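As an added example (not from the book), the following shell functions show the difference between the soft and hard limits that the type column in limits.conf selects: a soft limit can be lowered in a subshell without touching the parent shell, and a soft limit can never be raised above the hard limit. It uses the open-files limit (-n) and assumes the hard open-files limit is at least 128.

```shell
#!/bin/sh
# Added example, not from the book: hard vs soft limits, using the open-files
# limit (-n). Assumes the hard limit for open files is at least 128.
set -eu

# Lower the soft limit in a subshell and print the value seen there.
# Only that subshell and its children are affected.
soft_in_subshell() {
    ( ulimit -S -n 64; ulimit -S -n )
}

# Set both hard and soft to 128 in a subshell, then try to push the soft
# limit past the hard one. Prints "refused" or "raised".
raise_soft_past_hard() {
    (
        ulimit -n 128            # without -H/-S this sets both limits
        if ulimit -S -n 129 2>/dev/null; then echo raised; else echo refused; fi
    )
}

# Confirm the calling shell's own soft limit is untouched by the subshells.
parent_unchanged() {
    before=$(ulimit -S -n)
    soft_in_subshell >/dev/null
    raise_soft_past_hard >/dev/null
    after=$(ulimit -S -n)
    if [ "$before" = "$after" ]; then echo same; else echo changed; fi
}
```

A limits.conf line such as "alice hard nofile 128" does for every login of that user what the subshell above does for one shell.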
Signals
# kill -TERM xxxx     send the termination signal
# kill -HUP httpd     send the signal that makes the daemon re-read its configuration
Privileged ports
Only root can bind a port below 1024, so a connection that comes from a port below 1024 on a remote machine can be trusted to have been opened by root on that machine.
Chapter 2 Prevention measures and recovery from intrusion
System security
Simple find command
# find / \( -perm -02000 -o -perm -4000 \) -ls
finds all setuid and setgid programs in the system.
In the strictest case, you can remove the setXid bits of all installed programs except /bin/su.
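As an added example (not from the book), the script below applies the sticky-bit check and the setuid/setgid search and strip described above to a small constructed directory tree instead of /, so any user can run it; the file and directory names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: the sticky-bit and setuid/setgid checks
# run over a constructed temp tree instead of /, so any user can run it.
set -eu

# List regular files under $1 with the setuid (04000) or setgid (02000) bit.
find_setxid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print
}

# List world-writable directories under $1 that lack the sticky bit (01000):
# in those, any user can delete files that belong to someone else.
find_unsticky_worldwritable() {
    find "$1" -type d -perm -0002 ! -perm -01000 -print
}

# Strip setuid/setgid from every file under $1 except the path given in $2,
# the strict policy mentioned above (keep only /bin/su on a real system).
strip_setxid_except() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) ! -path "$2" \
        -exec chmod u-s,g-s {} +
}

# Build the constructed tree, run the checks, print "setxid unsticky left".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/shared_ok" "$root/shared_bad"
    : > "$root/bin/su_like";   chmod 4755 "$root/bin/su_like"     # setuid
    : > "$root/bin/wall_like"; chmod 2755 "$root/bin/wall_like"   # setgid
    : > "$root/bin/plain";     chmod 0755 "$root/bin/plain"       # neither
    chmod 1777 "$root/shared_ok"     # world-writable with sticky bit, like /tmp
    chmod 0777 "$root/shared_bad"    # world-writable without sticky bit
    n_setxid=$(find_setxid "$root" | wc -l | tr -d ' ')
    n_unsticky=$(find_unsticky_worldwritable "$root" | wc -l | tr -d ' ')
    strip_setxid_except "$root" "$root/bin/su_like"
    n_left=$(find_setxid "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$n_setxid $n_unsticky $n_left"
}
```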
System security scanning tools: COPS, Tiger, Nabou
Scan detectors
The first thing intruders do before breaking into a system is to scan it from the network; a scan detector lets you learn about this in time.
Good intrusion detection systems (IDS): Klaxon, Courtney, Scanlogd, PortSentry
Hardening the system
The Bastille project has created a set of modules to harden recent Red Hat releases. It can be run right after the system is installed, but it can also be run at any later time; a freshly installed system is not required.
The hardening procedure is as follows: 1. Download the source code to the /root directory and unpack it. Run the InteractiveBastille.pl script as root; after you answer its questions, the program makes the corresponding changes. Once the configuration is complete, the tool saves it in BackEnd.pl. To harden another server with the same configuration, copy that file to the new server and run AutomatedBastille.pl.
Openwall Linux patch
This is a kernel patch. To make it take effect you must recompile and install the patched kernel. In some cases these kernel patches are not fully compatible with standard Linux, so you must be sure you understand them first.
LIDS
LIDS includes a kernel-level port-scan detector and security alerts. It consists of a kernel patch (currently for 2.2.x and 2.4.x, though 2.2 will no longer be supported) and system administration tools. Its features include:
1. Advanced file protection: even root cannot see or tamper with files protected by LIDS.
2. Process protection: the kernel refuses to deliver signals (such as SIGKILL) to protected processes, and a process can be completely hidden, leaving no trace under /proc.
3. Better access control and more effective use of privilege-related capabilities, including preventing root from changing those capabilities.
4. Built-in port-scan detection: the scanner built into the kernel detects the great majority of the scans performed by tools such as Nmap and SATAN, including partial scans.
To install LIDS, download the latest official Linux kernel and the LIDS source code, patch the kernel with LIDS, and then recompile the kernel.
Log file analysis
Every syslogd message is tagged with a facility and a level. The /etc/syslog.conf file sets where each message is sent.
syslogd facilities
auth           security/authentication messages (deprecated)
authpriv       security/authentication messages
cron           cron and at
daemon         other system daemons (sshd, xinetd, pppd, etc.)
kern           kernel messages
lpr            line printer system
mail           mail subsystem (sendmail, postfix, qmail, etc.)
news           Usenet news
syslog         internal syslog messages
user           user-level messages
uucp           UUCP subsystem
local0-local7  custom facilities
Log levels
emerg     the system is unusable
alert     action must be taken immediately
crit      critical condition
err       error
warning   warning
notice    normal but significant condition
info      informational message
debug     debug message
Each line of syslog.conf has the form
facility.loglevel    logtarget
with the fields separated by tabs.
Example:
daemon.notice    /var/log/daemon.log
sends messages from the daemon facility with priority notice or higher to the file /var/log/daemon.log. The * sign matches all facilities or all levels.
Targets
/path/to/filename      append the message to the named file; the most common case.
@loghost               send to the syslog server on loghost; convenient for sending logs to another machine or to several machines.
|/path/to/named_pipe   write to the named pipe (convenient for filtering messages with an external program).
user1,user2            write to the terminals of the listed users.
*                      write to all logged-in users.
/dev/console           write to the named terminal.
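As an added example (not from the book), the following checker validates syslog.conf lines of the facility.level<TAB>target form against the facility, level and target lists given above; the input lines are constructed, and the checker handles a single selector per line rather than every form a real syslogd accepts.

```shell
#!/bin/sh
# Added example, not from the book: a checker for syslog.conf lines of the
# "facility.level<TAB>target" form described above. Constructed input only;
# it handles one selector per line, not every form a real syslogd accepts.
set -eu

FACILITIES="auth authpriv cron daemon kern lpr mail news syslog user uucp \
local0 local1 local2 local3 local4 local5 local6 local7"
LEVELS="emerg alert crit err warning notice info debug"
TAB=$(printf '\t')

# in_list WORD "LIST": true if WORD is "*" (matches all) or appears in LIST.
in_list() {
    [ "$1" = "*" ] && return 0
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Print "ok", "skip" (blank or comment) or the first problem found in line $1.
check_line() {
    line=$1
    case $line in ''|\#*) echo skip; return 0 ;; esac
    selector=${line%%"$TAB"*}        # text before the first tab
    target=${line#*"$TAB"}           # text after the first tab
    if [ "$selector" = "$line" ]; then
        echo "selector and target must be separated by a tab"; return 0
    fi
    fac=${selector%%.*}; lvl=${selector#*.}
    in_list "$fac" "$FACILITIES" || { echo "unknown facility: $fac"; return 0; }
    in_list "$lvl" "$LEVELS"     || { echo "unknown level: $lvl"; return 0; }
    case $target in
        /*|@?*|\|/*|\*) echo ok ;;           # file, @loghost, |named pipe, *
        [A-Za-z_]*)     echo ok ;;           # user1,user2
        *)              echo "bad target: $target" ;;
    esac
}

# Run the checker over constructed lines; verdicts are joined with ';'.
demo() {
    out=""
    for l in "daemon.notice${TAB}/var/log/daemon.log" \
             "authpriv.* /var/log/secure" \
             "mailx.info${TAB}/var/log/mail.log" \
             "kern.crit${TAB}@loghost" \
             "*.emerg${TAB}*"; do
        out="$out$(check_line "$l");"
    done
    echo "$out"
}
```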
Log file permissions
Logs should be owned and writable only by root, readable by the log group (or whichever group you choose), and inaccessible to all other users. A user sometimes types the password where the user name is expected; when the logon then fails, the password is recorded in the log because of the user's mistake. Create a fictitious user belonging to the log group and run all log-checking programs as that user rather than as root; log-checking programs should never run as root.
Log-monitoring software such as logcheck, swatch and logsurfer can be used to watch the logs, but the best tool is a script written by the administrator.
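As an added example (not from the book), here is the kind of administrator-written log check the text recommends: it sets the restrictive mode described above on a log file and then reports repeated failed logins per source address and the number of "invalid user" entries (the lines that may hold a mistyped password). The sshd and cron log lines are constructed, not captured from a real host, and the thresholds are arbitrary.

```shell
# Added example, not from the book: lock down a log file's mode and run a
# small administrator-written log check over constructed sshd/cron lines.
set -eu

# Owner read/write, group read, nothing for others. (chown root:log is a
# separate step for root; this only sets the mode, so any user can run it.)
lock_down_log() {
    chmod 0640 "$1"
    ls -ld "$1" | cut -c1-10          # prints -rw-r-----
}

# Print "ip count" for each source address with at least $2 failed password
# attempts in log $1, highest count first.
failed_logins_by_ip() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" \
    | sort -k2,2nr
}

# Count "invalid user" failures; such names may really be mistyped passwords.
invalid_user_entries() {
    grep -c 'Failed password for invalid user' "$1" || true
}

# Constructed sample log, not captured from a real host.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:05 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Mar  3 10:01:09 host sshd[2203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:02:11 host sshd[2210]: Failed password for invalid user hunter2 from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:40 host sshd[2215]: Accepted password for alice from 192.0.2.9 port 52222 ssh2
Mar  3 10:03:00 host cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Returns "mode|top offender|invalid-user count" for the sample log.
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    mode=$(lock_down_log "$log")
    top=$(failed_logins_by_ip "$log" 3 | head -n 1)
    inv=$(invalid_user_entries "$log")
    rm -f "$log"
    echo "$mode|$top|$inv"
}
```

On a real host the script would be run from cron as the fictitious log-group user, with the report itself kept at the same restricted mode.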