Security Configuration-use VXE (virtual execution environment technology) to protect Linux System Security

All operating systems have vulnerabilities, and none of them are absolutely secure. Any system connected to the Internet will be detected and may be intruded. Although the linux operating system is regarded as relatively secure, the operating system runs stably and quickly, but Linux itself has many hidden vulnerabilities. Today, the Internet is so popular that everyone is using Linux

Original:Li chenguang 

All operating systems have vulnerabilities. None of them are absolutely secure. Any system connected to the Internet will be detected and may be intruded,Linux operating systemAlthough it is widely recognized as a secure and fast operating system, Linux has many hidden vulnerabilities. Nowadays, the Internet is so popular that everyone is using Linux. This is because Linux is powerful and cheap, and it is precisely because Linux is very cheap. Many people will ignore its security problems after installing Linux, they are not well protected due to carelessness or limited capabilities.

According to the analysis by network security experts, the main vulnerabilities in linux include sample scripts, unrelated software, open ports, unpatched and weak passwords. However, the biggest concern is the excessive permissions of Super Users in linux. In the image of someone, a Super User in Linux is God, which can make you alive or let you die. The linux intrusion technology commonly used by hackers is high privilege, if a hacker can escalate the permissions of an ordinary user to root user in linux by some means, there is no doubt that he can control the entireLinux.

Here we will talk about the Virtual execution environment technology (Virtual eXe)CutIng Environment (VXE ). In short, VXE is an intrusion protection system (IPS ). the intrusion protection system is regarded as an important development direction of the intrusion detection system. It solves the important problem that the intrusion detection system does not actively block the attack before the attack occurs. Intrusion Protection can not only be detected. They can also be blocked before the attack causes losses, so that the intrusion detection system can be upgraded to a new level.

I. Working Principle of VXE

VXE provides protection for Linux/Uinux systems to prevent hackers from intruding through the network. It protects the host and subsystems and services in Linux to ensure system security. For example, services such as SSH, SMTP, POP, and HTTP are generally provided in Linux. Although these services have been developed and used for a long time, some hidden bugs still exist. VXE in LINUX is a simple task, which is to protect the security of hosts and applications, to make necessary restrictions on the user's shell call behavior, to provide CGI (Public Gateway Interface) server for script protection. Therefore, VXE does not need to change the settings of these subsystems and programs, but only protects them.

In linux, when a program runs as a root user, the program can call and access all resources in the system if necessary. Although this seems very convenient, it is also very beneficial to program operation, but this situation has also laid a security risk for system security, once hackers control their applications through buffer overflow attacks or other attacks, the scope of the destruction is very extensive. This is undoubtedly the result we do not want to see.

 

In general, the Administrator has a lot to do on Linux/Unix systems, so there is no time and effort to correctly configure the software. To ensure that the system can run in the shortest time, the Administrator has to install and configure the program or process with the root permission. This is a quick and easy way to ensure that these processes can access the required resources. It is also a convenient way to make the system vulnerable and target attackers. Especially for buffer overflow attacks, it is critical to correctly configure all software so that it has as few permissions as possible. In this way, even if an attacker can attack the system and defeat a program, the attacker's permissions are limited, without causing greater risks. As we all know, some applications cannot discover program defects in the short term in the programming process, and they must be constantly improved to achieve software integrity. During this period, the program will leave many potential problems. VXE technology provides necessary protection against possible buffer overflow attacks. From the above, it is not difficult to find that the fundamental purpose of VXE technology is to minimize the threat that defective programs or services pose to the entire system and control risks to a certain extent, this protects operating system intrusion. Iii. Installation and Use of VXEVXE supports Linux kernel versions 2.2.x and later. Before installing VXE, you must first install the following programs in the Linux operating system: (1) Linux Kernel development kit; (2) In the Perl language environment. The default directory path of Perl is/usr/bin/perl, if Perl is not installed in the default directory path, you must do the relevant link; (3) TClx, TClx default directory path is/usr/bin/tcl, if TclX is not installed in the default directory path, related links are required; (4) normal HTTP Services. Manually create a temporary directory and set VXE CompressionPackage ExtractTo the temporary directory. Before you officially install VXE, you also need to know the following system information: ◆ Linux Kernel Source, usually in the/usr/src/linux directory; ◆ CGI directory path, we recommend that you run VXE in the CGI directory, for example,/home/ Httpd/Cgi-bin/Vxe; ◆ VXE binary code and VXE installation path, recommended in/usr/local/vxe; ◆ Kernel Log file path, it is recommended to install it in/var/log/kernel; ◆ vxe cgi script address, and it is recommended to install it in/cgi-bin/vxe. The preceding directory must be manually created. The VXE installation script does not automatically create the preceding directory. If there is no Kernel Log file in Linux, you must modify the syslogd configuration file. Add the following line of parameters to the/etc/syslog. conf file: kern. */var/log/kernel