Linux server attack and Defense security Introduction _unix Linux

With the expansion of Linux enterprise applications, there are a large number of network servers using the Linux operating system. Linux server security can be more and more attention, here according to the depth of the attack on the Linux server in the Level form, and propose different solutions.
The definition of a Linux server attack is that an attack is an unauthorized behavior designed to hinder, damage, weaken, and compromise the security of a Linux server. The scope of the attack can be rejected from the service until the Linux server is completely compromised and compromised. There are many kinds of attacks on Linux servers, from the perspective of attack depth, we divide the attack into four levels.
Attack level One: Service denial of attack (DoS)
As a result of the proliferation of Dos attacks and the fact that the defects of the protocol layer are not changed in the short term, DOS becomes the most widespread and the most difficult way to prevent attack.
Denial of service attacks include distributed denial of service attacks, reflective distributed denial of service attacks, DNS distributed denial of service attacks, FTP attacks, and so on. Most service denial of attack leads to a relatively low-level risk, that is, those attacks that may cause the system to reboot are only temporary problems. Such attacks are largely different from those that want to gain network control, and generally do not have an impact on data security, but the denial of service attacks can last for a long time.
So far, there is no absolute way to stop this kind of attack. But this does not mean that we should be without a fight, in addition to emphasizing the importance of personal mainframe protection not being exploited, it is very important to strengthen the management of the server. Be sure to install the verification software and filtering function to verify the real address of the source address of the message. In addition, for several service rejections, you can use the following measures: Turn off unnecessary services, limit the number of concurrent SYN connections that are open, shorten the time out of the SYN semi-connection, and update the system patches in a timely manner.
Attack level Two: Local users have access to read and write access to their unauthorized files
A local user is a user who has a password on any machine on the local network and therefore has a directory on a drive. The question of whether local users have access to the read and write permissions of their unauthorized files poses a high degree of risk to the key of the file being accessed. Arbitrary access to the temporary Files directory (/tmp) by any local user is risky and can potentially lay a path to the next level of attack.
The primary attack method of level Two is that hackers trick legitimate users into telling their confidential information or perform tasks, and sometimes hackers pretend that a network administrator sends a message to a user and asks the user to give him a system-upgraded password.
Attacks initiated by local users are almost always the start of a remote login. For Linux servers, it is best to put all shell accounts on a separate machine, that is, only one or more servers that are assigned shell access. This makes it easier to manage log management, access control management, release protocols, and other potential security issues. You should also distinguish between systems that store user CGI. These machines should be isolated in specific network segments, that is, depending on the configuration of the network, they should be surrounded by routers or network switches. Its topology should ensure that hardware address spoofing does not exceed this section.
Attack level Three: remote users get read and write access to privileged files
A third-level attack can do more than verify that a particular file exists, and that it can read and write to those files. The reason for this is that there are weaknesses in the Linux server configuration: Remote users can execute a limited number of commands on the server without a valid account.
The password attack method is the main attack method in the third level, and the corrupted password is the most common attack method. Password cracking is a term used to describe the penetration of a network, system, or resource to unlock a password-protected resource with or without the use of a tool. Users often ignore their passwords, and password policies are difficult to implement. Hackers have a variety of tools to defeat the technology and socially protected passwords. Mainly include: Dictionary attack (Dictionary attack), mixed attack (Hybrid attack), brute force attack (brute force). Once the hacker has the user's password, he has a lot of user privileges. Password conjecture refers to the manual access to the ordinary password or by the preparation of the original program to obtain the password. Some users choose simple passwords-such as birthdays, anniversaries, and spouse names-but do not follow the rules that should be mixed with letters or numbers. It doesn't take long for a hacker to guess a string of 8-word birthday data.
The best defense against third-level attacks is to strictly control access privileges, that is, to use a valid password.
This includes the rule that passwords should be mixed with letters, numbers, and capitalization (because Linux has a distinction between capitalization).
Using special characters such as "#" or "%" or "$" adds complexity. For example, use the word "countbak" and Add "#$" (countbak#$) after it, so that you have a fairly valid password.
Attack level four: remote users get root permissions
The attack level is the one that should never have happened, which is a fatal attack. Indicates that the attacker owns the root, Superuser, or Administrator license for the Linux server and can read, write, and execute all files. In other words, the attacker has full control over the Linux server and can be completely shut down or even destroyed at any time.
Attack level four The main form of attack is TCP/IP continuous theft, passive channel listening and packet interception. TCP/IP continuous theft, passive channel listening and packet interception, is the way to collect important information to enter the network, unlike denial of service attacks, these methods have more similar nature of theft, more concealment is not easy to find. A successful TCP/IP attack could allow hackers to block transactions between two groups, providing a good opportunity for man-in-the-middle attacks, and then hackers would control one or both of the transactions without the victim's attention. Through passive eavesdropping, hackers manipulate and register information, deliver documents, and find the fatal key to pass through all available channels on the target system. The hacker will look for a combination of online and password to identify the legal channel for the application. Packet interception is an address in which the target system constrains an active listener program to intercept and change all or special information. Information can be sent to the illegal system for reading and then sent back to the hacker without change.
TCP/IP continuous theft is actually a network sniffer, note if you are sure that someone has picked up the sniffer to your own network, you can find some tools to verify it. This tool is called the Time-domain reflection meter (time domain REFLECTOMETER,TDR). TDR measures the propagation and variation of electromagnetic waves. Connecting a TDR to a network can detect unauthorized devices that obtain network data. But many small and medium-sized companies do not have this expensive tool. The best way to protect against sniffer attacks is to:
1, the security of the topological structure. The sniffer can only capture data on the current network segment. This means that the finer the network segmentation works, the less information the sniffer can collect.
2, session encryption. Instead of particularly worrying about the data being sniffed, it is necessary to find ways to make the sniffer not recognize the data that is being sniffed. The advantage of this approach is obvious: even if an attacker sniffs the data, the data is useless to him.
Special Note: Counter measures against attack
You should pay special attention to attacks beyond the second level. Because they can continuously upgrade the attack level to penetrate the Linux server. At this point, we can take the counter measures are:
First back up important enterprise-critical data.
Change all passwords in the system, notify the user to find the system administrator to get the new password.
Isolating the network segment causes the attack to appear only in a small area.
Allow the behavior to continue. If possible, do not rush the attackers out of the system and prepare for the next step.
Record all actions and collect evidence. The evidence includes: System login files, application login files, AAA (authentication, Authorization, Accounting, authentication, authorization, billing) login files, RADIUS (Remote authentication dial-in User Service) login, Network unit login (network element Logs), firewall login, HIDS (host-base IDS, host-based Intrusion detection System) events, NIDS (Network intrusion detection System) events, disk drives , hidden files, and so on. Take note When collecting evidence: take pictures before moving or disassembling any equipment; the two-person rule should be followed in the survey, with at least two people in the information collection to prevent tampering with the information, all steps taken and any changes to the configuration settings should be recorded to keep the records in a safe place. Check the access License for all directories of the system and detect if Permslist has been modified.
Make various attempts (using different parts of the network) to identify the source of the attack.
In order to use legal weapons to fight crime, evidence must be preserved, and evidence will take time to form. To do this, it is necessary to endure the impact of the attack (although some security measures can be devised to ensure that the attack does not compromise the network). In this case, we should not only take some legal measures, but also invite at least one authoritative security company to help prevent this crime. The most important feature of this type of operation is to obtain evidence of the crime and to locate the offender's address and provide the log. The evidence collected should be effectively preserved. At the outset, two copies were produced, one for assessing evidence and the other for legal verification.
After finding the system vulnerabilities, try to plug the vulnerability and conduct a self attack test.
Network security is not only a technical problem, but a social problem. Enterprises should pay more attention to the network security, if blindly relying solely on technical tools, it will become more and more passive, only to play the social and legal aspects of combating cybercrime, can be more effective. Our country has already had the clear judicial explanation to the crackdown network crime, unfortunately most enterprises only attaches importance to the technical link function but ignores the legal, the social factor, this is also this article writing goal.
Denial of service attack (DoS)
DOS is the denial of service, the abbreviation for Denial of services, can not be considered as Microsoft's DOS operating system! Dos attacks allow the target machine to stop providing service or resource access, usually with the goal of consuming server-side resources, causing server responses to block by forging request data exceeding the server's processing power, so that normal user requests are not answered for attack purposes.