No system is absolutely secure. Even a stable Linux system has weaknesses in the way it is managed and secured. What we can aim for is to run it at minimum risk, and that requires disciplined security management.
Below I describe the weaknesses of Linux from two angles, hacker intrusion and viruses, and explain how to strengthen its security management.
Preventing hacker intrusion
Before discussing how to defend against intrusion, I will briefly outline the main ways hackers attack Linux hosts, so that you know their methods and techniques and can take the right measures before a problem occurs.
The most drastic preventive measure is to limit the internal network's connections to the outside, or to isolate the host from other networks entirely. This is inconvenient for network use, but it is also the most effective.
Hackers generally probe Linux or Unix hosts in the following ways until they find one that is easy to break into, and then begin the intrusion. The common attack methods are:
1. Obtain the root password directly by eavesdropping, or first obtain the password of an ordinary user, which is usually much easier, and work up from that account toward root.
2. Guess passwords from a list of common words. An American hacker once said that the word "password" alone opens most computers in the United States. Other commonly used words include: account, ald, alpha, beta, computer, dead, demo, dollar, games, bod, hello, help, intro, kill, love, no, OK, okay, please, sex, secret, superuser, system, test, work, and yes.
3. Run "finger @some.cracked.host" to list the user names on a machine. Break into one of the weakly protected accounts, copy the system password file /etc/passwd (this only yields hashes when the system does not use shadow passwords), then run a dictionary file through a password-guessing tool to recover the root password.
4. Plant a setuid program in /tmp, or get the root user to run a program that creates a setuid-root copy of a shell, leaving a hole the attacker can use later.
5. Exploit a vulnerability in a program that must run setuid root, such as pppd, to obtain root privileges.
6. Intrude through .rhosts trust. When you log in with rlogin, the program checks the hosts and accounts listed in .rhosts, and logins from those are accepted without a password.
7. Modify the user's .login, .cshrc, .profile and other shell start-up files to add destructive commands, for example "if /tmp/backdoor exists, run /tmp/backdoor". The commands run as soon as the user logs in.
8. The moment the user logs in, the backdoor program (possibly a password cracker) runs without their knowledge, damaging the system or sending further information back to the hacker to help the next step of the penetration.
9. Important company hosts may sit behind layered firewalls, so the hacker instead finds any easily compromised host on the same subnet and works inward from there. For example, if the network uses NIS, remote commands may be allowed to log in without a password, which gives the hacker an easy foothold.
10. The hacker connects through an intermediate host when approaching the target, so that a reverse lookup of the connecting address does not lead back to them.
11. There are several ways to reach a host: Telnet (port 23), Sendmail (port 25), FTP (port 21) or WWW (port 80). A host has a single address but may offer many services at once, and each open port is a possible way "in".
12. Use the RPC services NIS and NFS to gather information. With simple commands such as showmount, a remote host can be made to report the file systems it exports. With that information, even when tcp_wrapper is installed, the attacker can mount an exported file system from the NFS server without the administrator noticing, and /etc/passwd leaks out.
13. Log in to the anonymous FTP account (any e-mail address is accepted as the password) and download the passwd file from the FTP site's /etc directory.
14. Network eavesdropping: use a sniffer program to watch network packets and capture the start of Telnet, FTP and rlogin sessions, where the user name and password travel in the clear. This is how root passwords get intercepted, and sniffers are one of the main causes of intrusions today.
15. Exploit vulnerabilities in system services such as Sendmail, imapd, pop3d and DNS. New holes in these are found constantly, so a host that was hard to break into yesterday may be easy today if its patches are not kept up to date.
16. Once the hacker is in, the system's telnet program may be swapped for a trojaned version that records every user's telnet account and password and e-mails them to the hacker for further intrusion.
17. Clear the system records. Skilled hackers delete the entries that record their login time and IP address from the syslog output, lastlog, messages, wtmp, utmp and the shell history file (.history).
18. Replace inspection commands such as ifconfig and tcpdump to avoid detection.
19. Quietly copy /etc/passwd and then run a dictionary attack on it to recover passwords.
20. Go after root through privilege-switching programs such as su or sudo.
21. Use buffer overflows to break into the system.
22. cron is the Linux tool for running commands automatically, for example regular backups or deletion of expired files. Intruders often use cron to leave a backdoor: a cron job can keep a password cracker running, and a job that fires only at odd hours is easy for the administrator to miss.
23. Use IP spoofing to break into Linux hosts.
These are the common tactics hackers use against Linux hosts. If a hacker can break into a computer easily with these methods, its security is too poor: download newer versions of the software, or apply patch files, to fix the security holes. Be warned that unauthorized use of other people's computer systems or theft of their information is illegal; we hope readers will not try it.
Besides the methods above, many hackers use intrusion tools against Linux systems. These tools are often planted on the victim server after the intruder has got in. They vary in capability: some simply capture user names and passwords, while the more powerful ones record all network traffic. In short, hackers use such tools to attack Linux hosts.
Protecting against hackers
If you want to protect the system, the first step against hacker intrusion is prevention, done in advance. As the system administrator, you must make sure the system you manage has no known security holes, so that illegal users get no opportunity.
To do prevention well, I think the main points are:
First, close every possible system backdoor in advance so that intruders cannot exploit a known hole. For example, run "rpcinfo -p" to check whether unnecessary remote (RPC) services are running on the machine; stop any you find immediately rather than leaving them as a door for illegal users.
Second, check that the system runs recent versions of the Linux and Unix daemons; old daemons may let other machines run commands remotely.
Third, obtain security patches from the operating system vendor regularly.
Fourth, install programs that strengthen the system, such as shadow passwords, TCP wrappers, SSH and PGP.
Fifth, build a network firewall to block network attacks.
Sixth, run scanning tools against the host to find out how vulnerable it is.
Seventh, subscribe to security bulletins and visit security sites so that you learn of software and hardware vulnerabilities in time to fix them.
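The "rpcinfo -p" check in the first point generalizes to every listening service. What follows is an added example, not code from the original article: a POSIX shell function that reads the output of "ss -lntu" on a Linux host and flags the legacy cleartext and RPC services the attack list above singles out (telnet, ftp, finger, the r-services, the portmapper, NFS). The port table and the sample "ss" output are constructed for illustration; "--live" runs it against the real host.

```sh
#!/bin/sh
# Added example (not part of the original article): flag legacy cleartext and
# RPC services that are listening on a Linux host. Input is the output of
# "ss -lntu"; the sample below is constructed so the script runs offline.

# Ports named in the attack list above: telnet, ftp, finger, the r-services,
# the RPC portmapper used by NIS, and NFS. Each entry is port:name (assumed
# list; extend it for your environment).
RISKY_PORTS="21:ftp 23:telnet 79:finger 111:sunrpc 512:rexec 513:rlogin 514:rsh 2049:nfs"

# Constructed sample of "ss -lntu" output: sshd on 22, smtp bound to
# localhost only, plus telnet, finger and the portmapper exposed on all
# interfaces.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:79        0.0.0.0:*
tcp   LISTEN 0      128    [::]:111          [::]:*
tcp   LISTEN 0      128    127.0.0.1:25      0.0.0.0:*'

# flag_risky_listeners: read "ss -lntu" lines on stdin and print
# "proto port name" for every socket whose port is in RISKY_PORTS.
flag_risky_listeners() {
    while read -r proto state recvq sendq laddr peer rest; do
        case "$proto" in
            tcp|udp) ;;
            *) continue ;;            # header line or blank line
        esac
        port=${laddr##*:}             # "0.0.0.0:23" -> 23, "[::]:111" -> 111
        for entry in $RISKY_PORTS; do
            if [ "${entry%%:*}" = "$port" ]; then
                printf '%s %s %s\n' "$proto" "$port" "${entry#*:}"
            fi
        done
    done
}

# count_risky_listeners: same input, prints only the number of hits, so a
# cron job can alert when the count is non-zero.
count_risky_listeners() {
    flag_risky_listeners | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    ss -lntu | flag_risky_listeners       # real host; ss comes with iproute2
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_risky_listeners
fi
```

On the sample the script prints four lines (udp 111, tcp 23, tcp 79 and tcp 111) and says nothing about sshd or the localhost-only mailer. A port being absent from this table does not make it safe; the table only encodes the services the article discusses.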
Even with prevention done, you cannot relax. Network technology keeps developing and hackers keep improving; their methods are endless and unexpected. So besides prevention, the system needs daily security checks. As the system administrator in particular, you must watch for changes at all times: changes in processes, files and timestamps.
Specifically, there are several ways to check the system:
1. Make full use of the check commands built into Linux and Unix. For example, the following commands are useful:
- who: shows who is logged on to the system;
- w: shows who is logged on and what they are doing;
- last: shows the users and TTYs that have logged on to the system;
- history: shows the commands the current shell has run;
- netstat: shows the current network connections and listening ports;
- top: shows the system's processes, updated in real time;
- finger: shows the logged-in users and details about them.
2. Regularly check system logs, files, timestamps and process information. For example:
- check the /var/log/messages log file for logins from outside;
- check the shell history files (such as .history) in each /home/username directory;
- check the .rhosts and .forward files in each /home/username directory, which allow remote logins and mail-triggered commands;
- run "find / -ctime -2 -ls" to list files whose inode changed in the last two days (adding "-ctime +1" narrows it to between one and two days ago);
- run "ls -lac" to see a file's real change time (ctime), which unlike the modification time cannot be reset with touch;
- run "cmp file1 file2" to compare a file byte by byte against a known-good copy, not just by size;
- protect important system commands, processes and configuration files so that an intruder cannot replace them with versions that alter the system.
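The checks above, and the persistence spots named in items 4, 6, 7 and 22 of the attack list (setuid files, .rhosts trust, login-script hooks, cron jobs), can be turned into a small script. The following is an added example, not code from the original article. It assumes GNU coreutils and findutils as found on Linux; the baseline file name, the directory arguments and the list of login scripts it inspects are choices made here.

```sh
#!/bin/sh
# Added example (not part of the original article): the daily checks from the
# list above as shell functions, plus a hunt for the persistence spots the
# attack list names: setuid files, .rhosts/.forward, login-script hooks and
# cron jobs. Assumes GNU coreutils and findutils (sha256sum, find -perm,
# sort -z, xargs -r), as found on Linux.

# baseline_dir DIR BASELINE: record the SHA-256 of every regular file under
# DIR. Run it once on a known-good system and keep BASELINE off the host or
# on read-only media; an intruder who can replace /bin/ls can also rewrite a
# baseline left on the same disk.
baseline_dir() {
    find "$1" -xdev -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# check_baseline BASELINE: print the path of every file whose content no
# longer matches the recorded hash (an unchanged mtime proves nothing, the
# hash does). Prints nothing when everything matches.
check_baseline() {
    sha256sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# find_setuid ROOT: setuid files under ROOT. Compare the result with the
# list from a clean install; anything under /tmp, /var/tmp or a home
# directory is a backdoor until proven otherwise.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# find_recent ROOT DAYS: files whose inode changed (ctime) in the last DAYS
# days. ctime, unlike mtime, cannot be set back with touch, so it survives
# the usual timestamp faking.
find_recent() {
    find "$1" -xdev -type f -ctime "-$2" 2>/dev/null
}

# find_trust_files HOMES: .rhosts and .forward files in home directories;
# the former grant password-less rlogin, the latter run commands on mail.
find_trust_files() {
    find "$1" -maxdepth 2 -type f \( -name .rhosts -o -name .forward \) 2>/dev/null
}

# find_rc_hooks HOMES: login scripts that execute something from /tmp,
# /var/tmp or /dev/shm, the "if /tmp/backdoor exists, run it" trick.
find_rc_hooks() {
    find "$1" -maxdepth 2 -type f \
        \( -name .profile -o -name .bashrc -o -name .bash_profile \
           -o -name .login -o -name .cshrc \) \
        -exec grep -l -E '/(var/)?tmp/|/dev/shm/' {} + 2>/dev/null
}

# list_cron_entries [ROOT]: every non-comment line from the system crontabs
# under ROOT (default: the real /). Review any entry that runs something
# from /tmp or a home directory, or that fires only at odd hours.
list_cron_entries() {
    r=${1:-}
    cat "$r/etc/crontab" "$r"/etc/cron.d/* "$r"/var/spool/cron/crontabs/* 2>/dev/null \
        | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Usage on a real host (as root). Record once on a clean system, then check
# daily:
#   baseline_dir /bin baseline.sha256
#   check_baseline baseline.sha256
#   find_setuid / ; find_recent / 2 ; find_trust_files /home
#   find_rc_hooks /home ; list_cron_entries
```

Keep the copy of sha256sum and find you run these with on read-only media too, because item 18 of the attack list is exactly the replacement of the tools you inspect the system with.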
Of course, to keep the system as secure as possible, besides prevention and regular checks we also need good habits for system and network security. Above all this means regular, complete backups. With complete backups the system can be restored quickly after an attack or a system fault.
Protection against virus intrusion
Nowadays DOS and Windows 9X/Me/NT/2000/XP systems are very popular, yet people have hardly heard of viruses on Linux or Unix, and some even believe there are none. That is a serious misunderstanding. In fact, the first program to be called a computer virus was demonstrated on a Unix system. If a virus outbreak happened on Linux, the consequences would be hard to imagine. Many current viruses are written in standard C so that they can run on any Linux or Unix variant, and can be compiled across platforms with make.
Although Windows NT/2000, Linux and Unix have advanced protection mechanisms that can stop most viruses, not all