Linux top 10 Advanced Security Management Skills

Source: Internet
Author: User
Tags: imap, superuser, permission

Many people are learning the Linux operating system, and an operating system is essential to any computer. Linux is developing very rapidly. Here we introduce some Linux knowledge so that you can learn how to use it well. Today I will talk about the top ten advanced security management skills in Linux, and I hope you will remember them.

The top ten advanced security management skills in Linux are as follows.

I. File System

In Linux, separate primary partitions are created for different applications. Mounting key partitions read-only greatly improves the security of the file system. This mainly involves the append-only and immutable attributes of the Linux ext2 file system.

◆ File partitions: a Linux file system can be divided into several major partitions, each configured and mounted separately; in general, at least /, /usr/local, /var and /home should be created as separate partitions. /usr can be mounted read-only and treated as unmodifiable. If any file in /usr changes, the system should immediately raise a security alarm; of course, this excludes changes to /usr made deliberately by the user. /lib, /boot and /sbin are installed and configured the same way: mount them read-only whenever possible, so that any modification to their files, directories or attributes triggers a system alarm.
Of course, not every major partition can be mounted read-only. Some, such as /var, cannot be read-only because of their nature; they should, however, not be allowed execute permission.
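The partition policy just described can be audited from a script. The following is an added example, not code from the original article: it reads mount entries in /proc/mounts format and reports every key file system that is missing from the policy or lacks the required options. The sample mount table and the policy itself (/usr and /boot read-only, /var and /home without exec, suid or device rights) are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit the mount options of the key
# file systems against the partition policy described above. The input is in
# /proc/mounts format; the sample below is constructed for offline use.

SAMPLE_MOUNTS='/dev/sda1 / ext2 rw 0 0
/dev/sda2 /usr ext2 ro 0 0
/dev/sda3 /usr/local ext2 rw 0 0
/dev/sda4 /var ext2 rw,nosuid 0 0
/dev/sda5 /home ext2 rw,nosuid,nodev 0 0'

# Policy (an assumption of this script): mount point, then the options it
# must carry. System trees read-only; data partitions without exec rights.
POLICY='/usr ro
/boot ro
/var noexec nosuid nodev
/home noexec nosuid nodev'

# has_opt OPTIONS OPT -> success when OPT appears in the comma-separated list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts MOUNTS_TEXT -> one line per violation:
#   "<mountpoint> not mounted separately" or "<mountpoint> missing: <opts>".
# Prints nothing when the policy is fully satisfied.
audit_mounts() {
    mounts="$1"
    printf '%s\n' "$POLICY" | while read -r mp required; do
        [ -n "$mp" ] || continue
        # field 2 of /proc/mounts is the mount point, field 4 the options
        line=$(printf '%s\n' "$mounts" | awk -v m="$mp" '$2 == m { print; exit }')
        if [ -z "$line" ]; then
            printf '%s not mounted separately\n' "$mp"
            continue
        fi
        opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
        missing=""
        for opt in $required; do
            has_opt "$opts" "$opt" || missing="$missing $opt"
        done
        [ -z "$missing" ] || printf '%s missing:%s\n' "$mp" "$missing"
    done
}

# audit_live -> the same check against the running system.
audit_live() {
    audit_mounts "$(cat /proc/mounts)"
}

audit_mounts "$SAMPLE_MOUNTS"
```

Run as a cron job, an empty result from audit_live means the layout still matches the policy; any output is the alarm condition the article asks for.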

◆ Extended ext2: the append-only and immutable file attributes of the ext2 file system can further raise the security level. Immutable and append-only are only two of the extended attribute flags of the ext2 file system. A file marked immutable cannot be modified, not even by the root user. A file marked append-only can be modified, but content can only be added at its end, and this restriction applies even to the root user.

You can use the chattr command to modify these attributes of a file; to view them, use the lsattr command. To learn more about ext2 file attributes, run man chattr. These two attributes are useful for detecting attempts by hackers to install intrusion backdoors in existing files. For safety, once such activity is detected, it should be blocked immediately and an alarm raised.

If your critical file systems are mounted read-only and their files are marked immutable, an intruder must remount the file system to delete those immutable files, and that immediately generates an alarm, which greatly reduces the chance of a successful intrusion.

◆ Log files: append-only and immutable are particularly useful for protecting log files and log backups. The system administrator should set the active log file to append-only. When the log is rotated, the new backup log file should be set immutable and the new active log file set append-only. This usually requires adding a few control commands to the log rotation script.
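The rotation step described above, as an added example rather than a script from the original article: it removes the append-only flag for the rename, locks the rotated copy immutable and recreates the active log append-only. It must run as root on a file system with ext2-style attributes; the DRY_RUN variable, the argument names and the 0640 mode are assumptions of this script, and with DRY_RUN set the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the article: a rotation step that keeps the active
# log append-only (+a) and every rotated copy immutable (+i). It must run as
# root on a file system with ext2-style attributes. DRY_RUN is an assumption
# of this script: when set, commands are printed rather than executed.

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rotate_log LOGFILE [STAMP] -> LOGFILE.STAMP is locked with +i and a fresh
# LOGFILE is created with +a. STAMP defaults to the current time.
rotate_log() {
    log="$1"
    stamp="${2:-$(date +%Y%m%d%H%M%S)}"
    backup="$log.$stamp"
    # An append-only file cannot be renamed, so drop +a for the rotation.
    run chattr -a "$log"
    run mv "$log" "$backup"
    # Rotated copies are never written again: make them immutable, even for root.
    run chattr +i "$backup"
    # The new active log accepts appends only.
    run touch "$log"
    run chmod 0640 "$log"
    run chattr +a "$log"
}

# has_attr FILE FLAG -> success when lsattr reports FLAG (a or i) on FILE.
# Useful as a post-rotation check from the same script.
has_attr() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
    case "$flags" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: DRY_RUN=1 sh rotate.sh /var/log/messages   (prints the six commands)
if [ $# -ge 1 ]; then
    rotate_log "$1"
fi
```

Because the +a flag forbids renaming as well as truncation, the script has to clear it before the move; that is exactly the window in which the rotation script itself must be trusted, so keep it outside the directories the attributes protect and run it only from cron or an immutable location.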

II. Backup

After a Linux system is installed, the entire system should be backed up. Later, the system's integrity can be verified against this backup, which reveals whether system files have been tampered with. If system files have been damaged, the backup can be used to restore them to a normal state.

◆ CD-ROM backup: the best medium for a system backup at present is the CD-ROM disc. The system can later be compared with the disc contents at regular intervals to verify that its integrity has not been damaged. If you require a high security level, you can make the disc bootable and make the verification part of the system startup process. Then, as long as the system can boot from the disc, it has not been damaged.

If you create read-only partitions, you can regularly reload them from the disc image. Even partitions that cannot be mounted read-only, such as /boot, /lib and /sbin, can still be checked against the disc image, or even be loaded at startup from another secure image.

◆ Other backup methods: many files in /etc may change frequently, but many others can still be stored on a CD for system integrity verification. Other rarely modified files can be backed up to another system or medium, such as tape, or compressed into a read-only directory. This allows additional system integrity checks beyond the verification against the CD image.

Since the vast majority of operating systems now ship on CD, it is very convenient to create an emergency boot disk or verification disk from a CD-ROM; this is a very effective and practical verification method.
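The comparison against a known-good copy can be reduced to a checksum manifest. The following added example (not from the article) records a manifest of a tree that should not change, such as /usr or its copy on the disc, and reports added, changed and removed files against it; the demo tree and the tampering applied to it are constructed here, and the script assumes sha256sum (or shasum) is available and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the article: build a checksum manifest of a tree
# that should not change and compare a later manifest against it. The demo
# tree, its baseline and the tampering performed on it are constructed here.

# hash_file PATH -> "<sha256>  <path>"; falls back to shasum where coreutils
# is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_manifest DIR -> one "<hash>  ./relative/path" line per regular file,
# sorted by path. Paths are assumed to contain no whitespace.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        hash_file "$f"
    done )
}

# compare_manifests BASELINE CURRENT -> "ADDED", "CHANGED" and "REMOVED"
# lines; prints nothing when the tree is identical to the baseline.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # safe even if BASELINE is empty
        {
            if (!($2 in base))        print "ADDED   " $2
            else if (base[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo -> builds a small constructed tree, records its baseline, then alters
# one file, adds a hidden file and removes another; returns the report.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tree/bin"
    printf 'original\n' > "$tmp/tree/bin/login"
    printf 'keep\n'     > "$tmp/tree/bin/ls"
    printf 'old\n'      > "$tmp/tree/bin/obsolete"
    make_manifest "$tmp/tree" > "$tmp/baseline.sha256"

    printf 'modified\n' > "$tmp/tree/bin/login"    # tampered file
    printf 'x\n'        > "$tmp/tree/bin/.hidden"  # dropped file
    rm "$tmp/tree/bin/obsolete"                    # removed file
    make_manifest "$tmp/tree" > "$tmp/current.sha256"

    compare_manifests "$tmp/baseline.sha256" "$tmp/current.sha256"
    rm -rf "$tmp"
}

demo
```

The baseline manifest is only as trustworthy as its storage, which is the article's point about the disc: keep it on the read-only medium, or at least mark it immutable, so that an intruder who alters /usr cannot also alter the record it is compared against.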

III. Improve the system's internal security mechanisms

You can improve the internal functions of the Linux operating system to prevent buffer overflow attacks, which are highly destructive and among the hardest to defend against. Although such improvements require the system administrator to have considerable experience and skill, they are necessary for many Linux systems with high security requirements.

◆ Solar Designer's secure Linux patch: Solar Designer's secure Linux patch for the 2.0 kernel provides a non-executable stack to reduce the threat of buffer overflows, thus greatly improving the security of the entire system.

Buffer overflow attacks are fairly difficult to carry out, because the intruder must be able to determine when a potential buffer overflow will occur and where it will appear in memory. Preventing them is also very difficult: the system administrator must completely remove the conditions for buffer overflows. Because of this, many people, including Linus Torvalds, consider this secure Linux patch very important, since it prevents all attacks that rely on a buffer overflow. It should be noted, however, that some programs and libraries depend on an executable stack, and these patches break them, which brings new challenges for the system administrator.

The non-executable stack patch has been distributed on many security mailing lists, such as securedistros@nl.linux.org, and users can easily download it.

◆ StackGuard: StackGuard is a powerful security patching tool. You can recompile and link key applications with the gcc version patched by StackGuard.

StackGuard adds stack checks at compile time to prevent stack-based buffer overflow attacks. Although this may cause a slight reduction in system performance, StackGuard is still a very useful tool for specific applications with high security requirements.

Linux versions that use StackGuard are now available, which makes StackGuard easier to use. Although using StackGuard reduces system performance by about 10~20%, it can prevent buffer overflows altogether.
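The non-executable stack of that kernel patch survives in today's systems as a per-binary decision recorded in the PT_GNU_STACK program header (flags RW for a non-executable stack, RWE for an executable one), which the kernel honours at exec time. The following is an added example that goes beyond the article: it classifies binaries from readelf -lW output so an administrator can find programs that still request an executable stack. The readelf outputs below are constructed so the parser can be exercised without readelf; check_binary and report_exec_stack need binutils on the host.

```shell
#!/bin/sh
# Added example, not from the article, and going beyond it: classify ELF
# binaries by their PT_GNU_STACK flags (RW = non-executable stack, RWE =
# executable) as printed by "readelf -lW". The sample outputs are constructed.

SAMPLE_NX='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000648 0x000648 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'

SAMPLE_EXEC='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'

# Binaries built before PT_GNU_STACK existed carry no such header at all.
SAMPLE_UNMARKED='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000648 0x000648 R E 0x1000'

# classify_stack READELF_OUTPUT -> "nx", "exec" or "unmarked" (no header, or
# empty input). The flags are the second-to-last field of the GNU_STACK line.
classify_stack() {
    printf '%s\n' "$1" | awk '
        $1 == "GNU_STACK" { found = 1; flags = $(NF - 1) }
        END {
            if (!found)           print "unmarked"
            else if (flags ~ /E/) print "exec"
            else                  print "nx"
        }'
}

# check_binary PATH -> classification of a real file, or "not-elf" when
# readelf rejects it (scripts, data files).
check_binary() {
    out=$(readelf -lW "$1" 2>/dev/null) || { echo "not-elf"; return 0; }
    classify_stack "$out"
}

# report_exec_stack DIR -> lists executables under DIR whose stack is
# executable or unmarked; on a hardened host the list should be empty.
report_exec_stack() {
    find "$1" -type f -perm -100 2>/dev/null | while read -r f; do
        c=$(check_binary "$f")
        case "$c" in
            nx|not-elf) ;;
            *) printf '%s %s\n' "$c" "$f" ;;
        esac
    done
}

# Usage: sh stackcheck.sh /usr/local/bin
if [ $# -ge 1 ]; then
    report_exec_stack "$1"
fi
```

An "unmarked" result deserves the same attention as "exec": without the header the kernel falls back to the architecture's legacy behaviour, and on older x86 setups that meant an executable stack, which is precisely the condition the patch in this section was written to remove.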

◆ New access control features: the Linux 2.3 kernel is trying to implement access control lists in the file system, adding finer-grained access control on top of the original three-way (owner, group and other) mechanism.

In kernel versions 2.2 and 2.3, new access control features are being developed that will eventually affect the current ext2 file attributes. Compared with the traditional ext2 file system, they provide more precise security control. With this new feature, applications will be able to access certain system resources without superuser permission, such as during initialization.

◆ Rule Set Based Access Control: a rule-set-based access control project, RSBAC, is being developed by the Linux community. The project claims to bring B1-level security to the Linux operating system. RSBAC is an extension framework for access control that extends many system calls and supports multiple access control and authentication methods. It is very useful for extending and enhancing the internal and local security of Linux systems.

IV. Set traps and honeypots

A trap is software that triggers an alarm event when activated, while a honeypot is a trap program designed to lure the hacker into triggering a special alarm. With traps and honeypots in place, the system can raise an alarm quickly once an intrusion occurs. Many large networks deploy specially designed traps. Traps fall into two types: those that only detect intruders without retaliating, and those that retaliate as well.

A common way to set up a honeypot is to deliberately advertise that a Linux system runs one of the many vulnerable IMAP server versions. When intruders scan these IMAP ports on a large scale, they fall into the trap and trigger system alarms.

Another example of a honeypot trap is the well-known phf, a very fragile web cgi-bin script. The original phf was designed to look up phone numbers, but it had a serious security vulnerability that allowed intruders to use it to obtain the system password file or perform other malicious operations. The system administrator can set up a fake phf script that does not send the password file to the intruder but instead returns some false information, and at the same time sends an alarm to the system administrator.

Another type of honeypot trap rejects intruders immediately by blacklisting their IP addresses in the firewall. Rejecting unfriendly access can be short-term or long-term. The firewall code in the Linux kernel is well suited to this.


V. Nip intrusions in the bud

One of the most common things intruders do before launching an attack is to scan port numbers. If you can detect and block the hacker's scanning in time, the incidence of intrusions can be greatly reduced. The reacting system can be a simple stateful packet filter, a complex intrusion detection system, or a configurable firewall.


◆ Abacus PortSentry: Abacus PortSentry is an open source toolkit that monitors network interfaces and interacts with the firewall to block port scanning attacks. PortSentry can stop an ongoing port scan immediately. However, if configured improperly, it may also allow hostile outsiders to mount a DoS attack on your system.

Abacus PortSentry can provide effective intrusion prevention when used together with the transparent proxy tools in Linux. In this way, the unused ports of commonly provided services on all IP addresses can be redirected to PortSentry, which can then detect and block port scans before the intruder takes further action.

Abacus PortSentry can detect slow scans (slowscan) but not structured attacks (structured attack). Both methods aim to conceal the attacker's intent. A slow scan spreads the port scan over a long period of time. In a structured attack, attackers try to mask their actual targets by scanning or probing from multiple source addresses.

Used correctly, this software effectively prevents large numbers of parallel scans against IMAP services and blocks all such intruders. PortSentry is most effective when used together with the IPChains tool of the Linux 2.2 kernel: IPChains can automatically redirect all port scanning to PortSentry.

The Linux 2.0 kernel can be patched to use IPChains. Abacus PortSentry can also be used with ipfwadm in versions earlier than 2.2; ipfwadm was replaced by IPChains from version 2.2 on.

Abacus PortSentry can also be configured to respond to UDP scans on Linux, and even to various half-open scans such as FIN scans, which try to avoid detection by sending only a small probe packet instead of establishing a real connection.

Of course, a better solution is a dedicated intrusion detection system that can reconfigure the firewall based on intrusion alarms and attack signatures. However, such products are generally expensive and out of reach for ordinary users.
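The detect-then-block loop that PortSentry and the firewall perform can be shown on a small scale. The following added example (not from the article, and not PortSentry's own code) counts distinct destination ports per source address in kernel firewall log lines and prints the corresponding block rule for review. The log lines are constructed in the netfilter LOG format; the THRESHOLD value, the rule being printed rather than applied, and the use of ipchains syntax are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the article: a minimal port-scan detector in the
# spirit of PortSentry, run over constructed kernel firewall log lines in the
# netfilter LOG format. A source probing more than THRESHOLD distinct ports
# is reported, and the block rule is printed for review, not executed.

THRESHOLD=${THRESHOLD:-5}

# 203.0.113.7 sweeps six services; 198.51.100.4 only retries IMAP (port 143).
SAMPLE_LOG='Jan  1 00:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan  1 00:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan  1 00:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan  1 00:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan  1 00:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110 SYN
Jan  1 00:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=143 SYN
Jan  1 00:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=143 SYN
Jan  1 00:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=143 SYN
Jan  1 00:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=143 SYN
Jan  1 00:00:04 gw kernel: martian source 10.0.0.1 from 10.0.0.2'

# scanners LOGTEXT THRESHOLD -> "SRC COUNT" for each source address that
# probed more than THRESHOLD distinct ports. Repeats of one port count once;
# lines without both SRC= and DPT= are ignored.
scanners() {
    printf '%s\n' "$1" | awk -v t="$2" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] > t) print s, ports[s] }
    ' | LC_ALL=C sort
}

# block_rules LOGTEXT THRESHOLD -> one firewall rule per scanner, in the
# ipchains syntax of the 2.2 kernels discussed above (with iptables it would
# be "iptables -I INPUT -s SRC -j DROP"). Printed, never applied here.
block_rules() {
    scanners "$1" "$2" | while read -r src count; do
        printf 'ipchains -I input -s %s -j DENY   # %s distinct ports probed\n' "$src" "$count"
    done
}

block_rules "$SAMPLE_LOG" "$THRESHOLD"
```

Counting distinct ports rather than packets is what separates a sweep from a legitimate client retrying one service, and it is also why the article's warning about misconfiguration matters: a block rule driven by spoofable source addresses is a denial-of-service lever unless the threshold is conservative and blocks expire.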

VI. Anti-Attack Detection

An intrusion prevention system mainly blocks intrusion attempts, whereas an anti-attack system scans the intruder's ports in return or launches other attacks. This does not defeat the intruder's plan; on the contrary, it "invites the wolf into the house" and provokes counter-attacks.

Some security systems, such as Abacus PortSentry, have certain anti-attack capabilities. For example, some sites prevent users from connecting via telnet, and when responding to a telnet connection request the system returns some unwelcome, hostile information. This is only the simplest and mildest anti-attack measure.

In general, anti-attack measures are not recommended, because they can easily be exploited to attack other systems.

VII. Improved logging

Moving the system log server to a separate machine raises the system's security level. Replacing Linux's own logging tool with a more secure log server can improve security further.

In a large Linux network, it is best to use a separate log server for the syslog service. It must be a server that can meet the logging needs of all systems and has enough disk space, and no other services should run on it. A more secure log server greatly weakens an intruder's ability to tamper with log files through the logging system.

◆ Secure syslog: even with a separate log server, Linux's own syslog tool is quite insecure, so a so-called secure log server was developed that integrates cryptographic signatures into the log. This ensures that intruders cannot tamper with system logs without being detected. Currently, the most common secure log server used to replace syslog is called secure syslog (ssyslog). You can download this tool from the Core SDI site, http://www.core-sdi.com/ssylog. This daemon implements a cryptographic protocol called PEO-1 for remote auditing of system logs. Even if intruders obtain system superuser permissions, the information can still be audited, because the protocol ensures that log entries recorded before and during the intrusion (up to the point at which the auditor on a remote trusted host is notified) cannot be modified.

◆ syslog-ng: another tool to replace syslog is syslog-ng (next generation syslog). This is a more configurable daemon that provides cryptographic signatures to detect tampering with log files. A cryptographically secured log server together with remote auditing makes it difficult for intruders to tamper with logs and helps detect such attempts. You can download the tool from www.balabit.hu/products/syslog-ng.html.

VIII. Single sign-on

Maintaining multiple user accounts in a large distributed network environment is a headache for system administrators. Some single sign-on systems now not only reduce the administrator's burden but also improve the security level.


Network Information Service (NIS) is a good single sign-on system developed from Sun's Yellow Pages service. Its basic security features are not robust enough, and a number of bugs and vulnerabilities have been published, so some people call it the "Network Intruder Service". The updated version, NIS+, improves on the original NIS, and there is now an NIS+ version for Linux.

Kerberos is also a very well-known single sign-on system. Kerberos v4 has some well-known security vulnerabilities; for example, intruders can mount offline exhaustive attacks against Kerberos credentials without being detected. Kerberos v5 has been greatly improved and no longer has the v4 problems.

In a large network, single sign-on systems such as NIS and Kerberos have both advantages and disadvantages. On the one hand, keeping the authentication mechanism separate from the individual systems helps isolate this function and reduces interference between it and other services. On the other hand, once an account in one system is compromised, all systems accessible through that account are compromised too. A single sign-on system therefore requires passwords that are highly resistant to fraud.

Windows-based networks have their own single sign-on system in the Windows NT domain. Linux can authenticate against Windows, which lets users modify, maintain and manage their accounts and passwords in Windows, with the changes reflected in UNIX logins at the same time. With pam_smb, a Linux system can authenticate against a Windows SMB domain. This is quite convenient on networks centered on Windows administration, but it also brings in some of the insecure features of the Windows authentication system.

IX. Keep up with the latest security products and technologies

As a system administrator, you must keep track of developments in Linux security technology and adopt more advanced Linux security tools promptly. There are currently many Linux security research and development projects worldwide; at least three secure Linux projects have been started, each with its own goals:

◆ Secure Linux: the Secure Linux project (www.reseau.nl/securelinux) aims to provide a secure Linux distribution for Internet server systems. The project manager is seeking to integrate strong cryptography and some additional web server features into this product. Since it was created outside the United States, its improved cryptographic security is expected to be free of the US export restrictions on security products.

◆ Bastille Linux: the Bastille Linux project (www.bastille-linux.org) seeks to establish a standard similar to OpenBSD in a Linux environment. It aims to create a secure distribution for desktops so that network administrators do not have to worry about user security.

◆ Kha0s Linux: Kha0s Linux (www.kha0s.org) seeks to create a minimal secure Linux distribution with strong encryption and security policies similar to OpenBSD. The team is currently inviting participation and cooperation from users and vendors worldwide on its web site.

In addition, the following two points are also very useful for administrators improving Linux security management:

Read the Linux security mailing lists: there are now many mailing lists about Linux security, such as securedistros@nl.linux.org and Kha0s-dev@kha0s.org; reading them regularly yields a lot of security information.

Another common mailing list is security-audit@ferret.lmh.ox.ac.uk, which specifically discusses source code security auditing. It may overlap considerably with other mailing lists, but it is worth reading if you want to learn about source code auditing and related security issues.

X. A multi-pronged approach

The defensive capability of any single security measure is limited. A secure system must adopt multiple security measures at once to ensure better security. If a Linux system adopts all of the measures above, an attacker has to bypass the firewall, evade the intrusion detection system, skip the traps, get past the system filters, escape your log monitor, modify file system attributes and subvert the secure log server. Since an alarm may be triggered at any of these stages, it is almost impossible for an intruder to break into such a system undetected.

I hope you have mastered the top ten advanced security management skills of Linux.
