As Linux is deployed more and more widely on networks, its security receives more and more attention. This article introduces how sniffer technology works and the measures that defend against it.
What is a sniffer?
A sniffer is a device that captures network packets; the word also means a wiretap or bug. It works quietly at the bottom layer of the network and can record everything that passes, including users' secrets. The legitimate use of a sniffer is to analyze network traffic and identify potential problems in the network. For example, if one part of the network is performing badly and messages are being sent slowly, but we do not know where the problem lies, a sniffer lets us pinpoint it. Sniffers differ in function and design: some can analyze only one protocol, while others can analyze several hundred. Most sniffing devices can analyze at least the following: standard Ethernet, TCP/IP, IPX, DECnet, FDDI, Token Ring, microwave links and wireless networks.
In practice a sniffer can be software or hardware. A software sniffer is cheap and easy to use; its drawback is that it often cannot capture all of the data transmitted on the network (fragments, for example), so it may not give a complete picture of network faults and running conditions. A hardware sniffer is usually called a protocol analyzer. Its advantage is exactly what the software sniffer lacks, but it is expensive. Most of the popular sniffer tools are software.
FTP, POP and Telnet are inherently insecure because they transmit passwords and data in plain text on the network, and a sniffer can easily intercept them. In addition, the authentication methods of these services are weak, which leaves them open to attack by an "intermediate server", that is, a man-in-the-middle. In such an attack the intermediary impersonates the real server to receive the data the user sends to the server, then impersonates the user and passes that data on to the real server. Once all data exchanged between the user and the server has been relayed through the intermediary, the consequences are very serious: the intermediary has seen every password and all the data that passed between them.
A sniffer differs from an ordinary keystroke logger. A keystroke logger captures the key values typed at a terminal, whereas a sniffer captures real network packets. The sniffer achieves this by attaching to a network interface, for example by putting the Ethernet card into promiscuous mode. Data travels over the network in small units called frames. A frame consists of several parts, each with its own function. For example, the first 12 bytes of an Ethernet frame hold the source and destination addresses, which tell where the data came from and where it is going. The rest of the frame carries the actual user data together with the TCP/IP or IPX headers. A frame is assembled by a specific piece of software, the network driver, and then sent onto the cable through the network adapter. It travels along the cable to the target machine, where the reverse process takes place: the receiver's Ethernet card captures the frame, notifies the operating system that it has arrived, and the frame is stored.
During this sending and receiving, every workstation on the LAN has its own hardware address, and these addresses uniquely identify the machines on the network, much like the Internet addressing system. When a user sends a packet, it is delivered to every reachable machine on the LAN. In general all machines on the network can "hear" the traffic going past, but they do not respond to packets that are not addressed to them; in other words, workstation A does not capture data belonging to workstation B, it simply ignores it. If a workstation's network interface is in promiscuous mode, however, it captures every packet and frame on the network. A workstation configured this way (together with its software) is a sniffer, and this is the root of the security problems that sniffers cause.
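The following Python script is an added example, not code from the original article. It makes the paragraph above concrete in three steps: it builds and parses the 14-byte Ethernet header (6-byte destination address, 6-byte source address, 2-byte EtherType) in front of the user data, it models the receive filter of a network card so you can see why a station in normal mode ignores frame A to B while the same station in promiscuous mode captures it, and it gives the defender's check that follows from the last sentence: on Linux, an interface that has been put into promiscuous mode has the IFF_PROMISC bit (0x100, from <linux/if.h>) set in the hex flags word the kernel exposes at /sys/class/net/<iface>/flags. All frames and the hardware addresses in the demo are constructed; the sysfs path and the flag value are the only external assumptions.

```python
"""Ethernet frame fields, the NIC receive filter versus promiscuous mode, and a
Linux check for interfaces that have been left in promiscuous mode.
Added example; all frames below are constructed, not captured."""
import struct
from dataclasses import dataclass
from pathlib import Path

ETH_HDR_LEN = 14                                   # 6 dst + 6 src + 2 EtherType
BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX"}
IFF_PROMISC = 0x100                                # IFF_PROMISC from <linux/if.h>


@dataclass
class EthernetFrame:
    dst: bytes        # destination hardware address (first 6 bytes on the wire)
    src: bytes        # source hardware address (next 6 bytes)
    ethertype: int    # what the payload carries: IP, ARP, IPX, ...
    payload: bytes    # user data plus the upper-layer headers (TCP/IP, IPX)

    @property
    def ethertype_name(self) -> str:
        return ETHERTYPE_NAMES.get(self.ethertype, f"0x{self.ethertype:04x}")


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """What the network driver does: wrap user data in an Ethernet II header."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_ethernet(raw: bytes) -> EthernetFrame:
    """The reverse process at the receiver: split the 14-byte header off the
    frame. The first 12 bytes are the two hardware addresses the article mentions."""
    if len(raw) < ETH_HDR_LEN:
        raise ValueError(f"frame too short for an Ethernet header: {len(raw)} bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:ETH_HDR_LEN])
    return EthernetFrame(dst, src, ethertype, raw[ETH_HDR_LEN:])


def nic_accepts(frame: EthernetFrame, own_mac: bytes, promiscuous: bool) -> bool:
    """Model the card's receive filter. Normally a station passes up only frames
    addressed to its own hardware address or to broadcast and silently ignores
    the rest; in promiscuous mode every frame seen on the wire is passed up."""
    if promiscuous:
        return True
    return frame.dst == own_mac or frame.dst == BROADCAST


def flags_indicate_promisc(flags: int) -> bool:
    """True if an interface flags word has IFF_PROMISC set."""
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(iface_flags: dict) -> list:
    """Defender's check over a mapping of interface name -> flags text as read
    from /sys/class/net/<iface>/flags (a hex string such as '0x1103')."""
    found = []
    for name, text in sorted(iface_flags.items()):
        try:
            flags = int(text.strip(), 16)
        except ValueError:
            continue                               # unreadable flags word: skip it
        if flags_indicate_promisc(flags):
            found.append(name)
    return found


def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Collect the flags files of all interfaces on a Linux host (empty elsewhere)."""
    result = {}
    base = Path(root)
    if not base.is_dir():
        return result
    for flags_file in base.glob("*/flags"):
        try:
            result[flags_file.parent.name] = flags_file.read_text()
        except OSError:
            pass
    return result


if __name__ == "__main__":
    # Constructed LAN: B sends A a frame and a broadcast; C is a third station on the wire.
    mac_a, mac_b, mac_c = (bytes.fromhex(m) for m in
                           ("001122334455", "66778899aabb", "ccddeeff0011"))
    unicast = parse_ethernet(build_frame(mac_a, mac_b, 0x0800, b"user data"))
    broadcast = parse_ethernet(build_frame(BROADCAST, mac_b, 0x0806, b"\x00" * 28))
    for fr in (unicast, broadcast):
        print(f"{mac_str(fr.src)} -> {mac_str(fr.dst)} {fr.ethertype_name}: "
              f"C normal={nic_accepts(fr, mac_c, False)} "
              f"C promiscuous={nic_accepts(fr, mac_c, True)}")
    promisc = promiscuous_interfaces(read_sysfs_flags())
    print("interfaces in promiscuous mode:", promisc or "none")
```

Run on a Linux host, the last line lists any interface currently in promiscuous mode; an interface that shows up there without a known packet-capture tool running on the machine is worth investigating. The sysfs flags file only reflects the interface flag, so it cannot see a capture that runs on another host sharing the same medium; that case is the reason the article goes on to recommend replacing plaintext protocols and segmenting the network.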