UNIX and Linux Server Security Settings Primer

Source: Internet
Author: User
In practice every hacker has his own methods. The author has collected a great deal of material on breaking into web servers, but because circumstances differ from case to case, many of those methods fail in a given situation; this shows that every site is different and that an intruder has to treat each one individually. For example, if the network link in Shenzhen is much better than the one in Beijing, dictionary attacks become far more convenient there: a Shenzhen user can rely on that advantage to attack passwords online, while a Beijing user needs to give priority to other options. Out of the many intrusion methods, I draw on an article by the well-known hacker Hackalot to introduce the basic steps of breaking into a web site.
Analysis of a number of home-page defacement cases shows that the targets intruders are most interested in are web servers and FTP servers, because relatively speaking these are the two simplest ways in. Assuming the reader has some knowledge of UNIX systems and web servers, the author gives the following steps.
First, understand the system to be invaded

The operating systems used on network servers today are dominated by UNIX and Linux, and anyone who wants to break into these systems must understand them.
Most of the commands used on DOS have counterparts on UNIX and Linux (because early DOS development borrowed from UNIX). When using a shell account, the most important commands correspond to their DOS equivalents as follows:
help = help
cp = copy
mv = move
ls = dir
rm = del
cd = cd
To see who else is on the system, type the who command, which lists the users currently logged in; to learn more about a particular user, type finger. These basic UNIX commands let you gather information about the system you are using.

Second, crack the passwords
In the UNIX operating system, all system users' passwords are stored in a single file, located under the /etc directory and called passwd. If the reader thinks the job is simply to get that file and log on with the passwords in it, that is a big mistake. The passwd file in UNIX and Linux is special: every account password in it has been encoded (with the DES encryption method mentioned earlier), and the encoding is one-way (one-way encryption), which means there is no way to decode (decrypt) it.
But there are programs that can recover the original passwords. I recommend a password-cracking program called "Cracker Jack", a piece of software that exhaustively works through a dictionary file. "Cracker Jack" first encodes every word in the dictionary file, then compares the encoded values with the contents of the password file; where they match, it reports the corresponding plaintext password. The software cleverly sidesteps the fact that the encoding cannot be reversed and obtains passwords by brute-force comparison. There are many tools that use this principle to obtain passwords, and readers can search the web for them.

Third, obtain the password file
This is the hardest part. Obviously, no administrator who has a password file would leave it where others could comfortably take it. The intruder must find a good way to get the password file without first entering the system. Here I introduce two methods; readers may try them, and one of them may succeed.
1. Sometimes the /etc directory of the FTP service is not locked down. The intruder can log in with an FTP client program using the anonymous account, then check whether /etc/passwd is readable by anonymous users; if it is, a copy is taken and decoded with the software described above.
2. On some systems the /cgi-bin directory contains a file called phf; if it is present on the server you intend to invade, things become much more convenient. Since phf allows users to read remote files on the web site's system, the user can fetch the passwd file with a browser simply by typing the URL http://xxx.xxx.xxx/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd into the browser's address bar, where xxx.xxx.xxx is the name of the site to be invaded.
If neither of these approaches works, the intruder must try other options.
In some cases the intruder finds that the second field of the password file is x, ! or *, which means the password file has been locked; this is one of the security measures system administrators use. But it is not quite the case that the password file is then completely hidden. Typically there is an unlocked backup of the password file somewhere on the system that the intruder can exploit; for example, intruders often look for /etc/shadow or similar locations to see whether a backup of the password file can be found.

Fourth, establish a shell account
After the two critical steps, two and three, the intruder finally has the key password file and has cracked the passwords. Now the telnet program can be run to log on to the host. When you connect to the server, it displays some information about itself, typically UNIX, Linux, AIX, IRIX, Ultrix, BSD, or even DOS and VAX/VMS, and then the login prompt appears on the screen; the account name and password you type let you log on to the system. At this point the intruder can use his UNIX knowledge to do whatever he likes.

Finally, let us analyze a password file. Its contents are as follows:
root:1234aaab:0:1:operator:/:/bin/csh
nobody:*:12345:12345::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
sun:123456hhh:0:1:operator:/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
tom:456lll45uu:100:20::/home/tom:/bin/csh
john:456fff76sl:101:20:john:/home/john:/bin/csh
henry:austs45yus:102:20:henry:/home/henry:/bin/csh
harry:sydusrd5sy:103:20:harry:/home/harry:/bin/csh
steven:ges45yds5ry:104:20:steven:/home/steven:/bin/csh
+::0:0:::

Each line is divided by ":" into several fields. For example, the meaning of tom:456lll45uu:100:20:tomchang:/home/tom:/bin/csh is:
User name: tom
Password: 456lll45uu
User ID (UID): 100
Group ID (GID): 20
Real name: Tom Chang
Home directory: /home/tom
Shell: /bin/csh

Readers will notice that the password fields of nobody, daemon, sys, bin, uucp, news, audit, sysdiag, sundiag and so on are all *, which means the passwords of these accounts are locked and they cannot be used directly.

It is worth noting that after a fresh installation many systems have a number of default accounts and passwords, which is convenient for opportunistic hackers. Below are some UNIX default accounts and passwords.
Account      Password
-----------  ----------------
root         root
sys          sys / system / bin
bin          sys / bin
mountfsys    mountfsys
adm          adm
uucp         uucp
nuucp        anon
anon         anon
user         user
games        games
install      install
reboot       (used for "command login")
demo         demo
umountfsys   umountfsys
sync         sync
admin        admin
guest        guest
daemon       daemon

Of these, root, mountfsys, umountfsys and install (and sync as well) are root-level accounts with sysop (system administrator) privileges.
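As an added example (not part of the original article), here is a Python script that checks a passwd file for the problems the listing and the default-account table above illustrate: accounts with an empty password field, UID 0 accounts other than root, password hashes left readable in passwd instead of a lock or shadow marker, default account names that are not locked, and NIS "+" entries that pull in accounts from elsewhere. The sample file is constructed from the listing above; LOCK_MARKERS and DEFAULT_ACCOUNTS are the script's own assumptions.

```python
"""Check a passwd(5) file for the weaknesses discussed in this primer.

Added example, not part of the original article. LOCK_MARKERS and
DEFAULT_ACCOUNTS are this script's own assumptions; the sample file is
constructed from the listing in the article.
"""
from dataclasses import dataclass

# Password-field values that mean "no usable hash here": x = shadowed
# (Linux), ! or * = locked, NP = no password (some System V variants).
LOCK_MARKERS = {"x", "!", "!!", "*", "*LK*", "NP"}

# Default account names from the table above, lower-cased.
DEFAULT_ACCOUNTS = {
    "root", "sys", "bin", "mountfsys", "adm", "uucp", "nuucp", "anon",
    "user", "games", "install", "reboot", "demo", "umountfsys", "sync",
    "admin", "guest", "daemon",
}

# Constructed sample, based on the listing in the article.
SAMPLE_PASSWD = """\
root:1234aaab:0:1:operator:/:/bin/csh
nobody:*:12345:12345::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
sun:123456hhh:0:1:operator:/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
tom:456lll45uu:100:20::/home/tom:/bin/csh
john:456fff76sl:101:20:john:/home/john:/bin/csh
henry:austs45yus:102:20:henry:/home/henry:/bin/csh
harry:sydusrd5sy:103:20:harry:/home/harry:/bin/csh
steven:ges45yds5ry:104:20:steven:/home/steven:/bin/csh
+::0:0:::
"""


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split each non-empty, non-comment line into the seven passwd fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        # NIS compatibility entries such as "+::0:0:::" may leave numeric
        # fields empty; treat an empty UID/GID as 0 so they still parse.
        entries.append(PasswdEntry(name, password, int(uid or 0), int(gid or 0),
                                   gecos, home, shell))
    return entries


def is_locked(password):
    """True when the field holds a lock/shadow marker rather than a hash."""
    return password in LOCK_MARKERS or password.startswith("!")


def audit_passwd(text):
    """Return the accounts that match each weakness, in file order."""
    findings = {
        "empty_password": [],    # can log in with no password at all
        "extra_uid0": [],        # superuser accounts other than root
        "unshadowed_hash": [],   # hash readable by anyone who can read passwd
        "unlocked_default": [],  # well-known default account still usable
        "nis_compat": [],        # "+" entries pull in accounts from NIS
    }
    for e in parse_passwd(text):
        if e.name.startswith(("+", "-")):
            findings["nis_compat"].append(e.name)
            continue
        if e.password == "":
            findings["empty_password"].append(e.name)
        elif not is_locked(e.password):
            findings["unshadowed_hash"].append(e.name)
        if e.uid == 0 and e.name != "root":
            findings["extra_uid0"].append(e.name)
        if e.name in DEFAULT_ACCOUNTS and not is_locked(e.password):
            findings["unlocked_default"].append(e.name)
    return findings


if __name__ == "__main__":
    for kind, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{kind:18s} {', '.join(names) or '-'}")
```

Run against the sample it reports sync as having no password, sun, sysdiag and sundiag as extra UID 0 accounts, every account with a real hash (root, sun, tom, john, henry, harry, steven) as unshadowed, root and sync as unlocked default accounts, and the trailing "+" NIS entry. On a live system, point it at /etc/passwd; anything in unshadowed_hash is exactly what the dictionary programs described above need.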

Finally, the UNIX log files need to be introduced. Many intruders do not want the compromised computer to keep track of them, so what exactly does that involve?
System administrators rely mainly on the system log, what we usually call the log files, to find the traces of an intrusion and information such as the intruder's IP address. Of course, some administrators use third-party tools to record information about intrusions into the computer; what follows mainly concerns the files in which a general UNIX system records the traces of an intrusion.

UNIX comes in many versions, and each has different log files, but most should keep them in the same places. The most common locations are:
/usr/adm, on earlier versions of UNIX;
/var/adm, used by newer versions;
/var/log, used by some versions of Solaris, Linux, BSD and FreeBSD;
/etc, where most UNIX versions put utmp, some also put wtmp, and where syslog.conf is located.

Here are the functions of these files; of course they vary with the system being intruded.
acct or pacct, records the commands run by each user;
access_log, mainly used by servers running NCSA httpd; this log records every site that connects to your server;
aculog, keeps a record of the modem calls you dial out;
lastlog, records each user's most recent login and initial destination, and sometimes the last unsuccessful login attempts;
loginlog, records abnormal login attempts;
messages, records output to the system console; the other information in it is generated by syslog;
security, records attempts to use the UUCP system to enter restricted areas;
sulog, records use of the su command;
utmp, records all users currently logged into the system, and changes constantly as users enter and leave;
utmpx, an extension of utmp;
wtmp, records user login and logout events;
syslog, the most important log file, produced by the syslogd daemon, which takes its log information from:
/dev/log, a UNIX domain socket that accepts messages generated by processes running on the local machine;
/dev/klog, a device that accepts messages from the UNIX kernel;
port 514, an Internet socket that receives syslog messages generated by other machines via UDP;
uucp, records UUCP information; it can be updated by local UUCP activity and also modified by actions initiated from remote sites, and includes calls placed and received, requests sent, the sender, the time sent and the sending host;
lpd-errs, the log of printer fault handling;
ftp log, the recording function obtained by running ftpd with the -l option;
httpd log, in which the httpd server logs every web access;
history log, which keeps a record of the user's most recently entered commands;
vold.log, records errors encountered when using external media.
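As an added example, not from the original article, the following Python script scans log lines for the traces an administrator would look for after the steps described above: repeated failed logins from one address (online password guessing), anonymous FTP logins (the route used in step three to fetch /etc/passwd), and every attempt to become root with su, successful or not. The sample lines are constructed in the style of the util-linux login program and of ftpd run with -l as they appear in messages, and of a System V style sulog; the hosts, addresses, PIDs and times are made up.

```python
"""Find intrusion traces in syslog-style records.

Added example, not from the original article. The sample lines are
constructed: they imitate the "messages" output of the util-linux login
program and of wu-ftpd run with -l, and a System V style sulog. Hosts,
addresses, PIDs and times are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of a "messages" file (syslog format).
SAMPLE_MESSAGES = """\
Mar  3 10:12:01 web1 login[1201]: FAILED LOGIN 1 FROM 10.0.0.5 FOR tom, Authentication failure
Mar  3 10:12:04 web1 login[1201]: FAILED LOGIN 2 FROM 10.0.0.5 FOR tom, Authentication failure
Mar  3 10:12:07 web1 login[1201]: FAILED LOGIN 3 FROM 10.0.0.5 FOR root, Authentication failure
Mar  3 10:12:10 web1 login[1201]: FAILED LOGIN 4 FROM 10.0.0.5 FOR john, Authentication failure
Mar  3 10:20:44 web1 login[1240]: FAILED LOGIN 1 FROM 10.0.0.9 FOR henry, Authentication failure
Mar  3 10:25:13 web1 login[1255]: LOGIN ON pts/1 BY tom FROM 10.0.0.9
Mar  3 10:31:02 web1 ftpd[1302]: ANONYMOUS FTP LOGIN FROM 10.0.0.5 [10.0.0.5], mozilla@
"""

# Constructed sample of a sulog file: SU MM/DD HH:MM +|- tty from-to.
SAMPLE_SULOG = """\
SU 03/03 10:40 + pts/1 tom-root
SU 03/03 10:41 - pts/2 john-root
SU 03/03 10:42 + pts/3 harry-news
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
FAILED_LOGIN_RE = re.compile(
    SYSLOG_PREFIX
    + r"login\[\d+\]: FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,\s]+)")
ANON_FTP_RE = re.compile(
    SYSLOG_PREFIX
    + r"ftpd\[\d+\]: ANONYMOUS FTP LOGIN FROM \S+ \[(?P<src>[^\]]+)\], (?P<pw>.*)$")
SULOG_RE = re.compile(
    r"^SU (?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d) (?P<ok>[+-]) (?P<tty>\S+) "
    r"(?P<src>[^-\s]+)-(?P<dst>\S+)$")


def scan_messages(text, threshold=3):
    """Return (guessing, anon_ftp): sources with >= threshold failed logins
    and the user names they tried, plus every anonymous FTP login."""
    failed = Counter()
    users = defaultdict(set)
    anon_ftp = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            failed[m["src"]] += 1
            users[m["src"]].add(m["user"])
            continue
        m = ANON_FTP_RE.match(line)
        if m:
            anon_ftp.append((m["ts"], m["src"], m["pw"]))
    guessing = {src: (n, sorted(users[src]))
                for src, n in failed.items() if n >= threshold}
    return guessing, anon_ftp


def scan_sulog(text):
    """Return (from_user, succeeded, tty) for every su attempt to root."""
    hits = []
    for line in text.splitlines():
        m = SULOG_RE.match(line)
        if m and m["dst"] == "root":
            hits.append((m["src"], m["ok"] == "+", m["tty"]))
    return hits


def report(messages=SAMPLE_MESSAGES, sulog=SAMPLE_SULOG, threshold=3):
    guessing, anon_ftp = scan_messages(messages, threshold)
    return {"password_guessing": guessing,
            "anonymous_ftp": anon_ftp,
            "su_to_root": scan_sulog(sulog)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With the sample, 10.0.0.5 is reported for four failed logins against tom, root and john (10.0.0.9, with a single failure, stays under the threshold), the anonymous FTP session from 10.0.0.5 is listed with the password string the client supplied, and tom's successful and john's failed su to root both appear. Because utmp and wtmp are binary and vary by platform, the script reads only the text logs; the same address showing up first in FAILED LOGIN lines and then in an anonymous FTP login is the pattern worth correlating across files.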

The above has introduced the main steps of a server intrusion, and the reader should now have a basic understanding of them. Once again, it is absolutely essential that readers are not lacking in knowledge of UNIX systems.
