Top 10 Advanced Security management skills in Linux

Source: Internet
Author: User
Tags: imap, superuser, permission

I. File System

In Linux, the different parts of the system are installed on separate partitions. Mounting the key partitions read-only greatly improves the security of the file system. This section covers read-only mounts together with the append-only and immutable attributes of Linux's ext2 file system.

● Read-only partitions. The Linux file system can be divided into several major partitions, each configured and mounted separately; at a minimum, /, /usr/local, /var and /home should be separate partitions. /usr can be mounted read-only and treated as unmodifiable: if any file under /usr changes, the system should immediately raise a security alarm (changes the administrator makes deliberately excepted). /lib, /boot and /sbin are installed and configured the same way: mount them read-only wherever possible, and let any modification of their files, directories or attributes trigger a system alarm.
Of course, not every major partition can be mounted read-only. Some, such as /var, cannot be read-only by their very nature; they should, however, be mounted without execute permission.

● Extended ext2 attributes. The append-only and immutable file attributes of the ext2 file system raise the security level further. They are two of the flags in ext2's extended attribute set. An object marked immutable cannot be modified by anyone, not even the root user. A file marked append-only can be written, but only by adding content after its current end; this too holds even for the root user.

You can use the chattr command to change these attributes of a file and the lsattr command to view them. To learn more about ext2 file attributes, run man chattr. These two attributes are useful for detecting attempts by an intruder to install a backdoor inside an existing file. For safety, such activity should be blocked as soon as it is detected and an alarm raised.

If your critical file systems are mounted read-only and their files are marked immutable, an intruder must remount the file system to delete these immutable files, and that immediately raises an alarm. This greatly reduces the chances of a successful intrusion.

● Protecting log files. Used together on log files and log backups, the immutable and append-only attributes are particularly useful. The system administrator should set the active log file to append-only. When the log is rotated, the newly created backup file should be set immutable and the new active log file set append-only. This usually means adding a few control commands to the log rotation script.
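The following script is an added example, not code from the original article. It audits the controls this section describes (read-only and no-exec mounts read from /proc/mounts, immutable flags read from lsattr output) and scripts the log rotation rule (append-only active log, immutable backups) with chattr. The mount lines and lsattr line at the bottom are constructed samples; rotate_log needs root and an ext2/3/4 file system to do real work, and only prints its steps when DRY_RUN=1.

```shell
#!/bin/sh
# Added example (not part of the original article): audit the controls this section
# describes and script the log rotation step. Mount options come from /proc/mounts,
# attribute flags from lsattr(1) output; rotate_log uses chattr(1). The sample
# lines at the bottom are constructed for the demo.

# has_mount_opt MOUNTS_TEXT MOUNTPOINT OPTION -> success if MOUNTPOINT carries OPTION
# (MOUNTS_TEXT is in /proc/mounts format: device mountpoint fstype options dump pass)
has_mount_opt() {
  printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
    END { exit found ? 0 : 1 }'
}

# attr_has LSATTR_LINE FLAG -> success if the flag letter (i = immutable, a = append-only)
# appears in the flag field, which is the first word of an lsattr line such as
# "----i---------e------- /usr/bin/login"
attr_has() {
  case "${1%% *}" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# audit_mounts -> checks the live system against the article's expectations
audit_mounts() {
  mounts=$(cat /proc/mounts 2>/dev/null) || return 0
  for spec in "/usr ro" "/boot ro" "/var noexec"; do
    set -- $spec
    if has_mount_opt "$mounts" "$1" "$2"; then
      echo "OK   $1 is mounted $2"
    else
      echo "WARN $1 is not mounted $2"
    fi
  done
}

# audit_immutable PATH... -> reports files that lack the immutable flag
audit_immutable() {
  for f in "$@"; do
    line=$(lsattr -d "$f" 2>/dev/null) || { echo "SKIP $f (lsattr failed)"; continue; }
    if attr_has "$line" i; then echo "OK   $f is immutable"; else echo "WARN $f is not immutable"; fi
  done
}

# rotate_log ACTIVE -> the rotation rule from the text: freeze the closed log as
# immutable, reopen the active log as append-only. Needs root and an ext2/3/4
# file system; with DRY_RUN=1 it only prints the commands.
rotate_log() {
  active=$1
  backup="$1.$(date +%Y%m%d%H%M%S)"
  run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
  run chattr -a "$active"     # append-only files cannot be renamed, so drop the flag first
  run mv "$active" "$backup"
  run chattr +i "$backup"     # closed log: immutable, even for root
  run touch "$active"
  run chattr +a "$active"     # new active log: append-only
}

# --- constructed demo data ---
SAMPLE_MOUNTS='/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,noexec,relatime 0 0'
SAMPLE_ATTR='----i---------e------- /usr/bin/login'

has_mount_opt "$SAMPLE_MOUNTS" /usr ro && echo "sample: /usr is read-only"
has_mount_opt "$SAMPLE_MOUNTS" /var noexec && echo "sample: /var is noexec"
attr_has "$SAMPLE_ATTR" i && echo "sample: /usr/bin/login is immutable"
DRY_RUN=1 rotate_log /var/log/messages
```

On a live system, `audit_mounts` and `audit_immutable /sbin/init /bin/login` give the two checks the text calls for; the rotation function is meant to be called from the log rotation script, with the immutable flag dropped again (chattr -i) only when a backup is deliberately retired.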

II. Backup

After the Linux system is installed, the entire system should be backed up. Later, system integrity can be verified against this backup, which reveals whether system files have been tampered with. If system files have been damaged, the backup can be used to restore them to a normal state.

● CD-ROM backup. The best current medium for a system backup is the CD-ROM disc: the system can be compared regularly with the disc contents to verify that its integrity has not been damaged. If you have high security requirements, you can make the disc bootable and make the verification part of the system startup process. Then, as long as the system can be started from the disc, it is known not to have been damaged.

If you create read-only partitions, you can regularly reload them from the disc image. Even partitions that cannot be mounted read-only, such as /boot, /lib and /sbin, can still be checked against the disc image, or even reloaded from another secure image at startup.

● Other backup methods. Although many files in /etc change frequently, many others can still be stored on a CD for system integrity verification. Other rarely modified files can be backed up to another system (or to tape) or compressed into a read-only directory. This adds a further integrity check on top of the verification against the CD image.

Since the vast majority of operating systems now ship on CD, creating an emergency boot disc or verification disc from the CD-ROM is very convenient, and it is an effective and practical verification method.
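As an added example (not code from the article), here is a file-based form of the integrity check this section describes: a SHA-256 manifest is built from a known-good tree and kept on read-only media, and the live tree is later verified against it, including a check for files that have appeared since the manifest was made. It assumes GNU coreutils (sha256sum, mktemp) and find(1); the tree in the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the article: a file-based form of the integrity check it
# describes. make_manifest records a SHA-256 for every regular file in a tree while the
# system is known-good (keep the manifest on read-only media); verify_manifest compares
# the live tree with it and also reports files that appeared since. Assumes GNU coreutils
# (sha256sum, mktemp) and find(1). Paths containing spaces are not handled.

# make_manifest ROOT MANIFEST -> writes "hash  ./relative/path" lines, sorted by path
make_manifest() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# verify_manifest ROOT MANIFEST -> success only if every listed file hashes the same and
# no unlisted regular file exists; each deviation is printed (FAILED lines come from
# sha256sum, ADDED lines from the second pass)
verify_manifest() {
  root=$1
  case $2 in /*) manifest=$2 ;; *) manifest=$PWD/$2 ;; esac
  status=0
  # pass 1: content of every listed file (a deleted file also fails here)
  (cd "$root" && sha256sum --quiet -c "$manifest") || status=1
  # pass 2: files present now but absent from the manifest, e.g. a planted backdoor
  (cd "$root" && find . -type f) | LC_ALL=C sort | awk -v m="$manifest" '
    BEGIN { while ((getline line < m) > 0) { split(line, f, " "); listed[f[2]] = 1 } }
    !($0 in listed) { print "ADDED: " $0; added++ }
    END { exit added ? 1 : 0 }' || status=1
  return $status
}

# --- demo on a constructed tree ---
work=$(mktemp -d)
mkdir -p "$work/tree/sbin"
printf 'original binary\n' > "$work/tree/sbin/init"
printf 'config\n' > "$work/tree/passwd"
make_manifest "$work/tree" "$work/manifest.sha256"
verify_manifest "$work/tree" "$work/manifest.sha256" && echo "clean: tree matches manifest"
printf 'patched binary\n' > "$work/tree/sbin/init"     # simulate a tampered file
printf 'x\n' > "$work/tree/sbin/.extra"                # simulate a planted file
verify_manifest "$work/tree" "$work/manifest.sha256" || echo "ALERT: integrity violation"
rm -rf "$work"
```

The manifest only has value if the attacker cannot rewrite it, which is why the text puts the reference copy on a CD: run `verify_manifest / /mnt/cdrom/manifest.sha256` from the boot sequence or a cron job, and treat any output as an alarm.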

III. Improve the internal security mechanisms of the system

The internal functions of the Linux operating system can be improved to prevent buffer overflow attacks, a highly destructive but also very difficult attack method. Although such improvements require a system administrator with considerable experience and skill, they are necessary for many Linux systems with high security requirements.

● Solar Designer's secure Linux patch. Solar Designer's security patch for the 2.0 kernel provides a non-executable stack to reduce the threat of buffer overflows, greatly improving the security of the whole system.

Buffer overflows are quite difficult to exploit, because the intruder must determine when a potential overflow will occur and where it will land in memory. They are also very difficult to prevent: the system administrator must completely remove the conditions for an overflow to stop such attacks. For this reason many people, including Linus Torvalds, consider this secure Linux patch very important, because it prevents all attacks that rely on an executable stack. Note, however, that these patches also break programs and libraries that depend on an executable stack, which brings new challenges for the system administrator.

Non-executable stack patches have been distributed on many security mailing lists, and users can download them easily.

● StackGuard. StackGuard is a powerful security patch tool: you recompile and link key applications with the StackGuard-patched version of gcc.

StackGuard adds stack checks at compile time to prevent stack-based buffer overflow attacks. Although this slightly reduces system performance, StackGuard remains a very useful tool for specific applications with high security requirements.

There are now Linux distributions built with StackGuard, which makes it easier to use. Although StackGuard reduces system performance by about 10 to 20%, it prevents buffer overflows throughout the system.
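The two defences above survive today as standard toolchain features rather than patches: the linker records whether a program's stack may be executable in the ELF PT_GNU_STACK program header, and gcc's -fstack-protector family emits StackGuard-style canaries whose failure path calls __stack_chk_fail. The script below is an added example (not from the article) that audits a binary for both properties by parsing readelf and nm output; it assumes binutils is installed, and the header and symbol lines used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the article. The non-executable stack is recorded by the linker
# in the ELF PT_GNU_STACK header; StackGuard-style canaries (gcc -fstack-protector) show up
# as references to __stack_chk_fail. These functions audit a binary for both by parsing
# readelf/nm output (binutils assumed); the samples at the bottom are constructed.

# stack_flags READELF_LW_OUTPUT -> prints the PT_GNU_STACK flags ("RW" or "RWE"), or
# "MISSING" when the header is absent (input is the output of `readelf -lW BINARY`)
stack_flags() {
  printf '%s\n' "$1" | awk '$1 == "GNU_STACK" { print $7; found = 1 }
                            END { if (!found) print "MISSING" }'
}

# stack_executable READELF_LW_OUTPUT -> success if the stack would be mapped executable.
# A missing PT_GNU_STACK header counts as executable: that is the kernel's legacy default.
stack_executable() {
  case "$(stack_flags "$1")" in
    *E*|MISSING) return 0 ;;
    *)           return 1 ;;
  esac
}

# has_canary NM_OUTPUT -> success if the symbol table references __stack_chk_fail,
# i.e. at least one function was compiled with a stack protector
has_canary() {
  printf '%s\n' "$1" | grep -q '__stack_chk_fail'
}

# check_binary PATH -> reports both properties for a real ELF file
check_binary() {
  hdrs=$(readelf -lW "$1" 2>/dev/null) || { echo "SKIP $1: not readable as ELF"; return 2; }
  if stack_executable "$hdrs"; then
    echo "WARN $1: executable stack"
  else
    echo "OK   $1: non-executable stack"
  fi
  syms=$( { nm -D "$1"; nm "$1"; } 2>/dev/null )
  if has_canary "$syms"; then
    echo "OK   $1: stack canary present"
  else
    echo "WARN $1: no stack canary"
  fi
}

# --- constructed samples: program-header lines as printed by readelf -lW, one nm line ---
SAFE_HDR='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'
EXEC_HDR='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
CANARY_SYMS='                 U __stack_chk_fail@GLIBC_2.4'

stack_executable "$SAFE_HDR" || echo "sample 1: non-executable stack ($(stack_flags "$SAFE_HDR"))"
stack_executable "$EXEC_HDR" && echo "sample 2: executable stack ($(stack_flags "$EXEC_HDR"))"
has_canary "$CANARY_SYMS" && echo "sample 3: stack protector in use"
# On a live system: check_binary /bin/login
# Build your own programs with: gcc -fstack-protector-strong -Wl,-z,noexecstack ...
```

The same 10 to 20% caveat the text gives for StackGuard applies in a milder form here: -fstack-protector-strong protects only functions with stack buffers, which is why the check looks for any reference to __stack_chk_fail rather than requiring every function to be instrumented.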

● New access control functions. Linux kernel version 2.3 is attempting to implement access control lists in the file system, adding more detailed access control on top of the original three categories (owner, group and other).

In the 2.2 and 2.3 Linux kernels a new access control function is being developed that will eventually affect the current ext2 file attributes. Compared with the traditional ext2 file system it provides more precise security control. With this new feature, applications will be able to access certain system resources without superuser permission, such as initial integration.

● Rule Set Based Access Control. The Linux community is developing the Rule Set Based Access Control (RSBAC) project, which aims to bring B1-level security to the Linux operating system. RSBAC is an extension framework built on access control that extends many system calls and supports multiple access and authentication methods. It is very useful for extending and enhancing the internal, local security of Linux systems.

IV. Set traps and honeypots

A trap is software that raises an alarm when it is activated; a honeypot is a trap program designed to lure the intruder into triggering a special alarm. With traps and honeypots in place, the system can raise an alarm quickly once an intrusion occurs. Many large networks deploy specially designed traps. Traps fall into two kinds: those that only detect the intruder without retaliating, and those that retaliate at the same time.

A common way to set up a honeypot is to deliberately advertise that the Linux system runs one of the many vulnerable IMAP server versions. When an intruder scans these IMAP ports in bulk, they fall into the trap and trigger the system alarm.

Another example of a honeypot trap is the famous phf, a very fragile web CGI script (cgi-bin). phf was originally written to look up phone numbers, but it had a serious security vulnerability that allowed intruders to obtain the system password file or perform other malicious operations. The system administrator can install a fake phf script that does not send the password file but returns false information to the intruder while alerting the administrator.

Another type of honeypot trap program immediately rejects the intruder by blacklisting their IP address in the firewall. The block on unfriendly access can be short-term or long-term. The firewall code in the Linux kernel is well suited to this.
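The fake phf described above, written as an added example rather than code from the article: installed as cgi-bin/phf, the decoy ignores the query entirely, answers with fixed harmless content, never touches the password file, and appends one record per hit to an alarm log that a watcher (cron job or log monitor) polls. It assumes the CGI environment a web server provides (REMOTE_ADDR, QUERY_STRING, REQUEST_METHOD); ALARM_LOG is a path chosen here, and the request values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the article: a decoy standing in for the phf script it describes.
# Installed as cgi-bin/phf, it answers every request with harmless canned output, never
# reads the password file, and appends one record per hit to an alarm log for a watcher
# to act on. Assumes the CGI environment a web server provides (REMOTE_ADDR,
# QUERY_STRING, REQUEST_METHOD); ALARM_LOG is a path chosen for this example.

ALARM_LOG=${ALARM_LOG:-/var/log/honeypot-phf.log}

# log_alarm ADDR QUERY -> appends a single-line, timestamped record. The query is flattened
# and truncated so a crafted request cannot forge extra log lines or fill the disk.
log_alarm() {
  clean=$(printf '%s' "$2" | tr -d '\n\r' | cut -c1-512)
  printf '%s honeypot=phf src=%s query="%s"\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$clean" >> "$ALARM_LOG"
}

# decoy_response -> the fake phf page. The original phf handed the query to a shell; the
# decoy ignores the query altogether and returns fixed content.
decoy_response() {
  printf 'Content-Type: text/html\r\n\r\n'
  printf '<html><body><h1>Query Results</h1><pre>\nNo matching entries found.\n</pre></body></html>\n'
}

# handle_request -> CGI entry point: record the hit first, then answer
handle_request() {
  log_alarm "${REMOTE_ADDR:-unknown}" "${QUERY_STRING:-}"
  decoy_response
}

# count_alarms -> number of recorded hits (what a watcher polls to raise the alarm)
count_alarms() {
  [ -f "$ALARM_LOG" ] || { echo 0; return 0; }
  grep -c 'honeypot=phf' "$ALARM_LOG" || true
}

if [ -n "${REQUEST_METHOD:-}" ]; then
  handle_request                      # running under the web server
else
  # stand-alone demo with constructed values
  ALARM_LOG=$(mktemp)
  REMOTE_ADDR=203.0.113.7 QUERY_STRING='Qalias=constructed-probe' handle_request >/dev/null
  echo "demo: $(count_alarms) alarm(s) recorded:"
  cat "$ALARM_LOG"
  rm -f "$ALARM_LOG"
fi
```

The decoy belongs to the first kind of trap from the text (detect, do not retaliate); the alarm log is the hand-off point to the second kind, where a watcher reads the src= field and adds a firewall rule.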


V. Nip intrusions in the bud

One of the most common things an intruder does before launching an attack is a port scan. Detecting and blocking this scanning in time greatly reduces the number of intrusions. The reacting system can be a simple stateful packet filter, a complex intrusion detection system, or a configurable firewall.


● Abacus PortSentry. Abacus PortSentry is an open-source toolkit that monitors network interfaces and interacts with the firewall to shut down port scanning attacks. It can stop an ongoing port scan immediately. If it is configured improperly, however, it may also let a hostile outsider mount a denial-of-service attack against your system.

Used together with transparent proxy tools in Linux, PortSentry provides effective intrusion prevention: unused ports on all IP addresses that offer common services can be redirected to PortSentry, which detects and blocks the port scan before the intruder takes further action.

PortSentry can detect slow scans, but it cannot detect structured attacks. Both techniques aim to conceal the attacker's intent: a slow scan spreads the port probes over a long period, while in a structured attack the attacker masks the real target by scanning or probing from multiple source addresses.

Used correctly, this software effectively prevents mass parallel scanning for IMAP services and blocks all such intruders. PortSentry is most effective together with the IPChains tool of the Linux 2.2 kernel, which can automatically redirect all port-scanning traffic to PortSentry.

The Linux 2.0 kernel can be patched to use IPChains. PortSentry can also work with ipfwadm on kernels before 2.2; ipfwadm was replaced by IPChains from version 2.2 on.

PortSentry can also be configured to respond to UDP scans on Linux systems, and even to various half-open scans such as FIN scans, which try to avoid detection by sending only a small probe packet instead of establishing a real connection.

Of course, a better solution is a dedicated intrusion detection system that reconfigures the firewall based on intrusion alarms and attack signatures. Such products are generally expensive, however, which puts them out of reach for ordinary users.
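As an added example (not PortSentry's code or the article's), the script below implements the core of what this section describes as a batch job over firewall log lines: a source that probes more than a threshold of distinct destination ports is flagged, addresses on an ignore list (local host, gateway, monitoring hosts) are never blocked, which is the guard against the self-inflicted denial of service the text warns about, and the blocking rule is printed rather than executed, using iptables in place of the article's IPChains. The log lines are constructed samples in the iptables LOG format; the threshold, the ignore list and the iptables rule are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the article: port-scan detection over firewall log lines, the
# batch-job form of what PortSentry does on live sockets. Sources touching more than
# SCAN_THRESHOLD distinct destination ports are scanners; IGNORE_LIST addresses are never
# blocked (misconfiguring this is how a scanner detector turns into a self-DoS). The block
# command is printed, never run. The sample log is constructed in iptables LOG format.

SCAN_THRESHOLD=${SCAN_THRESHOLD:-5}
IGNORE_LIST=${IGNORE_LIST:-"127.0.0.1 192.0.2.1"}    # constructed: local host and gateway

# detect_scanners LOG_TEXT -> prints "SRC DISTINCT_PORTS" for each source over the threshold
detect_scanners() {
  printf '%s\n' "$1" | awk -v thr="$SCAN_THRESHOLD" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !((src, dpt) in seen)) {
        seen[src, dpt] = 1           # count each (source, port) pair once: retries are not a scan
        ports[src]++
      }
    }
    END { for (s in ports) if (ports[s] > thr) print s, ports[s] }' | sort
}

# is_ignored SRC -> success if SRC is on the never-block list
is_ignored() {
  for ip in $IGNORE_LIST; do
    [ "$ip" = "$1" ] && return 0
  done
  return 1
}

# block_command SRC -> the firewall rule a watcher would apply (printed, never executed here)
block_command() {
  printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# react LOG_TEXT -> one decision line per detected scanner
react() {
  detect_scanners "$1" | while read -r src count; do
    if is_ignored "$src"; then
      echo "IGNORE $src ($count ports, on ignore list)"
    else
      echo "BLOCK  $src ($count ports): $(block_command "$src")"
    fi
  done
}

# --- constructed sample: one host sweeping six ports, one normal client, the gateway's monitor ---
SAMPLE_LOG='Jan 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110 SYN
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=143 SYN
Jan 12 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 12 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
Jan 12 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443 SYN
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=22 SYN
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=25 SYN
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=80 SYN
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP SPT=60004 DPT=110 SYN
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP SPT=60005 DPT=143 SYN
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP SPT=60006 DPT=443 SYN
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP SPT=60007 DPT=993 SYN'

react "$SAMPLE_LOG"
```

Counting distinct ports per source rather than raw packets is what separates a sweep from a busy legitimate client (198.51.100.7 above hits port 80 twice and is never reported). The slow-scan case from the text is covered by widening the time window the log covers; the multi-source structured attack is not, which matches the limitation the text states for PortSentry.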

VI. Anti-Attack Detection

System master
