Two security questions about UNIX Networks

Source: Internet
Author: User

In recent years many articles have introduced a so-called secure UNIX shutdown user. The idea is to put the /etc/shutdown command (or the /etc/haltsys command) in place of /bin/sh at the end of that user's entry in the /etc/passwd file or the /etc/shadow file. In this way, even if someone knows the shutdown user's password (or no password is set for it), nobody can get into the UNIX system through the shutdown user: the shutdown user is strictly defined as a superuser that can do nothing but shut the machine down. This shutdown user has come to be regarded as the "safest shutdown user".

This user is more secure than other shutdown methods, and on a standalone machine its security can be trusted. Unfortunately, in a UNIX network the shutdown user still carries some security risks, and these follow from its very purpose. First, because almost every user on the network needs the shutdown user, it usually has no password at all, or its password is shared by several people at once; second, to shut the UNIX system down, the shutdown user must hold superuser permission. So although the Del key cannot interrupt it and su is of no use, some remote commands on the network can reach the shutdown user and intrude into the UNIX system, even landing in the root user's shell.

1. The problem

Assume that computer A has a user named shutdown, set up and permission-controlled in the "most secure shutdown user" manner; because the system administrator, the software administrator and the ordinary operators all need this user, no password is set for it. Let the IP address of computer A be 129.15.21.77.

In this case, an attack on computer A launched from another computer (call it computer B) can use a remote command of the UNIX system network to run computer A's "safest shutdown user", shutdown. First, add the following line to the /etc/hosts file on computer B:

129.15.21.77 hostshut

Log in to computer B as any ordinary user and enter the following command:

rcmd hostshut -l shutdown vi /etc/passwd

or: rcmd hostshut -l shutdown vi /etc/shadow

In this way an ordinary user on computer B has opened, with vi, the password text of every user on computer A, the root superuser included. After changing or deleting those passwords, telnet, rlogin and the other remote commands can be used to log in as any user on computer A. If a malicious user breaks in this way, the consequences for computer A are unimaginable.

2. Solving the problem

To solve this security problem, one can first disable some of the remote services started by the inetd daemon, such as telnet, shell, login and exec: edit the /etc/inetd.conf file with vi, put a # in front of each of those entries, and then run the /etc/inetd command again. However, this greatly weakens the network functions of the UNIX system and may interfere with other computer applications.
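As an added example that is not part of the original article, a small POSIX shell audit for the two conditions described above: a uid-0 account with an empty password field, and r-command services (shell, login, exec) still enabled in inetd.conf. The passwd and inetd.conf contents are constructed samples, not files from any real system.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/passwd and /etc/inetd.conf.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
shutdown::0:0:shutdown user:/:/etc/shutdown
oper:x:200:50:operator:/usr/oper:/bin/sh
EOF
  cat > "$dir/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /etc/ftpd    ftpd
telnet  stream  tcp  nowait  root  /etc/telnetd telnetd
shell   stream  tcp  nowait  root  /etc/rshd    rshd
#login  stream  tcp  nowait  root  /etc/rlogind rlogind
exec    stream  tcp  nowait  root  /etc/rexecd  rexecd
EOF
  echo "$dir"
}

# Print the names of uid-0 accounts whose password field is empty.
# On a system with shadow passwords, run the same test on field 2 of the shadow file.
passwordless_root_accounts() {
  awk -F: '$3 == 0 && $2 == "" { print $1 }' "$1"
}

# Print the r-command services that are still active (not commented out).
enabled_r_services() {
  awk '$1 ~ /^(shell|login|exec)$/ { print $1 }' "$1"
}

# Stand-alone run: report both findings for the sample files.
d=$(make_samples)
echo "uid-0 accounts without a password:"; passwordless_root_accounts "$d/passwd"
echo "r-command services still enabled:"; enabled_r_services "$d/inetd.conf"
```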

After some practice I found a safe shutdown method that uses input/output redirection, the UNIX dumb-terminal technique and the UNIX timing system (at) to achieve a safe shutdown. The procedure is as follows:
 
First, as the superuser, enter the following command to make terminal tty12 a dumb terminal:

# disable /dev/tty12

Because the shutdown program must run on the dumb terminal tty12, whose window works in raw mode, the UNIX command read cannot be used for input; a program that performs input/output in raw mode has to be written instead. Compile the following source program with cc -lcurses to produce the executable file safehalt:

/* secure shutdown program: runs on the dumb terminal tty12 in raw mode */
#include <curses.h>
#include <termio.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

int main(void)
{
    WINDOW *win;
    char til[] = "Do you want to shut down now? Please press yes: ";
    char s1[4] = "", sum[100];
    struct termio save, term;

    initscr(); raw(); noecho();       /* raw mode: no line editing, no echo, no Del interrupt */
    keypad(stdscr, TRUE); clear();
    ioctl(0, TCGETA, &term);          /* current terminal settings, kept in save */
    save = term;
    win = newwin(24, 80, 0, 0);

    while (s1[0] != 'q')              /* 'q' leaves the prompt loop without shutting down */
    {
        s1[0] = '\0'; s1[1] = '\0'; s1[2] = '\0';
        mvwaddstr(win, 5, 0, til);
        wrefresh(win);
        read(0, &s1[0], 1);           /* read(2), not stdio: the terminal is in raw mode */
        if (s1[0] == 'y')
        {
            sprintf(sum, "%s%s", til, s1);
            mvwaddstr(win, 5, 0, sum);
            wrefresh(win);
            read(0, &s1[1], 1);
            if (s1[1] == 'e')
            {
                sprintf(sum, "%s%s", til, s1);
                mvwaddstr(win, 5, 0, sum);
                wrefresh(win);
                read(0, &s1[2], 1);
                if (s1[2] == 's')     /* the whole word "yes" was typed */
                    system("/etc/shutdown -g0 -y");
            }
        }
    }
    keypad(stdscr, FALSE); echo();
    noraw(); endwin();
    return 0;
}

Finally, write a UNIX shell script atsh containing the following (at reads the job from its standard input; the redirection puts safehalt's input and output on tty12, and the last line reschedules the script so the prompt appears again the next day):

at now + 1 day <<'EOF'
/usr/bin/safehalt < /dev/tty12 > /dev/tty12
/usr/bin/atsh
EOF

Once the atsh script has been run, it is executed again automatically later.

In this way a shutdown prompt runs automatically on the tty12 screen every day; when yes is entered, the machine shuts down. Of course, a shutdown password can also be set in the program. This method completely eliminates the security problems caused by shutdown users.

Automatic Data Transmission Security

In UNIX systems two methods are used to send data files automatically in batches. One is to create a .netrc file under the user's home directory, add the host name, user name and password of the remote machine to it, and let the user who owns the .netrc file use ftp to send files in batches automatically after logging in. The other is to write a batch script with the UNIX shell and run that script to send the data in batches automatically. Both methods can send data files in batches automatically, but both carry security risks: both store the host name, IP address, user name and password of the remote machine in a plain-text file, so simple UNIX commands such as cat, vi and more are enough to read the remote machine's main secrets.
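As an added example (not from the original article), a POSIX shell check that finds the exposure just described: .netrc files that are readable by other users and carry a password token. The home directories, user name and password below are constructed sample data, not real accounts.

```shell
#!/bin/sh
# Constructed sample home tree with two .netrc files (invalid host, fake secret).
make_netrc_samples() {
  home=$(mktemp -d)
  mkdir -p "$home/alice" "$home/bob"
  printf 'machine ftp.example.invalid login ops password s3cret\n' > "$home/alice/.netrc"
  printf 'machine ftp.example.invalid login ops\n' > "$home/bob/.netrc"
  chmod 644 "$home/alice/.netrc"   # readable by everyone: what cat/more/vi would reveal
  chmod 600 "$home/bob/.netrc"     # owner only, and no password stored
  echo "$home"
}

# List every .netrc under the given root that is group- or world-readable
# and contains a password token. -perm -004 / -040 are POSIX find tests.
exposed_netrc() {
  find "$1" -type f -name .netrc \( -perm -004 -o -perm -040 \) | while read -r f; do
    if grep -q 'password' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Stand-alone run over the sample tree.
h=$(make_netrc_samples)
echo "exposed .netrc files:"; exposed_netrc "$h"
```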

To increase security, this confidential information must be hidden and encrypted. The author uses the binary code of a C program to encapsulate the IP address, host name, user name and password of the remote machine. When encapsulating them in C, note that important information such as the remote machine's IP address, host name, user name and password must not be assigned directly to string variables in the program: if it is, it is easy to recover from the program's binary code with common UNIX commands such as strings, hd and od. Note also that the program must not create intermediate files containing important information about the remote machine while it runs. Even if such intermediate files are deleted before the program ends, they may be read and leaked while they exist, which can be a long time when many data files are being sent, so it is best for the program to generate no intermediate files at all.

The following example shows how data files are sent from the local superuser to a superuser on another machine; it can send several files in a row automatically. Although the program sends the data as a superuser, it is written so that once it is compiled into executable code it is hard to recover the security-relevant information about the local and remote computers from the binary. At the same time, the program talks to ftp through a pipe, so no intermediate files are generated during execution, and its security is comparatively high. The implementation code is as follows:

/* send data safely: push files to a remote host over ftp without writing
 * the credentials or the ftp script to any file */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* append formatted text to ftpcmd without passing ftpcmd to sprintf as both
 * source and destination (the original did, which is undefined behaviour) */
#define APPEND(...) \
    snprintf(ftpcmd + strlen(ftpcmd), sizeof ftpcmd - strlen(ftpcmd), __VA_ARGS__)

int main(int argc, char *argv[])
{
    int i, u1, u2, u3, u4;
    float ip1, ip2;
    char pw[10] = "", us[5] = "", ftpn[4] = "";
    char ftpcmd[500] = "", runl[256] = "";
    char ftpprt[256] = "";
    FILE *fftp;

    if (argc > 1)
    {
        /* user name, password, command name and IP address are assembled
         * character by character so that strings(1) finds no literal */
        us[0] = 'u'; us[1] = 's'; us[2] = 'e'; us[3] = 'r';
        u1 = 'r'; u2 = 'o'; u3 = 'o'; u4 = 't';
        pw[0] = '5'; pw[1] = '1'; pw[2] = '2';
        pw[3] = '7'; pw[4] = '3';
        pw[5] = '7'; pw[6] = '4';
        ftpn[0] = 'f'; ftpn[1] = 't'; ftpn[2] = 'p';
        ip1 = 106.73; ip2 = 168.13;      /* printed as %.2f.%.2f -> 106.73.168.13 */
        printf("\fdata from the local machine:\n");
        for (i = 1; i < argc; i++)
        {
            snprintf(runl, sizeof runl, "l %s", argv[i]);   /* l: SCO alias for ls -l */
            system(runl);
        }
        /* the ftp script is fed through a shell here-document; the "<<!"
         * terminator is reconstructed, the page's line is cut off there */
        APPEND("%s -n -i %.2f.%.2f <<!\n", ftpn, ip1, ip2);
        APPEND("%s %c%c%c%c %s\n", us, u1, u2, u3, u4, pw);   /* user root <pw> */
        APPEND("cd /usr/tmp\n");
        for (i = 1; i < argc; i++)
        {
            APPEND("put %s\n", argv[i]);
            APPEND("ls %s\n", argv[i]);
        }
        APPEND("quit\n!\n");
        printf("\nsending ......\n");
        /* popen: ftp's output comes back through a pipe, no temporary file.
         * Caveat: the command string, password included, is handed to sh -c,
         * so it is visible in the process table (ps) while the transfer runs. */
        fftp = popen(ftpcmd, "r");
        i = 0;
        while (fgets(ftpprt, 256, fftp) != NULL)
        {
            i++;
            if (i > 0)
                printf("%s", ftpprt);
        }
        pclose(fftp);
    }
    return 0;
}
