Insecure programs and replacements in Linux

Source: Internet
Author: User
Technical articles from the Linux community. I think it may be helpful to the experts. After compilation and analysis by the experts of the Red friends, it will be more helpful to our new rookie-level beginners.


The publisher is bestcatxp.



Author: Hacker. Source: CCID Security Community. Release date: 2007.01.26

WuFTPD has been prone to security vulnerabilities since 1994. Hackers can easily obtain remote root access, and many of the vulnerabilities do not even require a valid account on the FTP server. WuFTPD has also had frequent security vulnerabilities recently.

Its best alternative is ProFTPD. ProFTPD is easy to configure, is faster in most cases, and has relatively clean source code (fewer buffer overflow errors). Many important sites use ProFTPD. Sourceforge.net is a good example (this site has a total of 3,000 open-source projects, and its load is not small!). Some Linux distributors also use ProFTPD on their main FTP site, and WuFTPD is used by only two major Linux distributors (SuSE and Caldera).

Another advantage of ProFTPD is that it can run both from inetd and as a separate daemon. In this way, some problems caused by inetd can be easily solved, such as denial of service (DoS) attacks. The simpler the system, the easier it is to ensure system security.

WuFTPD needs either a review of all its source code (very difficult) or a complete rewrite. Otherwise, WuFTPD must be replaced by ProFTPD.

Telnet

Telnet is very insecure: it sends passwords in plain text. Its safe alternative is OpenSSH. OpenSSH is very mature and stable on Linux, and there is also plenty of free client software for the Windows platform. Linux distributors should adopt the OpenBSD policy: install OpenSSH and make it the default; install Telnet but do not make it the default.

For Linux distributors outside the United States, it is easy to add OpenSSH to the Linux release. For Linux distributors in the United States, there are some other approaches (for example, Red Hat keeps the latest OpenSSH rpm package on its FTP server in Germany, ftp.redhat.de). Telnet is a hopeless program. To ensure system security, software such as OpenSSH must be used instead.

Sendmail

In recent years, the security of Sendmail has improved a lot (in the past, it was usually the program that hackers attacked). However, Sendmail still has a serious problem. Once a security vulnerability appears (for example, the recent Linux kernel error), Sendmail is the program that hackers attack, because it runs with root permission and its code is huge and prone to problems.

Almost all Linux distributors use Sendmail as the default configuration, and only a few offer Postfix or Qmail as optional software packages. However, few Linux distributors use Sendmail on their own mail servers. Both SuSE and Red Hat use Qmail-based systems.

Sendmail does not necessarily have to be replaced by other programs. However, its two alternatives, Qmail and Postfix, are safer and faster than Sendmail, and Postfix in particular is easier to configure and maintain.

Su

Su changes the ID of the current user to that of another user. You can log on as a common user, and when you need to do something as root, you only need to execute the "su" command and then enter the root password. Su itself is not the problem, but it leads people to develop bad habits. If a system has multiple administrators, you must give all of them the root password.

An alternative to su is sudo. Red Hat 6.2 contains the software. Sudo allows you to set which user group can execute programs as root. You can also restrict the user's logon location (if someone breaks a user's password and uses this account to log on from a remote computer, you can restrict the user's use of sudo). Debian also has a similar program called super, which has advantages and disadvantages compared with sudo.

Let users develop good habits. Using the root account and letting multiple people know the root password is not a good habit. This is why www.apache.org was infiltrated: it had multiple system administrators with root privileges. A messy system is easy to intrude.

Named

Most Linux distributors have solved this problem. Named was previously run as root. Therefore, when a new vulnerability appeared in named, it was easy to intrude into some important computers and obtain root permission. Now, you only need to use some command-line parameters to run named as a non-root user. In addition, most Linux distributors now run named with the permissions of a common user.
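As an added example (not part of the original article), the following shell functions check for three conditions described above: Telnet and WuFTPD entries enabled in inetd.conf, and named still running as root. The sample inetd.conf and process list are constructed, and the WuFTPD binary-name pattern is an assumption, because the name varies between distributions.

```shell
#!/bin/sh
# Added example: flag legacy services named in this article.

# Constructed sample inetd.conf (not taken from a real host).
sample_inetd() {
    cat <<'EOF'
# service socket proto wait user server args
ftp     stream tcp nowait root /usr/sbin/tcpd in.wuftpd -l -a
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
#shell  stream tcp nowait root /usr/sbin/tcpd in.rshd
EOF
}

# Constructed sample lines in `ps -eo user=,args=` format.
sample_ps() {
    cat <<'EOF'
root  /usr/sbin/named
named /usr/sbin/named -u named
root  /usr/sbin/sshd
EOF
}

# Read inetd.conf on stdin; report enabled Telnet and WuFTPD entries.
# Assumption: the WuFTPD server name contains "wuftpd", "wu-ftpd" or "wu.ftpd".
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }     # commented-out or blank: disabled
        $1 == "telnet" { print "telnet: cleartext login enabled as " $5 "; use OpenSSH" }
        $1 == "ftp" && $0 ~ /wu[-.]?ftpd/ { print "ftp: WuFTPD enabled as " $5 "; use ProFTPD" }
    '
}

# Read "user args" lines on stdin; report named processes still owned by root.
audit_named() {
    awk '{
        n = split($2, path, "/")
        if (path[n] == "named" && $1 == "root")
            print "named: running as root; start it with -u <user>"
    }'
}

sample_inetd | audit_inetd
sample_ps | audit_named
```

On a real host, feed `audit_inetd` from `/etc/inetd.conf` and `audit_named` from `ps -eo user=,args=`.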

INN

The INN documentation clearly states that "disabling this function (verifycancels) is useless and will be removed". About a month ago, a hacker released a method to intrude into INN when verifycancels takes effect. Red Hat sets verifycancels as valid. Any setuid/setgid program or network service program must be correctly installed and checked to ensure that it does not introduce security vulnerabilities.