With the expansion of Linux business applications, a large number of network servers now run the Linux operating system, and the security of Linux servers is receiving more and more attention. This article lists the attacks a Linux server faces, ordered by their depth level, and proposes different countermeasures for each.
Attacks on a Linux server are defined as unauthorized acts intended to interfere with, damage, weaken or undermine the security of the server. They range from denial of service to actions that can harm or destroy the server. There are many types of attack on Linux servers; from the point of view of attack depth, this article divides them into four levels.
Attack Level I: Denial of Service (DoS)
Because DoS attack tools have proliferated, and the defects of the protocol layer cannot be changed in the short term, DoS has become the most widespread attack and the most difficult to guard against.
Denial of service attacks include distributed denial of service (DDoS), reflective distributed denial of service, DNS distributed denial of service and FTP attacks. Most denial of service attacks present relatively low risk; even those that cause the system to restart are only a temporary problem. Such attacks differ greatly from attacks whose goal is to gain control of the network and generally do not affect data safety, but a denial of service attack can continue for a long time and is very hard to deal with.
So far there is no absolute way to stop such attacks, but that does not mean we should not fight them. Besides emphasizing the importance of hardening each individual host so that it cannot be exploited, strengthening the management of the server is a very important part. Be sure to install verification and filtering software and check that the packet's source address is a real address. Against several kinds of denial of service the following measures can be used: close unnecessary services, restrict the number of SYN half-open connections open simultaneously, shorten the timeout of SYN half-open connections, and keep system patches up to date.
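The SYN half-open limits and timeout mentioned above map onto a few Linux kernel sysctls. The following is an added example, not code from the original article: it audits those sysctls against a target list and can apply them. The sysctl names are real kernel knobs; the target values and the `SYSCTL_ROOT` override (so the functions can be exercised on a constructed directory instead of the live `/proc/sys`) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit/apply the kernel settings behind "restrict the number of
# SYN half-open connections" and "shorten the SYN half-open timeout".
# SYSCTL_ROOT may point at a constructed directory for offline testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# name=value pairs (target values are assumptions, tune per server):
#  - tcp_syncookies: answer SYN floods without keeping queue state
#  - tcp_max_syn_backlog: bound on simultaneously half-open connections
#  - tcp_synack_retries: fewer SYN-ACK retransmits, so a half-open entry expires sooner
SYN_TARGETS="net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_synack_retries=2"

# Convert a dotted sysctl name to its file path under $SYSCTL_ROOT.
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print one "name current=... target=..." line per deviating setting.
# Returns 0 when every setting already matches, 1 otherwise.
audit_syn_settings() {
    bad=0
    for pair in $SYN_TARGETS; do
        name=${pair%%=*}; want=${pair#*=}
        have=$(cat "$(sysctl_path "$name")" 2>/dev/null || echo missing)
        if [ "$have" != "$want" ]; then
            printf '%s current=%s target=%s\n' "$name" "$have" "$want"
            bad=1
        fi
    done
    return $bad
}

# Write the targets (needs root on a live /proc/sys). Returns 1 on first failure.
apply_syn_settings() {
    for pair in $SYN_TARGETS; do
        name=${pair%%=*}; want=${pair#*=}
        printf '%s\n' "$want" > "$(sysctl_path "$name")" || return 1
    done
}
```

Run `audit_syn_settings` on a server to list deviations; `apply_syn_settings` only changes the running kernel, so persist the same values in `/etc/sysctl.conf` or `/etc/sysctl.d/` to survive a reboot.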
Attack Level II: local users obtain read and write permission to files they are not authorized to access
A local user here means a user who has an account on any machine in the local network and therefore has a directory on a drive. How dangerous it is for a local user to gain unauthorized read and write access to a file depends largely on whether that file is a key one. Unrestricted access by any local user to the temporary directory (/tmp) is dangerous, because it can potentially pave a path leading to the next level of attack.
The main form of Level II attack is: hackers trick legitimate users into revealing their confidential information or performing tasks; sometimes a hacker sends a message to a user while pretending to be the network manager, asking the user to upgrade his system password.
Attacks initiated by local users almost always start from a remote login. For Linux servers, the best approach is to place all shell accounts on a single machine, that is, accept shell logins only on one or more servers designated for shell access. This makes management of logs, access control, release agreements and other potential security issues easier. The systems that store users' CGI should also be kept separate. These machines should be isolated in specific network segments; that is, depending on the configuration of the network, they should be surrounded by a router or network switch. The topology should ensure that hardware address spoofing cannot reach beyond this segment.
Attack Level III: remote users gain read and write permission to privileged files
At the third level an attack can not only verify the existence of a specific file but also read and write these files. The reason is that a remote user without a valid account can execute a limited number of commands on the server; such weaknesses appear in Linux server configurations.
Password attacks are the main method at the third level, and compromising your password is the most common attack method. Password cracking is a term used to describe penetrating a network, system or resource, with or without the use of tools, to unlock password-protected resources. Users often neglect their passwords, and password policy is difficult to enforce. There are several hacking techniques and social engineering methods for defeating password protection, including the dictionary attack, the hybrid attack and the brute force attack. Once a hacker has a user's password, he has all of that user's privileges. Password guessing means manually entering common passwords or obtaining passwords with a purpose-written program. Some users choose simple passwords, such as birthdays, anniversaries and spouse names, and do not follow the rule that letters and numbers should be mixed. It does not take a hacker long to guess an 8-character string of birthday data.
The best defense against third-level attacks is to strictly control access privileges and use valid passwords.
A password should follow the rule of mixing letters, numbers and upper and lower case (because Linux distinguishes case).
Using special characters like "#", "%" or "$" adds complexity. For example, take the word "countbak" and add "#$" after it (countbak#$), and you have a very valid password.
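The composition rules above (mixed case, digits, special characters, and nothing a dictionary or birthday-style guess would cover) can be checked before a password is accepted. The following is an added example, not code from the original article; the minimum length of 8, the requirement that all four character classes be present, and the tiny constructed word list are this example's assumptions.

```shell
#!/bin/sh
# Added example: check a candidate password against the composition rules
# described in the text. Thresholds and the word list are assumptions.
MIN_LEN=8
# Constructed mini word list standing in for a cracker's dictionary.
DICT_WORDS="password welcome qwerty letmein"

# Print how many character classes (lower, upper, digit, special) the password uses.
password_classes() {
    n=0
    case $1 in *[[:lower:]]*) n=$((n + 1));; esac
    case $1 in *[[:upper:]]*) n=$((n + 1));; esac
    case $1 in *[[:digit:]]*) n=$((n + 1));; esac
    case $1 in *[![:alnum:]]*) n=$((n + 1));; esac
    echo "$n"
}

# Return 0 when the password is a dictionary word, optionally followed by
# digits/symbols (the hybrid-attack pattern, e.g. "Password123!").
looks_like_dictionary() {
    low=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for w in $DICT_WORDS; do
        case $low in "$w"|"$w"[![:alpha:]]*) return 0;; esac
    done
    return 1
}

# Print every rule the password fails; return 0 only if it passes all of them.
check_password() {
    pw=$1; ok=0
    [ ${#pw} -ge "$MIN_LEN" ] || { echo "shorter than $MIN_LEN characters"; ok=1; }
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter"; ok=1;; esac
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter"; ok=1;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; ok=1;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no special character"; ok=1;; esac
    # All digits is the birthday/anniversary pattern the text warns about.
    case $pw in *[![:digit:]]*) ;; *) echo "digits only (date-like)"; ok=1;; esac
    looks_like_dictionary "$pw" && { echo "dictionary word plus suffix"; ok=1; }
    return $ok
}
```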
Attack Level IV: remote users gain root privileges
The fourth level refers to attacks that should never happen; they are deadly attacks. Root, superuser or administrator permission means the attacker owns the Linux server and can read, write and execute all files. In other words, the attacker has full control of the Linux server and can completely shut down or even destroy the network at any time.
The main forms of Level IV attack are TCP/IP sequence stealing (session hijacking), passive channel eavesdropping and packet interception. These three are approaches for gathering important information from the network; unlike denial of service attacks, they are closer to theft in nature, concealed and harder to detect. A successful TCP/IP attack lets a hacker intercept the transaction between two parties, providing a good opportunity for a man-in-the-middle attack, after which the hacker controls one or both sides of the transaction without the victims noticing. Through passive eavesdropping, hackers can manipulate and record information and file services, and can find the Achilles' heel of the target system through every channel. Hackers look on the wire for passwords and for the channels an application recognizes as legitimate. Packet interception means binding an active listener program to the target system to intercept and alter all information or information for specific addresses. The information can be altered to be sent to an illegal system for reading, and then returned to the hacker unchanged.
TCP/IP sequence stealing is in practice network sniffing. Note that if you believe someone has placed a sniffer on your network, there are tools that can verify it. One such tool is the Time Domain Reflectometer (TDR). A TDR measures changes in the propagation of electromagnetic waves; connected to the network, it can detect unauthorized devices attached to the network data path. However, many small and medium companies do not have such expensive tools. The best ways to prevent sniffer attacks are:
1. Secure topology. A sniffer can only capture data on its own network segment. This means the more finely the network is segmented, the less information a sniffer can collect.
2. Session encryption. Rather than worrying so much about data being sniffed, find ways to make the sniffed data unintelligible to the sniffer. The advantage of this approach is obvious: even if an attacker sniffs the data, it is of no use to him.
Special Note: counter-measures to deal with attacks
Attacks above the second level deserve special attention, because they can keep escalating the attack level to penetrate the Linux server. In this case the countermeasures we can take are:
1. Back up important business-critical data first.
2. Change all system passwords and notify users to obtain new passwords from the system administrator.
3. Isolate the network segment so that the attack is confined to a small range.
4. Allow the behaviour to continue. If possible, do not rush to throw the attacker out of the system; prepare for the next step.
5. Record all actions to collect evidence. The evidence includes: system registry files, application log files, AAA (Authentication, Authorization, Accounting) log files, RADIUS (Remote Authentication Dial-In User Service) logs, network element logs, firewall logs, HIDS (host-based intrusion detection system) events, NIDS (network intrusion detection system) events, disk drives and hidden files. When collecting evidence, note: photograph any equipment before moving or removing it; follow the two-person rule during the investigation, that is, information is collected by at least two people, to prevent tampering; record all steps taken and any change to configuration settings, and keep all these records in a safe place. Check the access permissions of all system directories to detect whether the permission list has been modified.
6. Make various attempts (using different parts of the network) to identify the source of the attack.
7. In order to use legal weapons against crime, the evidence must be preserved, and forming evidence takes time. To do this we must endure the impact of the attack (though some security measures could be developed to ensure the attack does not harm the network). In this case we should not only take legal action but also at least engage an authoritative security company to help stop the crime. The most important feature of these operations is obtaining evidence of the crime and finding the address of the offender, which is what the logs are kept for. The evidence collected should be preserved effectively. Make two copies at the beginning: one for assessment of the evidence, the other for legal verification.
8. Afterwards, try to find the loopholes in the system, close them, and test by attacking yourself.
Network security is not only a technical problem but also a social problem. Enterprises should take network security seriously; relying blindly on technical tools alone will leave them more and more passive, and only bringing social and legal aspects into play can combat cyber crime more effectively. Our fight against cyber crime has clear judicial interpretations; unfortunately most companies focus only on the technical aspects and ignore the legal and social factors, and that is the purpose of writing this article.
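Step 5 above asks for the access permissions of all system directories to be checked for modification, which is only possible against a baseline taken before the incident. The following is an added example, not code from the original article: it records owner, group and mode for every entry under a tree and later reports what changed, went missing or appeared. It assumes GNU `stat -c` (standard on Linux) and uses a constructed directory tree; the baseline file location is the caller's choice.

```shell
#!/bin/sh
# Added example: permission baseline and comparison for evidence collection.
# Assumes GNU coreutils (stat -c); paths must not contain newlines.

# Emit "mode owner group path" for every entry below $1, sorted.
snapshot_perms() {
    find "$1" -exec stat -c '%a %U %G %n' {} + | sort
}

# Compare baseline file $1 against a fresh snapshot of tree $2.
# Prints one "changed"/"missing"/"new" line per difference; returns 0 only
# when the tree still matches the baseline exactly.
compare_perms() {
    current=$(mktemp)
    snapshot_perms "$2" > "$current"
    report=$(awk '
        # Split each line into attributes (a) and the full path (p), so that
        # paths containing spaces still compare correctly.
        { p = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p); a = $1 " " $2 " " $3 }
        NR == FNR { base[p] = a; next }          # first file: baseline
        !(p in base) { print "new " $0; next }   # only in current snapshot
        { seen[p] = 1 }
        base[p] != a { print "changed " p ": " base[p] " -> " a }
        END { for (q in base) if (!(q in seen)) print "missing " q }
    ' "$1" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Store the baseline file off the host (or on read-only media) together with a hash of it; a baseline the attacker can edit proves nothing.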