Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Linux Operating System Security Management Experience     - Use Git in Eclipse (Linux)

- MySQL database to open a remote connection method (Database)

- Use smem visual display Linux memory usage (Linux)

- Fedora 20 installation source Xen4.3.0 (Linux)

- Transfer files and permissions from Windows to Linux system by Samba (Linux)

- The difference between free command displays the buffers and cache (Linux)

- Diagnose and resolve the SSH connection slow (Linux)

- Linux tmux tcpdump summary (Linux)

- Android system source code and compile the kernel source code (Programming)

- Java Concurrency -volatile keywords (Programming)

- Linux System Getting Started Learning: install software packages on Ubuntu and Fedora (Linux)

- Automatic batch resolve dependencies problem locally installed rpm package (Linux)

- How to use nmap command in Linux (Linux)

- Installation and Configuration ISC DHCP server on Debian Linux (Server)

- Ansible module Know (Linux)

- ld.so.conf.d profile (Linux)

- HomeKit User Interface Guidelines (Linux)

- Oracle 11g logical standby achieve BI needs (Database)

- Linux network cut package is not fully defragment (Linux)

- Why I do not like the Go language style interface (ie Structural Typing) (Programming)

  Linux Operating System Security Management Experience
  Add Date : 2018-11-21      
  Since the Linux operating system is a free open-source operating system, so more and more users. With the Linux operating system in our country's growing popularity, the relevant government departments is to develop Linux-based operating system with independent copyright raised to defend the national security of the height to look at, so we can easily predict the future Linux operating system in China will get faster and greater development. Although Linux and UNIX are very similar, but there are also some important differences between them. For many accustomed to the UNIX and Windows NT system administrators in terms of how to ensure the security of Linux operating system will face many new challenges. This article describes five practical Linux experience in safety management.
First, the file system
In the Linux system, namely to install a separate primary partition key for different applications will partition to read-only file system will greatly improve the security of. This is mainly related to the Linux ext2 file system itself only add (add only) and can not change these two attributes.
File partition Linux file systems can be divided into several main partitions, each respectively different configuration and installation, under normal circumstances at least to build /, / usr / local, / var, and / home partition and so on. / Usr can be mounted read-only and can be considered to be immutable. If / usr have changed any files, then the system will immediately send the security alert. Of course, this does not include the user to change / usr contents. / Lib, / boot and / sbin to install and set up the same. When installation should try to set them as read-only, and their files, directories, and attributes of any changes will cause the system to alarm.
Of course, all the major district are set to read-only is not possible, some partitions such as / var, with its own nature determines they can not be set to read-only, but should not allow it to have execute permissions.
Extended ext2 ext2 file systems use only and can not be changed to add two file attributes can be further enhanced level of security. Immutable and only add extended attributes are only two of the ext2 file system attribute flag approach. A marked immutable file can not be modified, or even the root user can not be modified. Just add a tag to a file can be modified, but only add content behind it, even if the root user so be it.
You can modify these properties files by chattr command, if you want to view the property value, then you can use the lsattr command. To learn more information about the ext2 file attribute, use the command man chattr to seek help. Both the file attributes in the detection of hackers attempting to install a backdoor invasion existing file is useful. For security purposes, once detected such activity should immediately stop and alarm information.
If your key file system mounted read-only and the file is marked as immutable, the intruder must re-install the system to delete these files but can not change immediately generate alarms, thus greatly reducing the illegal invasion of opportunity.
Protected log file when used in conjunction with the log file and log backups can not be changed and only add these two file attributes particularly useful. log file attributes, system administrators should be added only to the activities. When the log is updated, the backup log file properties should be set to the newly created immutable, and the new activity log file attributes, it is a just add. This usually need to add some control commands in the log update script.
Second, the backup
After the installation is complete Linux system, the whole system should be back up later according to the backup to verify the integrity of the system, so you can find the system file has been illegally tampered with. If the system files have been damaged occurs, you can use the system backup to restore to normal state.
CD-ROM backup of the current best system backup media is CD-ROM disc, the system can later be regularly compare the contents of the disc in order to verify the integrity of the system is damaged. If the requirements are particularly high level of security, you can set the bootable CD and will validate the system work as part of the process started. So long as you can boot to the CD, it shows the system had not been destroyed.
If you create a read-only partition, you can periodically re-load them from a disc image. Even as / boot, / lib and / sbin so can not be installed into read-only partitions, you can still check them according to the disc image, even from another security image re-download them at startup.
While other forms of backup / etc Many of the documents often change, but / etc many of the contents can still be placed on the optical disk for system integrity verification. Other less frequently modified files can be backed up to another system (such as tape), or compressed into a read-only directory. This approach can further additional system integrity check based on the use to verify a disc image on.
Now that the vast majority of the operating system are now in with the CD provided together, making a CD-ROM disk emergency boot disk or verification is very convenient to operate, it is a very effective and feasible method of authentication.

Third, improve the system of internal security
Linux operating system by improving internal functions to prevent buffer overflow attacks but hardest of this highly destructive attack prevention, although such improvement requires system administrator with considerable experience and skill, but for many of the require high level of security in terms of Linux system is still very necessary.
Solaris Designer security patch Solaris Designer for Linux 2.0 Linux kernel security patch provides a non-executable stack to reduce the threat of buffer overflow, thus greatly improving the security of the entire system.
Buffer overflow is very difficult to implement because the intruder must be able to judge when a potential buffer overflow occurs and its location in memory of what occurred. Buffer overflow is also very difficult to prevent, the system administrator must completely remove the buffer overflow condition exists to prevent this form of attack. Because of this, many people even think that Linux Torvalds himself Linux security patches is important because it prevents all use of buffer overflow attacks. But require attention, these patches will lead to new challenges to the implementation of certain programs and stack library dependency problems, these problems are brought to the system administrator.
Stack unenforceable patch has been distributed in a number of security mailing lists (such as securedistros@nl.linux.org), users can easily download it to them and so on.
StackGuardStackGuard is a very powerful tool for security patches. You can use gcc by StackGuard patched version to re-compile and link critical applications.
StackGuard increase when compiling a stack of checks to prevent stack buffer overflow attacks, although this will lead to a slight decrease system performance, but the high security requirements of a particular application StackGuard is still a very useful tool.
Now that you have a Linux version of SafeGuard uses, users StackGuard would be easier. Although StackGuard cause system performance degradation of about 10 to 20%, but it can be prevented through the buffer overflow of this type of attack.
Add new access control features of version 2.3 Linux kernel is trying to implement a file system access control lists, which can be added to a more detailed access on the basis of the original three categories (owner, group and other) access control mechanism on control.
In version 2.2 and 2.3 Linux kernel will also develop new access control feature, which will eventually be some of the current issues related to the impact of the ext2 file attributes. Compared with the traditional ext2 file system has it provides a more accurate safety control functions. With this new feature, the application will be able to access certain system resources without having superuser privileges, such as the initial socket and so on.
Based access control rule sets the Linux community is now related to the development of a rule-based access control (RSBAC) project, which claims to be able to make the Linux operating system to achieve B1 level security. RSBAC is based on extended access control framework and expands the number of system call method, which supports a variety of different access and authentication methods. This expansion and strengthening of internal security and local Linux system is a very useful.
Fourth, setting traps and honeypots
The so-called trap is activated when the alarm event can trigger the software, but honey pot (honey pot) program being designed to lure those who have attempted intrusion alarm triggered the trap of special procedures. By setting traps and honeypots procedures, once the invasion alarm system quickly appeared. In many large networks are generally designed with a special trap program. Trap procedure is generally divided into two types: one is only found an intruder without their retaliation, the other is and to take retaliatory action.
One common method is to deliberately set the honeypot claiming Linux system uses IMAP server version has many vulnerabilities. When the intruder on the IMAP server port scanning large capacity will fall into the trap and excitation system alarms.
Another example is the honeypot trap famous phf, it is a very vulnerable Web cgi-bin script. The initial phf is designed to find a phone number, but it has a serious security flaw: to allow an intruder to use it to get the system password file, or perform other malicious actions. The system administrator can set up a fake phf script, but it is not the system password file sent to the intruder, but the intruder to return some false information and also issued a warning to the system administrator.
Another type of honeypot trap program can intruders by the firewall IP address will be set to black to immediately reject the intruder to continue his visit. Denial of access to either unfriendly short-term, it can be long-term. Linux kernel firewall code is very suitable to do so.
V. intrusion nipped in the bud
Usually do before the intruder attacks thing is to end the scan resolution, if the ability to detect and deter intruders Pin scanning behavior, you can greatly reduce the incidence of invasion. The reaction system can be a simple status check packet filter, it can be a complicated intrusion detection system or firewall configuration.
Abacus Port SentryAbacus Port Sentry is an open source toolkit, it can monitor the network interface and interact with the firewall to shut down the port scan attack. When the port scan occurs ongoing, Abacus Sentry can quickly stop it continue. However, if configured incorrectly, it could allow a hostile external person to install on your system denial of service attacks.
Abacus PortSentry If used with Linux in transparent proxy tool can provide a very effective intrusion prevention measures. This will provide common services to all IP addresses of unused ports redirected to the Port Sentry in, Port Sentry can take the intruder is detected in time, pending further action and block port scans.
Abacus Port Sentry can detect slow-scan (slow scan), but it can not detect structured attacks (structured attack). The ultimate goal of these two methods have tried to cover up the attack intentions. Slow scan port scan is spread by a very long time to complete, and in the structure of the attack, the attacker tries to scan or detect multiple source addresses to hide their true target.
Proper use of this software will be able to effectively prevent a large number of parallel scan IMAP service and stop all such intruders.
- Vim useful plugin: vundle (Linux)
- Depth understanding of the use of Spring Redis (Programming)
- Linux environment SSH login password instead of using the RSA Certificate (Linux)
- Android application simulates the phone keypad (Programming)
- expdp reported ORA-39181 Export Processing Method (Database)
- Installed FFmpeg 2.6.3 on Ubuntu / Debian / Fedora system (Linux)
- Learning Linux coding style (Programming)
- CentOS6 5 source compiler installation Hadoop2.5.1 (Server)
- Single Instance ASM under CRS-4124, CRS-4000 error handling (Database)
- Ubuntu users Steam controller does not work solutions (Linux)
- Difference between TCP and UDP protocols (Linux)
- Ubuntu 14.04 can be used to create a WIFI hotspot for Android (Linux)
- C ++ 11 feature: decltype keywords (Programming)
- vector C ++ sequence containers (Programming)
- Distributed Hadoop1.2.1 cluster installation (Server)
- Oracle Linux 5.5 (64bit) Install Oracle 11gR2 RAC detailed tutorial (Database)
- C ++ string in the end (Programming)
- The relationship between UNIX and Linux (Linux)
- Rman Oracle database backup and recovery plan (Database)
- How to set the default Fedora from the command line (Linux)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.