Linux server attack and defense techniques explained


With the expansion of Linux in the enterprise, a large number of network servers now run the Linux operating system, and the security of Linux servers is receiving more and more attention. Here, attacks on Linux servers are classified by depth into levels, and a different set of countermeasures is proposed for each level.

A Linux server attack is an unauthorized act intended to obstruct, damage, weaken, or compromise the security of a Linux server. Its scope ranges from denial of service up to the complete compromise and destruction of the server. There are many kinds of attacks on Linux servers; this article looks at them from the perspective of attack depth and divides them into four levels.

Attack Level 1: Denial of Service (DoS)

Because DoS attack tools have proliferated and the protocol-layer defects they target cannot be fixed in the short term, DoS has become the most widespread and most difficult type of attack to defend against.

Denial of service attacks include distributed denial of service attacks, reflective distributed denial of service attacks, DNS distributed denial of service attacks, and FTP attacks. Most denial of service attacks pose relatively low-level risks; even those that force the system to restart cause only temporary problems. This type of attack is quite different from attacks that aim to gain control of the network: it generally does not affect data security, but a denial of service attack can last a long time and is very difficult to deal with.

So far, there is no absolute way to stop such attacks. However, this does not mean we should sit idle. Besides stressing the importance of protecting individual hosts, strengthening server management is a very important part. Be sure to install verification and filtering software that checks the real source address of incoming packets. In addition, several measures can be taken against denial of service: turn off unnecessary services, limit the number of half-open connections that may be open at the same time, shorten the timeout of SYN half-open connections, and apply system patches promptly.
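The last two measures above (limiting half-open connections and shortening their timeout) correspond on Linux to the kernel's SYN cookie, SYN backlog and SYN-ACK retry settings. The following added example (not from the article) audits those settings; it reads the files from a directory argument so it can be run against /proc/sys/net/ipv4 on a live host or against a constructed directory for testing. The thresholds (backlog of at least 2048, at most 2 SYN-ACK retries) are this example's own assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not part of the article: check the kernel settings that bound
# SYN half-open connections on a Linux server.
#
# Usage: check_syn_hardening /proc/sys/net/ipv4
# Each SYN-ACK retry doubles the wait, so fewer retries means half-open
# entries expire sooner; SYN cookies let the server answer without queueing.

# Return 0 if the SYN-related settings are hardened, 1 otherwise,
# printing one line per weak setting. Thresholds are assumptions.
check_syn_hardening() {
    base=$1
    rc=0
    syncookies=$(cat "$base/tcp_syncookies")
    backlog=$(cat "$base/tcp_max_syn_backlog")
    retries=$(cat "$base/tcp_synack_retries")
    if [ "$syncookies" != "1" ]; then
        echo "tcp_syncookies=$syncookies: enable SYN cookies (set to 1)"
        rc=1
    fi
    if [ "$backlog" -lt 2048 ]; then
        echo "tcp_max_syn_backlog=$backlog: raise the half-open queue (>= 2048)"
        rc=1
    fi
    if [ "$retries" -gt 2 ]; then
        echo "tcp_synack_retries=$retries: lower it so half-open entries time out sooner (<= 2)"
        rc=1
    fi
    return $rc
}

# Build a constructed directory that mimics /proc/sys/net/ipv4 with the
# given syncookies, backlog and retries values; print its path.
make_sample_ipv4() {
    d=$(mktemp -d)
    echo "$1" > "$d/tcp_syncookies"
    echo "$2" > "$d/tcp_max_syn_backlog"
    echo "$3" > "$d/tcp_synack_retries"
    echo "$d"
}

# Demo against constructed values resembling an unhardened default host.
if check_syn_hardening "$(make_sample_ipv4 0 128 5)"; then
    echo "SYN settings hardened"
else
    echo "weak SYN settings found"
fi
```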

Attack Level 2: Local Users Get Read and Write Access to Unauthorized Files

Local users are users who have a password on any machine on the local network and therefore have a directory on a drive. Whether a local user's read and write access to unauthorized files matters depends largely on how critical the accessed files are. Arbitrary access by any local user to the temporary file directory (/tmp) is dangerous, because it can lay a path to the next level of attack.
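The usual control for the shared /tmp risk described above is the sticky bit, which stops one local user from deleting or replacing another user's files in a world-writable directory. The following added example (not from the article) reports a shared directory that lacks it, plus any files beneath it that any local user may overwrite; the demo builds a constructed directory tree, but the functions work on a real /tmp as well.

```shell
#!/bin/sh
# Added example, not part of the article: find shared directories where any
# local user can remove or replace other users' files.
#
# Usage: shared_dir_status /tmp ; world_writable_files /tmp

# Print "weak" when DIR is world-writable without the sticky bit (mode
# bit 1000), "ok" otherwise. -prune stops find from descending into DIR.
shared_dir_status() {
    if [ -n "$(find "$1" -prune -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
        echo weak
    else
        echo ok
    fi
}

# List regular files under DIR that any local user may overwrite.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Build a constructed sample tree with the given directory mode: one
# world-writable file and one private file. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    chmod "$1" "$d"
    : > "$d/shared.log"
    chmod 666 "$d/shared.log"
    : > "$d/private.txt"
    chmod 600 "$d/private.txt"
    echo "$d"
}

# Demo: a 777 directory is weak, a 1777 directory (like a proper /tmp) is ok.
for mode in 777 1777; do
    t=$(make_sample_tree "$mode")
    echo "mode $mode: $(shared_dir_status "$t"); writable by anyone: $(world_writable_files "$t")"
done
```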

The main attack method at Level 2 is for hackers to trick legitimate users into disclosing their confidential information or performing tasks. Sometimes hackers impersonate the network administrator and e-mail users asking for their passwords, claiming they are needed for a system upgrade.

Attacks initiated by local users almost always start with a remote login. For Linux servers, the best approach is to place all shell accounts on a single machine, that is, to allow registration only on one or a few servers that are assigned shell access. This makes log management, access control management, protocol release, and other potential security issues easier to manage. The systems that hold users' CGI programs should also be kept separate. These machines should be isolated in a specific network segment, that is, surrounded by routers or network switches depending on the configuration of the network. The topology should ensure that hardware address spoofing cannot reach beyond this segment.

Attack Level 3: Remote Users Get Read and Write Permissions for Privileged Files

A third-level attack can do more than just verify the existence of a particular file: it can read and write those files. The reason is a weakness in Linux server configuration: remote users can execute a limited number of commands on the server without a valid account.

Password attacks are the main attack method at the third level, and compromised passwords are the most common attack vector. Password cracking is a term describing the infiltration of a network, system, or resource, with or without tools, to unlock a password-protected resource. Users often neglect their passwords, and password policies are difficult to enforce. Hackers have multiple tools to defeat both technical and social password protections, mainly dictionary attacks, hybrid attacks, and brute force attacks. Once a hacker has a user's password, he has that user's privileges. Password guessing refers to manually entering common passwords, or obtaining a password by compiling and running a program. Some users choose simple passwords, such as birthdays, anniversaries, and spouse names, and do not follow the rule that passwords should mix letters and numbers. It does not take a hacker long to guess an eight-digit birthday string.

The best defense against third-level attacks is to strictly control access privileges and use valid passwords:

◆ Passwords should mix letters, numbers, and upper and lower case (because Linux is case-sensitive).

◆ Using special characters like "#", "%" or "$" adds complexity. For example, take the word "countbak" and append "#$" (countbak#$), and you have a fairly good password.
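The two rules above can be turned into a policy check that a server can apply before accepting a password. The following added example (not from the article) counts the character classes the article names (lower case, upper case, digits, special characters) and also rejects passwords that are a dictionary word padded with trailing digits or symbols, which is the pattern hybrid attacks extend. The 8-character minimum, the three-class requirement and the tiny wordlist are this example's own assumptions. Note that by the article's own class rules, countbak#$ uses only lower case letters and special characters.

```shell
#!/bin/sh
# Added example, not part of the article: a small password-policy checker
# applying the rules listed above. Minimum length, class count and the
# wordlist are assumptions for this example.

# Count how many of the four character classes a password uses (0-4).
password_class_count() {
    pw=$1
    n=0
    case $pw in *[[:lower:]]*) n=$((n + 1));; esac
    case $pw in *[[:upper:]]*) n=$((n + 1));; esac
    case $pw in *[[:digit:]]*) n=$((n + 1));; esac
    case $pw in *[![:alnum:]]*) n=$((n + 1));; esac
    echo "$n"
}

# Constructed stand-in for a cracker's dictionary. The password is lowercased
# and trailing digits/symbols are stripped before lookup, so "Password1!"
# is still caught as the word "password".
in_dictionary() {
    base=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z]*$//')
    case $base in
        password|secret|birthday|admin|welcome) return 0;;
    esac
    return 1
}

# Print "ok" and return 0 when the password meets the policy; otherwise
# print the reason and return 1.
password_ok() {
    pw=$1
    if [ ${#pw} -lt 8 ]; then echo "too short"; return 1; fi
    if in_dictionary "$pw"; then echo "dictionary word"; return 1; fi
    if [ "$(password_class_count "$pw")" -lt 3 ]; then
        echo "needs at least three of: lower, upper, digit, special"; return 1
    fi
    echo "ok"
    return 0
}

# Demo over constructed candidates (the last one is the article's example).
for candidate in '19900101' 'Password1!' 'Cnt7bak#$' 'countbak#$'; do
    echo "$candidate -> $(password_ok "$candidate")"
done
```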

Attack Level 4: Remote Users Get Root Permissions

The fourth attack level is something that should never happen. It is a fatal attack: it means the attacker has root, superuser, or administrator permissions on the Linux server and can read, write, and execute all files. In other words, the attacker has full control of the Linux server and can shut down or even destroy the network at any time.

The main attack forms at Level 4 are TCP/IP continuous theft, passive channel listening, and packet interception. All three are methods for collecting important information from the network. Unlike denial of service attacks, they are more like theft and are harder to discover. A successful TCP/IP attack lets a hacker intercept the transactions between two parties, providing a good opportunity for a man-in-the-middle attack, after which the hacker can control one or both sides of the transaction without the victims noticing. Through passive eavesdropping, hackers manipulate and record information, deliver files, and look for fatal weaknesses that can be reached through every available channel on the target system. The hacker looks for username and password combinations in order to identify the application's legitimate channels. Packet interception refers to placing an active listening program at the target system's address to intercept and alter all or selected information. Information can be redirected to an illegitimate system to be read and then forwarded on unchanged so that the hacker is not noticed.

TCP/IP continuous theft is in fact network sniffing. Note that if you suspect someone has placed a sniffer on your network, there are tools to verify it. One such tool is the Time Domain Reflectometer (TDR). A TDR measures the propagation and changes of electromagnetic waves; connected to the network, it can detect unauthorized devices that tap network data. However, many small and medium-sized companies do not have such expensive tools. The best ways to prevent sniffer attacks are:

1. Secure topology. A sniffer can only capture data on its own network segment, so the finer the network segmentation, the less information a sniffer can collect.

2. Session encryption. Rather than worrying about data being sniffed, find ways to make the sniffed data useless to the sniffer.
