Ten Linux operating system security management skills experience summary


Because the Linux operating system is open source and free, it has been welcomed by more and more users. As Linux spreads across China, the relevant government departments have raised the development of operating systems with independent copyright, based on Linux, to the level of safeguarding national information security. It is therefore not difficult to predict that Linux will develop faster and further in China. Although Linux is very similar to UNIX, there are some important differences between them, and for the many system administrators accustomed to UNIX and Windows NT, securing a Linux system raises many new challenges. This article describes a range of practical Linux security management experiences.

1. File System

In a Linux system, creating separate primary partitions for different applications and mounting the critical partitions read-only greatly improves the security of the file system. This mainly involves the append-only and immutable attributes of Linux's own ext2 file system.

◆ File partitioning. A Linux file system can be divided into several main partitions, each configured and mounted separately. In general, at least /, /usr/local, /var and /home should be created as separate partitions. /usr can be mounted read-only and treated as unmodifiable: if any file in /usr changes, the system should immediately raise a security alert (this does not, of course, cover the user deliberately changing the contents of /usr). The installation and settings of /lib, /boot and /sbin are the same: mount them read-only wherever possible, and let any modification to their files, directories or attributes trigger a system alert.

It is of course impossible to make every major partition read-only. Partitions such as /var cannot be read-only by their nature, but they should be mounted without execute permission.

◆ Extending ext2. Using the append-only and immutable file attributes of the ext2 file system raises the security level further. Immutable and append-only are two of the extended attribute flags of the ext2 file system. A file marked immutable cannot be modified at all, not even by the root user. A file marked append-only can be modified, but only by appending to it, and again this holds even for the root user.

These attributes are set with the chattr command and viewed with the lsattr command; man chattr gives more detail on ext2 file attributes. The two attributes are useful for detecting hackers attempting to install intrusion backdoors in existing files. For security reasons, once such activity is detected it should be blocked immediately and an alarm message sent.

If the critical file systems are mounted read-only and their files are marked immutable, an intruder must reinstall the system before the immutable files can be deleted, and that immediately generates an alert, which greatly reduces the chance of a successful break-in.

◆ Protecting log files. The immutable and append-only attributes are especially useful for log files and log backups. The system administrator should set the active log file to append-only. When the log is rotated, the newly created log backup should be set immutable, and the new active log file becomes append-only. This usually requires adding a few control commands to the log rotation script.
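
The following script is an added example, not part of the original article: it audits `lsattr` output against the policy just described (active logs append-only, rotated backups immutable) and includes the rotation step an administrator would add to the log rotation script. The sample `lsattr` lines are constructed, the directory layout /var/log is assumed, and `rotate_log` needs root and a real ext2/3/4 file system, so it is defined but not run here.

```shell
#!/bin/sh
# Added example: audit ext2 attributes on log files and rotate a log safely.
# Policy (from the article):
#   active log   /var/log/<name>              -> must carry 'a' (append-only)
#   rotated log  /var/log/<name>.<N>[.gz]     -> must carry 'i' (immutable)

# check_log_attrs: read "lsattr" lines ("<flags> <path>") on stdin, print one
# VIOLATION line per file that lacks the required flag, exit 1 if any found.
check_log_attrs() {
    awk '
    {
        flags = $1; path = $2
        # rotated backups end in .<number> or .<number>.gz
        if (path ~ /\.[0-9]+(\.gz)?$/) { want = "i" } else { want = "a" }
        if (index(flags, want) == 0) {
            printf "VIOLATION %s expected +%s got %s\n", path, want, flags
            bad++
        }
    }
    END { exit (bad > 0) }
    '
}

# rotate_log <logfile>: the control commands the article says belong in the
# rotation script. Append-only must be dropped before the rename, the frozen
# backup becomes immutable, and the fresh active log becomes append-only.
# Requires root; not executed by this script.
rotate_log() {
    log="$1"; backup="$1.$(date +%Y%m%d)"
    chattr -a "$log" && mv "$log" "$backup" && chattr +i "$backup" \
        && : > "$log" && chattr +a "$log"
}

# Constructed sample of lsattr output (not captured from a real host):
# /var/log/secure has no 'a', /var/log/secure.1.gz has 'a' but lacks 'i'.
SAMPLE='-----a-------- /var/log/messages
-------------- /var/log/secure
----i--------- /var/log/messages.1
-----a-------- /var/log/secure.1.gz'

# count_violations: run the audit over the constructed sample.
count_violations() {
    printf '%s\n' "$SAMPLE" | check_log_attrs | grep -c VIOLATION
}

# Real use: lsattr /var/log/* | check_log_attrs
```

Against the sample the audit reports two violations: the active /var/log/secure is writable in place, and the rotated /var/log/secure.1.gz can still be appended to. On ext4 `lsattr` also shows flags such as `e`; the check only looks for the one flag the policy requires, so those do not interfere.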

2. Backup

After completing the installation of a Linux system, you should back up the entire system. You can later verify the integrity of the system against this backup and find out whether system files have been tampered with. If a system file has been corrupted, the backup can also be used to restore it to a normal state.

◆ CD-ROM backup. The best system backup medium at present is a CD-ROM disc. You can periodically compare the system against the disc contents to verify whether its integrity has been compromised. Where the security requirements are particularly strict, make the disc bootable and perform the verification as part of the boot process; as long as the system can boot from the CD, it has not been destroyed.

If you have created read-only partitions, you can reload them from the disc image periodically. Even where partitions such as /boot, /lib and /sbin cannot be mounted read-only, you can still check them against the disc image, or even re-download them from another secure image at boot time.

◆ Other ways of backing up. Although many files in /etc change often, much of the contents of /etc can still be placed on the CD for system integrity verification. Other files that are not modified often can be backed up to another medium (such as tape) or compressed into a read-only directory. This allows additional integrity checks on top of the verification against the disc image.

Since most operating systems now ship on CD, making a CD-ROM emergency boot disk or verification disk is very convenient, and it is an effective and feasible verification method.
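
As an added example (not code from the article), the script below does the comparison this section describes: it builds a hash manifest from a trusted copy, such as the CD-ROM image mounted read-only, and checks a live directory tree against it, reporting changed, missing and added files. The `demo` function constructs two small temporary trees instead of a real /etc or disc mount, and `sha256sum` (with `shasum` as a fallback) is assumed to be available.

```shell
#!/bin/sh
# Added example: verify a live tree against a manifest taken from a trusted image.

# hash_cmd <file>: print "<sha256>  <file>", using whichever tool is present.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# make_manifest <dir>: one "<sha256>  ./relative/path" line per regular file,
# sorted so the manifest is reproducible. Run this against the trusted copy.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do hash_cmd "$f"; done )
}

# verify_tree <manifest> <dir>: print CHANGED / MISSING / ADDED lines for
# every difference between the manifest and the live tree (no output = clean).
verify_tree() {
    baseline="$1"; tree="$2"
    live=$(mktemp)
    make_manifest "$tree" > "$live"
    awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }          # trusted manifest
    {
        seen[$2] = 1
        if (!($2 in base))          print "ADDED " $2    # not on the disc
        else if (base[$2] != $1)    print "CHANGED " $2  # content tampered
    }
    END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$baseline" "$live"
    rm -f "$live"
}

# demo: constructed trusted tree vs. a live tree with one file tampered,
# one deleted and one unexpected file added (sample data, not a real host).
demo() {
    base=$(mktemp -d); live=$(mktemp -d); manifest=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$base/passwd"
    printf 'ssh 22/tcp\n' > "$base/services"
    cp "$base"/* "$live"/
    printf 'evil:x:0:0::/:/bin/sh\n' >> "$live/passwd"   # tampered
    rm "$live/services"                                  # deleted
    printf 'x\n' > "$live/unexpected"                    # added
    make_manifest "$base" > "$manifest"
    verify_tree "$manifest" "$live"
    rm -rf "$base" "$live" "$manifest"
}

# Real use: make_manifest /mnt/cdrom/etc > /mnt/cdrom/etc.manifest (once),
# then verify_tree /mnt/cdrom/etc.manifest /etc from a boot-time script.
```

Keep the manifest on the read-only medium together with the files it describes, otherwise an intruder who can alter the files can alter the manifest too; that is the whole reason the article puts the baseline on a CD-ROM.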

3. Improving the internal security mechanisms of the system

The internal functions of the Linux operating system can be improved to prevent buffer overflow attacks, a highly destructive and very hard to prevent class of attack. Although such improvements require considerable experience and skill from the system administrator, they are necessary for many Linux systems that require a high level of security.

◆ Solar Designer's secure Linux patch. Solar Designer's secure Linux patch for the 2.0 kernel provides a non-executable stack to reduce the threat of buffer overflows, greatly improving the security of the whole system.

Buffer overflows are quite difficult to carry out, because the intruder must be able to determine when a potential overflow will occur and where it lies in memory. They are also very difficult to defend against: the system administrator must remove every existing buffer overflow to prevent this type of attack. For this reason many people, including Linus Torvalds, consider this secure Linux patch important, because it prevents all attacks that use buffer overflows. Note, however, that these patches also cause problems for certain programs and libraries that execute code on the stack, which poses new challenges for system administrators.

Non-executable stack patches have been distributed on many security mailing lists (such as [email protected]), and users can easily download them.

◆ StackGuard. StackGuard is a very powerful security patch tool: you recompile and link critical applications with the version of gcc patched by StackGuard.

StackGuard adds stack checking to prevent buffer overflow attacks on the stack. Although this causes a slight degradation in system performance, StackGuard is still a very useful tool for specific applications with high security requirements.

There is now a Linux version built with StackGuard, which makes StackGuard easier for users to adopt. Although using StackGuard costs about 10 to 20% in system performance, it can prevent buffer overflows entirely.

◆ Adding new access control features. The Linux 2.3 kernel is working on implementing access control lists in the file system, which add finer-grained access control on top of the original three categories (owner, group and other).

The new access control features are being developed in the 2.2 and 2.3 Linux kernels and will eventually address some of the current issues with ext2 file attributes, providing more precise security control than the traditional ext2 file system. With this new feature, applications will be able to access certain system resources, such as initial sockets, without superuser privileges.

◆ Rule Set Based Access Control. The Linux community is currently developing the Rule Set Based Access Control (RSBAC) project, which claims to bring B1-level security to the Linux operating system. RSBAC is an extension framework built on access control; it extends many system calls and supports a variety of different access and authentication methods. This is useful for extending and enhancing the internal and local security of Linux systems.

4. Setting traps and honeypots

A trap is software that triggers an alarm event when activated, while a honeypot is a program designed to lure an intruder into a trap that triggers a dedicated alarm. By deploying trap and honeypot programs, an alarm can be raised quickly when an intrusion occurs. Many large networks deploy purpose-built trap programs. Traps generally come in two kinds: one only identifies the intruder without retaliating, and the other retaliates at the same time.

A common way to set up a honeypot is to deliberately advertise that the Linux system runs a version of the IMAP server with many vulnerabilities. When an intruder probes the IMAP port in search of such servers, they fall into the trap and trigger a system alarm.

Another example of a honeypot trap is the famous phf, a very vulnerable Web cgi-bin script. The original phf was designed to look up phone numbers, but it has a serious security hole: it allows intruders to use it to obtain the system password file or perform other malicious operations. The system administrator can set up a fake phf script which, instead of sending the system's password file to the intruder, returns some false information and simultaneously alerts the administrator.

Another type of honeypot trap can immediately deny the intruder further access by placing the intruder's IP address on a blacklist in the firewall. Rejecting unfriendly visitors can be either short-term or long-term. The firewall code in the Linux kernel is well suited to this.

5. Nipping intrusions in the bud

One of the most common things an intruder does before an attack is a port scan. If port scanning can be detected and stopped in time, the number of intrusion events can be greatly reduced. The reacting system can be a simple stateful packet filter, or a complex intrusion detection system or configurable firewall.

◆ Abacus Port Sentry. Abacus Port Sentry is an open source toolkit that monitors network interfaces and interacts with the firewall to shut down port scan attacks. When a port scan is in progress, Abacus Sentry can quickly stop it from continuing. If misconfigured, however, it may also allow a hostile outsider to mount denial of service attacks against your system.

Abacus PortSentry provides a very effective intrusion prevention measure when used with a transparent proxy tool in Linux. This redirects unused ports that provide generic services, for all IP addresses, to Port Sentry, which detects and blocks the port scan before the intruder takes further action.
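
To show the detect-then-blacklist reaction that the firewall trap in section 4 and the port scan discussion above both describe, here is an added example (not the article's code and not part of Port Sentry): an awk filter reads kernel packet-filter log lines, flags any source that touches more than a threshold of distinct destination ports, and a hook prints the firewall rule that would blacklist it. The log lines are constructed samples using the `SRC=`/`DPT=` token format of the kernel's firewall logging; the threshold of 5 ports and the `iptables` syntax in the hook are assumptions, and the hook is a dry run that prints rather than applies the rule.

```shell
#!/bin/sh
# Added example: detect port scans in firewall log lines and react.

SCAN_THRESHOLD=${SCAN_THRESHOLD:-5}   # distinct ports before a source counts as a scan

# detect_scans: read log lines on stdin, print "SCAN <src> <nports>" for each
# source that probed at least SCAN_THRESHOLD distinct ports. Lines without
# both a SRC= and a DPT= token are ignored.
detect_scans() {
    awk -v limit="$SCAN_THRESHOLD" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        key = src SUBSEP dpt
        if (!(key in seen)) { seen[key] = 1; ports[src]++ }   # count each port once
    }
    END {
        for (s in ports) if (ports[s] >= limit) printf "SCAN %s %d\n", s, ports[s]
    }
    '
}

# block_scanners: the reaction hook. Reads SCAN lines and prints the firewall
# rule that would blacklist the source (dry run; a real deployment would
# execute it, and ipchains-era kernels would use the equivalent ipchains rule).
block_scanners() {
    while read -r tag src nports; do
        [ "$tag" = "SCAN" ] || continue
        echo "iptables -I INPUT -s $src -j DROP   # $nports ports probed"
    done
}

# Constructed sample log lines (not captured from a real host): 192.0.2.10
# sweeps six services, 192.0.2.44 is an ordinary web client.
SAMPLE='IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=21
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80
IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=143
IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=80
IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=443'

# scan_report: run the detector over the constructed sample.
scan_report() { printf '%s\n' "$SAMPLE" | detect_scans; }

# Real use: tail -f /var/log/messages | detect_scans | block_scanners
```

On the sample only 192.0.2.10 is reported (six distinct ports; the repeated port 80 hit is counted once), and the hook emits a single DROP rule for it. This is also where the misconfiguration risk the article mentions for Port Sentry shows up: an attacker who can spoof source addresses in the logged packets could get legitimate addresses blacklisted, so a real deployment should whitelist its own gateways and DNS servers and expire blocks after a while rather than keeping them forever.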
