Protect against four levels of attacks to ensure Linux server security

The following article mainly describes the prevention of four levels of attacks to ensure the security of the Linux server. If you are cautious about ensuring the security of Linux servers against four levels of attacks, the following article will unveil its mystery. With the continuous expansion of Linux enterprise applications.

A large number of web servers are using the Linux operating system. The security performance of Linux servers is receiving more and more attention.

The depth of attack on Linux servers is listed in levels and different solutions are proposed.

With the expansion of Linux enterprise applications, there are a large number of network servers using the Linux operating system. The security performance of Linux servers is receiving more and more attention. Here, the depth of attacks on Linux servers is listed in levels and different solutions are proposed.

The definition of a Linux server attack is that an attack is an unauthorized act designed to obstruct, damage, weaken, or compromise the security of a Linux server. The scope of the attack can be denied from the service until the Linux server is completely compromised and destroyed. There are many kinds of attacks on Linux servers. This article explains from the perspective of attack depth that we divide the attacks into four levels.

Attachment level 1: Service denial of attack (DoS)

Due to the proliferation of DoS attack tools and the fact that the defects of the protocol layer targeted cannot be changed for a short time, DoS has become a circumstance. The most extensive and most difficult way to defend against attacks.

Service denial attacks include distributed denial of service attacks, reflective distributed denial of service attacks, DNS distribution denial of service attacks, FTP attacks, and so on. Most service denial attacks lead to relatively low-level risks, even those that may cause the system to restart are only temporary problems. This type of attack is largely different from those that want to gain network control. It generally does not affect the security of the data Linux server, but the service denial attack will last for a long time and is very difficult.

So far, there is no absolute way to stop such attacks. However, this does not mean that we should be at hand. In addition to emphasizing the importance of personal host protection and protection, the strengthening of server management is a very important part. Be sure to install the verification software and filtering function to verify the real address of the source address of the message. In addition, for several service denials, the following measures can be taken: turning off unnecessary services, limiting the number of simultaneous semi-connections opened at the same time, shortening the time out time of Syn semi-join, and updating system patches in time.

Attack level 2: Local users get read and write access to their unauthorized files

Local users refer to passwords on any machine on the local network, and thus on a drive There is a user on the directory. The question of whether local users have access to the read and write permissions of their unauthorized files is largely due to the criticality of the files being accessed. Any local user's arbitrary access to the temporary file directory (/tmp) is dangerous, and it can potentially lay a path to the next level of attack.

The main attack method of Level 2 is: hackers trick legitimate users into telling them confidential information or performing tasks. Sometimes hackers pretend that network administrators send emails to users and ask users to give them passwords for system upgrades.

Almost all attacks initiated by local users start with remote login. For Linux servers, the best approach is to place all shell accounts on a separate machine, that is, to register on only one or more servers that are assigned shell access. This makes it easier to manage log management, access control management, release protocols, and other potential security issues. The system that stores the user's CGI should also be distinguished. These machines should be isolated in a specific network segment, that is, they should be surrounded by routers or network switches depending on the configuration of the network. Its topology should ensure that hardware address spoofing cannot exceed this section.

Attack Level 3: Remote Users Get Read and Write Permissions for Privileged Files

A third level of attack can do more than just verify the existence of a particular file, but also read and write these files. The reason for this is that there are some weaknesses in the Linux server configuration: remote users can execute a limited number of commands on the server without a valid account.

Password attack is the main attack method in the third level. Damage password is the most common attack method. Password cracking is a term used to describe the infiltration of a network, system, or resource to unlock a password-protected resource with or without tools. Users often ignore their passwords and password policies are difficult to implement.

A hacker has multiple tools to defeat passwords protected by technology and society. Mainly include: Dictionary attack, Hybrid attack, Brute force attack. Once a hacker has a user's password, he has a lot of user privileges. Password guessing refers to manually entering a normal password or obtaining a password by compiling the original of the program. Some users choose simple passwords—such as birthdays, anniversaries, and spouse names—but do not follow the rules that should be mixed with letters and numbers. It doesn't take long for a hacker to guess a string of eight-word birthday data.

The best defense against third-level attacks is to strictly control access privileges, using a valid password. It mainly includes the rules that passwords should be mixed with letters, numbers, and capitalization (because Linux distinguishes between uppercase and lowercase). Using special characters like "#" or "%" or "$" also adds complexity. For example, use the word "countbak" and add "#$" (countbak#$) after it, so you have a fairly valid password.

Attack Level 4: Remote Users Get Root Permissions

The fourth attack level refers to things that should never happen. This is a fatal attack. Indicates that the attacker has root, superuser, or administrator permissions on the Linux server to read, write, and execute all files. In other words, the attacker has full control over the Linux server and can completely shut down or even destroy the network at any time.

Attack Level Four main forms of attack are TCP/IP continuous theft, passive channel listening and packet interception. TCP/IP continuous theft, passive channel listening and packet interception are methods for collecting important information into the network. Unlike denial of service attacks, these methods have more stealing-like nature and are more difficult to discover.

A successful TCP/IP attack allows hackers to block transactions between two groups, providing a good chance for a man-in-the-middle attack, and then the hacker will control one or both transactions without being noticed by the victim. . Through passive eavesdropping, hackers will manipulate and register information, deliver the files, and find the deadly threats that can be passed from all available channels on the target system. The hacker will look for a combination of online and password to recognize the legitimate channel of the application. Packet interception refers to the address at the target system that constrains an active listener program to intercept and change all or special information. Information can be redirected to an illegal system for reading and then sent back to the hacker without change.

TCP/IP continuous theft is actually network sniffing. Note that if you are sure that someone has taken the sniffer to your network, you can find some tools for verification. This tool is called the Time Domain Reflectometer (TDR). TDR measures the propagation and changes of electromagnetic waves. Connect a TDR to the network to detect unauthorized devices that acquire network data. However, many small and medium-sized companies do not have such expensive tools. The best way to prevent sniffer attacks is:

1, Linux server security topology. The sniffer can only capture data on the current network segment. This means that the finer the network segmentation work, the less information the sniffer can collect.

2. Session encryption. There is no need to worry about data being sniffed, but to find ways to make the sniffer not aware of the sniffed data. The advantage of this approach is obvious: even if the attacker sniffs the data, the data is useless to him.

Special Tip: Counterattack Measures for Attacks

You must pay special attention to attacks that exceed the second level. Because they can constantly increase the attack level to penetrate the Linux server. At this point, the counter-attacks we can take are:

First back up important enterprise key data.

Change all passwords in the system and notify the user to find a new password for the system administrator.

Isolating this network segment makes the attack behavior only appear in a small area.

Allow the behavior to continue. If possible, don't rush to get the attacker out of the system and prepare for the next step.

Record all actions and collect evidence. The evidence includes: system login file, application login file, AAA (Authentication, Authorization, Accounting, authentication, authorization, accounting) login file, RADIUS (Remote Authentication Dial-In User Service) login, network element login (Network Element Logs) , firewall login, HIDS (Host-Base IDS), NIDS (Network Intrusion Detection System) events, disk drives, hidden files, etc. Pay attention when collecting evidence: take photos before moving or disassembling any equipment; follow the two-person rule in the investigation, and have at least two people in the information collection to prevent tampering; all steps taken and Any changes to the configuration settings should be kept in a safe place. Check the access permissions for all directories in the system and check if Permslist has been modified.

A variety of attempts (using different parts of the network) to identify the source of the attack.

In order to use legal weapons to fight crime, evidence must be retained, and it takes time to form evidence. In order to do this, you must endure the impact of the attack (although some security measures can be made to ensure that the attack does not harm the network). In this case, we must not only take some legal measures, but also at least ask an authoritative security company to help stop this crime. The most important feature of this type of operation is to obtain evidence of the crime, find the address of the perpetrator, and provide the log it has. The evidence collected should be effectively saved. Two copies were made at the beginning, one for evaluation of evidence and the other for legal verification.

After finding the system vulnerability, try to block the vulnerability and conduct a self-attack test.

Network security is not just a technical issue, but a social issue. Enterprises should pay more attention to the security of network Linux servers. If they rely solely on technical tools, they will become more and more passive. Only by exerting social and legal aspects to combat cybercrime can they be more effective. China has a clear judicial interpretation of the fight against cybercrime. Unfortunately, most companies only pay attention to the role of technology and ignore legal and social factors. This is also the purpose of this article.

Denial Service Attack (DoS)

DoS is Denial Of Service, the abbreviation of Denial of Service, can not be considered as Microsoft's DOS operating system! DoS attack allows the target machine to stop providing services or resources. The access is usually aimed at consuming server-side resources. By forging the request data exceeding the processing power of the server, the server responds to the blocking, so that the normal user request cannot be answered, so as to achieve the attacking purpose.