Grading defense against Linux server attacks

  
                              

With the expansion of enterprise Linux deployments, a large number of network servers now run the Linux operating system, and the security of Linux servers is receiving more and more attention. This article grades attacks on Linux servers by their depth and proposes a different response for each level.

An attack on a Linux server is an unauthorized act intended to obstruct, damage, weaken, or compromise the server's security. Such attacks range from denial of service all the way to complete compromise and destruction of the server. There are many kinds of attacks on Linux servers; this article looks at them from the perspective of attack depth and divides them into four levels.

Contents

Attack Level 1
Attack Level 2
Attack Level 3
Attack Level 4
Special Tip: Counterattack Measures against Attacks

Links
Denial of Service Attack (DoS)

Attack Level 1: Denial of Service (DoS)

Because DoS attack tools have proliferated and the weaknesses of the targeted protocol layers cannot be changed, DoS has become the most widespread attack method and the hardest one to defend against.

Denial of service attacks include distributed denial of service (DDoS), reflective DDoS, DNS DDoS, and FTP attacks. Most denial of service attacks carry relatively low-level risk; even those that force the system to restart cause only temporary problems. This class of attack differs greatly from attacks that aim to gain control of the network: it generally does not affect data security, but a denial of service attack can last a long time and is very difficult to deal with.

So far there is no absolute way to stop such attacks, but that does not mean we should sit back and do nothing. Besides stressing the protection of individual hosts, strengthening server management is a very important part. Be sure to install verification and filtering software that checks the real source address of incoming packets. In addition, for several kinds of denial of service the following measures can be taken: turn off unnecessary services, limit the number of simultaneous half-open connections, shorten the SYN half-open timeout, and apply system patches promptly.
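As an added example, not part of the original article: counting half-open (SYN-RECV) connections per peer from `ss -tan` output is a quick way to see whether the half-open limit is being approached and by whom. The sample `ss` output and all addresses below are constructed.

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV 0      0      10.0.0.5:80         198.51.100.7:41002
SYN-RECV 0      0      10.0.0.5:80         198.51.100.7:41003
SYN-RECV 0      0      10.0.0.5:80         198.51.100.7:41004
ESTAB    0      0      10.0.0.5:80         203.0.113.9:52210
SYN-RECV 0      0      10.0.0.5:80         203.0.113.9:52211'

# Read `ss -tan` output on stdin; print "count peer", busiest peer first.
# The port is stripped with a regex so bracketed IPv6 peers also work.
syn_recv_by_peer() {
    awk '$1 == "SYN-RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print peers holding at least $1 half-open connections, one per line.
# Live use:  ss -tan | flood_suspects 50
flood_suspects() {
    syn_recv_by_peer | awk -v t="$1" '$1 >= t { print $2 }'
}

# Half-open count for one peer ($1) in the constructed sample; 0 if absent.
sample_half_open() {
    printf '%s\n' "$SAMPLE_SS" | syn_recv_by_peer |
        awk -v ip="$1" '$2 == ip { print $1; f = 1 } END { if (!f) print 0 }'
}

# The kernel-side measures in the text map to these sysctl keys
# (apply with sysctl -w or a file under /etc/sysctl.d/):
#   net.ipv4.tcp_syncookies=1      keep accepting once the backlog fills
#   net.ipv4.tcp_max_syn_backlog   cap on half-open entries per listener
#   net.ipv4.tcp_synack_retries    fewer retries = shorter half-open timeout

printf '%s\n' "$SAMPLE_SS" | flood_suspects 3    # prints 198.51.100.7
```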

Attack Level 2: Local Users Gain Read and Write Access to Unauthorized Files

Local users are users who hold a password on any machine on the local network and therefore have a directory on one of its drives. How serious it is for local users to gain read and write access to files they are not authorized for depends largely on how critical the accessed files are. Unrestricted access by any local user to the temporary directory (/tmp) is dangerous, because it can lay a path to the next level of attack.

The main attack method at Level 2 is deception: hackers trick legitimate users into revealing confidential information or performing tasks for them. Sometimes a hacker poses as the network administrator and emails users asking for their passwords, supposedly for a system upgrade.

Attacks by local users almost always start with a remote login. For Linux servers, the best approach is to place all shell accounts on a separate machine, that is, to register shell access on only one or a few servers dedicated to it. This simplifies log management, access control, protocol release and other potential security issues. Systems that store users' CGI scripts should likewise be separated. These machines should be isolated in their own network segment, bounded by routers or network switches depending on the network configuration, and the topology should ensure that hardware-address spoofing cannot cross that segment.

Attack Level 3: Remote Users Get Read and Write Permissions for Privileged Files

A third-level attack does more than verify that a particular file exists: it reads and writes those files. This is possible because of weaknesses in the Linux server's configuration that let remote users execute a limited number of commands on the server without a valid account.

Password attacks are the main attack method at the third level, and compromised passwords are the most common. Password cracking is the term for penetrating a network, system or resource, with or without tools, in order to unlock a password-protected resource. Users often neglect their passwords, and password policies are hard to enforce. Hackers have multiple tools to defeat passwords protected by technical and social means, mainly dictionary attacks, hybrid attacks and brute-force attacks. Once a hacker has a user's password, he has that user's privileges. Password guessing means entering ordinary passwords by hand, or recovering the password from a program's source code. Some users choose simple passwords such as birthdays, anniversaries and spouses' names, and ignore the rule that letters and numbers should be mixed. It does not take a hacker long to guess an eight-character string of birthday data.

The best defense against third-level attacks is to strictly control access privileges and to use effective passwords:

◆ The password should mix letters, numbers, and upper and lower case (Linux passwords are case-sensitive).

◆ Using special characters such as "#", "%" or "$" adds complexity. For example, take the word "countbak" and append "#$" (giving countbak#$); this gives a fairly effective password.
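As an added example (not from the original article): a small POSIX shell checker that applies the rules above and also asks the question a hybrid attack asks, namely whether the password is just a dictionary word with a short suffix of digits or symbols. The word list is constructed and deliberately tiny.

```shell
#!/bin/sh
# Constructed, deliberately tiny word list; a real check would load a full
# dictionary. "countback" is included to show that a near miss still passes.
DICT='password
countback
welcome
summer'

# Print the character classes the password lacks (lower, upper, digit,
# symbol), one per line; print nothing when all four are present.
missing_classes() {  # $1 = password
    case "$1" in *[a-z]*) ;; *) echo lower ;; esac
    case "$1" in *[A-Z]*) ;; *) echo upper ;; esac
    case "$1" in *[0-9]*) ;; *) echo digit ;; esac
    case "$1" in *[!a-zA-Z0-9]*) ;; *) echo symbol ;; esac
}

# A hybrid attack tries each dictionary word with a few trailing digits or
# symbols appended, so strip such a suffix and look at what is left.
hybrid_base() {  # $1 = password -> base word in lower case
    printf '%s' "$1" | sed 's/[^a-zA-Z]*$//' | tr 'A-Z' 'a-z'
}

in_dictionary() {  # $1 = word -> exit status 0 if it is in DICT
    printf '%s\n' "$DICT" | grep -qxF -- "$1"
}

# Verdict: weak (dictionary word plus suffix, or at most one class present),
# fair (two or three classes), strong (all four classes, not in dictionary).
password_verdict() {  # $1 = password
    if in_dictionary "$(hybrid_base "$1")"; then
        echo weak
        return 0
    fi
    case "$(missing_classes "$1" | wc -l | tr -d ' ')" in
        0) echo strong ;;
        1|2) echo fair ;;
        *) echo weak ;;
    esac
}

password_verdict 'countbak#$'     # fair: the article's own example
password_verdict 'Summer2019!'    # weak: dictionary word plus suffix
password_verdict 19851107         # weak: birthday digits only
```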

Attack Level 4: Remote Users Get Root Permissions

The fourth attack level is something that should never happen; it is a fatal attack. It means the attacker has root, superuser, or administrator permissions on the Linux server and can read, write, and execute every file. In other words, the attacker has full control of the Linux server and can shut down or even destroy the network at any time.

The main forms of Level 4 attack are TCP/IP continuous theft, passive channel listening and packet interception. All three are methods of collecting important information from the network. Unlike denial of service attacks, they are more theft-like in nature and harder to discover. A successful TCP/IP attack lets a hacker intercept a transaction between two parties, which provides a good opportunity for a man-in-the-middle attack; the hacker can then control one or both sides of the transaction without the victim noticing. Through passive eavesdropping, hackers manipulate and record information, pass files along, and look through every available channel on the target system for deadly threats. The hacker looks for combinations of account and password that identify the application's legitimate channel. Packet interception means binding an active listener program to an address on the target system to intercept and alter all or selected information. Information can be redirected to an illegal system to be read and then sent back to the hacker unchanged.

TCP/IP continuous theft is in practice network sniffing. Note that if you suspect someone has placed a sniffer on your network, there are tools to verify it, such as the Time Domain Reflectometer (TDR). A TDR measures the propagation and changes of electromagnetic waves; connecting one to the network detects unauthorized devices that tap network data. However, many small and medium-sized companies cannot afford such expensive tools. The best ways to protect against sniffer attacks are:

1. Secure topology. A sniffer can only capture data on its own network segment, so the finer the network segmentation, the less information a sniffer can collect.

2. Session encryption. Rather than worrying about data being sniffed, find ways to make sniffed data meaningless to the sniffer. The advantage of this approach is obvious: even if an attacker sniffs the data, it is useless to him.
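As an added example, not from the original article: a cheap host-side check that complements the TDR approach described above. Capture tools put the interface into promiscuous mode, which `ip link` reports as a PROMISC flag and which /sys/class/net/<iface>/flags exposes as bit 0x100 (IFF_PROMISC). The `ip link` output below is constructed.

```shell
#!/bin/sh
# Constructed sample of `ip link` output; only eth0 carries PROMISC.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:dd:ee:ff brd ff:ff:ff:ff:ff:ff'

# Read `ip link` output on stdin; print every interface whose flag set
# contains PROMISC. Live use:  ip link | promisc_interfaces
promisc_interfaces() {
    awk '/^[0-9]+: / && $3 ~ /[<,]PROMISC[,>]/ { sub(/:$/, "", $2); print $2 }'
}

# Independent of ip(8) output formatting: /sys/class/net/<iface>/flags holds
# the interface flags in hex, and IFF_PROMISC is bit 0x100. Exit 0 if set.
flags_promisc() {  # $1 = hex flags value as read from that file
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Walk sysfs on the running host (Linux only) and name promiscuous interfaces.
promisc_from_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        flags_promisc "$(cat "$f")" && basename "$(dirname "$f")"
    done
    return 0
}

printf '%s\n' "$SAMPLE_IP_LINK" | promisc_interfaces   # prints eth0
# A bridge port or a virtual-switch uplink is legitimately promiscuous, so
# treat a hit as a lead to investigate, not as proof of a sniffer.
```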

Special Tip: Counterattack Measures against Attacks

Attacks beyond the second level deserve special attention, because the attacker can keep raising the attack level to penetrate the Linux server. At that point, the counter-measures we can take are:

◆ First, back up the enterprise's important key data.

◆ Change all passwords in the system and notify users to obtain their new passwords from the system administrator.

◆ Isolate the network segment so that the attack is confined to a small area.

◆ Let the behavior continue. If possible, do not rush to drive the attacker out of the system; prepare for the next step instead.

◆ Record all actions and collect evidence. The evidence includes system log files, application log files, AAA (Authentication, Authorization, Accounting) logs, RADIUS (Remote Authentication Dial-In User Service) logs, network element logs, firewall logs, HIDS (host-based IDS) and NIDS (network intrusion detection system) events, disk drives, hidden files, and so on. When collecting evidence: take photographs before moving or disassembling any equipment; follow the two-person rule during the investigation, with at least two people present whenever information is collected, to prevent tampering; and keep a record of every step taken and every change to configuration settings in a safe place. Check the access permissions of all directories in the system and check whether the permission list has been modified.

◆ Make various attempts (using different parts of the network) to identify the source of the attack.

◆ To use legal weapons against criminal acts, evidence must be retained, and building evidence takes time. To do this you must endure the effects of the attack (although some security measures can be taken to ensure the attack does not harm the network). In such a case we must not only take legal measures but at the very least ask an authoritative security company to help stop the crime. The most important feature of this kind of operation is to obtain evidence of the crime, find the perpetrator's address, and provide the logs that have been kept. The evidence collected should be preserved properly: make two copies at the outset, one for evaluating the evidence and the other for legal verification.

◆ After finding a system vulnerability, try to close it and then verify the fix with a self-attack test.
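As an added example (not from the original article) that covers both the evidence step above, checking whether directory permissions have been modified, and the Level 2 concern about world-writable directories such as /tmp: a baseline-and-compare script. It assumes GNU stat(1), and the directory tree it runs on is constructed in a temporary location.

```shell
#!/bin/sh
# Snapshot "mode owner group path" for every directory under $1 into $2,
# sorted so that two snapshots compare line by line. Uses GNU stat(1).
perm_snapshot() {  # $1 = root directory, $2 = output file
    find "$1" -xdev -type d -exec stat -c '%a %U %G %n' {} + | sort > "$2"
}

# Print the directories whose mode or ownership differs from the baseline.
# Exit 0 when nothing changed, 1 otherwise, so a cron job can alert on it.
perm_changes() {  # $1 = baseline snapshot, $2 = current snapshot
    if diff "$1" "$2" > /dev/null; then
        return 0
    fi
    diff "$1" "$2" | grep '^>' | cut -c3-
    return 1
}

# World-writable directories without the sticky bit: any local user can
# delete or replace other users' files in them. /tmp itself should be 1777,
# which carries the sticky bit and is therefore not reported.
unsticky_world_writable() {  # $1 = root directory
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 | sort
}

# Demonstration on a constructed tree in a temporary directory.
demo() {
    root=$(mktemp -d)
    mkdir "$root/tmp" "$root/srv"
    chmod 1777 "$root/tmp"
    chmod 755 "$root/srv"
    perm_snapshot "$root" "$root/.base"
    chmod 777 "$root/srv"                        # simulated tampering
    perm_snapshot "$root" "$root/.now"
    unsticky_world_writable "$root"              # prints .../srv only
    perm_changes "$root/.base" "$root/.now" || echo "permissions changed"
    rm -rf "$root"
}

demo
```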

Network security is not merely a technical issue but a social one. Enterprises should pay more attention to network security; if they rely solely on technical tools they will become more and more passive. Only by bringing social and legal means to bear on cybercrime can they be more effective. China has clear judicial interpretations for fighting cybercrime. Unfortunately, most companies only value the role of technology and ignore legal and social factors. That, too, is the point of this article.

--------------------------------------------------------------------------------

Links

Denial of Service Attack (DoS)

DoS stands for Denial of Service; it must not be confused with Microsoft's DOS operating system. A DoS attack stops the target machine from providing service or resource access. It usually aims at exhausting server-side resources: by forging requests that exceed the server's processing capacity, it causes the server's responses to block, so that normal user requests cannot be answered, which is the attack's purpose.
