Before reading this article, you should already have a basic understanding of the security features of Linux systems.
The open-source Linux operating system is free, and it is secure, stable and low-cost, with few viruses spreading on it; for these reasons Linux has come to be regarded as a rival to Microsoft's Windows. In recent years, as Linux has continued to gain popularity in our country and more and more servers, workstations and personal computers have started running it, more and more enthusiasts have naturally taken an interest in this secure and robust operating system. The purpose of this article is to give users, as quickly as possible, a detailed and comprehensive understanding of the features and use of the best hacker software on Linux. Today we start with the kinds of "weapons" used to find large numbers of "broilers" (compromised hosts).
A vulnerability scanner is a program that automatically detects security weaknesses on a remote or local host. As with Windows systems, once a hacker has a list of target hosts, he can use Linux scanner programs to find holes in them. In this way an attacker can discover the distribution of TCP ports on the server, the services offered, the web services and software versions, and the security vulnerabilities of these services. If the system administrator is able to detect and stop such activity, the rate of intrusions can be greatly reduced. By convention, vulnerability scanners are divided into two kinds: host vulnerability scanners (Host Scanner) and network vulnerability scanners (Network Scanner). A host vulnerability scanner is a program that runs on the local system and tests it for vulnerabilities; a network vulnerability scanner is a program that remotely probes target networks and hosts over the Internet for vulnerabilities. Below we select some typical software for introduction.
1. Host-based scanning utilities
(1) sXid
sXid is a system monitoring program. After downloading the software, install it with the "make install" command. It can scan the system for suid and sgid files and directories, since these are likely hiding places for backdoor programs, and it can be set to report its results by e-mail. The default installation places the configuration file at /etc/sxid.conf; the comments make this file easy to read, and it defines how sxid works, how often it runs, and the log file; the default log file is /var/log/sxid.log. For safety, we can use the chattr command to set sxid.conf immutable and sxid.log append-only. In addition, we can run sxid with the -k option at any time to perform a check; this kind of check is very flexible, as it writes nothing to the log and sends no e-mail. Shown in Figure 1.
Figure 1
(2) LSAT
Linux Security Auditing Tool (LSAT) is a local security scanner that finds insecure default configurations and can generate reports. LSAT is developed by Triode and is designed mainly for RPM-based Linux distributions. After downloading the software, compile it as follows:
cndes$ tar xzvf lsat-VERSION.tgz
cndes$ cd lsat-VERSION
cndes$ ./configure
cndes$ make
Then run it as root: root# ./lsat. By default it generates a report named lsat.out. Some options can also be specified:
-o filename   specify the file name of the generated report.
-v   verbose output mode.
-s   do not print anything on the screen; only generate the report.
-r   perform RPM verification and checking, to identify files whose content or default permissions have changed.
LSAT checks many things, mainly: useless installed RPMs; inetd and xinetd and some system configuration files; SUID and SGID files; mode-777 files; processes and services; open ports; and so on. A common way to use LSAT is to call it regularly from cron and then use diff to compare the current report with the previous one, which reveals changes in the system configuration. The following is a fragment of a test report:
****************************************
This is a list of SUID files on the system:
/bin/ping
/bin/mount
/bin/umount
/bin/su
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
****************************************
This is a list of SGID files / directories on the system:
/root/sendmail.bak
/root/mta.bak
/sbin/netreport
****************************************
List of normal files in /dev. MAKEDEV is ok, but there
should be no other files:
/dev/MAKEDEV
/dev/MAKEDEV.afa
****************************************
This is a list of world writable files
/etc/cron.daily/backup.sh
/etc/cron.daily/update_CDV.sh
/etc/megamonitor/monitor
/root/e
/root/pl/outfile
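The cron-plus-diff workflow described for LSAT (and the SUID/SGID scan that sXid performs) can be reproduced with nothing but find and diff. The script below is an added example written for this article; it is not code from LSAT, sXid or their authors, and the report tags, function names and the cron paths in the comments are this example's own choices. It prints a sorted "TAG<TAB>path" list of SUID, SGID and world-writable regular files, records the first run as a baseline, and on later runs exits non-zero while printing the diff whenever a privileged file appears or disappears.

```shell
#!/bin/sh
# Added example (not part of the article, LSAT or sXid): a minimal
# LSAT-style privilege audit with baseline diffing, suitable for a cron job
# that should only make noise when a SUID/SGID or world-writable file changes.

# Print one "TAG<TAB>path" line per SUID, SGID and world-writable regular
# file under the given root (default /), sorted so that two runs diff cleanly.
# -xdev keeps the scan on one filesystem, as most audit tools do by default.
# (File names containing newlines would split a line; acceptable for a report.)
audit_privileged() {
    root="${1:-/}"
    {
        find "$root" -xdev -type f -perm -4000 2>/dev/null | awk '{ print "SUID\t" $0 }'
        find "$root" -xdev -type f -perm -2000 2>/dev/null | awk '{ print "SGID\t" $0 }'
        find "$root" -xdev -type f -perm -0002 2>/dev/null | awk '{ print "WORLD_WRITABLE\t" $0 }'
    } | sort
}

# Compare the current audit with a stored baseline file.
# First run: the baseline is recorded and 0 is returned.
# Later runs: 0 means no change; 1 means the printed diff shows files that
# appeared (">") or vanished ("<") since the baseline was taken.
audit_diff() {
    root="$1"
    baseline="$2"
    current="$(mktemp)"
    audit_privileged "$root" > "$current"
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "baseline recorded in $baseline"
        return 0
    fi
    if diff "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}

# Stand-alone use (hypothetical paths): ./privaudit.sh --run /var/lib/privaudit/baseline
# A matching cron entry would be, for example:
#   0 3 * * * /usr/local/sbin/privaudit.sh --run /var/lib/privaudit/baseline || mail -s "privilege audit changed" root
if [ "${1:-}" = "--run" ]; then
    audit_diff / "${2:-/var/lib/privaudit/baseline}"
fi
```

After the baseline has been recorded, the same chattr protection the article suggests for sXid's files applies here: making the baseline file immutable (chattr +i) keeps a local attacker from simply re-recording it after dropping a new SUID binary.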
(3) GNU Tiger
This scanning software can check the security of the local machine; it derives from TAMU's Tiger (an older scanning program). The Tiger program can check the following items: system configuration errors; unsafe permissions; world-writable files; SUID and SGID files; crontab entries; sendmail and ftp settings; weak or empty passwords; changes to system files. In addition, it exposes weaknesses and generates a detailed report.
(4) Nabou
Nabou is a Perl program that can be used to monitor changes to the system; it provides file integrity checking, user account checking and so on, and stores all its data in a database. Users can also embed Perl code in the configuration file to define their own functions and perform custom tests; operation is in fact very easy.
(5) COPS
COPS is a system that reports configuration errors and other information, performing security checks on Linux systems. Its checks cover: the permissions of files, directories and device files; the content, format and permissions of important system files; the existence of SUID files owned by root; CRC checksums of important system binaries, to see whether they have been modified; and inspection of network applications such as anonymous FTP and Sendmail. Note that COPS is a monitoring tool and does not perform actual repairs. This software is best used together with other tools; its strength is that it is better at finding potential vulnerabilities.
(6) strobe
Strobe is a TCP port scanner that records all open ports on a specified machine and runs very fast. It was originally used to scan LANs for open mail ports in order to collect e-mail user information. Another important feature of Strobe is that it can quickly identify which services are running on the specified machine; its shortcoming is that the amount of information it gathers is relatively limited.
(7) SATAN
SATAN can be used to help system administrators check the security of a network, and it can likewise be used by attackers to search for vulnerable systems. SATAN was designed as a security tool for system administrators. However, because of its breadth, ease of use and ability to scan remote networks, SATAN has also been used, whether out of curiosity or otherwise, to locate vulnerable hosts. SATAN consists of a table of network security problems to detect; it finds specific systems across a network or subnet and reports its findings. It can search for the following weaknesses:
NFS - file systems exported to unprivileged programs or ports.
NIS - access to the password file.
Rexd - whether it is blocked by a firewall.
Sendmail - weaknesses.
ftp - ftp, wu-ftpd or tftp configuration problems.
Remote shell access - whether it is disabled or hidden.
X Windows - whether unrestricted access to the host is allowed.
Modem - dial-up access over TCP without restriction.
(8) IdentTCPscan
IdentTCPscan is a more specialized scanner that runs on a variety of platforms. To TCP port scanning it adds the ability to identify the owner of the process listening on a port, that is, it determines the process's UID. A very important function of this program is that, by discovering process UIDs, it can quickly identify misconfigurations. It runs very fast, can be regarded as a favourite of intruders, and is a strong, sharp tool.
2. Network-based scanning utilities
(1) Nmap
Nmap, or Network Mapper, is released under the Free Software Foundation's GNU General Public License (GPL). Its basic functions: detect whether a host is online; scan host ports and probe the network services offered; determine the host operating system. After downloading the software, run the three commands configure, make and make install to install the nmap binary on the system, and then you can run nmap.
Nmap's syntax is very simple but very powerful. For example, the ping-scan command is "-sP"; once the target host and network are specified, scanning can begin. If Nmap is run as root its features are enhanced, because the superuser can create custom Nmap packets that are easy to use. Using Nmap to scan a single host or an entire network is very simple: just give Nmap a destination address with a "/mask". In addition, Nmap allows all hosts in a specified network to be selected for scanning, for example the 192.168.100.* subnet.
Ping scan. Intruders use Nmap to scan an entire network to find targets. With the "-sP" command, by default Nmap sends an ICMP echo and a TCP ACK to each scanned host; any kind of response from the host is received by Nmap. Shown in Figure 2.
Figure 2
Nmap supports different types of port scan; a TCP connect scan uses the "-sT" command, as shown in Figure 3:
Figure 3
Stealth scan (Stealth Scanning). If an attacker does not want his information to be recorded in the target system's logs during the scan, TCP SYN scanning can help. With the "-sS" command, a SYN scan can be sent to probe a system or network. Figure 4.
Figure 4
If an attacker performs a UDP scan, he can learn which UDP ports are open. Nmap sends a 0-byte UDP packet to each port. If the host answers that the port is unreachable, that port is closed. Figure 5.
Figure 5
Operating system identification. With the "-O" option, the type of the remote operating system can be detected. Nmap sends different kinds of probes to the host, narrowing down the range of possible operating systems. Shown in Figure 6.
Figure 6
Ident scan. Attackers like to find computers where a vulnerable process is running, such as a web server running as root. If the target machine runs identd, an attacker can use the "-I" option to discover which user owns the TCP connection of the http daemon. Taking the scan of a Linux web server as an example, use the following command:
# nmap -sT -p 80 -I -O www.yourserver.com
Besides these scans, Nmap offers many more options; it is an essential magic weapon for many Linux attackers. Through this software we can get to know the system well, laying a good foundation for the attack that follows.
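The SYN scan above is described as leaving nothing in the target's application logs, but every SYN still crosses the packet filter, and a port scan of any of the types listed shows up there as one source hitting many distinct ports in a short time. The script below is an added example written for this article, not code from Nmap or its authors; it counts distinct destination ports per source over iptables LOG lines and prints the sources above a threshold. The log lines are constructed samples in the iptables LOG format, and the threshold and function name are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the article): flag sources that sent SYNs to many
# distinct destination ports, as recorded by an iptables LOG rule on a gateway.
# The sample lines below are constructed for this example, not real captures.

# Constructed sample: 192.0.2.10 probes six ports within seconds, with one
# retransmission to port 22; 192.0.2.20 opens one ordinary connection to port 80.
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.1 PROTO=TCP SPT=43000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.1 PROTO=TCP SPT=43000 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0'

# Read LOG lines on stdin and print "SRC count" for every source that sent
# SYNs to at least $1 distinct destination ports (default 5). Only TCP lines
# carrying the SYN flag are considered; a retransmission to the same port is
# counted once, so a slow but legitimate client is not mistaken for a scan.
scan_sources() {
    threshold="${1:-5}"
    awk -v th="$threshold" '
        /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= th) printf "%s %d\n", s, ports[s] }
    ' | sort
}

# Stand-alone demo on the constructed sample; on a real gateway one would
# instead pipe the kernel log, e.g. grep 'IN=eth0' /var/log/messages | scan_sources 20
printf '%s\n' "$SAMPLE_LOG" | scan_sources 5
```

The threshold is the only tuning knob: a value of a few dozen over a day's log is a reasonable starting point for a gateway, while the demo uses 5 so the constructed sample triggers. A UDP scan of the kind described above would need the same logic over PROTO=UDP lines, without the SYN-flag filter.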
(2) p0f
p0f is very useful for network attacks; it uses SYN packets to implement passive operating system detection and can accurately identify the type of the target system. Unlike other scanning software, it sends no data whatsoever to the target system; it only receives and analyzes data coming from the target. This gives it a great advantage: it is almost impossible to detect. p0f is designed as a system identification tool, its fingerprint database is very detailed and updated quickly, and it is especially suitable for installation on a gateway. After downloading the software, execute the following commands to compile and install p0f:
# tar zxvf p0f-1.8.2.tgz
# make && make install
p0f is very simple to use; with the following commands, the system starts p0f automatically at boot and it begins identifying:
# cp p0f.init /etc/init.d/p0f
# chkconfig p0f on
Afterwards, the p0f log can be analyzed from time to time. For ease of use, the p0f package provides a simple analysis script, p0frep, with which an attacker can easily find the addresses of remote hosts running a particular type of system. p0f can also detect: the presence of a firewall or masquerading; the distance to the remote system and its uptime; other network connections; and the ISP.
(3) ISS
ISS Internet Scanner is a world-leading product in the network security market. Through comprehensive and independent detection and analysis of network security vulnerabilities, it checks for weaknesses, classifies the risk into three levels (high, medium and low) and produces a wide range of meaningful reports. Now the paid version of the software provides more attack checks, and it is gradually moving in the direction of commercialization.
(4) Nessus
Nessus is a powerful remote security scanner with strong reporting capability; it can generate security reports in HTML, XML, LaTeX and ASCII text formats, and makes recommendations for each security issue. The software uses a client/server model: the server performs the security checks, and the client is used to configure and manage the server. The server also uses a plug-in system that lets users add plug-ins to perform specific functions, so that more complex security checks can be done faster. Besides plug-ins, Nessus also provides users with a scripting language for describing attack types, for conducting additional security tests.
After downloading the software, extract it and complete the installation. Once installed, confirm that the installation path of the library files, /usr/local/lib, has been added to /etc/ld.so.conf. If not, add the path to that file and then run ldconfig, so that Nessus can find the libraries at runtime. The Nessus configuration file is nessusd.conf, located in the /usr/local/etc/nessus/ directory. Under normal circumstances, changing its contents is not recommended. Note that a nessusd account must be created for logging in when scanning later. After the above preparations are complete, start the server as the root user with the following command: nessusd -d.
On the client, the user can specify the machine running the Nessus service, the port scanner to use, the test content, and the range of IP addresses to test. Nessus itself works in a multi-threaded way, so the user can also set the number of threads that work simultaneously. In this way the user can configure Nessus's work remotely. Once set up, click Start to begin scanning. When scanning completes, a report is generated: the left side of the window lists all the scanned hosts, and clicking a host name shows, in the right-hand window, the list of security vulnerabilities found on that host. Clicking the small icon of a vulnerability then lists the severity of the problem, its cause and the solution.
(5) Nikto
Nikto is scanning software that tests web servers for a wide variety of security items; it can scan for more than 2000 potentially dangerous files, CGIs and other problems on more than 200 kinds of server. It also uses the Whisker library, but is usually updated more frequently than Whisker.
(6) Whisker
Whisker is a very good HTTP server flaw scanner; it can scan for a large number of known security vulnerabilities, in particular dangerous CGI vulnerabilities. It uses a Perl programming library, which we can use to create our own HTTP scanner.
(7) Xprobe
XProbe is an active operating system fingerprinting tool that determines the type of operating system on a remote host. XProbe relies on a signature database, fuzzy matching and reasonable guessing to determine the remote operating system type; it uses the ICMP protocol as its distinctive fingerprint. In use, it assumes a high port that is not in use and sends a UDP packet to that port on the target host; the target host responds with an ICMP packet, and XProbe then sends further packets to identify the target host's system. With this software, judging the other side's operating system is very easy.