With the expansion of Linux business applications, a large number of network servers now run the Linux operating system, and the security of Linux servers is receiving more and more attention. This article lists the attacks on Linux servers by depth level and proposes different countermeasures for each.
An attack on a Linux server is defined as any unauthorized behaviour intended to attack, damage, weaken or undermine the security of the server. Attacks range from denial of service up to the complete compromise and destruction of the server. There are many kinds of attacks on Linux servers; from the point of view of their depth, this article divides them into four levels.
Attack Level I: Denial of Service attack (DoS)
Because DoS attack tools have proliferated, and the defects of the protocol layer cannot be fixed in the short term, DoS has become the most widespread and the most difficult attack to prevent.
Denial of service attacks include distributed denial of service (DDoS), distributed reflection denial of service, DNS-based distributed denial of service and FTP attacks. Most denial of service attacks carry relatively low risk; even those that can force the system to restart cause only a temporary problem. Unlike attacks whose aim is to gain control of the network, such attacks generally do not affect data security, but a denial of service attack can last a long time and is very hard to deal with.
So far there is no absolute way to stop such attacks. This does not mean we should give up: besides stressing the importance of protecting each individual host from being used as an attack source, strengthening the management of the server is a very important part. Be sure to install authentication software and packet filtering that checks that the source address of each packet matches its real address. For several kinds of denial of service the following measures can also be used: turn off unnecessary services, limit the number of SYN half-open connections that may exist at the same time, shorten the timeout of SYN half-open connections, and keep the system patches up to date.
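The SYN half-open limits mentioned above live in the Linux kernel's sysctl settings. The following script is an added example, not part of the original article: it audits the output of `sysctl -a` against a baseline. The baseline numbers (SYN cookies on, a backlog of at least 2048, at most 2 SYN-ACK retries) are assumptions chosen for this example; the article only names the measures. The sample input is constructed, not captured from a real host.

```shell
#!/bin/sh
# audit_syn_settings [FILE]
# Reads "key = value" lines in the format printed by `sysctl -a` (from FILE, or
# from stdin when FILE is "-") and prints one line for every SYN-flood related
# setting weaker than the baseline below. The exit status is the number of weak
# settings, so 0 means the host passes.
# Baseline values are an assumption for this example, not figures from the
# article, which only names the measures:
#   net.ipv4.tcp_syncookies      = 1      SYN cookies keep accepting clients
#                                          once the half-open queue is full
#   net.ipv4.tcp_max_syn_backlog >= 2048  cap on simultaneous half-open conns
#   net.ipv4.tcp_synack_retries  <= 2     fewer SYN-ACK retransmits, so a
#                                          half-open entry expires sooner
audit_syn_settings() {
    awk -F' *= *' '
        /^net\.ipv4\.tcp_/ { v[$1] = $2 }
        END {
            weak = 0
            k = "net.ipv4.tcp_syncookies"
            if (!(k in v) || v[k] != 1)        { print k " = " v[k] " (want 1)";       weak++ }
            k = "net.ipv4.tcp_max_syn_backlog"
            if (!(k in v) || v[k] + 0 < 2048)  { print k " = " v[k] " (want >= 2048)"; weak++ }
            k = "net.ipv4.tcp_synack_retries"
            if (!(k in v) || v[k] + 0 > 2)     { print k " = " v[k] " (want <= 2)";    weak++ }
            exit weak
        }' "${1:--}"
}

# Constructed sample in `sysctl -a` format (not captured from a real host),
# resembling an unhardened default install.
sample_weak_sysctl() {
    printf '%s\n' \
        'net.ipv4.tcp_syncookies = 0' \
        'net.ipv4.tcp_max_syn_backlog = 128' \
        'net.ipv4.tcp_synack_retries = 5'
}

case "${1:-}" in
    demo) sample_weak_sysctl | audit_syn_settings - ;;
    live) sysctl -a 2>/dev/null | audit_syn_settings - ;;   # needs the sysctl tool and root
esac
```

Run `sh audit_syn.sh demo` to see the three findings for the constructed sample, or `sh audit_syn.sh live` on a real host. A finding is fixed with `sysctl -w key=value` for the running kernel and a line in `/etc/sysctl.d/` to survive a reboot; the audit deliberately only reports, so it can be run from a read-only monitoring account.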
Attack Level II: local users gain read and write access to files they are not authorized for
A local user is defined as any user who has a password on a machine on the local network and therefore owns a directory on one of its drives. Whether a local user gaining unauthorized read and write access to files is a serious problem depends mainly on which files are accessed. Any directory that every local user may access freely, such as the temporary directory (/tmp), is dangerous, because it can potentially be used to forge a path leading to the next level of attack.
The main method of a level-two attack is for the hacker to trick legitimate users into revealing confidential information or performing tasks; sometimes the hacker impersonates the network administrator and sends the user a message saying that the system requires him to update his password.
Attacks launched by local users almost always start from a remote login. For Linux servers, the best approach is to put all shell accounts on a single machine, that is, to allow registration with shell access only on one or more dedicated distribution servers. This makes log management, access control management, release protocol management and other potential security issues easier to manage. The systems that store user CGI should also be kept separate. These machines should be isolated on a particular network segment, that is, in the network configuration they should be surrounded by a router or network switch. The topology should ensure that hardware address spoofing cannot reach beyond this segment.
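The danger of a freely writable directory such as /tmp is that, without the sticky bit, any local user can delete or replace another user's files there. The script below is an added example, not from the article: it lists world-writable directories that lack the sticky bit and sets the bit on them. The demonstration tree it builds is constructed in a scratch directory; no real system paths are touched unless you pass `audit`.

```shell
#!/bin/sh
# find_unsafe_dirs ROOT
# Lists directories under ROOT that are writable by everyone but lack the
# sticky bit. In such a directory any local user can delete or replace files
# belonging to other users, which is what makes a shared /tmp dangerous;
# /tmp itself is safe only because it is mode 1777 (sticky).
find_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# fix_unsafe_dir DIR
# Adds the sticky bit, so that only a file's owner (or root) may remove it.
fix_unsafe_dir() {
    chmod +t "$1"
}

# Constructed demonstration tree (no real system paths): two shared
# directories, one shared the way /tmp should be and one shared the
# dangerous way. Prints the scratch root so the caller can remove it.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/shared_ok" "$d/shared_bad"
    chmod 1777 "$d/shared_ok"
    chmod 777 "$d/shared_bad"
    printf '%s\n' "$d"
}

case "${1:-}" in
    demo)  d=$(make_demo_tree); find_unsafe_dirs "$d"; rm -rf "$d" ;;
    audit) find_unsafe_dirs "${2:-/}" ;;      # e.g. sh sticky_audit.sh audit /
esac
```

`sh sticky_audit.sh demo` prints only the `shared_bad` directory; `sh sticky_audit.sh audit /` walks the real root filesystem (staying on one filesystem because of `-xdev`). Review each finding before fixing it: some application spool directories are intentionally world-writable and rely on the sticky bit, which is exactly what `fix_unsafe_dir` restores.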
Attack Level III: remote users gain read and write access to files
The third level of attack can not only verify that a specific file exists but also read and write such files. The cause of this situation is a number of weaknesses in the Linux server configuration: remote users who connect without a valid account on the server can execute a limited number of commands.
Password attacks are the main attack at the third level, and breaking passwords is the most common method. "Password cracker" is a term describing a tool that, with or without a penetration of the network, system or resources, unlocks password-protected resources. Users often neglect their passwords, and password policy is difficult to enforce. There are several tools that defeat technically and socially protected passwords, including dictionary attacks, hybrid attacks and brute force attacks. Once the hacker has a user's password, he has all of that user's privileges. Password guessing means entering candidates manually or by a program in order to obtain the original password. Some users choose simple passwords, such as birthdays, anniversaries and the spouse's name, that do not follow the rule of mixing letters and numbers. It does not take a hacker long to guess an 8-character string of birthday data.
The best defence against the third level of attacks is to strictly control access privileges and use valid passwords.
◆ Passwords should follow the rule of mixing letters, numbers and upper and lower case (because Linux distinguishes case).
◆ Using special characters such as "#", "%" or "$" adds complexity. For example, take the word "countbak" and add "#$" after it (countbak#$); you then have a much stronger password.
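The two rules above can be turned into a check that is run before a password is accepted. The script below is an added example, not from the article: `password_classes` counts how many of the four character classes (lower case, upper case, digits, special characters) a candidate contains, and `password_ok` applies an assumed policy of at least 8 characters, at least 3 classes, and no all-digit values such as birthdays. The 8-character and 3-class thresholds are assumptions for this example; the article states the rules but gives no numbers.

```shell
#!/bin/sh
# count_chars STRING SET: number of characters of STRING that fall in SET
count_chars() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# password_classes PASSWORD
# Prints how many of the four character classes (lowercase, uppercase, digit,
# special) the password contains, following the mixing rules listed above.
password_classes() {
    p=$1 n=0
    if [ "$(count_chars "$p" a-z)" -gt 0 ]; then n=$((n + 1)); fi
    if [ "$(count_chars "$p" A-Z)" -gt 0 ]; then n=$((n + 1)); fi
    if [ "$(count_chars "$p" 0-9)" -gt 0 ]; then n=$((n + 1)); fi
    # anything that is not a letter or digit counts as a special character
    if [ "$(printf '%s' "$p" | tr -d 'a-zA-Z0-9' | wc -c | tr -d ' ')" -gt 0 ]; then n=$((n + 1)); fi
    printf '%s\n' "$n"
}

# password_ok PASSWORD
# Policy assumed for this example (the article gives the rules, not numbers):
# at least 8 characters, at least 3 of the 4 classes, and not a bare number
# such as a birthday, which is what a guessing tool tries first.
password_ok() {
    p=$1
    [ ${#p} -ge 8 ] || return 1
    case $p in *[!0-9]*) ;; *) return 1 ;; esac      # all digits: reject
    [ "$(password_classes "$p")" -ge 3 ] || return 1
    return 0
}

# Read the candidate from stdin rather than argv, because command-line
# arguments are visible to every local user through ps.
if [ "${1:-}" = check ]; then
    IFS= read -r candidate
    if password_ok "$candidate"; then
        echo "ok ($(password_classes "$candidate") classes)"
    else
        echo "weak"
    fi
fi
```

Usage: `printf '%s\n' 'C0untbak#$' | sh pwcheck.sh check` prints `ok (4 classes)`, while `countbak#$` from the example above counts only 2 classes (lower case and special) and `19851224` is rejected outright as an all-digit value.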
Attack Level IV: remote users gain root privileges
The fourth level refers to attacks that should never happen; they are fatal attacks. The attacker has root, super user or administrator permissions on the Linux server and can read, write and execute all files. In other words, the attacker has complete control of the Linux server and can at any time shut it down completely or even destroy the network.
The main forms of level-four attack are TCP/IP session hijacking, passive channel eavesdropping and packet interception. TCP/IP session hijacking, passive eavesdropping and packet interception are ways of collecting important information entering the network; unlike denial of service attacks, these methods are covert in nature and closer to theft. A successful TCP/IP attack lets the hacker intercept the transactions between two parties and provides a good opportunity for a man-in-the-middle attack, after which the hacker controls the transactions of one or both sides without the victims noticing. Through passive eavesdropping the attacker can manipulate and record information, and the service documents that can be found on the target system through these channels become a fatal point. The hacker looks for combinations of passwords and application entry points in order to pass as a legitimate channel. Packet interception is an active listener program bound to the target system that intercepts and alters all information, or the information for a particular address. The information can be diverted to an illegitimate system to be read and then passed on unchanged to the hacker.
TCP/IP session hijacking is in practice network sniffing. Note that if you believe someone has attached a sniffer to your network, there are tools that can verify this. One such tool is the Time Domain Reflectometer (TDR). A TDR measures changes in the propagation of electromagnetic waves; connecting a TDR to the network can detect unauthorized devices attached to the network data equipment. However, many small and medium companies do not have this expensive tool. The best methods of defence against sniffer attacks are:
1. A secure topology. A network sniffer can only capture data on its own segment, which means that the more finely the network is segmented, the less information a sniffer can collect.
2. Session encryption. Instead of worrying about the data being sniffed, find ways to make sure the sniffer cannot understand the data it sniffs. The advantage of this approach is obvious: even if the attacker sniffs the data, it is of no use to him.
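Where a TDR is out of reach, a host-side check is cheap: a sniffer running on one of your own servers normally puts its capture interface into promiscuous mode, which `ip link show` reports as a PROMISC flag. The script below is an added example, not from the article; the `ip link show` output it parses in `demo` mode is constructed, not captured from a real host.

```shell
#!/bin/sh
# promisc_interfaces [FILE]
# Reads `ip link show` output (from FILE, or stdin when FILE is "-") and prints
# the name of every interface whose flags include PROMISC. A sniffer running on
# a host normally puts the capture interface into promiscuous mode, so this is
# a cheap host-side check that needs no TDR hardware.
promisc_interfaces() {
    awk '
        # header lines look like: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 ..."
        /^[0-9]+: [^ ]+: </ && $3 ~ /[<,]PROMISC[,>]/ {
            name = $2
            sub(/:$/, "", name)      # drop the trailing ":"
            sub(/@.*/, "", name)     # drop "@parent" on VLAN/virtual interfaces
            print name
        }' "${1:--}"
}

# Constructed sample of `ip link show` output (not captured from a real host):
# eth0 has been put into promiscuous mode, lo and eth1 have not.
sample_ip_link() {
    printf '%s\n' \
        '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000' \
        '    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00' \
        '2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000' \
        '    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff' \
        '3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000' \
        '    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'
}

case "${1:-}" in
    demo) sample_ip_link | promisc_interfaces - ;;
    live) ip link show | promisc_interfaces - ;;    # needs iproute2
esac
```

`sh promisc_check.sh demo` prints `eth0`; `sh promisc_check.sh live` checks the running host and is suitable for a cron job that alerts on any output. The kernel also logs "device eth0 entered promiscuous mode" when the flag is set, so the same event can be picked up from the kernel log. Bear in mind that a legitimate monitoring tool, a bridge or a virtualization host may also set the flag, so the check is a signal to investigate, not proof of a sniffer; and it cannot see a sniffer on a different machine, which is why segmentation and session encryption remain the main defences.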
Special Note: counter-measures against attacks
Attacks above the second level deserve special attention, because they can progressively raise the level of attack to penetrate the Linux server. At that point, the counter-measures we can take are:
◆ First, back up important business-critical data.
◆ Change all system passwords and notify users to obtain their new password from the system administrator.
◆ Isolate the network segment so that the attack affects only a small area.
◆ Allow the behaviour to continue. If possible, do not rush to throw the attacker out of the system; prepare for the next step.
◆ Record everything and collect evidence. The evidence includes: system registry files, application log files, AAA (Authentication, Authorization, Accounting) log files, RADIUS (Remote Authentication Dial-In User Service) records, network element logs, firewall logs, HIDS (host-based intrusion detection system) events, NIDS (network intrusion detection system) events, disk drives and hidden files. Points to note when collecting evidence: photograph any equipment before moving or dismantling it; follow the two-person rule during the investigation, so that information is collected by at least two people, to prevent tampering with it; record every step taken and any change to configuration settings, and keep all these records in a safe place. Check the access permissions of all system directories to detect whether the permissions list has been modified.
◆ Make various attempts (using different parts of the network) to identify the source of the attack.
◆ In order to use legal weapons against the crime, the evidence must be preserved, and building the evidence takes time. To do this, the impact of the attack must be endured (though some security measures can be developed to ensure the attack does not harm the network). In this case we should not only take legal measures, but also at least have an authoritative security company help stop the crime. The most important feature of these operations is to obtain evidence of the crime and find the offender's address, providing a log. The evidence collected should be effectively preserved. Make two copies at the beginning: one for the evaluation of evidence and the other for legal verification.
◆ Afterwards, try to find the loopholes in the system, close them, and test them by attacking your own system.
Network security is not only a technical problem but a social problem. Enterprises should take network security seriously; relying blindly on technical tools alone makes them more and more passive, and only by bringing social and legal means into play can cybercrime be fought more effectively. China already has clear judicial interpretations for fighting cyber crime; unfortunately, most companies focus only on the technical aspects and ignore the legal and social factors, and that is the purpose of writing this article.
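Two of the steps above, making two copies of the evidence and checking whether directory permissions have been modified, can be done with standard Linux tools so that the result can later be shown to be unaltered. The script below is an added example, not from the article: it copies an evidence tree twice with timestamps and permissions preserved, writes a SHA-256 manifest that either copy can be verified against, appends a custody note, and takes a permissions snapshot that a later run can be diffed against. The file layout (`copy1`, `copy2`, `manifest.sha256`, `custody.log`) and the log line used in the test are constructed for this example.

```shell
#!/bin/sh
# preserve_evidence SRC DEST
# Copies the collected evidence tree SRC into DEST/copy1 and DEST/copy2 (one
# copy for analysis, one kept untouched for legal verification, as recommended
# above), preserving timestamps and permissions, and writes a SHA-256 manifest
# so that either copy can later be shown to be unaltered.
preserve_evidence() {
    src=$1
    mkdir -p "$2/copy1" "$2/copy2"
    dest=$(cd "$2" && pwd)                      # absolute, so cd below is safe
    cp -Rp "$src/." "$dest/copy1/"
    cp -Rp "$src/." "$dest/copy2/"
    # hash every file relative to the copy root; sorted so two runs compare equal
    ( cd "$dest/copy1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) \
        > "$dest/manifest.sha256"
    # who made the copies and when: the start of the chain of custody
    printf 'created %s by %s on %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$(uname -n)" >> "$dest/custody.log"
}

# verify_evidence DEST COPY
# Re-hashes DEST/COPY against the manifest; exit status 0 means no file changed,
# and any changed or missing file is named on stdout/stderr.
verify_evidence() {
    dest=$(cd "$1" && pwd)
    ( cd "$dest/$2" && sha256sum -c --quiet "$dest/manifest.sha256" )
}

# snapshot_perms ROOT
# Records mode, owner and group of every directory under ROOT (one filesystem).
# Keep a snapshot from a known-good state and diff it against a fresh one to
# detect the modified permission lists mentioned above.
snapshot_perms() {
    find "$1" -xdev -type d -exec stat -c '%a %U %G %n' {} + | LC_ALL=C sort -k 4
}

case "${1:-}" in
    preserve) preserve_evidence "$2" "$3" ;;    # sh evidence.sh preserve /var/log ./case-0001
    verify)   verify_evidence "$2" "$3" ;;      # sh evidence.sh verify ./case-0001 copy2
    perms)    snapshot_perms "${2:-/}" ;;       # sh evidence.sh perms / > perms-$(date +%F).txt
esac
```

Keep `copy2` and the manifest on write-once or offline media and work only in `copy1`; `verify` run against `copy2` before it is handed over shows that the legal copy still matches what was collected. Hashing is done before anything is examined, because examination tools may update access times or otherwise touch the files.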
Denial of Service (DoS)
DoS is the abbreviation of Denial Of Service; do not confuse it with Microsoft's DOS operating system! A DoS attack aims to stop the target machine from providing services or from accessing resources. It usually works by consuming the resources of the target server: forged requests exceed the server's processing capacity and block the server while it responds to them, so that legitimate user requests receive no normal response, which achieves the purpose of the attack.