Chapter 26.  Running a Secure System

26.1. A Perspective on System Security

It's sometimes difficult keeping a balanced perspective on system security. The media tends to sensationalize stories relating to security breaches, especially when they involve well-known companies or institutions. On the other hand, managing security can be a technically challenging and time-consuming task. Many Internet users take the view that their system holds no valuable data, so security isn't much of an issue. Others spend large amounts of effort nailing down their systems to protect against unauthorized use. No matter where you sit in this spectrum, you should be aware that there is always a risk that you will become the target of a security attack. There are a whole host of reasons why someone might be interested in breaching your system security. The value of the data on your system is only one of them; we discuss some others later in the chapter. You must make your own judgment as to how much effort you will expend, though we recommend that you err on the side of caution.

Traditional system security focused on systems that were accessible through either a connected hard-wired terminal or the system console. In this realm the greatest risks typically came from within the organization owning the system, and the best form of defense was physical security, in which system consoles, terminals, and hosts were in locked rooms. Even when computer systems started to become network-connected, access was still very limited. The networks in use were often expensive to gain access to, or were closed networks that did not allow connections to hosts from just anywhere.

The popularity of the Internet has given rise to a new wave of network-based security concerns. An Internet-connected computer is open to potential abuse from tens of millions of hosts around the world. With improved accessibility comes an increase in the number of antisocial individuals intent upon causing nuisance. On the Internet, a number of forms of antisocial behavior are of interest to the system administrator. Those that we address in this chapter are the following:



Denial of service (DoS)
    This kind of attack degrades or disrupts a service on the system.



Intrusion
    This kind of attack accesses the system by guessing passwords or compromising some service. Once an intruder has access to a system, he may then vandalize or steal data or use the target system to launch attacks on some other host.



Snooping
    This kind of attack involves intercepting the data of another user and listening for passwords or other sensitive information. Sometimes this form of attack involves modification of data, too. Snooping usually involves eavesdropping on network connections, but can also be performed by compromising a system to intercept library or system calls that carry sensitive information (e.g., passwords).



Viruses, worms, and Trojan horses
    These attacks each rely on compelling users of your system to execute programs supplied by the attacker. The programs could have been received in an email message, or from a web site, or even from within some other apparently harmless program retrieved from somewhere on the Internet and installed locally.

A DoS attack commonly involves generating an abnormally large number of requests to a service provided by a system. This rush of activity may cause the host system to exhaust its memory, processing power, or network bandwidth. Another way is to provide the service with non-ordinary input in order to exploit a bug in the service and cause a core dump. As a result, further requests to the system are refused, or the system's performance degrades to an unusable point. For this type of attack to work, an attacker must either exploit a poorly designed service or be able to generate a number of requests far exceeding the capacity of the service.

A more insidious form of DoS attack is the distributed denial of service (DDoS). In this form of attack, a large number of computers are used or caused to generate requests against a service. This increases the damage of a DoS attack in two ways: by overwhelming the target with a huge volume of traffic, and by hiding the perpetrator behind thousands of unwitting participants. Using a large number of hosts from which to launch an attack also makes DDoS attacks particularly difficult to control and remedy once they've occurred. Even people who have no concerns about the state of their own data should protect themselves against this form of attack so as to minimize the risk of becoming an unwitting accomplice in a DDoS attack against someone else.

The second form of attack, sometimes known as cracking, is the one that most people associate with security.[*] Companies and institutions often store sensitive data on network-accessible computer systems. A common example of concern to the average Internet user is the storage of credit card details by web sites. Where there is money involved, there is incentive for dishonest individuals to gain access and steal or misuse this kind of sensitive data.

[*] The terms cracking and hacking are often confused in popular usage. Whereas cracking involves immoral or illegal behavior (such as compromising the security of a system), hacking is a generic word meaning to program, tinker with, or have an intense interest in something. The popular media often uses the term hacking to refer to cracking; the Linux community is trying to reassociate hacking with positive connotations.



Sometimes the methods that are used to gain unauthorized access or disrupt service are very ingenious, if not unethical. Designing an intrusion mechanism often requires a strong knowledge of the target system to uncover an exploitable flaw. Often, once an intrusion mechanism has been discovered, it is packaged in the form of a so-called rootkit, a set of programs or scripts that anyone possessing only basic knowledge can use to exploit a security hole. The vast majority of intrusion attacks are launched by "script kiddies" who make use of these prepackaged intrusion kits without any real knowledge of the systems they are attacking. The good news is that it is usually straightforward for a system administrator to protect a system from these well-known attacks; we discuss various ways to secure your system in this chapter.



26.2. Initial Steps in Setting Up a Secure System

There are some very simple things you can do to protect a Linux system from the most basic security risks. Of course, depending on your configuration, the ways in which you will be using your system, and so forth, they might be more involved than the simple setup described here. In this section we briefly cover the mechanisms to secure a Linux system from the most common attacks; this is the basic approach one of the authors takes whenever installing a new machine.



26.2.1. Shutting Down Unwanted Network Daemons

The first step in securing a Linux machine is to shut down or disable all network daemons and services that you don't need. Basically, any (external) network port that the system is listening for connections on is a risk, since there might be a security exploit against the daemon serving that port. The fast way to find out what ports are open is to use netstat -an, as shown (we've truncated some of the lines, however):



    # netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address
    tcp        0      0 0.0.0.0:7120            0.0.0.0:*
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*
    tcp        0      0 0.0.0.0:22              0.0.0.0:*



Here we see that this system is listening for connections on ports 7120, 6000, and 22. Looking at /etc/services, dropping the -n, or using the -p option to netstat can often reveal what daemons are associated with these ports. In this case they are the X font server, the X Window System server, and the ssh daemon.

If you see a lot of other open ports for things such as telnetd, sendmail, and so forth, ask yourself whether you really need these daemons to be running, and to be accessible from other hosts. From time to time, security exploits are announced for various daemons, and unless you are very good at keeping track of these security updates, your system might be vulnerable to attack. Also, telnetd, ftpd, and rshd all involve sending clear-text passwords across the Internet for authentication; a much better solution is to use sshd, which encrypts data over connections and uses a stronger authentication mechanism. Even if you never use telnetd, it's not a good idea to leave it running on your system, in case someone finds a way to break into it.

Shutting down services is usually a matter of de-installing the corresponding package. If you want to keep the client, but the client and daemon are packaged together (exceedingly rare these days), you need to edit the appropriate configuration files for your distribution and reboot the system (to be sure the daemon is good and dead). On Red Hat systems, for example, many daemons are started by scripts in the /etc/rc.d/init.d directory; renaming or removing these scripts can prevent the appropriate daemons from starting up. Other daemons are launched by inetd or xinetd in response to incoming network connections; modifying the configuration of these systems can limit the set of daemons running on your system.

If you absolutely need a service running on your machine (such as the X server), find ways of preventing connections to that service from unwanted hosts. For example, it might be safest to allow ssh connections only from certain trusted hosts, such as from machines in your local network. In the case of the X server and X font server, which run on many desktop Linux machines, there is usually no reason to allow connections to those daemons from anything but the local host itself. Filtering connections to these daemons can be performed by TCP wrappers or IP filtering, which are described later in this chapter.
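As an added example (not code from the book), the following shell functions perform the audit this section describes on netstat -an output: they pick out the sockets in LISTEN state (and UDP sockets, which show no state), then report those bound to something other than a loopback address, since only those are reachable from other hosts. The sample listing is constructed to resemble the one shown above; on a live system, run netstat -an | exposed_listeners instead.

```sh
#!/bin/sh
# Added example, not code from the book: audit the listeners in "netstat -an"
# output and report those reachable from other hosts.

# Constructed sample in the layout of "netstat -an" (including the State
# column the text truncated). 6000 is bound to 127.0.0.1 only; the rest to 0.0.0.0.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7120            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Read netstat -an text on stdin; print "proto local_address" for each
# listening socket. TCP listeners carry the LISTEN state; UDP sockets have
# no state column, so a UDP socket whose foreign address ends in "*" counts.
listening_sockets() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }
         $1 ~ /^udp/ && $5 ~ /:\*$/    { print $1, $4 }'
}

# Read netstat -an text on stdin; print "proto port bind_address" for every
# listener not bound to a loopback address, i.e. every socket another host
# could connect to. The X server (6000) bound to 127.0.0.1 is not reported.
exposed_listeners() {
    listening_sockets | awk '{
        addr = $2
        n    = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host != "127.0.0.1" && host != "::1")
            print $1, port, host
    }'
}

# Run the audit over the constructed sample (what executing this file does).
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}

audit_sample
```

Each line of output is a daemon that either needs to be removed, bound to the local host only, or protected by the TCP wrappers or IP filtering described later in the chapter.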



26.2.2. Top 10 Things You Should Never Do

We've made the claim that security is mostly common sense, so what is this common sense? In this section we summarize the most common security mistakes. (There aren't actually 10 items in this list, but there are enough to merit the use of the common "top 10" phrase.) Consistently avoiding them all is harder work than it might first seem.



Never use simple or easily guessed passwords.
    Never use a password that's the same as (or closely related to) your user ID, name, date of birth, the name of your company, or the name of your dog. If you're an amateur radio operator, don't use your call sign; if you love cars, don't use the make/model or registration number of your car; you get the idea. Always ensure that your passwords are not simple words that can be found in a dictionary. The best passwords are nonsense strings. One good practice is to use a password based on a simple rule and a phrase that you can remember. For example, you might choose a rule such as using the last letter of each word in the phrase "Mary had a little lamb, its fleece was white as snow"; hence, the password would become ydaebsesesw, certainly not something that will be easily guessed, but a password that will be easily remembered. Another common technique is to use numbers and punctuation characters in the password; indeed, some passwd programs insist upon this. A combination of the two techniques is even better. One of our colleagues swears by head -c6 /dev/random | mimencode as a way to generate hard passwords. Adjust the number of random bytes to use (-c6) to taste. Six input characters give eight characters of output, the maximum some Linux distributions accept for passwords.
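The two construction techniques just described, plus a check for the mistakes this item warns against, as added shell functions that are not part of the book. Two substitutions are assumptions of this example: /dev/urandom stands in for /dev/random (which can block until entropy is available), and the coreutils base64 command stands in for mimencode, which is rarely installed today and produces the same encoding; the wordlist path /usr/share/dict/words and the minimum length of eight characters are assumptions as well.

```sh
#!/bin/sh
# Added example, not code from the book: the password techniques described
# above as shell functions, plus a check for the mistakes the item lists.

# Build a password from the last letter of each word in a phrase, the rule
# the text applies to "Mary had a little lamb, its fleece was white as snow".
# Punctuation is stripped first so that "lamb," contributes "b", not ",".
last_letter_password() {
    printf '%s\n' "$1" | tr -d '[:punct:]' | awk '{
        out = ""
        for (i = 1; i <= NF; i++)
            out = out substr($i, length($i), 1)
        print out
    }'
}

# Random password in the spirit of "head -c6 /dev/random | mimencode".
# Assumptions: /dev/urandom so the call never blocks, and base64 (coreutils)
# in place of mimencode. Six random bytes give eight base64 characters.
random_password() {
    bytes=${1:-6}
    head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
    echo
}

# Print a reason and return 0 if the password is one the text says never to
# use: too short (minimum of 8 is an assumption), containing the user ID,
# or a plain word from a wordlist (path is an assumption). Return 1 otherwise.
password_is_weak() {
    pw=$1
    user=$2
    wordlist=${3:-/usr/share/dict/words}
    pw_lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    user_lower=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    if [ ${#pw} -lt 8 ]; then
        echo "too short"; return 0
    fi
    case "$pw_lower" in
        *"$user_lower"*) echo "same as or contains user ID"; return 0 ;;
    esac
    if [ -r "$wordlist" ] && grep -qixF -- "$pw" "$wordlist"; then
        echo "dictionary word"; return 0
    fi
    return 1
}
```

Running last_letter_password on the phrase from the text yields ydaebsesesw, and random_password with the default of six bytes prints eight characters, matching the count given above.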



Don't use the root account unless you have to.
    One of the reasons that many common desktop operating systems (such as Windows) are so vulnerable to attack through email viruses and the like is the lack of a comprehensive privilege system, or rather the user's convenience of running applications with administrator privileges. Mind you, some broken applications require administrator rights to run. In such systems, any user has permission to access any file, execute any program, or reconfigure the system in any way. Because of this it's easy to coerce a user to execute a program that can do real damage to the system. In contrast, the Linux security model limits a wide range of privileged tasks, such as installing new software or modifying configuration files, to the root user. Do not succumb to the temptation to use the root account for everything! In doing so you are throwing away one of the more powerful defenses against virus and Trojan horse attacks (not to mention accidental rm -rf * commands). Always use a normal user account, and use the su or sudo commands to temporarily obtain root access when you need to undertake privileged tasks. There is an additional benefit in this limited use of the root account: logging. The su and sudo commands write messages to the system log file when they're invoked, mentioning the ID of the user performing the su or sudo, as well as the date and time that the command was invoked. This is very helpful for keeping track of when root privileges are being used, and by whom.



Don't share your passwords.
    Don't tell anybody your passwords, ever. This also means you shouldn't write your passwords on little sticky notes attached to your monitor, or in the diary you keep in the top drawer. If you want to allow people temporary access to your system, create an account for them to use. This allows you some convenience in monitoring what they do, and you can easily clean up afterward. If you really must trust someone with your root account, use the sudo command, which allows you to give users root access to selected commands without revealing the root password.



Don't blindly trust binaries that have been given to you.
    Although it is very convenient to retrieve and install binary copies of programs on your system, you should always question how much you trust the binary before running it. If you're installing software packages that you've retrieved directly from the official sites of your distribution or from a significant development site, you can be fairly confident the software is safe. If you're getting them from an unofficial mirror site, you need to consider how much you trust the administrators of the site. It is possible that someone is distributing a modified form of the software with backdoors that would allow someone to gain access to your machine. Although this is a rather paranoid view, it is nevertheless one that many Linux distribution organizations are embracing. For example, the Debian organization is developing a means of validating a software package to confirm that it hasn't been modified. Other distributions are sure to adopt similar techniques to protect the integrity of their own packaged software.



    If you do want to install and execute a program that has been given to you in binary form, there are some things you can do to help minimize risk. Unfortunately, none of these techniques is easy if you're new to the Linux environment. First, always run untrusted programs as a non-root user unless the program specifically requires root privileges to operate. This will contain any damage the program might do, affecting only files and directories owned by that user. If you want to get some idea of what the program might do before you execute it, you can run the strings command over the binaries. This will show you all the hardcoded strings that appear in the code. You should look for any references to important files or directories, such as /etc/passwd or /bin/login. If you see a reference to an important file, you should ask yourself whether that is in keeping with the purpose of the program in question. If not, beware. If you're more technically inclined, you might also consider first running the program and watching what it is doing using a program such as strace or ltrace, which display the system and library calls that the program is making. Look for references to unusual filesystem or network activity in the traces.
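An added example, not code from the book, of the strings check just described. It uses grep -a -o as a stand-in for the strings command (so it also works where binutils is not installed), then flags any extracted string that names one of a short list of sensitive paths; the list starts from the /etc/passwd and /bin/login the text mentions and is an assumption to extend for your own purposes. The sample file is constructed to contain the kind of content a small binary would; on a real program, call suspicious_references on the file itself.

```sh
#!/bin/sh
# Added example, not code from the book: look inside an untrusted binary for
# hardcoded references to sensitive files before running it.

# Print every run of 4 or more printable characters in a file, which is what
# strings(1) does by default. LC_ALL=C keeps grep byte-oriented so that
# non-ASCII bytes in the binary act as separators rather than errors.
extract_strings() {
    LC_ALL=C grep -a -o '[[:print:]]\{4,\}' "$1"
}

# Paths whose presence in a program deserves a second look. The list starts
# from the files the text names and is an assumption to adjust as needed.
SENSITIVE_PATHS='/etc/passwd|/etc/shadow|/etc/sudoers|/bin/login|/bin/sh|/root/'

# Print the extracted strings that mention a sensitive path.
suspicious_references() {
    extract_strings "$1" | grep -E -- "$SENSITIVE_PATHS"
}

# Write a constructed stand-in for a binary (a bogus ELF header, NUL-separated
# text, and two hardcoded paths) to a temporary file and print its name.
make_sample_binary() {
    f=$(mktemp)
    printf '\177ELF\001\001\001\000garbage\000/etc/passwd\000hello world\000ab\000/bin/login\000' > "$f"
    printf '%s\n' "$f"
}

sample=$(make_sample_binary)
echo "Strings found:"
extract_strings "$sample"
echo "Sensitive references:"
suspicious_references "$sample"
rm -f "$sample"
```

For the dynamic check the text goes on to mention, strace -f -e trace=file,network ./program restricts the trace to the file and network system calls, which are the ones worth reading first; run it as an unprivileged user, as the text advises.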



Don't ignore your log files.
    Your system log files are your friend, and they can tell you a lot about what is happening on your system. You can find information about when network connections have been made to your system, who has been using the root account, and failed login attempts. You should check your log files periodically and get to know what is normal and, more usefully, what is abnormal. If you see something unusual, investigate.
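As an added example, not from the book, serving both the logging point made under the root-account item and this one: two shell functions that read syslog-style authentication lines, one listing every su or sudo escalation to root together with the user who performed it, the other counting failed password attempts by source address. The log lines are constructed for the example in the shape su, sudo and sshd commonly write to auth.log; field positions differ between distributions and versions, so check the filters against your own log before relying on them.

```sh
#!/bin/sh
# Added example, not code from the book: pull root escalations and failed
# logins out of syslog-style authentication log lines.

# Constructed log lines in the shape su, sudo and sshd commonly write to
# /var/log/auth.log (exact formats differ between distributions and versions).
SAMPLE_LOG='Mar  3 10:14:02 host su: (to root) alice on pts/0
Mar  3 10:15:40 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/reboot
Mar  3 10:16:11 host sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Mar  3 10:16:15 host sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Mar  3 10:17:00 host sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:18:30 host su: FAILED SU (to root) mallory on pts/2
Mar  3 10:19:02 host sshd[2320]: Failed password for alice from 203.0.113.7 port 4030 ssh2
Mar  3 10:21:45 host sshd[2333]: Failed password for root from 198.51.100.4 port 3022 ssh2'

# Read log lines on stdin; print "month day time kind user [command]" for
# every successful or failed su to root and every sudo invocation. This is
# the record the text describes: who used root privileges, and when.
root_escalations() {
    awk '
        $5 == "su:" && $6 == "(to" && $7 == "root)" {
            print $1, $2, $3, "su", $8
        }
        $5 == "su:" && $6 == "FAILED" && $8 == "(to" && $9 == "root)" {
            print $1, $2, $3, "failed-su", $10
        }
        $5 == "sudo:" {
            cmd = substr($0, index($0, "COMMAND=") + 8)
            print $1, $2, $3, "sudo", $6, cmd
        }'
}

# Read log lines on stdin; print "count source_address", most frequent first,
# for sshd "Failed password" events. A burst from one address is the kind of
# abnormal pattern the text says to look for.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Run both reports over the constructed sample (what executing this file does).
sample_escalations()   { printf '%s\n' "$SAMPLE_LOG" | root_escalations; }
sample_failed_logins() { printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source; }

sample_escalations
sample_failed_logins
```

On a live system, feed the real file instead: root_escalations < /var/log/auth.log lists the escalations, and failed_logins_by_source < /var/log/auth.log ranks the addresses that have been guessing passwords.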



Don't let your system get too far out of date.
    It's important to keep the software on your system fairly current. That Linux kernel 1.2 system you have running in the corner that's been reliably serving your printers for years might be a great subject at cocktail parties, but it's probably a security incident waiting to happen. Keeping the software on your system up-to-date helps ensure that all bug and security fixes are applied. Most Linux distributions provide a set of packages that are security fixes only, so you don't have to worry about issues such as configuration file and feature changes in order to keep your system secure. You should at least keep track of these updates.



Don't forget about physical security.
    Most security breaches are performed by people inside the organization running the target system. The most comprehensive software security configuration in the world means nothing if someone can walk up to your machine and boot a floppy containing exploit code. If your machine uses a BIOS or system PROM that allows the device boot order to be configured, set it so that the floppy and CD-ROM drives boot after the hard drive. If your BIOS provides support for password protection of its configuration, use it. If you can padlock the machine case closed, consider doing so. If you can keep the machine in a physically secure area such as a locked room, that's even better.


