Linux Security Management (리눅스보안관리.PDF)


2 Console security topics: CMOS (BIOS) password, boot loader password, screen locking with xlock and vlock

3 Boot loader and login session
Single-user mode can be started from the boot prompt with boot: linux single, which gives a root shell without a password. Protect it in /etc/lilo.conf with the restricted and password=pickyourpassword options, then run /sbin/lilo to reinstall the boot loader (and keep /etc/lilo.conf readable by root only, since it now holds the password).
Login timeout: set TMOUT=nn in ~/.bashrc or ~/.bash_profile (nn = idle seconds before the shell logs the user out).
Logout: put clear in ~/.bash_logout so the terminal contents are wiped on logout.
Screen locking: xlock (X), vlock (virtual consoles).

4 OS detection
Service banners (ftp, telnet, http) and TCP/IP stack fingerprinting (nmap, queso) reveal the operating system.
Countermeasure: suppress the telnet login banner by starting the daemon with -h in /etc/inetd.conf (/usr/sbin/in.telnetd -h), then verify with nmap and queso. Note that banner hiding does not defeat stack fingerprinting.

5 Port scanning
Tools: nmap, strobe, nc. A scan identifies the listening services and their versions, which the attacker matches against exploits.
Countermeasure: disable unneeded services such as finger, telnet, login by commenting them out (#) in /etc/inetd.conf.
Detection: snort can be used as a port scan detector.

6 Exploits: remote and local attacks

7 Password cracking and sniffing
Password crackers (brute-force / dictionary attack): ntucrack, John the Ripper.
Sniffers: tcpdump, snort, sniffit, ethereal.

8 Shadow passwords
Password hashes move from the world-readable /etc/passwd into root-only /etc/shadow. Use MD5 hashes instead of traditional DES crypt, which uses only the first 8 characters of the password.
PAM configuration in /etc/pam.d/login and /etc/pam.d/passwd:
  password required pam_unix.so nullok obscure min=4 max=8 md5
min and max bound the password length; cracklib can be added to reject weak passwords. nullok permits empty passwords and should be dropped on a hardened host.
One-time passwords: otp. Generated passwords: makepasswd.
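The following is an added example, not part of the original slides: it classifies the hash field of /etc/shadow entries by the crypt(3) prefix and flags accounts that still use DES, have no password at all, or use an unrecognized format. The shadow lines are constructed, and the $5$/$6$ SHA prefixes are glibc formats newer than the slide, included so the check is also useful on current hosts.

```shell
#!/bin/sh
# Classify the hash field of an /etc/shadow entry by the prefix crypt(3) uses.
# hash_type HASH -> prints one of: none locked des md5 sha256 sha512 other
hash_type() {
    h=$1
    case "$h" in
        '')        echo none ;;     # empty field: login without any password
        '!'*|'*'*) echo locked ;;   # locked account or no password set
        '$1$'*)    echo md5 ;;
        '$5$'*)    echo sha256 ;;   # glibc prefixes newer than the slide
        '$6$'*)    echo sha512 ;;
        *)
            # traditional DES crypt: 13 characters (2-char salt + 11), no '$' prefix
            if [ "${#h}" -eq 13 ]; then echo des; else echo other; fi
            ;;
    esac
}

# weak_accounts < shadow-lines -> "user type" for accounts with no password,
# a DES hash, or an unrecognized hash format
weak_accounts() {
    while IFS=: read -r user hash rest; do
        t=$(hash_type "$hash")
        case "$t" in
            none|des|other) echo "$user $t" ;;
        esac
    done
}

# Constructed sample shadow file (hypothetical accounts, not from a real system)
SAMPLE_SHADOW='root:$1$abcdefgh$0123456789abcdefghijkl:11000:0:99999:7:::
oldadm:abXj3Zk9pL.mQ:11000:0:99999:7:::
guest::11000:0:99999:7:::
former:!:11000:0:99999:7:::
xfs:*:11000:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | weak_accounts
```

On a live host run it as root with `weak_accounts < /etc/shadow`; an account reported as `none` is an open door regardless of how strong every other password is.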

9 Restricting root and login access
/etc/securetty lists the terminals from which root may log in; it is enforced in /etc/pam.d/login by
  auth requisite pam_securetty.so
Restrict which users may log in from where with pam_access, enabled in /etc/pam.d/login by
  account required pam_access.so
/etc/security/access.conf example:
  -:wheel:ALL EXCEPT LOCAL .win.tue.nl
(members of wheel may log in only locally or from hosts in *.win.tue.nl).
Time-of-day login restrictions: /etc/security/time.conf, also hooked into /etc/pam.d/login.

10 Restricted shells and login shells
chroot shells / chroot jails; rbash (restricted bash) forbids output redirection and changing the shell or PATH, but is only as strong as the commands it still allows.
Give system accounts no usable login shell in /etc/passwd:
  root:x:0:0:root:/root:/bin/csh
  xfs:x:101:234:X Font Server:/etc/X11/fs:/bin/false
  ftp:x:14:50:FTP User:/home/ftp:
An empty shell field (as in the ftp entry) defaults to /bin/sh; set /bin/false explicitly for accounts that must never get a shell.

11 Resource limits and su
Local DoS by resource exhaustion: in /etc/pam.d/login add
  session required pam_limits.so
and set per-user limits in /etc/security/limits.conf (core, rss, nproc).
Super user access: limit su to members of the wheel group in /etc/pam.d/su
  auth sufficient pam_rootok.so
  auth required   pam_wheel.so group=wheel
Create the group and add administrators: groupadd wheel; usermod -G wheel username (on newer usermod use -a -G so the existing supplementary groups are kept).

12 sudo
sudo grants individual commands as root. Never grant commands that can hand out a root shell: bash, csh, vipw, vigr, visudo (they run an editor that can spawn a shell), more (shell escape with !).
Edit /etc/sudoers only through visudo. Aliases: User_Alias, Host_Alias, Cmnd_Alias. Example:
  User_Alias FULLTIMERS = millert, mikef, dowdy
  Host_Alias SERVERS = master, mail, www, ns
  Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
  FULLTIMERS SERVERS = NOPASSWD: SHUTDOWN

13 Paths to root
Root SUID programs: race conditions, buffer overflows, heap overflows, format string bugs.
Network services running as root: ftp, http, sendmail, bind; NFS (Network File System).

14 File permissions
Classes: user (u), group (g), other (o). Bits: read (r), write (w), execute (x).
Special bits: sticky bit (t/T), SUID/SGID (s/S); ls shows the uppercase form when the corresponding execute bit is not set.

15 SetUID/SetGID programs
Needed by programs that must write root-owned files: passwd, chsh, chfn (update /etc/passwd and /etc/shadow); also su, sudo, mount, umount, ping, sendmail, traceroute, at, lpr.
Every SUID root program is attack surface: backdoors, race conditions, buffer overflows, format string bugs. Inventory them and remove the bit from anything not needed:
  # find / -user root -perm -4000 -exec ls -l {} \; 2> /dev/null | more
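An added example, not from the slides, that turns the find command above into an inventory check: every set-UID file under a tree is compared against the slide's list of programs expected to carry the bit, and anything else is reported. It runs against a constructed scratch directory so it can be tried without root; on a real host pass / and add -user root as the slide does. The allow-list contents and the sample file names are assumptions for illustration.

```shell
#!/bin/sh
# Inventory set-UID files under a tree and flag those not on the expected list
# (the programs named on the slide). Assumed allow-list; adjust per host.
EXPECTED_SUID="passwd chsh chfn su sudo mount umount ping sendmail traceroute at lpr"

# is_expected NAME -> exit status 0 if NAME is on the allow-list
is_expected() {
    for name in $EXPECTED_SUID; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# unexpected_suid DIR -> full path of every set-UID regular file whose
# basename is not on the allow-list, one per line, sorted
unexpected_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort | while IFS= read -r path; do
        is_expected "${path##*/}" || echo "$path"
    done
}

# make_sample_tree -> prints the path of a constructed scratch tree holding one
# expected set-UID program, one suspicious set-UID file and one plain executable
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp"
    printf '#!/bin/sh\n' > "$d/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$d/tmp/.sh"
    printf '#!/bin/sh\n' > "$d/usr/bin/ls"
    chmod 4755 "$d/usr/bin/passwd" "$d/tmp/.sh"   # set-UID bit on
    chmod 0755 "$d/usr/bin/ls"                     # ordinary executable
    echo "$d"
}

tree=$(make_sample_tree)
unexpected_suid "$tree"      # reports only the hidden file under tmp
rm -rf "$tree"
```

Keep the output of a clean run as a baseline; the slide's tripwire-style integrity checking (slide 18) is the same idea applied to checksums rather than to one permission bit.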

16 Filesystem hardening
Filling the disk is a local DoS against root and everyone else. In /etc/fstab mount /tmp and /var/tmp with noexec,nosuid so an exploit dropped into /tmp cannot be run from there directly (noexec raises the bar but does not stop an interpreter from reading a script out of /tmp).
Quota: enable Quota support (CONFIG_QUOTA) in the kernel (answer y instead of the default n), add usrquota and grpquota to the filesystem's options in /etc/fstab, create the root-owned quota.user and quota.group files on that filesystem, and set per-user limits with edquota.
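An added example, not part of the original slides, that audits an fstab for the two points above: it reports /tmp and /var/tmp entries missing nosuid or noexec, and lists the filesystems on which usrquota or grpquota is enabled. The fstab entries and device names are constructed.

```shell
#!/bin/sh
# Audit fstab entries for the options recommended on the slide.
# fstab_findings FILE -> one "MOUNTPOINT missing OPTION" line per gap on
# /tmp and /var/tmp; prints nothing when both are mounted nosuid,noexec
fstab_findings() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }      # skip comments and short lines
        $2 == "/tmp" || $2 == "/var/tmp" {
            n = split($4, opts, ",")
            nosuid = 0; noexec = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") nosuid = 1
                if (opts[i] == "noexec") noexec = 1
            }
            if (!nosuid) print $2 " missing nosuid"
            if (!noexec) print $2 " missing noexec"
        }' "$1"
}

# quota_filesystems FILE -> mount points whose options enable user or group quota
quota_filesystems() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "usrquota" || opts[i] == "grpquota") { print $2; break }
        }' "$1"
}

# make_sample_fstab -> path of a constructed fstab (hypothetical devices)
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <device>   <mount point>  <type>  <options>            <dump> <pass>
/dev/hda1    /              ext2    defaults             1 1
/dev/hda5    /tmp           ext2    defaults             1 2
/dev/hda6    /var/tmp       ext2    nosuid,noexec        1 2
/dev/hda7    /home          ext2    usrquota,grpquota    1 2
EOF
    echo "$f"
}

fstab=$(make_sample_fstab)
fstab_findings "$fstab"        # /tmp is mounted with defaults only
quota_filesystems "$fstab"     # /home carries quota options
rm -f "$fstab"
```

Run `fstab_findings /etc/fstab` on a host; remember that a remount (`mount -o remount,nosuid,noexec /tmp`) is needed for the change to take effect before the next boot.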

17 Default permissions and data remanence
umask: umask 077 makes newly created files readable and writable by their owner only.
Deleted data can be recovered from disk, in principle even after overwriting (MFM, Magnetic Force Microscopy); use wipe for secure deletion.
chattr (ext2): chattr +i filename makes the file immutable, even for root, until the attribute is removed with chattr -i.

18 Integrity checking, encryption and backup
Manual inspection: find, diff, cmp, strings, grep; watch for new root SUID files.
Integrity checker: tripwire, comparing MD5 checksums against a stored baseline.
Encrypted filesystems: CFS, TCFS, SFS, VS3FS.
Backup: tar, dd, restore.

19 Network attacks
Network sniffing; port scanning, OS detection, remote vulnerability scanning; NFS and NIS; IP spoofing and session hijacking; attacks on ftp, http, sendmail, dns; remote buffer overflows; backdoors, reverse telnet, bounce attacks; DoS and DDoS (Ping of Death, SYN flooding).

20 IP spoofing and session hijacking

21 sniffit

22 DoS/DDoS (Distributed Denial of Service)
Victims in mid-February 2000: Yahoo, CNN Interactive, Amazon.com, eBay, Datek Online, E*Trade, ZDNet, Buy.com.

23 Disabling unneeded services
List listening ports: netstat -a | grep LISTEN | more. Map a port to its process: lsof | grep portnumber | more.
In /etc/inetd.conf comment out (#) echo, chargen, daytime, discard, time; finger (leaks user IDs to attackers); telnet, ftp, talk, ntalk, auth, login, shell, imap, pop3 where not needed. Then /etc/init.d/inetd restart.

24 TCP wrappers
/etc/hosts.allow (client list not preserved in the transcription):
  in.fingerd, in.telnetd :
/etc/hosts.deny:
  ALL : PARANOID
  in.fingerd, in.rlogind, in.telnetd, in.ftpd : ALL : spawn (/usr/sbin/safe_finger | /bin/mail -s %d=%h root) &
The spawn rule fingers the connecting host and mails the daemon name (%d) and host (%h) to root. Only services started through tcpd (or linked with libwrap) honour these files.

25 IP spoofing: reverse-path filtering and ingress rules
/etc/host.conf: nospoof on
/etc/network/options (Debian): spoofprotect=yes
/etc/sysctl.conf: net/ipv4/conf/all/rp_filter=1
ipchains ingress rules on the external interface (the source address prefixes did not survive the transcription; only the mask lengths remain):
  # rules for standard unroutables
  ipchains -A input -i eth0 -s /32 -b -j DENY
  ipchains -A input -i eth0 -s /8 -b -j DENY
  # rules for private (RFC 1918) addresses
  ipchains -A input -i eth0 -s /8 -b -j DENY
  ipchains -A input -i eth0 -s /12 -b -j DENY
  ipchains -A input -i eth0 -s /16 -b -j DENY
  # rules for reserved addresses (multicast)
  ipchains -A input -i eth0 -s /5 -b -j DENY

26 IP spoofing: replace cleartext protocols
telnet, rlogin and rcp send credentials and sessions in the clear and trust source addresses; use ssh and scp instead, or telnet-ssl/ssl-telnet and apache-ssl where the plain protocol must stay.

27 SYN attack and ping flooding
SYN flooding: build the kernel with IP: TCP syncookie support (CONFIG_SYN_COOKIES) [y/n] y, then enable it at boot via /etc/network/options syncookies=yes (Debian) or /etc/sysctl.conf net/ipv4/tcp_syncookies = 1.
Ping flooding, in /etc/sysctl.conf: net/ipv4/icmp_echo_ignore_all = 1 makes the host ignore every ping (so it cannot be pinged for monitoring either); net/ipv4/icmp_echo_ignore_broadcasts = 1 stops it answering broadcast echo requests, so it cannot be used as an amplifier.
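An added example, not from the slides, covering the /etc/sysctl.conf settings of slides 25 and 27 together: it compares a sysctl.conf-style file against rp_filter, tcp_syncookies and icmp_echo_ignore_broadcasts, accepting both the slash notation the slides use and dotted keys. icmp_echo_ignore_all is deliberately not in the required set because it silences ping entirely. The sample file is constructed; /etc/network/options and the kernel build option are not checked.

```shell
#!/bin/sh
# Compare a sysctl.conf-style file against the kernel settings the slides set
# for anti-spoofing, SYN flooding and broadcast ping. Required set is an
# assumption taken from the slides; extend per host.
REQUIRED_SYSCTL='net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1'

# normalize_sysctl FILE -> "key=value" lines: comments stripped, whitespace
# removed, slash-form keys (net/ipv4/...) turned into dotted form
normalize_sysctl() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 's#/#.#g' "$1"
}

# sysctl_findings FILE -> one line per required setting that is absent or wrong
sysctl_findings() {
    have=$(normalize_sysctl "$1")
    printf '%s\n' "$REQUIRED_SYSCTL" | while IFS='=' read -r key want; do
        # last assignment wins, as it does when sysctl -p loads the file
        got=$(printf '%s\n' "$have" | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "$key not set (want $want)"
        elif [ "$got" != "$want" ]; then
            echo "$key=$got (want $want)"
        fi
    done
}

# make_sample_sysctl -> path of a constructed sysctl.conf (not from a real host):
# rp_filter in slash notation, syncookies explicitly off, broadcast setting absent
make_sample_sysctl() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed example file
net/ipv4/conf/all/rp_filter = 1
net.ipv4.tcp_syncookies = 0
EOF
    echo "$f"
}

conf=$(make_sample_sysctl)
sysctl_findings "$conf"
rm -f "$conf"
```

The file only describes what is applied at boot; confirm the live values with `sysctl -a` (or `cat /proc/sys/net/ipv4/tcp_syncookies`), since a setting present in the file but never loaded is the usual reason a host still answers with half-open queues full.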


30 References
Filesystems HOWTO; Firewall HOWTO; IPChains HOWTO; Net HOWTO; NFS HOWTO; NIS HOWTO; Quota mini-HOWTO; Security HOWTO; Secure POP+SSH HOWTO; Shadow Password HOWTO; Securing and Optimizing Linux: RedHat Edition.
