Shulou (shulou.com), SLTechnology News&Howtos, updated 2025-04-02
This article explains in detail the ways local process attacks are carried out against Linux systems. The editor finds the material very practical and shares it here for reference; I hope you get something out of it.
Local process attacks on a Linux system fall into four levels:
1. Denial of service (DoS) attacks.
2. A local user gains read and write permission on files they are not authorized to access.
3. A remote user gains read and write permission on privileged files.
4. A remote user gains root permission.
The environment used for this tutorial: Windows 10, Dell G3 computer.
With the expansion of Linux in enterprise applications, a large number of network servers now run the Linux operating system, and the security of Linux servers is receiving more and more attention. This article proposes different countermeasures according to the level of attack on the Linux server.
An attack on a Linux server is defined as unauthorized behavior intended to hinder, damage, weaken or destroy the security of the server. Attacks range from denial of service to complete compromise and destruction of the server. There are many kinds of attacks on Linux servers; from the point of view of attack depth, we divide them into four levels.
Attack level 1: denial of service (DoS) attacks
Because DoS attack tools are widely available and the underlying protocol-layer defects cannot be fixed in the short term, DoS has become the most widespread and hardest-to-prevent kind of attack.
Denial of service attacks include distributed denial of service (DDoS) attacks, reflective distributed denial of service attacks, DNS distributed denial of service attacks, FTP attacks and so on. Most denial of service attacks carry relatively low-level risk; even those that cause a system restart are only temporary problems. In this respect they differ from attacks that aim to gain control of the network, and they generally have no impact on data security, but a denial of service attack can last for a long time and is very difficult to deal with.
So far there is no absolute way to stop such attacks, but that does not mean we should sit back and do nothing. Besides stressing the importance of protecting personal hosts from being used as attack sources, strengthening server management is an essential part. Be sure to deploy verification and filtering functions that check whether the source address of a packet is genuine. In addition, the following measures can be taken against several kinds of denial of service: turn off unnecessary services, limit the number of SYN half-open connections that can be open at the same time, shorten the timeout of SYN half-open connections, and apply system patches promptly.
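As an added example that is not part of the article, the following POSIX shell script audits the Linux kernel settings that implement the last two pieces of advice above (capping the number of SYN half-open connections and shortening how long they are retried) against a constructed policy, and emits a matching sysctl fragment. The threshold values in the policy are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example: audit the kernel knobs that bound SYN half-open connections.
# The thresholds below are an assumed hardening policy, not article values.

# Policy lines: <sysctl key> <operator> <required value>
syn_policy() {
  cat <<'EOF'
net.ipv4.tcp_syncookies eq 1
net.ipv4.tcp_max_syn_backlog ge 2048
net.ipv4.tcp_synack_retries le 2
EOF
}

# Compare one current value against the policy; prints OK, WEAK or MISSING.
judge_setting() {
  key=$1 op=$2 want=$3 have=$4
  if [ -z "$have" ]; then printf '%s MISSING\n' "$key"; return; fi
  case $op in
    eq) [ "$have" -eq "$want" ] && r=OK || r=WEAK ;;
    ge) [ "$have" -ge "$want" ] && r=OK || r=WEAK ;;
    le) [ "$have" -le "$want" ] && r=OK || r=WEAK ;;
  esac
  printf '%s %s (current=%s, want %s %s)\n' "$key" "$r" "$have" "$op" "$want"
}

# Read "key = value" lines (the format `sysctl -a` prints) from stdin and
# emit one verdict per policy entry.
check_syn_settings() {
  current=$(cat)
  syn_policy | while read -r key op want; do
    have=$(printf '%s\n' "$current" | awk -v k="$key" '$1 == k { print $3 }')
    judge_setting "$key" "$op" "$want" "$have"
  done
}

# Emit a sysctl.conf fragment that satisfies the policy (apply with sysctl -p).
syn_hardening_conf() {
  syn_policy | while read -r key op want; do
    printf '%s = %s\n' "$key" "$want"
  done
}

# Live usage on a Linux host:  sysctl -a 2>/dev/null | check_syn_settings
```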
Attack level 2: local users gain read and write permission on unauthorized files
A local user is a user who has a password, and therefore a directory on a drive, on any machine on the local network. How serious it is for a local user to gain read and write access to files they are not authorized for depends largely on the criticality of the files being accessed. Arbitrary access by any local user to the temporary file directory (/tmp) is dangerous and can pave the way to the next level of attack.
The main method at level 2 is for the attacker to trick legitimate users into revealing confidential information or performing tasks, for example by pretending to be a network administrator who e-mails the user asking for their password in order to upgrade the system.
Almost all attacks initiated by local users begin with a remote login. For Linux servers, the best approach is to place all shell accounts on a single machine, that is, to accept logins only on one or a few servers designated for shell access. This makes log management, access control management, protocol publication and other potential security issues easier to manage. Systems that host users' CGI scripts should also be kept separate. These machines should be isolated in specific network segments, that is, depending on the network configuration, bounded by routers or network switches, and the topology should ensure that hardware address spoofing cannot reach beyond that segment.
Attack level 3: remote users gain read and write access to privileged files
At the third level the attacker can not only verify that specific files exist but also read and write them. This is possible because of weaknesses in the Linux server's configuration that let remote users execute a limited set of commands on the server without a valid account.
Password attacks are the main attack method at the third level, and password compromise is the most common form. Password cracking is the term for infiltrating a network, system or resource, with or without tools, by unlocking a password-protected resource. Users often neglect their passwords, and password policies are hard to enforce. Attackers have a variety of tools to defeat both the technical and the human (social) protections around passwords, chiefly dictionary attacks, hybrid attacks and brute force attacks. Once an attacker has a user's password, they hold all of that user's privileges. Password guessing means trying common passwords by hand or having a program try them. Some users choose simple passwords such as birthdays, anniversaries or a spouse's name and do not follow the rule of mixing letters and numbers; it does not take long for an attacker to guess an eight-character string built from a birth date.
The best defense against level 3 attacks is to strictly control access privileges, even for holders of valid passwords.
Above all, passwords should follow the rule of mixing letters, numbers and upper and lower case (Linux passwords are case-sensitive).
Adding special characters such as "#", "%" or "$" further increases complexity. For example, take the word "countbak" and append "#$" to get countbak#$, which is a reasonably good password.
Attack level 4: remote users gain root privileges
The fourth attack level is something that should never happen; it is a fatal attack. It means the attacker has root, superuser or administrator permission on the Linux server and can read, write and execute every file. In other words, the attacker has full control of the Linux server and can shut down or even destroy the network at any time.
The main forms of level 4 attack are TCP/IP continuous theft, passive channel listening and packet interception. These are methods of collecting the important information needed to get into the network. Unlike denial of service attacks, they resemble theft and are more covert and harder to detect.
A successful TCP/IP attack lets the attacker intercept a session between two parties, which provides a good opportunity for a man-in-the-middle attack in which the attacker then controls the traffic of one or both sides without the victims noticing. Through passive eavesdropping, attackers manipulate and record information, deliver files, and look for exploitable weak points across all available channels on the target system; they look for login name and password combinations that give them a legitimate channel into applications. Packet interception means planting an active listener program on the target system that intercepts and redirects all or selected traffic. The traffic can be diverted to a rogue system to be read and then sent on without change.
TCP/IP continuous theft is in fact network sniffing. Note that if you are sure someone has connected a sniffer to your network, there are tools to verify it. One such tool is the time domain reflectometer (TDR). A TDR measures the propagation and changes of electromagnetic waves; connecting one to the network can detect unauthorized devices that are tapping network data. However, many small and medium-sized companies do not have such expensive equipment.
The best ways to guard against sniffer attacks are:
1. A secure topology. A sniffer can only capture data on its own network segment, so the more finely the network is segmented, the less information a sniffer can collect.
2. Session encryption. Rather than trying to prevent sniffing as such, make the sniffed data unreadable to the sniffer. The advantage is obvious: even if an attacker captures the data, it is of no use to them.
Special note: countermeasures for dealing with attacks
Pay special attention to attacks above the second level, because the attacker can keep escalating in order to penetrate the Linux server. At that point the countermeasures we can take are:
1. First of all, back up the enterprise's critical data.
2. Change all passwords in the system and tell users to contact the system administrator to obtain their new password.
3. Isolate the network segment so that the attack is confined to a small area.
4. Allow the activity to continue. If possible, do not rush to drive the attacker out of the system; use the time to prepare the next step.
5. Record all actions and collect evidence. Evidence includes system log files, application log files, AAA (Authentication, Authorization, Accounting) log files, RADIUS (Remote Authentication Dial-In User Service) logs, network element logs, firewall logs, HIDS (host-based intrusion detection system) events, NIDS (network intrusion detection system) events, disk drives, hidden files and so on.
Notes on collecting evidence: take a photograph before moving or dismantling any device; follow the two-person rule during the investigation, with at least two people present when information is collected, to prevent tampering; record every step taken and every change to configuration settings and keep the record in a safe place. Check the access permissions of every directory in the system to see whether the permission list has been modified.
6. Make various attempts (from different parts of the network) to identify the source of the attack.
7. To use legal weapons against the crime, evidence must be retained, and it takes time for evidence to form. You must therefore tolerate the effects of the attack for a while (although some security measures can be put in place to ensure it does not damage the network). In this situation we should not only take legal measures but also ask at least one authoritative security company to help stop the crime. The most important feature of this kind of operation is to obtain evidence of the crime, find the offender's address and provide the logs. The collected evidence should be preserved properly: make two copies at the start, one for evaluating the evidence and one for legal verification.
8. After finding the vulnerability in the system, try to close it and test the fix by attacking your own system.
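The directory permission check in the evidence-collection step above, as an added shell example that is not part of the article: it records a baseline of directory modes and owners and later diffs a fresh snapshot against it, reporting changed, added and removed directories. The directory tree and baseline file path are assumptions; it relies on GNU find's -printf and does not handle paths containing whitespace.

```shell
#!/bin/sh
# Added example: baseline and diff directory permissions/ownership so a
# modified permission list shows up during incident evidence collection.

# One line per directory under $1: "mode owner group path", sorted by path.
perm_snapshot() {
  find "$1" -type d -printf '%m %u %g %p\n' | sort -k4
}

# Save the snapshot of tree $1 to baseline file $2 (store it off-host).
perm_baseline() {
  perm_snapshot "$1" > "$2"
}

# Compare the current tree $2 with baseline file $1. Prints CHANGED (mode or
# owner differs), ADDED or REMOVED per directory; returns 1 if anything
# differs and 0 if the tree still matches the baseline.
perm_diff() {
  tmp=$(mktemp)
  perm_snapshot "$2" > "$tmp"
  awk '
    NR == FNR { base[$4] = $1 " " $2 " " $3; next }      # load baseline
    {
      now = $1 " " $2 " " $3
      if (!($4 in base)) { print "ADDED " $4 " (" now ")"; changed = 1 }
      else if (base[$4] != now) {
        print "CHANGED " $4 " baseline=" base[$4] " now=" now; changed = 1
      }
      seen[$4] = 1
    }
    END {
      for (p in base) if (!(p in seen)) { print "REMOVED " p; changed = 1 }
      exit changed ? 1 : 0
    }
  ' "$1" "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage: perm_baseline /etc /var/backups/etc-perms.base  (before an incident)
#        perm_diff /var/backups/etc-perms.base /etc      (while investigating)
```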
Network security is not only a technical problem but also a social one. Enterprises should pay more attention to network security; relying blindly on technical tools leaves them ever more passive, and only by making full use of social and legal means to crack down on cyber crime can they be more effective. China has clear judicial interpretations for combating cyber crime, but unfortunately most enterprises only pay attention to the technical side while ignoring the legal and social factors, which is also the point of this article.
Glossary: denial of service attack (DoS)
DoS stands for Denial of Service; it is not to be confused with Microsoft's DOS operating system. A DoS attack makes the target machine stop providing service or access to resources. It usually aims to exhaust server-side resources: by forging requests beyond the server's processing capacity it blocks the server's responses so that legitimate user requests go unanswered, which achieves the attacker's goal.
This concludes the article on what the local process attack methods on Linux systems are. I hope the content above is helpful and that you learn more from it.