Linux Security
Next we look for world-writable files on your system. What happens if an attacker can freely change the contents of such files?
root@localhost# find / -perm -2 ! -type l -ls
In normal operation, writing to and changing files happens in directories such as /dev and /tmp. If you find other directories whose files are world-writable, something has probably gone wrong.
You should also pay attention to files that have no owner (belonging to no user or group). If nobody owns them, an attacker may well end up owning them ;-( To find unowned files, use:
root@localhost# find / -nouser -o -nogroup
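The two find checks above wrapped as reusable audit functions, as an added example that is not part of the original article. The list of pruned directories (/tmp, /var/tmp, /dev, /proc, /sys) is my choice of "expected" locations, not the article's; adjust it to your system.

```shell
#!/bin/sh
# Added example (not from the original article): the two find checks from the
# text as reusable audit functions. The pruned directories are an assumption
# about where world-writable entries are normal; tune them for your system.

# World-writable files and directories under $1 (default /), ignoring symbolic
# links and the locations where world-writable entries are expected.
audit_world_writable() {
    root=${1:-/}
    find "$root" \( -path /tmp -o -path /var/tmp -o -path /dev \
                    -o -path /proc -o -path /sys \) -prune \
         -o -perm -0002 ! -type l -print 2>/dev/null
}

# Files under $1 (default /) whose owner or group no longer exists in
# /etc/passwd or /etc/group.
audit_unowned() {
    root=${1:-/}
    find "$root" \( -path /proc -o -path /sys \) -prune \
         -o \( -nouser -o -nogroup \) -print 2>/dev/null
}

# With a directory argument the script audits that tree; with no argument it
# only defines the functions so the file can be sourced from other scripts.
if [ -n "${1:-}" ]; then
    echo "== world-writable entries outside the expected locations =="
    audit_world_writable "$1"
    echo "== entries with no owner or group =="
    audit_unowned "$1"
fi
```

Run it as `sh audit_files.sh /` from cron and diff the output against the previous run; a new world-writable file under /etc or /usr, or a file that suddenly has no owner, is worth investigating immediately.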
With the "lsattr" and "chattr" commands you can set attributes on files and directories that go beyond what a system administrator normally controls, such as whether a file can be deleted or modified, and other properties that "chmod" cannot express.
Assigning file attributes according to a consistent, transparent and unchanging rule is particularly effective at preventing an attacker from deleting or altering your log files, or from planting a Trojan in the binaries on your system.
Lnh "chattr" c s dng gn hay g b quyn hn s hu cho File, th lnh "lsattr" c
s dng lit k chng.
Log files must be properly protected. Once data has been written to a log file it should not be possible to edit or change it. This matters because there are many scripts that let an attacker delete or rewrite the contents of log files. To tighten the protection of log files, we use "chattr" and "lsattr" on a few targets:
root@localhost# chattr +i /bin/login
root@localhost# chattr +a /var/log/messages
root@localhost# lsattr /bin/login /var/log/messages
----i--- /bin/login
-----a-- /var/log/messages
In summary, after this section keep the following in mind: never allow users to run Set-UID programs, or other programs with root-like privileges, from their home directories. Always audit and keep an eye on the file system of your server, especially the high-risk kinds of files described above.
- Use the nosuid option in /etc/fstab on the writable areas set aside for individual users.
- The noexec and nodev options on users' home directories prevent them from executing programs there or creating block devices.
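A check for the mount options just described, as an added example that is not part of the original article: it reads an fstab and reports which of nosuid, nodev and noexec are missing on the user-writable mount points. The fstab embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): report user-writable file
# systems whose fstab entry lacks nosuid, nodev or noexec.
# SAMPLE_FSTAB is a constructed fstab used for the offline demonstration.
SAMPLE_FSTAB='
# <device>   <mount point> <type> <options>                    <dump> <pass>
/dev/sda1    /             ext4   defaults                     1      1
/dev/sda2    /home         ext4   defaults,nosuid              1      2
/dev/sda3    /tmp          ext4   defaults,nosuid,nodev,noexec 1      2
/dev/sda4    /var/tmp      ext4   defaults                     1      2
'

# Read an fstab on stdin; for every mount point named as an argument print
#   <mount point> missing: <options>
# listing which of nosuid, nodev and noexec are absent. Mount points that
# carry all three, or that do not appear in the fstab, produce no output.
check_fstab_options() {
    awk -v wanted="$*" '
        BEGIN {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        ($2 in want) {
            split($4, opts, ",")
            for (i in opts) have[opts[i]] = 1
            missing = ""
            if (!("nosuid" in have)) missing = missing " nosuid"
            if (!("nodev"  in have)) missing = missing " nodev"
            if (!("noexec" in have)) missing = missing " noexec"
            if (missing != "") printf "%s missing:%s\n", $2, missing
            for (k in have) delete have[k]
        }'
}

# Check the constructed sample by default; check the real fstab when invoked
# as:  sh fstab_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_fstab_options /home /tmp /var/tmp < /etc/fstab
else
    printf '%s\n' "$SAMPLE_FSTAB" | check_fstab_options /home /tmp /var/tmp
fi
```

For the sample it reports /home (nodev and noexec missing) and /var/tmp (all three missing) while /tmp passes. Before adding noexec to /tmp on a real system, check that package installers and build tools on that host do not need to execute from it; nosuid and nodev are safe almost everywhere.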
Zone transfers must be permitted by the master name server so that the slave server can be updated. DNS requests answered without restriction can disclose the IP addresses and hostnames of your systems to unauthorised users. For this reason you should restrict the answers given for your public domain:
// Allow transfer only to our slave name server. Allow queries
// only by hosts in the 192.168.1.0 network.
zone "mydomain.com" {
    type master;
    file "master/db.mydomain.com";
    allow-transfer { 192.168.1.6; };
    allow-query { 192.168.1.0/24; };
};
Disable and prevent information leaks from the DNS server:
// Disable the ability to determine the version of BIND running
zone "bind" chaos {
    type master;
    file "master/bind";
    allow-query { localhost; };
};
To complete this protection of the DNS server, the file ./master/bind contains:
$TTL 1d
@       CHAOS   SOA     localhost. root.localhost. (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expire
                        1D )    ; minimum
        CHAOS   NS      localhost.
Control and explicitly specify the network interface on which the DNS server listens (in the options block of named.conf). Not listening on unnecessary interfaces reduces the exposure of your DNS server to attack:
listen-on { 192.168.1.1; };
Use an access control list (acl) to limit access and changes to the trusted users within your network range:
acl internal {
    192.168.1.0/24; 192.168.2.11;
};
Run the DNS server as an ordinary user on your system. Do not give it extra privileges, so that an attacker cannot abuse the server to carry out a "Get Root" attack. Create the group first, then the account that belongs to it:
root@localhost# groupadd -r named
root@localhost# useradd -M -r -g named -d /var/named -s /bin/false named
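A configuration check for the zone-transfer restriction discussed above, as an added example that is not part of the original article: it scans a named.conf for master zones that either carry no allow-transfer statement or allow transfers to "any". The named.conf embedded below is constructed; its zone names and addresses are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a named.conf for master
# zones whose transfers are not restricted. SAMPLE_NAMED_CONF is a constructed
# configuration; the zone names and addresses are assumptions.
SAMPLE_NAMED_CONF='
options {
    directory "/var/named";
    listen-on { 192.168.1.1; };
};
// Restricted as the article recommends: only the slave may transfer the zone.
zone "mydomain.com" {
    type master;
    file "master/db.mydomain.com";
    allow-transfer { 192.168.1.6; };
    allow-query { 192.168.1.0/24; };
};
// No allow-transfer statement: relies on the server default instead of an
// explicit restriction.
zone "internal.example" {
    type master;
    file "master/db.internal.example";
};
// Explicitly open to the world.
zone "open.example" {
    type master;
    file "master/db.open.example";
    allow-transfer { any; };
};
zone "secondary.example" { type slave; masters { 192.168.1.1; }; file "slave/db.secondary.example"; };
'

# Read a named.conf on stdin and print one line per finding:
#   zone <name>: master zone without allow-transfer
#   zone <name>: allow-transfer permits any
# Braces are counted so that multi-line and single-line zone blocks both work.
audit_zone_transfers() {
    # Strip // and # comments first so commented-out statements do not count.
    sed 's,//.*$,,; s,#.*$,,' | awk '
        /^[[:space:]]*zone[[:space:]]/ {
            inzone = 1; opened = 0; depth = 0; master = 0; xfer = 0; anyx = 0
            name = $2; gsub(/"/, "", name)
        }
        inzone {
            if ($0 ~ /type[[:space:]]+master/) master = 1
            if ($0 ~ /allow-transfer/) {
                xfer = 1
                if ($0 ~ /[{ ;]any[ ;]/) anyx = 1
            }
            o = gsub(/\{/, "{"); c = gsub(/\}/, "}")
            depth += o - c
            if (o > 0) opened = 1
            if (opened && depth <= 0) {
                if (master && !xfer) print "zone " name ": master zone without allow-transfer"
                if (master && anyx)  print "zone " name ": allow-transfer permits any"
                inzone = 0
            }
        }'
}

# Audit the constructed sample by default, or a real file when invoked as:
#   sh zone_audit.sh /etc/named.conf
if [ -n "${1:-}" ]; then
    audit_zone_transfers < "$1"
else
    printf '%s\n' "$SAMPLE_NAMED_CONF" | audit_zone_transfers
fi
```

For the sample it flags internal.example and open.example and stays silent on mydomain.com and the slave zone. The check looks only inside zone blocks, so an allow-transfer set globally in the options block, or zones pulled in through include files, are not seen; feed it the flattened output of `named-checkconf -p` when the configuration is split across files.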
10) Securing Syslog
/sbin/lilo:
    image = /boot/vmlinuz-2.2.17
    label = Linux
    read-only
    restricted
    password = your-password
The Openwall kernel patch is very useful for preventing buffer overflow attacks and for warning about, blocking and limiting changes made by users on your system. To use the Openwall kernel you must recompile the kernel.
Make sure the time on your system is accurate and consistent. Many problems arise when the system clock is wrong, and it makes later auditing much harder, for example when analysing the contents and the sequence of events in the log files. To keep the system time accurate, add a crontab entry that compares and synchronises your system clock with a reference time host:
0-59/30 * * * * root /usr/sbin/ntpdate -su time.timehost.com
Use Sudo to define which commands each user on your system may run. You can allow an ordinary user to run certain commands as root, and then use that user to operate and administer your system without touching the root account. Although the benefits of Sudo are great, if it is not configured carefully Sudo can completely break the separation of privileges that is considered the source of Unix/Linux's strength.
Do not forget to choose a suitable antivirus. Its job is to scan for, warn about, block and remove viruses when they try to attack your system. Although the chance of a virus attack on Linux is small, it is not zero. The real benefit an antivirus brings is that it detects and stops viruses at your mail server before users receive them. Your system may run Unix/Linux, but do all the users of your system run Unix/Linux? Most likely 90% of them use Windows. There is also the case of users who try to upload scripts and tools such as PHP bombs, CGI telnet or DDoS zombies to your server. All of these count as malicious code and are easily detected by an antivirus. There are many antivirus products, but I personally prefer Kaspersky Antivirus (KAVP).
It would be an omission not to mention the two trusted "bodyguards" of almost every computer network: the firewall and the network intrusion detection system. On Unix/Linux there is a great deal of software of this kind, but the two candidates most widely used for their safety and popularity are Ipchains/Iptables (firewall) and Snort (network intrusion detection). Writing about firewalls and network intrusion detection in full detail would take who knows how many pages.
Given the scope of this article, whose purpose is to run through the security topics that need attention, I cannot explain in detail how to install, configure and use the tools mentioned above, such as Sudo, Ipchains/Iptables, Snort and OpenSSH... I hope you understand.
P/S: Before this article was completed, I had already finished detailed articles on how to use them. I will review them and update this document with them directly as soon as possible.
Some security-relevant files to watch in Unix/Linux:

Location              Permission  Function
--------------------  ----------  -------------------------------------------------------------
/var/log              751         Directory containing all the system's log files
/var/log/messages     644         System messages
/etc/crontab          600         Directory containing the files related to Crontab
/etc/syslog.conf      640         Syslog configuration file
/etc/logrotate.conf   640         Configuration file controlling the rotation of the log files
/var/log/wtmp         660         Shows who is logged into the system
/var/log/lastlog      640         Who logged into the system previously
/etc/ftpusers         600         List of users not allowed to use FTP
/etc/passwd           644         List of the users on the system
/etc/shadow           600         List of the encrypted passwords of the users
/etc/pam.d            750         PAM configuration
/etc/hosts.allow      600         File controlling which addresses and hosts are allowed
/etc/hosts.deny       600         File controlling which addresses and hosts are denied
/etc/lilo.conf        600         Configuration file of the Linux boot loader
/etc/securetty        600         TTY interfaces from which root may log in
/etc/shutdown.allow   400         List of users allowed to use the Ctrl + Alt key combination
/etc/security         700         General security rules for the system
/etc/rc.d/init.d      750         Directory of the programs started with the system (Redhat)
/etc/init.d           750         Directory of the programs started with the system (Debian)
/etc/sysconfig        751         Directory of the system and network configuration files (Redhat)
/etc/inetd.conf       600         File defining the services on the system
/etc/cron.allow       400         List of users allowed to use Cron
/etc/cron.deny        400         List of users not allowed to use Cron
/etc/ssh              750         SSH configuration
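A script that compares the table above against a live system, as an added example that is not part of the original article. It embeds the table's paths and modes and reports every existing entry whose actual mode grants a permission bit the table does not; paths that do not exist on the host are skipped.

```shell
#!/bin/sh
# Added example (not from the original article): compare the permissions of
# the security-relevant files listed in the article with what is actually set.
# SECURITY_FILES holds the article's table as "path mode" pairs.
SECURITY_FILES='
/var/log 751
/var/log/messages 644
/etc/crontab 600
/etc/syslog.conf 640
/etc/logrotate.conf 640
/var/log/wtmp 660
/var/log/lastlog 640
/etc/ftpusers 600
/etc/passwd 644
/etc/shadow 600
/etc/pam.d 750
/etc/hosts.allow 600
/etc/hosts.deny 600
/etc/lilo.conf 600
/etc/securetty 600
/etc/shutdown.allow 400
/etc/security 700
/etc/rc.d/init.d 750
/etc/init.d 750
/etc/sysconfig 751
/etc/inetd.conf 600
/etc/cron.allow 400
/etc/cron.deny 400
/etc/ssh 750
'

# Read "path mode" pairs on stdin and print
#   <path>: mode <actual>, expected <mode>
# for every existing path that is more permissive than the table allows.
# Stricter-than-expected modes are not reported; missing paths are skipped.
check_permissions() {
    while read -r path expected; do
        case $path in ''|\#*) continue ;; esac
        [ -e "$path" ] || continue
        # GNU/busybox stat first, BSD stat as a fallback.
        actual=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
        # Any bit set in the actual mode but clear in the expected one means
        # the entry grants more than the table permits.
        if [ $(( 0$actual & ~0$expected )) -ne 0 ]; then
            printf '%s: mode %s, expected %s\n' "$path" "$actual" "$expected"
        fi
    done
}

# Audit the live system when invoked as:  sh perm_check.sh --live
if [ "${1:-}" = "--live" ]; then
    printf '%s\n' "$SECURITY_FILES" | check_permissions
fi
```

Modes are compared bit by bit rather than as numbers, so a file at 640 where the table says 644 is not flagged, while 4755 against an expected 755 is, because the setuid bit is not in the expected mode. Run it after installs and upgrades, which commonly reset modes on files such as /etc/ssh or /etc/crontab.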