A Brief Discussion of Linux Server Security
Author: squall
As networking has grown, the Linux operating system has gradually become familiar to us, and the servers of a large enterprise depend all the more on Linux OS support. In terms of technical characteristics, Linux OS is highly reliable, scales well, has strong networking capabilities and strong database support, leaves no back doors, is fully open source, and is inexpensive.
Let us first look at how a professional evaluates Linux OS:
Mao Decao: As far as people in the Linux community are concerned, as far as I know nobody has ever claimed that Linux is absolutely secure; nothing in the world is absolute. What we say is that Windows has too many vulnerabilities, not that Linux necessarily has none. Objectively speaking, the proportion of security vulnerabilities discovered in Linux really is very small. Some people may say that is because Linux is used less, but in fact Linux is used a great deal: it is used a lot on servers, a lot in embedded systems, and a lot in universities. By that proportion, Windows has far more vulnerabilities. Nor can one say that Linux is absolutely secure and can have no vulnerabilities at all; that is impossible. Of course, one or two vulnerabilities will occasionally appear, and that is nothing strange. Precisely because Linux is open source, when a vulnerability appears everyone looks for the fault together, since everyone can see the code, rather than a few people looking for vulnerabilities behind closed doors, so a Linux vulnerability is also easier to fix than a Windows one. Yes, it is easier for a hacker to find your vulnerabilities, but it is precisely in that open contest, with everything laid out, you attack my vulnerability and I defend, that the hole is patched very quickly. A Windows vulnerability is a black box: the person who discovered it knows about it, but the defenders do not know what is inside that black box. What I mean is that although security vulnerabilities will also occur in Linux, overall Linux is far more secure than Windows.
Remote hardening
With that said, let us configure the server for security (kernel 2.4.20).
First, we need to shut down the following services: finger, talk, ntalk, shell, login, tftp, linuxconf, ftp and telnet. What these services have in common is that they are all started by the inetd process; that is, they are not started directly. Instead, inetd listens on their service ports on their behalf, and only when a service request arrives does inetd start the real service process to handle it.
The finger service can remotely probe information about the users on a machine. Owing to limited resources I tested on the local machine, as shown in Figure 1:
root@squall:~# finger -l root
Login: root Name: (null)
Directory: /root Shell: /bin/bash
On since Wed Jan 14 23:51 (AKST) on tty1 10 minutes 30 seconds idle
Mail last read Sun Jan 11 12:19 2004 (AKST)
No Plan.
root@squall:~#
(Note: the -l option to finger lists the user information in detail.)
Once a "hacker" knows the user information on your server, he will attack it. If he obtains the root password, the harm to the server is unthinkable, so we need to shut this service down. Disabling finger is simple: just comment out the finger line in /etc/inetd.conf, as shown in Figure 2:
root@squall:~# vi /etc/inetd.conf
# See "man 8 inetd" for more information.
#
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal:
# Do a "ps x" as root and look up the pid of inetd. Then do a
# "kill -HUP <pid of inetd>".
# The inetd will re-read this file whenever it gets that signal.
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# The first 4 services are really only used for debugging purposes, so
# we comment them out since they can otherwise be used for some nasty
# denial-of-service attacks. If you need them, uncomment them.
# echo stream tcp nowait root internal
# echo dgram udp wait root internal
# discard stream tcp nowait root internal
# discard dgram udp wait root internal
# daytime stream tcp nowait root internal
# daytime dgram udp wait root internal
# chargen stream tcp nowait root internal
# chargen dgram udp wait root internal
time stream tcp nowait root internal
time dgram udp wait root internal
#
# These are standard services:
#
# File Transfer Protocol (FTP) server:
#ftp stream tcp nowait root /usr/sbin/tcpd proftpd
#
# Telnet server:
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
#
# Shell, login, exec and talk are BSD protocols
#
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
# exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
# talk dgram udp wait root /usr/sbin/tcpd in.talkd
# ntalk dgram udp wait root /usr/sbin/tcpd in.talkd
#
# To use the talk daemons from KDE, comment the talk and ntalk lines above
# and uncomment the ones below:
# talk dgram udp wait root /usr/sbin/tcpd /opt/kde/bin/kotalkd
# ntalk dgram udp wait root /usr/sbin/tcpd /opt/kde/bin/ktalkd
#
# Kerberos authenticated services
#
# klogin stream tcp nowait root /usr/sbin/tcpd rlogind -k
# eklogin stream tcp nowait root /usr/sbin/tcpd rlogind -k -x
# kshell stream tcp nowait root /usr/sbin/tcpd rshd -k
#
# Services run ONLY on the Kerberos server
#
# krbupdate stream tcp nowait root /usr/sbin/tcpd registerd
# kpasswd stream tcp nowait root /usr/sbin/tcpd kpasswdd
#
# POP and IMAP mail servers
#
# Post Office Protocol version 3 (POP3) server:
#pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d
# Internet Message Access Protocol (IMAP) server:
#imap2 stream tcp nowait root /usr/sbin/tcpd imapd
#
# The Internet Unix to Unix copy (UUCP) service:
# uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
# tftp dgram udp wait nobody /usr/sbin/tcpd in.tftpd
# bootps dgram udp wait root /usr/sbin/bootpd bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
# Try "telnet localhost systat" and "telnet localhost netstat" to see that
# information yourself!
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd -u
# systat stream tcp nowait nobody /usr/sbin/tcpd /bin/ps -auwwx
# netstat stream tcp nowait root /usr/sbin/tcpd /bin/netstat -a
#
# Ident service is used for net authentication
# Since we start identd as nobody, it can't write a .pid file in /var/run, so tell it
# to use /dev/null. This is of little importance unless you run identd as a
# standalone daemon anyway.
auth stream tcp wait nobody /usr/sbin/in.identd in.identd -P/dev/null
#
# These are to start Samba, an smb server that can export filesystems to
# Pathworks, Lanmanager for DOS, Windows for Workgroups, Windows95, Lanmanager
# for Windows, Lanmanager for OS/2, Windows NT, etc.
# If you're running smbd and nmbd as daemons in /etc/rc.d/rc.samba, then you
# shouldn't uncomment these lines.
#netbios-ssn stream tcp nowait root /usr/sbin/smbd smbd
#netbios-ns dgram udp wait root /usr/sbin/nmbd nmbd
#
#Samba Web Administration Tool:
#swat stream tcp nowait.400 root /usr/sbin/swat swat
#
# Sun-RPC based services.
# <service name/version><sock_type><rpc/prot><flags><user><server><args>
# rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rstatd
# rusersd/2-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rusersd
# walld/1 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rwalld
#
# End of inetd.conf.
Find the line "finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd -u" and put a # in front of it, as shown in Figure 3:
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd -u
That disables the finger service. Let us scan with nmap to confirm, as shown in Figure 4:
root@squall:~/nmap# nmap -sS 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
WARNING! The following files exist and are readable: /usr/share/nmap/nmap-services and ./nmap-services. I am choosing /usr/share/nmap/nmap-services for security reasons. set NMAPDIR=. to give priority to files in your local directory
Interesting ports on localhost (127.0.0.1):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
37/tcp open time
111/tcp open sunrpc
113/tcp open auth
515/tcp open printer
587/tcp open submission
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
root@squall:~/nmap#
The scan results show that the finger service has been shut down.
The other services (talk, ntalk, shell, login, tftp, linuxconf, ftp and telnet) are disabled the same way, by putting # in front of their lines.
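As an added example (not part of the original article), the following shell script performs that comment-out step for a list of services on a copy of an inetd.conf-style file and then lists what is still enabled, so the edit can be checked before inetd is sent a HUP. It assumes the seven-field inetd.conf layout shown above; the sample file is constructed here and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Disables inetd-managed
# services in an inetd.conf-style file by commenting their lines out, then
# reports what is still active. Function names are this example's own.

# disable_inetd_services FILE SERVICE...
# Puts '#' in front of every active line whose first field is exactly SERVICE.
disable_inetd_services() {
    file=$1
    shift
    for svc in "$@"; do
        # Anchor on the service name followed by whitespace so that "ftp"
        # does not also match "tftp"; lines already commented out are untouched.
        sed "s/^\(${svc}[[:space:]]\)/#\1/" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    done
}

# active_inetd_services FILE
# Prints the first field (the service name) of every non-comment, non-blank line.
active_inetd_services() {
    awk '$0 !~ /^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# inetd_service_active FILE SERVICE -> exit status 0 if SERVICE is still enabled
inetd_service_active() {
    active_inetd_services "$1" | grep -qx "$2"
}

# write_sample_inetd_conf FILE
# Constructed sample with the layout of the article's /etc/inetd.conf.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
time    stream  tcp     nowait  root    internal
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -u
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp     wait    nobody  /usr/sbin/tcpd  in.tftpd
auth    stream  tcp     wait    nobody  /usr/sbin/in.identd in.identd -P/dev/null
EOF
}

# Demonstration on a temporary copy. On a real host you would edit
# /etc/inetd.conf itself and then make inetd re-read it, as its header says:
#   kill -HUP "$(pidof inetd)"
sample=$(mktemp)
write_sample_inetd_conf "$sample"
disable_inetd_services "$sample" finger telnet tftp
echo "services still started by inetd:"
active_inetd_services "$sample"
rm -f "$sample"
```

Running the script prints only time and auth as still active; the same functions can be pointed at the real file and re-run after the HUP to confirm nothing was missed.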
Some will ask: if we shut down telnet, how do we administer the server remotely? There is no need to worry; we can use SSH instead. SSH is short for Secure Shell. With SSH, all transmitted data is encrypted, and an added benefit is that the data is also compressed, which can speed up transfers. SSH has many functions: it can replace Telnet, and it can also provide a secure "tunnel" for FTP, POP and even PPP. Below I test it on the local machine. First let us check whether the SSH daemon is running, as shown in Figure 5:
root@squall:~# ps -aux|grep sshd
root 946 0.0 0.5 3044 1384 ? S 18:57 0:00 /usr/sbin/sshd
root@squall:~#
(Note: if the SSH service is not running, we can start it with the command sshd start.)
As shown in Figure 6:
root@squall:~# ssh -l localhost
root@localhost's password:
Last login: Thu Jan 15 19:07:42 2004 from localhost
Linux 2.4.20.
A well-used door needs no oil on its hinges.
A swift-flowing steam does no grow stagnant.
Neither sound nor thoughts can travel through a vacuum.
Software rots if not used.
These are great mysteries.
-- Geoffrey James, "The Tao of Programming"
root@squall:~# exit
logout
Connection to localhost closed.
root@squall:~#
The above shows a successful login to a machine. Because I was testing locally, I wrote ssh -l localhost or ssh -l 127.0.0.1; to connect to a remote host, write ssh -l root (the user name on the remote host) squall.testLinux.cn (its domain name) or its IP address.
Let us now look at the error message for a wrong password, as shown in Figure 7:
root@squall:~# ssh -l localhost
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied (publickey,password,keyboard-interactive).
root@squall:~#
That concludes the introduction to SSH. Next, let me discuss the points to watch when configuring a secure FTP server. (Don't go away, back in a moment!)
Three configuration files concern the FTP server: /etc/inetd.conf, /etc/ftpusers and /etc/proftpd.conf. To explain: /etc/inetd.conf is the configuration file that starts the FTP process (note: do not start it through inetd; the reason is explained later), /etc/ftpusers holds the list of users forbidden to access the FTP server, and /etc/proftpd.conf configures how the FTP server starts, its port number and other settings.
One more reminder: under Linux, an FTP service should be opened to the anonymous user (anonymous) and not to real users (legitimate accounts you created yourself). When connecting over FTP, the anonymous user can only browse and download; it cannot upload or change directory. A real user, by contrast, can reach the whole directory tree: for instance, to get at this host's web server, just cd /var/www/htdocs and then put index.html (this is how "hackers" replace a site's home page). Real users are a serious threat to system security, so we should avoid real-user logins as far as possible. (Note: this is the opposite of FTP under Windows, so do not confuse the two!)
So we need to configure this; the file is /etc/ftpusers, as shown in Figure 8:
root@squall:~# vi /etc/ftpusers
#
# ftpusers This file describes the names of the users that may
# _*NOT*_ log into the system via the FTP server.
# This usually includes "root", "uucp", "news" and the
# like, because those users have too much power to be
# allowed to do "just" FTP...
#
#
# Version: @(#)/etc/ftpusers 3.00 02/25/2001 volkerdi
#
# Original Author: Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
# The entire line gets matched, so no comments or extra characters on
# lines containing a username.
#
# To enable anonymous FTP, remove the "ftp" user:
ftp
root
uucp
news
# End of ftpusers.
To enable anonymous FTP login, put # in front of ftp (i.e. comment it out).
Then we also need to configure /etc/proftpd.conf, as shown in Figure 9:
root@squall:~# vi /etc/proftpd.conf
# This is a basic ProFTPD configuration file.
# It establishes a single server and a single anonymous login.
# It assumes that you have a user/group "nobody" and "ftp"
# for normal/anonymous operation.
ServerName "ProFTPD Default Installation"
ServerType standalone
#ServerType inetd
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# This next option is required for NIS or NIS+ to work properly:
#PersistentPasswd off
SystemLog /var/log/proftpd.log
TransferLog /var/log/xferlog
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>
# A basic anonymous FTP server configuration.
# To enable this, remove the user ftp from /etc/ftpusers.
<Anonymous ~ftp>
RequireValidShell off
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 50
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
# <Directory incoming/*>
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>
</Anonymous>
Read this comment: "# To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd)". To guard against DoS/DDoS attacks, set the number of child processes to 30. This only takes effect in standalone mode, so we comment out inetd and switch to standalone operation, as shown in Figure 10:
root@squall:~# ps -aux|grep inetd
root 930 0.0 0.2 1396 524 ? S 18:49 0:00 /usr/sbin/inetd
root@squall:~# kill -HUP 930
root@squall:~# proftpd start
root@squall:~# ps -aux|grep proftpd
nobody 1088 0.0 0.4 2296 1172 ? S 19:01 0:00 [proftpd]
root@squall:~# ftp localhost
Connected to localhost.
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [squall.linux.cn]
Name (localhost:root): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 root root 0 Jan 17 04:04 testFTP
226 Transfer complete.
ftp>
(Tip: to make the FTP service more secure, we can stop the FTP server version from being shown when a user logs in.)
Add the following to proftpd.conf:
ServerIdent off
After restarting the proftpd process, we test again, as shown in Figure 11:
root@squall:~# ftp localhost
Connected to localhost.
220 squall.linux.cn FTP server ready
Name (localhost:root): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 root root 0 Jan 17 04:04 testFTP
226 Transfer complete.
ftp>
Comparing Figures 10 and 11, we can clearly see that the FTP server version number is now hidden, which strengthens FTP server security.
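The ProFTPD settings recommended in this section can be checked mechanically. The following shell script (an added example, not from the article or the ProFTPD project) reads a proftpd.conf and an ftpusers file and reports which of those settings are missing: ServerType standalone, MaxInstances, ServerIdent off, a DenyAll on WRITE inside the <Anonymous> block, and root listed in ftpusers. The sample files are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article or ProFTPD. Audits a
# proftpd.conf and an ftpusers file for the settings recommended above and
# prints one line per finding. Function names are this example's own.

# directive_value FILE DIRECTIVE -> prints the value of the first active
# (non-commented) occurrence of DIRECTIVE, or nothing if it is absent.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# anonymous_write_denied FILE -> exit 0 if a <Limit WRITE> block containing
# DenyAll exists inside <Anonymous ...>.
anonymous_write_denied() {
    awk '
        /^[[:space:]]*<Anonymous/                      { in_anon = 1 }
        /^[[:space:]]*<\/Anonymous>/                   { in_anon = 0 }
        in_anon && /^[[:space:]]*<Limit WRITE>/        { in_limit = 1 }
        in_anon && /^[[:space:]]*<\/Limit>/            { in_limit = 0 }
        in_anon && in_limit && /^[[:space:]]*DenyAll/  { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_proftpd CONF FTPUSERS -> prints findings; exit status is the number found
audit_proftpd() {
    conf=$1; users=$2; findings=0
    [ "$(directive_value "$conf" ServerType)" = standalone ] ||
        { echo "ServerType is not standalone (MaxInstances has no effect)"; findings=$((findings+1)); }
    [ -n "$(directive_value "$conf" MaxInstances)" ] ||
        { echo "MaxInstances not set"; findings=$((findings+1)); }
    [ "$(directive_value "$conf" ServerIdent)" = off ] ||
        { echo "ServerIdent not off (version shown in the banner)"; findings=$((findings+1)); }
    anonymous_write_denied "$conf" ||
        { echo "anonymous area does not deny WRITE"; findings=$((findings+1)); }
    grep -qx root "$users" ||
        { echo "root is not listed in ftpusers"; findings=$((findings+1)); }
    return "$findings"
}

# write_sample CONF FTPUSERS MODE -- constructed files; MODE is "weak" or "hardened"
write_sample() {
    if [ "$3" = hardened ]; then
        cat > "$1" <<'EOF'
ServerType standalone
#ServerType inetd
MaxInstances 30
ServerIdent off
<Anonymous ~ftp>
  User ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
EOF
        printf '%s\n' root uucp news > "$2"
    else
        cat > "$1" <<'EOF'
ServerType inetd
<Anonymous ~ftp>
  User ftp
</Anonymous>
EOF
        printf '%s\n' uucp news > "$2"
    fi
}

# Demonstration on the two constructed configurations.
conf=$(mktemp); users=$(mktemp)
write_sample "$conf" "$users" weak
echo "weak configuration:"; audit_proftpd "$conf" "$users" || echo "  $? finding(s)"
write_sample "$conf" "$users" hardened
echo "hardened configuration:"; audit_proftpd "$conf" "$users" && echo "  no findings"
rm -f "$conf" "$users"
```

Pointing audit_proftpd at /etc/proftpd.conf and /etc/ftpusers gives a quick regression check after each edit; the weak sample above produces all five findings and the hardened one none.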
Finally, let us discuss setting firewall rules, as shown in Figure 12:
root@squall:~# cd /usr/sbin
root@squall:/usr/sbin# ps -aux|grep ip6tables
root 1110 0.0 0.1 1468 452 pts/0 R 19:44 0:00 grep ip6tables
root@squall:/usr/sbin# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@squall:/usr/sbin#
If you see the above, iptables is ready to use. We can run iptables -h to see the help text.
Here are some common firewall rules:
iptables -F
# Flush the existing rules.
iptables -P INPUT DROP
# Set the default policy to deny. The basic principle: deny all services first, then add rules as needed.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open the web service port (TCP).
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# Open the POP3 service port (TCP).
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# Open the SMTP service port (TCP).
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open the FTP service port (TCP).
iptables -A INPUT -p tcp -s 202.106.12.130 --dport 22 -j ACCEPT
# Allow only the host 202.106.12.130 to connect to the local SSH service port.
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# Allow inbound TCP packets to the DNS service port.
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Allow inbound UDP packets to the DNS service port.
iptables -A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP
# Guard against ping of death: drop every ICMP echo request arriving on interface eth1.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Guard against SYN flood (denial of service).
You can add further rules according to your server's situation.
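Two points in the rule list above deserve a second look: a --syn rate limit in the FORWARD chain only affects traffic routed through the box, not connections to the server itself, and an ACCEPT-only limit needs a following DROP before it rejects anything; separately, an INPUT DROP policy with no loopback or ESTABLISHED,RELATED rule also drops the replies to the server's own outgoing connections. The function below (an added example, not from the article) writes the same policy in iptables-restore format with those points addressed, using a dedicated syn_flood chain so that the limit applies before any port is opened. The 202.106.12.130 address comes from the article; the chain name and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Writes the article's
# firewall policy as an iptables-restore rule set with the defects fixed,
# and loads it only when explicitly asked to. Function names are my own.

# firewall_rules -> prints the rule set in iptables-restore syntax
firewall_rules() {
    cat <<'EOF'
*filter
# Default policy: drop everything inbound, then open what is needed.
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood - [0:0]
# Loopback and replies to connections this host opened itself; without
# these an INPUT DROP policy breaks the server's own DNS lookups and downloads.
# (Passive-mode FTP data connections also need the ip_conntrack_ftp module
# loaded on a 2.4 kernel so that RELATED matches them.)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SYN flood damping on INPUT (the article used FORWARD, which only sees
# routed traffic): new connections above the rate are dropped, the rest
# return to INPUT and are matched against the service rules below.
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn_flood -j DROP
# Public services: web, POP3, SMTP, FTP control channel, DNS.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# SSH only from the administrator's host (address taken from the article).
-A INPUT -p tcp -s 202.106.12.130 --dport 22 -j ACCEPT
# Drop ICMP echo requests arriving on the external interface.
-A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP
COMMIT
EOF
}

# rule_count -> number of -A rule lines in the set (sanity check)
rule_count() {
    firewall_rules | grep -c '^-A '
}

# apply_firewall -> loads the whole set atomically; needs root and iptables-restore
apply_firewall() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_firewall: must run as root" >&2
        return 1
    fi
    firewall_rules | iptables-restore
}

# Print the rule set by default; pass --apply to load it on a real host.
if [ "$1" = --apply ]; then
    apply_firewall
else
    firewall_rules
fi
```

Because iptables-restore replaces the filter table in one step, there is no window with a half-built rule set, which is the usual problem with running the individual iptables commands above one after another from a script.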
Local security
The point to note for local security is to keep malicious people from physically reaching the server. Everyone knows that logging in to a Linux system requires a user name and password, and if you enter them wrongly the system refuses the login. Some administrators set quite complex passwords, 16 characters for example. For Windows with NTFS that can be called fairly secure, and Windows also ships a syskey program. For Linux, however, local security is very weak. Why do I say so? User passwords on a Linux system are stored in encrypted form in the file /etc/shadow, so all that is needed is to get into the kernel and change the contents of the shadow file. Concretely:
① Boot from the Linux installation CD, after setting the BIOS to boot from CDROM.
② Once the system has booted, mount the Linux partition (ext2/ext3) with the commands:
mount /dev/hda2 /mnt/hd
cd /mnt/hd
vi etc/shadow
root:$1$5ig1TfW.$Zipfo65yirniGtxnYN8940:12428:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
sshd:*:9797:0:::::
squall:$1$l0e/wZq/$TGUE/EoqCBD5YWYs.YxpX1:12433:0:99999:7:::
Delete the underlined part (the encrypted password field), reboot, and the password is cleared.
Summary: as long as we keep an eye on vulnerability announcements, apply patches regularly and update the kernel, Linux is, overall, reasonably secure. That concludes this introductory overview; my knowledge is limited, so if anything is wrong please bear with me.
Kernel download:
http://www.kernel.org/
nmap scanner download:
http://packetstorm.linuxsecurity ... nmap-3.10ALPHA1.tgz
iptables firewall download:
http://www.iptables.com/downloads.html