00000007.htm

一份很好的linux入门资料

<HTML>

<HEAD>
  <TITLE>BBS水木清华站∶精华区</TITLE>
</HEAD>

<BODY>

<CENTER><H1>BBS水木清华站∶精华区</H1></CENTER>

发信人:&nbsp;vertex&nbsp;(happy&nbsp;hacking),&nbsp;信区:&nbsp;Linux&nbsp;<BR>
标&nbsp;&nbsp;题:&nbsp;Kernel&nbsp;Level&nbsp;Security&nbsp;--&nbsp;News&nbsp;from&nbsp;Linux.com.&nbsp;Linuxtoday.com&nbsp;<BR>
发信站:&nbsp;BBS&nbsp;水木清华站&nbsp;(Fri&nbsp;Jan&nbsp;28&nbsp;20:57:29&nbsp;2000)&nbsp;WWW-POST&nbsp;<BR>
&nbsp;<BR>
This&nbsp;is&nbsp;article&nbsp;from&nbsp;
&nbsp;<BR>

&nbsp;<BR>
<A HREF="http://www.linux.com/development/newsitem.phtml?sid=63&aid=6484
">http://www.linux.com/development/newsitem.phtml?sid=63&aid=6484
</A>&nbsp;<BR>

&nbsp;<BR>
New&nbsp;About&nbsp;LIDS&nbsp;and&nbsp;ohters&nbsp;,:-))..
&nbsp;<BR>

&nbsp;<BR>
Kernel&nbsp;Level&nbsp;Security
&nbsp;<BR>
Wed,&nbsp;19&nbsp;Jan&nbsp;2000&nbsp;03:54:22pm
&nbsp;<BR>

&nbsp;<BR>

&nbsp;<BR>
As&nbsp;technology&nbsp;gets&nbsp;more&nbsp;and&nbsp;more&nbsp;advanced,&nbsp;the&nbsp;need&nbsp;for&nbsp;better&nbsp;electronic&nbsp;&nbsp;<BR>
security&nbsp;becomes&nbsp;higher.&nbsp;Many&nbsp;technology&nbsp;companies&nbsp;have&nbsp;made&nbsp;millions&nbsp;by&nbsp;&nbsp;<BR>
providing&nbsp;user-space&nbsp;security&nbsp;programs&nbsp;and&nbsp;Web&nbsp;Appliances.&nbsp;While&nbsp;this&nbsp;&nbsp;<BR>
top-down&nbsp;approach&nbsp;to&nbsp;security&nbsp;has&nbsp;served&nbsp;its&nbsp;purpose,&nbsp;there&nbsp;has&nbsp;been&nbsp;a&nbsp;push&nbsp;&nbsp;<BR>
towards&nbsp;a&nbsp;more&nbsp;bottom-up&nbsp;solution.&nbsp;
&nbsp;<BR>

&nbsp;<BR>
The&nbsp;flexibility&nbsp;of&nbsp;the&nbsp;Linux&nbsp;kernel&nbsp;allows&nbsp;for&nbsp;such&nbsp;an&nbsp;approach.&nbsp;There&nbsp;are&nbsp;&nbsp;<BR>
several&nbsp;new&nbsp;kernel&nbsp;patches&nbsp;that&nbsp;can&nbsp;prevent&nbsp;the&nbsp;basic&nbsp;exploits&nbsp;used&nbsp;to&nbsp;breech&nbsp;&nbsp;<BR>
security.&nbsp;The&nbsp;Linux&nbsp;Intrusion&nbsp;Detection&nbsp;System&nbsp;(LIDS)&nbsp;is&nbsp;a&nbsp;kernel&nbsp;patch&nbsp;that&nbsp;&nbsp;<BR>
can&nbsp;completely&nbsp;secure&nbsp;files&nbsp;on&nbsp;your&nbsp;hard&nbsp;disk.&nbsp;When&nbsp;the&nbsp;LIDS&nbsp;kernel&nbsp;&nbsp;<BR>
components&nbsp;are&nbsp;in&nbsp;effect,&nbsp;a&nbsp;specified&nbsp;list&nbsp;of&nbsp;files&nbsp;CANNOT&nbsp;be&nbsp;changed,&nbsp;not&nbsp;&nbsp;<BR>
even&nbsp;by&nbsp;root.&nbsp;An&nbsp;instance&nbsp;where&nbsp;this&nbsp;patch&nbsp;would&nbsp;be&nbsp;exceptionally&nbsp;handy&nbsp;is&nbsp;&nbsp;<BR>
preventing&nbsp;the&nbsp;new&nbsp;trend&nbsp;of&nbsp;web&nbsp;graffiti.&nbsp;If&nbsp;you&nbsp;don't&nbsp;think&nbsp;web&nbsp;page&nbsp;&nbsp;<BR>
defacing&nbsp;is&nbsp;a&nbsp;problem,&nbsp;visit&nbsp;www.2600.com&nbsp;and&nbsp;view&nbsp;the&nbsp;archive&nbsp;of&nbsp;hacked&nbsp;web&nbsp;&nbsp;<BR>
sites.&nbsp;The&nbsp;LIDS&nbsp;patch&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;secure&nbsp;the&nbsp;HTML&nbsp;and&nbsp;CGI&nbsp;scripts&nbsp;used&nbsp;by&nbsp;&nbsp;<BR>
your&nbsp;web&nbsp;server.&nbsp;This&nbsp;means&nbsp;that&nbsp;even&nbsp;if&nbsp;a&nbsp;hacker&nbsp;obtains&nbsp;root&nbsp;access,&nbsp;he&nbsp;&nbsp;<BR>
cannot&nbsp;edit&nbsp;or&nbsp;remove&nbsp;these&nbsp;files.&nbsp;
&nbsp;<BR>

&nbsp;<BR>
Another&nbsp;popular&nbsp;hacking&nbsp;technique&nbsp;is&nbsp;to&nbsp;replace&nbsp;'ls'&nbsp;command&nbsp;with&nbsp;an&nbsp;altered&nbsp;&nbsp;<BR>
version&nbsp;which&nbsp;will&nbsp;not&nbsp;list&nbsp;the&nbsp;extraneous&nbsp;directories&nbsp;the&nbsp;hacker&nbsp;is&nbsp;placed&nbsp;&nbsp;<BR>
on&nbsp;your&nbsp;filesystem.&nbsp;One&nbsp;of&nbsp;the&nbsp;more&nbsp;advanced&nbsp;features&nbsp;of&nbsp;LIDS&nbsp;is&nbsp;its&nbsp;ability&nbsp;&nbsp;<BR>
to&nbsp;protect&nbsp;the&nbsp;Master&nbsp;Boot&nbsp;Record.&nbsp;Webmotion,&nbsp;Inc.&nbsp;has&nbsp;merged&nbsp;their&nbsp;own&nbsp;&nbsp;<BR>
intrusion&nbsp;detection&nbsp;system&nbsp;with&nbsp;the&nbsp;LIDS&nbsp;product.&nbsp;The&nbsp;new&nbsp;features&nbsp;that&nbsp;&nbsp;<BR>
Webmotion&nbsp;has&nbsp;added&nbsp;are&nbsp;an&nbsp;alert&nbsp;mechanism&nbsp;for&nbsp;security&nbsp;breach&nbsp;attempts,&nbsp;the&nbsp;&nbsp;<BR>
ability&nbsp;to&nbsp;block&nbsp;insertion&nbsp;of&nbsp;modules&nbsp;into&nbsp;the&nbsp;kernel,&nbsp;or&nbsp;to&nbsp;require&nbsp;a&nbsp;&nbsp;<BR>
password,&nbsp;and&nbsp;the&nbsp;ability&nbsp;to&nbsp;hide&nbsp;processes&nbsp;in&nbsp;ps&nbsp;and&nbsp;in&nbsp;the&nbsp;/proc&nbsp;&nbsp;<BR>
filesystem.&nbsp;
&nbsp;<BR>

&nbsp;<BR>
The&nbsp;Secure&nbsp;Linux&nbsp;Patch&nbsp;adds&nbsp;limitations&nbsp;to&nbsp;user-space&nbsp;memory&nbsp;to&nbsp;decrease&nbsp;the&nbsp;&nbsp;<BR>
ability&nbsp;of&nbsp;an&nbsp;attacker&nbsp;to&nbsp;perform&nbsp;the&nbsp;more&nbsp;common&nbsp;buffer&nbsp;exploits.&nbsp;Secure&nbsp;&nbsp;<BR>
Linux&nbsp;Patch&nbsp;also&nbsp;limits&nbsp;the&nbsp;ability&nbsp;tp&nbsp;place&nbsp;symbolic&nbsp;links&nbsp;and&nbsp;FIFOs&nbsp;in&nbsp;the&nbsp;&nbsp;<BR>
/tmp&nbsp;directory.&nbsp;Since&nbsp;the&nbsp;/tmp&nbsp;directory&nbsp;is&nbsp;world&nbsp;readable&nbsp;and&nbsp;writable,&nbsp;&nbsp;<BR>
programs&nbsp;could&nbsp;take&nbsp;advantage&nbsp;of&nbsp;this&nbsp;to&nbsp;exploit&nbsp;race&nbsp;conditions.&nbsp;Another&nbsp;&nbsp;<BR>
popular&nbsp;exploitation&nbsp;is&nbsp;to&nbsp;redirect&nbsp;the&nbsp;0,&nbsp;1,&nbsp;and&nbsp;2&nbsp;file&nbsp;descriptors&nbsp;of&nbsp;a&nbsp;&nbsp;<BR>
file.&nbsp;These&nbsp;descriptors&nbsp;(standard&nbsp;input,&nbsp;standard&nbsp;output,&nbsp;and&nbsp;standard&nbsp;error&nbsp;&nbsp;<BR>
respectively)&nbsp;would&nbsp;then&nbsp;be&nbsp;directed&nbsp;to&nbsp;write&nbsp;to&nbsp;or&nbsp;take&nbsp;input&nbsp;from&nbsp;another&nbsp;&nbsp;<BR>
file&nbsp;or&nbsp;FIFO.&nbsp;Secure&nbsp;Linux&nbsp;insures&nbsp;that&nbsp;these&nbsp;file&nbsp;descriptors&nbsp;are&nbsp;opened&nbsp;&nbsp;<BR>
properly&nbsp;upon&nbsp;each&nbsp;process&nbsp;execution.&nbsp;This&nbsp;patch&nbsp;can&nbsp;also&nbsp;block&nbsp;certain&nbsp;parts&nbsp;&nbsp;<BR>
of&nbsp;the&nbsp;/proc&nbsp;filesystem&nbsp;from&nbsp;being&nbsp;viewed&nbsp;by&nbsp;all&nbsp;users.&nbsp;This&nbsp;keeps&nbsp;potential&nbsp;&nbsp;<BR>
hackers&nbsp;from&nbsp;gaining&nbsp;precious&nbsp;user&nbsp;and&nbsp;process&nbsp;information&nbsp;about&nbsp;your&nbsp;server.&nbsp;&nbsp;<BR>

&nbsp;<BR>

&nbsp;<BR>
The&nbsp;International&nbsp;Kernel&nbsp;Patch&nbsp;allows&nbsp;for&nbsp;the&nbsp;inclusion&nbsp;of&nbsp;strong&nbsp;&nbsp;<BR>
cryptography&nbsp;in&nbsp;the&nbsp;Linux&nbsp;Kernel.&nbsp;This,&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;other&nbsp;software,&nbsp;&nbsp;<BR>
can&nbsp;allow&nbsp;the&nbsp;inclusion&nbsp;of&nbsp;strong&nbsp;cryptography&nbsp;in&nbsp;almost&nbsp;every&nbsp;aspect&nbsp;of&nbsp;the&nbsp;&nbsp;<BR>
kernel.&nbsp;One&nbsp;of&nbsp;the&nbsp;most&nbsp;impressive&nbsp;implementations&nbsp;of&nbsp;this&nbsp;is&nbsp;the&nbsp;EHD&nbsp;patch&nbsp;&nbsp;<BR>
to&nbsp;the&nbsp;util-linux&nbsp;set&nbsp;of&nbsp;basic&nbsp;Linux&nbsp;utilities,&nbsp;allowing&nbsp;for&nbsp;encryption&nbsp;of&nbsp;&nbsp;<BR>
mounted&nbsp;devices,&nbsp;to&nbsp;prevent&nbsp;hijacking&nbsp;of&nbsp;information.&nbsp;EHD&nbsp;will&nbsp;encrypt&nbsp;a&nbsp;&nbsp;<BR>
user's&nbsp;home&nbsp;directory&nbsp;so&nbsp;that&nbsp;only&nbsp;those&nbsp;who&nbsp;know&nbsp;the&nbsp;passphrase&nbsp;can&nbsp;access&nbsp;&nbsp;<BR>
his/her&nbsp;files.&nbsp;The&nbsp;encryption&nbsp;is&nbsp;implemented&nbsp;via&nbsp;the&nbsp;International&nbsp;kernel&nbsp;&nbsp;<BR>
patch&nbsp;and&nbsp;an&nbsp;encrypted&nbsp;loop&nbsp;device.&nbsp;Combining&nbsp;the&nbsp;two&nbsp;allows&nbsp;a&nbsp;user&nbsp;to&nbsp;mount&nbsp;&nbsp;<BR>
and&nbsp;decrypt&nbsp;their&nbsp;home&nbsp;directory&nbsp;across&nbsp;an&nbsp;encypted&nbsp;loop&nbsp;device.&nbsp;This&nbsp;makes&nbsp;&nbsp;<BR>
sniffing&nbsp;data&nbsp;virtually&nbsp;impossible.&nbsp;
&nbsp;<BR>

&nbsp;<BR>
Another&nbsp;implementation&nbsp;of&nbsp;the&nbsp;International&nbsp;kernel&nbsp;patch&nbsp;is&nbsp;the&nbsp;Crypto&nbsp;IP&nbsp;&nbsp;<BR>
Encapsulation&nbsp;(CIPE).&nbsp;This&nbsp;implements&nbsp;the&nbsp;transmission&nbsp;of&nbsp;encrypted&nbsp;UDP&nbsp;&nbsp;<BR>
packets&nbsp;between&nbsp;routers.&nbsp;This&nbsp;makes&nbsp;for&nbsp;a&nbsp;quick&nbsp;and&nbsp;dirty&nbsp;sort&nbsp;of&nbsp;Virtual&nbsp;&nbsp;<BR>
Private&nbsp;Network.&nbsp;You&nbsp;can&nbsp;use&nbsp;this&nbsp;encrypted&nbsp;correspondance&nbsp;between&nbsp;routers&nbsp;to&nbsp;&nbsp;<BR>
connect&nbsp;two&nbsp;secured&nbsp;subnets&nbsp;across&nbsp;an&nbsp;unsecure&nbsp;network&nbsp;in&nbsp;between.&nbsp;One&nbsp;&nbsp;<BR>
example&nbsp;would&nbsp;be&nbsp;to&nbsp;use&nbsp;CIPE&nbsp;to&nbsp;connect&nbsp;two&nbsp;corporate&nbsp;networks&nbsp;across&nbsp;an&nbsp;&nbsp;<BR>
insecure&nbsp;production&nbsp;network&nbsp;in&nbsp;between.&nbsp;
&nbsp;<BR>

&nbsp;<BR>
These&nbsp;tips,&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;a&nbsp;secure&nbsp;network&nbsp;layout,&nbsp;will&nbsp;keep&nbsp;your&nbsp;data&nbsp;&nbsp;<BR>
safe&nbsp;from&nbsp;the&nbsp;prying&nbsp;eyes&nbsp;of&nbsp;the&nbsp;internet.
&nbsp;<BR>

&nbsp;<BR>
&nbsp;<BR>
&nbsp;<BR>
--&nbsp;<BR>
※&nbsp;来源:·BBS&nbsp;水木清华站&nbsp;smth.org·[FROM:&nbsp;159.226.91.59]&nbsp;&nbsp;<BR>


<CENTER><H1>BBS水木清华站∶精华区</H1></CENTER>



</BODY>

</HTML>