security-intro.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Introduction</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Security" href="security.html" />
<link rel="NEXT" title="Securing FreeBSD" href="securing-freebsd.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="securing-freebsd.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-INTRO" name="SECURITY-INTRO">14.2 Introduction</a></h1>

<p>Security is a function that begins and ends with the system administrator. While all
BSD <span class="TRADEMARK">UNIX</span>&reg; multi-user systems have some inherent
security, the job of building and maintaining additional security mechanisms to keep
those users ``honest'' is probably one of the single largest undertakings of the
sysadmin. Machines are only as secure as you make them, and security concerns are ever
competing with the human necessity for convenience. <span class="TRADEMARK">UNIX</span>
systems, in general, are capable of running a huge number of simultaneous processes and
many of these processes operate as servers -- meaning that external entities can connect
and talk to them. As yesterday's mini-computers and mainframes become today's desktops,
and as computers become networked and internetwork, security becomes an even bigger
issue.</p>

<p>Security is best implemented through a layered ``onion'' approach. In a nutshell, what
you want to do is to create as many layers of security as are convenient and then
carefully monitor the system for intrusions. You do not want to overbuild your security
or you will interfere with the detection side, and detection is one of the single most
important aspects of any security mechanism. For example, it makes little sense to set
the <var class="LITERAL">schg</var> flags (see <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=chflags&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">chflags</span>(1)</span></a>) on every
system binary because while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change that may result in
your security mechanisms not detecting the attacker at all.</p>

<p>System security also pertains to dealing with various forms of attack, including
attacks that attempt to crash, or otherwise make a system unusable, but do not attempt to
compromise the <tt class="USERNAME">root</tt> account (``break root''). Security concerns
can be split up into several categories:</p>

<ol type="1">
<li>
<p>Denial of service attacks.</p>
</li>

<li>
<p>User account compromises.</p>
</li>

<li>
<p>Root compromise through accessible servers.</p>
</li>

<li>
<p>Root compromise via user accounts.</p>
</li>

<li>
<p>Backdoor creation.</p>
</li>
</ol>

<p>A denial of service attack is an action that deprives the machine of needed resources.
Typically, DoS attacks are brute-force mechanisms that attempt to crash or otherwise make
a machine unusable by overwhelming its servers or network stack. Some DoS attacks try to
take advantage of bugs in the networking stack to crash a machine with a single packet.
The latter can only be fixed by applying a bug fix to the kernel. Attacks on servers can
often be fixed by properly specifying options to limit the load the servers incur on the
system under adverse conditions. Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop, short of cutting your
system off from the Internet. It may not be able to take your machine down, but it can
saturate your Internet connection.</p>

<p>A user account compromise is even more common than a DoS attack. Many sysadmins still
run standard <b class="APPLICATION">telnetd</b>, <b class="APPLICATION">rlogind</b>, <b
class="APPLICATION">rshd</b>, and <b class="APPLICATION">ftpd</b> servers on their
machines. These servers, by default, do not operate over encrypted connections. The
result is that if you have any moderate-sized user base, one or more of your users
logging into your system from a remote location (which is the most common and convenient
way to login to a system) will have his or her password sniffed. The attentive system
admin will analyze his remote access logs looking for suspicious source addresses even
for successful logins.</p>

<p>One must always assume that once an attacker has access to a user account, the
attacker can break <tt class="USERNAME">root</tt>. However, the reality is that in a well
secured and maintained system, access to a user account does not necessarily give the
attacker access to <tt class="USERNAME">root</tt>. The distinction is important because
without access to <tt class="USERNAME">root</tt> the attacker cannot generally hide his
tracks and may, at best, be able to do nothing more than mess with the user's files, or
crash the machine. User account compromises are very common because users tend not to
take the precautions that sysadmins take.</p>

<p>System administrators must keep in mind that there are potentially many ways to break
<tt class="USERNAME">root</tt> on a machine. The attacker may know the <tt
class="USERNAME">root</tt> password, the attacker may find a bug in a root-run server and
be able to break <tt class="USERNAME">root</tt> over a network connection to that server,
or the attacker may know of a bug in a suid-root program that allows the attacker to
break <tt class="USERNAME">root</tt> once he has broken into a user's account. If an
attacker has found a way to break <tt class="USERNAME">root</tt> on a machine, the
attacker may not have a need to install a backdoor. Many of the <tt
class="USERNAME">root</tt> holes found and closed to date involve a considerable amount
of work by the attacker to cleanup after himself, so most attackers install backdoors. A
backdoor provides the attacker with a way to easily regain <tt class="USERNAME">root</tt>
access to the system, but it also gives the smart system administrator a convenient way
to detect the intrusion. Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security, because it will not close off the hole the
attacker found to break in the first place.</p>

<p>Security remedies should always be implemented with a multi-layered ``onion peel''
approach and can be categorized as follows:</p>

<ol type="1">
<li>
<p>Securing <tt class="USERNAME">root</tt> and staff accounts.</p>
</li>

<li>
<p>Securing <tt class="USERNAME">root</tt>-run servers and suid/sgid binaries.</p>
</li>

<li>
<p>Securing user accounts.</p>
</li>

<li>
<p>Securing the password file.</p>
</li>

<li>
<p>Securing the kernel core, raw devices, and file systems.</p>
</li>

<li>
<p>Quick detection of inappropriate changes made to the system.</p>
</li>

<li>
<p>Paranoia.</p>
</li>
</ol>

<p>The next section of this chapter will cover the above bullet items in greater
depth.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="securing-freebsd.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Security</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Securing FreeBSD</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>