📄 unixsec.html
user's files (or even root access, which means access to practically everything).</p>
<p>Also, if you gain write access to a commonly-used application (such as su,
which lets you run a sub-shell as another user by simply giving his password
instead of having to log in again. su is usually read as "switch user" or
"substitute user". Oh, by the way, root doesn't need to supply a password to
su if he wants to gain access to some other person's account), you can trojan
these applications. Let's take su for example - if you manage to change su so
it'll record every username and password it receives and pass them on to you,
you could eventually capture your target's password or even root's password.</p>
<p>So, kids, this is why you should beware of trojans. Be very careful with what
you run. Also, there are programs called checksum checkers (file integrity
checkers, such as Tripwire or AIDE). These programs perform periodic tests (once
a day, once an hour, once a week etc, depending on how you configure them) that
determine whether certain applications (you can deselect default applications
to test or add new applications yourself) have changed. A good checker records
a cryptographic hash of each file along with its size, permissions and owner,
and compares all of them against a baseline it stored while the system was
known to be clean. Don't rely on size alone: it is easy to trojan a program
without affecting its size (the attacker pads or trims a few bytes elsewhere in
the file), but it is not feasible to do so without changing a strong hash such
as SHA-256. Keep the baseline on read-only media or on another machine, because
an intruder who has root can simply rewrite a baseline stored on the same disk.</p>
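<p>Here is what such a checker boils down to, as an added example that is not part of the original tutorial: a small Python script that records a SHA-256 hash, size, permission bits and owner for each file in a baseline and later reports which attributes changed. The file it checks is a constructed stand-in for su written to a temporary directory, not the real binary, and the baseline file name is an assumption of the example.</p>

```python
"""Minimal file-integrity checker (added example, not from the tutorial).

Records a baseline of SHA-256, size, mode and owner for each file and later
reports which attributes changed. The demo trojans a constructed stand-in for
su with a same-length edit, which a size-only check misses.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Return the attributes worth recording for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid bits
        "uid": st.st_uid,
    }


def make_baseline(paths):
    """Fingerprint every path while the system is known to be clean."""
    return {p: fingerprint(p) for p in paths}


def save_baseline(baseline, dest):
    """Write the baseline as JSON; keep dest on read-only or remote storage."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def check(baseline):
    """Compare the current files against the baseline.

    Returns {path: [changed attribute names]}; a deleted file is reported as
    ["missing"]. An empty dict means nothing changed.
    """
    findings = {}
    for path, old in baseline.items():
        if not os.path.lexists(path):
            findings[path] = ["missing"]
            continue
        new = fingerprint(path)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Trojan a fake su without changing its size; only the hash catches it."""
    workdir = tempfile.mkdtemp()
    try:
        su = os.path.join(workdir, "su")  # constructed stand-in, not /bin/su
        with open(su, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/real-su \"$@\"\n")
        os.chmod(su, 0o755)
        baseline_file = os.path.join(workdir, "baseline.json")  # assumed name
        baseline = make_baseline([su])
        save_baseline(baseline, baseline_file)

        # Same-length edit: "real-su" -> "evil-su". The size stays identical.
        with open(su, "rb") as f:
            data = f.read()
        with open(su, "wb") as f:
            f.write(data.replace(b"real-su", b"evil-su"))

        findings = check(load_baseline(baseline_file))
        size_unchanged = os.path.getsize(su) == baseline[su]["size"]
        return findings, size_unchanged
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())  # e.g. ({'/tmp/tmpab12cd/su': ['sha256']}, True)
```

<p>Run it from cron with a list of the setuid binaries and daemons you care about, and compare against a baseline copied off the machine; the size comparison in the demo comes back unchanged while the hash comparison flags the file.</p>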
<p><b><font size="4">Unix Viruses</font></b><br>
<br>
The computer virus problem is much less harsh under the Unix platform, but if
you want to keep your data intact, you should be aware of the problem, which
still exists.</p>
<p>There is an incredibly small number of viruses in the wild for the Unix operating
system (a virus that is "in the wild" is a virus that has gone through
a network of any kind and started infecting computers on this network, just
like a biological virus, when it escapes a restricted laboratory environment
and goes into "the wild" and starts infecting people). This is because
virus writers are less motivated to write viruses for Unix, for the following
reasons:</p>
<p>A) Most people who use Unix are more mature than other computer users. Virus
creators who intend to infect other computers are immature people.</p>
<p>B) Because of access restrictions in the Unix operating system, if a user runs
a file that is infected with a virus, the virus can't go far, and it can only
do what this user has privileges to do (although, if a root-privileged user
runs a virus, it can infect the whole system and freely travel to other systems).
So, because there are files that some users can access and some other users
can't, Unix viruses can't spread far. This is one more reason to do your
everyday work as an ordinary user and use root only when you have to.</p>
<p>Still, the problem exists, and we want to protect our data, right? This is
why you should still get yourself a Unix virus scanner. Because of the extreme
lack of viruses in the Unix system, there are no "big titles" of virus
scanners. Try going to altavista.com and searching for Unix virus scanners.
Download some different ones and compare the quality of their scans and the
amount of resources they consume. Note that most of what a scanner on a Unix
box actually catches is Windows malware passing through it, so a scanner earns
its keep mainly on a mail or file server that serves Windows clients.</p>
<p><b><font size="4">Encryption</font></b><br>
<br>
Encrypt your important files, for example with PGP.</p>
<p>If someone penetrates your computer's security, it will be much much harder
for him to get your important data if you encrypt it. This only holds if the
key isn't sitting on the same machine: keep the secret key ring on removable
media if you can, never store the passphrase on that computer, and remember
that an intruder who already has root can trojan pgp itself and capture the
passphrase the next time you type it.</p>
<p>For more information about encryption, read Black Sun's encryption tutorials
at blacksun.box.sk (go to the tutorials page and then find the encryption section.
We have some guides for beginners about PGP and encryption in general).</p>
<p><b><font size="4">Remote Security</font></b><br>
<br>
Why would you want to improve your computer's remote security? DUH! If you ever
plan to hook your computer into a LAN, the Internet or any other kind of network,
you immediately increase the chance of getting hacked. You should definitely
attend to your remote security (unless you like getting your ass rooted).</p>
<p>Also, you should read the local security part first, since it contains a lot
of information you need to know before you read this, and also quite a few tricks
that work for both local security and remote security.</p>
<p><b><font size="4">Remote Root Logins</font></b><br>
<br>
Before I explain to you what is the issue with remote root logins and how to
block them, I need to explain to you what a TTY is first.</p>
<p>Unix is a multi-user system, right? And on multi-user systems, many users,
each one with his own monitor or any other type of terminal, can work on the
same computer, right?</p>
<p>Now, this computer is obviously running more than one process (a process is
a running program), since it has multiple users on it. Each process receives
some input and sends out some output. Well, then, how will this computer know
whose input is whose and where to direct the output of each program? You wouldn't
want to receive the output of processes that other users are running, right?
(well, technically, if you're a malicious cracker, you'd love to receive the
output of other users' processes, but we're getting off-topic now).</p>
<p>This is why each login session has a TTY. TTY stands for TeleTYpe, a name
left over from the days when terminals were teletypewriters. Each session has
its own TTY, a terminal device whose name is made of letters and numbers (tty1,
ttyS0, ttyp0, pts/2 and so on). A process's standard input and output are
connected to the TTY of the session it runs in, so the computer knows where the
input comes from (from which TTY) and where to direct the output to.</p>
<p>Okay, first, let's make an experiment. Open a text console or an XTerm
window (a console window from within X-Windows, the popular Graphical User Interface,
or GUI, of Unix systems) and type the command who. This will show who is logged
into the system (his username), when he logged in and what his TTY is. By the
way, if you prefer a graphical version of the who command, try typing gw within
an XTerm or within a "run command" box in X. This program should come
with the gnome window manager.</p>
<p>Okay, let's move on. Now that we know what TTYs are, let's edit the file /etc/securetty
with a simple text editor. Now, what do we have here? We have a list of the
TTYs on which the login program will accept a login as root. My /etc/securetty
file looks like this:</p>
<p>tty1<br>
tty2<br>
tty3<br>
tty4<br>
tty5<br>
tty6<br>
tty7<br>
tty8</p>
<p>Okay, let me explain myself. Your computer should have eight virtual consoles.
You can switch virtual consoles by pressing ctrl+alt+F1 for console #1, ctrl+alt+F2
for console #2 etc. You can imagine how useful this could be.</p>
<p>Consoles #7 and #8 are usually reserved for graphical displays, so if you run
X, it should appear in #7, and if you run another X process, it should appear
in #8.</p>
<p>These eight local consoles have these TTYs: tty1 for #1, tty2 for #2 etc.
Now, as you can see, my /etc/securetty file contains only those local TTYs.
A remote session (through telnet, rlogin and the like) gets a pseudo-terminal
instead, named ttyp0, ttyp1 or pts/0, pts/1 and so on, and none of those is in
the list, so login will refuse root on them even to someone who knows root's
password. Keep the serial ports (ttyS0 etc.) out of the list too unless you
really have a trusted terminal wired to one.</p>
<p>Now, of course, if someone has all the passwords, he could log in as another
user and then use su to switch to root. So the /etc/securetty thing isn't exactly
some fail-proof method, but it'll block off some intruders. Also note that this
file is read by login (which the console and telnetd use); sshd has its own
setting for the same purpose, PermitRootLogin in sshd_config, which you should
set to no.</p>
<p><b><font size="4">Watching Your Processes</font></b><br>
<br>
If you intend to have several users logged into your system, you should really
watch for what they're running, and how much system resources they're hogging.</p>
<p>Here are a few methods to watch your users:</p>
<p><b><font size="4">Using PS</font></b><br>
<br>
Type in the command ps aux (older texts write it as ps -aux; the BSD-style
options take no dash). Quite a list, huh? Now, if you want it to be more
readable, try doing ps aux | more or redirecting its output into a file, like
this: ps aux > some-file-name. If you want to look for specific entries
within this list, try doing ps aux | grep some-text and it'll display lines
within the output of ps aux that contain some-text (or whatever you type in).
Look for processes you don't recognize, for several copies of a program that
should only run once, and for anything running as root that doesn't need to.</p>
<p>Oh, by the way, ps stands for process status.</p>
<p><b><font size="4">Using Top</font></b><br>
<br>
Type the command top. Cool program, huh? Quite useful... you should have a whole
virtual console or a whole XTerm devoted exclusively for it.</p>
<p>If you prefer a graphical display, try typing gtop (a graphical version of
top that comes with the gnome window manager) or kpm (stands for KDE Process
Manager. Comes with the KDE window manager).</p>
<p><b><font size="4">Eavesdropping</font></b><br>
<br>
If you're a root-privileged user and you want to see what the other users on
your system are typing, consider using a command called TTY Watch. It will eavesdrop
on the TTY of the user(s) you choose to eavesdrop on, and let you know exactly
what they're typing and exactly what they see on their monitors.</p>
<p>Try searching for the latest version of ttywatch at Packet Storm Security (packetstorm.securify.com),
Security Focus (securityfocus.com), Linux.Box (linux.box.sk), Astalavista (astalavista.box.sk)
etc.</p>
<p><b><font size="4">Playing With INetD</font></b><br>
<br>
First of all, you need to learn what network daemons are and what INetD is.</p>
<p>A daemon is a program similar to TSR programs on Microsoft platforms. TSR stands
for Terminate and Stay Resident. TSRs locate themselves on your computer's memory,
and then stay silent and watch everything. Once certain credentials are met,
the program awakes and does something. For example: when your free disk space
reaches less than, say, 200MBs, the program alerts you.</p>
<p>A daemon is the Unix equivelant of Microsoft's TSRs (well, actually, Unix and
it's daemons were around waaaaaaaaay before Microsoft DOS and later Microsoft
Windows started selling). So what is a network daemon? Well, obviously, it's
a daemon that watches for certain credentials that have something to do with
networks. Here are several examples:</p>
<p>Example #1: The telnet daemon. Usually listens for incoming connections on
port 23, and then, once this credential is met, it displays a login screen to
the second party. Once the second party enters the correct combination of a
username and a password, it is given a shell environment, where it can interact
with your computer and run commands on it.</p>
<p>Example #2: The FTP daemon. FTP stands for File Transfer Protocol, and makes
it easier for different computers to exchange computer files. More info on my
FTP security for extreme newbies tutorial (blacksun.box.sk/ftp.txt).</p>
<p>Example #3: A firewall is also a network daemon. Firewalls are programs that
filter incoming and outgoing network packets. They awake once a network event
occurs, and decide whether to allow or disallow it.</p>
<p>Now, let's think. Suppose you have twelve different network daemons on your
system. That would take up too much memory for us, right? Then why not just
have a single daemon to do all the ditry work for us and consume less memory?
This is where INetD comes into the picture.</p>
<p>INetD stands for InterNet Daemon. You can configure inetd by editing /etc/inetd.conf
(conf stands for configurations). This file should contain instructions on how
to edit it.</p>
<p><b><font size="4">Updating Your Network Daemons</font></b><br>
<br>
You've just got the latest version of your favorite Unix distribution. It came
with an FTP daemon, which you want to run on your system so you could turn it
into an FTP server. But then, someone discovers a hole within this FTP daemon,
and a new version with a fix for this problem goes out. You don't wanna get
caught with your pants down, running an old and buggy FTP daemon, right? Hell,
you could get cracked by some script kiddie and lose your entire hard drive!
We don't want THAT to happen, now do we?</p>
<p>First of all, you need to know when a new hole is discovered. You should watch
packetstorm.securify.com on a daily basic, and also subscribe to the BugTraq
mailing list (securityfocus.com). You should also look for mailing lists concerning
the network daemons (also referred to as network services) you are using.</p>
<p>Then, once there are new versions of the network daemons you use, you should
download the latest version and update the files on your system.</p>
<p><b><font size="4">Network Sniffers</font></b><br>
<br>
For an excellent paper on network sniffers (what are they, how can they risk
your computer's security and how to fight against them), read this excellent
paper: blacksun.box.sk/sniffer.txt.</p>
<p><b><font size="4">DO NOT Use Telnetd!</font></b><br>
<br>
DO NOT run the telnet daemon on your system! If you want people to be able to
remotely login to your system and run commands on your system, DO NOT use telnet
for this purpose.</p>
<p>Instead, you should use SSH (SSH stands for Secure SHell). SSH encrypts your
sessions, so it'll be much harder for intruders to eavesdrop on you and/or capture
any passwords you enter. Anyone with a sniffer on the path between a telnet
client and server (see the sniffers section above) reads the password in the
clear.</p>
<p>Of course, you have to use a special client for SSH, since SSH is very different
from telnet, for the following reasons:</p>
<p>A) SSH encrypts your sessions. Telnet merely creates plain-text TCP sessions.
SSH also has the server prove its identity with a host key, so a client that
remembers that key can warn you when someone puts a fake server in the middle.</p>
<p>B) SSH runs on port 22 by default, while telnet stays on port 23. Although almost
every telnet application in existence allows you to create telnet sessions with
any remote host and port specified, some telnet applications still use port
23. Anyway, ALL telnet applications have port 23 as their default, so if you
type telnet some-host or telnet some-ip, it'll telnet to that host/IP and into
port 23.</p>
<p>Get sshd and ssh clients at packetstorm.securify.com, securityfocus.com, linux.box.sk,
astalavista.box.sk etc., or straight from the OpenSSH project (www.openssh.com).
Remember that installing sshd isn't enough: also comment out the telnet line
in /etc/inetd.conf and HUP inetd, or the old door stays open next to the new
one.</p>
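<p>To make the inetd.conf format from the "Playing With INetD" section concrete and to show the check this section asks for, here is an added example that is not part of the original tutorial: a Python script that parses an inetd.conf, flags enabled services that carry passwords in clear text (telnet, ftp, the r-services, POP and IMAP), and comments a service out. The configuration it reads is a constructed sample, not a file taken from any real system, and the set of "plaintext" service names is the example's own list.</p>

```python
"""Audit /etc/inetd.conf for plaintext login services (added example).

Not part of the original tutorial. Parses the inetd.conf format (service,
socket type, protocol, wait/nowait, user, server, args), flags enabled
services that send passwords in the clear, and comments such a line out.
SAMPLE_CONF is a constructed file, not a real system's configuration.
"""
import re

# Services whose protocol sends the password unencrypted. The names are the
# /etc/services names used in column one of inetd.conf (rsh is "shell",
# rlogin is "login", rexec is "exec"). This list is the example's own.
PLAINTEXT_SERVICES = {
    "telnet", "ftp", "login", "shell", "exec",
    "pop3", "pop-3", "imap", "imap2",
}

# Constructed sample; on a real box the file is /etc/inetd.conf.
SAMPLE_CONF = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp      stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet   stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#shell   stream tcp nowait root   /usr/sbin/tcpd in.rshd
#login   stream tcp nowait root   /usr/sbin/tcpd in.rlogind
finger   stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
daytime  stream tcp nowait root   internal
"""


def parse_inetd_conf(text):
    """Return one dict per enabled (non-comment) service line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would complain about it too
        user = re.split(r"[.:]", fields[4])[0]  # drop optional .group / :group
        entries.append({
            "line": lineno,
            "service": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "wait": fields[3],
            "user": user,
            "server": fields[5],
            "args": fields[6:],
        })
    return entries


def audit(entries):
    """Return (line, service, problem) tuples worth a look."""
    findings = []
    for e in entries:
        if e["service"] in PLAINTEXT_SERVICES:
            findings.append((e["line"], e["service"],
                             "sends passwords in clear text; replace with ssh/scp"))
        if e["user"] == "root" and e["server"] != "internal":
            findings.append((e["line"], e["service"],
                             "runs as root; check whether it really needs to"))
    return findings


def disable_service(text, service):
    """Comment out every enabled line for `service` (HUP inetd afterwards)."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and fields[0] == service:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(parse_inetd_conf(SAMPLE_CONF)):
        print("line %d (%s): %s" % finding)
    hardened = disable_service(SAMPLE_CONF, "telnet")
    print([f[1] for f in audit(parse_inetd_conf(hardened))])
```

<p>On the sample, ftp and telnet are both flagged (clear-text passwords and running as root), the commented-out rsh and rlogin lines are ignored, and after disabling telnet only ftp remains. Writing the hardened text back to /etc/inetd.conf and sending inetd a HUP is what actually closes port 23.</p>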
<p><b><font size="4">Basic Packet Filtering</font></b><br>
<br>
First, find these two files: /etc/hosts.allow and /etc/hosts.deny. These two
files can be used to form a basic packet filtering system. Let's start with
/etc/hosts.deny first.</p>
<p>Each line in this file should look like this: host:service</p>
<p>Host - a hostname or an IP. You can also use wildcards. For example: *.aol.com
would stand for every host that has a hostname that ends with aol.com.</p>
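<p>To see how tcpd actually combines the two files, here is an added example that is not part of the original tutorial: a Python reimplementation of the lookup order and the common client patterns (ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, exact host or address). Netgroups, net/mask pairs, the EXCEPT operator and IPv6 are left out. The two rule files and the connection attempts are constructed for the demo.</p>

```python
"""Evaluate hosts.allow and hosts.deny the way tcpd does (added example).

Not part of the original tutorial. Implements the lookup order (hosts.allow
first match grants, then hosts.deny first match refuses, otherwise grant) and
the common client patterns. Netgroups, net/mask pairs, EXCEPT and IPv6 are
left out. Both rule files below are constructed.
"""

# Constructed /etc/hosts.allow: explicit exceptions only.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd     : 192.168.1. , .example.com
in.ftpd  : LOCAL
"""

# Constructed /etc/hosts.deny: refuse everything not allowed above.
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed; tcpd logs and ignores such lines
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, host, addr):
    """host is the reverse-DNS name (may be empty), addr the IP address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return host != "" and "." not in host  # a name without a dot
    if pattern.startswith("."):
        return host.endswith(pattern)  # domain suffix, e.g. .example.com
    if pattern.endswith("."):
        return addr.startswith(pattern)  # address prefix, e.g. 192.168.1.
    return pattern == host or pattern == addr


def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (any(daemon_matches(p, daemon) for p in daemons)
            and any(client_matches(p, host, addr) for p in clients))


def decide(allow_rules, deny_rules, daemon, host, addr):
    """tcpd order: hosts.allow first match grants, hosts.deny first match
    refuses, and no match in either file grants."""
    for rule in allow_rules:
        if rule_matches(rule, daemon, host, addr):
            return "allow"
    for rule in deny_rules:
        if rule_matches(rule, daemon, host, addr):
            return "deny"
    return "allow"


def demo():
    """Decisions for a few constructed connection attempts."""
    allow = parse_rules(HOSTS_ALLOW)
    deny = parse_rules(HOSTS_DENY)
    attempts = [
        ("sshd", "pc1.example.com", "10.0.0.5"),       # domain suffix
        ("sshd", "dialup.aol.com", "192.168.1.7"),     # address prefix
        ("sshd", "dialup.aol.com", "10.1.1.1"),        # nothing allows it
        ("in.ftpd", "workstation", "192.168.5.2"),     # LOCAL: no dot in name
        ("in.telnetd", "workstation", "192.168.1.7"),  # not in hosts.allow
    ]
    return [(d, h, a, decide(allow, deny, d, h, a)) for d, h, a in attempts]


if __name__ == "__main__":
    for daemon, host, addr, verdict in demo():
        print("%-11s %-17s %-12s %s" % (daemon, host, addr, verdict))
```

<p>The last line of decide is the part people forget: with an empty hosts.deny, everything that isn't explicitly listed is let in, which is why the ALL: ALL line belongs there. The real tcpd can also be told to drop clients whose forward and reverse DNS disagree (the PARANOID keyword), which this simplified matcher does not model.</p>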