Archive

Archive for August 2005

GCC

August 30, 2005, no comments

GCC is the GNU Compiler Collection, the C compiler shipped with Slackware Linux. If no options are given after the gcc command, an executable named "a.out" is created. For example,
issue the following commands:

# gcc test.c
# ls

We find that "a.out" has been created. Of course, we can choose the output file's name with the "-o" option, for example:

# gcc  -o test test.c

The executable is now named "test" instead of "a.out". To optimize the program, use the "-O" or "-O2" option. By default gcc compiles as quickly as possible, which is convenient while developing, but the resulting program is not optimized, so we add "-O" or "-O2":
-O : general optimization
-O2 : more aggressive optimization; the code usually runs faster and is often smaller.

Programmers usually debug while developing. The following options may be useful:
-g : gcc emits debugging information that the GNU debugger (gdb) can read.
-pg : gcc adds profiling code to the program, for use with gprof.

When the program runs, a file named "gmon.out" is written. gprof reads it to report how much time was spent in each part of the program. Note that if the code contains only a main function, gprof cannot use gmon.out (error message: "gprof: gmon.out file is missing call-graph data"); gprof is only useful when the program has other functions besides main.

# gcc -pg -o test test.c
# ./test
# gprof ./test gmon.out
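As an added example (not from the original post), the following shell script builds a small C program with the options above, runs it so that it writes gmon.out, and hands the result to gprof when that is installed. The C source, the file names and the workload are constructed here; the script assumes gcc is on the PATH and uses a GCC-specific noinline attribute so the profiled function is not folded into main.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes gcc is installed;
# gprof (part of binutils) is used only if it is present.

# Write a constructed C program whose work happens outside main(), so that
# gmon.out carries call-graph data (a main-only program makes gprof complain
# "gmon.out file is missing call-graph data").
write_source() {
    cat > "$1" <<'EOF'
#include <stdio.h>

static unsigned long long __attribute__((noinline)) busy(unsigned long long n)
{
    unsigned long long acc = 0, i;
    for (i = 0; i < n; i++)
        acc += (i * i) % 7;
    return acc;
}

int main(void)
{
    printf("%llu\n", busy(5000000ULL));   /* prints 9999999 */
    return 0;
}
EOF
}

# Build with -g (debug info for gdb), -O2 (optimisation) and -pg (profiling
# hooks), run the binary so it writes gmon.out, then show gprof's flat
# profile if gprof exists. The program's own output is printed last.
profile_build() {
    command -v gcc >/dev/null 2>&1 || { echo "gcc not installed; skipping"; return 0; }
    dir=$(mktemp -d) || return 1
    write_source "$dir/test.c"
    gcc -g -O2 -pg -o "$dir/test" "$dir/test.c" || { rm -rf "$dir"; return 1; }
    ( cd "$dir" && ./test > out.txt ) || { rm -rf "$dir"; return 1; }
    if [ ! -s "$dir/gmon.out" ]; then
        echo "no gmon.out written"; rm -rf "$dir"; return 1
    fi
    if command -v gprof >/dev/null 2>&1; then
        ( cd "$dir" && gprof -b ./test gmon.out | head -n 12 )
    fi
    cat "$dir/out.txt"
    rm -rf "$dir"
}
```

Run `profile_build` from the shell; the flat profile lists busy() because it is a separate function, which is exactly what a main-only program lacks.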

gdb: the GNU Debugger. Some of its commands:
file : load the executable to be debugged.
kill : terminate the program being debugged.
list : list the source code, though on RH9.0 it seemed not to work for me.
run : run the program.
make : rebuild the executable without leaving gdb.
shell : run shell commands without leaving gdb.

Two useful commands:

# ps -auex
# tar -xjvf xxx.tbz
Category: Technology  Tags:

Network protocol and X-Windows

August 26, 2005, no comments

The IP protocol suite contains the following four core protocols: IP (Internet Protocol), TCP, UDP and ICMP. I'll explain them here.

IP: Internet Protocol, defined in RFC 791, is a connectionless protocol: each packet is handed to the network and routed independently to the destination host. IP does not guarantee that every packet reaches the destination, nor that packets arrive in the order they were sent.

TCP: Transmission Control Protocol, defined in RFC 793. TCP lets two hosts establish a connection and exchange streams of data, and it guarantees both the integrity and the ordering of the data. IP uses IP addresses to route packets to the host; TCP uses port numbers to deliver the data to the right process on the destination operating system.

UDP: User Datagram Protocol, defined in RFC 768, is connectionless, unlike TCP. Like IP, UDP does not guarantee delivery or ordering of packets, but like TCP it uses port numbers to deliver datagrams to a specific process on the destination host.

ICMP: Internet Control Message Protocol, defined in RFC 792. ICMP carries the control and error messages that the other three protocols cannot express themselves; for example, ping uses ICMP echo to test whether a given system is up and reachable.

Issue the following telnet command to connect to any listening service on the target
system:

# telnet <host> <portnumber> 

Yesterday afternoon was the first time I connected to a remote host with the telnet command. While I was still pleased with myself, I found that no Linux commands could be executed in the console; however, some classic DOS commands such as dir or cd worked to show a directory or go up one level. I tried many Linux commands, but all failed. It confused me a lot because I could not find a way to operate the remote machine.
Finally, I had to ask the customer for the reason. He said that what I had logged into by telnet was a firewall device, and told me to telnet to the real host after logging in to the firewall. I did what he said and logged in to the remote target system by telnet successfully; of course all the Linux commands worked well.

I found it slower than working on localhost, and when I used vi to edit /etc/fstab I could not insert or delete characters. Another engineer sitting next to me tried again, but he could not even save his changes to /etc/fstab. It was strange.

X Window System
X Window is the GUI environment of UNIX; its ports run from 6000 to 6063 (one per display number). The "xhost" tool controls which hosts may connect to the X server. Note that "xhost +" with no host name disables access control for everyone, so name a specific host, or better, tunnel X over ssh.
Server access control program for X:

# xhost + system-name
# xhost +
# whatis xhost

Show who is logged on and what they are doing:

# whatis w

TCP/IP interface configuration and router utility:

# whatis ip

Turbo Linux 8.0

August 24, 2005, no comments

There was some trouble installing the Marvell Ethernet device on Turbo Linux 8.0 with service pack 2 applied. The hardware platform is a PR2510 using the SE7520BD2 server board. This board has two Ethernet devices, Intel Pro 1000 and Marvell. We installed and configured the Intel Pro 1000 quickly and it works well, but when we went on to install the Marvell, something happened. During the installation of the Marvell driver it reported that the driver had compiled OK and there was no error message. However, the Marvell Ethernet device would not work when we used the "ping" command to check it. In "/var/log/messages", and by issuing "dmesg | grep eth0", the following information was displayed: "No IPv6 routers present."

I searched the Internet and found that SuSE and Fedora Core 2 have the same problem. What a disappointing result; I have not resolved this problem. After all our attempts failed, we had to install another Ethernet device on this server board. What we chose was an Ethernet device with the "e100" chipset, and it worked fine. There is a difference between Turbo Linux and Red Hat Linux here. On Red Hat Linux, new hardware is detected during startup by "kudzu", and then the hardware is usable on every reboot. On Turbo Linux, once the init process was complete, I issued the following command:

# lsmod

Neither the sk98lin module nor the e1000 module appeared in the module list ("/proc/modules"), so when we executed "ifconfig" only the "lo" configuration was displayed. To fix this I used the following method. First I inserted the modules again by issuing "insmod sk98lin" and then "insmod e1000". Second, I used "# lsmod" to confirm these modules had been inserted into the running kernel. Finally, I executed the following command to bring the Ethernet devices up:

# ./etc/sysconfig/network restart

We found both Ethernet devices active and working well. In summary, the order in which the modules are inserted matches the ifcfg-ethX files: if the Marvell module (sk98lin) is inserted first, it takes the configuration of ifcfg-eth0, the first file, and the Intel PRO/1000 module (e1000) inserted next is configured by ifcfg-eth1.

Note: Red Hat uses "netconfig" to configure Ethernet devices; on Turbo Linux the tool is called "netcfg".


Social Engineering

August 18, 2005, no comments

As administrators we must pay attention to the security of the system. Some people often claim they need certain information, when perhaps it is not necessary; we should verify their authorization and the reason they give. Attackers want others to follow their suggestions, yet when the same is asked of them they never comply. Hmm, it seems there is usually a better way to complete the task.

Check a stranger's ID and confirm that the telephone number they give is real, or contact their supervisor to confirm the information they supplied. It is useful. We should learn to say no, and trust our instincts, which are usually right. Training the users is also useful to reduce incidents in which the whole system is compromised and can no longer work.

Attackers collect information such as employee lists, the structure of the telephone system, the management structure and employees' home pages. They even search the Internet (Google, for example) for keywords about the people they are interested in. The more an attacker knows, the more easily they can take control of the target system. The following web site may be useful: www.hacklinux.com.

wget downloads files from the Internet.

# wget

diff finds the differences between two files.

# diff

Many attackers put special code into otherwise normal source code so that they can use these "backdoors" to access the target servers. So we should check the integrity of source code we download from the Internet against the original. The following commands are used for checking:

# md5sum
# sum

What is sum? It prints a checksum and the block count of a file. The sum command supports two algorithms:

-BSD algorithm

# sum -r

-System V algorithm

# sum -s

We can also check the signatures of rpm packages:

# rpm --checksig  program.rpm

GNU Privacy Guard (gpg) is an encryption and signing tool. Linux is not easily damaged by viruses, but worms can have a great effect on Linux systems. The Morris worm (1988) and the Ramen worm (2001) are two well-known worms that targeted UNIX systems.

Some people like to install two different operating systems on one machine, for example Windows and Linux. However, it is not safe: if an attacker has compromised one system, say Windows, they can delete the Linux partition and Linux is destroyed. It is strongly recommended not to install two operating systems on the same machine.

How do we stop an attacker from using a floppy or CD-ROM to access the system? First, in the BIOS settings, change the boot order so that the hard disk comes first, then disable the floppy and CD-ROM boot options and set a BIOS supervisor password. However, an attacker can open the chassis and reset or reflash the BIOS so that the floppy and CD-ROM can be used again, so keeping the servers in a secure room is all the more necessary.


DNS traceroute and Scan ports

August 10, 2005, no comments

First Part: DNS and traceroute

On the Internet, attackers always want more information about the target machine, such as its IP address and domain name, so DNS is often the first target they attack.

The most common DNS server in the Linux world is BIND, developed and maintained by the Internet Software Consortium, which also runs the DHCP and INN projects. BIND 4 is the oldest branch, BIND 8 came later, and BIND 9 is the current release. Note: keeping BIND at the latest release is good for security.

There are three common tools working on DNS information:nslookup,dig,host.

# nslookup

Query Internet name servers interactively. Note: nslookup is deprecated and may be removed from future releases; consider using "dig" or "host" instead. The DNS server's IP address is in /etc/resolv.conf, for example:

# cat /etc/resolv.conf
 nameserver 202.96.143.133

host: DNS lookup utility. Common DNS record types:
SOA: start of authority; includes the administrator's email and the zone's update (serial/refresh) information
A: the IPv4 address of a host name
CNAME: an alias for another host name
PTR: maps an IP address back to a host name
HINFO: the hardware and operating system of a host
TXT: additional descriptive text
RP: the responsible person's email address

# host -t txt www.example.com
# host -t any www.example.com

Reverse resolution is done with the following command:

# host 202.112.20.133
sea.whnet.edu.cn

DNS records should be well protected, but they are weak today. An attacker who compromises a DNS server, or who can answer a user's query with a forged response before the real one arrives, can direct the user to a host under the attacker's control. DNSSEC was developed to make DNS stronger.

The location of a host is useful too: if an attacker wants to launch a DoS attack from compromised hosts, it is more effective from machines that are network-close to the target. traceroute shows the hosts a packet passes through on the way from localhost to the target:

#traceroute

Second Part: Scan ports

# nmap

nmap detects which ports on a remote host are open. The following command also guesses the remote host's operating system:

# nmap -O remote-host
# nmap -P0 remote-host  (P-zero: skip the ping probe and scan anyway; newer nmap spells it -Pn)

How do we give nmap and banner grabbers less to work with? /etc/issue contains information such as the operating system and kernel release; we can change it or comment out those lines so an attacker learns less about our system. Note that nmap -O identifies the OS from the behaviour of the TCP/IP stack, not from /etc/issue, so this only hides the banner shown at login (for example over telnet). Since /etc/issue may be rewritten by other processes or by the operating system at reboot, we can make it immutable:

# chattr +i /etc/issue

Like /etc/issue, the greeting banner configured in /etc/mail/sendmail.cf deserves attention too.


Ping attacks

August 10, 2005, no comments

Polite closing words: Any help gladly appreciated, thanks.

Ping sweeps come in two forms: ICMP ping and echo-port ping.

1. ICMP: ping sends an ICMP ECHO REQUEST to the destination host; if the destination is up, it responds with an ICMP ECHO REPLY.

# ping -c 3 target

The -c option means count: 3 is the number of echo requests to send.

2. The other method is to connect to the remote host's echo port (port 7) with UDP or TCP packets. This service sends back whatever it receives from the local host. For example:

# telnet target.example.com echo
 Connected to target.example.com.
 Escape character is '^]'.
 pack my box with five dozen liquor jugs.    (sent from local host)
 pack my box with five dozen liquor jugs.    (echoed back by remote host)

nmap: network exploration tool and security scanner.

Proxy server:202.97.142.40
Port:3128

How do we prevent ping attacks?
We can configure ipchains/iptables to drop incoming ICMP ECHO REQUEST packets (dropping ECHO REPLY as well would also break ping from the host itself, so only do that if we never need to ping out). In /etc/inetd.conf, commenting out the following two lines disables the echo service:

# echo stream tcp nowait root internal
# echo dgram udp wait root internal

Then issue "kill -HUP <pid of inetd>" (or "killall -HUP inetd") so that inetd re-reads its configuration.
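As an added example (not from the original post), this shell script performs the inetd step above on a file, counts what is left, signals inetd, and shows the matching iptables rule for ICMP echo requests. The inetd.conf content is a constructed sample; the iptables rule is only printed unless the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original post. The inetd.conf text used by
# inetd_demo is constructed; iptables is only invoked when running as root.

# Put "#" in front of every active echo line (tcp and udp) in the inetd.conf
# given as $1. Running it twice is harmless: commented lines no longer match.
disable_inetd_echo() {
    sed -i 's/^\(echo[[:space:]]\)/#\1/' "$1"
}

# Number of echo lines still active in $1 (0 means the service is off).
active_echo_lines() {
    grep -c '^echo[[:space:]]' "$1" || true
}

# The "kill -HUP" step: ask a running inetd to re-read its configuration.
reload_inetd() {
    pid=$(pidof inetd 2>/dev/null) || return 0
    kill -HUP $pid
}

# Drop inbound ICMP echo requests. Echo replies are left alone so ping from
# this host keeps working. Needs root; otherwise the rule is just printed.
block_icmp_echo_requests() {
    rule="iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
    if [ "$(id -u)" -eq 0 ]; then $rule; else echo "$rule"; fi
}

# Walk through the edit on a constructed inetd.conf; prints "before=2 after=0".
inetd_demo() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
# constructed sample inetd.conf
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
EOF
    before=$(active_echo_lines "$conf")
    disable_inetd_echo "$conf"
    after=$(active_echo_lines "$conf")
    rm -f "$conf"
    echo "before=$before after=$after"
}
```

On a real host run `disable_inetd_echo /etc/inetd.conf && reload_inetd` as root, then `block_icmp_echo_requests`; the ftp line in the sample shows that unrelated services are left untouched.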


Security of Linux’s Network – MD5

August 10, 2005, no comments

MD5, designed by Ron Rivest of RSA Data Security, is a message-digest (checksum) algorithm. SHA-1 is another hash algorithm; it runs more slowly than MD5. Collisions for MD5 were demonstrated in 2004, so against a deliberate attacker prefer SHA-256 plus a signature (gpg) over a bare MD5 digest.

Compute and check an MD5 message digest:

#md5sum

Issuing the above command prints a digest string computed by the MD5 algorithm. If the file is modified and we run md5sum again, a different string is printed. This is commonly used to check a file's integrity and make sure a given file has not been modified, provided the reference digest is stored somewhere an intruder cannot change it.
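The integrity check described here and in the earlier note on verifying downloaded source code, as an added example that is not part of the original posts: record a digest for every file under a directory, verify the tree later with "md5sum -c", and watch the check fail after a file is tampered with. The sample tree, its file names and the "backdoor" line are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. The source tree, file contents
# and tampering step in integrity_demo are constructed for illustration.

# Write "digest  relative-path" lines for every regular file under $1 into
# the manifest $2. $2 must be an absolute path outside $1 (otherwise the
# manifest would list itself); sorting keeps the manifest reproducible.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 md5sum ) > "$2"
}

# Return 0 if every file listed in manifest $2 still matches when checked
# from inside directory $1, non-zero otherwise.
verify_manifest() {
    ( cd "$1" && md5sum -c "$2" >/dev/null 2>&1 )
}

# Walk through the workflow on a constructed tree: the check passes, one
# source file is altered, and the check fails. Prints "before=ok after=modified".
integrity_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/lib"
    printf 'int main(void) { return 0; }\n' > "$work/src/main.c"
    printf 'static int helper(void) { return 1; }\n' > "$work/src/lib/util.c"
    make_manifest "$work/src" "$work/MD5SUMS"

    if verify_manifest "$work/src" "$work/MD5SUMS"; then before=ok; else before=FAILED; fi
    # Simulate a backdoored download: append code to one source file.
    printf 'void backdoor(void) {}\n' >> "$work/src/lib/util.c"
    if verify_manifest "$work/src" "$work/MD5SUMS"; then after=ok; else after=modified; fi

    rm -rf "$work"
    echo "before=$before after=$after"
}
```

The same two functions work unchanged with sha256sum in place of md5sum; in either case keep the manifest (or a gpg signature of it) on media the intruder cannot write to, otherwise they will simply regenerate it.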

How can we tell that a system has been compromised? Some signs:

1. The web site's home page has been defaced.
2. Free disk space shrinks rapidly.
3. Other administrators contact you about scans or attacks coming from your host.
4. System logs have been erased.
5. New accounts have appeared.
6. Unknown processes are running.
7. CPU load is constantly high for no explainable reason.
8. Remote probes of the host's accounts are detected.

When we find these signs on our system, we should take the following steps:

1. Shut down network services and go to single-user mode, booting from a floppy (trusted media).
2. Assess the extent of the damage.
3. Attempt recovery and bring the system back online.


Security of Linux’s Network – Scan and syslog

August 10, 2005, no comments

The first thing attackers do before breaking into a system is scan the network. With monitoring software that detects their probes immediately, we can protect the system; in the worst case we may have to shut the system down, but at least we know what is happening.

Three common monitoring tools:

1. klaxon: if klaxon is made to listen on many ports, the system can be hit with a denial of service, since a flood of connections puts a heavy load on the inetd process.
2. courtney: a sniffer built on tcpdump.
3. scanlogd: treats 7 different privileged ports (or 21 non-privileged ports) hit from one source within 3 seconds as a scan; after logging 5 scans in 20 seconds it stops logging for a while so that the system log is not flooded with messages.

As the name indicates, scanlogd only logs port scans. It does not prevent them. You will only receive summarized information in the system log.

Obviously, the source address of port scans can be spoofed. Don't take any action against the source of attacks unless other evidence is available. Sometimes IP addresses are shared between many people; this is the case for ISP shell servers, dynamic dial-up pools, and corporate networks behind NAT (also called masquerading).

Note: IDE and SATA hard disks are the same except for the interface.

Nautilus is the file manager GUI of GNOME.

Hardening systems:
Hardening systems raise security by tightening the permissions and privileges the system grants by default. Some hardening systems: Bastille, Openwall Linux, LIDS.

The syslog daemon writes messages to the system logs according to their priority level: emerg, alert, crit, err, warning, notice, info and debug.

/etc/syslog.conf is the syslog daemon's configuration file. Each line has the form:
facility.priority    logtarget
for example:

daemon.notice   /var/log/daemon.log

Note that logtarget can be not only a local path but also a remote log server, written with "@" before the host name. This is very useful when the local system is broken into: even if the attacker erases everything on localhost to cover his tracks, the log information still exists on the remote log server.

Sometimes a user types the password in the username field; yes, that gets recorded in the system log as a failed login. How dangerous! An attacker could analyze the log file, find such entries and obtain the password easily. How to prevent this? I think nobody except root should be permitted to read the system logs.
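As an added example (not from the original post), the following shell script reads a syslog.conf, reports which selectors go to a local file and which to a remote "@host", and flags local log files that are readable by anyone other than their owner, which is the check the previous paragraph calls for. The configuration text, the host name "loghost" and the log file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The syslog.conf text and the
# log files in syslog_demo are constructed samples.

# For each rule line in $1 print "remote <host>" or "local <path>".
# A leading "-" on a path (meaning "no fsync") is stripped; comment and
# blank lines are skipped.
syslog_targets() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            t = $NF
            if (t ~ /^@/) { print "remote " substr(t, 2) }
            else if (t ~ /^-?\//) { sub(/^-/, "", t); print "local " t }
        }' "$1"
}

# Print every existing local log target from $1 that group or others may
# read. Return 0 if there are none, 1 otherwise.
check_log_perms() {
    bad=$(syslog_targets "$1" | while read -r kind path; do
        if [ "$kind" = local ] && [ -e "$path" ]; then
            find "$path" -prune \( -perm -g+r -o -perm -o+r \) -print
        fi
    done)
    [ -z "$bad" ] && return 0
    echo "$bad"
    return 1
}

# Constructed configuration and log files: a world-readable auth.log must be
# reported, the tightened files must pass, and the remote target must show.
syslog_demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/syslog.conf" <<EOF
# constructed sample syslog.conf
daemon.notice      $work/daemon.log
auth,authpriv.*    -$work/auth.log
*.*                @loghost
EOF
    touch "$work/daemon.log" "$work/auth.log"
    chmod 600 "$work/daemon.log"
    chmod 644 "$work/auth.log"     # the mistake: failed logins readable by all
    check_log_perms "$work/syslog.conf" >/dev/null && { rm -rf "$work"; return 1; }
    chmod 600 "$work/auth.log"
    check_log_perms "$work/syslog.conf" || { rm -rf "$work"; return 1; }
    syslog_targets "$work/syslog.conf" | grep -q '^remote loghost$' || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}
```

Run `check_log_perms /etc/syslog.conf` on a real host; any path it prints is a log that users other than root can read.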

Software for analyzing system logs: Swatch, Logsurfer.


Security of Linux’s network – quota and limitation

August 10, 2005, no comments

First Part: Quota

Linux quotas limit the disk space each user may use, so that a few users cannot occupy nearly all of the resources. Configure quotas with the following steps:

1. Add "usrquota" to the fourth (mount options) field of the entry in "/etc/fstab", for example:

 /dev/hda7    /home    ext2    defaults,usrquota    1 2

2. Create two files at the top of that partition:

 # touch /home/quota.user
 # touch /home/quota.group 

and then restrict their permissions:

 # chmod 600 /home/quota.user
 # chmod 600 /home/quota.group 

3. Reboot the system (or, without rebooting, run "quotacheck -cug /home" followed by "quotaon /home").
4. Issue the following command to set the quota for a given user:

# edquota -u username 
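As an added example (not from the original post), this shell script does the fstab part of the procedure above in a repeatable way: it adds "usrquota" to the options field of a given mount point, does nothing if the option is already there, and reads the options back so the result can be checked. The device name /dev/hda7 and the fstab text are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. The fstab content in fstab_demo
# is a constructed sample.

# Print the option list (4th field) of mount point $2 in fstab file $1.
fstab_options() {
    awk -v mnt="$2" '!/^[ \t]*#/ && $2 == mnt { print $4 }' "$1"
}

# Return 0 if the comma-separated option list $1 contains option $2.
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Ensure mount point $2 in fstab $1 carries option $3. Returns 1 if the
# mount point has no entry. Note: awk re-emits the matched line with single
# spaces between fields, which mount(8) does not mind.
add_fstab_option() {
    opts=$(fstab_options "$1" "$2")
    [ -n "$opts" ] || return 1
    has_option "$opts" "$3" && return 0
    tmp=$(mktemp) || return 1
    awk -v mnt="$2" -v opt="$3" '
        !/^[ \t]*#/ && $2 == mnt { $4 = $4 "," opt }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Apply the edit twice (second run must be a no-op), try an unknown mount
# point (must fail), and print the resulting /home options.
fstab_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample fstab
/dev/hda5    /        ext2    defaults        1 1
/dev/hda7    /home    ext2    defaults        1 2
EOF
    add_fstab_option "$f" /home usrquota || { rm -f "$f"; return 1; }
    add_fstab_option "$f" /home usrquota || { rm -f "$f"; return 1; }
    add_fstab_option "$f" /data usrquota && { rm -f "$f"; return 1; }
    result=$(fstab_options "$f" /home)
    rm -f "$f"
    echo "$result"
}
```

On a real system run `add_fstab_option /etc/fstab /home usrquota` as root, then the quota file creation, quotacheck/quotaon and edquota steps described above.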

Second Part: Limits
Hard limit: the user cannot exceed the specified value.
Soft limit: when usage reaches the specified value the system gives a warning; a user may raise their own soft limit, but never above the hard limit.

# ulimit
# ulimit -a
(lists all limit values, including
 CPU time and the number of open files.)

There are two ways to configure the limits:

1. Add "ulimit" lines to /etc/profile.
2. Modify /etc/security/limits.conf. This is very important: when I installed Oracle 10g on Red Hat, this file always had to be modified to add hard and soft limits for nproc. The format of /etc/security/limits.conf is:

    domain    type    item    value 

domain: a user name, a group name prefixed with "@", or "*" for all users and groups.
type: whether the limit is hard or soft.
item: which resource is limited (for example nproc or nofile).
value: the value of the limit.
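As an added example (not from the original post), this shell script demonstrates the hard/soft rule with ulimit inside subshells, so the calling shell's own limits are untouched, and renders and parses limits.conf lines in the domain/type/item/value format above. The user name "oracle" and the numbers are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. The account "oracle" and the
# nproc values are illustrative.

# Return 0 if the shell enforces "soft <= hard" for open files (-n).
# Lowering a limit is allowed for everyone; raising the soft limit above the
# hard limit must be refused, even for root. Only root could raise the hard
# limit again afterwards, which is why the lowered hard limit is a ceiling.
soft_cannot_exceed_hard() {
    (
        ulimit -S -n 64 || exit 2     # soft first, so soft <= hard holds
        ulimit -H -n 64 || exit 3     # then lower the hard limit
        ulimit -S -n 32 || exit 4     # below the hard limit: allowed
        ulimit -S -n 128 2>/dev/null && exit 1   # above it: must be refused
        exit 0
    )
}

# Render the two limits.conf lines for one domain and item:
#   limits_conf_lines oracle nproc 2047 16384
limits_conf_lines() {
    printf '%s\tsoft\t%s\t%s\n' "$1" "$2" "$3"
    printf '%s\thard\t%s\t%s\n' "$1" "$2" "$4"
}

# Read limits.conf lines on stdin and print the hard value of item $2 for
# domain $1 (nothing if absent). Comment lines are ignored.
hard_limit_for() {
    awk -v d="$1" -v item="$2" \
        '!/^[ \t]*#/ && $1 == d && $2 == "hard" && $3 == item { print $4 }'
}
```

`limits_conf_lines oracle nproc 2047 16384 >> /etc/security/limits.conf` (as root) is the edit the Oracle installation asks for; `limits_conf_lines ... | hard_limit_for oracle nproc` reads the value back.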


Security of Linux’s Network – File Attribute

August 10, 2005, no comments

Issue the following command to list the attributes of a file:

# lsattr 

This command modifies the attributes of a file:

# chattr 

Both work on ext2 and ext3 file systems.
Note: the "i" (immutable) attribute means the file cannot be modified, deleted or renamed, even by root, until the attribute is cleared with "chattr -i"; only root can set or clear it. It is very useful.
