Turbo Linux 8.0

24 August 2005, 11:24

We ran into trouble installing the Marvell Ethernet driver on Turbo Linux 8.0 with Service Pack 2 applied. The hardware platform is a PR2510 using the SE7520BD2 server board. This board has two Ethernet devices, an Intel PRO/1000 and a Marvell. We installed and configured the Intel PRO/1000 quickly and it worked well, but when we installed the Marvell in the same way, something went wrong. During the installation the driver was reported as compiled successfully and there was no error message. However, the Marvell device did not work when we checked it with the "ping" command. In "/var/log/messages" and in the output of "dmesg | grep eth0", the following message was displayed: "No IPv6 routers present."

I searched the Internet and found that SuSE and Fedora Core 2 have the same problem. A disappointing result: I have not resolved it. After all our attempts failed, we had to install another Ethernet device on this server board. We chose an Ethernet card with an "e100" chipset, and it worked fine. Turbo Linux differs from Red Hat Linux here. On Red Hat Linux, new hardware is detected during startup by "kudzu", and from then on the hardware is available after every reboot. On Turbo Linux, after the init process completed, we issued the following command:

# lsmod

Neither the sk98lin module nor the e1000 module was found in the module list ("/proc/modules"), so when we executed the "ifconfig" command only the "lo" configuration was displayed. To fix this I used the following method. First, insert the modules again by issuing "insmod sk98lin" and then "insmod e1000". Second, use "# lsmod" to verify that these modules are now loaded in the running kernel. Finally, execute the following command to bring the Ethernet devices up:

# ./etc/sysconfig/network restart

Both Ethernet devices were then active and working well. In summary, the order in which the modules are inserted determines which ifcfg-ethX file each device takes: if the Marvell module (sk98lin) is inserted first, it takes the configuration of ifcfg-eth0, the first file, and the Intel PRO/1000 module (e1000) inserted afterwards is, for the same reason, configured by ifcfg-eth1.

Note: Red Hat uses "netconfig" to configure the Ethernet devices. On Turbo Linux the command is "netcfg".

Category: Technology

Social Attacking

18 August 2005, 21:40

As administrators we must pay attention to system security. People often claim they need certain information, but the need may not be real; we can verify their privilege and the reason they give. Hackers want others to act on their suggestions, yet when the same thing happens to the hackers themselves they never do so. Hmmm, it seems there are better ways to complete the mission.

Check a stranger's ID and verify that their telephone number is real, or contact their supervisor to confirm the information they supplied. It is useful. We should learn to say no. Trust our instincts, which are usually right for our decisions. Training users is also useful in reducing incidents where whole systems are hacked and can no longer work.

Hackers will collect the following information: employee details, telephone system structure, management structure and employees' home pages. They will even search the Internet, for example on Google, for keywords about the people they are interested in. The more information hackers know, the more easily they can control the target system. The following website may be useful: www.hacklinux.com.

wget is used to download from the Internet.

# wget

diff finds the differences between two files.

# diff

Many hackers plant special code inside otherwise ordinary source code so that they can use these "backdoors" to access the target servers. So we should check the integrity of the source code, comparing the original with what we downloaded from the Internet. The following commands can be issued for checking:

# md5sum
# sum

What is sum? It computes a checksum and counts the blocks in a file. The sum command supports two algorithms:

- BSD algorithm

# sum -r

- System V algorithm

# sum -s

We can also check the signatures of RPM packages:

# rpm --checksig program.rpm

GNU Privacy Guard (gpg) is an encryption and signing tool. Linux is not easily damaged by viruses, but worms can have a great effect on Linux systems. The Morris worm (born in 1998) and the Ramen worm (born in 2001) are the only two worms for UNIX systems.

Some people like to install two different operating systems on one machine, for example Windows and Linux. However, this is not safe. If hackers have compromised one system, for example Windows, they can delete the Linux partition, and Linux is destroyed. It is strongly recommended not to install two operating systems on the same machine.

How do we prevent hackers from using a floppy or CD-ROM to access the system? First, in the BIOS settings, change the boot order so that the hard disk comes first, then disable the floppy and CD-ROM boot options and set a BIOS supervisor password. However, hackers could open the chassis and reflash the BIOS so that the floppy and CD-ROM can be used again. So choosing a secure room to hold the servers is increasingly necessary.


DNS traceroute and Scan ports

10 August 2005, 17:55

First Part: DNS traceroute

On the Internet, hackers always want to find out more about the target machine, such as its IP address and domain name. So DNS becomes the first target hackers want to attack.

The best DNS server in the Linux world is BIND, developed and maintained by the Internet Software Consortium, which also maintains the DHCP and INN projects. BIND 4.0 is the most stable, BIND 8.0 was released later, and BIND 9.0 is the latest release. Note: keeping BIND at the latest release is beneficial for security.

There are three common tools for working with DNS information: nslookup, dig and host.

# nslookup

Query Internet name servers interactively. Note: nslookup is deprecated and may be removed from future releases; consider using the "dig" or "host" programs instead. We can get the DNS server IP from /etc/resolv.conf, for example:

# cat /etc/resolv.conf
 nameserver 202.96.143.133

host is a DNS lookup utility. DNS records include the following types:
SOA: includes the administrator's email address and update information.
A: IP address of the host
CNAME: alias name of the host
PTR: mapping from IP address to host name
HINFO: hardware and operating system of the host
TXT: additional description
RP: email address of the person responsible for the host

# host -t txt www.example.com
# host -t '*' www.example.com

Reverse resolution is done with the following command:

# host 202.112.20.133
sea.whnet.edu.cn

DNS records should be highly secure, but at present they are very weak. Hackers invade the DNS server and return a forged response to the user's request before the real resolution result is sent by the DNS server; then the hackers can control the user's system. To make DNS stronger, DNSSEC was developed.

The location of a host is useful: if hackers want to launch a DoS attack from compromised hosts, it is more effective from those compromised machines that are near the target. Traceroute is used to discover the hosts on the path from the local host to the target host.

# traceroute

Second Part: Scan ports

# nmap

nmap is used to detect which ports on a remote host are open. Issuing the following command can reveal the operating system of the remote host:

# nmap -O remote-host
# nmap -P0 remote-host   (P0 with a zero: skip the ping probe and scan the host anyway)

How do we keep nmap from learning about us? /etc/issue records information including the operating system and kernel release. We can change this information or comment out those lines so that hackers learn less about our system. In some cases /etc/issue is modified by other processes or by the operating system after a reboot, so we can issue the following command to protect it:

# chattr +i /etc/issue

Like /etc/issue, the file "/etc/mail/sendmail.cf" should also be looked at.
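A check for the banner leak described above, added here as an example and not part of the original post: it flags an issue-style file that still carries the agetty escapes (\s system name, \r kernel release, \m machine, \v OS version) or literal "kernel"/"release" strings, and rewrites it to a neutral text. The file path and sample banner are constructed.

```shell
# banner_leaks FILE -> prints each line that exposes system details;
# returns 0 if any were found, 1 if the banner is clean
banner_leaks() {
    # \\[srmv] matches the agetty escapes \s \r \m \v; -i also catches
    # "Kernel" and "release" in any case
    grep -Ei '\\[srmv]|kernel|release' "$1"
}

# harden_banner FILE -> replaces the banner with fixed text carrying no
# operating system or kernel information
harden_banner() {
    printf '%s\n' 'Authorized access only. Activity may be monitored.' > "$1"
}

demo() {
    tmp=$(mktemp)
    # constructed sample: the default-style banner many distributions ship
    printf '%s\n' 'Red Hat Linux release 9 (Shrike)' 'Kernel \r on an \m' > "$tmp"
    if banner_leaks "$tmp" >/dev/null; then echo "before: banner leaks"; fi
    harden_banner "$tmp"
    if ! banner_leaks "$tmp" >/dev/null; then echo "after: banner clean"; fi
    rm -f "$tmp"
}
```

Run demo, or point banner_leaks at a copy of /etc/issue (and /etc/issue.net) before applying chattr +i so the protected file is already clean.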


Ping attacking

10 August 2005, 16:59

Polite reply phrase: "Any help gladly appreciated, thanks."

Ping attacks use two methods: ICMP ping and echo-port ping.

1. ICMP: send an ICMP ECHO REQUEST to the destination host; if the destination is running, it responds with an ICMP ECHO REPLY.

# ping -c 3 target

The -c option sets the number of echo requests to send, here 3.

2. The other ping method is to connect to the remote host's echo port (port 7) with UDP or TCP packets. This port replies with whatever the local host sent, for example:

# telnet target.example.com echo
 Connected to target.example.com.
 Escape character is '^]'.
 Pack my box with five dozen liquor jugs.   (sent from the local host)
 Pack my box with five dozen liquor jugs.   (echoed back by the remote host)

Nmap: network exploration tool and security scanner.

Proxy server:202.97.142.40
Port:3128

How do we prevent ping attacks?
We can configure ipchains/iptables to refuse ICMP ECHO REQUEST and ECHO REPLY traffic. In /etc/inetd.conf, commenting out the following two lines disables the echo service that the second method relies on:

# echo stream tcp nowait root internal
# echo dgram udp wait root internal

Then issue "kill -HUP <pid of inetd>" (or "killall -HUP inetd") so that inetd reloads its configuration and the change takes effect.
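The inetd.conf change above, as an added example that is not from the original post: it comments out every active echo entry in a copy of the file and counts what remains, so the hardening can be verified before inetd is signalled. The sample inetd.conf fragment is constructed.

```shell
# active_echo_lines FILE -> prints inetd.conf lines that still enable echo
active_echo_lines() {
    # an active entry starts with the service name; a leading '#' disables it
    grep -E '^[[:space:]]*echo[[:space:]]' "$1"
}

# disable_echo FILE -> comments out every active echo entry (tcp and udp)
disable_echo() {
    tmp="$1.tmp"
    sed -e 's/^\([[:space:]]*echo[[:space:]]\)/#\1/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# count_active_echo FILE -> number of active echo entries; 0 once hardened
count_active_echo() {
    active_echo_lines "$1" | wc -l | tr -d ' '
}

demo() {
    cfg=$(mktemp)
    # constructed inetd.conf fragment: echo enabled over tcp and udp,
    # discard already off, telnet left untouched by the change
    cat > "$cfg" <<'EOF'
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
#discard stream  tcp     nowait  root    internal
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
EOF
    echo "active echo entries before: $(count_active_echo "$cfg")"
    disable_echo "$cfg"
    echo "active echo entries after:  $(count_active_echo "$cfg")"
    cat "$cfg"
    rm -f "$cfg"
}
```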


Security of Linux’s Network – MD5

10 August 2005, 16:45

MD5, invented by RSA Data Security, is a message digest (checksum) algorithm. SHA1 is also a hash algorithm; it runs slower than MD5.

Compute and check an MD5 message digest:

# md5sum

Issuing the above command gives a string produced by the MD5 algorithm. If the file is modified and we run md5sum again later, a different string is produced. This is commonly used to check a file's integrity and ensure that the identified file has not been modified.
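The integrity check described here and in the "Social Attacking" post (comparing a downloaded file against the digest published for the original, with md5sum, sha1sum and sum), as an added example that is not from the original posts: the file contents, the "published" digest and the simulated tampering are all constructed.

```shell
# file_md5 FILE -> prints only the hex digest (md5sum also prints the file name)
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# file_sha1 FILE -> the slower SHA-1 digest the post mentions, for comparison
file_sha1() {
    sha1sum "$1" | cut -d' ' -f1
}

# verify_md5 FILE EXPECTED -> 0 when the file matches the published digest,
# 1 when it has changed since the digest was published
verify_md5() {
    [ "$(file_md5 "$1")" = "$2" ]
}

demo() {
    src=$(mktemp)
    printf 'hello\n' > "$src"                    # constructed "downloaded" file
    published=b1946ac92492d2347c6235b4d2611184   # digest of that exact content
    echo "md5:          $(file_md5 "$src")"
    echo "sha1:         $(file_sha1 "$src")"
    echo "BSD sum:      $(sum -r "$src")"        # checksum and block count, BSD algorithm
    echo "System V sum: $(sum -s "$src")"        # same file, System V algorithm
    verify_md5 "$src" "$published" && echo "pristine copy verifies"
    printf 'hello\nevil\n' > "$src"              # simulated backdoor appended
    verify_md5 "$src" "$published" || echo "tampered copy detected"
    rm -f "$src"
}
```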

How do we tell that the system has been compromised? We can judge by the following signs:

1. The browser's home page has been modified.
2. Hard disk space is shrinking rapidly.
3. Other administrators contact us about suspicious activity.
4. The system log has been erased.
5. A new account has been created.
6. Unknown processes are running.
7. CPU usage is always high for no explainable reason.
8. A remote account on the local host has been discovered by hackers.

When we find these signs on our system, we should take the following steps:

1. Shut down network services and switch to single-user mode by booting from a floppy.
2. Assess the extent of the damage.
3. Try to recover online.


Security of Linux’s Network – Scan and syslog

10 August 2005, 15:51

The first thing hackers do before invading a computer system is to scan it over the network. If there is monitoring software that can detect their access immediately, we can protect our system. In the worst case we may have to shut the system down, but even that is useful.

The three common monitor tools are listed here:

1. klaxon: if we use klaxon to listen on many ports, the system may be hit by a denial of service that puts heavy load on the inetd process.
2. courtney: sniffs with tcpdump.
3. scanlogd: if scanlogd detects 7 privileged-port connections in 3 seconds, or 5 scans in 20 seconds, it stops recording the connections so that the system log is not flooded with refusal messages.

As the name indicates, scanlogd only logs port scans; it does not prevent them. You will only receive summarized information in the system log.

Obviously, the source address of a port scan can be spoofed. Don't take any action against the source of an attack unless other evidence is available. Sometimes IP addresses are shared between many people; this is the case for ISP shell servers, dynamic dial-up pools, and corporate networks behind NAT (also called masquerading).

Note: IDE and SATA hard disks are the same except for the interface.

Nautilus is the GUI interface of GNOME.

Hardening systems:
A hardening system raises security by checking for excessive privilege grants in the system. Some hardening systems are: Bastille, Openwall Linux, LIDS.

The syslog process records messages into the system logs by severity level: emerg, alert, crit, err, warning, notice, info and debug.

/etc/syslog.conf is the configuration file of the syslog process. Each line in /etc/syslog.conf has the form:
facility.loglevel logtarget
for example:

daemon.notice   /var/log/daemon.log

Note that logtarget can be not only a local path but also a remote log server, written with "@" before the target. This is very useful when the local system is compromised by hackers. Even if everything on the local host is erased by a hacker who wants nobody to follow his trail, we can still find the log information on the remote log server.
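A check for the point just made, added here as an example and not part of the original post: it reads a syslog.conf-style file and lists the selectors whose messages go only to local files, since those are the entries an intruder can erase; a target beginning with "@" counts as off-host. It assumes one selector per line and treats a remote "*.*" line as covering everything; the sample configuration is constructed.

```shell
# local_only_selectors FILE -> prints each facility.level with no remote target
local_only_selectors() {
    # drop comments and blank lines; each remaining line is "selector target"
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    awk '{
        sel = $1; tgt = $2
        if (tgt ~ /^@/) remote[sel] = 1; else local[sel] = 1
    }
    END {
        # a catch-all remote line ships every message, so nothing is local-only
        if ("*.*" in remote) exit
        for (sel in local) if (!(sel in remote)) print sel
    }' | LC_ALL=C sort
}

# forward_all_to FILE HOST -> appends a catch-all line sending every message to HOST
forward_all_to() {
    printf '*.*\t@%s\n' "$2" >> "$1"
}

demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed syslog.conf: daemon goes off-host, authpriv and emerg stay local
daemon.notice   /var/log/daemon.log
daemon.notice   @loghost.example.com
authpriv.*      /var/log/secure
*.emerg         *
EOF
    echo "local-only before:"; local_only_selectors "$cfg"
    forward_all_to "$cfg" "loghost.example.com"
    echo "local-only after:";  local_only_selectors "$cfg"
    rm -f "$cfg"
}
```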

In some cases a user types the password into the username field; yes, that gets recorded in the system log. How dangerous! Hackers can analyze the log file and pick out such entries, so the password is acquired easily. How to prevent this? I think nobody except root should be permitted to read the system log.

These programs are used to analyze system logs: Swatch, Logsurfer.


Security of Linux’s network – quota and limitation

10 August 2005, 14:17

First Part: Quota

Linux quotas limit the hard disk space available to each user so that a few users cannot occupy nearly all of the resources. We can configure quota with the following steps:

1. Add "usrquota" to the fourth field of "/etc/fstab", for example:

 /dev/hda7    /home    ext2    defaults,usrquota    1 2

2. Create two files in the partition in question:

 # touch /home/quota.user
 # touch /home/quota.group 

and then set the permissions:

 # chmod 600 /home/quota.user
 # chmod 600 /home/quota.group 

3. Reboot the system.
4. Issue the following command to configure the quota for a given user:

# edquota -u username 

Second Part: Limits
Hard limit: the user cannot exceed the specified limit.
Soft limit: when usage reaches the specified limit, the system displays a warning message.

# ulimit
# ulimit -a
(lists all limit parameters, including CPU time and the number of open files)

There are two ways to configure limits:

1. Add "ulimit" lines to /etc/profile.
2. Modify /etc/security/limits.conf. This is very important: when I installed Oracle 10g on Red Hat, this file always had to be modified to add hard and soft limits for nproc. The format of /etc/security/limits.conf is:

    domain    type    item    value 

domain: a user name, or a group name prefixed with "@"; "*" means all users and groups.
type: whether the limit is hard or soft.
item: which resource is limited.
value: the limit value.


Security of Linux’s Network – File Attribute

10 August 2005, 14:02

Issue the following command to list all attributes of a file:

# lsattr 

This command is used to modify the attributes of a file:

# chattr 

All of the above works on the ext2 and ext3 file systems.
Note: the "i" (immutable) attribute means no operation can be performed on the specified file. It is very useful.


Security of Linux’s Network – File privilege

10 August 2005, 11:58

A Linux group is a collection of users who share the same properties; it is a convenient way to define a set of users. The configuration is located in /etc/group.

File permissions are listed in the form -rw-rw-r--. This string shows the file type and the access permissions. The first character indicates the type of file: "-" means a regular file, "d" a directory, "l" a link, and "s" a socket. The next three characters, "rw-", give the permissions of the file's owner: "r" means read, "w" write, "x" execute, and "-" no permission. The middle three characters, "rw-", give the group's permissions, and the final three give the permissions of others.

If user A has write permission on a directory, he can delete files belonging to others. How do we forbid this? We can use the following command:

# chmod +t directory

Then files in it cannot be deleted by others, including users who have write permission on that directory. For example, the /tmp directory benefits from this: every user can only operate on their own files and directories.

When a general user creates a directory, the default permissions are "drwxrwxr-x", 664; when a regular file is created, its default permissions are "-rw-rw-r--", also written 775.

The umask command sets the user's default permissions. For example, if the umask value is 002, the real permissions are the value requested by the user minus "002": if the requested value is 666, the result is 664, obtained by subtracting 002 from 666.

In this way, we could create the strictest permissions by setting the umask to 777, because 777 is the maximal value and subtracting it from any other value gives "0", meaning no permission at all. But the most common choice is a umask of 077, which means only the owner can operate on the file; group and others have no permission.

The granting rule: first grant the strictest permissions by setting the umask to 077, then add permissions as needed for a specific purpose. This avoids many unnecessary problems, because adding permissions is easier than removing them.
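The umask arithmetic above carried through as an added example, not part of the original post: the kernel clears the umask bits from the requested mode (mode AND NOT umask), which gives the post's 666 and 002 result of 664 and the owner-only 600/700 that a 077 umask produces; it also covers a umask such as 027, where plain decimal subtraction would not give the right answer. Modes are passed as octal strings; the values are constructed.

```shell
# effective_mode BASE UMASK -> octal permissions of a new object created with
# BASE (666 for files, 777 for directories) under UMASK
effective_mode() {
    # prefixing 0 makes the shell read both strings as octal; ~ clears the
    # umask bits and & 0777 keeps only the permission bits
    printf '%03o\n' $(( (0$1 & ~0$2) & 0777 ))
}

# owner_only_under_077 -> 0 if a 077 umask leaves owner-only access for
# both files and directories, as the post states
owner_only_under_077() {
    [ "$(effective_mode 666 077)" = 600 ] && [ "$(effective_mode 777 077)" = 700 ]
}

demo() {
    for pair in "666 002" "777 002" "666 077" "777 077" "666 027" "666 777"; do
        set -- $pair
        echo "base $1 umask $2 -> $(effective_mode "$1" "$2")"
    done
    owner_only_under_077 && echo "umask 077: owner-only for files and directories"
}
```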


Security of Linux’s Network – User and Group

10 August 2005, 10:27

Words of wisdom: Victory belongs to the last second man who was wrong.

The hackers' goal in attacking your system is to obtain root privilege. Once they have it, they can do anything they want. So Linux security concentrates on the administration of accounts, the file system and application services.

Many Linux users think their systems, which hold no important information, will not be attacked by hackers. They are wrong. Hackers routinely use machines they have already conquered to attack other, more important computers, which are their real targets.

All account information is stored in the file "/etc/passwd", each line of which describes one account. The root account's user id is "0" (zero). Any user whose id is "0" has root privilege whatever the name; for example, both toor and super are root accounts. System accounts such as nobody never log in because they are used by specific applications: for example, the "nobody" account answers users' HTTP requests, and the "lp" account handles print requests.

Summary: Linux has three types of account: root (toor, super), system accounts (nobody, lp), and general accounts.
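A check based on the point above, added as an example that is not from the original post: it lists every account in a passwd-format file that has UID 0 under a name other than root, and the system accounts that still have a login shell. The UID range below 500 for system accounts is an assumption from Red Hat conventions of the time, and the sample passwd file is constructed, with toor and super taken from the post.

```shell
# uid0_accounts FILE -> prints user names with UID 0 other than root
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# system_accounts_with_shell FILE -> system accounts (UID 1..499, assumed range)
# whose shell is neither nologin nor false, i.e. accounts that could log in
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 500 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

demo() {
    pw=$(mktemp)
    # constructed passwd file: two extra UID-0 accounts and one system
    # account (ftp) left with a real shell
    cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/sh
super:x:0:0::/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
    echo "UID-0 accounts besides root:"; uid0_accounts "$pw"
    echo "system accounts with a login shell:"; system_accounts_with_shell "$pw"
    rm -f "$pw"
}
```

Run demo, or point both functions at /etc/passwd; on a healthy system the first list is empty.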
