What are the ways to attack local processes in Linux systems?

Linux system local process attack methods include: 1. Denial of service attack (DOS); 2. Local users obtain read and write permissions for unauthorized files; 3. Remote users obtain read and write permissions for privileged files; 4. The remote user obtains root privileges.

The operating environment of this tutorial: Windows 10 system, Dell G3 computer.

What are the ways to attack local processes in Linux system?

linux system With the expansion of Linux enterprise applications, a large number of network servers use the Linux operating system. The security performance of Linux servers has received more and more attention. Here we list the Linux servers in levels according to the depth of attacks and propose different solutions.

The definition of Linux server attack is: An attack is an unauthorized behavior designed to hinder, damage, weaken, or destroy the security of a Linux server. Attacks can range from denial of service to complete compromise and destruction of a Linux server. There are many types of attacks on Linux servers. This article explains from the perspective of attack depth, we divide the attacks into four levels.

Attack Level 1. Denial of Service Attack (DOS)

Due to the proliferation of DOS attack tools and the fact that the flaws in the protocol layer targeted cannot be changed in the short term, DOS has become the most widespread and most difficult attack method to prevent.

Service denial-of-service attacks include distributed denial-of-service attacks, reflective distributed denial-of-service attacks, DNS distributed denial-of-service attacks, FTP attacks, etc. Most denial-of-service attacks cause relatively low-level dangers, and even those that might cause a system reboot are only temporary problems. This type of attack is largely different from those that want to gain network control. Generally, it will not affect data security, but denial of service attacks will last for a long time and are very difficult to deal with.

So far, there is no absolute way to stop this type of attack. But this does not mean that we should just sit back and take advantage of it. In addition to emphasizing the importance of strengthening the protection of personal hosts from being exploited, strengthening the management of servers is a very important part. Be sure to install verification software and filtering functions to verify the true address of the source address of the message. In addition, the following measures can be taken for several kinds of service denial: close unnecessary services, limit the number of Syn semi-connections opened at the same time, shorten the time out of Syn semi-connections, and update system patches in a timely manner.

Attack Level 2: A local user has obtained unauthorized file read and write permissions

A local user refers to someone who has a password on any machine on the local network. Thus there is a directory of users on a certain drive. Whether the issue of local users gaining read and write permissions to files they are not authorized to pose a risk depends largely on the criticality of the files being accessed. It is dangerous for any local user to freely access the temporary file directory (/tmp), which can potentially pave a path to the next level of attack.

The main attack method of Level 2 is: hackers trick legitimate users into telling them confidential information or performing tasks. Sometimes hackers will pretend to be network administrators and send emails to users, asking users to give them passwords for system upgrades.

Attacks initiated by local users almost always start with remote login. For Linux servers, the best approach is to place all shell accounts on a separate machine, that is, only accept registrations on one or more servers assigned shell access. This can make log management, access control management, release protocols, and other potential security issues easier to manage. The system that stores user CGI should also be distinguished. These machines should be isolated in specific network segments, that is, they should be surrounded by routers or network switches, depending on how the network is configured. The topology should ensure that hardware address spoofing cannot extend beyond this zone.

Attack Level 3: The remote user obtains read and write permissions for privileged files

The third level of attack can not only verify whether a specific file exists, but also Can read and write these files. The reason for this situation is that there are some weaknesses in the Linux server configuration: remote users can execute a limited number of commands on the server without a valid account.

Password attack method is the main attack method in the third level, and damaging the password is the most common attack method. Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock password-protected resources. Users often neglect their passwords, and password policies are difficult to enforce. Hackers have a variety of tools to defeat the passwords protected by technology and society. Mainly include: dictionary attack (Dictionary attack), hybrid attack (Hybrid attack), brute force attack (Brute force attack). Once a hacker has a user's password, he has many of the user's privileges. Password guessing refers to manually entering a common password or obtaining the password through the original copy of a programmed program. Some users choose simple passwords—such as birthdays, anniversaries, and spouses' names—but don't follow the rule of using a mix of letters and numbers. It doesn't take long for a hacker to guess an eight-character birthday number.

The best defense against Level 3 attacks is to strictly control access privileges, i.e. use valid passwords.

Mainly includes the rules that passwords should follow the mixed use of letters, numbers, and uppercase and lowercase (because Linux distinguishes between uppercase and lowercase).

Using special characters like "#" or "%" or "$" also adds complexity. For example, take the word "countbak", add "#$" (countbak#$) after it, and you have a pretty effective password.

Attack level four, remote user obtains root privileges

The fourth attack level refers to things that should never happen. This is a fatal attack. Indicates that the attacker has root, superuser or administrator permissions on the Linux server and can read, write and execute all files. In other words, the attacker has full control over the Linux server and can completely shut down or even destroy the network at any time.

The main attack forms of attack level four are TCP/IP serial theft, passive channel listening and packet interception. TCP/IP serial theft, passive channel listening and packet interception are methods to collect important information for entering the network. Unlike denial-of-service attacks, these methods have more theft-like properties and are more covert and difficult to detect.

A successful TCP/IP attack allows a hacker to block transactions between two parties, providing a good opportunity for a man-in-the-middle attack. The hacker can then take control of one or both parties' transactions without the victim noticing. . Through passive eavesdropping, hackers will manipulate and register information, deliver files, and find passable critical points from all passable channels on the target system. Hackers will look for the connection point between the connection and the password to identify the legitimate channel. Packet interception involves constraining an active listener program on a target system to intercept and redirect all or specific messages. Information can be redirected to an illegal system for reading and then sent back to the hacker unchanged.

TCP/IP continuous theft is actually network sniffing. Note that if you are sure that someone has connected a sniffer to your network, you can find some verification tools. This tool is called a Time Domain Reflectometer (TDR). TDR measures the propagation and changes of electromagnetic waves. Connecting a TDR to the network can detect unauthorized devices that access network data. However, many small and medium-sized companies do not have such expensive tools.

The best way to prevent sniffer attacks is:

1. Secure topology. The sniffer can only capture data on the current network segment. This means that the more granular you segment your network, the less information a sniffer can collect.

2. Session encryption. Don't worry specifically about the data being sniffed, but find a way to make the sniffer not recognize the sniffed data. The advantage of this approach is obvious: even if the attacker sniffs the data, the data is of no use to him.

Special Tips: Counterattack Measures to Deal with Attacks

You should pay special attention to attacks exceeding the second level. Because they can continuously increase the level of attack to penetrate Linux servers. At this time, the countermeasures we can take are:

First back up important key enterprise data.

Change all passwords in the system and notify users to find new passwords from the system administrator.

Isolate the network segment so that the attack behavior only occurs in a small range.

Allow the behavior to continue. If possible, do not rush to get the attacker out of the system and prepare for the next step.

Record all actions and collect evidence. These evidences include: system login files, application login files, AAA (Authentication, Authorization, Accounting, Authentication, Authorization, Accounting) login files, RADIUS (Remote Authentication Dial-In User Service) login, Network Element Logs (Network Element Logs) , firewall login, HIDS (Host-base IDS, host-based intrusion detection system) events, NIDS (network intrusion detection system) events, disk drives, hidden files, etc.

Be careful when collecting evidence: take photos before moving or dismantling any equipment; follow the two-person rule during investigations and have at least two people in information collection to prevent tampering with information; all information should be recorded Keep a record of all steps taken and any changes to configuration settings in a safe place. Check the access permissions of all directories in the system and detect whether the Permslist has been modified.

Make various attempts (using different parts of the network) to identify the source of the attack.

In order to use legal weapons to fight crimes, evidence must be preserved, and it takes time to form evidence. In order to do this, the brunt of the attack must be endured (although some security measures can be put in place to ensure that the attack does not harm the network). In this case, we not only need to take some legal measures, but also ask at least one authoritative security company to help prevent this crime. The most important feature of this type of operation is to obtain evidence of a crime, find the address of the perpetrator, and provide the logs in possession. The evidence collected should be effectively preserved. Make two copies at the beginning, one for evaluating the evidence and one for legal verification.

After finding the system vulnerability, try to block it and conduct a self-attack test.

Network security is not just a technical issue, but a social issue. Enterprises should pay more attention to network security. If they blindly rely only on technical tools, they will become more and more passive. Only by leveraging social and legal aspects to combat cybercrime can they be more effective. Our country has a clear judicial interpretation of the fight against cybercrime. Unfortunately, most companies only focus on the role of technical links and ignore legal and social factors. This is also the purpose of writing this article.

Explanation of terms: Denial of Service Attack (DOS)

DOS is Denial Of Service, the abbreviation of Denial of Service. It cannot be considered as Microsoft’s DOS operating system! A DOS attack causes the target machine to stop providing services or resource access, usually with the goal of consuming server-side resources. By forging request data that exceeds the server's processing capabilities, the server response is blocked, so that normal user requests cannot be responded to in order to achieve the attack. Purpose.

For more related knowledge, please visit the FAQ column!

The above is the detailed content of What are the ways to attack local processes in Linux systems?. For more information, please follow other related articles on the PHP Chinese website!