Product SiteDocumentation Site

10.5. Genius/Paranoia Ideas - what you could do

This is probably the most unstable and funny section, since I hope that some of the "duh, that sounds crazy" ideas might be realized. The following are just some ideas for increasing security - maybe genius, paranoid, crazy or inspired depending on your point of view.
  • 轻率的对待可插入认证模块 (PAM). 就象文章 Phrack 56 PAM 中说的一样, PAM 最好是"您只是受您思维的限制", 这是真的, 设想一下 root 通过指纹或眼睛扫描或 加密卡认证登陆(为什么我使用 或 连接词来代替 和 ?).
  • 法西斯式记录. 我把前面所做的关于日志的讨论称作"软件日志". 如果您想完成真正的日志, 就配置一台打印机, 并把所有的日志打印出来. 这听起来很滑稽, 但这样才可靠, 不会被篡改或删除.
  • 光盘版本. 这个想法很好实现, 并更具安全性. 构建一个安全化的 Debian 发行版, 并带有合适的防火墙规则. 把它转换成可引导 ISO 影像, 然后烧录成光盘. 这样您就拥有了一个只读版本, 大约有600M空间用于服务. 只要确保所有需要写入的数据都是通过网络完成的就行了. 这样入侵者就不可能拥有系统的读/写权限, 并且入侵者的任何修改都不会影像重起后的系统.
  • 禁用模块切换能力. 就象前边所谈论的, 当您在编译阶段禁用掉模块, 许多基于内核的后门就不可能实现, 因为它们中的大部分基于安装时对内核模块的修改.
  • Logging through serial cable (contributed by Gaby Schilders). As long as servers still have serial ports, imagine having one dedicated logging system for a number of servers. The logging system is disconnected from the network, and connected to the servers via a serial-port multiplexer (Cyclades or the like). Now have all your servers log to their serial ports, write only. The log-machine only accepts plain text as input on its serial ports and only writes to a log file. Connect a CD/DVD-writer, and transfer the log file to it when the log file reaches the capacity of the media. Now if only they would make CD writers with auto-changers... Not as hard copy as direct logging to a printer, but this method can handle larger volumes and CD-ROMs use less storage space.
  • Change file attributes using chattr (taken from the Tips-HOWTO, written by Jim Dennis). After a clean install and initial configuration, use the chattr program with the +i attribute to make files unmodifiable (the file cannot be deleted, renamed, linked or written to). Consider setting this attribute on all the files in /bin, /sbin/, /usr/bin, /usr/sbin, /usr/lib and the kernel files in root. You can also make a copy of all files in /etc/, using tar or the like, and mark the archive as immutable.
    This strategy will help limit the damage that you can do when logged in as root. You won't overwrite files with a stray redirection operator, and you won't make the system unusable with a stray space in a rm -fr command (you might still do plenty of damage to your data - but your libraries and binaries will be safer).
    这个策略也可使系统免受拒绝服务攻击(DoS), 或使其更加困难(因为大多数基于通过激活一些 SETUID 程序, 来重写一个文件,这并不能避免随意的 shell 命令).
    One inconvenience of this strategy arises during building and installing various system binaries. On the other hand, it prevents the make install from over-writing the files. When you forget to read the Makefile and chattr -i the files that are to be overwritten, (and the directories to which you want to add files) - the make command fails, and you just use the chattr command and rerun it. You can also take that opportunity to move your old bin's and libs out of the way, into a .old/ directory or tar archive for example.
    注意这个策略将会使您无法升级系统, 因为被更新的文件是无法重写的. 您也许需要一个脚本或机制使得在 apt-get update 前取消所有程序的不可修改标志.
  • 使用 UTP 电缆时, 去掉2根或4根线, 使其只能进行 one-way 传输. 这样, 使用 UDP 包向做为安全日志服务器或信用卡存储系统的机器发送信息包.

10.5.1. 构建蜜罐

蜜罐(honeypot)是一个设计来让系统管理员用于学习黑客如何探测和利用一个系统的系统. 这个系统的设置目的是希望被探测, 攻击, 和潜在的利用. 通过学习黑客使用的工具和方法, 系统管理员可以更好的保护他们的系统和网络.
Debian GNU/Linux systems can easily be used to setup a honeynet, if you dedicate the time to implement and monitor it. You can easily setup the fake honeypot server as well as the firewall[67] that controls the honeynet and some sort of network intrusion detector, put it on the Internet, and wait. Do take care that if the system is exploited, you are alerted in time (see 第 4.13 节 “日志与警告的重要性”) so that you can take appropriate measures and terminate the compromise when you've seen enough. Here are some of the packages and issues to consider when setting up your honeypot:
  • 您要使用的防火墙技术(由 Linux 内核提供).
  • syslog-ng, useful for sending logs from the honeypot to a remote syslog server.
  • snort, to set up capture of all the incoming network traffic to the honeypot and detect the attacks.
  • osh, a SETUID root, security enhanced, restricted shell with logging (see Lance Spitzner's article below).
  • Of course, all the daemons you will be using for your fake server honeypot. Depending on what type of attacker you want to analyse you will or will not harden the honeypot and keep it up to date with security patches.
  • Integrity checkers (see 第 4.17.3 节 “文件系统的完整性检查”) and The Coroner's Toolkit (tct) to do post-attack audits.
  • honeyd and farpd to setup a honeypot that will listen to connections to unused IP addresses and forward them to scripts simulating live services. Also check out iisemulator.
  • tinyhoneypot to setup a simple honeypot server with fake services.
If you cannot use spare systems to build up the honeypots and the network systems to protect and control it you can use the virtualisation technology available in xen or uml (User-Mode-Linux). If you take this route you will need to patch your kernel with either kernel-patch-xen or kernel-patch-uml.
You can read more about building honeypots in Lanze Spitzner's excellent article http://www.net-security.org/text/articles/spitzner/honeypot.shtml (from the Know your Enemy series). Also, the http://project.honeynet.org/ provides valuable information about building honeypots and auditing the attacks made on them.


[67] You will typically use a bridge firewall so that the firewall itself is not detectable, see 第 B.4 节 “设定网桥防火墙”.