
14.6. Other Security-Related Considerations

Security is not just a technical problem; more than anything, it is about good practices and understanding the risks. This section reviews some of the more common risks, as well as a few best practices which should, depending on the case, increase security or lessen the impact of a successful attack.

14.6.1. Inherent Risks of Web Applications

The universal character of web applications has led to their proliferation. Several often run in parallel: a webmail, a wiki, a groupware system, forums, a photo gallery, a blog, and so on. Many of these applications rely on the “LAMP” stack (Linux, Apache, MySQL, PHP). Unfortunately, many of them were written without much consideration for security. Data coming from the outside world is too often used with little or no validation, and providing specially crafted values can subvert a call to a command so that a different one is executed instead. Many of the most obvious problems have been fixed over time, but new security problems keep popping up regularly.
Updating web applications regularly is therefore a must, lest any cracker (whether a professional attacker or a “script kiddy”) can exploit a known vulnerability. The actual risk depends on the case, and ranges from data destruction to arbitrary code execution, including web site defacement.
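The missing validation described above is, in practice, often a plain allow-list check on any value that arrives from the outside before it reaches a command line. The following shell function is an added example written for this section (it is not code from the handbook or from any of the applications it mentions); the value being checked is assumed to be a file name supplied by a web visitor, and the consuming function `show_gallery_entry` and its directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the handbook): allow-list validation of an externally
# supplied value before it is used on a command line.
#
# Returns 0 when the value is a plain name made of letters, digits, '.', '_'
# and '-', and 1 otherwise. Besides the character allow-list, it rejects the
# usual edge cases: an empty value, a value starting with '-' (which a command
# would parse as an option), and anything containing '..' (directory traversal).
is_safe_name() {
    value=$1
    case $value in
        '')                 return 1 ;;   # empty
        -*)                 return 1 ;;   # would be taken as an option
        .)                  return 1 ;;   # current directory, not a file name
        *..*)               return 1 ;;   # traversal attempt such as ../etc
        *[!A-Za-z0-9._-]*)  return 1 ;;   # any character outside the allow-list
        *)                  return 0 ;;
    esac
}

# Hypothetical consumer: the gallery directory and the visitor-supplied name
# are constructed inputs. The value is only used after validation, and it is
# passed as a separate, quoted argument after '--' rather than through eval.
show_gallery_entry() {
    dir=$1
    name=$2
    if ! is_safe_name "$name"; then
        echo "rejected: invalid entry name" >&2
        return 2
    fi
    ls -l -- "$dir/$name"
}
```

The rule of thumb the function encodes is “accept only what is known to be good” rather than trying to enumerate dangerous characters; a deny-list tends to miss the one metacharacter the attacker tries next.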

14.6.2. Knowing What To Expect

A vulnerability in a web application is often used as a starting point for cracking attempts. What follows is a short review of the possible consequences.
The consequences of an intrusion will have various levels of obviousness depending on the motivations of the attacker. “Script-kiddies” only apply recipes they find on web sites; most often, they deface a web page or delete data. In more subtle cases, they add invisible contents to web pages so as to improve referrals to their own sites in search engines.
A more advanced attacker will go beyond that. A disaster scenario could go on in the following fashion: the attacker gains the ability to execute commands as the www-data user, but executing a command requires many manipulations. To make their life easier, they install other web applications specially designed to remotely execute many kinds of commands, such as browsing the filesystem, examining permissions, uploading or downloading files, executing commands, and even provide a network shell. Often, the vulnerability will allow running a wget command that will download some malware into /tmp/, then executing it. The malware is often downloaded from a foreign website that was previously compromised, in order to cover tracks and make it harder to find out the actual origin of the attack.
At this point, the attacker has enough freedom of movement that they often install an IRC bot (a robot that connects to an IRC server and can be controlled through a channel). This bot is often used to share illegal files (unauthorized copies of movies or software, and so on). A determined attacker may want to go even further. The www-data account does not allow full access to the machine, and the attacker will try to obtain administrator privileges. Now, this should not be possible, but if the web application was not up to date, chances are that the kernel and other programs are outdated too; this sometimes follows a decision by the administrator who, despite knowing about the vulnerability, neglected to upgrade the system since there are no local users. The attacker can then take advantage of this second vulnerability to get root access.
Now the attacker owns the machine; they will usually try to keep this privileged access for as long as possible. This involves installing a rootkit, a program that will replace some components of the system so that the attacker will be able to obtain the administrator privileges again at a later time (see also the QUICK LOOK sidebar on the checksecurity and chkrootkit/rkhunter packages); the rootkit also tries hiding its own existence as well as any traces of the intrusion. A subverted ps program will omit to list some processes, netstat will not list some of the active connections, and so on. Using the root permissions, the attacker was able to observe the whole system, but didn't find important data; so they will try accessing other machines in the corporate network. Analyzing the administrator's account and the history files, the attacker finds what machines are routinely accessed. By replacing sudo or ssh with a subverted program, the attacker can intercept some of the administrator's passwords, which they will use on the detected servers… and the intrusion can propagate from then on.
This nightmare scenario can be prevented by several measures. The next few sections describe some of them.
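A subverted ps hides processes from the administrator, but the kernel's own view in /proc is harder to falsify from user space, so comparing the two is one of the cheap checks a tool like chkrootkit performs. The script below is an added example written for this section, not code from the handbook or from chkrootkit/rkhunter; `hidden_pids` does the pure comparison on two PID lists (so it can be exercised on constructed input), and `check_live` feeds it real data from /proc and `ps`.

```shell
#!/bin/sh
# Added example (not from the handbook): cross-check the process table against
# the kernel's /proc view. A PID present in /proc but absent from ps output is
# either a process that lived only for an instant or one that ps is hiding.

# Pure comparison: both arguments are whitespace- or newline-separated PID lists.
# Prints every PID of the first list that does not occur in the second.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    # Normalise the ps list to " 1 2 3 " so each PID can be matched whole.
    padded=" $(printf '%s ' $ps_list)"
    for pid in $proc_list; do
        case $padded in
            *" $pid "*) ;;                 # reported by ps: nothing to flag
            *) printf '%s\n' "$pid" ;;     # seen in /proc only
        esac
    done
}

# Live check. /proc is read twice, before and after running ps, and only PIDs
# present in both snapshots are compared: a process that starts or exits
# between the readings is then not mistaken for a hidden one.
check_live() {
    before=$(ls /proc | grep -E '^[0-9]+$')
    reported=$(ps -e -o pid= | tr -d ' ')
    after=$(ls /proc | grep -E '^[0-9]+$')
    stable=$(printf '%s\n%s\n' "$before" "$after" | sort | uniq -d)
    hidden_pids "$stable" "$reported"
}

# Run the live check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check-procs.sh --live` from a rescue medium or with a statically linked `ps` when a compromise is suspected: a rootkit that has replaced the system's `ps` may equally have replaced `ls` or `grep`, which is why the dedicated tools ship their own copies of these checks.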

14.6.3. Choosing the Software Wisely

Once the potential security problems are known, they must be taken into account at each step of the process of deploying a service, especially when choosing the software to install. Many web sites keep a list of recently-discovered vulnerabilities, which can give an idea of a security track record before some particular software is deployed. Of course, this information must be balanced against the popularity of said software: a more widely-used program is a more tempting target, and it will be more closely scrutinized as a consequence. On the other hand, a niche program may be full of security holes that never get publicized due to a lack of interest in a security audit.
In the free software world, there is generally ample room for choice, and choosing one piece of software over another should be a decision based on the criteria that apply locally. More features imply an increased risk of a vulnerability hiding in the code; picking the most advanced program for a task may actually be counter-productive, and a better approach is usually to pick the simplest program that meets the requirements.

14.6.4. Managing a Machine as a Whole

Most Linux distributions install by default a number of Unix services and many tools. In many cases, these services and tools are not required for the actual purposes for which the administrator set up the machine. As a general guideline in security matters, unneeded software is best uninstalled. Indeed, there is no point in securing an FTP server, if a vulnerability in a different, unused service can be used to get administrator privileges on the whole machine.
For similar reasons, firewalls are usually configured to allow access only to the services that are meant to be public.
Current computers are powerful enough to allow hosting several services on the same physical machine. From an economic viewpoint, such a possibility is interesting: only one computer to administrate, lower energy consumption, and so on. From the security point of view, however, such a choice can be a problem. One compromised service can bring access to the whole machine, which in turn compromises the other services hosted on the same computer. This risk can be mitigated by isolating the services. This can be attained either with virtualization (each service being hosted in a dedicated virtual machine or container), or with AppArmor/SELinux (each service daemon having an adequately designed set of permissions).
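Knowing which services a machine actually exposes is the first step towards uninstalling the unneeded ones and matching the firewall to the public ones. The script below is an added example written for this section (not code from the handbook); it parses the output of `ss -Hltn` and reports every listening TCP socket whose port is not in an allow-list of expected services. The sample `ss` output and the allow-list of a machine meant to serve only SSH and HTTP(S) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the handbook): audit listening TCP sockets against
# the list of services this machine is meant to offer. Anything else is either
# a default service that should be stopped and uninstalled, or a port the
# firewall must not let through.

# Pure parsing step, testable on constructed input. First argument: output of
# "ss -Hltn" (no header; column 4 is "local address:port"). Second argument:
# space-separated list of expected ports. Prints the local address:port of
# every listener whose port is not expected.
unexpected_listeners() {
    ss_output=$1
    expected=$2
    printf '%s\n' "$ss_output" | awk -v allow="$expected" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 {
            local = $4
            port = local
            sub(/.*:/, "", port)        # keep only the port; works for [::]:22 too
            if (!(port in ok)) print local
        }'
}

# Constructed sample of what ss -Hltn prints on a machine that also runs a
# database and the portmapper nobody asked for.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 50 0.0.0.0:111 0.0.0.0:*'

# Allow-list for a host whose role is "SSH plus web server" (adjust per host).
EXPECTED_PORTS="22 80 443"

# Audit the sample data.
demo() {
    unexpected_listeners "$SAMPLE_SS" "$EXPECTED_PORTS"
}

# Audit the running machine.
check_live() {
    unexpected_listeners "$(ss -Hltn)" "$EXPECTED_PORTS"
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

On the sample data the audit flags `127.0.0.1:3306` and `0.0.0.0:111`. A loopback-only listener such as the database is deliberately still reported: the point of the exercise is for the administrator to decide, per service, whether it belongs on this machine at all, since a compromised local service is exactly the stepping stone the previous section describes.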

14.6.5. Users Are Players

Discussing security immediately brings to mind protection against attacks by anonymous crackers hiding in the Internet jungle; but an often-forgotten fact is that risks also come from inside: an employee about to leave the company could download sensitive files on important projects and sell them to competitors, a careless salesman could leave their desk without locking their session during a meeting with a new prospect, a clumsy user could delete the wrong directory by mistake, and so on.
The response to these risks can involve technical solutions: users should be granted no more than the permissions they need, and regular backups are a must. But in many cases, the appropriate protection will involve training users to avoid the risks.

14.6.6. Physical Security

There is no point in securing the services and networks if the computers themselves are not protected. Important data deserves to be stored on hot-swappable hard disks in RAID arrays, because hard disks eventually fail and data must remain available. But if any pizza delivery boy can enter the building, sneak into the server room and run away with a few selected hard disks, an important part of security is not fulfilled. Who can enter the server room? Is access monitored? These questions deserve consideration when evaluating physical security.
Physical security also includes taking into account the risk of accidents such as fires. This particular risk is what justifies storing the backup media in a separate building, or at least in a fire-proof strongbox.

14.6.7. Legal Liability

An administrator is, more or less implicitly, trusted by their users as well as by the users of the network in general. They should therefore avoid any negligence that malevolent people could exploit.
An attacker taking control of your machine then using it as a forward base (known as a “relay system”) from which to perform other nefarious activities could cause legal trouble for you, since the attacked party would initially see the attack coming from your system, and therefore consider you as the attacker (or as an accomplice). In many cases, the attacker will use your server as a relay to send spam, which shouldn't have much impact (except potentially registration on black lists that could restrict your ability to send legitimate emails), but won't be pleasant, nevertheless. In other cases, more important trouble can be caused from your machine, for instance, denial of service attacks. This will sometimes induce loss of revenue, since the legitimate services will be unavailable and data can be destroyed; sometimes this will also imply a real cost, because the attacked party can start legal proceedings against you. Rights-holders can sue you if an unauthorized copy of a work protected by copyright law is shared from your server, as well as other companies compelled by service level agreements if they are bound to pay penalties following the attack from your machine.
If such a situation happens, claiming innocence is usually not enough; at the very least, you will need convincing evidence showing that the suspect activity on your system came from a given IP address. This will be almost impossible if you neglected the recommendations of this chapter and let the attacker obtain access to a privileged account (root, in particular) and use it to cover their tracks.