14.6. 其他安全相关事项

Security is not just a technical problem; more than anything, it is about good practices and understanding the risks. This section reviews some of the more common risks, as well as a few best practices which should, depending on the case, increase security or lessen the impact of a successful attack.

14.6.1. 网页应用程序的内在风险

Web 应用的普遍性导致其剧增。往往是几个并行运行:网页邮件,维基,群件系统,论坛,图片库,博客等等。许多应用依赖于“LAMP”(Linux, Apache, MySQL, PHP)。不幸的是,很多这种应用在编写的时候没有考虑安全问题。而源于外部世界的数据通常很少或者不去验证。使用特别数值可以将一个调用暗中转换成一个指令,以便于执行另外的替代程序。许多明显的问题随着时间的推移都被修正了,然而新的安全问题又时不时的跳出来。

词汇 SQL 注入

When a program inserts data into SQL queries in an insecure manner, it becomes vulnerable to SQL injections; this name covers the act of changing a parameter in such a way that the actual query executed by the program is different from the intended one, either to damage the database or to access data that should normally not be accessible.

https://en.wikipedia.org/wiki/SQL_Injection

因此,定期更新 web 应用是必须的,以减少任何攻击者(无论是专业攻击者或者脚本小子)可以利用的已知漏洞。实际的风险取决于所处的情况,从数据销毁到执行任意代码,也包括网络涂改。

14.6.2. 知道预期什么

网页应用程序的弱点常常是攻击尝试的起点。下面简单的回顾一下可能的后果。

速览过滤 HTTP 查询

Apache 2 includes modules allowing filtering incoming HTTP queries. This allows blocking some attack vectors. For instance, limiting the length of parameters can prevent buffer overflows. More generally, one can validate parameters before they are even passed to the web application and restrict access along many criteria. This can even be combined with dynamic firewall updates, so that a client infringing one of the rules is banned from accessing the web server for a given period of time.

设定这些检查是费时,费劲的任务。但当网页应用有一条可疑追踪记录时,就会有所回报。

mod-security2 (in the libapache2-mod-security2 package) is the main such module. It even comes with many ready-to-use rules of its own (in the modsecurity-crs package) that you can easily enable.

侵入的结果会留下各自痕迹,取决于攻击者的动机。脚本小子(Script-kiddies)只会用他们在网上找到的方法;常常是涂改页面或者删除数据。狡猾一点的,会在网页中添加无形内容,来提高他们自己网站在搜索引擎中的引用次数。

A more advanced attacker will go beyond that. A disaster scenario could go on in the following fashion: the attacker gains the ability to execute commands as the www-data user, but executing a command requires many manipulations. To make their life easier, they install other web applications specially designed to remotely execute many kinds of commands, such as browsing the filesystem, examining permissions, uploading or downloading files, executing commands, and even provide a network shell. Often, the vulnerability will allow running a wget command that will download some malware into /tmp/, then executing it. The malware is often downloaded from a foreign website that was previously compromised, in order to cover tracks and make it harder to find out the actual origin of the attack.

此时,攻击者就有足够的行动自由了,他们常常会安装一个 IRC 机器人-bot(一个连接到 IRC 服务器的机器人并且可以通过频道来控制)。该机器人常常用来共享非法文件(未授权的电影或软件拷贝,等等)。一个坚决的攻击者可能会走到更远。www-data 账户不允许对机器的完全存取,攻击者会尝试获取管理员权限。现在,这个还不可能,但是如果网页应用程序不是最新的,内核和其他程序有可能也是过期的;这有时候源于管理员的决断,尽管知道容易遭受攻击,由于没有本地用户仍然忽略更新。然后,攻击者就会利用第二个弱点来取得超级用户权限。

词汇特权升级

该术语涵盖了任何用于获得比给定用户正常情况下更多权限的行为。sudo 程序被设计用来将管理员权限赋予某些用户。但是,同样的术语也用来描述攻击者利用漏洞获取不当权限。

现在攻击者拥有了机器;他们将试图尽可能长时间的保持其权限。这就要安装 后门-rootkit,一个取代系统组件的程序,以便攻击者可以在随后的时间重新获取管理员特权;后门软件也会试图隐藏自己和入侵痕迹。被破坏的 ps 程序会漏掉一些进程,netstat 也不会列出一些活动链接,等等。拥有超级用户权限,攻击者可以观察整个系统,但是不一定能找到重要数据;因此他们会尝试侵入协作网络中其他的机器。分析管理员的账户和历史记录,攻击者会发现哪些机器被经常访问。使用被修改的程序替换 sudo 或者 ssh,攻击者能截取到部分管理员密码,并将其用在探测到的服务器上...入侵就会传播开来。

这种噩梦可以通过几种方法阻止。接下来的章节会讲述几种方法。

14.6.3. 明智地选择软件

一旦潜在的安全问题被暴露,就必须在配置服务的每个步骤都要考虑,特别是在选择安装软件的时候。许多网站,例如 SecurityFocus.com,会列出最近发现的漏洞,在一些特殊软件部署之前会给出安全记录。当然,要平衡此信息和所述软件的普及程度:越是使用广泛的软件,越是诱人,因而审查也更严密。

词汇 安全审核

安全审核是彻底地阅读和分析某些软件的源代码,并寻找它可能包含的潜在安全漏洞。这种审核通常是预先的,并用于确保程序符合特定的安全需求。

In the free software world, there is generally ample room for choice, and choosing one piece of software over another should be a decision based on the criteria that apply locally. More features imply an increased risk of a vulnerability hiding in the code; picking the most advanced program for a task may actually be counter-productive, and a better approach is usually to pick the simplest program that meets the requirements.

词汇 0day 漏洞

零日漏洞攻击很难预防;该术语用于描述程序中那些作者还不知道的漏洞。

14.6.4. 将机器作为整体管理

Most Linux distributions install by default a number of Unix services and many tools. In many cases, these services and tools are not required for the actual purposes for which the administrator set up the machine. As a general guideline in security matters, unneeded software is best uninstalled. Indeed, there is no point in securing an FTP server, if a vulnerability in a different, unused service can be used to get administrator privileges on the whole machine.

出于同样的原因,防火墙通常配置为只允许访问公共服务。

Current computers are powerful enough to allow hosting several services on the same physical machine. From an economic viewpoint, such a possibility is interesting: only one computer to administrate, lower energy consumption, and so on. From the security point of view, however, such a choice can be a problem. One compromised service can bring access to the whole machine, which in turn compromises the other services hosted on the same computer. This risk can be mitigated by isolating the services. This can be attained either with virtualization (each service being hosted in a dedicated virtual machine or container), or with AppArmor/SELinux (each service daemon having an adequately designed set of permissions).

14.6.5. 用户是参与者

谈到安全,要马上考虑保护免受隐藏在互联网丛林里匿名破坏者的攻击;但是,经常被遗忘的事实是-风险也来自内部:离职雇员会下载重要敏感的项目文件并买给竞争对手;大意的销售可能在开前景规划会议时,离开电脑而没有锁定桌面;笨拙的用户可能误删目录;等等。

对付这些风险可以使用技术手段:授予用户的权限不多于所需求的权限,并且必须进行常规备份。但是在许多情况下,适当的保护也包含培训用户进而规避风险。

速览 autolog

autolog 软件包可以在设定的延时过后自动断开非活动用户。也可以在会话结束后,杀死用户进程,进而防止用户运行守护进程。

14.6.6. 物理安全

如果计算机本身没有受到保护,保护服务和网络是没有意义的。重要数据应该存储在 RAID 阵列可热交换硬盘上,即使硬盘失效,但是数据必须可用。如果送披萨的小伙子能进入大楼,溜进服务器房间并带着几块硬盘逃跑,那么安全的重要方面没有满足。谁可以进入服务器房间?出入被监控了吗?当评估物理安全时,需要考虑这些问题。

物理安全也包括考虑事故风险,例如火灾。这种特殊风险说明有理由将备份介质保存在单独的建筑物,或者至少保存在防火保险箱内。

14.6.7. 法律责任

管理员或多或少被用户和网络用户所信任。因此,应避免任何可能被恶人利用的漏洞。

An attacker taking control of your machine then using it as a forward base (known as a “relay system”) from which to perform other nefarious activities could cause legal trouble for you, since the attacked party would initially see the attack coming from your system, and therefore consider you as the attacker (or as an accomplice). In many cases, the attacker will use your server as a relay to send spam, which shouldn’t have much impact (except potentially registration on black lists that could restrict your ability to send legitimate emails), but won’t be pleasant, nevertheless. In other cases, more important trouble can be caused from your machine, for instance, denial of service attacks. This will sometimes induce loss of revenue, since the legitimate services will be unavailable and data can be destroyed; sometimes this will also imply a real cost, because the attacked party can start legal proceedings against you. Rights-holders can sue you if an unauthorized copy of a work protected by copyright law is shared from your server, as well as other companies compelled by service level agreements if they are bound to pay penalties following the attack from your machine.

如果此类情况发生了,自称清白通常是不够的;至少,你要出示在你系统上进行可疑活动源于指定 IP 的证据。这几乎是不可能的,如果你忽略了本章的建议,让攻击者获得特权账户(特别是超级用户)并使用它来掩盖痕迹。