Product SiteDocumentation Site

第 10 章 被攻陷之前

10.1. Keep your system secure
10.1.1. Tracking security vulnerabilities
10.1.2. 系统的及时更新
10.1.3. 避免使用 unstable 分支
10.1.4. Security support for the testing branch
10.1.5. 自动完成 Debian GNU/Linux 系统的更新
10.2. 周期性入侵检测
10.3. 设置入侵检测
10.3.1. 基于网络的入侵检测
10.3.2. 基于主机的入侵检测
10.4. 避免 root-kits
10.4.1. 可加载内核模块 (LKM)
10.4.2. 检测 root-kits
10.5. Genius/Paranoia Ideas - what you could do
10.5.1. 构建蜜罐

10.1. Keep your system secure

You should strive to keep your system secure by monitoring its usage and also the vulnerabilities that might affect it, patching them as soon as patches are available. Even though you might have installed a really secure system initially you have to remember that security in a system degrades with time, security vulnerabilities might be found for exposed system services and users might expose the system security either because of lack of understanding (e.g. accessing a system remotely with a clear-text protocol or using easy to guess passwords) or because they are actively trying to subvert the system's security (e.g. install additional services locally on their accounts).

10.1.1. Tracking security vulnerabilities

Although most administrators are aware of security vulnerabilities affecting their systems when they see a patch that is made available you can strive to keep ahead of attacks and introduce temporary countermeasures for security vulnerabilities by detecting when your system is vulnerable. This is specially true when running an exposed system (i.e. connected to the Internet) and providing a service. In such case the system's administrators should take care to monitor known information sources to be the first to know when a vulnerability is detected that might affect a critical service.
This typically includes subscribing to the announcement mailing lists, project websites or bug tracking systems provided by the software developers for a specific piece of code. For example, Apache users should regularly review Apache's http://httpd.apache.org/security_report.html and subscribe to the http://httpd.apache.org/lists.html#http-announce mailing list.
In order to track known vulnerabilities affecting the Debian distribution, the Debian Testing Security Team provides a https://security-tracker.debian.org/ that lists all the known vulnerabilities which have not been yet fixed in Debian packages. The information in that tracker is obtained through different public channels and includes known vulnerabilities which are available either through security vulnerability databases or http://www.debian.org/Bugs/. Administrators can search for the known security issues being tracked for https://security-tracker.debian.org/tracker/status/release/stable, https://security-tracker.debian.org/tracker/status/release/oldstable, https://security-tracker.debian.org/tracker/status/release/testing, or https://security-tracker.debian.org/tracker/status/release/unstable.
The tracker has searchable interfaces (by http://cve.mitre.org/ name and package name) and some tools (such as debsecan, see 第 10.1.2.4 节 “Automatically checking for security issues with debsecan”) use that database to provide information of vulnerabilities affecting a given system which have not yet been addressed (i.e. those who are pending a fix).
Concious administrators can use that information to determine which security bugs might affect the system they are managing, determine the severity of the bug and apply (if available) temporary countermeasures before a patch is available fixing this issue.
Security issues tracked for releases supported by the Debian Security Team should eventually be handled through Debian Security Advisories (DSA) and will be available for all users (see 第 10.1.2 节 “系统的及时更新”). Once security issues are fixed through an advisory they will not be available in the tracker, but you will be able to search security vulnerabilities (by CVE name) using the http://www.debian.org/security/crossreferences available for published DSAs.
Notice, however, that the information tracked by the Debian Testing Security Team only involves disclosed vulnerabilities (i.e. those already public). In some occasions the Debian Security Team might be handling and preparing DSAs for packages based on undisclosed information provided to them (for example, through closed vendor mailing lists or by upstream maintainers of software). So do not be surprised to find security issues that only show up as an advisory but never get to show up in the security tracker.

10.1.2. 系统的及时更新

You should conduct security updates frequently. The vast majority of exploits result from known vulnerabilities that have not been patched in time, as this http://www.cs.umd.edu/~waa/vulnerability.html (presented at the 2001 IEEE Symposium on Security and Privacy) explains. Updates are described under 第 4.2 节 “进行安全更新”.

10.1.2.1. 手动检查有效的安全更新

Debian does have a specific tool to check if a system needs to be updated but many users will just want to manually check if any security updates are available for their system.
如果您如 第 4.2 节 “进行安全更新” 所述, 配置了系统. 那么, 仅需要:
# apt-get update
# apt-get upgrade -s
[ ... review packages to be upgraded ... ]
# apt-get upgrade 
# checkrestart
[ ... restart services that need to be restarted ... ]
And restart those services whose libraries have been updated if any. Note: Read 第 4.2 节 “进行安全更新” for more information on library (and kernel) upgrades.
第一行将从您配置的源下载可用软件包列表. -s 将做一个模拟运行, 即并不真的下载, 并安装软件包, 而只是告诉您将会下载/安装哪些. 从输出中, 您可以知道 Debian 对哪些软件包做了修补, 可以做为一个安全更新. 例如:
# apt-get upgrade -s
Reading Package Lists... Done
Building Dependency Tree... Done
2 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)
Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)
Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)
Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)
In this example, you can see that the system needs to be updated with new cvs and cupsys packages which are being retrieved from woody's security update archive. If you want to understand why these packages are needed, you should go to http://security.debian.org and check which recent Debian Security Advisories have been published related to these packages. In this case, the related DSAs are https://lists.debian.org/debian-security-announce/2003/msg00014.html (for cvs) and https://lists.debian.org/debian-security-announce/2003/msg00013.html (for cupsys).
Notice that you will need to reboot your system if there has been a kernel upgrade.

10.1.2.2. Checking for updates at the Desktop

Since Debian 4.0 lenny Debian provides and installs in a default installation update-notifier. This is a GNOME application that will startup when you enter your Desktop and can be used to keep track of updates available for your system and install them. It uses update-manager for this.
In a stable system updates are only available when a security patch is available or at point releases. Consequently, if the system is properly configured to receive security updates as described in 第 4.2 节 “进行安全更新” and you have a cron task running to update the package information you will be notified through an icon in the desktop notifcation area.
The notification is not intrusive and users are not forced to install updates. From the notification icon a desktop user (with the administrator's password) can access a simple GUI to show available updates and install them.
This application works by checking the package database and comparing the system with its contents. If the package database is updated periodically through a cron task then the contents of the database will be newer than the packages installed in the system and the application will notify you.
Apt installs such a task (/etc/cron.d/apt) which will run based on Apt's configuration (more specifically APT::Periodic). In the GNOME environment this configuration value can be adjusted by going to System > Admin > Software origins > Updates, or running /usr/bin/software-properties.
If the system is set to download the packages list daily but not download the packages themselves your /etc/apt/apt.conf.d/10periodic should look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
You can use a different cron task, such as the one installed by cron-apt (see 第 10.1.2.3 节 “使用 cron-apt 自动完成更新检查”). You can also just manually check for upgrades using this application.
Users of the KDE desktop environment will probably prefer to install adept and adept-notifier instead which offers a similar functionality but is not part of the standard installation.

10.1.2.3. 使用 cron-apt 自动完成更新检查

Another method for automatic security updates is the use of cron-apt. This package provides a tool to update the system at regular intervals (using a cron job), and can also be configured to send mails to the system administrator using the local mail transport agent. It will just update the package list and download new packages by default but it can be configured to automatically install new updates.
Notice that you might want to check the distribution release, as described in 第 7.5.3 节 “Per distribution release check”, if you intend to automatically updated your system (even if only downloading the packages). Otherwise, you cannot be sure that the downloaded packages really come from a trusted source.
More information is available at the http://www.debian-administration.org/articles/162.

10.1.2.4. Automatically checking for security issues with debsecan

The debsecan program evaluates the security status of by reporting both missing security updates and security vulnerabilities. Unlike cron-apt, which only provides information related to security updates available, but this tool obtains information from the security vulnerability database maintained by the Debian Security Team which includes also information on vulnerabilities which are not yet fixed through a security update. Consequently, it is more efficient at helping administrators track security vulnerabilities (as described in 第 10.1.1 节 “Tracking security vulnerabilities”).
Upon installing the Debian package debsecan, and if the administrator consents to it, it will generate a cron task that will make it run and send the output to a specific user whenever it finds a vulnerable package. It will also download the information from the Internet. The location of the security database is also part of the questions ask on installation and are later defined /etc/default/debsecan, it can be easily adjusted for systems that do not have Internet access so that they all pull from a local mirror so that there is a single point that access the vulnerability database.
Notice, however, that the Security Team tracks many vulnerabilities including low-risk issues which might not be fixed through a security update and some vulnerabilities initially reported as affecting Debian might, later on, upon investigation, be dismissed. Debsecan will report on all the vulnerabilities, which makes it a quite more verbose than the other tools described above.
More information is available at the http://www.enyo.de/fw/software/debsecan/.

10.1.2.5. Other methods for security updates

There is also the apticron, which, similarly to cron-apt will check for updates and send mails to the administrator. More information on apticron is available at the http://www.debian-administration.org/articles/491.
You might also want to take a look at http://clemens.endorphin.org/secpack/ which is an unofficial program to do security updates from security.debian.org with signature checking written by Fruhwirth Clemens. Or to the Nagios Plugin http://www.unixdaemon.net/nagios_plugins.html#check_debian_packages written by Dean Wilson.

10.1.3. 避免使用 unstable 分支

Unless you want to dedicate time to patch packages yourself when a vulnerability arises, you should not use Debian's unstable branch for production-level systems. The main reason for this is that there are no security updates for unstable.
The fact is that some security issues might appear in unstable and not in the stable distribution. This is due to new functionality constantly being added to the applications provided there, as well as new applications being included which might not yet have been thoroughly tested.
为了对 unstable 分支进行安全更新, 您可能必须全部更新到新版本(其影响远远不止对软件包). 尽管存在一些例外, 安全补丁通常只进入 stable 分支. 其主要想法是在更新之间不再加入新的代码, 主要进行修补重大问题.
Notice, however, that you can use the security tracker (as described in 第 10.1.1 节 “Tracking security vulnerabilities”) to track known security vulnerabilities affecting this branch.

10.1.4. Security support for the testing branch

如果您正在使用 testing 分支,那么您则必须考虑一些有关可用安全更新的问题:
  • When a security fix is prepared, the Security Team backports the patch to stable (since stable is usually some minor or major versions behind). Package maintainers are responsible for preparing packages for the unstable branch, usually based on a new upstream release. Sometimes the changes happen at nearly the same time and sometimes one of the releases gets the security fix before. Packages for the stable distribution are more thoroughly tested than unstable, since the latter will in most cases provide the latest upstream release (which might include new, unknown bugs).
  • 通常也有用于 unstable 的更新, 当软件包的维护者制作了一个新的软件包, 并且当安全小组制作了新的上载, 并公布了 DSA. 注意这两者都不会更改 testing 分支
  • If no (new) bugs are detected in the unstable version of the package, it moves to testing after several days. The time this takes is usually ten days, although that depends on the upload priority of the change and whether the package is blocked from entering testing by its dependency relationships. Note that if the package is blocked from entering testing the upload priority will not change the time it takes to enter.
根据发行版的发行状态, 这种方式可能会改变. 当一个发行版将要放出时, 安全小组或软件包维护者可能对 testing 直接提供更新.
Additionally, the http://secure-testing-master.debian.net can issue Debian Testing Security Advisories (DTSAs) for packages in the testing branch if there is an immediate need to fix a security issue in that branch and cannot wait for the normal procedure (or the normal procedure is being blocked by some other packages).
Users willing to take advantage of this support should add the following lines to their /etc/apt/sources.list (instead of the lines described in 第 4.2 节 “进行安全更新”):
    deb http://security.debian.org testing/updates main contrib non-free
# This line makes it possible to donwload source packages too
    deb-src  http://security.debian.org testing/updates main contrib non-free
For additional information on this support please read the http://lists.debian.org/debian-devel-announce/2006/05/msg00006.html. This support officially started in http://lists.debian.org/debian-devel-announce/2005/09/msg00006.html in a separate repository and was later integrated into the main security archive.

10.1.5. 自动完成 Debian GNU/Linux 系统的更新

首先,并不十分推荐自动更新, 因为管理员应当查阅 DSA, 并了解每次安全更新的影响.
如果要自动完成系统的更新, 您应该:
  • Configure apt so that those packages that you do not want to update stay at their current version, either with apt's pinning feature or marking them as hold with aptitude or dpkg.
    To pin the packages under a given release, you must edit /etc/apt/preferences (see apt_preferences(5)) and add:
      Package: *
      Pin: release a=stable
      Pin-Priority: 100
    
    FIXME: 检查这种配置的正确性.
  • Either use cron-apt as described in 第 10.1.2.3 节 “使用 cron-apt 自动完成更新检查” and enable it to install downloaded packages or add a cron entry yourself so that the update is run daily, for example:
      apt-get update && apt-get -y upgrade
    
    The -y option will have apt assume 'yes' for all the prompts that might arise during the update. In some cases, you might want to use the --trivial-only option instead of the --assume-yes (equivalent to -y).[61]
  • Configure debconf so no questions will be asked during upgrades, so that they can be done non-interactively. [62]
  • 检查 cron 的执行结果, 它将会通过mail发送给超级用户(除非修改了与 MAILTO 环境变量相关的脚本).
使用 -d(或 --download-only)选项也许会更加安全, 这样只下载所需的软件包, 而并不安装. 然后如果 cron 执行的结果显示系统需要更新, 就手动完成.
为了完成这些工作, 需要正确配置系统以下载安全更新如第 4.2 节 “进行安全更新”中建议的.
但是,如果没有经过仔细的分析, 并不推荐在 unstable 中这样做, 因为如果您安装到系统中的一个重要的软件包中存在严重 bug, 可能会使系统崩溃. 对于这种问题, testing 相对要好一点. 因为严重的 bug 在进入 testing 分支前有更多机会被检测出来.(尽管,您可能没有任何安全更新可用).
If you have a mixed distribution, that is, a stable installation with some packages updated to testing or unstable, you can fiddle with the pinning preferences as well as the --target-release option in apt-get to update only those packages that you have updated.[63]


[61] You may also want to use the --quiet (-q) option to reduce the output of apt-get, which will stop the generation of any output if no packages are installed.
[62] Note that some packages might not use debconf and updates will stall due to packages asking for user input during configuration.
[63] This is a common issue since many users want to maintain a stable system while updating some packages to unstable to gain the latest functionality. This need arises due to some projects evolving faster than the time between Debian's stable releases.