14.2 介紹

安全,對系統管理者而言,是至始至終最基本的要求。 由於所有的 BSD UNIX® multi-user 系統都提供了與生俱來的基本安全,所以建立、 維護額外的安全機制,以確保使用者的『可靠』, 可能也就是系統管理員最需要慎思的艱巨任務了。 機器的安全性取決於您所建立的安全措施,而許多安全方面的考量, 則會與人們使用電腦時的便利相矛盾。 一般來說, UNIX 系統可同時執行許多數目的程式 process,並且其中許多 process 也同時以 Server 端來運作。 ── 這意味著, 外部實體機器能夠與它們互相連接,並產生互動。現在的一般桌機, 已經能夠達到以前小型主機甚至大型主機的性能, 而隨著這些電腦的網路連接和在更大範圍內互相連接, 安全也成為了一個日益嚴峻的課題。

安全最好的方式,是能夠透過像『洋蔥』那樣的層層防護模式。 簡單講,應該儘可能的建立多層次安全防護, 並小心地監視各類針對系統的入侵疑點。 You do not want to overbuild your security or you will interfere with the detection side, and detection is one of the single most important aspects of any security mechanism. For example, it makes little sense to set the schg flag (see chflags(1)) on every system binary because while this may temporarily protect the binaries, it prevents an attacker who has broken in from making an easily detectable change that may result in your security mechanisms not detecting the attacker at all.

System security also pertains to dealing with various forms of attack, including attacks that attempt to crash, or otherwise make a system unusable, but do not attempt to compromise the root account (“break root”). Security concerns can be split up into several categories:

  1. 服務阻斷攻擊(DoS)

  2. 竊取其他使用者的帳號。

  3. 透過各式 Server 上所提供的 Service 來竊取 root 帳號。

  4. 透過使用者帳號竊取 root 帳號。

  5. 開後門。

A denial of service attack is an action that deprives the machine of needed resources. Typically, DoS attacks are brute-force mechanisms that attempt to crash or otherwise make a machine unusable by overwhelming its servers or network stack. Some DoS attacks try to take advantage of bugs in the networking stack to crash a machine with a single packet. The latter can only be fixed by applying a bug fix to the kernel. Attacks on servers can often be fixed by properly specifying options to limit the load the servers incur on the system under adverse conditions. Brute-force network attacks are harder to deal with. A spoofed-packet attack, for example, is nearly impossible to stop, short of cutting your system off from the Internet. It may not be able to take your machine down, but it can saturate your Internet connection.

A user account compromise is even more common than a DoS attack. Many sysadmins still run standard telnetd, rlogind, rshd, and ftpd servers on their machines. These servers, by default, do not operate over encrypted connections. The result is that if you have any moderate-sized user base, one or more of your users logging into your system from a remote location (which is the most common and convenient way to login to a system) will have his or her password sniffed. The attentive system admin will analyze his remote access logs looking for suspicious source addresses even for successful logins.

One must always assume that once an attacker has access to a user account, the attacker can break root. However, the reality is that in a well secured and maintained system, access to a user account does not necessarily give the attacker access to root. The distinction is important because without access to root the attacker cannot generally hide his tracks and may, at best, be able to do nothing more than mess with the user's files, or crash the machine. User account compromises are very common because users tend not to take the precautions that sysadmins take.

System administrators must keep in mind that there are potentially many ways to break root on a machine. The attacker may know the root password, the attacker may find a bug in a root-run server and be able to break root over a network connection to that server, or the attacker may know of a bug in a suid-root program that allows the attacker to break root once he has broken into a user's account. If an attacker has found a way to break root on a machine, the attacker may not have a need to install a backdoor. Many of the root holes found and closed to date involve a considerable amount of work by the attacker to cleanup after himself, so most attackers install backdoors. A backdoor provides the attacker with a way to easily regain root access to the system, but it also gives the smart system administrator a convenient way to detect the intrusion. Making it impossible for an attacker to install a backdoor may actually be detrimental to your security, because it will not close off the hole the attacker found to break in the first place.

Security remedies should always be implemented with a multi-layered “onion peel” approach and can be categorized as follows:

  1. Securing root and staff accounts.

  2. Securing root-run servers and suid/sgid binaries.

  3. Securing user accounts.

  4. Securing the password file.

  5. Securing the kernel core, raw devices, and file systems.

  6. Quick detection of inappropriate changes made to the system.

  7. Paranoia.

The next section of this chapter will cover the above bullet items in greater depth.

本文及其他文件,可由此下載:ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/

若有 FreeBSD 方面疑問,請先閱讀 FreeBSD 相關文件,如不能解決的話,再洽詢 <questions@FreeBSD.org>。
關於本文件的問題,請洽詢 <doc@FreeBSD.org>。