Linux Security Series - Data Security

1. Encryption and decryption

1.1 Overview

Sender: plaintext -> ciphertext
Recipient: ciphertext -> plaintext
Goals of encryption and the modes that serve them
  • Confidentiality of data
    - Symmetric encryption: the same key is used to encrypt and decrypt
    - Asymmetric encryption: different keys are used to encrypt and decrypt (a public key and a private key)
  • Integrity of information
    - Message digest: a short, fixed-length hash value computed from input of any length
  Common algorithms
  • Symmetric encryption
    DES, Data Encryption Standard (56-bit key, brute-forceable today; use AES instead)
    AES, Advanced Encryption Standard
  • Asymmetric encryption
    RSA, Rivest-Shamir-Adleman (encryption and signatures)
    DSA, Digital Signature Algorithm (signatures only)
  • Hash algorithms for message digests
    MD5, Message Digest 5
    SHA, Secure Hash Algorithm (SHA-1, SHA-256, SHA-512, ...)
  MD5 integrity verification
  • Compute the digest of the downloaded file with the md5sum tool
  • Compare it with the value published by the vendor
    Note: MD5 and SHA-1 are no longer collision resistant, so prefer sha256sum wherever the vendor publishes SHA-256 values. A digest fetched from the same place as the file only detects corruption; an attacker who controls the mirror can replace both file and digest. Protecting against that needs a signature, which GPG (below) provides.
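The check described above, done the way `md5sum -c` / `sha256sum -c` do it, as an added example (not code from the original post): the published list is parsed line by line, the algorithm is inferred from the digest length, each local file is hashed in chunks and reported as OK, FAILED or MISSING. The file contents and the "published" digest list are constructed inline for the demo.

```python
"""Checksum-list verification in the style of `md5sum -c` / `sha256sum -c`.

Added example: parses a published digest list, infers the algorithm from the
digest length, hashes each local file in chunks and reports OK / FAILED / MISSING.
All file contents and the 'published' list are constructed here for the demo."""
import hashlib
import os
import tempfile

# GNU coreutils digest lengths (hex chars) -> hashlib constructor
ALGO_BY_HEX_LEN = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256, 128: hashlib.sha512}


def digest_file(path, hasher):
    """Hash a file in 64 KiB chunks so large downloads are not read into memory."""
    h = hasher()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_lines(text):
    """Parse '<hexdigest>  <name>' lines; a leading '*' on the name means binary mode."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition(" ")
        entries.append((hexdigest.lower(), name.lstrip(" *")))
    return entries


def verify_checksums(directory, checksum_text):
    """Return {name: 'OK' | 'FAILED' | 'MISSING' | 'UNKNOWN-ALGO'} for each listed file."""
    results = {}
    for expected, name in parse_checksum_lines(checksum_text):
        hasher = ALGO_BY_HEX_LEN.get(len(expected))
        path = os.path.join(directory, name)
        if hasher is None:
            results[name] = "UNKNOWN-ALGO"
        elif not os.path.isfile(path):
            results[name] = "MISSING"
        elif digest_file(path, hasher) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed scenario: an intact download, a tampered one, and one not downloaded."""
    d = tempfile.mkdtemp()
    original = b"pretend this is the release tarball\n"
    with open(os.path.join(d, "tool-1.0.tar.gz"), "wb") as f:
        f.write(original)
    with open(os.path.join(d, "tool-1.0.patch"), "wb") as f:
        f.write(b"attacker-modified patch\n")
    # The vendor's list as it would appear in a SHA256SUMS file, plus one md5sum-style entry.
    published = "\n".join([
        "%s  tool-1.0.tar.gz" % hashlib.sha256(original).hexdigest(),
        "%s  tool-1.0.patch" % hashlib.sha256(b"genuine patch\n").hexdigest(),
        "%s *tool-1.0.iso" % hashlib.md5(b"iso image").hexdigest(),
    ])
    return verify_checksums(d, published)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%s: %s" % (name, status))
```

The verdicts are returned as a dict rather than printed so a download script can refuse to install anything that is not OK; inferring the algorithm from the digest length is what lets one function consume MD5SUMS, SHA1SUMS and SHA256SUMS files alike.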

1.2 GPG encryption / decryption tool

1.2.1 GnuPG Introduction

GnuPG,GNU Privacy Guard

  • http://www.gnupg.org/
  • The most widely used free tool for data encryption and digital signatures
    ]# gpg --version

1.2.2 GPG symmetrical encryption / decryption

Encrypt: --symmetric or -c
Decrypt: --decrypt or -d
]# gpg -c test1.txt		// a pinentry dialog asks for a passphrase; writes test1.txt.gpg
]# file test1.txt*
]# gpg -d test1.txt.gpg > dtest1.txt	// enter the passphrase when prompted
Note: gpg -c leaves the plaintext test1.txt in place; delete it once the encrypted copy has been verified, otherwise the encryption protected nothing.

1.2.3 GPG asymmetric encryption / decryption

Basic process:
	1. User B gives his public key to user A;
	2. User A encrypts the data with B's public key and sends the ciphertext to B;
	3. User B decrypts the data with his own private key.
Preparation:
	B creates a key pair: --gen-key
	B exports the public key: --export, with --armor or -a for ASCII output
	A imports the public key: --import
Note: key generation needs random numbers, and on old kernels /dev/random can block while gathering entropy. The workaround below points /dev/random at the non-blocking urandom pool; it alters a system device node, so it belongs on a lab VM, not a production host (on kernel 5.6 and later /dev/random no longer blocks once seeded, so it is unnecessary):
	mv /dev/random /dev/lodrandom
	ln -s /dev/urandom /dev/random
b]# gpg --gen-key 			// enter the user information and the private-key passphrase
b]# gpg --list-keys
b]# gpg -a --export userb > /tmp/userb.pub
...
a]# gpg --import /tmp/userb.pub
Before encrypting to the imported key, A should compare its fingerprint (gpg --fingerprint userb) with the value B reads out over another channel: a substituted public key lets whoever substituted it read everything A encrypts.
Basic usage
	Encrypt: --encrypt or -e
	Specify the recipient: --recipient or -r
	Decrypt: --decrypt or -d
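The symmetric round trip of 1.2.2 and the B-generates / A-encrypts / B-decrypts exchange of 1.2.3, scripted end to end, as an added example (not code from the original post). It drives gpg 2.1+ non-interactively in two throw-away GNUPGHOME directories so "user A" and "user B" can both live on one machine; the user ID userb, the e-mail address, the passphrase and the file names are made up. The batch flags (--batch, %no-protection, --pinentry-mode loopback, --trust-model always) replace the prompts the interactive commands on the page would show.

```python
"""GPG symmetric round trip plus the A/B public-key exchange, non-interactively.

Added example (not from the original post): runs gpg 2.1+ in two throw-away
GNUPGHOME directories. User ID, e-mail, passphrase and file names are made up."""
import os
import subprocess
import tempfile

# Unattended key-generation parameters for `gpg --batch --gen-key`.
# %no-protection leaves the private key without a passphrase (demo only).
GEN_PARAMS = """\
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: userb
Name-Email: userb@example.com
Expire-Date: 0
%commit
"""


def gpg(home, *args, stdin=None):
    """Run gpg against a private keyring directory; raise on non-zero exit."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes", "--quiet"] + list(args)
    return subprocess.run(cmd, input=stdin, check=True, capture_output=True)


def parse_fpr(colons_output):
    """Primary-key fingerprint from `gpg --with-colons --fingerprint`: first 'fpr' record, field 10."""
    for line in colons_output.splitlines():
        if line.startswith("fpr:"):
            return line.split(":")[9]
    raise LookupError("no fpr record")


def fingerprint(home, uid):
    return parse_fpr(gpg(home, "--with-colons", "--fingerprint", uid).stdout.decode())


def symmetric_roundtrip(work, passphrase, data):
    """1.2.2: gpg -c / gpg -d with the passphrase supplied on the command line."""
    plain, cipher, back = (os.path.join(work, n) for n in ("s.txt", "s.txt.gpg", "ds.txt"))
    with open(plain, "wb") as f:
        f.write(data)
    common = ["--pinentry-mode", "loopback", "--passphrase", passphrase]
    gpg(work, *common, "--output", cipher, "--symmetric", plain)
    gpg(work, *common, "--output", back, "--decrypt", cipher)
    with open(back, "rb") as f:
        return f.read()


def demo():
    work = tempfile.mkdtemp()
    home_a, home_b = os.path.join(work, "a"), os.path.join(work, "b")
    for home in (home_a, home_b):
        os.mkdir(home, 0o700)                  # gpg complains about group-readable homedirs

    # 1. B creates a key pair and exports the public key in ASCII armor.
    gpg(home_b, "--gen-key", stdin=GEN_PARAMS.encode())
    pub_path = os.path.join(work, "userb.pub")
    with open(pub_path, "wb") as f:
        f.write(gpg(home_b, "--armor", "--export", "userb").stdout)

    # 2. A imports it and checks the fingerprint against the value B reported out
    #    of band (here read straight from B's keyring). Skipping this check lets
    #    anyone who can swap the .pub file read everything A encrypts.
    gpg(home_a, "--import", pub_path)
    if fingerprint(home_a, "userb") != fingerprint(home_b, "userb"):
        raise RuntimeError("public key fingerprint mismatch, do not encrypt to it")

    # 3. A encrypts to B. --trust-model always stands in for the trust step
    #    (gpg --edit-key userb, then lsign) that would normally follow the check.
    plain = os.path.join(work, "test1.txt")
    with open(plain, "wb") as f:
        f.write(b"hello userb\n")
    cipher = plain + ".gpg"
    gpg(home_a, "--trust-model", "always", "--recipient", "userb",
        "--output", cipher, "--encrypt", plain)

    # 4. B decrypts with the private key, which never left home_b.
    decrypted = os.path.join(work, "dtest1.txt")
    gpg(home_b, "--output", decrypted, "--decrypt", cipher)
    with open(decrypted, "rb") as f:
        return f.read(), symmetric_roundtrip(home_b, "s3cret-demo", b"same key both ways\n")


if __name__ == "__main__":
    print(demo())
```

The fingerprint comparison is the step that turns "I have a key named userb" into "I have B's key"; in practice the value is read out over the phone, from a business card or from a key-signing event, never from the same channel that delivered the key file.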

2.AIDE Intrusion Detection System

2.1 system initialization

  • Install the package: yum -y install aide  (Advanced Intrusion Detection Environment)
  • Edit the configuration file (/etc/aide.conf)
vim /etc/aide.conf
	@@define DBDIR /var/lib/aide		// database directory
	@@define LOGDIR /var/log/aide	// log directory
	database_out=file:@@{DBDIR}/aide.db.new.gz	// name of the database written by --init
		# These are the default rules.
		#p:      permissions
		#i:      inode:
		#n:      number of links
		#u:      user
		#g:      group
		#s:      size
		#b:      block count
		#m:      mtime
		#a:      atime
		#c:      ctime
		#S:      check for growing size
		#acl:           Access Control Lists
		#selinux        SELinux security context
		#xattrs:        Extended file attributes
		#md5:    md5 checksum
		#sha1:   sha1 checksum
		#sha256:        sha256 checksum
		#sha512:        sha512 checksum
		#rmd160: rmd160 checksum
		#tiger:  tiger checksum
		
		#haval:  haval checksum (MHASH only)
		#gost:   gost checksum (MHASH only)
		#crc32:  crc32 checksum (MHASH only)
		#whirlpool:     whirlpool checksum (MHASH only)

	FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256	// a named rule combining the attribute checks above; path lines further down in the file pair a directory with a rule

  • Initialize the database
    Run this before the host can have been compromised: AIDE records the attributes and checksums of the files selected by the configuration file.
	]# aide --init
	AIDE, version 0.15.1
	###AIDE database at /var/lib/aide/aide.db.new.gz initialized.
  • Back up the database
    Copy the checksum database to a place an intruder cannot alter, such as a USB flash drive, CD-ROM, removable hard disk or network storage. A baseline left on the host can simply be regenerated by whoever replaced the binaries.
]# mv /var/lib/aide/aide.db.new.gz  /other/path

2.2 intrusion detection

  • Run the check
    First put the backed-up database back where the configuration expects it (database=file:@@{DBDIR}/aide.db.gz, so it is renamed on the way):
    ]# cp /other/path/aide.db.new.gz /var/lib/aide/aide.db.gz
  • Compare the current file system against the database
    ]# aide --check
    The result is only as trustworthy as the aide binary and /etc/aide.conf; an intruder with root can replace both, so keep copies of them next to the database and compare those first.
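What `aide --init` and `aide --check` do, reduced to the FIPSR attributes p+i+n+u+g+s+m+c+sha256, as an added example (this is not AIDE's code, and it skips acl/selinux/xattrs and directory entries). The sample tree, the file names and the tampering are constructed for the demo: the intruder swaps /bin/ls for a same-size trojan and restores its mtime with touch -r, which fools a size-and-mtime check but not the hash.

```python
"""A minimal AIDE-style integrity check: record the FIPSR attributes
(p+i+n+u+g+s+m+c+sha256) of every file under a tree into a database file,
then compare the live tree against that database.

Added example (not AIDE's own code): acl/selinux/xattrs are skipped, and the
sample tree, file names and tampering are constructed for the demo."""
import hashlib
import json
import os
import stat
import tempfile

WATCHED = ("p", "i", "n", "u", "g", "s", "m", "c", "sha256")


def file_record(path):
    """One database entry: the attributes an aide rule abbreviates as p,i,n,u,g,s,m,c."""
    st = os.lstat(path)
    rec = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
           "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
           "m": st.st_mtime_ns, "c": st.st_ctime_ns, "sha256": None}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_db(root):
    """aide --init: walk the tree and record every file (paths relative to root)."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def check(root, db_path):
    """aide --check: diff the live tree against the saved database."""
    with open(db_path) as f:
        old = json.load(f)
    new = build_db(root)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for name in sorted(set(old) & set(new)):
        diffs = [a for a in WATCHED if old[name][a] != new[name][a]]
        if diffs:
            report["changed"][name] = diffs
    return report


def demo():
    """Baseline a fake root, tamper with it the way an intruder would, re-check."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "root")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    ls_path = os.path.join(root, "bin", "ls")
    with open(ls_path, "wb") as f:
        f.write(b"ls-binary-v1\n")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    # The database is kept outside the monitored tree (stand-in for the USB stick).
    db_path = os.path.join(work, "aide.db.json")
    with open(db_path, "w") as f:
        json.dump(build_db(root), f)

    # Intruder: replace ls with a same-size trojan, restore its mtime (touch -r)
    # and plant a preload file. Size and mtime still match; the hash does not.
    st = os.stat(ls_path)
    with open(ls_path, "wb") as f:
        f.write(b"ls-binary-v2\n")
    os.utime(ls_path, ns=(st.st_atime_ns, st.st_mtime_ns))
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
        f.write("/tmp/rootkit.so\n")
    return check(root, db_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names which attributes moved, which is what makes the output actionable: a changed hash with unchanged size and mtime is the signature of a deliberate replacement rather than an update.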

3. Scan and capture

3.1 Security Analysis Overview

  • Why scan?
    To gather public and non-public information about a target, in order to
    - detect potential risks
    - locate targets
    - collect information about devices, hosts, systems and software
    - discover exploitable security holes
  • Scanning techniques and tools
    Typical techniques
    - Scan: active probing
    - Sniff: passive listening
    - Capture: recording packets for later analysis
    Common security analysis tools
    - Scanner: NMAP
    - Protocol analysis: tcpdump, Wireshark

3.2 NMAP scans

3.2.1 NMAP Introduction

- A powerful network probing tool
- Supports several probing techniques: ping scans; multi-port scans; TCP/IP fingerprinting
  • Basic usage
    • nmap [scan type] [options] <scan target ...>
  • Commonly used scan types
    - -sS, TCP SYN scan (half-open: the handshake is never completed, so the service does not see a connection; needs root for raw sockets)
    - -sT, TCP connect scan (full handshake; works unprivileged, but every probe shows up in the target's application logs)
    - -sU, UDP scan
    - -sP, ping scan (host discovery with ICMP echo and TCP probes; newer nmap releases call it -sn and still accept -sP)
    - -A, aggressive scan: comprehensive analysis of the target system
  Application examples (lab addresses; only scan hosts you are authorized to test)
nmap -sP 172.40.59.1-254		// which hosts in the range are up
nmap 172.40.59.189			// default: the 1000 most common TCP ports
nmap 172.40.59.182
nmap -p 80 172.40.59.189		// -p selects ports: -p 22,80, -p 1-1024, or -p- for all 65535
nmap -A 172.40.59.189		// -A is a composite option, equivalent to -O (OS detection), -sV (version detection), -sC (default scripts) and --traceroute
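The difference between -sT and -sS is easiest to see by writing the connect scan yourself. The following is an added example (not nmap's code): it completes the full three-way handshake to each port, classifies the result as open, closed or filtered, and reads a banner from open ports in the spirit of -sV. The target is a throw-away listener on 127.0.0.1 that the demo starts itself, with a made-up SSH banner; the port numbers come from the operating system.

```python
"""TCP connect scan, the technique behind `nmap -sT`, against a local target.

Added example (not nmap's code): completes the full three-way handshake to each
port and classifies it as open / closed / filtered; open ports get a banner grab.
The target is a throw-away listener on 127.0.0.1 with a constructed banner."""
import socket
import threading


def connect_scan(host, ports, timeout=0.5, grab_banner=False):
    """Return ({port: state}, {port: banner}). A connect scan is visible to the
    target application (its accept() succeeds), unlike a SYN scan, which needs
    raw sockets and tears the handshake down before the application sees it."""
    states, banners = {}, {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))             # SYN, SYN/ACK, ACK completed
            states[port] = "open"
            if grab_banner:
                try:
                    banners[port] = s.recv(128).decode(errors="replace").strip()
                except OSError:                 # service waits for the client to talk first
                    pass
        except ConnectionRefusedError:          # RST came back: nothing listening
            states[port] = "closed"
        except OSError:                         # timeout or unreachable: dropped / filtered
            states[port] = "filtered"
        finally:
            s.close()
    return states, banners


def start_listener(banner):
    """Bind an ephemeral loopback port and answer each client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                     # listener closed: stop serving
                return
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def free_port():
    """A port nothing is listening on right now (bind, read back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    srv = start_listener(b"SSH-2.0-OpenSSH_8.0\r\n")   # constructed banner
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    try:
        states, banners = connect_scan("127.0.0.1", [open_port, closed_port], grab_banner=True)
    finally:
        srv.close()
    return states, banners, open_port, closed_port


if __name__ == "__main__":
    states, banners, _, _ = demo()
    for port, state in sorted(states.items()):
        print("%5d/tcp %-8s %s" % (port, state, banners.get(port, "")))
```

"Filtered" cannot be demonstrated on loopback: it is what a firewall that silently drops the SYN looks like from the outside, and it is why a scanner needs a timeout rather than waiting for an answer that never comes.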

3.3 Network capture tool (the tcpdump package)

3.3.1 tcpdump command capture

  • Basic usage: tcpdump [options] [filter expression]
  • Common options
    - -i  interface to listen on
    - -A  print each packet's payload as ASCII, convenient for reading clear-text protocols
    - -w  save the raw packets to the given file (readable later with -r or in Wireshark)
    - -r  read packets from the given file instead of an interface
    - -c  stop after the given number of packets
    - -n  do not resolve addresses to names (otherwise every new address triggers a DNS lookup)
  • tcpdump filter expressions
    - Type: host, net, port, portrange
    - Direction: src, dst
    - Protocol: tcp, udp, ip, icmp, wlan, arp, ...
    - Combining conditions: and, or, not; without a src/dst qualifier, host and port match either end of the packet
  • Application examples
]# tcpdump  -i br1  icmp
]# tcpdump  -i br1  icmp and host 172.40.59.107
]# tcpdump  -i br1  port 22
]# tcpdump  -i br1 -c 4 port 22
]# tcpdump  -i br1  port 22  or port 80
]# tcpdump  -i br1 \(port 22  or port 80 \) and host 172.40.59.107	// and binds tighter than or, so the parentheses are needed; escape them (or quote the whole expression) so the shell does not interpret them
]# tcpdump  -i br1  dst host www.taobao.com		// the name is resolved once, when the filter is compiled
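The filter rules above (type, direction, protocol, and/or/not with precedence) implemented over raw IPv4 packets, as an added example that is not tcpdump or libpcap code. It decodes the fields a capture filter inspects, then parses expressions such as `(port 22 or port 80) and host 172.40.59.107` with tcpdump's precedence, so the difference between the parenthesized and unparenthesized forms on the page can be measured on constructed traffic. The packets are built inline with made-up addresses from the page's 172.40.59.0/24 lab range; checksums are left at zero.

```python
"""Capture-filter semantics: decode raw IPv4 packets and evaluate tcpdump-style
expressions (host/net/port/portrange, src/dst, tcp/udp/icmp, and/or/not, parens)
with tcpdump's precedence: 'not' binds tightest, then 'and', then 'or'.
Added example, not tcpdump/libpcap code; packets are constructed with made-up addresses."""
import ipaddress
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
IP_HDR = "!BBHHHBBH4s4s"
# Minimal L4 headers for constructed packets (checksums left zero, demo only).
L4_HDR = {6: lambda sp, dp: struct.pack("!HHIIBBHHH", sp, dp, 0, 0, 5 << 4, 2, 8192, 0, 0),
          17: lambda sp, dp: struct.pack("!HHHH", sp, dp, 8, 0),
          1: lambda sp, dp: struct.pack("!BBHHH", 8, 0, 0, 1, 1)}   # ICMP echo request


def build_ipv4(proto, src, dst, sport=0, dport=0):
    """Raw IPv4 packet: 20-byte header without options, then the L4 header."""
    l4 = L4_HDR[proto](sport, dport)
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + l4


def decode_ipv4(raw):
    """Pull out what a filter inspects: protocol, addresses, ports (None for ICMP)."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    pkt = {"proto": PROTO_NAMES.get(proto, str(proto)), "sport": None, "dport": None,
           "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}
    if proto in (6, 17):
        off = (ver_ihl & 0x0F) * 4                     # IHL words -> byte offset of L4
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[off:off + 4])
    return pkt


def primitive(kind, value, direction):
    """host/net/port/portrange test on the src side, the dst side, or (no qualifier) either."""
    sides = {"src": ("src",), "dst": ("dst",)}.get(direction, ("src", "dst"))
    if kind == "host":
        return lambda p: any(p[s] == value for s in sides)
    if kind == "net":
        net = ipaddress.ip_network(value, strict=False)
        return lambda p: any(ipaddress.ip_address(p[s]) in net for s in sides)
    lo, hi = (int(x) for x in (value.split("-") if kind == "portrange" else (value, value)))
    keys = [s[0] + "port" for s in sides]              # "sport" / "dport"
    return lambda p: any(p[k] is not None and lo <= p[k] <= hi for k in keys)


def compile_filter(text):
    """Recursive descent: expr = term ('or' term)*; term = factor ('and' factor)*."""
    toks = text.replace("(", " ( ").replace(")", " ) ").split()
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0)

    def expr():
        pred = term()
        while peek() == "or":
            take()
            pred = (lambda l, r: lambda p: l(p) or r(p))(pred, term())
        return pred

    def term():
        pred = factor()
        while peek() == "and":
            take()
            pred = (lambda l, r: lambda p: l(p) and r(p))(pred, factor())
        return pred

    def factor():
        tok = take()
        if tok == "not":
            inner = factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in PROTO_NAMES.values():
            return lambda p, t=tok: p["proto"] == t
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok in ("host", "net", "port", "portrange"):
            return primitive(tok, take(), direction)
        raise ValueError("unknown primitive %r" % tok)

    pred = expr()
    if peek() is not None:
        raise ValueError("unexpected token %r" % peek())
    return pred


def apply_filter(expression, raw_packets):
    """Decode each packet and keep those the compiled expression accepts."""
    pred = compile_filter(expression)
    return [p for p in map(decode_ipv4, raw_packets) if pred(p)]


# Constructed traffic: ssh and http to/from .107, ssh from another host, a ping, off-net DNS.
SAMPLE = [
    build_ipv4(6, "172.40.59.107", "172.40.59.1", 51000, 22),
    build_ipv4(6, "172.40.59.1", "172.40.59.107", 80, 51001),
    build_ipv4(6, "172.40.59.200", "172.40.59.1", 51002, 22),
    build_ipv4(1, "172.40.59.107", "172.40.59.1"),
    build_ipv4(17, "172.40.59.1", "10.0.0.5", 53, 40000),
]
```

Against SAMPLE, `(port 22 or port 80) and host 172.40.59.107` keeps two packets while `port 22 or port 80 and host 172.40.59.107` keeps three, because the unparenthesized form also admits the other host's SSH traffic; `dst host 172.40.59.107` keeps only the HTTP reply, since the ICMP echo from .107 has it as source, not destination.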
Origin blog.csdn.net/qq_42130112/article/details/103708935