How to disguise Linux system Set the system illusion for hackers

Computers on the network are easily scanned by hackers using tools or other means to find vulnerabilities in the system and then attack the vulnerabilities.

By disguising the Linux system and setting the system illusion for hackers, it is possible to increase the difficulty of hackers' analysis of the system and entice them to go astray, thereby further improving the security of the computer system. Let's take Red Hat Linux as an example to introduce some commonly used methods of Linux system masquerading for several hackers.

For HTTP Services

By analyzing the type of Web server, you can roughly guess the type of operating system. For example, Windows uses IIS to provide HTTP services, and the most common Linux is Apache.

There is no information protection mechanism in the default Apache configuration and directory browsing is allowed. By browsing through the directory, you can usually get information like "Apache/1.3.27 Server at apache.linuxforum.net Port 80" or "Apache/2.0.49 (Unix) PHP/4.3.8".

Apache related information can be hidden by modifying the ServerTokens parameter in the configuration file. However, Apache running Red Hat Linux is a compiled program. The prompt information is compiled in the program. To hide this information, you need to modify the Apache source code, and then recompile the installer to replace the prompts.

Using Apache 2.0.50 as an example, edit the ap_release.h file and modify “#define AP_SERVER_BASEPRODUCT \\"Apache\\"”#“#define AP_SERVER_BASEPRODUCT \\"Microsoft-IIS/5.0\\ "”. Edit the os/unix/os.h file and modify “#define PLATFORM \\"Unix\\"” as “#define PLATFORM \\"Win32\\"”. After the modification, recompile and install Apache.

After the Apache installation is complete, modify the httpd.conf configuration file and change "ServerTokens Full" to "ServerTokens Prod"; change "ServerSignature On" to "ServerSignature Off" and save and exit. After restarting Apache, use the tool to scan and find that the operating system is Windows in the prompt message.

For FTP services

Through the FTP service, you can also speculate on the type of operating system. For example, the FTP service under Windows is mostly Serv-U, while the Linux is commonly used vsftpd, proftpd, and pureftpd. software.

Using proftpd as an example, modify the configuration file proftpd.conf and add the following content:

The following is the code snippet: ServerIdent on \\"Serv-U FTP Server v5.0 for WinSock ready...\\"

After saving and exiting, restart the proftpd service and log in to the FTP server with the modified information for testing:

Here is the code Fragment: C:\\\\>ftp 192.168.0.1 Connected to 192.168.0.1. 220 Serv-U FTP Server v5.0 for WinSock ready... User (192.168.0.1:(none)): 331 Password required for (none Password: 530 Login incorrectly. ftp > quit 221 Goodbye

So on the surface, the server is a Windows running Serv-U.

For TTL return value

You can use the ping command to probe a host, and you can guess the type of operating system based on the TTL base. For a network that does not pass any gateways and routes, the TTL value obtained by directly pinging the other system is called "TTL base". In the network, the TTL is decremented by 1 for each packet passing through the router. When the TTL is 0, the packet is discarded.

Normally, Windows' TTL base is 128, while the early Red Hat Linux and Solaris TTL base is 255. FreeBSD and the new version of Red Hat Linux have a TTL base of 64. For example, ping a Red Hat system, the display is as follows:

The following is a code snippet: Pinging 192.168.0.1 with 32 bytes of data: Reply from 192.168.0.1: bytes=32 time <10ms TTL= 64 Reply from 192.168.0.1: bytes=32 time <10ms TTL=64 Reply from 192.168.0.1: bytes=32 time <10ms TTL=64 Reply from 192.168.0.1: bytes=32 time <10ms TTL=64 Ping Statistics for 192.168.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip in in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms

The command modifies Red Hat Linux's TTL base to 128 (which is originally 64):

The following is the code snippet: # echo 128 > /proc/sys/net/ipv4/Ip_default_ttl

To make the settings permanent, you can modify the /etc/sysctl.conf configuration file and add the following line:

Here is the code Fragment: net.ipv4.ip_default_ttl = 1 28

After saving and exiting, ping 192.168.0.1, the TTL base becomes 128.

Here is the code snippet: #iptables -I INPUT -s ! xx.xx.xx.xx -p tcp --dport 22 -j DROP

For 3389 ports and 22 ports

Sometimes by scanning 3389 ports and 22 ports, you can also speculate on the type of operating system. Windows generally uses the 3389 port of the TCP protocol for remote control, while Linux may use the 22 port of the TCP protocol to provide an SSH service with encrypted transmission.

For security, you can use iptables to limit 22-port SSH logins, so that unauthorized IP scans do not exist on TCP 22 ports:

Is the code snippet: #iptables -I INPUT -s ! xx.xx.xx.xx -p tcp --dport 22 -j DROP

Using iptables, transfer the TCP 3389 port of this machine to On other computers with ports 3389, the Linux system is pretending to be a TCP 3389 port that provides services. The command is as follows:

The following is the code snippet: #echo 1 > /proc/sys/net/ipv4/ip_forward #iptables -t nat -I PREROUTING -p tcp - -dport 3389 -j DNAT --to xx.xx.xx.xx #iptables -t nat -I POSTROUTING -p tcp --dport 3389 -j MASQUERADE

The first command indicates the allowed data Packet forwarding; the second command indicates forwarding TCP 3389 to xx.xx.xx.xx; the third command indicates that the forwarding packet implements "bidirectional path" to set a correct return channel for the packet. If you want to make forwarding permanent, you can add the above command to the /etc/rc.local file.

Thus, when a hacker scans the port opened by the server, he cannot find port 22, but sees a masqueraded port 3389, which cannot correctly determine the type of operating system.

For netcraft

netcraft is a very powerful scanning engine. It can know the operating system, web service program and server boot time (Uptime) of the tested server through simple TCP 80. And other information.

The methods described above are not effective for netcraft. For netcraft, you can use iptables for system masquerading, so that netcraft misjudges the operating system:

The following is the code snippet: #iptables -t nat -I PREROUTING -s 195.92.95.0 /24 -p tcp --dport 80 -j DNAT --to xx.xx.xx.xx #iptables -t nat -I POSTROUTING -s 195.92.95.0/24 -p tcp --dport 80 -j MASQUERADE

Because of the discovery of the packet, netcraft has more than one server, so it needs to forward and spoof the network segment where it is located.

Summary

The above method can only prevent and block the analysis of system vulnerabilities by hackers from a certain angle, and to some extent reduce the possibility of computer being attacked, but it is still “ Anti-gentleman, not against villains, is just to provide you with a new idea of ​​learning and using.