How to Ninja – Ubuntu 10.04 - Alibaba Cloud Developer Community


This blog is an update to my original post on ninja here.

Briefly, ninja is a security tool that monitors your host (computer) for unauthorized root access (i.e. user privilege escalation) and, if discovered, logs and terminates (kills) the process.

From the Ninja Home Page

Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.

Since my original post the installation process and configuration have changed and, although ninja is now much easier to configure, it still requires post-installation configuration.

Install ninja

sudo apt-get install ninja


Configure ninja

Most important, read the documentation. Most of the relevant information is in the configuration file itself.

These are the adjustments I made (for Ubuntu).

1. Add a “magic” group (only members of the magic group are allowed root access). In this blog I will call the group “ninja”; you may change the name if you wish. Take note of the group id (the gid number).

sudo addgroup ninja
Adding group `ninja' (GID 1002) ...
Done.

Add root, messagebus, and your administrative user(s) to the magic group.

sudo usermod -a -G ninja root
sudo usermod -a -G ninja messagebus
sudo usermod -a -G ninja bodhi

2. Make a log file, restrict access to both /etc/ninja and the log file to root.

sudo touch /var/log/ninja.log
sudo chmod -R o-rwx /etc/ninja/
sudo chmod o-rwx /var/log/ninja.log

3. Using any editor, open /etc/ninja/ninja.conf

I encourage you to read the whole configuration file.

sudo -e /etc/ninja/ninja.conf

Make the following change, matching the number to the id of your magic group:

group = 1002

Test ninja:

sudo ninja start

bodhi@lucid:~$ sudo -i
root@lucid:~# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@lucid:~$ whoami
nobody
nobody@lucid:~$ sudo -i
[sudo] password for nobody:
Sorry, try again.

Exit the shell and/or close the terminal.

At this time ninja is configured only to log events.

Examining the log will show the event:


bodhi@lucid:~$ sudo cat /var/log/ninja.log

NEW ROOT PROCESS: bash[2319] ppid=2015 uid=0 gid=0
- ppid uid=1000(bodhi) gid=1000 ppid=2013
+ bodhi is in magic group, all OK!
NEW ROOT PROCESS: sudo[2338] ppid=2335 uid=0 gid=0
- ppid uid=65534(nobody) gid=65534 ppid=2319
+ UNAUTHORIZED PROCESS DETECTED: sudo[2338] (parent: bash[2335])
- nokill option set, no signals sent

Notice three things:

1. bodhi was allowed to run sudo.
2. ninja detected that nobody was not authorized to run sudo.
3. Last, ninja is configured with the “no kill” option, so it did not take action.
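Once ninja has run for a while, the log fills with “all OK” entries and the interesting lines are easy to miss. The following shell snippet is an added example, not code from the original post or from the ninja project: it filters a ninja log down to the UNAUTHORIZED verdicts, pairing each with the uid that spawned the process, and reports whether ninja is still in log-only mode. The line formats are those of the log excerpt above; the sample log is constructed from that excerpt, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): pull the UNAUTHORIZED events
# out of a ninja log so they can be reviewed without reading every
# "all OK" entry. Line formats follow the log excerpt in the post; the
# log path is the one the post configures, /var/log/ninja.log.

# Constructed sample, copied from the excerpt in the post.
SAMPLE_LOG='NEW ROOT PROCESS: bash[2319] ppid=2015 uid=0 gid=0
- ppid uid=1000(bodhi) gid=1000 ppid=2013
+ bodhi is in magic group, all OK!
NEW ROOT PROCESS: sudo[2338] ppid=2335 uid=0 gid=0
- ppid uid=65534(nobody) gid=65534 ppid=2319
+ UNAUTHORIZED PROCESS DETECTED: sudo[2338] (parent: bash[2335])
- nokill option set, no signals sent'

# ninja_unauthorized: read a ninja log on stdin and print one line per
# unauthorized event as "<spawning uid> -> <process> (parent: ...)".
# The uid comes from the "- ppid uid=..." line that precedes each verdict.
ninja_unauthorized() {
  awk '
    /^- ppid uid=/ { who = $3 }            # third field, e.g. uid=65534(nobody)
    /UNAUTHORIZED PROCESS DETECTED/ {
      sub(/^[+] UNAUTHORIZED PROCESS DETECTED: /, "")
      print who " -> " $0
    }'
}

# ninja_unauthorized_count: number of unauthorized events on stdin.
ninja_unauthorized_count() {
  ninja_unauthorized | wc -l | tr -d ' '
}

# ninja_kill_disabled: succeed if the log on stdin shows ninja still in
# log-only mode, i.e. it contains a "nokill option set" line.
ninja_kill_disabled() {
  grep -q 'nokill option set'
}

# Stand-alone demo on the sample; on a real host:
#   sudo cat /var/log/ninja.log | ninja_unauthorized
printf '%s\n' "$SAMPLE_LOG" | ninja_unauthorized
echo "unauthorized events: $(printf '%s\n' "$SAMPLE_LOG" | ninja_unauthorized_count)"
```

On the sample above this prints a single line, `uid=65534(nobody) -> sudo[2338] (parent: bash[2335])`, which is the one event a reviewer needs to look at.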


Reboot

Before we complete our configuration of ninja, we need to test it. If ninja is misconfigured you may lose all root access !!!

Clear the log

sudo bash -c "> /var/log/ninja.log"

Reboot, test root (sudo) access and run your system for a few hours or days (your choice). Watch the ninja log. If there are events, determine whether ninja needs further configuration, either by adding users to the ninja group or by whitelisting processes.
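Because a misconfigured ninja can lock every account out of root, it is worth checking the configuration mechanically before turning kill mode on. The script below is an added example, not part of the original post or of ninja: it reads the `group = N` line from ninja.conf (the setting made above) and reports any named account that is not a member of that gid, using id(1). The function names and the check are my assumptions; the file path and the `group` key are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight check to run
# before switching ninja from "log only" to kill mode. It reads the magic
# group id from ninja.conf (the "group = 1002" line the post sets) and
# verifies that each account you still want root for belongs to that
# group. The function names and the check are ours; the conf path and
# key come from the post.

# ninja_conf_group FILE: print the numeric value of the "group = N" line
# (first match only; prints nothing if the line is missing).
ninja_conf_group() {
  sed -n 's/^[[:space:]]*group[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# user_in_gid USER GID: succeed if USER belongs to the group with id GID
# (primary or supplementary). Unknown users count as "not a member".
user_in_gid() {
  id -G "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# ninja_preflight CONF USER...: warn about each user that would lose root
# once no_kill is turned off; print the number of problems found on stdout
# (0 means it is safe to proceed as far as group membership goes).
ninja_preflight() {
  conf=$1; shift
  gid=$(ninja_conf_group "$conf")
  if [ -z "$gid" ]; then
    echo "no 'group = N' line found in $conf" >&2
    echo 1
    return 0
  fi
  missing=0
  for u in "$@"; do
    if ! user_in_gid "$u" "$gid"; then
      echo "WARNING: $u is not in magic group $gid" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Stand-alone demo on a constructed conf (gid 0 is root's own group, so
# root always passes). Against a real install run, for example:
#   ninja_preflight /etc/ninja/ninja.conf root messagebus bodhi
demo_conf=$(mktemp)
printf 'no_kill = yes\ngroup = 0\n' >"$demo_conf"
echo "users missing from magic group: $(ninja_preflight "$demo_conf" root)"
rm -f "$demo_conf"
```

Run it with every account that must keep root (root, messagebus and your admin users, as listed in step 1); a non-zero result means fix the group membership before changing `no_kill`.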

Add a user to the magic group

Use the graphical tool or the command line to add users to the ninja group:

sudo usermod -a -G ninja user_to_add

Whitelisting a process

Edit /etc/ninja/whitelist

If you examine the file you will find there are already a few processes listed. If you need to add a process, the syntax is:

/path_to/program:group:user

where group and user name a group and a user allowed to run the process.
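A typo in the whitelist only shows up when ninja starts killing processes, so it pays to check the entries before restarting ninja in kill mode. The script below is an added example, not from the original post or from ninja: it parses each `/path_to/program:group:user` line and flags a relative path, a file that does not exist, or a group or user unknown to getent. What counts as a “sane” entry here is my assumption; ninja itself does not perform these checks. The function names and the sample file are mine as well.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the entries of
# /etc/ninja/whitelist before restarting ninja in kill mode. The entry
# format is the one given in the post, /path_to/program:group:user, where
# group and user may be left empty. The checks (absolute path, file exists,
# group and user known to getent) are our assumption about what a sane
# entry looks like; ninja does not enforce them.

# check_whitelist_entry LINE: return 0 for a sane entry, a blank line or a
# '#' comment; print a diagnostic on stderr and return 1 otherwise.
check_whitelist_entry() {
  line=$1
  case $line in ''|'#'*) return 0 ;; esac
  # split on ':' with POSIX parameter expansion (no bash-only syntax)
  path=${line%%:*}
  rest=${line#"$path"}; rest=${rest#:}
  group=${rest%%:*}
  rest=${rest#"$group"}; rest=${rest#:}
  user=${rest%%:*}
  case $path in
    /*) ;;
    *) echo "bad entry (path not absolute): $line" >&2; return 1 ;;
  esac
  [ -e "$path" ] || { echo "bad entry (no such file): $line" >&2; return 1; }
  if [ -n "$group" ] && ! getent group "$group" >/dev/null 2>&1; then
    echo "bad entry (unknown group '$group'): $line" >&2; return 1
  fi
  if [ -n "$user" ] && ! getent passwd "$user" >/dev/null 2>&1; then
    echo "bad entry (unknown user '$user'): $line" >&2; return 1
  fi
  return 0
}

# check_whitelist_file FILE: check every line and print the number of bad
# entries on stdout (0 means the file is clean).
check_whitelist_file() {
  bad=0
  while IFS= read -r wl_line || [ -n "$wl_line" ]; do
    check_whitelist_entry "$wl_line" || bad=$((bad + 1))
  done <"$1"
  echo "$bad"
}

# Stand-alone demo on a constructed file; against a real install run
#   check_whitelist_file /etc/ninja/whitelist
demo=$(mktemp)
printf '%s\n' '# constructed sample' '/bin/sh:root:root' 'bin/sh::' '/nonexistent/prog::' >"$demo"
echo "bad entries in sample: $(check_whitelist_file "$demo")"
rm -f "$demo"
```

Diagnostics go to stderr and the count to stdout, so the function can be dropped into a restart script that refuses to continue when the count is non-zero.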

White listing suid / sgid apps

As suggested by Geoffrey (see comments), ninja will kill “unauthorized” suid apps.

To list your suid applications run this command:

find / -perm -4000 2>/dev/null

To list your sgid applications (the grep keeps only entries under bin or lib directories):

find / -perm -2000 2>/dev/null | grep -E 'bin|lib'

Review these applications and, if desired, whitelist them for your users.

Either edit /etc/ninja/whitelist by hand or use a script. The script appends to /etc/ninja/whitelist, so run it as root (for example from sudo -i):

# suid
for i in $(find / -perm -4000 2>/dev/null); do
    echo "${i}:users:" >> /etc/ninja/whitelist
done

# sgid
for i in $(find / -perm -2000 2>/dev/null | grep -E 'bin|lib'); do
    echo "${i}:users:" >> /etc/ninja/whitelist
done


Enable ninja

Assuming you have configured ninja and you are not getting alerts in the ninja log, it is time to activate ninja.

Using any editor, open /etc/ninja/ninja.conf

sudo -e /etc/ninja/ninja.conf

Change these lines:

no_kill = no
no_kill_ppid = no

Restart ninja:

sudo service ninja restart

Test ninja


bodhi@lucid:/usr/share/doc/ninja$ sudo -i
root@lucid:~# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@lucid:~$ sudo -i
[sudo] password for nobody: Killed
nobody@lucid:~$ Killed


Adding an automated alert

Using any editor, open /etc/ninja/ninja.conf and make some changes. The “problem” is that the external command now runs as the user who triggered ninja, so we need some modifications to the scripts (from my original post).

external_command = /etc/alert

YOU must write this script if you wish to use it.

An example (save this script as /etc/alert):

#!/bin/bash
# ninja runs this as the user who triggered the event, so mail must be
# usable by that user and /home/.ninja must be writable by that user
echo "Ninja attack" | mail -s "Alert" you@secret-service.com
echo "Ninja attack" > /home/.ninja/ALERT

Note : I suggest putting the script OFF the normal path of users to prevent users from running the script.

Make the script executable:

sudo chmod 555 /etc/alert

Now add this to the end of .bashrc (at least for root and I would suggest adding it to your admin user as well):

#Ninja alert
RED='\e[0;31m'
NC='\e[0m'
if [ -e /home/.ninja/ALERT ]; then
    clear
    echo ''
    echo -e "${RED}NINJA ATTACK${NC}"
    echo ''
fi

If you use this script, clear the alert with:

sudo rm /home/.ninja/ALERT


Ninja in action


root@karmic# sudo -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
nobody@karmic$ whoami
nobody
nobody@karmic$ sudo -i
[sudo] password for nobody: Killed
nobody@karmic$ Killed
root@karmic#


Notice how ninja killed not only the sudo attempt, but the bash shell as well.

If you used my alert script and configured ~/.bashrc you will also see a warning when you log in or sudo -i to root. If you receive an alert, review your ninja log.

To clear the alert:

sudo rm /home/.ninja/ALERT
