2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to carry out emergency response and troubleshooting for a Linux server security incident. Many people are unsure how to approach this in day-to-day operations, so the editor has collected material from various sources and distilled it into a simple, practical procedure. I hope it helps; please read on.
Linux is the most widely used server operating system. Its performance, scalability and security record have made it the choice of more and more operators, but it is also the target of a great many security incidents. The main attack types are weak-password attacks, remote overflow attacks and attacks on other application vulnerabilities. A few days ago my VPS was compromised and used to scan other hosts for SSH weak passwords. Below is the method I used to analyse that attack, combined with the analysis and handling methods for Linux security incidents I use at work, summarised as a general approach to Linux security emergency response.
I. Principles of analysis
1. Back up the important data before analysing it, and avoid analysing on the original system where possible.
2. A system that has been compromised can no longer be trusted: its binaries (ps, netstat, ls, find) may have been replaced by a rootkit so that they hide the attacker's files and processes. If conditions permit, copy the evidence off the host and analyse it on a separate, trusted system.
II. Goals of the analysis
1. Find the source of the attack (the attacker's IP addresses).
2. Find the intrusion path (how the attacker got in).
3. Determine the scope of the impact.
4. Quantify the severity of the impact.
III. Data backup and collection
1. Trace data
Trace data is always the most important input for analysing a security incident, so the first task is to back it up. It mainly comprises:
1. System logs: messages, secure, cron, maillog, etc. under /var/log.
2. Application logs: Apache, Nginx, FTP, MySQL logs, etc.
3. Custom logs: many programs write their own log files during development and operation; these are also valuable for reconstructing the intrusion route.
4. .bash_history: the per-user command history written by bash, which shows which commands were executed (an attacker may delete or disable it, so its absence for an account that was clearly active is itself a finding).
5. Logs related to any other security events.
Always back these logs up before analysing them. A simple way is to compress them with tar and work on the copy. For very large logs, use a log analysis platform such as Splunk where possible. The following commands back up everything under /var/log; other logs can be handled the same way:
The commands are as follows:
# back up the system logs and the default httpd service log directory under /var/log
tar -czvf logs.tar.gz /var/log
# back up the login history
last > last.log
# users logged in at this moment
w > w.log
2. System status
The system state to capture is mainly network, service, port and process information:
The commands are as follows:
# enabled services (SysV init; on systemd hosts use systemctl list-unit-files instead)
chkconfig --list > services.log
# process list
ps -ef > ps.log
# listening ports with the owning process (-p needs root to show other users' processes; ss -utnlp is the modern equivalent)
netstat -utnpl > port-listen.log
# all sockets, including established connections
netstat -ano > port-all.log
3. System and file anomalies
Look mainly at file change times, ownership and group changes, newly created users and similar signs; other checks follow the same pattern. Note that the modification time (mtime) can be set to anything with touch, whereas the inode change time (ctime) cannot be set by ordinary tools, so compare both:
The commands are as follows:
# user accounts (also review /etc/shadow and /etc/group for new entries)
cat /etc/passwd
# files modified in the last 5 days anywhere on the system; repeat with -ctime -5
find / -type f -mtime -5
4. Finally, scan for rootkits.
Either Rootkit Hunter (rkhunter) or chkrootkit will do. Both rely on signatures and heuristics, so a clean result does not prove that no rootkit is present; run them from a trusted copy if possible.
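The collection steps above, combined into one script as an added example (not the article's own code): it archives the log tree, captures the login, user, service, process, socket, recently changed file and rootkit-scan output into one evidence directory, and writes a SHA-256 manifest so the copy can later be shown to be unmodified. It assumes a Linux host with sha256sum (or shasum); every status command is optional and is skipped when not installed, and the evidence path, file names and the 5-day window are this example's choices.

```shell
#!/bin/sh
# Added example, not from the article: collect the trace data and system state
# listed above into one evidence directory, then hash it so the copy can later
# be shown to be unmodified. Assumes a Linux host with sha256sum (or shasum);
# every status command is optional and is skipped when not installed.
# Caveat: a rootkit can replace ps, ss, find etc.; prefer running these from a
# trusted, statically linked toolkit and write the output to removable media or
# a remote host rather than to the compromised disk.

_sha() {   # sha256sum with a shasum fallback
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# collect_logs SRC DEST: archive the log tree (normally /var/log) into DEST/logs.tar.gz
collect_logs() {
    mkdir -p "$2"
    # unreadable files do not abort the run; tar's complaints are kept as evidence too
    tar -czf "$2/logs.tar.gz" "$1" 2>"$2/tar-errors.txt" || true
    [ -s "$2/logs.tar.gz" ]
}

# capture DEST NAME CMD...: run CMD if it is installed and save its output as DEST/NAME
capture() {
    out=$1/$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || true
    else
        echo "$1: not installed" > "$out"
    fi
}

# collect_state DEST: logins, users, services, processes, sockets, recent files, rootkit scans
collect_state() {
    mkdir -p "$1"
    capture "$1" last.log        last
    capture "$1" w.log           w
    capture "$1" passwd.log      cat /etc/passwd
    capture "$1" services.log    chkconfig --list
    capture "$1" units.log       systemctl list-unit-files --type=service
    capture "$1" ps.log          ps -ef
    capture "$1" port-listen.log ss -utnlp
    capture "$1" port-all.log    ss -utnap
    # -xdev stays on the root filesystem; ctime is captured too because mtime is trivially forged with touch
    capture "$1" recent-mtime.log find / -xdev -type f -mtime -5
    capture "$1" recent-ctime.log find / -xdev -type f -ctime -5
    capture "$1" rkhunter.log    rkhunter --check --skip-keypress
    capture "$1" chkrootkit.log  chkrootkit
}

# hash_evidence DEST: write DEST/MANIFEST.sha256 covering every collected file
hash_evidence() {
    ( cd "$1" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort |
        while IFS= read -r f; do _sha "$f"; done ) > "$1/MANIFEST.sha256"
    [ -s "$1/MANIFEST.sha256" ]
}

# verify_evidence DEST: succeed only if every file still matches the manifest
verify_evidence() {
    ( cd "$1" && _sha -c --status MANIFEST.sha256 )
}

# usage: sh collect.sh /mnt/usb/evidence-$(hostname)-$(date +%F)
if [ "$#" -gt 0 ]; then
    collect_logs /var/log "$1" && collect_state "$1" && hash_evidence "$1" && echo "evidence written to $1"
fi
```

Run it as root so that /var/log, last and the process and socket owners are fully readable, and keep the manifest (or a signed copy of it) separately from the evidence directory.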
IV. Methods of analysis
Form a hypothesis early: guess the most likely intrusion path first and then look for evidence that confirms or refutes it. This usually halves the work.
In general, the logs reveal a great deal. In the secure log, search for "Accepted" to find successful logins and "Failed password" to find brute-force attempts; last shows login sessions and their source addresses; .bash_history shows which commands were run; and so on. Each log is read in its own way, and it is best to do this together with the system administrator, who knows the server best. I won't go into much detail here.
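The secure-log reading described above, as an added example that is not part of the article: two small awk reports over sshd lines from /var/log/secure (auth.log on Debian). The first counts accepted logins per user and address and failed passwords per address; the second flags the pattern behind a weak-password compromise, a successful login from an address that had already failed. It goes slightly beyond the text by locating fields relative to the "sshd[pid]:" token, so it handles both the classic syslog timestamp and ISO-8601 timestamps. The sample log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the article: summarise sshd authentication events in
# /var/log/secure (auth.log on Debian). Fields are located relative to the
# "sshd[pid]:" token, so "Jan  5 03:14:07 host sshd[2201]: ..." and
# "2024-01-05T03:14:07+00:00 host sshd[2201]: ..." are both handled.

# auth_summary FILE: one line per (user, ip) accepted and per ip failed, with counts
auth_summary() {
    awk '
      { for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) break }
      i > NF { next }                         # not an sshd line
      $(i+1) == "Accepted" { acc[$(i+4) " " $(i+6)]++ }
      $(i+1) == "Failed" && $(i+2) == "password" {
          # "Failed password for invalid user bob from IP ..." carries two extra fields
          ip = ($(i+4) == "invalid") ? $(i+8) : $(i+6)
          fail[ip]++
      }
      END {
          for (k in acc)  printf "accepted %s %d\n", k, acc[k]
          for (k in fail) printf "failed %s %d\n", k, fail[k]
      }' "$1" | LC_ALL=C sort
}

# suspicious_logins FILE: successful logins from an address that had already failed,
# i.e. the brute-force-then-success sequence behind most weak-password compromises
suspicious_logins() {
    awk '
      { for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) break }
      i > NF { next }
      $(i+1) == "Failed" && $(i+2) == "password" {
          ip = ($(i+4) == "invalid") ? $(i+8) : $(i+6)
          fail[ip]++
      }
      $(i+1) == "Accepted" && fail[$(i+6)] > 0 {
          printf "%s %s after %d failures\n", $(i+4), $(i+6), fail[$(i+6)]
      }' "$1"
}

# sample_log FILE: constructed secure-log excerpt for trying the reports offline
sample_log() {
    cat > "$1" <<'EOF'
Jan  5 03:14:07 vps sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jan  5 03:14:09 vps sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Jan  5 03:14:11 vps sshd[2205]: Failed password for root from 198.51.100.23 port 51041 ssh2
Jan  5 03:20:40 vps sshd[2310]: Accepted password for root from 198.51.100.23 port 51500 ssh2
Jan  5 09:02:13 vps sshd[2500]: Accepted publickey for alice from 203.0.113.8 port 40212 ssh2: RSA SHA256:constructed
2024-01-05T09:05:00.000000+00:00 vps sshd[2511]: Failed password for alice from 203.0.113.8 port 40220 ssh2
EOF
}

# usage: sh sshd-report.sh /var/log/secure   (use "-" after "sample" to try the constructed log)
if [ "$#" -gt 0 ]; then
    auth_summary "$1"
    echo "--- suspicious ---"
    suspicious_logins "$1"
fi
```

On the constructed sample the second report prints "root 198.51.100.23 after 3 failures", which is exactly the lead to chase in last, .bash_history and the process list. Rotated files (secure-YYYYMMDD, secure.1.gz) must be included, since a brute-force run usually starts before the current file does.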
V. Analysing the impact
Quantify the impact from the server's role, the files it holds and any confidential information on it, together with the risk of data leakage or loss and the effect on the system's users. Record, summarise and analyse the incident so that lessons can be drawn later.
If the attacker has already moved into the intranet, the security of the internal machines must be checked as well and any findings dealt with promptly.
VI. Reinforcement methods
A compromised machine should be treated as untrusted. The most direct and reliable remedy is to rebuild the system from clean media or restore it from a backup taken before the compromise, so regular backups, especially of source code and database data, are essential.
Use what the analysis showed about the intrusion path to fix the root cause: replace weak passwords (or disable password login over SSH in favour of keys) and patch the application vulnerabilities that were exploited.
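For the weak-password path the article describes, the reinforcement step is usually an sshd_config change. The following is an added example, not the article's own code: it audits a config for the settings that make SSH password guessing worthwhile and writes a hardened copy. sshd uses the first value it reads for each keyword, so the audit reads the first value too and the hardened copy puts its settings at the top. The MaxAuthTries limit of 3 is this example's own policy (OpenSSH's default is 6), the keyword names and defaults are OpenSSH's, and the weak config used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config for the settings that
# make SSH password guessing worthwhile, and write a hardened copy. sshd uses the
# FIRST value it reads for each keyword, so the audit reads the first value and the
# hardened copy prepends its settings. Before disabling PasswordAuthentication on a
# real host, install an SSH key and confirm key login works from a second session.

# sshd_value FILE KEYWORD DEFAULT: first effective value (keywords are case-insensitive,
# comments and blank lines skipped, conditional Match blocks not entered)
sshd_value() {
    v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == k           { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE: print each weak setting; return 1 if any was found
audit_sshd() {
    weak=0
    case "$(sshd_value "$1" PermitRootLogin unset)" in
        no|prohibit-password) ;;
        *) echo "PermitRootLogin: set explicitly to no (or prohibit-password)"; weak=1 ;;
    esac
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = "no" ] ||
        { echo "PasswordAuthentication: set to no and use keys"; weak=1; }
    [ "$(sshd_value "$1" PermitEmptyPasswords no)" = "no" ] ||
        { echo "PermitEmptyPasswords: must be no"; weak=1; }
    [ "$(sshd_value "$1" MaxAuthTries 6)" -le 3 ] ||
        { echo "MaxAuthTries: lower to 3 or less (this example's policy)"; weak=1; }
    return $weak
}

# harden_sshd IN OUT: copy IN to OUT with the four keywords forced to safe values at the top
harden_sshd() {
    {
        printf 'PermitRootLogin no\nPasswordAuthentication no\nPermitEmptyPasswords no\nMaxAuthTries 3\n'
        # drop every later setting of those keywords (including inside Match blocks) so they cannot override
        awk 'tolower($1) !~ /^(permitrootlogin|passwordauthentication|permitemptypasswords|maxauthtries)$/' "$1"
    } > "$2"
}

# usage: sh sshd-audit.sh /etc/ssh/sshd_config [/etc/ssh/sshd_config.hardened]
if [ "$#" -gt 0 ]; then
    audit_sshd "$1" || { [ -n "$2" ] && harden_sshd "$1" "$2" &&
        echo "hardened copy written to $2; review it, then check it with: sshd -t -f $2"; }
fi
```

Always validate the result with `sshd -t -f` before installing it and reload sshd while the current session stays open, so a mistake cannot lock you out. If some accounts genuinely need passwords, re-add them under a Match block below the hardened lines rather than weakening the global setting.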
This concludes the walkthrough of emergency response and troubleshooting for Linux server security incidents. I hope it has answered your questions; theory works best alongside practice, so try the steps yourself. For more on related topics, keep following the site, where the editor will continue to publish practical articles.