Shulou(Shulou.com)06/01 Report--

This article is about how to implement intrusion detection in Linux. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Account security:

1. User information file / etc/passwd

# format: account:password:UID:GID:GECOS:directory:shell # user name: password: user ID: group ID: user description: home directory: shell root:x:0:0:root:/root:/bin/bash# view after login. Login user: cat / etc/passwd | grep / bin/bash# view UID=0 user awk-F:'$3customers: 0 {print $1}'/ etc/passwd # check See the sudo user more / etc/sudoers | grep-v "^ #\ | ^ $" | grep "ALL= (ALL)"

Note: no password only allows local login, remote login is not allowed.

2. Shadow file: / etc/shadow

# username: encrypted password: date of last password modification: interval between two password changes: password validity period: warning days to which password modification expires: grace days after password expiration: account expiration time: keep root:$6 $oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::

3. View the current login user and the login duration

Who # View all users currently logged in to the system (tty local login pts remote login) w # shows the users who have logged in to the system, as well as the instructions being executed uptime # to see how long it takes to log in, how many users, and the load status

4. Troubleshoot user login information

View recently logged-in successful users and their information

# displaying logged in indicates that the user is still logging in # pts means logging in remotely from SSH # tty means logging in from the console, that is, logging in to last next to the server

View recent login failed users and their information:

# ssh means logging in remotely from SSH # tty means logging in to sudo lastb from the console

Displays the last login information for all users:

Lastlog

When troubleshooting the server, the hacker is not online, you can use the last command to find out when the hacker logged in, some hackers will delete or empty the / var/log/wtmp file, so we can not use the last command to get useful information.

Before the hacker invades, the / var/log/wtmp file must be locked with chattr + a to avoid being deleted by the hacker

5. Sudo user list

/ etc/sudoers

Intrusion troubleshooting:

# query privileged users (uid is 0): awk-F:'$3privileged users 0 {print $1}'/ etc/passwd # query the account information that can be logged in remotely: awk'/\ $1 |\ $6 / {print $1}'/ etc/shadow # whether there is sudo permission for accounts other than root accounts. If not required by management, ordinary accounts should delete sudo permissions: more / etc/sudoers | grep-v "^ #\ | ^ $" | grep "ALL= (ALL)" # disable or delete redundant and suspicious accounts usermod-L user # disable accounts, the account cannot be logged in, the second column of / etc/shadow is! Starting with userdel user # deleting the user user userdel-r user # deletes the user user and deletes the user directory under the / home directory as well

View the system commands executed by the account through the .bash\ _ history file:

Open .bash _ history under each account directory of / home and view the historical commands executed by ordinary accounts.

Add information such as login IP address, execution time and so on for historical commands:

# 1. Save 10, 000 commands: sed-I's / ^ HISTSIZE = 1000 max HISTSIZE 10000 max g'/ etc/profile # 2, Add the following line number configuration information at the end of the / etc/profile file: USER_IP= `who-u ami 2 > / dev/null | awk'{print $NF}'| sed-e's / [()] / / g' `if ["$USER_IP" = "] then USER_IP= `hostname`configuration"% F% T $USER_IP `whoami` "shopt-s histappend export PROMPT_COMMAND=" history-a "# 3, make the configuration effective source / etc/profile

Note: removal of historical operation commands: history-c

This action does not clear the records saved in the file, so you need to manually delete the records in the .bash\ _ profile file

Check port connectivity:

Netstat-antlp | more

Use the ps command to analyze the process and get the corresponding pid number:

Ps aux | grep 6666

Check the process file path corresponding to pid:

# $PID is the corresponding pid number ls-l / proc/$PID/exe or file / proc/$PID/exe

Analysis process:

# View process by pid number lsof-p 6071 # View the file opened by the process by service name lsof-c sshd # View process by port number: lsof-I: 22

View the start time of the process:

Ps-p 6071-o lstart

Forcibly stop the process according to pid:

Kill-9 6071

Note: if no suspicious files are found, the files may be deleted. The suspicious process has been saved in memory and is a memory process. At this point, you need to find PID and then kill it.

Check the boot entry:

Schematic diagram of the system run level:

Runlevel meaning 0 shutdown 1 single user mode, can be thought of as windows security mode, mainly used for system repair 2 incomplete command line mode, does not include NFS service 3 complete command line mode, that is, standard character interface 4 system retains 5 graphics mode 6 restart

View run-level commands:

Runlevel

Boot configuration file:

/ etc/rc.local / etc/rc.d/rc [00006] .d

When you start the Linux system, you run some scripts to configure the environment-- the rc script. After the kernel initializes and loads all the modules, the kernel starts a daemon called init or init.d. The daemon starts running some of the scripts in / etc/init.d/rc. These scripts include commands to start the services required to run the Linux system

There are two ways to boot up and execute scripts:

Add a startup script between the exit 0 statements of / etc/rc.local. The script must have executable permissions

Add a boot execution script with the update-rc.d command

1. Edit and modify / etc/rc.local

2. Update-rc.d: this command is used to install or remove System-V-style initialization script connections. Scripts are stored in the / etc/init.d/ directory, where you can of course create connection files to connect to script files stored elsewhere.

This command can specify the execution sequence number of the script. The value range of the sequence number is 0-99. The larger the sequence number, the later the execution.

When we need to boot up and start our own script, we just need to drop the executable script in the / etc/init.d directory and establish a soft link in the / etc/rc.d/rc_.d file

Syntax:

Update-rc.d script name or service

# 1. Create a link file in the / etc/init.d directory to the backdoor script: ln-s / home/b4yi/kali-6666.elf / etc/init.d/backdoor # 2, and add the connection file backdoor to the startup script to sudo update-rc.d backdoor defaults 99 with the update-rc.d command

Execute as soon as it is powered on.

Intrusion troubleshooting:

More / etc/rc.local / etc/rc.d/rc [06.6] .d ls-l / etc/rc.d/rc3.d/

Scheduled task troubleshooting:

There are several ways to take advantage of cron:

Crontab-l # lists the timer settings for the current user crontab-r # deletes the cron task for the current user

The above command actually lists the contents of the / var/spool/cron/crontabs/root file:

/ etc/crontab allows only root users to modify

/ var/spool/cron/ stores each user's crontab task, each named after the creator

/ etc/cron.d/ writes files to this directory in the same format as / etc/crontab

Put the script in the / etc/cron.hourly/, / etc/cron.daily/, / etc/cron.weekly/, / etc/cron.monthly/ directory and let it be executed every hour / day / week / month

Tips:

More / etc/cron.daily/* view all files in the directory

Intrusion troubleshooting:

Focus on whether there are malicious scripts in the following directories

/ var/spool/cron/* / etc/crontab / etc/cron.d/* / etc/cron.daily/* / etc/cron.hourly/* / etc/cron.monthly/* / etc/cron.weekly/ / etc/anacrontab / var/spool/anacron/*

Intrusion troubleshooting:

Query installed services:

Services installed by the RPM package:

Chkconfig-- list to check the self-startup status of the service, you can see the service ps aux installed by all RPM packages | grep crond to view the Chinese environment chkconfig-- list of the current service system at levels 3 and 5. | grep "3: enable\ | 5: enable" English environment chkconfig-- list | grep "3:on\ | 5:on"

Services installed by the source package:

Check the service installation location, usually in / user/local/ service httpd start search / etc/rc.d/init.d/ to see if it exists.

Exception file check:

Find the modified file in three ways:

By name

Based on file size

Search by time

Find a file by name

Find /-name a.Test # if the file name is not fully memorized, use the wildcard character * to complete # if it is not case-sensitive, replace-name with-iname

Find by file size:

Find /-size + 1000m # + 1000m represents files larger than 1000m, and-10m represents files less than 10m

Find based on time:

#-atime file access time #-mtime file content modification time #-ctime file status modification time (file permissions, owner / group, file size, etc., of course, the file content changes, ctime will also change) # Note: when the system process / script accesses the file, atime/mtime/ctime will also be modified It doesn't have to be artificial changes to be recorded # find files modified within the last day: find /-mtime-1-ls | more # find files modified 50 days ago: find. /-mtime + 50-ls

Look up according to the owner and group:

-user search according to owner-group search based on group-nouser search for files without ownership-nogroup search for files without ownership # check files whose owner is root find. /-user root-type f #-type f means to find files, and-type d means to find files # Note: there are no owners or files or directories belonging to groups in the system, which can also cause security risks. It is recommended to delete.

Sort by CPU usage from highest to lowest:

Ps-ef-sort-pcpu

Sort by memory usage from high to low:

Ps-ef-sort-pmem

Add:

1. Check sensitive directories, such as files in / tmp directory, and hide folders to ".." The folder named has hidden properties.

2. How to find out the files created within the same time range when you get the creation time of WEBSHELL and remote control Trojans?

You can use the find command, such as find / opt-iname "*"-atime 1-type f to find the files that / opt visited the day before.

3. You can use stat to create and modify files for suspicious files.

Syslog check:

Default location of logs: / var/log/

Must-see logs: secure, history

Check log configuration: more / etc/rsyslog.conf

Log file description / var/log/cron records the log related to the system timing task / var/log/cups record print information / var/log/dmesg records the kernel self-test information when the system is booted, you can also use the dmesg command to directly view the kernel self-test information / var/log/mailog log email message / var/log/message log to record important information of the system. This log file will record most of the important information of the Linux system. If there is a problem with the system, the first thing to check is the log file / var/log/btmp record error login log. This file is a binary file and cannot be viewed directly by vi. Instead, use the lastb command to view / var/log/lastlog the log of the last login time of all users in the system. This file is a binary file. Instead of vi directly, use the lastlog command to view / var/log/wtmp to permanently record the login and logout information of all users, as well as the startup, restart and shutdown events of the system. Similarly, this file is also a binary file, which cannot be vi directly. Instead, you need to use the last command to view / var/log/utmp the information of the currently logged-in user. This file will change with the login and logout of the user, recording only the information of the currently logged-in user. Similarly, this file can not be directly vi, but to use commands such as wQuery whowhousers to query / var/log/secure record authentication and authorization information, as long as the account and password related to the program will record, such as SSH login, su switch users, sudo authorization, and even add users and change the user password will be recorded in this log file / var/log/wtmp login, exit The data exchange, shutdown and restart records / var/log/lastlog file records the last login information of the user, which can be viewed by the lastlog command. / var/log/secure records files that log in to the system to access data, such as pop3/ssh/telnet/ftp, etc. / var/log/cron log information related to scheduled tasks / var/log/message system startup information and error log / var/log/apache2/access.log apache access log

Log analysis skills:

1 、 Locate how many IP are blasting host's root account: grep "Failed password for root" / var/log/secure | awk'{print $11}'| sort | uniq-c | sort-nr | more locate which IP is blasting: grep "Failed password" / var/log/secure | grep-E-o "(25 [0-5] | 2 [0-4] [0-9] | [01]? [0-9] [0-9]?)\. [0-5] | 2 [0-4] [0-9] | [01]? [0-9] [0-9]?)\. (25 [0-5] | 2 [0-4] [0-9]?)\. (25 [0-5] | 2 [0-4] [0-9] | [01]? [0-9] [0-9]?) "| what is the user name dictionary for uniq-c blasting? Grep "Failed password" / var/log/secure | perl-e 'while ($_ =) {/ for (. *?) From/; print "$1\ n" }'| uniq-c | sort-nr 2. Which IP have successfully logged in: grep "Accepted" / var/log/secure | awk'{print $11}'| sort | uniq-c | sort-nr | more login success date, user name, IP: grep "Accepted" / var/log/secure | awk'{print $1meme, 3dint, Q11), add a user kali log: Jul 10 00:12:15 localhost useradd [2382]: new group name=kali: GID=1001 Jul 10 00:12:15 localhost useradd [2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali Shell=/bin/bash Jul 10 00:12:58 localhost passwd: pam_unix (passwd:chauthtok): password changed for kali # grep "useradd" / var/log/secure 4. Delete user kali log: Jul 10 00:14:17 localhost userdel [2393]: delete user 'kali' Jul 10 00:14:17 localhost userdel [2393]: removed group' kali' owned by 'kali' Jul 10 00:14:17 localhost userdel [2393]: removed shadow group' kali' owned by 'kali' # grep "userdel" / var/log/secure 5, Su switching user: Jul 10 00:38:13 localhost su: pam_unix (su-l:session): session opened for user good by root (uid=0) sudo authorized execution: sudo-l Jul 10 00:43:09 localhost sudo: good: TTY=pts/4 PWD=/home/good; USER=root; COMMAND=/sbin/shutdown-r now Thank you for reading! This is the end of this article on "how to achieve intrusion detection in Linux". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.