
Security check notes for UNIX and UNIX-like systems

2025-03-09 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/03 Report--

Here are some personal experience notes that I believe are useful for UNIX or UNIX-like systems (FreeBSD, OpenBSD, NetBSD, Linux, etc.) that are subject to intrusion.

First of all, you can track the intruder's source path through the following system commands and configuration files:

1. who - (see who is logged in to the system)

2. w - (see who is logged in to the system and what they are doing)

3. last - (shows the users and TTYs that have logged in to the system)

4. lastcomm - (shows commands that have been run on the system in the past)

5. netstat - (check the current network status, such as the IP address from which a user telnetted to your machine, as well as other network state)

6. View the router's information.

7. /var/log/messages - check the login status of external users.

8. Use finger to view all logged-in users.

9. View the login history files (.history, .rchist, etc.) under /home/username in the user's home directory.

Note: the commands 'who', 'w', 'last' and 'lastcomm' rely on /var/log/pacct, /var/log/wtmp and /etc/utmp to report information to you. Many shrewd system administrators will lock down these log files (/var/log/*, /var/log/wtmp, etc.), and it is recommended that you install tcp_wrapper to log all connections to your machine.

Second, the system administrator should close all possible back doors and be sure to prevent people from accessing the internal network from the outside. Readers interested in FreeBSD can take a look at the FreeBSD security architecture article in my security literature on the Green Corps site (1). If the intruder realizes that the system administrator has discovered his presence on the system, he may try to cover his tracks with rm -rf /*.

Third, we need to protect the following system commands and system configuration files, to prevent them from being replaced by an intruder to gain the ability to modify the system.

1. /bin/login

2. /usr/etc/in.* files (for example: in.telnetd)

3. Services started by the inetd super daemon (it listens on ports, waits for requests, and spawns the corresponding server process). The following server processes are usually started by inetd: fingerd (79), ftpd (21), rlogind (klogin, eklogin, etc.), rshd, talkd, telnetd (23), tftpd. inetd can also start other internal services defined in /etc/inetd.conf.

4. Non-root users should not be allowed to use netstat, ps, ifconfig, or su.

Fourth, the system administrator should regularly observe changes in the system (such as files, system time, etc.).

1. # ls -lac to check the actual modification time of files.

2. # cmp file1 file2 to compare a file with its backup for changes.

Fifth, we must prevent illegal users from using suid (set-user-id) programs to gain ROOT access.

1. First of all, we need to find all the SUID programs in the system.

# find / -type f -perm -4000 -ls

2. Then we have to analyze the whole system to ensure that there is no back door.

Sixth, the system administrator should regularly check users' .rhosts and .forward files.

1. # find / -name .rhosts -ls -o -name .forward -ls

Check whether a .rhosts file contains '+'; if so, a remote user can access the account without any password.

2. # find / -ctime -2 -ctime +1 -ls

Check files modified within the last two days to determine whether illegal users have broken into the system.
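To automate the Fourth, Fifth and Sixth checks, here is an added shell example (not from the original article) that records a SUID baseline, reports drift from it, and flags '+' wildcard entries in .rhosts-style files; the sample tree, file names and baseline are constructed here so it runs offline without scanning /.

```shell
#!/bin/sh
# Added example, not from the original article: helpers that automate the
# SUID and .rhosts checks. Each takes a root directory argument so it can
# be run against the constructed sample tree below instead of "/".

# Print regular files with the set-user-id bit (mode 4000) below $1, sorted.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Compare the current SUID list below $1 with the sorted baseline file $2.
# Prints "+ path" for new SUID files and "- path" for ones that vanished;
# returns 1 if anything changed, 0 if the system matches the baseline.
suid_drift() {
    now=$(mktemp)
    list_suid "$1" > "$now"
    added=$(comm -13 "$2" "$now")
    removed=$(comm -23 "$2" "$now")
    rm -f "$now"
    [ -z "$added$removed" ] && return 0
    printf '%s\n' "$added"   | sed '/^$/d; s/^/+ /'
    printf '%s\n' "$removed" | sed '/^$/d; s/^/- /'
    return 1
}

# Print lines of a .rhosts or hosts.equiv file whose host field is "+"
# (trusting every host); comment lines never match. Returns 1 if any exist.
rhosts_wildcard() {
    grep -nE '^[[:space:]]*[+]([[:space:]]|$)' "$1" && return 1
    return 0
}

# Constructed sample tree: one legitimate SUID binary in the baseline, one
# planted after the baseline was taken, and a .rhosts that trusts "+ +".
make_sample() {
    mkdir -p "$1/bin" "$1/home/alice"
    : > "$1/bin/su";   chmod 4755 "$1/bin/su"
    : > "$1/bin/evil"; chmod 4755 "$1/bin/evil"
    printf '# trusted hosts\n+ +\n' > "$1/home/alice/.rhosts"
    printf '%s\n' "$1/bin/su" > "$1/suid.baseline"
}
```

Run `list_suid / > /root/suid.baseline` once on a known-good system, then `suid_drift / /root/suid.baseline` from cron, the same way the article suggests comparing rc.conf with its backup.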

Seventh, make sure you have the latest sendmail daemon on your system, because old sendmail daemons allow other UNIX machines to run some illegal commands remotely.

Eighth, the system administrator should obtain secure programs from the operating system vendor of your machine; if it is free software (such as the Linux platform), it is recommended that you go to Linux.box.sk to get the best security programs and security information.

Ninth, here are some check methods to monitor whether the machine is vulnerable.

1. # rpcinfo -p to check whether your machine is running unnecessary RPC services.

2. # vi /etc/hosts.equiv to check the hosts you trust and remove any untrusted ones.

3. If tftpd in /etc/inetd.conf is not disabled, add the following entry to your /etc/inetd.conf so that it runs as nobody and is restricted to /tftpboot:

tftp dgram udp wait nobody /usr/etc/in.tftpd in.tftpd -s /tftpboot

4. It is recommended that you back up /etc/rc.conf and write a shell script that regularly runs cmp rc.conf backup.rc.conf to compare them.

5. Check your /etc/inetd.conf and /etc/services files to make sure no illegal user has added services to them.

6. Back up your system's log files under /var/log/* to a safe place, to guard against # rm /var/log/*.

7. Make sure the anonymous FTP server is configured correctly; my machine uses proftpd, and its proftpd.conf must be configured correctly.

8. Back up /etc/passwd, then change the root password. Be sure this file is not readable by the public, to prevent password guessing.

9. If you cannot keep the intruder out, you can install the ident daemon and the tcpd daemon to find out which account the user is using!

10. Make sure your console terminal is secure, to prevent illegal users from logging in to your network remotely.

11. Check hosts.equiv, .rhosts and hosts.lpd for the comment mark #. If a hostname appears in them instead of being commented out with #, it means that host does not need any password to access your machine.
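To automate the inetd checks in Third (3) and Ninth (3 and 5), here is an added shell example (not from the article) that parses an inetd.conf, warns about enabled r-services and finger, and checks that tftp runs as nobody with the -s restriction shown in item 3; the sample inetd.conf and its server paths are constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: audit an inetd.conf for the
# problems described above. Takes the file path as $1 so it can run on the
# constructed sample below rather than the real /etc/inetd.conf.

# Fields in inetd.conf: service socktype proto wait/nowait user server args...
# Prints one "WARN: ..." line per finding; exit status 1 if any were found.
audit_inetd() {
    awk '
    function warn(msg) { print "WARN: " msg; bad++ }
    /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
    {
        svc = $1; user = $5
        args = " "; for (i = 7; i <= NF; i++) args = args $i " "
        if (svc ~ /^(shell|login|exec|finger)$/)
            warn(svc " is enabled; r-services and finger give outsiders a foothold")
        if (svc == "tftp") {
            if (args !~ / -s /) warn("tftp has no -s directory restriction")
            if (user == "root") warn("tftp runs as root instead of nobody")
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample inetd.conf: commented-out finger is fine, but rshd is
# enabled and tftp runs as root without being restricted to /tftpboot.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# service type   proto wait   user   server                args
ftp      stream tcp   nowait root   /usr/etc/in.ftpd      in.ftpd -l
telnet   stream tcp   nowait root   /usr/etc/in.telnetd   in.telnetd
#finger  stream tcp   nowait nobody /usr/etc/in.fingerd   in.fingerd
shell    stream tcp   nowait root   /usr/etc/in.rshd      in.rshd
tftp     dgram  udp   wait   root   /usr/etc/in.tftpd     in.tftpd
EOF
}
```

Against the sample this prints three warnings (rshd enabled, tftp without -s, tftp as root), while the hardened tftp line from item 3 passes cleanly.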
