1. Preparation

Obtain as much physical access to the suspicious systems as possible, to prevent the intruder from eavesdropping remotely.
Make a physical backup of the hard drive of the detected machine; if necessary, disconnect all network connections of the affected machines.
Use a computer dedicated to the inspection process.
Record the intrusion detection results.
Find the personnel who maintain this server and have them cooperate with you.

2. Steps

Check item 1: whether common programs have been replaced. The most commonly replaced programs are login, ls, ps, ifconfig, du, find and netstat. Compare the hash of each binary with a known-good copy, for example md5sum /bin/netstat against the md5sum of the same file from clean installation media. Disable prelinking first, otherwise the hashes of untouched binaries will not match. Upload chkrootkit and rkhunter and check for rootkits. Scan with the ClamAV antivirus engine: run freshclam, then clamscan -r PATH.

Check item 2: hidden files and directories whose names consist only of dots or spaces.
find / -name '...'
find / -name '.. '
find / -name '. '
find / -name ' '

Check item 3: recent system logins.
last

Check item 4: system users.
less /etc/passwd (check whether new users exist)
grep ':0:' /etc/passwd (check whether an extra UID-0 privileged user exists)
stat /etc/passwd (check the last modification time of passwd)
awk -F: 'length($2)==0 {print $1}' /etc/shadow (list accounts with an empty password)

Check item 5: processes.
ps aux; if a process was started as ./xxx, run kill -9 PID and then ps aux again. If the process reappears, an automatic start script has been planted; locate the program with find / -name process_name -print.
lsof -p PID (view the files and ports opened by a suspicious process)
Hidden processes: compare the PIDs reported by ps with the PIDs present in /proc:
ps -ef | awk '{print $2}' | sort -n | uniq > 1
ls /proc | sort -n | uniq > 2
diff 1 2

Check item 6: network connections and listening ports.
ip link | grep PROMISC (an interface in promiscuous mode may indicate sniffing)
netstat -lntp (view the listening ports)
netstat -antp (view all established connections; pay particular attention to connections initiated by this host to external addresses)
arp -an (check whether the ARP records are normal)

Check item 7: scheduled tasks.
crontab -u root -l (check the scheduled tasks of user root)
cat /etc/crontab (check for abnormal entries)
ls /var/spool/cron (check for abnormal entries)
ls -l /etc/cron.* (check for changes to the cron files)

Check item 8: startup items.
Check the contents of the /etc/rc.local file. Check the startup items with systemctl or chkconfig.

Check item 9: logs.
System logs: messages, secure, cron, maillog and others. Application logs: Apache, Nginx, FTP, MySQL and Oracle. Command history: bash_history. Points to look for in security event analysis: abnormal users logging in at abnormal times; incomplete log files; login IP addresses that differ from previous ones; failed login records; illegal or improper use of the su command; unauthorized or unjustified restarts of network services.

Check item 10: webshell check.
Scan the web directories with tools such as D-Shield, LMD or Security Dog (Safedog).
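Check items 4 and 5 above are easy to get wrong by eye, so here is an added example (not part of the original checklist) that turns them into small shell functions. The function names, the scratch paths and the sample passwd/shadow/PID data are all constructed for this illustration; the functions take file paths so they can be run against files copied off a suspect host or a disk image as well as on the live system.

```shell
#!/bin/sh
# Added example, not part of the original checklist: scriptable forms of check
# items 4 and 5. Functions take file paths, so they run equally on copies of
# passwd/shadow and saved PID lists from a suspect host or disk image.

# Check item 4: UID-0 accounts other than root; any extra one is a
# privileged backdoor until proven otherwise.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Check item 4: accounts whose shadow password field is empty, i.e. login
# with no password at all. Locked entries ("!" or "*") are not reported.
empty_password_accounts() {
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Check item 5: PIDs present in /proc ($2) but absent from ps output ($1), one
# PID per line. Processes that start or exit between the two snapshots also
# appear, so snapshot back to back and re-run before calling a PID hidden.
hidden_pids() {
    awk 'NR == FNR { seen[$1] = 1; next }
         $1 ~ /^[0-9]+$/ && !($1 in seen)' "$1" "$2"
}

# Take both snapshots on the live host and report the difference.
live_hidden_pids() {
    ps -e -o pid= > "/tmp/ps_pids.$$"
    ls /proc | grep -E '^[0-9]+$' > "/tmp/proc_pids.$$"
    hidden_pids "/tmp/ps_pids.$$" "/tmp/proc_pids.$$"
    rm -f "/tmp/ps_pids.$$" "/tmp/proc_pids.$$"
}

# Constructed sample data (not from a real host): "toor" is a planted UID-0
# account with an empty password, and PID 4242 exists in /proc but not in ps.
write_samples() {
    d="${TMPDIR:-/tmp}/ir_check_samples"
    mkdir -p "$d"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' 'toor:x:0:0::/root:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:$6$salt$hash:17246:0:99999:7:::' \
        'bin:*:17246:0:99999:7:::' 'toor::17246:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 1 2 100 > "$d/ps_pids"
    printf '%s\n' 1 2 100 4242 self > "$d/proc_pids"
    echo "$d"
}
```

Source the file and call live_hidden_pids on the host being examined, or run the three check functions on the files that write_samples creates: they report toor, toor and 4242 respectively.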

3. Notes on detection

If the services on the machine are important and cannot be disconnected from the network, back up all important data. If the services on the machine are not important, disconnect the network and store the hard disks externally. Tools such as dd can be used to image the disks and look for evidence of hacking activity. Forensics tools can be used to look for files used by the attackers, to find out whether remote controls or backdoors are present, and to identify the vulnerabilities exploited by the attackers so they can be fixed.

4. Repair

Reinstall the system from the original media and install all patches. Change the passwords of all system-related accounts of the web server (including database connection strings). Configure directory permissions and configuration files according to the security standard. Try to check and restore the files tampered with by the attacker.

5. Issue test report

Detection summary
Steps
Preliminary detection results (a problem may have occurred at XX)
Impact of the intrusion event on services
Improvement suggestions

6. Prevent the server from being invaded

In computer security, we can analyze the risks to a server, and the corresponding preventive measures, from four aspects.

1. Physical environment security

Physical environment refers to the location where our server is stored, and we need to analyze whether it has the following risks:

If you own your own server, it must sit in a relatively isolated dedicated room with access control and video surveillance. A server that everyone can touch is not secure at all: as long as it is physically accessible, it can be stolen by malicious people, who can then crack it at leisure and extract its information. If the server is hosted, you must require the hosting party to provide the access control, video surveillance and so on mentioned above, which they usually do. If it is a cloud server, that is, a virtual machine, you should require that the cloud service provider's physical servers be located in China and have the basic physical security described above.

2. Communication network security

The communication network is the network over which the server provides services externally. This is the one we are familiar with. We need to take the following measures to ensure its safety:

The egress must have a firewall (a two-node cluster where conditions allow). Firewall rules let you block the ports that do not need to be open, which narrows the range of attack available to hackers. Servers and desktop terminals must not reside in the same network area; at the very least, separate them by VLAN. Access to external services should be encrypted as far as possible; for example, web services should be provided over HTTPS wherever possible. If branches are deployed, connect them with encrypted IPsec VPN or SSL VPN. The server itself should have a TPM chip (a common component these days), a trusted computing module that helps the server protect its internal computing information so that nothing is stolen during processing.

3. Regional border security

Although different areas are isolated from each other by VLAN, a firewall system still needs to be deployed so that low-security areas cannot reach high-security areas at will. In addition to the egress firewall mentioned above, the egress border can also be equipped with an IPS to defend against attacks, because a firewall only narrows the attack surface. It is like a security guard in a neighborhood who filters the people going in and out, but who cannot stop attacks that impersonate normal traffic. Therefore an IPS must be deployed to defend against intrusion. The servers must also be protected by an antivirus system: if there are many servers, deploy antivirus gateways; if there are only one or two, install enterprise antivirus software on the servers themselves to prevent virus infection.

4. Computing security

The system must be hardened, that is, the operating system must be patched in time, especially with security patches. If there are many servers, harden the system on all of them. Identity security: server passwords must be complex and changed regularly; if conditions permit, adopt two-factor authentication combining dynamic and static passwords. Scan for vulnerabilities periodically so that vulnerabilities are caught while the server is in use, and fix any vulnerability as soon as it is detected. Server logs must be collected centrally and analyzed periodically by O&M personnel; if the logs reveal abnormal intrusion behavior, raise an early warning immediately and take defensive action. Finally, to prevent malicious intrusion by internal personnel, we also need a bastion host (fortress machine) through which all operation and maintenance personnel access the servers, so that permissions are enforced at all times and every action can be traced.

7. Check step examples

7.1 Intruders may delete the machine's logs. Run the following commands to check whether the logs still exist or have been cleared:

[root@hlmcen69n3 ~]# ll -h /var/log/*
-rw-------. 1 root root 2.6K Jul 7 18:31 /var/log/anaconda.ifcfg.log
-rw-------. 1 root root 23K Jul 7 18:31 /var/log/anaconda.log
-rw-------. 1 root root 26K Jul 7 18:31 /var/log/anaconda.program.log
-rw-------. 1 root root 63K Jul 7 18:31 /var/log/anaconda.storage.log
[root@hlmcen69n3 ~]# du -sh /var/log/*
8.0K /var/log/anaconda
4.0K /var/log/anaconda.ifcfg.log
24K /var/log/anaconda.log
28K /var/log/anaconda.program.log
64K /var/log/anaconda.storage.log

7.2 Intruders may create a new user name and password file. Check the permissions and modification times of the /etc/passwd and /etc/shadow files:

[root@hlmcen69n3 ~]# ll /etc/pass*
-rw-r--r--. 1 root root 1373 Sep 15 11:36 /etc/passwd
-rw-r--r--. 1 root root 1373 Sep 15 11:36 /etc/passwd-
[root@hlmcen69n3 ~]# ll /etc/sha*
----------. 1 root root 816 Sep 15 11:36 /etc/shadow
----------. 1 root root 718 Sep 15 11:36 /etc/shadow-

7.3 Intruders may modify user names and passwords. View the /etc/passwd and /etc/shadow files to identify such changes:

[root@hlmcen69n3 ~]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
 
[root@hlmcen69n3 ~]# more /etc/shadow
root:*LOCK*:14600::::::
bin:*:17246:0:99999:7:::
daemon:*:17246:0:99999:7:::

7.4 Run the lastlog command, which reads /var/log/lastlog, to view the time of each user's last successful login and last unsuccessful login:

[root@hlmcen69n3 ~]# lastlog
Username         Port     From             Latest
root                                       **Never logged in**
bin                                        **Never logged in**
daemon                                     **Never logged in**

7.5 Run the who command to view all currently logged-in users, as recorded in the log file /var/run/utmp:

[root@hlmcen69n3 ~]# who
stone    pts/0        2017-09-20 16:17 (X.X.X.X)
test01   pts/2        2017-09-20 16:47 (X.X.X.X)

7.6 Run the last command to view the login history recorded in the log file /var/log/wtmp:

[root@hlmcen69n3 ~]# last
test01   pts/1        X.X.X.X   Wed Sep 20 16:50   still logged in
test01   pts/2        X.X.X.X   Wed Sep 20 16:47 - 16:49  (00:02)
stone    pts/1        X.X.X.X   Wed Sep 20 16:46 - 16:47  (00:01)
stone    pts/0        X.X.X.X   Wed Sep 20 16:17   still logged in

7.7 Run the ac -dp command to query the connection time (in hours) of all users of the machine, broken down by day; this is also derived from the log file /var/log/wtmp:

[root@hlmcen69n3 ~]# ac -dp
	stone                               11.98
Sep 15	total       11.98
	stone                               67.06
Sep 18	total       67.06
	stone                                1.27
	test01                               0.24
Today	total        1.50

7.8 If abnormal traffic is generated on the machine, run the tcpdump command to capture network packets, or use the iperf tool to measure the traffic.

7.9 Review the /var/log/secure log file, which records authentication events such as sshd and su activity, to discover intruders.
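As an added example (not part of the original page), the following shell functions pull the three patterns that check item 9 asks for out of a /var/log/secure file: failed SSH logins per source address, a successful login from an address that had failed attempts earlier, and su sessions opened as root. The hostname hlmcen69n3 comes from the page; the function names, IP addresses and log lines are constructed for this illustration, and the patterns assume the sshd and pam_unix message formats written on RHEL/CentOS.

```shell
#!/bin/sh
# Added example, not part of the original page: triage helpers for /var/log/secure
# (check item 9 and step 7.9). The patterns match the sshd and pam_unix lines
# written on RHEL/CentOS; Debian's auth.log and journald output differ slightly.

# Failed SSH password attempts per source address, most frequent first.
failed_logins_by_source() {
    awk '/sshd.*Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Successful logins from an address that had failed attempts earlier in the
# same log: the "failed records precede the login" pattern the checklist
# asks for. Prints "user address".
success_after_failures() {
    awk '/sshd.*Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i+1)] = 1
         }
         /sshd.*Accepted/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from" && ($(i+1) in bad)) print $(i-1), $(i+1)
         }' "$1"
}

# Users who opened an su session as root (improper su use).
su_to_root() {
    awk '/su.*session opened for user root by/ {
             u = $NF; sub(/\(.*/, "", u); print u
         }' "$1"
}

# Constructed sample log (not a real capture): a brute-force burst from
# 203.0.113.7 followed by a successful login and an su to root.
write_secure_sample() {
    f="${TMPDIR:-/tmp}/secure.sample"
    cat > "$f" <<'EOF'
Sep 20 16:17:02 hlmcen69n3 sshd[2101]: Accepted password for stone from 10.0.0.5 port 50122 ssh2
Sep 20 16:20:11 hlmcen69n3 sshd[2188]: Failed password for root from 203.0.113.7 port 41022 ssh2
Sep 20 16:20:13 hlmcen69n3 sshd[2188]: Failed password for root from 203.0.113.7 port 41024 ssh2
Sep 20 16:20:15 hlmcen69n3 sshd[2190]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Sep 20 16:47:30 hlmcen69n3 sshd[2301]: Accepted password for test01 from 203.0.113.7 port 41100 ssh2
Sep 20 16:49:00 hlmcen69n3 su: pam_unix(su:session): session opened for user root by test01(uid=1001)
EOF
    echo "$f"
}
```

On a real host, point the three functions at /var/log/secure (and its rotated copies); on the sample they report "3 203.0.113.7", "test01 203.0.113.7" and "test01".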