
Original: https://www.toutiao.com/a6688547181718143499/

Security is always relative: no matter how secure a server is, it may still be attacked. As security O&M personnel, you must follow these principles: do your best to protect the system, fix all known dangerous behaviors, and deal with attacks promptly and effectively so that their impact on the system is minimized.

First, the general approach to handling a server attack

It is not terrible that a system is attacked; what is terrible is being helpless in the face of the attack. The following is a detailed introduction to the general approach to take after a server has been attacked.

1. Disconnect the network

All attacks come from the network, so once you know that the system is being attacked, the first thing to do is disconnect the server's network connection. Besides cutting off the attack source, this also protects the other hosts on the network where the server is located.

2. Locate the attack source

Analyze the system logs and login log files for suspicious information, check which ports are open and which processes are running, and from those processes work out which programs are suspicious. This tracing and analysis relies on experience and sound overall judgment. The following sections describe how this process is handled.

3. Analyze the cause and route of the intrusion

If the system was breached, the reason can vary: it may be a system vulnerability or a bug in an application. Be sure to find out the cause and the route of the attack and to locate the attack source, because only when you know both the cause and the route can you remove the source and repair the exploited vulnerability at the same time.

4. Back up user data

After the server is attacked, back up the user data on the server immediately and check whether the attack source is hidden in that data. If the attack source is in the user data, delete it completely and then back up the user data to a secure place.

5. Reinstall the system

Never assume you can thoroughly remove the attack source yourself, because nobody understands an attack program better than the hacker who planted it. After a server has been attacked, the safest and simplest approach is to reinstall the system: most attack programs depend on system files or the kernel, so reinstalling the system removes the attack source thoroughly.

6. Fix program or system bugs

After discovering a system vulnerability or an application vulnerability, the first thing to do is fix the system vulnerability or the program bug, because only after the vulnerability has been repaired can the program be officially run on the server again.

7. Restore data and connect to the network

Copy the backed-up data to the newly installed server, start the services, and then enable the server's network connection so that it provides services externally again.

Check and lock suspicious users

When a server is found to have been attacked, the first step is to cut off the network connection. In some cases, however, the connection cannot be cut off immediately; then you must log in to the system and check whether there are suspicious users. If a suspicious user is logged in, lock that user immediately and then terminate the user's remote connection.

1. Log in to the system to view suspicious users

Log in as root and run the w command to list all users currently logged in to the system, as shown in the following figure.

From this output you can check for suspicious or unfamiliar logins and judge whether a user is illegitimate based on the user name, the source address the user logged in from, and the process the user is running.

2. Lock suspicious users

If a suspicious user is found, lock the user immediately. For example, if user nobody is found to be suspicious in the output of the w command, lock the user as follows:

[root@server ~]# passwd -l nobody

After locking, the user may still be logged in, so you also need to kick the user offline. From the output of the w command you can obtain the PID of the user's login session. The operation is as follows:

[root@server ~]# ps -ef|grep @pts/3
531 6051 6049 0 19:23 ? 00:00:00 sshd: nobody@pts/3
[root@server ~]# kill -9 6051

This kicks the suspicious user nobody offline, and if the user tries to log in again, the login fails.
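The following is an added shell example, not from the original article, that wraps the lock / find-session-PID / kill sequence above into two functions. The PID parser reads `ps -eo pid,user,args` output on stdin and assumes the `sshd: user@pts/N` process name shown above; lock_and_kick additionally kills every other process the account still owns, which the page's single kill -9 leaves running.

```shell
# sshd_session_pids USER: print the PIDs of USER's sshd session processes.
# Reads `ps -eo pid,user,args` output on stdin so it can be tested on
# constructed data; assumes the "sshd: user@pts/N" naming shown above.
sshd_session_pids() {
  user=$1
  while read -r pid owner args; do
    case "$args" in
      "sshd: $user@"*) echo "$pid" ;;   # the per-session sshd, as in the page
    esac
  done
  return 0
}

# lock_and_kick USER: must be run as root.
lock_and_kick() {
  user=$1
  passwd -l "$user" || return 1                    # lock the password, as the page does
  for pid in $(ps -eo pid,user,args | sshd_session_pids "$user"); do
    kill -9 "$pid"                                 # drop the remote session
  done
  # the page's single kill leaves the account's other processes alive
  # (nohup'd shells, cron jobs); kill everything it still owns
  pkill -KILL -u "$user"
  return 0
}
```

Note that passwd -l only disables the password; depending on the sshd and PAM configuration, an account with a key in ~/.ssh/authorized_keys may still be able to log in, so review that file as well.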

3. Run the last command to view user login events

The last command shows the log of every user login to the system, which can be used to search for unauthorized logins. Its output comes from the /var/log/wtmp file. Experienced intruders will delete /var/log/wtmp to cover their tracks, but traces can often still be found in this file.

3. View system logs

System logs include /var/log/messages and /var/log/secure, which record the running status of software and the login status of remote users. You can also look at the .bash_history file in each user's home directory; in particular, the .bash_history file in the /root directory contains all the commands the root user has executed.

Check and close suspicious processes in the system

Many commands can be used to check suspicious processes, such as ps and top. If you only know the name of a suspicious process, however, you can find its path as follows:

Run the pidof command to find the PID of the running process. For example, to find the PID of the sshd process, run the following command:

Then go into the /proc directory (the kernel's in-memory process directory) and check the exe entry in the directory for that PID:

This gives the full execution path of the process. To see which file handles the process holds open, view the following directory:

[root@server ~]# ls -al /proc/13276/fd

In this way you can find the complete execution information of any process. There are also many similar commands that help O&M personnel find suspicious processes; for example, you can find the PID of the process using a specified port or TCP/UDP protocol and then locate the related process:

In some cases the attacker's programs are deeply hidden, for example a rootkit backdoor. In that case ps, top, netstat and similar commands may themselves have been replaced, and checking for suspicious processes with the system's own commands becomes unreliable. Tools such as chkrootkit and rkhunter, introduced earlier, make it easy to find programs in the system that have been replaced or tampered with.
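The following is an added shell example, not from the original article, that automates the /proc walk described above (exe, cwd, cmdline and the fd directory) and flags the cases a responder cares about: a binary deleted from disk after it started, or one running from /tmp, /dev/shm or a home directory. It generalizes the page's single-PID lookup; the list of suspicious locations is an assumption of this example, not something the page prescribes.

```shell
# inspect_pid PID: resolve a process's executable, working directory and
# command line from /proc, the way the page reads /proc/PID/exe, and report
# anything that deserves a closer look. Run as root to see other users' processes.
inspect_pid() {
  pid=$1
  [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
  cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
  cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
  printf 'pid=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
  # open descriptors pointing at deleted files: a file unlinked after the
  # process opened it (a common way to hide a payload on disk)
  for fd in "/proc/$pid/fd"/*; do
    t=$(readlink "$fd" 2>/dev/null) || continue
    case "$t" in *"(deleted)") echo "fd=$(basename "$fd") -> $t" ;; esac
  done
  exe_verdict "$exe"
  return 0
}

# exe_verdict PATH: print a verdict on an executable path;
# returns 0 if it is worth investigating, 1 if nothing stands out.
# (The location list below is this example's assumption.)
exe_verdict() {
  case "$1" in
    "")           echo "WARN: exe unreadable (kernel thread, or hidden by permissions)"; return 0 ;;
    *"(deleted)") echo "WARN: binary was deleted from disk while still running"; return 0 ;;
    /tmp/*|/var/tmp/*|/dev/shm/*|/home/*)
                  echo "WARN: executable runs from $1"; return 0 ;;
  esac
  echo "OK: $1"
  return 1
}
```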

5. Check the integrity of the file system

Checking whether file attributes have changed is the simplest and most direct way to verify the integrity of the file system. For example, you can compare the size of /bin/ls on the compromised server with that of the same file on a clean system to see whether it has been replaced. This method is rather crude, however; a better option is the rpm tool under Linux, used as follows:

The meaning of each flag in the output is as follows:

  • S indicates that the file length has changed

  • M indicates that the access permission or file type is changed

  • 5 indicates that the MD5 checksum has changed

  • D indicates that the attributes of the device node have changed

  • L indicates that the symbolic link of the file has changed

  • U indicates that the owner of the file, subdirectory, or device node has changed

  • G indicates that the group of the file/subdirectory/device node has changed

  • T indicates that the time when the file was last modified has changed

If an M flag appears in the output, the corresponding file may have been tampered with or replaced. In that case you can uninstall the RPM package and reinstall it to get rid of the attacked file.

This command has a limitation, however: it can only check files installed from RPM packages, not files installed by other means. Also, if the rpm tool itself has been replaced, this method cannot be trusted; in that case, copy an rpm binary from a clean system and use it to perform the check.
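The following is an added shell example, not from the original article, that sorts the lines rpm -Va prints into missing files, modified config files, suspect binaries and informational changes, using the flag meanings listed above. It goes slightly beyond the page by treating S (size) and 5 (checksum) as tampering indicators alongside M; the sample output in the test is constructed.

```shell
# classify_rpm_verify: read `rpm -Va` output on stdin and sort each line.
# rpm prints a 9-character flag string (see the list above), an optional
# file-type letter (c=config, d=doc, g=ghost, l=license, r=readme) and the path.
classify_rpm_verify() {        # usage: rpm -Va | classify_rpm_verify
  while read -r flags rest; do
    [ -z "$flags" ] && continue
    if [ "$flags" = "missing" ]; then
      echo "MISSING  $rest"     # file from the package is gone entirely
      continue
    fi
    case "$rest" in
      [cdglr]\ *) ftype=${rest%% *}; path=${rest#* } ;;
      *)          ftype=-;            path=$rest ;;
    esac
    case "$flags" in
      *5*|*S*|*M*)
        # content, size or mode changed: normal for an edited config file,
        # alarming for a binary such as /bin/ls
        if [ "$ftype" = c ]; then echo "CONFIG   $path ($flags)"
        else                      echo "SUSPECT  $path ($flags)"; fi ;;
      *) echo "INFO     $path ($flags)" ;;   # only mtime, owner, group etc. differ
    esac
  done
  return 0
}
```

SUSPECT lines are the ones to reinstall from a trusted package, as the text above recommends; remember that files not owned by any RPM never appear here at all.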

You can also use the chkrootkit and rkhunter tools to check the file system; the next section describes how to use them.
