Account Security:

1. User information file: /etc/passwd

Format: account:password:UID:GID:GECOS:directory:shell
(user name : password placeholder : user ID : group ID : user details : home directory : shell run after login)

Example: root:x:0:0:root:/root:/bin/bash

View login users:

cat /etc/passwd | grep /bin/bash

Query the user whose UID is 0

awk -F: '$3==0{print $1}' /etc/passwd

View users with sudo permissions:

more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"

Note: a password-less (NOPASSWD) sudo entry should be restricted to local console use; such accounts should not be allowed to log in remotely.

2. Shadow file: /etc/shadow

Format: username:encrypted password:date of last password change:minimum days between changes:maximum password validity in days:warning days before expiry:grace days after expiry:account expiration date:reserved

root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::

The prefix of the hash identifies the algorithm: $6$ is SHA-512, $1$ is MD5. A password field starting with "!" or "*" means the account is locked and cannot log in with a password.

3. View the currently logged-in users and login duration

who      # all users currently logged in (TTY = local login, PTS = remote login)
w        # all current users and the command each one is executing
uptime   # how long the system has been up, how many users are logged in, load average


4. Check user login information

View the recently logged-in users:

last

"still logged in" in the output means the user has not logged out. pts means the user logged in remotely over SSH; tty means a login from the console, i.e. physically at the server.

lastlog        # last login time of every account
sudo lastb     # failed login attempts (reads /var/log/btmp)

If lastlog shows the attacker is not online at the moment, use last to find out when they logged in. Some attackers delete or empty /var/log/wtmp after logging in, in which case last yields nothing useful.

Before an intrusion happens, make /var/log/wtmp append-only with chattr +a so it cannot be truncated or deleted:

chattr +a /var/log/wtmp

5. Sudo user list

Query privileged users (UID 0):

awk -F: '$3==0{print $1}' /etc/passwd

Query accounts that have a real password hash ($1$ or $6$ prefix) and can therefore log in remotely:

awk -F: '/\$1\$|\$6\$/{print $1}' /etc/shadow

Apart from root, check whether any other account has sudo permissions. Unless administration requires it, ordinary accounts should have their sudo permissions removed:

more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"

Disable or delete unnecessary or suspicious accounts:

  • usermod -L user     # lock the account so it cannot log in; a "!" is prepended to its hash in /etc/shadow
  • userdel user        # delete the user
  • userdel -r user     # delete the user and its home directory under /home
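The checks above as reusable functions, added here as an example that is not part of the original page. It runs against constructed passwd/shadow samples rather than the live /etc files; the planted account "toor" (a second UID 0 with an MD5 hash) and the locked service account "svcacct" are made up for the demo, and the placeholder hashes are not real.

```sh
#!/bin/sh
# Added example: audit a passwd/shadow pair for accounts that can log in.
# Constructed sample files stand in for /etc/passwd and /etc/shadow.

PASSWD_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
good:x:1000:1000::/home/good:/bin/bash
toor:x:0:0::/root:/bin/bash
svcacct:x:1001:1001::/var/lib/svc:/bin/sh
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
daemon:*:16809:0:99999:7:::
good:$6$cTn5Pq1e$placeholder.sha512.hash.for.the.demo:16809:0:99999:7:::
toor:$1$abc123$placeholderMD5hash:16809:0:99999:7:::
svcacct:!:16809:0:99999:7:::
EOF

# Every UID 0 account, not only root: a second one is a classic planted backdoor.
uid0_users()     { awk -F: '$3 == 0 {print $1}' "$PASSWD_FILE"; }
# Accounts with an interactive login shell (/bin/sh or /bin/bash).
shell_users()    { awk -F: '$7 ~ /\/(ba)?sh$/ {print $1}' "$PASSWD_FILE"; }
# Accounts whose password field is a usable crypt hash ($<id>$...).
hashed_users()   { awk -F: '$2 ~ /^\$[0-9a-z]+\$/ {print $1}' "$SHADOW_FILE"; }
# "!" or "*" in the password field: password login is locked.
locked_users()   { awk -F: '$2 ~ /^[!*]/ {print $1}' "$SHADOW_FILE"; }
# $1$ is MD5-crypt: weak, and unusual on a modern system, so worth a look.
md5_hash_users() { awk -F: '$2 ~ /^\$1\$/ {print $1}' "$SHADOW_FILE"; }

# Accounts with both a login shell and a usable hash can log in interactively
# (e.g. over SSH). Each list is unique, so duplicates after merging = intersection.
loginable_users() { { shell_users; hashed_users; } | sort | uniq -d; }

echo "UID 0 accounts:      $(uid0_users | tr '\n' ' ')"
echo "can log in:          $(loginable_users | tr '\n' ' ')"
echo "locked:              $(locked_users | tr '\n' ' ')"
echo "MD5 (weak) hashes:   $(md5_hash_users | tr '\n' ' ')"
```

To run the same functions against a live host, point PASSWD_FILE and SHADOW_FILE at /etc/passwd and /etc/shadow (the latter needs root).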

Use the .bash_history file to view the commands an account has executed:

Open the .bash_history file in each account's home directory under /home (and /root/.bash_history for root) to view the command history of ordinary accounts.

To record extra information with each history entry, such as the login IP address and the time the command was executed:

1. Save 10,000 commands instead of 1,000:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

2. Append the following to the end of /etc/profile:

USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
    USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"

3. Make the configuration take effect:

source /etc/profile

Note: history -c clears only the in-memory history of the current shell. It does not remove the records already saved to the file, so those must be deleted from the .bash_history file by hand; conversely, when investigating, check the file even if history shows nothing.

Check port connections:

netstat -antlp | more

Use ps to analyse the process and get its PID (here, a process associated with port 6666):

ps aux | grep 6666

Check the file path of the process, where $PID is the PID number:

ls -l /proc/$PID/exe
file /proc/$PID/exe

Analyse the process:

View a process by PID:

lsof -p 6071

View the files opened by a process, by service name:

lsof -c sshd

View processes by port number:

lsof -i :22

Query the start time of a process:

ps -o lstart= -p $PID

Forcibly stop a process by PID:

kill -9 6071

Note: if the binary of a suspicious process cannot be found on disk, it was probably deleted after launch and now exists only in memory; /proc/$PID/exe then shows the old path followed by "(deleted)". Find the PID and kill it, and if you need the binary for analysis copy it out of /proc/$PID/exe first, since the link stays readable while the process lives.
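The "in-memory process" case from the note above, as an added example that is not part of the original page. It spawns a copy of sleep under a made-up name (kali-6666, the backdoor name used elsewhere on this page), deletes the copy, and then shows what /proc reveals about the running process and how to recover the image.

```sh
#!/bin/sh
# Added example: detect a process whose executable was deleted after launch.
# /proc/<pid>/exe keeps pointing at the unlinked file; readlink reports it with
# a " (deleted)" suffix, and the image can still be copied out through that link.

# Resolved path of the running binary; ends in " (deleted)" if it was unlinked.
exe_path() { readlink "/proc/$1/exe"; }

# Prints "yes" when the process runs from a deleted file, "no" otherwise.
exe_deleted() {
    case "$(exe_path "$1")" in
        *" (deleted)") echo yes ;;
        *)             echo no  ;;
    esac
}

# Start time and command line: record both before killing the process.
proc_start()   { command -v ps >/dev/null && ps -o lstart= -p "$1"; }
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline"; echo; }

# Copy the still-mapped image out for analysis before the process dies.
recover_image() { cp "/proc/$1/exe" "$2"; }

# Demo: start a copy of sleep under a constructed implant name, then unlink it.
# Sets DEMO_PID for the caller.
spawn_deleted_demo() {
    dir=$(mktemp -d)
    cp "$(command -v sleep)" "$dir/kali-6666"   # stand-in for an implant
    "$dir/kali-6666" 300 &
    DEMO_PID=$!
    sleep 1                                      # let exec() finish before unlinking
    rm -f "$dir/kali-6666"
    rmdir "$dir"
}

spawn_deleted_demo
echo "pid $DEMO_PID exe:     $(exe_path "$DEMO_PID")"        # .../kali-6666 (deleted)
echo "running from deleted: $(exe_deleted "$DEMO_PID")"
echo "started:              $(proc_start "$DEMO_PID")"
echo "cmdline:              $(proc_cmdline "$DEMO_PID")"
img=$(mktemp); recover_image "$DEMO_PID" "$img"
echo "image saved to $img ($(wc -c < "$img") bytes)"
kill "$DEMO_PID"; rm -f "$img"
```

On a real host, run exe_deleted against the PID obtained from netstat or ps; a "yes" there is the case the note describes, and recover_image is the step to take before kill -9.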

Check startup items:

(Schematic diagram of the system run levels omitted.)

View the current run level:

runlevel

Startup configuration files: /etc/rc.local and /etc/rc.d/rc[0-6].d

These scripts run to set up the environment when Linux boots. After the kernel has initialised and loaded its modules, it starts a daemon called init; init runs the scripts under /etc/init.d (through the rc[0-6].d links), which contain the commands that start the services the system needs.

There are two ways to execute a script at startup:

1. Modify /etc/rc.local: add the startup script before the exit 0 line. The script must have execute permission.

2. Use update-rc.d to register a boot-time script.

update-rc.d installs or removes System V style init script links. The scripts live in /etc/init.d/; you can also place a link there that points to a script stored elsewhere.

With this command you can specify the sequence number of the script, from 0 to 99; the higher the number, the later the script runs.

To start your own script at boot, put the executable script in /etc/init.d and create a symlink to it in the appropriate /etc/rc.d/rcN.d directory (update-rc.d creates these links for you).

Syntax:

update-rc.d <script name or service> <remove | defaults | disable | enable>

Example of how an ELF backdoor is planted as a service (link the binary into /etc/init.d, then register it to run last):

ln -s /home/b4yi/kali-6666 /etc/init.d/backdoor
sudo update-rc.d backdoor defaults 99

Intrusion detection:

more /etc/rc.local
ls -l /etc/rc.d/rc[0-6].d
ls -l /etc/rc.d/rc3.d/

Check whether scheduled tasks exist:

crontab -l    # list the current user's cron jobs (this prints the contents of /var/spool/cron/crontabs/<user>, or /var/spool/cron/<user> on Red Hat systems)
crontab -r    # delete all of the current user's cron jobs

Paths to check for cron:

/etc/crontab          system crontab; can only be modified by root
/var/spool/cron/      per-user crontabs, one file per user, named after its owner
/etc/cron.d/          drop-in files in the same format as /etc/crontab
/etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, /etc/cron.monthly/   scripts run hourly, daily, weekly and monthly

Tip:

View all files in /etc/cron.daily/ (and likewise the other directories):

more /etc/cron.daily/*

Pay attention to whether malicious scripts exist in the following locations:

/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*

Query the installed services:

Services installed from RPM packages:

chkconfig --list        # lists every service installed by RPM and its state at each run level
ps aux | grep crond     # check the cron daemon itself

System startup items at run levels 3 and 5, Chinese locale:

chkconfig --list | grep "3:启用\|5:启用"

English locale:

chkconfig --list | grep "3:on\|5:on"

Services installed from source:

These usually live under /usr/local/ and are started by hand (for example with service httpd start). Search /etc/rc.d/init.d/ for abnormal files.

You can find modified files in three ways:

  • by name
  • by file size
  • by time

Find files by name:

find / -name a.test

If the file name is incomplete, use the wildcard * to complete it. For a case-insensitive match, replace -name with -iname.

Search by file size:

find / -size +1000M

+1000M means files larger than 1000 MB; -10M means files smaller than 10 MB.

Find by time:

-atime   the time the file was last accessed
-mtime   the time the file content was last modified
-ctime   the time the file status (inode) last changed: permissions, owner/group, size, etc. Writing the content also updates ctime.

Note: atime/mtime/ctime are updated whenever any system process or script touches the file, not only by an attacker.

Find files modified within the last day:

find / -mtime -1 -ls | more

Find files modified more than 50 days ago:

find ./ -mtime +50 -ls

Search by owner and group:

-user      by owner
-group     by group
-nouser    files with no valid owner
-nogroup   files with no valid group

View files owned by root:

find ./ -user root -type f

-type f searches for regular files and -type d for directories.

Note: files or directories without a valid owner or group (for example, left behind by a deleted account) may also be a security risk; review them and delete them if they are not needed.

Sort processes by CPU usage, highest first:

ps -ef --sort=-pcpu

Sort by memory usage, highest first:

ps -ef --sort=-pmem

Additional points:

1. Check sensitive directories such as /tmp for files. Also look for hidden directories: a directory whose name starts with "." (such as "..") does not show up in a plain ls, so use ls -la.

2. How to find a webshell and a remote-control trojan created in the same time window? Use find, for example find /opt -iname "*" -atime 1 -type f to list the files under /opt that were accessed one day ago (between 24 and 48 hours back).

3. For a suspicious file, use stat to see its change and modification times.

Checking system logs:

Default log directory: /var/log/. Logs that must be checked: secure and the shell history. View the log configuration:

more /etc/rsyslog.conf

/var/log/wtmp                 records logins, logouts, shutdowns and reboots (read with last)
/var/log/lastlog              records each account's last login; view it with the lastlog command
/var/log/secure               records authentication events for services such as SSH, POP3, Telnet and FTP
/var/log/cron                 scheduled-task (cron) events
/var/log/messages             general system messages and errors after boot
/var/log/apache2/access.log   Apache access log

Log analysis techniques:

1. Find how many source IP addresses are brute-forcing the root account:

grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Find which IP addresses are brute-forcing any account:

grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr

(uniq -c only merges adjacent identical lines, so the input must be sorted first or the counts are wrong.)

Which user names were in the brute-force dictionary?

grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n"; }' | sort | uniq -c | sort -nr

2. Which IP addresses logged in successfully?

grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Date, user name and IP address of each successful login:

grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
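The brute-force checks above, run over a constructed extract of /var/log/secure, as an added example that is not part of the original page. Unlike the awk '{print $11}' one-liners it also handles "Failed password for invalid user X from ..." lines, where the extra words shift the field positions, and it correlates failed sources with later successful logins. The log lines are made up for the demo and the addresses are documentation ranges.

```sh
#!/bin/sh
# Added example: SSH brute-force triage over sample /var/log/secure lines.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jul 10 00:01:01 localhost sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jul 10 00:01:02 localhost sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jul 10 00:01:03 localhost sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jul 10 00:01:04 localhost sshd[1004]: Failed password for invalid user oracle from 198.51.100.9 port 50001 ssh2
Jul 10 00:01:05 localhost sshd[1005]: Failed password for root from 198.51.100.9 port 50002 ssh2
Jul 10 00:02:10 localhost sshd[1006]: Accepted password for root from 203.0.113.5 port 40010 ssh2
Jul 10 08:15:00 localhost sshd[1007]: Accepted publickey for good from 192.0.2.20 port 51234 ssh2
EOF

# Source address of every line matching pattern $1 in log $2, one per line.
# Anchoring on " from ... port " works for both the valid- and invalid-user forms.
src_ips() { grep "$1" "$2" | sed -E 's/.* from ([0-9.]+) port .*/\1/'; }

# Failed logins per source IP, most active first.
failed_by_ip() { src_ips 'Failed password' "$1" | sort | uniq -c | sort -rn; }

# User names tried, whether or not the account exists on the box.
failed_users() {
    grep 'Failed password' "$1" |
    sed -E 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/' |
    sort | uniq -c | sort -rn
}

# Date, user and IP of each successful login (same fields as the awk above).
accepted_logins() { grep 'Accepted ' "$1" | awk '{print $1,$2,$3,$9,$11}'; }

# IPs that failed and then succeeded: the strongest sign that a brute force worked.
brute_then_success() {
    { src_ips 'Failed password' "$1" | sort -u; src_ips 'Accepted ' "$1" | sort -u; } |
    sort | uniq -d
}

echo "== failures by IP ==";                  failed_by_ip "$LOG"
echo "== user names tried ==";                failed_users "$LOG"
echo "== successful logins ==";               accepted_logins "$LOG"
echo "== brute force followed by success =="; brute_then_success "$LOG"
```

Point the functions at /var/log/secure (or /var/log/auth.log on Debian-based systems) to run them on a live host; any IP printed by brute_then_success deserves a look at what that session did next, via last, the history files and the process checks earlier on this page.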

3. Log lines written when user kali is added:

Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali

grep "useradd" /var/log/secure

4. Log lines written when user kali is deleted:

Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'

grep "userdel" /var/log/secure

5. su switch user:

Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

Commands executed through sudo (sudo -l lists what the current user is allowed to run; every sudo execution is logged to /var/log/secure with the TTY, working directory, target user and command):

sudo -l

Jul 10 00:43:09 localhost sudo:    good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now