Linux Security check

Source: Internet
Author: User

1 SSH Backdoor

Check command:

grep -E "user,pas|user:pas" /usr/bin/* /usr/local/sbin/* /usr/local/bin/* /bin/* /usr/sbin/* /root/bin/* -al

Check method: If any one of the three items marked with red boxes below is found, please record it; a backdoor can basically be considered present.

2 Nginx Backdoor

Check command: grep "pwnginx=" `which nginx` -al

Check method: If the search returns a match, a backdoor can basically be considered present; please record it.

If Nginx is not installed, press Ctrl+C to exit the query.

3 Log Search

Check command:

more /var/log/messages* | grep Drawing

more /var/log/messages* | grep glistering

more /var/log/secure* | grep -e 'Failed password' -e 'Accepted password'

Check method: If the first two check commands above return results, they look like the following:

The two commands above mainly detect changes to network card information; if a non-local IP address appears, please record it.

The following is for more /var/log/secure* | grep -e 'Failed password' -e 'Accepted password'

This lists successful and failed logins. Investigate the listed IPs in detail, and record the time and IP.
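An added example, not part of the original page: one way to turn the Failed/Accepted password search above into a per-IP summary with first and last timestamps, so the time and IP can be recorded directly. The function names, the default threshold of 3, the REVIEW marker and the sample log lines are assumptions constructed for illustration; the parser assumes the usual sshd line ending `from <ip> port <n> ssh2`.

```shell
#!/bin/sh
# summarize_logins [threshold]: reads sshd auth log lines on stdin and prints
# one line per source IP. An IP is marked REVIEW when a password login was
# accepted after at least <threshold> failures from the same address.
summarize_logins() {
    awk -v thr="${1:-3}" '
    /sshd\[[0-9]+\]: (Failed|Accepted) password for / {
        # The user name is supplied by the client, so read the address from
        # the fixed tail of the line instead of searching for "from".
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        ts = $1 " " $2 " " $3
        if (!(ip in first)) { first[ip] = ts; order[++n] = ip }
        last[ip] = ts
        if ($0 ~ /: Failed password for /) fail[ip]++
        else { ok[ip]++; if (fail[ip] >= thr) flag[ip] = 1 }
    }
    END {
        for (k = 1; k <= n; k++) {
            ip = order[k]
            printf "%s failed=%d accepted=%d first=\"%s\" last=\"%s\"%s\n",
                ip, fail[ip], ok[ip], first[ip], last[ip],
                (flag[ip] ? " REVIEW" : "")
        }
    }'
}

# Constructed sample lines in /var/log/secure format (documentation IP ranges).
sample_secure_log() {
    cat <<'EOF'
Mar  3 02:14:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51230 ssh2
Mar  3 02:14:04 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51230 ssh2
Mar  3 02:14:09 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 02:15:30 web01 sshd[2110]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar  3 09:02:11 web01 sshd[2320]: Accepted password for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 11:20:45 web01 sshd[2400]: Failed password for invalid user test from 192.0.2.44 port 33010 ssh2
Mar  3 11:20:49 web01 sshd[2400]: Failed password for invalid user test from 192.0.2.44 port 33010 ssh2
EOF
}

sample_secure_log | summarize_logins
```

On a live host the same function can be fed with `cat /var/log/secure* | summarize_logins`.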

4 Check for Abnormal Accounts

Check command:

more /etc/passwd

more /etc/sudoers

Check method: Look at the user ID and group ID fields; if either of them is 0, the account is an abnormal user (except root and accounts you created yourself). Also check whether the /etc/sudoers file contains other users, such as:

5 Login IP and Time

Check command:

who /var/log/wtmp

Check method: Check for abnormal login times and IPs. If there is an anomaly, please record the time and IP.

6 Abnormal Port Check

Check command:

netstat -an | more

Check method: Check for abnormal connections to the local IP and for unknown ports. If there is a problem, please record it.

7 Network Card Query

Check command:

ifconfig

Check method: If there are anomalies, such as network card interfaces that you did not configure yourself, please record them.

8 Full-Site Scan Using a Trojan Scanning Tool

For now, the Windows version of the tool is recommended; the Linux version produces too many false positives and its results are hard to review.

The directory can be copied out for scanning; files flagged at level 4-5 can be identified as malicious.

9 Use a query command on the server to search for keywords or phrases contained in the illegal pages and locate those pages. Also check their creation time, and focus on the files created during that time period.

10 Check Command History

Check command:

history

Check method: Look for abnormal operations; if there is an anomaly, please confirm and record it.
