Linux Learning: Network (firewall) and system security-related command learning

Source: Internet
Author: User
Tags: chmod, egrep

Network:

top                  # view memory, CPU usage and the state of running processes
htop                 # a richer display built on top (install with: sudo apt-get install htop)
free                 # view current memory usage
pstree               # view the current process tree
lsof file            # see which process has the file "file" open
sudo lsof -i :22     # see which program is currently using port 22
sudo lsof -c vim     # see which files vim currently has open

ifconfig ens33 | egrep -o "inet addr:[^ ]*" | grep -o "[0-9.]*"    # extract the IP address of the local ens33 interface
ifconfig ens33 hw ether 00:cc:bf:5a:aa:dd     # set the MAC address (hardware address spoofing at the software level)
ifconfig ens33 192.168.0.12 netmask 255.255.252.0    # set the IP address and subnet mask of ens33
ifconfig ens33 192.168.0.12                   # set the IP address of interface ens33
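The one-liner above only matches the old net-tools output ("inet addr:"); newer ifconfig prints "inet 192.168.0.12" instead. The following is an added example, not from the original page, that handles both formats. The two ifconfig outputs are constructed samples.

```shell
#!/bin/sh
# Constructed ifconfig output in the old net-tools format ("inet addr:") ...
OLD_IFCONFIG='ens33     Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:192.168.0.12  Bcast:192.168.3.255  Mask:255.255.252.0
          inet6 addr: fe80::20c:29ff:feaa:bbcc/64 Scope:Link'
# ... and in the newer format ("inet <address>"), same constructed interface.
NEW_IFCONFIG='ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.12  netmask 255.255.252.0  broadcast 192.168.3.255
        inet6 fe80::20c:29ff:feaa:bbcc  prefixlen 64  scopeid 0x20<link>'

# Print the IPv4 address from "ifconfig <iface>" output, whichever format it uses.
# Only the "inet" line is considered (not "inet6"); a leading "addr:" is stripped.
iface_ipv4() {  # stdin = ifconfig output for one interface
  awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# Usage: ifconfig ens33 | iface_ipv4
printf '%s\n' "$OLD_IFCONFIG" | iface_ipv4
printf '%s\n' "$NEW_IFCONFIG" | iface_ipv4
```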


cat /etc/resolv.conf                          # view the DNS servers
echo nameserver 8.8.8.8 >> /etc/resolv.conf   # append DNS server 8.8.8.8 to the /etc/resolv.conf DNS configuration file
host google.com                               # list all IP addresses of a domain
nslookup google.com                           # query DNS details and name resolution
route, netstat -rn or sudo route -n           # view the routing table
ping address          # check whether a host is reachable; address can be an IP, a domain name or a host name
ping address -c 5     # the -c 5 option limits the number of echo requests sent to 5; ping stops automatically after sending 5

arping IP                       # look up the MAC address for an IP
nmblookup -A IP                 # look up a computer's (NetBIOS) name from its IP
arp -a | awk '{print $4}'       # view the physical (MAC) addresses known to the current interface
sudo ifconfig eth0:0 1.2.3.4 netmask 255.255.255.0     # add a second IP address to the same interface
echo 'blacklist ipv6' | sudo tee /etc/modprobe.d/blacklist-ipv6     # disable IPv6
sudo netstat -atnp              # view current network connections and the programs owning them
whois test.com                  # view a domain's registration information
tracepath test.com              # view the route to a domain

netstat -ntlp | grep 9052       # see which processes are listening on port 9052
netstat -na | grep :80 | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -r -n     # count connections to port 80 per client IP, sorted
netstat -n | awk '/^tcp/{++S[$NF]} END {for (a in S) print a, S[a]}'     # view network connections by state
netstat -na | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -r -n     # count current connections per IP

netstat -anp | grep "php-fpm" | grep "tcp" | grep "pool" | wc -l     # count how many php-fpm (php-cgi) processes are currently handling TCP requests
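The netstat one-liners above rely on field positions: field 4 is the local socket, field 5 the remote socket and the last field the state. The following added example (not from the original page) wraps the same logic in two functions run over a constructed netstat -na excerpt, so the field handling can be checked offline; it also skips the LISTEN entries whose foreign address is "*".

```shell
#!/bin/sh
# Constructed sample of `netstat -na` output (not a real capture): a header,
# one listener, several connections to local port 80 and one unrelated SSH connection.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.2:40000      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:55555         ESTABLISHED'

# Count connections to a given local port per remote IP, busiest first.
# Field 4 is the local socket, field 5 the remote socket (IPv4 host:port);
# listening sockets (foreign address "*") are skipped.
conns_by_remote_ip() {  # $1 = local port, stdin = netstat -na output
  awk -v port="$1" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") && $5 !~ /\*$/ {
      split($5, a, ":"); count[a[1]]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Count TCP sockets by state (the last field), same idea as the page one-liner.
conns_by_state() {  # stdin = netstat -na output
  awk '/^tcp/ { ++s[$NF] } END { for (a in s) print a, s[a] }' | sort
}

# Usage on a live system: netstat -na | conns_by_remote_ip 80
printf '%s\n' "$SAMPLE_NETSTAT" | conns_by_remote_ip 80
printf '%s\n' "$SAMPLE_NETSTAT" | conns_by_state
```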

sudo tcpdump -c 10000 -i eth0 -n dst port 80     # capture 10000 packets to port 80 on eth0 for traffic analysis
nc -zv localhost 1-65535                          # find all ports the local system is listening on
w3m -dump_head http://www.xxx.com                 # view the HTTP response headers
w3m -no-cookie -dump www.123cha.com | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'     # view the current public (external) IP address
sudo apt-get install rkhunter; rkhunter --checkall     # check the local system for security risks (rootkits)


----------------------------------------------------------------------
Intrusion reporting tool that takes an auth.log file as input
filename: check.sh

#!/bin/bash
# Report users whose failed SSH logins from one IP span more than 120 seconds.
AUTHLOG=/var/log/auth.log
if [[ -n $1 ]];
then
  AUTHLOG=$1
  echo Using Log file: $AUTHLOG
fi
LOG=/tmp/valid.$$.log
# Drop lines about non-existent ("invalid") users; only real accounts are reported
grep -v "invalid" $AUTHLOG > $LOG
# "Failed password for USER from IP port N ssh2": the user name is 5 fields before the end
users=$(grep "Failed password" $LOG | awk '{print $(NF-5)}' | sort | uniq)
printf "%-5s|%-10s|%-10s|%-13s|%-33s|%s\n" "Sr#" "User" "Attempts" "IP address" "Host_Mapping" "Time range"
ucount=0;
ip_list="$(egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" $LOG | sort | uniq)"
for ip in $ip_list;
do
  grep $ip $LOG > /tmp/temp.$$.log
  for user in $users;
  do
    grep $user /tmp/temp.$$.log > /tmp/$$.log
    [ -s /tmp/$$.log ] || continue        # nothing for this user/IP pair
    # The first 16 characters of each line are the syslog timestamp
    cut -c-16 /tmp/$$.log > /tmp/$$.time
    tstart=$(head -1 /tmp/$$.time);
    start=$(date -d "$tstart" "+%s");
    tend=$(tail -1 /tmp/$$.time);
    end=$(date -d "$tend" "+%s")
    limit=$(( $end - $start ))
    if [ $limit -gt 120 ];
    then
      let ucount++;
      IP=$(egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" /tmp/$$.log | head -1);
      TIME_RANGE="$tstart-$tend"
      ATTEMPTS=$(cat /tmp/$$.log | wc -l);
      HOST=$(host $IP | awk '{print $NF}')
      printf "%-5s|%-10s|%-10s|%-10s|%-33s|%-s\n" "$ucount" "$user" "$ATTEMPTS" "$IP" "$HOST" "$TIME_RANGE";
    fi
  done
done
rm /tmp/valid.$$.log /tmp/$$.log /tmp/$$.time /tmp/temp.$$.log 2>/dev/null
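check.sh depends on the sshd message layout ("Failed password for USER from IP port N ssh2") and on the 120-second span rule. The following is an added example, not part of the original page, that applies the same field positions to a constructed auth.log excerpt in a single awk pass and goes one step further than check.sh by also flagging a source on attempt count, not only on time span. It assumes all entries fall on the same day (the span is computed from the HH:MM:SS field only), and the log lines, host names and addresses are constructed.

```shell
#!/bin/sh
# Constructed auth.log excerpt (not a real capture): failed logins for existing
# accounts, one "invalid user" line (which check.sh also filters out) and one success.
SAMPLE_AUTHLOG='Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:02:20 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 10:03:00 host sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Mar  3 10:05:00 host sshd[1005]: Failed password for alice from 198.51.100.2 port 50000 ssh2
Mar  3 10:05:30 host sshd[1006]: Accepted password for alice from 198.51.100.2 port 50001 ssh2'

# Summarise failed logins for real accounts, one line per user/IP pair:
#   user ip attempts first_time last_time span_seconds
# Assumes all lines are from the same day (span uses the HH:MM:SS field, $3).
failed_login_summary() {  # stdin = auth.log lines
  grep 'Failed password' | grep -v 'invalid user' |
  awk '
    # "HH:MM:SS" -> seconds since midnight; p is a local array
    function secs(t, p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    {
      # user is 5 fields before the end, IP 3 fields before the end (as in check.sh)
      key = $(NF-5) "|" $(NF-3)
      n[key]++
      if (!(key in first)) first[key] = $3
      last[key] = $3
    }
    END {
      for (k in n) {
        split(k, kp, "|")
        print kp[1], kp[2], n[k], first[k], last[k], secs(last[k]) - secs(first[k])
      }
    }' | sort
}

# Print only the user/IP pairs whose failures span more than $1 seconds
# (check.sh uses 120) or reach at least $2 attempts.
flag_brute_force() {  # $1 = span threshold in seconds, $2 = attempt threshold, stdin = auth.log
  failed_login_summary | awk -v span="$1" -v tries="$2" '$6 > span || $3 >= tries'
}

# Usage on a live system: flag_brute_force 120 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTHLOG" | flag_brute_force 120 5
```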


-------------------------------------------------------------------------------

Firewall UFW

sudo apt-get install ufw        # install the ufw firewall
sudo ufw enable                 # enable the UFW firewall and start it automatically at boot

sudo ufw disable                # disable the ufw firewall

sudo ufw status                 # view the firewall status

sudo ufw default deny           # deny all incoming access to this host; access from this host to the outside still works normally
sudo ufw allow|deny [service]   # allow/deny a service
sudo ufw allow smtp             # allow all external IPs to access port 25/tcp (SMTP) on this host
sudo ufw allow 22/tcp           # allow all external IPs to access port 22/tcp (SSH) on this host
sudo ufw allow 53               # allow external access to port 53 (TCP/UDP)

sudo ufw delete allow 53        # remove the rule above, blocking port 53 again
sudo ufw allow from 192.168.1.12        # allow this IP to access all ports on this host

sudo ufw delete allow from 192.168.1.12 # delete the previous rule
sudo ufw deny smtp              # deny external access to the smtp service
sudo ufw delete allow smtp      # delete the allow rule created above

sudo ufw allow proto udp from 192.168.0.1 to 192.168.0.2 port 53     # allow UDP from 192.168.0.1 to port 53 on 192.168.0.2

User actions

1. Force a user to log out:

First: use w to view the currently logged-on users, and note the terminal of the login session shown in the TTY column (for example pts/1).

Second: use pkill -9 -t pts/1 to end the login session running on terminal pts/1.

2. View the operation history of all logged-in users

Whether run by root or by another user, the history command only shows the commands of the user who is logged in and running it; even root cannot obtain other users' history this way. If root wants to record other users' actions, this can be done by adding the following code to /etc/profile:

PS1="$(whoami)@$(hostname):"'[$PWD]'
history
# Source IP of the login session, taken from the "(ip)" column of who; empty for local logins
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]
then
USER_IP=$(hostname)
fi
if [ ! -d /tmp/dbasky ]
then
mkdir /tmp/dbasky
chmod 777 /tmp/dbasky
fi
# Per-user directory: mode 300 lets the owner create files but not list them
if [ ! -d /tmp/dbasky/${LOGNAME} ]
then
mkdir /tmp/dbasky/${LOGNAME}
chmod 300 /tmp/dbasky/${LOGNAME}
fi
export HISTSIZE=4096
DT=$(date "+%Y-%m-%d_%H:%M:%S")
# One history file per login session, named by source IP and login time
export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP} dbasky.$DT"
chmod 600 /tmp/dbasky/${LOGNAME}/*dbasky* 2>/dev/null

After adding it, run source /etc/profile to make the script take effect.

