Linux is the most widely used server operating system because of its performance, scalability and security, and it has been adopted by more and more operators. But there are also a great many security incidents involving Linux servers. The main attack methods are weak-password (brute-force) attacks, remote overflow attacks and other attacks on application vulnerabilities. A few days ago my VPS was compromised through a weak password and then maliciously used to scan other hosts for SSH. What follows is my response to that attack, combined with the general approach to Linux security event analysis, summarized as a Linux security emergency-response process.
I. Analysis principles

1. Back up the important data first, then analyze it; try not to do the analysis on the original system.
2. A system that has been compromised is no longer trustworthy. If conditions permit, do the analysis on a separate third-party system.

II. Analysis objectives

1. Find the source IP of the attack.
2. Find the intrusion path.
3. Analyze the scope of the impact.
4. Quantify the level of the impact.

III. Data backup and collection

1. Trace data

In the analysis process, trace data is always the most important data for analyzing a security event, so the first thing to do is naturally to back up the relevant trace data. Trace data mainly includes:

1. System logs: messages, secure, cron, maillog and the other system logs;
2. Application logs: Apache logs, nginx logs, FTP logs, MySQL logs and so on;
3. Custom logs: many programs write their own logs; these are very important data that can help us analyze the intrusion path and other information;
4. bash_history: the command history that bash records while it runs, which lets us see which commands were executed;
5. Any other log records related to the security event.

These logs must be backed up before they are analyzed. We can compress them with tar and then analyze the copy; for very large logs, use a mass log analysis tool such as Splunk where possible. The following commands back up everything under /var/log; other logs can be backed up in the same way:

    # back up the system logs and the default httpd service logs (/var/log/httpd)
    tar -czvf logs.tar.gz /var/log
    # back up the login history
    last > last.log
    # users logged in right now
    w > w.log

Note that last and w read /var/log/wtmp and /var/run/utmp, which an intruder can truncate or edit, so the absence of a login record is not proof that no login happened.

2. System state

System state is mainly a backup of the network, service, port and process state:

    # system services
    chkconfig --list > services.log
    # processes
    ps -ef > ps.log
    # listening ports
    netstat -utnpl > port-listen.log
    # all sockets on the system
    netstat -ano > port-all.log
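The following shell script is an added example that ties steps 1 and 2 above together; it is not code from the original post. It archives the log tree, copies every account's bash_history, runs each state command listed above (skipping any that is not installed), and writes a SHA-256 manifest so that the copies can be checked for integrity after they are moved to a separate analysis machine, as principle I.1 asks. The evidence directory, the `snapshot` helper and the `verify_evidence` function are names chosen here; the script assumes it runs as root with GNU tar and coreutils, and that the evidence directory is on removable or remote storage rather than the compromised disk.

```shell
#!/bin/sh
# Added example, not code from the original post: collect the trace data and
# system-state snapshot from steps 1 and 2 into one evidence directory and
# record SHA-256 hashes so the copies can be verified after they are moved to
# a separate analysis machine (principle I.1: analyze elsewhere).
# Assumptions: run as root; GNU tar and coreutils; the evidence directory
# ($1) is on removable or remote storage, not the compromised disk.
set -u

# Run a state command if it is installed and save its output as $name.log.
snapshot() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.log" 2>&1 || true
    else
        echo "skipped: $1 not installed" > "$outdir/$name.log"
    fi
}

collect_evidence() {
    outdir=$1               # evidence directory (name chosen for this example)
    logdir=${2:-/var/log}   # log tree to archive
    mkdir -p "$outdir"

    # 1. Trace data: system, application and custom logs under $logdir.
    tar -czf "$outdir/logs.tar.gz" -C / "${logdir#/}" \
        || echo "warning: tar exited $? (archive may be partial)" >&2

    # bash_history of every account, not only root.
    for home in /root /home/*; do
        if [ -f "$home/.bash_history" ]; then
            cp "$home/.bash_history" "$outdir/bash_history.$(basename "$home")" 2>/dev/null \
                || echo "warning: could not copy $home/.bash_history" >&2
        fi
    done

    # 2. System state: logins, current users, services, processes, sockets.
    snapshot last        last
    snapshot w           w
    snapshot services    chkconfig --list
    snapshot ps          ps -ef
    snapshot port-listen netstat -utnpl
    snapshot port-all    netstat -ano
    snapshot passwd      cat /etc/passwd

    # Integrity manifest over everything collected so far.
    (cd "$outdir" && sha256sum ./* | grep -v manifest.sha256 > manifest.sha256)
}

# Check an evidence directory against its manifest; exit status 0 if intact.
verify_evidence() {
    (cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1)
}

# Usage: collect.sh /mnt/usb/evidence [/var/log]
if [ $# -ge 1 ]; then
    collect_evidence "$@"
fi
```

Run it as `sh collect.sh /mnt/usb/evidence` on the compromised host, then `verify_evidence /mnt/usb/evidence` on the analysis machine before trusting the copies. Commands that are absent (for example chkconfig on a systemd host) leave a `skipped` marker rather than a silently missing file, so the gap is visible in the record.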
3. System and file anomalies

This mainly means checking file modification times, owner and group information, newly added users and similar issues; other checks follow the same pattern:

    # list user accounts
    cat /etc/passwd
    # files modified in the last 5 days
    find / -type f -mtime -5

Since an intruder can reset a file's modification time with touch, also run the search with -ctime -5: the inode change time cannot be set that way, so it is harder to forge.

4. Rootkit scan

Finally, sweep the system for rootkits with Rootkit Hunter (rkhunter) and chkrootkit.

IV. Analysis methods

Bold guessing is the most important thing: guess how the intrusion happened first, then analyze to confirm it; this usually gets twice the result for half the effort. In general, analyzing the logs turns up a great deal. For example, in the secure log look for the keyword "Accepted" to find successful logins, last shows the login records, bash_history shows which commands were executed, and so on. Different logs are read in different ways. It is best to step through this together with the system administrator, because the administrator understands the server best. This is not repeated at length here.

V. Impact analysis

Quantify the impact according to the purpose of the server, the contents and confidentiality of its files, the risk of data leakage or loss, and the effect on the system's users; record the security incident and summarize the analysis so that it can be drawn on later. If intranet penetration has taken place, the security risks of the intranet machines must also be investigated promptly and dealt with.

VI. Hardening

A machine that has been compromised can be tagged as dangerous; the most direct and effective remedy is to reinstall the system or restore it from backup. Regular backups are therefore essential, especially of source code and database data. Based on the analysis of the intrusion path, further hardening can then be carried out, for example against weak passwords and application vulnerabilities.
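As an added example of the log reading described in section IV (it is not part of the original article), the following shell functions run over a constructed sample of /var/log/secure in the RHEL/CentOS sshd format: they count failed SSH password attempts per source address, pick out the most active attacker, print the time window of its activity, and flag any "Accepted" login from an address that failed repeatedly in the same log, which is exactly the signature of a guessed weak password. The function names, the failure threshold and the sample log lines are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: the "look for Accepted
# in the secure log" step of section IV, written as reusable shell functions
# over the RHEL/CentOS sshd log format. Function names, the failure
# threshold and the sample lines are choices made for this example.
set -u

# Constructed sample of /var/log/secure for an SSH weak-password attack
# (not real data): one address fails repeatedly and then succeeds.
write_sample_secure() {
    cat > "$1" <<'EOF'
Mar 12 03:14:07 vps sshd[2291]: Failed password for root from 203.0.113.5 port 51142 ssh2
Mar 12 03:14:09 vps sshd[2291]: Failed password for root from 203.0.113.5 port 51142 ssh2
Mar 12 03:14:12 vps sshd[2293]: Failed password for invalid user admin from 203.0.113.5 port 51160 ssh2
Mar 12 03:14:15 vps sshd[2295]: Failed password for root from 203.0.113.5 port 51171 ssh2
Mar 12 03:14:18 vps sshd[2297]: Accepted password for root from 203.0.113.5 port 51180 ssh2
Mar 12 03:14:18 vps sshd[2297]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 12 03:15:01 vps sshd[2299]: Failed password for invalid user test from 198.51.100.9 port 40022 ssh2
Mar 12 09:30:44 vps sshd[2410]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
EOF
}

# "count ip" for failed SSH password attempts, most frequent first.
# The source address is the token after "from", which works for both
# "for root from" and "for invalid user X from".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn
}

# Address with the most failures: the first candidate for the attack source.
top_attacker() {
    failed_by_ip "$1" | awk 'NR == 1 { print $2 }'
}

# First and last timestamps at which an address touched sshd, to bound the
# intrusion window. index() is used instead of a regex so the dots in the
# address match literally.
attack_window() {
    awk -v ip="$2" 'index($0, "from " ip " port") {
                        ts = $1 " " $2 " " $3
                        if (first == "") first = ts
                        last = ts
                    }
                    END { print first " to " last }' "$1"
}

# Successful logins ("Accepted") from an address that failed at least $2
# times (default 3) in the same log: the signature of a guessed password.
# Output: "Mon DD HH:MM:SS user ip", one per line, in log order.
suspicious_accepts() {
    awk -v min="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            acc[++n] = $1 " " $2 " " $3 " " user " " ip
            acc_ip[n] = ip
        }
        END {
            for (j = 1; j <= n; j++)
                if (fails[acc_ip[j]] >= min) print acc[j]
        }' "$1"
}

# Usage: sh ssh_triage.sh /var/log/secure
if [ $# -ge 1 ]; then
    ip=$(top_attacker "$1")
    echo "top attacker: $ip, active $(attack_window "$1" "$ip")"
    echo "suspicious accepts:"
    suspicious_accepts "$1"
fi
```

On the sample, `203.0.113.5` fails four times and then logs in as root at 03:14:18, so it is reported, while the key-based `deploy` login from an address with no failures is not. The threshold is deliberately low: a single "Accepted" after a handful of failures is already worth a look, and the `pam_unix` session line that follows it gives the matching session open in the same log. Run the same functions over the `last.log` timestamps to cross-check, remembering that wtmp can have been edited.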