chkrootkit | grep infected
! user 24306 pts/0 grep infected
Find the process on the reported TTY: ps aux | grep pts/0
rkhunter
rkhunter --check runs the detection. If a red warning message appears, check carefully whether the host has already been compromised.
View the generated log: cat /var/log/rkhunter.log | grep Warning
Automatically send reports
Run the detection and send a notification mail once a day at 5 o'clock (the cron minute field is 0 so the job runs once at 05:00, not every minute of that hour; "root" as mail recipient is assumed, since mail -s needs an address):
crontab -e
0 5 * * * /usr/local/rkhunter/bin/rkhunter --cronjob -l --nomow --rwo | mail -s "[rkhunter] report `hostname` `date`" root
Upgrade rkhunter: # rkhunter --update
# ss -l   list all listening sockets (open ports)
# ss -pl  show the process that owns each listening socket
Find the PIDs of the cron and syslog services:
ps aux | egrep '(cron|syslog)'
Detection with lsof
lsof -i :22
lsof filename     shows all processes that have the specified file open
lsof -a           AND the given conditions: a result is shown only when all of them match
lsof -c string    shows all open files of processes whose command name contains the given string
lsof -u username  shows the files opened by that user's processes
lsof -g gid       shows processes belonging to the given GID
lsof +d /dir/     shows files opened by processes in that directory
lsof +D /dir/     same, but recurses into all subdirectories, which takes considerably longer
lsof -d fd        shows processes holding the given file descriptor number
lsof -n           do not resolve IP addresses to hostnames; without -n, lsof resolves them by default
lsof -i           shows processes matching a network condition (e.g. lsof -i tcp:22)
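As an added example (not code from the original post), the following function turns the "ss -pl" / "lsof -i" checks above into a repeatable test: it parses the output of "ss -ltnp" and prints every listening TCP socket whose port is not on an allow list, together with the owning process name and PID. The sample ss output is constructed here, not captured from a real host, and the "nc on 31337" line in it is only there to give the filter something to report.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses "ss -ltnp" output
# (State Recv-Q Send-Q Local:Port Peer:Port Process) and reports listeners
# that are not on a known-good port list.

# unexpected_listeners SS_OUTPUT ALLOWED_PORTS
#   SS_OUTPUT     : text of "ss -ltnp" (listening TCP sockets with process info)
#   ALLOWED_PORTS : space-separated list of ports expected on this host
# Prints "port process pid" for each listener whose port is not allowed.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        $1 == "State" { next }                       # skip the header line
        {
            n = split($4, a, ":"); port = a[n]         # works for 0.0.0.0:22 and [::]:22
            name = "?"; pid = "?"
            if (match($6, /\("[^"]+"/)) name = substr($6, RSTART + 2, RLENGTH - 3)
            if (match($6, /pid=[0-9]+/)) pid = substr($6, RSTART + 4, RLENGTH - 4)
            if (index(allow, " " port " ") == 0) print port, name, pid
        }' | sort -u                                  # v4 and v6 sockets of one service collapse to one line
}

# Constructed sample of "ss -ltnp" output (not a real capture).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=1201,fd=13))
LISTEN  0       128     0.0.0.0:31337        0.0.0.0:*          users:(("nc",pid=4242,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))'

# Usage on a live host would be:  unexpected_listeners "$(ss -ltnp)" "22 25"
unexpected_listeners "$SAMPLE_SS" "22 25"
```

On the constructed sample with ports 22 and 25 allowed, the only line printed is "31337 nc 4242"; run it from cron with the real ss output and the expected port list for the host, and any output is worth a look.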
Network behaviour analysis with packet capture
Use a packet capture to see the traffic an attack program on this host is sending to its target:
tcpdump -i eth1 dst xxx.xxx.xxx.xxx
kill terminates processes
There are more than 10 ways to control a process; here are some common ones:
kill -STOP [PID]
Sends SIGSTOP (17,19,23) to stop a process without destroying it.
kill -CONT [PID]
Sends SIGCONT (19,18,25) to resume a stopped process.
kill -KILL [PID]
Sends SIGKILL (9), which forces the process to stop immediately without performing any cleanup.
kill -9 -1
Kills every process you own.
SIGKILL and SIGSTOP cannot be caught, blocked, or ignored, unlike the other signals, so they are your ultimate weapon.
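As an added example (not code from the original post), the function below walks a single throwaway process through the three signals described above and reads its state from /proc after each one, so the effect of STOP, CONT and KILL can be seen rather than taken on faith. It assumes a Linux /proc filesystem; the background process is a plain "sleep".

```shell
#!/bin/sh
# Added example, not part of the original post. Requires Linux (/proc/PID/stat).

# proc_state PID -> one-letter state from /proc/PID/stat
#   S sleeping, T stopped, R running, Z zombie; prints "gone" if no such entry
proc_state() {
    [ -r "/proc/$1/stat" ] || { echo gone; return; }
    # field 3 is the state; the command name in field 2 sits in parentheses
    # and may contain spaces, so cut after the closing parenthesis instead
    sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1
}

# signal_walk -> prints the states observed: at start, after SIGSTOP,
# after SIGCONT, after SIGKILL (expected "S T S gone")
signal_walk() {
    sleep 60 &
    pid=$!
    sleep 1                      # let the child settle into its sleep
    s0=$(proc_state "$pid")
    kill -STOP "$pid"; sleep 1   # stopped, but still present in /proc
    s1=$(proc_state "$pid")
    kill -CONT "$pid"; sleep 1   # resumed, back to sleeping
    s2=$(proc_state "$pid")
    kill -KILL "$pid"            # cannot be caught or ignored
    wait "$pid" 2>/dev/null || true   # reap it so it does not linger as a zombie
    s3=$(proc_state "$pid")
    echo "$s0 $s1 $s2 $s3"
}

signal_walk
```

The "wait" after SIGKILL matters: a killed child whose parent never reaps it shows up as Z (zombie) rather than disappearing, which is a common source of confusion when checking whether a kill "worked".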
Write a shell script to automate chkrootkit monitoring: if a rootkit is found, mail the root user and record the results in /var/log/messages.
[~]# vi mychkrootkit ← create the chkrootkit auto-run script
#!/bin/bash
PATH=/usr/bin:/bin
TMPLOG=$(mktemp)
# run chkrootkit and capture its report
/usr/local/chkrootkit/chkrootkit > "$TMPLOG"
# copy the report to syslog (ends up in /var/log/messages)
cat "$TMPLOG" | logger -t chkrootkit
# the "bindshell" hit on port 465 (SMTPS) is a known false positive:
# drop it unless a process actually named bindshell owns the port
if [ ! -z "$(grep 465 "$TMPLOG")" ] && [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$TMPLOG"
fi
# if a rootkit has been found, mail root (chkrootkit prints positives as INFECTED,
# while clean checks read "not infected", so the match is case-sensitive on purpose)
[ ! -z "$(grep INFECTED "$TMPLOG")" ] && grep INFECTED "$TMPLOG" | mail -s "chkrootkit report in `hostname`" root
rm -f "$TMPLOG"
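As an added example (not code from the original post), the report-filtering step of the script above is rewritten here as a function that takes the chkrootkit output and the "lsof -i:465" output as arguments instead of running the tools, so the port-465 false-positive handling can be exercised offline. The chkrootkit report and the two lsof listings are constructed sample data, not real scan results.

```shell
#!/bin/sh
# Added example, not part of the original post: the decision logic of the
# chkrootkit cron script, made testable with constructed input.

# chkrootkit_findings REPORT LSOF465
#   REPORT  : full chkrootkit output (a string)
#   LSOF465 : output of "lsof -i:465" on the same host (a string; empty when
#             nothing listens on 465)
# Prints the INFECTED lines that still need a human after dropping the
# well-known port-465 bindshell false positive, i.e. when no process that is
# actually named "bindshell" owns that port.
chkrootkit_findings() {
    report=$1
    lsof465=$2
    if printf '%s\n' "$report" | grep -q 465 &&
       ! printf '%s\n' "$lsof465" | grep -q bindshell; then
        report=$(printf '%s\n' "$report" | sed '/465/d')
    fi
    # grep exits 1 when nothing matches; callers test for empty output instead
    printf '%s\n' "$report" | grep INFECTED || true
}

# count_findings REPORT LSOF465 -> number of lines that need attention
count_findings() {
    chkrootkit_findings "$1" "$2" | grep -c . || true
}

# Constructed sample data (not real scan results).
# A report in which only the port-465 check fired:
SAMPLE_REPORT='Checking `bindshell`... INFECTED (PORTS:  465)
Checking `lkm`... not infected
Checking `sniffer`... not infected'
# Case 1: port 465 is held by the MTA (postfix master), so the hit is a false positive.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master   1201 root   13u  IPv4  21870      0t0  TCP *:urd (LISTEN)'
# Case 2: the port really is held by something calling itself bindshell.
SAMPLE_LSOF_BAD='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bindshell 4242 root    3u  IPv4  31337      0t0  TCP *:urd (LISTEN)'

echo "case 1: $(count_findings "$SAMPLE_REPORT" "$SAMPLE_LSOF") finding(s)"
echo "case 2: $(count_findings "$SAMPLE_REPORT" "$SAMPLE_LSOF_BAD") finding(s)"
```

Case 1 yields no findings and would send no mail; case 2 keeps the INFECTED line. Note what the filter does not do: it drops the 465 line purely on the absence of a process named "bindshell", so a listener on 465 with any other name is silently accepted, which is why the lsof output itself should still be logged.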
Some small tools:
iptraf – real-time LAN IP traffic monitoring
htop – Linux process monitoring
vnstat / vnstat-php – network traffic monitoring
suricata – network security monitoring
iotop – a simple I/O monitor in the style of top
vnstat
# initialise: bind the NIC to be monitored, e.g. eth0
vnstat -u -i eth0
vnstat
RELATED LINKS
18 command-line tools for monitoring Linux performance: http://os.51cto.com/art/201402/429890.htm
10 examples of using the lsof command on Linux: http://www.tecmint.com/10-lsof-command-examples-in-linux/
http://m.2cto.com/os/201606/517821.html
Common methods for Linux security detection