Experience in security architecture of UNIX system with advanced hacker

First you can track the source path of intruders through the following system commands and configuration files:

1.who------(see who logged in to the system.) )

2.W--------(see who logged into the system and what it is doing.) )

3.last-----(Display system once logged in user and TTYs. ）

4.lastcomm-(Displays the commands that the system used to run.) )

5.netstat--(You can view the current network status, such as the IP address of the user who telnet to your machine, and some other network states.) ）

6. View the router information.

7./var/log/messages View the login status of the external user.

8. Use finger to view all landing users.

9. View the login history file (. history.rchist,etc) under/home/username under the user's directory.

Post Note: 0?who?0?,? 0?w?0?,? 0?last?0, and 0?lastcomm?0? These commands rely on/VAR/LOG/PACCT,/VAR/LOG/WTMP,/ETC/UTMP to report the information to you. Many savvy system administrators will block these log messages for intruders (/VAR/LOG/*,/VAR/LOG/WTMP,ETC) (it is recommended that you install Tcp_wrapper to illegally log on to all connections to your machine).

The system administrator then shuts down all possible backdoor, and must prevent intruders from externally accessing the internal network. If the intruder discovers that the system administrator has found that he has entered the system, he may try to conceal his traces through RM-RF/*.

Third, we need to protect the following system commands and system configuration files to prevent intruders from replacing the right to modify the system.

1./bin/login

2./usr/etc/in.* (for example: IN.TELNETD)

A service awakened by the 3.INETD Super Daemon (listening port, waiting for request, deriving the corresponding server process).

(The following server processes are typically started by inetd: Fingerd (), ftpd (), Rlogind (KLOGIN,EKLOGIN,ETC), rshd,talkd,telnetd (23), Tftpd.inetd can also start other internal services,/etc/inetd.conf services defined in.

4. Netstat,ps,ifconfig,su is not allowed for very root users.

The system administrator should periodically observe the system changes (e.g. file, system time, etc.).

1. #ls-lac to see the actual modification time of the file.

2. #cmp file1 file2 to compare changes in file size.

We must prevent illegal users from using the SUID (Set-user-id) program to get root privileges.

1. First we need to discover all the SUID programs in the system.

#find / -type f -perm -4000 -ls

2. Then we have to analyze the entire system to ensure that the system does not have a back door.

The system administrator will periodically check the user's. rhosts,.forward file.

1. The #find/-name. Rhosts-ls-o-name. Forward-ls to check that the. rhosts file contains the 0?++?0, and that a user can modify the file remotely without requiring any password.

2. The #find/-ctime-2-ctime +1-ls to view some of the documents modified within less than two days to determine whether any illegal users broke into the system.

To make sure that you have the latest SendMail daemons in your system, the old SendMail daemon allows other Unix machines to run some illegal commands remotely.

VIII, the system administrator should be from your machine, operating system manufacturers to obtain a safe shop ding program, if it is free software (such as Linux platform, we recommend that you can go to linux.box.sk to obtain the best security procedures and security information. )

Ninth, there are some checks to see if the machine is vulnerable to attack.

1. #rpcinfo-P to check if your machine is running some unnecessary processes.

2. #vi/etc/hosts.equiv file to check your untrusted host and remove it.

3. If there is no shielding/etc/inetd.conf in the TFTPD, please add in your/etc/inetd.conf:

tftp dgram udp wait nobody /usr/etc/in.tftpdin.tftpd -s /tftpboot

4. It is recommended that you back up the/etc/rc.conf file and write a shell script to compare regularly.

cmp rc.conf backup.rc.conf

5. Check your inetd.conf and/etc/services files to ensure that no illegal users add some services inside.

6./var/log/* The log files below your system to a secure location to prevent intruders from #rm/var/log/*.

7. Be sure to ensure that the anonymous FTP server configuration is correct, my machine is proftpd, in proftpd.conf must be configured correctly.

8. Back up the good/etc/passwd and change the root password. Be sure that this file cannot be accessed by intruders to prevent it from guessing.

9. If you are not yet able to prevent intruders from trespassing, you can install the Ident daemon and the TCPD daemon to discover the accounts used by intruders!

10. Make sure your console terminal is secure to prevent illegal users from logging on to your network remotely.

11. Check the HOSTS.EQUIV,.RHOSTS,HOSTS,LPD with a note ID #, if an intruder replaces # with its hostname, it means he can access your machine without any password.