① First, we must make the servers themselves absolutely secure. I usually set the root password to more than 28 characters, and only a few people may know the root password of the important servers; who they are is decided by the company's permission structure. If a system administrator leaves the company, the root password must be changed. Anyone who has used Linux for a long time knows that changing the root password does not affect crontab scheduled tasks, whereas on Windows 2003 changing the administrator password directly affects the running of scheduled tasks.
② My Nagios Internet-monitoring server, whose password was redhat during testing, had its password changed by someone else one day after being put on the public network, which was depressing; even after the environment was properly deployed, many Internet IP addresses kept scanning and probing it. It seems that doing without a tool is not an option. DenyHosts is a program written in Python 2.3. It analyzes /var/log/secure and other log files, and when it finds the same IP address making multiple SSH password attempts, it records that IP address in /etc/hosts.deny to block it automatically.
DenyHosts Official Website: http://denyhosts.sourceforge.net
I. Check installation conditions
1. First, determine whether the sshd installed in the system supports tcp_wrappers (supported by default)
# ldd /usr/sbin/sshd
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0046e000)
2. Determine the Python version installed by default.
# python -V
Python 2.3.4
II. Installation
1. Install DenyHosts
# cd /usr/local/src
# wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
# tar zxf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install
The program scripts are automatically installed in /usr/share/denyhosts.
Library files are automatically installed in /usr/lib/python2.3/site-packages/DenyHosts.
denyhosts.py is automatically installed in /usr/bin.
2. Set the Startup Script
# cd /usr/share/denyhosts/
# cp daemon-control-dist daemon-control
# chown root daemon-control
# chmod 700 daemon-control
# grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
# vi denyhosts.cfg
Modify as needed
---------------- denyhosts.cfg ----------------------
SECURE_LOG = /var/log/secure    # log file to analyze on RedHat/Fedora Core; on other Linux distributions choose it according to the hints in denyhosts.cfg-dist
PURGE_DENY = 30m                # how long until a deny entry is purged
DENY_THRESHOLD_INVALID = 1      # number of login failures allowed for invalid users (not listed in /etc/passwd)
DENY_THRESHOLD_VALID = 5        # number of login failures allowed for valid (normal) users
DENY_THRESHOLD_ROOT = 3         # number of login failures allowed for root
HOSTNAME_LOOKUP = NO            # reverse DNS resolution of host names
---------------- denyhosts.cfg ----------------------
If you need to enable the DenyHosts automatically when the system restarts, you also need to make the following settings:
# vi /etc/rc.local
Add the following command:
/usr/share/denyhosts/daemon-control start
3. Start
# /usr/share/denyhosts/daemon-control start
If You Want To Enable Automatic startup of DenyHosts after each restart, you also need to make the following settings:
# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# chkconfig --add denyhosts
# chkconfig --level 345 denyhosts on
Then you can start it:
# service denyhosts start
DenyHosts configuration file:
# vi /etc/denyhosts.cfg
SECURE_LOG = /var/log/secure          # ssh log file; blocking decisions are made from this file
HOSTS_DENY = /etc/hosts.deny          # file that controls user logins
PURGE_DENY = 5m                       # how long until a banned entry is purged
BLOCK_SERVICE = sshd                  # name of the service to be banned
DENY_THRESHOLD_INVALID = 1            # number of failures allowed for invalid users
DENY_THRESHOLD_VALID = 10             # number of failed login attempts allowed for ordinary users
DENY_THRESHOLD_ROOT = 5               # number of failures allowed for root login
HOSTNAME_LOOKUP = NO                  # whether to do reverse DNS resolution
DAEMON_LOG = /var/log/denyhosts       # DenyHosts' own log file
ADMIN_EMAIL = yuhongchun027@163.com   # administrator email address; reports are sent to it
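To make the threshold logic of the two configurations above concrete, here is an added example (not DenyHosts' own code) that applies the DENY_THRESHOLD_INVALID / DENY_THRESHOLD_VALID / DENY_THRESHOLD_ROOT values of the first configuration (1 / 5 / 3) to sshd "Failed password" lines of the kind written to /var/log/secure and emits the lines that would go into /etc/hosts.deny for BLOCK_SERVICE = sshd. It classifies a name as invalid from sshd's own "invalid user" marker instead of consulting /etc/passwd as DenyHosts does; the log lines, addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict

# Thresholds mirror the first denyhosts.cfg shown above (invalid / valid / root).
THRESHOLDS = {"invalid": 1, "valid": 5, "root": 3}

# sshd "Failed password" lines as written to /var/log/secure on RedHat-style systems.
# sshd prefixes "invalid user" to names that are not in /etc/passwd.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not captured from a real host).
SAMPLE_SECURE_LOG = """\
May 10 08:01:12 mail sshd[2101]: Failed password for invalid user oracle from 10.0.0.5 port 40122 ssh2
May 10 08:01:20 mail sshd[2103]: Failed password for root from 10.0.0.6 port 40130 ssh2
May 10 08:01:25 mail sshd[2105]: Failed password for root from 10.0.0.6 port 40131 ssh2
May 10 08:01:31 mail sshd[2107]: Failed password for root from 10.0.0.6 port 40132 ssh2
May 10 08:02:02 mail sshd[2110]: Failed password for alice from 10.0.0.7 port 40140 ssh2
May 10 08:02:09 mail sshd[2112]: Failed password for alice from 10.0.0.7 port 40141 ssh2
May 10 08:02:40 mail sshd[2115]: Accepted password for alice from 10.0.0.7 port 40142 ssh2
May 10 08:03:01 mail sshd[2120]: Failed password for bob from 10.0.0.8 port 40150 ssh2
May 10 08:03:05 mail sshd[2121]: Failed password for bob from 10.0.0.8 port 40151 ssh2
May 10 08:03:09 mail sshd[2122]: Failed password for bob from 10.0.0.8 port 40152 ssh2
May 10 08:03:14 mail sshd[2123]: Failed password for bob from 10.0.0.8 port 40153 ssh2
May 10 08:03:19 mail sshd[2124]: Failed password for bob from 10.0.0.8 port 40154 ssh2
"""


def count_failures(log_text):
    """Return {ip: {category: failure_count}} for the three DenyHosts categories."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        if m.group("user") == "root":
            category = "root"
        elif m.group("invalid"):
            category = "invalid"
        else:
            category = "valid"
        counts[m.group("ip")][category] += 1
    return counts


def hosts_to_deny(counts, thresholds=THRESHOLDS):
    """IPs that reached the threshold in at least one category, sorted."""
    denied = set()
    for ip, per_category in counts.items():
        for category, n in per_category.items():
            if n >= thresholds[category]:
                denied.add(ip)
    return sorted(denied)


def hosts_deny_lines(ips, service="sshd"):
    """Lines in the form tcp_wrappers reads from /etc/hosts.deny (BLOCK_SERVICE = sshd)."""
    return ["%s: %s" % (service, ip) for ip in ips]


if __name__ == "__main__":
    for line in hosts_deny_lines(hosts_to_deny(count_failures(SAMPLE_SECURE_LOG))):
        print(line)
```

With the sample input, 10.0.0.5 is blocked after a single failure (invalid user), 10.0.0.6 after three root failures, and 10.0.0.8 after five failures for an ordinary user, while 10.0.0.7 (two failures, then success) is left alone; raising DENY_THRESHOLD_VALID to the 10 of the second configuration changes nothing here but gives ordinary users more room for typos.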
③ Apart from root, the fewer Linux users there are on the server, the better. If you must add an authorized user, set the login shell of accounts that should not log in to nologin and remove unauthorized users. It is also necessary to check regularly whether the system contains any unnecessary users.
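As an added example of that regular check (not code from the original post), the following script audits a constructed /etc/passwd: it lists every account whose shell still allows an interactive login, compares that list against the names you have actually authorized, and separately flags any account other than root that carries UID 0. The account names and the authorized set are constructed for the example.

```python
# Constructed /etc/passwd sample (not copied from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nagios:x:500:500::/home/nagios:/bin/bash
lyychee:x:501:501::/home/lyychee:/bin/bash
backup:x:502:502::/home/backup:/sbin/nologin
toor:x:0:0::/root:/bin/bash
"""

# Shells that prevent an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (name, uid, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        yield fields[0], int(fields[2]), fields[6]


def interactive_accounts(text):
    """Accounts whose login shell allows an interactive session."""
    return [(name, uid, shell) for name, uid, shell in parse_passwd(text)
            if shell not in NOLOGIN_SHELLS]


def audit(text, authorized):
    """Accounts to review: unauthorized interactive logins and extra UID-0 accounts."""
    unauthorized = [name for name, uid, shell in interactive_accounts(text)
                    if name not in authorized]
    extra_uid0 = [name for name, uid, shell in parse_passwd(text)
                  if uid == 0 and name != "root"]
    return {"unauthorized_interactive": unauthorized, "extra_uid0": extra_uid0}


if __name__ == "__main__":
    # On a real host: audit(open("/etc/passwd").read(), authorized={...})
    print(audit(SAMPLE_PASSWD, authorized={"root", "lyychee"}))
```

Service accounts such as mysql and nagios show up in the first list because they were created with /bin/bash; moving them to /sbin/nologin makes them disappear from it, which is exactly the change the text recommends.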
④ Analyze the system log files to find clues that an intruder once tried to break into the system. The last command is another tool for finding logon events of unauthorized users.
The following is a demo from one machine:
lyychee pts/2 running         Mon May 22   still logged in
lyychee pts/2 running         Thu May 18 - ()
lyychee pts/2 61.130.107.51   Tue May 16 )
root    pts/2 61.130.107.58   Sat May 13 - ()
lyychee pts/2 210.32.178.253  Fri May 12 )
root    pts/2 58.107.130.61.di Wed May 10 - ()
root    pts/2 61.130.107.58   Tue May 9 )
root    pts/2 59.78.34.62     Sun May 7 - ()
lyychee pts/2 59.78.34.62     Sat May 6 )
lyychee pts/2 222.64.24.144   Sat May 6 - ()
root    pts/2 192.168.0.111   Sat May 6 )
lyychee pts/2 222.64.22.144   Thu May 4 - (00:0
root    pts/2 59.78.34.62     Tue May 2 )
The input of the last command comes from /var/log/wtmp. This file records in detail the access activity of every system user. However, experienced intruders often delete /var/log/wtmp to erase the evidence of their illegal activity. Even so, such a cleanup still leaves clues: the log file ends up containing a logout operation with no corresponding login (when wtmp is deleted, the login record is lost, but when the intruder logs out later, the system still writes that down). A more careful intruder logs out first and then uses at or cron to delete the file. (But even this can still be detected. In short, no Linux measure is the strongest, so strong that nothing leaks; as in Gu Long's novels, nobody is number one under heaven, it only looks that way.)
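The "logout without a login" trace described above can be checked mechanically rather than by eye. The following added example (not code from the original post) decodes raw wtmp records with the glibc utmp layout (384-byte records; the layout is an assumption about the host's libc, which holds for Linux on x86 and x86_64) and reports every logout record (ut_type DEAD_PROCESS) whose tty never had a preceding login record (USER_PROCESS) in the same file. The sample records are constructed in the script itself; the user name and address in them are taken from the demo output above.

```python
import struct
import sys

# glibc utmp record: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (two 32-bit ints),
# ut_addr_v6[4], 20 reserved bytes. Little-endian, no alignment padding.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on Linux x86/x86_64 (assumption)
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values for login and logout


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record; used only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def parse_wtmp(data):
    """Decode raw wtmp bytes into dicts, in file (chronological) order."""
    records = []
    usable = len(data) - len(data) % UTMP_SIZE  # ignore a trailing partial record
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def orphan_logouts(records):
    """DEAD_PROCESS records whose tty has no earlier USER_PROCESS record.

    A logout with no matching login is the trace the text describes: the login
    went into a wtmp that was later deleted, the logout into the fresh file.
    """
    open_lines = set()
    orphans = []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                open_lines.discard(r["line"])
            else:
                orphans.append(r)
    return orphans


# Constructed sample: one complete session on pts/1, then a logout on pts/2
# whose login record is missing (as if wtmp had been removed in between).
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 2101, "pts/1", "lyychee", "192.168.0.111", 1147000000),
    make_record(DEAD_PROCESS, 2101, "pts/1", "", "", 1147003600),
    make_record(DEAD_PROCESS, 2230, "pts/2", "", "", 1147010000),
])


if __name__ == "__main__":
    # Usage: python wtmp_check.py [/var/log/wtmp]; without an argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for r in orphan_logouts(parse_wtmp(data)):
        print("logout without login: line=%s pid=%d time=%d" % (r["line"], r["pid"], r["time"]))
```

Two caveats when running this on a real file: a wtmp that was legitimately rotated by logrotate also starts with orphan logouts for sessions that began before the rotation, so compare against the rotation time, and an intruder who runs as root can also forge records, so treat the result as one clue among several rather than proof.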
⑤ In addition, you can run grep error /var/log/messages to check whether your server is suffering from hardware faults.
⑥ Try to use the Chkrootkit application to search for rootkit traces and signatures, and judge from its report whether your server has been infected with a Trojan.
⑦ Try to use AIDE to check the integrity of the file system.
Alibaba recommends using Snort for automatic intrusion detection. It integrates the most advanced technologies of similar software and is open source.
Take my mail server as an example. Since it is a stand-alone server with no hardware firewall or web firewall in front of it, iptables must be enabled for protection. The content of its /root/firewall.sh is as follows:
#!/bin/bash
# flush all rules and user chains, then set default policies
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# load connection-tracking modules
# (the module name in the original was garbled beyond recovery; the state match below loads it on demand)
# modprobe <connection-tracking module>
# allow loopback and replies to connections the server initiated
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow only the mail/web/ssh service ports
iptables -A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,465,22 -j ACCEPT
Scan it from another machine with nmap, the king of scanners:
[root@mail postfix]# nmap -P0 -sS 211.143.6.X
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at CST
Interesting ports on 211.143.6.X:
Not shown: 1668 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
1014/tcp open  unknown
lsof -i :1014 shows that it is rpc.statd again, which uses a different port each time. rpc.statd cannot handle the SIGPIPE signal correctly; a remote attacker can exploit this to kill the process and cause a denial of service. rpc.statd is started by the nfslock service, so just disable it:
# service nfslock stop
# chkconfig nfslock off
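The reasoning in the scan above (the firewall only opens a known list of ports, so any other open port deserves an lsof and possibly a service shutdown) can be turned into a check that runs after every scan. The following added example (not code from the original post) parses the port table of the nmap output quoted above and compares it against the --dport list of /root/firewall.sh, reporting the open TCP ports that the policy never intended to expose. The nmap text is the page's own output, laid out one port per line; the allow-list is copied from the firewall script.

```python
import re

# TCP ports opened by /root/firewall.sh (the --dport list, 465 listed once).
ALLOWED_TCP = {80, 443, 25, 465, 110, 995, 143, 993, 587, 22}

# The scan output quoted in the text, port table one entry per line.
NMAP_OUTPUT = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at CST
Interesting ports on 211.143.6.X:
Not shown: 1668 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
1014/tcp open  unknown
"""

# One row of nmap's normal-output port table: "22/tcp   open  ssh".
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def open_ports(nmap_text):
    """(port, proto, service) for every row nmap reports as open."""
    found = []
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group("state") == "open":
            found.append((int(m.group("port")), m.group("proto"), m.group("service")))
    return found


def unexpected_ports(nmap_text, allowed=ALLOWED_TCP):
    """Open TCP ports that the firewall policy does not intend to expose."""
    return [(port, proto, svc) for port, proto, svc in open_ports(nmap_text)
            if proto == "tcp" and port not in allowed]


if __name__ == "__main__":
    # Feed real output with: nmap -P0 -sS HOST | python check_ports.py (reading stdin),
    # or keep the constant above for the quoted example.
    for port, proto, svc in unexpected_ports(NMAP_OUTPUT):
        # Next step, as in the text: lsof -i :PORT to see which process owns it.
        print("unexpected open port: %d/%s (%s)" % (port, proto, svc))
```

On the quoted scan this flags 111/tcp (rpcbind) and 1014/tcp (the rpc.statd port that moves each time); both belong to the NFS locking service that the text disables with the two commands above. A filtered port or a port that nmap cannot identify is still reported, which is the point: the allow-list, not nmap's service guess, is the reference.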
Stop unnecessary services on the system and harden the kernel. Pay close attention to kernel vulnerabilities on the server: many Linux attacks target the kernel, so make sure the kernel version is later than 2.6.9 (2.6.9 itself excluded).