Article Title: UNIX and UNIX-like system security check notes
Here are some personal experience notes. I believe they are useful for UNIX or UNIX-like systems (FreeBSD, OpenBSD, NetBSD, Linux, etc.) that have been intruded:
First, you can use the following system commands and configuration files to trace the path by which an intruder came in:
1. who ------ (shows who is logged on to the system)
2. w -------- (shows who is logged on to the system and what they are doing)
3. last ----- (lists the users and TTYs that have logged on to the system)
4. lastcomm - (lists the commands that have been run on the system in the past)
5. netstat -- (shows the current network state, such as the IP address of a user who has telnetted to your machine, and other network status)
6. Check the router information.
7. /var/log/messages -- check the logon activity of external users.
8. Use finger to view all logged-in users.
9. Check the login history files (.history, .rchist, etc.).
Post-note: the 'who', 'w', 'last', and 'lastcomm' commands depend on /var/log/pacct, /var/log/wtmp and /etc/utmp to report this information to you. Many savvy system administrators protect this log information (/var/log/*, /var/log/wtmp, etc.) from intruders; we recommend installing tcp_wrapper so that all connections to your machine are logged.
Second, the system administrator should close all possible backdoors and prevent intruders from reaching the internal network from outside. (If you are interested in FreeBSD, take a look at the security architecture of the FreeBSD website in the security document of the Green Corps (1).) If an intruder notices that the system administrator has already entered the system, he may try to hide his traces with rm -rf.
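The first section's checks ("who logged in, and from where") still have to be answered when wtmp or utmp are missing, and /var/log/messages usually remains. The following script is an added example, not code from the original article: it extracts the user names and source addresses of remote logins from syslog-style lines of the kind found in /var/log/messages, including the "connect from" records that tcp_wrapper writes. The log lines are constructed for illustration, the addresses are documentation ranges, and the file paths in log_files_present are assumptions that vary between UNIX variants.

```shell
#!/bin/sh
# Added example, not from the article: pull the source addresses of remote
# logins out of syslog-style lines (the format found in /var/log/messages) so
# the "who / from where" question can be answered even when wtmp is gone.
# The log lines below are constructed; the addresses are documentation ranges.

SAMPLE_LOG='Mar  3 10:15:02 host sshd[1234]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:16:44 host sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar  3 10:17:01 host in.telnetd[1250]: connect from 192.0.2.9
Mar  3 10:18:30 host sshd[1260]: Accepted publickey for alice from 203.0.113.5 port 51300 ssh2
Mar  3 10:19:00 host cron[1270]: (root) CMD (run-parts /etc/cron.hourly)'

# accepted_logins: read log text on stdin, print "user address" per successful sshd login.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") addr = $(i + 1)
        }
        print user, addr
    }'
}

# failed_logins: print the address behind each failed sshd password attempt.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
    }'
}

# tcpd_connects: print "service address" for tcp_wrapper "connect from" records.
tcpd_connects() {
    awk '/: connect from / {
        svc = $5; sub(/\[.*$/, "", svc)
        for (i = 1; i <= NF; i++) if ($i == "from") print svc, $(i + 1)
    }'
}

# source_addresses: every distinct remote address seen in any of the records above.
source_addresses() {
    log=$(cat)
    {
        printf '%s\n' "$log" | accepted_logins | awk '{print $2}'
        printf '%s\n' "$log" | failed_logins
        printf '%s\n' "$log" | tcpd_connects | awk '{print $2}'
    } | sort -u
}

# log_files_present: which of the files the who/w/last/lastcomm family relies on
# exist on this host (paths are assumptions; they differ between UNIX variants).
log_files_present() {
    for f in /var/log/messages /var/log/wtmp /var/log/pacct /var/run/utmp /etc/utmp; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

echo "Successful logins (user address):"
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
echo "All remote addresses seen:"
printf '%s\n' "$SAMPLE_LOG" | source_addresses
```

To run it against a real log, replace the `printf '%s\n' "$SAMPLE_LOG"` pipelines with `cat /var/log/messages` (or `cat /var/log/auth.log` on systems that split authentication messages out). The awk patterns look for the field after the literal words "for" and "from" rather than fixed column numbers, so they still work when the timestamp or host name field has a different width.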
Third, we need to protect the following system commands and system configuration files to prevent intruders from replacing them and gaining the ability to modify the system.
1. /bin/login
2. /usr/etc/in.* files (for example, in.telnetd)
3. Services started by the inetd super daemon (inetd listens on the port, waits for a request, and spawns the corresponding server process). The following server processes are generally started by inetd: fingerd (79), ftpd (21), rlogind (klogin, eklogin, etc.), rshd, talkd, telnetd (23), tftpd. inetd can also start other internal services; the services are defined in /etc/inetd.conf.
4. Non-root users should not be allowed to use netstat, ps, ifconfig, and su.
Fourth, the system administrator should regularly check for system changes (such as files, system time, and so on):
1. # ls -lac to view the real modification time of a file.
2. # cmp file1 file2 to compare two files for changes.
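The third and fourth sections together describe one routine: record what the protected binaries and configuration files look like, then compare later with cmp and ls. The script below is an added example, not code from the original article: it writes a baseline of checksums and sizes for a watch list of files and later reports which of them changed or disappeared, and wraps cmp and ls -lac for one-off comparisons. The watch list paths are assumptions (they differ between UNIX variants), and cksum is used only because it exists on every UNIX; a stronger hash such as sha256sum is preferable where available.

```shell
#!/bin/sh
# Added example, not from the article: keep a baseline of checksums for the
# binaries and configuration files the article says to protect, then report
# anything that changed. cksum is POSIX and exists everywhere; prefer
# sha256sum where it is installed, since a CRC can be matched deliberately.

# Default set of files to watch (an assumption; adjust the paths for your system).
WATCHLIST="/bin/login /etc/inetd.conf /bin/ps /bin/netstat /sbin/ifconfig /bin/su"

# make_baseline OUTFILE FILE... : write one "crc size path" line per existing file.
make_baseline() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        [ -f "$f" ] && cksum "$f" >> "$out"
    done
    return 0
}

# verify_baseline BASELINE : print "CHANGED path" or "MISSING path" for every
# entry whose checksum, size or existence differs; return 1 if anything did.
verify_baseline() {
    status=0
    while read -r crc size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        now=$(cksum "$path" | awk '{print $1, $2}')
        if [ "$now" != "$crc $size" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$1"
    return $status
}

# files_differ A B : succeed when the two files differ (the article's cmp check).
files_differ() {
    ! cmp -s "$1" "$2"
}

# show_change_times FILE... : the article's ls -lac check, listing the inode
# change time, which a plain touch(1) of the file does not rewind.
show_change_times() {
    ls -lac -- "$@"
}

# Command-line use: "baseline [file]" records, "verify [file]" compares.
# Word splitting of $WATCHLIST is intentional (paths contain no spaces).
case "${1:-}" in
    baseline) make_baseline "${2:-./baseline.cksum}" $WATCHLIST ;;
    verify)   verify_baseline "${2:-./baseline.cksum}" ;;
esac
```

Store the baseline file somewhere the intruder cannot reach from the host (removable media or a separate machine), otherwise replacing a binary and regenerating the baseline is a single step. Run `sh checkfiles.sh baseline` right after installation and `sh checkfiles.sh verify` from a cron job or by hand; a non-zero exit with CHANGED or MISSING lines is the signal to pull the original from installation media and investigate.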