What should I do if my server is attacked?

Source: Internet
Author: User
Tags: ssh, port

Recently I have found that the passwords on some customer machines keep getting changed, or that their remote-port connections are not secure.


I will summarize some security practices from my day-to-day experience. This time I will focus on servers, both Windows and Linux.


Windows security considerations:


1. Change the default Remote Desktop port 3389 (it is one of the ports that scanning bots look for most often).


2. Anti-virus software. 360 is recommended.

Routine operations: computer health check, vulnerability repair, speeding up and optimizing startup items, and quick scan and removal.

The full feature list includes anti-hacker hardening; the directories that the system shares by default after installation should be disabled there.

With its task manager you can see which processes are normal and which are dangerous.

It also provides a system first-aid kit, an offline (network-disconnected) first-aid kit, forced uninstall, and a file shredder.

3. Windows Firewall

1. In Windows, add only the applications, software, and ports that are actually used, and block all other applications and ports;

2. On Windows Server 2008, add inbound and outbound rules, mainly for the ports concerned;


4. Enable TCP/IP filtering in the network adapter properties and allow only the required ports;


5. Rename the default administrator account. Do not use admin, which is far too common;


6. Change the administrator password. What matters is not length but complexity.

Passwords such as [email protected], 1qaz2wsx, and admin123 are in the dictionaries hackers use for cracking.


7. Change the default ports of applications. For example, MySQL (3306) and SQL Server (1433) can be moved to other ports; the application's connection settings (for example in the app being developed) then have to be updated to match.


8. Back up the database regularly and apply system patches promptly.


Linux security notes:


1. Disable remote root login if possible; log in remotely with an ordinary account and then switch to root for routine operations.

2. The passwords of root and all other users must be complex.

3. Change the default SSH port 22;

4. Use iptables for policy control;

5. Disable unnecessary services. The chkconfig command is used here;

chkconfig --list   shows, for each service, whether it is on or off in runlevels 0 to 6.

chkconfig --add XXX   adds a startup item

chkconfig --del XXX   deletes a startup item

chkconfig --level 35 XXX on/off   enables or disables service XXX in runlevels 3 and 5.

6. Change the default port of applications, for example MySQL 3306.

7. Check whether /etc/rc.local starts anything abnormal.

8. Check whether crontab starts anything abnormal.
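A small check for items 1, 3 and 4 above, added here as an example and not part of the original post: it reads an sshd_config, reports whether root login is still allowed or SSH is still on port 22, and prints the iptables rule for whichever port is configured. The sample config files are constructed inline; only the global section of sshd_config is read (Match blocks are not handled).

```shell
#!/bin/sh
# Added example, not from the original post: check an sshd_config against
# Linux items 1 and 3 above (no remote root login, SSH moved off port 22)
# and print the iptables rule from item 4 for whatever port is configured.
# Only the global section is read; Match blocks are not handled.

# sshd_value FILE KEYWORD: first uncommented occurrence wins, as in sshd;
# prints nothing when the keyword is absent.
sshd_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

ssh_port() {                       # effective port, default 22
    p=$(sshd_value "$1" Port)
    echo "${p:-22}"
}

sshd_findings() {                  # one finding per line, nothing when clean
    root=$(sshd_value "$1" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', should be 'no' (item 1)"
    fi
    if [ "$(ssh_port "$1")" = "22" ]; then
        echo "Port is 22, move SSH to a non-default port (item 3)"
    fi
}

sshd_finding_count() {             # number of findings, as a plain integer
    sshd_findings "$1" | awk 'END { print NR }'
}

ssh_iptables_rule() {              # item 4: accept only the configured SSH port
    echo "iptables -A INPUT -p tcp --dport $(ssh_port "$1") -j ACCEPT"
}

# Constructed sample configs for demonstration (not real server files).
WORK=$(mktemp -d)
WEAK_CFG="$WORK/sshd_config.weak"
HARDENED_CFG="$WORK/sshd_config.hardened"
printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'X11Forwarding yes' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' > "$HARDENED_CFG"

echo "== weak =="; sshd_findings "$WEAK_CFG"
echo "== hardened =="; sshd_findings "$HARDENED_CFG"; ssh_iptables_rule "$HARDENED_CFG"
```

Run it against the real /etc/ssh/sshd_config with `sshd_findings /etc/ssh/sshd_config` once the SSH port has been chosen, and remember that the iptables rule must be in place before the port is changed or the session will be locked out.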



If the server has already been infected:

In addition to the Windows measures above, use msconfig to check the startup items manually and disable anything suspicious;

Check the directories on drive C, usually C:\Windows, C:\Windows\System32, C:\Windows\System32\Tasks, and the user's desktop directory. 360 can remove what it finds; if that does not work, look at the most recently modified files.

After the virus is cleared, every user account, password, and remote port number must be changed one by one.


Beyond the above, Linux needs a few commands to find where the trojan is:

ps -ef        view suspicious processes

netstat -an   view suspicious ports

top           view suspicious processes by CPU or memory usage

On Linux, .exe or .bat files cannot run; if what you find are common Windows viruses, they were simply uploaded to your server.
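A triage script for the ps -ef and netstat -an checks above, added here as an example and not part of the original post. The netstat and ps output it reads is constructed, and both the allow list of expected ports and the rule that flags binaries running from /tmp, /var/tmp or /dev/shm are my own assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: triage the output of the
# netstat -an and ps -ef checks above. All sample output is constructed.

# unexpected_listeners "port port ...": read `netstat -an` output on stdin and
# print every LISTEN socket whose local port is not in the allow list.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # 0.0.0.0:6666 or :::6666 -> 6666
            if (!(port in ok)) print port, $4
        }'
}

# suspicious_processes: read `ps -ef` output on stdin and flag processes whose
# binary runs from a temp directory (assumed heuristic) or whose C column,
# the CPU utilisation, is 80 or more.
suspicious_processes() {
    awk 'NR > 1 {
        why = ""
        if ($8 ~ /^\/(tmp|var\/tmp|dev\/shm)\//) why = why " temp-dir"
        if ($4 + 0 >= 80) why = why " high-cpu"
        if (why != "") print $2, $8 why          # PID CMD reasons
    }'
}

# Constructed samples in the layout of the real commands.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:2222           203.0.113.9:51234       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:03 /sbin/init
root      2107     1  0 Jan01 ?        00:00:00 /usr/sbin/sshd -D
mysql     2311     1  0 Jan01 ?        00:12:41 /usr/sbin/mysqld
root      9041     1 97 10:15 ?        01:22:05 /tmp/.x/kworkerd'

echo "== listeners not in the allow list (2222 3306) =="
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "2222 3306"
echo "== suspicious processes =="
printf '%s\n' "$PS_SAMPLE" | suspicious_processes
```

On a real host pipe the live commands in instead, e.g. `netstat -an | unexpected_listeners "2222 3306"`, and treat every hit as a lead to verify, not as proof of compromise.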



To sum up, hackers usually scan the ports of commonly used services, such as 3389, 1433, 25, and so on. Changing those ports already strengthens them. Next, user accounts and passwords must be complex, and not a complex password that is reused everywhere. Otherwise the entry point is a vulnerability in software or web applications, such as JSP, ASP, or PHP backdoors, so directory permissions deserve particular attention. I strongly recommend that you do not install anti-virus software from several vendors at once; it only degrades the machine's performance. After the check, the system must be restarted to confirm that no vulnerabilities remain. Of course, reinstalling is the simplest, best, and safest method, but I recommend that you examine the server before reinstalling and find the cause; otherwise the same problem may recur.


Finally, I wish you better server security and fewer attacks. As the saying goes, however high the defenses rise, the attacks rise higher; continuous learning is what counts!



If you have any questions, comments, or suggestions, please leave a comment. I hope we can discuss network security together.


This article is from the "Yang donhao" blog; please keep this source: http://506554897.blog.51cto.com/2823970/1572751
