Linux Intrusion Detection Basics
In Linux there are five commands for auditing logons:
last: shows successful logons, shutdowns and restarts of the system. It reads and formats /var/log/wtmp.
lastb: shows failed logon attempts. It reads and formats /var/log/btmp.
lastlog: shows the most recent logon of each user. It reads and formats /var/log/lastlog.
who: shows who is currently logged on. It reads and formats /var/run/utmp.
w: similar to who (it also lists what each logged-on user is currently running).
Usage (see man last): last and lastb are invoked the same way:
last [-R] [-num] [-n num] [-adFiowx] [-f file] [-t YYYYMMDDHHMMSS] [name...] [tty...]
lastb [-R] [-num] [-n num] [-f file] [-adFiowx] [name...] [tty...]
who [OPTION]... [FILE | ARG1 ARG2]
Parameter description:
View system logon information
last: with no arguments, lists system logons and restarts
Shutdowns/restarts only
use the -x option (last -x), which also lists shutdown and runlevel-change entries
Logons only
use the -d option (last -d), without any further options after it
Show failed logon attempts
lastb
View who is currently logged on
who, w
0x01 View logs
In Linux there are three main log subsystems:
Connection-time log: written to /var/log/wtmp and /var/run/utmp. login and other programs update the wtmp and utmp files, which lets the system administrator track who is logged on at any time. (utmp and wtmp are the key to most Linux log subsystems: they record user logons and logouts. Information about currently logged-on users is kept in utmp; logon and logout records are kept in wtmp, which also records data exchange, shutdowns and restarts. All records carry timestamps.)
Process accounting: performed by the kernel. When a process terminates, one record per process is written to the process accounting file (pacct or acct). Process accounting provides command-usage statistics for basic services on the system.
Error log: handled by the syslogd(8) daemon. System daemons, user programs and the kernel report noteworthy events through syslog(3) to /var/log/messages. Many Unix programs also keep their own logs, and servers providing network services such as HTTP and FTP maintain detailed logs of their own.
Log directory: /var/log (default)
View system/process messages:
cat /var/log/messages
View a service log (mail, for example):
cat /var/log/maillog
0x02 User view
Different Linux users have different permissions, but every user is recorded in /etc/passwd, /etc/shadow and /etc/group.
Checks:
less /etc/passwd: check whether new users have been added.
grep ':0:' /etc/passwd: check for privileged users (UID 0, i.e. root-equivalent accounts).
ls -l /etc/passwd: check the last modification time of passwd.
awk -F: '$3 == 0 {print $1}' /etc/passwd: list privileged (UID 0) users.
awk -F: 'length($2) == 0 {print $1}' /etc/shadow: list users with an empty password.
Note: a blank password is set in Linux with: passwd -d username
0x03 Process view
Common process checks
Processes are normally inspected with ps (see man ps):
ps aux: list processes
lsof -p PID: list the ports and files opened by a process
Check for hidden processes
ps -ef | awk '{print $2}' | sort -n | uniq > 1
ls /proc | sort -n | uniq > 2
diff 1 2
Note: the three steps above compare the PIDs reported by ps (the awk step extracts the PID column) with the entries of /proc. Numeric entries that appear only in file 2 belong to processes ps does not show. The non-numeric /proc entries and the PID header line also appear in the diff and can be ignored, as can PIDs of processes that were spawned between the two snapshots.
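As an added example (not from the original article), the same three-step comparison in Python: it pulls the PID column out of ps -ef, keeps only the numeric /proc entries, and reports PIDs that /proc knows but ps did not list; constructed sample data is embedded so the logic can be exercised offline, and live_check() runs it on the current host. It only catches processes hidden from ps (a trojaned ps binary or an LD_PRELOAD hook), not ones a kernel rootkit also hides from /proc.

```python
#!/usr/bin/env python3
"""Hidden-process check: compare the PIDs that ps reports with the numeric
entries in /proc. Added example, not part of the original article."""
import os
import subprocess

def parse_ps_ef(text):
    """Extract the PID column (field 2) from ps -ef output, skipping the header."""
    pids = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids

def numeric_proc_entries(entries):
    """Keep only PID directories from a /proc listing (drops cpuinfo, self, ...)."""
    return {int(e) for e in entries if e.isdigit()}

def hidden_pids(ps_pids, proc_pids):
    """PIDs present in /proc but absent from the ps output, sorted ascending."""
    return sorted(set(proc_pids) - set(ps_pids))

def live_check():
    """Run the comparison on the current host. ps is snapshotted first, /proc
    second, and each candidate is then looked up in /proc again so that
    short-lived processes spawned in between (the ps child included) drop out."""
    ps_out = subprocess.run(["ps", "-ef"], capture_output=True,
                            text=True, check=True).stdout
    seen = numeric_proc_entries(os.listdir("/proc"))
    candidates = hidden_pids(parse_ps_ef(ps_out), seen)
    return [p for p in candidates if os.path.isdir(f"/proc/{p}")]

# Constructed sample data: ps lists three processes, /proc also holds PID 4321.
PS_SAMPLE = """UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 /sbin/init
root         2     0  0 10:00 ?        00:00:00 [kthreadd]
user      1234     1  0 10:05 pts/0    00:00:00 bash
"""
PROC_SAMPLE = ["1", "2", "1234", "4321", "cpuinfo", "self", "sys"]

if __name__ == "__main__":
    print("sample:", hidden_pids(parse_ps_ef(PS_SAMPLE),
                                 numeric_proc_entries(PROC_SAMPLE)))  # [4321]
    print("live:", live_check())
```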
0x04 Other checks
Check files
find / -uid 0 -print: find files owned by the privileged user (UID 0)
find / -size +10000k -print: find files larger than 10000 KB
find / -name "..." -print: find files or directories literally named "..."
find / -name core -exec ls -l {} \; : find core files and list their details
md5sum -b filename: compute the MD5 value of a file
rpm -qf /bin/ls: check file integrity by identifying the package that owns the file (rpm -V on that package then verifies the installed files; other files in /bin should be checked the same way)
Check network
ip link | grep PROMISC: PROMISC should not appear on a normal NIC; if it does, a sniffer may be running.
lsof -i: list open network connections
netstat -nap: check for abnormal ports
arp -a: check whether the ARP table looks normal
Scheduled tasks
crontab -u root -l: list the root user's scheduled tasks
cat /etc/crontab
ls -l /etc/cron.*: check the details and modification times of the cron files
ls /var/spool/cron/
Check for backdoors
Public tools exist for checking Linux backdoors, but much of the same information can be gathered with plain commands.
1. Check scheduled tasks (see the section above).
2. Check persistent SSH key files: vim $HOME/.ssh/authorized_keys
3. lsmod: check loaded kernel modules
4. chkconfig --list / systemctl list-units --type=service: check services that start automatically
5. Service backdoors and abnormal ports: check whether a reverse shell or an unexpected listener exists
Other: ls /etc/rc.d; ls /etc/rc3.d