Nine-point UNIX Security Architecture Experience

Source: Internet
Author: User

The following is a summary of my personal experience. I believe it is useful for UNIX and UNIX clones (FreeBSD, OpenBSD, NetBSD, Linux, etc.) that have been broken into:

First, you can use the following system commands and configuration files to trace where an intruder came from:

1. who ------ (view who is logged on to the system)

2. w -------- (view who is logged on to the system and what they are doing)

3. last ----- (display the users and TTYs that have logged on to the system)

4. lastcomm - (display the commands that were run on the system in the past)

5. netstat -- (view the current network status, such as the IP address of a user who has telnetted to your machine, and other network state)

6. View the router information.

7. /var/log/messages to view the logon records of external users.

8. Use finger to view all logged-in users.

9. View the shell history files (.history, .rchist, etc.). Note: the who, w, last and lastcomm commands rely on /var/log/pacct, /var/log/wtmp and /etc/utmp for their information. Experienced system administrators protect this log information (/var/log/*, /var/log/wtmp, etc.) from intruders; we also recommend installing tcp_wrapper so that every connection to your machine is logged.

Next, the system administrator should close all possible backdoors and prevent intruders from reaching the internal network from the outside. If an intruder notices that the system administrator has logged on to the system, he may try to hide his traces with rm -rf.

Third, we need to protect the following system commands and system configuration files to prevent intruders from replacing them and gaining the ability to modify the system:

1. /bin/login

2. The /usr/etc/in.* files (for example, in.telnetd)

3. Services started by the inetd super daemon (inetd listens on the port, waits for a request, and then spawns the corresponding server process). The following server processes are generally started by inetd: fingerd (79), ftpd (21), rlogind (klogin, eklogin, etc.), rshd, talkd, telnetd (23), tftpd. inetd can also start other internal services; the services are defined in /etc/inetd.conf.

4. Non-root users should not be allowed to use netstat, ps, ifconfig, and su.

Fourth, the system administrator should regularly watch for system changes (such as files, system time, and so on):

1. # ls -lac to view the real modification time of a file.

2. # cmp file1 file2 to check whether a file has changed against its backup copy.

Fifth, we must prevent unauthorized users from using SUID (set-user-id) programs to obtain root privileges.

1. First, we need to find all the SUID programs on the system:

# find / -type f -perm -4000 -ls

2. Then we need to analyze the whole system to make sure that it has no backdoors.

Sixth, the system administrator should regularly check the users' .rhosts and .forward files.

1. # find / -name .rhosts -ls -o -name .forward -ls

Check whether a .rhosts file contains "+ +". If it does, the account can be accessed remotely without any password.

2. # find / -ctime -2 -ctime +1 -ls

View the files modified within the last two days to determine whether an unauthorized user has broken into the system.

Seventh, check that your system has the latest sendmail daemon, because old sendmail daemons allow other UNIX machines to remotely run unauthorized commands.

Eighth, the system administrator should obtain security patches from the manufacturer of your machine and operating system. If it is free software (such as a Linux platform), we suggest you go to linux.box.sk to obtain the best security procedures and security information.

Ninth, there are some ways to check whether the machine is vulnerable to attacks.

1. # rpcinfo -p to check whether your machine is running unnecessary RPC services.

2. # vi /etc/hosts.equiv to check for untrusted hosts and remove them.

3. If tftpd in /etc/inetd.conf is not disabled, use the following entry in your /etc/inetd.conf file so that it runs as nobody and is restricted to /tftpboot:

tftp dgram udp wait nobody /usr/etc/in.tftpd in.tftpd -s /tftpboot

4. We recommend that you back up the /etc/rc.conf file and write a shell script that regularly compares it with the backup: cmp rc.conf backup.rc.conf

5. Check your inetd.conf and /etc/services files to make sure that no unauthorized user has added services to them.

6. Back up the log files under /var/log/* to a safe place, to guard against an intruder running # rm /var/log/*

7. Make sure that the anonymous FTP server is correctly configured. My machine uses proftpd, and it must be correctly configured in proftpd.conf.

8. Back up /etc/passwd and change the root password. Make sure that the file cannot be read by intruders, to prevent them from guessing passwords.

9. If you cannot keep intruders out, you can install the ident daemon and the TCPD daemon to find the account used by the intruders!

10. Make sure that your console terminal is secure, to prevent unauthorized users from remotely logging on to your network.

11. Check that hosts.equiv, .rhosts, hosts and lpd all use # as the comment marker. If an intruder replaces a # with his host name, he can access your machine without any password.
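The checks from the fifth, sixth and ninth sections (new SUID programs, wildcard entries in .rhosts or hosts.equiv, and drift in inetd.conf against a saved backup) can be combined into one script that runs from cron. The script below is an added example, not code from the original article; the function names, the $WORK layout and every sample file in it are constructed so that it runs offline, and on a real host you would point the functions at / and your own backup directory instead.

```sh
#!/bin/sh
# Added example (not from the original article): a small daily audit script
# combining the SUID, .rhosts/hosts.equiv and config-drift checks.
# Everything under $WORK is constructed sample data, not a real host.

WORK=$(mktemp -d)

# --- constructed sample data ---
mkdir -p "$WORK/home/alice" "$WORK/etc" "$WORK/bin" "$WORK/backup"
printf 'trusted.example.com alice\n+ +\n' > "$WORK/home/alice/.rhosts"  # wildcard entry
printf '# hosts.equiv\ntrusted.example.com\n' > "$WORK/etc/hosts.equiv"  # clean file
: > "$WORK/bin/su";   chmod 4755 "$WORK/bin/su"    # expected SUID program
: > "$WORK/bin/ls";   chmod 0755 "$WORK/bin/ls"    # not SUID
: > "$WORK/bin/evil"; chmod 4755 "$WORK/bin/evil"  # SUID program absent from the baseline
printf '%s\n' "$WORK/bin/su" | sort > "$WORK/backup/suid.baseline"
printf 'ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd\n' > "$WORK/backup/inetd.conf"
printf 'ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd\ntftp dgram udp wait root /usr/etc/in.tftpd in.tftpd\n' \
    > "$WORK/etc/inetd.conf"                       # an added service, same as an intruder would leave

# Print the SUID files under $1, sorted (same idea as "find / -type f -perm -4000 -ls").
list_suid() {
    find "$1" -type f -perm -4000 | sort
}

# Print SUID files present now but missing from the sorted baseline list $2.
# Exit status 1 when something new has appeared, 0 when the set is unchanged.
new_suid() {
    list_suid "$1" > "$WORK/suid.now"
    comm -13 "$2" "$WORK/suid.now" | tee "$WORK/suid.new"
    [ ! -s "$WORK/suid.new" ]
}

# Exit 0 if the rhosts/hosts.equiv style file $1 trusts everyone: a line that is
# just "+" or "+ +", after comments (# to end of line) and blank lines are ignored.
rhosts_is_open() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$'
}

# Exit 0 if config file $1 differs from its backup $2, printing the difference;
# exit 1 when the two are byte-for-byte identical (cmp as in the article).
config_changed() {
    cmp -s "$1" "$2" && return 1
    diff "$2" "$1" || true
    return 0
}

# Run all three checks against a root directory; exit 1 if anything is wrong.
audit() {
    rc=0
    echo "== SUID programs not in baseline =="
    new_suid "$1/bin" "$1/backup/suid.baseline" || rc=1
    echo "== trust files granting access to everyone =="
    for f in "$1"/etc/hosts.equiv "$1"/home/*/.rhosts; do
        rhosts_is_open "$f" && { echo "WILDCARD in $f"; rc=1; }
    done
    echo "== inetd.conf drift against backup =="
    config_changed "$1/etc/inetd.conf" "$1/backup/inetd.conf" && rc=1
    return $rc
}

audit "$WORK" || echo "audit found problems (expected with the sample data)"
```

On a real machine the baseline for new_suid is the sorted output of list_suid taken right after installation and kept, like the backed-up inetd.conf and rc.conf, somewhere an intruder cannot write.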
