"Linux Intrusion Detection"

Source: Internet
Author: User
Tags: system, log, ssh, config

Steps for checking a Linux system for intrusion or malware infection

I. Check the operating system

(1) Check bandwidth usage to see whether the network interface traffic is abnormal.

(2) Check the system login/logout logs and the security log, and check whether /etc/passwd has been modified.

(3) Check whether the system has any abnormal processes:

pwdx: view the working directory of a process;

lsof: view the files and libraries the process has open;

search the name of the unusual process on Baidu.

(4) Check the services started at boot and the scheduled tasks: /etc/rc.local and crontab -l.

(5) Analyze the system logs.
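Items (2) to (4) of the checklist above as small shell filters. This is an added example, not code from the original article: each function reads text passed in as its first argument, the inputs at the bottom are constructed samples, and on a live host you would pass it the real output of cat /etc/passwd, pwdx, ls -l /proc/*/exe and crontab -l instead.

```sh
#!/bin/sh
# Added example, not from the original article. Each function filters the text
# passed in $1 so it can be tried on the constructed samples at the bottom; on a
# real host use "$(cat /etc/passwd)", "$(pwdx $(ps -eo pid=))",
# "$(ls -l /proc/[0-9]*/exe 2>/dev/null)" and "$(crontab -l)" instead.

# (2) Accounts other than root that have UID 0, a classic sign of /etc/passwd tampering.
find_extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# (3) Processes whose working directory (pwdx prints "PID: dir") is a
# world-writable staging area such as /tmp, /var/tmp or /dev/shm.
find_procs_in_tmp() {
    printf '%s\n' "$1" | awk -F': ' '$2 ~ "^/(tmp|var/tmp|dev/shm)(/|$)" { print $1 }'
}

# (3) Running processes whose binary has been deleted from disk, which lsof and
# "ls -l /proc/PID/exe" mark with "(deleted)"; prints the PID.
find_deleted_exe() {
    printf '%s\n' "$1" | sed -n 's#.*/proc/\([0-9][0-9]*\)/exe.*(deleted)$#\1#p'
}

# (4) Crontab lines that run something from a staging directory or pipe into a shell.
find_odd_cron() {
    printf '%s\n' "$1" | awk '$0 !~ "^#" && ($0 ~ "/(tmp|var/tmp|dev/shm)/" || $0 ~ "[|] *(sh|bash)( |$)")'
}

# Constructed sample inputs; they are not from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
toor:x:0:0::/tmp:/bin/bash'
SAMPLE_PWDX='1234: /usr/sbin
2345: /tmp/.x
3456: /dev/shm/sync'
SAMPLE_EXE='lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/1234/exe -> /usr/sbin/sshd
lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/2345/exe -> /tmp/.x/kworker (deleted)'
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
*/5 * * * * /tmp/.x/run.sh'

echo "extra uid0:";    find_extra_uid0 "$SAMPLE_PASSWD"    # toor
echo "cwd in tmp:";    find_procs_in_tmp "$SAMPLE_PWDX"    # 2345 3456
echo "deleted exe:";   find_deleted_exe "$SAMPLE_EXE"      # 2345
echo "odd cron:";      find_odd_cron "$SAMPLE_CRON"        # */5 * * * * /tmp/.x/run.sh
```

Any hit from these filters is a lead to investigate with the tools named above, not proof of compromise on its own.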

II. Check the applications for vulnerabilities, and check the application version information (logs and processes).

III. Common intrusion detection tools

psad, Snort

chkrootkit, Rootkit Hunter (rkhunter), Tripwire

IV. Intrusion analysis web page

Http://www.chinaunix.net/old_jh/4/480362.html

V. Appendix: system initialization and security deployment script

----------------------------------------------------------------------

#!/bin/bash
# System initialization / hardening script for SUSE 11 SP1 x86_64 (author: tango).
# Run as root. Cleaned up from the published copy: commands and paths
# lower-cased, quoting fixed, and the defects noted in the comments corrected.

cat << EOF
+--------------------------------------------------------------+
|  ===  Welcome to suse11_sp1_x64 System init  ===             |
+----------------------Author:tango----------------------------+
EOF
echo "alias vi='vim'" >> /root/.bashrc
echo 'syntax on' > /root/.vimrc
# Raise the open-file limit for all users.
echo "* soft nofile 52100
* hard nofile 52100" >> /etc/security/limits.conf

cat << EOF
+--------------------------------------------------------------+
|  ===  Welcome to turn off services  ===                      |
+--------------------------------------------------------------+
EOF
# Disable every runlevel-3 service except the base set listed in the case.
# Links are named /etc/rc.d/rc3.d/S<NN><service>, so the service name starts
# after "S" plus two digits (the published copy used "cut -c 20-" on the full path).
for i in /etc/rc.d/rc3.d/S*
do
    CURSRV=$(basename "$i" | cut -c 4-)
    echo "$CURSRV"
    case $CURSRV in
        cron | rpcbind | irq_balancer | dbus | haldaemon | microcode.ctl | network | network-remotefs | sshd | syslog)
            echo "Base services, skip!"
            ;;
        *)
            echo "Change $CURSRV to off"
            chkconfig --level 235 "$CURSRV" off
            service "$CURSRV" stop
            ;;
    esac
done

cat << EOF
+--------------------------------------------------------------+
|  ===  Welcome to Tuning sysctl.conf  ===                     |
+--------------------------------------------------------------+
EOF
# Replace sysctl.conf wholesale. Notes on the published values:
#  - net.ipv4.tcp_syncookies appeared three times (1, then 0, then 1 again
#    appended at the end); only the final "1" took effect, so it is set once here.
#  - net.ipv4.ip_local_port_range was "1024 65536"; the kernel rejects 65536
#    as an upper bound, so it is 65535 here.
#  - net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in
#    Linux 4.12; it still exists on the 2.6-series kernel this script targets.
cat > /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 134217728
net.ipv4.ip_local_port_range = 1024 65535
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_fin_timeout = 3
net.ipv4.tcp_tw_recycle = 1
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save = 1
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
vm.swappiness = 6
EOF
echo "optimized kernel configuration was done!"

cat << EOF
+--------------------------------------------------------------+
|  ===  Welcome to account Lock  ===                           |
+--------------------------------------------------------------+
EOF
# Lock the passwords of system accounts that never need to log in.
for u in lp nobody ftp postfix at games
do
    passwd -l "$u"
done

cat << EOF
+--------------------------------------------------------------+
|  ===  Welcome to Lock Important Files  ===                   |
+--------------------------------------------------------------+
EOF
# Make the account databases immutable and root's shell history append-only.
# Note: useradd, usermod and passwd will fail until "chattr -i" is run again.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +a /root/.bash_history
# The published copy also set +i on .bash_history; that would stop any new
# history from being written at all, so only +a (append-only) is kept.
# tcp_syncookies=1 is already in sysctl.conf above; apply the settings now.
sysctl -p

cat << EOF
+--------------------------------------------------------------+
|  ===  Welcome to Modify SSH Config  ===                      |
+--------------------------------------------------------------+
EOF
echo ""
# The published script ends here; its SSH configuration changes were not included.

----------------------------------------------------------------------
