This book starts from the collection and analysis of raw logs on Unix/Linux systems and gradually moves into log auditing and computer forensics. It presents a number of cases, each a vivid account of how administrators carried out system forensics and recovery after a network intrusion; the analysis techniques are woven into the storyline so that readers can put themselves in the scene and test their own incident-response and computer-forensics skills.
The cases in this book were summarized and selected by the author from system maintenance and forensics work, and they have real reference value for improving network-maintenance skills and incident-analysis ability. If you care about cyber security, the cases in the book will surely resonate with you. The book is suitable for Unix/Linux system administrators and information-security professionals with some experience.
1. Why did you write this book?
Many books on internet security and defense have been published domestically, and most of them are based on the Windows platform. But most internet application servers are built on Unix/Linux systems, and readers need to know about security cases on these systems. So I decided to write a Unix/Linux-based book, from a white-hat perspective, that tells everyone how an enterprise network facing various network threats can find clues to the problem through log information, repair network vulnerabilities, and build a secure network environment.
2. Features and structure of the book
The cases cover the typical attack types seen in today's web applications, such as DDoS, malicious code, buffer overflows, web application attacks, IP fragmentation attacks, man-in-the-middle attacks, wireless network attacks, and SQL injection. Each story first describes a security incident. The administrator then conducts an on-site survey and collects various information (including log files, topology maps and device configuration files), cross-correlates the alarm information from the various security incidents, and guides the reader through analyzing the cause of the intrusion, drawing the reader into the case. Finally, the author lays out the full course of the intrusion and, at the end of each case, proposes precautions and remedial measures against that type of attack. The focus is on showing the reader how to conduct system and network forensics and how to find and repair the various vulnerabilities, so as to defend effectively.
The book has 14 chapters, divided into three parts.
Part One, Log Analysis Foundations (Chapters 1 to 3), is the foundation of the book and is particularly important for IT operations staff. It systematically summarizes the characteristics of Unix/Linux system logs and the logs of various network applications, where they are stored, and the role of each field, covering Apache logs, FTP logs, Squid logs, NFS logs, Samba logs, iptables logs, DNS logs, DHCP logs, mail system logs, and the logs of various network devices. For the first time it implements visual log analysis and reveals the ideas, methods, techniques and tools used in computer system forensics and evidence collection. This gives readers a solid foundation for logging and analyzing logs effectively, and answers the questions of "what to look for" and "how to look" during log analysis. Finally, this part introduces the principles and technical methods of log collection, including how to build open-source and commercial log analysis systems.
Part Two, Log Analysis in Practice (Chapters 4 to 12), adapts a number of short stories from the author's own experience, reproducing how the various network intrusion incidents the author encountered occurred and developed, how they were handled, and what preventive measures were taken. The "bloody" lessons learned on the road of network operations serve as a warning to everyone about what happens if patches are not applied and system security hardening is not performed. Examples include website crashes, DNS failures, DoS attacks, backdoors planted on Solaris, overflow attacks, rootkit attacks, worm attacks, SQL injection against databases, servers turned into springboards, IP fragmentation attacks, and more.
Part Three, Network Traffic and Log Monitoring (Chapters 13 and 14), uses a large number of examples to explain the principles and methods of traffic monitoring, such as application skills for the open-source tool Xplico and the use of NetFlow for abnormal-traffic analysis. It also introduces how to build a network log and traffic monitoring setup with the open-source OSSIM security system.
From the perspective of cyber security staff, this book shows how network intrusions occur and, when you are confronted with a multitude of clues, how to dig into the key issues and ultimately solve them. The cases are described as original scenarios; through vivid IT scenes they reflect the difficulties IT practitioners encounter at work. Through interactive questions and open-ended answers, readers unconsciously grasp important network security knowledge and practical technical solutions.
The IP addresses and domain names in the book's cases are fictitious, but the download sites and the various information-lookup sites involved in the solutions are real and have high reference value. The book contains a large number of system logs, which are important evidence in network-failure forensics; because of the confidentiality issues involved, all the logs have been technically processed.
Owing to the tight schedule and my limited ability, errors in the book are unavoidable, and I ask readers to point them out on my blog.
3. The experimental environment of this book
The Unix platforms selected for this book are Solaris and FreeBSD; the Linux platforms are mainly Red Hat and Debian. The forensic investigation live disks are DEFT 8.2 and BackTrack 5. The author's blog (http://chenguang.blog.51cto.com) provides Deft-vmware, Bt5-vmware and ossim-vmware virtual machines for readers to download and study.
"Unix/Linux Network Log Analysis and Traffic Monitoring" new book release