- Basic concepts
This covers two kinds of monitoring:
- Port monitoring
- File monitoring
The simple command for viewing ports is netstat -tulnp.
The service that corresponds to each port is listed in the file /etc/services.
File monitoring is done by installing the aide software and then editing its configuration file, /etc/aide.conf, to select the files to be monitored. A first scan records the original data of those files; when a monitored file later changes, a second scan reveals the difference so it can be dealt with.
View commands related to ports
netstat: network status monitoring
-t TCP
-l listening sockets
-p PID/program name
-a show all connections
-u UDP
-n numeric addresses and ports (no name resolution)
-e extended information
-s statistics
netstat -tulnp: check listening ports
/etc/services: records the ports for all services on the computer
Related commands for monitoring files
aide --init: first scan (records the original data of the files)
aide --check: second scan (records the data after a file has changed and compares it with the first scan)
Three types of SELinux states
Enforcing: the policy is enforced; access that violates it is denied
Permissive: access is allowed once it passes the check; violations are only logged as warnings
Disabled: SELinux is turned off entirely
The first is the command netstat -tulnp, which shows which ports are open.
If you need to see whether a specific port is open, you can filter for it; here the port number is 21, and it is open.
If you turn the service off, you will see that there is no port 21 information any more.
If you want to know which service a port belongs to, you can look it up in /etc/services.
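The walkthrough above lists ports with netstat -tulnp and then looks each port's service up by hand in /etc/services. The shell script below is an added example, not part of the original post: it joins those two steps, working over a constructed netstat -tulnp sample and a constructed /etc/services excerpt embedded in the script (both are assumptions, not output captured from any real host), so it runs without the real commands. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: resolve listening ports to service names, the way the
# walkthrough does by hand with netstat -tulnp and /etc/services.

# Constructed sample of `netstat -tulnp` output (assumption, not from a real host).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1377/vsftpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1201/master
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           990/ntpd'

# Constructed excerpt in /etc/services format (assumption; the real file is much longer).
SERVICES_SAMPLE='# service-name  port/protocol
ftp             21/tcp
ssh             22/tcp
smtp            25/tcp
ntp             123/udp'

# service_name PROTO PORT -> the service registered for PORT/PROTO, or "unknown".
# tcp6/udp6 share the tcp/udp entries in /etc/services, so a trailing "6" is stripped.
service_name() {
  sp=${1%6}
  printf '%s\n' "$SERVICES_SAMPLE" | awk -v want="$2/$sp" '
    /^[ \t]*#/ { next }                       # skip comment lines
    $2 == want { print $1; found = 1; exit }  # first matching entry wins
    END { if (!found) print "unknown" }'
}

# list_listeners -> one line per listening socket: "proto port service pid/program".
# UDP rows have no State column, so the program is taken from the last field.
list_listeners() {
  printf '%s\n' "$NETSTAT_SAMPLE" \
    | awk 'NR > 1 && $1 ~ /^(tcp|udp)6?$/ { port = $4; sub(/.*:/, "", port); print $1, port, $NF }' \
    | while read -r proto port prog; do
        printf '%s %s %s %s\n' "$proto" "$port" "$(service_name "$proto" "$port")" "$prog"
      done
}

# port_open PROTO PORT -> exit status 0 if a listener on PORT/PROTO is present.
port_open() {
  list_listeners | awk -v p="$1" -v n="$2" '$1 == p && $2 == n { found = 1 } END { exit !found }'
}

list_listeners
```

On a real host, replace the two constructed samples with `netstat -tulnp` output and the contents of /etc/services; the join logic stays the same. A listener whose service resolves to "unknown" is exactly the case the walkthrough's manual lookup is meant to catch, so it is worth listing those first when reviewing a machine.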
2. Intrusion detection test
aide: intrusion detection software
/etc/aide.conf: configuration file for aide
aide --init: scan (initialize the database)
aide --check: check the recorded data for changes
Next, for intrusion detection, you need to install the aide software.
After installation, an aide.conf file is generated in /etc; this is the configuration file of the aide software.
After opening /etc/aide.conf you can see the following: these are the files that can be monitored. If a path is set to NORMAL, any tampering with the files under it can be detected because the recorded data (checksums and attributes) changes. Here /boot is used as the example.
Here is the explanation of NORMAL; you can see that what it checks is very detailed.
In /var/lib/aide, after running the command aide --init, note the file aide.db.new.gz that appears there: it holds the original data of the monitored files. It should be copied off the machine onto a USB stick; when you need to check whether the monitored files have changed, you bring it back.
Next we simulate an intruder: create a file in /boot, as someone who wanted to damage /boot would.
Under normal circumstances we would not notice this, but /boot is very important, so monitoring must be used to see it.
Then we only need to run the command aide --check to scan, and we can see that something in /boot has changed.
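The init/check cycle described above is what a file integrity checker does underneath. The script below is an added example written from scratch for this page, not aide's code: it records a SHA-256 digest per file as a baseline (the aide --init step), rescans, and reports files that were added, removed or changed (the aide --check step), then replays the walkthrough's scenario of a file dropped into /boot on a throwaway directory. Function names are hypothetical, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example: a minimal baseline/check cycle in the style of `aide --init`
# and `aide --check`, written in portable shell. Not aide's own code.

# hash_file PATH -> hex SHA-256 of the file (coreutils sha256sum, or shasum as fallback).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# integrity_init DIR DBFILE -> write the baseline, one "<digest>  <path>" per line (like aide --init).
# Paths are relative to DIR; this simple format assumes no spaces in file names.
integrity_init() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
      printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done ) > "$2"
}

# integrity_check DIR DBFILE -> rescan DIR, print one "added:/removed:/changed: <path>" line per
# difference from the baseline, and return non-zero if anything differs (like aide --check).
integrity_check() {
  cur=$(mktemp)
  integrity_init "$1" "$cur"
  report=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }        # first file: the baseline
    !($2 in base)       { print "added: " $2; next }   # second file: the current scan
    base[$2] != $1      { print "changed: " $2 }
                        { delete base[$2] }            # whatever is left was removed
    END { for (f in base) print "removed: " f }' "$2" "$cur")
  rm -f "$cur"
  [ -n "$report" ] && printf '%s\n' "$report"
  [ -z "$report" ]
}

# demo -> the walkthrough's scenario on a temporary directory standing in for /boot.
demo() {
  work=$(mktemp -d)
  mkdir "$work/boot"
  printf 'kernel image\n' > "$work/boot/vmlinuz"         # constructed stand-in files
  printf 'initial ramdisk\n' > "$work/boot/initrd.img"
  integrity_init "$work/boot" "$work/aide.db"            # baseline, as aide --init would

  printf 'dropped file\n' > "$work/boot/unexpected"      # the file the post's intruder created
  printf 'modified image\n' > "$work/boot/vmlinuz"       # plus an altered existing file
  integrity_check "$work/boot" "$work/aide.db" \
    || echo "integrity check FAILED: boot directory differs from baseline"
  rm -rf "$work"
}

demo
```

Two points carry over to the real tool. First, the baseline is only trustworthy if it is kept where the machine being checked cannot alter it, which is why the walkthrough copies aide.db.new.gz onto a USB stick; the check is worthless if an intruder can rewrite the database along with the files. Second, with the stock configuration aide --init writes to the database_out path (aide.db.new.gz) while aide --check reads the database path (aide.db.gz), so the new file has to be moved into place under that name before the first check.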
- Do SELinux experiments
/etc/sysconfig/selinux
/etc/selinux/config
Enforcing: mandatory
Permissive: warning only; used to judge whether a problem lies with the service itself or with SELinux (this is the system's default SELinux mode)
Disabled: turned off
getenforce: view the current SELinux status
setenforce 0: set the level to permissive
setenforce 1: set the level to enforcing
policycoreutils-gui: installation package
system-config-selinux: graphical SELinux setup
Go into /etc/sysconfig/selinux and you can change the SELinux setting.
Then the command getenforce shows the current level; the change made in the file above cannot be seen until the system has been restarted.
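getenforce shows the mode that is running now, while /etc/selinux/config holds the mode that will apply after the next boot; the two drift apart after setenforce or after editing the file without rebooting. The script below is an added example, not from the original post: it parses a constructed copy of the config file embedded in the script (an assumption, not a real host's file), compares the configured mode with the running one, and explains the kind of mismatch. When getenforce is not installed it falls back to a constructed sample value. Function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the SELinux mode configured for the next boot with the
# mode currently running, to spot setenforce overrides or unrebooted edits.

# Constructed /etc/selinux/config content (assumption, not copied from a real host).
SELINUX_CONFIG_SAMPLE='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed getenforce output, used only when the real command is absent (assumption).
RUNTIME_SAMPLE='Permissive'

# configured_mode CONFIG_TEXT -> value of the SELINUX= key, lower-cased; "unknown" if absent.
# Commented-out lines such as "#SELINUX=disabled" are ignored; the last active assignment wins.
configured_mode() {
  printf '%s\n' "$1" | awk -F= '
    /^[ \t]*#/ { next }
    $1 ~ /^[ \t]*SELINUX[ \t]*$/ { v = tolower($2); gsub(/[ \t]/, "", v); mode = v }
    END { print (mode == "" ? "unknown" : mode) }'
}

# running_mode -> getenforce output when available, otherwise the constructed sample.
running_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce
  else
    printf '%s\n' "$RUNTIME_SAMPLE"
  fi
}

# selinux_drift CONFIGURED RUNNING -> "none" when they agree, otherwise a one-line explanation.
selinux_drift() {
  cfg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$cfg" = "$run" ]; then
    echo none
  elif [ "$cfg" = disabled ] || [ "$run" = disabled ]; then
    # disabled cannot be entered or left with setenforce; only a reboot applies it
    echo "reboot pending: config=$cfg running=$run"
  else
    # enforcing <-> permissive differs only at runtime: setenforce changed it, or the
    # file was edited and the machine has not been rebooted yet
    echo "runtime override: config=$cfg running=$run"
  fi
}

selinux_drift "$(configured_mode "$SELINUX_CONFIG_SAMPLE")" "$(running_mode)"
```

Run against a real host with `configured_mode "$(cat /etc/selinux/config)"` in place of the sample. A "runtime override" result on a machine that is supposed to be enforcing is what someone who ran setenforce 0 to debug a service and forgot to switch it back looks like.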
Next is the application of SELinux, which shows the difference between the permissive and enforcing states.
When SELinux is in the enforcing state, access the host remotely over FTP and log in as one of its normal users: that user cannot see the files in their home directory.
Then change SELinux to permissive
and check again.
It can be seen that when SELinux is enforcing, even if the login is successful, the files cannot be viewed.
When SELinux is permissive, the login is successful and the files can be seen.
So how do you make the files viewable after a successful login while SELinux stays in enforcing? This requires the boolean switch, which will be dealt with in the experiment report on context values and boolean switches.
Simple application of monitoring and SELinux