Because UNIX systems often undertake key tasks, they are often the first choice for intruders to attack. Therefore, intrusion detection and system security protection are one of the most important tasks of administrators. So, without the help of other tools, how can we determine the current security of the system? How can we discover intrusions? The following describes some common check methods.
Take Linux and Solaris as examples:
1. Check the system password file
First, check the passwd file, LS-L/etc/passwd, and check the file modification date.
Enter the command
awk –f:’$3==0 {print $1}’ /etc/passwd |
To check which privileged users are in the passwd file. All users whose uid is 0 in the system will be displayed. By the way, check whether there is a blank password account in the system:
Awk-F:
‘length($2)==0 {print $1}’ /etc/shadow |
2. Check the process to see if there are any strange processes.
Click "view process" Again: PS-AEF | grep inetd. Inetd is a UNIX system daemon, And the PID of the normal inetd is relatively high. If you see an output similar to inetd-S/tmp /. processes such as XXX focus on the content after inetd-s. Under normal circumstances, the inetd service in Linux does not have the-S parameter after it, and of course it does not use inetd to start a file. In Solaris, it is only inetd-s, it also does not use inetd to start a specific file. If you use the ps command to see that inetd started a file, and you did not use inetd to start this file, it means that someone has intruded into your system and started a simple backdoor with the root permission.
Enter PS-AEF to view the output information, especially if there are any processes starting with./xxx. Once a suspicious process is found, check the backdoor program left by the intruder and run kill-9 PID to kill the process. Then run PS-AEF to check whether the process is killed; once such a process is killed and restarted, it indicates that the system has been placed with a script to automatically start the program. At this time, you need to perform a careful search: Find/-name program name-print. if the system is really put into a backdoor by intruders, according to the directory where the found program is located, in UNIX, hidden processes are sometimes replaced by PS files. This method involves checking the integrity of the file. We will discuss this method later. Next, find the file directory on the server where the attacker is located, and track it step by step.
3. Check the system daemon process
Check the/etc/inetd. conf file and enter:
cat /etc/inetd.conf | grep –v “^#” |
The output information is the remote service enabled on your machine. Generally, intruders can directly replace in. xxx program to create a backdoor, such as replacing in with/bin/sh. telnetd, and then restart the inetd service. Then, all users who telnet to the server will directly obtain a rootshell without entering the user name and password.
4. Check the network connection and listening port
Enter netstat-An to list all the connection and listening ports on the local machine and check whether there are any illegal connections.
Enter netstat-Rn to check whether the local route and gateway settings are correct.
Enter ifconfig-a to view the NIC settings.
5. Check System Logs
Last | more: View historical records of all users logging on to the local machine under normal conditions. However, the last command depends on the syslog process, which has become an important target of intruders. Intruders usually stop the system syslog, view the system syslog process, and determine whether the last syslog start time is normal, because syslog is executed as root, if syslog activity is found illegal, it indicates a major intrusion event.
Enter
Enter
Check whether the integrity and modification time of wtmp utmp files, including messgae files, are normal. This is also a way to manually erase intrusion traces.
6. Check the core file in the system.
It is a conventional method to intrude into the system by sending malformed requests to attack a server's service. This is a typical RPC attack. This method has a certain success rate. That is to say, it cannot successfully intrude into the system by 100%. In addition, core files are usually generated in the corresponding directory of the server and the core files in the system are searched globally, enter find/-name core-exec LS-l {}/. Check the Core File Based on the directory where the core is located and whether there is any intrusion.
7. Check System File integrity
There are multiple methods to check the integrity of a file. Generally, you can enter the LS-l file name to query and compare the file. This method is simple but practical. However, if the LS files have been replaced, it is more troublesome. In Linux, you can use rpm-V 'rpm-QF filename 'to query and check whether the query result is normal to check whether the file is complete. In Linux, there are also many methods to use RPM to check the file integrity. Here we will not repeat them here. Man rpm can be used to obtain more formats.
In Unix systems,/bin/login is a file often replaced by a backdoor by intruders. Next, let's talk about the login BACKDOOR:
In UNIX, the login program is usually used to verify passwords of Telnet users. Attackers can obtain and modify the source code of login so that they can check the backdoor password before entering and storing the password. If you press the backdoor password, it will ignore the password set by the Administrator to drive you straight into: This will allow intruders to access any account, or even the root directory. Because the backdoor password is an access generated before the user logs on and is logged to utmp and wtmp, intruders can log on to the shell without exposing this account. After the Administrator notices this backdoor, use the "strings" command to search for the login program for text information.
In many cases, the backdoor password is exposed. Intruders will start to encrypt or change the hidden password to invalidate the strings command. Therefore, many administrators use MD5 checksum to detect such backdoors. The md5sum command is available in Unix systems. Enter the md5sum file name to check the MD5 Signature of the file. The format is as follows:
Md5sum-B reads files in binary mode; md5sum-C reverse checks MD5 signatures; md5sum-T reads files in text mode |
As mentioned above, the daemon configuration file for the daemon is inetd. the lines not commented out in conf must be carefully compared. For example, if you open the telnet service, the daemon configuration file contains the following:
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd |
The file used is/usr/sbin/in. telnetd checks the integrity of the file. Intruders often create a backdoor for themselves by replacing the service files allowed by the daemon.
In Linux, the/etc/crontab file is often used by intruders. to check the integrity of the file, you can directly CAT/etc/crontab, carefully read whether the file has been used by intruders to do other things.
There is a defect in using a process to start a backdoor without replacing files such as login, that is, the process is killed once the system restarts, so you have to enable this backdoor when the system starts. Check the files in/etc/rc. d to check whether the system starts with a backdoor. Here, we also mention that if an existing file with the property "-rwsr-XR-x 1 Root XXX" is issued in a directory. sh, which indicates that any user can obtain a rootshell after running this file. This is the setuid file. Run find-Perm 4000-print to perform global search for such files, and then delete such files.
8. Check for kernel-level Backdoors
If your system is installed with such a backdoor, it is usually troublesome. First, check the modules loaded by the system and use the lsmod command in Linux, run the modinfo command in the Solaris system. It should be noted that by default, Linux is usually installed with fewer modules, which is usually the driver of the NIC. There are many modules under Solaris, and there is no other way to do this, analysis is performed in one place. After the kernel is reinforced, the insertion or deletion of modules should be prohibited to protect system security. Otherwise, intruders may replace system calls again. We can replace create_module () and delete_module () to achieve the above purpose. In addition, the kernel should be reinforced as early as possible to prevent system calls from being replaced by intruders. If the system is loaded with backdoor modules, they are not displayed in the module list/proc/module. In this case, you need to carefully search for the/proc directory and identify the hidden and disguised processes based on the found files and experience. Of course, the directory may not be hidden.
Manual intrusion detection is only a cure for system security. Most of them rely on the skills and experience of administrators to enhance the security of the system. No, it is impossible to form a real security system, although it is better than not, it can detect and track some intrusion behaviors, but it is difficult to catch the trace if it encounters intruders who are also proficient in the system. To build a real security system, you must use an intrusion detection system. An excellent intrusion detection system, coupled with the skills and experience of system administrators, can form a real security system, effectively identifies and disconnects intrusions to protect hosts and data.