The following is a summary of some personal experiences. I believe it will be useful for whether UNIX or UNIX-clone freebsd, openbsd, netbsd, linux, etc. are invaded:
First of all, you can use the following System commands and configuration files to track the source path of the intruder:
1.who------(see who is logged in to the system)
2.w --------(Check who is logged in to the system and what they are doing)
3.last-----(Display the users and TTYS who have been logged in to the system)
4.lastcomm-(Display the commands that the system was running in the past)
5.netstat--(You can view the current network status, such as the IP of the user who telnetted to your machine Address, and some other network status.)
6. View router information.
7./var/log/messages View the login status of external users
8. Use finger to view all login users.
9. View the login history files (.history.rchist, etc) under /home/username in the user directory. Post-notes:'who','w','last', and'lastcomm' 'These commands rely on /var/log/pacct, /var/log/wtmp, /etc/utmp to report information to you. Many savvy system administrators will shield these log information from intruders (/var/log/*,/var/log/wtmp, etc. It is recommended that you install tcp_wrapper to illegally log in to all connections to your machine)
Next system The administrator must close all possible backdoors and must prevent intruders from accessing the internal network from the outside. If the intruder finds that the system administrator finds that he has entered the system, he may try to conceal his traces through rm -rf /*.
Third, we must protect the following system commands and system configuration files In order to prevent intruders from replacing to obtain the right to modify the system.
2. /usr/etc/in.* files (for example: in.telnetd)
3.inetd Super daemon (monitoring port, waiting for request, deriving corresponding server process) wake up service. (The following server processes are usually started by inetd:
rlogind(klogin,eklogin,etc),rshd,talkd,telnetd(23),tftpd. inetd can also start other internal services, as defined in
/etc/ inetd.conf Service.
4. Very ROOT users are not allowed to use netstat, ps, ifconfig, su
Fourth, system administrators should regularly observe system changes (such as files, System time, etc.)
1. #ls -lac to view the real modification time of the file.
2. #cmp file1 file2 to compare the file size changes.
Fifth, we must prevent illegal users from using the suid (set-user-id) program to obtain ROOT permissions.
1. First, we must discover all SUID programs in the system. < br/>
#find / -type f -perm -4000 -ls
2. Then we have to analyze the entire system to ensure that the system has no backdoor.
6. The system administrator should regularly check the user's .rhosts and .forward files
1.#find / -name .rhosts -ls -o -name .forward -ls
to check whether the .rhosts file contains'++', if there is, the user can modify this file remotely without any password.
2.#find / -ctime -2 -ctime +1- ls
To check some files that have been modified within two days to determine whether illegal users have broken into the system.
Seventh, make sure that your system has the latest The sendmail daemon, because the old sendmail daemon allows other UNIX machines to remotely run some illegal commands.
Eighth, the system administrator should obtain security patches from your machine and the operating system manufacturer. If it is free software (such as Linux platform, I suggest you can go to li nux.box.sk to get the best safety procedures and safety information. )
Ninth, there are some checking methods below to monitor whether the machine is vulnerable to attack.
1.#rpcinfo -p to check if your machine is running some unnecessary processes.
2.#vi /etc/hosts.equiv file to check your untrustworthy host, remove it.
3. If tftpd in /etc/inetd.conf is not blocked, please add tftp dgram udp wait nobody /usr/etc/in.tftpd to your /etc/inetd.conf.
in.tftpd -s /tftpboot
4. It is recommended that you back up the /etc/rc.conf file and write a shell script to compare cmp rc.conf backup.rc.conf regularly
5. Check your inetd.conf and /etc/services files to ensure that no illegal users have added some services.
6. Back up the log files under /var/log/* of your system to a safe place to prevent intruders #rm /var/log/*
7. Make sure that the configuration of the anonymous FTP server is correct. My machine uses proftpd, and it must be configured correctly in proftpd.conf.
8. Back up /etc/passwd, and then change the root password. Make sure that this file cannot be accessed by intruders to prevent it from guessing.
9. If you are not able to prevent the illegal entry of intruders, you can install the ident daemon and TCPD daemon to discover the account used by the intruder!
10. Make sure your console terminal is safe to prevent illegal users from being able to remotely log in to your network.
11. Check that hosts.equiv, .rhosts, hosts, and lpd have the comment mark #. If an intruder replaces # with its host name, it means that he does not need any password. Be able to access your machine.
This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com/：http://www.internetweblist.com/Operating_system/31342.html