Here is some of my personal experience, which I believe is useful on UNIX or UNIX clones (FreeBSD, OpenBSD, NetBSD, Linux, etc.):
First of all, you can trace the path an intruder took through the following system commands and configuration files:
1. who ------ (shows who is logged in to the system)
2. w -------- (shows who is logged in to the system and what they are doing)
3. last ----- (shows the users and ttys that have used the system)
4. lastcomm - (shows the commands the system has run in the past)
5. netstat -- (shows the current network state, such as the IP address a user telnetted in to your machine from, and other connection state)
6. Check the router's information.
7. /var/log/messages shows the logins of external users.
8. Use finger to view all logged-in users.
9. Check the login history files under each user's home directory (/home/username: .history, .rchist, etc.). Note: the commands who, w, last and lastcomm rely on /var/log/pacct, /var/log/wtmp and /etc/utmp for the information they report. Many savvy system administrators protect these log files (/var/log/*, /var/log/wtmp, etc.) from intruders.
Next, the system administrator should close all possible back doors and make sure intruders cannot reach the internal network from outside. (For FreeBSD, see the security (1) document in the security section of the FreeBSD website, available from Green Corps.) If an intruder discovers that the system administrator has noticed his entry, he may run rm -rf /* to try to conceal his traces.
Third, we must protect the following system commands and configuration files so that intruders cannot replace or modify them:
1. /bin/login
2. The /usr/etc/in.* files (for example: in.telnetd)
3. inetd, the super daemon (it listens on ports, waits for requests, and spawns the server process that handles them). The following servers are usually started by inetd: fingerd (79), ftpd (21), rlogind (klogin, eklogin, etc.), rshd, talkd, telnetd (23), tftpd. inetd can also start other internal services; see /etc/inetd.conf.
4. Do not allow non-root users to use netstat, ps, ifconfig or su.
Fourth, the system administrator should regularly watch for changes in the system (e.g. files, system time, etc.):
1. # ls -lac to view a file's real modification time (the -c flag shows the inode change time, ctime).
2. # cmp file1 file2 to compare two files and see whether their contents have changed.
Fifth, we must prevent illegal users from using SUID (set-user-ID) programs to obtain root privileges.
1. First we have to find all the SUID programs in the system:
#find / -type f -perm -4000 -ls
2. Then we have to analyze the entire system to make sure it has no back door.
Sixth, the system administrator should check the user's .rhosts, .forward file,
1. # Find / -Name .rhosts -ls -o -name .forward -ls
To check if the.rhosts file contains ' ', and the user can modify this file remotely without any password.
2. # find / -ctime -2 -ctime 1 -ls
To see some files that can be modified within two days, it is judged whether or not there is illegal user to enter the system.
Seventh, confirm that your system has the latest sendmail daemon, because old sendmail daemons let other UNIX machines remotely run illegal commands.
Eighth, system administrators should obtain security patches from the vendor of their machine or operating system. For free software such as the Linux platform, it is recommended to go to linux.box.sk for the best security programs and security information.
Ninth, here are some inspection methods to monitor whether the machine is vulnerable to attack:
1. # rpcinfo -p to check whether your machine is running unnecessary RPC services.
2. # vi /etc/hosts.equiv to check for hosts you do not trust and remove them.
3. If tftpd in /etc/inetd.conf is not already configured this way, use the following line, which runs in.tftpd as nobody and restricts it with -s to /tftpboot:
tftp dgram udp wait nobody /usr/etc/in.tftpd in.tftpd -s /tftpboot
4. I suggest you back up the /etc/rc.conf file and write a shell script that periodically compares the two: cmp rc.conf backup.rc.conf
5. Check your /etc/inetd.conf and /etc/services files to make sure no illegal user has added services to them.
6. Back up the log files under /var/log/* to a safe place, so that an intruder's # rm /var/log/* does not destroy them.
7. Make sure the anonymous FTP server is configured correctly; my machine runs proftpd, which must be configured correctly in proftpd.conf.
8. Back up /etc/passwd, then change the root password. Make sure this file cannot be taken by an intruder, to prevent password guessing.
9. If you still cannot keep intruders out, you can install the ident daemon and the tcpd daemon to discover the accounts the intruders use.
10. Make sure your console terminal is secure, so that illegal users cannot log in to your network remotely.
11. Check that the entries in hosts.equiv, .rhosts, hosts and lpd carry the comment mark '#'; if an intruder replaces '#' with his hostname, he no longer needs any password to access your machine.
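As an added example (not part of the original article), the following POSIX shell script combines two of the checks above: the cmp-based comparison of configuration files against a backup copy (item 4, also applicable to inetd.conf, services and passwd from items 5 and 8), and a scan of hosts.equiv / .rhosts files for the '+' wildcard that grants passwordless access (sixth section and items 2 and 11). The baseline directory and file paths are assumptions; adjust them for your machine.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed layout: a copy of
# each file to watch is kept under BASELINE_DIR with the same basename.

# check_baseline BASELINE_DIR FILE...
# Compares each FILE with BASELINE_DIR/<basename> using cmp.
# Returns 0 when every file matches, 1 when any differs or has no baseline.
check_baseline() {
    base="$1"; shift
    rc=0
    for f in "$@"; do
        b="$base/$(basename "$f")"
        if [ ! -f "$b" ]; then
            echo "NO BASELINE: $f"; rc=1
        elif ! cmp -s "$f" "$b"; then
            echo "CHANGED: $f (differs from $b)"; rc=1
        fi
    done
    return $rc
}

# check_trust_file FILE
# Prints lines of a hosts.equiv/.rhosts style file whose host or user
# field is the '+' wildcard, i.e. passwordless access for any host/user.
# Lines starting with '#' are comments and skipped, which is why a '#'
# replaced by a hostname turns a harmless line into a live trust entry.
# Returns 1 when at least one wildcard entry is found, else 0.
check_trust_file() {
    f="$1"
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;        # blank or comment line
        esac
        set -- $line                    # split into host [user]
        host="$1"; user="${2:-}"
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "WILDCARD in $f: $line"; found=1
        fi
    done < "$f"
    return $found
}

# Example invocation (assumed paths):
# check_baseline /root/baseline /etc/rc.conf /etc/inetd.conf /etc/services /etc/passwd
# check_trust_file /etc/hosts.equiv
```

Run it from cron and mail yourself the output; a non-zero exit from either function means something to look at.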