【Linux 入侵检测】

检查linux系统是否被入侵或者中毒的步骤?

一、检查操作系统

(1)检查带宽,查看网卡流量

(2)检查系统登录登出日志,安全日志,和/etc/passwd是否被修改过

(3)查看系统是否存在异常进程:

       pwdx -- 查看进程的路径;

       lsof  --  查看系统打开的库文件

       百度异常进程的名字

(4)查看开机启动服务和定时任务: /etc/rc.local 和 crontab –l

(5)分析系统日志

二、检查应用是否存在漏洞,检查应用的版本信息(日志和进程)

三、常用的入侵检测工具

PSAD 、SNORT

chkrootit、rootkithunter、Tripwire、

四、入侵分析网页

http://www.chinaunix.net/old_jh/4/480362.html

五、附带系统初始化、安全部署脚本

----------------------------------------------------------------------------------------------------------------------------------

cat << EOF
+--------------------------------------------------------------+
| === Welcome to SuSE11_SP1_x64 System init === |
+----------------------Author:Tango --------------------------+
EOF
echo "alias vi=‘vim‘" >> /root/.bashrc
echo ‘syntax on‘ > /root/.vimrc
echo "* soft nofile 52100
* hard nofile 52100" >> /etc/security/limits.conf
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Tunoff services === |
+--------------------------------------------------------------+
EOF
for i in `ls /etc/rc.d/rc3.d/S*`
do
CURSRV=`echo $i|cut -c 20-`
echo $CURSRV
case $CURSRV in
cron |  rpcbind | irq_balancer | dbus | haldaemon | microcode.ctl | network | network-remotefs | sshd | syslog )
echo "Base services, Skip!"
;;
*)
echo "change $CURSRV to off"
chkconfig --level 235 $CURSRV off
service $CURSRV stop
;;
esac
done
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Tuning sysctl.conf === |
+--------------------------------------------------------------+
EOF
> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 134217728
net.ipv4.ip_local_port_range = 1024 65536
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_fin_timeout = 3
net.ipv4.tcp_tw_recycle = 1
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save = 1
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
vm.swappiness = 6" >> /etc/sysctl.conf
echo "optimizited kernel configure was done!"
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Account Lock === |
+--------------------------------------------------------------+
EOF
passwd -l lp
passwd -l nobody
passwd -l ftp
passwd -l postfix
passwd -l at
passwd -l games
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Lock Important Files === |
+--------------------------------------------------------------+
EOF
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +a /root/.bash_history
chattr +i /root/.bash_history
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Modify SSH Config === |
+--------------------------------------------------------------+
EOF
echo ""

----------------------------------------------------------------------------------------------------------------------------------

 

 

【Linux 入侵检测】,古老的榕树,5-wow.com

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。