Previous article [Emergency Response Basics in Linux], this is a supplementary article that can be used in conjunction. Updates will be provided later.
Account Security#
Attackers in Linux generally do not add accounts, but their actions are significant.
who
w
uptime
last
Disable or delete unnecessary and suspicious accounts.
sudo usermod --expiredate 1 username # Disable login
sudo userdel -r username # Delete account
awk -F: '($3 < 1000) {print $1,$3}' /etc/passwd # Check for suspicious accounts
Command History#
history
.bash_history files in each user's home directory
Ports#
Analyze suspicious port, IP, PID, and other information.
netstat -tnlp
ss -tnlp
Processes#
ps -aux
Startup Items#
systemctl list-unit-files --type=service # Ubuntu
chkconfig --list | grep "3:Enabled\|3:On\|5:Enabled\|5:On" # CentOS
Scheduled Tasks#
crontab -l
/var/spool/cron/*
/etc/cron/*
Services#
chkconfig —list # CentOS
Logs#
Default log storage location: /var/log/*
Configuration files: /etc/rsyslog.conf, /etc/syslog.conf
Log service: service auditd status
last
lastlog
lastb
The information for each log location is as follows:
| Log Location | Description |
|---|---|
| /var/log/message | Core system log file, including system boot, system running status, and most error messages. |
| /var/log/dmesg | Core boot log, including hardware-related information during system startup. |
| /var/log/auth.log or /var/log/secure | Authentication log, records successful logins, failed login attempts, and authentication methods. |
| /var/log/spooler | Log information related to UUCP and news devices. |
| /var/log/cron | Log information for scheduled tasks. |
| /var/log/maillog | Log information for mail activities. |
| /var/log/boot | System boot log. |
| /var/log/wtmp and /var/run/utmp | Records user login time. (last) |
| /var/log/kern | Records kernel errors and warnings, used to troubleshoot faults related to customizing the kernel. |
| /var/log/btmp | Records failed login logs, it is a binary file. (lastb) |
| /var/log/cups | Log information for printing. |
| /var/log/lastlog | Records the last login time of all users in the system, it is a binary file. (lastlog) |
| /var/log/rpmpkgs | Records the list of installed RPM packages in the system. |
SSH Logs#
/var/log/auth.log # Ubuntu
/var/log/secure
View the IP addresses of successful logins.
grep "Accepted " /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more # Ubuntu
grep 'Accepted' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr # CentOS
Middleware Logs#
C:\WINDOWS\system32\LogFiles # IIS
/etc/httpd/logs/ # HTTPD
/var/log/apache2 or /usr/local/apache/logs # Apache, specific path defined in [httpd.conf](https://httpd.co)
/var/log/nginx/access.log # Nginx
localhost_access.log # Tomcat, specific path defined in conf/logging.properties
$MW_HOME\user_projects\domains\<domain_name>\servers\<server_name>\logs\access.log # WebLogic 9, $MW_HOME is the WebLogic installation directory
$MW_HOME\user_projects\domains\<domain_name>\<server_name>\access.log # WebLogic 8
Files#
Suspicious files
find / -ctime -2 # View files created within the last 72 hours
find ./ -mtime 0 -name "*.jsp" # View files modified within the last 24 hours
find / *.jsp -perm 4777 # View files with permissions set to 777
find ./ -type f -perm /u+x -mtime -10 # Find files with executable permissions modified in the last 10 days
Security Devices#
# Situational awareness # Honeypot # Firewall # IPS # IDS # WAF