True unfreedom is building a cage inside your own heart.

Emergency Response on Linux (Basic Knowledge Record Supplement)

This is a supplement to the previous article [Emergency Response Basics in Linux] and is meant to be read alongside it. It will be updated over time.

Account Security#

Attackers on Linux rarely add accounts, but when they do the impact is large (an extra UID-0 or shell-capable account is persistent, privileged access), so start by checking who is logged in and who has logged in recently.

who
w
uptime
last

Disable or delete unnecessary and suspicious accounts.

sudo usermod --expiredate 1 username # Disable login (expiry date in the past)
sudo userdel -r username # Delete the account together with its home directory
awk -F: '($3 < 1000) {print $1,$3}' /etc/passwd # List system accounts (UID < 1000); a UID-0 entry other than root, or a system account with a login shell, is suspicious
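The UID filter above only lists system accounts; the things actually worth flagging are a second UID-0 account, duplicate UIDs, and a system account that has been given an interactive shell. The script below is an added example, not part of the original post: it audits any passwd-format file for those three conditions, so it can be run against /etc/passwd on a live host or against a copied root. The SAMPLE_PASSWD fixture (including the "toor" backdoor account) is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# a second UID-0 account, duplicate UIDs, and system accounts (UID < 1000)
# that have an interactive shell.
# SAMPLE_PASSWD is a constructed fixture, not a real /etc/passwd.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
toor:x:0:0:backdoor:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/bash
bob2:x:1001:1001:dup:/home/bob2:/bin/sh'

# audit_passwd FILE: print one finding per line as "CATEGORY user uid shell"
audit_passwd() {
    awk -F: '
        # first pass: remember uid and shell per user, count users per uid
        { uid[$1] = $3; shell[$1] = $7; count[$3]++; order[NR] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                u = order[i]
                if (uid[u] + 0 == 0 && u != "root")
                    print "UID0_NOT_ROOT", u, uid[u], shell[u]
                if (count[uid[u]] > 1)
                    print "DUPLICATE_UID", u, uid[u], shell[u]
                # interactive shell on a system account: sh, bash, zsh, ksh, tcsh
                if (uid[u] + 0 > 0 && uid[u] + 0 < 1000 && shell[u] ~ /\/(ba|z|k|tc)?sh$/)
                    print "SYSTEM_ACCT_WITH_SHELL", u, uid[u], shell[u]
            }
        }' "$1"
}

# run_sample: write the fixture to a temp file, audit it, clean up
run_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    audit_passwd "$tmp"
    rm -f "$tmp"
}

# On a live host: audit_passwd /etc/passwd
```

Note that root itself is reported as DUPLICATE_UID when a second UID-0 account exists; that is intended, since the finding is about the UID, and the UID0_NOT_ROOT line names the account that was added.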

Command History#

history

.bash_history files in each user's home directory

Ports#

Analyze suspicious port, IP, PID, and other information.

netstat -tnlp

ss -tnlp

Processes#

ps aux # BSD-style options take no dash; "ps -aux" is interpreted as "-a -u x" and only works because of a compatibility fallback

Startup Items#

systemctl list-unit-files --type=service --state=enabled # systemd (Ubuntu, CentOS 7 and later)

chkconfig --list | grep "3:on\|5:on" # SysV init (CentOS 6 and earlier); services enabled in runlevel 3 or 5

Scheduled Tasks#

crontab -l # Current user only; use crontab -u username -l for other users

/var/spool/cron/* # Per-user crontabs (CentOS); /var/spool/cron/crontabs/* on Ubuntu

/etc/crontab, /etc/cron.d/*, /etc/cron.hourly/*, /etc/cron.daily/*, /etc/cron.weekly/*, /etc/cron.monthly/* # System-wide entries and run-parts scripts

Services#

chkconfig --list # SysV init (CentOS 6 and earlier); on systemd hosts use systemctl list-units --type=service

Logs#

Default log storage location: /var/log/*

Configuration files: /etc/rsyslog.conf (rsyslog), /etc/syslog.conf (legacy syslogd)

Log service status: service rsyslog status; audit daemon: service auditd status

last

lastlog

lastb

The main log locations are as follows:

| Log location | Description |
| --- | --- |
| /var/log/messages | Main system log on RHEL/CentOS: boot, runtime status, and most error messages (the Debian/Ubuntu equivalent is /var/log/syslog). |
| /var/log/dmesg | Kernel ring buffer from boot, including hardware detected during startup. |
| /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS) | Authentication log: successful logins, failed attempts, and the authentication method used. |
| /var/log/spooler | UUCP and news (NNTP) messages. |
| /var/log/cron | Scheduled task (cron) execution log. |
| /var/log/maillog | Mail activity. |
| /var/log/boot.log | System boot log. |
| /var/log/wtmp and /var/run/utmp | Login records (binary); read with last and who. |
| /var/log/kern.log | Kernel errors and warnings; useful when troubleshooting a custom kernel. |
| /var/log/btmp | Failed login attempts (binary); read with lastb. |
| /var/log/cups/ | Printing (CUPS) logs. |
| /var/log/lastlog | Last login time of every user (binary); read with lastlog. |
| /var/log/rpmpkgs | List of installed RPM packages. |

SSH Logs#

/var/log/auth.log # Ubuntu

/var/log/secure # CentOS

View the source IP addresses of successful logins. Field 11 is the address only with the traditional "Mon DD HH:MM:SS host sshd[pid]:" prefix; with ISO-8601 timestamps or journalctl output the field positions shift.

grep "Accepted " /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more # Ubuntu

grep 'Accepted' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr # CentOS
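A more robust parse locates the address by the "from" keyword instead of counting fields, and also tallies failed attempts so that a brute-force that ended in a successful login stands out. The script below is an added example, not code from the original post; SAMPLE_AUTH_LOG is a constructed fixture with both the traditional and the ISO-8601 timestamp format (on the ISO line, awk '{print $11}' would return the port number, not the address), and the addresses 203.0.113.5 and 198.51.100.23 are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd Accepted/Failed
# lines by user and source IP regardless of timestamp format, then list the
# sources that failed before eventually succeeding.
# SAMPLE_AUTH_LOG is a constructed fixture, not a real auth.log.

SAMPLE_AUTH_LOG='Mar  3 10:15:02 web1 sshd[2140]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2: RSA SHA256:abc
Mar  3 10:16:40 web1 sshd[2190]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 10:16:43 web1 sshd[2190]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 10:17:01 web1 sshd[2202]: Failed password for invalid user admin from 198.51.100.23 port 40031 ssh2
2024-03-03T10:20:11.482191+00:00 web1 sshd[2250]: Accepted password for root from 198.51.100.23 port 40102 ssh2
Mar  3 10:21:05 web1 sshd[2260]: Accepted password for alice from 203.0.113.5 port 51080 ssh2'

# ssh_auth_summary FILE: print "STATUS user ip count", sorted
ssh_auth_summary() {
    awk '
        /sshd\[[0-9]+\]: (Accepted|Failed password)/ {
            status = ""; user = ""; ip = ""
            # walk the tokens so the timestamp prefix length does not matter
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") status = "ACCEPTED"
                if ($i == "Failed")   status = "FAILED"
                if ($i == "for")  { user = $(i + 1); if (user == "invalid") user = $(i + 3) }
                if ($i == "from") { ip = $(i + 1) }
            }
            if (status != "" && ip != "") n[status " " user " " ip]++
        }
        END { for (k in n) print k, n[k] }' "$1" | LC_ALL=C sort
}

# failed_and_accepted FILE: sources with failed attempts that also have a success
failed_and_accepted() {
    ssh_auth_summary "$1" | awk '
        $1 == "FAILED"   { failed[$3] += $4 }
        $1 == "ACCEPTED" { ok[$3] += $4 }
        END { for (ip in failed) if (ip in ok) print ip, "failed=" failed[ip], "accepted=" ok[ip] }' \
        | LC_ALL=C sort
}

# On a live host: ssh_auth_summary /var/log/auth.log ; failed_and_accepted /var/log/secure
```

On the fixture the interesting line is 198.51.100.23: three failures (two against root, one against the nonexistent "admin") followed by a password-based root login, which is the pattern to pivot on when reading the rest of the logs.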

Middleware Logs#

C:\WINDOWS\system32\LogFiles # IIS

/etc/httpd/logs/ # HTTPD

/var/log/apache2 or /usr/local/apache/logs # Apache, exact path set by CustomLog/ErrorLog in httpd.conf

/var/log/nginx/access.log # Nginx

logs/localhost_access_log.*.txt # Tomcat, access log path and pattern set by the AccessLogValve in conf/server.xml (conf/logging.properties controls the catalina.* application logs)

$MW_HOME\user_projects\domains\<domain_name>\servers\<server_name>\logs\access.log # WebLogic 9, $MW_HOME is the WebLogic installation directory

$MW_HOME\user_projects\domains\<domain_name>\<server_name>\access.log # WebLogic 8

Files#

Suspicious files

find / -ctime -2 # Files whose inode changed within the last 48 hours (-ctime -3 for 72 hours)

find ./ -mtime 0 -name "*.jsp" # JSP files modified within the last 24 hours

find / -name "*.jsp" -perm 777 # JSP files with mode 777 (use -perm -4000 for SUID files)

find ./ -type f -perm /u+x -mtime -10 # Files with the owner execute bit set that were modified in the last 10 days

Security Devices#

Situational awareness platforms, honeypots, firewalls, IPS, IDS and WAF: pull their alerts and logs for the same time window to corroborate what the host shows.

