Account security
Files to check
/etc/passwd
/etc/shadow
Essential commands: who, w, uptime, usermod, userdel
Intrusion investigation
Privileged accounts (UID 0; anything besides root needs an explanation): awk -F: '$3==0{print $1}' /etc/passwd
Accounts with a password set, and therefore able to log in: awk '/\$1|\$6/{print $1}' /etc/shadow
Note: this pattern only catches $1$ (MD5) and $6$ (SHA-512) hashes; on newer systems also look for $5$ (SHA-256) and $y$ (yescrypt), or simply for any second field that starts with "$".
Accounts other than root with sudo privileges (in /etc/sudoers): grep "ALL=(ALL)" /etc/sudoers
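The three account checks above, as an added example that is not part of the original page. The functions take file paths so they run either against the live /etc files or against the constructed samples embedded below (the users toor and alice, the hashes and the sudoers lines are all made up for the demonstration). The shadow check generalizes the page's pattern by matching any hash type rather than only $1$ and $6$.

```bash
#!/bin/bash
# Added example, not from the original page: audit the account files for
# UID-0 accounts, accounts that hold a usable password hash, and sudoers
# entries that grant ALL=(ALL). File paths are arguments so the same
# functions run against the live /etc files or the constructed samples below.

# Accounts whose UID is 0. Anything besides root here needs an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 {print $1}' "$1"
}

# Accounts whose shadow field holds a real hash. The checklist's pattern
# only catches $1$ (MD5) and $6$ (SHA-512); $5$ (SHA-256), $y$ (yescrypt)
# and $2b$ (bcrypt) are valid too, so match any field beginning with '$'.
# Locked ("!", "!!"), disabled ("*") and empty fields are skipped.
password_accounts() {
    awk -F: '$2 ~ /^\$/ {print $1}' "$1"
}

# sudoers entries granting ALL=(ALL) to anyone other than root,
# ignoring comments and blank lines.
sudo_all_accounts() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep 'ALL=(ALL)' | awk '$1 != "root" {print $1}'
}

# Constructed sample files (not real system data) for a stand-alone run.
# Sets SAMPLE_DIR to a temporary directory holding passwd, shadow, sudoers.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$y$j9T$saltsalt$fakehash:19000:0:99999:7:::
alice:!!:19000:0:99999:7:::
EOF
    cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# Defaults and comments are ignored by the check
Defaults    env_reset
root    ALL=(ALL)       ALL
alice   ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=(ALL)       ALL
EOF
}

# Stand-alone demo over the constructed samples.
make_samples
echo "UID 0 accounts:";       uid0_accounts "$SAMPLE_DIR/passwd"
echo "Accounts with a hash:"; password_accounts "$SAMPLE_DIR/shadow"
echo "Non-root ALL=(ALL):";   sudo_all_accounts "$SAMPLE_DIR/sudoers"
```

On a real host run the functions as root against /etc/passwd, /etc/shadow and /etc/sudoers, and also check /etc/sudoers.d/, which the page's single grep does not cover.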
Command history
Essential command: history
Intrusion investigation: cat .bash_history >> history.txt (do this for every home directory including /root; an attacker may have cleared or unset the history, so an empty or missing file is itself a signal)
Check for unusual ports
netstat -antlp (or ss -antlp on systems without net-tools)
Check for unusual processes
ps aux
Check startup items
more /etc/rc.local
/etc/rc.d/rc[0-6].d
ls -l /etc/rc.d/rc3.d/
Check scheduled tasks
Check the following locations for suspicious entries:
/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*
Check services
chkconfig (chkconfig --list shows which services start at each runlevel)
Example of how a service gets added to startup: edit /etc/rc.d/rc.local and append a line such as /etc/init.d/httpd start. Look for unexpected lines of this kind.
Use the ntsysv command to manage auto-start services
Check for unusual files
Inspect sensitive directories such as /tmp. Watch for hidden entries: any name that starts with a dot is omitted by plain ls, and attackers pick names such as "..." to blend in with "." and "..", so list with ls -la.
Check system logs
Default log location: /var/log (authentication events go to /var/log/secure on RHEL/CentOS and to /var/log/auth.log on Debian/Ubuntu; adjust the paths below accordingly)
Log analysis tips
1. Find how many IPs are brute-forcing the root account:
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
Which usernames are being tried (the text between "for" and "from"):
grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}' | sort | uniq -c | sort -nr
Note: $11 is the source IP only for existing users; "Failed password for invalid user X from IP" lines carry two extra fields, so the IP is $13 there.
2. Which IPs logged in successfully:
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
Date, username and IP of successful logins:
grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
3. Log entries for adding a user kali:
Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali
# grep "useradd" /var/log/secure
4. Log entries for deleting the user kali:
Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'
# grep "userdel" /var/log/secure
5. su switching user:
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)
sudo authorized execution (sudo -l lists what the current user is allowed to run):
sudo -l
Jul 10 00:43:09 localhost sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
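The log queries from tips 1 to 5 as functions run over a constructed sample log, an added example that is not part of the original page. The sample lines follow the /var/log/secure format shown above but are made up (the IPs 203.0.113.5 and 198.51.100.9 are documentation addresses, the users admin and kali are hypothetical). Besides the page's own $11 query it adds a field-independent variant that also counts "invalid user" lines correctly, and a username extractor equivalent to the perl one-liner.

```bash
#!/bin/bash
# Added example, not from the original page: the /var/log/secure queries
# from tips 1 to 5 as functions run over a constructed log, plus a variant
# that does not depend on a fixed awk field. The log path is an argument
# so the same functions run against the real /var/log/secure.

# Tip 1 as written: failed root logins per source IP. $11 is the IP only
# when the username exists; "invalid user X" lines shift it to $13.
failed_root_by_ip() {
    grep 'Failed password for root ' "$1" | awk '{print $11}' | sort | uniq -c | sort -nr
}

# Same count for every username, taking the token after "from" instead of
# a fixed field, so "invalid user" lines are counted correctly.
failed_by_ip() {
    grep 'Failed password' "$1" \
        | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' \
        | sort | uniq -c | sort -nr
}

# Which usernames are being guessed: the text between "for" and "from",
# with the "invalid user " prefix stripped.
failed_usernames() {
    grep 'Failed password' "$1" \
        | sed -e 's/.*Failed password for //' -e 's/^invalid user //' -e 's/ from .*//' \
        | sort | uniq -c | sort -nr
}

# Tip 2: date, user and source IP of successful logins.
accepted_logins() {
    grep 'Accepted ' "$1" | awk '{print $1, $2, $3, $9, $11}'
}

# Tips 3 to 5: account creation/deletion, password changes, su and sudo.
account_events() {
    grep -E 'useradd\[|userdel\[|passwd: |su: |sudo: ' "$1"
}

# Constructed sample log (not real data) in /var/log/secure format.
# Sets SAMPLE_LOG to its path.
make_sample_log() {
    SAMPLE_LOG=$(mktemp)
    cat > "$SAMPLE_LOG" <<'EOF'
Jul 10 00:01:01 localhost sshd[2001]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jul 10 00:01:03 localhost sshd[2002]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jul 10 00:01:05 localhost sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40126 ssh2
Jul 10 00:01:07 localhost sshd[2004]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jul 10 00:02:00 localhost sshd[2005]: Accepted password for root from 203.0.113.5 port 40130 ssh2
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali
Jul 10 00:43:09 localhost sudo: kali : TTY=pts/4 ; PWD=/home/kali ; USER=root ; COMMAND=/sbin/shutdown -r now
EOF
}

# Stand-alone demo.
make_sample_log
echo "Failed root logins by IP:"; failed_root_by_ip "$SAMPLE_LOG"
echo "All failed logins by IP:";  failed_by_ip "$SAMPLE_LOG"
echo "Usernames tried:";          failed_usernames "$SAMPLE_LOG"
echo "Accepted logins:";          accepted_logins "$SAMPLE_LOG"
echo "Account events:";           account_events "$SAMPLE_LOG"
```

The interesting pattern in the sample is the one to look for on a real host: the IP with the most failures (203.0.113.5) is also the one with an accepted login, followed by a new account and a sudo command.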