Previous article "Emergency Response in Linux (Basic Knowledge Record)", this is a supplementary article that can be used in conjunction with the previous one, and will be updated later.
Account Security#
Attackers on Linux generally do not add accounts, but their actions are significant.
who
w
uptime
last
Disable or delete unnecessary and suspicious accounts.
sudo usermod --expiredate 1 username #disable login
sudo userdel -r username #delete account
awk -F: '($3 < 1000) {print $1,$3}' /etc/passwd #check for suspicious accounts
Command History#
history
.bash_history file in each user's home directory
Ports#
Analyze suspicious ports, IP addresses, PIDs, and other information.
netstat -tnlp
ss -tnlp
Processes#
ps -aux
Startup Items#
systemctl list-unit-files --type=service #ubuntu
chkconfig --list | grep "3:enabled\|3:on\|5:enabled\|5:on" #centos
Scheduled Tasks#
crontab -l
/var/spool/cron/*
/etc/cron/*
Services#
chkconfig —list #contos
Logs#
Default log storage location: /var/log/*
Configuration files: /etc/rsyslog.conf, /etc/syslog.conf
Log service: service auditd status
last
lastlog
lastb
The information of each log location is as follows:
| Log Location | Description |
|---|---|
| /var/log/message | Core system log file, including system boot, system running status, and most error messages. |
| /var/log/dmesg | Core boot log, including hardware-related information during system boot. |
| /var/log/auth.log or /var/log/secure | Authentication log, records successful logins, failed login attempts, and authentication methods. |
| /var/log/spooler | Log information related to UUCP and news devices. |
| /var/log/cron | Log information for scheduled tasks. |
| /var/log/maillog | Log of email activities. |
| /var/log/boot | System boot log. |
| /var/log/wtmp and /var/run/utmp | Records user login time. (last) |
| /var/log/kern | Records kernel errors and warnings, used to troubleshoot faults related to customized kernels. |
| /var/log/btmp | Records failed login attempts, binary file. (lastb) |
| /var/log/cups | Log of printing information. |
| /var/log/lastlog | Records the last login time of all users in the system, binary file. (lastlog) |
| /var/log/rpmpkgs | Records the list of installed RPM packages in the system. |
SSH Logs#
/var/log/auth.log #ubuntu
/var/log/secure
View the IP addresses of successful logins.
grep “Accepted “ /var/log/auth.log | awk ‘{print $11}’ | sort | uniq -c | sort -nr | more #ubuntu
grep ‘Accepted’ /var/log/secure | awk ‘{print $11}’ | sort | uniq -c | sort -nr #centos
Middleware Logs#
C:\WINDOWS\system32\LogFiles #iis
/etc/httpd/logs/ #httpd
/var/log/apache2 or /usr/local/apache/logs #apache, specific path defined in [httpd.conf](https://httpd.co)nf file
/var/log/nginx/access.log #nginx
localhost_access.log #tomcat, specific path defined in conf/logging.properties file
$MW_HOME\user_projects\domains\<domain_name>\servers\<server_name>\logs\access.log #weblogic9, $MW_HOME is the weblogic installation directory
$MW_HOME\user_projects\domains\<domain_name>\<server_name>\access.log #weblogic8
Files#
Suspicious files
find / -ctime -2 #view files created within the last 72 hours
find ./ -**mtime** 0 -name “*.jsp” #view files modified within the last 24 hours
find / *.jsp -perm 4777 #view files with permissions set to 777
find ./ -type f -perm /u+x -mtime -10 #find files with executable permissions modified in the last 10 days
Security Devices#
#Situation awareness #Honeypot #Firewall #IPS #IDS #WAF