Securing Sensitive Directories: Best Practices for Monitoring and Hardening on Linux Systems

Inspect Abnormal Files in the System

Examine sensitive directories, especially world-writable scratch locations such as /tmp, /var/tmp and /dev/shm, and pay attention to hidden entries. A file or directory whose name begins with a . is omitted by a plain ls, so always list with -a.

> ls -al

Find files accessed within the last day.

> find /opt -type f -atime -1

-atime -1 means "accessed less than one day ago". Note the minus sign: because find rounds ages to whole days, -atime 1 (as often quoted) matches only files accessed between 24 and 48 hours ago, not the last day. -type f restricts the search to regular files; -iname "*" is redundant, since it matches every name. Caveat: most systems mount with relatime or noatime, so access times are often stale. -mtime (content modified) and especially -ctime (inode changed, which an attacker cannot backdate with touch) are usually the more reliable indicators.
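The sweep described above, written out as an added example rather than code from the original page: it lists dot-named entries in a directory and compares an mtime-based search with a ctime-based one, because an intruder can fake mtime with touch but not ctime. It assumes GNU find and coreutils (Linux); the scratch tree created by demo_dir is constructed for the demo and stands in for /tmp.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: sweep a scratch directory
# for dot-named (hidden) entries and for recently changed files, comparing
# mtime with ctime. Assumptions: GNU find and coreutils (Linux); the tree
# built by demo_dir is constructed here and stands in for /tmp.

# Hidden entries (names starting with ".") directly under DIR.
hidden_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null | sort
}

# Regular files under DIR modified less than DAYS days ago.
# "-mtime -N" means "less than N*24h ago"; "-mtime 1" would only match
# 24-48h ago because find rounds ages to whole days.
# mtime can be backdated from user space with touch.
recent_mtime() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Same window on ctime, the inode change time. The kernel updates ctime on
# every metadata change, including the touch used to fake mtime, and it
# cannot be set from user space, so it survives simple timestomping.
recent_ctime() {
    find "$1" -type f -ctime "-$2" 2>/dev/null | sort
}

# Build a constructed scratch tree resembling what a /tmp triage might find.
demo_dir() {
    local t
    t=$(mktemp -d)
    mkdir "$t/.cache-x"                    # hidden directory: invisible to plain ls
    printf 'payload\n' > "$t/.cache-x/run.sh"
    printf 'legit\n'   > "$t/normal.txt"
    printf 'dropped\n' > "$t/backdated"
    touch -t 200001010000 "$t/backdated"   # fake an old mtime; ctime is still "now"
    printf '%s\n' "$t"
}

main() {
    local d
    d=$(demo_dir)
    echo "== hidden entries under $d ==";               hidden_entries "$d"
    echo "== mtime within 1 day (misses backdated) =="; recent_mtime "$d" 1
    echo "== ctime within 1 day (catches it) ==";       recent_ctime "$d" 1
    rm -rf "$d"
}
main
```

Run it as root against a real directory by calling the functions directly, for example recent_ctime /tmp 1. A file that appears in the ctime listing but not in the mtime listing has had its modification time rewritten, which is itself worth investigating.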

Check Command History

If the host may have been compromised, review which commands were executed: as root, inspect /root/.bash_history and the .bash_history file in each home directory under /home. Keep in mind that bash only writes history when a shell exits, so a session that is still open or was killed leaves nothing behind, and a careful intruder clears or disables history (history -c, unset HISTFILE). Treat an empty or truncated history as suspicious rather than as evidence that nothing happened.

By default bash keeps 1000 commands (HISTSIZE=1000 in /etc/profile on many distributions) and records no timestamps. The hardening below improves this, but shell history remains a convenience feature, not a tamper-resistant audit trail; for that, rely on auditd or on logs shipped to a remote collector.

Set to Save 10,000 Commands
> sed -i 's/HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

HISTFILESIZE, the on-disk limit, defaults to the value of HISTSIZE, so the same limit applies to the history file unless it is set separately.

History Hardening

> vim /etc/profile 

# Tag every history entry with date, time, source address and user.
# who am i prints the remote host in parentheses for SSH sessions;
# the sed keeps only that part and prints nothing for a local console.
USER_IP=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
if [ -z "$USER_IP" ]; then
    USER_IP=$(hostname)
fi

export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
# Append to HISTFILE instead of overwriting it, so one session exiting
# does not wipe what other sessions wrote
shopt -s histappend
# Flush new entries to HISTFILE before each prompt rather than only at exit
export PROMPT_COMMAND="history -a"

# For the configuration to take effect in the current shell
> source /etc/profile

Two defects in the commonly copied version of this snippet are fixed here: the test [ "$USER_IP"=="" ] has no spaces around ==, so it compares a single non-empty string and is always true, and taking the last field of who -u am i returns a time rather than an empty string for console logins, so the hostname fallback was never reached.
What is PROMPT_COMMAND?

PS1 through PS4 are shell variables that control the prompt strings bash prints; PS1 is the primary interactive prompt. PROMPT_COMMAND is a related hook: bash executes its contents as a command immediately before it issues each primary prompt (PS1). Setting it to history -a therefore writes each command to the history file as soon as it has run, instead of at logout.

Check System Logs

On Linux, system logs are stored under /var/log by default, and reading them is usually the fastest way to locate and reconstruct an incident. The paths below are those of RHEL/CentOS-style systems; Debian and Ubuntu write authentication events to /var/log/auth.log instead of /var/log/secure, and on systemd hosts journalctl exposes the same data. Common log files include:

/var/log/btmp

Records failed login logs. This is a binary file and cannot be directly viewed with vi, but can be viewed with lastb.

/var/log/lastlog

Records the last successful login time for all users in the system. This is a binary file and cannot be viewed with vi, but can be viewed with lastlog.

/var/log/wtmp

Permanently records all user login and logout information, as well as system startup, reboot, and shutdown events. This is also a binary file and cannot be directly vi’ed, so use the last command to view it.

/var/run/utmp (often a symlink to /run/utmp)

Records the users currently logged in. The file changes continually as sessions open and close and holds only active sessions; it is sometimes listed as /var/log/utmp, but that path does not exist on current systems. It cannot be read with vi; use w, who, or users to query it.

/var/log/secure

Records authentication and authorization events. Any program that handles accounts and passwords logs here: SSH logins, switching users with su, sudo authorization, and even adding users and changing passwords are recorded in this file.

Top 20 Accounts by Failed Login Attempts (lastb requires root)

> lastb | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 20

Identify How Many IPs Are Brute-Forcing the Root Account

> grep "Failed password for root" /var/log/secure | grep -oE "from [0-9.]+" | awk '{print $2}' | sort | uniq -c | sort -nr | more

The address must be extracted before counting: sorting the whole lines, as the pipeline is often written, treats every line as unique because each carries its own timestamp and port, so nothing is aggregated.

View All Reboot Log Entries

> last reboot

View Last Boot Time

> uptime -s

uptime -s prints the time the system was started; plain uptime shows how long it has been running. Compare with last reboot to spot a reboot that does not appear in wtmp.

Identify the Source IPs Behind Failed Logins

> grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c|sort -nr

uniq -c only merges adjacent identical lines, so the sort before it is required; without it each address is counted once per run of consecutive attempts instead of once overall.

Identify Which IPs Successfully Logged In

> grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Dates, Usernames, and IPs of Successful Logins

> grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

These field numbers assume the traditional syslog timestamp (Mon DD HH:MM:SS, three awk fields). If rsyslog writes RFC 3339 timestamps, the date is a single field and every index shifts down by two. They also assume the "Accepted <method> for <user> from <ip>" layout; lines of the form "Failed password for invalid user <name> from <ip>" put the user name two fields later, which is why the failed-login pipelines above locate the address by the word "from" rather than by position.
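The /var/log/secure pipelines in this section, reworked as an added example (not code from the original page) so they do not depend on fixed awk field numbers: each awk program scans for the literal word "from" and takes the next token as the source address, which handles "Failed password for root from IP", "Failed password for invalid user bob from IP" and publickey logins alike. It assumes traditional syslog timestamps and OpenSSH message wording; the log lines embedded below are constructed for the demo, not taken from a real host. Point the functions at /var/log/secure, /var/log/auth.log, or the output of journalctl _COMM=sshd --no-pager on systemd hosts.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: robust versions of the
# /var/log/secure one-liners. Assumptions: traditional syslog timestamps
# ("Mar  3 10:01:02 host ...") and OpenSSH wording. The sample log below is
# constructed for the demo.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 50112 ssh2
Mar  3 10:01:05 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 50113 ssh2
Mar  3 10:01:09 web1 sshd[2204]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Mar  3 10:01:12 web1 sshd[2204]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
Mar  3 10:01:15 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 41002 ssh2
Mar  3 10:02:30 web1 sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 52200 ssh2: ED25519 SHA256:abc
Mar  3 10:05:44 web1 sshd[2220]: Accepted password for root from 203.0.113.9 port 41010 ssh2
EOF

# Print the token following the word "from" on every line matching PATTERN.
src_ips() {  # usage: src_ips PATTERN FILE
    awk -v pat="$1" '$0 ~ pat {
        for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break }
    }' "$2"
}

# Source IPs ranked by failed attempts against root. Sorting whole lines
# instead would leave every line unique (timestamp, port) and count nothing.
root_bruteforce_ips() {
    src_ips "Failed password for root from" "$1" | sort | uniq -c | sort -rn
}

# Source IPs ranked by failed attempts against any account.
# uniq -c only merges adjacent duplicates, so the sort before it is required.
failed_login_ips() {
    src_ips "Failed password for" "$1" | sort | uniq -c | sort -rn
}

# Account names ranked by failed attempts. "invalid user X" shifts the name
# two fields to the right, so the user is taken relative to the word "for".
failed_login_users() {
    awk '/Failed password for/ {
        for (i = 1; i < NF; i++) if ($i == "for") {
            u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            print u; break
        }
    }' "$1" | sort | uniq -c | sort -rn
}

# Date, time, user and source IP of every successful login (password or key).
accepted_logins() {
    awk '/Accepted/ {
        u = ""; ip = ""
        for (i = 1; i < NF; i++) {
            if ($i == "for")  u  = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print $1, $2, $3, u, ip
    }' "$1"
}

echo "== failed attempts against root, by source IP =="; root_bruteforce_ips "$SAMPLE_LOG"
echo "== failed attempts, any account, by source IP ==";  failed_login_ips "$SAMPLE_LOG"
echo "== accounts targeted ==";                           failed_login_users "$SAMPLE_LOG"
echo "== successful logins (date user ip) ==";            accepted_logins "$SAMPLE_LOG"
echo "sample log left at $SAMPLE_LOG"
```

In the constructed sample the interesting finding is the last line: 203.0.113.9 fails against admin and root and then succeeds as root a few minutes later. A brute-force source that appears in both the failed and the accepted lists is the first thing to chase.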