What to do after a Linux server is hacked

Scenario:

CentOS server SSH is unavailable at work on Monday, and applications such as web and database do not respond. Fortunately, vnc can be logged in

Use the last command to query. The login information before the 2nd has been cleared, and the sshd file was modified on Saturday night. The server was remotely restarted at 2 o'clock on Sunday night

root pts/1 :1.0 Mon Jul 3 11:09 still logged in

root pts/1 :1.0 Mon Jul 3 11:08 - 11:0 9 (00:01)

root pts/0 :0.0 Mon Jul 3 10:54 still logged in

root tty1 :0 Mon Jul 3 10:53 still logged in

reboot system boot 2.6.32-696.3.2 .e Mon Jul 3 10:46 - 11:11 (00:25)

root pts/0 :0.0 Mon Jul 3 10:42 - down (00:01)

root tty1 ;

reboot system boot 2.6.32-431.el6.x Sun Jul 2 02:27 - 02:27 (00:00)

Jul 2 03:11:20 oracledb rsyslogd: [ origin software="rsyslogd" swVersion="5.8.10

" x-pid="1960" x-info="

"] rsyslogd was HUPed

Jul 2 03:35:11 oracledb sshd[13864]: Did not receive identification string from

Use the less /var/log/messages command at 2 points combined with the last command to determine that IPATABLES takes effect after restarting at 2 points, and there are a large number of ssh Scanning information for brute force cracking. Since the machine is a test environment, ORACLE and Squid are installed on it, and iptables is temporarily managed. After restarting, iptables starts. It should not be logged in again, but some files in the system have been modified

Some of the information in the message file is as follows:

103.207.37.86

Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 186

Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 187

Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 188

Jul 2 03:35:13 oracledb sshd[13865]: Failed password for illegal user support f

103.207.37.86 port 58311 ssh2

Jul 2 03:45:05 oracledb sshd[13887]: Illegal user support from

103.79.143.234

113.108.21.16

Jul 2 05:10:37 oracledb sshd[14126]: Illegal user support from

103.79.143.234

Jul 2 05:10: 37 oracledb sshd[14126]: Failed password for illegal user support f

rom

##103.79.143.234 port 57019 ssh2

Jul 2 05:10:43 oracledb sshd[14128] : Did not receive identification string from

Solution

1. Modify the root user password

2. Since the sshd file has been modified, reinstall ssh and set only the specified content The network IP can be accessed

3. Configure iptables to enable iptables

Reinstall SSHD

1.rpm -qa | grep ssh to query installed packages

The system has installed packages:

openssh-clients, openssh-server, openssh, openssh-askpass

Delete these four packages. When deleting, centos prompts that there are dependencies between the packages. Follow the prompts from Start deleting the innermost layer of dependencies.

Just delete them in the order openssh-askpass openssh openssh-server openssh-clients.

2. Installation

Use yum to install one by one, yum install openssh-askpass **

Prompt when installing

openssh-server:

unpacking of archive failed on file /user/sbin/sshd cpio:rename

Deleting the file prompts Operation not permitted error

Query the hidden attributes of files

lsattr /usr/sbin/sshd

-u---ia--e /usr/sbin/sshd

i: The setting file cannot be deleted, renamed, or linked. At the same time Cannot write or add content. The i parameter is very helpful for the security settings of the file system.

a is append. After setting this parameter, data can only be added to the file, but cannot be deleted. It is mostly used for server log file security. Only root can set this attribute

Use chattr -ia /usr/sbin/sshdModify the hidden attributes of the file, cancel the corresponding settings and then delete it successfully

+: Add parameters based on the original parameter settings. -: Based on the original parameter settings, remove the parameters

yum install openssh-server again successfully

3. Configure ssh login control, set management IP, black and white list

vi /etc/ssh/sshd_config

#Modify the port number

Port 52111

#Only allow SSH2 connections

Protocol 2

#Allow root user login, because it will be set later Login IP, so it is allowed here

PermitRootLogin yes

#Empty passwords are not allowed

PermitEmptyPasswords no

#Block all SSH connection requests

vi /etc/hosts.deny

sshd: ALL

#Allow SSH connection requests from the specified IP within the intranet

vi /etc/hosts. allow

sshd: 192.168.0

sshd: 192.168.253.**

Configure corresponding iptables settings

1.iptables configuration rules

iptables [-t table name] [-A|I|D|R chain name] [-i network card name] [-p protocol] [-s source IP] [-d target ip] [--dport target Port number] [-j action]

What needs to be configured here is the filter table. There are three rule chains in the filter table: input, output, and forward. If there are many local services and the rules are complicated, this is a more convenient method. It is to restart the ssh service after writing the shell script

#Restrict the SSH connection IP

iptables -A INPUT -s 192.168.101.32 -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -s 192.168.101.35 -p tcp --dport 22 -j ACCEPT

#SSH support 52111 is the modified SSH port

iptables -A OUTPUT -p tcp --sport 52111 -j ACCEPT

This is just a simple configuration for SSH, specifically iptables For configuration, please refer to the article iptables configuration for details

After configuration, /etc/rc.d/init.d/iptables save is saved. Use service iptables restart to restart the service and the configuration will take effect.

The above is the detailed content of What to do after a Linux server is hacked. For more information, please follow other related articles on the PHP Chinese website!