What to do after a Linux server is hacked
Scenario:
On Monday morning the CentOS server's SSH was unreachable and applications such as the web server and database were not responding. Fortunately, VNC login still worked.
Querying with the last command showed that the login records before the 2nd had been cleared, that the sshd file had been modified on Saturday night, and that the server had been remotely restarted at 2 o'clock on Sunday night.
root pts/1 :1.0 Mon Jul 3 11:09 still logged in
root pts/1 :1.0 Mon Jul 3 11:08 - 11:09 (00:01)
root pts/0 :0.0 Mon Jul 3 10:54 still logged in
root tty1 :0 Mon Jul 3 10:53 still logged in
reboot system boot 2.6.32-696.3.2.e Mon Jul 3 10:46 - 11:11 (00:25)
root pts/0 :0.0 Mon Jul 3 10:42 - down (00:01)
root tty1 ;
reboot system boot 2.6.32-431.el6.x Sun Jul 2 02:27 - 02:27 (00:00)
Reading /var/log/messages with less for the time around 2 o'clock, together with the output of last, shows that iptables took effect after the 2 o'clock restart and that the log contains a large number of SSH brute-force scanning entries. Since the machine is a test environment with Oracle and Squid installed, iptables had been temporarily disabled; after the restart iptables starts again, so the attacker should not be able to log in any more, but some files in the system had already been modified.
Some of the information in the messages file is as follows:
Jul 2 03:11:20 oracledb rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1960" x-info=""] rsyslogd was HUPed
Jul 2 03:35:11 oracledb sshd[13864]: Did not receive identification string from 103.207.37.86
Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 186
Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 187
Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 188
Jul 2 03:35:13 oracledb sshd[13865]: Failed password for illegal user support from 103.207.37.86 port 58311 ssh2
Jul 2 03:45:05 oracledb sshd[13887]: Illegal user support from 103.79.143.234
113.108.21.16
Jul 2 05:10:37 oracledb sshd[14126]: Illegal user support from 103.79.143.234
Jul 2 05:10:37 oracledb sshd[14126]: Failed password for illegal user support from 103.79.143.234 port 57019 ssh2
Jul 2 05:10:43 oracledb sshd[14128]: Did not receive identification string from
Solution
1. Change the root user password.
2. Since the sshd file has been modified, reinstall SSH and allow access only from the specified intranet IPs.
3. Configure iptables and enable it.
Reinstall SSHD
1. Query the installed packages with rpm -qa | grep ssh. The system has openssh-clients, openssh-server, openssh and openssh-askpass installed. Delete these four packages. When deleting, CentOS reports that there are dependencies between the packages; follow the prompts and start deleting from the innermost layer of dependencies, that is, delete them in the order openssh-askpass, openssh, openssh-server, openssh-clients.
2. Installation: use yum to install them one by one, starting with yum install openssh-askpass. When installing openssh-server, the following error appears:
unpacking of archive failed on file /usr/sbin/sshd: cpio: rename
Trying to delete the file gives an "Operation not permitted" error.
Query the hidden attributes of the file:
lsattr /usr/sbin/sshd
-u---ia--e /usr/sbin/sshd
i: the file cannot be deleted, renamed or linked, and no content can be written to or appended to it. The i attribute is very useful for file system security settings.
a: append only. After this attribute is set, data can only be appended to the file and cannot be deleted; it is mostly used to protect server log files. Only root can set this attribute.
Use chattr -ia /usr/sbin/sshd to change the hidden attributes of the file; once the corresponding settings are cancelled, the file can be deleted successfully.
+: add attributes on top of the existing settings.
-: remove attributes from the existing settings.
Run yum install openssh-server again; this time it succeeds.
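The immutable/append-only attributes that blocked the reinstall above are also a useful thing to look for on every binary an intruder is likely to have touched. The script below is an added example, not part of the original article: it parses lsattr output and flags any file carrying i or a, with a constructed sample so it runs offline; the DEFAULT_PATHS list and the helper names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): list files whose hidden
# attributes contain i (immutable) or a (append-only). The article hit this on
# /usr/sbin/sshd: rpm could not replace the binary until "chattr -ia" cleared
# the attributes. Needs lsattr/chattr (e2fsprogs) and rpm for the live checks;
# the SAMPLE below is constructed for an offline demonstration.

# locked_attrs: read lsattr-style lines ("<flags> <path>") on stdin and print
# the ones whose flag string contains i or a (the e/extents flag is normal).
locked_attrs() {
  while read -r flags path; do
    [ -n "$path" ] || continue
    case "$flags" in
      *i*|*a*) printf '%s %s\n' "$flags" "$path" ;;
    esac
  done
}

# scan_paths PATH...: run lsattr on the given files and report locked ones.
# Returns 1 when at least one locked file was found, 0 otherwise.
scan_paths() {
  found=$(lsattr "$@" 2>/dev/null | locked_attrs)
  [ -n "$found" ] || return 0
  printf 'locked attributes found:\n%s\n' "$found"
  return 1
}

# verify_and_unlock PATH: verify the package that owns PATH (any output means
# a file differs from what rpm installed), then clear i and a for reinstall.
verify_and_unlock() {
  rpm -Vf "$1"
  chattr -ia "$1"
}

# Constructed sample, modelled on the article's lsattr output line.
SAMPLE='-------------e- /usr/bin/ssh
-u---ia------e- /usr/sbin/sshd
-----a-------e- /var/log/secure'

# Assumed list of binaries worth checking on a CentOS 6 host after an SSH intrusion.
DEFAULT_PATHS="/usr/sbin/sshd /usr/bin/ssh /bin/ls /bin/ps /bin/netstat /usr/bin/last"

if command -v lsattr >/dev/null 2>&1; then
  scan_paths $DEFAULT_PATHS                 # live check on this host
else
  printf '%s\n' "$SAMPLE" | locked_attrs    # offline demonstration
fi
```

On the sample it reports /usr/sbin/sshd and /var/log/secure and stays silent about /usr/bin/ssh; a locked log file is expected, a locked sshd binary is not.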
3. Configure SSH login control: set the management IPs with a blacklist and whitelist
vi /etc/ssh/sshd_config
#Modify the port number
Port 52111
#Only allow SSH2 connections
Protocol 2
#Allow root user login; the login IPs are restricted later, so it is allowed here
PermitRootLogin yes
#Empty passwords are not allowed
PermitEmptyPasswords no
#Block all SSH connection requests
vi /etc/hosts.deny
sshd: ALL
#Allow SSH connection requests only from the specified intranet networks (the trailing dot makes an entry match the whole network prefix)
vi /etc/hosts.allow
sshd: 192.168.0.
sshd: 192.168.253.
Configure the corresponding iptables settings
1. iptables rule syntax
iptables [-t table] [-A|I|D|R chain] [-i interface] [-p protocol] [-s source IP] [-d destination IP] [--dport destination port] [-j action]
What needs to be configured here is the filter table, which has three chains: INPUT, OUTPUT and FORWARD. If the host runs many local services and the rules are complicated, a more convenient method is to write the rules in a shell script and restart the ssh service after running it.
#Restrict the IPs allowed to connect to SSH
iptables -A INPUT -s 192.168.101.32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.101.35 -p tcp --dport 22 -j ACCEPT
#Allow SSH replies; 52111 is the modified SSH port
iptables -A OUTPUT -p tcp --sport 52111 -j ACCEPT
This is only a simple configuration for SSH; for iptables configuration in detail, refer to the article on iptables configuration.
After configuration, save with /etc/rc.d/init.d/iptables save, then restart the service with service iptables restart and the configuration takes effect.
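Two things a practitioner would want to check in the rules above: the INPUT accepts still name port 22 although sshd was moved to 52111, and no rule drops the remaining sources, so the accepts alone restrict nothing; on a stock CentOS 6 firewall, rules appended with -A also land behind the final REJECT and never match. The script below is an added example, not code from the article: it generates the allowlist rules for the real port, inserts them at the top of INPUT, and ends with a DROP. The port and management IPs are the article's; the function names and the dry-run switch are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): build iptables INPUT rules for
# an SSH management allowlist. Each allowed source gets an ACCEPT on the real
# SSH port, then a DROP closes the port to everyone else. Rules are inserted
# (-I with a position) so they precede any broader ACCEPT/REJECT already in
# the chain. DRY_RUN=1 (default) prints the commands instead of running them.

SSH_PORT=52111                                # Port from the article's sshd_config
ALLOWED_IPS="192.168.101.32 192.168.101.35"   # management hosts from the article

# valid_ipv4 ADDR: accept only a plain dotted quad, so a typo cannot become a
# rule that matches nothing (leaving the port open) or something unintended.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ssh_rules PORT IP...: one ACCEPT per allowed source at positions 1..n,
# then the DROP right after them. Returns 1 without emitting anything further
# if an address is malformed.
ssh_rules() {
  port=$1; shift
  pos=1
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    run iptables -I INPUT "$pos" -p tcp -s "$ip" --dport "$port" -j ACCEPT
    pos=$((pos + 1))
  done
  run iptables -I INPUT "$pos" -p tcp --dport "$port" -j DROP
}

# persist_rules: save and restart the way the article does (CentOS 6 init script).
persist_rules() {
  /etc/rc.d/init.d/iptables save && service iptables restart
}

# Dry run by default; review the output, then rerun with DRY_RUN=0 and call persist_rules.
ssh_rules "$SSH_PORT" $ALLOWED_IPS
```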