Server anti-intrusion protection

Everyone is probably familiar with the term server hacking. Some attackers break into servers to steal game builds and sell them to others; some steal game data to extort the server's operators; the destructive ones delete server data outright or even format the disks. All of these intrusions serve the attacker's own interests, and they bring serious risk and harm to users' property and privacy. Server anti-intrusion protection is therefore something every user must put in place in advance. This is how Little Ant Jun handles anti-intrusion:


1. When the server is delivered to the customer, the Ant Cloud team changes the user name and remote port from their defaults;

2. System optimization: some shared drives are disabled;

3. Firewall policy: Xiaoyi Jun can add a policy based on a fixed IPv4 address provided by the customer, so that only this IP can be used for remote login and all other IPs are prohibited from logging in. The actual effect is as follows:

a) First, under normal conditions, we can reach the server over remote desktop.

b) We then create a policy on the firewall that blocks the remote desktop port. At this point the port is found to be blocked, and the remote desktop session is disconnected.

c) We then create another policy (with the fixed IPv4 address) that opens the remote port for this IP only.

d) We try logging in remotely again and find that login works normally; a port ping check also shows the port is reachable.

e) Testing from a different IP, we find that no address other than the specified one can log in to the server remotely.

From this we can build a fairly strict remote desktop restriction. Since we cannot see the vulnerabilities in the customer's own program, in addition to this policy the customer should try to avoid vulnerabilities in the program itself. When both of these are achieved, it can be said that the chance of the server being hacked is almost none!

An intrusion investigation can start from the following aspects:

1. Logs: check the logs under /var/log. A large number of failed SSH logins, followed by a record of the root user logging in successfully after the repeated failures, matches the signature of brute-force cracking.

2. System analysis: check the system's key configurations, accounts, and history to confirm the impact on the system. It was found that the history in /root/.bash_history had been cleared, with no other abnormalities.

3. Process analysis: check the currently active processes, network connections, startup items, scheduled tasks, etc.

4. File system: check whether key system files have been modified, etc.

5. Backdoor check: use RKHunter to scan the system for backdoors.
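The log check in step 1 can be scripted. The block below is an added example, not part of the original post: it counts failed SSH password attempts per source address and flags any address that was accepted as root after several failures, which is the brute-force signature the step describes. The log lines are constructed sample data in OpenSSH's auth log format; on a real host, point the functions at /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS) instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: pull the brute-force signature
# from step 1 (many failed SSH logins, then a successful root login from the
# same source) out of an auth log. The log lines below are constructed sample
# data in OpenSSH format; on a real host use /var/log/auth.log or /var/log/secure.
set -u

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 28 02:11:01 srv sshd[1201]: Failed password for root from 198.51.100.23 port 51112 ssh2
Mar 28 02:11:03 srv sshd[1203]: Failed password for root from 198.51.100.23 port 51114 ssh2
Mar 28 02:11:05 srv sshd[1205]: Failed password for invalid user admin from 198.51.100.23 port 51116 ssh2
Mar 28 02:11:07 srv sshd[1207]: Failed password for root from 198.51.100.23 port 51118 ssh2
Mar 28 02:11:09 srv sshd[1209]: Failed password for root from 198.51.100.23 port 51120 ssh2
Mar 28 02:11:12 srv sshd[1211]: Accepted password for root from 198.51.100.23 port 51122 ssh2
Mar 28 03:00:00 srv sshd[1300]: Failed password for root from 203.0.113.77 port 40000 ssh2
Mar 28 03:00:02 srv sshd[1302]: Failed password for root from 203.0.113.77 port 40002 ssh2
Mar 28 08:15:00 srv sshd[1400]: Accepted publickey for deploy from 203.0.113.10 port 52000 ssh2
EOF

# Failed password attempts per source address, most active first.
# Output lines look like "5 198.51.100.23".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses that accumulated at least THRESHOLD failures and were then
# accepted as root. The log is read in order, so only failures that precede
# the successful login count, which is exactly the pattern step 1 describes.
suspicious_root_logins() {
    local log="$1" threshold="${2:-3}"
    awk -v threshold="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for root from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (fails[ip] >= threshold && !(ip in reported)) {
                print ip
                reported[ip] = 1
            }
        }' "$log"
}

echo "Failed SSH logins per source address:"
failed_by_ip "$SAMPLE_LOG"
echo "Root logins preceded by 3 or more failures from the same address:"
suspicious_root_logins "$SAMPLE_LOG" 3
```

On the sample data the second function reports only 198.51.100.23; the address with two failures and no success is noise, and the key-based deploy login is ignored because it is not root. Keep the threshold low when reviewing a real log: an attacker who already has the password needs very few attempts, so a successful root login from an address that never logged in before deserves a look even without many failures.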

Reinforcement suggestions

1. Disable unnecessary services and scheduled tasks.

2. Change all system user passwords, meeting the password complexity requirements: more than 8 characters, including a combination of uppercase and lowercase letters, numbers and special symbols.

3. If not necessary, do not open the SSH port to the external network; otherwise change the default SSH port and restrict access by IP.

Related reading on system security:

1. 14 Linux system security tips, there is always a trick!

2. Security compliance check and hardening of the Linux operating system: necessary security settings for Linux servers, it is recommended to bookmark!

3. It is necessary to understand the intrusion methods commonly used by hackers: Are there any common means of hacking into Linux systems that you don't know?

4. Understanding these common methods may still not be enough. If one day you really are attacked, what should you do? Here is a good approach: After the server is attacked, this kind of investigation and handling will not be blamed!

Advance inspection and monitoring

Advance inspection
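Reinforcement point 3 (restrict SSH access by IP) is the same policy as the remote desktop firewall procedure above: block the port, then release it for one fixed address. The block below is an added example, not code from the original post, applying that policy to a Linux host with iptables. It validates the address first and then prints a complete iptables-restore ruleset for review; nothing is applied automatically. The address 203.0.113.10, the port numbers and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: an iptables ruleset that permits
# SSH only from one fixed IPv4 address and drops everyone else, the same
# "block the port, then release it for one IP" policy as the remote desktop
# section, applied to a Linux host. 203.0.113.10 is a placeholder address.
set -u

# Reject anything that is not a dotted-quad IPv4 address, optionally with a
# /prefix, so a typo cannot produce a rule that locks everyone out or opens
# the port to the world. Returns 0 for valid input, 1 otherwise.
valid_ipv4() {
    local addr="${1%%/*}" prefix="${1#*/}"
    printf '%s\n' "$addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }' || return 1
    # a prefix, if given, must be a number from 0 to 32
    if [ "$prefix" != "$1" ]; then
        case "$prefix" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

# Emit a complete iptables-restore filter table.
#   $1 = admin IPv4 address or CIDR allowed to reach SSH
#   $2 = SSH port (default 22)
#   $3 = optional space-separated list of public TCP ports (web, game) to keep open
ssh_allowlist_rules() {
    local allowed="$1" port="${2:-22}" p
    valid_ipv4 "$allowed" || { echo "invalid IPv4 address: $allowed" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the server opened itself, plus loopback
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH only from the customer's fixed address
-A INPUT -p tcp --dport ${port} -s ${allowed} -j ACCEPT
# log (rate-limited) and drop every other SSH attempt, so the kernel log
# shows who was knocking
-A INPUT -p tcp --dport ${port} -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
-A INPUT -p tcp --dport ${port} -j DROP
EOF
    # services the server actually offers to the public stay reachable
    for p in ${3:-}; do
        printf '%s\n' "-A INPUT -p tcp --dport ${p} -j ACCEPT"
    done
    echo "COMMIT"
}

# Demo: admin at 203.0.113.10, SSH moved to port 2222, web on 80 and 443
ssh_allowlist_rules 203.0.113.10 2222 "80 443"
```

To use it, redirect the output to a file, read it through, and load it with `iptables-restore` from a console session, or from an SSH session whose own source address is the allowed one, so a mistake cannot lock you out. Then repeat the test from the firewall procedure: connect from the allowed address and from a different one, and confirm only the first succeeds. Rules loaded this way do not survive a reboot on their own; persist them with your distribution's mechanism (for example the iptables-persistent package on Debian/Ubuntu). Hosts that use nftables need the equivalent nft syntax rather than this file.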

  1. Server and website vulnerability detection: regularly scan for web vulnerabilities, weak passwords, potential malicious behavior, illegal content, etc.

  2. Regular code review, including security review and vulnerability review.

  3. Server security hardening: security baseline configuration and security baseline checks.

  4. Commands executed against the database, such as adding fields or indexes, must be tested and reviewed before they are run in the production environment.

Data backup

  1. Server data backup, including website program files, database files and configuration files, with hourly and off-site backups if resources allow.

  2. Establish a five-layer backup mechanism: regular backups, automatic synchronization, LVM snapshots, Azure backup, and S3 backup.

  3. Regularly check that backup files are usable, so that you do not discover unusable backup data only after a failure.

  4. Encrypt important data, using multiple encryption algorithms.

  5. Version control of program files, with testing, release, and rollback on failure.
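Backup point 3 is the one most often skipped: an archive that was written is not the same as an archive that restores. The block below is an added example, not code from the original post. It creates a backup of a small constructed source tree with a checksum sidecar, then verifies the backup three ways: the checksum matches, the archive lists without error, and a trial restore into a scratch directory is identical to the source. The directory names and the BACKUP_DIR destination are assumptions; in practice the destination is a separate disk or a remote host.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: make a backup archive with a
# checksum sidecar, then prove the backup is usable by verifying the checksum,
# listing the archive and doing a trial restore that is compared against the
# source. The source tree below is constructed sample data; BACKUP_DIR is an
# assumed destination (in practice a separate disk or remote host).
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/site"            # stands in for the web root / configuration directory
BACKUP_DIR="$WORK/backups"  # assumed backup destination
mkdir -p "$SRC/conf" "$BACKUP_DIR"
printf 'db_host=127.0.0.1\ndb_name=game\n' > "$SRC/conf/app.ini"
printf '<?php echo "hello"; ?>\n' > "$SRC/index.php"

# Archive SRC into DEST as <name>-<timestamp>.tar.gz with a .sha256 sidecar.
# Prints the archive path.
make_backup() {
    local src="$1" dest="$2" base archive
    base="$(basename "$src")"
    archive="$dest/$base-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$src")" "$base"
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive"
}

# Return 0 only if the archive's checksum matches its sidecar, the archive
# lists without error, and a trial restore is identical to SRC. A truncated,
# tampered or partial archive fails here rather than on the day it is needed.
verify_backup() {
    local archive="$1" src="$2" tmp ok=0
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) || return 1
    tar -tzf "$archive" > /dev/null 2>&1 || return 1
    tmp="$(mktemp -d)"
    if tar -xzf "$archive" -C "$tmp" 2>/dev/null && diff -r "$src" "$tmp/$(basename "$src")" > /dev/null; then
        ok=1
    fi
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

ARCHIVE="$(make_backup "$SRC" "$BACKUP_DIR")"
if verify_backup "$ARCHIVE" "$SRC"; then
    echo "backup OK: $ARCHIVE"
else
    echo "backup FAILED verification: $ARCHIVE"
fi
```

The comparison against the live source only makes sense right after the backup is taken; for the periodic check of older archives, run the checksum and trial-restore steps alone, and do the restore on a host other than the one being backed up so a compromised server cannot vouch for its own copies. Database dumps need the same treatment: load the dump into a scratch database and run a few queries, rather than trusting that the dump file exists.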

Security Monitoring

  1. Nagios monitors the server's general state (CPU load, memory, disk, and traffic) and raises an alarm when a threshold is exceeded.

  2. Zabbix or Cacti monitors the same general status (CPU load, memory, disk, traffic, etc.) and can display historical curves to aid troubleshooting.

  3. Monitor server SSH login records, iptables status, and process status, and raise an alarm on abnormal records.

  4. Monitor website web logs (including nginx logs, PHP logs, etc.); ELK can be used to collect and manage them, with alarms on abnormal log entries.

  5. Operations and maintenance personnel must receive alarm emails and text messages, at least for the business they are responsible for, and the operations and maintenance manager receives the alarm emails and text messages for important business (unless there is a full-time operations development role).

  6. In addition to the server's internal monitoring, it is best to use third-party monitoring to check from the outside whether the business is functioning normally (monitoring URLs, ports, etc.).


Origin blog.csdn.net/xyyaq/article/details/123812701