How to prevent mining
Preventing hackers from mining with your machine is just like preventing malware. Don't visit dubious websites, don't download dubious software, don't plug in USB flash drives you picked up, install anti-virus software (Windows Defender on Windows is very good, but it is too strict), scan for viruses regularly, and check for abnormal processes and files regularly. If a program triggers a UAC prompt and you don't understand why, choose No, and don't believe claims that "the anti-virus software is giving a false positive". If possible, it is best to use an isolated machine, a shadow system, or simply create a virtual machine with Windows Hyper-V for daily work.
For Android phones, phones before Android 6 are unlikely targets, since mobile mining also needs decent hardware. Since Android 6, phones manage the permissions of each application. As long as you don't root the phone blindly, don't install applications of unknown origin, download apps from the official store where possible, and revoke unnecessary permissions (you can also use "Refrigerator" and "Black Domain" to stop other apps from running in the background), you should be fine.
For iPhones, Windows phones and phones with other operating systems, I think that as long as we don't jailbreak blindly and keep the system on the latest version, we can prevent the misbehaviour of most apps.
A new customer recently consulted Sine Security, saying that his server often lags, the website fails to open, and remote connections to the server are extremely slow; sometimes the ping value reaches 300-500 and the connection often drops. After listening to the customer's description,
we would generally judge that he was under a mixed CC + DDoS traffic attack. Strangely, the data center reported no traffic attack. It was not a traffic attack, yet it still caused the server to lag and the website to fail to open. What kind of attack is this? To solve the
customer's server lag, we immediately arranged a security engineer to carry out security detection and deployment on his Linux server.
The mining Trojan is also designed so that if the customer forcibly stops the mining process, it automatically restarts to continue mining, achieving uninterrupted mining.
Careful inspection showed that it works by setting an hourly scheduled task that remotely downloads the shell mining Trojan and executes it, checking whether the mining process currently exists; if not, it starts the Trojan to mine.
A detailed security inspection was carried out on the client's Linux server. Fortunately, no server data had been encrypted; the server had only been infected with the worm
virus. If the data had been encrypted, the loss would have been great. The client was a platform, and its data was very important. After finding the mining Trojan,
the customer needed to know how the server was attacked and how the Trojan was uploaded, so that the attack can be prevented
in the future.
Through the security detection and analysis of our security engineers, we found that the server used an Apache Tomcat environment, the platform's architecture was JSP + Oracle database, and the Apache Tomcat was a 2016 version, which has a serious remote command execution vulnerability. Through this vulnerability, the intruder could directly break into the server and obtain administrator permission on it.
Sine Security engineers immediately patched the Apache vulnerability and cleaned out the Trojan. So far the problem has been solved; the client's server
runs stably and the website opens normally.
Open the website, enter your mobile phone number, select how much CPU you want to use for mining (the default is 50% of the CPU), click to generate your exclusive command, then
paste the command into the console and click Run.
It is that simple an operation.
Only some users can sudo.
1. The server's outbound bandwidth will run high, which is a characteristic of poisoning
Because a poisoned server is used by others, it is commonly used as a zombie to attack other hosts; the other common use is to steal your data. Therefore, we need to pay attention to the server's bandwidth. If the bandwidth is very high, something is wrong, and we need to check in time.
2. There will be redundant unknown users in the system
Poisoning or intrusion will leave unknown users or unexplained login records in the system, so an inspection of this aspect can also reveal abnormalities.
3. Whether unknown services are started and whether there are unknown tasks in cron
Because the malware needs to survive a reboot, it usually starts together with the system. Check whether the services or files started at boot are abnormal; they will show up in /etc/rc.local and in the output of crontab -l. The three points above are the most common features; there are also less obvious features that need attention.
In addition, it seems that RHEL's single-user login can also require a password (that is, no matter how you log in, you have to enter the password), but how to set it is not clear. However, it seems that this does not hold up, because the command line at startup can add parameters to bypass the login system.
The best way is to encrypt the logical volume. But then the other problem is that booting the system without a password is itself a problem...
This is an advanced feature. Please search online resources or contact Red Hat and pay for it...
Another way I can think of is to set it so that root can't log in... But grub can also bypass the login system.
Security protection methods should be combined...
It is suggested to search for relevant information. There is still a way to crack root login in this startup mode.
It seems that adding a password is the easiest way. You can't set grub without a password. This prevents bypassing root authentication. But this method can't prevent booting from a CD.
Directory:
1. BIOS
2. SSH security
3. Disable telnet
4. Disable code compilation
5. Proftpd
6. TCP wrappers
7. Create an su group
8. Root notification
9. History security
10. Welcome message
11. Disable all special accounts
12. chmod dangerous files
13. Specify TTY devices that allow root login
14. Select a security device
15. Check rootkit
16. Install patches
17. Hide Apache information
18. Hide PHP information
19. Close unused services
20. Detect listening ports
21. Close open ports and services
22. Delete unused RPM packages
23. Disable dangerous PHP functions
24. Install and configure firewall
25. Install and configure BFD
26. Kernel hardening (sysctl.conf)
27. Change SSH port
28. /tmp, /var/tmp, /dev/shm partition security
29. PHP IDS
Summary
====================================================
Introduction
This tutorial will guide you step by step to make your Linux system safer.
No operating system is safe enough as installed by default. This article will show you how to build a relatively safe Linux system.
1. BIOS
You should always set a BIOS password and disable booting from CD-ROM and floppy disk at system startup. This prevents people from accessing your system and changing BIOS settings without permission.
2. SSH security
SSH is a protocol that can be used to log in to a remote system or execute commands on it remotely.
Root login is allowed by default, and SSHv1 is flawed. We should edit sshd_config to forbid root access and use SSHv2 to make SSH more secure.
Method:
vi /etc/ssh/sshd_config
Change the protocol to 2: Protocol 2
PermitRootLogin no
Restart sshd: /etc/rc.d/init.d/sshd restart
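A check for the two settings above, written the way sshd itself reads the file: sshd uses the first value it finds for a keyword, so a "PermitRootLogin no" appended below an earlier "yes" changes nothing. This is an added example, not part of the original tutorial; both config files are constructed inline, and on a real host you would pass /etc/ssh/sshd_config instead. (The Protocol line is historical: sshd in OpenSSH 7.4 and later has no protocol 1 support at all.)

```shell
#!/bin/sh
# Added example: audit sshd_config for Protocol 2 and PermitRootLogin no.
# "weak" shows the append-at-the-end trap: sshd keeps the FIRST value of a
# keyword, so the trailing "PermitRootLogin no" is ignored.
WORK=$(mktemp -d)
cat > "$WORK/weak" <<'EOF'
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
EOF
cat > "$WORK/hardened" <<'EOF'
Protocol 2
PermitRootLogin no
EOF

# Effective value of a keyword: first non-comment line whose keyword matches
# case-insensitively; "Keyword=value" is accepted as sshd does. Prints
# nothing when the keyword is unset (sshd then uses its built-in default).
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { gsub(/=/, " ") }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# One finding per line; no output means both settings are as this section wants.
sshd_audit() {
    proto=$(sshd_effective "$1" Protocol)
    root=$(sshd_effective "$1" PermitRootLogin)
    [ "$proto" = "2" ] || echo "Protocol is '${proto:-unset}', want 2"
    case "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" in
        no) ;;
        *) echo "PermitRootLogin is '${root:-unset}', want no" ;;
    esac
}

sshd_audit "$WORK/weak"
sshd_audit "$WORK/hardened"
```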
3. Disable telnet
In early Linux, Telnet, FTP and rlogin were all plaintext transport protocols,
which are easily sniffed. That is why we recommend using the secure versions (SFTP, SCP, rlogin). If you have to use Telnet, you should at least hide the banner information.
Method:
Modify /etc/xinetd.d/telnet
disable = yes
4. Disable code compilation
You can disable code compilation for most users and grant compilation permission to only one user group.
Method:
Add a compiler user group: /usr/sbin/groupadd compiler
cd /usr/bin
Assign the common compiler binaries to the compiler group:
chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as
Set the group of mysqlaccess:
chgrp root mysqlaccess
Set permissions:
chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess
Add users to the group:
Modify /etc/group
compiler:x:520:user1,user2
5. Proftpd
You can disable root login by modifying proftpd.conf.
Method:
Modify /etc/proftpd.conf
Add: RootLogin off
Restart proftpd: /sbin/service proftpd stop
/sbin/service proftpd start
6. TCP wrappers
Edit hosts.allow and hosts.deny to restrict or allow access to inet services.
Method:
Restrict access to inet services.
Modify /etc/hosts.allow
Suggested format:
# Approved IP addresses
ALL: 192.168.0.1
ALL: 192.168.5.2
# CSV uploader machine
proftpd: 10.0.0.5
# POP3 from anywhere
ipop3: ALL
Modify /etc/hosts.deny
ALL: ALL EXCEPT localhost
7. Create an su group
Because we have disabled root access over SSH and disabled Telnet, we should
grant some users su permission so they can obtain root privileges.
Method:
vi /etc/group
Add a line: wheel:x:10:root,user1,user2
chgrp wheel /bin/su
chmod o-rwx /bin/su
8. Root notification
Send mail when a user with root permission logs in.
Method:
Edit .bashrc under /root so that an email notification is sent whenever a user with root permission logs in (admin@example.com is a placeholder for your own address; the original command is cut off after -s):
echo "ALERT - Root shell access (server name) on: $(date) $(who)" | mail -s "Root shell access" admin@example.com