CN109325346A - An intrusion detection method based on a Linux system - Google Patents


Info

Publication number: CN109325346A
Authority: CN (China)
Prior art keywords: user, unauthorized, abnormal, service, password
Legal status: Pending
Application number: CN201811039022.3A
Other languages: Chinese (zh)
Inventor: 左聪越
Current Assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee: Zhengzhou Yunhai Information Technology Co Ltd
Priority date: 2018-09-06
Filing date: 2018-09-06
Publication date: 2019-02-12

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an intrusion detection method based on a Linux system: checking system password security; checking for abnormal system processes; checking system services; checking the network and ports; and checking for system back doors. It makes up for the shortcomings of existing Linux security tools and methods and improves the completeness of the information-security infrastructure, raising the security level of the system and reducing the risk to the user. The method realizes intrusion detection on a Linux system and lets the user learn whether an unauthorized user has logged in and whether unauthorized processes, services and the like exist; it can automatically identify them, automatically prompt, and automatically shut down unauthorized or illegal processes and services, so that the user's Linux system is not damaged and data is not stolen.

Description

An intrusion detection method based on a Linux system
Technical field
The present invention relates to the field of system security monitoring, and in particular to an intrusion detection method based on a Linux system.
Background technique
With the arrival of the big-data era, server applications have spread into scientific research, culture, the economy, national defence and every other field, and the information security problems that come with them keep increasing. Performing intrusion detection on the operating system in advance can raise the security level of the system.
The Linux operating system is one of the common operating systems on the market today and is favoured by many users for its stability, free availability, reliability, security and openness. As Linux spreads, more and more users join its ranks, and its growth can be said to be irresistible. However, the very openness and free availability of Linux make it easy for an unauthorized user to log in while the system is in use, damage the user's Linux system or steal data. How to realize intrusion detection on a Linux system and let the user know whether an unauthorized user has logged in, so as to avoid damage to the user's Linux system or theft of data, is therefore a technical problem that urgently needs to be solved.
Summary of the invention
To overcome the deficiencies of the prior art described above, the present invention provides an intrusion detection method based on a Linux system, the method comprising:
S1: checking system password security;
S2: checking for abnormal system processes;
S3: checking system services;
S4: checking the network and ports;
S5: checking for system back doors.
Preferably, step S1 further comprises:
S11: checking whether there is an abnormal system user; when an unauthorized user has logged in to the system, issuing an unauthorized-user-login alert and obtaining the unauthorized user's login time, login duration and post-login operation log;
S12: checking the modification time of the password file to judge whether a user has been added without authorization;
if a user has been added to the system without authorization, freezing that user's account password and issuing an unauthorized-user-added alert.
Preferably, step S1 further comprises:
S13: checking whether there is a user operating beyond the scope of authority;
if a user operating beyond the scope of authority is using the system, stopping any operation of that user on the system, logging the user out and issuing an over-privileged-operation alert;
S14: checking whether there is an account with an empty password;
when the system has an account with an empty password, prompting the user to set a password within a preset time limit;
if the user does not set a password within the time limit, freezing the user until a password has been set, and then unfreezing.
Preferably, step S2 further comprises:
S21: checking whether there is an abnormal system process;
if there is an abnormal system process, terminating it;
checking the ports and files opened by the abnormal process and judging whether those ports and files have been modified or edited;
if they have been modified or edited, displaying the modified or edited ports and files and issuing a prompt;
Preferably, step S2 further comprises:
S22: checking hidden system processes;
checking whether there is an abnormal system process among the hidden processes;
if there is an abnormal system process, terminating it;
checking the ports and files opened by the abnormal process and judging whether those ports and files have been modified or edited;
if they have been modified or edited, displaying the modified or edited ports and files and issuing a prompt.
Preferably, step S3 further comprises:
S31: checking whether there is an abnormal system service;
if there is an abnormal system service, stopping it;
displaying the program and the source of the abnormal system service;
S32: checking whether the services currently enabled are necessary;
if an unnecessary service is enabled, executing the shutdown procedure to stop the unnecessary service.
Preferably, step S4 further comprises:
S41: checking the basic network-card configuration;
judging whether the basic network-card configuration matches the default basic network-card configuration and, if not, loading the default configuration to restore the current network-card configuration;
S42: checking the routing and gateway configuration;
judging whether the routing and gateway configuration matches the default routing and gateway configuration and, if not, loading the default routing and gateway configuration to restore the current one;
S43: checking all listening ports of the local machine and all client connections for illegal connections;
if there is an illegal connection, disconnecting it and issuing an illegal-connection alert.
Preferably, step S5 further comprises:
S51: checking whether there are unauthorized scheduled tasks;
if there is an unauthorized scheduled task, stopping it and issuing an unauthorized-scheduled-task alert;
S52: checking whether a kernel module is abnormal;
if a kernel module runs abnormally, issuing a kernel-module-abnormal alert;
S53: checking whether there are unauthorized self-starting services;
if there is an unauthorized self-starting service, stopping it and issuing an unauthorized-self-starting-service alert.
As can be seen from the above technical solution, the invention has the following advantages:
the invention checks system password security, checks for abnormal system processes, checks system services, checks the network and ports, and checks for system back doors. It makes up for the shortcomings of existing Linux security tools and methods and improves the completeness of the information-security infrastructure, raising the security level of the system and reducing the risk to the user. It realizes intrusion detection on a Linux system and lets the user learn whether an unauthorized user has logged in and whether unauthorized processes, services and the like exist; it can automatically identify them, automatically prompt, and automatically shut down unauthorized or illegal processes and services, so that the user's Linux system is not damaged and data is not stolen.
Detailed description of the drawings
To illustrate the technical solution of the invention more clearly, the drawings needed for the description are briefly introduced below. Clearly, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the intrusion detection method based on a Linux system.
Specific embodiment
The present invention provides an intrusion detection method based on a Linux system which, as shown in Figure 1, comprises:
S1: checking system password security;
S2: checking for abnormal system processes;
S3: checking system services;
S4: checking the network and ports;
S5: checking for system back doors.
In the present invention the checks may be executed one after another in the order above; alternatively, only one of the steps may be invoked and executed, or steps may be skipped. The specific execution order and the steps executed are not limited here.
To make the purpose, features and advantages of the invention clearer and easier to understand, the technical solution protected by the invention is described clearly and completely below with specific embodiments and drawings. Clearly, the embodiments described below are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments in this patent without creative work fall within the scope of protection of this patent.
In the embodiment provided by the invention, step S1 further comprises:
S11: checking whether there is an abnormal system user;
Specifically, the command cat /etc/passwd is used to check whether the system has abnormal system users.
When an unauthorized user has logged in to the system, an unauthorized-user-login alert is issued and the unauthorized user's login time, login duration and post-login operation log are obtained;
S12: checking the modification time of the password file to judge whether a user has been added without authorization;
Specifically, the command ls -l /etc/passwd is used to check the modification time of the passwd file and judge whether a user has been added illegally without the system owner's knowledge.
If a user has been added to the system without authorization, that user's account password is frozen and an unauthorized-user-added alert is issued.
S13: checking whether there is a user operating beyond the scope of authority;
Specifically, the command awk -F: '$3==0 {print $1}' /etc/passwd is used to check whether the system has users beyond the scope of authority, i.e. accounts whose UID is 0.
If a user operating beyond the scope of authority is using the system, any operation of that user on the system is stopped, the user is logged out and an over-privileged-operation alert is issued;
S14: checking whether there is an account with an empty password;
Specifically, the command awk -F: 'length($2)==0 {print $1}' /etc/shadow is used to check whether the system has empty-password users.
When the system has an account with an empty password, the user is prompted to set a password within a preset time limit;
if the user does not set a password within the time limit, the user is frozen until a password has been set, and then unfrozen.
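The S11 to S14 checks above as a script, added here as an illustration rather than code from the patent. The awk one-liners from the text are wrapped in functions that take the file to inspect as a parameter, and constructed copies of /etc/passwd and /etc/shadow are embedded so the script runs without root; the baseline account list and the sample account names are assumptions made for the example. Passing /etc/passwd and /etc/shadow audits the live host.

```shell
#!/bin/sh
# Account checks of steps S11-S14, written as functions over a passwd/shadow
# file so they can run on constructed samples (below) or on the real files.

# Constructed sample of /etc/passwd: "backup" is a second UID 0 account.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Constructed sample of /etc/shadow: "guest" has an empty password field.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$hashedpassword:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$salt$hashedpassword:19000:0:99999:7:::
EOF

# Constructed baseline of the accounts expected on this host (an assumption).
SAMPLE_BASELINE=$(mktemp)
printf 'root\ndaemon\nalice\n' > "$SAMPLE_BASELINE"

# S11: account names present in the passwd file but not in the baseline list.
users_not_in_baseline() {   # $1 = passwd file, $2 = baseline (one name per line)
    cut -d: -f1 "$1" | grep -vxF -f "$2" || :
}

# S12: seconds since the passwd file was last modified; a change since the
# last audit means an account was added, removed or edited.
passwd_age_seconds() {   # $1 = passwd file
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $((now - mtime))
}

# S13: the patent's awk check for UID 0, with root itself left out so only
# additional superuser accounts are reported.
extra_uid0_accounts() {   # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# S14: accounts whose shadow password field is empty (login needs no password).
empty_password_accounts() {   # $1 = shadow file
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Demo run over the constructed samples.
echo "Accounts outside baseline : $(users_not_in_baseline "$SAMPLE_PASSWD" "$SAMPLE_BASELINE")"
echo "Extra UID 0 accounts      : $(extra_uid0_accounts "$SAMPLE_PASSWD")"
echo "Empty-password accounts   : $(empty_password_accounts "$SAMPLE_SHADOW")"
echo "passwd modified (s ago)   : $(passwd_age_seconds "$SAMPLE_PASSWD")"
```

The "freeze" action of S12 and S14 corresponds to locking the account with passwd -l on most distributions; the modification-time check of S12 is only meaningful against a recorded value from the previous audit, which is why the function returns an age rather than a verdict.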
In the embodiment provided by the invention, S21: checking whether there is an abnormal system process;
Specifically, the command ps -ef is used to check the system processes, paying particular attention to whether processes with UID 0 are abnormal. The command lsof -p pid is used to check the ports and files opened by the abnormal process.
If there is an abnormal system process, it is terminated;
the ports and files opened by the abnormal process are checked and it is judged whether those ports and files have been modified or edited;
if they have been modified or edited, the modified or edited ports and files are displayed and a prompt is issued;
S22: checking hidden system processes;
Specifically, the following operations are performed on the command line to obtain the hidden processes:
ps -ef | awk '{print $2}' | sort -n | uniq > 1
ls /proc | sort -n | uniq > 2
diff 1 2
It is then checked whether there is an abnormal system process among the hidden processes;
if there is an abnormal system process, it is terminated;
the ports and files opened by the abnormal process are checked and it is judged whether those ports and files have been modified or edited;
if they have been modified or edited, the modified or edited ports and files are displayed and a prompt is issued.
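The hidden-process comparison of S22 as a script, added here as an example and not taken from the patent. It keeps only the all-digit entries of /proc (a plain ls /proc also lists cpuinfo, meminfo and the like, which would show up in every diff) and re-checks each candidate PID, because a process that starts or exits between the two listings appears in only one of them without being hidden. The two constructed PID lists are assumptions for the offline check.

```shell
#!/bin/sh
# Hidden-process check of step S22: PIDs that exist in /proc but are missing
# from the process table. Functions take PID-list files so the comparison can
# run on constructed lists as well as on a live host.

# PIDs as reported by ps (one per line).
ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort -u
}

# PIDs as seen in /proc; only all-digit entries are process directories.
proc_pids() {
    ls /proc | grep -E '^[0-9]+$' | sort -u || :
}

# PIDs in the /proc list that the ps list does not contain.
pids_missing_from_ps() {   # $1 = file of ps PIDs, $2 = file of /proc PIDs
    grep -vxF -f "$1" "$2" || :
}

# For a surviving candidate, show what it is: executable, command line, cwd.
describe_pid() {   # $1 = pid
    echo "pid $1 exe=$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')"
    echo "pid $1 cmd=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null || echo '?')"
    echo "pid $1 cwd=$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
}

# Live run: take both listings, then drop candidates that were merely transient.
live_hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    ps_pids > "$a"
    proc_pids > "$b"
    for pid in $(pids_missing_from_ps "$a" "$b"); do
        [ -d "/proc/$pid" ] || continue                    # exited after the listing
        ps -p "$pid" -o pid= >/dev/null 2>&1 && continue   # ps does see it now
        echo "$pid"
    done
    rm -f "$a" "$b"
}

# Constructed PID lists for an offline check: 4242 is in /proc but not in ps.
SAMPLE_PS=$(mktemp)
printf '1\n2\n42\n' > "$SAMPLE_PS"
SAMPLE_PROC=$(mktemp)
printf '1\n2\n42\n4242\n' > "$SAMPLE_PROC"

echo "hidden in constructed sample: $(pids_missing_from_ps "$SAMPLE_PS" "$SAMPLE_PROC")"
if [ -d /proc/self ] && command -v ps >/dev/null 2>&1; then
    echo "hidden on this host: $(live_hidden_pids)"
fi
```

A PID that survives both re-checks is worth the describe_pid output before anything is terminated; the /proc symlinks give the executable and working directory even when lsof is not installed.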
In the embodiment provided by the invention, step S3 further comprises:
S31: checking whether there is an abnormal system service;
The command systemctl list-unit-files is used to check whether there is an abnormal service among all the services of the system.
If there is an abnormal system service, it is stopped;
the program and the source of the abnormal system service are displayed;
S32: checking whether the services currently enabled are necessary;
The command systemctl list-unit-files | grep enabled is used to check whether the services enabled in the system are ones that must be enabled.
If an unnecessary service is enabled, the shutdown procedure is executed to stop the unnecessary service.
In the embodiment provided by the invention, step S4 further comprises:
S41: checking the basic network-card configuration;
The command ifconfig -a is used to check whether the basic network-card information in the system is abnormal.
It is judged whether the basic network-card configuration matches the default basic network-card configuration; if not, the default configuration is loaded to restore the current network-card configuration;
S42: checking the routing and gateway configuration;
The command netstat -rn is used to check whether the routing and gateway configuration in the system is abnormal.
It is judged whether the routing and gateway configuration matches the default routing and gateway configuration; if not, the default routing and gateway configuration is loaded to restore the current one;
S43: checking all listening ports of the local machine and all client connections for illegal connections;
The command netstat -an is used to list all listening ports of the local machine and all client connections, and it is checked whether there are illegal connections.
If there is an illegal connection, it is disconnected and an illegal-connection alert is issued.
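Steps S41 to S43 as baseline and allowlist comparisons, added here as an example and not code from the patent. The "default configuration" the text compares against is taken to be a snapshot of ip addr and ip route output saved on a known-good host, and "illegal connection" is approximated by listening ports that are absent from an allowlist. The baseline and current snapshots, the ss output and the allowed ports are all constructed for the example.

```shell
#!/bin/sh
# Network checks of steps S41-S43 as drift and allowlist comparisons.

# Constructed baseline snapshot in the shape of `ip -4 -o addr` + `ip route`.
BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
EOF

# Constructed current snapshot: the default gateway has changed.
CURRENT=$(mktemp)
cat > "$CURRENT" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
default via 10.0.0.99 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
EOF

# S41/S42: capture the live address and route configuration in the same shape
# (iproute2; ifconfig -a and netstat -rn from the text are the older tools).
capture_network_config() {
    ip -4 -o addr 2>/dev/null || :
    ip route 2>/dev/null || :
}

# Number of lines that differ between baseline and current (0 = consistent).
# The full diff output is what an operator would want in the alert itself.
network_config_drift() {   # $1 = baseline file, $2 = current file
    diff "$1" "$2" | grep -c '^[<>]' || :
}

# Constructed output in the shape of `ss -Hltn` (listening TCP sockets).
SS_OUTPUT=$(mktemp)
cat > "$SS_OUTPUT" <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128          0.0.0.0:4444      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
EOF

# Constructed allowlist of ports this host is expected to serve.
ALLOWED_PORTS=$(mktemp)
printf '22\n80\n' > "$ALLOWED_PORTS"

# S43: listening ports not on the allowlist. The port is the text after the
# last ':' of the local-address column, which also handles [::]:port.
unexpected_listeners() {   # $1 = ss -Hltn output, $2 = allowlist file
    awk '{ n = split($4, a, ":"); print a[n] }' "$1" | sort -u \
        | grep -vxF -f "$2" || :
}

echo "config lines drifted: $(network_config_drift "$BASELINE" "$CURRENT")"
echo "unexpected listeners: $(unexpected_listeners "$SS_OUTPUT" "$ALLOWED_PORTS")"
```

On a live host the same functions take capture_network_config output and ss -Hltn output; netstat -an, as used in the text, prints a different column layout, so the awk field in unexpected_listeners would need adjusting for it.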
In the embodiment provided by the invention, S51: checking whether there are unauthorized scheduled tasks;
The following operations are performed on the command line to check whether there are scheduled tasks the system owner does not know about:
crontab -u root -l
cat /etc/crontab
ls -l /etc/cron.*
If there is an unauthorized scheduled task, it is stopped and an unauthorized-scheduled-task alert is issued;
S52: checking whether a kernel module is abnormal;
The command lsmod is used to check whether the kernel has abnormal modules.
If a kernel module runs abnormally, a kernel-module-abnormal alert is issued;
S53: checking whether there are unauthorized self-starting services;
The command systemctl list-unit-files | grep enabled is used to check whether the system has unknown self-starting services.
If there is an unauthorized self-starting service, it is stopped and an unauthorized-self-starting-service alert is issued.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
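Steps S31/S32 and S51 to S53 as allowlist and baseline checks, added here as an example that is not from the patent. The enabled-unit listing, the root crontab and the lsmod output are constructed stand-ins for the output of the commands in the text, and the allowlists and baseline are assumptions; on a live host the same functions take the real command output.

```shell
#!/bin/sh
# Service and persistence checks of steps S31-S32 and S51-S53.

# Constructed output in the shape of `systemctl list-unit-files --state=enabled --no-legend`.
UNIT_FILES=$(mktemp)
cat > "$UNIT_FILES" <<'EOF'
ssh.service                enabled enabled
cron.service               enabled enabled
systemd-timesyncd.service  enabled enabled
update-helper.service      enabled enabled
EOF

# Constructed allowlist of units that are supposed to be enabled.
ALLOWED_UNITS=$(mktemp)
printf 'ssh.service\ncron.service\nsystemd-timesyncd.service\n' > "$ALLOWED_UNITS"

# S32/S53: enabled units that are not on the allowlist.
unexpected_enabled_units() {   # $1 = list-unit-files output, $2 = allowlist
    awk '$2 == "enabled" { print $1 }' "$1" | grep -vxF -f "$2" || :
}

# S31: program and source of a unit, for the alert text (live host only).
describe_unit() {   # $1 = unit name
    systemctl cat "$1" 2>/dev/null | grep -E '^(# /|ExecStart=)' || :
}

# Constructed root crontab (what `crontab -u root -l` prints).
ROOT_CRONTAB=$(mktemp)
cat > "$ROOT_CRONTAB" <<'EOF'
# m h dom mon dow   command
0 3 * * * /usr/local/bin/backup.sh
@reboot /usr/local/bin/start-agent
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
EOF

# S51: the command part of each cron line. User crontabs have five schedule
# fields (or one @-keyword); system files such as /etc/crontab and
# /etc/cron.d/* carry an extra user column, selected with $2 = system.
cron_commands() {   # $1 = crontab file, $2 = "user" (default) or "system"
    awk -v fmt="${2:-user}" '
        /^[[:space:]]*(#|$)/ { next }
        { n = ($1 ~ /^@/) ? 1 : 5
          if (fmt == "system") n++
          for (i = 1; i <= n; i++) $i = ""
          sub(/^ +/, ""); print }' "$1"
}

# Cron commands run from temporary or world-writable directories: a strong
# hint of an unauthorized job, to be confirmed by an operator.
cron_commands_from_tmp() {   # $1 = crontab file, $2 = format as above
    cron_commands "$1" "$2" | grep -E '^(/tmp|/var/tmp|/dev/shm)/' || :
}

# Constructed `lsmod` output and a baseline of the modules expected to be loaded.
LSMOD_OUTPUT=$(mktemp)
cat > "$LSMOD_OUTPUT" <<'EOF'
Module                  Size  Used by
ext4                  737280  1
nf_conntrack          139264  0
xyz_mod                16384  0
EOF
MODULE_BASELINE=$(mktemp)
printf 'ext4\nnf_conntrack\n' > "$MODULE_BASELINE"

# S52: loaded modules that are not in the baseline taken on a known-good host.
unexpected_modules() {   # $1 = lsmod output, $2 = baseline file
    awk 'NR > 1 { print $1 }' "$1" | grep -vxF -f "$2" || :
}

echo "unexpected enabled units: $(unexpected_enabled_units "$UNIT_FILES" "$ALLOWED_UNITS")"
echo "cron jobs from tmp dirs : $(cron_commands_from_tmp "$ROOT_CRONTAB")"
echo "unexpected modules      : $(unexpected_modules "$LSMOD_OUTPUT" "$MODULE_BASELINE")"
```

The allowlists and the module baseline do the work here: without a record of what a known-good host enables, "unknown self-starting service" and "abnormal module" have nothing to be compared against. Other users' crontabs and the /etc/cron.d directory are read the same way with the system format.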

Claims (8)

1. An intrusion detection method based on a Linux system, characterized in that the method comprises:
S1: checking system password security;
S2: checking for abnormal system processes;
S3: checking system services;
S4: checking the network and ports;
S5: checking for system back doors.
2. The intrusion detection method based on a Linux system according to claim 1, characterized in that
step S1 further comprises:
S11: checking whether there is an abnormal system user; when an unauthorized user has logged in to the system, issuing an unauthorized-user-login alert and obtaining the unauthorized user's login time, login duration and post-login operation log;
S12: checking the modification time of the password file to judge whether a user has been added without authorization;
if a user has been added to the system without authorization, freezing that user's account password and issuing an unauthorized-user-added alert.
3. The intrusion detection method based on a Linux system according to claim 2, characterized in that
step S1 further comprises:
S13: checking whether there is a user operating beyond the scope of authority;
if a user operating beyond the scope of authority is using the system, stopping any operation of that user on the system, logging the user out and issuing an over-privileged-operation alert;
S14: checking whether there is an account with an empty password;
when the system has an account with an empty password, prompting the user to set a password within a preset time limit;
if the user does not set a password within the time limit, freezing the user until a password has been set, and then unfreezing.
4. The intrusion detection method based on a Linux system according to claim 1, characterized in that
step S2 further comprises:
S21: checking whether there is an abnormal system process;
if there is an abnormal system process, terminating it;
checking the ports and files opened by the abnormal process and judging whether those ports and files have been modified or edited;
if they have been modified or edited, displaying the modified or edited ports and files and issuing a prompt.
5. The intrusion detection method based on a Linux system according to claim 4, characterized in that
step S2 further comprises:
S22: checking hidden system processes;
checking whether there is an abnormal system process among the hidden processes;
if there is an abnormal system process, terminating it;
checking the ports and files opened by the abnormal process and judging whether those ports and files have been modified or edited;
if they have been modified or edited, displaying the modified or edited ports and files and issuing a prompt.
6. The intrusion detection method based on a Linux system according to claim 1, characterized in that
step S3 further comprises:
S31: checking whether there is an abnormal system service;
if there is an abnormal system service, stopping it;
displaying the program and the source of the abnormal system service;
S32: checking whether the services currently enabled are necessary;
if an unnecessary service is enabled, executing the shutdown procedure to stop the unnecessary service.
7. The intrusion detection method based on a Linux system according to claim 1, characterized in that
step S4 further comprises:
S41: checking the basic network-card configuration;
judging whether the basic network-card configuration matches the default basic network-card configuration and, if not, loading the default configuration to restore the current network-card configuration;
S42: checking the routing and gateway configuration;
judging whether the routing and gateway configuration matches the default routing and gateway configuration and, if not, loading the default routing and gateway configuration to restore the current one;
S43: checking all listening ports of the local machine and all client connections for illegal connections;
if there is an illegal connection, disconnecting it and issuing an illegal-connection alert.
8. The intrusion detection method based on a Linux system according to claim 1, characterized in that
step S5 further comprises:
S51: checking whether there are unauthorized scheduled tasks;
if there is an unauthorized scheduled task, stopping it and issuing an unauthorized-scheduled-task alert;
S52: checking whether a kernel module is abnormal;
if a kernel module runs abnormally, issuing a kernel-module-abnormal alert;
S53: checking whether there are unauthorized self-starting services;
if there is an unauthorized self-starting service, stopping it and issuing an unauthorized-self-starting-service alert.
CN201811039022.3A 2018-09-06 2018-09-06 A kind of intrusion detection method based on linux system Pending CN109325346A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811039022.3A CN109325346A (en) 2018-09-06 2018-09-06 A kind of intrusion detection method based on linux system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811039022.3A CN109325346A (en) 2018-09-06 2018-09-06 A kind of intrusion detection method based on linux system

Publications (1)

Publication Number Publication Date
CN109325346A true CN109325346A (en) 2019-02-12

Family

ID=65264800

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811039022.3A Pending CN109325346A (en) 2018-09-06 2018-09-06 A kind of intrusion detection method based on linux system

Country Status (1)

Country Link
CN (1) CN109325346A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110619209A (en) * 2019-08-27 2019-12-27 苏州浪潮智能科技有限公司 Method and system for analyzing and judging web intrusion event
CN115051905A (en) * 2022-07-19 2022-09-13 广东泓胜科技股份有限公司 Port security monitoring and analyzing method, device and related equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103246849A (en) * 2013-05-30 2013-08-14 浪潮集团有限公司 Safe running method based on ROST under Windows
CN106228078A (en) * 2016-07-29 2016-12-14 浪潮电子信息产业股份有限公司 Safe operation method based on enhanced ROST under Linux


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
散尽浮华: "LInux系统木马植入排查分析及应用漏洞修复配置(隐藏bannner版本等)", <HTTPS://WWW.CNBLOGS.COM/KEVINGRACE/P/5895116.HTML> *


Similar Documents

Publication Publication Date Title
CN107493265B (en) A kind of network security monitoring method towards industrial control system
US7464158B2 (en) Secure initialization of intrusion detection system
CN103391216B (en) A kind of illegal external connection is reported to the police and blocking-up method
US10719604B2 (en) Baseboard management controller to perform security action based on digital signature comparison in response to trigger
CN108632276B (en) Computer network information safety system
CN103294950B (en) A kind of high-power secret information stealing malicious code detecting method based on backward tracing and system
CN108931968B (en) Network security protection system applied to industrial control system and protection method thereof
CN111683157B (en) Network security protection method for Internet of things equipment
US20080276295A1 (en) Network security scanner for enterprise protection
CN104753936A (en) Opc security gateway system
WO2023098406A1 (en) Access control method and apparatus for usb device, and electronic device
WO2023098407A1 (en) Communication control method and apparatus for usb device and protected device, and electronic device
CN112231781A (en) Anti-theft method for edge computing server and server
CN102184371B (en) Detecting method and system for database operation authority of SQL (Structured Query Language)
CN109325346A (en) A kind of intrusion detection method based on linux system
CN111404948A (en) Security system and method based on computer network monitoring
CN115314286A (en) Safety guarantee system
CN112615842A (en) Network security implementation system and method based on big data platform
US8954624B2 (en) Method and system for securing input from an external device to a host
CN106295323A (en) Senior measuring system malware detection method based on cloud security
CN116591916B (en) Wind driven generator updating monitoring visualization system and method
CN117851154A (en) Computer host operation abnormality screening system based on data analysis
CN109413111B (en) Security access system and method based on intelligent data center
CN111259405A (en) Computer safety coefficient based on artificial intelligence
JP2002236619A (en) Security processor and its tampering resistance method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20190212