As network attacks grow more and more intense, defending virtual machines matters more than ever, so choosing a Huawei virtual machine with strong built-in protection pays off. But what should you do when your virtual machine is actually attacked? Today Micronet walks you through the checks to run, so that an attacked virtual machine does not catch you unprepared.
1. Log in and check for abnormal users
Log in as root and run the "w" command to list every user currently logged in to the system. Review that output for unknown or unexpected accounts, and judge whether a login is illegitimate from the user name, the source address of the login and the process it is running.
2. Lock abnormal or unfamiliar users
When an abnormal or unfamiliar user is found, lock it immediately. For example, if the "w" output shows a session for the nobody user, that is abnormal (nobody has no login permission by default), so lock the account first:
[root@server ~]# passwd -l nobody
Locking the account does not end a session that is already open. To expel the user completely, the session must be terminated forcibly. The TTY shown by "w" (pts/3 here) identifies the session, and ps reveals the PID of the sshd process bound to it:
[root@server ~]# ps -ef | grep @pts/3
531 6051 6049 0 19:23 ? 00:00:00 sshd: nobody@pts/3
[root@server ~]# kill -9 6051
This kicks the abnormal user nobody off the system, and with the account locked, any further attempt to log in with it will fail.
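The session triage of steps 1 and 2 in code, as an added example that is not part of the original article: it parses constructed "w" and "ps -ef" output, flags sessions whose user or source address is unexpected, and finds the sshd PID that the kill command targets. The allowlisted user set and network ranges are assumptions for the sample.

```python
import ipaddress
import re

# Constructed sample output of "w" and "ps -ef" (not captured from a real host).
W_SAMPLE = """\
 19:25:10 up 10 days,  3:01,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.0.2.10       19:20    1.00s  0.05s  0.01s w
nobody   pts/3    198.51.100.7     19:23    0.00s  0.02s  0.00s -bash
"""
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      1022     1  0 Mar01 ?        00:00:00 /usr/sbin/sshd -D
root      6049  1022  0 19:23 ?        00:00:00 sshd: nobody [priv]
nobody    6051  6049  0 19:23 ?        00:00:00 sshd: nobody@pts/3
"""

def parse_w(text):
    """One dict per session from "w" output; FROM is blank for local console logins."""
    sessions = []
    for line in text.splitlines()[2:]:            # skip the uptime line and the column header
        f = line.split()
        if len(f) == 7:                           # no FROM column: local login
            f.insert(2, "")
        if len(f) < 8:
            continue
        sessions.append({"user": f[0], "tty": f[1], "from": f[2],
                         "login": f[3], "what": " ".join(f[7:])})
    return sessions

def suspicious_sessions(sessions, allowed_users, allowed_nets):
    """Flag a session if its user is unexpected or its source is outside the known networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    flagged = []
    for s in sessions:
        try:
            src_ok = any(ipaddress.ip_address(s["from"]) in n for n in nets)
        except ValueError:                        # hostname, ":0" or blank: cannot be verified
            src_ok = False
        if s["user"] not in allowed_users or not src_ok:
            flagged.append(s)
    return flagged

def session_pid(ps_text, user, tty):
    """PID of the sshd process serving user@tty, the target of the article's kill command."""
    wanted = re.compile(r"^sshd: %s@%s$" % (re.escape(user), re.escape(tty)))
    for line in ps_text.splitlines()[1:]:
        f = line.split(None, 7)                   # CMD may contain spaces: keep it whole
        if len(f) == 8 and wanted.match(f[7]):
            return int(f[1])
    return None
```

Note that passwd -l disables only password authentication; a session opened with an SSH key is unaffected by it, which is why the session process itself must be terminated as the article shows.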
3. Query user login events with the last command
The last command reads the record of every user login to the system and can be searched for logins by unauthorized users. Its output comes from the /var/log/wtmp file. Experienced attackers delete /var/log/wtmp to cover their tracks, but doing so leaves a track of its own: a missing or truncated wtmp file is itself a sign that something happened.
4. Query system event records
When searching for the source of an attack, querying the event logs is the best method. Logs worth searching include /var/log/messages and /var/log/secure; these two system log files record the running state of system software and remote user logins. Also check the .bash_history file in each user's home directory; in particular, the .bash_history file under /root records the command history of the root user.
5. Find and terminate abnormal processes
Many commands can show abnormal processes, such as ps and top, but sometimes you only know the name of a process, not the path of its executable. First look up the PID with the pidof command, then go into the /proc directory and read the exe link under the directory named after that PID; this reveals the executable actually behind the process. If you also want to see which files the process holds open, list its fd directory:
[root@server ~]# ls -al /proc/13276/fd
In some cases the attack program is hidden very deeply, as with a rootkit trojan. The ps, top, netstat and similar commands may then have been replaced long ago, and checking for abnormal processes with the system's own commands becomes unreliable. At that point the system must be checked for abnormal programs with dedicated third-party tools.
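Reading /proc/<pid> programmatically, as an added example that is not the article's own code: it resolves the exe, cwd and cmdline entries and the fd links that the ls command above lists, and reports the signs a manual inspection looks for, such as an executable deleted from disk after it was started or a process running from a temporary directory. Which directories count as suspicious is an assumption for the example.

```python
import os

SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # assumption: where malware is often dropped

def inspect_process(pid, proc_root="/proc"):
    """Collect what the article reads by hand under /proc/<pid>: exe, cwd, cmdline and open fds.
    Returns None when the pid directory does not exist (no such process, or no procfs)."""
    base = os.path.join(proc_root, str(pid))
    if not os.path.isdir(base):
        return None

    def link(name):
        try:
            return os.readlink(os.path.join(base, name))
        except OSError:          # another user's process, or a kernel thread without an exe
            return None

    exe = link("exe")
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        cmdline = []
    fds = {}
    try:
        for fd in os.listdir(os.path.join(base, "fd")):
            fds[int(fd)] = link(os.path.join("fd", fd))
    except OSError:              # fd directory is only readable by the owner or root
        pass
    return {"pid": int(pid), "exe": exe, "deleted": bool(exe and exe.endswith(" (deleted)")),
            "cwd": link("cwd"), "cmdline": cmdline, "fds": fds}

def inspect_self():
    """Convenience wrapper: inspect the current process (a safe, always-present target)."""
    return inspect_process(os.getpid())

def suspicious(info):
    """Reasons to look closer, mirroring the article's manual checks."""
    reasons = []
    if info["exe"] is None and info["cmdline"]:
        reasons.append("exe link unreadable although cmdline is set")
    if info["deleted"]:
        reasons.append("executable deleted from disk")
    for path in (info["exe"], info["cwd"]):
        if path and path.split(" (deleted)")[0].startswith(SUSPECT_DIRS):
            reasons.append("runs from " + path)
    return reasons
```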
6. Check file system integrity
Checking file attributes is the simplest and most intuitive way to verify the integrity of system files: for example, compare the size of /bin/ls on the virtual machine with the size of the same file on a known-good system to see whether it has been replaced. This method is fairly crude, however. The rpm tool on Linux can verify installed files instead (rpm -V): if the "M" mark appears in its output, the corresponding file may have been tampered with or replaced, and the compromised files can be removed by uninstalling the rpm package.
This command has a limitation: it can only check files installed from rpm packages and is powerless for files installed by other means. And if the rpm tool itself has been replaced, the method no longer applies; in that case, copy a known-good rpm binary from a normal system and use that for the check.
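Parsing rpm verification output, as an added example that is not from the article: it reads constructed lines in the format printed by rpm -Va and reports which non-config files differ from their package in size, digest or mode, or are missing entirely. The sample paths and flag combinations are constructed.

```python
import re

# Meaning of each column in the 9-character attribute field printed by "rpm -V".
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
                "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
# <flags or "missing"> [file type letter] <path>; '?' means that test could not be run.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$")

# Constructed sample of "rpm -Va" output (not from a real host).
SAMPLE = """\
SM5....T.    /bin/ls
.......T.    /usr/bin/top
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/lsof
"""

def parse_rpm_verify(text):
    """One record per verification line: path, whether it is a config file, changed attributes."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                                 # blank lines, dependency warnings, etc.
            continue
        flags = m.group("flags")
        changed = set() if flags == "missing" else {FLAG_MEANING[c] for c in flags if c in FLAG_MEANING}
        records.append({"path": m.group("path"), "config": m.group("type") == "c",
                        "missing": flags == "missing", "changed": changed})
    return records

def replaced_binaries(records):
    """Files whose content or mode differs from the package, skipping config files.
    A changed digest ('5') or size ('S') is the direct sign of a replaced binary; the 'M'
    mark (mode) the article mentions is weaker on its own. mtime-only changes are ignored,
    since prelink and package scriptlets touch timestamps legitimately."""
    return [r["path"] for r in records
            if not r["config"] and (r["missing"] or r["changed"] & {"size", "digest", "mode"})]
```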
The above is Micronet's analysis of how to handle an attack on a virtual machine. Hacker attacks are rampant today and growing fiercer, so improving both protection awareness and protection technique is essential; with these measures in place, you will not be caught unprepared when a virtual machine is attacked. Of course, the simplest route is to rent a protected Huawei VM, so that the service provider can step in with solutions promptly even when your own VM fails. Huawei Cloud's advanced anti-DDoS virtual machines can effectively withstand high-volume attacks, with defense capacity reaching T-level, multiple network lines to choose from, and fast, safe and reliable access.