Six-sided protection: how to build a defense-in-depth system

About the Author

Zhu Lin is a senior developer and the author of "Elasticsearch Technical Analysis and Practice". He has 16 years of development experience, 11 of them building security products, and has researched security technology and log analysis in depth. In 2013 he founded Nanjing Secland Network Technology Co., Ltd., which focuses on security product development; its main product is the Secland log analysis software.

Guide

Because of length, this article is divided into two parts. The first part focuses on principles; the second will describe a number of practical cases built on those principles.

Overview

Let's start with Google's BeyondCorp project.

Google's initiative is called BeyondCorp, and its purpose is to do away with the distinction between internal and external networks entirely. The basic assumption is that the internal network is just as dangerous as the Internet, for two reasons:

  1. Once the network perimeter is breached, an attacker can easily reach the enterprise's internal applications.

  2. Enterprises are increasingly adopting mobile and cloud technologies, so perimeter protection keeps getting harder. BeyondCorp therefore simply treats both the same way, making no distinction between internal and external networks.

This article does not go into how Google's solution is implemented. I cite the case only to make one point: as vulnerabilities keep appearing and attack techniques grow more sophisticated, the internal network faces great risk as well (unless it is a completely physically isolated intranet). We therefore need to pay attention to the security of the internal network and of the perimeter at the same time.

1. Principles

For a while I often watched "Today's Statement", the legal-case program on CCTV, and I was very impressed by how the clues to one case were found. In that case a woman had been kidnapped on a stretch of road with no surveillance cameras, so identifying the vehicle used in the kidnapping was crucial.

Because the stretch of road where it happened was not monitored, the vehicle was hard to find. The police later came up with a very simple method.

There were no cameras at the scene, but there were cameras at both ends of the road, so the police timed every vehicle between the two. Committing the crime takes time, which means the kidnappers' vehicle must have taken longer to cover the stretch than the other vehicles did. That is the simplest logical reasoning for solving a case.

Network security incidents follow similar logic. It is often hard to detect an attack by direct means, but with reasoning we find that an attack leaves some unusual behaviour behind, just as in the case above there was no direct camera evidence, yet the vehicle took longer to pass than the others.

If we have diversified defense-in-depth capabilities and defend against attacks systematically, we gain more defense points and more monitoring points, which greatly reduces security risk.


Defense has the first-mover advantage of choosing its positions in advance. With careful planning, defense in depth prevents a single-point breakthrough. Taking a host as the example of a defense-in-depth architecture, there are several levels to cover: the network, processes, files, operation commands, file operations and system events. Comprehensive analysis of these aspects discovers the vast majority of attack behaviour.


Let us start from a hypothetical attack analysis. Most attacks begin from a weakness: a vulnerability, a weak password, a 0-day, and so on. Against a 0-day, most rule-based security protection is ineffective.

The attacker's first step is reconnaissance. There are many ways to do it; the most common is scanning, including host scanning, port scanning and vulnerability scanning. Scanning can be discovered from two sides:

  1. On the network, through abnormal traffic behaviour: a port scan shows up as one host making a large number of requests to different ports in a short time.

  2. On the host: a password-guessing scan shows up as a large number of login-failure log entries.

Once a vulnerable host has been found, the next step is to exploit the vulnerability. The exploitation itself is sometimes hard to perceive (a buffer overflow, for example), but its result can still be found on the system. If a host has a weak password, for instance, abnormal login behaviour will appear: logins at abnormal times, from abnormal source IPs, and so on.

The same goes for file uploads and user operations: after a successful intrusion most attackers upload some files to the server and carry out operations such as creating hidden accounts.

Once a host is under an attacker's control, it often becomes a "broiler" (a zombie). Abnormal behaviour appears at this stage too: on the network there will be unauthorized outbound connections, and whether the attacker initiates them actively or the host passively waits for commands, this abnormal information shows up in network traffic.

At the process level, abnormal processes are often created. Many are disguised with the names of system processes, but they can still be found with careful attention.

2. Technology

On Linux systems these parameters and indicators are relatively easy to obtain. Below are some scripts I often use, for reference.

1. Process: (script shown as an image in the original)

Example output: (image in the original)

Description: this script takes the process information from ps aux, formats it, sorts it, removes duplicates, and then filters out known system processes.
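The following is an added example, not the author's script, of a ps aux filter in the spirit of the one described above. It keeps one line per (user, command) and drops a baseline of expected executables; the BASELINE list is an assumption for this example and should be built from a known-clean host. The baseline is matched as exact strings on purpose, so that a "/tmp/sshd" is not hidden by "/usr/sbin/sshd" being expected, and a bracketed (kernel-thread-looking) name under a non-root user is reported as a disguise.

```shell
#!/bin/sh
# Added example, not the author's script: filter `ps aux` output against a
# baseline of expected commands. BASELINE is an assumption for this example.

# Expected commands, matched as exact strings. Full paths are kept on purpose:
# "/tmp/sshd" must not be hidden by "/usr/sbin/sshd" being expected.
BASELINE='/sbin/init /usr/lib/systemd/systemd /usr/sbin/sshd sshd /usr/sbin/rsyslogd /usr/sbin/crond bash -bash'

# stdin: output of `ps aux`; stdout: "user command" for everything not in the baseline.
filter_procs() {
    awk -v base="$BASELINE" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $1 == "USER" { next }                       # ps header line
        {
            user = $1; cmd = $11                    # COMMAND column, first word only
            # Kernel threads print as [name] and always belong to root; a bracketed
            # name under any other user is a userland process wearing a disguise.
            if (cmd ~ /^\[.*\]$/) { if (user != "root") print user, cmd; next }
            sub(/:$/, "", cmd)                      # "sshd: user [priv]" -> "sshd"
            if (!(cmd in ok)) print user, cmd
        }' | LC_ALL=C sort -u
}

# Constructed sample (not real ps output): a baseline host plus two oddities.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 19000 1500 ? Ss Jan01 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S Jan01 0:00 [kthreadd]
root 900 0.0 0.2 80000 4000 ? Ss Jan01 0:00 /usr/sbin/sshd -D
root 1234 0.0 0.3 90000 6000 ? Ss 11:29 0:00 sshd: secisland [priv]
secisland 1240 0.0 0.1 10000 2000 pts/0 Ss 11:29 0:00 -bash
www 2048 0.1 0.5 40000 9000 ? S 11:30 0:00 /tmp/sshd -p 4444
www 2049 0.0 0.0 5000 800 ? S 11:30 0:00 [kworker/0:1]
www 2050 0.0 0.0 5000 800 ? S 11:30 0:00 [kworker/0:1]'

if [ "${1:-}" = live ]; then
    ps aux | filter_procs                      # on a real host
else
    printf '%s\n' "$SAMPLE_PS" | filter_procs  # prints the two oddities above
fi
```

A root-owned userland process can still name itself "[kworker/0:1]"; to be sure, check that a bracketed name has PPID 2 (kthreadd) with `ps -eo pid,ppid,user,comm`, which ps aux does not show.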

2. Port: (script shown as an image in the original)

Example output: (image in the original)

Note: this script takes the IP and port information from ss -ntu, excludes connections from the machine to itself, and formats the output.
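The following is an added example, not the author's script, of an ss -ntu listing in the same spirit. Loopback and self-connections are dropped, and every remaining peer is tagged internal or external so that the unauthorized outbound connections mentioned earlier stand out. INTERNAL_NETS is an assumed list of address prefixes for this example; substitute your own ranges.

```shell
#!/bin/sh
# Added example, not the author's script: list non-local connections from
# `ss -ntu` and tag each peer. INTERNAL_NETS is an assumption for this example.

INTERNAL_NETS='10. 192.168. 172.16.'

# stdin: output of `ss -ntu`; stdout: "proto local peer tag", one line per connection.
ext_conns() {
    awk -v nets="$INTERNAL_NETS" '
        BEGIN { n = split(nets, p, " ") }
        $1 == "Netid" { next }                      # header line
        {
            proto = $1; local = $5; peer = $6       # Local Address:Port, Peer Address:Port
            lip = local; sub(/:[^:]*$/, "", lip)    # strip the port after the last colon
            pip = peer;  sub(/:[^:]*$/, "", pip)
            # loopback or the host talking to its own address is noise
            if (pip ~ /^127\./ || pip == "::1" || pip == "[::1]" || pip == lip) next
            tag = "external"
            for (i = 1; i <= n; i++) if (index(pip, p[i]) == 1) tag = "internal"
            print proto, local, peer, tag
        }' | LC_ALL=C sort -u
}

# Constructed sample (not a real capture).
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 10.0.0.5:22 203.0.113.7:14630
tcp ESTAB 0 0 127.0.0.1:9200 127.0.0.1:41000
udp ESTAB 0 0 10.0.0.5:514 10.0.0.9:41000
tcp ESTAB 0 0 10.0.0.5:49152 198.51.100.20:4444
tcp ESTAB 0 0 10.0.0.5:3306 10.0.0.5:50000'

if [ "${1:-}" = live ]; then
    ss -ntu | ext_conns                        # on a real host
else
    printf '%s\n' "$SAMPLE_SS" | ext_conns     # three lines, two tagged external
fi
```

A high local port to an external peer on an unusual port (the 49152 to 198.51.100.20:4444 line in the sample) is the typical shape of a reverse shell or bot callback; feed the external lines to the log server and alert on peers that are not on an allow list.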

3. Operation command audit: (script shown as an image in the original)

Note: this script takes the content of the history command, formats it, and sends it out through syslog, so that the command-line operations of users logged in to the system can be audited in real time.
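The following is an added example, not the author's script, of the same idea done with a bash PROMPT_COMMAND hook: every new history entry is turned into a record and handed to logger. The tag "cmdaudit", the local1 facility and the profile.d path are assumptions for this example.

```shell
#!/bin/bash
# Added example, not the author's script: send each interactive command to
# syslog via logger from PROMPT_COMMAND. Tag, facility and install path are
# assumptions for this example.

# "  42  ls -la /tmp" (history output) -> "ls -la /tmp"
hist_strip() {
    sed 's/^[[:space:]]*[0-9]*[[:space:]]*//'
}

# Build one syslog-ready record: audit_record USER TTY PWD COMMAND
audit_record() {
    printf 'user=%s tty=%s pwd=%s cmd=%s\n' "$1" "$2" "$3" "$4"
}

# Runs before every prompt. Only the history *number* distinguishes a new
# command from an empty Enter or a repeated command, so that is what is compared.
_AUDIT_LASTNUM=
audit_hook() {
    num=$(history 1 | awk '{ print $1 }')
    [ -n "$num" ] && [ "$num" != "$_AUDIT_LASTNUM" ] || return 0
    _AUDIT_LASTNUM=$num
    audit_record "$(id -un)" "$(tty 2>/dev/null || echo '?')" "$PWD" "$(history 1 | hist_strip)" \
        | logger -t cmdaudit -p local1.notice
}

# Install only in interactive shells, e.g. from /etc/profile.d/cmdaudit.sh (assumed path).
case $- in
    *i*)
        shopt -s histappend                    # keep history across sessions
        PROMPT_COMMAND=audit_hook
        readonly PROMPT_COMMAND                # blocks a casual `unset PROMPT_COMMAND`
        ;;
esac
```

Forward the records with a line such as `local1.* @@logserver:514` in rsyslog.conf. The caveat: anything built on shell history is cooperative. A user who runs `exec sh`, `bash --norc` or a different shell leaves no record, so for tamper-resistant command logging use auditd's execve rule (`-a always,exit -F arch=b64 -S execve -k cmds`) as well, and treat the history-based feed as a convenience for readable records.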

4. System events:

Normally these are recorded in /var/log/secure (on RHEL and CentOS; Debian and Ubuntu use /var/log/auth.log instead): successful logins, failed logins, and so on.

For example, a login session:

Jan  1 11:29:45 localhost sshd[29778]: Accepted password for secisland from xx.xx.xx.72 port 14630 ssh2

Jan  1 11:29:45 localhost sshd[29778]: pam_unix(sshd:session): session opened for user secilog by (uid=0)

Jan  1 11:29:45 localhost sshd[29780]: subsystem request for sftp by user secilog

Jan  1 11:29:45 localhost sshd[29778]: pam_unix(sshd:session): session closed for user secilog
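The following is an added example, not part of the original article, that runs the login checks described earlier over /var/log/secure lines: it reports sources with too many "Failed password" entries (the password-guessing scan from the reconnaissance section) and accepted logins from a source that is not on a known list or outside working hours (the abnormal time and abnormal source IP from the exploitation section). KNOWN_SOURCES, the failure threshold and the working hours are assumptions for this example; the log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: alert on sshd log lines.
# KNOWN_SOURCES, FAIL_THRESHOLD and the working hours are assumptions.

KNOWN_SOURCES='10.0.0.72 10.0.0.9'
FAIL_THRESHOLD=5
WORK_START=8      # alerts fire on logins before 08:00 or at/after 20:00
WORK_END=20

# stdin: syslog-format sshd lines; stdout: ALERT lines (empty when all is quiet).
secure_report() {
    awk -v known="$KNOWN_SOURCES" -v thr="$FAIL_THRESHOLD" -v h0="$WORK_START" -v h1="$WORK_END" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i + 1); if ($i == "from") ip = $(i + 1) }
            hour = substr($3, 1, 2) + 0             # $3 is HH:MM:SS in syslog format
            why = ""
            if (!(ip in ok)) why = "unknown-source"
            if (hour < h0 || hour >= h1) why = (why == "" ? "off-hours" : why ",off-hours")
            if (why != "") print "ALERT login " user " from " ip " at " $1 " " $2 " " $3 " [" why "]"
        }
        END { for (ip in fails) if (fails[ip] >= thr) print "ALERT " fails[ip] " failed passwords from " ip }
    ' | LC_ALL=C sort
}

# Constructed sample log (not a real capture).
SAMPLE_LOG='Jan  1 02:10:05 localhost sshd[29700]: Accepted password for secisland from 198.51.100.20 port 40012 ssh2
Jan  1 11:29:45 localhost sshd[29778]: Accepted password for secisland from 10.0.0.72 port 14630 ssh2
Jan  1 11:29:45 localhost sshd[29778]: pam_unix(sshd:session): session opened for user secisland by (uid=0)
Jan  1 11:31:01 localhost sshd[29801]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Jan  1 11:31:02 localhost sshd[29802]: Failed password for invalid user oracle from 203.0.113.7 port 4002 ssh2
Jan  1 11:31:03 localhost sshd[29803]: Failed password for root from 203.0.113.7 port 4003 ssh2
Jan  1 11:31:04 localhost sshd[29804]: Failed password for root from 203.0.113.7 port 4004 ssh2
Jan  1 11:31:05 localhost sshd[29805]: Failed password for invalid user test from 203.0.113.7 port 4005 ssh2
Jan  1 11:31:06 localhost sshd[29806]: Failed password for root from 203.0.113.7 port 4006 ssh2
Jan  1 11:31:09 localhost sshd[29810]: Failed password for root from 10.0.0.72 port 14700 ssh2
Jan  1 14:00:00 localhost sshd[29900]: Accepted publickey for secisland from 10.0.0.72 port 14800 ssh2'

printf '%s\n' "$SAMPLE_LOG" | secure_report   # live: secure_report < /var/log/secure
```

On the sample this yields two alerts: six failures from 203.0.113.7, and the 02:10 login from 198.51.100.20, which is both off-hours and from an unknown source. The single failure from the known host 10.0.0.72 stays below the threshold, which is the point of counting per source rather than alerting on every failed line.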

5. Upload and download:

The sftp subsystem that ships with Linux sshd can log sftp operations; it only needs to be configured.

Configuration:
#vi /etc/ssh/sshd_config

change
Subsystem sftp /usr/libexec/openssh/sftp-server

to
Subsystem sftp internal-sftp -l INFO -f local0

Then uncomment the following line (remove the leading #):
#LogLevel INFO

Then modify the syslog configuration:
vi /etc/rsyslog.conf

and add a line (replace ip with the log server's address; a single @ forwards over UDP, @@ip:514 over TCP):

local0.*                    @ip
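The following is an added example, not from the original article, that applies the sshd_config changes above idempotently so they can be pushed to many hosts: it rewrites (or adds) the sftp Subsystem line and forces LogLevel INFO. The facility is a parameter, defaulting to local0 as in the text; the roll-out function and its paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: enable sftp logging in an
# sshd_config idempotently. Facility defaults to local0 as in the text.

# stdin: current sshd_config; stdout: config with sftp logging enabled.
# usage: sftp_log_config [FACILITY] < sshd_config
sftp_log_config() {
    fac=${1:-local0}
    awk -v fac="$fac" '
        /^[ \t]*#?[ \t]*Subsystem[ \t]+sftp[ \t]/ {  # existing sftp subsystem, even if commented out
            print "Subsystem sftp internal-sftp -l INFO -f " fac; seen_sub = 1; next
        }
        /^[ \t]*#?[ \t]*LogLevel[ \t]/ {             # "#LogLevel INFO" or any other level
            print "LogLevel INFO"; seen_ll = 1; next
        }
        { print }
        END {
            if (!seen_sub) print "Subsystem sftp internal-sftp -l INFO -f " fac
            if (!seen_ll)  print "LogLevel INFO"
        }'
}

# Typical roll-out (assumed paths, not run here): rewrite to a temp file,
# validate it with `sshd -t -f`, then move it into place and reload sshd
# (the unit is named sshd on RHEL/CentOS and ssh on Debian/Ubuntu).
apply_sftp_logging() {
    sftp_log_config "$@" < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new \
        && sshd -t -f /etc/ssh/sshd_config.new \
        && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config \
        && systemctl reload sshd
}
```

The `sshd -t` step matters: a typo in sshd_config is only noticed when sshd reloads, and on a remote host that is the moment you lose your own session.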

6. File modification:

Monitoring file modification is a little more troublesome. You can poll files' modification times, or tag files and compare them later, but the better way is to use Linux's inotify mechanism to monitor file operations.

Inotify is a Linux kernel feature that reports file system operations such as reads, writes and creations. It is event-driven, very simple to use, and far more efficient than busy polling from a cron job. It is mostly used for host anti-tampering and web-page anti-tampering, which matter a great deal, so our system integrates this function as well.

Install SeciInotify; this version supports sending to syslog. After installation, run:

nohup ./inotifywait -c -rme create,modify,delete,move,attrib,delete_self /home /etc &

This monitors the two directories /home and /etc; any change to a file under either of them is sent to the log server.

Note: the open-source inotify tools have no log-output function. I rewrote the code and added a logger output function, so that file changes can be sent to syslog in real time. The code can be downloaded from:

https://github.com/zhulinu/SeciInotify

Summary

If a defense-in-depth system can be built into daily operation and maintenance, so that the host's network connections, processes, operation commands, file operations, system events, and upload and download behaviour are recorded and analysed in real time, then in most cases attack behaviour can be found at the earliest moment, which removes a great deal of risk.

Doing all of this by hand is inefficient, though. Log collection and analysis tools such as Splunk, ArcSight, Secilog and ELK can take over the analysis and get twice the result for half the effort.


Origin blog.51cto.com/14996608/2549819