Study notes: <<Enterprise Security Construction Guide>>
Open source HIDS: OSSEC
Main features: log analysis \ file and registry integrity checking \ rootkit detection \ real-time alerting \ active response
Built-in detection rules include: SSH brute force \ Windows logon failures \ account creation and modification
Rootkit detection uses netstat
Analysis of Windows security logs: Sysmon, suited to Windows
Use Sysmon + evtsys to collect logs and forward them to the SOC
Common ideas for webshell detection:
File content scanning: look for high-risk functions
File attribute changes, compared with the other files in the same folder
Network traffic: detect active outbound connections
Execution of low-level functions by the script
Excellent open source honeypot:
honeyd
Excellent open source IDS:
Snort, Bro
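Added example (not from the notes or the book they summarize): the first two detection ideas above, scanning file content for high-risk functions and comparing file attributes with the other files in the same folder, as a small Python scanner. It assumes a PHP site; the high-risk function list, the seven-day gap threshold and the sample files are constructed for this example.

```python
import os
import re
import statistics
import tempfile
import time
from pathlib import Path

# High-risk PHP functions typical of webshells (list constructed for this example)
HIGH_RISK = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|base64_decode)\s*\(",
    re.I)

def scan_content(path):
    """Idea 1: return the high-risk function names found in a file's content."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return []
    return sorted({m.group(1).lower() for m in HIGH_RISK.finditer(text)})

def mtime_outliers(folder, max_gap=7 * 86400):
    """Idea 2: files whose modification time is far from the folder's median
    mtime; a file dropped into an otherwise stable folder stands out this way."""
    files = [p for p in Path(folder).iterdir() if p.is_file()]
    if len(files) < 3:
        return []
    median = statistics.median(p.stat().st_mtime for p in files)
    return sorted(p.name for p in files if abs(p.stat().st_mtime - median) > max_gap)

def scan_folder(folder):
    """Combine both signals; a file flagged by both is the strongest candidate."""
    content = {p.name: hits for p in Path(folder).iterdir()
               if p.is_file() and (hits := scan_content(p))}
    outliers = mtime_outliers(folder)
    return {"content": content, "mtime": outliers,
            "both": sorted(set(content) & set(outliers))}

def build_sample_site():
    """Constructed fixture: four month-old application files plus one fresh
    file carrying an obfuscated eval call. Returns the folder path."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    old = time.time() - 30 * 86400
    for i in range(4):
        page = root / f"page{i}.php"
        page.write_text("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")
        os.utime(page, (old, old))
    (root / "cache.php").write_text("<?php eval(base64_decode($_POST['x'])); ?>")
    return root
```

Run `scan_folder(build_sample_site())` to see the fresh file flagged by both signals while the month-old pages stay clean.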
Server security hardening:
Windows Server:
Install on NTFS disk partitions
Disable NetBIOS over TCP/IP
Join the server to a domain to facilitate unified management
Security policy needs to cover Account Policies (Account Lockout Policy, Kerberos Policy, Password Policy) and Local Policies (Audit Policy, User Rights Assignment, Security Options), etc.
Event log: for unified management, modify the default storage size and overwrite mode
System services configuration: disable unnecessary services (such as Alerter, Browser, Messenger, etc.)
Enable Advanced Audit Policy; the Account Logon, Account Management, Policy Change and Privilege Use categories, among others, can be configured
Turn off AutoPlay, enable a password-protected screen saver, turn off automatically generated Internet traffic, install antivirus and other security software
Linux server:
Physical security related configuration: disable USB devices, add a GRUB password, disable the keyboard reboot shortcut
File system: mount /var/tmp on its own partition with the nodev and nosuid options; add the nosuid option to the /home partition
Set permissions on system files such as /etc/crontab, /etc/securetty, /boot/grub/grub.conf, /etc/inittab, /etc/login.defs ...
Turn off unnecessary services, such as cups, postfix, pcscd, smartd, alsasound, iscsitarget, smb, acpid
Command history: add timestamps, set the number of entries recorded, and make the history file read-only
Enable logging and audit functions, configure monitoring rules, and forward logs to the SOC in real time
Password policy configuration, including complexity, validity period, idle timeout before logout, maximum number of attempts, etc.
SSHD security configuration (maximum number of retries, disable Rhosts authentication, specify the cipher type, specify the MAC algorithm); delete RHOST related files
Kernel parameter tuning: disable LKM, restrict /dev/mem, enable ASLR, disable NAT
The Windows and Linux configuration sections overlap; refer to each when working on the other
Sensitive events on Windows domain controllers:
Security log:
1105 Log archived
1102 Log cleared
Account management:
4720 Account created
4722 Account enabled
4723 Account password changed
4724 Account password reset
4725 Account disabled
4726 Account deleted
4738 Account modified
4740 Account locked out
4764 Account unlocked
4768 Kerberos authentication succeeded
4771 Kerberos authentication failed
4781 Account renamed
4794 AD recovery mode (DSRM) password reset
4741 Computer account created
4743 Computer account deleted
Audit policy:
4719 System audit policy modified
Account logon:
4624 Account logon succeeded
4625 Account logon failed
4776 Account credential validation succeeded
4777 Account credential validation failed
During a customer log review, a large number of 4771 events at high frequency were found; the investigation did not turn up a specific reason. Left for later resolution.
Response after a domain controller has been compromised:
Reset the krbtgt account password
Reset the DSRM account password
Reset the passwords of important service accounts
Check the SIDHistory attribute of accounts
Check Group Policy configuration and SYSVOL directory permissions
Check the security of AdminSDHolder related accounts
Best option => discard the DC and resynchronize the data