linux服務器安全監測腳本

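#!/bin/bash
# Linux host security audit script.
#
# Intended to be read-only: it collects and reports, and the operator acts
# on the report.  Two sections below do write (the web-shell scan copies
# suspect samples to a scratch directory, and the integrity check creates
# /etc/md5db on first run); keep that in mind when running it on a host
# that is under forensic hold.
#
# Almost every check reads root-only data (/etc/shadow, /var/log/secure,
# process ownership via lsof, ...), so run it as root.

cat <<'EOF'
         (__)
         (oo)
   /------\/
  / |    ||
 *  /\---/\
   ~~   ~~
EOF

# The original line was mis-quoted ("...."Are You Ready?"...") and only
# printed the intended text by accident of word splitting.
echo "....Are You Ready?..."

# Pause until the operator hits Enter.  -r keeps backslashes literal; the
# value itself is never used.
read -r _

# Say so up front when not running as root: most of the checks below
# produce empty or misleading output without the privilege to read their
# inputs, and the report would look "clean" for the wrong reason.
if [ "$(id -u)" -ne 0 ]; then
  echo "警告:當前不是root用戶,/etc/shadow、/var/log/secure 等文件無法讀取,以下檢查結果不完整。"
fi

echo "警告:本腳本只是一個檢查的操作,未對服務器做任何修改,管理員可以根據此報告進行相應的設置。"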

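echo ---------------------------------------主機安全檢查-----------------------

echo "系統版本"

uname -a

echo --------------------------------------------------------------------------

echo "本機的ip地址是:"

# ifconfig (net-tools) is no longer installed by default on many
# distributions; prefer iproute2 and keep the original ifconfig grep as
# the fallback so the section still prints something on older hosts.
if command -v ip >/dev/null 2>&1; then
  ip -o -4 addr show | awk '{print $2": "$4}'
else
  ifconfig | grep --color "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}"
fi

echo --------------------------------------------------------------------------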

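# Accounts that are NOT locked.  In /etc/shadow a password field starting
# with "!" or "*" is locked/disabled; a hash — or an empty field — means
# the account can be logged into.  The original pattern /^!|^*/ depended on
# a leading "*" being taken literally, which POSIX ERE leaves undefined; a
# bracket expression says the same thing portably.
awk -F":" '{if($2!~/^[!*]/){print "("$1")" " 是一個未被鎖定的賬戶,請管理員檢查是否需要鎖定它或者刪除它。"}}' /etc/shadow

echo --------------------------------------------------------------------------

# check_login_def FILE KEY WANT UNIT ADVICE
#   Print one report line when the active (uncommented) KEY in FILE, which
#   uses login.defs "KEY value" syntax, is set to anything other than WANT.
#   UNIT and ADVICE are the message fragments appended after the current
#   value, so the wording of each report line is unchanged.
#   Matching on the first field replaces the original
#   "more | grep KEY | grep -v # | awk" chain, which also caught comment
#   lines that merely mention the key and keys such as PASS_MAX_DAYS_FOO.
#   Does nothing if FILE is unreadable.
check_login_def() {
  local file=$1 key=$2 want=$3 unit=$4 advice=$5
  [ -r "$file" ] || return 0
  awk -v key="$key" -v want="$want" -v unit="$unit" -v advice="$advice" -v file="$file" \
    '$1 == key && $2 != want { print file "裏面的" $1 "設置的是" $2 unit "," advice }' "$file"
}

check_login_def /etc/login.defs PASS_MAX_DAYS 90 "天" "請管理員改成90天。"

echo --------------------------------------------------------------------------

# NOTE: on PAM-based systems PASS_MIN_LEN in login.defs is commonly
# superseded by pam_pwquality / pam_cracklib (see
# /etc/security/pwquality.conf and /etc/pam.d/), so a "6" here does not by
# itself mean a 6-character minimum is enforced.  Check the PAM side too.
check_login_def /etc/login.defs PASS_MIN_LEN 6 "個字符" "請管理員改成6個字符。"

echo --------------------------------------------------------------------------

check_login_def /etc/login.defs PASS_WARN_AGE 10 "天" "請管理員將口令到期警告天數改成10天。"

echo --------------------------------------------------------------------------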

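# Idle-session timeout.  Look for an *uncommented* TMOUT assignment in the
# system-wide shell start-up files, including /etc/profile.d/ (where
# distributions and admins usually put it) and Debian's /etc/bash.bashrc,
# none of which the original looked at.  -q is silent, -s hides "No such
# file" for paths that do not exist on this distribution.
if ! grep -qs '^[^#]*TMOUT=' /etc/profile /etc/bashrc /etc/bash.bashrc /etc/profile.d/*.sh; then
  echo "未設置登錄超時限制,請設置之,設置方法:在/etc/profile或者/etc/bashrc裏面添加TMOUT=600參數"
fi

echo --------------------------------------------------------------------------

# xinetd running?  pgrep -x matches the exact process name and cannot
# match itself, which is what the "ps | grep | grep -v grep" dance was for.
if pgrep -x xinetd >/dev/null 2>&1; then
  echo "xinetd 服務正在運行,請檢查是否可以把xinetd服務關閉"
else
  echo "xinetd 服務未開啓"
fi

echo --------------------------------------------------------------------------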

echo "查看系統密碼文件修改時間"

ls -ltr /etc/passwd

echo --------------------------------------------------------------------------

echo  "查看是否開啓了ssh服務"

if service sshd status | grep -E "listening on|active \(running\)"; then

echo "SSH服務已開啓"

else

echo "SSH服務未開啓"

fi

echo --------------------------------------------------------------------------

echo "查看是否開啓了TELNET服務"

if more /etc/xinetd.d/telnetd 2>&1|grep -E "disable=no"; then

echo  "TELNET服務已開啓 "

else

echo  "TELNET服務未開啓 "

fi

echo --------------------------------------------------------------------------

echo  "查看系統SSH遠程訪問設置策略(host.deny拒絕列表)"

if more /etc/hosts.deny | grep -E "sshd: ";more /etc/hosts.deny | grep -E "sshd"; then

echo  "遠程訪問策略已設置 "

else

echo  "遠程訪問策略未設置 "

fi

echo --------------------------------------------------------------------------

echo  "查看系統SSH遠程訪問設置策略(hosts.allow允許列表)"

if more /etc/hosts.allow | grep -E "sshd: ";more /etc/hosts.allow | grep -E "sshd"; then

echo  "遠程訪問策略已設置 "

else

echo  "遠程訪問策略未設置 "

fi

echo "當hosts.allow和 host.deny相沖突時,以hosts.allow設置爲準。"

echo -------------------------------------------------------------------------

echo "查看shell是否設置超時鎖定策略"

if more /etc/profile | grep -E "TIMEOUT= "; then

echo  "系統設置了超時鎖定策略 "

else

echo  "未設置超時鎖定策略 "

fi

echo -------------------------------------------------------------------------

echo "查看syslog日誌審計服務是否開啓"

if service syslog status | egrep " active \(running";then

echo "syslog服務已開啓"

else

echo "syslog服務未開啓,建議通過service syslog start開啓日誌審計功能"

fi

echo -------------------------------------------------------------------------

echo "查看syslog日誌是否開啓外發"

if more /etc/rsyslog.conf | egrep "@...\.|@..\.|@.\.|\*.\* @...\.|\*\.\* @..\.|\*\.\* @.\.";then

echo "客戶端syslog日誌已開啓外發"

else

echo "客戶端syslog日誌未開啓外發"

fi

echo -------------------------------------------------------------------------

echo "查看passwd文件中有哪些特權用戶"

awk -F: '$3==0 {print $1}' /etc/passwd

echo ------------------------------------------------------------------------

echo "查看系統中是否存在空口令賬戶"

awk -F: '($2=="!!") {print $1}' /etc/shadow

echo "該結果不適用於Ubuntu系統"

echo ------------------------------------------------------------------------

echo "查看系統中root用戶外連情況"

lsof -u root |egrep "ESTABLISHED|SYN_SENT|LISTENING"

echo ----------------------------狀態解釋------------------------------

echo "ESTABLISHED的意思是建立連接。表示兩臺機器正在通信。"

echo "LISTENING的"

echo "SYN_SENT狀態表示請求連接"

echo ------------------------------------------------------------------------

echo "查看系統中root用戶TCP連接情況"

lsof -u root |egrep "TCP"

echo ------------------------------------------------------------------------

echo "查看系統中存在哪些非系統默認用戶"

echo "root:x:“該值大於500爲新創建用戶,小於或等於500爲系統初始用戶”"

more /etc/passwd |awk -F ":" '{if($3>500){print "/etc/passwd裏面的"$1 "的值爲"$3",請管理員確認該賬戶是否正常。"}}'

echo ------------------------------------------------------------------------

echo "檢查系統守護進程"

more /etc/xinetd.d/rsync | grep -v "^#"

echo ------------------------------------------------------------------------

echo "檢查系統是否存在***行爲"

more /var/log/secure |grep refused

echo ------------------------------------------------------------------------

echo "-----------------------檢查系統是否存在PHP腳本後門---------------------"

if find / -type f -name *.php | xargs egrep -l "mysql_query\($query, $dbconn\)|專用網馬|udf.dll|class PHPzip\{|ZIP壓縮程序 荒野無燈修改版|$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP***|eval\(gzuncompress\(base64_decode|if\(empty\($_SESSION|$shellname|$work_dir |PHP***|Array\("$filename"| eval\($_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提權|phpspy|後門" |sort -n|uniq -c |sort -rn 1>/dev/null 2>&1;then

echo "檢測到PHP腳本後門"

find / -type f -name *.php | xargs egrep -l "mysql_query\($query, $dbconn\)|專用網馬|udf.dll|class PHPzip\{|ZIP壓縮程序 荒野無燈修改版|$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP***|eval\(gzuncompress\(base64_decode|if\(empty\($_SESSION|$shellname|$work_dir |PHP***|Array\("$filename"| eval\($_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提權|phpspy|後門" |sort -n|uniq -c |sort -rn

find / -type f -name *.php | xargs egrep -l "mysql_query\($query, $dbconn\)|專用網馬|udf.dll|class PHPzip\{|ZIP壓縮程序 荒野無燈修改版|$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP***|eval\(gzuncompress\(base64_decode|if\(empty\($_SESSION|$shellname|$work_dir |PHP***|Array\("$filename"| eval\($_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提權|phpspy|後門" |sort -n|uniq -c |sort -rn |awk '{print $2}' | xargs -I{} cp {} /tmp/

echo "後門樣本已拷貝到/tmp/目錄"

else

echo "未檢測到PHP腳本後門"

fi

echo ------------------------------------------------------------------------

echo "-----------------------檢查系統是否存在JSP腳本後門---------------------"

find / -type f -name *.jsp | xargs egrep -l "InputStreamReader\(this.is\)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提權|jspspy|後門" |sort -n|uniq -c |sort -rn 2>&1

find / -type f -name *.jsp | xargs egrep -l "InputStreamReader\(this.is\)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提權|jspspy|後門" |sort -n|uniq -c |sort -rn| awk '{print $2}' | xargs -I{} cp {} /tmp/  2>&1

echo ------------------------------------------------------------------------

echo "----------------------檢查系統是否存在HTML惡意代碼---------------------"

if find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" 1>/dev/null 2>&1;then

echo "發現HTML惡意代碼"

find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" |sort -n|uniq -c |sort -rn

find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" |sort -n|uniq -c |sort -rn| awk '{print $2}' | xargs -I{} cp {} /tmp/

echo "後門樣本已拷貝到/tmp/目錄"

else

echo "未檢測到HTML惡意代碼"

fi

echo "----------------------檢查系統是否存在perl惡意程序----------------------"

if find / -type f -name *.pl | xargs egrep -l "SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;" 1>/dev/null 2>&1;then

echo "發現perl惡意程序"

find / -type f -name *.pl | xargs egrep -l "SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;"|sort -n|uniq -c |sort -rn

find / -type f -name *.pl | xargs egrep -l "SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;"|sort -n|uniq -c |sort -rn| awk '{print $2}' | xargs -I{} cp {} /tmp/

echo "可疑樣本已拷貝到/tmp/目錄"

else

echo "未檢測到perl惡意程序"

fi

echo "----------------------檢查系統是否存在Python惡意程序----------------------"

find / -type f -name *.py | xargs egrep -l "execCmd|cat /etc/issue|getAppProc|exploitdb" |sort -n|uniq -c |sort -rn

find / -type f -name *.py | xargs egrep -l "execCmd|cat /etc/issue|getAppProc|exploitdb" |sort -n|uniq -c |sort -rn| awk '{print $2}' | xargs -I{} cp {} /tmp/

echo ------------------------------------------------------------------------

echo "-----------------------檢查系統是否存在惡意程序---------------------"

find / -type f -perm -111  |xargs egrep "UpdateProcessER12CUpdateGatesE6C|CmdMsg\.cpp|MiniHttpHelper.cpp|y4'r3 1uCky k1d\!|execve@@GLIBC_2.0|initfini.c|ptmalloc_unlock_all2|_IO_wide_data_2|system@@GLIBC_2.0|socket@@GLIBC_2.0|gettimeofday@@GLIBC_2.0|execl@@GLIBC_2.2.5|WwW.SoQoR.NeT|2.6.17-2.6.24.1.c|Local Root Exploit|close@@GLIBC_2.0|syscall\(\__NR\_vmsplice,|Linux vmsplice Local Root Exploit|It looks like the exploit failed|getting root shell" 2>/dev/null

echo ------------------------------------------------------------------------

echo "檢查網絡連接和監聽端口"

netstat -an

echo "--------------------------路由表、網絡連接、接口信息--------------"

netstat -rn

echo "------------------------查看網卡詳細信息--------------------------"

ifconfig -a

echo ------------------------------------------------------------------------

echo "查看正常情況下登錄到本機的所有用戶的歷史記錄"

last

echo ------------------------------------------------------------------------

echo "檢查系統中core文件是否開啓"

ulimit -c

echo "core是unix系統的內核。當你的程序出現內存越界的時候,操作系統會中止你的進程,並將當前內存狀態倒出到core文件中,以便進一步分析,如果返回結果爲0,則是關閉了此功能,系統不會生成core文件"

echo ------------------------------------------------------------------------

echo "檢查系統中關鍵文件修改時間"

ls -ltr /bin/ls /bin/login /etc/passwd /bin/ps /usr/bin/top /etc/shadow|awk '{print "文件名:"$8"  ""最後修改時間:"$6" "$7}'

echo "ls文件:是存儲ls命令的功能函數,被刪除以後,就無法執行ls命令,***可利用篡改ls文件來執行後門或其他程序。

login文件:login是控制用戶登錄的文件,一旦被篡改或刪除,系統將無法切換用戶或登陸用戶

user/bin/passwd是一個命令,可以爲用戶添加、更改密碼,但是,用戶的密碼並不保存在/etc/passwd當中,而是保存在了/etc/shadow當中

etc/passwd是一個文件,主要是保存用戶信息。

sbin/portmap是文件轉換服務,缺少該文件後,無法使用磁盤掛載、轉換類型等功能。

bin/ps 進程查看命令功能支持文件,文件損壞或被更改後,無法正常使用ps命令。

usr/bin/top  top命令支持文件,是Linux下常用的性能分析工具,能夠實時顯示系統中各個進程的資源佔用狀況。

etc/shadow shadow 是 /etc/passwd 的影子文件,密碼存放在該文件當中,並且只有root用戶可讀。"

echo --------------------------------------------------------------------------

echo "-------------------查看系統日誌文件是否存在--------------------"

log=/var/log/syslog

log2=/var/log/messages

if [ -e "$log" ]; then

echo  "syslog日誌文件存在! "

else

echo  "/var/log/syslog日誌文件不存在! "

fi

if [ -e "$log2" ]; then

echo  "/var/log/messages日誌文件存在! "

else

echo  "/var/log/messages日誌文件不存在! "

fi

echo --------------------------------------------------------------------------

echo "檢查系統文件完整性2(MD5檢查)"

echo "該項會獲取部分關鍵文件的MD5值併入庫,默認保存在/etc/md5db中"

echo "如果第一次執行,則會提示md5sum: /sbin/portmap: 沒有那個文件或目錄"

echo "第二次重複檢查時,則會對MD5DB中的MD5值進行匹配,來判斷文件是否被更改過"

file="/etc/md5db"

if [ -e "$file" ]; then md5sum -c /etc/md5db 2>&1;

else

md5sum /etc/passwd >>/etc/md5db

md5sum /etc/shadow >>/etc/md5db

md5sum /etc/group >>/etc/md5db

md5sum /usr/bin/passwd >>/etc/md5db

md5sum /sbin/portmap>>/etc/md5db

md5sum /bin/login >>/etc/md5db

md5sum /bin/ls >>/etc/md5db

md5sum /bin/ps >>/etc/md5db

md5sum /usr/bin/top >>/etc/md5db;

fi

echo ----------------------------------------------------------------------

echo "------------------------主機性能檢查--------------------------------"

echo "CPU檢查"

dmesg | grep -i cpu

echo -----------------------------------------------------------------------

more /proc/cpuinfo

echo -----------------------------------------------------------------------

echo "內存狀態檢查"

vmstat 2 5

echo -----------------------------------------------------------------------

more /proc/meminfo

echo -----------------------------------------------------------------------

free -m

echo -----------------------------------------------------------------------

echo "文件系統使用情況"

df -h

echo -----------------------------------------------------------------------

echo "網卡使用情況"

lspci -tv

echo ----------------------------------------------------------------------

echo "查看殭屍進程"

ps -ef | grep zombie

echo ----------------------------------------------------------------------

echo "耗CPU最多的進程"

ps auxf |sort -nr -k 3 |head -5

echo ----------------------------------------------------------------------

echo "耗內存最多的進程"

ps auxf |sort -nr -k 4 |head -5

echo ----------------------------------------------------------------------

echo ---------------------------------------------------------------------
