shell腳本實現系統安全巡檢
在使用腳本前須要安裝:ag命令php
安裝方式以下:java
[root@xinsz08-63 LinuxCheck]# yum install epel-release[root@xinsz08-63 LinuxCheck]# yum install the_silver_searcher
ag的平常使用:
ag相似於grep和find,可是執行效率比後二者高node
ag -g a.txt 查找名字爲a.txt的文件
ag -i test 忽略大小寫搜索包含test的文本
ag -A 5 abc 顯示搜索到的包含abc的行以及他以後的5行文本信息python
演示:nginx
[root@xinsz08-63 ~]# cp /etc/passwd /root/passwd[root@xinsz08-63 ~]# ag -A 5 geoc passwd34:geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin 35-setroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin 36-saned:x:990:984:SANE scanner daemon user:/usr/share/sane:/sbin/nologin 37-gdm:x:42:42::/var/lib/gdm:/sbin/nologin 38-gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin 39-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
此腳本涉及到系統的安全檢測,好比MD5校驗,檢測經常使用命令是否被別人改動過,檢測是否有挖礦病毒,是否有***,登錄用戶是否正常,等等。git
#!/usr/bin/env bash
3 echo ""
4 echo " ========================================================= "
5 echo " \ Linux應急響應/信息蒐集腳本 V3.0 / "
6 echo " ========================================================= "
7 echo " # 支持Centos、Debian系統檢測 "
8 echo " # author:al0ne "
9 echo " # https://github.com/al0ne "
10 echo -e "\n"
11
12 # WEB Path
13 # 設置web目錄 默認的話是從/目錄去搜索 性能較慢
14 webpath='/'
15
16 echo -e "\e[00;31m[+]環境檢測\e[00m"
17 # 驗證是否爲root權限
18 if [ $UID -ne 0 ]; then
19 echo -e "\n\e[00;33m請使用root權限運行 \e[00m"
20 exit 1
21 else
22 echo -e "\e[00;32m當前爲root權限 \e[00m"
23 fi
24
25 # 驗證操做系統是debian系仍是centos
26 OS='None'
27
28 if [ -e "/etc/os-release" ]; then
29 source /etc/os-release
30 case ${ID} in
31 "debian" | "ubuntu" | "devuan")
32 OS='Debian'
33 ;;
34 "centos" | "rhel fedora" | "rhel")
35 OS='Centos'
36 ;;
37 *) ;;
38 esac
39 fi
40
41 if [ $OS = 'None' ]; then
42 if command -v apt-get >/dev/null 2>&1; then
43 OS='Debian'
44 elif command -v yum >/dev/null 2>&1; then
45 OS='Centos'
46 else
47 echo -e "\n不支持這個系統\n"
48 echo -e "已退出"
49 exit 1
50 fi
51 fi
52
53 #ifconfig
54 if ifconfig >/dev/null 2>&1; then
55 echo -e "\e[00;32mifconfig已安裝 \e[00m"
56 else
57 if [ $OS = 'Centos' ]; then
58 yum -y install net-tools >/dev/null 2>&1
59 else
60 apt-get -y install net-tools >/dev/null 2>&1
61 fi
62
63 fi
64
65 #Centos安裝lsof
66 if lsof -v >/dev/null 2>&1; then
69 if [ $OS = 'Centos' ]; then
70 yum -y install lsof >/dev/null 2>&1
71 else
72 apt-get -y install lsof >/dev/null 2>&1
73 fi
74
75 fi
80 else
81 if [ $OS = 'Centos' ]; then
82 yum -y install the_silver_searcher >/dev/null 2>&1
83 else
85 fi
86
87 fi
88
89 echo -e "\n"
90
91 # 設置保存文件
94 filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)'.log'
95
96 #對比hash,看看有沒有系統文件被替換掉
99 rpm -Va | tee -a $filename102 debsums -e | ag -v 'OK' | tee -a $filename107 #當前用戶108 echo -e "USER:\t\t" $(whoami) 2>/dev/null | tee -a $filename109 #版本信息110 echo -e "OS Version:\t" $(uname -r) | tee -a $filename111 #主機名112 echo -e "Hostname: \t" $(hostname -s) | tee -a $filename113 #uptime115 #cpu信息117 #ipaddress120 echo -e "\n" | tee -a $filename121
126 "Used " (total-free)/total*100"%"}' | tee -a $filename127 done
128 echo -e "\n" | tee -a $filename129 #登錄用戶
130 echo -e "\e[00;31m[+]登錄用戶\e[00m" | tee -a $filename131 who $filename132 echo -e "\n" | tee -a $filename133 #CPU佔用TOP 15
136 #內存佔用TOP 15
139 #內存佔用
142 echo -e "\n" | tee -a $filename143 #剩餘空間
146 echo -e "\n" | tee -a $filename147 echo -e "\e[00;31m[+]硬盤掛載\e[00m" | tee -a $filename149 echo -e "\n" | tee -a $filename150 #ifconfig
151 echo -e "\e[00;31m[+]ifconfig\e[00m" | tee -a $filename152 /sbin/ifconfig -a | tee -a $filename155 echo -e "\e[00;31m[+]網絡流量 \e[00m" | tee -a $filename157 awk ' NR>2' /proc/net/dev | while read line; do
158 echo "$line" | awk -F ':' '{print " "$1" " $2}' | \
162 #端口監聽
163 echo -e "\e[00;31m[+]端口監聽\e[00m" | tee -a $filename164 netstat -tulpen | ag 'tcp|udp.*' --nocolor | tee -a $filename165 echo -e "\n" | tee -a $filename166 #對外開放端口
167 echo -e "\e[00;31m[+]對外開放端口\e[00m" | tee -a $filename169 echo -e "\n" | tee -a $filename170 #網絡鏈接
173 echo -e "\n" | tee -a $filename174 #鏈接狀態
175 echo -e "\e[00;31m[+]TCP鏈接狀態\e[00m" | tee -a $filename177 echo -e "\n" | tee -a $filename180 /sbin/route -nee | tee -a $filename181 echo -e "\n" | tee -a $filename182 #路由轉發
183 echo -e "\e[00;31m[+]路由轉發\e[00m" | tee -a $filename185 if [ -n "$ip_forward" ]; then
187 else
188 echo "該服務器未開啓路由轉發" | tee -a $filename189 fi
190 echo -e "\n" | tee -a $filename191 #DNS
192 echo -e "\e[00;31m[+]DNS Server\e[00m" | tee -a $filename194 echo -e "\n" | tee -a $filename195 #ARP
196 echo -e "\e[00;31m[+]ARP\e[00m" | tee -a $filename197 arp -n -a | tee -a $filename198 echo -e "\n" | tee -a $filename199 #混雜模式
200 echo -e "\e[00;31m[+]網卡混雜模式\e[00m" | tee -a $filename201 if ip link | ag PROMISC >/dev/null 2>&1; then
202 echo "網卡存在混雜模式!" | tee -a $filename203 else
204 echo "網卡不存在混雜模式" | tee -a $filename205
206 fi
207 echo -e "\n" | tee -a $filename208 #安裝軟件
209 echo -e "\e[00;31m[+]經常使用軟件\e[00m" | tee -a $filename210 cmdline=(
211 "which perl"
212 "which gcc"
213 "which g++"
214 "which python"
215 "which php"
216 "which cc"
217 "which go"
218 "which node"
219 "which nodejs"
220 "which bind"
221 "which tomcat"
222 "which clang"
223 "which ruby"
224 "which curl"
225 "which wget"
228 "which ssserver"
229 "which vsftpd"
230 "which java"
231 "which apache"
232 "which nginx"
233 "which git"
234 "which mongodb"
235 "which docker"
236 "which tftp"
237 "which psql"
242 if [ "$soft" ] 2>/dev/null; then
244 fi
245 done
246 echo -e "\n" | tee -a $filename247 #crontab
248 echo -e "\e[00;31m[+]Crontab\e[00m" | tee -a $filename249 crontab -u root -l | ag -v '#' --nocolor | tee -a $filename250 ls -alht /etc/cron.*/* | tee -a $filename251 echo -e "\n" | tee -a $filename252 #crontab可疑命令253 echo -e "\e[00;31m[+]Crontab Backdoor \e[00m" | tee -a $filename255 echo -e "\n" | tee -a $filename256 #env257 echo -e "\e[00;31m[+]env\e[00m" | tee -a $filename258 env | tee -a $filename259 echo -e "\n" | tee -a $filename260 #PATH261 echo -e "\e[00;31m[+]PATH\e[00m" | tee -a $filename262 echo $PATH | tee -a $filename263 echo -e "\n" | tee -a $filename264 #LD_PRELOAD265 echo -e "\e[00;31m[+]LD_PRELOAD\e[00m" | tee -a $filename266 echo ${LD_PRELOAD} | tee -a $filename267 echo -e "\n" | tee -a $filename268 #LD_ELF_PRELOAD269 echo -e "\e[00;31m[+]LD_ELF_PRELOAD\e[00m" | tee -a $filename270 echo ${LD_ELF_PRELOAD} | tee -a $filename271 echo -e "\n" | tee -a $filename274 echo ${LD_LIBRARY_PATH} | tee -a $filename279 if [ -e "${preload}" ]; then280 cat ${preload} | tee -a $filename281 else282 echo -e "/etc/ld.so.preload 文件不存在" | tee -a $filename283 fi284 echo -e "\n" | tee -a $filename285 #passwd信息286 echo -e "\e[00;31m[+]可登錄用戶\e[00m" | tee -a $filename287 cat /etc/passwd | ag -v 'nologin$|false$' | tee -a $filename288 echo -e "\n" | tee -a $filename290 echo -e "\n" | tee -a $filename293 echo -e "\n" | tee -a $filename294 #防火牆298 #登錄信息299 echo -e "\e[00;31m[+]登陸信息\e[00m" | tee -a $filename300 w | tee -a $filename301 echo -e "\n" | tee -a $filename304 lastlog | tee -a $filename307 echo -e "\n" | tee -a $filename308 #SSH爆破IP309 echo -e "\e[00;31m[+]SSH爆破\e[00m" | tee -a $filename318 fi319 echo -e "\n" | tee -a $filename320 #查看history文件321 echo -e "\e[00;31m[+]History\e[00m" | tee -a $filename322 ls -alht ~/.*_history | tee -a $filename323 ls -alht /root/.*_history | tee -a $filename324 echo -e "\n" | tee -a $filename326 echo -e "\n" | tee -a $filename327 #HOSTS328 echo -e "\e[00;31m[+]/etc/hosts \e[00m" | tee -a $filename329 cat /etc/hosts | ag -v "#" | tee -a $filename330 echo -e "\n" | tee -a $filename331 #/etc/profile334 echo -e "\n" | tee -a $filename335 #/etc/rc.local336 echo -e "\e[00;31m[+]/etc/rc.local \e[00m" | tee -a $filename337 cat /etc/rc.local | ag -v '#' | tee -a $filename340 echo -e "\e[00;31m[+]~/.bash_profile \e[00m" | tee -a $filename341 cat ~/.bash_profile | ag -v '#' | tee -a $filename342 echo -e "\n" | tee -a $filename343 #~/.bashrc346 echo -e "\n" | tee -a $filename347 #bash反彈shell348 echo -e "\e[00;31m[+]bash反彈shell \e[00m" | tee -a $filename350 echo -e "\n" | tee -a $filename351 #SSHD352 echo -e "\e[00;31m[+]SSHD \e[00m" | tee -a $filename353 echo -e "/usr/sbin/sshd"360 echo -e "\n" | tee -a $filename361 #tmp目錄362 echo -e "\e[00;31m[+]/tmp \e[00m" | tee -a $filename363 ls /tmp /var/tmp /dev/shm -alht | tee -a $filename364 echo -e "\n" | tee -a $filename365 #alias 別名372 echo -e "\n" | tee -a $filename378 #近7天改動381 echo -e "\n" | tee -a $filename382 #近7天改動387 #有些***會將數據庫、網站打包成一個文件而後下載388 echo -e "\e[00;31m[+]大文件>100mb \e[00m" | tee -a $filename424 echo -e "\n" | tee -a $filename425 #挖礦***檢測426 echo -e "\e[00;31m[+]挖礦***檢測\e[00m" | tee -a $filename428 echo -e "\n" | tee -a $filename429 #Rkhunter查殺432 rkhunter --checkall --sk | ag -v 'OK|Not found|None found'433 else434 if [ -e "rkhunter.tar.gz" ]; then435 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
436 cd rkhunter-1.4.6/
437 ./installer.sh --install >/dev/null 2>&1
438 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'439 else440 echo -e "找不到rkhunter.tar.gz嘗試下載"441 wget https://github.com/al0ne/LinuxCheck/raw/maste r/rkhunter.tar.gz >/dev/null 2>&1;442 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
443 cd rkhunter-1.4.6/
444 ./installer.sh --install >/dev/null 2>&1
445 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'446 fi447 fi
執行後以下:
github
相關文章
- 1. linux系統巡檢腳本shell實例
- 2. shell巡檢腳本
- 3. 系統巡檢腳本
- 4. linux系統巡檢腳本
- 5. Linux系統巡檢腳本
- 6. shell腳本:平常巡檢
- 7. shell腳本------巡檢腳本--xunjian2.sh
- 8. shell腳本實現-----自動巡檢腳本.sh
- 9. 巡檢腳本 全面
- 10. 巡檢腳本
- 更多相關文章...
- • ASP.NET MVC - 安全 - ASP.NET 教程
- • Swift 下標腳本 - Swift 教程
- • Docker容器實戰(七) - 容器眼光下的文件系統
- • ☆基於Java Instrument的Agent實現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. linux系統巡檢腳本shell實例
- 2. shell巡檢腳本
- 3. 系統巡檢腳本
- 4. linux系統巡檢腳本
- 5. Linux系統巡檢腳本
- 6. shell腳本:平常巡檢
- 7. shell腳本------巡檢腳本--xunjian2.sh
- 8. shell腳本實現-----自動巡檢腳本.sh
- 9. 巡檢腳本 全面
- 10. 巡檢腳本