如何快速的为系统做安全检测

2020-06-17 20:18:15 浏览数 (1)

shell脚本实现系统安全巡检

在使用脚本前需要安装:ag命令

安装方式如下:

代码语言:javascript复制
[root@xinsz08-63 LinuxCheck]# yum install epel-release
[root@xinsz08-63 LinuxCheck]# yum install the_silver_searcher

ag的日常使用:

ag类似于grep和find,但是执行效率比后两者高

ag -g a.txt 查找名字为a.txt的文件 ag -i test 忽略大小写搜索包含test的文本 ag -A 5 abc 显示搜索到的包含abc的行以及他之后的5行文本信息

演示:

代码语言:javascript复制
[root@xinsz08-63 ~]# cp  /etc/passwd /root/passwd
[root@xinsz08-63 ~]# ag -A 5 geoc passwd
34:geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin
35-setroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin
36-saned:x:990:984:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
37-gdm:x:42:42::/var/lib/gdm:/sbin/nologin
38-gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin
39-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinPrivilege-separated SSH:/var/empty/sshd:/sbin/nologin

此脚本涉及到系统的安全检测,比如MD5校验,检测常用命令是否被别人改动过,检测是否有挖矿病毒,是否有木马,登陆用户是否正常,等等。

代码语言:javascript复制
#!/usr/bin/env bash

  3 echo ""
  4 echo " ========================================================= "
  5 echo "                  Linux应急响应/信息搜集脚本 V3.0                    / "
  6 echo " ========================================================= "
  7 echo " # 支持Centos、Debian系统检测                    "
  8 echo " # author:al0ne                    "
  9 echo " # https://github.com/al0ne                    "
 10 echo -e "n"
 11 
 12 # WEB Path
 13 # 设置web目录 默认的话是从/目录去搜索 性能较慢
 14 webpath='/'
 15 
 16 echo -e "e[00;31m[ ]环境检测e[00m"
 17 # 验证是否为root权限
 18 if [ $UID -ne 0 ]; then
 19         echo -e "ne[00;33m请使用root权限运行 e[00m"
 20         exit 1
 21 else
 22         echo -e "e[00;32m当前为root权限 e[00m"
 23 fi
 24 
 25 # 验证操作系统是debian系还是centos
 26 OS='None'
 27 
 28 if [ -e "/etc/os-release" ]; then
 29         source /etc/os-release
 30         case ${ID} in
 31         "debian" | "ubuntu" | "devuan")
 32                 OS='Debian'
 33                 ;;
 34         "centos" | "rhel fedora" | "rhel")
 35                 OS='Centos'
 36                 ;;
 37         *) ;;
 38         esac
 39 fi
 40 
 41 if [ $OS = 'None' ]; then
 42         if command -v apt-get >/dev/null 2>&1; then
 43                 OS='Debian'
 44         elif command -v yum >/dev/null 2>&1; then
 45                 OS='Centos'
 46         else
 47                 echo -e "n不支持这个系统n"
 48                 echo -e "已退出"
 49                 exit 1
 50         fi
 51 fi
 52 
 53 #ifconfig
 54 if ifconfig >/dev/null 2>&1; then
 55         echo -e "e[00;32mifconfig已安装 e[00m"
 56 else
 57         if [ $OS = 'Centos' ]; then
 58                 yum -y install net-tools >/dev/null 2>&1
 59         else
 60                 apt-get -y install net-tools >/dev/null 2>&1
 61         fi
 62 
 63 fi
 64 
 65 #Centos安装lsof
 66 if lsof -v >/dev/null 2>&1; then
 69         if [ $OS = 'Centos' ]; then
 70                 yum -y install lsof >/dev/null 2>&1
 71         else
 72                 apt-get -y install lsof >/dev/null 2>&1
 73         fi
 74 
 75 fi
 80 else
 81         if [ $OS = 'Centos' ]; then
 82                 yum -y install the_silver_searcher >/dev/null 2>&1
 83         else
 85         fi
 86 
 87 fi
 88 
 89 echo -e "n"
 90 
 91 # 设置保存文件
 94 filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date  %s)'.log'
 95 
 96 #对比hash,看看有没有系统文件被替换掉
 99         rpm -Va | tee -a $filename
102         debsums -e | ag -v 'OK' | tee -a $filename
107 #当前用户
108 echo -e "USER:tt" $(whoami) 2>/dev/null | tee -a $filename
109 #版本信息
110 echo -e "OS Version:t" $(uname -r) | tee -a $filename
111 #主机名
112 echo -e "Hostname: t" $(hostname -s) | tee -a $filename
113 #uptime
115 #cpu信息
117 #ipaddress
120 echo -e "n" | tee -a $filename
121 
126         "Used " (total-free)/total*100"%"}' | tee -a $filename
127 done
128 echo -e "n" | tee -a $filename
129 #登陆用户
130 echo -e "e[00;31m[ ]登陆用户e[00m" | tee -a $filename
131 who $filename
132 echo -e "n" | tee -a $filename
133 #CPU占用TOP 15
136 #内存占用TOP 15
139 #内存占用
142 echo -e "n" | tee -a $filename
143 #剩余空间
146 echo -e "n" | tee -a $filename
147 echo -e "e[00;31m[ ]硬盘挂载e[00m" | tee -a $filename
149 echo -e "n" | tee -a $filename
150 #ifconfig
151 echo -e "e[00;31m[ ]ifconfige[00m" | tee -a $filename
152 /sbin/ifconfig -a | tee -a $filename
155 echo -e "e[00;31m[ ]网络流量 e[00m" | tee -a $filename
157 awk ' NR>2' /proc/net/dev | while read line; do
158         echo "$line" | awk -F ':' '{print "  "$1"  " $2}' | 
162 #端口监听
163 echo -e "e[00;31m[ ]端口监听e[00m" | tee -a $filename
164 netstat -tulpen | ag 'tcp|udp.*' --nocolor | tee -a $filename
165 echo -e "n" | tee -a $filename
166 #对外开放端口
167 echo -e "e[00;31m[ ]对外开放端口e[00m" | tee -a $filename
169 echo -e "n" | tee -a $filename
170 #网络连接
173 echo -e "n" | tee -a $filename
174 #连接状态
175 echo -e "e[00;31m[ ]TCP连接状态e[00m" | tee -a $filename
177 echo -e "n" | tee -a $filename
180 /sbin/route -nee | tee -a $filename
181 echo -e "n" | tee -a $filename
182 #路由转发
183 echo -e "e[00;31m[ ]路由转发e[00m" | tee -a $filename
185 if [ -n "$ip_forward" ]; then
187 else
188         echo "该服务器未开启路由转发" | tee -a $filename
189 fi
190 echo -e "n" | tee -a $filename
191 #DNS
192 echo -e "e[00;31m[ ]DNS Servere[00m" | tee -a $filename
194 echo -e "n" | tee -a $filename
195 #ARP
196 echo -e "e[00;31m[ ]ARPe[00m" | tee -a $filename
197 arp -n -a | tee -a $filename
198 echo -e "n" | tee -a $filename
199 #混杂模式
200 echo -e "e[00;31m[ ]网卡混杂模式e[00m" | tee -a $filename
201 if ip link | ag PROMISC >/dev/null 2>&1; then
202         echo "网卡存在混杂模式!" | tee -a $filename
203 else
204         echo "网卡不存在混杂模式" | tee -a $filename
205 
206 fi
207 echo -e "n" | tee -a $filename
208 #安装软件
209 echo -e "e[00;31m[ ]常用软件e[00m" | tee -a $filename
210 cmdline=(
211         "which perl"
212         "which gcc"
213         "which g  "
214         "which python"
215         "which php"
216         "which cc"
217         "which go"
218         "which node"
219         "which nodejs"
220         "which bind"
221         "which tomcat"
222         "which clang"
223         "which ruby"
224         "which curl"
225         "which wget"
228         "which ssserver"
229         "which vsftpd"
230         "which java"
231         "which apache"
232         "which nginx"
233         "which git"
234         "which mongodb"
235         "which docker"
236         "which tftp"
237         "which psql"
242         if [ "$soft" ] 2>/dev/null; then
244         fi
245 done
246 echo -e "n" | tee -a $filename
247 #crontab
248 echo -e "e[00;31m[ ]Crontabe[00m" | tee -a $filename
249 crontab -u root -l | ag -v '#' --nocolor | tee -a $filename
250 ls -alht /etc/cron.*/* | tee -a $filename
251 echo -e "n" | tee -a $filename
252 #crontab可疑命令
253 echo -e "e[00;31m[ ]Crontab Backdoor e[00m" | tee -a $filename
255 echo -e "n" | tee -a $filename
256 #env
257 echo -e "e[00;31m[ ]enve[00m" | tee -a $filename
258 env | tee -a $filename
259 echo -e "n" | tee -a $filename
260 #PATH
261 echo -e "e[00;31m[ ]PATHe[00m" | tee -a $filename
262 echo $PATH | tee -a $filename
263 echo -e "n" | tee -a $filename
264 #LD_PRELOAD
265 echo -e "e[00;31m[ ]LD_PRELOADe[00m" | tee -a $filename
266 echo ${LD_PRELOAD} | tee -a $filename
267 echo -e "n" | tee -a $filename
268 #LD_ELF_PRELOAD
269 echo -e "e[00;31m[ ]LD_ELF_PRELOADe[00m" | tee -a $filename
270 echo ${LD_ELF_PRELOAD} | tee -a $filename
271 echo -e "n" | tee -a $filename
274 echo ${LD_LIBRARY_PATH} | tee -a $filename
279 if [ -e "${preload}" ]; then
280         cat ${preload} | tee -a $filename
281 else
282         echo -e "/etc/ld.so.preload 文件不存在" | tee -a $filename
283 fi
284 echo -e "n" | tee -a $filename
285 #passwd信息
286 echo -e "e[00;31m[ ]可登陆用户e[00m" | tee -a $filename
287 cat /etc/passwd | ag -v 'nologin$|false$' | tee -a $filename
288 echo -e "n" | tee -a $filename
290 echo -e "n" | tee -a $filename
293 echo -e "n" | tee -a $filename
294 #防火墙
298 #登陆信息
299 echo -e "e[00;31m[ ]登录信息e[00m" | tee -a $filename
300 w | tee -a $filename
301 echo -e "n" | tee -a $filename
304 lastlog | tee -a $filename
307 echo -e "n" | tee -a $filename
308 #SSH爆破IP
309 echo -e "e[00;31m[ ]SSH爆破e[00m" | tee -a $filename
318 fi
319 echo -e "n" | tee -a $filename
320 #查看history文件
321 echo -e "e[00;31m[ ]Historye[00m" | tee -a $filename
322 ls -alht ~/.*_history | tee -a $filename
323 ls -alht /root/.*_history | tee -a $filename
324 echo -e "n" | tee -a $filename
326 echo -e "n" | tee -a $filename
327 #HOSTS
328 echo -e "e[00;31m[ ]/etc/hosts e[00m" | tee -a $filename
329 cat /etc/hosts | ag -v "#" | tee -a $filename
330 echo -e "n" | tee -a $filename
331 #/etc/profile
334 echo -e "n" | tee -a $filename
335 #/etc/rc.local
336 echo -e "e[00;31m[ ]/etc/rc.local e[00m" | tee -a $filename
337 cat /etc/rc.local | ag -v '#' | tee -a $filename
340 echo -e "e[00;31m[ ]~/.bash_profile e[00m" | tee -a $filename
341 cat ~/.bash_profile | ag -v '#' | tee -a $filename
342 echo -e "n" | tee -a $filename
343 #~/.bashrc
346 echo -e "n" | tee -a $filename
347 #bash反弹shell
348 echo -e "e[00;31m[ ]bash反弹shell e[00m" | tee -a $filename
350 echo -e "n" | tee -a $filename
351 #SSHD
352 echo -e "e[00;31m[ ]SSHD e[00m" | tee -a $filename
353 echo -e "/usr/sbin/sshd"
360 echo -e "n" | tee -a $filename
361 #tmp目录
362 echo -e "e[00;31m[ ]/tmp e[00m" | tee -a $filename
363 ls /tmp /var/tmp /dev/shm -alht | tee -a $filename
364 echo -e "n" | tee -a $filename
365 #alias 别名
372 echo -e "n" | tee -a $filename
378 #近7天改动
381 echo -e "n" | tee -a $filename
382 #近7天改动
387 #有些黑客会将数据库、网站打包成一个文件然后下载
388 echo -e "e[00;31m[ ]大文件>100mb e[00m" | tee -a $filename
424 echo -e "n" | tee -a $filename
425 #挖矿木马检测
426 echo -e "e[00;31m[ ]挖矿木马检测e[00m" | tee -a $filename
428 echo -e "n" | tee -a $filename
429 #Rkhunter查杀
432         rkhunter --checkall --sk | ag -v 'OK|Not found|None found'
433 else
434         if [ -e "rkhunter.tar.gz" ]; then
435                 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
436                 cd rkhunter-1.4.6/
437                 ./installer.sh --install >/dev/null 2>&1
438                 rkhunter --checkall --sk | ag -v 'OK|Not found|Non    e found'
439         else
440                 echo -e "找不到rkhunter.tar.gz尝试下载"
441                 wget https://github.com/al0ne/LinuxCheck/raw/maste    r/rkhunter.tar.gz >/dev/null 2>&1;
442                 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
443                 cd rkhunter-1.4.6/
444                 ./installer.sh --install >/dev/null 2>&1
445                 rkhunter --checkall --sk | ag -v 'OK|Not found|Non    e found'
446         fi
447 fi

执行后如下:

0 人点赞