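#!/bin/bash

#name: safe_check.sh
#Author: lipc
#Date: 2019-11-30
#Version: 1.0
#Notes: host security inspection (baseline audit) script
#
# Runs a fixed list of baseline checks -- password policy, locked/empty
# accounts, idle-logout timeout, listening services, tcp_wrappers rules,
# log forwarding, key-file permissions and mtimes, core-dump limits, a
# keyword-based web-shell/backdoor sweep, network state and basic host
# performance -- and prints a human-readable report on stdout.
#
# Run as root: /etc/shadow, /var/log/secure and the full-filesystem sweep
# are unreadable otherwise. Paths are RHEL/CentOS style (/etc/login.defs,
# /etc/xinetd.d, /var/log/secure); on other distributions some sections
# simply report "not found".
#
# Not strictly read-only, despite the banner printed below:
#   - suspected backdoor samples are copied into a fresh mktemp directory
#     under /tmp (mode 0700) for off-box analysis;
#   - the first run writes an integrity baseline to /etc/md5db.
#
# `set -e` is deliberately not used: most checks are grep/find pipelines
# whose non-zero status means "nothing found", not "error".

# Separator between report sections.
hr() {
  printf '%s\n' '------------------------------------------------------------------------'
}

# svc_active NAME: succeed when service NAME is running. Prefers systemd and
# falls back to SysV `service NAME status` output (the original matched on
# "listening on" / "active (running)").
svc_active() {
  local name=$1
  if command -v systemctl >/dev/null 2>&1; then
    systemctl is-active --quiet "$name" 2>/dev/null
  else
    service "$name" status 2>/dev/null | grep -qE 'listening on|active \(running\)|is running'
  fi
}

# check_mode PATH MODE...: report whether PATH's permission bits match one
# of the accepted MODEs. Uses `stat -L -c %a` (octal, symlinks followed),
# so the result does not depend on the SELinux "." suffix that ls -l appends
# and cannot confuse a permission string with a path (the original tested
# `[ !-f $file6 ]` on the ls output). Missing files are skipped, not failed.
check_mode() {
  local path=$1
  shift
  local mode want
  if [[ ! -e "$path" ]]; then
    echo " [ √ ] ${path}文件不存在,暫略此項"
    return 0
  fi
  mode=$(stat -L -c '%a' -- "$path") || return 1
  for want in "$@"; do
    if [[ "$mode" == "$want" ]]; then
      echo " [ √ ] ${path}文件權限為${mode},符合要求"
      return 0
    fi
  done
  echo " [ X ] ${path}文件權限為${mode},不符合要求,建議設置權限為$1"
  return 1
}

# scan_files EXT PATTERN: NUL-separated list of regular files named *.EXT
# whose contents match the ERE PATTERN. /proc, /sys and /dev are pruned.
# Callers pass PATTERN in single quotes: the original used double quotes,
# so `$query`, `$dbconn`, `$shellname`, ... were expanded by the shell to
# empty strings before grep ever saw them.
scan_files() {
  local ext=$1 pattern=$2
  find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
       -type f -name "*.${ext}" -print0 2>/dev/null \
    | xargs -0 -r grep -ElZ -- "$pattern" 2>/dev/null
}

# scan_and_report EXT PATTERN FOUND_MSG NONE_MSG: run scan_files, print the
# matching paths and copy each one (keeping its directory structure) into
# $SAMPLE_DIR. Keyword matching is a heuristic -- `eval(`, `system32`,
# `cmd.exe`, `setsockopt` also occur in legitimate code -- so every hit
# needs a human look before anything is deleted.
scan_and_report() {
  local ext=$1 pattern=$2 found_msg=$3 none_msg=$4
  local -a hits=()
  local f
  while IFS= read -r -d '' f; do
    hits+=("$f")
  done < <(scan_files "$ext" "$pattern")
  if (( ${#hits[@]} == 0 )); then
    echo "$none_msg"
    return 0
  fi
  echo "$found_msg"
  printf '%s\n' "${hits[@]}"
  for f in "${hits[@]}"; do
    cp --parents -- "$f" "$SAMPLE_DIR" 2>/dev/null
  done
  echo "可疑樣本已拷貝到${SAMPLE_DIR}目錄"
}

# The original blocked on a bare `read key` with no prompt and never used
# the value; make the pause explicit so the operator knows why it waits.
read -r -p "按回車鍵開始檢查: " _

echo "警告:本腳本只是一個檢查的操作,未對服務器做任何修改,管理員可以根據此報告進行相應的設置。"

# Without root most of the interesting checks silently read nothing.
if [[ $EUID -ne 0 ]]; then
  echo "警告:當前不是root用戶,/etc/shadow、/var/log/secure等檢查的結果會不完整。" >&2
fi

echo ---------------------------------------主機安全檢查-----------------------

echo "系統版本"
uname -a
hr

echo "本機的ip地址是:"
# ifconfig is absent on newer systems; fall back to iproute2.
if command -v ifconfig >/dev/null 2>&1; then
  ifconfig | grep --color "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}"
else
  ip -4 addr show | grep --color "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}"
fi
hr

# An account whose hash field does not start with "!" or "*" can log in
# with a password.
awk -F':' '$2 !~ /^[!*]/ {print "("$1")" " 是一個未被鎖定的賬戶,請管理員檢查是否需要鎖定它或者刪除它。"}' /etc/shadow
hr

# Password policy in /etc/login.defs. Matching on $1 skips commented lines.
# The thresholds (90 days / 6 chars / 10 days) are this report's baseline;
# a 6-character minimum is weak by current standards, but the check only
# reports, it does not set anything.
awk '$1=="PASS_MAX_DAYS" && $2!=90 {print "/etc/login.defs里面的"$1 "設置的是"$2"天,請管理員改成90天。"}' /etc/login.defs
hr

awk '$1=="PASS_MIN_LEN" && $2!=6 {print "/etc/login.defs里面的"$1 "設置的是"$2"個字符,請管理員改成6個字符。"}' /etc/login.defs
hr

awk '$1=="PASS_WARN_AGE" && $2!=10 {print "/etc/login.defs里面的"$1 "設置的是"$2"天,請管理員將口令到期警告天數改成10天。"}' /etc/login.defs
hr

# Only an uncommented TMOUT= assignment counts (the original matched the
# word TMOUT anywhere, including commented-out lines).
tmout_re='^[[:space:]]*(export[[:space:]]+)?TMOUT='
if ! grep -Eqs "$tmout_re" /etc/profile /etc/bashrc /etc/profile.d/*.sh; then
  echo "未設置登錄超時限制,請設置之,設置方法:在/etc/profile或者/etc/bashrc里面添加TMOUT=600參數"
fi
hr

if pgrep -l -x xinetd; then
  echo "xinetd 服務正在運行,請檢查是否可以把xinnetd服務關閉"
else
  echo "xinetd 服務未開啟"
fi
hr

echo "查看系統密碼文件修改時間"
ls -l /etc/passwd
hr

echo "查看是否開啟了ssh服務"
if svc_active sshd || svc_active ssh; then
  echo "SSH服務已開啟"
else
  echo "SSH服務未開啟"
fi
hr

echo "查看是否開啟了TELNET服務"
# The xinetd file is normally /etc/xinetd.d/telnet and uses "disable = no"
# with spaces; the original looked for "telnetd" and "disable=no" only.
if grep -Eqs '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' /etc/xinetd.d/telnet /etc/xinetd.d/telnetd \
   || svc_active telnet.socket; then
  echo "TELNET服務已開啟 "
else
  echo "TELNET服務未開啟 "
fi
hr

echo "查看系統SSH遠程訪問設置策略(host.deny拒絕列表)"
# `if a; b; then` only tested b's status in the original; test one grep.
if grep -Es '^[[:space:]]*sshd[[:space:]]*:' /etc/hosts.deny; then
  echo "遠程訪問策略已設置 "
else
  echo "遠程訪問策略未設置 "
fi
hr

echo "查看系統SSH遠程訪問設置策略(hosts.allow允許列表)"
if grep -Es '^[[:space:]]*sshd[[:space:]]*:' /etc/hosts.allow; then
  echo "遠程訪問策略已設置 "
else
  echo "遠程訪問策略未設置 "
fi
# NOTE(review): these files only take effect when sshd is linked against
# libwrap; on distributions that dropped tcp_wrappers they are inert and
# the host firewall / sshd AllowUsers|Match rules are what restricts access.
echo "當hosts.allow和 host.deny相沖突時,以hosts.allow設置為准。"
hr

echo "查看shell是否設置超時鎖定策略"
# bash's idle-logout variable is TMOUT; the original grepped for "TIMEOUT= "
# and therefore always reported "not set".
if grep -Eqs "$tmout_re" /etc/profile; then
  echo "系統設置了超時鎖定策略 "
else
  echo "未設置超時鎖定策略 "
fi
hr

echo "查看syslog日志審計服務是否開啟"
if svc_active rsyslog || svc_active syslog || svc_active syslog-ng; then
  echo "syslog服務已開啟"
else
  echo "syslog服務未開啟,建議通過service syslog start開啟日志審計功能"
fi
hr

echo "查看syslog日志是否開啟外發"
# Classic "@host" (UDP) / "@@host" (TCP) targets or a RainerScript omfwd
# action on an uncommented line of the main config or any drop-in.
if grep -Eqs '^[^#]*(@@?[^[:space:]@]|type="omfwd")' /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
  echo "客戶端syslog日志已開啟外發"
else
  echo "客戶端syslog日志未開啟外發"
fi
hr

echo "查看passwd文件中有哪些特權用戶"
awk -F: '$3==0 {print $1}' /etc/passwd
hr

echo "查看系統中是否存在空口令賬戶"
# An empty second field means no password at all. "!!" (what the original
# matched) means the account is locked / never had a password set, which is
# the opposite condition.
awk -F: '$2=="" {print $1}' /etc/shadow
hr

echo "查看系統中root用戶外連情況"
# -nP: no DNS/service-name lookups; -i: network files only.
# lsof prints the state as LISTEN, not LISTENING.
lsof -nP -u root -i 2>/dev/null | grep -E 'ESTABLISHED|SYN_SENT|LISTEN'

echo -------重要文件權限檢查中------------------------------------------------

check_mode /etc/passwd 644
# 400 or 000 (stat prints 000 as "0"). The original also accepted 644 here,
# i.e. a world-readable /etc/shadow passed as compliant.
# NOTE(review): Debian-family hosts ship 640 root:shadow by default; that
# will show as X under this baseline.
check_mode /etc/shadow 400 0
check_mode /etc/group 644
check_mode /etc/securetty 600
check_mode /etc/services 644
check_mode /etc/xinetd.conf 600
# Bootloader config lives in different places per distribution/version;
# check whichever exist (/etc/grub.conf is usually a symlink, hence stat -L).
grub_found=0
for grub_cfg in /etc/grub.conf /boot/grub/grub.conf /boot/grub2/grub.cfg /boot/grub/grub.cfg; do
  if [[ -e "$grub_cfg" ]]; then
    check_mode "$grub_cfg" 600
    grub_found=1
  fi
done
if [[ $grub_found -eq 0 ]]; then
  echo " [ √ ] /etc/grub.conf文件不存在,暫略此項"
fi
check_mode /etc/lilo.conf 600
hr

echo ----------------------------狀態解釋------------------------------
echo "ESTABLISHED的意思是建立連接。表示兩台機器正在通信。"
echo "LISTEN狀態表示本機正在監聽端口,等待連接"
echo "SYN_SENT狀態表示請求連接"
hr

echo "查看系統中root用戶TCP連接情況"
lsof -nP -u root -i TCP 2>/dev/null
hr

echo "查看系統中存在哪些非系統默認用戶"
# UID_MIN is 500 on RHEL/CentOS 6 and 1000 on most newer distributions;
# read it instead of hard-coding 500.
uid_min=$(awk '$1=="UID_MIN" {print $2}' /etc/login.defs 2>/dev/null)
uid_min=${uid_min:-500}
echo "root:x:“該值大於等於${uid_min}為新創建用戶,小於${uid_min}為系統初始用戶”"
awk -F ':' -v min="$uid_min" '$3>=min {print "/etc/passwd里面的"$1 "的值為"$3",請管理員確認該賬戶是否正常。"}' /etc/passwd
hr

echo "檢查系統守護進程"
grep -v '^#' /etc/xinetd.d/rsync 2>/dev/null
hr

echo "檢查系統是否存在入侵行為"
# Refused connections plus failed / invalid-user logins recorded by sshd.
grep -Es 'refused|Failed password|Invalid user' /var/log/secure
hr

# Samples go into a private (0700) directory. The original dumped them
# straight into /tmp/, where any local user could read them and files with
# the same basename overwrote each other.
SAMPLE_DIR=$(mktemp -d /tmp/safe_check.XXXXXX) || SAMPLE_DIR=/tmp

echo "-----------------------檢查系統是否存在PHP腳本后門---------------------"
# Single-quoted and with `$` escaped so grep sees the literal PHP variable
# names (in an ERE an unescaped `$` is an end-of-line anchor).
php_pat='mysql_query\(\$query, \$dbconn\)|專用網馬|udf.dll|class PHPzip\{|ZIP壓縮程序 荒野無燈修改版|\$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP木馬|eval\(gzuncompress\(base64_decode|if\(empty\(\$_SESSION|\$shellname|\$work_dir |PHP木馬|Array\("\$filename"| eval\(\$_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提權|phpspy|后門'
scan_and_report php "$php_pat" "檢測到PHP腳本后門" "未檢測到PHP腳本后門"
hr

echo "-----------------------檢查系統是否存在JSP腳本后門---------------------"
jsp_pat='InputStreamReader\(this.is\)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提權|jspspy|后門'
scan_and_report jsp "$jsp_pat" "檢測到JSP腳本后門" "未檢測到JSP腳本后門"
hr

echo "----------------------檢查系統是否存在HTML惡意代碼---------------------"
html_pat='WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330'
scan_and_report html "$html_pat" "發現HTML惡意代碼" "未檢測到HTML惡意代碼"
hr

echo "----------------------檢查系統是否存在perl惡意程序----------------------"
perl_pat='SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;'
scan_and_report pl "$perl_pat" "發現perl惡意程序" "未檢測到perl惡意程序"
hr

echo "----------------------檢查系統是否存在Python惡意程序----------------------"
py_pat='execCmd|cat /etc/issue|getAppProc|exploitdb'
scan_and_report py "$py_pat" "發現Python惡意程序" "未檢測到Python惡意程序"
hr

# Tidy up the sample directory if nothing was copied into it.
rmdir "$SAMPLE_DIR" 2>/dev/null

echo "-----------------------檢查系統是否存在惡意程序---------------------"
# Strings typical of old local-root exploits / bots inside executables.
# -perm -111: all three execute bits set (as in the original). The GLIBC
# symbol-version strings also occur in ordinary 32-bit binaries, so expect
# false positives; -l lists file names rather than dumping binary matches.
elf_pat="UpdateProcessER12CUpdateGatesE6C|CmdMsg\.cpp|MiniHttpHelper.cpp|y4'r3 1uCky k1d\!|execve@@GLIBC_2.0|initfini.c|ptmalloc_unlock_all2|_IO_wide_data_2|system@@GLIBC_2.0|socket@@GLIBC_2.0|gettimeofday@@GLIBC_2.0|execl@@GLIBC_2.2.5|WwW.SoQoR.NeT|2.6.17-2.6.24.1.c|Local Root Exploit|close@@GLIBC_2.0|syscall\(\__NR\_vmsplice,|Linux vmsplice Local Root Exploit|It looks like the exploit failed|getting root shell"
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
     -type f -perm -111 -print0 2>/dev/null \
  | xargs -0 -r grep -El -- "$elf_pat" 2>/dev/null
hr

echo "檢查網絡連接和監聽端口"
# net-tools may be missing on newer systems; fall back to iproute2.
if command -v netstat >/dev/null 2>&1; then
  netstat -an
else
  ss -an
fi

echo "--------------------------路由表、網絡連接、接口信息--------------"
if command -v netstat >/dev/null 2>&1; then
  netstat -rn
else
  ip route
fi

echo "------------------------查看網卡詳細信息--------------------------"
if command -v ifconfig >/dev/null 2>&1; then
  ifconfig -a
else
  ip addr
fi
hr

echo "查看正常情況下登錄到本機的所有用戶的歷史記錄"
last
hr

echo -----------內核文件dump配置檢查中---------------------------------------

echo "檢查系統中core文件是否開啟"
# Only "<domain> soft|hard core <value>" lines count; the original walked
# the second field of every uncommented line in limits.conf. A non-zero
# value means core dumps are still allowed, so it is reported as X.
core_limits=$(awk '$1 !~ /^#/ && $3=="core" {print $2, $4}' /etc/security/limits.conf 2>/dev/null)
if [[ -n "$core_limits" ]]; then
  while read -r kind value; do
    if [[ "$value" == "0" ]]; then
      mark='√'
    else
      mark='X'
    fi
    case "$kind" in
      soft) echo -e " [ ${mark} ] 內核文件dump配置檢查[*\tsoft\tcore\t${value}]已經設置" ;;
      hard) echo -e " [ ${mark} ] 內核文件dump配置檢查[*\thard\tcore\t${value}]已經設置" ;;
    esac
  done <<< "$core_limits"
else
  echo -e " [ X ] 沒有設置core,建議在/etc/security/limits.conf中添加[*\tsoft\tcore\t0]和[*\thard\tcore\t0]"
fi

ulimit -c

echo "core是unix系統的內核。當你的程序出現內存越界的時候,操作系統會中止你的進程,並將當前內存狀態倒出到core文件中,以便進一步分析,如果返回結果為0,則是關閉了此功能,系統不會生成core文件"
hr

echo "檢查系統中關鍵文件修改時間"
# stat output is locale-independent; the original parsed ls -l columns,
# which shift with the date format.
for f in /bin/ls /bin/login /etc/passwd /bin/ps /usr/bin/top /etc/shadow; do
  [[ -e "$f" ]] && stat -c '文件名:%n 最后修改時間:%y' -- "$f"
done

echo "ls文件:是存儲ls命令的功能函數,被刪除以后,就無法執行ls命令,黑客可利用篡改ls文件來執行后門或其他程序。

login文件:login是控制用戶登錄的文件,一旦被篡改或刪除,系統將無法切換用戶或登陸用戶

user/bin/passwd是一個命令,可以為用戶添加、更改密碼,但是,用戶的密碼並不保存在/etc/passwd當中,而是保存在了/etc/shadow當中

etc/passwd是一個文件,主要是保存用戶信息。

sbin/portmap是文件轉換服務,缺少該文件后,無法使用磁盤掛載、轉換類型等功能。

bin/ps 進程查看命令功能支持文件,文件損壞或被更改后,無法正常使用ps命令。

usr/bin/top top命令支持文件,是Linux下常用的性能分析工具,能夠實時顯示系統中各個進程的資源占用狀況。

etc/shadow shadow 是 /etc/passwd 的影子文件,密碼存放在該文件當中,並且只有root用戶可讀。"
hr

echo "-------------------查看系統日志文件是否存在--------------------"

log=/var/log/syslog
log2=/var/log/messages

if [[ -e "$log" ]]; then
  echo "syslog日志文件存在! "
else
  echo "/var/log/syslog日志文件不存在! "
fi

if [[ -e "$log2" ]]; then
  echo "/var/log/messages日志文件存在! "
else
  echo "/var/log/messages日志文件不存在! "
fi
hr

echo "檢查系統文件完整性2(MD5檢查)"
echo "該項會獲取部分關鍵文件的MD5值並入庫,默認保存在/etc/md5db中"
echo "第二次重復檢查時,則會對MD5DB中的MD5值進行匹配,來判斷文件是否被更改過"

# NOTE(review): a baseline stored on the audited host is only as
# trustworthy as the host -- an attacker with root can simply regenerate
# /etc/md5db. Keep a copy off-box, or compare against the package manager
# (`rpm -Va` / `debsums`) for a baseline that does not live on the target.
# md5sum is kept so existing /etc/md5db files remain checkable.
md5db="/etc/md5db"

if [[ -e "$md5db" ]]; then
  md5sum -c "$md5db" 2>&1
else
  for f in /etc/passwd /etc/shadow /etc/group /usr/bin/passwd /sbin/portmap /bin/login /bin/ls /bin/ps /usr/bin/top; do
    # Skip absent files (e.g. /sbin/portmap on current systems) instead of
    # logging an error for each one on the first run.
    [[ -e "$f" ]] && md5sum -- "$f" >> "$md5db"
  done
  chmod 600 "$md5db" 2>/dev/null
fi
hr

echo "------------------------主機性能檢查--------------------------------"

echo "CPU檢查"
dmesg | grep -i cpu
hr

more /proc/cpuinfo
hr

echo "內存狀態檢查"
vmstat 2 5
hr

more /proc/meminfo
hr

free -m
hr

echo "文件系統使用情況"
df -h
hr

echo "網卡使用情況"
lspci -tv
hr

echo "查看僵屍進程"
# The original grepped the word "zombie" in ps output, which only ever
# matched the grep itself; zombies are identified by process state Z.
ps -eo pid,ppid,stat,cmd | awk 'NR==1 || $3 ~ /^Z/'
hr

echo "耗CPU最多的進程"
# header + top 5
ps aux --sort=-%cpu | head -n 6
hr

echo "耗內存最多的進程"
ps aux --sort=-%mem | head -n 6
hr
hr
hr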