linux系统安全巡检脚本
Posted Leonardo-li
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux系统安全巡检脚本相关的知识,希望对你有一定的参考价值。
1 #!/bin/bash 2 3 #name: safe_check.sh 4 #Author: lipc 5 #Date: 2019-11-30 6 #Version: 1.0 7 #Notes: 此脚本用来做系统的安全巡检 8 9 read key 10 11 echo "警告:本脚本只是一个检查的操作,未对服务器做任何修改,管理员可以根据此报告进行相应的设置。" 12 13 14 echo ---------------------------------------主机安全检查----------------------- 15 16 echo "系统版本" 17 18 uname -a 19 20 echo -------------------------------------------------------------------------- 21 22 echo "本机的ip地址是:" 23 24 ifconfig | grep --color "([0-9]{1,3}.){3}[0-9]{1,3}" 25 26 echo -------------------------------------------------------------------------- 27 28 awk -F":" ‘{if($2!~/^!|^*/){print "("$1")" " 是一个未被锁定的账户,请管理员检查是否需要锁定它或者删除它。"}}‘ /etc/shadow 29 30 echo -------------------------------------------------------------------------- 31 32 more /etc/login.defs | grep -E "PASS_MAX_DAYS" | grep -v "#" |awk -F‘ ‘ ‘{if($2!=90){print "/etc/login.defs里面的"$1 "设置的是"$2"天,请管理员改成90天。"}}‘ 33 34 echo -------------------------------------------------------------------------- 35 36 more /etc/login.defs | grep -E "PASS_MIN_LEN" | grep -v "#" |awk -F‘ ‘ ‘{if($2!=6){print "/etc/login.defs里面的"$1 "设置的是"$2"个字符,请管理员改成6个字符。"}}‘ 37 38 echo -------------------------------------------------------------------------- 39 40 more /etc/login.defs | grep -E "PASS_WARN_AGE" | grep -v "#" |awk -F‘ ‘ ‘{if($2!=10){print "/etc/login.defs里面的"$1 "设置的是"$2"天,请管理员将口令到期警告天数改成10天。"}}‘ 41 42 echo -------------------------------------------------------------------------- 43 44 grep TMOUT /etc/profile /etc/bashrc > /dev/null|| echo "未设置登录超时限制,请设置之,设置方法:在/etc/profile或者/etc/bashrc里面添加TMOUT=600参数" 45 46 echo -------------------------------------------------------------------------- 47 48 if ps -elf |grep xinet |grep -v "grep xinet";then 49 50 echo "xinetd 服务正在运行,请检查是否可以把xinnetd服务关闭" 51 52 else 53 54 echo "xinetd 服务未开启" 55 56 fi 57 58 echo -------------------------------------------------------------------------- 59 60 echo "查看系统密码文件修改时间" 61 62 ls -ltr /etc/passwd 63 64 echo -------------------------------------------------------------------------- 65 66 echo "查看是否开启了ssh服务" 67 68 if service sshd status | grep -E "listening on|active (running)"; then 69 70 echo "SSH服务已开启" 71 72 else 73 74 echo "SSH服务未开启" 75 76 fi 77 78 echo -------------------------------------------------------------------------- 79 80 echo "查看是否开启了TELNET服务" 81 82 if more /etc/xinetd.d/telnetd 2>&1|grep -E "disable=no"; then 83 84 echo "TELNET服务已开启 " 85 86 else 87 88 echo "TELNET服务未开启 " 89 90 fi 91 92 echo -------------------------------------------------------------------------- 93 94 echo "查看系统SSH远程访问设置策略(host.deny拒绝列表)" 95 96 if more /etc/hosts.deny | grep -E "sshd: ";more /etc/hosts.deny | grep -E "sshd"; then 97 98 echo "远程访问策略已设置 " 99 100 else 101 102 echo "远程访问策略未设置 " 103 104 fi 105 106 echo -------------------------------------------------------------------------- 107 108 echo "查看系统SSH远程访问设置策略(hosts.allow允许列表)" 109 110 if more /etc/hosts.allow | grep -E "sshd: ";more /etc/hosts.allow | grep -E "sshd"; then 111 112 echo "远程访问策略已设置 " 113 114 else 115 116 echo "远程访问策略未设置 " 117 118 fi 119 120 echo "当hosts.allow和 host.deny相冲突时,以hosts.allow设置为准。" 121 122 echo ------------------------------------------------------------------------- 123 124 echo "查看shell是否设置超时锁定策略" 125 126 if more /etc/profile | grep -E "TIMEOUT= "; then 127 128 echo "系统设置了超时锁定策略 " 129 130 else 131 132 echo "未设置超时锁定策略 " 133 134 fi 135 136 echo ------------------------------------------------------------------------- 137 138 echo "查看syslog日志审计服务是否开启" 139 140 if service syslog status | egrep " active (running";then 141 142 echo "syslog服务已开启" 143 144 else 145 146 echo "syslog服务未开启,建议通过service syslog start开启日志审计功能" 147 148 fi 149 150 echo ------------------------------------------------------------------------- 151 152 echo "查看syslog日志是否开启外发" 153 154 if more /etc/rsyslog.conf | egrep "@....|@...|@..|*.* @....|*.* @...|*.* @..";then 155 156 echo "客户端syslog日志已开启外发" 157 158 else 159 160 echo "客户端syslog日志未开启外发" 161 162 fi 163 164 echo ------------------------------------------------------------------------- 165 166 echo "查看passwd文件中有哪些特权用户" 167 168 awk -F: ‘$3==0 {print $1}‘ /etc/passwd 169 170 echo ------------------------------------------------------------------------ 171 172 echo "查看系统中是否存在空口令账户" 173 174 awk -F: ‘($2=="!!") {print $1}‘ /etc/shadow 175 176 echo "该结果不适用于Ubuntu系统" 177 178 echo ------------------------------------------------------------------------ 179 180 echo "查看系统中root用户外连情况" 181 182 lsof -u root |egrep "ESTABLISHED|SYN_SENT|LISTENING" 183 184 echo -------重要文件权限检查中------------------------------------------------ 185 186 file1=`ls -l /etc/passwd | awk ‘{print $1}‘` 187 if [ $file1 = "-rw-r--r--." ];then 188 echo " [ √ ] /etc/passwd文件权限为644,符合要求" 189 else 190 echo " [ X ] /etc/passwd文件权限为[$file1.],不符合要求" 191 fi 192 193 file2=`ls -l /etc/shadow | awk ‘{print $1}‘` 194 if [ $file2 = "-rw-r--r--." ] || [ $file2 = "----------." ];then 195 echo " [ √ ] /etc/shadow文件权限为400或000,符合要求" 196 else 197 echo " [ X ] /etc/shadow文件权限为${file2},不符合要求" 198 fi 199 200 file3=`ls -l /etc/group | awk ‘{print $1}‘` 201 if [ $file3 = "-rw-r--r--." ];then 202 echo " [ √ ] /etc/group文件权限为644,符合要求" 203 else 204 echo " [ X ] /etc/group文件权限为$file3,不符合要求" 205 fi 206 207 file4=`ls -l /etc/securetty | awk ‘{print $1}‘` 208 if [ $file4 = "-rw-------." ];then 209 echo " [ √ ] /etc/security文件权限为600,符合要求" 210 else 211 echo " [ X ] /etc/security文件权限不为600,不符合要求,建议设置权限为600" 212 fi 213 214 file5=`ls -l /etc/services | awk ‘{print $1}‘` 215 if [ $file5 = "-rw-r--r--." ];then 216 echo " [ √ ] /etc/services文件权限为644,符合要求" 217 else 218 echo " [ X ] /etc/services文件权限不为644,不符合要求,建议设置权限为644" 219 fi 220 221 file6=`ls -l /etc/xinetd.conf | awk ‘{print $1}‘` 222 if [ !-f $file6 ];then 223 echo " [ √ ] /etc/xinetd.conf文件不存在,暂略此项" 224 else 225 if [ $file6 = "-rw-------." ];then 226 echo " [ √ ] /etc/xinetd.conf文件权限为600,符合要求" 227 else 228 echo " [ X ] /etc/xinetd.conf文件权限不为600,不符合要求,建议设置权限为600" 229 fi 230 fi 231 232 file7=`ls -l /etc/grub.conf | awk ‘{print $1}‘` 233 if [ $file7 = "-rw-------." ];then 234 echo " [ √ ] /etc/grub.conf文件权限为600,符合要求" 235 else 236 echo " [ X ] /etc/grub.conf文件权限为$file7,不符合要求,建议设置权限为600" 237 fi 238 239 file8=`ls -l /etc/lilo.conf | awk ‘{print $1}‘` 240 if [ -f /etc/lilo.conf ];then 241 if [ $file8 = "-rw-------" ];then 242 echo " [ √ ] /etc/lilo.conf文件权限为600,符合要求" 243 else 244 echo " [ X ] /etc/lilo.conf文件权限不为600,不符合要求,建议设置权限为600" 245 fi 246 else 247 echo " [ √ ] /etc/lilo.conf文件不存在,暂略此项" 248 fi 249 250 echo ------------------------------------------------------------------------ 251 252 253 echo ----------------------------状态解释------------------------------ 254 255 echo "ESTABLISHED的意思是建立连接。表示两台机器正在通信。" 256 257 echo "LISTENING的" 258 259 echo "SYN_SENT状态表示请求连接" 260 261 echo ------------------------------------------------------------------------ 262 263 echo "查看系统中root用户TCP连接情况" 264 265 lsof -u root |egrep "TCP" 266 267 echo ------------------------------------------------------------------------ 268 269 echo "查看系统中存在哪些非系统默认用户" 270 271 echo "root:x:“该值大于500为新创建用户,小于或等于500为系统初始用户”" 272 273 more /etc/passwd |awk -F ":" ‘{if($3>500){print "/etc/passwd里面的"$1 "的值为"$3",请管理员确认该账户是否正常。"}}‘ 274 275 echo ------------------------------------------------------------------------ 276 277 echo "检查系统守护进程" 278 279 more /etc/xinetd.d/rsync | grep -v "^#" 280 281 echo ------------------------------------------------------------------------ 282 283 echo "检查系统是否存在入侵行为" 284 285 more /var/log/secure |grep refused 286 287 echo ------------------------------------------------------------------------ 288 289 echo "-----------------------检查系统是否存在php脚本后门---------------------" 290 291 if find / -type f -name *.php | xargs egrep -l "mysql_query($query, $dbconn)|专用网马|udf.dll|class PHPzip{|ZIP压缩程序 荒野无灯修改版|$writabledb|AnonymousUserName|eval(|Root_CSS()|黑狼PHP木马|eval(gzuncompress(base64_decode|if(empty($_SESSION|$shellname|$work_dir |PHP木马|Array("$filename"| eval($_POST[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提权|phpspy|后门" |sort -n|uniq -c |sort -rn 1>/dev/null 2>&1;then 292 293 echo "检测到PHP脚本后门" 294 295 find / -type f -name *.php | xargs egrep -l "mysql_query($query, $dbconn)|专用网马|udf.dll|class PHPzip{|ZIP压缩程序 荒野无灯修改版|$writabledb|AnonymousUserName|eval(|Root_CSS()|黑狼PHP木马|eval(gzuncompress(base64_decode|if(empty($_SESSION|$shellname|$work_dir |PHP木马|Array("$filename"| eval($_POST[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提权|phpspy|后门" |sort -n|uniq -c |sort -rn 296 297 find / -type f -name *.php | xargs egrep -l "mysql_query($query, $dbconn)|专用网马|udf.dll|class PHPzip{|ZIP压缩程序 荒野无灯修改版|$writabledb|AnonymousUserName|eval(|Root_CSS()|黑狼PHP木马|eval(gzuncompress(base64_decode|if(empty($_SESSION|$shellname|$work_dir |PHP木马|Array("$filename"| eval($_POST[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提权|phpspy|后门" |sort -n|uniq -c |sort -rn |awk ‘{print $2}‘ | xargs -I{} cp {} /tmp/ 298 299 echo "后门样本已拷贝到/tmp/目录" 300 301 else 302 303 echo "未检测到PHP脚本后门" 304 305 fi 306 307 echo ------------------------------------------------------------------------ 308 309 echo "-----------------------检查系统是否存在JSP脚本后门---------------------" 310 311 find / -type f -name *.jsp | xargs egrep -l "InputStreamReader(this.is)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提权|jspspy|后门" |sort -n|uniq -c |sort -rn 2>&1 312 313 find / -type f -name *.jsp | xargs egrep -l "InputStreamReader(this.is)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提权|jspspy|后门" |sort -n|uniq -c |sort -rn| awk ‘{print $2}‘ | xargs -I{} cp {} /tmp/ 2>&1 314 315 echo ------------------------------------------------------------------------ 316 317 echo "----------------------检查系统是否存在html恶意代码---------------------" 318 319 if find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" 1>/dev/null 2>&1;then 320 321 echo "发现HTML恶意代码" 322 323 find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" |sort -n|uniq -c |sort -rn 324 325 find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" |sort -n|uniq -c |sort -rn| awk ‘{print $2}‘ | xargs -I{} cp {} /tmp/ 326 327 echo "后门样本已拷贝到/tmp/目录" 328 329 else 330 331 echo "未检测到HTML恶意代码" 332 333 fi 334 335 echo "----------------------检查系统是否存在perl恶意程序----------------------" 336 337 if find / -type f -name *.pl | xargs egrep -l "SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;" 1>/dev/null 2>&1;then 338 339 echo "发现perl恶意程序" 340 341 find / -type f -name *.pl | xargs egrep -l "SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;"|sort -n|uniq -c |sort -rn 342 343 find / -type f -name *.pl | xargs egrep -l "SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;"|sort -n|uniq -c |sort -rn| awk ‘{print $2}‘ | xargs -I{} cp {} /tmp/ 344 345 echo "可疑样本已拷贝到/tmp/目录" 346 347 else 348 349 echo "未检测到perl恶意程序" 350 351 fi 352 353 echo "----------------------检查系统是否存在Python恶意程序----------------------" 354 355 find / -type f -name *.py | xargs egrep -l "execCmd|cat /etc/issue|getAppProc|exploitdb" |sort -n|uniq -c |sort -rn 356 357 find / -type f -name *.py | xargs egrep -l "execCmd|cat /etc/issue|getAppProc|exploitdb" |sort -n|uniq -c |sort -rn| awk ‘{print $2}‘ | xargs -I{} cp {} /tmp/ 358 359 echo ------------------------------------------------------------------------ 360 361 echo "-----------------------检查系统是否存在恶意程序---------------------" 362 363 find / -type f -perm -111 |xargs egrep "UpdateProcessER12CUpdateGatesE6C|CmdMsg.cpp|MiniHttpHelper.cpp|y4‘r3 1uCky k1d!|execve@@GLIBC_2.0|initfini.c|ptmalloc_unlock_all2|_IO_wide_data_2|system@@GLIBC_2.0|socket@@GLIBC_2.0|gettimeofday@@GLIBC_2.0|execl@@GLIBC_2.2.5|WwW.SoQoR.NeT|2.6.17-2.6.24.1.c|Local Root Exploit|close@@GLIBC_2.0|syscall(\__NR\_vmsplice,|Linux vmsplice Local Root Exploit|It looks like the exploit failed|getting root shell" 2>/dev/null 364 365 echo ------------------------------------------------------------------------ 366 367 echo "检查网络连接和监听端口" 368 369 netstat -an 370 371 echo "--------------------------路由表、网络连接、接口信息--------------" 372 373 netstat -rn 374 375 echo "------------------------查看网卡详细信息--------------------------" 376 377 ifconfig -a 378 379 echo ------------------------------------------------------------------------ 380 381 echo "查看正常情况下登录到本机的所有用户的历史记录" 382 383 last 384 385 echo ------------------------------------------------------------------------ 386 387 echo -----------内核文件dump配置检查中--------------------------------------- 388 389 echo "检查系统中core文件是否开启" 390 391 cat /etc/security/limits.conf | grep -v ^# | grep core 392 if [ $? = 0 ];then 393 #soft=`cat /etc/security/limits.conf| grep -V ^# | grep core | awk {print $2}` 394 soft=`cat /etc/security/limits.conf| grep -v ‘^#‘ | awk ‘{print $2}‘` &> /dev/null 395 for i in $soft 396 do 397 if [ $i = "soft" ];then 398 echo -e " [ √ ] 内核文件dump配置检查[* soft core 0]已经设置" 399 fi 400 if [ $i = "hard" ];then 401 echo -e " [ √ ] 内核文件dump配置检查[* hard core 0]已经设置" 402 fi 403 done 404 else 405 echo -e " [ X ] 没有设置core,建议在/etc/security/limits.conf中添加[* soft core 0]和[* hard core 0]" 406 fi 407 408 ulimit -c 409 410 echo "core是unix系统的内核。当你的程序出现内存越界的时候,操作系统会中止你的进程,并将当前内存状态倒出到core文件中,以便进一步分析,如果返回结果为0,则是关闭了此功能,系统不会生成core文件" 411 412 echo ------------------------------------------------------------------------ 413 414 echo "检查系统中关键文件修改时间" 415 416 ls -ltr /bin/ls /bin/login /etc/passwd /bin/ps /usr/bin/top /etc/shadow|awk ‘{print "文件名:"$8" ""最后修改时间:"$6" "$7}‘ 417 418 echo "ls文件:是存储ls命令的功能函数,被删除以后,就无法执行ls命令,黑客可利用篡改ls文件来执行后门或其他程序。 419 420 login文件:login是控制用户登录的文件,一旦被篡改或删除,系统将无法切换用户或登陆用户 421 422 user/bin/passwd是一个命令,可以为用户添加、更改密码,但是,用户的密码并不保存在/etc/passwd当中,而是保存在了/etc/shadow当中 423 424 etc/passwd是一个文件,主要是保存用户信息。 425 426 sbin/portmap是文件转换服务,缺少该文件后,无法使用磁盘挂载、转换类型等功能。 427 428 bin/ps 进程查看命令功能支持文件,文件损坏或被更改后,无法正常使用ps命令。 429 430 usr/bin/top top命令支持文件,是Linux下常用的性能分析工具,能够实时显示系统中各个进程的资源占用状况。 431 432 etc/shadow shadow 是 /etc/passwd 的影子文件,密码存放在该文件当中,并且只有root用户可读。" 433 434 echo -------------------------------------------------------------------------- 435 436 echo "-------------------查看系统日志文件是否存在--------------------" 437 438 log=/var/log/syslog 439 440 log2=/var/log/messages 441 442 if [ -e "$log" ]; then 443 444 echo "syslog日志文件存在! " 445 446 else 447 448 echo "/var/log/syslog日志文件不存在! " 449 450 fi 451 452 if [ -e "$log2" ]; then 453 454 echo "/var/log/messages日志文件存在! " 455 456 else 457 458 echo "/var/log/messages日志文件不存在! " 459 460 fi 461 462 echo -------------------------------------------------------------------------- 463 464 echo "检查系统文件完整性2(MD5检查)" 465 466 echo "该项会获取部分关键文件的MD5值并入库,默认保存在/etc/md5db中" 467 468 echo "如果第一次执行,则会提示md5sum: /sbin/portmap: 没有那个文件或目录" 469 470 echo "第二次重复检查时,则会对MD5DB中的MD5值进行匹配,来判断文件是否被更改过" 471 472 file="/etc/md5db" 473 474 if [ -e "$file" ]; then md5sum -c /etc/md5db 2>&1; 475 476 else 477 478 md5sum /etc/passwd >>/etc/md5db 479 480 md5sum /etc/shadow >>/etc/md5db 481 482 md5sum /etc/group >>/etc/md5db 483 484 md5sum /usr/bin/passwd >>/etc/md5db 485 486 md5sum /sbin/portmap>>/etc/md5db 487 488 md5sum /bin/login >>/etc/md5db 489 490 md5sum /bin/ls >>/etc/md5db 491 492 md5sum /bin/ps >>/etc/md5db 493 494 md5sum /usr/bin/top >>/etc/md5db; 495 496 fi 497 498 echo ---------------------------------------------------------------------- 499 500 echo "------------------------主机性能检查--------------------------------" 501 502 echo "CPU检查" 503 504 dmesg | grep -i cpu 505 506 echo ----------------------------------------------------------------------- 507 508 more /proc/cpuinfo 509 510 echo ----------------------------------------------------------------------- 511 512 echo "内存状态检查" 513 514 vmstat 2 5 515 516 echo ----------------------------------------------------------------------- 517 518 more /proc/meminfo 519 520 echo ----------------------------------------------------------------------- 521 522 free -m 523 524 echo ----------------------------------------------------------------------- 525 526 echo "文件系统使用情况" 527 528 df -h 529 530 echo ----------------------------------------------------------------------- 531 532 echo "网卡使用情况" 533 534 lspci -tv 535 536 echo ---------------------------------------------------------------------- 537 538 echo "查看僵尸进程" 539 540 ps -ef | grep zombie 541 542 echo ---------------------------------------------------------------------- 543 544 echo "耗CPU最多的进程" 545 546 ps auxf |sort -nr -k 3 |head -5 547 548 echo ---------------------------------------------------------------------- 549 550 echo "耗内存最多的进程" 551 552 ps auxf |sort -nr -k 4 |head -5 553 554 echo ---------------------------------------------------------------------- 555 556 echo --------------------------------------------------------------------- 557 558 559 echo ---------------------------------------------------------------------
以上是关于linux系统安全巡检脚本的主要内容,如果未能解决你的问题,请参考以下文章