linux安全基線配置

現(xiàn)在大多數(shù)企業(yè)都是使用linux作為服務(wù)器，不僅是linux是開源系統(tǒng)，更是因為linux比windows更安全。但是由于管理員的安全意識不全或者疏忽，導(dǎo)致linux的敏感端口和服務(wù)沒有正確的配置，可能會被惡意利用，所以需要進(jìn)行基線加固。

1.基線

即安全基線配置，諸如操作系統(tǒng)、中間件和數(shù)據(jù)庫的一個整體配置，這個版本中各項配置都符合安全方面的標(biāo)準(zhǔn)。比如在系統(tǒng)安裝后需要按安全基線標(biāo)準(zhǔn)，將新機器中各項配置調(diào)整到一個安全、高效、合理的數(shù)值。

2.基線掃描

使用自動化工具、抓取系統(tǒng)和服務(wù)的配置項。將抓取到的實際值和標(biāo)準(zhǔn)值進(jìn)行對比，將不符合的項顯示出來，最終以報告 的形式體現(xiàn)出掃描結(jié)果有的工具將配置采集和配置對比分開，通過自動化腳本采集配置后再通過特別的軟件轉(zhuǎn)換為適合人類閱讀的文檔

3.基線加固自動化腳本的編寫

本篇文章主要是記錄和學(xué)習(xí)安全加固腳本，首先放幾張安全加固shell腳本的命令語法：

基本命令語法介紹完了，借用網(wǎng)上的腳本來學(xué)習(xí)：

在執(zhí)行腳本前需要提前做好備份：

#!/bin/bash
cp/etc/login.defs/etc/login.defs.bak
cp/etc/security/limits.conf/etc/security/limits.conf.bak
cp/etc/pam.d/su/etc/pam.d/su.bak
cp/etc/profile/etc/profile.bak
cp/etc/issue.net/etc/issue.net.bak
cp/etc/shadow/etc/shadow.bak
cp/etc/passwd/etc/passwd.bak
cp/etc/pam.d/passwd/etc/pam.d/passwd.bak
cp/etc/pam.d/common-password/etc/pam.d/common-password.bak
cp/etc/host.conf/etc/host.conf.bak
cp/etc/hosts.allow/etc/hosts.allow.bak
cp/etc/ntp.conf/etc/ntp.conf.bak
cp-p/etc/sysctl.conf/etc/sysctl.conf.bak
echo"============備份完成=================="

1. 檢查是否設(shè)置口令更改最小間隔天數(shù)

MINDAY=`cat-n/etc/login.defs|grep-v".*#.*"|grepPASS_MIN_DAYS|awk'{print$1}'`
sed-i''$MINDAY's/.*PASS_MIN_DAYS.*/PASS_MIN_DAYS6/'/etc/login.defs
echo"檢查口令更改最小間隔天數(shù)完成"

2.檢查是否設(shè)置口令過期前警告天數(shù)

WARNAGE=`cat-n/etc/login.defs|grep-v".*#.*"|grepPASS_WARN_AGE|awk'{print$1}'`
sed-i''$WARNAGE's/.*PASS_WARN.*/PASS_WARN_AGE30/'/etc/login.defs
echo"檢查口令過期前警告天數(shù)完成"

3.檢查口令生存周期

MAXDAY=`cat-n/etc/login.defs|grep-v".*#.*"|grepPASS_MAX_DAYS|awk'{print$1}'`
sed-i''$MAXDAY's/.*PASS_MAX.*/PASS_MAX_DAYS90/'/etc/login.defs
echo"檢查口令生存周期完成"

4.檢查口令最小長度

MINLEN=`cat-n/etc/login.defs|grep-v".*#.*"|grepPASS_MIN_LEN|awk'{print$1}'`
sed-i''$MINDAY's/.*PASS_MIN_LEN.*/PASS_MIN_LEN6/'/etc/login.defs
echo"檢查口令最小長度"

5.檢查是否設(shè)置grub，lilo密碼

grub="/etc/menu.lst"
if[!-x"$grub"];then
touch"$grub"
echopassword=123456>>"$grub"
else
echopassword=123456>>"$grub"
fi
lilo="/etc/lilo.conf"
if[!-x"$lilo"];then
touch"$lilo"
echopassword=123456>>"$lilo"
else
echopassword=123456>>"$lilo"
fi

6.檢查是否設(shè)置core

c=`cat-n/etc/security/limits.conf|grep"#root"|awk'{print$1}'`
d=`cat-n/etc/security/limits.conf|grep"#root"|awk'{print$5}'`
sed-i''$c's/$d/0/g'/etc/security/limits.conf
echo"設(shè)置*hardcore0完成"
e=`cat-n/etc/security/limits.conf|grepsoft|grepcore|awk'{print$1}'`
f=`cat-n/etc/security/limits.conf|grepsoft|grepcore|awk'{print$5}'`
sed-i''$e's/'$f'/0/g'/etc/security/limits.conf
echo"設(shè)置*softcore0完成"

7.檢查系統(tǒng)是否禁用ctrl+alt+del組合

a=`cat-n/etc/control-alt-delete.conf|grep-v"#"|grep/sbin/shutdown|awk'{print$1}'`
if[-z$a];then
echook
else
sed-i''$a's/^/#/'/etc/control-alt-delete.conf
fi

8.檢查保留歷史記錄文件的大小與數(shù)量

echo"HISTFILESIZE=5">>/etc/profile
echo"檢查保留歷史命令的記錄文件大小完成"
echo"HISTSIZE=5">>/etc/profile
echo"檢查保留歷史命令的條數(shù)完成"

9.檢查是否使用PAM認(rèn)證模塊禁止wheel組之外的用戶su為root

10.檢查是否刪除了/etc/issue.net文件

if[-f/etc/issue.net]
then
mv/etc/issue.net/etc/issue.net.bak
else
echo"issue.net文件不存在"
fi
if[-f/etc/issue]
then
mv/etc/issue/etc/issue.bak
else
echo"issue文件不存在"
fi

11.是否刪除與設(shè)備運行，維護(hù)等工作無關(guān)的賬戶

12.檢查密碼重復(fù)使用次數(shù)限制

13.檢查是否配置賬戶認(rèn)證失敗次數(shù)限制

cd/etc/pam.d
if[-fsystem-auth];then
cp/etc/pam.d/system-auth/etc
#num=`grep-n"md5"/etc/system-auth|cut-d":"-f1`
#sed-i''$num'rs/$/remember=5'/etc/system-auth
kk=`cat-n/etc/system-auth|grep-v".*#.*"|grepmd5|awk'{print$1}'`
echo$kk
version="passwordsufficientpam_unix.somd5shadownulloktry_first_passuse_authtokremember=500"
sed-i""$kk"c$version"/etc/system-auth
letter=`cat-n/etc/system-auth|greppassword|greprequisite|awk'{print$1}'`
sed-i''$letter's/pam_cracklib.so/&ucredit=-1lcredit=-1dcredit=-1/'/etc/pam.d/system-auth
fi

14.檢查是否配置關(guān)閉IP偽裝與綁定

snu=`cat/etc/host.conf|awk'{print$2}'`
if["$snu"="on"];then
echo"沒有關(guān)閉ip偽裝"
fi
sed-i's/on/off/g'/etc/host.conf
echo"關(guān)閉IP偽裝完成"

15.檢查/etc/hosts配置

if[-fhosts.allow];then
cp/etc/hosts.allow/etc/
echo"allall">>/etc/hosts.allow
echo"sshdall">>/etc/hosts.allow
fi
cd/etc
if[-fhosts.deny];then
cp/etc/hosts.deny/etc/
echo"all:all">>/etc/hosts.deny
fi

16.檢查相關(guān)服務(wù)狀態(tài)

17.檢查重要文件是否存在suid和sgid權(quán)限

find/usr/bin/chage/usr/bin/gpasswd/usr/bin/wall/usr/bin/chfn/usr/bin/chsh/usr/bin/newgrp/usr/bin/write/usr/sbin/usernetctl/usr/sbin/traceroute/bin/mount/bin/umount/bin/ping/sbin/netreport-typef-perm+60002>/dev/null>file.txt
if[-sfile.txt];then
echo" find。。這條命令有輸出"
foriin`catfile.txt`
do
chmod755$idoneelse
echo"find 。。這條命令沒有輸出"
fi

18.其他

19.權(quán)限設(shè)置

chmod644/etc/passwd
chmod644/etc/group
chmod400/etc/shadow
#chmod600/etc/xinetd.conf
chmod644/etc/services
chmod600/etc/security
chmod600/etc/grub.conf
chmod600/boot/grub/grub.conf
chmod600/etc/lilo.conf
echo"文件權(quán)限設(shè)置完成"

經(jīng)典綜合腳本鑒賞：

1、

echo---------------開始--------------------
echo---------------aboutkey----------------
cd/etc
if[-flogin.defs];then
cp/etc/login.defs/home/test1
MINDAY=`cat-n/home/test1/login.defs|grep-v".*#.*"|grepPASS_MIN_DAYS|awk'{print$1}'`
sed-i''$MINDAY's/.*PASS_MIN_DAYS.*/PASS_MIN_DAYS6/'/home/test1/login.defs
WARNAGE=`cat-n/home/test1/login.defs|grep-v".*#.*"|grepPASS_WARN_AGE|awk'{print$1}'`
sed-i''$WARNAGE's/.*PASS_WARN.*/PASS_WARN_AGE30/'/home/test1/login.defs
MAXDAY=`cat-n/home/test1/login.defs|grep-v".*#.*"|grepPASS_MAX_DAYS|awk'{print$1}'`
sed-i''$MAXDAY's/.*PASS_MAX.*/PASS_MAX_DAYS90/'/home/test1/login.defs
MINLEN=`cat-n/home/test1/login.defs|grep-v".*#.*"|grepPASS_MIN_LEN|awk'{print$1}'`
sed-i''$MINDAY's/.*PASS_MIN_LEN.*/PASS_MIN_LEN6/'/home/test1/login.defs
fi
echo--------------------ok---------------------------
echo-------------------stopthedel------------------------
cd/etc/init
if[-fcontrol-alt-delete.conf];then
cp/etc/init/control-alt-delete.conf/home/test1
#delete=`grep-n"/sbin/shutdown-rnow"/home/test1/control-alt-delete.conf|cut-d":"-f1`
#sed-i''$delete'rs/^/#/'/home/test1/control-alt-delete.conf
#cp/etc/init/control-alt-delete.conf/home/test1
#num1=`grep-n"/sbin/shutdown"/home/test1/control-alt-delete.conf|cut-d""-f1`
#sed-i''$num'rs/^/#/'/home/test1/control-alt-delete.conf
#a=`cat-n/home/test1/control-alt-delete.conf|grep-v"#"|grep"/sbin/shutdown"|awk'{print$1}'`
#text=`sed-n"$a"p/home/test1/control-alt-delete.conf`
#sed-i''$a'c#'$text''/home/test1/control-alt-delete.conf
a=`cat-n/home/test1/control-alt-delete.conf|grep-v"#"|grep/sbin/shutdown|awk'{print$1}'`
if[-z$a];then
echook
else
sed-i''$a's/^/#/'/home/test1/control-alt-delete.conf
fi
fi
echo---------------------ok---------------------------------------
echo------------------------grubandlilokey------------------------
grub="/home/test1/menu.lst"
if[!-x"$grub"];then
touch"$grub"
echopassword=123456>>"$grub"
else
echopassword=123456>>"$grub"
fi
lilo="/home/test1/lilo.conf"
if[!-x"$lilo"];then
touch"$lilo"
echopassword=123456>>"$lilo"
else
echopassword=123456>>"$lilo"
fi
echo---------------------ok--------------------------------------
echo----------------------thehistoryofmouthpasswd------------------
cd/etc
if[-fprofile];then
cp/etc/profile/home/test1
#num=`sed-n/home/test1/profile|grepHISTFILESIZE|awk'{print$1}'`
#/home/test1/profile|sed$num'cHISTFILESIZE=5'
echo"HISTFILESIZE=5">>/home/test1/profile
echo"ulimit-S-cunlimited">>/home/test1/profile
fi
echo-------------------------ok---------------------
echo------------------------issue-----------------
#issu="/etc/issue.net"
cd/etc
if[-fissue.net];then
cpissue.net/home/test1/issue.net.bak
echook
fi
echook
if[-fissue];then
cpissue/home/test1/issue.bak
echook
fi
echo-----------------------allow/denyip-------------------
cd/etc
if[-fhosts.allow];then
cp/etc/hosts.allow/home/test1
echo"allall">>/home/test1/hosts.allow
echo"sshdall">>/home/test1/hosts.allow
fi
cd/etc
if[-fhosts.deny];then
cp/etc/hosts.deny/home/test1
echo"all:all">>/home/test1/hosts.deny
fi
echo-----------------ok------------------------
#/etc/init.d/xinetdrestart
echo-----------------------------coredump-------------------
cd/etc/security
if[-flimits.conf];then
cp/etc/security/limits.conf/home/test1
echo"*softcore0">>/home/test1/limits.conf
echo"*hardcore0">>/home/test1/limits.conf
fi
echo--------------ok-------------------------
echo----------------------------passwdrepeat---------------------
cd/etc/pam.d
if[-fsystem-auth];then
cp/etc/pam.d/system-auth/home/test1
#num=`grep-n"md5"/home/test1/system-auth|cut-d":"-f1`
#sed-i''$num'rs/$/remember=5'/home/test1/system-auth
kk=`cat-n/home/test1/system-auth|grep-v".*#.*"|grepmd5|awk'{print$1}'`
echo$kk
version="passwordsufficientpam_unix.somd5shadownulloktry_first_passuse_authtokremember=500"
sed-i""$kk"c$version"/home/test1/system-auth
letter=`cat-n/home/test1/system-auth|greppassword|greprequisite|awk'{print$1}'`
sed-i''$letter's/pam_cracklib.so/&ucredit=-1lcredit=-1dcredit=-1/'/etc/pam.d/system-auth
fi
echo-----------------ok--------------------
echo--------------------超出退出--------------
cd/etc
if[-fprofile];then
cp/etc/profile/home/test1
echo"exportTMOUT=600">>/home/test1/profile
fi
echo------------------ok-------------------
echo------------------權(quán)限-------------------
chmod644/etc/passwd
chmod644/etc/group
chmod400/etc/shadow
#chmod600/etc/xinetd.conf
chmod644/etc/services
chmod600/etc/security
chmod600/etc/grub.conf
chmod600/boot/grub/grub.conf
chmod600/etc/lilo.conf

echo------------------unmask--------------------
cp/etc/csh.cshrc/home/test1
cp/etc/csh.login/home/test1
cp/etc/bashrc/home/test1
cp/etc/profile/home/test1
sed-i'11s/.*umask.*/umask077/'/home/test1/csh.cshrc

sed-i'58s/.*umask.*/umask077/'/home/test1/csh.login

sed-i'66s/.*UMASK.*/UMASK077/'/home/test1/bashrc

sed-i'62s/.*umask.*/umask077/'/home/test1/profile
echo--------------------beforeloginbanner-------------------
cd/etc
if[-fssh_banner];then
touch/etc/ssh_banner
chownbin:bin/etc/ssh_banner
chmod644/etc/ssh_banner
echo"Authorizedonly.Allactivitywillbemonitoredandreported">/etc/ssh_banner
fi
echo-----------------------ok----------------------------
echo-------------------stoprootsshlogin------------------
cp/etc/pam.d/login/home/test1
echo"authrequiredpam_securetty.so">>/home/test1/login
cp/etc/ssh/sshd_config/home/test1
echo"Banner/etc/ssh_banner">>/home/test1/sshd_config
echo"PermitRootLoginno">>/home/test1/sshd_config
servicesshdrestart
echo-------------------------ok-------------------
echo--------------------openssh----------------------------
openssh=`cat-n/home/test1/sshd_config|grep-v".*#.*"|grepProtocol|awk'{print$1}'`
sed-i''$openssh's/.*Protocol.*/Protocol2/'/home/test1/sshd_config
echo-------------ok---------------------------

2、

#!/bin/bash
readkey
echo"警告：本腳本只是一個檢查的操作，未對服務(wù)器做任何修改，管理員可以根據(jù)此報告進(jìn)行相應(yīng)的設(shè)置。"
echo---------------------------------------主機安全檢查-----------------------
echo"系統(tǒng)版本"
uname-a
echo--------------------------------------------------------------------------
echo"本機的ip地址是："
ifconfig|grep--color"([0-9]{1,3}.){3}[0-9]{1,3}"
echo--------------------------------------------------------------------------
awk-F":"'{if($2!~/^!|^*/){print "("$1")""是一個未被鎖定的賬戶，請管理員檢查是否需要鎖定它或者刪除它。"}}'/etc/shadow
echo--------------------------------------------------------------------------
more/etc/login.defs|grep-E"PASS_MAX_DAYS"|grep-v"#"|awk-F'''{if($2!=90){print "/etc/login.defs里面的"$1 "設(shè)置的是"$2"天，請管理員改成90天。"}}'
echo--------------------------------------------------------------------------
more/etc/login.defs|grep-E"PASS_MIN_LEN"|grep-v"#"|awk-F'''{if($2!=6){print "/etc/login.defs里面的"$1 "設(shè)置的是"$2"個字符，請管理員改成6個字符。"}}'
echo--------------------------------------------------------------------------
more/etc/login.defs|grep-E"PASS_WARN_AGE"|grep-v"#"|awk-F'''{if($2!=10){print "/etc/login.defs里面的"$1 "設(shè)置的是"$2"天，請管理員將口令到期警告天數(shù)改成10天。"}}'
echo--------------------------------------------------------------------------
grepTMOUT/etc/profile/etc/bashrc>/dev/null||echo"未設(shè)置登錄超時限制，請設(shè)置之，設(shè)置方法：在/etc/profile或者/etc/bashrc里面添加TMOUT=600參數(shù)"
echo--------------------------------------------------------------------------
ifps-elf|grepxinet|grep-v"grepxinet";then
echo"xinetd服務(wù)正在運行，請檢查是否可以把xinnetd服務(wù)關(guān)閉"
else
echo"xinetd服務(wù)未開啟"
fi
echo--------------------------------------------------------------------------
echo"查看系統(tǒng)密碼文件修改時間"
ls-ltr/etc/passwd
echo--------------------------------------------------------------------------
echo"查看是否開啟了ssh服務(wù)"
ifservicesshdstatus|grep-E"listeningon|active(running)";then
echo"SSH服務(wù)已開啟"
else
echo"SSH服務(wù)未開啟"
fi
echo--------------------------------------------------------------------------
echo"查看是否開啟了TELNET服務(wù)"
ifmore/etc/xinetd.d/telnetd2>&1|grep-E"disable=no";then
echo"TELNET服務(wù)已開啟"
else
echo"TELNET服務(wù)未開啟"
fi
echo--------------------------------------------------------------------------
echo"查看系統(tǒng)SSH遠(yuǎn)程訪問設(shè)置策略(host.deny拒絕列表)"
ifmore/etc/hosts.deny|grep-E"sshd:";more/etc/hosts.deny|grep-E"sshd";then
echo"遠(yuǎn)程訪問策略已設(shè)置"
else
echo"遠(yuǎn)程訪問策略未設(shè)置"
fi
echo--------------------------------------------------------------------------
echo"查看系統(tǒng)SSH遠(yuǎn)程訪問設(shè)置策略(hosts.allow允許列表)"
ifmore/etc/hosts.allow|grep-E"sshd:";more/etc/hosts.allow|grep-E"sshd";then
echo"遠(yuǎn)程訪問策略已設(shè)置"
else
echo"遠(yuǎn)程訪問策略未設(shè)置"
fi
echo"當(dāng)hosts.allow和 host.deny相沖突時，以hosts.allow設(shè)置為準(zhǔn)。"
echo-------------------------------------------------------------------------
echo"查看shell是否設(shè)置超時鎖定策略"
ifmore/etc/profile|grep-E"TIMEOUT=";then
echo"系統(tǒng)設(shè)置了超時鎖定策略"
else
echo"未設(shè)置超時鎖定策略"
fi
echo-------------------------------------------------------------------------
echo"查看syslog日志審計服務(wù)是否開啟"
ifservicesyslogstatus|egrep"active(running";then
echo"syslog服務(wù)已開啟"
else
echo"syslog服務(wù)未開啟，建議通過servicesyslogstart開啟日志審計功能"
fi
echo-------------------------------------------------------------------------
echo"查看syslog日志是否開啟外發(fā)"
ifmore/etc/rsyslog.conf|egrep"@....|@...|@..|*.*@....|*.*@...|*.*@..";then
echo"客戶端syslog日志已開啟外發(fā)"
else
echo"客戶端syslog日志未開啟外發(fā)"
fi
echo-------------------------------------------------------------------------
echo"查看passwd文件中有哪些特權(quán)用戶"
awk-F:'$3==0{print$1}'/etc/passwd
echo------------------------------------------------------------------------
echo"查看系統(tǒng)中是否存在空口令賬戶"
awk-F:'($2=="!!"){print$1}'/etc/shadow
echo"該結(jié)果不適用于Ubuntu系統(tǒng)"
echo------------------------------------------------------------------------
echo"查看系統(tǒng)中root用戶外連情況"
lsof-uroot|egrep"ESTABLISHED|SYN_SENT|LISTENING"
echo----------------------------狀態(tài)解釋------------------------------
echo"ESTABLISHED的意思是建立連接。表示兩臺機器正在通信。"
echo"LISTENING的"
echo"SYN_SENT狀態(tài)表示請求連接"
echo------------------------------------------------------------------------
echo"查看系統(tǒng)中root用戶TCP連接情況"
lsof-uroot|egrep"TCP"
echo------------------------------------------------------------------------
echo"查看系統(tǒng)中存在哪些非系統(tǒng)默認(rèn)用戶"
echo"root“該值大于500為新創(chuàng)建用戶，小于或等于500為系統(tǒng)初始用戶”"
more/etc/passwd|awk-F":"'{if($3>500){print "/etc/passwd里面的"$1 "的值為"$3"，請管理員確認(rèn)該賬戶是否正常。"}}'
echo------------------------------------------------------------------------
echo"檢查系統(tǒng)守護(hù)進(jìn)程"
more/etc/xinetd.d/rsync|grep-v"^#"
echo------------------------------------------------------------------------
echo"檢查系統(tǒng)是否存在入侵行為"
more/var/log/secure|greprefused
echo------------------------------------------------------------------------
echo"-----------------------檢查系統(tǒng)是否存在PHP腳本后門---------------------"
iffind/-typef-name*.php|xargsegrep-l"mysql_query($query,$dbconn)|專用網(wǎng)馬|udf.dll|classPHPzip{|ZIP壓縮程序荒野無燈修改版|$writabledb|AnonymousUserName|eval(|Root_CSS()|黑狼PHP木馬|eval(gzuncompress(base64_decode|if(empty($_SESSION|$shellname|$work_dir|PHP木馬|Array("$filename"|eval($_POST[|classpackdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documentsandsettings|system32|serv-u|提權(quán)|phpspy|后門"|sort-n|uniq-c|sort-rn1>/dev/null2>&1;then
echo"檢測到PHP腳本后門"
find/-typef-name*.php|xargsegrep-l"mysql_query($query,$dbconn)|專用網(wǎng)馬|udf.dll|classPHPzip{|ZIP壓縮程序荒野無燈修改版|$writabledb|AnonymousUserName|eval(|Root_CSS()|黑狼PHP木馬|eval(gzuncompress(base64_decode|if(empty($_SESSION|$shellname|$work_dir|PHP木馬|Array("$filename"|eval($_POST[|classpackdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documentsandsettings|system32|serv-u|提權(quán)|phpspy|后門"|sort-n|uniq-c|sort-rn
find/-typef-name*.php|xargsegrep-l"mysql_query($query,$dbconn)|專用網(wǎng)馬|udf.dll|classPHPzip{|ZIP壓縮程序荒野無燈修改版|$writabledb|AnonymousUserName|eval(|Root_CSS()|黑狼PHP木馬|eval(gzuncompress(base64_decode|if(empty($_SESSION|$shellname|$work_dir|PHP木馬|Array("$filename"|eval($_POST[|classpackdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documentsandsettings|system32|serv-u|提權(quán)|phpspy|后門"|sort-n|uniq-c|sort-rn|awk'{print$2}'|xargs-I{}cp{}/tmp/
echo"后門樣本已拷貝到/tmp/目錄"
else
echo"未檢測到PHP腳本后門"
fi
echo------------------------------------------------------------------------
echo"-----------------------檢查系統(tǒng)是否存在JSP腳本后門---------------------"
find/-typef-name*.jsp|xargsegrep-l"InputStreamReader(this.is)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documentsandsettings|system32|serv-u|提權(quán)|jspspy|后門"|sort-n|uniq-c|sort-rn2>&1
find/-typef-name*.jsp|xargsegrep-l"InputStreamReader(this.is)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documentsandsettings|system32|serv-u|提權(quán)|jspspy|后門"|sort-n|uniq-c|sort-rn|awk'{print$2}'|xargs-I{}cp{}/tmp/2>&1
echo------------------------------------------------------------------------
echo"----------------------檢查系統(tǒng)是否存在HTML惡意代碼---------------------"
iffind/-typef-name*.html|xargsegrep-l"WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a=prototype;|204.351.440.495.232.315.444.550.64.330"1>/dev/null2>&1;then
echo"發(fā)現(xiàn)HTML惡意代碼"
find/-typef-name*.html|xargsegrep-l"WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a=prototype;|204.351.440.495.232.315.444.550.64.330"|sort-n|uniq-c|sort-rn
find/-typef-name*.html|xargsegrep-l"WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a=prototype;|204.351.440.495.232.315.444.550.64.330"|sort-n|uniq-c|sort-rn|awk'{print$2}'|xargs-I{}cp{}/tmp/
echo"后門樣本已拷貝到/tmp/目錄"
else
echo"未檢測到HTML惡意代碼"
fi
echo"----------------------檢查系統(tǒng)是否存在perl惡意程序----------------------"
iffind/-typef-name*.pl|xargsegrep-l"SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::INET;"1>/dev/null2>&1;then
echo"發(fā)現(xiàn)perl惡意程序"
find/-typef-name*.pl|xargsegrep-l"SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::INET;"|sort-n|uniq-c|sort-rn
find/-typef-name*.pl|xargsegrep-l"SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::INET;"|sort-n|uniq-c|sort-rn|awk'{print$2}'|xargs-I{}cp{}/tmp/
echo"可疑樣本已拷貝到/tmp/目錄"
else
echo"未檢測到perl惡意程序"
fi
echo"----------------------檢查系統(tǒng)是否存在Python惡意程序----------------------"
find/-typef-name*.py|xargsegrep-l"execCmd|cat/etc/issue|getAppProc|exploitdb"|sort-n|uniq-c|sort-rn
find/-typef-name*.py|xargsegrep-l"execCmd|cat/etc/issue|getAppProc|exploitdb"|sort-n|uniq-c|sort-rn|awk'{print$2}'|xargs-I{}cp{}/tmp/
echo------------------------------------------------------------------------
echo"-----------------------檢查系統(tǒng)是否存在惡意程序---------------------"
find/-typef-perm-111|xargsegrep"UpdateProcessER12CUpdateGatesE6C|CmdMsg.cpp|MiniHttpHelper.cpp|y4'r31uCkyk1d!|execve@@GLIBC_2.0|initfini.c|ptmalloc_unlock_all2|_IO_wide_data_2|system@@GLIBC_2.0|socket@@GLIBC_2.0|gettimeofday@@GLIBC_2.0|execl@@GLIBC_2.2.5|WwW.SoQoR.NeT|2.6.17-2.6.24.1.c|LocalRootExploit|close@@GLIBC_2.0|syscall(\__NR\_vmsplice,|LinuxvmspliceLocalRootExploit|Itlooksliketheexploitfailed|gettingrootshell"2>/dev/null
echo------------------------------------------------------------------------
echo"檢查網(wǎng)絡(luò)連接和監(jiān)聽端口"
netstat-an
echo"--------------------------路由表、網(wǎng)絡(luò)連接、接口信息--------------"
netstat-rn
echo"------------------------查看網(wǎng)卡詳細(xì)信息--------------------------"
ifconfig-a
echo------------------------------------------------------------------------
echo"查看正常情況下登錄到本機的所有用戶的歷史記錄"
last
echo------------------------------------------------------------------------
echo"檢查系統(tǒng)中core文件是否開啟"
ulimit-c
echo"core是unix系統(tǒng)的內(nèi)核。當(dāng)你的程序出現(xiàn)內(nèi)存越界的時候,操作系統(tǒng)會中止你的進(jìn)程,并將當(dāng)前內(nèi)存狀態(tài)倒出到core文件中,以便進(jìn)一步分析，如果返回結(jié)果為0，則是關(guān)閉了此功能，系統(tǒng)不會生成core文件"
echo------------------------------------------------------------------------
echo"檢查系統(tǒng)中關(guān)鍵文件修改時間"
ls-ltr/bin/ls/bin/login/etc/passwd/bin/ps/usr/bin/top/etc/shadow|awk'{print "文件名："$8"""最后修改時間："$6""$7}'
echo"ls文件：是存儲ls命令的功能函數(shù)，被刪除以后，就無法執(zhí)行l(wèi)s命令，黑客可利用篡改ls文件來執(zhí)行后門或其他程序。
login文件：login是控制用戶登錄的文件，一旦被篡改或刪除，系統(tǒng)將無法切換用戶或登陸用戶
user/bin/passwd是一個命令，可以為用戶添加、更改密碼，但是，用戶的密碼并不保存在/etc/passwd當(dāng)中，而是保存在了/etc/shadow當(dāng)中
etc/passwd是一個文件，主要是保存用戶信息。
sbin/portmap是文件轉(zhuǎn)換服務(wù)，缺少該文件后，無法使用磁盤掛載、轉(zhuǎn)換類型等功能。
bin/ps 進(jìn)程查看命令功能支持文件，文件損壞或被更改后，無法正常使用ps命令。
usr/bin/top  top命令支持文件，是Linux下常用的性能分析工具,能夠?qū)崟r顯示系統(tǒng)中各個進(jìn)程的資源占用狀況。
etc/shadow shadow 是/etc/passwd 的影子文件，密碼存放在該文件當(dāng)中，并且只有root用戶可讀。"
echo--------------------------------------------------------------------------
echo"-------------------查看系統(tǒng)日志文件是否存在--------------------"
log=/var/log/syslog
log2=/var/log/messages
if[-e"$log"];then
echo"syslog日志文件存在！"
else
echo"/var/log/syslog日志文件不存在！"
fi
if[-e"$log2"];then
echo"/var/log/messages日志文件存在！"
else
echo"/var/log/messages日志文件不存在！"
fi
echo--------------------------------------------------------------------------
echo"檢查系統(tǒng)文件完整性2(MD5檢查)"
echo"該項會獲取部分關(guān)鍵文件的MD5值并入庫，默認(rèn)保存在/etc/md5db中"
echo"如果第一次執(zhí)行，則會提示md5sum:/sbin/portmap:沒有那個文件或目錄"
echo"第二次重復(fù)檢查時，則會對MD5DB中的MD5值進(jìn)行匹配，來判斷文件是否被更改過"
file="/etc/md5db"
if[-e"$file"];thenmd5sum-c/etc/md5db2>&1;
else
md5sum/etc/passwd>>/etc/md5db
md5sum/etc/shadow>>/etc/md5db
md5sum/etc/group>>/etc/md5db
md5sum/usr/bin/passwd>>/etc/md5db
md5sum/sbin/portmap>>/etc/md5db
md5sum/bin/login>>/etc/md5db
md5sum/bin/ls>>/etc/md5db
md5sum/bin/ps>>/etc/md5db
md5sum/usr/bin/top>>/etc/md5db;
fi
echo----------------------------------------------------------------------
echo"------------------------主機性能檢查--------------------------------"
echo"CPU檢查"
dmesg|grep-icpu
echo-----------------------------------------------------------------------
more/proc/cpuinfo
echo-----------------------------------------------------------------------
echo"內(nèi)存狀態(tài)檢查"
vmstat25
echo-----------------------------------------------------------------------
more/proc/meminfo
echo-----------------------------------------------------------------------
free-m
echo-----------------------------------------------------------------------
echo"文件系統(tǒng)使用情況"
df-h
echo-----------------------------------------------------------------------
echo"網(wǎng)卡使用情況"
lspci-tv
echo----------------------------------------------------------------------
echo"查看僵尸進(jìn)程"
ps-ef|grepzombie
echo----------------------------------------------------------------------
echo"耗CPU最多的進(jìn)程"
psauxf|sort-nr-k3|head-5
echo----------------------------------------------------------------------
echo"耗內(nèi)存最多的進(jìn)程"
psauxf|sort-nr-k4|head-5

審核編輯：郭婷