【Linux】运维常用shell脚本

1 Linux系统

1.1 找出占用CPU 内存过高的进程
# Top five lines by CPU share, then by resident-memory share; the ps header row is
# the first of the five, so four processes are shown each time.
ps -eo user,pid,pcpu,pmem,args --sort=-pcpu | head -5
ps -eo user,pid,pcpu,pmem,args --sort=-pmem | head -5
1.2 一键查看服务器资源利用率
#!/bin/bash
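#######################################
# Print overall CPU utilisation and the I/O-wait share three times, one second apart.
# Each sample comes from ONE vmstat call so that both fields describe the same instant;
# the original called vmstat once per field (four calls per sample) and also computed
# user/sys values it never printed.
# Globals:   none
# Arguments: none
# Outputs:   one line per sample on stdout
#######################################
function cpu() {
    local sample util iowait
    for sample in 1 2 3; do
        # vmstat's third line is the first real sample; $15 and $16 are the columns the
        # original used for "idle" (100-$15 = busy) and "wait"
        read -r util iowait < <(vmstat | awk 'NR==3{print 100-$15"%", $16"%"}')
        echo "CPU - 使用率: $util , 等待磁盘IO响应使用率: $iowait"
        sleep 1
    done
}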

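#######################################
# Print total / used / remaining memory in GiB with one decimal.
# One `free -m` call instead of three, so all three numbers come from the same snapshot.
# Globals:   none
# Arguments: none
# Outputs:   one line on stdout
#######################################
function memory() {
    local total used available
    # second line of `free -m` is the Mem row; $2 = total, $NF = last column (the column the
    # original treated as "remaining" — on procps-ng that is "available"; confirm for your version)
    read -r total used available < <(free -m | awk 'NR==2{printf "%.1f %.1f %.1f\n", $2/1024, ($2-$NF)/1024, $NF/1024}')
    echo "内存 - 总大小: ${total}G , 使用: ${used}G , 剩余: ${available}G"
}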

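#######################################
# Print mount point, size, used space and use% for every /dev-backed filesystem.
# One pass over `df -h`; the original re-ran df five times per filesystem and spliced the
# device name into the awk program unquoted.
# Globals:   none
# Arguments: none
# Outputs:   one line per filesystem on stdout
#######################################
function disk() {
    local fs size used avail used_percent mounted
    while read -r fs size used avail used_percent mounted; do
        echo "硬盘 - 挂载点: $mounted , 总大小: $size , 使用: $used , 使用率: $used_percent"
    done < <(df -h | awk '/^\/dev/{print $1, $2, $3, $4, $5, $NF}')
}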

#######################################
# Count `ss -antp` lines per state column and print them as "STATE:count" pairs
# (the header line is counted under "State", as in the original).
# Globals:   none
# Arguments: none
# Outputs:   one line on stdout
#######################################
function tcp_status() {
    local summary
    summary=$(ss -antp | awk '{status[$1]++} END{for (i in status) printf i":"status[i]" "}')
    printf '%s\n' "TCP连接状态 - $summary"
}

# Run the four report sections in order.
for section in cpu memory disk tcp_status; do
    "$section"
done
1.3 批量主机远程执行命令
#!/bin/bash
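# Run the same command on every host listed in HOST_INFO, driving ssh through expect so the
# password prompt is answered automatically.
# HOST_INFO format, one host per line, lines starting with '#' ignored:  IP USER PORT PASSWORD
# Usage: ./script.sh <command...>
COMMAND=$*
HOST_INFO=host.info

[ -n "$COMMAND" ] || { echo "usage: ${0##*/} <command>" >&2; exit 1; }
[ -r "$HOST_INFO" ] || { echo "$HOST_INFO: cannot read host list" >&2; exit 1; }

# Each record is read once (the original re-grepped the file per field). Password and command
# reach expect through its environment ($env(...)) instead of being interpolated into the -c
# script, so they are not visible in `ps` and are not re-parsed by Tcl.
while read -r IP USER PORT PASS; do
    [ -n "$IP" ] || continue
    IP="$IP" USER="$USER" PORT="$PORT" PASS="$PASS" COMMAND="$COMMAND" expect -c '
       spawn ssh -p $env(PORT) $env(USER)@$env(IP)
       expect {
          "(yes/no)" {send "yes\r"; exp_continue}
          "password:" {send "$env(PASS)\r"; exp_continue}
          "$env(USER)@*" {send "$env(COMMAND)\r exit\r"; exp_continue}
       }
    '
    echo "-------------------"
done < <(awk '/^[^#]/{print $1, $2, $3, $4}' "$HOST_INFO")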
1.4 批量创建用户并设置密码
#!/bin/bash
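# Create each user named on the command line and assign it a random password.
# Usage: ./script.sh user1 user2 ...   (run as root)
# The original iterated over $USER_LIST, which was never assigned (the arguments went into
# DATE), so the loop body never ran.
USER_FILE=user.txt

(( $# >= 1 )) || { echo "usage: ${0##*/} user..." >&2; exit 1; }

# The file receives plaintext passwords: make it owner-only before anything is written to it.
( umask 077; touch "$USER_FILE" )
chmod 600 "$USER_FILE"

for USER in "$@"; do
    if ! id "$USER" &>/dev/null; then
        # 12 random alphanumerics from /dev/urandom; "$RANDOM | md5sum" had only 32768 possible values
        PASS=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12)
        useradd "$USER"
        echo "$PASS" | passwd --stdin "$USER" &>/dev/null
        echo "$USER   $PASS" >> "$USER_FILE"
        echo "$USER User create successful."
    else
        echo "$USER User already exists!"
    fi
done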
1.5 目录文件变化监控和实时文件同步
#!/bin/bash
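# Re-sync MON_DIR to /tmp/opt every time a file is created under it
# (inotifywait: -m monitor forever, -q quiet, -r recursive).
MON_DIR=/opt
inotifywait -mqr --format %f -e create "$MON_DIR" |
while IFS= read -r files; do
    # the original hard-coded /opt here; using MON_DIR keeps watch path and sync path together
    # (no trailing slash, so rsync creates /tmp/opt/<basename of MON_DIR>, as before)
    rsync -avz "$MON_DIR" /tmp/opt
    #echo "$(date +'%F %T') create $files" | mail -s "dir monitor" xxx@163.com
done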
1.6 服务器系统配置初始化脚本
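#!/bin/bash
# One-shot host initialisation for CentOS/RHEL 6 and 7: timezone, time sync, SELinux off,
# firewall off, shell history timestamps, idle timeout, no root ssh, no cron mail, ulimits,
# a few sysctl values, swappiness and a basic tool set. Run as root; appends are guarded so
# the script can be re-run. (The original shebang read "#/bin/bash" — the "!" was missing.)

# timezone and time sync
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # -f: /etc/localtime normally already exists
if ! crontab -l 2>/dev/null | grep -q ntpdate; then
    # NOTE: "* 1 * * *" fires every minute from 01:00 to 01:59; use "0 1 * * *" if once a day was meant
    (echo "* 1 * * * ntpdate time.windows.com >/dev/null 2>&1"; crontab -l 2>/dev/null) | crontab -
fi

# disable selinux at next boot (only rewrites "permissive"; an "enforcing" value is left as is)
sed -i '/SELINUX/{s/permissive/disabled/}' /etc/selinux/config

# stop the firewall
if grep -Eq "7.[0-9]" /etc/redhat-release; then
    systemctl stop firewalld
    systemctl disable firewalld
elif grep -Eq "6.[0-9]" /etc/redhat-release; then
    service iptables stop
    chkconfig iptables off
fi

# timestamp every shell-history entry
if ! grep -q HISTTIMEFORMAT /etc/bashrc; then
    echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/bashrc
fi

# idle shell timeout, seconds
if ! grep -q "TMOUT=600" /etc/profile; then
    echo "export TMOUT=600" >> /etc/profile
fi

# no root login over ssh (only the commented default is rewritten; an explicit
# "PermitRootLogin yes" is not touched)
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

# stop cron from mailing root
sed -i 's/^MAILTO=root/MAILTO=""/' /etc/crontab

# max open files
if ! grep -qF "* soft nofile 65535" /etc/security/limits.conf; then
    # the heredoc terminator must start in column 0 — the original indented it, so the
    # heredoc ran to the end of the script
    cat >> /etc/security/limits.conf << EOF
* soft nofile 65535
* hard nofile 65535
EOF
fi

# kernel tuning (written to sysctl.conf only; run `sysctl -p` or reboot to apply)
if ! grep -q "net.ipv4.tcp_syncookies" /etc/sysctl.conf; then
    cat >> /etc/sysctl.conf << EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_tw_buckets = 20480
net.ipv4.tcp_max_syn_backlog = 20480
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_fin_timeout = 20
EOF
fi

# prefer RAM over swap (this write is not persistent across reboots)
echo "0" > /proc/sys/vm/swappiness

# tooling — NOTE: "iostat" is a command shipped by sysstat, not a package, and "iotp"
# looks like a typo for "iotop"; check the list against your repositories
yum install gcc make autoconf vim sysstat net-tools iostat iftop iotp lrzsz -y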
1.7 网卡流量监控
#!/bin/bash
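#Description: NIC throughput monitor — bytes/s sent and received, refreshed every second
#Usage: script.sh <interface>     (--help prints this)
# Counters are read from /sys/class/net/<if>/statistics, whose files are stable across
# net-tools versions; the original parsed `ifconfig` with `cut -f6`, whose meaning depends
# on the ifconfig output layout of the installed net-tools release.

# print usage when no interface was given or --help was asked for
if [ -z "$1" ] || [ "$1" == "--help" ]; then      # the original had "$1"] — the missing space was a syntax error
  cat << EOF
$0 网卡名称
--help 打印帮助菜单
EOF
  exit 1
fi

NIC=$1
STATS=/sys/class/net/$NIC/statistics
if [ ! -d "$STATS" ]; then
  printf '%s: no such interface\n' "$NIC" >&2
  exit 1
fi

# first sample
NIC_RX=$(<"$STATS/rx_bytes")
NIC_TX=$(<"$STATS/tx_bytes")
sleep 1

# sample once per second and print the delta since the previous sample
while :; do
  NIC_RX_1=$(<"$STATS/rx_bytes")
  NIC_TX_1=$(<"$STATS/tx_bytes")
  clear
  printf '\t%s 网卡流量监控\n' "$NIC"
  echo "----------------------------------------"
  printf '网卡: %s\n\n' "$NIC"
  printf '发送:\t%dB/s\t接收:\t%dB/s\n' "$((NIC_TX_1 - NIC_TX))" "$((NIC_RX_1 - NIC_RX))"
  NIC_RX=$NIC_RX_1
  NIC_TX=$NIC_TX_1
  sleep 1
done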
1.8 cpu核数,内存,存储
# Logical CPU count (one "processor" line each), total RAM, then mounted filesystems.
grep -c "processor" /proc/cpuinfo; grep MemTotal /proc/meminfo; df -h
1.9 等保2.0初始化(root用户执行)

加强Linux系统的安全性,特别是针对用户账号管理和SSH访问控制方面,同时也提供了一些基于环境自定义的安全配置建议。

#!/bin/bash

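#######################################
# Check a candidate password against the policy shown to the operator: at least 8
# characters, must not contain the user name, and at least three of the four classes
# digit / lower-case / upper-case / other.
# Arguments: $1 - user name, $2 - password
# Returns:   0 if the password is acceptable, 1 otherwise
#######################################
check_passwd() {
    local user=$1 passwd=$2
    local dcredit=0 lcredit=0 ucredit=0 ocredit=0 class=0
    local i ch

    [ ${#passwd} -lt 8 ] && return 1
    # literal substring test: the original used =~ with an unquoted $user, so regex
    # metacharacters in a user name were interpreted instead of matched
    [[ $passwd == *"$user"* ]] && return 1

    for ((i = 0; i < ${#passwd}; i++)); do
        ch=${passwd:i:1}
        # POSIX classes rather than [a-z]/[A-Z]: in some locales [a-z] also matches upper case
        case $ch in
            [[:digit:]])
                ((dcredit++))
                [ "$dcredit" -eq 1 ] && ((class++))
                ;;
            [[:lower:]])
                ((lcredit++))
                [ "$lcredit" -eq 1 ] && ((class++))
                ;;
            [[:upper:]])
                ((ucredit++))
                [ "$ucredit" -eq 1 ] && ((class++))
                ;;
            *)
                ((ocredit++))
                [ "$ocredit" -eq 1 ] && ((class++))
                ;;
        esac
    done
    [ "$class" -ge 3 ] && return 0
    return 1
}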

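# 1. The operator creates an admin account by hand; root logins are disabled further down.
echo "确保管理员账号通过提权方式管理系统,禁止直接通过root登录管理,因此需要用户手动创建一个管理员账号。"
echo "注意账号密码需要满足复杂度要求: "
echo "  1.长度不小于8位"
echo "  2.至少包含3类字符(大写字母、小写字母、特殊符号、数字)"
echo "  3.不得包含用户名"

# retry until useradd accepts the name (the original ran useradd once, then looped on $?)
read -r -p "请输入要创建的管理员用户:" user
until useradd "$user"; do
    echo "无效的管理员用户名, 无法执行useradd命令"
    read -r -p "请重新输入要创建的管理员用户: " user
done

# password: must pass check_passwd, be typed twice, and be accepted by passwd(1)
rc=1
echo "请输入管理员用户${user}的密码:"
until [ "$rc" -eq 0 ]; do
    # -r keeps backslashes literal; quoting keeps a password containing spaces as one argument
    read -r -s passwd
    if ! check_passwd "$user" "$passwd"; then
        rc=1
        echo "密码复杂度不满足要求,请重新输入:"
    else
        echo "请再次确认密码:"
        read -r -s confirm_passwd
        if [ "$passwd" != "$confirm_passwd" ]; then
            echo "两次输入密码不一致,请重新输入:"
            rc=1
        elif printf '%s\n' "$passwd" | passwd --stdin "$user" > /dev/null; then
            rc=0
        else
            echo "密码复杂度不满足要求,请重新输入:"
            rc=1
        fi
    fi
done

# add the new admin to wheel so su/sudo work; -a appends instead of replacing the group list
usermod -aG wheel "$user"

# the original drops SELinux to permissive around chage — presumably because chage was
# denied in enforcing mode; confirm that this is still needed before keeping it
semode=$(sestatus | grep "Current mode:" | awk -F: '{print $2}' | tr -d ' ')
[[ $semode == "enforcing" ]] && setenforce 0

# password ageing: at most 90 days, at least 7 days between changes
chage --maxdays 90 "$user"
chage --mindays 7 "$user"

[[ $semode == "enforcing" ]] && setenforce 1

# 2. home directories readable by owner and group only
chmod 750 /home/*

# 3. no root login over ssh — ask sshd for its effective configuration instead of grepping the file
var=$(sshd -T -C user=root -C addr=localhost | grep -iE "\s*permitrootlogin\s+([^#]+,)?yes\b")
if [ -n "$var" ]; then
    # line number of the first existing PermitRootLogin directive, if any
    line=$(awk '$1 == "PermitRootLogin"{print NR; exit}' /etc/ssh/sshd_config)
    PermitRootLogin="PermitRootLogin no"

    if [ -n "$line" ]; then
       sed -i "${line} c ${PermitRootLogin}" /etc/ssh/sshd_config
    else
       echo "$PermitRootLogin" >> /etc/ssh/sshd_config
    fi
    # validate the edited file before restarting, so a bad edit cannot lock everyone out
    sshd -t && systemctl restart sshd
fi

echo -e "\n\033[31;49;1m root账号已经被禁止登录系统,请使用新创建的管理员账号${user}登录并使用su或sudo命令提权管理系统。\033[39;49;0m\n"

echo -e "\033[32;49;1m 加固完成,下面部分加固项需要您根据实际部署情况选择手动修改配置加固。\033[39;49;0m"
echo "------------------------------------------------------------------------------------"
echo "等保要求:“应通过设定终端接入方式或网络地址范围对通过网络进行管理的管理终端进行限制”。"
echo -e "\n1、应当配置SSH服务侦听IP地址,请根据实际部署情况选择性配置,如果只有1个网卡无需配置。"
echo -e "\t修改/etc/ssh/sshd_config文件,在ListenAddress字段后设置相应的IP地址,如果有多个可以设置多行,例如:"
echo -e "\tListenAddress <ip addr 1>\n\tListenAddress <ip addr 2>"
echo "2、应当配置认证黑白名单,请根据实际部署情况选择性配置,如果只有1个账号可以登录可以忽略本项。"
echo -e "\t修改/etc/ssh/sshd_config文件,添加相关Allow或Deny字段,可以任意组合,例如:"
echo -e "\tAllowUsers <user1>\n\tAllowGroups <group1>\n\tDenyUsers <user2>\n\tDenyGroups <group2>"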
1.10 审计,记录登录用户及ip具体操作
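# Command audit log: who ran what, from where, recorded before every prompt.
# The file is append-only (chattr +a) and not readable by ordinary users, but every user
# must be able to append to it — hence the unusual 002 mode.
touch /var/log/usermonit.log
chmod 002 /var/log/usermonit.log
chattr +a /var/log/usermonit.log

# show the current last line of /etc/profile before the hook is appended (sanity check only)
tail -1 /etc/profile

# Append the line below to /etc/profile. The page's copy had lost the "$" signs and
# backslashes around the awk fields and the "$cmd" expansion; this is the reconstructed
# form, with the user-controlled parts passed as printf arguments rather than inside the
# date format string. Log line: "<date> ##### <user tty (host)> #### <last command>".
# A user can still unset PROMPT_COMMAND in their own shell, so treat this as an
# accountability aid rather than tamper-proof auditing (auditd covers that case).
export PROMPT_COMMAND='{ printf "%s ##### %s #### %s\n" "$(date "+%y-%m-%d %T")" "$(who am i | awk "{print \$1\" \"\$2\" \"\$5}")" "$(history 1 | { read -r x cmd; echo "$cmd"; })"; } >>/var/log/usermonit.log'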

2 中间件及日志

2.1 监控nginx日志,Dos攻击防范(自动屏蔽攻击IP)
#!/bin/bash
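# Drop client IPs that produced more than MAX_REQ requests in the current minute.
# Meant to run from cron once a minute; already-banned addresses are skipped.
# NOTE: $1 of the log is the peer address — behind a reverse proxy or CDN that is the
# proxy, and dropping it cuts off all traffic; use the forwarded-for field in that setup.
DATE=$(date +%d/%b/%Y:%H:%M)
LOG_FILE=/usr/local/nginx/logs/demo2.access.log   # nginx access log to watch
MAX_REQ=100                                       # requests per minute before an IP is dropped

# the minute stamp is matched as a fixed string and the threshold is passed to awk with -v
# instead of being hard-coded in the program text
ABNORMAL_IP=$(tail -n 5000 "$LOG_FILE" | grep -F -- "$DATE" | awk -v max="$MAX_REQ" '{a[$1]++} END{for (i in a) if (a[i] > max) print i}')
for IP in $ABNORMAL_IP; do
    # iptables -C checks for the exact rule; the original grepped the listing, where
    # "1.2.3.4" also matched "11.2.3.45"
    if ! iptables -C INPUT -s "$IP" -j DROP 2>/dev/null; then
        iptables -I INPUT -s "$IP" -j DROP
        echo "$(date +'%F_%T') $IP" >> /tmp/drop_ip.log
    fi
done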
2.2 nginx 访问日志按天切割
#!/bin/bash
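# Daily nginx access-log rotation: move yesterday's log into a YYYY-MM folder and tell nginx
# to reopen its log files. Run from cron just after midnight.
LOG_DIR=/usr/local/nginx/logs
YESTERDAY_TIME=$(date -d "yesterday" +%F)
LOG_MONTH_DIR=$LOG_DIR/$(date +"%Y-%m")
LOG_FILE_LIST="default.access.log"
NGINX_PID_FILE=/var/run/nginx.pid

mkdir -p "$LOG_MONTH_DIR" || exit 1   # once, outside the loop

for LOG_FILE in $LOG_FILE_LIST; do
    # skip names that are not there instead of letting mv fail
    [ -f "$LOG_DIR/$LOG_FILE" ] || continue
    mv "$LOG_DIR/$LOG_FILE" "$LOG_MONTH_DIR/${LOG_FILE}_${YESTERDAY_TIME}"
done

# USR1 makes nginx reopen its log files; with no pid file there is nothing to signal
if [ -r "$NGINX_PID_FILE" ]; then
    kill -USR1 "$(cat "$NGINX_PID_FILE")"
else
    echo "$NGINX_PID_FILE not found; nginx was not signalled" >&2
    exit 1
fi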
2.3 nginx访问日志分析脚本
#!/bin/bash
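# Log format: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
# Usage: script.sh <access.log> [start] [end]
#   start/end are $time_local prefixes such as "[01/Dec/2018:13:20:25". They are compared as
#   plain strings (day first, then month name), so the window is not chronological across months.
LOG_FILE=$1
START=${2:-"[01/Dec/2018:13:20:25"}
END=${3:-"[27/Nov/2018:16:20:49"}

if [ ! -r "$LOG_FILE" ]; then
    echo "usage: ${0##*/} <access.log> [start] [end]" >&2
    exit 1
fi

echo "统计访问最多的10个IP"
awk '{a[$1]++}END{print "UV:",length(a);for(v in a)print v,a[v]}' "$LOG_FILE" | sort -k2 -nr | head -10
echo "----------------------"

echo "统计时间段访问最多的IP"
# NOTE: the page's defaults put START (01/Dec) after END (27/Nov); as strings "[01/Dec" still
# sorts before "[27/Nov", so lines are selected — confirm the intended window before relying on it
awk -v s="$START" -v e="$END" '$4>=s && $4<=e {a[$1]++}END{for(v in a)print v,a[v]}' "$LOG_FILE" | sort -k2 -nr | head -10
echo "----------------------"

echo "统计访问最多的10个页面"
awk '{a[$7]++}END{print "PV:",length(a);for(v in a){if(a[v]>10)print v,a[v]}}' "$LOG_FILE" | sort -k2 -nr
echo "----------------------"

echo "统计访问页面状态码数量"
awk '{a[$7" "$9]++}END{for(v in a){if(a[v]>5)print v,a[v]}}' "$LOG_FILE" | sort -k3 -nr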
2.4 自动发布Java项目(Tomcat)
#!/bin/bash
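# Build tomcat-java-demo from git and deploy the WAR as the ROOT webapp of the named tomcat.
# Usage: script.sh <tomcat directory name under /usr/local>
DATE=$(date +%F_%T)

TOMCAT_NAME=$1
if [ -z "$TOMCAT_NAME" ]; then
    # with an empty name the original's `ps -ef | grep ""` matched every process and
    # kill -9'd whichever came first
    echo "usage: ${0##*/} <tomcat name>" >&2
    exit 1
fi
TOMCAT_DIR=/usr/local/$TOMCAT_NAME
ROOT=$TOMCAT_DIR/webapps/ROOT

BACKUP_DIR=/data/backup
WORK_DIR=/tmp
PROJECT_NAME=tomcat-java-demo

# fetch the code
cd "$WORK_DIR" || exit 1
if [ ! -d "$PROJECT_NAME" ]; then
   git clone https://github.com/fixpng/tomcat-java-demo || exit 1
   cd "$PROJECT_NAME" || exit 1
else
   cd "$PROJECT_NAME" || exit 1
   git pull || exit 1
fi

# build
if ! mvn clean package -Dmaven.test.skip=true; then
   echo "maven build failure!"
   exit 1
fi

# deploy: find the JVM by its catalina.base (matches this instance only, never the script
# itself), ask it to stop, and SIGKILL only if it is still alive after a grace period
TOMCAT_PID=$(pgrep -f "catalina.base=$TOMCAT_DIR" | head -n 1)
if [ -n "$TOMCAT_PID" ]; then
   "$TOMCAT_DIR/bin/shutdown.sh" >/dev/null 2>&1
   sleep 5
   kill -0 "$TOMCAT_PID" 2>/dev/null && kill -9 "$TOMCAT_PID"
fi
mkdir -p "$BACKUP_DIR"
[ -d "$ROOT" ] && mv "$ROOT" "$BACKUP_DIR/${TOMCAT_NAME}_ROOT$DATE"
unzip "$WORK_DIR/$PROJECT_NAME"/target/*.war -d "$ROOT" || exit 1
"$TOMCAT_DIR/bin/startup.sh"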
2.5 正在运行的tomcat目录整个压缩备份
#!/bin/bash
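# Archive the directory of the running tomcat (found via its -Dcatalina.base= argument), logs excluded.
# The original ran tar even when no tomcat was running (empty path) or several were (multi-line path).
tomcat_dir=$(pgrep -af 'catalina.base=' | sed -n 's/.*-Dcatalina.base=\([^ ]*\).*/\1/p' | head -n 1)
exclude_dir=$tomcat_dir/logs # skip the log directory
output_file=/home/appuser/hades/tomcat_bak.tar.gz

if [ -z "$tomcat_dir" ] || [ ! -d "$tomcat_dir" ]; then
    echo "no running tomcat found (no -Dcatalina.base= on any command line)" >&2
    exit 1
fi

# NOTE: the instance is still running and may write under this tree while tar reads it;
# stop it first if a consistent copy is required
tar --exclude="$exclude_dir" -zcvf "$output_file" "$tomcat_dir"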
2.6 Nginx日志安全分析脚本

nginx_check.sh

#!/usr/bin/env bash
# ========================================================= 
# \                 Nginx日志安全分析脚本 V1.0            / 
# ========================================================= 
# 支持Nginx日志分析,攻击告警分析等                    
# author:al0ne

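echo -e "\n"
# Adapted from nmgxy/klionsec with extra signatures. A stop-gap for incident triage only;
# for anything ongoing, ship the logs to ELK or Splunk instead.

# Sections
###  top 20 client addresses
###  SQL injection attempts
###  SQL injection: FROM-query subset
###  scanners / common attack tools
###  exploit attempts
###  sensitive path access
###  file inclusion
###  HTTP tunnelling
###  webshell activity
###  top 20 URLs by response length
###  rarely requested script files
###  script files answering with 302

# With several access files or rotated access.*.gz, concatenate first: zcat access*.gz >> access.log
# Result directory (no trailing /)
outfile=/tmp/logs/nginx_check
# empty it if it exists, create it otherwise; ${outfile:?} aborts rather than expanding to "rm -rf /*"
if [ -d "$outfile" ]; then
    rm -rf -- "${outfile:?}"/*
else
    mkdir -p "$outfile"
fi
# nginx log directory (trailing / required)
access_dir=/opt/app/jeson/logs/
# base name: "access" matches the access* files
access_log=access
# count the log files by expanding the glob (nullglob: no match -> empty array); the original
# counted `ls` output, which is not needed and printed ls's error when nothing matched
shopt -s nullglob
log_files=("${access_dir}${access_log}"*)
shopt -u nullglob
num=${#log_files[@]}

if [ "$num" -eq 0 ]; then
    echo '日志文件不存在'
    exit 1
fi
echo -e "\n"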

# Work out the package family (Debian or Centos) from os-release, falling back to whichever
# package manager is on PATH; only used to install ag below.
OS='None'
if [ -e /etc/os-release ]; then
    source /etc/os-release
    case "${ID}" in
        debian | ubuntu | devuan) OS='Debian' ;;
        # NOTE: "rhel fedora" only matches an ID that is literally that two-word string;
        # a plain "fedora" alternative was probably intended
        centos | "rhel fedora" | rhel) OS='Centos' ;;
        *) ;;
    esac
fi

if [ "$OS" = 'None' ]; then
    if command -v apt-get >/dev/null 2>&1; then
        OS='Debian'
    elif command -v yum >/dev/null 2>&1; then
        OS='Centos'
    else
        echo -e "\n不支持这个系统\n"
        echo -e "已退出"
        exit 1
    fi
fi

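# install the_silver_searcher (ag) if it is missing; every analysis step below depends on it
if ag -V >/dev/null 2>&1; then
    echo -e "\e[00;32msilversearcher-ag已安装 \e[00m"
else
    if [ "$OS" = 'Centos' ]; then
        yum -y install the_silver_searcher >/dev/null 2>&1
    else
        apt-get -y install silversearcher-ag >/dev/null 2>&1
    fi
    # the original carried on when the install failed (e.g. offline host) and every later
    # step then died with "ag: command not found"
    if ! command -v ag >/dev/null 2>&1; then
        echo "ag install failed; install the_silver_searcher (yum) or silversearcher-ag (apt) by hand" >&2
        exit 1
    fi
fi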
#如果检测别的日志请手动替换偏移,例如awk的$7代表url,$9代表状态码,$10代表长度,本脚本是以nginx日志为基础

# Signature scans. Each section: ag over the access logs with a signature alternation,
# keep only 200/500 responses ($9 = status in the combined log format), write the hits to
# a per-section file, count them, then list the top 20 source addresses of those hits.
# The "(?<=:)" look-behind in the IP extraction expects ag's "lineno:" prefix in front of
# the log line — presumably what ag emits for a single input file; confirm if output changes.
echo "分析结果日志:${outfile}"
echo "Nginx日志目录:${access_dir}"
echo "Nginx文件名:${access_log}"
echo -e "\n"

echo -e "\e[00;31m[+]TOP 20 IP 地址\e[00m"
ag -a -o --nofilename '\d+\.\d+\.\d+\.\d+' ${access_dir}${access_log}* | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/top20.log
echo -e "\n"

echo -e "\e[00;31m[+]SQL注入攻击分析\e[00m"
# Requests for css/js/png and similar static files are dropped from the SQL-injection hits
# (scanner noise), and only 200 / 500 responses are kept.
# NOTE: "%updatexml" has no "20" after the percent sign, unlike the neighbouring
# "%20extractvalue" — likely a typo for "%20updatexml".
ag -a "xp_cmdshell|%20xor|%20and|%20AND|%20or|%20OR|select%20|%20and%201=1|%20and%201=2|%20from|%27exec|information_schema.tables|load_file|benchmark|substring|table_name|table_schema|%20where%20|%20union%20|%20UNION%20|concat\(|concat_ws\(|%20group%20|0x5f|0x7e|0x7c|0x27|%20limit|\bcurrent_user\b|%20LIMIT|version%28|version\(|database%28|database\(|user%28|user\(|%20extractvalue|%updatexml|rand\(0\)\*2|%20group%20by%20x|%20NULL%2C|sqlmap" ${access_dir}${access_log}* | ag -v '/\w+\.(?:js|css|html|jpg|jpeg|png|htm|swf)(?:\?| )' | awk '($9==200)||($9==500) {print $0}' >${outfile}/sql.log
awk '{print "SQL注入攻击" NR"次"}' ${outfile}/sql.log | tail -n1
echo "SQL注入 TOP 20 IP地址"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/sql.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/sql_top20.log
# FROM queries deserve a closer look (possible data extraction); schema probing by scanners is excluded.
echo "SQL注入 FROM 查询"
cat ${outfile}/sql.log | ag '\bfrom\b' | ag -v 'information_schema' >${outfile}/sql_from_query.log
awk '{print "SQL注入FROM查询" NR"次"}' ${outfile}/sql_from_query.log | tail -n1
echo -e "\n"

echo -e "\e[00;31m[+]扫描器scan & 黑客工具\e[00m"
# Tool names and user-agent fragments; "HEAD /" catches bare liveness probes.
ag -a "acunetix|by_wvs|nikto|netsparker|HP404|nsfocus|WebCruiser|owasp|nmap|nessus|HEAD /|AppScan|burpsuite|w3af|ZAP|openVAS|.+avij|.+angolin|360webscan|webscan|XSS@HERE|XSS%40HERE|NOSEC.JSky|wwwscan|wscan|antSword|WebVulnScan|WebInspect|ltx71|masscan|python-requests|Python-urllib|WinHttpRequest" ${access_dir}${access_log}* | ag -v '/\w+\.(?:js|css|jpg|jpeg|png|swf)(?:\?| )' | awk '($9==200)||($9==500) {print $0}' >${outfile}/scan.log
awk '{print "共检测到扫描攻击" NR"次"}' ${outfile}/scan.log | tail -n1
echo "扫描工具流量 TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/scan.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/scan_top20.log
echo -e "\n"

echo -e "\e[00;31m[+]敏感路径访问\e[00m"
# Admin consoles, archives, dumps, VCS metadata and editor/backup leftovers.
ag -a "/_cat/|/_config/|include=|phpinfo|info\.php|/web-console|JMXInvokerServlet|/manager/html|axis2-admin|axis2-web|phpMyAdmin|phpmyadmin|/admin-console|/jmx-console|/console/|\.tar.gz|\.tar|\.tar.xz|\.xz|\.zip|\.rar|\.mdb|\.inc|\.sql|/\.config\b|\.bak|/.svn/|/\.git/|\.hg|\.DS_Store|\.htaccess|nginx\.conf|\.bash_history|/CVS/|\.bak|wwwroot|备份|/Web.config|/web.config|/1.txt|/test.txt" ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $0}' >${outfile}/dir.log
awk '{print "共检测到针对敏感文件扫描" NR"次"}' ${outfile}/dir.log | tail -n1
echo "敏感文件访问流量 TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/dir.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/dir_top20.log
echo -e "\n"

echo -e "\e[00;31m[+]漏洞利用检测\e[00m"
# NOTE: in "s=/index/\think" the regex engine reads "\t" as a TAB, so this alternative can
# only match a literal tab and never the backslash in the path; "\\think" matches the backslash.
ag -a "%00|/win.ini|/my.ini|\.\./\.\./|/etc/shadow|%0D%0A|file:/|gopher:/|dict:/|WindowsPowerShell|/wls-wsat/|call_user_func_array|uddiexplorer|@DEFAULT_MEMBER_ACCESS|@java\.lang\.Runtime|OgnlContext|/bin/bash|cmd\.exe|wget\s|curl\s|s=/index/\think" ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $0}' >${outfile}/exploit.log
awk '{print "漏洞利用探测" NR"次"}' ${outfile}/exploit.log | tail -n1
echo "漏洞利用检测 TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/exploit.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/exploit_top20.log
echo -e "\n"

echo -e "\e[00;31m[+]webshell\e[00m"
# NOTE: "[asp|php|jsp|aspx]{3,4}" is a character class, not an alternation — it matches any
# 3–4 characters drawn from a,s,p,|,h,j,x (so "spa", "|||", ...), which widens these
# signatures considerably; "(?:asp|php|jsp|aspx)" is the intended form.
ag -a "=whoami|dbname=|exec=|cmd=|\br57\b|\bc99\b|\bc100\b|\bb374k\b|adminer.php|eval\(|assert\(|%eval|%execute|tunnel\.[asp|php|jsp|aspx]{3,4}|makewebtaski|ma\.[asp|php|jsp|aspx]{3,4}|\bup\.[asp|php|jsp|aspx]{3,4}|cmd\.[asp|php|jsp|aspx]{3,4}|201\d\.[asp|php|jsp|aspx]{3,4}|xiaoma\.[asp|php|jsp|aspx]{3,4}|shell\.[asp|php|jsp|aspx]{3,4}|404\.[asp|php|jsp|aspx]{3,4}|tom\.[asp|php|jsp|aspx]{3,4}|k8cmd\.[asp|php|jsp|aspx]{3,4}|ver[0-9]{3,4}\.[asp|php|jsp|aspx]{3,4}|\.aar|[asp|php|jsp|aspx]{3,4}spy\.|o=vLogin|aioshell|admine|ghost\.[asp|php|jsp|aspx]{3,4}|r00ts|90sec|t00ls|editor\.aspx|wso\.[asp|aspx]{3,4}" ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $0}' >${outfile}/webshell.log
awk '{print "共检测到webshell行为" NR "次"}' ${outfile}/webshell.log | tail -n1
echo "Webshell TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/webshell.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/webshell_top20.log
echo -e "\n"

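echo -e "\e[00;31m[+]HTTP Tunnel\e[00m"
# reGeorg-style tunnel command parameters
ag -a "cmd=disconnect|cmd=read|cmd=forward|cmd=connect" "${access_dir}${access_log}"* | awk '($9==200)||($9==500) {print $0}' | tee -a "${outfile}/tunnel.log"
awk '{print "共检测到隧道行为" NR "次"}' "${outfile}/tunnel.log" | tail -n1
echo -e "\n"

echo -e "\e[00;31m[+]Top 20 url响应长度\e[00m"
# The 20 largest response sizes ($10), then the URLs that produced them — a quick check for
# bulk downloads such as an archive of the web root. The sizes are fed to xargs one per line
# (the original word-split them through an unquoted echo) and -I replaces the deprecated -i.
len=$(awk '{print $10}' "${access_dir}${access_log}"* | sort -nr | head -n 20)
printf '%s\n' "$len" | xargs -I{} ag -a --nocolor '\d+\s{}\s' "${access_dir}${access_log}"* | awk '{print $7,$10}' | sort -u | sort -k 2 -nr | tee -a "${outfile}/url_rsp_len.log"
echo -e "\n"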

echo -e "\e[00;31m[+]罕见的脚本文件访问\e[00m"
echo "访问量特别特别少的脚本文件极有可能是webshell"
# script URLs (no query string) that answered 200/500, least requested first
awk '($9==200)||($9==500) {print $7}' "${access_dir}${access_log}"* | sort | uniq -c | sort -n | ag -v '\?' | ag '\.php|\.jsp|\.asp|\.aspx' | head -n 20 | tee -a "${outfile}/rare_url.log"
echo -e "\n"

echo -e "\e[00;31m[+]302跳转\e[00m"
echo "此目的是寻找一些登录成功的脚本文件"
# the same listing for script URLs that answered 301/302 (what a successful login usually does)
awk '($9==302)||($9==301) {print $7}' "${access_dir}${access_log}"* | sort | uniq -c | sort -n | ag -v '\?' | ag '\.php|\.jsp|\.asp|\.aspx' | head -n 20 | tee -a "${outfile}/302_goto.log"
echo -e "\n"
2.7 Tomcat应用日志,按时间范围导出
# Copy the catalina.out lines from the first line matching the start timestamp through the
# next line matching the end timestamp (inclusive); -n suppresses everything else.
sed -n -e '/2023-09-02 18:00:00/,/2023-09-03 09:10:00/p' ./logs/catalina.out > ~/catalina_bak20230902.out
  • -n 表示不输出文件中的任何行,这里只在满足条件的情况下输出指定的日志信息。
  • /2023-09-02 18:00:00/,/2023-09-03 09:10:00/p 表示从行匹配开始输出数据到结束行匹配位置。
  • ./logs/catalina.out 表示需要处理的文件。

3 数据库

3.1 使用mysqldump对MySQL数据库备份

单循环

#!/bin/bash
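# Dump every non-system database into its own timestamped .sql file.
DATE=$(date +%F_%H-%M-%S)
HOST=localhost
USER=backup
PASS=654321.com
BACKUP_DIR=/data/db_backup

# Credentials go to the mysql clients through a private defaults file rather than
# "-p$PASS" on the command line, where any local user could read them from `ps`.
CNF=$(mktemp) || exit 1
trap 'rm -f -- "$CNF"' EXIT
chmod 600 "$CNF"
printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$HOST" "$USER" "$PASS" > "$CNF"

mkdir -p "$BACKUP_DIR" || exit 1

# --defaults-extra-file must be the first option
DB_LIST=$(mysql --defaults-extra-file="$CNF" -s -e "show databases;" 2>/dev/null | grep -Ev "Database|information_schema|mysql|performance_schema|sys")

for DB in $DB_LIST; do
    BACKUP_NAME=$BACKUP_DIR/${DB}_${DATE}.s ql
    BACKUP_NAME=$BACKUP_DIR/${DB}_${DATE}.sql
    if ! mysqldump --defaults-extra-file="$CNF" -B "$DB" > "$BACKUP_NAME" 2>/dev/null; then
        echo "$BACKUP_NAME 备份失败!"
        rm -f -- "$BACKUP_NAME"   # do not leave a truncated dump behind
    fi
done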

多循环

#!/bin/bash
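# Dump every table of every non-system database into its own .sql file under a
# per-database, timestamped directory.
DATE=$(date +%F_%H-%M-%S)
HOST=localhost
USER=backup
PASS=654321.com
BACKUP_DIR=/data/db_backup

# Credentials go to the mysql clients through a private defaults file rather than
# "-p$PASS" on the command line, where any local user could read them from `ps`.
CNF=$(mktemp) || exit 1
trap 'rm -f -- "$CNF"' EXIT
chmod 600 "$CNF"
printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$HOST" "$USER" "$PASS" > "$CNF"

# --defaults-extra-file must be the first option
DB_LIST=$(mysql --defaults-extra-file="$CNF" -s -e "show databases;" 2>/dev/null | grep -Ev "Database|information_schema|mysql|performance_schema|sys")

for DB in $DB_LIST; do
    BACKUP_DB_DIR=$BACKUP_DIR/${DB}_${DATE}
    mkdir -p "$BACKUP_DB_DIR" || { echo "$BACKUP_DB_DIR 创建失败!" >&2; continue; }
    TABLE_LIST=$(mysql --defaults-extra-file="$CNF" -s -e "use $DB;show tables;" 2>/dev/null)
    for TABLE in $TABLE_LIST; do
        BACKUP_NAME=$BACKUP_DB_DIR/${TABLE}.sql
        if ! mysqldump --defaults-extra-file="$CNF" "$DB" "$TABLE" > "$BACKUP_NAME" 2>/dev/null; then
            echo "$BACKUP_NAME 备份失败!"
            rm -f -- "$BACKUP_NAME"   # do not leave a truncated dump behind
        fi
    done
done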

4 环境及应用

4.1 批量检测网站是否异常
#!/bin/bash  
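# Probe each site up to RETRIES times and warn when none of the attempts returned HTTP 200.
URL_LIST="www.baidu.com www.ctnrs.com"
RETRIES=2

for URL in $URL_LIST; do
    FAIL_COUNT=0
    for ((i = 1; i <= RETRIES; i++)); do
        HTTP_CODE=$(curl -o /dev/null --connect-timeout 2 -s -w "%{http_code}" "$URL")
        # string compare: curl prints "000" when it could not connect, which is not a status code
        if [ "$HTTP_CODE" = "200" ]; then
            echo "$URL OK"
            break
        fi
        ((FAIL_COUNT++))
        echo "$URL retry $FAIL_COUNT"
    done
    # the original started FAIL_COUNT at 1 and tested -eq 2: two failures gave 3 (no warning)
    # while one failure followed by a success gave 2 (a spurious warning)
    if [ "$FAIL_COUNT" -eq "$RETRIES" ]; then
        echo "Warning: $URL Access failure!"
    fi
done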
4.2 Python环境安装脚本

1、获得软件包
2、源码安装
3、升级pip命令

#!/bin/bash
#Description: python install from zutuanxue(http://www.zutuanxue.com)
#Release: python 3.7.6
#Auther: zutuanxue
#Email: 
#OS: Centos 8.X

#variables
python_download_url=https://www.python.org/ftp/python/3.7.6/Python-3.7.6.tgz
python_source_pkg=Python-3.7.6.tgz
python_code=Python-3.7.6

#functions
#安装前准备,安装必要依赖包
# Install the build dependencies (compiler, OpenSSL, libffi, sqlite). A yum failure is
# reported as a network error and exits with status 130, as in the original.
per_install () {
	if ! yum -y install gcc-* openssl-* libffi-devel sqlite-devel &>/dev/null; then
		echo -e "\033[31m network connection error,exit... \033[0m"
		exit 130
	fi
}

#安装python
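# Download, unpack, configure, build and install Python, then upgrade pip. Every failing
# step prints a message and exits non-zero (the original's configure branch exited with 0
# and its `cd` was unchecked). Leaves the shell inside the unpacked source tree, as before.
# Globals: python_download_url, python_source_pkg, python_code
install () {
	# fetch the tarball; a failed download shows up as a missing file below
	wget "$python_download_url"
	if [ ! -f "$python_source_pkg" ]; then
		echo "not found $python_source_pkg"
		exit 1
	fi
	if ! tar xf "$python_source_pkg"; then
		echo "$python_source_pkg unzip fail"
		exit 1
	fi
	cd "$python_code" || exit 1
	# configure with OpenSSL so the ssl module (https) is built.
	# NOTE: --with-openssl expects the OpenSSL install prefix, not the path of the binary — confirm
	if ! ./configure --with-openssl=/usr/bin/openssl 1>/dev/null; then
		echo "python configure fail"
		exit 1
	fi
	# NOTE: relies on a prepared Modules/Setup sitting next to the tarball; the page does
	# not show where that file comes from
	cp -f ../Setup Modules/
	if ! make 1>/dev/null; then
		echo "python make fail"
		exit 1
	fi
	if ! make install 1>/dev/null; then
		echo "python install fail"
		exit 1
	fi
	# refresh pip once the interpreter is in place
	if ! pip3 install --upgrade pip; then
		echo "pip3 install fail"
		exit 1
	fi
	echo "python install success"
}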

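# run the steps, then remove the unpacked tree and the tarball
per_install
install
# install() cd's into the source tree; step back out before deleting it (from inside,
# "rm -rf Python-3.7.6" named a non-existent subdirectory and removed nothing)
cd .. 2>/dev/null
rm -rf -- "$python_code"
rm -rf -- "$python_source_pkg"   # the original lacked the "$": it tried to delete a file literally named python_source_pkg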
4.3 nginx安装脚本
#!/bin/bash
#Description: nginx install script from zutuanxue(http://www.zutuanxue.com)
#Release: 1.0
#Auther: www.zutuanxue.com
#Email: 
#OS: Centos 8.X

# Print the banner (quoted delimiter: nothing in it is expanded), then the install settings.
cat <<'EOF'
#Description: nginx install script from zutuanxue(http://www.zutuanxue.com)
#Release: 1.0
#Auther: www.zutuanxue.com
#Email: 
#OS: Centos 8.X
EOF

# where the nginx source tarball comes from
nginx_pkg_url=http://nginx.org/download/nginx-1.17.8.tar.gz
# install prefix; nginx ends up in $nginx_install_doc/nginx
nginx_install_doc=/usr/local
# unprivileged user the worker processes run as
nginx_manage_user=www
# logical CPU count, used for make -j
cpu_count=$(grep -c "flags" /proc/cpuinfo)

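# Pre-flight: must be root, build dependencies installed, service user present.
# Globals: nginx_manage_user (read)
check ()  {
	# the build writes under /usr/local and calls yum
	[ "$UID" -ne 0 ] && echo "need to be root so that" && exit 1

	# wget        download
	# gcc, make   build
	# pcre-devel  URL rewriting
	# zlib-devel  gzip support
	if ! yum -y install wget gcc pcre-devel zlib-devel make &>/dev/null; then
		echo "yum install soft package fail"
		exit 1
	fi

	# create the service user named in $nginx_manage_user; the original hard-coded "www"
	# and grepped /etc/passwd for "^www", which also matched names such as www-data
	if ! getent passwd "$nginx_manage_user" >/dev/null; then
		useradd -s /sbin/nologin -r -M "$nginx_manage_user"
	fi
}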

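# Unpack, configure, build and install nginx from the tarball named by $nginx_pkg_url,
# which must already be in the current directory (the wget step is commented out).
# Globals: nginx_pkg_url, nginx_install_doc, nginx_manage_user, cpu_count (read);
#          nginx_source_doc (written, as in the original)
nginx_install () {
	local nginx_pkg
	nginx_pkg=${nginx_pkg_url##*/}          # nginx-1.17.8.tar.gz
	nginx_source_doc=${nginx_pkg%.tar.gz}   # nginx-1.17.8 (the original cut the name at its third dot)

	# 1/2. unpack
	if [ ! -f "$nginx_pkg" ]; then
		echo "$nginx_pkg not found in $(pwd)"
		exit 1
	fi
	tar xf "$nginx_pkg"
	if [ ! -d "$nginx_source_doc" ]; then
		echo "unzip $nginx_pkg fail"
		exit 1
	fi

	# 3. enter the source tree (unchecked in the original, so a failed cd configured the wrong directory)
	cd "$nginx_source_doc" || exit 1

	# 4. configure
	if ! ./configure --prefix="$nginx_install_doc/nginx" --user="$nginx_manage_user" --group="$nginx_manage_user" 1>/dev/null; then
		echo "nginx configure fail"
		exit 1
	fi

	# 5. build
	if ! make -j "$cpu_count" 1>/dev/null; then
		echo "nginx make fail"
		exit 1
	fi

	# 6. install
	if ! make install 1>/dev/null; then
		echo "nginx install fail"
		exit 1
	fi
	clear
	echo "nginx install success..."

	# 7. remove the unpacked tree and the tarball
	cd ..
	rm -rf -- "${nginx_source_doc:?}"*
}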

#####callable function
# entry point: pre-flight checks, then the build
check
nginx_install
4.4 Ansible一键离线安装部署

依赖资源下载

链接:https://pan.baidu.com/s/1RqdU4H-uo1IftTuL3LVUqA 
提取码:f7qt

安装脚本

# Unpack the offline bundle and run its installer. The archive and the script carry
# different version tags on the page (v2.9.9 archive, v2.9.0 script) — check both names.
tar -x -z -v -f ansible_v2.9.9_install.tar.gz   # swap the archive name for another version
cd ansible_v2.9.9_install
chmod +x ansible_v2.9.0_install.sh
sh ./ansible_v2.9.0_install.sh