全面的服务器安全监控脚本

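#!/bin/bash
#-------------------------------------------------服务器安全监控脚本---------------------------------------------------------
#The script is based on RedHat Enterprise Linux AS Series
#Written by Chameleon
#
# Daily host security report: today's authentication failures, integrity of a
# few core binaries against a recorded baseline, a network connection summary,
# zombie processes, disk/memory/CPU usage and the local account list.  The
# report is built in $logfile and mailed to $mail_to.
#
# Shebang changed from /bin/sh to bash: the original already relied on the
# bash-only `==` inside `[ ]`, and bash builtins (process substitution, `[[`)
# are used below.  `set -e` is deliberately not used: a monitoring script
# should keep going and report every section even if one probe fails.
set -u

scriptdir=/root/shell/Chame_jk
logdir=$scriptdir
logfile=$logdir/chameleon.log
mail_to=root@163.com
disk_threshold=80        # percent used at which a filesystem is flagged
memfree_threshold=300    # MB of free memory below which memory is flagged
cpu_threshold=60         # percent busy above which CPU is flagged

mkdir -p -- "$logdir"
printf '%s今日服务器相关安全情况:\n' "$(date +%Y-%m-%d)" >"$logfile"

# Append one line to the report.
log() {
  printf '%s\n' "$*" >>"$logfile"
}

#----------------------------------------------------------------------------------------------------------------------------
log "=================================服务器日志分析==================================="
# syslog stamps lines as "Mon dd" with the day space-padded to width 2
# ("Oct  5" but "Oct 15").  `date +'%b %e'` under LC_ALL=C produces exactly
# that form; the original built "$month  $day" with a fixed double space, so
# its grep silently matched nothing on days 10-31.
today=$(LC_ALL=C date '+%b %e')

# count_today FILE PATTERN: number of today's lines in FILE matching PATTERN.
# A missing or unreadable FILE yields 0 rather than an error in the report.
count_today() {
  grep -- "$2" "$1" 2>/dev/null | grep -c -- "$today"
}

fail_num01=$(count_today /var/log/messages "authentication failure")
log "$today:/var/log/message下验证失败信息有$fail_num01个"
# pam_unix writes the peer as "rhost=<addr>"; pick that token instead of a
# fixed awk column.  Output is one "<count> <addr>" line per source, most
# frequent first, which is more useful for spotting a brute-force source than
# the original adjacent-duplicate filter.
sourceip01=$(grep -- "authentication failure" /var/log/messages 2>/dev/null \
  | grep -- "$today" | grep -o 'rhost=[^ ]*' | sed 's/^rhost=//' \
  | sort | uniq -c | sort -rn)
log "$today:验证失败来源IP为$sourceip01"

fail_num02=$(count_today /var/log/secure "Failed")
log "$today:/var/log/secure下验证失败信息有$fail_num02个"
# sshd logs "... from <addr> port <port> <proto>"; the word offset shifts when
# "invalid user" is present, so extract by keyword rather than by column.
sourceip02=$(grep -- "Failed" /var/log/secure 2>/dev/null | grep -- "$today" \
  | sed -n 's/.* from \([^ ]*\) port \([0-9]*\) \([^ ]*\).*/\1 \2 \3/p' \
  | sort | uniq -c | sort -rn)
log "$today:验证失败来源IP、端口、协议为$sourceip02"

log "==================================关键命令检测==================================="
log "ps、netstat、su关键命令检测"
# check_binary PATH MD5 SIZE: compare PATH against the digest and byte size
# recorded when the script was deployed.  The baseline must be refreshed after
# every package update of procps/coreutils/net-tools, otherwise every run
# reports a change (`rpm -V` is the package-manager form of this check).  MD5
# is kept only because the recorded baseline values are MD5 digests; if the
# baseline is ever regenerated, prefer sha256sum.
check_binary() {
  local path=$1 want_md5=$2 want_size=$3 now_md5 now_size
  now_md5=$(md5sum -- "$path" 2>/dev/null | awk '{print $1}')
  now_size=$(stat -c %s -- "$path" 2>/dev/null)
  if [[ "$now_md5" == "$want_md5" && "$now_size" == "$want_size" ]]; then
    log "${path}命令大小和MD5值没有改变,请放心!"
  else
    log "${path}命令大小和MD5值有改变,请检查!"
  fi
}
check_binary /bin/ps      82a66bd2883f0ef1b31afe27c7591da8 64044
check_binary /bin/su      c0490221e929485b96b8b9a716a35e45 46156
check_binary /bin/netstat 46cf84840c1d985568ff85e675f10803 83768

log "==================================本机IP连接数量=================================="
# Foreign address is field 5 of `netstat -nta`; strip the trailing :port
# instead of cutting fixed byte columns, which shift with address width and
# break on IPv6.  Top 20 remote addresses by established connection count.
/bin/netstat -nta \
  | awk '/^tcp/ && $6 == "ESTABLISHED" { sub(/:[0-9]+$/, "", $5); print $5 }' \
  | sort | uniq -c | sort -rn | head -20 >>"$logfile"
log "=================================本机连接状态数量================================="
# Count of connections per TCP state (field 6).
/bin/netstat -nta | awk '/^tcp/ { print $6 }' | sort | uniq -c | sort -rn >>"$logfile"

log "===================================僵尸进程情况==================================="
# The original loop never used the line it read and compared an unset variable,
# so it logged "未发现僵尸进程" once per process.  Read state and command
# straight from ps; a zombie's state begins with Z.
zombie_found=0
while read -r state comm; do
  case $state in
    Z*)
      zombie_found=1
      log "警惕!!发现了僵尸进程$comm"
      ;;
  esac
done < <(ps -eo stat=,comm=)
if (( zombie_found == 0 )); then
  log "放心!!未发现僵尸进程"
fi

log "============================CPU、内存、磁盘空间使用情况==========================="
#################################################
log "磁盘空间使用情况:"
# -P keeps each filesystem on one line (long device names wrap without it) and
# LC_ALL=C fixes the header language, so the header is skipped by line number
# instead of by a translated word.  Fields: fs, blocks, used, avail, cap%, mount.
# `-ge` matches the message text ("达到或超过"); the original used -gt.
while read -r fs _ _ _ capacity mount; do
  use=${capacity%\%}
  case $use in
    ''|*[!0-9]*) continue ;;   # "-" or blank capacity on pseudo filesystems
  esac
  if [[ "$use" -ge "$disk_threshold" ]]; then
    log "警惕!!服务器磁盘空间使用率已经达到或超过${disk_threshold}%了: $mount ($fs) 已用${use}%"
  else
    log "放心!!服务器磁盘空间使用率正常: $mount 已用${use}%"
  fi
done < <(LC_ALL=C df -P | awk 'NR > 1')
#################################################
log "内存空间使用情况:"
# `free -m` "Mem:" row: total used free ...; fields 3 and 4 are exactly what
# the original read.  NOTE(review): newer procps also reports "available",
# which is a truer measure of headroom than "free" — consider switching.
read -r _ _ memused memfree _ < <(free -m | grep '^Mem:')
if [[ "${memfree:-0}" -lt "$memfree_threshold" ]]; then
  log "警惕!!服务器内存已经使用了$memused M,空闲内存小于${memfree_threshold}M了"
else
  log "放心!!服务器内存已经使用了$memused M,使用正常"
fi
# "Swap:" row: total used free.
read -r _ _ _ swapfree _ < <(free -m | grep '^Swap:')
log "服务器交换区剩余空间大小为$swapfree M"
#################################################
log "CPU平均使用情况:"
# vmstat ships with procps, so it is present wherever `free` and `ps` are;
# mpstat needs the separate sysstat package, and its field 3 is %user only.
# The last line of `vmstat 1 2` is the 1-second sample and column 15 is %idle,
# so busy = 100 - idle across all CPUs.
cpu=$(vmstat 1 2 | tail -1 | awk '{print 100 - $15}')
if [[ "${cpu:-0}" -gt "$cpu_threshold" ]]; then
  # The original printed threshold * CPU count here, a constant unrelated to
  # the measured load; report the measured percentage instead.
  log "警惕!!CPU使用率已经达到${cpu}%了,请检查"
else
  log "放心!!CPU使用率正常(${cpu}%)"
fi

log "============================系统帐户情况==========================="
log "请检查下面的系统帐户是否正常:"
awk -F: '{print $1}' /etc/passwd | xargs >>"$logfile"
# Any UID 0 account other than root deserves an explicit warning rather than
# being left for the reader to notice in the list above.
extra_root=$(awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd | xargs)
if [[ -n "$extra_root" ]]; then
  log "警惕!!发现UID为0的非root帐户: $extra_root"
fi

#-----------------------------------------------------邮件通知---------------------------------------------------------------
# Keep the report on disk if mail fails; the original removed it
# unconditionally and so could lose the only copy.
if mail -s "$(date +%Y-%m-%d),今日系统安全监控日志" "$mail_to" <"$logfile"; then
  rm -f -- "$logfile"
else
  printf 'mail to %s failed; report kept at %s\n' "$mail_to" "$logfile" >&2
fi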