Skip to content

入侵监测软件chkrootkit 安装

rootkit是入侵者经常使用的工具,这类工具可以隐秘、令用户不易察觉的建立了一条能够总能够入侵系统或者说对系统进行实时控制的途径.chkrootkit是可以查找系统是否被安装rootkit的工具,当然无法100%的查出,在系统被安装之后,或者说服务器开放之前就把它装好吧. http://www.chkrootkit.org官方网站 目前最新版为chkrootkit-0.49 官方可能无法正常下载,可以用我博客里的地址https://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz 测试系统为centos5.8

一.安装

wget https://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz tar zxvf chkrootkit.tar.gz cd chkrootkit make sense cd .. mv -f chkrootkit- /usr/local/chkrootkit chown -R root:root /usr/local/chkrootkit chmod -R 700 /usr/local/chkrootkit

二.运行

有些命令是当前目录下运行需cd到chkrootkit目录 cd /usr/local/chkrootkit ./chkrootkit

ROOTDIR is `/’ Checking `amd’… not found Checking `basename’… not infected Checking `biff’… not found Checking `chfn’… not infected Checking `chsh’… not infected Checking `cron’… not infected Checking `crontab’… not infected Checking `date’… not infected Checking `du’… not infected Checking `dirname’… not infected Checking `echo’… not infected Checking `egrep’… not infected Checking `env’… not infected Checking `find’… not infected Checking `fingerd’… not found Checking `gpm’… not infected Checking `grep’… not infected Checking `hdparm’… not infected Checking `su’… not infected Checking `ifconfig’… not infected Checking `inetd’… not tested Checking `inetdconf’… not found Checking `identd’… not found Checking `init’… not infected Checking `killall’… not infected Checking `ldsopreload’… not infected Checking `login’… not infected Checking `ls’… not infected Checking `lsof’… not infected Checking `mail’… not infected Checking `mingetty’… not infected Checking `netstat’… not infected Checking `named’… not found Checking `passwd’… not infected Checking `pidof’… not infected Checking `pop2’… not found Checking `pop3’… not found Checking `ps’… not infected Checking `pstree’… not infected Checking `rpcinfo’… not infected Checking `rlogind’… not found Checking `rshd’… not found Checking `slogin’… not infected Checking `sendmail’… not infected Checking `sshd’… not infected Checking `syslogd’… not infected Checking `tar’… not infected Checking `tcpd’… not infected Checking `tcpdump’… not infected Checking `top’… not infected Checking `telnetd’… not infected Checking `timed’… not found Checking `traceroute’… not infected Checking `vdir’… not infected Checking `w’… not infected Checking `write’… not infected Checking `aliens’… no suspect files Searching for sniffer’s logs, it may take a while… nothing found Searching for HiDrootkit’s default dir… nothing found Searching for t0rn’s default files and dirs… nothing found Searching for t0rn’s v8 defaults… nothing found Searching for Lion Worm default files and dirs… nothing found Searching for RSHA’s default files and dir… nothing found Searching for RH-Sharpe’s default files… nothing found Searching for Ambient’s rootkit (ark) default files and dirs… nothing found Searching for suspicious files and dirs, it may take a while… /usr/lib/python2.4/config/.relocation-tag /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/.libgcrypt.so.11.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac Searching for LPD Worm files and dirs… nothing found Searching for Ramen Worm files and dirs… nothing found Searching for Maniac files and dirs… nothing found Searching for RK17 files and dirs… nothing found Searching for Ducoci rootkit… nothing found Searching for Adore Worm… nothing found Searching for ShitC Worm… nothing found Searching for Omega Worm… nothing found Searching for Sadmind/IIS Worm… nothing found Searching for MonKit… nothing found Searching for Showtee… nothing found Searching for OpticKit… nothing found Searching for T.R.K… nothing found Searching for Mithra… nothing found Searching for LOC rootkit… nothing found Searching for Romanian rootkit… nothing found Searching for HKRK rootkit… nothing found Searching for Suckit rootkit… nothing found Searching for Volc rootkit… nothing found Searching for Gold2 rootkit… nothing found Searching for TC2 Worm default files and dirs… nothing found Searching for Anonoying rootkit default files and dirs… nothing found Searching for ZK rootkit default files and dirs… nothing found Searching for ShKit rootkit default files and dirs… nothing found Searching for AjaKit rootkit default files and dirs… nothing found Searching for zaRwT rootkit default files and dirs… nothing found Searching for Madalin rootkit default files… nothing found Searching for Fu rootkit default files… nothing found Searching for ESRK rootkit default files… nothing found Searching for rootedoor… nothing found Searching for ENYELKM rootkit default files… nothing found Searching for common ssh-scanners default files… nothing found Searching for suspect PHP files… /tmp/pear/download/Archive_Tar-1.3.9/Archive/Tar.php /tmp/pear/download/XML_Util-1.2.1/tests/AllTests.php /tmp/pear/download/XML_Util-1.2.1/Util.php /tmp/pear/download/XML_Util-1.2.1/examples/example2.php /tmp/pear/download/XML_Util-1.2.1/examples/example.php /tmp/pear/download/Archive_Tar-1.3.7/Archive/Tar.php /tmp/pear/download/Structures_Graph-1.0.4/tests/testCase/BasicGraph.php /tmp/pear/download/Structures_Graph-1.0.4/tests/AllTests.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Node.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/AcyclicTest.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/TopologicalSorter.php /tmp/pear/download/PEAR-1.9.1/PEAR5.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST/10.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST/13.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST/11.php /tmp/pear/download/PEAR-1.9.1/PEAR/Builder.php /tmp/pear/download/PEAR-1.9.1/PEAR/Downloader/Package.php /tmp/pear/download/PEAR-1.9.1/PEAR/FixPHP5PEARWarnings.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Data.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Doc.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Php.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Cfg.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Src.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Www.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Test.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Script.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Ext.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role.php /tmp/pear/download/PEAR-1.9.1/PEAR/Packager.php /tmp/pear/download/PEAR-1.9.1/PEAR/Validator/PECL.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer.php /tmp/pear/download/PEAR-1.9.1/PEAR/Config.php /tmp/pear/download/PEAR-1.9.1/PEAR/Registry.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Install.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Mirror.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Remote.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Build.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Config.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Registry.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Pickle.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Channels.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Auth.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Test.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Package.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile.php /tmp/pear/download/PEAR-1.9.1/PEAR/RunTest.php /tmp/pear/download/PEAR-1.9.1/PEAR/Autoloader.php /tmp/pear/download/PEAR-1.9.1/PEAR/Frontend.php /tmp/pear/download/PEAR-1.9.1/PEAR/Validate.php /tmp/pear/download/PEAR-1.9.1/PEAR/ErrorStack.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile/Parser.php /tmp/pear/download/PEAR-1.9.1/PEAR/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/XMLParser.php /tmp/pear/download/PEAR-1.9.1/PEAR/Downloader.php /tmp/pear/download/PEAR-1.9.1/PEAR/DependencyDB.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/Validator.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v2.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v1.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v1.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v2.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v1.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command.php /tmp/pear/download/PEAR-1.9.1/PEAR/Dependency2.php /tmp/pear/download/PEAR-1.9.1/PEAR/Exception.php /tmp/pear/download/PEAR-1.9.1/PEAR/Frontend/CLI.php /tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile.php /tmp/pear/download/PEAR-1.9.1/scripts/peclcmd.php /tmp/pear/download/PEAR-1.9.1/scripts/pearcmd.php /tmp/pear/download/PEAR-1.9.1/System.php /tmp/pear/download/PEAR-1.9.1/PEAR.php /tmp/pear/download/PEAR-1.9.1/OS/Guess.php /tmp/pear/download/Console_Getopt-1.2.3/Console/Getopt.php /tmp/pear/download/PEAR-1.9.4/PEAR5.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST/10.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST/13.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST/11.php /tmp/pear/download/PEAR-1.9.4/PEAR/Builder.php /tmp/pear/download/PEAR-1.9.4/PEAR/Downloader/Package.php /tmp/pear/download/PEAR-1.9.4/PEAR/FixPHP5PEARWarnings.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Data.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Doc.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Php.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Cfg.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Src.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Www.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Test.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Script.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Ext.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role.php /tmp/pear/download/PEAR-1.9.4/PEAR/Packager.php /tmp/pear/download/PEAR-1.9.4/PEAR/Validator/PECL.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer.php /tmp/pear/download/PEAR-1.9.4/PEAR/Config.php /tmp/pear/download/PEAR-1.9.4/PEAR/Registry.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Install.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Mirror.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Remote.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Build.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Config.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Registry.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Pickle.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Channels.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Auth.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Test.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Package.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile.php /tmp/pear/download/PEAR-1.9.4/PEAR/RunTest.php /tmp/pear/download/PEAR-1.9.4/PEAR/Autoloader.php /tmp/pear/download/PEAR-1.9.4/PEAR/Frontend.php /tmp/pear/download/PEAR-1.9.4/PEAR/Validate.php /tmp/pear/download/PEAR-1.9.4/PEAR/ErrorStack.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile/Parser.php /tmp/pear/download/PEAR-1.9.4/PEAR/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/XMLParser.php /tmp/pear/download/PEAR-1.9.4/PEAR/Downloader.php /tmp/pear/download/PEAR-1.9.4/PEAR/DependencyDB.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/Validator.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v2.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v1.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v1.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v2.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v1.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command.php /tmp/pear/download/PEAR-1.9.4/PEAR/Dependency2.php /tmp/pear/download/PEAR-1.9.4/PEAR/Exception.php /tmp/pear/download/PEAR-1.9.4/PEAR/Frontend/CLI.php /tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile.php /tmp/pear/download/PEAR-1.9.4/scripts/peclcmd.php /tmp/pear/download/PEAR-1.9.4/scripts/pearcmd.php /tmp/pear/download/PEAR-1.9.4/System.php /tmp/pear/download/PEAR-1.9.4/PEAR.php /tmp/pear/download/PEAR-1.9.4/OS/Guess.php /tmp/pear/download/Console_Getopt-1.3.1/Console/Getopt.php /tmp/pear/download/Structures_Graph-1.0.3/tests/testCase/BasicGraph.php /tmp/pear/download/Structures_Graph-1.0.3/tests/AllTests.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Node.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/AcyclicTest.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/TopologicalSorter.php Searching for anomalies in shell history files… Warning: `//root/.mysql_history’ is linked to another file Checking `asp’… not infected Checking `bindshell’… not infected Checking `lkm’… chkproc: nothing detected chkdirs: nothing detected Checking `rexedcs’… not found Checking `sniffer’… eth0: not promisc and no PF_PACKET sockets Checking `w55808’… not infected Checking `wted’… chkwtmp: nothing deleted Checking `scalper’… not infected Checking `slapper’… not infected Checking `z2’… chklastlog: nothing deleted Checking `chkutmp’… chkutmp: nothing deleted Checking `OSX_RSPLUG’… not infected

以上文件没有问题,出现INFECTED那就要小心了 ./chkrootkit | grep INFECTED

三.自动运行

创建每日运行脚本,发现问题后自动发送邮件 vi chkrootkitcron.sh

#!/bin/bash TOOLKITSPATH=/usr/local MAILUSER=root@localhost file_chkrootkit_log=chkrootkitcron.log servername=`hostname` date=`date +%Y-%m-%d` cd ${TOOLKITSPATH}/chkrootkit ./chkrootkit > ${file_chkrootkit_log} [ ! -z “$(grep INFECTED ${file_chkrootkit_log})” ] && \ grep INFECTED ${file_chkrootkit_log} | mail -s “[chkrootkit] report in ${servername} ${date}” ${MAILUSER}

放入crontab中

echo “40 5 * * * cd /opt/shell && /bin/sh ./chkrootkitcron.sh > /dev/null 2>&1” >> /var/spool/cron/root

Posted in 安全.

Tagged with , .

rev="post-1365" No comments

By C1G 2012/04/09

限制/tmp分区的执行权限

Linux的提权rootkit基本都是已编译的执行文件。禁止其在/tmp下的运行可降低黑客入侵的可能性。 Perl、PHP脚本属于解释型语言,可通过perl/php命令直接调用,即使脚本存放于/tmp也不受限制。

先以有独立/tmp分区的为例

1.mount 查看一下/tmp为default

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw) /dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw) /dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw) /dev/sda1 on /boot type ext3 (rw) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

2.给/tmp加上(nosuid,noexec) vi /etc/fstab

/dev/VolGroup00/LogVol01 / ext3 defaults 1 1 /dev/VolGroup01/LogVol00 /opt ext3 defaults 1 2 /dev/VolGroup00/LogVol03 /var ext3 defaults 1 2 /dev/VolGroup00/LogVol02 /tmp ext3 defaults,nosuid,noexec 1 2 LABEL=/boot /boot ext3 defaults 1 2 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/VolGroup00/LogVol00 swap swap defaults 0 0

3.依据fstab重新载入/tmp mount -oremount /tmp

4.再次查看 mount

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw) /dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw) /dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw,noexec,nosuid) /dev/sda1 on /boot type ext3 (rw) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

5.执行文件测试 vi test.sh

#!/bin/bash echo ‘/tmp test’

chmod u+x ./test.sh ./test.sh -bash: ./test.sh: /bin/bash: bad interpreter: Permission denied

6.迁移/var/tmp目录

mv /var/tmp/* /tmp/ rm -fr /var/tmp ln -s /tmp /var/tmp

对不存在独立/tmp分区的可以用dd创建个10G大小文件作/tmp

cd /usr/ dd if=/dev/zero of=Tmp bs=1024 count=10000000 mkfs -t ext3 /usr/Tmp mkdir /tmp_backup cp -ar /tmp /tmp_backup mount -o loop,rw,noexec,nosuid /usr/Tmp /tmp cp -ar /tmp_backup/tmp/* /tmp/ chmod 0777 /tmp chmod +t /tmp rm -rf /tmp_backup #放入fstab 中启动加载 echo “/usr/Tmp /tmp ext3 loop,rw,noexec,nosuid 0 0” >> /etc/fstab

Posted in 安全.

Tagged with , .

rev="post-1360" No comments

By C1G 2012/04/06

linux基本安全配置设置脚本1.2发布

依据linux基本安全配置手册 方便设置一些基本的linux安全设置

更新============= 兼容centos/rhel 6 tty,ctrlaltdel,ipv6 关闭服务可以使用白名单,更可靠 限制su的用户组修正兼容性(充许su的用户需用gpasswd命令添加,sudoer不受限制)

#vi autosafe.sh

#!/bin/bash ######################################################################### # # File: autosafe.sh # Description: # Language: GNU Bourne-Again SHell # Version: 1.2 # Date: 2012-3-30 # Corp.: c1gstudio # Author: c1g # WWW: https://blog.c1gstudio.com ### END INIT INFO ############################################################################### if [[ ! -n ${WORKUSER} ]]; then WORKUSER=c1g fi if [[ ! -n ${SSHPORT} ]]; then SSHPORT=22 fi V_DELUSER=”adm lp sync shutdown halt mail news uucp operator games gopher ftp” V_DELGROUP=”adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon” V_PASSMINLEN=8 V_HISTSIZE=30 V_TMOUT=300 V_GROUPNAME=suadmin #V_SERVICE Not working since Version 1.2 V_SERVICE=”acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd xfs xinetd yppasswdd ypserv yum-updatesd tog-pegasus” V_TTY=”3|4|5|6″ V_TTY6=”1-2″ V_SUID=( ‘/usr/bin/chage’ ‘/usr/bin/gpasswd’ ‘/usr/bin/wall’ ‘/usr/bin/chfn’ ‘/usr/bin/chsh’ ‘/usr/bin/newgrp’ ‘/usr/bin/write’ ‘/usr/sbin/usernetctl’ ‘/bin/traceroute’ ‘/bin/mount’ ‘/bin/umount’ ‘/sbin/netreport’ ) linuxvar=`cat /etc/issue.net |head -n1` linuxvar=${linuxvar#*release} linuxvar=${linuxvar:1:1} version=1.2 safe_deluser(){ echo “delete user …” for i in $V_DELUSER ;do echo “deleting $i”; userdel $i ; done } safe_delgroup(){ echo “delete group …” for i in $V_DELGROUP ;do echo “deleting $i”; groupdel $i; done } safe_password(){ echo “change password limit …” echo “/etc/login.defs” echo “PASS_MIN_LEN $V_PASSMINLEN” sed -i “/^PASS_MIN_LEN/s/5/$V_PASSMINLEN/” /etc/login.defs } safe_history(){ echo “change history limit …” echo “/etc/profile” echo “HISTSIZE $V_HISTSIZE” sed -i “/^HISTSIZE/s/1000/$V_HISTSIZE/” /etc/profile } safe_logintimeout(){ echo “change login timeout …” echo “/etc/profile” echo “TMOUT=$V_TMOUT” sed -i “/^HISTSIZE/a\TMOUT=$V_TMOUT” /etc/profile } safe_bashhistory(){ echo “denied bashhistory …” echo “/etc/skel/.bash_logout” echo ‘rm -f $HOME/.bash_history’ if egrep “bash_history” /etc/skel/.bash_logout > /dev/null then echo ‘warning:existed’ else echo ‘rm -f $HOME/.bash_history’ >> /etc/skel/.bash_logout fi } safe_addgroup(){ echo “groupadd $V_GROUPNAME …” groupadd $V_GROUPNAME } safe_sugroup(){ echo “permit $V_GROUPNAME use su …” echo “/etc/pam.d/su” echo “auth sufficient pam_rootok.so debug” echo “auth required pam_wheel.so group=$V_GROUPNAME” echo “gpasswd -a $WORKUSER $V_GROUPNAME” if egrep “auth required pam_wheel.so” /etc/pam.d/su > /dev/null then echo ‘warning:existed’ else sed -i “/^#%PAM/a\auth required pam_wheel.so group=${V_GROUPNAME}” /etc/pam.d/su sed -i “/^#%PAM/a\auth sufficient pam_rootok.so debug” /etc/pam.d/su gpasswd -a $WORKUSER $V_GROUPNAME fi } safe_sudoer(){ echo “permit $WORKUSER use sudo …” echo “/etc/sudoers” echo “$WORKUSER ALL=(ALL) ALL” if [ -n $WORKUSER ] then if egrep “$WORKUSER” /etc/sudoers > /dev/null then echo “warning:existed! ” else echo “$WORKUSER ALL=(ALL) ALL” >> /etc/sudoers echo ‘export PATH=$PATH:/sbin:/usr/sbin’ >> /etc/bashrc echo ‘export LDFLAGS=”-L/usr/local/lib -Wl,-rpath,/usr/local/lib”‘ >> /etc/bashrc echo ‘export LD_LIBRARY_PATH=”/usr/local/lib”‘ >> /etc/bashrc fi else echo “warning:skip! ” fi } safe_denyrootssh(){ echo “denied root login …” echo “/etc/ssh/sshd_config” echo “PermitRootLogin no” sed -i ‘/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/’ /etc/ssh/sshd_config } safe_changesshport(){ echo “change ssh port …” echo “/etc/ssh/sshd_config” echo “Port $SSHPORT” if egrep “Port $SSHPORT” /etc/ssh/sshd_config > /dev/null then echo “warning:existed! ” else echo “Port $SSHPORT” >> “/etc/ssh/sshd_config” fi } safe_stopservice(){ echo “stop services …” for i in $V_SERVICE ;do service $i stop; done } safe_closeservice(){ echo “close services autostart …” for i in $V_SERVICE ;do chkconfig $i off; done } safe_closeservicewhite(){ echo “close services autostart …” for i in `ls /etc/rc3.d/S*` do CURSRV=`echo $i|cut -c 15-` echo $CURSRV case $CURSRV in crond | irqbalance | microcode_ctl | network | sshd | syslog | rsyslog | snmpd | fail2ban | ntpd | lvm2-monitor | iptables | auditd | kdump | sysstat | memcached | smartd | nagios | local | sphinx ) ;; *) echo “change $CURSRV to off” chkconfig –level 235 $CURSRV off service $CURSRV stop ;; esac done } safe_tty(){ echo “close tty …” if [ ${linuxvar} == 6 ]; then echo “/etc/init/start-ttys.conf” echo “/etc/sysconfig/init” echo “ACTIVE_CONSOLES=/dev/tty[${V_TTY6}]” echo “init q” #close tty #initctl stop tty TTY=/dev/tty6 sed -i “/^env ACTIVE_CONSOLES/s/\[1-6\]/\[${V_TTY6}\]/” /etc/init/start-ttys.conf sed -i “/^ACTIVE_CONSOLES/s/\[1-6\]/\[1-2\]/” /etc/sysconfig/init else echo “/etc/inittab” echo “#3:2345:respawn:/sbin/mingetty tty3” echo “#4:2345:respawn:/sbin/mingetty tty4” echo “#5:2345:respawn:/sbin/mingetty tty5” echo “#6:2345:respawn:/sbin/mingetty tty6” sed -i “/^[${V_TTY}]:2345/s/^/#/” /etc/inittab echo “init q” fi init q } safe_ctrlaltdel(){ echo “close ctrl+alt+del to restart server …” if [ ${linuxvar} == 6 ]; then echo “/etc/init/control-alt-delete.conf” echo ‘#exec /sbin/shutdown -r now “Control-Alt-Delete pressed”‘ echo “init q” sed -i ‘/^exec/s/^/#/’ /etc/init/control-alt-delete.conf else echo “/etc/inittab” echo “#ca::ctrlaltdel:/sbin/shutdown -t3 -r now” echo “init q” sed -i ‘/^ca::/s/^/#/’ /etc/inittab fi init q } safe_ipv6(){ echo “close ipv6 …” if [ ${linuxvar} == 6 ]; then echo ‘”alias net-pf-10 off” >> /etc/modprobe.d/ipv6.conf’ echo ‘”options ipv6 disable=1″ >> /etc/modprobe.d/ipv6.conf’ cat > /etc/modprobe.d/ipv6.conf > /etc/modprobe.conf’ echo ‘”alias ipv6 off” >> /etc/modprobe.conf’ if egrep “alias net-pf-10 off” /etc/modprobe.conf > /dev/null then echo “warning:existed! ” else echo “alias net-pf-10 off” >> /etc/modprobe.conf echo “alias ipv6 off” >> /etc/modprobe.conf fi fi echo ‘/sbin/chkconfig ip6tables off’ echo ‘”NETWORKING_IPV6=no” >> /etc/sysconfig/network’ /sbin/chkconfig –level 35 ip6tables off if egrep “NETWORKING_IPV6=no” /etc/sysconfig/network > /dev/null then echo “warning:existed! ” else echo “NETWORKING_IPV6=no” >> /etc/sysconfig/network fi } safe_selinux(){ echo “disable selinux …” echo “sed -i ‘/SELINUX/s/enforcing/disabled/’ /etc/selinux/config ” sed -i ‘/SELINUX/s/enforcing/disabled/’ /etc/selinux/config echo “selinux is disabled,you must reboot!” } safe_vim(){ echo “edit vim …” echo “alias vi=’vim'” sed -i “8 s/^/alias vi=’vim’/” /root/.bashrc cat >/root/.vimrc” echo “” echo ” deluser delete user” echo ” delgroup delete group” echo ” password change password limit” echo ” history change history limit” echo ” logintimeout change login timeout” echo ” bashhistory denied bashhistory” echo ” addgroup groupadd $V_GROUPNAME” echo ” sugroup permit $V_GROUPNAME use su” echo ” denyrootssh denied root login” echo ” stopservice stop services use black list” echo ” closeservice close services use black list” echo ” closeservicewhite close & stop services use white list” echo ” tty close tty” echo ” ctrlaltdel close ctrl+alt+del” echo ” ipv6 close ipv6″ echo ” selinux disabled selinux” echo ” vim edit vim” echo ” lockfile lock user&services” echo ” unlockfile unlock user&services” echo ” chmodinit init script only for root” echo ” chmodcommand remove SUID” echo ” version ” echo “” ;; esac

设置权限

chmod u+x ./autosafe.sh

运行脚本

./autosafe.sh deluser ./autosafe.sh delgroup …..

猛击下载脚本 autosafe1.2.sh

其它参考 linux基本安全配置手册 iptables 默认安全规则脚本

Posted in shell.

Tagged with , , .

rev="post-1356" No comments

By C1G 2012/03/30

centos/rhel 5和6的一点区别

1.安装时,rehl5一般都是在定制完系统后才开始格式化盘,安装相关的包,而rhel6则格式化完硬盘才开始定制系统。 2.rhel6修改ifcfg-eth0文件,保存后网络会马上生效,而不会像以前版本修改后改变需要重启网络 3.centos6.2开始网卡ifcfg-eth0改成ifcfg-em1 4./etc/inittab 文件里相关设定分成了小文件

System initialization is started by /etc/init/rcS.conf

#

Individual runlevels are started by /etc/init/rc.conf

#

Ctrl-Alt-Delete is handled by /etc/init/control-alt-delete.conf

#

Terminal gettys are handled by /etc/init/tty.conf and /etc/init/serial.conf,

with configuration in /etc/sysconfig/init.

5./etc/modprobe.conf不再存在,而是分成/etc/modprobe.d/ 下小文件 6.在RHEL 5.5中系统硬盘在分完区后可以直接使用partprobe更新分区,使内核识别分区。 在RHEL6中分区完毕后使用partprobe无法更新分区,必须重新启动服务器后,分区才可以被正常挂载。 2012-4-10更新 7.mailx由8.1 6/6/93升级成Heirloom Mail version 12.4 7/29/08

=============2012-5-11更新 内核ip_conntrack参数改成,nf_conntrack 在/etc/sysctl.conf中使用老的参数,再用sysctl -p生效会报错

error: “net.ipv4.netfilter.ip_conntrack_max” is an unknown key error: “net.ipv4.netfilter.ip_conntrack_tcp_timeout_established” is an unknown key

改为

net.nf_conntrack_max = 655360 net.netfilter.nf_conntrack_tcp_timeout_established = 36000

参考:http://www.myfreelinux.com/?p=743&cpage=2&replytocom=223803

Posted in LINUX.

Tagged with , .

rev="post-1350" No comments

By C1G 2012/03/30

Lempelf一键安装包更新1.0.3

Lempelf一键安装包是什么?

Lempelf一键安装包是用Shell编写的在Linux平台快速安装常用服务的Shell程序。

ChangeLog 主要修复1.0.3的bug

2012-3-28 发布Lempelf 1.0.3 Bugfix:awstats安装完成后的提示域名地址 Bugfix:nginx安装失败 ./scripts/setup_nginx.sh 第21行文件名修正 Bugfix:php启动时找不到mysqlclient.so.18 (echo “/opt/mysql/lib” > /etc/ld.so.conf.d/mysql.conf && ldconfig) Bugfix:64位下secure日志中的PAM错误 修改/etc/pam.d/su 中路径 Bugfix:centos6的tty,ctrl+alt+del,ipv6 Bugfix:限制可以su的用户 需要su的用户需用gpasswd 添加到组 Change:nginx日志改为保留1月 Feature:新增scripts/firstlog.sh 用于生成文件及运行信息供日后对比

2012-3-23 发布Lempelf 1.0.2 php的magic_quotes_gpc 设为on yum增加cmake mysql升级为Percona-Server-5.5.20-rel24.1 增加/tmp/mysql.sock软链接 php升级成5.2.17并打上hash补丁 隐藏nginx版本号为1.0 nginx.conf中隐藏版本号 修改autosafe.sh中自动运行的服务 升级pcre到pcre-8.30 phpmyadmin更新至phpMyAdmin-3.4.10.1-all-languages

2012-3-28 16:00再次更新 2012-3-30 14:30再次更新 2012-3-30 18:00再次更新

https://blog.c1gstudio.com/lempelfpage

Posted in Lempelf一键包.

Tagged with .

rev="post-1340" No comments

By C1G 2012/03/28

Lempelf一键包更新 1.0.2

Lempelf一键安装包是什么?

Lempelf一键安装包是用Shell编写的在Linux平台快速安装常用服务的Shell程序。

ChangeLog 主要提升性能及安全

2012-3-23 发布Lempelf 1.0.2 php的magic_quotes_gpc 设为on yum增加cmake mysql升级为Percona-Server-5.5.20-rel24.1 增加/tmp/mysql.sock软链接 php升级成5.2.17并打上hash补丁 隐藏nginx版本号为1.0 nginx.conf中隐藏版本号 修改autosafe.sh中自动运行的服务 升级pcre到pcre-8.30 phpmyadmin更新至phpMyAdmin-3.4.10.1-all-languages

https://blog.c1gstudio.com/lempelfpage

Posted in Lempelf一键包.

Tagged with .

rev="post-1332" No comments

By C1G 2012/03/23

phpMyAdmin 3.3.X and 3.4.X 含有注入漏洞

测试过受影响版本 phpmyadmin versions: 3.3.6, 3.3.10, 3.4.0, 3.4.5, 3.4.7

另3.0也有sql注入漏洞

目前最新稳定版为phpMyAdmin 3.4.10.1 注意升级 http://www.phpmyadmin.net/home_page/downloads.php

参考: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107 http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/

Posted in 安全通告.

Tagged with , .

rev="post-1325" No comments

By C1G 2012/03/23

PHP一句话木马及查杀

常见的木马基本上有如下特征 1.接收外部变量 常见如:$_GET,$_POST 更加隐蔽的$_FILES,$_REQUEST…

2.执行函数 获取数据后还需执行它 常见如:eval,assert,preg_replace 隐藏变种:

include($_POST[‘a’]); $hh = “p”.”r”.”e”.”g”.”_”.”r”.”e”.”p”.”l”.”a”.”c”.”e”; $hh(“/[discuz]/e”,$_POST[‘h’],”Access”); @preg_replace(‘/ad/e’,’@’.str_rot13(‘riny’).'($b4dboy)’, ‘add’);

使用urldecode,gzinflate,base64_decode等加密函数

3.写入文件 获取更多的权限 如:copy,file_get_contents,exec

一般的建议是打开safe_mode 或使用disable_functions 等来提升安全性; 可能有些程序无法正常运行,基本的安全设置 php.ini中

expose_php = OFF register_globals = Off display_errors = Off cgi.fix_pathinfo=0 magic_quotes_gpc = On allow_url_fopen = Off allow_url_include = Off 配置open_basedir

查找木马脚本 查找隐藏特征码及入口可以找出大部分的木马.

#!/bin/bash findpath=./ logfile=findtrojan.log echo -e $(date +%Y-%m-%d_%H:%M:%S)” start\r” >>$logfile echo -e ‘============changetime list==========\r\n’ >> ${logfile} find ${findpath} -name “*.php” -ctime -3 -type f -exec ls -l {} \; >> ${logfile} echo -e ‘============nouser file list==========\r\n’ >> ${logfile} find ${findpath} -nouser -nogroup -type f -exec ls -l {} \; >> ${logfile} echo -e ‘============php one word trojan ==========\r\n’ >> ${logfile} find ${findpath} -name “*.php” -exec egrep -I -i -C1 -H ‘exec\(|eval\(|assert\(|system\(|passthru\(|shell_exec\(|escapeshellcmd\(|pcntl_exec\(|gzuncompress\(|gzinflate\(|unserialize\(|base64_decode\(|file_get_contents\(|urldecode\(|str_rot13\(|\$_GET|\$_POST|\$_REQUEST|\$_FILES|\$GLOBALS’ {} \; >> ${logfile} #使用使用-l 代替-C1 -H 可以只打印文件名 echo -e $(date +%Y-%m-%d_%H:%M:%S)” end\r” >>$logfile more $logfile

Posted in 安全, 技术.

Tagged with , .

rev="post-1316" 2 comments

By C1G 2012/03/21

正则表达式口诀

正则其实也势利,削尖头来把钱揣; (指开始符号^和结尾符号$) 特殊符号认不了,弄个倒杠来引路; (指. *等特殊符号) 倒杠后面跟小w, 数字字母来表示; (w跟数字字母;\d跟数字) 倒杠后面跟小d, 只有数字来表示; 倒杠后面跟小a, 报警符号嘀一声; 倒杠后面跟小b, 单词分界或退格; 倒杠后面跟小t, 制表符号很明了; 倒杠后面跟小r, 回车符号知道了; 倒杠后面跟小s, 空格符号很重要; 小写跟罢跟大写,多得实在不得了; 倒杠后面跟大W, 字母数字靠边站; 倒杠后面跟大S, 空白也就靠边站; 倒杠后面跟大D, 数字从此靠边站; 倒框后面跟大B, 不含开头和结尾;

单个字符要重复,三个符号来帮忙; ( + ?) 0 星加1 到无穷,问号只管0 和1; (表0-n;+表1-n;?表0-1次重复) 花括号里学问多,重复操作能力强; ({n} {n,} {n,m}) 若要重复字符串,园括把它括起来; ((abc){3} 表示字符串“abc”重复3次 ) 特殊集合自定义,中括号来帮你忙; 转义符号行不通,一个一个来排队; 实在多得排不下,横杠请来帮个忙; ([1-5]) 尖头放进中括号,反义定义威力大; ([^a]指除“a”外的任意字符 ) 1竖作用可不小,两边正则互替换; (键盘上与“”是同一个键) 1竖能用很多次,复杂定义很方便; 园括号,用途多; 反向引用指定组,数字排符对应它; (“(\w+)\b\s+\1\b”中的数字“1”引用前面的“(\w+)”) 支持组名自定义,问号加上尖括号; (“(?

\w+)”中把“w+”定义为组,组名为“Word”) 园括号,用途多,位置指定全靠它; 问号等号字符串,定位字符串前面; (“\w+(?=ing\b)”定位“ing”前面的字符串) 若要定位串后面,中间插个小于号; (“(?

Posted in 文档理论.

Tagged with .

rev="post-1322" No comments

By C1G 2012/02/28

find搜索如何排除文件及目录

查找cache目录下不是html的文件

find ./cache ! -name ‘*.html’ -type f

列出当前目录下的目录名,排除includes目录,后面的-print不能少

find . -path ‘./includes’ -prune -o -type d -maxdepth 1 -print

2012-3-26更新 排除多个目录,”(“前是带”\”的

find / \( -path /home/ -o -path /root \) -prune -nouser -type f -exec ls -l {} \;

Posted in Linux 命令.

Tagged with .

rev="post-1320" No comments

By C1G 2012/02/24