Linux安全检测shell脚本

#!/bin/bash

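# Recipient of the summary e-mail (replace with a real mailbox before use).
EMAIL_RECIPIENT="[email protected]"

# Candidate website document roots; the first one that exists is scanned.
COMMON_WEBSITE_DIRS=(
    "/var/www/html"          # LAMP default document root
    "/usr/share/nginx/html"  # Nginx default document root
    "/srv/www"               # OpenSUSE default
    "/www/wwwroot"           # BT (aaPanel) panel default website directory
)

# Candidate web-server log directories; the first one that exists is analysed.
COMMON_LOG_DIRS=(
    "/var/log/apache2"  # Apache log directory
    "/var/log/httpd"    # CentOS Apache log directory
    "/var/log/nginx"    # Nginx log directory
    "/www/wwwlogs"      # BT panel log directory
)

# Webshell / injected-code indicators. Each entry is handed to `grep -q -i`
# as a basic regular expression, so a hit is essentially a case-insensitive
# substring match. Generic names such as "include", "require" and "\$_GET"
# occur in almost every legitimate PHP file, so hits on them are
# low-signal and need manual review rather than being treated as a verdict.
SUSPICIOUS_CODE_PATTERNS=(
    "eval" "assert" "system" "exec" "passthru" "call_user_func"
    "create_function" "base64_decode" "gzinflate" "str_rot13"
    "shell_exec" "preg_replace" "file_put_contents" "include" "require"
    "\$_GET" "\$_POST" "\$_REQUEST" "c99shell" "r57shell" "phpinfo"
)

# Suspicious request indicators. Each entry is matched against an access-log
# line with bash `[[ =~ ]]`, i.e. as an extended regular expression, so regex
# metacharacters must be escaped to match literally:
#   "eval\("   - an unescaped "(" is an invalid ERE and never matches anything
#   "php\?id=" - an unescaped "?" makes the "p" optional instead of literal
# "wp-admin" and "POST.*multipart/form-data" also match ordinary admin
# logins and file uploads, so expect noise from those two.
SUSPICIOUS_REQUEST_PATTERNS=(
    "\.\./" "php\?id=" "base64_encode" "wp-admin"
    "eval\(" "UNION SELECT" "\.php\.bak" "\.(sql|zip|tar|gz)$"
    "POST.*multipart/form-data" "cmd=" "r57shell" "c99shell"
)

# Possible locations of the authentication log (first existing file wins).
PRIVILEGE_LOG_FILES=(
    "/var/log/auth.log"    # Ubuntu/Debian
    "/var/log/secure"      # CentOS/RedHat
)

# Accumulated report text. Line breaks are stored as the two characters
# "\n" and expanded only when the report is printed or mailed.
SUMMARY_REPORT=""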

# 动态显示进度
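# Print a carriage-return-overwritten progress message on stdout.
# Arguments:
#   $1 - short description of the step in progress
# The one-second pause is deliberate: it keeps each stage's message readable.
# printf '%s' is used instead of `echo -e` so that backslash sequences in the
# message text are printed literally rather than interpreted.
show_progress() {
    local progress_msg="$1"
    printf '\r[正在处理] %s...' "$progress_msg"
    sleep 1
}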

# 自动查找目录
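# Print the first existing directory from the argument list, or an empty
# line when none of them exists.
# Arguments:
#   $@ - candidate directory paths, in priority order
# Outputs: the chosen path (or "") on stdout
# Returns: 0 always; callers test the printed value, not the exit status
find_valid_dir() {
    local candidate
    for candidate in "$@"; do
        if [[ -d "$candidate" ]]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf '\n'
}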

# 自动查找日志文件
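# Print the first existing regular file from the argument list, or an empty
# line when none of them exists. Readability is not checked here; the
# caller decides how to report a file it cannot open.
# Arguments:
#   $@ - candidate file paths, in priority order
# Outputs: the chosen path (or "") on stdout
# Returns: 0 always; callers test the printed value, not the exit status
find_log_file() {
    local candidate
    for candidate in "$@"; do
        if [[ -f "$candidate" ]]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf '\n'
}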

# 提权日志分析
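# Scan the authentication log for privilege-related events and append the
# findings to SUMMARY_REPORT.
# Globals:
#   SUMMARY_REPORT (written) - "\n" is appended literally because the
#                              report is expanded with `echo -e` later
# Arguments:
#   $1 - path of the auth log (empty string if none was found)
# The patterns are extended regular expressions tested per line; "sudo" and
# "su " also match routine administrative activity, so the output is a list
# for review rather than a verdict.
check_privilege_logs() {
    local log_file="$1"
    if [[ -z "$log_file" ]]; then
        SUMMARY_REPORT+="未找到提权日志文件。\n"
        return
    fi
    # An unreadable log (typically: not running as root) must be reported as
    # such, not as "nothing suspicious found".
    if [[ ! -r "$log_file" ]]; then
        SUMMARY_REPORT+="[提权日志分析]\n无法读取日志文件: $log_file\n"
        return
    fi

    show_progress "分析提权日志"
    local -a suspicious_patterns=("sudo" "root login" "su " "FAILED LOGIN")
    local alerts="" line pattern

    # IFS= keeps leading/trailing whitespace; the `|| [[ -n ]]` clause keeps
    # a final line that lacks a trailing newline.
    while IFS= read -r line || [[ -n "$line" ]]; do
        for pattern in "${suspicious_patterns[@]}"; do
            if [[ "$line" =~ $pattern ]]; then
                alerts+="$line\n"
                break   # report each line once, however many patterns hit
            fi
        done
    done < "$log_file"

    if [[ -n "$alerts" ]]; then
        SUMMARY_REPORT+="[提权日志分析]\n$alerts\n"
    else
        SUMMARY_REPORT+="[提权日志分析]\n未发现可疑提权行为。\n"
    fi
}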

# 网站运行日志分析
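# Scan every *.log file under the web-server log directory for request lines
# matching SUSPICIOUS_REQUEST_PATTERNS and append the hits to SUMMARY_REPORT.
# Globals:
#   SUSPICIOUS_REQUEST_PATTERNS (read) - extended regular expressions
#   SUMMARY_REPORT (written)
# Arguments:
#   $1 - log directory (empty string if none was found)
# Rotated logs (access.log.1, *.gz) do not match "*.log" and are not read.
# Log files that exist but cannot be read are listed in the report instead
# of being silently skipped.
analyze_access_logs() {
    local log_dir="$1"
    if [[ -z "$log_dir" ]]; then
        SUMMARY_REPORT+="未找到有效的网站运行日志目录。\n"
        return
    fi

    show_progress "分析网站运行日志"
    local alerts="" log_file line pattern

    # -print0 / -d '' keeps file names containing whitespace or newlines intact.
    while IFS= read -r -d '' log_file; do
        if [[ ! -r "$log_file" ]]; then
            alerts+="无法读取日志: $log_file\n"
            continue
        fi
        while IFS= read -r line || [[ -n "$line" ]]; do
            for pattern in "${SUSPICIOUS_REQUEST_PATTERNS[@]}"; do
                if [[ "$line" =~ $pattern ]]; then
                    alerts+="可疑请求: $line 来自日志: $log_file\n"
                    break   # one alert per line, however many patterns hit
                fi
            done
        done < "$log_file"
    done < <(find "$log_dir" -type f -name "*.log" -print0)

    if [[ -n "$alerts" ]]; then
        SUMMARY_REPORT+="[网站运行日志分析]\n$alerts\n"
    else
        SUMMARY_REPORT+="[网站运行日志分析]\n未发现异常请求。\n"
    fi
}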

# 挂马检测
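# Scan every regular file under the web root for webshell indicators and for
# world-writable permissions, appending findings to SUMMARY_REPORT.
# Globals:
#   SUSPICIOUS_CODE_PATTERNS (read) - basic regular expressions for grep
#   SUMMARY_REPORT (written)
# Arguments:
#   $1 - directory to scan (empty string if none was found)
# Notes:
#   - grep -q -i is a plain content search, so generic names such as
#     "include" or "require" flag ordinary PHP files; the result is a list
#     for review, not a verdict.
#   - The permission check flags any file writable by "other" (last octal
#     digit 2, 3, 6 or 7), not only the exact 777 case.
#   - stat -c '%a' is GNU coreutils syntax; where stat fails (BSD/macOS)
#     the permission check is skipped for that file.
scan_for_malware() {
    local scan_dir="$1"
    if [[ -z "$scan_dir" ]]; then
        SUMMARY_REPORT+="未找到有效的网站目录。\n"
        return
    fi

    show_progress "扫描网站目录中的文件挂马"
    local alerts="" file pattern perms

    # -print0 / -d '' keeps file names containing whitespace or newlines intact.
    while IFS= read -r -d '' file; do
        [[ -f "$file" ]] || continue
        if [[ ! -r "$file" ]]; then
            alerts+="无法读取文件: $file\n"
            continue
        fi
        for pattern in "${SUSPICIOUS_CODE_PATTERNS[@]}"; do
            if grep -q -i -- "$pattern" "$file"; then
                alerts+="发现可疑代码: $file 包含模式: $pattern\n"
            fi
        done

        # World-writable files can be modified by every local account.
        perms=$(stat -c '%a' -- "$file" 2>/dev/null) || continue
        if [[ "${perms: -1}" == [2367] ]]; then
            alerts+="发现权限异常的文件: $file 权限: $perms\n"
        fi
    done < <(find "$scan_dir" -type f -print0)

    if [[ -n "$alerts" ]]; then
        SUMMARY_REPORT+="[挂马检测]\n$alerts\n"
    else
        SUMMARY_REPORT+="[挂马检测]\n未发现可疑挂马行为。\n"
    fi
}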

# 邮件发送简报
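# Mail SUMMARY_REPORT to EMAIL_RECIPIENT and print the delivery result.
# Globals:
#   SUMMARY_REPORT (read), EMAIL_RECIPIENT (read)
# Outputs: confirmation on stdout; a notice on stderr when `mail` is missing
#          or exits non-zero, so a failed delivery is not reported as success
# Returns: 0 on success, 1 when the report could not be handed to `mail`
send_summary_email() {
    if ! command -v mail >/dev/null 2>&1; then
        printf '\n未找到 mail 命令，简报未发送到: %s\n' "$EMAIL_RECIPIENT" >&2
        return 1
    fi
    # %b expands the literal "\n" sequences accumulated in the report.
    if printf '%b\n' "$SUMMARY_REPORT" | mail -s "安全监测简报" "$EMAIL_RECIPIENT"; then
        printf '\n简报已发送到: %s\n' "$EMAIL_RECIPIENT"
    else
        printf '\n简报发送失败，收件人: %s\n' "$EMAIL_RECIPIENT" >&2
        return 1
    fi
}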

# 主函数
# Entry point: locate the web root, the web log directory and the auth log,
# run the three checks, then print and mail the accumulated SUMMARY_REPORT.
main() {
    local website_dir
    local log_dir
    local privilege_log

    echo "[开始综合环境安全监测]"

    website_dir=$(find_valid_dir "${COMMON_WEBSITE_DIRS[@]}")
    log_dir=$(find_valid_dir "${COMMON_LOG_DIRS[@]}")
    privilege_log=$(find_log_file "${PRIVILEGE_LOG_FILES[@]}")

    check_privilege_logs "$privilege_log"
    analyze_access_logs "$log_dir"
    scan_for_malware "$website_dir"

    printf '\n[综合环境安全监测完成]\n\n'
    printf '%b\n' "$SUMMARY_REPORT"
    send_summary_email
}

# Run the checks when the script is executed.
main "$@"

这是一个用于监测常见网站是否被挂马或被提权的 shell 脚本。

