shell-script-pt

Script that kills unauthorized processes


From: Marcelo Salavee Lemos
Subject: Script that kills unauthorized processes
Date: Tue, 25 Sep 2007 08:42:52 -0300
User-agent: Thunderbird 2.0.0.6 (X11/20070728)

Good morning,

With your help I arrived at a draft port monitor, as below:

-----------------

#!/bin/bash
# Watches the set of listening sockets and mails root when it changes.

MAILTO="root"
HOSTNAME=$(hostname)
SUBJECT="Attention: Ports changed on $HOSTNAME WARNING!"

# One line per listener: command/user/address:port.  lsof -i needs root to
# see other users' processes; -n -P keep addresses and ports numeric.  smtpd
# children are filtered out because Postfix starts and stops them constantly.
# $(NF-1) is the NAME column (address:port), the field just before "(LISTEN)".
getports() {
    lsof -i -n -P | grep -v smtpd |
        awk '/LISTEN/{print $1"/"$3"/"$(NF-1)}' | sort -u
}

VELHO="$(getports)"
echo -e "Authorized ports:\n${VELHO}"

while sleep 20; do
    NOVO="$(getports)"
    # "<" lines appeared since the last check, ">" lines disappeared
    DIFF=$(diff <(echo "$NOVO") <(echo "${VELHO}"))
    if [[ -n $DIFF ]]; then
        DATE=$(date +"%F-%T")   # stamp the change itself, not the script start
        echo "Port change DETECTED. Plan B going into ACTION!"
        mail -s "${SUBJECT}" "$MAILTO" <<EOF
########################################################
############## PORT CHANGED AT $DATE ###################
########################################################
${DIFF}
########################################################
############## Status before the change: ###############
${VELHO}
########################################################
############## Status after the change: ################
${NOVO}
########################################################
EOF
    fi
    VELHO="$NOVO"
done

--------------------------------------

What I would like now is to restrict the services, that is, there is an "old" list, and if another service
shows up that does not belong to the "old" list, the server would do a "kill -9" on the process
and send an e-mail...

something like using:

netstat -nap|grep 0.0.0.0|grep LISTEN

Authorized ports:

tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      13816/smbd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20941/httpd
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      19429/sshd
tcp        0      0 143.107.179.241:22      0.0.0.0:*               LISTEN      19429/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      18239/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      13816/smbd

and if this showed up:

tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      13816/smbd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20941/httpd
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      19429/sshd
tcp        0      0 143.107.179.241:22      0.0.0.0:*               LISTEN      19429/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      18239/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      13816/smbd
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      13856/sshd
tcp        0      0 0.0.0.0:5777            0.0.0.0:*               LISTEN      14856/sshd

Then it would "kill" the processes (13856-13056-14856) and send an
e-mail....

That's it...

Thanks in advance...

Regards,

Marcelo


---------------------------------------------------------------------
This message may contain confidential information.
If you are not the addressee or authorized person to receive it for the
addressee, you must not use, copy, disclose or take any action based on
this message or any information herein. If you have received this message
in error, please advise the sender immediately by replying this e-mail message and delete it.
Thanks in advance for your cooperation.
----------------------------------------------------------------------
                 Faculdade de Medicina USP
----------------------------------------------------------------------



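The enforcement step the post asks for (an allowlist of listeners, kill anything else, mail root), written as an added example that is not part of the original message or the poster's script. It assumes the classic Linux `netstat -tlnp` column layout shown in the post (`ss -tlnp` prints a different layout and would need its own parser), and root privileges for a real run, since netstat shows "-" instead of a PID for processes it cannot inspect. The allowlist keys on both address:port and program name, which is what catches the rogue "sshd" on 0.0.0.0:7777 in the post's example; an allowlist of program names alone would let it through. The sample listing and the allowlist are constructed from the two listings in the post.

```shell
#!/bin/bash
# Added example (not the original poster's script): enforce an allowlist of
# listening sockets.  Every listener that is not on the list is reported and,
# when DRY_RUN=no, killed with SIGKILL and mailed to $MAILTO.
# Assumptions: Linux "netstat -tlnp" output in the column layout shown in the
# post (Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program),
# and root privileges for a real run (netstat prints "-" for PIDs it cannot see).

MAILTO="root"
nl='
'

# Allowlist of "local_address:port program" pairs, constructed from the
# "Authorized ports" listing in the post.  Matching on BOTH fields means a
# second sshd bound to 0.0.0.0:7777 is unauthorized even though sshd itself
# is a trusted program.
AUTHORIZED='
0.0.0.0:993 dovecot
0.0.0.0:995 dovecot
0.0.0.0:139 smbd
0.0.0.0:110 dovecot
0.0.0.0:143 dovecot
0.0.0.0:80 httpd
127.0.0.1:22 sshd
143.107.179.241:22 sshd
0.0.0.0:25 master
0.0.0.0:445 smbd
'

# Constructed sample: the "and if this showed up" listing from the post, in the
# layout netstat -tlnp prints (header lines included on purpose).
SAMPLE_LISTING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      13816/smbd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      22277/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20941/httpd
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      19429/sshd
tcp        0      0 143.107.179.241:22      0.0.0.0:*               LISTEN      19429/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      18239/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      13816/smbd
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      13856/sshd
tcp        0      0 0.0.0.0:5777            0.0.0.0:*               LISTEN      14856/sshd'

# Read netstat -tlnp output on stdin; print "pid program local_address" for
# every LISTEN socket whose (address:port, program) pair is not in the
# allowlist passed as $1.  PID "-" means netstat could not see the owner.
find_unauthorized() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (lines[i] ~ /^[[:space:]]*$/) continue
            split(lines[i], f, " ")          # " " = default field splitting
            ok[f[1] " " f[2]] = 1
        }
    }
    $6 == "LISTEN" && $7 != "" {
        split($7, pp, "/")                   # "13856/sshd" -> pid, program
        if (pp[2] == "") pp[2] = "?"         # "-" when not running as root
        key = $4 " " pp[2]
        if (!(key in ok)) print pp[1], pp[2], $4
    }'
}

# Report every unauthorized listener from the listing in $1 against the
# allowlist in $2.  With DRY_RUN=yes (the default) nothing is killed or mailed,
# so the script is safe to try; set DRY_RUN=no for enforcement.
enforce() {
    local listing="$1" allow="$2" dry_run="${DRY_RUN:-yes}"
    local offenders report="" pid prog addr
    offenders="$(printf '%s\n' "$listing" | find_unauthorized "$allow")"
    [ -n "$offenders" ] || return 0
    while read -r pid prog addr; do
        if [ "$dry_run" = yes ]; then
            report="${report}would kill $pid ($prog listening on $addr)$nl"
        elif [ "$pid" = "-" ]; then
            report="${report}owner of listener on $addr unknown, run as root$nl"
        elif kill -9 "$pid" 2>/dev/null; then
            report="${report}killed $pid ($prog listening on $addr)$nl"
        else
            report="${report}failed to kill $pid ($prog listening on $addr)$nl"
        fi
    done <<EOF
$offenders
EOF
    printf '%s' "$report"
    if [ "$dry_run" != yes ]; then
        printf '%s' "$report" |
            mail -s "Unauthorized listeners on $(hostname) at $(date +%F-%T)" "$MAILTO"
    fi
}

# Stand-alone demo against the constructed listing (dry run by default).
# Live use, as root, inside the poster's sleep loop:
#   enforce "$(netstat -tlnp 2>/dev/null)" "$AUTHORIZED"
if [ "${1:-}" = "--demo" ]; then
    enforce "$SAMPLE_LISTING" "$AUTHORIZED"
fi
```

Two caveats a practitioner would want before switching DRY_RUN to no: a `kill -9` removes the listener but not whoever started it, so the process can simply be started again between two checks, and the check itself only sees sockets that already exist when it runs. Treat the kill as containment and the mail as the real value, and capture `ps -fp PID` and `ls -l /proc/PID/exe` into the report before the kill, while the process still exists, so there is something to investigate afterwards.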