Linux服务器全用户文件外发行为检测

我超怕的 -https://www.cnblogs.com/iAmSoScArEd/p/17727571.html

Code

#!/bin/bash

# Specify the directory where user home directories are located
USER_HOME_DIR="/home"

# Specify the file transfer commands you want to monitor
TRANSFER_COMMANDS=("scp" "rsync" "nc" "curl" "ssh" "ftp" "gdb" "gimp" "irb" "ksh" "openssl" "restic" "rvim" "socat" "tar" "python" "ruby" "php")

# Loop through each user's bash history
for user_dir in "$USER_HOME_DIR"/*; do
    if [ -d "$user_dir" ]; then
        username=$(basename "$user_dir")
        history_file="$user_dir/.bash_history"

        if [ -f "$history_file" ]; then
            echo "Checking history for user: $username"
            
            for command in "${TRANSFER_COMMANDS[@]}"; do
                grep -E "\b$command\b" "$history_file" | while read -r line; do
                    echo "User $username executed: $line"
                    # You can add your own logic here to transfer files or take actions
                done
            done
        fi
    fi
done

How To Use

1、起一个http能通过http下载文件的（不会？不知道？ 快速起：在check.sh目录下执行python3 -m http.server 9999，快速起一个9999端口的http服务），把上面的脚本放到check.sh中
2、在需要检测的主机下执行如下命令，使用前替换url（一定要sudo运行，因为部分账号的命令需要root权限）

cd /tmp && wget http://url/check.sh && chmod 777 check.sh && sudo ./check.sh && rm -f ./check.sh

3、会检查所有的命令结果，匹配的均会输出，根据审查的严格、宽松，自行调整TRANSFER_COMMANDS的命令

Tips

1、这种检测方式为历史执行命令检测，可以检测最基础的外发行为，如果是使用程序级别的外发，需要使用其他更高阶的方法。