-
-
[分享][原创]服务器文件监测脚本
-
发表于: 2016-8-30 16:30
-
为了能监测服务器程序文件变动情况,防止有类似上传目录被植入webshell后门文件,一些rootkit修改了系统默认命令,删除了配置文件等行为,写了个脚本,原理很简单,针对一些关键目录,入/usr/bin,/bin,/usr/sbin,/var/www/html等核心目录,计算每个文件等md5哈希,先生成一份正常的md5哈希文件file_monitor.txt,后续定时计划去跑脚本,如果监测到终点关注的几个敏感目录下,有文件删除、更新、创建等行文,将外发邮件告警。
1、首先需要生成对比参照的MD5文件,file_hash.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
import sys
import time
import hashlib
from multiprocessing.dummy import Pool as ThreadPool
def File_Search(filename):
for lists in os.listdir(filename):
path = os.path.join(filename, lists)
if os.path.isfile(path):
File_Hash(path)
if os.path.isdir(path):
File_Search(path)
return True
def File_Hash(filename):
fp = open(filename, 'rb')
fdata = fp.read()
fp.close()
md5 = hashlib.md5()
md5.update(fdata)
fw = open('file_monitor.txt','a')
fw.write(filename+"==>"+md5.hexdigest()+"\n")
if __name__=='__main__':
start = time.clock()
if File_Search('/usr/bin') and File_Search('/usr/sbin') and File_Search('/bin') and File_Search('/var/www/htdocs'):
end = time.clock()
print '文件MD5哈希计算完毕,共运行时长:' + str(end - start)
2、监测脚本file_sec.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
import hashlib
import sys
from multiprocessing.dummy import Pool as ThreadPool
import smtplib
from email.mime.text import MIMEText
import json
import string
hash_list = []
result = []
def File_Search(filename):
for lists in os.listdir(filename):
path = os.path.join(filename, lists)
if os.path.isfile(path):
File_Hash(path)
if os.path.isdir(path):
File_Search(path)
return True
def File_Hash(filename):
fp = open(filename, 'rb')
fdata = fp.read()
fp.close()
md5 = hashlib.md5()
md5.update(fdata)
hash_list.append(filename+"==>"+md5.hexdigest()+"\n")
def Hash_Comp():
fp = open('/var/www/sec/file_monitor.txt').readlines()
for line in hash_list:
if line not in fp: #File is created、updated、changed
result.append(str(line).strip()+"\n")
for line1 in fp: #File is deleted
if line1 not in hash_list:
result.append(str(line).strip()+"\n")
return True
def Send_Mail(content):
host = 'smtp.sina.com'
port = 25
sender = 'xx@sina.com' # 发送者
pwd = 'xxxxxxx' #
receiver = ['xx@qq.com', 'tt@sina.com']
body = content # 设置邮件正文
msg = MIMEText(body, 'html', 'utf-8') # 设置正文为符合邮件格式的HTML内容
msg['subject'] = '[Warning,File exception..!!!]' # 设置邮件标题
msg['from'] = sender # 设置发送人
msg['to'] = ';'.join(receiver) # 设置接收人
s = smtplib.SMTP(host, port) # 注意!如果是使用SSL端口,这里就要改为SMTP_SSL
s.login(sender, pwd) # 登陆邮箱
s.sendmail(sender, receiver, msg.as_string())
print 'Send mail ok'
if __name__=='__main__':
if File_Search('/usr/bin') and File_Search('/usr/sbin') and File_Search('/bin') and File_Search('/var/www/htdocs'):
if Hash_Comp():
if result:
Content = ''.join(result)
Send_Mail(Content)
else:
sys.exit(0)
3、crontab,根据需要,一般2小时跑一次
0 */2 * * * /usr/bin/python /var/www/sec/file_sec.py
1、首先需要生成对比参照的MD5文件,file_hash.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
import sys
import time
import hashlib
from multiprocessing.dummy import Pool as ThreadPool
def File_Search(filename):
for lists in os.listdir(filename):
path = os.path.join(filename, lists)
if os.path.isfile(path):
File_Hash(path)
if os.path.isdir(path):
File_Search(path)
return True
def File_Hash(filename):
fp = open(filename, 'rb')
fdata = fp.read()
fp.close()
md5 = hashlib.md5()
md5.update(fdata)
fw = open('file_monitor.txt','a')
fw.write(filename+"==>"+md5.hexdigest()+"\n")
if __name__=='__main__':
start = time.clock()
if File_Search('/usr/bin') and File_Search('/usr/sbin') and File_Search('/bin') and File_Search('/var/www/htdocs'):
end = time.clock()
print '文件MD5哈希计算完毕,共运行时长:' + str(end - start)
2、监测脚本file_sec.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
import hashlib
import sys
from multiprocessing.dummy import Pool as ThreadPool
import smtplib
from email.mime.text import MIMEText
import json
import string
hash_list = []
result = []
def File_Search(filename):
for lists in os.listdir(filename):
path = os.path.join(filename, lists)
if os.path.isfile(path):
File_Hash(path)
if os.path.isdir(path):
File_Search(path)
return True
def File_Hash(filename):
fp = open(filename, 'rb')
fdata = fp.read()
fp.close()
md5 = hashlib.md5()
md5.update(fdata)
hash_list.append(filename+"==>"+md5.hexdigest()+"\n")
def Hash_Comp():
fp = open('/var/www/sec/file_monitor.txt').readlines()
for line in hash_list:
if line not in fp: #File is created、updated、changed
result.append(str(line).strip()+"\n")
for line1 in fp: #File is deleted
if line1 not in hash_list:
result.append(str(line).strip()+"\n")
return True
def Send_Mail(content):
host = 'smtp.sina.com'
port = 25
sender = 'xx@sina.com' # 发送者
pwd = 'xxxxxxx' #
receiver = ['xx@qq.com', 'tt@sina.com']
body = content # 设置邮件正文
msg = MIMEText(body, 'html', 'utf-8') # 设置正文为符合邮件格式的HTML内容
msg['subject'] = '[Warning,File exception..!!!]' # 设置邮件标题
msg['from'] = sender # 设置发送人
msg['to'] = ';'.join(receiver) # 设置接收人
s = smtplib.SMTP(host, port) # 注意!如果是使用SSL端口,这里就要改为SMTP_SSL
s.login(sender, pwd) # 登陆邮箱
s.sendmail(sender, receiver, msg.as_string())
print 'Send mail ok'
if __name__=='__main__':
if File_Search('/usr/bin') and File_Search('/usr/sbin') and File_Search('/bin') and File_Search('/var/www/htdocs'):
if Hash_Comp():
if result:
Content = ''.join(result)
Send_Mail(Content)
else:
sys.exit(0)
3、crontab,根据需要,一般2小时跑一次
0 */2 * * * /usr/bin/python /var/www/sec/file_sec.py
|
|
|---|---|
|
|
|
|
|
|
|
|
|
