Scripts
Reverse shell detection:
Dependency:
ss
Script:
#!/bin/bash
# Path of the detection log; written by initialize_log and appended to by
# check_connections (needs write access to /var/log, i.e. normally root).
LOG_FILE='/var/log/reverse_shell_detection_ss.log'
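#######################################
# Start a fresh detection log and stamp the monitoring start time.
# Globals:   LOG_FILE (written; truncated on every start)
# Outputs:   error on stderr if the log cannot be written
# Returns:   0 on success, 1 if LOG_FILE is not writable
#######################################
initialize_log() {
  # Fail loudly here: if the log is not writable (e.g. not running as root
  # for /var/log) every later alert would also fail to be recorded, and the
  # original unchecked redirection hid that.
  if ! printf '%s\n' "Initializing Reverse Shell Detection Log with ss" > "$LOG_FILE"; then
    printf 'Cannot write log file %s\n' "$LOG_FILE" >&2
    return 1
  fi
  printf '%s\n' "Monitoring started at $(date)" >> "$LOG_FILE"
  printf '%s\n' "---------------------------------------------" >> "$LOG_FILE"
}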
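#######################################
# Scan established sockets for ports commonly used by reverse shells.
# Globals:   LOG_FILE (appended to for every alert)
# Outputs:   one "[ALERT] ..." line per match on stdout and in LOG_FILE
# Returns:   status of the pipeline (0 when ss and awk succeed)
#######################################
check_connections() {
  # Ports frequently chosen by off-the-shelf reverse-shell payloads. This is
  # a heuristic: legitimate software may use them and an intruder can pick
  # any port, so a hit is a lead to investigate, not proof of compromise.
  local -a common_ports=(4444 5555 6666)
  local line port
  # Keep only established TCP/UDP sockets and print "local:port peer:port".
  # ss prints "State" in column 2 of its header, so the filter drops it too.
  ss -tunap | awk '$2 == "ESTAB" { print $5, $6 }' | while IFS= read -r line; do
    for port in "${common_ports[@]}"; do
      # A trailing space is appended before matching so that the *peer*
      # port (last field, no space after it) is checked as well as the local
      # one. A reverse shell connects outbound, so the suspicious port is
      # usually the peer's; the pattern ":PORT " cannot match a longer port
      # number that merely ends in the same digits.
      if [[ "$line " == *":$port "* ]]; then
        printf '%s\n' "[ALERT] Potential reverse shell detected on port $port: $line" | tee -a "$LOG_FILE"
      fi
    done
  done
}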
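# Main monitoring loop: poll every CHECK_INTERVAL seconds (default 60).
# The interval comes from the environment so the poll rate can be tuned
# without editing the script; unset keeps the original 60-second cadence.
# Abort if the log cannot be set up, otherwise alerts would go unrecorded.
initialize_log || exit 1
interval="${CHECK_INTERVAL:-60}"
# A non-numeric interval would make sleep fail instantly and turn this into
# a busy loop, so validate it once up front.
if [[ ! "$interval" =~ ^[0-9]+$ ]]; then
  printf 'CHECK_INTERVAL must be a non-negative integer, got: %s\n' "$interval" >&2
  exit 1
fi
while true; do
  check_connections
  # Sleep for the configured interval before checking again
  sleep "$interval"
done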
Lock down users:
Usage:
sudo ./lockdown_users.sh user1 user2 user3
Script:
#!/bin/bash
# Refuse to continue unless the effective UID is 0: passwd/usermod below
# modify other accounts and need root.
if [[ "$(id -u)" -ne 0 ]]; then
  printf '%s\n' "This script must be run as root" >&2
  exit 1
fi
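#######################################
# Lock a user's password and expire the account.
# Arguments: $1 - username to lock
# Outputs:   success line on stdout, failure line on stderr
# Returns:   0 if both changes succeeded, 1 otherwise
#######################################
lock_and_expire_user() {
  local username="$1"
  # A date in the past: the account counts as expired from now on.
  local -r expire_date="1971-01-01"
  if [[ -z "$username" ]]; then
    printf '%s\n' "No username given." >&2
    return 1
  fi
  # Two separate controls: passwd --lock only disables the password hash,
  # while the expiry date is intended to close login paths that do not
  # check the password (key-based SSH, for example). Both commands must
  # succeed, so their statuses are chained instead of only checking the
  # last one.
  # The constant is passed directly rather than through $(date -d ...):
  # if that substitution failed it would expand to an empty argument, and
  # an empty --expiredate disables account expiry instead of setting it.
  if passwd --lock "$username" && usermod --expiredate "$expire_date" "$username"; then
    printf '%s\n' "User $username locked and expiration set to $expire_date."
  else
    printf '%s\n' "Failed to modify user $username." >&2
    return 1
  fi
}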
# Main script: require at least one username, then process every argument
if (( $# < 1 )); then
  printf '%s\n' "Usage: $0 username [username2 ...]"
  exit 1
fi
for target in "$@"; do
  lock_and_expire_user "$target"
done