# Scripts

## Reverse shell detection:

#### Dependency:

```
ss
```

#### Script:

```bash
#!/bin/bash

# Log file path
LOG_FILE="/var/log/reverse_shell_detection_ss.log"

# Initialize log file
initialize_log() {
    echo "Initializing Reverse Shell Detection Log with ss" > "$LOG_FILE"
    echo "Monitoring started at $(date)" >> "$LOG_FILE"
    echo "---------------------------------------------" >> "$LOG_FILE"
}

# Function to check for suspicious connections
check_connections() {
    # Define common reverse shell ports
    local COMMON_PORTS="4444 5555 6666"

    # Use ss to list active connections
    ss -tunap | grep -E "ESTAB" | awk '{print $5, $6}' | while read -r line; do
        for port in $COMMON_PORTS; do
            if [[ "$line" == *":$port "* ]]; then
                echo "[ALERT] Potential reverse shell detected on port $port: $line" | tee -a "$LOG_FILE"
            fi
        done
    done
}

# Main monitoring loop
initialize_log
while true; do
    check_connections
    # Sleep for a specified interval before checking again
    sleep 60
done
```

## Lock down users:

#### Usage:

```bash
sudo ./lockdown_users.sh user1 user2 user3
```

#### Script:

```bash
#!/bin/bash

# Check if the script is run as root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# Function to lock user and set expiration date
lock_and_expire_user() {
    local username="$1"
    local expire_date="1971-01-01"

    # Lock the user account
    passwd --lock "$username"

    # Set the account expiration date
    usermod --expiredate $(date -d "$expire_date" +%Y-%m-%d) "$username"

    if [ $? -eq 0 ]; then
        echo "User $username locked and expiration set to $expire_date."
    else
        echo "Failed to modify user $username." >&2
    fi
}

# Main script
if [ $# -lt 1 ]; then
    echo "Usage: $0 username [username2 ...]"
    exit 1
fi

for username in "$@"; do
    lock_and_expire_user "$username"
done

```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://paul-gleason.gitbook.io/firewalld/ncae/scripts.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.