Scripts

Reverse shell detection:

Dependency:

ss

Script:

#!/bin/bash

# Log file path
LOG_FILE="/var/log/reverse_shell_detection_ss.log"

# Initialize log file
initialize_log() {
    echo "Initializing Reverse Shell Detection Log with ss" > "$LOG_FILE"
    echo "Monitoring started at $(date)" >> "$LOG_FILE"
    echo "---------------------------------------------" >> "$LOG_FILE"
}

# Function to check for suspicious connections
check_connections() {
    # Define common reverse shell ports
    local COMMON_PORTS="4444 5555 6666"

    # Use ss to list active connections
    ss -tunap | grep -E "ESTAB" | awk '{print $5, $6}' | while read -r line; do
        for port in $COMMON_PORTS; do
            if [[ "$line" == *":$port "* ]]; then
                echo "[ALERT] Potential reverse shell detected on port $port: $line" | tee -a "$LOG_FILE"
            fi
        done
    done
}

# Main monitoring loop
initialize_log
while true; do
    check_connections
    # Sleep for a specified interval before checking again
    sleep 60
done

Lock down users:

Usage:

sudo ./lockdown_users.sh user1 user2 user3

Script:

#!/bin/bash

# Check if the script is run as root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# Function to lock user and set expiration date
lock_and_expire_user() {
    local username="$1"
    local expire_date="1971-01-01"

    # Lock the user account
    passwd --lock "$username"

    # Set the account expiration date
    usermod --expiredate $(date -d "$expire_date" +%Y-%m-%d) "$username"

    if [ $? -eq 0 ]; then
        echo "User $username locked and expiration set to $expire_date."
    else
        echo "Failed to modify user $username." >&2
    fi
}

# Main script
if [ $# -lt 1 ]; then
    echo "Usage: $0 username [username2 ...]"
    exit 1
fi

for username in "$@"; do
    lock_and_expire_user "$username"
done

PreviousDNS NextSpice Client

Last updated 1 year ago