示例#1
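def check_run():
    '''
        @name Start check
        @author hwliang<2020-08-03>
        @return tuple (status<bool>,msg<string>)

        Reads the first `port = N` entry from /etc/my.cnf, confirms something
        is listening on it (lsof), then asks public.check_port_stat whether
        that port is reachable from the address public.GetClientIp() returns.
        A reachable port (non-zero result) is reported as a risk; a missing
        config, port entry or listener is reported as "not installed".

        @example
            status, msg = check_run()
            if status:
                print('OK')
            else:
                print('Warning: {}'.format(msg))
    '''
    mycnf_file = '/etc/my.cnf'
    if not os.path.exists(mycnf_file):
        return True, 'MySQL is not installed'
    # readFile can return a falsy value when the file cannot be read; feeding
    # that into re.findall raises TypeError, so treat it like a missing config.
    mycnf = public.readFile(mycnf_file)
    if not mycnf:
        return True, 'MySQL is not installed'
    # NOTE(review): the first `port = N` in the file wins regardless of the
    # section it sits in ([client] vs [mysqld]); confirm this is intended.
    port_tmp = re.findall(r"port\s*=\s*(\d+)", mycnf)
    if not port_tmp:
        return True, 'MySQL is not installed'
    port = port_tmp[0]
    # `port` matched \d+ only, so interpolating it into the shell command
    # cannot introduce extra shell syntax.
    if not public.ExecShell("lsof -i :{}".format(port))[0]:
        return True, 'MySQL is not installed'
    result = public.check_port_stat(int(port), public.GetClientIp())
    if result == 0:
        return True, 'Risk-free'

    return False, 'The current MySQL port: {}, which can be accessed by any server, which may cause MySQL to be cracked by brute force, posing security risks'.format(port)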
示例#2
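def check_run():
    '''
        @name Start check
        @author hwliang<2020-08-03>
        @return tuple (status<bool>,msg<string>)

        Reads the first `port = N` entry from /etc/my.cnf, confirms something
        is listening on it (lsof), then asks public.check_port_stat whether
        that port is reachable from the address public.GetLocalIp() returns.
        A reachable port is still reported as safe when the Fail2ban plugin
        config has its `mysql` jail active; otherwise it is reported as a risk.

        @example
            status, msg = check_run()
            if status:
                print('OK')
            else:
                print('Warning: {}'.format(msg))
    '''
    mycnf_file = '/etc/my.cnf'
    if not os.path.exists(mycnf_file):
        return True, 'MySQL is not installed'
    # readFile can return a falsy value when the file cannot be read; feeding
    # that into re.findall raises TypeError, so treat it like a missing config.
    mycnf = public.readFile(mycnf_file)
    if not mycnf:
        return True, 'MySQL is not installed'
    # NOTE(review): the first `port = N` in the file wins regardless of the
    # section it sits in ([client] vs [mysqld]); confirm this is intended.
    port_tmp = re.findall(r"port\s*=\s*(\d+)", mycnf)
    if not port_tmp:
        return True, 'MySQL is not installed'
    port = port_tmp[0]
    # `port` matched \d+ only, so interpolating it into the shell command
    # cannot introduce extra shell syntax.
    if not public.ExecShell("lsof -i :{}".format(port))[0]:
        return True, 'MySQL is not installed'
    result = public.check_port_stat(int(port), public.GetLocalIp())
    if result == 0:
        return True, 'Risk-free'

    fail2ban_file = '/www/server/panel/plugin/fail2ban/config.json'
    if os.path.exists(fail2ban_file):
        # Best effort: an unreadable, malformed or differently shaped config
        # simply means Fail2ban cannot be credited, not that the check fails.
        try:
            fail2ban_config = json.loads(public.readFile(fail2ban_file))
            if 'mysql' in fail2ban_config.keys():
                if fail2ban_config['mysql']['act'] == 'true':
                    return True, 'Fail2ban is enabled'
        except (TypeError, ValueError, KeyError, AttributeError):
            pass

    return False, '当前MySQL端口: {},可被任意服务器访问,这可能导致MySQL被暴力破解,存在安全隐患'.format(
        port)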
示例#3
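def check_run():
    '''
        @name Start check
        @author hwliang<2020-08-03>
        @return tuple (status<bool>,msg<string>)

        Reads /etc/init.d/memcached; when it binds to IP=0.0.0.0 the
        configured PORT is checked with public.check_port_stat against the
        address public.GetClientIp() returns, and a reachable port is
        reported as a risk.
    '''

    p_file = '/etc/init.d/memcached'
    p_body = public.readFile(p_file)
    if not p_body:
        return True, 'Risk-free'

    # Only a wildcard bind is of interest; a loopback or explicit IP passes.
    if not re.search(r"^\s*IP=(0\.0\.0\.0)", p_body, re.M):
        return True, 'Risk-free'

    port_match = re.search(r"^\s*PORT=(\d+)", p_body, re.M)
    # The original indexed the findall result unconditionally, raising
    # IndexError when IP=0.0.0.0 is set but no PORT= line exists. Without a
    # port there is nothing to probe, so report as the other early exits do.
    if not port_match:
        return True, 'Risk-free'
    port = port_match.group(1)

    result = public.check_port_stat(int(port), public.GetClientIp())
    if result == 0:
        return True, 'Risk-free'

    return False, 'The current Memcached port: {} allows arbitrary client access, which can lead to data leakage'.format(
        port)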
示例#4
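    def GetList(self, get=None):
        '''
        Sync the live firewall rules into the `firewall` table, then return
        one page of that table.

        @param get  request object; `get.p` (page number) and `get.collback`
                    are read for paging
        @return dict with 'page' and 'data' (table rows, each given a
                'status' field), or public.get_error_info() when anything fails
        '''
        try:
            # Timestamp stored with every row inserted by this sync,
            # e.g. '2018-10-11 14:36:40'.
            addtime = time.strftime('%Y-%m-%d %X', time.localtime())
            error = self._sync_firewall_table(addtime)
            if error is not None:
                return error

            count = public.M('firewall').count()
            data = {}
            data['page'] = public.get_page(count, int(get.p), 12, get.collback)
            data['data'] = public.M('firewall').limit(
                data['page']['shift'] + ',' + data['page']['row']).order('id desc').select()
            for row in data['data']:
                # Entries containing ':' '.' or '-' are ranges or addresses,
                # not single ports, so they get no reachability status.
                if any(ch in row['port'] for ch in (':', '.', '-')):
                    row['status'] = -1
                else:
                    row['status'] = public.check_port_stat(int(row['port']))

            data['page'] = data['page']['page']
            return data
        except Exception:
            return public.get_error_info()

    def _sync_firewall_table(self, addtime):
        '''
        Insert every live firewall entry that is missing from the `firewall`
        table.

        @param addtime  timestamp string stored with the inserted rows
        @return None on success, otherwise public.get_error_info()
        '''
        table = 'firewall'
        # Open ports. Table columns:
        # | id | port | ps | addtime | ports | protocol | address_ip | types |
        for item in self.__Obj.GetAcceptPortList():
            if not self.CheckDbExists(item['port'], item['protocol']):
                public.M(table).add('port,ps,addtime', (item['port'], '', addtime))

        # Dropped addresses are stored in the same `port` column.
        for item in self.__Obj.GetDropAddressList():
            try:
                if not self.CheckDbExists(item['address']):
                    public.M(table).add('port,ps,addtime', (item['address'], '', addtime))
            except Exception:
                return public.get_error_info()

        # Reject and accept rules share one shape and one column set; the
        # lists are fetched in the original order, reject first.
        for fetch_rules in (self.__Obj.GetrejectLIST, self.__Obj.Getacceptlist):
            for rule in fetch_rules():
                try:
                    if not self.CheckDbExists2(rule['protocol'], rule['type'],
                                               rule['port'], rule['address']):
                        public.M(table).add('protocol,types,ports,address_ip,addtime',
                                            (rule['protocol'], rule['type'],
                                             rule['port'], rule['address'], addtime))
                except Exception:
                    return public.get_error_info()
        return None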
示例#5
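def check_run():
    '''
        @name Start check
        @author hwliang<2020-08-03>
        @return tuple (status<bool>,msg<string>)

        Flags a running SSH service that still listens on port 22 and is
        reachable from the address public.GetLocalIp() returns, unless the
        Fail2ban plugin config has its `sshd` jail active.

        @example
            status, msg = check_run()
            if status:
                print('OK')
            else:
                print('Warning: {}'.format(msg))
    '''

    file = '/etc/ssh/sshd_config'
    conf = public.readFile(file) or ''
    # NOTE(review): the leading `#*` lets a commented-out `#Port N` line
    # satisfy the match, so a stale comment can be read as the active port;
    # confirm this is intended.
    rep = r"#*Port\s+([0-9]+)\s*\n"
    tmp1 = re.search(rep, conf)
    port = tmp1.group(1) if tmp1 else '22'

    version = public.readFile('/etc/redhat-release')
    if not version:
        # Non-RHEL: first line of /etc/issue with the getty escapes removed.
        # readFile may return a falsy value, which the original passed
        # straight to .strip() (AttributeError).
        issue = public.readFile('/etc/issue') or ''
        version = issue.strip().split("\n")[0].replace(
            '\\n', '').replace('\\l', '').strip()
    else:
        version = version.replace('release ', '').replace('Linux', '').replace(
            '(Core)', '').strip()

    # Probe the service manager; any output from the grep pipeline means the
    # service is reported as dead/stopped.
    if os.path.exists('/usr/bin/apt-get'):
        service = 'sshd' if os.path.exists('/etc/init.d/sshd') else 'ssh'
        output = public.ExecShell(
            "service {} status | grep -P '(dead|stop)'|grep -v grep".format(service))
    elif ' 7.' in version or ' 8.' in version or 'Fedora' in version:
        output = public.ExecShell(
            "systemctl status sshd.service | grep 'dead'|grep -v grep")
    else:
        output = public.ExecShell(
            "/etc/init.d/sshd status | grep -e 'stopped' -e '已停'|grep -v grep"
        )

    fail2ban_file = '/www/server/panel/plugin/fail2ban/config.json'
    if os.path.exists(fail2ban_file):
        # Best effort: an unreadable, malformed or differently shaped config
        # simply means Fail2ban cannot be credited, not that the check fails.
        try:
            fail2ban_config = json.loads(public.readFile(fail2ban_file))
            if 'sshd' in fail2ban_config.keys():
                if fail2ban_config['sshd']['act'] == 'true':
                    return True, 'Fail2ban is enable'
        except (TypeError, ValueError, KeyError, AttributeError):
            pass

    if len(output[0]) > 3:
        return True, 'SSH service is not enabled'
    if port != '22':
        return True, 'The default SSH port has been modified'

    result = public.check_port_stat(int(port), public.GetLocalIp())
    if result == 0:
        # Typo fixed: the original message read 'Rick-free'.
        return True, 'Risk-free'

    return False, 'The default SSH port ({}) has not been modified, and the access IP limit configuration has not been done, there is a risk of SSH breaching'.format(
        port)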