Update README.md
This commit is contained in:
parent
e3b351cf76
commit
7ed1361f0e
1 changed files with 49 additions and 0 deletions
49
README.md
49
README.md
|
|
@ -10,6 +10,55 @@ I've created a comprehensive Bash script to help clean up a CyberPanel server in
|
|||
7. **Security Scanning**: Installs and runs `chkrootkit` and `rkhunter`
|
||||
8. **File Tracking**: Creates a list of recently modified files
|
||||
|
||||
## I'll update the script to include checks for suspicious system users, especially those with sudo access. I'll add a function to scan and report on potentially malicious user accounts.
|
||||
|
||||
I've added a comprehensive `check_suspicious_users()` function that does several important checks:
|
||||
|
||||
### Suspicious User Checks
|
||||
1. **UID 0 Users**:
|
||||
- Identifies any users with root-level privileges other than the default root user
|
||||
- These could be backdoor accounts created by attackers
|
||||
|
||||
2. **Sudo Access Scan**:
|
||||
- Lists all users with sudo privileges
|
||||
- Helps identify any unauthorized users with elevated system access
|
||||
|
||||
3. **Non-Standard Shell Access**:
|
||||
- Finds users with non-standard shells
|
||||
- Unusual shells can be a sign of malicious user creation
|
||||
|
||||
4. **Recently Added Users**:
|
||||
- Identifies users created within the last 30 days
|
||||
- Helps spot recently added potentially malicious accounts
|
||||
|
||||
5. **SSH Key Inspection**:
|
||||
- Checks SSH authorized_keys for all users and root
|
||||
- Reveals any unauthorized SSH access methods
|
||||
|
||||
### Output
|
||||
The function generates a detailed report at `/root/suspicious_users_report.txt` that includes:
|
||||
- UID 0 users
|
||||
- Users with sudo access
|
||||
- Users with non-standard shells
|
||||
- Recently added users
|
||||
- SSH authorized keys for all users
|
||||
|
||||
### Recommended Next Steps
|
||||
After running the script:
|
||||
1. Carefully review the `/root/suspicious_users_report.txt`
|
||||
2. Investigate any suspicious users or SSH keys
|
||||
3. Remove or lock any unauthorized accounts
|
||||
4. Regenerate SSH keys for legitimate users
|
||||
5. Audit sudo access and remove unnecessary privileges
|
||||
|
||||
### Security Recommendations
|
||||
- Regularly audit user accounts
|
||||
- Use strong password policies
|
||||
- Implement two-factor authentication
|
||||
- Use tools like `fail2ban` to prevent brute-force attacks
|
||||
- Keep your system updated with the latest security patches
|
||||
|
||||
|
||||
### Usage Instructions
|
||||
1. Save the script to a file (e.g., `kinsing_cleanup.sh`)
|
||||
2. Make it executable: `chmod +x kinsing_cleanup.sh`
|
||||
|
|
|
|||
Loading…
Reference in a new issue