小花狸 monitoring: security hardening of the expect backup script
The off-site backup feature of 小花狸 monitoring relies on an expect script.
The expect script originally used was the following:
#!/usr/bin/expect
##########################################################
# Arguments:
# 1. server ip
# 2. user
# 3. user password
# 4. serverPath [path on the server]
# 5. localPath  [local path]
# Return values:
# 0 success
# 1 wrong number of arguments
###########################################################
proc usage {} {
    regsub ".*/" $::argv0 "" name
    send_user "Usage:\n"
    send_user "$name serverip User userPassword serverPath localPath\n"
    exit 1
}
## check the argument count
if {[llength $argv] != 5} {
    usage
}
# take the values from the command line (this is how the password ends up in argv)
set serverip [lindex $argv 0]
set User [lindex $argv 1]
set userPassword [lindex $argv 2]
set serverPath [lindex $argv 3]
set localPath [lindex $argv 4]
# flag: did rsync ask for a yes/no host-key confirmation?
set inputYes 0
set timeout -1
# example: rsync -avz /etc/ 192.168.15.234:/home/7_8
spawn rsync -arqP $User@$serverip:$serverPath $localPath
expect {
    -nocase -re "yes/no" {
        send -- "yes\r"
        set inputYes 1
    }
    -nocase -re "assword: " {
        send -- "$userPassword\r"
        interact
    }
    -nocase -re "Connection refused" {
        send_error "ssh service at ${serverip} is not active.\n"
        exit 2
    }
    timeout {
        send_error "Connect to ${User}@${serverip} timed out.\n"
        exit 8
    }
    eof
}
# if the yes confirmation was sent, the password prompt comes next
if {$inputYes==1} {
    expect {
        -nocase -re "assword: " {
            send -- "$userPassword\r"
            interact
        }
    }
}
expect eof
This script has a fatal problem: the way it is invoked.
[dev@localhost~/golang/src]$./backup.sh 127.0.0.1 root password /home/dev /tmp
spawn rsync -arqP root@127.0.0.1:/home/dev /tmp
root@127.0.0.1's password:
Any other user on the machine can read the password straight out of the ps output:
[dev@localhost~]$ps -ef | grep expect
dev 27155 25299 0 17:53 pts/0 00:00:00 /usr/bin/expect ./backup.sh 127.0.0.1 root password /home/dev /tmp
dev 27171 23951 0 17:53 pts/1 00:00:00 grep expect
So once the central backup server is compromised, the passwords of all the other servers are simply handed to the attacker.
The hardening approach below is adopted (reference):
http://blog.itpub.net/29254281/viewspace-1578997/
The reworked script:
#!/bin/bash
# The five parameters are read from stdin, one per line, instead of being
# passed as arguments, so they never appear in this process's argv.
read -r serverip
read -r user
read -r password
read -r serverpath
read -r localpath
# The expect script is fed to expect on stdin through an unquoted heredoc:
# bash substitutes $user, $serverip, $password, ... into the text before
# expect ever sees it, so the expect process is started with no arguments
# at all. \$inputYes is escaped so that it reaches expect as a Tcl variable.
# (A password containing characters Tcl treats specially, such as " [ ] $ \,
# would need escaping before substitution; plain passwords work as-is.)
/usr/bin/expect <<!
#!/usr/bin/expect
##########################################################
# 1. server ip
# 2. user
# 3. user password
# 4. serverPath [path on the server]
# 5. localPath  [local path]
###########################################################
# flag: did rsync ask for a yes/no host-key confirmation?
set inputYes 0
set timeout -1
# example: rsync -avz /etc/ 192.168.15.234:/home/7_8
spawn rsync -arqP $user@$serverip:$serverpath $localpath
expect {
    -nocase -re "yes/no" {
        send -- "yes\r"
        set inputYes 1
    }
    -nocase -re "assword: " {
        send -- "$password\r"
        interact
    }
    -nocase -re "Connection refused" {
        send_error "ssh service at ${serverip} is not active.\n"
        exit 2
    }
    timeout {
        send_error "Connect to ${user}@${serverip} timed out.\n"
        exit 8
    }
    eof
}
# if the yes confirmation was sent, the password prompt comes next
if {\$inputYes==1} {
    expect {
        -nocase -re "assword: " {
            send -- "$password\r"
            interact
        }
    }
}
expect eof
!
The invocation becomes:
echo "127.0.0.1 root password /home/dev /tmp" | sed 's/ /\n/g' | ./backup.sh
Now other users can no longer see the sensitive values with ps: both the bash wrapper and the expect process show an empty argument list.
[dev@localhost~]$ps -ef | grep backup
dev 27294 25299 0 18:14 pts/0 00:00:00 /bin/bash ./backup.sh
dev 27312 23951 0 18:14 pts/1 00:00:00 grep backup
[dev@localhost~]$ps -ef | grep expect
dev 27295 27294 0 18:14 pts/0 00:00:00 /usr/bin/expect
dev 27315 23951 0 18:14 pts/1 00:00:00 grep expect
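To make the difference the two ps listings show reproducible, here is an added demonstration (not part of the original post): it starts a child process carrying a constructed secret the old way (as an argument) and the hardened way (on stdin), then scans /proc/<pid>/cmdline, which is what ps -ef reads, for that secret. It assumes Linux; the function names and the sample secret are this example's.

```shell
#!/bin/sh
# Added demo (not from the original post): hand the same secret to a child
# process the old way (argv) and the hardened way (stdin), then audit /proc
# the way `ps -ef` does to see which one leaks. Assumes Linux (/proc/<pid>/cmdline).
# SECRET is a constructed sample value; the function names are this example's.

SECRET="s3cret-demo-value"

# Print the PIDs of live processes whose argv contains the literal string $1.
# Reads /proc directly, so no grep process with $1 in *its* argv is created.
pids_with_argv() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}; pid=${pid%/cmdline}
        # NUL-separated argv -> one line; a process may vanish mid-scan, so tolerate errors
        args=$(tr '\0' ' ' 2>/dev/null < "$f" || true)
        case "$args" in *"$1"*) echo "$pid" ;; esac
    done
}

# Start a 3-second child that receives $SECRET via "argv" or "stdin", then
# report "leaked" if any process on the box shows the secret in its argv.
secret_visibility() {
    if [ "$1" = argv ]; then
        # old style:  ./backup.sh 127.0.0.1 root password /home/dev /tmp
        # ('; :' keeps sh from exec()ing sleep, which would replace its argv)
        sh -c 'sleep 3; :' sh "$SECRET" >/dev/null 2>&1 &
    else
        # hardened style:  echo "... password ..." | sed 's/ /\n/g' | ./backup.sh
        echo "$SECRET" | sh -c 'read -r pw; sleep 3' >/dev/null 2>&1 &
    fi
    pid=$!
    sleep 1                                   # let the child finish exec()
    if [ -n "$(pids_with_argv "$SECRET")" ]; then result=leaked; else result=hidden; fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

echo "argv : $(secret_visibility argv)"      # leaked
echo "stdin: $(secret_visibility stdin)"     # hidden
```

pids_with_argv doubles as a quick audit: run it with a pattern such as a known credential or "expect ./backup.sh" to find any remaining processes that still carry secrets on their command line.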
From the ITPUB blog, link: http://blog.itpub.net/29254281/viewspace-1580525/; please credit the source when reposting, otherwise legal action will be pursued.