vi
vim

$ vi  basic.bash

$ vi  basic.sh

$ vim  basic.bash

$ chmod +x basic
$ chmod 755 basic

$ bash basic

$ sh basic

clear
echo "Hello $USER"
echo "Today is ";date
echo "Number of user login : " ; who | wc -l
echo "Calendar"
cal
exit 0

clear
echo "Xin chao $USER"
echo "Hom Nay La Ngay ";date
echo "So Lan Login Cua Ban Trong Ngay La : " ; who | wc -l
echo "Tong So ip Ket Noi Den Server La : ";netstat -nat | grep :80 | wc -l
echo "Kiem Tra So Bo : SYS REC ";netstat -n -p |grep SYN_REC | wc -l
echo "Kiem Tra So Bo : SYS ";netstat -nap | grep SYN | wc -l
echo "Kiem Tra So Bo : TIME WAIT ";netstat -nap | grep TIME_WAIT | wc -l
echo "Kiem Tra So Bo : ESTABLISHED ";netstat -nap | grep ESTABLISHED | wc -l
echo "Kiem Tra So Bo : TCP/UDP ";netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
echo "Calendar"
cal
exit 0

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l

netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

netstat -s | less
netstat -t -s | less
netstat -u -s | less
netstat -w -s | less
netstat -s

#!/bin/bash
LOAD=$(awk '{print int($1)}' /proc/loadavg)
HOSTNAME=$(hostname)
IP=$(hostname -i)
EMAIL=(youremail@domain.com <a href="mailto:youremaul2@domain.com">youremaul2@domain.com</a>)
if [ $LOAD -ge 5 ]
then
{
printf "Hostname : $HOSTNAME\n"
printf "IP : $IP\n"
printf "Current Load : $LOAD"
printf "\n\n==================\nMySQL Process List\n==================\n\n"
mysqladmin proc
printf "\n\n==================\nMySQL Extended Status\n==================\n\n"
mysqladmin extended status
printf "\n\n===================\nServer Process List\n===================\n\n"
ps -ef
printf "\n\n==================\nNobody Processes\n==================\n\n"
ps --User nobody
printf "\n\n==================\nTOP Snapshot\n==================\n\n"
top -n1 -b
printf "\n\n==================\nMemory Usage\n==================\n\n"
free -m
printf "\n\n==================\nDisk Usage\n==================\n\n"
df -h
printf "\n\n==================\n Apache Connections \n==================\n\n"
netstat -alpn | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -n
} | mail -s "$HOSTNAME Overloaded !!!" $EMAIL[@]
fi

# Set up limit below
NOTIFY="6.0"

# admin user email id
EMAIL="root"

# Subject for email
SUBJECT="Alert $(hostname) load average"

# -----------------------------------------------------------------

# Os Specifc tweaks do not change anything below ;)
OS="$(uname)"
TRUE="1"
if [ "$OS" == "FreeBSD" ]; then
        TEMPFILE="$(mktemp /tmp/$(basename $0).tmp.XXX)"
	FTEXT='load averages:'
elif [ "$OS" == "Linux" ]; then
        TEMPFILE="$(mktemp)"
	FTEXT='load average:'
fi


# get first 5 min load
F5M="$(uptime | awk -F "$FTEXT" '{ print $2 }' | cut -d, -f1)"
# 10 min
F10M="$(uptime | awk -F "$FTEXT" '{ print $2 }' | cut -d, -f2)"
# 15 min
F15M="$(uptime | awk -F "$FTEXT" '{ print $2 }' | cut -d, -f3)"

# mail message
# keep it short coz we may send it to page or as an short message (SMS)
echo "Load average Crossed allowed limit $NOTIFY." >> $TEMPFILE
echo "Hostname: $(hostname)" >> $TEMPFILE
echo "Local Date & Time : $(date)" >> $TEMPFILE

# Look if it crossed limit
# compare it with last 15 min load average
RESULT=$(echo "$F15M > $NOTIFY" | bc)

# if so send an email
if [ "$RESULT" == "$TRUE" ]; then
        mail -s "$SUBJECT" "$EMAIL" < $TEMPFILE
fi

# remove file 
rm -f $TEMPFILE

MUSER="root"
# mật mã của admin hoặc root
MPASS="SET-ROOT-PASSWORD"
# hostnames của sql thường là localhost
MHOST="localhost"
# câu lệnh dùng để khởi động lại mysql
MSTART="/etc/init.d/mysql start"
# email được gửi
EMAILID="notification@somewhere-corp.com"
# đường dẫn đến mail progames 
MAILCMD="$(which mail)"
# đường dẫn đến  mysqladmin
MADMIN="$(which mysqladmin)"
MAILMESSAGE="/tmp/mysql.fail.$$"
$MADMIN -h $MHOST -u $MUSER -p${MPASS} ping 2>/dev/null 1>/dev/null
if [ $? -ne 0 ]; then
	echo "" >$MAILMESSAGE
	echo "Error: MySQL Server is not running/responding ping request">>$MAILMESSAGE
	echo "Hostname: $(hostname)" >>$MAILMESSAGE
	echo "Date & Time: $(date)" >>$MAILMESSAGE
	$MSTART>/dev/null
	o=$(ps cax | grep -c ' mysqld$')
	if [ $o -eq 1 ]; then
		sMess="MySQL Server MySQL server successfully restarted"
	else
		sMess="MySQL server FAILED to restart"
	fi
	echo "Current Status: $sMess" >>$MAILMESSAGE
	echo "" >>$MAILMESSAGE
	echo "*** This email generated by $(basename $0) shell script ***" >>$MAILMESSAGE
	echo "*** Please don't reply this email, this is just notification email ***" >>$MAILMESSAGE
	$MAILCMD -s "MySQL server" $EMAILID < $MAILMESSAGE
else # MySQL is running :) and do nothing
	:
fi
# remove file
rm -f $MAILMESSAGE

#!/bin/sh
if [ -d '/usr/local/ddos' ]; then
	echo; echo; echo "Please un-install the previous version first"
	exit 0
else
	mkdir /usr/local/ddos
fi
clear
echo; echo 'Installing DOS-Deflate 0.6'; echo
echo; echo -n 'Downloading source files...'
wget -q -O /usr/local/ddos/ddos.conf http://www.inetbase.com/scripts/ddos/ddos.conf
echo -n '.'
wget -q -O /usr/local/ddos/LICENSE http://www.inetbase.com/scripts/ddos/LICENSE
echo -n '.'
wget -q -O /usr/local/ddos/ignore.ip.list http://www.inetbase.com/scripts/ddos/ignore.ip.list
echo -n '.'
wget -q -O /usr/local/ddos/ddos.sh http://www.inetbase.com/scripts/ddos/ddos.sh
chmod 0755 /usr/local/ddos/ddos.sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
echo '...done'

echo; echo -n 'Creating cron to run script every minute.....(Default setting)'
/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
echo '.....done'
echo; echo 'Installation has completed.'
echo 'Config file is at /usr/local/ddos/ddos.conf'
echo 'Please send in your comments and/or suggestions to <a href="mailto:zaf@vsnl.com">zaf@vsnl.com</a>'
echo
cat /usr/local/ddos/LICENSE | less

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600

#!/bin/sh
##############################################################################
# DDoS-Deflate version 0.6 Author: Zaf <zaf@vsnl.com>                        #
##############################################################################
# This program is distributed under the "Artistic License" Agreement         #
#                                                                            #
# The LICENSE file is located in the same directory as this program. Please  #
#  read the LICENSE file before you make copies or distribute this program   #
##############################################################################
load_conf()
{
	CONF="/usr/local/ddos/ddos.conf"
	if [ -f "$CONF" ] && [ ! "$CONF" ==	"" ]; then
		source $CONF
	else
		head
		echo "\$CONF not found."
		exit 1
	fi
}

head()
{
	echo "DDoS-Deflate version 0.6"
	echo "Copyright (C) 2005, Zaf <zaf@vsnl.com>"
	echo
}

showhelp()
{
	head
	echo 'Usage: ddos.sh [OPTIONS] [N]'
	echo 'N : number of tcp/udp	connections (default 150)'
	echo 'OPTIONS:'
	echo '-h | --help: Show	this help screen'
	echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
	echo '-k | --kill: Block the offending ip making more than N connections'
}

unbanip()
{
	UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
	TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
	UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
	echo '#!/bin/sh' > $UNBAN_SCRIPT
	echo "sleep $BAN_PERIOD" >> $UNBAN_SCRIPT
	if [ $APF_BAN -eq 1 ]; then
		while read line; do
			echo "$APF -u $line" >> $UNBAN_SCRIPT
			echo $line >> $UNBAN_IP_LIST
		done < $BANNED_IP_LIST
	else
		while read line; do
			echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
			echo $line >> $UNBAN_IP_LIST
		done < $BANNED_IP_LIST
	fi
	echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> $UNBAN_SCRIPT
	echo "mv $TMP_FILE $IGNORE_IP_LIST" >> $UNBAN_SCRIPT
	echo "rm -f $UNBAN_SCRIPT" >> $UNBAN_SCRIPT
	echo "rm -f $UNBAN_IP_LIST" >> $UNBAN_SCRIPT
	echo "rm -f $TMP_FILE" >> $UNBAN_SCRIPT
	. $UNBAN_SCRIPT &
}

add_to_cron()
{
	rm -f $CRON
	sleep 1
	service crond restart
	sleep 1
	echo "SHELL=/bin/sh" > $CRON
	if [ $FREQ -le 2 ]; then
		echo "0-59/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
	else
		let "START_MINUTE = $RANDOM % ($FREQ - 1)"
		let "START_MINUTE = $START_MINUTE + 1"
		let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
		echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
	fi
	service crond restart
}


load_conf
while [ $1 ]; do
	case $1 in
		'-h' | '--help' | '?' )
			showhelp
			exit
			;;
		'--cron' | '-c' )
			add_to_cron
			exit
			;;
		'--kill' | '-k' )
			KILL=1
			;;
		 *[0-9]* )
			NO_OF_CONNECTIONS=$1
			;;
		* )
			showhelp
			exit
			;;
	esac
	shift
done

TMP_PREFIX='/tmp/ddos'
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL
echo >>	$BANNED_IP_MAIL
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
cat $BAD_IP_LIST
if [ $KILL -eq 1 ]; then
	IP_BAN_NOW=0
	while read line; do
		CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
		CURR_LINE_IP=$(echo $line | cut -d" " -f2)
		if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
			break
		fi
		IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
		if [ $IGNORE_BAN -ge 1 ]; then
			continue
		fi
		IP_BAN_NOW=1
		echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> $BANNED_IP_MAIL
		echo $CURR_LINE_IP >> $BANNED_IP_LIST
		echo $CURR_LINE_IP >> $IGNORE_IP_LIST
		if [ $APF_BAN -eq 1 ]; then
			$APF -d $CURR_LINE_IP
		else
			$IPT -I INPUT -s $CURR_LINE_IP -j DROP
		fi
	done < $BAD_IP_LIST
	if [ $IP_BAN_NOW -eq 1 ]; then
		dt=`date`
		if [ $EMAIL_TO != "" ]; then
			cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt" $EMAIL_TO
		fi
		unbanip
	fi
fi
rm -f $TMP_PREFIX.*

auto_prepend_file =

auto_prepend_file = /srv/www/vhosts/yourdomain.com/httpdocs (hoặc Puplic_html) /anti.php

$max_hits = 30;
$max_alive = 3;
$interval = 5;
$delay = 3600;

require_once dirname(__FILE__) . "/anti.capcha.php";
sửa lại thành 
//require_once dirname(__FILE__) . "/anti.capcha.php";

wget http://www.rootkit.nl/files/lynis-1.1.1.tar.gz

tar xfvz lynis-1.1.1.tar.gz

cd lynis

./lynis -c

checkbpass:
- This module check for a boot loader password
- Currently only for grub and lilo

checkcfg:
- This module is performed last
- RedHat specific. Just prints out /sbin/chkconfig --list so that
  the user can perform a visual inspection.

checkdotfiles:
- Looks for .forward, .exrc, .rhosts and .netrc files on the system.
- Does not span "other" filesystems. 

checkfiles:
- checks that /tmp and /var/tmp have sitcky bit set
- checks utmp, wtmp, motd, mtab for chmod 644.
- checks /usr, /var dirs/files for root ownership.

checkftpusers:
- checks that all accounts in /etc/passwd are in /etc/ftpusers.

checkhostsfiles:
- Reads /etc/hosts.allow and /etc/hosts.deny files
- Checkes deny for ALL:ALL statement.
- Checks allow for any ALL statements.

checkinetd:
- Checks either /etc/inetd.conf or /etc/xinetd.d/* 
- If inetd.conf, it checks for entries not hashed out.
	(All entries should be commented out :)
- If xinetd.d it checks all files in that dir for disable = yes.

checkinittab:
- Check to see if the default runlevel is 5. If it is, give the user a warning.

checkipv4:
- Checks for common forwarding and ignore settings in ipv4.

checkissue:
- checks to make sure that /etc/motd, /etc/issue and /etc/issue.net
  do not exist, or if they do, warn the user.

checkkbd:
- checks that ctrlaltdel function is disabled under linux.
- checks for KEYBOARD_DISABLE to be enabled under Solaris.

checklimits:
- performs simple check of limits.conf file

checklogging:
- simple check to see if the auth and authpriv logging facilities are on.
  This is mostly for older versions of linux, as I know redhat and others
  have this on by default now...

checkmodules:
- checks to see if loadable kernel modules are enabled

checkmd5:
- performs a system-wide md5sum on all regular files.
- only executes if -m switch is used
- output is in lsatmd5.out, previous output in lsatmd5.old

checknet:
- checks what ports the system is listening to.
- (may not check _all_ ports. I have to RTFM on this one)

checknetforward:
- checks that ipv4 forwarding is disabled under linux
- checks that ipforwarding & source routing are disabled under Solaris
- checks that norouter & defaultrouter exist under Solaris

checknetp:
- checks that no interface is in Promiscuous mode

checkopenfiles:
- checks for all open files on the system using lsof (if installed)

checkpasswd:
- checks /etc/passwd for unneeded accounts.
- checks that only root is SUID=0.

checkrcperms:
- checks files in init.d dir to see if they are chmod 700

checkpkgs:
- Checks list of packages (rpms, debs) installed on the system.
- Checks against a list of "should not have" rpms.
- (this list quite possibly needs to be expanded)

checkrc:
- checks /etc/rcn.d or /etc/rc.d/init.d and reports unneeded scripts.

checkrpm: (redhat specific)
- check to see if we are on redhat, and if we are...
- use the built in rpm -Va to verify rpms on the system.

checksecuretty:
-check to see if only tty[0-6] are in /etc/securetty

checkset:
- Checks system for all setuid/setgid files.
- Also checks for block or char files in /dev/ that do not belong.

checkssh:
- check some security features of ssh for instance:
  root logins, X11 forwarding and the like.

checkumask:
- checks that the default umask on the system is sensible.

checkwrite:
- Checks system for world writable files.

checkwww:
- check to see if ExecCGIs are enabled.
- check to see who is running httpd/apache.

changelog is not chmod 644.
config.status is not chmod 644.
configure is not chmod 644.
lsat is not chmod 644.
lsat.html is not chmod 644.
lsat.pod is not chmod 644.
/var/run/syslog-ng.pid is not chmod 644.
changelog is not chmod 644.
config.status is not chmod 644.
configure is not chmod 644.
lsat is not chmod 644.
lsat.html is not chmod 644.
lsat.pod is not chmod 644.
Check above files for chmod 644.
...................


...........