A company has a large number of Windows servers. Logging on to each one by hand to run the check scripts takes a long time whenever hardening is performed.
So I want to write a program that logs on to each host, runs the script, captures the insecure configuration items, and uploads them to a server for centralized archiving and analysis.
The program then loops through this process to collect the insecure configurations of all hosts.
In the original architecture, one terminal host manages all the other hosts. It obtains each host's IP address, account, and password from a database whose table structure is similar to the following:
Ip                | User          | Pwd
192.168.1.45      | Administrator | Sdfsafd123
192.168.1.34:2222 | Admin         | 12312 xcvcv
192.168.2.46:4444 | Administrator | 112312 sdfsdf
The script consists of two files: install, which sets up the environment, and check, which performs the check.
install
[root@localhost ~]# cat install
#!/bin/sh
# Insert the system installation CD before installing the environment.
# I use CentOS; adjust the repo settings below for your own system.
read -n 1 -p "Insert your cdrom... "
mkdir -pv /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
# move the existing repo files aside so only the cdrom repo is active
for repo_file in /etc/yum.repos.d/*.repo; do
    mv ${repo_file} ${repo_file}.bak
done
# use the local cdrom as the yum source
cat > /etc/yum.repos.d/cdrom.repo <<EOF
[cdrom]
name=CentOS 5 Local Repository
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=0
EOF
yum -y install mysql rdesktop nmap
check
[root@localhost ~]# cat check
#!/bin/sh
echo 'Enter DB_HOST: '
read DB_HOST
echo 'Enter DB_USER: '
read DB_USER
echo 'Enter DB_PWD: '
read DB_PWD
DB_NAME='test'
DB_TABLE='host'
TMP_FILE="tmp_00000000.txt"
# dump the host table (ip[:port], account, password) to a temporary file; abort if the query fails
mysql -u${DB_USER} -p${DB_PWD} -h${DB_HOST} -e "select ip_add, username, passwd from ${DB_NAME}.${DB_TABLE}" > $TMP_FILE || exit 1
# drop the column header line
sed -i '1d' $TMP_FILE
while read record
do
    HOST=$(echo $record | awk -F' ' '{print $1}' | awk -F':' '{print $1}')
    USER=$(echo $record | awk -F' ' '{print $2}')
    PWD=$(echo $record | awk -F' ' '{print $3}')
    PORT=$(echo $record | awk -F' ' '{print $1}' | awk -F':' '{print $2}')
    # no port in the ip column: use the default RDP port
    if [ "$PORT" = "" ]; then
        PORT="3389"
    fi
    # only try to log on when the RDP port is actually open
    nmap -p $PORT $HOST | grep "$PORT/tcp open" > /dev/null 2>&1
    if [ "$?" = 0 ]; then
        echo "$HOST:$PORT"
        # -s is the command executed when the remote desktop session starts; adjust it to your own situation.
        # It downloads the check script from the specified ftp server and runs it; the script performs the
        # security configuration check, writes the insecure items to a txt file and uploads that file to the ftp server.
        # Note that -p puts the password on the command line, where it is visible in the process list.
        rdesktop -u $USER -p $PWD -s 'echo open xx.xx.xx.xx > t.t & echo user >> t.t & echo pass >> t.t & echo get your_check_bat.bat >> t.t & echo bye >> t.t & ftp -s:t.t & del t.t & your_check_bat.bat' $HOST:$PORT
    fi
done < $TMP_FILE
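The read loop above splits each database record with four awk pipelines and hands the pieces to nmap and rdesktop unquoted, so anything odd in the host table goes straight into a command line. The following is an added example, not code from the original post: one record parser that defaults the port to 3389, keeps a password that contains spaces, and rejects records whose host or port is malformed before they reach any command. The sample records are constructed (taken from the table earlier in the post plus one bad row); `parse_record`, `valid_ipv4`, `valid_port` and `plan_checks` are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the original post). Parses "ip[:port] user password..."
# records as emitted by the mysql query in the check script and refuses malformed
# ones, so that a stray value in the host table is never passed unquoted to
# nmap or rdesktop. All function names below are this example's own.

# valid_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0..255, else 1
valid_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac   # missing or non-numeric octet
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT -> 0 if PORT is an integer in 1..65535, else 1
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    else
        return 1
    fi
}

# parse_record "ip[:port] user password..." -> prints "host port user password"
# on one line; returns 1 and prints nothing when the record is malformed.
# The password is the rest of the line, so a password containing spaces survives.
parse_record() {
    set -- $1                                 # split the record on whitespace
    [ $# -ge 2 ] || return 1                  # need at least ip[:port] and user
    hostport=$1; user=$2; shift 2; pass=$*
    host=${hostport%%:*}                      # text before the first ":"
    port=${hostport#*:}                       # text after the first ":"
    [ "$port" = "$hostport" ] && port=3389    # no ":" present: default RDP port
    valid_ipv4 "$host" || return 1
    valid_port "$port" || return 1
    printf '%s %s %s %s\n' "$host" "$port" "$user" "$pass"
}

# plan_checks reads records on stdin (one per line) and prints "host:port user"
# for each well-formed record; malformed records are reported on stderr and
# skipped instead of being handed to nmap or rdesktop.
plan_checks() {
    while read -r record; do
        [ -n "$record" ] || continue
        if parsed=$(parse_record "$record"); then
            set -- $parsed
            printf '%s:%s %s\n' "$1" "$2" "$3"
        else
            printf 'skipping malformed record: %s\n' "$record" >&2
        fi
    done
}

# Demonstration on constructed records: the three rows from the host table
# in the post, plus one deliberately malformed row.
printf '%s\n' '192.168.1.45 Administrator Sdfsafd123' \
              '192.168.1.34:2222 Admin 12312 xcvcv' \
              '192.168.2.46:4444 Administrator 112312 sdfsdf' \
              'not-a-host Admin pw' | plan_checks
```

In the check script this would replace the four awk lines with `set -- $(parse_record "$record") || continue`, after which `$1`, `$2`, `$3` and `$4` are host, port, user and password; the nmap and rdesktop calls should then quote those variables.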
There is still one unsolved problem in the program: the Windows terminal has a limit on the number of concurrent logon sessions, and once the maximum is exceeded the check cannot be performed. To log on to the console session instead, rdesktop offers the -0 parameter, but then -s cannot be used to run the startup command after logging on to the console. I don't know whether there are better methods; if you have any, I hope you can give me some advice.
Download the program: http://www.bkjia.com/uploadfile/2012/0210/20120210125050363.zip
Source: www.sectop.com