阿里云 ECS 云盾(安骑士)卸载

使用阿里云ECS(尤其是海外的)之前得先把监控软件干掉,要不然啥都给阿里云监控了,一点隐私都没了。下面转载一篇卸载过程的日志,以后用得上。

 

一、卸载云盾(安骑士)

直接上:

$ curl -sSL http://update.aegis.aliyun.com/download/quartz_uninstall.sh | sudo bash

$ sudo rm -rf /usr/local/aegis

$ sudo rm /usr/sbin/aliyun-service

$ sudo rm /lib/systemd/system/aliyun.service

 

 

代码备份
bash
#!/bin/bash

#check linux Gentoo os 
var=`lsb_release -a | grep Gentoo`
if [ -z "${var}" ]; then 
    var=`cat /etc/issue | grep Gentoo`
fi

if [ -d "/etc/runlevels/default" -a -n "${var}" ]; then
    LINUX_RELEASE="GENTOO"
else
    LINUX_RELEASE="OTHER"
fi

stop_aegis(){
    killall -9 aegis_cli >/dev/null 2>&1
    killall -9 aegis_update >/dev/null 2>&1
    killall -9 aegis_cli >/dev/null 2>&1
    printf "%-40s %40s\n" "Stopping aegis" "[  OK  ]"
}

stop_quartz(){
    killall -9 aegis_quartz >/dev/null 2>&1
        printf "%-40s %40s\n" "Stopping quartz" "[  OK  ]"
}

remove_aegis(){
if [ -d /usr/local/aegis ];then
    rm -rf /usr/local/aegis/aegis_client
    rm -rf /usr/local/aegis/aegis_update
fi
}

remove_quartz(){
if [ -d /usr/local/aegis ];then
    rm -rf /usr/local/aegis/aegis_quartz
fi
}


uninstall_service() {

   if [ -f "/etc/init.d/aegis" ]; then
        /etc/init.d/aegis stop  >/dev/null 2>&1
        rm -f /etc/init.d/aegis 
   fi

    if [ $LINUX_RELEASE = "GENTOO" ]; then
        rc-update del aegis default 2>/dev/null
        if [ -f "/etc/runlevels/default/aegis" ]; then
            rm -f "/etc/runlevels/default/aegis" >/dev/null 2>&1;
        fi
    elif [ -f /etc/init.d/aegis ]; then
         /etc/init.d/aegis  uninstall
        for ((var=2; var<=5; var++)) do
            if [ -d "/etc/rc${var}.d/" ];then
                 rm -f "/etc/rc${var}.d/S80aegis"
            elif [ -d "/etc/rc.d/rc${var}.d" ];then
                rm -f "/etc/rc.d/rc${var}.d/S80aegis"
            fi
        done
    fi

}

stop_aegis
stop_quartz
uninstall_service
remove_aegis
printf "%-40s %40s\n" "Uninstalling aegis"  "[  OK  ]"

remove_quartz
printf "%-40s %40s\n" "Uninstalling aegis_quartz"  "[  OK  ]"

 

 

或者用网友简单粗暴版本:

#!/bin/bash 
rm -rf /usr/local/aegis 
for A in $(ps aux | grep Ali | grep -v grep | awk '{print $2}') 
do 
  kill -9 $A; 
done

腾讯云解决方案

据说腾讯云也有类似问题:转:

#!/bin/bash
#fuck tx process
rm -rf /usr/local/sa
rm -rf /usr/local/agenttools
rm -rf /usr/local/qcloud
process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
for i in ${process[@]}
do
  for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
  do
    kill -9 $A
  done
done

chkconfig --level 35 postfix off
service postfix stop
echo ''>/var/spool/cron/root
echo '#!/bin/bash' >/etc/rc.local

Links:

二、屏蔽云盾 IP

而后检查服务器记录时发现一堆 Alibaba.Security.Heimdall 的访问记录。网上查询发现是云盾。

根据官方介绍

云盾会通过公网模拟黑客入侵攻击,进行安全扫描。所以服务器有安全防护时,需要对云盾扫描ip进行放行。

赶快屏蔽!

此处使用 UFWiptables 用户请自己找一下添加方法。注意:如果已有接受 80 端口之类的规则,新增的拒绝 IP 规则在其后将不会生效。所以要在 /etc/ufw/before.rules 设置。

sudo nano 编辑此文件并找到 # End required lines,在其后添加:

# Block Ali Yun Dun  https://help.aliyun.com/knowledge_detail/37436.html

-A ufw-before-input -s 140.205.201.0/28 -j DROP
-A ufw-before-input -s 140.205.201.16/29 -j DROP
-A ufw-before-input -s 140.205.201.32/28 -j DROP
-A ufw-before-input -s 140.205.225.192/29 -j DROP
-A ufw-before-input -s 140.205.225.200/30 -j DROP
-A ufw-before-input -s 140.205.225.184/29 -j DROP
-A ufw-before-input -s 140.205.225.183/32 -j DROP
-A ufw-before-input -s 140.205.225.206/32 -j DROP
-A ufw-before-input -s 140.205.225.205/32 -j DROP
-A ufw-before-input -s 140.205.225.195/32 -j DROP
-A ufw-before-input -s 140.205.225.204/32 -j DROP

保存后运行 sudo ufw reload。完毕!

三、删除阿里云登录界面欢迎信息

每次登录看到

Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-19-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Welcome to Alibaba Cloud Elastic Compute Service !

Last login from

就莫名的不爽,于是查了一下 sudo nano /etc/motd 就可以编辑/删除倒数第二行的 Welcome to Alibaba Cloud Elastic Compute Service ! 欢迎信息了。

原文链接:https://blog.whe.me/post/uninstall-aliyun-monitoring.html

阅读剩余
THE END