Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- 1. Checking SElinux settings:
- SElinux is already in enforcing mode
- 2. Changing different parameters of password aging
- Changes in /etc/login.defs file are done
- 3. Linux kernel hardening:
- Changes in /etc/sysctl.conf file are done.
- 4. Setting permissions to restrictive for commonly used commands
- commands permissions changed
- 5. Disabling 'lp' and 'game' users in passwd file:
- Users are disabled
- 6. Setting 'Banner' and 'Motd'
- Banner is set.
- 7. Configuring SSH
- hardening_script.sh: line 98: unexpected EOF while looking for matching `"'
- hardening_script.sh: line 99: syntax error: unexpected end of file
- [root@a0110testing01 shell]# vi hardening_script.sh
- [root@a0110testing01 shell]# vi hardening_script.sh
- [root@a0110testing01 shell]# cat hardening_script.sh
- echo "1. Checking SElinux settings:"
- x=`cat /etc/sysconfig/selinux | grep ^SELINUX | head -n 1 | awk -F= '{print $2}'`
- if [ $x == disabled ]
- then
- echo "SElinux is disabled"
- echo "Changing it to enforcing"
- sed -i 's/^SELINUX=disabled/SELINUX=enforcing/' /etc/sysconfig/selinux
- else
- echo "SElinux is already in enforcing mode"
- fi
- sleep 2
- echo " "
- echo "2. Changing different parameters of password aging"
- sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 60' /etc/login.defs
- sed -i '/^PASS_MIN_DAYS/c\PASS_MIN_DAYS 1' /etc/login.defs
- sed -i '/^PASS_MIN_LEN/c\PASS_MIN_LEN 8' /etc/login.defs
- sed -i '/^PASS_WARN_AGE/c\PASS_WARN_AGE 15' /etc/login.defs
- echo "Changes in /etc/login.defs file are done"
- sleep 2
- echo " "
- echo "3. Linux kernel hardening:"
- cp /etc/sysctl.conf /etc/sysctl.conf.backup
- echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
- echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
- echo "net.ipv4.conf.all.forwarding = 0" >> /etc/sysctl.conf
- echo "net.ipv4.conf.all.mc_forwarding = 0" >> /etc/sysctl.conf
- echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf
- echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
- echo "net.ipv4.tcp_max_syn_backlog = 4096" >> /etc/sysctl.conf
- echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
- sleep 2
- echo "Changes in /etc/sysctl.conf file are done."
- sleep 1
- echo " "
- echo "4. Setting permissions to restrictive for commonly used commands"
- chmod 100 /bin/rpm
- chmod 100 /bin/ping
- chmod 100 /bin/mount
- chmod 100 /bin/umount
- chmod 100 /sbin/arping
- chmod 400 /etc/hosts.allow
- chmod 400 /etc/hosts.deny
- chmod 644 /var/log/wtmp
- echo "commands permissions changed"
- sleep 1
- echo " "
- echo "5. Disabling 'lp' and 'game' users in passwd file:"
- sed -i 's/^lp/#lp/' /etc/passwd
- sed -i 's/^games/#games/' /etc/passwd
- sed -i 's/^lp/#lp/' /etc/group
- sed -i 's/^games/#games/' /etc/group
- echo "Users are disabled"
- sleep 1
- echo " "
- echo "6. Setting 'Banner' and 'Motd'"
- echo "*****************************************************************************" >> /etc/motd
- echo -e "!!!WARNING!!!\n" >> /etc/motd
- echo -e "\nYou are logging into GSS Telenor\n\n" >> /etc/motd
- echo "This system is for the use of authorized company personnel only and by accessing this system you are here by consent to the system being monitored by the company. Any unauthorized use will be considered as a breach of company's Information Security Policies and may be unlawful under law. " >> /etc/motd
- echo "*****************************************************************************" >> /etc/motd
- cp /etc/issue /etc/issue.net
- echo "Banner is set."
- sleep 1
- echo " "
- echo "7. Configuring SSH"
- echo "Host *" >> /etc/ssh/ssh_config
- /usr/bin/awk '/^Protocol/ { $2 = "2"};
- /^X11Forwarding/ { $2 = "no"};
- /^#MaxAuthTries/ { $1 = "MaxAuthTries" ; $2 = "3"};
- /^#IgnoreRhosts/ { $1 = "IgnoreRhosts" ; $2 = "yes"};
- /^#RhostsRSAAuthentication/ { $1 = "RhostsRSAAuthentication" ; $2 = "no"};
- /^#LoginGraceTime/ { $1 = "LoginGraceTime" ; $2 = "0m"};
- /^#PermitRootLogin/ { $1 = "PermitRootLogin" ; $2 = "yes"};
- /^#PermitEmptyPasswords/ { $1 = "PermitEmptyPasswords" ; $2 = "no"};
- /^#Banner/ { $1 = "Banner" ; $2 = "yes"};
- {print}' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- echo "/etc/init.d/sshd restart
- echo "SSH is configurated"
- sleep 1
- echo " "
- echo "***********************"
- echo "Hardening is completed!"
- echo "***********************"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement