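#!/bin/bash
#
# Script Hardening Slackware 13.1 version 0.1 03-09-2011
# By Thiago Laurito
# http://slackdummies.blogspot.com
#
# Every step below edits files under /etc, file modes or account state, so
# the script has to run as root. Review each section before running it on a
# machine you cannot easily restore.

# Output helpers: ANSI escape sequences and the status printers built on them.
POS="\033[100G"         # move the cursor to column 100
VERDE="\033[;32;1m"     # bold green
VERMELHO="\033[;31;1m"  # bold red
NORMAL="\033[00m"       # reset attributes
# OK and FAILED hold a complete command line. They are meant to be expanded
# unquoted (`$OK`, `$FAILED`) so the shell word-splits them into
# `echo -e ...`; quoting the expansion would break them.
OK="echo -e $POS [ ${VERDE}OK${NORMAL}]"
FAILED="echo -e $POS [ ${VERMELHO}FAILED${NORMAL} ]"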
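# Disable the CTRL-ALT-DELETE reboot handler and require the root password
# when booting into single-user mode.
# init re-reads /etc/inittab only at boot or when asked to (e.g. `telinit q`),
# so the change is not live until then.
INITTAB=/etc/inittab
if [ -e "$INITTAB" ]; then
  echo -n "Ctrlaltdel Inittab"
  # Anchored at line start so a second run does not stack another '#'
  # in front of an entry that is already commented out.
  if sed -i 's/^ca::ctrlaltdel:/#ca::ctrlaltdel:/' "$INITTAB"; then
    $OK
  else
    $FAILED
  fi
  # Append the sulogin entry once only; duplicate ids in inittab are an error.
  if ! grep -qF -- '~~:S:wait:/sbin/sulogin' "$INITTAB"; then
    {
      echo "# Require the root pw when booting into single user mode"
      echo "~~:S:wait:/sbin/sulogin"
    } >> "$INITTAB"
  fi
else
  # Report on stderr and leave with a failure status so callers can tell
  # the hardening did not run.
  echo "Exiting error File Not Found: $INITTAB" >&2
  exit 1
fi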
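# Harden the OpenSSH server configuration.
#
# Each directive is forced to the listed value whether the existing line is
# commented out or active, and the result is then checked, so OK means the
# wanted line is really in the file (a plain sed exits 0 even when nothing
# matched). Only lines starting in column 0 are touched; indented lines such
# as the body of a Match block are left alone.
#
# UsePrivilegeSeparation is set to "yes": switching it off would make the
# pre-authentication code run with full root privileges, which is the
# opposite of hardening.
#
# The directive set targets the OpenSSH shipped with Slackware 13.1; several
# of these keywords were deprecated or removed in later releases. Validate
# the file with `sshd -t` and restart the daemon for the changes to apply.
SSHD=/etc/ssh/sshd_config
if [ -e "$SSHD" ]; then
  # Rows: status label | directive | value to enforce
  while IFS='|' read -r label directive wanted; do
    echo -n "$label"
    if sed -i "s/^#*${directive}[[:space:]].*\$/${directive} ${wanted}/" "$SSHD" &&
      grep -q "^${directive} ${wanted}\$" "$SSHD"; then
      $OK
    else
      $FAILED
    fi
  done <<'EOF'
UsePrivilegeSeparation|UsePrivilegeSeparation|yes
Protocol Version 2|Protocol|2
StrictModes|StrictModes|yes
AllowTcpForwarding|AllowTcpForwarding|no
X11Forwarding|X11Forwarding|no
IgnoreRhosts|IgnoreRhosts|yes
HostbasedAuthentication|HostbasedAuthentication|no
RhostsRSAAuthentication|RhostsRSAAuthentication|no
EOF
else
  echo "Exiting error File Not Found: $SSHD" >&2
  exit 1
fi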
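# Restrict /etc/shadow to owner read/write only.
# NOTE(review): if the system relies on a "shadow" group with read access
# (setgid helpers such as screen lockers), mode 600 removes that access;
# confirm before applying.
SHADOW=/etc/shadow
if [ -e "$SHADOW" ]; then
  echo -n "Security Permission" "$SHADOW"
  if chmod 600 "$SHADOW"; then
    $OK
  else
    $FAILED
  fi
else
  echo "Exiting error File Not Found: $SHADOW" >&2
  exit 1
fi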
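# Limit direct root logins on the virtual consoles to tty1 and tty2 by
# commenting out tty3..tty6 in /etc/securetty.
# Any other entries in the file (console, serial lines, ...) are left as
# they are, so review them separately.
STTY=/etc/securetty
if [ -e "$STTY" ]; then
  echo -n "TTY Security"
  # Whole-line match: running the script again does not add a second '#',
  # and the status now reflects all four entries instead of tty3 only.
  if sed -i 's/^tty\([3-6]\)$/#tty\1/' "$STTY"; then
    $OK
  else
    $FAILED
  fi
else
  echo "Exiting error File Not Found: $STTY" >&2
  exit 1
fi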
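# Login policy in /etc/login.defs: minimum password length and password aging.
#
# Only the stock values (5 / 99999 / 0) are rewritten, so a stricter value
# chosen by the administrator is never weakened. The key and value may be
# separated by any run of spaces or tabs. After each edit the file is checked
# for the expected line; FAILED therefore means "the expected value is not in
# the file", which deserves a manual look rather than a blind re-run.
#
# The aging values in login.defs are defaults for accounts created later;
# existing accounts keep their current aging settings until changed with
# chage(1).
LOGIND=/etc/login.defs
if [ -e "$LOGIND" ]; then
  echo -n "Alter PASS_MIN_LEN $LOGIND "
  if sed -i 's/^PASS_MIN_LEN[[:space:]]\{1,\}5[[:space:]]*$/PASS_MIN_LEN 8/' "$LOGIND" &&
    grep -q '^PASS_MIN_LEN[[:space:]]\{1,\}8[[:space:]]*$' "$LOGIND"; then
    $OK
  else
    $FAILED
  fi

  echo -n "Passwords expire every 180 days"
  if sed -i 's/^PASS_MAX_DAYS[[:space:]]\{1,\}99999[[:space:]]*$/PASS_MAX_DAYS 180/' "$LOGIND" &&
    grep -q '^PASS_MAX_DAYS[[:space:]]\{1,\}180[[:space:]]*$' "$LOGIND"; then
    $OK
  else
    $FAILED
  fi

  echo -n "Passwords may only be changed once a day"
  if sed -i 's/^PASS_MIN_DAYS[[:space:]]\{1,\}0[[:space:]]*$/PASS_MIN_DAYS 1/' "$LOGIND" &&
    grep -q '^PASS_MIN_DAYS[[:space:]]\{1,\}1[[:space:]]*$' "$LOGIND"; then
    $OK
  else
    $FAILED
  fi
else
  echo "Exiting error File Not Found: $LOGIND" >&2
  exit 1
fi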
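# Blacklist the USB mass-storage driver and every wireless driver module of
# the running kernel.
#
# A `blacklist` line only stops alias-based automatic loading; root can still
# load the module explicitly. Where loading must be refused outright, an
# `install <module> /bin/false` line in modprobe.d is the stricter form.
MBLACK=/etc/modprobe.d/blacklist.conf
if [ -e "$MBLACK" ]; then
  echo -n "Disabling USB Mass Storage"
  # Skip the append when the entry is already there, so re-runs do not grow
  # the file.
  if grep -qx 'blacklist usb-storage' "$MBLACK" ||
    echo "blacklist usb-storage" >> "$MBLACK"; then
    $OK
  else
    $FAILED
  fi

  echo -n "Disabling Wireless Modules"
  wireless_dir="/lib/modules/$(uname -r)/kernel/drivers/net/wireless"
  status=0
  if [ -d "$wireless_dir" ]; then
    # modprobe matches blacklist entries on the module NAME, so the
    # directory and the .ko suffix are stripped; writing the full path of
    # the .ko file produces entries that never match anything.
    # Only plain *.ko files are considered; compressed modules
    # (.ko.gz/.ko.xz) used by some kernels are not covered here.
    while IFS= read -r -d '' ko; do
      module=${ko##*/}
      module=${module%.ko}
      grep -qx -- "blacklist $module" "$MBLACK" ||
        echo "blacklist $module" >> "$MBLACK" ||
        status=1
    done < <(find "$wireless_dir" -type f -name '*.ko' -print0)
  else
    # No wireless driver directory for this kernel: nothing was blacklisted.
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    $OK
  else
    $FAILED
  fi
else
  echo "Exiting error File Not Found: $MBLACK" >&2
  exit 1
fi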
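# Idle-session handling: create a profile.d snippet that sets a read-only
# 15 minute shell timeout and marks HISTFILE read-only.
# Both settings are declared readonly so a user cannot change or unset them
# inside a shell that has sourced the snippet. Shells started without
# reading the profile scripts are not affected.
# If the snippet already exists nothing is written (only a blank line is
# printed), so an older version of the file is not refreshed.
IDLEU=/etc/profile.d/usecurity.sh
if [ -e "$IDLEU" ]; then
  echo
else
  echo -n "Create $IDLEU "
  if touch "$IDLEU"; then
    $OK
  else
    $FAILED
  fi

  echo -n "Idle users will be removed after 15 minutes"
  # One status for both lines: the original printed a second, unlabeled
  # status after the HISTFILE line.
  if {
    echo "readonly TMOUT=900"
    echo "readonly HISTFILE"
  } >> "$IDLEU"; then
    $OK
  else
    $FAILED
  fi
  chmod +x "$IDLEU"
fi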
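# Restrict cron to root: create an empty, root-only /etc/cron.allow and list
# every other account from /etc/passwd in /etc/cron.deny.
# If cron.allow already exists the section is skipped and cron.deny is not
# regenerated.
# NOTE(review): confirm that the cron daemon installed on this system
# actually consults cron.allow / cron.deny; not every implementation does.
CRALLOW=/etc/cron.allow
if [ -e "$CRALLOW" ]; then
  echo
else
  echo -n "Locking down Cron"
  # Exact comparison on the user name: filtering with `grep -v root` also
  # drops any account whose name merely contains "root", leaving it out of
  # the deny list.
  if touch "$CRALLOW" && chmod 600 "$CRALLOW" &&
    awk -F: '$1 != "root" { print $1 }' /etc/passwd > /etc/cron.deny; then
    $OK
  else
    $FAILED
  fi
fi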
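# Restrict at(1) to root: create an empty, root-only /etc/at.allow and list
# every other account from /etc/passwd in /etc/at.deny.
# If at.allow already exists the section is skipped and at.deny is not
# regenerated.
ATLLOW=/etc/at.allow
if [ -e "$ATLLOW" ]; then
  echo
else
  echo -n "Locking down AT"
  # Exact comparison on the user name: `grep -v root` would also drop any
  # account whose name contains "root" and so leave it out of the deny list.
  if touch "$ATLLOW" && chmod 600 "$ATLLOW" &&
    awk -F: '$1 != "root" { print $1 }' /etc/passwd > /etc/at.deny; then
    $OK
  else
    $FAILED
  fi
fi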
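# Kernel network and core-dump hardening parameters.
#
# The settings are written ONLY when /etc/sysctl.conf does not exist yet. On
# a system that already has the file nothing is changed, and that is now
# said explicitly instead of printing a blank line.
# Writing the file does not change the running kernel: the values apply at
# the next boot or after `sysctl -p`.
# Only IPv4 keys are covered; the net.ipv6.* counterparts are not set here.
# fs.suid_dumpable = 0 stops core dumps of setuid / privilege-changing
# processes only; dumps of ordinary processes are governed by the core size
# resource limit.
SYSCTL=/etc/sysctl.conf
if [ -e "$SYSCTL" ]; then
  echo "$SYSCTL already exists, kernel parameters left unchanged"
else
  touch "$SYSCTL"
  # Rows: status label | line appended to sysctl.conf.
  # An empty label marks a companion setting that shares the status line of
  # the labelled row above it. tcp_syncookies is listed once (the original
  # appended it twice, once with an undefined status variable).
  while IFS='|' read -r label setting; do
    if [ -n "$label" ]; then
      echo -n "$label"
    fi
    if echo "$setting" >> "$SYSCTL"; then
      if [ -n "$label" ]; then
        $OK
      fi
    else
      $FAILED
    fi
  done <<'EOF'
Protect SYN Floods|net.ipv4.tcp_syncookies=1
Block Broadcast Response|net.ipv4.icmp_echo_ignore_broadcasts=1
Enable protection for bad icmp error messages|net.ipv4.icmp_ignore_bogus_error_responses = 1
Log spoofed, source routed, and redirect packets|net.ipv4.conf.all.log_martians = 1
|net.ipv4.conf.default.log_martians = 1
Don't allow source routed packets|net.ipv4.conf.all.accept_source_route = 0
|net.ipv4.conf.default.accept_source_route = 0
Turn on reverse path filtering|net.ipv4.conf.all.rp_filter = 1
|net.ipv4.conf.default.rp_filter = 1
Don't allow outsiders to alter the routing tables|net.ipv4.conf.all.accept_redirects = 0
|net.ipv4.conf.default.accept_redirects = 0
|net.ipv4.conf.all.secure_redirects = 0
|net.ipv4.conf.default.secure_redirects = 0
Don't pass traffic between networks or act as a router|net.ipv4.ip_forward = 0
|net.ipv4.conf.all.send_redirects = 0
|net.ipv4.conf.default.send_redirects = 0
Disable Core Dumps|fs.suid_dumpable = 0
EOF
fi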
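# Disable host-trust relationships by putting read-only placeholder files
# in place of the trust files.
# The section runs only when /etc/hosts.equiv is missing; in that case the
# other two paths are overwritten even if they already exist.
# NOTE(review): the rhosts and netrc files normally consulted are per-user
# (~/.rhosts, ~/.netrc); /etc/.netrc and /etc/r.hosts are kept from the
# original script, but confirm that anything reads them.
HEQUIV=/etc/hosts.equiv
if [ -e "$HEQUIV" ]; then
  echo
else
  for trust_file in "$HEQUIV" /etc/.netrc /etc/r.hosts; do
    # Each file holds a single empty line and is then made read-only;
    # failures are reported instead of being silently ignored.
    if ! { echo > "$trust_file" && /bin/chmod 400 "$trust_file"; }; then
      echo "Could not create read-only $trust_file" >&2
    fi
  done
fi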
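# Remove the setuid/setgid bits from binaries that do not need them.
# To list the candidates on a system first:
# /usr/bin/find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null
#
# Consequences to expect: unprivileged users can no longer mount/umount,
# ping, or change their own shell and finger information. Reinstalling or
# upgrading the owning package may restore the bits, so re-check after
# updates.
SPATH=/bin/chmod
for binary in \
  /usr/bin/chsh \
  /usr/bin/gpasswd \
  /usr/bin/chfn \
  /usr/bin/wall \
  /usr/bin/screen \
  /usr/bin/rcp \
  /usr/bin/rsh \
  /sbin/mount.nfs \
  /sbin/umount.nfs \
  /bin/ping \
  /bin/ping6 \
  /bin/umount \
  /bin/mount; do
  # Binaries that are not installed are skipped quietly; a chmod that fails
  # on an existing file is reported.
  if [ -e "$binary" ]; then
    "$SPATH" -s "$binary" || echo "Could not clear setuid/setgid on $binary" >&2
  fi
done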
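# Restrict the top-level entries of /var/log to their owner only
# (files 600, directories 700). The walk is not recursive, and files created
# later by log rotation get whatever mode the rotating tool assigns.
for a in /var/log/*; do
  # chmod follows symbolic links, so skip them: a link in /var/log must not
  # redirect the mode change to a file elsewhere on the system.
  if [ -L "$a" ]; then
    continue
  fi
  # Quoted so names containing spaces or glob characters are handled as one
  # path.
  if [ -f "$a" ]; then
    chmod 600 "$a"
  elif [ -d "$a" ]; then
    chmod 700 "$a"
  fi
done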
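# Lock the passwords of the system accounts.
# `usermod -L` disables password authentication only; it does not remove
# other ways of using the account (for example SSH keys or an interactive
# login shell), so review those separately.
USERM=/usr/sbin/usermod
for account in bin daemon adm lp mail news uucp operator games smmsp haldaemon; do
  # A failure (for instance an account that does not exist on this system)
  # is reported and the loop carries on with the remaining accounts.
  "$USERM" -L "$account" || echo "Could not lock account: $account" >&2
done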