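#!/bin/bash
# Interactive hardening script for an Ubuntu + XAMPP server.
# First step: ask for the new password of the local account "user" and
# enforce a minimal policy (length >= 8, a digit, an upper-case letter and
# a non-alphanumeric character), then ask for a confirmation.
#
# The password stays in the shell variable $userpass for the rest of the
# script and is only ever passed via stdin, never on a command line, so it
# does not show up in `ps`. Do not run this script with `set -x`.
echo "Voer het gewenste password voor uw account in en druk op enter"
echo -e "Dit password moet minimaal 8 karakters lang zijn,\r\nminstens een speciaal karakter,\r\neen hoofdletter, en zowel cijfers als letters bevatten"

#######################################
# Check a candidate password against the policy, printing every rule it
# violates (same messages and order as the original inline checks).
# Arguments: $1 - candidate password
# Returns:   0 when all rules pass, 1 otherwise
# Uses bash's builtin regex match instead of an echo|grep pipeline per
# rule, so the password is never written to a pipe for the checks.
#######################################
password_is_valid() {
  local candidate=$1
  local ok=true
  if (( ${#candidate} < 8 )); then
    echo "Uw gekozen password is niet lang genoeg"
    ok=false
  fi
  if [[ ! $candidate =~ [0-9] ]]; then
    echo "Uw gekozen password bevat geen getal"
    ok=false
  fi
  if [[ ! $candidate =~ [A-Z] ]]; then
    echo "Uw gekozen password bevat geen hoofdletter"
    ok=false
  fi
  if [[ ! $candidate =~ [^a-zA-Z0-9] ]]; then
    echo "Uw gekozen password bevat geen speciaal karakter"
    ok=false
  fi
  [[ $ok == true ]]
}

# Sentinel values: unequal so the outer loop runs at least once.
userpass=0
string2=1
# Loop until the confirmation matches. Both reads are silent (-s) and raw
# (-r) so a backslash in the password is kept literally. The comparisons are
# quoted: the original `[ $userpass != $string2 ]` broke on an empty answer
# or on a password containing whitespace. EOF on stdin aborts the script
# instead of spinning forever on an empty answer.
while [[ "$userpass" != "$string2" ]]; do
  validpass=false
  while [[ $validpass == false ]]; do
    read -r -s userpass || { echo "Geen invoer ontvangen, script gestopt" >&2; exit 1; }
    if password_is_valid "$userpass"; then
      validpass=true
    else
      echo "Vul aub een geldig password in:"
    fi
  done
  echo "Voer uw password nogmaals in:"
  read -r -s string2 || { echo "Geen invoer ontvangen, script gestopt" >&2; exit 1; }
  if [[ "$userpass" != "$string2" ]]; then
    echo "Het tweede password was niet gelijk aan het eerste, voer uw eerste password nogmaals in"
  fi
done
echo "Uw password is succesvol gekozen"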
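#######################################
# Check that $1 is a dotted-quad IPv4 address.
# Arguments: $1 - candidate string
# Returns:   0 when valid, 1 otherwise
# Each octet must be 0-255 written in decimal without a leading zero. An
# octet such as "010" is read as octal by inet_aton() and as decimal by
# other parsers, so it is rejected explicitly instead of (as in the
# original) relying on bash's arithmetic error for "08"/"09" and silently
# accepting "00".."07".
#######################################
validateIP() {
  local ip=$1
  local octet
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  [[ $ip =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # a multi-digit octet starting with 0 is ambiguous (octal vs decimal)
    if [[ ${#octet} -gt 1 && $octet == 0* ]]; then
      return 1
    fi
    # 10# forces decimal so "09" cannot trip the arithmetic evaluation
    if (( 10#$octet > 255 )); then
      return 1
    fi
  done
  return 0
}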
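# Ask for the server's own IPv4 address. It is used later as the only
# accepted destination in the INPUT chain and source in the OUTPUT chain,
# so a wrong value locks the host out of the network.
validip=false
while [[ $validip == false ]]; do
  echo "Vul het IP-adres van uw server in"
  # -r keeps backslashes literal; EOF aborts instead of looping forever.
  read -r ip || { echo "Geen invoer ontvangen, script gestopt" >&2; exit 1; }
  # Quoted: the original passed $ip unquoted, so "1.2.3.4 x" was split
  # and validated as "1.2.3.4".
  if validateIP "$ip"; then
    validip=true
  else
    echo "Dit was geen geldig IP-adres"
  fi
done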
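# Update the standard packages
echo -e "\r\nStandaard Linux packetes worden geupdate"
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
# Update SSL/TLS
echo -e "\r\nopenssl wordt geinstalleerd"
sudo apt-get install openssl
# XAMPP security (interactive: sets the MySQL/phpMyAdmin/FTP passwords)
echo -e "\r\nSecurity toepassen op mysql + phpmyadmin.."
sudo /opt/lampp/lampp security
# Change the password of account "user".
# chpasswd reads "name:password" from stdin; passwd talks to the terminal
# and ignores a pipe on most systems, so the original pipe into `passwd`
# did not reliably set anything. printf '%s' keeps a backslash in the
# password literal, where `echo -e` would have interpreted it.
echo -e "\r\nUser wachtwoord veranderen.."
printf '%s:%s\n' user "$userpass" | sudo chpasswd
# Give the "update" account a non-zero UID before it is removed below.
# NOTE(review): this edits /etc/passwd in place without the passwd lock;
# `usermod -u 200 update` does the same with locking but also re-owns the
# account's home directory. Kept as in the original.
sudo sed -i 's/update:x:0:0:/update:x:200:0:/' /etc/passwd
# Lock root and remove the "update" and "telnetd" accounts
sudo passwd -l root
sudo userdel -r update
sudo userdel telnetd
#sudo userdel -r postfix
# Deny `su` by inserting pam_deny as an early auth line (line 4, as in the
# original). Guarded with grep so a second run does not add a second copy;
# the original de-duplicated with `sort -um file | tee file`, which both
# reorders a PAM stack (order is significant) and truncates the file while
# sort may still be reading it.
if ! grep -q 'pam_deny.so' /etc/pam.d/su; then
  sudo sed -i '4iauth requisite pam_deny.so' /etc/pam.d/su
fi
# Remove /bin/pam_libinit (no stock package ships a binary by that name;
# presumably left on this image — verify before deleting on another host)
sudo rm /bin/pam_libinit
# Directory permissions so the guest account cannot read the other homes
echo -e "\r\nRechten van dirs aanpassen.."
sudo chmod 750 /home/user
sudo chmod 700 /root
# Guest home: read-only and, as in the original, without the traverse bit
sudo chmod 444 /home/guest
# Password database permissions. The group owner is pinned as well: 0640
# only helps if the group is "shadow" and not some wider one.
echo -e "\r\nRechten van password files aanpassen.."
sudo chmod 0644 /etc/passwd
sudo chown root:shadow /etc/shadow
sudo chmod 0640 /etc/shadow
# Remove the telnet server. The daemon package is "telnetd"; "telnet" is
# only the client, which is all the original removed.
echo -e "\r\nTelnet server uitschakelen.."
sudo apt-get remove telnetd telnet
# Delete the printenv CGI sample (it echoes the server environment to any
# client that requests it)
sudo rm /opt/lampp/cgi-bin/printenv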
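# Disable IPv6 handling in ufw.
# NOTE(review): the iptables rules later in this script are IPv4-only.
# With ufw not managing IPv6 either, IPv6 traffic is not filtered at all;
# either keep IPV6=yes or add matching ip6tables rules.
sudo sed -i 's/IPV6=.*/IPV6=no/' /etc/default/ufw

#######################################
# Append a configuration line to a root-owned file unless that exact line
# is already present, so a second run does not duplicate directives.
# Arguments: $1 - line to add, $2 - file
#######################################
append_once() {
  local line=$1
  local file=$2
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" | sudo tee -a "$file" >/dev/null
  fi
}

# Disable TRACE in httpd.conf (cross-site tracing)
echo -e "\r\nTraceEnable uitzetten.."
append_once 'TraceEnable off' /opt/lampp/etc/httpd.conf
# Disable the inetd built-in services. The patterns are anchored to the
# start of the line: the original unanchored `s/time/#time/` also hit
# "daytime" and any comment containing the word, and a second run prefixed
# already-disabled lines with another "#".
sudo sed -i -e 's/^discard/#discard/' -e 's/^daytime/#daytime/' -e 's/^time/#time/' -e 's/^telnet/#telnet/' /etc/inetd.conf
#sudo echo 'Header always append X-Frame-Options SAMEORIGIN' | sudo tee -a /etc/apache2/apache2.conf
# TLS settings for the XAMPP Apache. The cipher list is now closed with a
# second double quote: the original left the string unterminated, which
# makes httpd reject the configuration at start-up.
# NOTE(review): httpd-ssl.conf's <VirtualHost> block may carry its own
# SSLCipherSuite/SSLProtocol, which override these server-level lines;
# check the file after running.
append_once 'SSLHonorCipherOrder on' /opt/lampp/etc/extra/httpd-ssl.conf
append_once 'SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"' /opt/lampp/etc/extra/httpd-ssl.conf
# Only SSLv2/SSLv3 are disabled, as in the original. NOTE(review): where
# the httpd/OpenSSL build supports it, also add -TLSv1 -TLSv1.1.
append_once 'SSLProtocol all -SSLv2 -SSLv3' /opt/lampp/etc/extra/httpd-ssl.conf
# vsftpd: no anonymous access of any kind
sudo sed -i -e 's/anonymous_enable=.*/anonymous_enable=NO/' -e 's/anon_upload_enable=.*/anon_upload_enable=NO/' -e 's/anon_mkdir_write_enable=.*/anon_mkdir_write_enable=NO/' /etc/vsftpd.conf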
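# Firewall rules.
# Rules are appended (-A) after whatever is already in the chains and the
# last rule of each chain drops everything, so order matters. Re-running
# the script appends a second copy of every rule.
#
# Loopback first. The original dropped 127.0.0.0/8 unconditionally and had
# no "-i lo" accept, so with the trailing default drop every local
# connection (e.g. phpMyAdmin -> MySQL on 127.0.0.1) was blocked.
sudo iptables -A INPUT -i lo -j ACCEPT
# Anti-spoofing: private, loopback and link-local sources on real interfaces
# deny from 192.168.0.0/16 (private network)
#THIS MUST BE ENABLED ONLY FOR THE VSPHERE
# sudo iptables -A INPUT -s 192.168.0.0/16 -j DROP
# 172.16.0.0/12 is the RFC 1918 block; the original's /16 left
# 172.17.0.0-172.31.255.255 unfiltered
sudo iptables -A INPUT -s 172.16.0.0/12 -j DROP
# deny from 10.0.0.0/8 (private network)
sudo iptables -A INPUT -s 10.0.0.0/8 -j DROP
# deny loopback addresses arriving on a non-loopback interface
sudo iptables -A INPUT -s 127.0.0.0/8 -j DROP
# deny from 169.254.0.0/16 (APIPA)
sudo iptables -A INPUT -s 169.254.0.0/16 -j DROP
# deny everything not addressed to this host's own IP
sudo iptables -A INPUT ! -d "$ip" -j DROP
# Packets of an existing connection. No rate limit here: the original's
# "-m limit --limit 10/s" on this rule capped every established flow at
# about 10 packets per second (burst 5); everything above that fell
# through to the final DROP.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections to the offered services, rate-limited per port:
# ssh, ftp, http, https, 139 (Samba session service; the original opened
# 137/tcp, but 137 is the UDP name service), 445 (Samba), 10000.
for port in ssh ftp http 443 139 445 10000; do
  sudo iptables -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -m limit --limit 10/s -j ACCEPT
done
# ICMP: nothing is accepted explicitly, so the default drop below covers it
# (ICMP errors for existing connections still pass as RELATED). The
# original "--icmp-type 0 -d localhost" rule only matched echo replies
# addressed to 127.0.0.1, which never arrive on this chain.
# logging (rate-limited), then default deny
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
sudo iptables -A INPUT -j DROP
# Outgoing packets
sudo iptables -A OUTPUT -o lo -j ACCEPT
# established traffic, again without the throttling limit
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block outgoing pings. Placed before the source accept: in the original
# the drop came after "-s $ip ACCEPT" and matched "-s localhost" only, so
# it never fired.
sudo iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
# allow everything that originates from this host's own address
sudo iptables -A OUTPUT -s "$ip" -j ACCEPT
# logging, then default deny
sudo iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
sudo iptables -A OUTPUT -j DROP
# Persist the rules
sudo iptables-save | sudo tee /etc/iptables-save >/dev/null
# Restore them at boot. The command is inserted before rc.local's closing
# "exit 0" (the original inserted it blindly at line 13) and only once;
# rc.local already runs as root, so no sudo is needed in it.
restore_cmd='iptables-restore < /etc/iptables-save'
if ! grep -qF "$restore_cmd" /etc/rc.local; then
  if grep -q '^exit 0' /etc/rc.local; then
    sudo sed -i "/^exit 0/i $restore_cmd" /etc/rc.local
  else
    printf '%s\n' "$restore_cmd" | sudo tee -a /etc/rc.local >/dev/null
  fi
fi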
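############ SSL certificate section ###############
# Generate a private key and a self-signed certificate for the XAMPP Apache.
# Changes from the original:
#  - the key is created unencrypted straight away; the original generated
#    an AES-encrypted pass.key (prompting for a passphrase), immediately
#    stripped the passphrase again and left pass.key behind;
#  - the certificate is signed with SHA-256 instead of SHA-1, which
#    browsers no longer accept on certificates;
#  - umask 077 so the key is never world-readable, not even between
#    creation and the chmod below (openssl runs as root here, so the
#    default umask produced a root-owned 0644 file in the working dir).
(
  umask 077
  sudo openssl genrsa -out server.key 2048
  sudo openssl req -new -x509 -nodes -sha256 -key server.key -out server.crt -days 999 -config /opt/lampp/share/openssl/openssl.cnf
)
# Move both into the XAMPP folders and restrict access
echo "Key en certificaat verplaatsen naar correcte mappen.."
sudo mv server.key /opt/lampp/etc/ssl.key/server.key
sudo mv server.crt /opt/lampp/etc/ssl.crt/server.crt
sudo chmod 640 /opt/lampp/etc/ssl.crt/server.crt
# the key is read by httpd as root at start-up; nobody else needs it
sudo chmod 600 /opt/lampp/etc/ssl.key/server.key
############ SSL certificate section end ###############
############ SSH config ###############
# Create ~/.ssh for "user" with an empty authorized_keys, if missing.
# Ownership is handed to the user afterwards: created via sudo the files
# are root-owned and the user cannot add keys (sshd's StrictModes accepts
# either owner, but only a user-owned file is usable by the user).
if [ ! -d "/home/user/.ssh" ]; then
  echo -e "\r\n.ssh directory aanmaken.."
  sudo mkdir -m 700 /home/user/.ssh
  sudo touch /home/user/.ssh/authorized_keys
  sudo chmod 600 /home/user/.ssh/authorized_keys
  sudo chown -R user: /home/user/.ssh
fi
# NOTE(review): sshd_config itself is not touched here (PermitRootLogin,
# PasswordAuthentication, Protocol); consider hardening it as well.
############ SSH config end ###############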
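##################### MOTD and issue message ########################
# Pre-login banner for local and network logins
echo -e "\r\n Banner veranderen in:"
printf "########################################################################\nWelcome\nAll connections are monitored and recorded\nUnauthorized access will be prosecuted\n########################################################################\n" | sudo tee /etc/issue /etc/issue.net
# MOTD: drop the landscape system info and set a static tail.
# Written through sudo tee: the original's plain ">" redirect ran as the
# invoking user and fails on the root-owned /etc/motd.tail.
sudo rm /etc/update-motd.d/50-landscape-sysinfo
printf "####################################\nWelcome\nEnjoy your stay!\n####################################" | sudo tee /etc/motd.tail >/dev/null
# Limit login attempts: lock an account for 60 s after 3 failures.
# The rule is inserted as a new first line ("1i"); the original
# "1s/^/.../" glued it onto the existing first line without a newline.
# onerr=fail makes every login fail when the module cannot be loaded, so
# the line is only added when pam_tally.so is actually installed, and
# only once. NOTE(review): pam_tally is deprecated in newer PAM releases
# in favour of pam_tally2 / pam_faillock.
if ! grep -q 'pam_tally.so' /etc/pam.d/common-auth; then
  if [ -n "$(find /lib /lib64 /usr/lib -name pam_tally.so -print -quit 2>/dev/null)" ]; then
    sudo sed -i '1i auth required pam_tally.so onerr=fail deny=3 unlock_time=60' /etc/pam.d/common-auth
  else
    echo "pam_tally.so niet gevonden, inlogpogingen niet beperkt" >&2
  fi
fi
##################### MOTD and issue message END #####################
##################### Ctrl+Alt+Delete #####################
# Comment out the upstart reboot-on-Ctrl-Alt-Del job (anchored so a second
# run does not add another "#")
sudo sed -i 's/^exec shutdown -r now "Control-Alt-Delete pressed".*/#exec shutdown -r now "Control-Alt-Delete pressed" /' /etc/init/control-alt-delete.conf
##################### Ctrl+Alt+Delete END #####################
##################### RKHunter #####################
# NOTE(review): rkhunter is installed twice, from apt and from the 1.4.2
# tarball on top of it; the dpkg-reconfigure at the end only knows about
# the apt copy. Pick one.
sudo apt-get install rkhunter
# Fetch the tarball over HTTPS (no need to run wget as root). The archive
# is still not authenticated: verify it against the project's published
# signature or checksum before running its installer as root.
wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar xzvf rkhunter-1.4.2.tar.gz
# installer.sh needs an explicit action; without arguments it only prints
# its usage
sudo rkhunter-1.4.2/installer.sh --layout default --install
# Stop whitelisting lwp-request and prelink. "|" is used as the sed
# delimiter: the original "s/SCRIPTWHITELIST=/usr/bin/..." contains
# unescaped slashes, so sed rejected it ("unknown option to `s'") and the
# file was never changed.
sudo sed -i 's|SCRIPTWHITELIST=/usr/bin/lwp-request.*|#SCRIPTWHITELIST=/usr/bin/lwp-request |' /etc/rkhunter.conf
sudo sed -i 's|SCRIPTWHITELIST=/usr/sbin/prelink.*|#SCRIPTWHITELIST=/usr/sbin/prelink |' /etc/rkhunter.conf
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check
sudo dpkg-reconfigure rkhunter
##################### RKHunter END #####################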
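#################### Windows file share ####################
# Install/update samba
sudo apt-get install samba
# Create the samba user "user" (interactive password prompt)
sudo smbpasswd -a user
# Directory to share. Owned by "user" so the account can actually write to
# it; "read only = no" below is useless on a root-owned directory.
sudo mkdir /home/user/share
sudo chown user: /home/user/share
# Add the share to smb.conf, once. Written via sudo tee: the original ">>"
# redirect ran as the unprivileged user and failed on the root-owned file,
# and its typographic quotes (“[share]”) would have been written literally
# into the config.
if ! grep -q '^\[share\]' /etc/samba/smb.conf; then
  printf '%s\n' '[share]' 'path = /home/user/share' 'valid users = user' 'read only = no' | sudo tee -a /etc/samba/smb.conf >/dev/null
fi
# Validate the config before restarting the service; a broken smb.conf
# should not take the daemon down
testparm -s && sudo service smbd restart
# Client for testing the share
sudo apt-get install smbclient
# List the shares, then open an interactive session
smbclient -L "//$ip/share" -U user
smbclient "//$ip/share" -U user
#################### Windows file share END ####################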