
script

a guest
Jan 18th, 2016
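#!/bin/bash

# Prompt for the new account password and enforce the announced policy:
# at least 8 characters, one digit, one uppercase letter and one character
# outside [a-zA-Z0-9]. The outer loop repeats until the password and its
# confirmation match; the result stays in $userpass for the later passwd step.
echo "Voer het gewenste password voor uw account in en druk op enter"
echo -e "Dit password moet minimaal 8 karakters lang zijn,\r\nminstens een speciaal karakter,\r\neen hoofdletter, en zowel cijfers als letters bevatten"
# Two different sentinels so the outer loop body runs at least once.
userpass=0
string2=1
while [ "$userpass" != "$string2" ]; do
  validpass=false
  while [ "$validpass" = false ]; do
    validpass=true
    # IFS= and -r keep spaces and backslashes exactly as typed, -s disables
    # terminal echo. On EOF, stop instead of looping forever on empty input.
    IFS= read -rs userpass || exit 1

    if [ "${#userpass}" -lt 8 ]; then
      echo "Uw gekozen password is niet lang genoeg"
      validpass=false
    fi

    # The checks below feed the password through the printf builtin, so it is
    # never parsed as an echo option and never placed in another process's
    # argument list. LC_ALL=C pins the bracket ranges to plain ASCII.

    # Must contain a digit.
    if ! printf '%s\n' "$userpass" | LC_ALL=C grep -q '[0-9]'; then
      echo "Uw gekozen password bevat geen getal"
      validpass=false
    fi

    # Must contain an uppercase letter.
    if ! printf '%s\n' "$userpass" | LC_ALL=C grep -q '[A-Z]'; then
      echo "Uw gekozen password bevat geen hoofdletter"
      validpass=false
    fi

    # Must contain a character that is neither a letter nor a digit.
    if ! printf '%s\n' "$userpass" | LC_ALL=C grep -q '[^a-zA-Z0-9]'; then
      echo "Uw gekozen password bevat geen speciaal karakter"
      validpass=false
    fi

    if [ "$validpass" = false ]; then
      echo "Vul aub een geldig password in:"
    fi
  done

  echo "Voer uw password nogmaals in:"
  IFS= read -rs string2 || exit 1
  # Quoted on both sides: a password containing spaces or glob characters
  # would otherwise break the test or be compared incorrectly.
  if [ "$userpass" != "$string2" ]; then
    echo "Het tweede password was niet gelijk aan het eerste, voer uw eerste password nogmaals in"
  fi
done
echo "Uw password is succesvol gekozen"
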
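# Check that $1 is a dotted-quad IPv4 address.
# Arguments: $1 - candidate address
# Returns:   0 when $1 is four groups of 1-3 digits, each <= 255; 1 otherwise
function validateIP()
{
  local ip=$1
  local octet
  local -a octets

  # Shape check first: exactly four groups of one to three digits.
  [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1

  # Split on dots with IFS scoped to this one read, so neither the caller's
  # IFS nor a global helper variable is touched.
  IFS='.' read -r -a octets <<<"$ip"

  for octet in "${octets[@]}"; do
    # 10# forces decimal; without it bash reads "08"/"09" as invalid octal and
    # raises an arithmetic error, and "010" is compared as 8.
    # NOTE(review): some address parsers treat a leading-zero octet as octal;
    # consider rejecting leading zeros if downstream tools may disagree.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}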
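# Ask for the server's IPv4 address until validateIP accepts it. $ip is later
# passed to iptables and smbclient, so the complete input line has to be
# validated, not only its first word.
validip=false
while [ "$validip" = false ]; do
  echo "Vul het IP-adres van uw server in"
  # -r keeps backslashes literal; on EOF, stop rather than loop forever.
  read -r ip || exit 1

  # Quoted so that input containing spaces or glob characters reaches
  # validateIP as a single argument and is rejected by its pattern check.
  if validateIP "$ip"; then
    validip=true
  else
    echo "Dit was geen geldig IP-adres"
    validip=false
  fi
done
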
  91. # Update standaard libraries
  92. echo -e "\r\nStandaard Linux packetes worden geupdate"
  93. sudo apt-get update
  94. sudo apt-get upgrade
  95. sudo apt-get dist-upgrade
  96.  
  97. # Update de SSL/TLS
  98. echo -e "\r\nopenssl wordt geinstalleerd"
  99. sudo apt-get install openssl
  100.  
  101. # XAMPP security
  102. echo -e "\r\nSecurity toepassen op mysql + phpmyadmin.."
  103. sudo /opt/lampp/lampp security
  104.  
  105. # Verander user wachtwoord
  106. echo -e "\r\nUser wachtwoord veranderen.."
  107. sudo echo -e "$userpass\n$userpass" | sudo passwd user
  108.  
  109. # Verander user ID van update user
  110. sudo sed -i 's/update:x:0:0:/update:x:200:0:/' /etc/passwd
  111.  
  112. # Lock root en verwijder update en postfix user
  113. sudo passwd -l root
  114. sudo userdel -r update
  115. sudo userdel telnetd
  116. #sudo userdel -r postfix
  117.  
  118. # Deny sudo su command om naar root te switchen
  119. sudo sed -i '4iauth requisite pam_deny.so' /etc/pam.d/su
  120. # Kill duplicate lines
  121. sort -um /etc/pam.d/su | sudo tee /etc/pam.d/su
  122.  
  123. # Remove pam_libinit
  124. sudo rm /bin/pam_libinit
  125.  
  126. # Pas de rechten van dirs aan zodat de guest er niet bij kan
  127. echo -e "\r\nRechten van dirs aanpassen.."
  128. sudo chmod 750 /home/user
  129. sudo chmod 700 /root
  130.  
  131. # Pas de rechten van guest aan
  132. sudo chmod 444 /home/guest
  133.  
  134. # Change passwd file permissions to correct values
  135. echo -e "\r\nRechten van password files aanpassen.."
  136. sudo chmod 0644 /etc/passwd
  137. sudo chmod 0640 /etc/shadow
  138.  
  139.  
  140. # Verwijder Telnet Server
  141. echo -e "\r\nTelnet server uitschakelen.."
  142. sudo apt-get remove telnet
  143.  
  144. # Delete het printenv script
  145. sudo rm /opt/lampp/cgi-bin/printenv
  146.  
  147. # Zet firewall ipv6 uit
  148. sudo sed -i 's/IPV6=.*/IPV6=no/' /etc/default/ufw
  149.  
  150. # Disable TraceEnable in httpd.conf
  151. echo -e "\r\nTraceEnable uitzetten.."
  152. sudo echo 'TraceEnable off' | sudo tee -a /opt/lampp/etc/httpd.conf
  153.  
  154. # Uitzetten inetd settings
  155. sudo sed -i 's/discard/#discard/' /etc/inetd.conf
  156. sudo sed -i 's/daytime/#daytime/' /etc/inetd.conf
  157. sudo sed -i 's/time/#time/' /etc/inetd.conf
  158. sudo sed -i 's/telnet/#telnet/' /etc/inetd.conf
  159.  
  160.  
  161.  
  162. #sudo echo 'Header always append X-Frame-Options SAMEORIGIN' | sudo tee -a /etc/apache2/apache2.conf
  163.  
  164. sudo echo 'SSLHonorCipherOrder on' | sudo tee -a /opt/lampp/etc/extra/httpd-ssl.conf
  165. sudo echo 'SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4' | sudo tee -a /opt/lampp/etc/extra/httpd-ssl.conf
  166.  
  167.  
  168.  
  169.  
  170. # Deny SSL
  171. sudo echo 'SSLProtocol all -SSLv2 -SSLv3' | sudo tee -a /opt/lampp/etc/extra/httpd-ssl.conf
  172.  
  173. # Verander ftp settings
  174. # Anonymous settings
  175. sudo sed -i 's/anonymous_enable=.*/anonymous_enable=NO/' /etc/vsftpd.conf
  176. sudo sed -i 's/anon_upload_enable=.*/anon_upload_enable=NO/' /etc/vsftpd.conf
  177. sudo sed -i 's/anon_mkdir_write_enable=.*/anon_mkdir_write_enable=NO/' /etc/vsftpd.conf
  178.  
  179.  
  180.  
  181.  
  182.  
  183.  
  184. # Firewall regels
  185. # deny van 192.168.0.0/16 (private netwerk)
  186. #DIT MOET AAN VOOR ALLEEN DE VSPHERE
  187. # sudo iptables -A INPUT -s 192.168.0.0/16 -j DROP
  188. # deny van 172.16.0.0/16 (private netwerk)
  189. sudo iptables -A INPUT -s 172.16.0.0/16 -j DROP
  190. # deny van 10.0.0.0/8 (private netwerk)
  191. sudo iptables -A INPUT -s 10.0.0.0/8 -j DROP
  192. # deny van 127.0.0.0/8 (loopback)
  193. sudo iptables -A INPUT -s 127.0.0.0/8 -j DROP
  194. # deny van 169.254.0.0/16 (APIPA)
  195. sudo iptables -A INPUT -s 169.254.0.0/16 -j DROP
  196. # deny van alle destinations die niet het lokale ip/22 zijn
  197. sudo iptables -A INPUT ! -d $ip -j DROP
  198. # allow ssh
  199. sudo iptables -A INPUT -p tcp --dport ssh -m limit --limit 10/s -j ACCEPT
  200. # allow ftp
  201. sudo iptables -A INPUT -p tcp --dport ftp -m limit --limit 10/s -j ACCEPT
  202. # allow http
  203. sudo iptables -A INPUT -p tcp --dport http -m limit --limit 10/s -j ACCEPT
  204. # allow 443
  205. sudo iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/s -j ACCEPT
  206. # allow 139 (Samba)
  207. sudo iptables -A INPUT -p tcp --dport 137 -m limit --limit 10/s -j ACCEPT
  208. # allow 445 (Samba)
  209. sudo iptables -A INPUT -p tcp --dport 445 -m limit --limit 10/s -j ACCEPT
  210. # allow 10000
  211. sudo iptables -A INPUT -p tcp --dport 10000 -m limit --limit 10/s -j ACCEPT
  212. # allow established verkeer
  213. sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m limit --limit 10/s -j ACCEPT
  214. # deny ICMP
  215. sudo iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d localhost -m state --state ESTABLISHED,RELATED -j DROP
  216. # logging
  217. sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  218. # default deny
  219. sudo iptables -A INPUT -j DROP
  220.  
  221. # Voor de outgoing packets
  222. # allow established verkeer
  223. sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -m limit --limit 10/s -j ACCEPT
  224. # allow from intern net
  225. sudo iptables -A OUTPUT -s $ip -m limit --limit 10/s -j ACCEPT
  226. # deny ICMP
  227. sudo iptables -A OUTPUT -p icmp --icmp-type 8 -s localhost -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j DROP
  228. # logging
  229. sudo iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  230. # default deny
  231. sudo iptables -A OUTPUT -j DROP
  232.  
  233. # Opslaan van de regels in een file
  234. sudo iptables-save | sudo tee /etc/iptables-save
  235. # Voeg line toe aan rc.local om instellingen by startup te applyen
  236. sudo sed -i '13isudo iptables-restore < /etc/iptables-save' /etc/rc.local
  237.  
  238.  
  239. ############ SSL Certificaat gedeelte ###############
  240. # Genereer key
  241. sudo openssl genrsa -aes256 -out pass.key 2048
  242. sudo openssl rsa -in pass.key -out server.key
  243.  
  244. # Genereer certificate
  245. sudo openssl req -new -x509 -nodes -sha1 -key server.key -out server.crt -days 999 -config /opt/lampp/share/openssl/openssl.cnf
  246.  
  247. # Verplaats naar Apache folder
  248. echo "Key en certificaat verplaatsen naar correcte mappen.."
  249. sudo mv server.key /opt/lampp/etc/ssl.key/server.key
  250. sudo mv server.crt /opt/lampp/etc/ssl.crt/server.crt
  251.  
  252. sudo chmod 640 /opt/lampp/etc/ssl.crt/server.crt
  253. sudo chmod 640 /opt/lampp/etc/ssl.key/server.key
  254.  
  255.  
  256. ############ SSL Certificaat gedeelte Eind ###############
  257.  
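############ SSH Config ###############

# Create the key directory for "user" if it does not exist yet
if [ ! -d "/home/user/.ssh" ]; then
  echo -e "\r\n.ssh directory aanmaken.."
  sudo mkdir -m 700 /home/user/.ssh
  sudo touch /home/user/.ssh/authorized_keys
  sudo chmod 600 /home/user/.ssh/authorized_keys
  # Everything above was created through sudo and therefore belongs to root.
  # With mode 700/600 the account itself could not read its own key file, so
  # hand ownership to "user" (and that account's login group).
  sudo chown -R user: /home/user/.ssh
fi


############ SSH Config End ###############
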
  272. ##################### MOTD en Issue message ########################
  273.  
  274. # Issue instellen
  275. echo -e "\r\n Banner veranderen in:"
  276. printf "########################################################################\nWelcome\nAll connections are monitored and recorded\nUnauthorized access will be prosecuted\n########################################################################\n" | sudo tee /etc/issue /etc/issue.net
  277.  
  278. # MOTD aanpassen
  279. sudo rm /etc/update-motd.d/50-landscape-sysinfo
  280. printf "####################################\nWelcome\nEnjoy your stay!\n####################################" > /etc/motd.tail
  281.  
  282. # Inlogpogingen beperken
  283. sudo sed -i '1s/^/auth required pam_tally.so onerr=fail deny=3 unlock_time=60 /' /etc/pam.d/common-auth
  284.  
  285.  
  286. ##################### MOTD en Issue message END #####################
  287.  
  288. ##################### Ctrl+alt+Delete #####################
  289. #Ctrl+Alt+Delete disablen
  290. sudo sed -i 's/exec shutdown -r now "Control-Alt-Delete pressed".*/#exec shutdown -r now "Control-Alt-Delete pressed" /' /etc/init/control-alt-delete.conf
  291. ##################### Ctrl+alt+Delete END #####################
  292.  
  293.  
  294. ##################### RKHunter #####################
  295. sudo apt-get install rkhunter
  296. sudo wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
  297. tar xzvf rkhunter-1.4.2.tar.gz
  298. sudo rkhunter-1.4.2/installer.sh
  299.  
  300. sudo sed -i 's/SCRIPTWHITELIST=/usr/bin/lwp-request.*/#SCRIPTWHITELIST=/usr/bin/lwp-request /' /etc/rkhunter.conf
  301.  
  302. sudo sed -i 's/SCRIPTWHITELIST=/usr/sbin/prelink.*/#SCRIPTWHITELIST=/usr/sbin/prelink /' /etc/rkhunter.conf
  303.  
  304. sudo rkhunter --update
  305. sudo rkhunter --propupd
  306. sudo rkhunter --check
  307.  
  308. sudo dpkg-reconfigure rkhunter
  309. ##################### RKHunter END #####################
  310.  
  311.  
  312. #################### Windows File Share ####################
  313. #Update samba
  314. sudo apt-get install samba
  315. #Aanmaken van samba user: user
  316. sudo smbpasswd -a user
  317. #Maak directory aan om te sharen
  318. sudo mkdir /home/user/share
  319. #Toevoegen van de share folder in samba configuration
  320. sudo echo “[share]” >> /etc/samba/smb.conf
  321. sudo echo “path = /home/user/share” >> /etc/samba/smb.conf
  322. sudo echo “valid users = user” >> /etc/samba/smb.conf
  323. sudo echo “read only = no” >> /etc/samba/smb.conf
  324. #Restart samba service
  325. sudo service smbd restart
  326. #Testen of alles werkt
  327. testparm
  328. #Toevoegen van de network share client
  329. sudo apt-get install smbclient
  330. #Listen van alle shares
  331. smbclient -L //$ip/share -U user
  332. #Starten van de share
  333. smbclient //$ip/share -U user
  334. #################### Windows File Share END ####################