
Untitled

a guest
Dec 7th, 2019
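#!/bin/bash
# Interactive hardening helper for a Debian/Ubuntu style machine.
# It edits files under /etc, changes account passwords, enables the firewall
# and deletes media files, so read it through before running it as root.
set -e

if [[ $# -eq 0 ]]; then
  echo "No arguments were given"
  exit 1
fi

# Set default values
userlist=""
ftp=0      # stays 0: --ftp is accepted but its assignment is commented out
ssh=0
lightdm=0  # stays 0: the --lightdm option is commented out
editor="vim"

while [[ $# -gt 0 ]]; do
  case "$1" in
    -h|--help)
      echo "Does some common things to harden the security of the machine"
      echo "Make sure you provide a list of users, where each user is on a seperate line and check the fields in the package manager settings so it installs the latest updates"
      echo "Also make sure you answer the forensics question beforehand"
      echo "FTP option is not working"
      echo ""
      echo "Usage: sudo bash cplinux.sh [REQUIRED] [OPTIONS] 2>&1 | tee output.log"
      echo ""
      echo "Required:"
      echo "-u, --users [FILE.TXT] list of users whom password to change"
      echo ""
      echo "Options:"
      echo "-h, --help help menu"
      echo "--ftp enable if the machine uses ftp"
      echo "--ssh enable if the machine uses ssh"
      #echo "--lightdm enable if the machine uses lightdm"
      echo "-e, --editor [EDITOR] editor to use (default vim)"
      exit 0
      ;;
    -u|--users)
      # Without this check a trailing "-u" made the second shift fail and the
      # script died under set -e with no message at all.
      if [[ $# -lt 2 ]]; then
        echo "Option $1 needs a file argument" >&2
        exit 1
      fi
      userlist=$2
      shift 2
      ;;

    --ftp)
      shift
      #ftp=1
      ;;
    --ssh)
      shift
      ssh=1
      ;;
    #--lightdm)
    #shift
    #lightdm=1
    #;;
    -e | --editor)
      if [[ $# -lt 2 ]]; then
        echo "Option $1 needs an editor name" >&2
        exit 1
      fi
      # Allow-list on purpose: $editor is executed as root later on, so only
      # a known editor name is accepted and anything else keeps the default.
      if [[ $2 == "nano" ]]; then
        editor="nano"
      fi
      shift 2
      ;;
    *)
      echo "Wrong syntax"
      exit 1
      ;;
  esac
done

# The user list is documented as required but is only read near the end of
# the run, after packages, PAM and the firewall have already been changed.
# Fail here instead of half-way through.
if [[ -z "$userlist" || ! -r "$userlist" ]]; then
  echo "A readable user list must be given with -u/--users" >&2
  exit 1
fi
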
  69. echo "This script does some common things to harden the security of the machine"
  70. echo "Make sure you provide a list of users, where each user is on a seperate line and check the fields in the package manager settings so it installs the latest updates"
  71. echo "Also make sure you answer the forensics question beforehand otherwise they might be impossible to answer later on"
  72. echo "FTP option is not working"
  73. read -p "Have you performed the tasks listed above? "
  74.  
  75. echo -e "\nStarting execution\n"
  76. sleep 3
  77.  
  78. # Install prerequisites
  79. apt-get -V -y install htop auditd libpam-cracklib ufw gufw vim firefox hardinfo chkrootkit portsentry lynis clamav
  80.  
  81. # Perform manual configuration
  82. echo -e "\nPerform manual configuration\n"
  83. sleep 3
  84.  
  85. echo "Opening /etc/apt/sources.list"
  86. echo "Check for Malicious sources"
  87. sleep 5
  88. $editor /etc/apt/sources.list
  89. echo ""
  90.  
  91. echo "Opening /etc/resolv.conf"
  92. echo "Make sure it is safe, use a secure name server"
  93. sleep 5
  94. $editor /etc/resolv.conf
  95. echo ""
  96.  
  97. echo "Opening /etc/hosts"
  98. echo "Make sure it is not redirecting"
  99. sleep 5
  100. $editor /etc/hosts
  101. echo ""
  102.  
  103. echo "Opening /etc/rc.local"
  104. echo "Should be empty except for 'exit 0'"
  105. sleep 5
  106. $editor /etc/rc.local
  107. echo ""
  108.  
  109. echo "Opening /etc/sysctl.conf"
  110. echo "Change net.ipv4.tcp_syncookies entry from 0 to 1"
  111. sleep 5
  112. $editor /etc/sysctl.conf
  113. echo ""
  114.  
  115. echo "Opening /etc/lightdm/lightdm.conf"
  116. echo "Set 'allow_guest=false' and remove 'autologin'"
  117. sleep 5
  118. $editor /etc/lightdm/lightdm.conf
  119. echo ""
  120.  
  121. # Check the network's connections
  122. echo -e "\nChecking the network's connections\n"
  123. sleep 3
  124. netstat -tulpn
  125. lsof -i -n -P
  126.  
  127. # Password settings
  128. echo -e "\nChanging password settings\n"
  129. sleep 3
  130. sed -i 's/^PASS_MAX_DAYS\t.*$/PASS_MAX_DAYS\t90/' /etc/login.defs
  131. sed -i 's/^PASS_MIN_DAYS\t.*$/PASS_MIN_DAYS\t10/' /etc/login.defs
  132. sed -i 's/^PASS_WARN_AGE\t.*$/PASS_WARN_AGE\t7/' /etc/login.defs
  133.  
  134. sed -i 's/pam_cracklib.so .*$/pam_cracklib.so retry=3 minlength=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4/' /etc/pam.d/common-password
  135. sed -i 's/pam_unix.so .*$/pam_unix.so deny=5 even_deny_root unlock_time=1800O/' /etc/pam.d/common-auth
  136.  
  137. # Disable root
  138. echo -e "\nDisabling root\n"
  139. sleep 3
  140. passwd -l root
  141.  
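# SSH
# Runs only with --ssh: the operator edits sshd_config by hand, then the
# service is restarted to pick the change up.
if [[ $ssh == 1 ]]; then
  echo -e "\nConfiguring SSH\n"
  echo "Set 'PermitRootLogin no' and 'PermitEmptyPasswords no'"
  sleep 5
  service ssh start
  $editor /etc/ssh/sshd_config
  # Validate the edited file first. Restarting with a broken sshd_config can
  # leave the daemon down, which on a remote machine locks the operator out.
  if sshd -t; then
    service ssh restart
  else
    echo "sshd_config failed validation; SSH was not restarted. Fix the file and restart it by hand." >&2
  fi
fi

# FTP
# Currently unreachable: ftp is initialised to 0 and the --ftp option does
# not set it. Kept so the section can be finished later.
if [[ $ftp == 1 ]]; then
  echo -e "\nConfiguring FTP\n"
  sleep 3
  service ftp start

  service ftp restart
fi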
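# Users

# Auditing
# Turns the audit subsystem on for the running system.
# NOTE(review): whether this survives a reboot depends on the auditd
# configuration, which this script does not touch - confirm.
echo -e "\nEnabling auditing\n"
sleep 3
auditctl -e 1

# Firewall
echo -e "\nEnabling firewall\n"
sleep 3

# Add the allow rules BEFORE enabling ufw. Enabling first briefly left the
# firewall up with no rule for SSH, which can cut off a remote session
# before "ufw allow ssh" is reached.
if [[ $ssh == 1 ]]; then
  ufw allow ssh
fi

if [[ $ftp == 1 ]]; then
  ufw allow ftp
fi

ufw enable
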
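# Change password for all users
echo -e "\nChanging password for all given users\n"
sleep 3

# Read the user list into the users array (also used by the crontab check).
# Names are still split on whitespace as before, but without glob expansion,
# and a trailing carriage return from a Windows-edited file is dropped.
users=()
while IFS= read -r list_line || [[ -n "$list_line" ]]; do
  list_line=${list_line%$'\r'}
  read -r -a line_names <<<"$list_line"
  users+=("${line_names[@]}")
done <"$userlist"

# The earlier version piped one fixed password literal into passwd for every
# account. A password stored in a script is known to everyone who can read the
# script, and it gave all accounts the same credential. passwd now prompts the
# operator per account, so nothing secret lives in the script or its log.
# Accounts that were set by the earlier version should get new passwords.
for user in "${users[@]}"; do
  if ! id -u -- "$user" >/dev/null 2>&1; then
    echo "Skipping ${user}: no such account" >&2
    continue
  fi
  read -r -p "Change password for user ${user}? (y/n)" ans
  if [[ $ans != "n" ]]; then
    # A mistyped confirmation must not abort the rest of the run under set -e.
    passwd "$user" || echo "Password for ${user} was NOT changed" >&2
  fi
done
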
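# Check crontabs
# Prints scheduled jobs for the listed users and for the invoking user so
# the operator can look for entries that should not be there.
echo -e "\nChecking crontabs\n"
sleep 3

for user in "${users[@]}"; do
  # crontab -l exits non-zero when a user simply has no crontab. That is a
  # normal result here and must not end the script under set -e.
  crontab -u "${user}" -l || echo "No crontab listed for ${user}" >&2
done
crontab -l || echo "No crontab listed for the invoking user" >&2

# Only the users from the list were checked above; show the spool directory
# too so crontabs of accounts missing from the list are not overlooked.
ls -l /var/spool/cron/crontabs 2>/dev/null \
  || echo "Could not list /var/spool/cron/crontabs" >&2

echo -e "/etc/crontab"
sleep 3
# This used $EDITOR, the environment variable, not the $editor chosen on the
# command line. With EDITOR unset the line tried to execute /etc/crontab.
$editor /etc/crontab

echo -e "List all crontab files"
sleep 3
ls /etc/cron*

# Check path
echo -e "\nCheck the path for weird files"
echo "$PATH"
read -r -p "Finished?"

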
  215. # Delete media files
  216. echo -e "\nDeleting media files\n"
  217. sleep 3
  218. find / -name '*.mp3' -type f -delete
  219. find / -name '*.mov' -type f -delete
  220. find / -name '*.mp4' -type f -delete
  221. find / -name '*.avi' -type f -delete
  222. find / -name '*.mpg' -type f -delete
  223. find / -name '*.mpeg' -type f -delete
  224. find / -name '*.flac' -type f -delete
  225. find / -name '*.m4a' -type f -delete
  226. find / -name '*.flv' -type f -delete
  227. find / -name '*.ogg' -type f -delete
  228. find /home -name '*.gif' -type f -delete
  229. find /home -name '*.png' -type f -delete
  230. find /home -name '*.jpg' -type f -delete
  231. find /home -name '*.jpeg' -type f -delete
  232.  
  233. # Delete games
  234. echo -e "\nDeleting games\n"
  235. sleep 3
  236. apt-get purge aisleriot gnome-mahjongg gnome-mines gnome-sudoku -y
  237.  
# Check that all went well
# Re-open the files changed by the sed commands so the operator can confirm
# the edits landed as intended.
printf '\n%s\n\n' "Check that right changes were made"
sleep 5
for changed_file in /etc/login.defs /etc/pam.d/common-password /etc/pam.d/common-auth; do
  "$editor" "$changed_file"
done

# lightdm is initialised to 0 and its command-line option is commented out,
# so this branch does not run at present.
case "$lightdm" in
  1)
    /usr/lib/lightdm/lightdm-set-defaults -l false
    ;;
esac

printf '%s\n' "UFW status report"
ufw status verbose
sleep 3

  252. # Gather information
  253. echo -e "\nGathering information\n"
  254. echo "Scanning is disabled due formatting probles, scan yourself manually"
  255. sleep 3
  256. #hardinfo -r -f html
  257. #chkrootkit
  258. #lynis -c
  259. #freshclam
  260. #clamscan -r /
  261.  
  262. # System update
  263. echo -e "\nUpdating the system\n"
  264. sleep 3
  265. apt-get update
  266. apt-get upgrade -y
  267. apt-get dist-upgrade
  268. apt-get autoremove -y
  269.  
  270. echo "Finished"
  271. echo "Do not forget to check for wrong users, usergroups, and the sudoers file"
  272. echo "Also perform scans manually"