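#!/bin/bash
# cplinux.sh - interactive hardening helper for a Debian/Ubuntu style machine.
# This first section parses the command line into the settings that the rest
# of the script reads: userlist, ftp, ssh, lightdm and editor.
set -e

if [[ $# -eq 0 ]]; then
  echo "No arguments were given"
  exit 1
fi

# Set default values
userlist=""   # path of the file holding one user name per line (-u)
ftp=0         # stays 0: --ftp is accepted but its assignment is disabled
ssh=0         # set to 1 by --ssh
lightdm=0     # stays 0: the --lightdm switch is commented out
editor="vim"  # editor used for the manual review steps

while [[ $# -gt 0 ]]; do
  case $1 in
    -h|--help)
      echo "Does some common things to harden the security of the machine"
      echo "Make sure you provide a list of users, where each user is on a seperate line and check the fields in the package manager settings so it installs the latest updates"
      echo "Also make sure you answer the forensics question beforehand"
      echo "FTP option is not working"
      echo ""
      echo "Usage: sudo bash cplinux.sh [REQUIRED] [OPTIONS] 2>&1 | tee output.log"
      echo ""
      echo "Required:"
      echo "-u, --users [FILE.TXT] list of users whom password to change"
      echo ""
      echo "Options:"
      echo "-h, --help help menu"
      echo "--ftp enable if the machine uses ftp"
      echo "--ssh enable if the machine uses ssh"
      #echo "--lightdm enable if the machine uses lightdm"
      echo "-e, --editor [EDITOR] editor to use (default vim)"
      exit 0
      ;;
    -u|--users)
      # A bare "-u" used to make the second shift fail, which ended the
      # script under set -e without any message.
      if [[ $# -lt 2 ]]; then
        echo "Option $1 requires a file argument" >&2
        exit 1
      fi
      userlist=$2
      shift 2
      ;;
    --ftp)
      shift
      #ftp=1
      ;;
    --ssh)
      shift
      ssh=1
      ;;
    #--lightdm)
    #shift
    #lightdm=1
    #;;
    -e|--editor)
      if [[ $# -lt 2 ]]; then
        echo "Option $1 requires an editor name" >&2
        exit 1
      fi
      # Only "nano" is honoured; any other value keeps the default, so the
      # command line can never name an arbitrary program to run as root.
      if [[ $2 == "nano" ]]; then
        editor="nano"
      fi
      shift 2
      ;;
    *)
      echo "Wrong syntax"
      exit 1
      ;;
  esac
done

# -u is documented as required. Without it the later "cat" of the user list
# runs with no file name and waits on standard input.
if [[ -z $userlist ]]; then
  echo "Missing required option: -u, --users [FILE.TXT]" >&2
  exit 1
fi
if [[ ! -r $userlist ]]; then
  echo "Cannot read user list: $userlist" >&2
  exit 1
fi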
# Remind the operator of the preparation steps before anything is changed.
printf '%s\n' \
  "This script does some common things to harden the security of the machine" \
  "Make sure you provide a list of users, where each user is on a seperate line and check the fields in the package manager settings so it installs the latest updates" \
  "Also make sure you answer the forensics question beforehand otherwise they might be impossible to answer later on" \
  "FTP option is not working"
# The reply is never inspected; the prompt only pauses until a line is entered.
read -p "Have you performed the tasks listed above? "
printf '\nStarting execution\n\n'
sleep 3
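# Manual configuration and prerequisite installation.
#
# The package sources are reviewed BEFORE anything is installed from them:
# installing first would pull packages, as root, from whatever a tampered
# sources.list points at.

# Show one file in the chosen editor, preceded by a hint on what to check.
#   $1 - path of the file to open
#   $2 - hint printed before the editor starts
review_file() {
  local path=$1 hint=$2
  echo "Opening $path"
  echo "$hint"
  sleep 5
  "$editor" "$path"
  echo ""
}

# Perform manual configuration
echo -e "\nPerform manual configuration\n"
sleep 3

echo "Opening /etc/apt/sources.list"
echo "Check for Malicious sources"
sleep 5
if command -v "$editor" >/dev/null 2>&1; then
  "$editor" /etc/apt/sources.list
else
  # The default editor may only arrive with the install step below, so fall
  # back to printing the file and waiting for the operator.
  cat /etc/apt/sources.list
  read -r -p "Editor $editor is not installed yet; fix any bad entries from another terminal, then press Enter "
fi
# Additional source files can live in this directory; list them so they are
# not overlooked. A missing directory is not an error.
ls -l /etc/apt/sources.list.d/ || true
echo ""

# Install prerequisites
# Refresh the package index first so the install does not work from a stale
# list; a failed refresh is reported but does not stop the run.
apt-get update || echo "apt-get update failed; continuing with the existing package index" >&2
apt-get -V -y install htop auditd libpam-cracklib ufw gufw vim firefox hardinfo chkrootkit portsentry lynis clamav

review_file /etc/resolv.conf "Make sure it is safe, use a secure name server"
review_file /etc/hosts "Make sure it is not redirecting"
review_file /etc/rc.local "Should be empty except for 'exit 0'"
review_file /etc/sysctl.conf "Change net.ipv4.tcp_syncookies entry from 0 to 1"
# Editing the file alone changes nothing until the next boot; load it now.
sysctl -p || echo "sysctl -p reported errors; review /etc/sysctl.conf" >&2
review_file /etc/lightdm/lightdm.conf "Set 'allow_guest=false' and remove 'autologin'"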
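# Check the network's connections
# Lists listening TCP/UDP sockets with their owning processes so unexpected
# services can be spotted by the operator.
echo -e "\nChecking the network's connections\n"
sleep 3
if command -v netstat >/dev/null 2>&1; then
  netstat -tulpn
else
  # netstat comes from net-tools, which is not always installed; ss takes
  # the same -tulpn switches.
  ss -tulpn || echo "Neither netstat nor ss could list the sockets" >&2
fi
# lsof exits non-zero when it has nothing to report; under set -e that
# would end the whole run, so its status is deliberately ignored.
lsof -i -n -P || true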
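# Password settings
echo -e "\nChanging password settings\n"
sleep 3

# Password ageing in /etc/login.defs: maximum 90 days, minimum 10 days,
# warning 7 days before expiry. Only existing, uncommented entries are
# rewritten; any whitespace after the key is accepted, not just a tab.
sed -i 's/^PASS_MAX_DAYS[[:space:]].*$/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS[[:space:]].*$/PASS_MIN_DAYS\t10/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE[[:space:]].*$/PASS_WARN_AGE\t7/' /etc/login.defs

# Password complexity. pam_cracklib's length option is "minlen"; the
# previous "minlength=16" is not an option of the module, so the intended
# 16-character minimum was never enforced.
sed -i 's/pam_cracklib.so .*$/pam_cracklib.so retry=3 minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4/' /etc/pam.d/common-password

# Account lockout. deny=, even_deny_root and unlock_time= are options of the
# lockout modules (pam_tally2 / pam_faillock), not of pam_unix, and the old
# value "1800O" ended in a letter O. Writing them onto the pam_unix.so line
# gave no lockout and discarded that line's real options. The one useful
# side effect is kept: nullok / nullok_secure is removed so accounts with
# an empty password cannot authenticate.
sed -i -E '/^[^#]*pam_unix\.so/s/[[:space:]]+nullok(_secure)?//' /etc/pam.d/common-auth
# A wrong line in common-auth can lock every account out, so lockout is left
# to the operator; the file is opened again in the final review step.
echo "Account lockout is NOT configured automatically: add a pam_tally2 or pam_faillock rule (deny=5, unlock_time=1800) that matches this release" >&2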
# Disable root
printf '\nDisabling root\n\n'
sleep 3
# -l locks the root account's password; root stays reachable through sudo.
passwd -l root
# SSH
# Runs only when --ssh was given: the operator edits sshd_config by hand and
# the service is restarted so the edit takes effect.
if (( ssh == 1 )); then
  printf '\nConfiguring SSH\n\n'
  printf '%s\n' "Set 'PermitRootLogin no' and 'PermitEmptyPasswords no'"
  sleep 5
  service ssh start
  $editor /etc/ssh/sshd_config
  service ssh restart
fi

# FTP
# ftp is never set to 1 by the option parser in this script, so this branch
# is currently dead code.
if (( ftp == 1 )); then
  printf '\nConfiguring FTP\n\n'
  sleep 3
  service ftp start
  service ftp restart
fi
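# Users

# Auditing
echo -e "\nEnabling auditing\n"
sleep 3
# Switches auditing on for the running system.
# NOTE(review): no audit rules are added here and nothing is written to the
# rules files, so this presumably does not survive a reboot - confirm.
auditctl -e 1

# Firewall
echo -e "\nEnabling firewall\n"
sleep 3
# Add the allow rules BEFORE switching the firewall on. Enabling first and
# allowing afterwards leaves a window in which the services the operator
# asked to keep (possibly the SSH session running this script) are blocked.
if [[ $ssh == 1 ]]; then
  ufw allow ssh
fi
if [[ $ftp == 1 ]]; then
  ufw allow ftp
fi
ufw enable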
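# Change password for all users
echo -e "\nChanging password for all given users\n"
sleep 3

# Without a readable list the old "cat" ran with no file name and waited on
# standard input; stop with a message instead.
if [[ -z $userlist || ! -r $userlist ]]; then
  echo "Cannot read user list: ${userlist:-<none given>}" >&2
  exit 1
fi

# Split the file on whitespace as before, but without the glob expansion an
# unquoted $(cat ...) performs. read returns non-zero at end of file.
users=()
read -r -d '' -a users < "$userlist" || true

# The password used to be a literal embedded in this script, so everyone who
# could read the script knew every account's password. Ask for it instead.
# -s keeps it off the terminal and out of the tee'd output.log.
new_password=""
while [[ -z $new_password ]]; do
  read -r -s -p "New password for the selected users: " new_password
  echo ""
  read -r -s -p "Repeat the new password: " new_password_check
  echo ""
  if [[ $new_password != "$new_password_check" ]]; then
    echo "Passwords do not match, try again" >&2
    new_password=""
  fi
done
unset new_password_check

for user in "${users[@]}"; do
  read -r -p "Change password for user ${user}? (y/n)" ans
  if [[ $ans != "n" ]]; then
    # chpasswd takes "user:password" on standard input; printf is a shell
    # builtin, so the password never appears in a process argument list.
    # A failure for one user is reported and the loop continues.
    printf '%s:%s\n' "$user" "$new_password" | chpasswd \
      || echo "Could not change the password for ${user}" >&2
  fi
done
unset new_password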
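# Check crontabs
# Prints every listed user's crontab and root's own, then opens the system
# crontab for review and lists the cron directories.
echo -e "\nChecking crontabs\n"
sleep 3
for user in "${users[@]}"; do
  # crontab -l exits non-zero for a user without a crontab; under set -e
  # that ended the whole script at the first such user.
  crontab -u "$user" -l || true
done
crontab -l || true
echo -e "/etc/crontab"
sleep 3
# Was "$EDITOR": that environment variable is not the script's "editor"
# setting, and when it is unset the line tried to execute /etc/crontab.
"$editor" /etc/crontab
echo -e "List all crontab files"
sleep 3
ls /etc/cron*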
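# Check path
# Shows the search path so the operator can look for unexpected directories
# (writable or unusual entries ahead of the system ones).
echo -e "\nCheck the path for weird files"
# Quoted so the value is printed exactly, without word splitting or globbing.
printf '%s\n' "$PATH"
# The reply is not inspected; the prompt only pauses until a line is entered.
read -r -p "Finished?"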
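# Delete media files
# Audio/video files are searched for on the whole system, images only under
# /home. The matches are listed and confirmed before anything is removed:
# the patterns also match files that belong to installed packages, and a
# deleted file cannot be brought back.
echo -e "\nDeleting media files\n"
sleep 3

media_list=$(mktemp)

# One pass instead of ten. The kernel pseudo file systems are skipped, and
# find's exit status is ignored because entries that vanish during the walk
# make it non-zero, which under set -e ended the script.
find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
  -type f \( -name '*.mp3' -o -name '*.mov' -o -name '*.mp4' -o -name '*.avi' \
  -o -name '*.mpg' -o -name '*.mpeg' -o -name '*.flac' -o -name '*.m4a' \
  -o -name '*.flv' -o -name '*.ogg' \) -print0 >"$media_list" || true
find /home -type f \( -name '*.gif' -o -name '*.png' -o -name '*.jpg' \
  -o -name '*.jpeg' \) -print0 >>"$media_list" || true

if [[ -s $media_list ]]; then
  tr '\0' '\n' <"$media_list"
  read -r -p "Delete the files listed above? (y/n)" ans
  if [[ $ans != "n" ]]; then
    # NUL-delimited so names with spaces or newlines are handled correctly.
    xargs -0 -r rm -f -- <"$media_list"
  fi
else
  echo "No media files found"
fi
rm -f -- "$media_list"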
# Delete games
printf '\nDeleting games\n\n'
sleep 3
# Purge removes the packages together with their configuration files.
apt-get purge -y aisleriot gnome-mahjongg gnome-mines gnome-sudoku
# Check that all went well
# Re-open each file the script rewrote so the operator can confirm the
# automatic edits, then print the firewall state.
printf '\nCheck that right changes were made\n\n'
sleep 5
for rewritten_file in /etc/login.defs /etc/pam.d/common-password /etc/pam.d/common-auth; do
  $editor "$rewritten_file"
done
# lightdm is never set to 1 by the option parser in this script.
if (( lightdm == 1 )); then
  /usr/lib/lightdm/lightdm-set-defaults -l false
fi
printf '%s\n' "UFW status report"
ufw status verbose
sleep 3
# Gather information
# The scanners installed earlier are not run from here; the calls are kept
# commented out and the operator is told to run them by hand.
printf '\nGathering information\n\n'
printf '%s\n' "Scanning is disabled due formatting probles, scan yourself manually"
sleep 3
#hardinfo -r -f html
#chkrootkit
#lynis -c
#freshclam
#clamscan -r /
# System update
# Refresh the package index, apply upgrades, then drop packages that are no
# longer needed. dist-upgrade runs without -y, so it asks for confirmation.
printf '\nUpdating the system\n\n'
sleep 3
apt-get update
apt-get upgrade -y
apt-get dist-upgrade
apt-get autoremove -y

# Closing reminders for the checks this script does not perform.
printf '%s\n' \
  "Finished" \
  "Do not forget to check for wrong users, usergroups, and the sudoers file" \
  "Also perform scans manually"