Untitled

#!/bin/bash
{
#v14 enviormental variables added
#HM 10/4/2017
l=$(grep "^UID_MIN" /etc/login.defs)
l1=$(grep "^UID_MAX" /etc/login.defs)
UUID=$(blkid | grep ext4 | grep -o '".*"' | sed 's/\ .*/ /')
hacking_tools=(logkeys keylogger freeviv-server keysniffer uber vlogger vuze deluge torrent tixati frostwire ophcrack medusa RainbowCrack wfuzz brutus LOphtCrack fgdump hydra john aircrack abel ksimet inssider kismac netstumbler weplab airjack nmap superscan hping scapy nemesis socat splunk nagios pof ngrep wireshark  ettercap dsniff etherape paros fiddler ratproxy slsstrip aide netfilter skipfish wapiti w3af helix sleuth maltego encase gdb tor OpenVPN snort netcop metasploit sqlmap sqlninja netsparker beef nessus openvas nipper retina qualysguard nexpose burp steam webscarab websecurify nikto w3af )
pack=(samba chromium apache2 nfs-util postgresql telnet postfix openvpn php5 perl wine mysql-server xinetd vsftp exim4 nginx rpcbind openssh-server mongodb MariaDB samba-server bind9 dovecot vnc4server tightvncserver gcc cc  )
root=$(awk -F: '($3 == "0") {print}' /etc/passwd)
awk -F':' -v "min=${l##UID_MIN}" -v "max=${l1##UID_MAX}" '{ if ( $3 >= min && $3 <= max ) print $0}' /etc/passwd | awk -F':' '{print $1}' > /tmp/users
grep '^sudo:.*$' /etc/group | cut -d: -f4 > /tmp/admns
tr , '\n' < /tmp/admns > /tmp/admins
if [ "$(uname -a| grep Ubuntu)" ]; then
	os="Ubuntu"
else
	os="Debian"
fi

echo "$os operating system detected..."
sleep 1;

echo "Enter all valid STANDARD users:"
sleep 1;
nano /tmp/authorized_users
echo "Enter all valid ADMINS:"
sleep 1;
nano /tmp/authorized_admins
cat /tmp/authorized_users /tmp/authorized_admins > /tmp/allusers
userz=$(grep -Fxvf /tmp/allusers /tmp/users)
adminz=$(grep -Fxvf /tmp/authorized_admins /tmp/admins)

rm /tmp/admns

echo "Badboy users: " >> ~/report
grep -Fxvf /tmp/allusers /tmp/users >> ~/report


for i in ${userz[@]}; do
	deluser $i
done

echo "Badboy admins:" >> ~/report
grep -Fxvf /tmp/authorized_admins /tmp/admins >> ~/report

for i in ${adminz[@]}; do
	deluser $i sudo
done


mkdir /backups
mkdir /prison
killall -9 dpkg
update-manager
apt-get update
########################### DEFINING FUNCTIONS #####################################
declare -a options=( change_passwords configure_ufw secure_crontab secure_sysctl secure_ssh secure_sudoers secure_logdefs secure_fstab )
change_passwords() {
	echo "Changing all passwords to thebomb.com1234!"
	sed 's/$/:thebomb.com1234!/' /tmp/allusers > /tmp/passwords
	cat /tmp/passwords | /usr/sbin/chpasswd
	echo "Changing root password"
	passwd -u root
	echo "root:thebomb.com1234!" | chpasswd
}
configure_ufw() {
	echo "Configuring ufw"
	apt-get install ufw
	ufw enable
	echo "Ufw rules... " >> ~/report
	ufw status >> ~/report
echo "" >> ~/report
}
secure_grub() {
	echo "Securing Grub, enter boot password:"
	grub-mkpasswd-pbkdf2 | tee /tmp/hash
	grubhash="$(cat /tmp/hash | sed  's/^[^:]*is //'| tail -n+3)"
	echo "set superusers=root" >> /etc/grub.d/40_custom
	echo "password_pbkdf2 root $grubhash" >> /etc/grub.d/40_custom
	grub-update
}
secure_crontab() {

crontabs="$(ls /etc/cron.d/* /var/spool/cron/* /etc/crontab)"
for crontab in ${crontabs[@]}
do
    echo "" > $crontab
done
}
secure_sysctl() {
cp /etc/sysctl.conf /backups
cat > /etc/sysctl.conf <<'EOF'
# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0

# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.tcp_syncookies = 1

# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1


net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0

#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0

#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking ends ##############

#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1


#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit
fs.file-max = 65535

#Allow for more PIDs
kernel.pid_max = 65536

#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
EOF
sysctl -p
}
secure_ssh() {
echo "Editing ssh..."
cp /etc/ssh/sshd_config /backups
cat > /etc/ssh/sshd_config <<EOF
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the users ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no


#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
EOF
}
secure_sudoers() {
echo "Editing sudoers file..."
cp /etc/sudoers /backups
cat > /etc/sudoers <<EOF
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL
EOF
}
secure_logdefs() {
echo "Editing login.defs..."
cp /etc/login.defs /backups
cat > /etc/login.defs <<EOF

MAIL_DIR        /var/mail
FAILLOG_ENAB		yes
LOG_UNKFAIL_ENAB	yes
LOG_OK_LOGINS		yes
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes
FTMP_FILE	/var/log/btmp
SU_NAME		su
HUSHLOGIN_FILE	.hushlogin
ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP	tty
TTYPERM		0600
ERASECHAR	0177
KILLCHAR	025
UMASK		022
PASS_MAX_DAYS	90
PASS_MIN_DAYS	10
PASS_WARN_AGE	7
UID_MIN			 1000
UID_MAX			60000
SYS_UID_MIN		  100
SYS_UID_MAX		  999
GID_MIN			 1000
GID_MAX			60000
SYS_GID_MIN		  100
SYS_GID_MAX		  999
LOGIN_RETRIES		3
LOGIN_TIMEOUT		60
CHFN_RESTRICT		rwh
DEFAULT_HOME	yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
}
secure_fstab() {
cp /etc/fstab/ /backups
echo UUID="$UUID / ext4 errors=remount-ro 0 1" > /etc/fstab
echo "tmpfs     /run/shm     tmpfs     ro,noexec,nosuid,nodev     0     0" >> /etc/fstab
}

echo "Creating ~/megalist"
find /etc /var /root /bin /home /pub /media /opt -xdev >> ~/megalist
dpkg --list >> ~/megalist
dpkg --list >> ~/pack


echo "Identifying Services"
echo "Services: " >> ~/report

for i in ${pack[@]}; do
        if ! [ "$( grep -w $i ~/pack)" == "" ];then
					echo "$i" possibly "installed" >> ~/report
				fi
done

echo "Identifying Hacking Tools"
echo "Hacking tools & Other Things : " >> ~/report
for i in ${hacking_tools[@]}; do
        if  ! [  "$(grep -w $i ~/megalist)" == "" ]; then
					echo $i maybe installed  >> ~/report ; apt-get remove $i

		fi
done

if [ -e /etc/prelink.conf ]; then
	prelink -ua
	apt-get remove prelink
	echo prelink installed >> ~/report
fi

echo "Possibly Bad Files: " >> ~/report

if [ -e /etc/vsftpd.conf ] ; then
	echo "vsftpd found"
	grep -rnw -e "password" -e "card" -e "boss" -e "hey" -e "hack" -e "personal" -e ".*\.mp3$" ".*\.m4b$" -e -e ".*\.mp4$" -e ".*\.mov$" -e ".*\.tar.gz$" -e ".*\.avi$" /srv
fi

echo "Possibly Bad Files: "
grep -rlin --exclude-dir={.mozilla,.cache,.config} -e "passsword" -e "card" -e "boss" -e "hey" -e "personal" -e "hack" /var/www /home >> ~/report


apt-get remove netcat-openbsd tcpdump
if [ -e /bin/nc ]; then
	echo "Hashing netcat..."
	export nchash=$(md5sum /bin/nc |  cut -f1 -d" ")
fi

if [ -e /bin/nc.traditional ]; then
	echo "Hashing netcat..."
	export tradhash=$(md5sum /bin/nc |  cut -f1 -d" ")
fi


echo "Setting permissions..."
chmod 0700 /etc/rc*
chmod 0700 /etc/init.d*
chmod 0700 /etc/sysctl.conf
chmod 644 /etc/passwd
chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg
chown root:root /etc/passwd
chown root:root /etc/sudoers
chown root:shadow /etc/shadow
chown root:root /etc/group
chmod 644 /etc/group
chmod -R 0444 /var/www/html/
chmod 644 /etc/fstab
chmod 400 /etc/shadow
chmod 02750 /bin/su
sudo dpkg-statoverride --update --add root sudo 4750 /bin/su

clear


rm '/etc/security/limits.d/*'
cp /etc/security/limits.conf /backups
echo "* hard core 0" >> /etc/security/limits.conf
cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a password "}' >> ~/report

echo "" >> ~/report
echo "Checking for UID of 0..."
echo "Following line should only be root" >> ~/report
[ "$root" != "root:x:0:0:root:/root:/bin/bash" ] && (echo "POSSIBLE UID OF 0!" >> ~/report | echo $"root" >> ~/report )


echo "Finding world writable files.."
echo "All world writeable files" >> ~/report
find /etc /var /root /home -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print >> ~/report
echo "Finding no user files...."
echo "No user files" >> ~/report
echo $(find /home /etc /var /dev -xdev \( -nouser -o -nogroup \) -print) >> ~/report
echo "Removing netcat and installing auidit"
apt-get remove netcat*
apt-get install libpam-cracklib
apt-get install auiditd
auditctl –e 1
reset
apt-get autoremove
echo "" >> ~/report


echo "Looking for netcat copies"
location="$(find ${PATH//:/ } -maxdepth 1 -executable)"
for binary in ${location[@]}
do
		if ! [ -d "$binary" ]; then
			if [ "$(md5sum $binary | cut -f1 -d" " )" == "$nchash" ] || [ "$(md5sum $binary | cut -f1 -d" " )" == "$tradhash" ] ;then
					mv "$binary" /prison
					echo "$binary is netcat, imprsioned" >> ~/report
					killall -9 "$binary"
			fi
        fi
done


if [ -e /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf ] ;then
	echo "Disabling guest..."
	echo "allow-guest=false" >> /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
	echo "Guest Disabled" >> ~/report
fi


apt-get install clamav
apt-get install rkhunter
freshclam
rkhunter --check

echo "Finding Media Files..."
echo "Media files:" >> ~/report
grep -e ".*\.mp3$" -e ".*\.mp4$" -e ".*\.mov$" -e ".*\.tar.gz$" -e ".*\.avi$" -e ".*\.torrent$" -e ".*\.exe$" ~/megalist  >> ~/report


echo "order bind,hosts" >> /etc/host.conf
echo "nospoof on" >> /etc/host.conf
sudo dmesg -n 1


cat > /etc/modprobe.d/CIS.conf <<EhOF
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
EhOF


if [ "$(dpkg --list | grep -i  php)" != "" ]; then
        echo "PHP found"
				echo "PHP security report: >> ~/report"
        phpconf=$(php -i | grep -i '/php.ini' | awk -F'> ' '{ print $NF }')

        if [ -e /etc/php.d/sqlite3.ini ];then
                mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
        fi

        function secure_php() {
				read -r -p "Run secure_php in active mode? y/n" php_response
				case "$php_response" in
					[yY][eE][sS]|[yY])
						php_status = true
						echo "running in active mode"
							;;
					*)
						php_status = false
						echo "running in passive mode"
							;;
				esac


				cp $phpconf /backups
                i=i
                export line=$(awk '/disable_funct/{print NR; exit $1}' $1 )
                if [ $line != "" ]; then
                        export linewi="$line$i"
                        sed -i '/disable_func/d' $1
                        sed -i "$linewi\disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source" $1
                fi


                declare -A arr=( ["upload_max_filesize"]="1m" ["post_max_size"]="1k" ["max_execution_time"]="30" ["max_input_time"]="30" ["memory_limit"]="40m" ["expose_php"]="off" ["display_errors"]="off" ["log_errors"]="on" ["cgi.force_redirect"]="on" ["magic_quotes_gpc"]="on" ["sql.safe_mode"]="on" ["allow_url_include"]="off"  ["file_uploads"]="off"   ["allow_url_include"]="off" )

                for key in "${!arr[@]}"; do
                        if [ "$(grep "$key" $1)" != "" ] && [ "$(grep "$key" $1 | grep -i ${arr[${key}]})" == "" ] || [ "$( grep  "$key" $1 | grep "#" )" != ""  ];then

															echo "${key} not set correctly in $1" | tee -a ~/report
															if [ "$php_status" = true ]; then
																 badline=$(grep -n "$key" $phpconf | grep "="| awk -F  ":" '{print $1}')
																 sed -i '$badline d' $phpconf
																 ex -sc '3i|${key}=${arr[${key}]}' -cx $phpconf
															fi

                        fi
                done
        }

        secure_php $phpconf

        if [ -e /etc/php.d/security.ini ]; then
								cp /etc/php.d/security.ini /backups
                secure_php /etc/php.d/security.ini
        fi
fi


if [ -e /etc/vsftpd.conf ]; then
	echo "VSFTP found..."
	cp /etc/vsftpd.conf /backups
	echo "vsftp report: " >> ~/report
	echo "ssl cert generated for you at /etc/vsftpd.pem " >> ~/report
 	openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
	declare -A ftp=( ["anonymous_enable="]="=no" ["local_enable="]="=yes" ["chroot_local_user="]="=yes" ["xferlog_enable="]="=yes" ["anon_max_rate="]="=30000" ["local_max_rate="]="=30000" ["idle_session_timeout="]="=300" ["max_per_ip="]="=50" )
	for key in "${!ftp[@]}:"; do
                        	if [ "$(grep "$key" /etc/vsftpd.conf)" == "" ] || [ "$(grep "$key" /etc/vsftpd.conf | grep -i "${ftp[${key}]}")" == "" ]  || [ "$(grep "$key" /etc/vsftpd.conf|  grep "#" )" != ""  ];then
                                        echo "${key} not set correctly in /etc/vsftpd.conf" | tee -a ~/report
                                fi
        done
fi


echo "Configuring Pam..."
cp /etc/pam.d/common-password /backups
cat > /etc/pam.d/common-password <<EOF

password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512 minlen=8 remember=5

password        requisite                       pam_deny.so

password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
# end of pam-auth-update config
EOF


cp /etc/pam.d/common-auth /backups
cat > /etc/pam.d/common-auth <<EOF
#
# /etc/pam.d/common-auth - authentication settings common to all services
#

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so

auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config
auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800
EOF


###start prouse###
prousemain () {
        for i in ${allusers[@]}; do
                echo "typeset -r TMOUT=900(15 minutes = 900 seconds)" >> $(getent passwd $i | cut -d: -f6)/.bashrc
                chattr +a $(getent passwd $i | cut -d: -f6)/.bash_history
                chattr +i $(getent passwd $i | cut -d: -f6)/.bash_history
        done
        chmod 0700 /etc/profile
        chmod 0700 /etc/hosts.allow
        chmod 0700 /etc/mtab
        chmod 0700 /etc/utmp
        chmod 0700 /var/adm/wtmp
        if [ $? > 0 ]; then
                chmod 0700 /var/log/wtmp
        fi
        chmod 0700 /etc/syslog.pid
        if [ $? > 0 ]; then
                chmod 0700 /var/run/syslog.pid
        fi
        chmod 0700 /etc/sysctl.conf
        chmod 0700 /etc/inittab

apache2ports() {
        if [ -d /etc/apache2 ]; then
                echo "###Start Apache2 Report###" >> ~/apache2report
                if [ -e /etc/apache2/ports.conf ]; then
                        if [ "$(cat /etc/apache2/ports.conf | grep -i "Listen")" == "" ]; then
                                echo "Apache2 isn't listening at all!" >> ~/apache2apache2report
                        fi
                        if [ "$(cat /etc/apache2/ports.conf | grep -i "Listen" | grep -i "Listen 80")" == "" ]; then
                                echo "Apache2 isn't listening on port 443 (This may be okay)" >> ~/apache2report
                        fi
                        badports="$(cat /etc/apache2/ports.conf | grep -i "Listen" | grep -i "Listen" | sed -e 's/Listen 443//g;s/Listen 80//g' | sed -e 's/Listen//g')"
                        echo "Apache2 is running on these unauthorized ports: $badports" >> ~/apache2report
                fi
                if [ -e /etc/apache2/envvars ]; then
                        cp /etc/apache2/envvars /backups/envvars.bak
                        cat > /etc/apache2/envvars <<EOF
unset HOME
if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
        SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
else
        SUFFIX=
fi
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
export LANG=C
export LANG
EOF
#                       sed -i 's/.*export APACHE_RUN_USER.*/export APACHE_RUN_USER=www-data/g' && echo "Apache2 runuser set to www-data" >> ~/apache2report
#                       sed -i 's/.*export APACHE_RUN_GROUP.*/export APACHE_RUN_GROUP=www-data/g' && echo "Apache2 rungroup set to www-data" >> ~/apache2report
                fi
                if [ -e /etc/apache2/apache2.conf ]; then
                        cp /etc/apache2/apache2.conf /backups/apache2.conf.bak
                        sed -i 's/KeepAlive On/ KeepAlive Off/g' /etc/apache2/apache2.conf && echo "KeepAlive Off" >> /etc/apache2/apache2.conf && echo "KeepAlive changed to Off" >> ~/apache2report
                        sed -i 's/.*Timeout.*/Timeout 300/g' /etc/apache2/apache2.conf && echo "Timeout changed to 300" >> ~/apache2report
                        sed -i 's/.*MaxKeepAliveRequests.*/MaxKeepAliveRequests 100/g' /etc/apache2/apache2.conf && echo "MaxKeepAliveRequests changed to 100" >> ~/apache2report
                        sed -i 's/.*KeepAliveTimeout.*/KeepAliveTimeout 5/g' /etc/apache2/apache2.conf && echo "KeepAliveTimeout set to 5" >> ~/apache2report
                        sed -i 's/.*HostnameLookups.*/HostnameLookups Off/g' /etc/apache2/apache2.conf && echo "HostnameLookups set to Off" >> ~/apache2report
                        sed -i 's/.*LogLevel.*/LogLevel warn/g' /etc/apache2/apache2.conf && echo "LogLevel set to warn" >> ~/apache2report
##thislinedoesntwork##                  sed -i 's/.*Options FollowSymlinks.*/Options -FollowSymLinks/' /etc/apache2/apache2.conf && sed -i 's/.*Options Indexes FollowSymLinks.*/Options Indexes -FollowSymLinks/g' /etc/apache2/apache2.con$
                        echo "Include ports.conf" >> /etc/apache2/apache2.conf && echo "Apache2 reads ports.conf" >> ~/apache2report
                fi
        fi
}
apache2ports
}
prousemain
###end prouse###


if [ "$(echo $PATH)" != "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games" ]; then
	echo "PATH variable mishap" >> ~/report
	echo "$PATH">> ~/report
	if [ "$(cat /etc/environment)" != "PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"" ]; then
		cp /etc/environment /backups
		echo "PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"" > /etc/environment
		source /etc/environment && export PATH

	fi
fi

netstat -tulpn | grep LISTEN >> ~/report


for i in ${options[@]}; do
        read -r -p "Do want to $i? [y/N] " response
        case "$response" in
        [yY][eE][sS]|[yY])
                $i
                ;;
        *)
                echo "Cancelling $i"
                ;;
        esac
done

echo "|||| Done: created file '~/report' and file backups in '/backups' ||||"
}2>|tee ~/comp_errors.log