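#!/bin/sh
#-----------------------------------------------------------------------
# Host lockdown script (Debian/Ubuntu): resets the root password, backs up
# /etc and /var, installs a default-deny iptables policy (saved to
# /etc/iptables and restored from /etc/network/if-pre-up.d/iptables),
# locks accounts, stops unneeded services, and configures central logging,
# NTP, DNS and rkhunter.
#
# Usage:  ROOT_PASSWORD='...' sh lockdown.sh
#   ROOT_PASSWORD  new root password (required). It is read from the
#                  environment so no secret is stored in this file; the
#                  original hard-coded it in an `echo | passwd --stdin`
#                  pipe, and `passwd --stdin` is not available on
#                  Debian/Ubuntu anyway.
#
# To change the firewall rules edit this script and run it again (the
# firewall section is safe to re-run), or edit /etc/iptables and re-apply
# it with `iptables-restore < /etc/iptables`.
#
# Deliberately no `set -e`: many steps (stopping services that may not be
# installed, chattr on files that may not exist) are best-effort and must
# not abort the rest of the lockdown. Failures are still printed to stderr
# by the commands themselves.
#-----------------------------------------------------------------------
set -u

# Site-specific addresses used throughout the rules.
readonly LAN_NET=172.20.240.0/22     # trusted management network
readonly INFRA_HOST=172.20.242.200   # LDAP / NTP / internal DNS server
readonly SYSLOG_HOST=172.20.241.20   # central rsyslog collector
readonly SYSLOG_PORT=5014

#######################################
# Set root's password from $ROOT_PASSWORD via chpasswd (reads stdin, so the
# secret never appears in `ps`).
# Globals:   ROOT_PASSWORD (read)
# Returns:   exits with a message if ROOT_PASSWORD is unset or empty
#######################################
set_root_password() {
  : "${ROOT_PASSWORD:?ROOT_PASSWORD must be set in the environment}"
  printf 'root:%s\n' "$ROOT_PASSWORD" | chpasswd
}

#######################################
# Copy /etc and /var to /root/backup before anything below modifies them.
# mkdir -p makes this safe on a second run.
#######################################
backup_configs() {
  mkdir -p /root/backup
  cp -r /etc/ /root/backup/
  cp -r /var/ /root/backup/
}

#######################################
# Install the default-deny firewall, persist it to /etc/iptables and hook
# restoration into if-pre-up.d.
# Globals:   LAN_NET, INFRA_HOST, SYSLOG_HOST, SYSLOG_PORT (read)
#######################################
configure_firewall() {
  # Disable IPv6 so nothing bypasses the IPv4-only rules below.
  sysctl -w net.ipv6.conf.all.disable_ipv6=1
  sysctl -w net.ipv6.conf.default.disable_ipv6=1

  # Start from a clean slate. -X after -F deletes the BLACKLIST chain left
  # by a previous run; without it `iptables -N BLACKLIST` fails on re-run
  # and the chain accumulates duplicate rules.
  iptables -F
  iptables -X

  # Default action: drop everything not explicitly allowed.
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  iptables -P INPUT DROP

  # Blacklist chain: forget the source in the DEFAULT recent list, record it
  # in the "blacklist" list and log it. The INPUT rule further down drops
  # blacklisted sources for 10 minutes.
  iptables -N BLACKLIST
  iptables -A BLACKLIST -m recent --remove
  iptables -A BLACKLIST -m recent --name blacklist --set
  iptables -A BLACKLIST -j LOG --log-prefix "Blacklist Blocked: "

  ##### INBOUND RULES #####
  # Allow local traffic (loopback)
  iptables -A INPUT -i lo -j ACCEPT
  # Allow DNS traffic (953 is RNDC = nameserver administration)
  iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p udp --dport 953 -m state --state NEW -j ACCEPT
  # New TCP connections must start with SYN
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "SYN packet flood: "
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # Drop fragmented packets
  iptables -A INPUT -f -m limit --limit 1/min -j LOG --log-prefix "Fragmented packet: "
  iptables -A INPUT -f -j DROP
  # Drop XMAS packets (all flags set)
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/min -j LOG --log-prefix "XMAS packet: "
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  # Drop NULL packets (no flags set)
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/min -j LOG --log-prefix "NULL packet: "
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  # Allow ping with limits
  iptables -A INPUT -p icmp -m limit --limit 3/sec -j ACCEPT
  # Drop packets from blacklisted sources for 10 minutes (600 s)
  iptables -A INPUT -m recent --rcheck --name blacklist --seconds 600 -j DROP
  # Log excessive pings as a flood
  iptables -A INPUT -p icmp -m limit --limit 1/minute -j LOG --log-prefix "ICMP Flood: "
  # Allow all traffic already established
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Remember every new connection source; non-LAN sources that exceed
  # 20 hits in 10 s go to the BLACKLIST chain.
  iptables -A INPUT -m state --state NEW -m recent --set
  iptables -A INPUT ! -s "$LAN_NET" -m recent --update --seconds 10 --hitcount 20 -j BLACKLIST
  # Accept replies from the syslog collector
  iptables -A INPUT -p udp --sport "$SYSLOG_PORT" -s "$SYSLOG_HOST" -j ACCEPT
  # Allow ssh traffic (disabled; sshd is stopped by harden_system)
  # iptables -A INPUT -p tcp --dport 22 -s "$LAN_NET" -m state --state NEW -j ACCEPT

  ##### OUTBOUND RULES #####
  # Allow local traffic
  iptables -A OUTPUT -o lo -j ACCEPT
  # Allow all traffic already established
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Allow http traffic
  iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
  # Allow ldap/ldaps traffic to the infrastructure host
  iptables -A OUTPUT -p tcp --dport 389 -d "$INFRA_HOST" -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 636 -d "$INFRA_HOST" -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -p udp --dport 389 -d "$INFRA_HOST" -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -p udp --dport 636 -d "$INFRA_HOST" -m state --state NEW -j ACCEPT
  # Allow https traffic
  iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
  # Allow ssh traffic (disabled)
  # iptables -A OUTPUT -p tcp --dport 22 -d "$LAN_NET" -m state --state NEW -j ACCEPT
  # Allow dns traffic
  iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  # Allow ntp traffic
  iptables -A OUTPUT -p udp --dport 123 -d "$INFRA_HOST" -m state --state NEW -j ACCEPT
  # Allow rsyslog forwarding to the collector (any state; the original also
  # had a NEW-only rule, which this one subsumes)
  iptables -A OUTPUT -p udp --dport "$SYSLOG_PORT" -d "$SYSLOG_HOST" -j ACCEPT
  # Allow ping
  iptables -A OUTPUT -p icmp -m limit --limit 2/sec -j ACCEPT

  # Log everything else about to be dropped (rate limited)
  iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "Output-Dropped: " --log-level 4
  iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "Input-Dropped: " --log-level 4
  iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "Forward-Dropped: " --log-level 4

  # Persist the rules and restore them before interfaces come up.
  iptables-save > /etc/iptables
  cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables
EOF
  chmod +x /etc/network/if-pre-up.d/iptables
}

#######################################
# Account, package, service and file-permission hardening.
#######################################
harden_system() {
  # Lock and expire the 'system' account, which has root privileges.
  usermod -L -e 1 system

  # Fixes ssl cert errors: the ssl-cert group (gid 114) must exist. Clear the
  # immutable bit first or groupadd cannot write /etc/group.
  chattr -i /etc/group
  /usr/sbin/groupadd -g 114 ssl-cert

  # Repair broken packages, then install all pending updates.
  apt-get update --fix-missing
  dpkg --configure -a
  apt-get -y install -f
  apt-get update
  apt-get -y upgrade

  # Remove crontabs for root and the admin accounts, then any remaining
  # per-user crontabs. On Debian/Ubuntu these live in
  # /var/spool/cron/crontabs (the original path lacked the trailing 's'
  # and matched nothing).
  for user in root sysadmin system; do
    crontab -u "$user" -r
  done
  rm -rf -- /var/spool/cron/crontabs/*

  # Remove telnet
  apt-get -y remove telnet

  # Stop unnecessary services. Both `ssh` (Debian/Ubuntu unit name) and
  # `sshd` are listed so the daemon is stopped whichever name is in use;
  # errors for services that are not installed are expected and silenced.
  for svc in open-iscsi atd cron anacron apache2 nfs-common \
             nfs-kernel-server portmap bluetooth cups pulseaudio \
             ssh sshd avahi-daemon; do
    service "$svc" stop 2>/dev/null \
      || printf 'note: could not stop %s (not installed?)\n' "$svc" >&2
  done

  # Harden bash history and shell startup files: append-only so the
  # sysadmin account cannot truncate or rewrite them.
  for f in .bash_history .bash_profile .bash_login .profile .bash_logout .bashrc; do
    chattr +a "/home/sysadmin/$f"
  done

  # Restrict permissions on sensitive files.
  # NOTE(review): 0000 on /etc/shadow is still readable by root but also
  # blocks the setgid-shadow helper some screen lockers use — confirm
  # acceptable. utmp/wtmp live under /var on Debian/Ubuntu; the original
  # pointed at /etc/utmp and /etc/log/wtmp, which do not exist.
  chmod 0000 /etc/shadow
  chmod 0700 /etc/profile
  chmod 0700 /etc/hosts.allow
  chmod 0700 /etc/mtab
  chmod 0700 /var/run/utmp
  chmod 0700 /var/log/wtmp

  # Make sure AppArmor is running (restart covers the already-running
  # case; start covers the stopped case).
  service apparmor restart || service apparmor start
}

#######################################
# Forward all logs to the central collector over UDP.
# Globals:   SYSLOG_HOST, SYSLOG_PORT (read)
#######################################
configure_central_logging() {
  # nano is installed for manual follow-up editing.
  apt-get -y install nano
  # -y so an unattended run does not hang on the install prompt.
  apt-get -y install rsyslog
  # The $Action... lines are rsyslog directives, not shell variables: they
  # must reach the file literally. The original double-quoted them, so the
  # shell expanded each to an empty string and wrote broken config.
  {
    printf '%s\n' \
      '$ActionQueueType LinkedList' \
      '$ActionQueueFileName Forward1' \
      '$ActionResumeRetryCount -1' \
      '$ActionQueueSaveOnShutdown on'
    printf '*.* @%s:%s\n' "$SYSLOG_HOST" "$SYSLOG_PORT"
    printf '*.* @%s\n' "$SYSLOG_HOST"
  } >> /etc/rsyslog.conf
  # The original never restarted rsyslog, so forwarding only began after
  # a reboot.
  service rsyslog restart
}

#######################################
# Point NTP at the infrastructure host and set the local time zone.
# Globals:   INFRA_HOST (read)
#######################################
configure_ntp() {
  apt-get -y install ntp
  printf 'server %s prefer\n' "$INFRA_HOST" >> /etc/ntp.conf
  ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
  service ntp restart || service ntp start
}

#######################################
# Add resolvers and install/start bind9.
# Globals:   INFRA_HOST (read)
#######################################
configure_dns() {
  # Configure multiple DNS resolvers.
  {
    printf '%s\n' '# Adds outside DNS servers.' \
                  'nameserver 8.8.4.4' \
                  'nameserver 8.8.8.8'
    printf 'nameserver %s\n' "$INFRA_HOST"
  } >> /etc/resolv.conf

  # Install / update bind
  apt-get -y install bind9 bind9utils bind9-doc
  # Marker file kept from the original; its consumer is not shown here —
  # TODO confirm whether anything reads /tmp/bind_ck.
  touch /tmp/bind_ck
  # The Debian/Ubuntu unit is bind9 (the original restarted "bind", which
  # does not exist as a service name).
  service bind9 restart || service bind9 start
}

#######################################
# Install and update rkhunter to find misconfigurations and rootkits.
# Manual follow-up:  rkhunter -c --enable all --disable none
#######################################
install_rkhunter() {
  # apt-get rather than apt: apt's CLI is not stable for scripts.
  apt-get -y install rkhunter
  rkhunter --update
}

main() {
  set_root_password
  backup_configs
  configure_firewall
  harden_system
  configure_central_logging
  configure_ntp
  configure_dns
  install_rkhunter
  # `history` is a bash builtin; under dash it does not exist, so the
  # error is silenced deliberately.
  history -c 2>/dev/null
}

main "$@"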