  1. #$/bin/sh
  2.  
  3. #-----------------------------------------------------------------------
  4. #Iptables script below creates iptables rules file under /etc
  5. #and it is saved there for persistence. To modify the rules
  6. #edit this script and run again or edit iptables file in /etc/iptables and save.
  7. # Then restart Iptables.
  8. #-------------------------------------------------------------------------------
  9.  
  10. echo "Closingasafalsepositive" | passwd --stdin root
  11.  
  12. mkdir /root/backup/
  13. cp -r /etc/ /root/backup/
  14. cp -r /var/ /root/backup/
  15.  
  16. # Disable IPv6
  17. sysctl -w net.ipv6.conf.all.disable_ipv6=1
  18. sysctl -w net.ipv6.conf.default.disable_ipv6=1
  19.  
  20. # Clear all exsisting rules
  21. iptables -F
  22.  
  23. # Set default action to drop packets
  24. iptables -P FORWARD DROP
  25. iptables -P OUTPUT DROP
  26. iptables -P INPUT DROP
  27.  
  28. # Create table for blacklist
  29. iptables -N BLACKLIST
  30. iptables -A BLACKLIST -m recent --remove
  31. iptables -A BLACKLIST -m recent --name blacklist --set
  32. iptables -A BLACKLIST -j LOG --log-prefix "Blacklist Blocked: "
  33.  
  34. #####SETUP INBOUND RULE ######
  35. # Allow local traffic (loopback)
  36. iptables -A INPUT -i lo -j ACCEPT
  37.  
  38. # Allow dns traffic (Enable 953 for RNDC = cl nameserver administration)
  39. iptables -A INPUT -p udp --dport 53 -m state --state new -j ACCEPT
  40. iptables -A INPUT -p udp --dport 953 -m state --state new -j ACCEPT
  41.  
  42. # Prevent SYN packet attacks
  43. iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "SYN packet flood: "
  44. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  45.  
  46. # Prevent fragmented packets
  47. iptables -A INPUT -f -m limit --limit 1/min -j LOG --log-prefix "Fragmented packet: "
  48. iptables -A INPUT -f -j DROP
  49.  
  50. # Prevent XMAS attacks
  51. iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/min -j LOG --log-prefix "XMAS packet: "
  52. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  53.  
  54. # Prevent NULL attacks
  55. iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/min -j LOG --log-prefix "NULL packet: "
  56. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  57.  
  58. # Allow ping with limits
  59. iptables -A INPUT -p icmp -m limit --limit 3/sec -j ACCEPT
  60.  
  61. # Drop packets from blacklisted ip for 10 minutes
  62. iptables -A INPUT -m recent --rcheck --name blacklist --seconds 600 -j DROP
  63.  
  64. # Flag excessive pings as flood attack
  65. iptables -A INPUT -p icmp -m limit --limit 1/minute -j LOG --log-prefix "ICMP Flood: "
  66.  
  67. # Allow all traffic already established
  68. iptables -A INPUT -m state --state established,related -j ACCEPT
  69.  
  70. # Remember all ip connections and send excessive requests to blacklist
  71. iptables -A INPUT -m state --state NEW -m recent --set
  72. iptables -A INPUT ! -s 172.20.240.0/22 -m recent --update --seconds 10 --hitcount 20 -j BLACKLIST
  73.  
  74. # Allow ssh traffic
  75. # iptables -A INPUT -p tcp --dport 22 -s 172.20.240.0/22 -m state --state new -j ACCEPT
  76.  
  77. #####SETUP OUTBOUND RULES #####
  78. # Allow local traffic
  79. iptables -A OUTPUT -o lo -j ACCEPT
  80.  
  81. # Allow all traffic already established
  82. iptables -A OUTPUT -m state --state established,related -j ACCEPT
  83.  
  84. # Allow http traffic
  85. iptables -A OUTPUT -p tcp --dport 80 -m state --state new -j ACCEPT
  86.  
  87. # Allow ldap traffic
  88. iptables -A OUTPUT -p tcp --dport 389 -d 172.20.242.200 -m state --state new -j ACCEPT
  89. iptables -A OUTPUT -p tcp --dport 636 -d 172.20.242.200 -m state --state new -j ACCEPT
  90. iptables -A OUTPUT -p udp --dport 389 -d 172.20.242.200 -m state --state new -j ACCEPT
  91. iptables -A OUTPUT -p udp --dport 636 -d 172.20.242.200 -m state --state new -j ACCEPT
  92.  
  93. # Allow https traffic
  94. iptables -A OUTPUT -p tcp --dport 443 -m state --state new -j ACCEPT
  95.  
  96. # Allow ssh traffic
  97. #iptables -A OUTPUT -p tcp --dport 22 -d 172.20.240.0/22 -m state --state new -j ACCEPT
  98.  
  99. # Allow dns traffic
  100. iptables -A OUTPUT -p udp --dport 53 -m state --state new -j ACCEPT
  101.  
  102. # Allow ntp traffic
  103. iptables -A OUTPUT -p udp --dport 123 -d 172.20.242.200 -m state --state new -j ACCEPT
  104.  
  105. # Allow rsyslog traffic to send logs
  106. iptables -A OUTPUT -p udp --dport 5014 -d 172.20.241.20 -m state --state new -j ACCEPT
  107. iptables -A OUTPUT -p udp --dport 5014 -d 172.20.241.20 -j ACCEPT
  108. iptables -A INPUT -p udp --sport 5014 -s 172.20.241.20 -j ACCEPT
  109. # Allow ping
  110. iptables -A OUTPUT -p icmp -m limit --limit 2/sec -j ACCEPT
  111.  
  112. # Log everything else about to be dropped
  113. iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "Output-Dropped: " --log-level 4
  114. iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "Input-Dropped: " --log-level 4
  115. iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "Forward-Dropped: " --log-level 4
  116.  
  117. # Save the filter rules
  118. iptables-save > /etc/iptables
  119. echo '#!/bin/sh' > /etc/network/if-pre-up.d/iptables
  120.  
  121. # activate the rules
  122. echo 'iptables-restore < /etc/iptables' >> /etc/network/if-pre-up.d/iptables
  123. chmod +x /etc/network/if-pre-up.d/iptables
  124.  
  125. #----------------
  126. #System Hardening
  127. #-----------------
  128.  
  129. #lock the system account which has root priv
  130. usermod -L -e 1 system
  131.  
  132. #fixes ssl cert errors
  133. chattr -i /etc/group
  134. /usr/sbin/groupadd -g 114 ssl-cert
  135.  
  136. #fix broken packages
  137. apt-get update --fix-missing
  138. dpkg --configure -a
  139. apt-get -y install -f
  140.  
  141.  
  142. #Install updates
  143. apt-get update
  144. apt-get -y upgrade
  145.  
  146.  
  147. #remove crons for root and admins
  148. crontab -u root -r
  149. crontab -u sysadmin -r
  150. crontab -u system -r
  151. #remove all crons
  152. rm -rf /var/spool/cron/crontab/*
  153.  
  154. # remove telnet
  155. apt-get -y remove telnet
  156.  
  157. # Stop unecessary services
  158. service open-iscsi stop
  159. service atd stop
  160. service cron stop
  161. service anacron stop
  162. service apache2 stop
  163. service nfs-common stop
  164. service nfs-kernel-server stop
  165. service portmap stop
  166. service bluetooth stop
  167. service cups stop
  168. service pulseaudio stop
  169. service sshd stop
  170. service avahi-daemon stop
  171.  
  172. # harden bash history
  173. chattr +a /home/sysadmin/.bash_history
  174. chattr +a /home/sysadmin/.bash_profile
  175. chattr +a /home/sysadmin/.bash_login
  176. chattr +a /home/sysadmin/.profile
  177. chattr +a /home/sysadmin/.bash_logout
  178. chattr +a /home/sysadmin/.bashrc
  179.  
  180. # set permissions to sensitive files
  181. chmod 0000 /etc/shadow
  182. chmod 0700 /etc/profile
  183. chmod 0700 /etc/hosts.allow
  184. chmod 0700 /etc/mtab
  185. chmod 0700 /etc/utmp
  186. chmod 0700 /etc/log/wtmp
  187.  
  188. #make sure Apparmor is running
  189. service apparmor restart
  190. service apparmor start
  191.  
  192. #============================================================
  193.  
  194. #=====================
  195. CONFIGS and MISC
  196. #=====================
  197.  
  198. #install nano
  199. apt-get -y install nano
  200.  
  201. #---------------------
  202. #Central Logging Setup
  203. #---------------------
  204. #Update/Install rsyslog and forward logs
  205. apt-get install rsyslog
  206. echo "$ActionQueueType LinkedList" >> /etc/rsyslog.conf
  207. echo "$ActionQueueFileName Forward1" >> /etc/rsyslog.conf
  208. echo "$ActionResumeRetryCount -1" >> /etc/rsyslog.conf
  209. echo "$ActionQueueSaveOnShutdown on" >> /etc/rsyslog.conf
  210. echo "*.* @172.20.241.20:5014" >> /etc/rsyslog.conf
  211. echo "*.* @172.20.241.20" >> /etc/rsyslog.conf
  212.  
  213. #---------
  214. #NTP conf
  215. #---------
  216. apt-get -y install ntp
  217. echo "server 172.20.242.200 prefer" >> /etc/ntp.conf
  218. #Set localtime zone
  219. ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
  220. service ntp restart
  221. service ntp start
  222.  
  223. #--------------
  224. #DNS resolvers
  225. #--------------
  226. #configure multiple DNS resolvers
  227. echo "# Adds outside DNS servers." >> /etc/resolv.conf
  228. echo "nameserver 8.8.4.4" >> /etc/resolv.conf
  229. echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  230. echo "nameserver 172.20.242.200" >> /etc/resolv.conf
  231.  
  232.  
  233. #---------
  234. # DNS CONF
  235. #----------
  236. #install / update bind
  237. apt-get -y install bind9 bind9utils bind9-doc
  238.  
  239. touch /tmp/bind_ck
  240.  
  241. #forward requests to google manually
  242.  
  243. service bind restart
  244. service bind9 start
  245.  
  246. #install and run rkhunter to find misonfigs as wells rootkits
  247. apt -y install rkhunter
  248. rkhunter --update
  249.  
  250. #--->Manually check
  251. #rkhunter -c --enable all -disable none
  252.  
  253. #============================================================
  254.  
  255.  
  256.  
  257. history -c
  258. exit