  1. #!/bin/bash
  2. #Possible dirs:
  3. #/etc/.cron.d/
  4. #/usr/share/man/man7/udisk.7.gz
  5.  
  6. STAGING='/usr/share/groff/current/font/cyrilic'
  7. BACKUP_DIR='/usr/share/groff/current/font/cyrilic'
  8. ALT_BIN_DIR='/usr/share/sgml/stylesheet/css'
  9. LOG_DIR='/usr/share/groff/current/font/cyrilic'
  10.  
  11.  
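#######################################
# Run a command line and log it. The command text and a "} pass"/"} FAIL"
# marker go to stdout and to $LOG_DIR/log; the command's own stdout and
# stderr go to the log only.
# Globals:   LOG_DIR (read)
# Arguments: the command line. It is passed through eval, and callers
#            rely on that (quoted globs such as "$DIR/*" and escaped
#            quotes are expanded here). Never feed untrusted text to it.
# Returns:   the command's exit status (the original returned tee's).
#######################################
run () {
  local rc
  printf '\n%s {\n' "$*" | tee -a "$LOG_DIR/log"
  # stdin is inherited, so `run chpasswd <<EOF` style callers keep working
  # and the here-doc contents never appear in the log line above.
  eval "$@" &>>"$LOG_DIR/log"
  rc=$?
  if (( rc == 0 )); then
    printf '} pass\n' | tee -a "$LOG_DIR/log"
  else
    printf '} FAIL\n' | tee -a "$LOG_DIR/log"
  fi
  return "$rc"
}
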
#######################################
# Give every entry under a directory (recursively) the timestamps of a
# reference man page. Goes through run() so the action is logged.
# Arguments: $1 - directory to walk
#######################################
timestomp_dir () {
  local dir=$1
  run find "$dir" -exec touch -r /usr/share/man/man8/fsck.8.gz {} +
}

#######################################
# Copy the reference man page's timestamps onto the given paths, logged
# via run(). Because run() evals its arguments, a quoted glob argument
# is expanded there.
# Arguments: paths to touch
#######################################
timestomp () {
  local ref=/usr/share/man/man8/fsck.8.gz
  run touch -r "$ref" "$@"
}

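#######################################
# Same as timestomp() but without logging; used last of all so the log
# file itself gets a clean timestamp.
# Arguments: paths to touch (quoted, so names with spaces survive)
# Returns:   touch's exit status
#######################################
timestomp_silent () {
  touch -r /usr/share/man/man8/fsck.8.gz -- "$@"
}

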
  34. # Backup Some Artifacts
  35. # Artifacts to backup EARLY (i.e. before we modify anything)
  36. mkdir -p "$STAGING" "$BACKUP_DIR" "$ALT_BIN_DIR" "$LOG_DIR"
  37. run mkdir -p "$STAGING/artifacts"
  38. echo "~~~~~~~~~~~~~~~~~find~~~~~~~~~~~~~~" | tee $STAGING/artifacts/to_be_reviewed
  39. run find / -cmin -5 ! -path \"/proc/*\" | tee -a $STAGING/artifacts/to_be_reviewed
  40.  
  41.  
  42. # Install necessary packages
  43. # Packages to reinstall EARLY (i.e. before we modify anything)
  44. run apt-get install -y passwd
  45.  
  46.  
  47. # Change user passwords
  48. echo -e "\e[34m[?]\e[39mChanging Passwords"
  49. run chpasswd << EOF
  50. root:pickles are bad for malaria
  51. EOF
  52.  
  53.  
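# --- Change MySQL password ------------------------------------------
if [ -d "/etc/mysql" ]; then
  # The old password is passed via MYSQL_PWD instead of --password=... so
  # it is not visible in the process list; mysqladmin still takes the new
  # password as an argument.
  MYSQL_PWD='foobar' mysqladmin -u root password 'king george disliked potatoes'
  /etc/init.d/mysql stop
  /etc/init.d/mysql start
fi

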
  62. # Add an alternate admin user
  63. echo -e "\e[34m[?]\e[39mAdding User"
  64. run useradd apache2 -G `egrep -o "wheel|sudo" /etc/group`
  65. run chpasswd << EOF
  66. apache2:pop tarts kill your liver
  67. EOF
  68.  
  69.  
  70. # Backup system configs
  71. echo -e "\e[34m[?]\e[39mBacking Up /etc"
  72. run tar -cvf $BACKUP_DIR/eat /etc/
  73. timestomp $BACKUP_DIR/eat
  74.  
  75.  
  76. # Configure sshd_config
  77. mv /etc/ssh/sshd_config{,.orig}
  78.  
  79. cat > /etc/ssh/sshd_config << EOF
  80. Port 22
  81. PubkeyAuthentication no
  82. IgnoreRhosts yes
  83. UsePAM no
  84. X11Forwarding no
  85. Subsystem sftp /usr/libexec/sftp-server
  86. AllowUsers apache2
  87.  
  88. EOF
  89.  
  90. chmod 644 /etc/ssh/sshd_config
  91. service sshd restart
  92.  
  93. # Load IPtables rules
  94. run modprobe ip_conntrack_ftp
  95. cat > $BACKUP_DIR/ipt.sh << EOF
  96. #!/bin/bash
  97.  
  98. IPTABLES=\${IPTABLES:-xtables-multi}
  99. LOG_SERVER='10.2.5.11'
  100. DNS_SERVER='10.2.5.10'
  101. PROXY_SERVER='10.2.5.11'
  102.  
  103. \$IPTABLES ip6tables -P INPUT DROP
  104. \$IPTABLES ip6tables -P FORWARD DROP
  105. \$IPTABLES ip6tables -P OUTPUT DROP
  106.  
  107. \$IPTABLES iptables -F
  108. \$IPTABLES iptables -t mangle -F
  109. \$IPTABLES iptables -t mangle -P INPUT ACCEPT
  110. \$IPTABLES iptables -t mangle -P FORWARD DROP
  111. \$IPTABLES iptables -t mangle -P OUTPUT ACCEPT
  112.  
  113. \$IPTABLES iptables -t mangle -A INPUT -i lo -j ACCEPT
  114. \$IPTABLES iptables -t mangle -A OUTPUT -o lo -j ACCEPT
  115.  
  116. \$IPTABLES iptables -t mangle -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  117. \$IPTABLES iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply -m state --state ESTAB,REL -j ACCEPT
  118.  
  119. \$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state ESTAB,REL --sport 5044 -j ACCEPT
  120. \$IPTABLES iptables -t mangle -A OUTPUT -p tcp --dport 5044 -d \$LOG_SERVER -j ACCEPT
  121.  
  122. \$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state ESTAB,REL --sport 3128 -j ACCEPT
  123. \$IPTABLES iptables -t mangle -A OUTPUT -p tcp --dport 3128 -d \$LOG_SERVER -j ACCEPT
  124.  
  125. \$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state NEW -j LOG
  126.  
  127. \$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 22 -j LOG
  128. \$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 22 -j ACCEPT
  129. \$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 22 -j ACCEPT
  130.  
  131. \$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 21 -j LOG
  132. \$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 21 -j ACCEPT
  133. \$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 21 -j ACCEPT
  134.  
  135. \$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 20 -j LOG
  136. \$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 20 -j ACCEPT
  137. \$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 20 -j ACCEPT
  138.  
  139. \$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 3306 -j LOG
  140. \$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 3306 -j ACCEPT
  141. \$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 3306 -j ACCEPT
  142.  
  143. if [[ \$* = *"--web"* ]]
  144. then
  145. \$IPTABLES iptables -t mangle -A OUTPUT -d \$PROXY_SERVER -p tcp --dport 80 -j ACCEPT
  146. \$IPTABLES iptables -t mangle -A INPUT -s \$PROXY_SERVER -p tcp -m state --state ESTAB,REL --sport 80 -j ACCEPT
  147.  
  148. \$IPTABLES iptables -t mangle -A OUTPUT -d \$PROXY_SERVER -p tcp --dport 443 -j ACCEPT
  149. \$IPTABLES iptables -t mangle -A INPUT -s \$PROXY_SERVER -p tcp -m state --state ESTAB,REL --sport 443 -j ACCEPT
  150.  
  151. \$IPTABLES iptables -t mangle -A OUTPUT -d \$DNS_SERVER -p udp --dport 53 -j ACCEPT
  152. \$IPTABLES iptables -t mangle -A INPUT -s \$DNS_SERVER -p udp -m state --state ESTAB,REL --sport 53 -j ACCEPT
  153. else
  154. echo "[-] No web"
  155. fi
  156.  
  157. \$IPTABLES iptables -t mangle -A INPUT -j DROP
  158. \$IPTABLES iptables -t mangle -A OUTPUT -j DROP
  159.  
  160. if [[ \$* = *"--fin"* ]]
  161. then
  162. echo "Boy I hope you don't get locked out"
  163. else
  164. echo "Win?"
  165. sleep 5
  166. \$IPTABLES iptables -t mangle -F
  167. fi
  168.  
  169. EOF
  170. run chmod +x $BACKUP_DIR/ipt.sh
  171. timestomp $BACKUP_DIR/ipt.sh
  172. run $BACKUP_DIR/ipt.sh --fin --web
  173.  
  174. # Reinstall essential packages
  175. echo -e "\e[34m[?]\e[39mReinstalling"
  176. run apt-get install --reinstall -y auditd vim lsof tmux coreutils strace procps mount passwd python iptables openssh-client openssh-server mysql-server build-essential
  177.  
  178. # Apply final stricter firewall rules
  179. run $BACKUP_DIR/ipt.sh --fin
  180.  
  181. # Move the iptables binaries
  182. run mv $(which xtables-multi) /sbin/mkattr
  183. timestomp /sbin/mkattr
  184.  
  185. # Disable cron
  186. run killall cron
  187. CRON=$(which cron)
  188. run chmod 600 $CRON
  189. run mv $CRON /sbin/nod
  190. timestomp /sbin/nod
  191.  
  192.  
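# --- Setup alternate binary directory -------------------------------
printf '\e[34m[?]\e[39mSetting Up Rescue Binaries\n'
# Normally already created by the mkdir -p at the top; kept as a guard.
if [ ! -e "$ALT_BIN_DIR" ]; then
  run mkdir "$ALT_BIN_DIR"
  timestomp "$ALT_BIN_DIR"
fi
run cp /{,s}bin/* "$ALT_BIN_DIR/"
# run() evals its arguments, so the quoted glob is expanded there.
timestomp "$ALT_BIN_DIR/*"
# tar is NOT run through run(), so the original's quoted "*" reached tar
# literally and nothing was archived. Archive the directory contents.
tar -cvJf "$BACKUP_DIR/roo" -C "$ALT_BIN_DIR" .
timestomp "$BACKUP_DIR/roo"

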
  205. # Prevent some common rootkits
  206. #Prevent rootkits
  207. env | grep -i 'LD_PRELOAD' && export LD_PRELOAD=''
  208. run mv /etc/ld.so.preload /etc/ld.so.null
  209. timestomp /etc/ld.so.null
  210. run touch /etc/ld.so.preload
  211. timestomp /etc/ld.so.preload
  212. run chattr +i /etc/ld.so.preload
  213. run sysctl kernel.modules_disabled=1
  214. #run cat /etc/default/grub | sed -e "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"module.sig_enforce=1 /g" > /tmp/grub
  215. #run cp /etc/default/grub /etc/default/grub.bak; cp /tmp/grub /etc/default/grub
  216. #run grub2-mkconfig -o /boot/grub/grub2.cfg || grub-mkconfig -o /boot/grub/grub.cfg
  217. #Slightly overkill
  218.  
  219.  
  220. # Setup auditctl Logging
  221. unchattr log file
  222. chattr -R -a /var/log/audit/
  223.  
  224. #Configure logging
  225. run echo '
  226. -w /etc/passwd -p aw -k KILLME
  227. -w /etc/shadow -p aw -k KILLME
  228. -w /etc/nsswitch.conf -p aw -k KILLME
  229. -w /etc/ssh/ -p aw -k KILLME
  230. -w /etc/pamd.d/ -p aw -k KILLME
  231. -a exit,always -F arch=b64 -F euid=0 -S execve -k ROOTEXEC
  232. -a always,exit -F arch=b64 -S execve -k NEWPROCESS
  233. -a always,exit -F arch=b64 -S fork -S clone -k NEWFORK
  234. ' | tee $STAGING/a
  235. auditctl -D
  236. chown root:root $STAGING/a
  237. chmod 600 $STAGING/a
  238. auditctl -R $STAGING/a
  239.  
  240. service auditd start
  241.  
  242. #Force reboot to modify rules
  243. auditctl -e 2
  244. timestomp $STAGING/a
  245.  
  246.  
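# --- Chattr stuff ---------------------------------------------------
# Timestomp the logs first: once they are append-only, touch can no
# longer change their timestamps.
timestomp /var/log
timestomp /var/log/apt
timestomp /var/log/lastlog
timestomp /var/log/dpkg.log
run chattr -R +a /var/log/
# The author excludes these from append-only; presumably their writers
# need to rewrite in place (lastlog in particular is a fixed-offset file).
run chattr -R -a /var/log/apt/
run chattr -a /var/log/lastlog
run chattr -a /var/log/dpkg.log

#######################################
# Make a history file immutable so nothing can be written to it. The file
# is created first when missing, because chattr +i on a missing path fails.
# Arguments: $1 - path to pin
#######################################
pin_file () {
  local f=$1
  [ -e "$f" ] || touch -- "$f"
  run chattr +i "$f"
  timestomp "$f"
}
pin_file /root/.lesshst
pin_file /root/.viminfo
for home in /home/*/; do
  [ -d "$home" ] || continue
  pin_file "${home}.lesshst"
  # The original pinned /root/.viminfo a second time here instead of the
  # user's own .viminfo.
  pin_file "${home}.viminfo"
done

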
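# --- Backup everything else -----------------------------------------
printf '\e[34m[?]\e[39mBacking Up Binaries\n'
# Archive every directory on PATH. run() evals its arguments, so the
# single space-separated word is split into one path per directory.
run tar -czvf "$BACKUP_DIR/bake" "${PATH//:/ }"
timestomp "$BACKUP_DIR/bake"

# Backup databases
if [ -d /etc/mysql ]; then
  # Password via MYSQL_PWD rather than --password=... so it is not visible
  # in the process list for the duration of the dump.
  MYSQL_PWD='king george disliked potatoes' mysqldump -u root --all-databases > "$BACKUP_DIR/db.sql"
  timestomp "$BACKUP_DIR/db.sql"
fi

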
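# --- Backup other artifacts -----------------------------------------
# Things to review later.
run tar -czvf "$STAGING/artifacts/rootartifacts.tar.gz" ~/.ssh ~/.profile ~/.lesshst ~/.bashrc ~/.bash_history
for home in /home/*/; do
  [ -d "$home" ] || continue
  user=${home%/}
  user=${user##*/}
  run tar -czvf "$STAGING/artifacts/artifacts.home.$user.tar.gz" "/home/$user"
done
# mount and lsof are written directly rather than via run(): run() sends a
# command's stdout to the log only, so `run mount | tee` captured just the
# banner lines. Output goes to the review file and is mirrored to the log.
printf '%s\n' "~~~~~~~~~~~~~~~~~mount~~~~~~~~~~~~~~" | tee -a "$STAGING/artifacts/to_be_reviewed"
mount 2>>"$LOG_DIR/log" | tee -a "$STAGING/artifacts/to_be_reviewed" >>"$LOG_DIR/log"
printf '%s\n' "~~~~~~~~~~~~~~~~~lsof~~~~~~~~~~~~~~" | tee -a "$STAGING/artifacts/to_be_reviewed"
# Open raw sockets / pcap handles are worth a look (possible sniffer).
lsof 2>>"$LOG_DIR/log" | grep -i -E 'RAW|PCAP' | tee -a "$STAGING/artifacts/to_be_reviewed" >>"$LOG_DIR/log"
timestomp "$STAGING/artifacts/to_be_reviewed"

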
  298. # Configure DNS
  299. #Configure DNS server
  300. cat > /etc/resolv.conf << EOF
  301. nameserver 10.2.5.10
  302. EOF
  303.  
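# --- Hide some other binaries ---------------------------------------
#######################################
# Rename a binary found on PATH to an inconspicuous name and timestomp
# the result. Skipped when the tool is not installed; the original
# `mv $(which x) dest` would otherwise have run `mv dest` and failed.
# Arguments: $1 - command name, $2 - destination path
#######################################
hide_bin () {
  local src
  src=$(command -v "$1") || return 0
  [ -n "$src" ] || return 0
  run mv "$src" "$2"
  timestomp "$2"
}
# NOTE(review): moving sed and ps may break package maintainer scripts
# and anything else that shells out to them; the copies under ALT_BIN_DIR
# (populated from /bin and /sbin above) are the fallback.
hide_bin vim /usr/bin/cim
hide_bin vi /usr/bin/ci
hide_bin sed /bin/ded
hide_bin nano /usr/bin/ana
hide_bin ps /bin/bs
hide_bin wget /usr/bin/cget
hide_bin curl /usr/bin/wurl
hide_bin nc /usr/bin/pc
hide_bin ncat /usr/bin/pcat

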
  329. # Timestomp Everything
  330. run timestomp_dir $LOG_DIR
  331. run timestomp_dir $ALT_BIN_DIR
  332. run timestomp_dir $BACKUP_DIR
  333. run timestomp_dir $STAGING
  334. timestomp_silent $LOG_DIR/log