#!/bin/bash
# Host-hardening / deception script for a Debian-style box (it drives apt-get,
# chpasswd, useradd, iptables, auditd and chattr, so it has to run as root).
# Everything the run produces -- the log, the /etc and binary backups, the
# generated firewall loader and the audit rules -- is parked under
# inconspicuous system paths rather than somewhere obvious like /root or /tmp.
#
# Other hiding places the author considered:
#   /etc/.cron.d/
#   /usr/share/man/man7/udisk.7.gz
#
# Note that STAGING, BACKUP_DIR and LOG_DIR all resolve to the same directory.
STAGING='/usr/share/groff/current/font/cyrilic'      # artifacts collected for review
BACKUP_DIR='/usr/share/groff/current/font/cyrilic'   # backups, ipt.sh, db dump
LOG_DIR='/usr/share/groff/current/font/cyrilic'      # run() appends to $LOG_DIR/log
ALT_BIN_DIR='/usr/share/sgml/stylesheet/css'         # spare copies of /bin and /sbin
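run () {
  # Run a command line through eval and record it, plus a pass/FAIL line, in
  # $LOG_DIR/log (those wrapper lines are also echoed to stdout).  The
  # command's OWN stdout/stderr go only to the log -- so `run cmd | tee f`
  # never gives f the command output, only the wrapper lines.
  # The arguments are literal text from this script (eval is what lets
  # call sites pass quoted globs such as \"/proc/*\"); never feed it
  # untrusted input.
  # Returns the command's exit status, and writes it on the FAIL line.
  local cmd_status
  printf '\n%s {\n' "$*" | tee -a "$LOG_DIR/log"
  eval "$@" &>>"$LOG_DIR/log"
  cmd_status=$?
  if [ "$cmd_status" -eq 0 ]; then
    printf '} pass\n' | tee -a "$LOG_DIR/log"
  else
    printf '} FAIL (exit %d)\n' "$cmd_status" | tee -a "$LOG_DIR/log"
  fi
  return "$cmd_status"
}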
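timestomp_dir () {
  # Copy the reference file's timestamps onto every entry under directory $1.
  # Goes through run(), which evals its arguments, so the path is %q-escaped
  # to survive the re-parse (the original passed it bare and broke on spaces).
  # TIMESTOMP_REF in the environment overrides the reference file.
  local ref=${TIMESTOMP_REF:-/usr/share/man/man8/fsck.8.gz}
  run find "$(printf '%q' "$1")" -exec touch -r "$(printf '%q' "$ref")" {} +
}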
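timestomp () {
  # Copy the reference file's timestamps onto the given paths, logged via run().
  # The paths are handed to run() as-is on purpose: run() evals them, and one
  # call site relies on that to expand a quoted "dir/*".
  # TIMESTOMP_REF in the environment overrides the reference file.
  local ref=${TIMESTOMP_REF:-/usr/share/man/man8/fsck.8.gz}
  run touch -r "$(printf '%q' "$ref")" "$@"
}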
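timestomp_silent () {
  # Same as timestomp() but without run(), so nothing is written to the log;
  # used for the final touch of the log file itself.
  # TIMESTOMP_REF in the environment overrides the reference file.
  local ref=${TIMESTOMP_REF:-/usr/share/man/man8/fsck.8.gz}
  touch -r "$ref" -- "$@"
}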
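# Backup some artifacts
# Artifacts to collect EARLY (i.e. before we modify anything): everything
# whose inode changed in the last 5 minutes, for later review.
mkdir -p "$STAGING" "$BACKUP_DIR" "$ALT_BIN_DIR" "$LOG_DIR"
run mkdir -p "$STAGING/artifacts"
printf '~~~~~~~~~~~~~~~~~find~~~~~~~~~~~~~~\n' | tee "$STAGING/artifacts/to_be_reviewed"
# Deliberately NOT wrapped in run(): run() redirects the command's output into
# the log, so only its "{ / } pass" wrapper lines would reach tee and the
# review file would hold no file list.  find's errors still go to the log.
find / -cmin -5 ! -path '/proc/*' 2>>"$LOG_DIR/log" | tee -a "$STAGING/artifacts/to_be_reviewed"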
# Install necessary packages
# Packages to (re)install EARLY (i.e. before we modify anything) -- chpasswd
# below comes from passwd.
early_pkgs=(passwd)
run apt-get install -y "${early_pkgs[@]}"
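# Change user passwords
# The credential is embedded in this script in cleartext: keep the script off
# the box (or shred it) once the run is done.  ROOT_PASS in the environment
# overrides the built-in default.
printf '\033[34m[?]\033[39mChanging Passwords\n'
root_pass="${ROOT_PASS:-pickles are bad for malaria}"
# Passed on stdin rather than as an argument, so run() does not log it.
run chpasswd <<EOF
root:$root_pass
EOF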
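# Change MySQL password
# Deliberately NOT wrapped in run(): run() writes its argument list to the log,
# which would record both passwords.  The current password is handed over in a
# 0600 temporary defaults file instead of on argv (argv is readable by every
# local user via ps); mysqladmin still takes the NEW password as an argument,
# so that one is briefly visible.  MYSQL_OLD_PASS / MYSQL_NEW_PASS override
# the built-in defaults.
if [ -d "/etc/mysql" ]; then
  mysql_old_pass="${MYSQL_OLD_PASS:-foobar}"
  mysql_new_pass="${MYSQL_NEW_PASS:-king george disliked potatoes}"
  mysql_cnf=$(mktemp) && chmod 600 "$mysql_cnf"
  printf '[client]\nuser=root\npassword="%s"\n' "$mysql_old_pass" > "$mysql_cnf"
  if ! mysqladmin --defaults-extra-file="$mysql_cnf" password "$mysql_new_pass"; then
    # The later mysqldump uses the new password, so a failure here matters.
    printf '[!] MySQL root password change FAILED (wrong current password?)\n' | tee -a "$LOG_DIR/log"
  fi
  rm -f "$mysql_cnf"
  /etc/init.d/mysql stop
  /etc/init.d/mysql start
fi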
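# Add an alternate admin user
# The login is named to blend in with service accounts; it is also the only
# login the sshd_config written below allows.  ADMIN_PASS in the environment
# overrides the built-in password.
printf '\033[34m[?]\033[39mAdding User\n'
admin_pass="${ADMIN_PASS:-pop tarts kill your liver}"
# The original derived the group with `egrep -o "wheel|sudo" /etc/group`,
# which also matches inside other group names and can print several lines,
# turning -G into an invalid `-G a b` argument list.  Match whole group names
# and join them with commas, which is what -G expects.
admin_groups=$(grep -oE '^(wheel|sudo):' /etc/group | tr -d ':' | paste -sd, -)
if id apache2 &>/dev/null; then
  printf '[!] user apache2 already exists; not recreated, password reset anyway\n' | tee -a "$LOG_DIR/log"
elif [ -n "$admin_groups" ]; then
  run useradd apache2 -G "$admin_groups"
else
  printf '[!] no wheel/sudo group in /etc/group; apache2 created without one\n' | tee -a "$LOG_DIR/log"
  run useradd apache2
fi
# Passed on stdin rather than as an argument, so run() does not log it.
run chpasswd <<EOF
apache2:$admin_pass
EOF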
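# Backup system configs
printf '\033[34m[?]\033[39mBacking Up /etc\n'
run tar -cvf "$BACKUP_DIR/eat" /etc/
# The archive contains /etc/shadow and the ssh host keys: root-only.
run chmod 600 "$BACKUP_DIR/eat"
timestomp "$BACKUP_DIR/eat"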
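# Configure sshd_config
# Password logins for the one allowed user only; public keys are refused so a
# planted authorized_keys file buys an intruder nothing.  UsePAM no also
# skips PAM account/session checks, so nothing enforced through PAM applies
# to ssh logins.  The previous config is kept as sshd_config.orig.
mv /etc/ssh/sshd_config{,.orig}
# Debian ships sftp-server under /usr/lib/openssh; try the usual locations
# instead of hard-coding one (a wrong path only breaks sftp, not ssh).
sftp_server=/usr/libexec/sftp-server
for candidate in /usr/lib/openssh/sftp-server /usr/libexec/openssh/sftp-server /usr/libexec/sftp-server; do
  if [ -x "$candidate" ]; then
    sftp_server=$candidate
    break
  fi
done
cat > /etc/ssh/sshd_config <<EOF
Port 22
PubkeyAuthentication no
IgnoreRhosts yes
UsePAM no
X11Forwarding no
Subsystem sftp $sftp_server
AllowUsers apache2
EOF
chmod 644 /etc/ssh/sshd_config
# Validate before restarting: restarting with a config sshd rejects leaves no
# listener, i.e. a lock-out.  Roll back and skip the restart on failure.
sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
if "$sshd_bin" -t 2>>"$LOG_DIR/log"; then
  # the service is "ssh" on Debian and "sshd" elsewhere
  service ssh restart 2>/dev/null || service sshd restart
else
  printf '[!] new sshd_config rejected by sshd -t; original restored, sshd NOT restarted\n' | tee -a "$LOG_DIR/log"
  mv /etc/ssh/sshd_config.orig /etc/ssh/sshd_config
fi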
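# Load IPtables rules
# Generate the firewall loader, then apply it with web egress enabled so the
# package reinstall further down can reach the proxy/DNS.  The FTP conntrack
# helper is loaded here because kernel.modules_disabled=1 is set later in the
# script and no module can be loaded after that.
run modprobe ip_conntrack_ftp
# Quoted heredoc: nothing below is expanded at generation time (the original
# back-slashed every $ by hand to get the same effect).
cat > "$BACKUP_DIR/ipt.sh" <<'EOF'
#!/bin/bash
# Firewall loader written by the hardening script.
# Usage: ipt.sh [--web] [--fin]
#   --web  additionally allow HTTP/HTTPS to PROXY_SERVER and UDP/53 to DNS_SERVER
#   --fin  keep the rules; without it the mangle table is flushed again after
#          5 seconds (lock-out guard for a first, interactive run)
# The rule set lives in the mangle table with an explicit trailing DROP, so a
# plain `iptables -L` (filter table) shows nothing.  IPv6 is dropped outright,
# loopback included.  ESTAB/REL are abbreviations the state match accepts.
# IPTABLES names the xtables multi-call binary; the hardening script renames
# it to /sbin/mkattr once the rules are loaded, so that is tried as a fallback.
IPTABLES=${IPTABLES:-xtables-multi}
if ! command -v "$IPTABLES" >/dev/null 2>&1 && [ -x /sbin/mkattr ]; then
  IPTABLES=/sbin/mkattr
fi
LOG_SERVER='10.2.5.11'
DNS_SERVER='10.2.5.10'
PROXY_SERVER='10.2.5.11'
$IPTABLES ip6tables -P INPUT DROP
$IPTABLES ip6tables -P FORWARD DROP
$IPTABLES ip6tables -P OUTPUT DROP
# filter table: rules flushed, policies left alone
$IPTABLES iptables -F
$IPTABLES iptables -t mangle -F
$IPTABLES iptables -t mangle -P INPUT ACCEPT
$IPTABLES iptables -t mangle -P FORWARD DROP
$IPTABLES iptables -t mangle -P OUTPUT ACCEPT
# loopback and ping
$IPTABLES iptables -t mangle -A INPUT -i lo -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -o lo -j ACCEPT
$IPTABLES iptables -t mangle -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply -m state --state ESTAB,REL -j ACCEPT
# log shipping (5044) to LOG_SERVER and the proxy (3128) on PROXY_SERVER
$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state ESTAB,REL --sport 5044 -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -p tcp --dport 5044 -d $LOG_SERVER -j ACCEPT
$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state ESTAB,REL --sport 3128 -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -p tcp --dport 3128 -d $PROXY_SERVER -j ACCEPT
# every new outbound TCP connection is logged; it is then only accepted if a
# rule further down matches, otherwise it hits the final DROP
$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state NEW -j LOG --log-prefix "IPT-OUT-NEW: "
# served ports: ssh, ftp (control + active-mode data), mysql.  New inbound
# connections are logged then accepted; replies are let out.
$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 22 -j LOG --log-prefix "IPT-IN-SSH: "
$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 22 -j ACCEPT
$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 21 -j LOG --log-prefix "IPT-IN-FTP: "
$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 21 -j ACCEPT
$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 20 -j LOG --log-prefix "IPT-IN-FTPDATA: "
$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 20 -j ACCEPT
$IPTABLES iptables -t mangle -A INPUT -p tcp -m state --state NEW --dport 3306 -j LOG --log-prefix "IPT-IN-MYSQL: "
$IPTABLES iptables -t mangle -A INPUT -p tcp --dport 3306 -j ACCEPT
$IPTABLES iptables -t mangle -A OUTPUT -p tcp -m state --state ESTAB,REL --sport 3306 -j ACCEPT
if [[ $* = *"--web"* ]]
then
  # egress needed for package installs: HTTP/HTTPS via the proxy, DNS lookups
  $IPTABLES iptables -t mangle -A OUTPUT -d $PROXY_SERVER -p tcp --dport 80 -j ACCEPT
  $IPTABLES iptables -t mangle -A INPUT -s $PROXY_SERVER -p tcp -m state --state ESTAB,REL --sport 80 -j ACCEPT
  $IPTABLES iptables -t mangle -A OUTPUT -d $PROXY_SERVER -p tcp --dport 443 -j ACCEPT
  $IPTABLES iptables -t mangle -A INPUT -s $PROXY_SERVER -p tcp -m state --state ESTAB,REL --sport 443 -j ACCEPT
  $IPTABLES iptables -t mangle -A OUTPUT -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
  $IPTABLES iptables -t mangle -A INPUT -s $DNS_SERVER -p udp -m state --state ESTAB,REL --sport 53 -j ACCEPT
else
  echo "[-] No web"
fi
# everything not explicitly allowed above
$IPTABLES iptables -t mangle -A INPUT -j DROP
$IPTABLES iptables -t mangle -A OUTPUT -j DROP
if [[ $* = *"--fin"* ]]
then
  echo "Boy I hope you don't get locked out"
else
  echo "Win?"
  sleep 5
  $IPTABLES iptables -t mangle -F
fi
EOF
run chmod +x "$BACKUP_DIR/ipt.sh"
timestomp "$BACKUP_DIR/ipt.sh"
run "$BACKUP_DIR/ipt.sh" --fin --web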
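# Reinstall essential packages
# Runs while the --web rule set is loaded (proxy and DNS reachable); the
# --fin run right after closes that again.  Non-interactive so a debconf
# prompt (mysql-server's root-password dialog on older releases) cannot hang
# the script.  NOTE: apt-get aborts the whole transaction if any one name is
# unknown (e.g. "python" on releases that only ship python3) -- check the log.
printf '\033[34m[?]\033[39mReinstalling\n'
run DEBIAN_FRONTEND=noninteractive apt-get install --reinstall -y auditd vim lsof tmux coreutils strace procps mount passwd python iptables openssh-client openssh-server mysql-server build-essential
# Apply final stricter firewall rules (no web/DNS egress any more)
run "$BACKUP_DIR/ipt.sh" --fin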
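# Move the iptables binaries
# The rules are loaded, so hide the tool that would change them.  The
# iptables/ip6tables names are usually symlinks to this multi-call binary and
# dangle after the move; later changes need `/sbin/mkattr iptables ...`
# (or IPTABLES=/sbin/mkattr when re-running ipt.sh).  Guarded: with the name
# absent the original handed mv a single argument and just logged a FAIL.
xtables_bin=$(command -v xtables-multi)
if [ -n "$xtables_bin" ]; then
  run mv "$xtables_bin" /sbin/mkattr
  timestomp /sbin/mkattr
else
  printf '[!] xtables-multi not in PATH; iptables binary left in place\n' | tee -a "$LOG_DIR/log"
fi
# Disable cron
# Stops the daemon and hides its binary; job files under /etc/cron* are left
# untouched.
run killall cron
CRON=$(command -v cron)
if [ -n "$CRON" ]; then
  run chmod 600 "$CRON"
  run mv "$CRON" /sbin/nod
  timestomp /sbin/nod
else
  printf '[!] cron binary not in PATH; nothing hidden\n' | tee -a "$LOG_DIR/log"
fi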
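# Setup alternate binary directory
# A second copy of /bin and /sbin so a tampered or deleted tool can still be
# run from here.  The copies are the same dynamically linked files, so they
# still go through the system loader and libraries (see the ld.so.preload
# handling below).
printf '\033[34m[?]\033[39mSetting Up Rescue Binaries\n'
if [ ! -e "$ALT_BIN_DIR" ]; then
  run mkdir "$ALT_BIN_DIR"
  timestomp "$ALT_BIN_DIR"
fi
run cp /{,s}bin/* "$ALT_BIN_DIR/"
timestomp "$ALT_BIN_DIR"/*
# The original passed a quoted "$ALT_BIN_DIR/*" to tar, which never globs:
# tar got a literal '*' and failed.  Archive the directory contents instead.
tar -cJf "$BACKUP_DIR/roo" -C "$ALT_BIN_DIR" .
timestomp "$BACKUP_DIR/roo"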
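# Prevent some common rootkits
# LD_PRELOAD userland rootkits: drop the variable from this shell (unset, not
# an exported empty string) and pin an empty, immutable /etc/ld.so.preload.
# An existing preload file is kept as ld.so.null for analysis, not deleted.
env | grep -i 'LD_PRELOAD' && unset LD_PRELOAD
run mv /etc/ld.so.preload /etc/ld.so.null
timestomp /etc/ld.so.null
run touch /etc/ld.so.preload
timestomp /etc/ld.so.preload
run chattr +i /etc/ld.so.preload
# Kernel-module rootkits: no further module loading until reboot.  One-way
# switch -- anything still needing a module (ip_conntrack_ftp above) must
# already be loaded.
run sysctl kernel.modules_disabled=1
#run cat /etc/default/grub | sed -e "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"module.sig_enforce=1 /g" > /tmp/grub
#run cp /etc/default/grub /etc/default/grub.bak; cp /tmp/grub /etc/default/grub
#run grub2-mkconfig -o /boot/grub/grub2.cfg || grub-mkconfig -o /boot/grub/grub.cfg
#Slightly overkill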
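# Setup auditctl logging
# Strip append-only from the audit log directory (left over from an earlier
# run) so auditd can write and rotate.  (The original had a stray
# `unchattr log file` line here that was meant as this comment; there is no
# such command.)
chattr -R -a /var/log/audit/
# Configure logging.  Written with a plain heredoc: the original piped run()
# into tee, but run() sends the command's output to the log file, so the rules
# file received run()'s "echo ... {" / "} pass" wrapper lines instead, which
# auditctl -R does not understand.  "/etc/pamd.d" was a typo for /etc/pam.d.
cat > "$STAGING/a" <<'EOF'
-w /etc/passwd -p aw -k KILLME
-w /etc/shadow -p aw -k KILLME
-w /etc/nsswitch.conf -p aw -k KILLME
-w /etc/ssh/ -p aw -k KILLME
-w /etc/pam.d/ -p aw -k KILLME
-a exit,always -F arch=b64 -F euid=0 -S execve -k ROOTEXEC
-a always,exit -F arch=b64 -S execve -k NEWPROCESS
-a always,exit -F arch=b64 -S fork -S clone -k NEWFORK
EOF
auditctl -D
chown root:root "$STAGING/a"
chmod 600 "$STAGING/a"
# Loaded live only (nothing under /etc/audit/rules.d), so the rules do not
# survive a reboot.
auditctl -R "$STAGING/a"
service auditd start
# -e 2 locks the rule set; a reboot is the only way to change it afterwards.
auditctl -e 2
timestomp "$STAGING/a"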
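# Chattr stuff
# Make the logs append-only, then relax it where package tooling rewrites
# files.  Append-only directories also refuse rename/unlink, so logrotate will
# start failing while this is in force.
timestomp /var/log
timestomp /var/log/apt
timestomp /var/log/lastlog
timestomp /var/log/dpkg.log
run chattr -R +a /var/log/
run chattr -R -a /var/log/apt/
run chattr -a /var/log/lastlog
run chattr -a /var/log/dpkg.log
# Editor/pager history files: make them immutable so nothing can be written to
# them.  Created first if missing -- chattr needs an existing inode, and
# otherwise the tool would simply create a fresh, writable file.  (The original
# loop re-applied +i to /root/.viminfo instead of each user's own file.)
for histfile in /root/.lesshst /root/.viminfo; do
  touch "$histfile"
  run chattr +i "$histfile"
  timestomp "$histfile"
done
for home in /home/*; do
  [ -d "$home" ] || continue
  for histfile in "$home/.lesshst" "$home/.viminfo"; do
    touch "$histfile"
    run chattr +i "$histfile"
    timestomp "$histfile"
  done
done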
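# Backup everything else
# Main backup: every directory on PATH, gzipped.
printf '\033[34m[?]\033[39mBacking Up Binaries\n'
# ${PATH//:/ } is intentionally unquoted: one tar argument per PATH entry.
# shellcheck disable=SC2086
run tar -czvf "$BACKUP_DIR/bake" ${PATH//:/ }
timestomp "$BACKUP_DIR/bake"
# Backup databases
# Not wrapped in run() (it would log the argument list).  The password goes
# through a 0600 temp defaults file rather than argv, where ps would show it.
# MYSQL_NEW_PASS overrides the built-in default, which must match the
# password set earlier in the run.
if [ -d /etc/mysql ]; then
  mysql_pass="${MYSQL_NEW_PASS:-king george disliked potatoes}"
  mysql_cnf=$(mktemp) && chmod 600 "$mysql_cnf"
  printf '[client]\nuser=root\npassword="%s"\n' "$mysql_pass" > "$mysql_cnf"
  mysqldump --defaults-extra-file="$mysql_cnf" --all-databases > "$BACKUP_DIR/db.sql"
  rm -f "$mysql_cnf"
  # a full dump of every database is sensitive: root-only
  chmod 600 "$BACKUP_DIR/db.sql"
  timestomp "$BACKUP_DIR/db.sql"
fi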
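# Backup other artifacts
# Find some things to review: root's and every user's dotfiles, the mount
# table, and any process holding a raw/pcap socket (sniffers).
run tar -czvf "$STAGING/artifacts/rootartifacts.tar.gz" ~/.ssh ~/.profile ~/.lesshst ~/.bashrc ~/.bash_history
for home in /home/*; do
  [ -e "$home" ] || continue
  run tar -czvf "$STAGING/artifacts/artifacts.home.${home##*/}.tar.gz" "$home"
done
# mount and lsof are NOT wrapped in run(): run() diverts the command's output
# into the log, so the review file would only get the "{ / } pass" wrapper
# lines (and the lsof grep would never see a RAW/PCAP line).
printf '~~~~~~~~~~~~~~~~~mount~~~~~~~~~~~~~~\n' | tee -a "$STAGING/artifacts/to_be_reviewed"
mount 2>>"$LOG_DIR/log" | tee -a "$STAGING/artifacts/to_be_reviewed"
printf '~~~~~~~~~~~~~~~~~lsof~~~~~~~~~~~~~~\n' | tee -a "$STAGING/artifacts/to_be_reviewed"
lsof 2>>"$LOG_DIR/log" | grep -i -E 'RAW|PCAP' | tee -a "$STAGING/artifacts/to_be_reviewed"
timestomp "$STAGING/artifacts/to_be_reviewed"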
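# Configure DNS
# Point the resolver at the DNS server ipt.sh permits.  Only useful while the
# --web rule set is loaded: the final `ipt.sh --fin` run has no port-53 rule,
# so lookups are dropped afterwards.  If /etc/resolv.conf is a symlink
# (resolvconf / systemd-resolved), writing through it would edit the generated
# target file, so replace the link with a regular file first.
[ -L /etc/resolv.conf ] && rm -f /etc/resolv.conf
cat > /etc/resolv.conf <<'EOF'
nameserver 10.2.5.10
EOF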
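# Hide some other binaries
# Rename common editors and network tools so an intruder's muscle memory
# fails; the originals stay usable under the new names.  Every move is guarded
# (the original only guarded nc/ncat; with the tool absent mv got a single
# argument and failed).  Moving sed in particular breaks package maintainer
# and init scripts that call it by name -- use /bin/ded or the copy in
# $ALT_BIN_DIR when something needs it.
hide_binary () {
  # $1 = command name to look up in PATH, $2 = new path
  local src
  src=$(type -P "$1")
  if [ -z "$src" ]; then
    printf '[-] %s not found; not hidden\n' "$1" | tee -a "$LOG_DIR/log"
    return 0
  fi
  run mv "$src" "$2"
  timestomp "$2"
}
hide_binary vim  /usr/bin/cim
hide_binary vi   /usr/bin/ci
hide_binary sed  /bin/ded
hide_binary nano /usr/bin/ana
hide_binary ps   /bin/bs
hide_binary wget /usr/bin/cget
hide_binary curl /usr/bin/wurl
hide_binary nc   /usr/bin/pc
hide_binary ncat /usr/bin/pcat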
# Timestomp everything
# Every hidden directory gets the reference timestamps.  These run() calls
# append to the log, so the log file itself is touched last and outside run().
for hidden_dir in "$LOG_DIR" "$ALT_BIN_DIR" "$BACKUP_DIR" "$STAGING"; do
  run timestomp_dir "$hidden_dir"
done
timestomp_silent "$LOG_DIR/log"