- #!/bin/bash -i
- #
- # Title : hardening.sh
- # Description : Simple hardening script Indonesian UnderTeam
- # Author : m1rr0r & xhaxor
- # Date : 10 Januari 2015
- # Version : 1.0
- #
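# Block until the operator presses Enter.
# -r keeps a typed backslash literal instead of treating it as an escape
# (without it "a\b" is read back as "ab"). The reply is stored in the same
# global the original used so nothing that inspects it changes.
pause(){
  read -r -p "Tekan [enter] untuk melanjutkan" fackEnterKey
}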
# Menu item 1. Placeholder: prints a heading and waits; no history file
# is read by this function.
hist(){
  printf '%s\n' "cek history"
  pause
}
# Menu item 3: print distribution release files and the kernel string.
os(){
  printf '%s\n' "OS yang digunakan:"
  cat /etc/*release
  printf '%s\n' "Kernel :"
  uname -a
  pause
}
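# Menu item 4: show /etc/passwd, then /etc/shadow with hashes redacted.
# Dumping raw password hashes to a terminal leaves them in scrollback,
# screen/tmux logs and session recordings, where they can be cracked
# offline. For a review the useful facts are whether an account is locked
# (*, !, !!), has a hash, or has an EMPTY password field - the last one is
# listed separately because such accounts need no password at all.
passwds() {
  echo "Cek /etc/passwd"
  cat /etc/passwd
  echo "Cek /etc/shadow"
  awk -F: -v OFS=: '{
    # keep a leading "!" (locked-with-hash) visible, hide the hash itself
    if ($2 ~ /^!/ && $2 !~ /^[!*]+$/) $2 = "!<hash-redacted>"
    else if ($2 != "" && $2 !~ /^[!*]+$/) $2 = "<hash-redacted>"
    print
  }' /etc/shadow
  echo "Akun dengan password kosong di /etc/shadow:"
  awk -F: '$2 == "" {print $1}' /etc/shadow
  pause
}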
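# Menu item 7: create a local account and set its password interactively.
# The original ran useradd and passwd on an unquoted, unchecked name and
# printed "sukses" regardless of their exit status. The name is now
# rejected when empty, when it starts with "-" (would be parsed as an
# option) or contains whitespace, and "sukses" is only printed when both
# useradd and passwd succeeded.
# NOTE: on Debian-derived systems this function shadows the system
# `adduser` command for the rest of the script (as the original did).
adduser(){
  local uservar
  echo "Tambah User SSH"
  read -r -p 'Tambah user ssh:' uservar
  if [[ -z "$uservar" || "$uservar" == -* || "$uservar" == *[[:space:]]* ]]; then
    echo "Nama user tidak valid" >&2
    pause
    return 1
  fi
  if useradd "$uservar" && passwd "$uservar"; then
    echo "Tambah user sukses"
  else
    echo "Tambah user gagal" >&2
  fi
  pause
}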
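# Menu item 5: list sudoers lines mentioning ALL.
# Reads the file directly instead of `cat | grep`, and also scans the
# /etc/sudoers.d drop-in directory, which the original skipped although
# a rule there is just as effective as one in /etc/sudoers.
# The match is a plain substring, so commented-out examples show up too.
sudoers(){
  echo "Cek /etc/sudoers"
  grep -- ALL /etc/sudoers
  if [ -d /etc/sudoers.d ]; then
    echo "Cek /etc/sudoers.d"
    # 2>/dev/null: the glob may match nothing or unreadable entries.
    grep -H -- ALL /etc/sudoers.d/* 2>/dev/null
  fi
  pause
}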
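# Menu item 6: list scheduled jobs.
# `crontab -l` alone shows only the crontab of the user running the script,
# so a persistence job planted in another user's crontab, in /etc/crontab
# or in /etc/cron.d would be missed; those locations are listed as well.
cron(){
  local f
  echo "Cek crontab"
  crontab -l
  echo "Cek crontab user lain (/var/spool/cron)"
  for f in /var/spool/cron/*; do
    [ -f "$f" ] || continue
    echo "== $f"
    cat -- "$f"
  done
  echo "Cek /etc/crontab dan /etc/cron.d"
  cat /etc/crontab 2>/dev/null
  for f in /etc/cron.d/*; do
    [ -f "$f" ] || continue
    echo "== $f"
    cat -- "$f"
  done
  pause
}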
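# Menu item 8: grant a user full sudo rights ("<user> ALL=(ALL) ALL").
# The original appended the line straight into /etc/sudoers with no
# validation: a typo or a non-existent user produces a syntax error that
# makes sudo refuse to run for everyone. Here the rule is appended to a
# temporary copy, checked with `visudo -c`, and only then installed with
# the 0440 root:root mode sudo expects.
sudoroot(){
  local uservar tmp
  echo "Set User Sebagai Root"
  read -r -p "Username :" uservar
  if [ -z "$uservar" ] || ! id -- "$uservar" >/dev/null 2>&1; then
    echo "User '$uservar' tidak ditemukan" >&2
    pause
    return 1
  fi
  tmp=$(mktemp) || { pause; return 1; }
  if cat /etc/sudoers > "$tmp" \
     && printf '%s ALL=(ALL) ALL\n' "$uservar" >> "$tmp" \
     && visudo -cf "$tmp" >/dev/null 2>&1; then
    install -m 0440 -o root -g root -- "$tmp" /etc/sudoers
    echo "Sukses set $uservar sebagai root"
  else
    echo "Gagal: aturan sudoers tidak valid, /etc/sudoers tidak diubah" >&2
  fi
  rm -f -- "$tmp"
  pause
}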
# Menu item 9. Placeholder: only announces the intended change (root's
# shell to /sbin/nologin); nothing is written to /etc/passwd.
nologin() {
  printf '%s\n' "Set /sbin/nologin untuk root /etc/passwd"
  pause
}
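# Menu item 10: listening sockets and boot-enabled services.
# Falls back to `ss` when net-tools is not installed, and to systemctl
# when chkconfig is absent. The chkconfig filter matches the ":on"
# runlevel field rather than any "on" inside a service name.
porting() {
  echo "Cek Port"
  if command -v netstat >/dev/null 2>&1; then
    netstat -tulpn
  else
    ss -tulpn
  fi
  echo "Cek chkconfig"
  if command -v chkconfig >/dev/null 2>&1; then
    chkconfig --list | grep ':on'
  else
    systemctl list-unit-files --state=enabled
  fi
  pause
}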
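# Menu item 2: change root's password.
# The original ran a bare `passwd`, which changes the password of whoever
# is running the script - only root when the script itself runs as root.
# Naming the account makes the intent explicit and fails loudly otherwise.
rootchg() {
  echo "Ganti password ssh root"
  passwd root
  pause
}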
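# Menu item 11: print the manual procedure for resetting the MySQL root
# password. Nothing is executed.
# Fixes to the printed steps: the original used unescaped inner double
# quotes, so it printed PASSWORD(passwordaja) without quotes (a statement
# MySQL rejects) and suggested a fixed, guessable password; the placeholder
# below has to be replaced. --skip-networking is added because while
# --skip-grant-tables is active anyone who can reach the server has full
# access without a password.
# NOTE (review): on MySQL 5.7+ the column is authentication_string, not
# password - adjust the UPDATE accordingly.
reset_mysql() {
  echo "Reset Mysql"
  echo "Step - Step :"
  cat <<'EOF'
service mysqld stop
mysqld_safe --skip-grant-tables --skip-networking &
mysql -u root
mysql> use mysql;
mysql> UPDATE user SET password=PASSWORD('<password-baru>') WHERE User='root';
mysql> flush privileges;
mysql> quit
service mysqld stop
service mysqld restart
EOF
  pause
}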
# Menu item 12: run MySQL's interactive hardening wizard (root password,
# anonymous users, remote root, test database).
change_mysql() {
  printf '%s\n' "Ganti password mysql"
  mysql_secure_installation
  pause
}
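# Menu item 13: install an SSH public key for a user.
# SECURITY: the original embedded the script author's own public key
# (comment "katakutu@m1rr0r-pc") and first deleted the user's existing
# authorized_keys, so running "hardening" gave a third party persistent
# SSH access to the server and removed the admin's own keys. The key is
# now read from a file the operator names, validated with ssh-keygen,
# and appended. The home directory is resolved from the passwd database
# instead of assuming /home/<user>, and the primary group from id -gn
# instead of assuming a group named after the user.
key() {
  local uservar keyfile home grp sshdir
  echo "Menambahkan authorization_keys"
  read -r -p "Nama User:" uservar
  home=$(getent passwd "$uservar" | cut -d: -f6)
  if [ -z "$uservar" ] || [ -z "$home" ] || [ ! -d "$home" ]; then
    echo "User '$uservar' tidak ditemukan" >&2
    pause
    return 1
  fi
  read -r -p "File public key (.pub):" keyfile
  if [ ! -r "$keyfile" ] || ! ssh-keygen -l -f "$keyfile" >/dev/null 2>&1; then
    echo "File public key tidak valid: $keyfile" >&2
    pause
    return 1
  fi
  grp=$(id -gn -- "$uservar")
  sshdir="$home/.ssh"
  install -d -m 700 -o "$uservar" -g "$grp" -- "$sshdir"
  cat -- "$keyfile" >> "$sshdir/authorized_keys"
  chown -R "$uservar:$grp" -- "$sshdir"
  chmod 700 -- "$sshdir"
  chmod 600 -- "$sshdir"/*
  # Restore the SELinux label where SELinux tooling is present; sshd
  # ignores a mislabelled authorized_keys in enforcing mode.
  if command -v restorecon >/dev/null 2>&1; then
    restorecon -R -v "$sshdir"
  fi
  echo "Menambahkan authorization_keys selesai"
  pause
}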
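# Menu item 15: account management - report extra UID-0 accounts, lock
# unused system accounts, tighten password-ageing defaults in login.defs.
akun(){
  echo "Manajemen Akun"
  _akun_uid0
  sleep 2
  echo " "
  _akun_disable_unused
  sleep 2
  echo " "
  _akun_password_aging
  sleep 2
  echo " "
  pause
}

# List every account with UID 0 other than root.
# The original compared the whole list against "root" with an unquoted
# `[ $x == root ]`, which is a test syntax error as soon as a second UID-0
# account exists - exactly the case it was meant to catch - and it never
# printed the offending names.
_akun_uid0(){
  local extra
  echo "Cek akun selain root yang memiliki uid 0"
  extra=$(awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd)
  if [ -z "$extra" ]; then
    echo "Tidak ada akun yang memiliki uid 0"
  else
    echo "Ada akun yang memiliki uid 0, cek /etc/shadow"
    printf '%s\n' "$extra"
  fi
}

# Lock the listed unused system accounts.
# The original commented their lines out of /etc/passwd and /etc/group
# with prefix patterns (^mail also matches mailnull/mailman, ^ftp matches
# ftpuser...), and a commented line is simply absent to the C library,
# which is what pwck/useradd then complain about. Locking the password
# and setting a nologin shell blocks interactive use while keeping the
# entry that owns the account's files. Group entries are left alone: a
# group cannot log in and removing it only breaks ownership display.
_akun_disable_unused(){
  local u
  echo "Disable akun dan grup yang tidak dipakai"
  for u in lp games sync shutdown halt mail news uucp operator gopher ftp; do
    getent passwd "$u" >/dev/null 2>&1 || continue
    usermod -L -s /sbin/nologin "$u"
  done
  echo "Akun dan grup berhasil diupdate"
}

# Set password-ageing defaults for NEW accounts in /etc/login.defs.
# The original sed `/^KEY/c\...` only rewrites a line that already
# exists; a missing directive is now appended so the setting takes effect.
# Existing accounts keep their current ageing (see chage -l).
# NOTE: PASS_MIN_LEN is ignored on PAM-based systems, where length is
# enforced by pam_cracklib / pam_pwquality instead.
_akun_password_aging(){
  echo "Ubah parameter umur password yang digunakan"
  echo "- ubah maksimum umur password 60hari"
  _akun_set_logindef PASS_MAX_DAYS 60
  echo "- ubah minimum umur password 1 hari"
  _akun_set_logindef PASS_MIN_DAYS 1
  echo "- ubah password minimal 8 karakter"
  _akun_set_logindef PASS_MIN_LEN 8
  echo "- ubah warning usia password 15 hari"
  _akun_set_logindef PASS_WARN_AGE 15
  echo "Sukses mengubah parameter umur password"
}

# Replace "KEY <anything>" with "KEY VALUE" in login.defs (default path
# /etc/login.defs, overridable by a third argument), appending when absent.
_akun_set_logindef(){
  local key=$1 value=$2 file=${3:-/etc/login.defs}
  if grep -q "^${key}[[:space:]]" "$file"; then
    sed -i "/^${key}[[:space:]]/c\\${key} ${value}" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}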
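# Menu item 17: tighten modes on selected binaries, config files and cron
# directories. Each path is checked for existence first (the original ran
# chmod on every path and errored on the ones a given distro lacks, e.g.
# /bin/gzip vs /usr/bin/gzip). The "cron.dialy" typo is fixed: the
# original silently skipped /etc/cron.daily.
# Caveats before running this:
#  - chmod 100 clears the setuid bit on ping, mount and umount, so
#    unprivileged users can no longer ping or mount user-mountable entries.
#  - chmod 400 on hosts.allow/hosts.deny makes them unreadable to any
#    libwrap-using daemon that does not run as root.
#  - 400 on /etc/shadow is no tighter than the usual root-only default.
#  - package updates (or `rpm --setperms`) restore the packaged modes.
akses() {
  local p
  echo "Modifikasi Hak Akses"
  echo "chmod 100 untuk rpm, tar, gzip, ping, gunzip, mount, umount, who, lastb, lastlog, arping"
  for p in /bin/rpm /bin/tar /bin/gzip /bin/gunzip /bin/ping /bin/mount /bin/umount \
           /usr/bin/gzip /usr/bin/gunzip /usr/bin/who /usr/bin/lastb /usr/bin/last \
           /usr/bin/lastlog /sbin/arping; do
    [ -e "$p" ] && chmod 100 -- "$p"
  done
  echo "chmod 400 untuk hosts.allow, hosts.deny, shadow, crontab, cron.deny, at.deny, cron.allow, at.allow"
  for p in /etc/hosts.allow /etc/hosts.deny /etc/shadow /etc/crontab \
           /etc/cron.deny /etc/at.deny /etc/cron.allow /etc/at.allow; do
    [ -e "$p" ] && chmod 400 -- "$p"
  done
  echo "chmod 644 untuk wtmp, passwd, group"
  for p in /var/log/wtmp /etc/passwd /etc/group; do
    [ -e "$p" ] && chmod 644 -- "$p"
  done
  echo "chmod 700 untuk cron, cron.d, cron.hourly, cron.monthly, cron.daily, cron.weekly"
  for p in /var/spool/cron /etc/cron.d /etc/cron.hourly /etc/cron.monthly \
           /etc/cron.daily /etc/cron.weekly; do
    [ -e "$p" ] && chmod 700 -- "$p"
  done
  echo "Hak akses telah diubah"
  pause
}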
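# Menu item 19: install and run rkhunter from a tarball on an internal
# HTTP host typed in by the operator.
# Defects in the original: the download was never verified, so anything
# on the path to that host could substitute a trojaned "rootkit hunter"
# that is then installed and run as root; `cd /usr/local/source` was
# unchecked, so a missing directory dropped the tarball into whatever the
# current directory was; and the cleanup removed /usr/local/src/rkhunter*,
# a different path. The operator now supplies the tarball's SHA-256
# (obtained from the vendor / a trusted copy, not from the same HTTP
# host), everything happens in a temporary directory, and a failure at
# any step aborts instead of continuing to the next command.
rkhunt() {
  local ipvar sumvar work tarball=rkhunter-1.4.2.tar.gz
  echo "Install Rkhunter"
  read -r -p "Local Ip :" ipvar
  read -r -p "SHA-256 $tarball :" sumvar
  if [ -z "$ipvar" ] || [ -z "$sumvar" ]; then
    echo "Ip dan SHA-256 harus diisi, instalasi dibatalkan" >&2
    pause
    return 1
  fi
  work=$(mktemp -d) || { pause; return 1; }
  # Subshell so cd does not change the menu's working directory.
  if ! (
      cd "$work" \
      && wget -nv "http://$ipvar/source/$tarball" \
      && printf '%s  %s\n' "$sumvar" "$tarball" | sha256sum -c - \
      && tar -zxf "$tarball" \
      && cd rkhunter-1.4.2 \
      && ./installer.sh --layout default --install
    ); then
    echo "Install Rkhunter gagal (download, checksum, atau installer)" >&2
    rm -rf -- "${work:?}"
    pause
    return 1
  fi
  rm -rf -- "${work:?}"
  /usr/local/bin/rkhunter --update
  # --propupd records the current binaries as the trusted baseline; on a
  # host that is already compromised this whitelists the compromise, so
  # only do it on a freshly installed / known-clean system.
  /usr/local/bin/rkhunter --propupd
  echo "Jalankan Rkhunter"
  rkhunter --check
  pause
}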
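# Menu item 20: install and run chkrootkit from a tarball on an internal
# HTTP host.
# Bug in the original: it prompted into ip2var but downloaded from $ipvar,
# so the URL host was empty unless rkhunt had run earlier in the session.
# As in rkhunt, the tarball is verified against an operator-supplied
# SHA-256, the work happens in a temporary directory, and the built
# binary is run by its full path (the original relied on "chkrootkit"
# being on PATH after cd-ing into its directory).
chkroot() {
  local ip2var sumvar work tarball=chkrootkit.tar.gz
  echo "Install Chkrootkit"
  read -r -p "Local Ip :" ip2var
  read -r -p "SHA-256 $tarball :" sumvar
  if [ -z "$ip2var" ] || [ -z "$sumvar" ]; then
    echo "Ip dan SHA-256 harus diisi, instalasi dibatalkan" >&2
    pause
    return 1
  fi
  work=$(mktemp -d) || { pause; return 1; }
  if ! (
      cd "$work" \
      && wget -nv "http://$ip2var/source/$tarball" \
      && printf '%s  %s\n' "$sumvar" "$tarball" | sha256sum -c - \
      && tar -zxf "$tarball" \
      && mkdir -p /usr/local/chkrootkit \
      && mv chkrootkit*/* /usr/local/chkrootkit \
      && cd /usr/local/chkrootkit \
      && make sense
    ); then
    echo "Install Chkrootkit gagal (download, checksum, atau build)" >&2
    rm -rf -- "${work:?}"
    pause
    return 1
  fi
  rm -rf -- "${work:?}"
  echo "Jalankan Chkrootkit"
  /usr/local/chkrootkit/chkrootkit
  pause
}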
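# Menu item 21: hide Apache's version banner.
# The original sed patterns matched only the literal "ServerSignature On"
# and "ServerTokens OS", so a config with any other value (or without the
# directive) was left unchanged while the script still reported success
# and restarted httpd. Any existing directive is now rewritten and a
# missing one appended, and the config is syntax-checked before the
# restart so a bad file does not take the web server down.
apache() {
  local conf=/etc/httpd/conf/httpd.conf
  echo "Apache hardening"
  echo "Mematikan Server Signature"
  _apache_set_directive "$conf" ServerSignature Off
  grep -- ServerSignature "$conf"
  echo "Mematikan Server Token"
  _apache_set_directive "$conf" ServerTokens Prod
  grep -- ServerTokens "$conf"
  echo "Restart Httpd"
  if httpd -t >/dev/null 2>&1; then
    service httpd restart
  else
    echo "Konfigurasi httpd tidak valid, restart dibatalkan" >&2
  fi
  pause
}

# Rewrite every uncommented "<directive> ..." line in file as
# "<directive> <value>", appending the line when none exists.
_apache_set_directive() {
  local file=$1 directive=$2 value=$3
  if grep -q "^[[:space:]]*${directive}[[:space:]]" "$file"; then
    sed -i "s/^[[:space:]]*${directive}[[:space:]].*/${directive} ${value}/" "$file"
  else
    printf '%s %s\n' "$directive" "$value" >> "$file"
  fi
}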
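# Menu item 22: harden sshd_config.
# BUG in the original: its "disable root login" step was
#   sed 's/#PermitRootLogin yes/PermitRootLogin yes/'
# which only uncomments the directive and leaves root login ENABLED, the
# opposite of what it announces. It is now set to "no" whatever the
# current value. AllowUsers is written only when a name was given (an
# empty "AllowUsers" line is a config error, and with root login disabled
# a failed restart locks everyone out), and `sshd -t` validates the file
# before the restart. Make sure the allowed user can actually log in
# before closing the current session.
sshhard(){
  local allowvar conf=/etc/ssh/sshd_config
  echo "Hardening SSH"
  echo "disable root login"
  if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin' "$conf"; then
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' "$conf"
  else
    printf 'PermitRootLogin no\n' >> "$conf"
  fi
  grep -- PermitRootLogin "$conf"
  echo "set allow user"
  read -r -p "Allow User : " allowvar
  if [ -n "$allowvar" ]; then
    echo "AllowUsers $allowvar" >> "$conf"
  else
    echo "Allow User kosong, AllowUsers tidak diubah" >&2
  fi
  grep -- AllowUsers "$conf"
  # NOTE: this disables SFTP for every user, including anyone who only
  # transfers files with sftp/scp over the sftp subsystem. Kept from the
  # original; the pattern is anchored so already-commented lines are not
  # double-commented.
  echo "Disable subsystem sftp"
  sed -i 's/^Subsystem/#Subsystem/' "$conf"
  grep -- Subsystem "$conf"
  if sshd -t -f "$conf"; then
    service sshd restart
  else
    echo "sshd_config tidak valid, restart dibatalkan" >&2
  fi
  pause
}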
# Menu item 23. Placeholder: fail2ban is not installed by this function;
# the message itself says it is unfinished ("belum fix").
fail2(){
  printf '%s\n' "Install Fail2ban *belum fix*"
  pause
}
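# Menu item 24: web-application hardening (httpd run-as user, php.ini).
# Defects fixed:
#  - the sed commands were single-quoted, so httpd.conf received the
#    literal text "User $uservar" / "Group $uservar" and httpd could not
#    start;
#  - the user name was not validated and useradd's result not checked;
#  - `s/mode = Off/mode = On/` also matched e.g. sql.safe_mode; the
#    pattern is now anchored to safe_mode. safe_mode was removed in PHP
#    5.4, so on newer builds this setting has no effect;
#  - appending a second disable_functions line hides the first one (later
#    ini lines override earlier ones); an existing line is replaced.
# Kept as written but worth knowing: eval is a language construct and
# cannot be disabled through disable_functions; ftp, dll, listen and
# myshellexec are not PHP functions.
# NOTE (review): chown -R of /var/www to the account httpd runs as lets a
# compromised PHP script write into the document root. Kept from the
# original; prefer a separate owner with the httpd user read-only.
webapp() {
  local uservar httpuser conf=/etc/httpd/conf/httpd.conf fns
  fns='symlink,system,shell_exec,eval,exec,proc_get_status,proc_nice,proc_terminate,define_syslog_variables,syslog,openlog,closelog,escapeshellcmd,passthru,ocinumcols,ini_alter,leak,listen,chgrp,apache_note,apache_setenv,debugger_on,debugger_off,ftp_exec,dl,dll,ftp,myshellexec,proc_open,socket_bind,proc_close,escapeshellarg,popen,fpassthru,php_uname, pcntl_exec,'
  echo "Hardening Web Application"
  echo "Membuat user baru untuk http"
  read -r -p "username : " uservar
  if [[ -z "$uservar" || "$uservar" == -* || "$uservar" == *[[:space:]/\&]* ]]; then
    echo "Nama user tidak valid" >&2
    pause
    return 1
  fi
  # Create the account only if it does not exist yet (re-runs are fine).
  if ! id "$uservar" >/dev/null 2>&1 && ! useradd "$uservar"; then
    echo "Gagal membuat user '$uservar'" >&2
    pause
    return 1
  fi
  chown "$uservar":"$uservar" -R /var/www/
  echo "Set User httpd"
  read -r -p "username : " httpuser
  # An empty second answer means "the account just created".
  httpuser=${httpuser:-$uservar}
  if [[ "$httpuser" == *[[:space:]/\&]* ]]; then
    echo "Nama user httpd tidak valid" >&2
    pause
    return 1
  fi
  sed -i "s/^User apache/User ${httpuser}/" "$conf"
  sed -i "s/^Group apache/Group ${httpuser}/" "$conf"
  grep -- "$httpuser" "$conf"
  echo "Safe mode on pada php.ini"
  sed -i 's/^safe_mode = Off/safe_mode = On/' /etc/php.ini
  grep -- safe_mode /etc/php.ini
  echo "Disable function php"
  if grep -q '^disable_functions' /etc/php.ini; then
    sed -i "s/^disable_functions.*/disable_functions = ${fns}/" /etc/php.ini
  else
    echo "disable_functions = ${fns}" >> /etc/php.ini
  fi
  if httpd -t >/dev/null 2>&1; then
    service httpd restart
    echo "Hardening Web Application Sukses"
  else
    echo "Konfigurasi httpd tidak valid, restart dibatalkan" >&2
  fi
  pause
}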
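# Menu item 25: grep a document root for function names commonly found
# in web shells and list matching .php/.txt/.asp files.
# The path is now quoted and checked to be a directory (unquoted, an
# empty or space-containing answer made grep scan the wrong place). The
# pattern uses only ERE features, so -E replaces -P with identical
# results and no PCRE dependency. This is a coarse heuristic:
# base64_decode/fopen/mkdir/chmod appear in plenty of legitimate code,
# and obfuscated shells will not match.
backdoor() {
  local httdocvar
  echo "Backdoor Scanner"
  read -r -p "Masukan Lokasi htdocs :" httdocvar
  if [ ! -d "$httdocvar" ]; then
    echo "Direktori tidak ditemukan: $httdocvar" >&2
    pause
    return 1
  fi
  grep -REl --include='*.php' --include='*.txt' --include='*.asp' \
    '(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(' \
    -- "$httdocvar"
  pause
}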
# Menu item 26: Shellshock (CVE-2014-6271 and follow-ups) self-test of
# the local bash. This is a pasted-in standalone checker: the stray
# "#!/bin/bash" below is just a comment inside the function. It tests the
# interpreter found via `which $1` - and $1 is THIS function's argument,
# which read_options never passes - so from the menu it always tests the
# first "bash" on PATH. Results are printed with ANSI colours.
# TODO(review): $tmpdir, $bash, $scary, $r, $ret and the nested warn/good
# functions all leak into the global scope; $tmpdir is used unquoted.
bashs() {
echo "Bash Sock Exploit Test"
#!/bin/bash
# Print a finding: "Vulnerable" only when the env-var function parser was
# found active (scary=1); otherwise the bug exists but is not reachable
# through the environment.
warn() {
if [ "$scary" == "1" ]; then
echo -e "\033[91mVulnerable to $1\033[39m"
else
echo -e "\033[93mFound non-exploitable $1\033[39m"
fi
}
# Print a "not vulnerable" line for the named CVE.
good() {
echo -e "\033[92mNot vulnerable to $1\033[39m"
}
tmpdir=`mktemp -d -t tmp.XXXXXXXX`
# Fall back to the PATH bash when no name was given or `which` found nothing.
[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
$bash -c 'echo "Bash version $BASH_VERSION"'
echo -e "\033[39m"
#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
# Determine whether functions are still imported from arbitrary env vars
# (unpatched), or only from prefixed/suffixed names (vendor patches).
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
scary=0
elif [ -n "$(env '__BASH_FUNC<a>()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
echo -e "\033[92mVariable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable\033[39m"
scary=0
else
echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
scary=0
fi
# CVE-2014-6271: trailing command after the function body is executed on import.
r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
warn "CVE-2014-6271 (original shellshock)"
else
good "CVE-2014-6271 (original shellshock)"
fi
# CVE-2014-7169: a dangling redirection in the imported function makes
# the child create a file named "echo" in the cwd.
pushd $tmpdir > /dev/null
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
warn "CVE-2014-7169 (taviso bug)"
else
good "CVE-2014-7169 (taviso bug)"
fi
popd > /dev/null
# CVE-2014-7186: 80 nested here-documents overflow redir_stack; a crash
# (exit 139) or an AddressSanitizer report on stderr means vulnerable.
# (The $(...) wrapper runs the child's stdout as a command; it is
# normally empty.)
$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp)
ret=$?
grep AddressSanitizer $tmpdir/bashcheck.tmp > /dev/null
if [ $? == 0 ] || [ $ret == 139 ]; then
warn "CVE-2014-7186 (redir_stack bug)"
else
good "CVE-2014-7186 (redir_stack bug)"
fi
# CVE-2014-7187: 200 nested for-loops; only a non-zero exit is detected,
# so a clean result is inconclusive without ASan, as the message says.
$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
warn "CVE-2014-7187 (nested loops off by one)"
else
echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi
# CVE-2014-6277: nested function redefinition with a here-doc.
$($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
if [ $? != 0 ]; then
warn "CVE-2014-6277 (lcamtuf bug #1)"
else
good "CVE-2014-6277 (lcamtuf bug #1)"
fi
# CVE-2014-6278: command execution via a redirection target in the
# imported function, tried with each known variable-name scheme.
if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
warn "CVE-2014-6278 (lcamtuf bug #2)"
else
good "CVE-2014-6278 (lcamtuf bug #2)"
fi
rm -rf $tmpdir
pause
}
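# Menu item 27: run nmap's ssl-heartbleed NSE script against one or more
# targets. The answer is read into an array so several space-separated
# targets still work (as the original's unquoted expansion allowed) while
# glob characters are no longer expanded by the shell. Aborts cleanly
# when nothing was entered or nmap is not installed. Only ports that -sV
# identifies as TLS services are tested.
heartbleed() {
  local -a targets
  echo "Heartbleed Exploit Test"
  read -r -p "Masukan Ip Server : " -a targets
  if [ "${#targets[@]}" -eq 0 ]; then
    echo "Ip server kosong" >&2
    pause
    return 1
  fi
  if ! command -v nmap >/dev/null 2>&1; then
    echo "nmap tidak ditemukan" >&2
    pause
    return 1
  fi
  nmap -sV --script=ssl-heartbleed "${targets[@]}"
  pause
}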
# Menu item 28. Placeholder: nothing is installed.
mod_security() {
  printf '%s\n' "Install mod_security"
  pause
}
# Menu item 29. Placeholder: nothing is installed.
mod_evasive() {
  printf '%s\n' "Install mod_evasive"
  pause
}
# Menu item 30. Placeholder: no firewall state is inspected.
check_firewall() {
  printf '%s\n' "Cek Firewall"
  pause
}
# Menu item 31. Placeholder: no rules are written.
set_firewall() {
  printf '%s\n' "Set Firewall"
  pause
}
# Menu item 32. Placeholder: no rules are flushed.
flush_firewall() {
  printf '%s\n' "Flush Firewall"
  pause
}
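# Menu item 33: live view of TCP/UDP connections refreshed about once a
# second, plus a per-remote-address connection count.
# The original looped forever with no exit path; together with the
# `trap '' SIGINT SIGQUIT SIGTSTP` at the bottom of the script, Ctrl-C,
# Ctrl-\ and Ctrl-Z are ignored, so the only way back was to kill the
# terminal. The `sleep 1` is replaced by a one-second keypress wait:
# pressing q returns to the menu, anything else (or no key) refreshes.
tcp_monitor() {
  local key
  while :; do
    clear
    echo "TCP Connection Monitoring"
    echo "---------------------------------------------------------------------------"
    netstat -ntup
    echo "Jumlah Koneksi IP Address"
    # Column 5 is the foreign address: strip the IPv4-mapped "::ffff:"
    # prefix and the ":port" suffix, then count connections per address.
    netstat -ntu | grep ':' | awk '{print $5}' | awk '{sub("::ffff:","");print}' | cut -f1 -d ':' | sort | uniq -c | sort -nr
    echo "---------------------------------------------------------------------------"
    date
    echo "Tekan q untuk kembali ke menu"
    if read -r -t 1 -n 1 key && [ "$key" = "q" ]; then
      break
    fi
  done
}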
# Leftover stub; it is not reachable from read_options' menu table.
titit(){
  printf '%s\n' "titit"
  pause
}
# Clear the screen and print the banner plus the numbered menu.
# Emitted as one quoted here-document so backslashes in the banner are
# printed literally, exactly as the builtin echo did.
# Items 14, 16 and 18 are shown here but read_options has no matching
# function in this file (package, Kernel, banner).
show_menus(){
  clear
  cat <<'EOF'
________ _____ ______ ______________________________ ___
____ _/ __ / / /__ | / /__ __/__ ____/__ |__ |/ /
 __ /_______ / / /__ |/ /__ / __ __/ __ /| |_ /|_/ /
__/ /_/_____/ /_/ / _ /| / _ / _ /___ _ ___ | / / /
/___/ \____/ /_/ |_/ /_/ /_____/ /_/ |_/_/ /_/
1. Cek history
2. Ganti root password
3. Cek OS dan Kernel
4. Cek Passwd dan Shadow
5. Cek Sudoers
6. Cek cron
7. Menambahkan User SSH
8. Modifikasi sudoer untuk user
9. Set root nologin di passwd
10. Cek port dan chkconfig
11. Reset Password Mysql
12. Ganti password mysql
13. Menambahkan auth key
14. Menghapus paket tak terpakai
15. Manajemen Akun
16. Manajemen Kernel
17. Modifikasi Hak Akses
18. Set SSH Banner
19. Rkhunter
20. Chkrootkit
21. Hardening Apache
22. Hardening SSH
23. Install Fail2ban
24. Hardening Web Application
25. Backdoor Scanner
26. Bash Sock Exploit Test
27. Heartbleed Exploit Test
28. Install mod_security
29. Install mod_evasive
30. Cek Firewall
31. Set Firewall
32. flush Firewall
33. Tcp Monitoring
x.Keluar
EOF
}
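# Prompt for a menu number and dispatch to the matching function.
# Menu items 14 (package), 16 (Kernel) and 18 (banner) have no function
# in this file; the original ran them anyway, bash printed "command not
# found", and the next show_menus cleared it before it could be read.
# Unimplemented items are now reported and paused on. The ${RED}/${STD}
# colour variables were never defined, so the error text is printed plain.
read_options(){
  local choice fn
  read -r -p "Masukan pilihan opsi hardening? " choice
  case "$choice" in
    1) fn=hist ;;
    2) fn=rootchg ;;
    3) fn=os ;;
    4) fn=passwds ;;
    5) fn=sudoers ;;
    6) fn=cron ;;
    7) fn=adduser ;;
    8) fn=sudoroot ;;
    9) fn=nologin ;;
    10) fn=porting ;;
    11) fn=reset_mysql ;;
    12) fn=change_mysql ;;
    13) fn=key ;;
    14) fn=package ;;
    15) fn=akun ;;
    16) fn=Kernel ;;
    17) fn=akses ;;
    18) fn=banner ;;
    19) fn=rkhunt ;;
    20) fn=chkroot ;;
    21) fn=apache ;;
    22) fn=sshhard ;;
    23) fn=fail2 ;;
    24) fn=webapp ;;
    25) fn=backdoor ;;
    26) fn=bashs ;;
    27) fn=heartbleed ;;
    28) fn=mod_security ;;
    29) fn=mod_evasive ;;
    30) fn=check_firewall ;;
    31) fn=set_firewall ;;
    32) fn=flush_firewall ;;
    33) fn=tcp_monitor ;;
    x) exit 0 ;;
    *) echo "Error..."; sleep 2; return ;;
  esac
  if declare -F -- "$fn" >/dev/null; then
    "$fn"
  else
    echo "Fungsi $fn belum tersedia"
    pause
  fi
}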
# Entry point. The interrupt/quit/suspend keys are ignored for the whole
# session - presumably so the operator cannot drop out of the menu into
# a root shell by accident - then the menu is shown and a choice handled
# until read_options calls exit on "x".
# (The shebang at the top of the file passes -i, so bash runs this as an
# interactive shell; options given in a shebang are lost when the script
# is started as "bash hardening.sh".)
trap '' SIGINT SIGQUIT SIGTSTP
until false; do
  show_menus
  read_options
done