hd.sh

#!/bin/bash -i
#
# Title         : hardening.sh
# Description   : Simple hardening script Indonesian UnderTeam
# Author        : m1rr0r & xhaxor
# Date          : 10 Januari 2015
# Version       : 1.0
#

pause(){
  read -p "Tekan [enter] untuk melanjutkan" fackEnterKey
}

hist(){
    echo "cek history"
    pause
}

os(){
    echo "OS yang digunakan:"
    cat /etc/*release
    echo "Kernel :"
    uname -a
    pause
  }

passwds() {
    echo "Cek /etc/passwd"
    cat /etc/passwd
    echo "Cek /etc/shadow"
    cat /etc/shadow
    pause
}

adduser(){
  echo "Tambah User SSH"
  read -p 'Tambah user ssh:' uservar
  useradd $uservar
  passwd $uservar
  echo "Tambah user sukses"
  pause
}

sudoers(){
    echo "Cek /etc/sudoers"
    cat /etc/sudoers | grep ALL
    pause
}

cron(){
    echo "Cek crontab"
    crontab -l
    pause
}

sudoroot(){
    echo "Set User Sebagai Root"
    read -p "Username :" uservar
    echo "$uservar ALL=(ALL) ALL" >> /etc/sudoers
    echo "Sukses set $uservar sebagai root"
    pause
}

nologin() {
    echo "Set /sbin/nologin untuk root /etc/passwd"
    pause
}

porting() {
    echo "Cek Port"
    netstat -tulpn
    echo "Cek chkconfig"
    chkconfig --list | grep on
    pause
}

rootchg() {
    echo "Ganti password ssh root"
    passwd
    pause
}

reset_mysql() {
    echo "Reset Mysql"
    echo "Step - Step :"
    echo "service mysqld stop"
    echo "mysqld_safe --skip-grant-tables &"
    echo "mysql -u root"
    echo "mysql> use mysql;"
    echo "mysql> UPDATE user SET password=PASSWORD("passwordaja") WHERE User='root';"
    echo "mysql> flush privileges;"
    echo "mysql> quit"
    echo "service mysqld stop"
    echo "service mysqld restart"
    pause
}

change_mysql() {
    echo "Ganti password mysql"
    mysql_secure_installation
    pause
}

key() {
    echo "Menambahkan authorization_keys"
    read -p "Nama User:" uservar
    rm -rf /home/$uservar/.ssh/authorized_keys
    mkdir /home/$uservar/.ssh
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD8jMh+0ZI34yqNncAZOkkHczsyAQjH9j7D2M33dWkiSKIwXWW5xGzHUv1IPNxZAX03WFc6AIJ2LU0f5I/H4xh3XHemGRlTTCS19y4evtj3m8O1usOcX4lAJAOlJBfWAHmGDiQnrwqOaNo0+UO46qPj/8mnSSfoap3hVGOcXMlf/NcMmnRF0pvQ3tC05JMXy8aokfYVxSRUQYSr0ALC2PFO23Kf9qirsMPuOzf2E2dvD98wed0zNSfrBRZfjsGncovb2wPCrcs8WTLy33MuMUIC4zGL+esO9sGhNfQ8HJpIeKs37WK8F0+gavbOE4bk7ZuPN9HiSWhT+rxn9GZlEo5MAnHJ+Lv2R0UP98NlR20SAgwB6jj9XPIdAnY6cAk9Xnf54sWJFnGJxKlNrr2iSe/HZ0dWOZapvX6Gfk9LYx5m+ZpX2xOdaksVd9ibLl4+oFc0fAqdMIE9Bhzr/PbmkfVn0VdHt1S7wPRIJiJNVP7AFWQ2OhsieTb0Y2oR6oRv9LAhdCsdJ2H3wHphwSE7wRFUGxqh3C3VW0jM1gmR0WQ1Ns2b3ye7T09jTev0/xuyzuA2jJzJDyH6KcQ9dRK4OQsO/FZacQb9VEbel1B8ZqOPq9zRAXcbtpj1c5oc9vgy+WNgAMIQSzrCywGm8jw+rFhJUGlHav/8OYNmGA6kvquiLQ== katakutu@m1rr0r-pc" >> /home/$uservar/.ssh/authorized_keys
    chown $uservar:$uservar -R /home/$uservar/.ssh
    chmod 700 /home/$uservar/.ssh
    chmod 600 /home/$uservar/.ssh/*
    restorecon -R -v /home/$uservar/.ssh
    echo "Menambahkan authorization_keys selesai"
    pause
}


akun(){
    echo "Manajemen Akun"
    echo "Cek akun selain root yang memiliki uid 0"
    x=`awk -F: '($3 == "0") {print}' /etc/passwd | awk -F: '{print $1}'`
    if [ $x == root ]
      then
      echo "Tidak ada akun yang memiliki uid 0"
    else
      echo "Ada akun yang memiliki uid 0, cek /etc/shadow"
    fi
    sleep 2
    echo " "

    echo "Disable akun dan grup yang tidak dipakai"
    sed -i 's/^lp/#lp/' /etc/passwd
    sed -i 's/^games/#games/' /etc/passwd
    sed -i 's/^sync/#sync/' /etc/passwd
    sed -i 's/^shutdown/#shutdown/' /etc/passwd
    sed -i 's/^halt/#halt/' /etc/passwd
    sed -i 's/^mail/#mail/' /etc/passwd
    sed -i 's/^news/#news/' /etc/passwd
    sed -i 's/^uucp/#uucp/' /etc/passwd
    sed -i 's/^operator/#operator/' /etc/passwd
    sed -i 's/^gopher/#gopher/' /etc/passwd
    sed -i 's/^ftp/#ftp/' /etc/passwd
    sed -i 's/^lp/#lp/' /etc/group
    sed -i 's/^games/#games/' /etc/group
    sed -i 's/^uucp/#uucp/' /etc/group
    echo "Akun dan grup berhasil diupdate"
    sleep 2
    echo " "

    echo "Ubah parameter umur password yang digunakan"
    echo "- ubah maksimum umur password 60hari"
    sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 60' /etc/login.defs
    echo "- ubah minimum umur password 1 hari"
    sed -i '/^PASS_MIN_DAYS/c\PASS_MIN_DAYS 1'  /etc/login.defs
    echo "- ubah password minimal 8 karakter"
    sed -i '/^PASS_MIN_LEN/c\PASS_MIN_LEN 8' /etc/login.defs
    echo "- ubah warning usia password 15 hari"
    sed -i '/^PASS_WARN_AGE/c\PASS_WARN_AGE 15' /etc/login.defs
    echo "Sukses mengubah parameter umur password"
    sleep 2
    echo " "

    pause
}


akses() {
    echo "Modifikasi Hak Akses"
    echo "chmod 100 untuk rpm, tar, gzip, ping, gunzip, mount, umount, who, lastb, lastlog, arping"
    chmod 100 /bin/rpm
    chmod 100 /bin/tar
    chmod 100 /bin/gzip
    chmod 100 /bin/gunzip
    chmod 100 /bin/ping
    chmod 100 /bin/mount
    chmod 100 /bin/umount
    chmod 100 /usr/bin/gzip
    chmod 100 /usr/bin/gunzip
    chmod 100 /usr/bin/who
    chmod 100 /usr/bin/lastb
    chmod 100 /usr/bin/last
    chmod 100 /usr/bin/lastlog
    chmod 100 /sbin/arping
    echo "chmod 400 untuk hosts.allow, hosts.deny, shadow, crontab, cron.deny, at.deny, cron.allow, at.allow"
    chmod 400 /etc/hosts.allow
    chmod 400 /etc/hosts.deny
    chmod 400 /etc/shadow
    chmod 400 /etc/crontab
    chmod 400 /etc/cron.deny
    chmod 400 /etc/at.deny
    chmod 400 /etc/cron.allow
    chmod 400 /etc/at.allow
    echo "chmod 644 untuk wtmp, passwd, group"
    chmod 644 /var/log/wtmp
    chmod 644 /etc/passwd
    chmod 644 /etc/group
    echo "chmod 700 untuk cron, cron.d, cron.hourly, cron.monthly, cron.dialy, cron.weekly"
    chmod 700 /var/spool/cron
    chmod 700 /etc/cron.d
    chmod 700 /etc/cron.hourly
    chmod 700 /etc/cron.monthly
    chmod 700 /etc/cron.dialy
    chmod 700 /etc/cron.weekly
    echo "Hak akses telah diubah"
    pause
}

rkhunt() {
    echo "Install Rkhunter"
    read -p "Local Ip :" ipvar
    cd /usr/local/source
    wget http://$ipvar/source/rkhunter-1.4.2.tar.gz
    tar -zxvf rkhunter-1.4.2.tar.gz
    cd rkhunter-1.4.2
    ./installer.sh --layout default --install
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --propupd
    rm -Rf /usr/local/src/rkhunter*
    echo "Jalankan Rkhunter"
    rkhunter --check
    pause
}

chkroot() {
    echo "Install Chkrootkit"
    read -p "Local Ip :" ip2var
    wget http://$ipvar/source/chkrootkit.tar.gz
    tar -zxvf chkrootkit.tar.gz
    mkdir /usr/local/chkrootkit
    mv chkrootkit*/* /usr/local/chkrootkit
    cd /usr/local/chkrootkit
    make sense
    echo "Jalankan Chkrootkit"
    chkrootkit
    pause
}

apache() {
    echo "Apache hardening"
    echo "Mematikan Server Signature"
    sed -i 's/ServerSignature On/ServerSignature Off/' /etc/httpd/conf/httpd.conf
    cat /etc/httpd/conf/httpd.conf | grep ServerSignature
    echo "Mematikan Server Token"
    sed -i 's/ServerTokens OS/ServerTokens Prod/' /etc/httpd/conf/httpd.conf
    cat /etc/httpd/conf/httpd.conf | grep ServerTokens
    echo "Restart Httpd"
    service httpd restart
    pause
}

sshhard(){
    echo "Hardening SSH"
    echo "disable root login"
    sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
    cat /etc/ssh/sshd_config | grep PermitRootLogin
    echo "set allow user"
    read -p "Allow User : " allowvar
    echo "AllowUsers $allowvar" >> /etc/ssh/sshd_config
    cat /etc/ssh/sshd_config | grep AllowUsers
    echo "Disable subsystem sftp"
    sed -i 's/Subsystem/#Subsystem/' /etc/ssh/sshd_config
    cat /etc/ssh/sshd_config | grep Subsystem
    service sshd restart
    pause
}

fail2(){
    echo "Install Fail2ban *belum fix*"
    pause
}

webapp() {
    echo "Hardening Web Application"
    echo "Membuat user baru untuk http"
    read -p "username : " uservar
    useradd $uservar
    chown $uservar:$uservar -R /var/www/
    echo "Set User httpd"
    read -p "username : " uservar
    sed -i 's/User apache/User $uservar/' /etc/httpd/conf/httpd.conf
    sed -i 's/Group apache/Group $uservar/' /etc/httpd/conf/httpd.conf
    cat /etc/httpd/conf/httpd.conf | grep $uservar
    echo "Safe mode on pada php.ini"
    sed -i 's/mode = Off/mode = On/' /etc/php.ini
    cat /etc/php.ini | grep safe_mode
    echo "Disable function php"
    echo "disable_functions = symlink,system,shell_exec,eval,exec,proc_get_status,proc_nice,proc_terminate,define_syslog_variables,syslog,openlog,closelog,escapeshellcmd,passthru,ocinumcols,ini_alter,leak,listen,chgrp,apache_note,apache_setenv,debugger_on,debugger_off,ftp_exec,dl,dll,ftp,myshellexec,proc_open,socket_bind,proc_close,escapeshellarg,popen,fpassthru,php_uname, pcntl_exec," >> /etc/php.ini
    service httpd restart
    echo "Hardening Web Application Sukses"
    pause
}

backdoor() {
    echo "Backdoor Scanner"
    read -p "Masukan Lokasi htdocs :" httdocvar
    grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" $httdocvar
    pause
}

bashs() {
    echo "Bash Sock Exploit Test"
    #!/bin/bash

    warn() {
      if [ "$scary" == "1" ]; then
        echo -e "\033[91mVulnerable to $1\033[39m"
      else
        echo -e "\033[93mFound non-exploitable $1\033[39m"
      fi
    }

    good() {
      echo -e "\033[92mNot vulnerable to $1\033[39m"
    }

    tmpdir=`mktemp -d -t tmp.XXXXXXXX`

    [ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
    echo -e "\033[95mTesting $bash ..."
    $bash -c 'echo "Bash version $BASH_VERSION"'
    echo -e "\033[39m"

    #r=`a="() { echo x;}" $bash -c a 2>/dev/null`
    if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
      echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
      scary=1
    elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
      echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
      scary=0
    elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
      echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
      scary=0
    elif [ -n "$(env '__BASH_FUNC<a>()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
      echo -e "\033[92mVariable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable\033[39m"
      scary=0
    else
      echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
      scary=0
    fi


    r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
    if [ -n "$r" ]; then
      warn "CVE-2014-6271 (original shellshock)"
    else
      good "CVE-2014-6271 (original shellshock)"
    fi

    pushd $tmpdir > /dev/null
    env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
    if [ -e echo ]; then
      warn "CVE-2014-7169 (taviso bug)"
    else
      good "CVE-2014-7169 (taviso bug)"
    fi
    popd > /dev/null

    $($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp)
    ret=$?
    grep AddressSanitizer $tmpdir/bashcheck.tmp > /dev/null
    if [ $? == 0 ] || [ $ret == 139 ]; then
      warn "CVE-2014-7186 (redir_stack bug)"
    else
      good "CVE-2014-7186 (redir_stack bug)"
    fi


    $bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
    if [ $? != 0 ]; then
      warn "CVE-2014-7187 (nested loops off by one)"
    else
      echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
    fi

    $($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
    if [ $? != 0 ]; then
      warn "CVE-2014-6277 (lcamtuf bug #1)"
    else
      good "CVE-2014-6277 (lcamtuf bug #1)"
    fi

    if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
      warn "CVE-2014-6278 (lcamtuf bug #2)"
    elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
      warn "CVE-2014-6278 (lcamtuf bug #2)"
    elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
      warn "CVE-2014-6278 (lcamtuf bug #2)"
    else
      good "CVE-2014-6278 (lcamtuf bug #2)"
    fi

    rm -rf $tmpdir
    pause
}

heartbleed() {
    echo "Heartbleed Exploit Test"
    read -p "Masukan Ip Server : " servervar
    nmap -sV $servervar --script=ssl-heartbleed
    pause
}

mod_security() {
    echo "Install mod_security"
    pause
}

mod_evasive() {
    echo "Install mod_evasive"
    pause
}

check_firewall() {
    echo "Cek Firewall"
    pause
}

set_firewall() {
    echo "Set Firewall"
    pause
}

flush_firewall() {
    echo "Flush Firewall"
    pause
}

tcp_monitor() {
    while [ "true" ]
    do
    clear
    echo "TCP Connection Monitoring"
    echo "---------------------------------------------------------------------------"
    netstat -ntup
    echo "Jumlah Koneksi    IP Address"
    netstat -ntu | grep ':' | awk '{print $5}' | awk '{sub("::ffff:","");print}' | cut -f1 -d ':' | sort | uniq -c | sort -nr
    echo "---------------------------------------------------------------------------"
    date
    sleep 1
done
}

titit(){
    echo "titit"
    pause
  }

show_menus(){
    clear

    echo "________    _____  ______   ______________________________  ___"
    echo "____  _/    __  / / /__  | / /__  __/__  ____/__    |__   |/  /"
    echo " __  /_______  / / /__   |/ /__  /  __  __/  __  /| |_  /|_/ /"
    echo "__/ /_/_____/ /_/ / _  /|  / _  /   _  /___  _  ___ |  /  / /"
    echo "/___/       \____/  /_/ |_/  /_/    /_____/  /_/  |_/_/  /_/"

    echo "1. Cek history"
    echo "2. Ganti root password"
    echo "3. Cek OS dan Kernel"
    echo "4. Cek Passwd dan Shadow"
    echo "5. Cek Sudoers"
    echo "6. Cek cron"
    echo "7. Menambahkan User SSH"
    echo "8. Modifikasi sudoer untuk user"
    echo "9. Set root nologin di passwd"
    echo "10. Cek port dan chkconfig"
    echo "11. Reset Password Mysql"
    echo "12. Ganti password mysql"
    echo "13. Menambahkan auth key"
    echo "14. Menghapus paket tak terpakai"
    echo "15. Manajemen Akun"
    echo "16. Manajemen Kernel"
    echo "17. Modifikasi Hak Akses"
    echo "18. Set SSH Banner"
    echo "19. Rkhunter"
    echo "20. Chkrootkit"
    echo "21. Hardening Apache"
    echo "22. Hardening SSH"
    echo "23. Install Fail2ban"
    echo "24. Hardening Web Application"
    echo "25. Backdoor Scanner"
    echo "26. Bash Sock Exploit Test"
    echo "27. Heartbleed Exploit Test"
    echo "28. Install mod_security"
    echo "29. Install mod_evasive"
    echo "30. Cek Firewall"
    echo "31. Set Firewall"
    echo "32. flush Firewall"
    echo "33. Tcp Monitoring"
    echo "x.Keluar"
  }

  read_options(){
    local choice
    read -p "Masukan pilihan opsi hardening? " choice
    case $choice in
      1) hist ;;
      2) rootchg ;;
      3) os ;;
      4) passwds ;;
      5) sudoers ;;
      6) cron ;;
      7) adduser ;;
      8) sudoroot ;;
      9) nologin ;;
      10) porting ;;
      11) reset_mysql ;;
      12) change_mysql ;;
      13) key;;
      14) package ;;
      15) akun ;;
      16) Kernel ;;
      17) akses ;;
      18) banner ;;
      19) rkhunt ;;
      20) chkroot ;;
      21) apache ;;
      22) sshhard ;;
      23) fail2 ;;
      24) webapp ;;
      25) backdoor ;;
      26) bashs ;;
      27) heartbleed ;;
      28) mod_security ;;
      29) mod_evasive ;;
      30) check_firewall ;;
      31) set_firewall ;;
      32) flush_firewall ;;
      33) tcp_monitor ;;
      x) exit 0;;
      *) echo -e "${RED}Error...${STD}" && sleep 2
    esac
  }

  trap '' SIGINT SIGQUIT SIGTSTP

  while true
  do
    show_menus
    read_options
  done