├── README.md
├── centos_mail_secure.sh
├── debian_secure.sh
├── drupal_web_secure.sh
└── ubuntu_ftp_secure.sh
/README.md:
--------------------------------------------------------------------------------
# [Cyber-Defense-Competition-Scripts](): Having fun playing as Blue Team.

Created by [@Tech](https://twitter.com/Tech)

Over the past few weeks leading up to competition day, I wrote the following scripts to secure our systems in less than 5 minutes. In case of an intrusion, we can bring systems back up with less downtime. Moreover, none of the systems below was compromised during the competition!

These include:
+ CentOS, for our Mail Server (using iRedMail + Dovecot on CentOS)
+ Ubuntu, for our FTP Server
+ Debian, for our Web Server
+ Drupal Web Server
+ Windows Server 2008 R2 for our Active Directory
+ Bonus: the HMI that ran off a Raspberry Pi!

## Documentation

I have added comments to the code as it goes to give you a better understanding of what each line does. For more stories on this past CDC event, visit my blog!

Note: the scripts carry default credentials as plain variables (root password, SSH user password, MySQL password). Treat them as placeholders and change them before use — anything committed to a public repository is public.
--------------------------------------------------------------------------------
/centos_mail_secure.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Name: centos_mail_secure.sh
# Author: Anthony
# Website: Anthonys.io
# Twitter: Twitter.com/tech
# Purpose: This is used on a CentOS machine for quick securing.

###GUI install::
#yum groupinstall "Desktop"
#Re-edit the /etc/inittab file and revert your previous modification. Change id:5:initdefault back to id:3:initdefault.
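#https://exemen.wordpress.com/2011/01/16/mail-server-setup-guide-for-rhelcentos-5/

# --- Settings ----------------------------------------------------------------
# NOTE(review): ROOTPW used to be hard-coded ("newpass") in this public repo.
# Take it from the environment (ROOTPW=... ./centos_mail_secure.sh) or type it
# in; a password committed to git is not a secret.
HOSTNAME=1l11l1lll1l1l1l1l1l1llll1lll1l1ll111l1ll1ll1l11l1ll111l1lll1l1l1l1lll1l1l1l1ll1ll1111l
SSHPORT=8081
USER=ant
#PASSWORD=cdc
if [ -z "${ROOTPW:-}" ]; then
  read -r -s -p "Enter new root password: " ROOTPW
  echo
fi

# Change root password. chpasswd hashes with the method from login.defs
# (sha512); piping two lines into `passwd` depends on the exact prompt order.
printf 'root:%s\n' "$ROOTPW" | chpasswd

# Setting hostname. sethostname() rejects names longer than 64 bytes, so the
# value above (well over 64 characters) never actually applied; clamp it.
# A mail server also needs this name to resolve - check postfix's myhostname.
HOSTNAME=${HOSTNAME:0:63}
printf '%s\n' "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname

# --- Securing partition mounts -----------------------------------------------
# The original appended hard-coded /dev/mapper lines to fstab: the same LV
# (lg_os-lv_var_tmp) at /var/tmp, /var/log AND /var/log/audit, plus /var/www
# on a mail server. If any of those LVs is missing, the next boot stops in the
# emergency shell. Instead, harden whatever is ALREADY a separate mount: add
# the options to its existing fstab entry and remount it live.
# Caveat: noexec on /tmp breaks some yum scriptlets and anything that builds
# in /tmp - keep that in mind if an update fails afterwards.
cp -p /etc/fstab "/etc/fstab.bak.$(date +%Y%m%d%H%M%S)"
harden_mount() {
  # $1: mount point; $2: comma-separated options to add (e.g. nosuid,noexec,nodev).
  local mp=$1 opts=$2
  mountpoint -q "$mp" || return 0      # not its own filesystem: nothing to do
  awk -v mp="$mp" -v opts="$opts" 'BEGIN { OFS = "\t" }
    $1 !~ /^#/ && $2 == mp && index($4, opts) == 0 { $4 = $4 "," opts }
    { print }' /etc/fstab > /etc/fstab.new && cat /etc/fstab.new > /etc/fstab
  rm -f /etc/fstab.new
  mount -o "remount,$opts" "$mp"
}
harden_mount /tmp           nosuid,noexec,nodev
harden_mount /var           nosuid
harden_mount /var/tmp       nosuid,noexec,nodev
harden_mount /var/log       nosuid,noexec,nodev
harden_mount /var/log/audit nosuid,noexec,nodev
harden_mount /var/www       nosuid,noexec,nodev
harden_mount /boot          nosuid,noexec,nodev

#Install NTP (-y: the original prompted, which defeats "secured in 5 minutes")
yum -y install ntp ntpdate
chkconfig ntpd on
ntpdate pool.ntp.org
/etc/init.d/ntpd start

#Preserve the audit trail. The original rm'd audit.log - that is anti-forensics,
#and the first thing you will want during an incident is exactly that log.
#Copy it into a root-only directory, then let auditd rotate to a fresh file.
mkdir -p /root/ir-evidence && chmod 700 /root/ir-evidence
if [ -f /var/log/audit/audit.log ]; then
  cp -p /var/log/audit/audit.log "/root/ir-evidence/audit.log.$(date +%Y%m%d%H%M%S)"
  service auditd rotate >/dev/null 2>&1 || : > /var/log/audit/audit.log
fi

#Setting Permission
# Boot loader config: CentOS 6 keeps it at /boot/grub/grub.conf, CentOS 7 at
# /boot/grub2/grub.cfg; the original path (/boot/grub2/grub.conf) is neither.
for grubcfg in /boot/grub/grub.conf /boot/grub2/grub.cfg /boot/grub2/grub.conf; do
  [ -f "$grubcfg" ] && chmod 600 "$grubcfg"
done
chmod 700 /root
# /tmp, /var/tmp and /dev/shm must stay 1777 (world-writable + sticky bit).
# The original's chmod 600 /tmp and 700 /var/tmp /dev/shm lock every non-root
# daemon (postfix, dovecot, amavis, mysql) out of its temp space and the mail
# pipeline stops; abuse of these directories is what the nosuid/noexec/nodev
# mounts above are for.
chmod 1777 /tmp /var/tmp /dev/shm
[ -d /usr/local/squirrelmail/data ] && chmod 700 /usr/local/squirrelmail/data
[ -d /usr/local/squirrelmail/temp ] && chmod 700 /usr/local/squirrelmail/temp

#set auth for single user mode (require the root password at the rescue prompt)
sed -i 's#SINGLE=/sbin/sushell#SINGLE=/sbin/sulogin#g' /etc/sysconfig/init

#remove ctrl alt del (upstart job on CentOS 6): log the keypress instead of rebooting
if [ -f /etc/init/control-alt-delete.conf ]; then
  sed -i 's/^exec/#exec/' /etc/init/control-alt-delete.conf
  echo 'exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"' >> /etc/init/control-alt-delete.conf
fi

#disable ipv6 usage (persisted; the live sysctl flip happens further down)
grep -q '^NETWORKING_IPV6=' /etc/sysconfig/network || echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
grep -q '^IPV6INIT=' /etc/sysconfig/network || echo "IPV6INIT=no" >> /etc/sysconfig/network

#prune idle users. The original only printed this message; TMOUT makes bash
#end an idle interactive session after 900 s, readonly so users can't unset it.
echo "Idle users will be removed after 15 minutes"
printf 'TMOUT=900\nreadonly TMOUT\nexport TMOUT\n' > /etc/profile.d/tmout.sh
chmod 644 /etc/profile.d/tmout.sh

#lock down cron / at to root. When cron.allow exists it takes precedence over
#cron.deny, so an EMPTY cron.allow (the original) already blocks everyone but
#root (crond always allows root). Write root into it so the intent is on disk.
echo "Locking down Cron"
echo root > /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/cron.deny
echo "Locking down AT"
echo root > /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/at.deny

#sysctl security - written once (marker-guarded; the original appended the
#whole set again on every run, with duplicates) and applied with sysctl -p.
if ! grep -q '^# cdc-hardening' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf <<'EOF'
# cdc-hardening
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syncookies = 1
# kernel hardening: full address-space randomisation
kernel.randomize_va_space = 2
EOF
fi
sysctl -p >/dev/null

#remove crap (-y: the original prompted for every package)
yum -y remove xinetd telnet-server rsh-server telnet rsh
yum -y groupremove "X Window System"

#kernel hardening (also persisted in sysctl.conf above)
sysctl -q -n -w kernel.randomize_va_space=2

#prevent logins to accounts with null pw. The original `sed 's/\//g'` deleted
#every "/" from system-auth instead of the nullok flag. sshd on CentOS 6 uses
#password-auth, so strip it there too.
for pamfile in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  [ -f "$pamfile" ] && sed -i 's/[[:space:]]nullok\(_secure\)\?//g' "$pamfile"
done

echo "SSH TYPE SHIT"
echo "=================================================================="

# Remove existing ssh keys: root's authorized_keys (attacker persistence) and
# root's own key pairs. Root SSH login is disabled below anyway.
rm -rf ~/.ssh/*

# set_sshd_opt KEY VALUE: set a directive in sshd_config whether the stock
# file had it commented out, set to another value, or absent. The original
# sed'd e.g. "PermitRootLogin yes" -> "no", which is a no-op on the stock
# "#PermitRootLogin yes" line, so the default (yes) stayed in force; same for
# X11Forwarding, HostbasedAuthentication and "#Port 22".
cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
set_sshd_opt() {
  local key=$1 val=$2 cfg=/etc/ssh/sshd_config
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$cfg"; then
    sed -i -r "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${val}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$val" >> "$cfg"
  fi
}

#allow only ssh protocol 2 (the original echo had no ">>" and went to stdout)
set_sshd_opt Protocol 2

#disable host-based auth
set_sshd_opt HostbasedAuthentication no

#change ssh port
set_sshd_opt Port "$SSHPORT"

#Disable root ssh login
set_sshd_opt PermitRootLogin no

#Disabling X11 forwarding
set_sshd_opt X11Forwarding no

#Disabling sshd DNS resolution
set_sshd_opt UseDNS no

#disable ssh access via empty passwords
set_sshd_opt PermitEmptyPasswords no

#Do Not Allow SSH Environment Options
set_sshd_opt PermitUserEnvironment no

#approved ciphers: CTR modes only. The original list also allowed the CBC
#modes and 3des-cbc (CBC plaintext-recovery issue, 64-bit block size).
#OpenSSH 5.3 on CentOS 6 has no GCM/chacha, so CTR is the best available.
set_sshd_opt Ciphers aes256-ctr,aes192-ctr,aes128-ctr

# Moving sshd to $SSHPORT on CentOS needs two more things or you lose the box:
# SELinux (enforcing by default) only lets sshd bind ssh_port_t, and iptables
# only opens 22. sshd is restarted further down, after the admin user exists.
if command -v semanage >/dev/null 2>&1; then
  semanage port -a -t ssh_port_t -p tcp "$SSHPORT" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$SSHPORT"
fi
if command -v iptables >/dev/null 2>&1; then
  iptables -I INPUT -p tcp --dport "$SSHPORT" -j ACCEPT
  service iptables save >/dev/null 2>&1
fi

echo "=================================================================="

# Lock down the sudoers file: root only, which also drops any
# "#includedir /etc/sudoers.d" (where a planted rule would hide).
# The original then did chmod 000 + chattr +i. sudo refuses a sudoers that is
# not mode 0440, and the step further down copies over this file again to add
# $USER - which the immutable bit made fail. Keep it 0440 and mutable here.
chattr -i /etc/sudoers 2>/dev/null
cp -p /etc/sudoers "/root/ir-evidence/sudoers.$(date +%Y%m%d%H%M%S)" 2>/dev/null
printf 'root ALL=(ALL:ALL) ALL\n' > /etc/sudoers
chmod 0440 /etc/sudoers
visudo -c -f /etc/sudoers >/dev/null || echo "WARNING: /etc/sudoers failed visudo -c" >&2

# Clear cronjobs.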
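# The original emptied /etc/crontab and /etc/anacrontab. Emptying anacrontab
# also stops the daily/weekly jobs (logrotate, updatedb) - accepted here. Keep a
# copy for IR first, and record where a planted job really lives
# (/var/spool/cron/<user>, /etc/cron.d/*) for manual review; those are left alone.
mkdir -p /root/ir-evidence && chmod 700 /root/ir-evidence
stamp=$(date +%Y%m%d%H%M%S)
for crontab_file in /etc/crontab /etc/anacrontab; do
  chattr -i "$crontab_file" 2>/dev/null
  [ -f "$crontab_file" ] && cp -p "$crontab_file" "/root/ir-evidence/$(basename "$crontab_file").$stamp"
  : > "$crontab_file"
  chattr +i "$crontab_file"
done
ls -la /var/spool/cron /etc/cron.d > "/root/ir-evidence/cron-review.$stamp.txt" 2>&1

# Check for users who should not have root privileges: any non-root account
# with UID 0 or primary GID 0 is a backdoor, so move it to an unprivileged
# UID/GID. The original reset count=3000 on every iteration and wrote
# `$count++` (which executes the command "3000++"), so every such account got
# the same UID and usermod refused all but the first.
groupadd -g 3000 badGroup 2>/dev/null
count=3000
while IFS=: read -r uname _ uid gid _; do
  [ -z "$uname" ] && continue
  [ "$uname" = "root" ] && continue
  if [ "$uid" -eq 0 ] 2>/dev/null; then
    # skip UIDs that are already taken
    while getent passwd "$count" >/dev/null; do count=$((count + 1)); done
    echo "WARNING: $uname had UID 0 -> reassigned UID $count" | tee -a "/root/ir-evidence/uid0.$stamp.txt"
    usermod -u "$count" "$uname"
    count=$((count + 1))
  fi
  if [ "$gid" -eq 0 ] 2>/dev/null; then
    echo "WARNING: $uname had GID 0 -> moved to badGroup" | tee -a "/root/ir-evidence/uid0.$stamp.txt"
    usermod -g 3000 "$uname"
  fi
done < /etc/passwd

# Remove users from the root group. The original's awk '/root/' matched any
# group whose LINE contains "root", and the comma-separated member list was
# looped over as a single string, so nothing was ever removed.
root_members=$(awk -F: '$1 == "root" {print $4}' /etc/group)
IFS=',' read -r -a root_member_list <<< "$root_members"
for member in "${root_member_list[@]}"; do
  [ -z "$member" ] && continue
  usermod -a -G badGroup "$member"
  gpasswd -d "$member" root
done

echo "Adding new user"
echo "=================================================================="
#Creating primary user
if [ "$(id -u)" -eq 0 ]; then
  # read -p "Enter username of who can connect via SSH: " USER
  read -r -s -p "Enter password of user who can connect via SSH: " PASSWORD
  echo
  # The original hashed with perl crypt($pw, "password"): classic DES crypt,
  # 12-bit salt, only the first 8 characters count. chpasswd uses the system's
  # configured hash (sha512 on CentOS 6+) and keeps the password off argv.
  # The original `egrep "^$USER"` also matched longer names with this prefix
  # and then exited, so a re-run aborted the rest of the hardening; rotate the
  # password of an existing account instead and carry on.
  if getent passwd "$USER" >/dev/null; then
    echo "$USER exists! - rotating its password"
    printf '%s:%s\n' "$USER" "$PASSWORD" | chpasswd
  else
    if useradd -s /bin/bash -m -d "/home/$USER" -U "$USER" \
       && printf '%s:%s\n' "$USER" "$PASSWORD" | chpasswd; then
      echo "$USER has been added to system!"
    else
      echo "Failed to add a $USER!"
    fi
  fi
else
  echo "Only root may add a user to the system"
  exit 2
fi
echo "=================================================================="

echo "Adding $USER to SSH AllowUsers"
grep -q "^AllowUsers .*\b$USER\b" /etc/ssh/sshd_config || echo "AllowUsers $USER" >> /etc/ssh/sshd_config
echo "Adding $USER to sudoers"
# The original cp'd onto a file it had made immutable (and mode 000) earlier,
# so the copy failed and sudo stayed broken. Clear the bit, edit a scratch
# copy, let visudo check it, then install and lock it (chattr -i before any
# later visudo).
chattr -i /etc/sudoers 2>/dev/null
cp -p /etc/sudoers /etc/sudoers.tmp
chmod 0640 /etc/sudoers.tmp
grep -q "^$USER[[:space:]]" /etc/sudoers.tmp || echo "$USER ALL=(ALL) ALL" >> /etc/sudoers.tmp
if visudo -c -f /etc/sudoers.tmp >/dev/null; then
  chmod 0440 /etc/sudoers.tmp
  mv -f /etc/sudoers.tmp /etc/sudoers
  chattr +i /etc/sudoers
else
  echo "WARNING: /etc/sudoers.tmp failed visudo -c; /etc/sudoers left unchanged" >&2
  rm -f /etc/sudoers.tmp
fi
# CentOS' service is sshd, not ssh (/etc/init.d/ssh does not exist here, so
# the original never restarted and the new config never took effect).
# Validate first: restarting on a broken sshd_config is a lockout.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config failed 'sshd -t' - NOT restarting sshd; fix it before you log out" >&2
fi


echo "Colorize the shells"
echo "==============================================================="
#Adding a bit of color and formatting to the command prompt
cat >> "/home/$USER/.bashrc" <<'EOF'

export PS1="${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ "
EOF
# The original also `source`d the user's .bashrc here: that executes a file
# owned by an unprivileged (possibly pre-existing) account as root, and does
# nothing useful inside a non-interactive script - dropped.

echo "Colorize the shells"
#adding color to root
cat >> /root/.bashrc <<'EOF'

export PS1="\[$(tput sgr0)\]"
EOF
#export PS1="\[\e[30m\]\\$\[\e[m\]"

#### Fine tuning network parameters for better performance
# These /proc writes are runtime only (gone after a reboot). setproc skips
# knobs the running kernel does not have - kernel/exec-shield exists only on
# RHEL 5/6 kernels, where the original's bare redirect just errored.
setproc() {
  # $1: path below /proc/sys; $2: value to write
  [ -e "/proc/sys/$1" ] && printf '%s\n' "$2" > "/proc/sys/$1"
}
# Change the following parameters when a high rate of incoming connection requests result in connection failures
setproc net/core/netdev_max_backlog 100000
# Size of the listen queue for accepting new TCP connections (default: 128)
setproc net/core/somaxconn 4096
# Maximum number of sockets in TIME-WAIT to be held simultaneously (default: 180000)
setproc net/ipv4/tcp_max_tw_buckets 600000
# sets the Maximum Socket Receive Buffer for all protocols (in bytes)
setproc net/core/rmem_max 16777216
setproc net/core/rmem_default 16777216
# sets the Maximum Socket Send Buffer for all protocols (in bytes)
setproc net/core/wmem_max 16777216
setproc net/core/wmem_default 16777216
# Set Linux autotuning TCP buffer limits
setproc net/ipv4/tcp_rmem "4096 87380 16777216"
setproc net/ipv4/tcp_wmem "4096 87380 16777216"

setproc net/ipv4/tcp_sack 0
setproc net/ipv4/tcp_dsack 0
# By default, TCP saves various connection metrics in the route cache when the connection closes, so that connections established in the near future can use these to set initial conditions. Usually, this increases overall performance, but may sometimes cause performance degradation. If set, TCP will not cache metrics on closing connections.
setproc net/ipv4/tcp_no_metrics_save 1
# How many times to retry before killing an alive TCP connection
setproc net/ipv4/tcp_retries2 5
# How often to send TCP keepalive packets to keep a connection alive if it is currently unused. This value is only used when keepalive is enabled
setproc net/ipv4/tcp_keepalive_time 120
# How long to wait for a reply on each keepalive probe. Together with the probe count this decides how long an idle, dead connection lingers.
setproc net/ipv4/tcp_keepalive_intvl 30
# Determines the number of probes before timing out
setproc net/ipv4/tcp_keepalive_probes 3
# How long to keep sockets in the state FIN-WAIT-2 if you were the one closing the socket (default: 60)
setproc net/ipv4/tcp_fin_timeout 30
# Sometimes, packet reordering in a network can be interpreted as packet loss and hence increasing the value of this parameter should improve performance (default is 3)
setproc net/ipv4/tcp_reordering 15
#
setproc net/ipv4/tcp_congestion_control cubic
# This value varies depending on total memory of the system. Use it wisely in different situations
# setproc net/ipv4/tcp_max_orphans 262144

# Disable core dumps of setuid programs (they would leak privileged memory)
setproc fs/suid_dumpable 0
# Enable ExecShield (RHEL 5/6 kernels only) and full ASLR. The original wrote
# randomize_va_space=1 here, silently undoing the 2 set in the kernel
# hardening section above.
setproc kernel/exec-shield 1
setproc kernel/randomize_va_space 2
#### Network parameters for better security
# Disable packet forwarding (if this machine is not a router)
setproc net/ipv4/ip_forward 0
setproc net/ipv4/conf/all/send_redirects 0
setproc net/ipv4/conf/default/send_redirects 0
# Enable tcp_syncookies to accept legitimate connections when faced with a SYN flood attack
setproc net/ipv4/tcp_syncookies 1
# Turn off IPv4 protocol features which are considered to have few legitimate uses and to be easy to abuse
setproc net/ipv4/conf/all/accept_source_route 0
setproc net/ipv4/conf/default/accept_source_route 0
setproc net/ipv4/conf/all/accept_redirects 0
setproc net/ipv4/conf/default/accept_redirects 0
setproc net/ipv4/conf/all/secure_redirects 0
setproc net/ipv4/conf/default/secure_redirects 0
# Log suspicious packets (turn off if the system is suffering from too much logging)
setproc net/ipv4/conf/all/log_martians 1
# Protect from ICMP attacks
setproc net/ipv4/icmp_echo_ignore_broadcasts 1
# Enable RFC-recommended source validation (should not be used on machines which are routers for very complicated networks)
setproc net/ipv4/conf/all/rp_filter 1
setproc net/ipv4/conf/default/rp_filter 1
# Increase IPv4 port range to accept more connections
setproc net/ipv4/ip_local_port_range "5000 65535"
# Disable IPV6
setproc net/ipv6/conf/all/disable_ipv6 1
setproc net/ipv6/conf/default/disable_ipv6 1
#### File system tuning
# Increase system file descriptor limit
setproc fs/file-max 7930900
# Allow for more PIDs
setproc kernel/pid_max 65536
# Prefer dropping page cache over swapping out processes
setproc vm/swappiness 5
setproc vm/dirty_background_ratio 20
setproc vm/dirty_ratio 25

#Remove wget, find, nmap, gcc, python, and perl
# TODO(review): this section only prints a banner; nothing is removed. If you
# do remove them, note that yum itself needs python and rpm scriptlets use perl.
echo "Remove wget, find, nmap, gcc,python, and perl"
echo "============================================="
echo "============================================="
echo "============================================="
--------------------------------------------------------------------------------
/debian_secure.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Name: debian_secure.sh
# Author: Anthony
# Website: Anthonys.io
# Twitter: Twitter.com/tech
# Purpose: This is used on a debian machine for quick securing.

# Verify this script is being run by the root user - BEFORE touching anything
# (the original changed the root password first and checked afterwards).
if [ "$EUID" -ne 0 ]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

# `sed -ie` is -i with backup suffix "e": the original left /etc/resolv.confe behind.
sed -i 's/nameserver 10.0.100.1/nameserver 192.168.1.1/g' /etc/resolv.conf
rm -vf /var/lib/apt/lists/*

HOSTNAME=www-data
SSHPORT=8081
USER=ant
# PASSWORD is prompted for below; a password hard-coded in a public repo is public.
PASSWORD=
# ROOTPW: supply via the environment (ROOTPW=... ./debian_secure.sh) or type it in.
if [ -z "${ROOTPW:-}" ]; then
  read -r -s -p "Enter new root password: " ROOTPW
  echo
fi
# Replace with your real OpenSSH public key; the placeholder is rejected later.
PUBLICKEY="ssh rsa yada yada do"

# Change root password (chpasswd: no dependence on passwd's prompt order)
printf 'root:%s\n' "$ROOTPW" | chpasswd

# If you get "E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable)" Then enable below.
# Sudo rm /var/lib/apt/lists/* -vf

# Check-Valid-Until=false disables the Release-file expiry check; needed for
# archived/frozen mirrors, but it also means a stale mirror is accepted.
apt-get -o Acquire::Check-Valid-Until=false update -y -q

# Upgrade everything, takes a few seconds (37.3MB)
apt-get -o Acquire::Check-Valid-Until=false upgrade -y -q

# Lock down the sudoers file.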
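# Root only - this also drops "#includedir /etc/sudoers.d", where a planted
# rule would hide. sudo refuses a sudoers that is not mode 0440, and the step
# further down that adds $USER copies over this file - which the original's
# chattr +i made fail. Keep it 0440 and mutable here.
mkdir -p /root/ir-evidence && chmod 700 /root/ir-evidence
stamp=$(date +%Y%m%d%H%M%S)
chattr -i /etc/sudoers 2>/dev/null
cp -p /etc/sudoers "/root/ir-evidence/sudoers.$stamp"
printf 'root ALL=(ALL:ALL) ALL\n' > /etc/sudoers
chmod 0440 /etc/sudoers
visudo -c -f /etc/sudoers >/dev/null || echo "WARNING: /etc/sudoers failed visudo -c" >&2

# Clear cronjobs. Copies are kept for IR; per-user crontabs and /etc/cron.d
# (where persistence usually lives) are listed for manual review, not touched.
for crontab_file in /etc/crontab /etc/anacrontab; do
  chattr -i "$crontab_file" 2>/dev/null
  [ -f "$crontab_file" ] && cp -p "$crontab_file" "/root/ir-evidence/$(basename "$crontab_file").$stamp"
  : > "$crontab_file"
  chattr +i "$crontab_file"
done
ls -la /var/spool/cron/crontabs /etc/cron.d > "/root/ir-evidence/cron-review.$stamp.txt" 2>&1

# Check programs that have root privileges (setuid). Real files on local
# filesystems only, and written somewhere root-only instead of into whatever
# the current directory happens to be.
find / -xdev -type f -perm -04000 > "/root/ir-evidence/programsWithRootAccess.$stamp.txt"

# Remove existing ssh keys (root's authorized_keys and key pairs).
rm -rf ~/.ssh/*

# Check for users who should not have root privileges: any non-root account
# with UID 0 or primary GID 0 is a backdoor, so move it to an unprivileged
# UID/GID. The original reset count=3000 on every iteration and wrote
# `$count++` (which executes the command "3000++"), so every such account got
# the same UID and usermod refused all but the first.
groupadd -g 3000 badGroup 2>/dev/null
count=3000
while IFS=: read -r uname _ uid gid _; do
  [ -z "$uname" ] && continue
  [ "$uname" = "root" ] && continue
  if [ "$uid" -eq 0 ] 2>/dev/null; then
    # skip UIDs that are already taken
    while getent passwd "$count" >/dev/null; do count=$((count + 1)); done
    echo "WARNING: $uname had UID 0 -> reassigned UID $count" | tee -a "/root/ir-evidence/uid0.$stamp.txt"
    usermod -u "$count" "$uname"
    count=$((count + 1))
  fi
  if [ "$gid" -eq 0 ] 2>/dev/null; then
    echo "WARNING: $uname had GID 0 -> moved to badGroup" | tee -a "/root/ir-evidence/uid0.$stamp.txt"
    usermod -g 3000 "$uname"
  fi
done < /etc/passwd

# Remove users from the root group.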
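# The original's awk '/root/' matched any group line containing "root", and
# the comma-separated member list was looped over as one string, so nothing
# was ever removed.
root_members=$(awk -F: '$1 == "root" {print $4}' /etc/group)
IFS=',' read -r -a root_member_list <<< "$root_members"
for member in "${root_member_list[@]}"; do
  [ -z "$member" ] && continue
  usermod -a -G badGroup "$member"
  gpasswd -d "$member" root
done

echo "ssh stuff starting"
echo "==============================================================="

#setting hostname. Debian resolves its own name through /etc/hosts; without
#the 127.0.1.1 entry sudo complains "unable to resolve host" on every call.
printf '%s\n' "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname
grep -q "[[:space:]]$HOSTNAME\$" /etc/hosts || printf '127.0.1.1\t%s\n' "$HOSTNAME" >> /etc/hosts

# set_sshd_opt KEY VALUE: set a directive in sshd_config whether the stock
# file had it commented out, set to another value, or absent. The original
# sed'd "Port 22" and "PermitRootLogin yes", which does nothing to the stock
# "#Port 22" / "#PermitRootLogin yes" lines, so the defaults stayed in force.
cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
set_sshd_opt() {
  local key=$1 val=$2 cfg=/etc/ssh/sshd_config
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$cfg"; then
    sed -i -r "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${val}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$val" >> "$cfg"
  fi
}
# Never restart sshd on a config that does not parse - that is a lockout.
restart_sshd() {
  if sshd -t; then
    service ssh restart
  else
    echo "sshd_config failed 'sshd -t' - NOT restarting sshd; fix it before you log out" >&2
    return 1
  fi
}

#change ssh port (remember to open it in the firewall if one is active)
set_sshd_opt Port "$SSHPORT"

#Ensure that sshd starts after eth0 is up, not just after filesystem
#(upstart job - only present on Ubuntu-style installs; skip if absent)
[ -f /etc/init/ssh.conf ] && sed -i "s/start on filesystem/start on filesystem and net-device-up IFACE=eth0/g" /etc/init/ssh.conf

#Disable root ssh login
set_sshd_opt PermitRootLogin no

#Disabling password authentication - leave enabled until the key installed
#below is confirmed to work, or you lock yourself out.
#set_sshd_opt PasswordAuthentication no

#Disabling X11 forwarding
set_sshd_opt X11Forwarding no

#Disabling sshd DNS resolution
set_sshd_opt UseDNS no

#Creating primary user
if [ "$(id -u)" -eq 0 ]; then
  # read -p "Enter username of who can connect via SSH: " USER
  read -r -s -p "Enter password of user who can connect via SSH: " PASSWORD
  echo
  # The original hashed with perl crypt($pw, "password"): classic DES crypt,
  # 12-bit salt, only the first 8 characters count. chpasswd uses the system's
  # configured hash (sha512) and keeps the password off argv.
  # The original `egrep "^$USER"` also matched longer names with this prefix
  # and then exited, aborting the rest of the hardening on a re-run; rotate
  # the password of an existing account instead and carry on.
  if getent passwd "$USER" >/dev/null; then
    echo "$USER exists! - rotating its password"
    printf '%s:%s\n' "$USER" "$PASSWORD" | chpasswd
  else
    if useradd -s /bin/bash -m -d "/home/$USER" -U "$USER" \
       && printf '%s:%s\n' "$USER" "$PASSWORD" | chpasswd; then
      echo "$USER has been added to system!"
    else
      echo "Failed to add a $USER!"
    fi
  fi
else
  echo "Only root may add a user to the system"
  exit 2
fi

echo "Adding $USER to SSH AllowUsers"
grep -q "^AllowUsers .*\b$USER\b" /etc/ssh/sshd_config || echo "AllowUsers $USER" >> /etc/ssh/sshd_config
echo "Adding $USER to sudoers"
# The original cp'd onto a file it had made immutable (and mode 000) earlier,
# so the copy failed and sudo stayed broken. Clear the bit, edit a scratch
# copy, let visudo check it, then install and lock it (chattr -i before any
# later visudo).
chattr -i /etc/sudoers 2>/dev/null
cp -p /etc/sudoers /etc/sudoers.tmp
chmod 0640 /etc/sudoers.tmp
grep -q "^$USER[[:space:]]" /etc/sudoers.tmp || echo "$USER ALL=(ALL) ALL" >> /etc/sudoers.tmp
if visudo -c -f /etc/sudoers.tmp >/dev/null; then
  chmod 0440 /etc/sudoers.tmp
  mv -f /etc/sudoers.tmp /etc/sudoers
  chattr +i /etc/sudoers
else
  echo "WARNING: /etc/sudoers.tmp failed visudo -c; /etc/sudoers left unchanged" >&2
  rm -f /etc/sudoers.tmp
fi
restart_sshd

echo "Adding SSH key"
echo "==============================================================="
echo "Adding ssh key"
# Only install PUBLICKEY if it looks like an OpenSSH public key; the default
# placeholder ("ssh rsa yada yada do") would otherwise land in authorized_keys
# as a junk line.
case "$PUBLICKEY" in
  ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*|ssh-dss\ *)
    mkdir -p "/home/$USER/.ssh"
    touch "/home/$USER/.ssh/authorized_keys"
    grep -qxF "$PUBLICKEY" "/home/$USER/.ssh/authorized_keys" \
      || printf '%s\n' "$PUBLICKEY" >> "/home/$USER/.ssh/authorized_keys"
    chown -R "$USER:$USER" "/home/$USER/.ssh"
    chmod 700 "/home/$USER/.ssh"
    chmod 600 "/home/$USER/.ssh/authorized_keys"
    ;;
  *)
    echo "PUBLICKEY does not look like an OpenSSH public key; not installing it" >&2
    ;;
esac
#
set_sshd_opt AuthorizedKeysFile %h/.ssh/authorized_keys
#
restart_sshd

echo "Colorize the shells"
echo "==============================================================="
#Adding a bit of color and formatting to the command prompt
cat >> "/home/$USER/.bashrc" <<'EOF'

export PS1="${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ "
EOF
# The original also `source`d the user's .bashrc here: that executes a file
# owned by an unprivileged (possibly pre-existing) account as root and does
# nothing useful inside a non-interactive script - dropped.

echo "Colorize the shells"
#adding color to root
cat >> /root/.bashrc <<'EOF'

export PS1="\[$(tput sgr0)\]"
EOF
#export PS1="\[\e[30m\]\\$\[\e[m\]"

echo "Linux Kernal Hardening"
echo "==============================================================="
#Linux kernel hardening. Debian's procps loads /etc/sysctl.d/*.conf at boot;
#a separate file is idempotent, unlike sed-uncommenting lines that may not
#exist in this particular sysctl.conf (then nothing was set at all).
cp /etc/sysctl.conf /etc/sysctl.conf.bak
cat > /etc/sysctl.d/99-cdc-hardening.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
sysctl -e -p /etc/sysctl.d/99-cdc-hardening.conf >/dev/null

#### Fine tuning network parameters for better performance
# These /proc writes are runtime only (gone after a reboot). setproc skips
# knobs the running kernel does not have - kernel/exec-shield is a RHEL 5/6
# thing, where the original's bare redirect just errored on Debian.
setproc() {
  # $1: path below /proc/sys; $2: value to write
  [ -e "/proc/sys/$1" ] && printf '%s\n' "$2" > "/proc/sys/$1"
}
# Change the following parameters when a high rate of incoming connection requests result in connection failures
setproc net/core/netdev_max_backlog 100000
# Size of the listen queue for accepting new TCP connections (default: 128)
setproc net/core/somaxconn 4096
# Maximum number of sockets in TIME-WAIT to be held simultaneously (default: 180000)
setproc net/ipv4/tcp_max_tw_buckets 600000
# sets the Maximum Socket Receive Buffer for all protocols (in bytes)
setproc net/core/rmem_max 16777216
setproc net/core/rmem_default 16777216
# sets the Maximum Socket Send Buffer for all protocols (in bytes)
setproc net/core/wmem_max 16777216
setproc net/core/wmem_default 16777216
# Set Linux autotuning TCP buffer limits
setproc net/ipv4/tcp_rmem "4096 87380 16777216"
setproc net/ipv4/tcp_wmem "4096 87380 16777216"

setproc net/ipv4/tcp_sack 0
setproc net/ipv4/tcp_dsack 0
# By default, TCP saves various connection metrics in the route cache when the connection closes, so that connections established in the near future can use these to set initial conditions. Usually, this increases overall performance, but may sometimes cause performance degradation. If set, TCP will not cache metrics on closing connections.
setproc net/ipv4/tcp_no_metrics_save 1
# How many times to retry before killing an alive TCP connection
setproc net/ipv4/tcp_retries2 5
# How often to send TCP keepalive packets to keep a connection alive if it is currently unused. This value is only used when keepalive is enabled
setproc net/ipv4/tcp_keepalive_time 120
# How long to wait for a reply on each keepalive probe. Together with the probe count this decides how long an idle, dead connection lingers.
setproc net/ipv4/tcp_keepalive_intvl 30
# Determines the number of probes before timing out
setproc net/ipv4/tcp_keepalive_probes 3
# How long to keep sockets in the state FIN-WAIT-2 if you were the one closing the socket (default: 60)
setproc net/ipv4/tcp_fin_timeout 30
# Sometimes, packet reordering in a network can be interpreted as packet loss and hence increasing the value of this parameter should improve performance (default is 3)
setproc net/ipv4/tcp_reordering 15
#
setproc net/ipv4/tcp_congestion_control cubic
# This value varies depending on total memory of the system. Use it wisely in different situations
# setproc net/ipv4/tcp_max_orphans 262144

# Disable core dumps of setuid programs (they would leak privileged memory)
setproc fs/suid_dumpable 0
# Enable ExecShield (RHEL kernels only) and full ASLR. The original wrote
# randomize_va_space=1 here; 2 also randomises the heap.
setproc kernel/exec-shield 1
setproc kernel/randomize_va_space 2
#### Network parameters for better security
# Disable packet forwarding (if this machine is not a router)
setproc net/ipv4/ip_forward 0
setproc net/ipv4/conf/all/send_redirects 0
setproc net/ipv4/conf/default/send_redirects 0
# Enable tcp_syncookies to accept legitimate connections when faced with a SYN flood attack
setproc net/ipv4/tcp_syncookies 1
# Turn off IPv4 protocol features which are considered to have few legitimate uses and to be easy to abuse
setproc net/ipv4/conf/all/accept_source_route 0
setproc net/ipv4/conf/default/accept_source_route 0
setproc net/ipv4/conf/all/accept_redirects 0
setproc net/ipv4/conf/default/accept_redirects 0
setproc net/ipv4/conf/all/secure_redirects 0
setproc net/ipv4/conf/default/secure_redirects 0
# Log suspicious packets (turn off if the system is suffering from too much logging)
setproc net/ipv4/conf/all/log_martians 1
# Protect from ICMP attacks
setproc net/ipv4/icmp_echo_ignore_broadcasts 1
# Enable RFC-recommended source validation (should not be used on machines which are routers for very complicated networks)
setproc net/ipv4/conf/all/rp_filter 1
setproc net/ipv4/conf/default/rp_filter 1
# Increase IPv4 port range to accept more connections
setproc net/ipv4/ip_local_port_range "5000 65535"
# Disable IPV6
setproc net/ipv6/conf/all/disable_ipv6 1
setproc net/ipv6/conf/default/disable_ipv6 1
#### File system tuning
# Increase system file descriptor limit
setproc fs/file-max 7930900
# Allow for more PIDs
setproc kernel/pid_max 65536
# Prefer dropping page cache over swapping out processes
setproc vm/swappiness 5
setproc vm/dirty_background_ratio 20
setproc vm/dirty_ratio 25


echo "Removing Packages"
echo "==============================================================="
#dpkg --list
#Removing known software!!!!!!!!!!!!!!!!!!! dpkg --list ::to check for more packages
apt-get remove ftp -y
#apt-get remove gcc-4.7-base:amd64 -y
#apt-get remove wget -y
apt-get remove telnet -y
apt-get remove telnetd -y

# perl-base and findutils are Essential packages: apt-get will not remove them
# without the interactive "Yes, do as I say!" prompt (which stalls an
# unattended run), and removing them breaks dpkg/apt (perl) and most init
# scripts (find). They are left commented out on purpose; the full perl and
# perl-modules packages can go.
apt-get remove perl -y
#apt-get remove perl-base -y
apt-get remove perl-modules -y

apt-get remove netcat-traditional -y
#apt-get remove findutils -y
#apt-get remove vim -y
#apt-get remove vim-common -y
#apt-get remove vim-runtime -y
#apt-get remove vim-tiny -y
#apt-get remove bash -y
#apt-get remove bash-completion -y

#apt-get remove python -y
#apt-get remove python-apt -y
#apt-get remove python-apt-common -y
#apt-get remove python-chardet -y
#apt-get remove python-debian -y
#apt-get remove python-debianbts -y
#apt-get remove python-fpconst -y
#apt-get remove python-ipy -y
#apt-get remove python-minimal -y
#apt-get remove python-reportbug -y
#apt-get remove python-selinux -y
#apt-get remove python-semanage -y
#apt-get remove python-sepolgen -y
#apt-get remove python-setools -y
#apt-get remove python-soappy -y
#apt-get remove python-support -y
#apt-get remove python2.6 -y
#apt-get remove python2.6-minimal -y
#apt-get remove python2.7 -y
#apt-get remove python2.7-minimal -y

#rm -R /usr/bin/perl
#rm -R /usr/lib/perl
#rm -R /usr/lib/perl5

echo "Disable shell login"
echo "==============================================================="
#Disable logins via /etc/passwd: give the system accounts a non-login shell.
#Debian's is /usr/sbin/nologin (the original wrote /sbin/nologin, which does
#not exist on Debian - that denies login too, but only by accident). The
#original matched on home-directory fragments ("dev:", "nonexistent:", "lpd:"),
#which is fragile; address the accounts by name. Never do this to root.
#sed -i "s/root:\/bin\/bash/root:\/sbin\/nologin/g" /etc/passwd #root
for sysacct in daemon bin sys games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid; do
  getent passwd "$sysacct" >/dev/null && usermod -s /usr/sbin/nologin "$sysacct"
done

#Remove random CDC account on linux. Kill its sessions first - userdel refuses
#(or leaves a live shell behind) while the account is logged in, and the
#original's nologin edit was moot once the account was deleted anyway.
pkill -KILL -u cdc 2>/dev/null
userdel -r cdc

echo "ssh configs"
echo "==============================================================="
#ssh configs
#https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
# The original edited commented-out ("# Ciphers ...") lines in ssh_config -
# the CLIENT config - so nothing changed for inbound connections. Apply the
# restrictions to sshd_config and validate before restarting.
set_sshd_opt Protocol 2
set_sshd_opt Ciphers aes256-ctr
# hmac-sha2 needs OpenSSH >= 5.9; fall back to the original's hmac-sha1 if
# this sshd rejects it rather than leaving an unparseable config on disk.
set_sshd_opt MACs hmac-sha2-512,hmac-sha2-256
if ! sshd -t 2>/dev/null; then
  set_sshd_opt MACs hmac-sha1
fi
restart_sshd

#World-writable directories for user/group 'root'
#http://www.onlineconversion.com/html_chmod_calculator.htm
# Keep them world-writable WITH the sticky bit (1777). The original chmod 700
# on /run/shm, /run/lock and /var/tmp locks every daemon (mysql, apache/php
# sessions, samba) out of them, and /var/lib/php5 at 700 breaks PHP session
# storage for www-data.
chmod 1777 /run/shm /run/lock /var/tmp 2>/dev/null
[ -d /var/lib/php5 ] && chmod 755 /var/lib/php5
[ -d /var/spool/samba ] && chmod 1777 /var/spool/samba
# /etc/shadow is root:shadow 0640 on Debian; 0600 breaks the setgid-shadow
# helpers (unix_chkpwd), i.e. password checks by non-root processes.
chown root:shadow /etc/shadow && chmod 0640 /etc/shadow

########################################
#THINGS TO CHECKOUT
# The original `cat`ed the Samba credentials file to the terminal - don't
# print secrets into scrollback or a screen recording. Just keep it root-only.
[ -f /etc/samba/.smbcredentials ] && chmod 600 /etc/samba/.smbcredentials
#username=asdfasdf@pangea.local
#password=ASDFqwer1234
#
#/etc/samba/smb.conf
#########################################

# Reboot the system
#reboot

echo "==============================================================="
echo "FINISHED!"
echo "FINISHED!"
echo "Done"
echo "==============================================================="
--------------------------------------------------------------------------------
/drupal_web_secure.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Name: drupal_web_secure.sh
# Author: Anthony
# Website: Anthonys.io
# Twitter: Twitter.com/tech
# Purpose: This is used on a ubuntu machine regarding a drupal web server for quick securing.

# NOTE(review): the MySQL root password was hard-coded here ("G3N1U5H4CK5");
# anything in a public repo is public. Supply it via the environment
# (MYSQLPASSWORD=... ./drupal_web_secure.sh) or type it in.
if [ -z "${MYSQLPASSWORD:-}" ]; then
  read -r -s -p "Enter new MySQL root password: " MYSQLPASSWORD
  echo
fi

#SSL SETTINGS
country=US
state=NewYork
locality=NewYork
organization=blueteam
organizationalunit=Hackers
commonname=192.168.1.70 #used for several commands.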
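email=administrator@web.com
#Optional
# Only meaningful for an encrypted key, and the key is generated with -nodes,
# so this is effectively unused. Override from the environment, do not edit it in.
passwordssl=${passwordssl:-G3N1U5H4CK5}
#SSL SETTINGS END

# Everything below rewrites system files and the web root; refuse to run
# unprivileged instead of leaving a silently half-applied state behind.
if [[ $EUID -ne 0 ]]; then
  echo "drupal_web_secure.sh must run as root" >&2
  exit 1
fi

# Escape a literal for use as the replacement side of a sed s///.
sed_lit() { printf '%s' "$1" | sed 's/[\/&\\]/\\&/g'; }

echo "==============================================================================="
echo "Changing Samba Login/Password"
# The placeholders are what the committed script wrote if nobody edited it --
# pass the real AD account via SMBUSER/SMBPASS. Plain "sed -i" (not "-ie"):
# with GNU sed, -ie means "in place, backup suffix e", which left a copy of the
# old credentials behind in /etc/samba/.smbcredentialse.
SMBUSER=${SMBUSER:-NEW_USER_FROM_AD_HERE}
SMBPASS=${SMBPASS:-NEW_PASSWORD_HERE}
sed -i "s/asdfasdf/$(sed_lit "$SMBUSER")/g" /etc/samba/.smbcredentials
sed -i "s/ASDFqwer1234/$(sed_lit "$SMBPASS")/g" /etc/samba/.smbcredentials
chmod 600 /etc/samba/.smbcredentials

#Mysql Changing password (use manual below if this don't work)
# The old password is the installer default. MYSQL_PWD keeps both secrets out
# of the process list; a -p<password> argument is visible to every user in ps.
MYSQL_OLD_PASSWORD=${MYSQL_OLD_PASSWORD:-password}
MYSQL_PWD="$MYSQL_OLD_PASSWORD" mysqladmin -u root password "$MYSQLPASSWORD"
MYSQL_PWD="$MYSQLPASSWORD" mysqladmin -u root ping

# If it hangs at Resolving because of using 192 network.. then change /etc/resolv.conf (enable below)
#sed -i 's/nameserver 10.0.100.1/nameserver 192.168.1.1/g' /etc/resolv.conf

#Puts website in maintenance mode
echo "\$conf['maintenance_mode'] = 1;" >> /var/www/html/sites/default/settings.php

#Download latest drupal updates
# Every step is checked: an unchecked "cd" followed by "rm -R includes modules"
# deletes from whatever directory the operator happened to be in, and a failed
# download would leave the site without its core files.
DRUPAL_TGZ=drupal-7.54.tar.gz
cd /var/www/ || exit 1
wget "https://ftp.drupal.org/files/projects/$DRUPAL_TGZ" -q || { echo "download of $DRUPAL_TGZ failed" >&2; exit 1; }
# Supply-chain check: set DRUPAL_SHA256 to the checksum drupal.org publishes
# for this release; without it the tarball is trusted on TLS alone.
if [[ -n ${DRUPAL_SHA256:-} ]]; then
  echo "$DRUPAL_SHA256  $DRUPAL_TGZ" | sha256sum -c - || { echo "checksum mismatch for $DRUPAL_TGZ" >&2; exit 1; }
else
  echo "WARNING: DRUPAL_SHA256 not set; $DRUPAL_TGZ was not verified" >&2
fi
tar -zxf "$DRUPAL_TGZ" || exit 1
mv drupal-7.54 htmlnew
rm -f "$DRUPAL_TGZ"

#Remove infected and unwanted files/folders (pw.list, xmlrpc.php??)
cd /var/www/html || exit 1
# Known-bad artefacts are quarantined rather than deleted so they can be
# examined later; the stock docs/installer files are simply removed.
mkdir -p /root/quarantine && chmod 700 /root/quarantine
for bad in c99shell.php pw.list setup.php; do
  [[ -e $bad ]] && mv -- "$bad" /root/quarantine/
done
rm -f README.txt UPGRADE.txt install.php LICENSE.txt INSTALL.mysql.txt INSTALL.pgsql.txt CHANGELOG.txt COPYRIGHT.txt INSTALL.sqlite.txt MAINTAINERS.txt INSTALL.txt

#Remove files/folders for the update!
rm -R includes misc modules profiles
rm -f authorize.php cron.php index.php update.php

#Copying new files over
for item in includes misc modules profiles authorize.php cron.php index.php update.php install.php; do
  cp -R "/var/www/htmlnew/$item" .
done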
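#Removing extra files..
rm -f /var/www/html/install.php

#Fix an update permission
# Plain "sed -i": the old "-ie" told GNU sed to keep a backup with suffix "e",
# i.e. sites/default/settings.phpe -- a world-readable copy of the database
# password that Apache serves as plain text, because .phpe is not a PHP
# extension. Remove any such copy left by earlier runs.
SETTINGS=/var/www/html/sites/default/settings.php
rm -f "${SETTINGS}e"
sed -i 's/$update_free_access = TRUE;/$update_free_access = FALSE;/g' "$SETTINGS"

#Fix file/folder Permissions
# The recursive 755 runs first; it used to run last and silently turned the
# freshly set 644 settings.php back into 755. settings.php holds the DB
# credentials, so it is readable by root and the web-server group only
# (www-data for Apache on Ubuntu -- adjust if your server runs as someone else).
chmod -R 755 /var/www/html/sites/default
chown root:www-data "$SETTINGS"
chmod 640 "$SETTINGS"

#remove apache2 manual
#rm -R /usr/share/doc/apache2-doc

#Takes website out of maintenance mode
#echo "\$conf['maintenance_mode'] = 0;" >> /var/www/html/sites/default/settings.php
# Restricted to the maintenance_mode line: the old unanchored "] = 1;" pattern
# rewrote every $conf[...] = 1; setting in the file.
sed -i "/maintenance_mode/s/] = 1;/] = 0;/" "$SETTINGS"

#Need to go to update.php via web.
echo "GO TO WEBSITE.COM/update.php and finish the updates."
echo "GO TO WEBSITE.COM/update.php and finish the updates."
echo "GO TO WEBSITE.COM/update.php and finish the updates."
echo "GO TO WEBSITE.COM/update.php and finish the updates."

#Edit .htaccess in files directory
# Written whole (not appended) so anything an intruder added to the uploads
# .htaccess -- AddHandler/AddType tricks that turn uploads into code -- is
# gone. The directives are Drupal's own SA-2006-006 / SA-2013-003 handler
# override. NOTE(review): the listing this was recovered from had lost the
# <Files>/<IfModule> tags; the second SetHandler only works inside <Files *>,
# and a bare php_flag is an "Invalid command" (HTTP 500) when mod_php is not
# loaded, so the guards are restored here.
cat > /var/www/html/sites/default/files/.htaccess <<'EOF'
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
EOF

#Installing Captcha
# Unpacked in a private temp dir instead of the current directory (which was
# the live sites/ tree) and only installed if the download actually worked.
CAPTCHA_TGZ=captcha-7.x-1.4.tar.gz
captcha_tmp=$(mktemp -d) || exit 1
if wget -q -O "$captcha_tmp/$CAPTCHA_TGZ" "https://ftp.drupal.org/files/projects/$CAPTCHA_TGZ" \
   && tar -zxf "$captcha_tmp/$CAPTCHA_TGZ" -C "$captcha_tmp"; then
  cp -R "$captcha_tmp/captcha" /var/www/html/sites/all/modules
  chmod 775 /var/www/html/sites/all/modules/captcha
  echo "Manually enable through modules page, \"user_register_form\""
else
  echo "captcha download failed; install it by hand" >&2
fi
rm -rf "$captcha_tmp"


#Mysql Changing password (use manual below if this don't work)
#mysqladmin -u root -ppassword password "$MYSQLPASSWORD"
#mysqladmin -u root -p"$MYSQLPASSWORD" ping

#Changing Mysql password on drupal
# '/', '&' and '\' in the password would break the sed expression; escape them.
mysql_pw_sed=$(printf '%s' "$MYSQLPASSWORD" | sed 's/[\/&\\]/\\&/g')
sed -i "s/ 'password' => 'password',/ 'password' => '$mysql_pw_sed',/g" "$SETTINGS"

#/etc/init.d/mysql stop
#Need to do it manually..
#mysql -u root -p
#"Then enter current password"
#use mysql;
#update user set password=PASSWORD("<new password>") where User='root';
#flush privileges;
#quit
#/etc/init.d/mysql start

#Change Footer
# No "-ie" here either: it left page.tpl.phpe copies inside the theme directories.
for tpl in /var/www/html/themes/nexus/templates/page.tpl.php /var/www/html/themes/nexus_child/templates/page.tpl.php; do
  sed -i -e "s/devsaran.com/anthonys.io/g" -e "s/Devsaran/@Tech/g" "$tpl"
done

#Scrub robots.txt, xmlrpc.php, web.config
# Renamed, not removed, so they can be restored. xmlrpcNO.php is still a PHP
# file Apache will execute if someone requests it by name; moving it out of the
# web root entirely would be safer.
mv /var/www/html/robots.txt /var/www/html/robotsNO.txt
mv /var/www/html/xmlrpc.php /var/www/html/xmlrpcNO.php
mv /var/www/html/web.config /var/www/html/webNO.config

#remove apache2 manual
rm -R /usr/share/doc/apache2-doc

#remove apache2 icons
rm -R /usr/share/apache2/icons

APACHE_CONF=/etc/apache2/apache2.conf
# Appended once (marker comment) so re-running the script does not stack
# duplicate directives. NOTE(review): the listing this was recovered from had
# lost the <Directory> tags around the Order/Allow/Options lines; without them
# "apache2ctl configtest" fails ("Order not allowed here") and the restart
# below would take the site down. Order/Allow/Deny is 2.2 syntax; on 2.4 it
# still works through mod_access_compat, which Ubuntu enables by default.
if ! grep -q '^#CDC hardening (drupal_web_secure.sh)' "$APACHE_CONF"; then
cat >> "$APACHE_CONF" <<'EOF'
#CDC hardening (drupal_web_secure.sh)
#Hide apache version and OS Identity
ServerSignature Off
ServerTokens Prod

#Files outside of web root are not served
<Directory />
 Order Deny,Allow
 Deny from all
 Options None
 AllowOverride None
</Directory>
<Directory /var/www/html>
 Order Allow,Deny
 Allow from all
</Directory>

#Turn off apache2 directory browsing
# -Indexes is the option that disables listings; the old "-None" is not a valid
# Options argument. -FollowSymLinks is re-enabled by Drupal's own .htaccess.
<Directory /var/www/html>
 Options -Indexes -ExecCGI -FollowSymLinks
</Directory>
EOF
fi

#Make sure only root has read access to apache's config and binaries
chown -R root:root /usr/share/apache2/
chmod -R o-rwx /usr/share/apache2/
chown -R root:root /etc/apache2
chmod -R o-rwx /etc/apache2

#restart apache2 service
# Only when the config parses -- restarting on a broken one stops Apache and
# it does not come back, taking the scored service with it.
if apache2ctl configtest; then
  service apache2 restart
else
  echo "apache config failed configtest; NOT restarting -- fix $APACHE_CONF first" >&2
fi

#Remove htmlnew/install.php
rm -R /var/www/htmlnew
rm -f /var/www/html/install.php

echo "==============================================================="
echo "Starting SSL"

#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

# -nodes writes an unencrypted key, so the old -passin (which also put
# $passwordssl on the command line for everyone to read in ps) did nothing;
# the private key is protected by file permissions instead.
umask 077
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt \
 -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
chmod 600 /etc/ssl/private/apache-selfsigned.key
chmod 644 /etc/ssl/certs/apache-selfsigned.crt
umask 022

echo "Done moving on to pem"
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
chmod 644 /etc/ssl/certs/dhparam.pem

# Written to conf-available (2.4, enabled with a2enconf) or conf.d (2.2,
# included automatically) -- the directories Apache actually reads. The old
# "cat > ssl-params.conf" wrote into the current directory, i.e. the live
# sites/ tree, so a2enconf could not find it and none of this TLS policy was
# ever applied (and the file sat world-readable in the web root).
if [[ -d /etc/apache2/conf-available ]]; then
  SSL_PARAMS=/etc/apache2/conf-available/ssl-params.conf
else
  SSL_PARAMS=/etc/apache2/conf.d/ssl-params.conf
fi
cat > "$SSL_PARAMS" << EOF
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# TLS 1.0/1.1 are still allowed here; add -TLSv1 -TLSv1.1 once you know every
# client (the scoring engine included) speaks TLS 1.2.
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
# NOTE(review): the self-signed certificate above carries no OCSP URI, so
# expect a stapling warning in the error log at every start.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
EOF

# Apache 2.2 (Ubuntu 12.04) names the vhost files default/default-ssl, 2.4
# names them 000-default.conf/default-ssl.conf; use whichever exists.
SITES=/etc/apache2/sites-available
SSL_SITE=$SITES/default-ssl.conf
[[ -f $SSL_SITE ]] || SSL_SITE=$SITES/default-ssl
HTTP_SITE=$SITES/000-default.conf
[[ -f $HTTP_SITE ]] || HTTP_SITE=$SITES/default
cp "$SSL_SITE" "$SSL_SITE.bak"

# Line 4 is the first line inside <VirtualHost> in the stock file. Fragile,
# but that is the layout this was written against.
sed -i '4iServerName '"$commonname" "$SSL_SITE"

# Point the TLS vhost at /var/www/html. Only an exact "/var/www" DocumentRoot
# or <Directory> is rewritten: the old blanket "www" -> "www/html" substitution
# also turned an existing /var/www/html into /var/www/html/html and hit every
# other "www" in the file.
sed -i -e 's#^\([[:space:]]*DocumentRoot[[:space:]]\+\)/var/www/\?$#\1/var/www/html#' \
       -e 's#<Directory /var/www/\?>#<Directory /var/www/html/>#' "$SSL_SITE"
#sed -i "s/webmaster@localhost/\"$email\"/g" "$SSL_SITE"

# Drupal's clean URLs need its .htaccess honoured under the web root.
sed -i "s/AllowOverride None/AllowOverride All/g" "$SSL_SITE"

sed -i "s/ssl-cert-snakeoil.pem/apache-selfsigned.crt/g" "$SSL_SITE"
sed -i "s/ssl-cert-snakeoil.key/apache-selfsigned.key/g" "$SSL_SITE"

# Send everything from the plain-HTTP vhost to HTTPS (line 3 is inside
# <VirtualHost *:80> in the stock file).
sed -i '3iRedirect permanent "/" https://'"$commonname/" "$HTTP_SITE"
a2enmod ssl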
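a2enmod headers
a2ensite default-ssl
# a2enconf exists only on Apache 2.4 and only finds the snippet if it was
# written to conf-available; say so instead of failing quietly mid-script.
if command -v a2enconf >/dev/null 2>&1 && [[ -f /etc/apache2/conf-available/ssl-params.conf ]]; then
  a2enconf ssl-params
else
  echo "ssl-params.conf is not in /etc/apache2/conf-available -- TLS hardening NOT enabled" >&2
fi
# Restart only a configuration that parses: restarting on a broken one stops
# Apache and it does not come back. One restart is enough -- the old
# systemctl+service pair restarted twice.
if apache2ctl configtest; then
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart apache2
  else
    service apache2 restart
  fi
else
  echo "apache2 configtest failed; NOT restarting. Restore sites-available/*.bak or fix the config, then restart by hand." >&2
fi

# Reboot the system
##reboot

echo "==============================================================="
echo "Check if website connects to database, if notchange pw in: /var/www/html/sites/default/settings.php "
echo "GO TO WEBSITE.COM/update.php and finish the updates."
echo "Manually enable captcha through modules page, add \"user_register_form\""
echo "Done"
echo "==============================================================="
--------------------------------------------------------------------------------
/ubuntu_ftp_secure.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Name: ubuntu_ftp_secure.sh
# Author: Anthony
# Website: Anthonys.io
# Twitter: Twitter.com/tech
# Purpose: This is used on a ubuntu machine for quick securing.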
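#/etc/nslcd.conf
#^^LDAP Infomation

# Everything here needs root; bail out early instead of leaving a silently
# half-applied hardening behind.
if [[ $EUID -ne 0 ]]; then
  echo "ubuntu_ftp_secure.sh must run as root" >&2
  exit 1
fi

# Account passwords come from the environment. The old hard-coded "newpass"
# sits in a public repository, which is worse than changing nothing:
#   ROOTPW='...' UBUNTUFTP='...' ./ubuntu_ftp_secure.sh
ROOTPW=${ROOTPW:?set ROOTPW (new root password) in the environment}
UBUNTUFTP=${UBUNTUFTP:?set UBUNTUFTP (new ubuntuftp password) in the environment}
HOSTNAME=111II11I1IIl1llIll11

#192 network stuff
#ifconfig eth0 192.168.1.22 netmask 255.255.255.0
#ip route add default via 192.168.1.1
# "sed -i", not "-ie": with GNU sed the latter keeps a backup named resolv.confe.
sed -i 's/nameserver 10.0.100.1/nameserver 192.168.1.1/g' /etc/resolv.conf
rm /var/lib/apt/lists/* -vf

# Change root password
# chpasswd reads "user:password" from stdin. passwd(1) does not -- it prompts
# on the controlling tty -- so the old 'echo -e "pw\npw" | passwd' changed
# nothing when run from a terminal.
printf '%s:%s\n' root "$ROOTPW" | chpasswd

#changing default ubuntuftp password
printf '%s:%s\n' ubuntuftp "$UBUNTUFTP" | chpasswd

#Upgrade everything, takes a few seconds (33.9MB)
# Check-Valid-Until=false accepts expired Release files -- needed for the
# frozen competition mirror, but it also switches off apt's replay protection,
# so do not carry it into production. The noninteractive frontend plus
# confdef/confold stop dpkg from blocking on a conffile prompt.
export DEBIAN_FRONTEND=noninteractive
apt-get -o Acquire::Check-Valid-Until=false update -y -q
apt-get -o Acquire::Check-Valid-Until=false -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold upgrade -y -q

#Removing the folders below
# NOTE(review): these directories are normally 1777; any service that runs
# unprivileged and needs a lock file, POSIX shm or scratch space in /var/tmp
# will break. /tmp is deliberately NOT touched: the old "chmod 700 /tmp" was
# undone later in this same script (chmod 1777 /tmp) and in between it broke
# every non-root process on the box.
chmod 700 /var/lib/php5 #php
chmod 700 /run/shm #mysql
chmod 700 /run/lock #iono
chmod 700 /var/tmp #fuckit
chmod 700 /var/spool/samba #printer
chmod 700 /var/crash
chmod 600 /etc/shadow
chmod 700 /var/mail

#Potentional priv escl bullshit
# securityfs interface files for loading AppArmor policy; already root-only on
# a stock kernel, kept as belt and braces.
chmod 600 /sys/kernel/security/apparmor/.access
chmod 600 /sys/kernel/security/apparmor/.remove
chmod 600 /sys/kernel/security/apparmor/.replace
chmod 600 /sys/kernel/security/apparmor/.load

#chmod 700 auth.log for rfis
chmod 700 /var/log/auth.log

# Lock down the sudoers file.
# Only root may sudo: the %sudo/%admin lines and "#includedir /etc/sudoers.d"
# are intentionally dropped so attacker-planted drop-ins stop working.
# The mode must be 0440 *before* the immutable bit goes on: chattr +i blocks
# any later chmod, and sudo rejects a sudoers whose mode is not 0440 -- the
# old "chmod 000; chattr +i" left sudo unusable for everyone, root included.
chattr -i /etc/sudoers
echo "root ALL=(ALL:ALL) ALL" > /etc/sudoers
chown root:root /etc/sudoers
chmod 0440 /etc/sudoers
visudo -c -f /etc/sudoers || echo "WARNING: /etc/sudoers failed visudo -c" >&2
chattr +i /etc/sudoers

# Clear cronjobs.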
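chattr -i /etc/crontab
# Emptied, not deleted. This also drops the stock run-parts lines that drive
# /etc/cron.{hourly,daily,weekly,monthly} (logrotate, apt cleanups) -- accepted
# here to kill any persistence an intruder planted.
echo "" > /etc/crontab
chattr +i /etc/crontab
chattr -i /etc/anacrontab
echo "" > /etc/anacrontab
chattr +i /etc/anacrontab

# Check programs that have root privliges
# Regular files only, errors from /proc and unreadable mounts muted; written
# into the current directory as before.
find / -type f -perm -04000 2>/dev/null > programsWithRootAccess.txt

# Remove existing ssh keys
# This is root's ~/.ssh, authorized_keys included: make sure a password or
# console path in still exists before running it.
rm -rf ~/.ssh/*

# Check for users who should not have root privlages.
# Every account other than root with UID 0 or GID 0 is moved to a fresh,
# unprivileged id. The old loop reset its counter on every iteration and
# tried to bump it with "$count++" (bash ran that as a command named "3000++"),
# so every such account collided on UID 3000; ids handed out here are checked
# against the passwd database first. uid/gid are fields 3 and 4 of /etc/passwd.
groupadd -g 3000 badGroup
next_uid=3000
while IFS=: read -r name _ uid gid _; do
  [[ $name == root ]] && continue
  if (( uid == 0 )); then
    while getent passwd "$next_uid" >/dev/null; do next_uid=$((next_uid + 1)); done
    usermod -u "$next_uid" "$name" && next_uid=$((next_uid + 1))
  fi
  if (( gid == 0 )); then
    usermod -g 3000 "$name"
  fi
done < /etc/passwd

# Remove users from the root group.
# getent returns the gid-0 entry by name and the member field is split on
# commas. The old "awk /root/" matched every group line that merely contained
# "root" and never split the member list, so it only worked by accident when
# exactly one user was in the group.
for member in $(getent group root | cut -d: -f4 | tr ',' ' '); do
  usermod -a -G badGroup "$member"
  gpasswd -d "$member" root
done

echo "ssh stuff starting"
echo "==============================================================="

#setting hostname
echo "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname
# Keep /etc/hosts in step, otherwise sudo and several daemons complain
# "unable to resolve host" after the rename.
if grep -q '^127\.0\.1\.1' /etc/hosts; then
  sed -i "s/^127\.0\.1\.1.*/127.0.1.1\t$HOSTNAME/" /etc/hosts
else
  printf '127.0.1.1\t%s\n' "$HOSTNAME" >> /etc/hosts
fi

# sshd settings. set_sshd replaces an existing directive (commented out or
# not) or appends it, so the result does not depend on how the stock file
# spelled it: the old 's/PermitRootLogin yes/.../' never matched Ubuntu's
# default "PermitRootLogin without-password" / "prohibit-password", which left
# root logins by key enabled.
SSHD_CONFIG=/etc/ssh/sshd_config
set_sshd() {
  if grep -qE "^#?[[:space:]]*$1([[:space:]]|$)" "$SSHD_CONFIG"; then
    sed -i -E "s|^#?[[:space:]]*$1([[:space:]].*)?$|$1 $2|" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$1" "$2" >> "$SSHD_CONFIG"
  fi
}

#change ssh port
set_sshd Port 8081

#Ensure that sshd starts after eth0 is up, not just after filesystem
sed -i "s/start on filesystem/start on filesystem and net-device-up IFACE=eth0/g" /etc/init/ssh.conf

#Disable root ssh login
set_sshd PermitRootLogin no

#Disabling password authentication
#set_sshd PasswordAuthentication no

#Disabling X11 forwarding
set_sshd X11Forwarding no

#Disabling sshd DNS resolution
set_sshd UseDNS no

# None of the above is live until sshd is restarted (the old script never did,
# and the reboot at the end is commented out). Validate first; the current
# session survives the restart, so test a fresh login on port 8081 before
# closing it.
if sshd -t; then
  service ssh restart
else
  echo "sshd_config failed validation -- sshd NOT restarted" >&2
fi

echo "Linux Kernal Hardening"
echo "==============================================================="
#Linux kernel hardening
# These uncomment the hardening entries Ubuntu ships commented out in
# /etc/sysctl.conf; they are loaded by the "sysctl -p" near the end.
cp /etc/sysctl.conf /etc/sysctl.conf.bak
sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.icmp_echo_ignore_broadcasts = 1/net.ipv4.icmp_echo_ignore_broadcasts = 1/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.icmp_ignore_bogus_error_responses = 1/net.ipv4.icmp_ignore_bogus_error_responses = 1/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.log_martians = 1/net.ipv4.conf.all.log_martians = 1/g" /etc/sysctl.conf

#### Fine tuning network parameters for better perfomance
# These /proc writes take effect immediately but do NOT survive a reboot;
# persist anything you want to keep in /etc/sysctl.d/.
# Change the following parameters when a high rate of incoming connection requests result in connection failures
echo "100000" > /proc/sys/net/core/netdev_max_backlog
# Size of the listen queue for accepting new TCP connections (default: 128)
echo "4096" > /proc/sys/net/core/somaxconn
# Maximum number of sockets in TIME-WAIT to be held simultaneously (default: 180000)
echo "600000" > /proc/sys/net/ipv4/tcp_max_tw_buckets
# sets the Maximum Socket Receive Buffer for all protocols (in bytes)
echo "16777216" > /proc/sys/net/core/rmem_max
echo "16777216" > /proc/sys/net/core/rmem_default
# sets the Maximum Socket Send Buffer for all protocols (in bytes)
echo "16777216" > /proc/sys/net/core/wmem_max
echo "16777216" > /proc/sys/net/core/wmem_default
# Set Linux autotuning TCP buffer limits
echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_wmem

# NOTE(review): disabling SACK hurts throughput on lossy links; an FTP server
# on a congested competition network may notice.
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "0" > /proc/sys/net/ipv4/tcp_dsack
# By default, TCP saves various connection metrics in the route cache when the connection closes, so that connections established in the near future can use these to set initial conditions. Usually, this increases overall performance, but may sometimes cause performance degradation. If set, TCP will not cache metrics on closing connections.
echo "1" > /proc/sys/net/ipv4/tcp_no_metrics_save
# How many times to retry before killing an alive TCP connection (kernel default 15;
# 5 drops a stalled transfer after a few seconds rather than minutes)
echo "5" > /proc/sys/net/ipv4/tcp_retries2
# How often to send TCP keepalive packets to keep an connection alive if it is currently unused. This value is only used when keepalive is enabled
echo "120" > /proc/sys/net/ipv4/tcp_keepalive_time
# How long to wait for a reply on each keepalive probe. This value is in other words extremely important when you try to calculate how long time will go before your connection will die a keepalive death.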
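echo "30" > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Determines the number of probes before timing out
echo "3" > /proc/sys/net/ipv4/tcp_keepalive_probes
# How long to keep sockets in the state FIN-WAIT-2 if you were the one closing the socket (default: 60)
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
# Sometimes, packet reordering in a network can be interpreted as packet loss and hence increasing the value of this parameter should improve performance (default is 3)
echo "15" > /proc/sys/net/ipv4/tcp_reordering
#
echo "cubic" > /proc/sys/net/ipv4/tcp_congestion_control
# This value varies depending on total memory of the system. Use it wisely in different situations
# echo "262144" > /proc/sys/net/ipv4/tcp_max_orphans

# Disable Core Dumps
echo "0" > /proc/sys/fs/suid_dumpable
# Enable ExecShield -- a RHEL-only sysctl; Ubuntu kernels do not have it, so
# skip it quietly instead of printing "No such file".
[[ -e /proc/sys/kernel/exec-shield ]] && echo "1" > /proc/sys/kernel/exec-shield
# Full ASLR. The old value, 1, leaves the heap (brk) unrandomised and is a
# DOWNGRADE from Ubuntu's default of 2.
echo "2" > /proc/sys/kernel/randomize_va_space
#### Network parameters for better security
# All of these /proc writes are volatile; the sysctl block near the end of the
# script is where the security ones are made persistent.
# Disable packet forwarding (if this machine is not a router)
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
# Enable tcp_syncookies to accept legitimate connections when faced with a SYN flood attack
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Turn off to disable IPv4 protocol features which are considered to have few legitimate uses and to be easy to abuse
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/secure_redirects
# Log suspicious packets (This should be turned off if the system is suffering from too much logging)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Protect from ICMP attacks
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable RFC-recommended source validation (should not be used on machines which are routers for very complicated networks)
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
# Increase IPv4 port range to accept more connections
echo "5000 65535" > /proc/sys/net/ipv4/ip_local_port_range
# Disable IPV6
echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo "1" > /proc/sys/net/ipv6/conf/default/disable_ipv6
#### File system tuning
# Increase system file descriptor limit
echo "7930900" > /proc/sys/fs/file-max
# Allow for more PIDs
echo "65536" > /proc/sys/kernel/pid_max
# Use up to 95% of RAM (5% free)
echo "5" > /proc/sys/vm/swappiness
echo "20" > /proc/sys/vm/dirty_background_ratio
echo "25" > /proc/sys/vm/dirty_ratio



echo "Removing Packages"
echo "==============================================================="
#dpkg --list
#Removing known software!!!!!!!!!!!!!!!!!!! dpkg --list ::to check for more packages
# findutils and perl-base are Essential packages: apt-get refuses to remove
# them without an interactive "Yes, do as I say!", and forcing it would take
# away find(1) -- used by this very script -- and dpkg's own helpers. They are
# left alone; everything else is the original attacker-toolbox purge.
apt-get remove ftp -y
apt-get remove curl -y
#apt-get remove gcc-4.7-base:amd64 -y
#apt-get remove wget -y
apt-get remove telnet -y
apt-get remove telnetd -y

apt-get remove perl -y
apt-get remove perl-modules -y

apt-get remove netcat-traditional -y

apt-get remove nmap -y
apt-get remove netcat -y
apt-get remove --auto-remove netcat -y
apt-get remove netcat-openbsd -y

#apt-get autoremove -y vsftpd 2>/dev/null
apt-get autoremove -y nmap 2>/dev/null
apt-get autoremove -y telnetd 2>/dev/null
apt-get autoremove -y rdate 2>/dev/null
apt-get autoremove -y tcpdump 2>/dev/null
apt-get autoremove -y vnc4server 2>/dev/null
#apt-get autoremove -y vino 2>/dev/null
apt-get autoremove -y wireshark 2>/dev/null
#apt-get autoremove -y bind9-host 2>/dev/null
#apt-get autoremove -y libbind9-90 2>/dev/null

echo "Removing bash history"
echo "==============================================================="
# If this box is being cleaned after a compromise, copy this file somewhere
# safe first -- it records what was run as root.
rm /root/.bash_history

echo "Colorize the shells"
#adding color to root
echo '
export PS1="\[$(tput sgr0)\]"
' >> /root/.bashrc
#export PS1="\[\e[30m\]\\$\[\e[m\]"
source /root/.bashrc

#extra shit
echo "" > /etc/motd
echo "" > /etc/issue.net
chown -f root:root /etc/motd /etc/issue*
chmod -f 0444 /etc/motd /etc/issue*

#Cron setup
# Only root may use cron and at. The old logic acted only when /etc/cron.allow
# already existed -- it never does on a stock Ubuntu -- so non-root users kept
# crontab access. Once an allow file exists the deny files are ignored, so they
# are simply removed.
for allow in /etc/cron.allow /etc/at.allow; do
  if grep -qx root "$allow" 2>/dev/null; then
    echo "root is already in $allow"
    echo ""
  else
    echo "root" > "$allow"
  fi
done
rm -f /etc/at.deny /etc/cron.deny


chmod -f 0700 /etc/cron.monthly/* /etc/cron.weekly/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.d/*
chmod -f 0400 /etc/cron.allow /etc/cron.deny /etc/crontab /etc/at.allow /etc/at.deny
chmod -f 0700 /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.hourly
# NOTE(review): only /etc/crontab was emptied earlier; per-user crontabs under
# /var/spool/cron/crontabs are still there -- review them for persistence.
chmod -f 0700 /var/spool/cron
chmod -f 0600 /var/spool/cron/*
chmod -f 0700 /var/spool/at
chmod -f 0600 /var/spool/at/*
chmod -f 0400 /etc/anacrontab


#File permissions and ownerships
chmod -f 1777 /tmp
chown -f root:root /var/crash
chown -f root:root /var/cache/mod_proxy
chown -f root:root /var/lib/dav
chown -f root:root /usr/bin/lockfile
chown -f rpcuser:rpcuser /var/lib/nfs/statd
chown -f adm:adm /var/adm
chmod -f 0600 /var/crash
chown -f root:root /bin/mail
# reboot/shutdown lose group and world execute; only root can call them now.
chmod -f 0700 /sbin/reboot
chmod -f 0700 /sbin/shutdown
chmod -f 0600 /etc/ssh/ssh*config
chown -f root:root /root
chmod -f 0700 /root
chmod -f 0500 /usr/bin/ypcat
chmod -f 0700 /usr/sbin/usernetctl
chmod -f 0700 /usr/bin/rlogin
chmod -f 0700 /usr/bin/rcp
chmod -f 0640 /etc/pam.d/system-auth*
chmod -f 0640 /etc/login.defs
chmod -f 0750 /etc/security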
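chmod -f 0600 /etc/audit/audit.rules
chown -f root:root /etc/audit/audit.rules
chmod -f 0600 /etc/audit/auditd.conf
chown -f root:root /etc/audit/auditd.conf
chmod -f 0600 /etc/auditd.conf
chmod -f 0744 /etc/rc.d/init.d/auditd
# audit tools: root-owned and not world-executable (the paths are RHEL's;
# -f keeps the missing ones quiet on Ubuntu).
for tool in /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd; do
  chown -f root "$tool"
  chmod -f 0750 "$tool"
done
chmod -f 0444 /etc/bashrc
chmod -f 0444 /etc/csh.cshrc
chmod -f 0444 /etc/csh.login
chmod -f 0600 /etc/cups/client.conf
chmod -f 0600 /etc/cups/cupsd.conf
chown -f root:sys /etc/cups/client.conf
chown -f root:sys /etc/cups/cupsd.conf
chmod -f 0600 /etc/grub.conf
chown -f root:root /etc/grub.conf
chmod -f 0600 /boot/grub2/grub.cfg
chown -f root:root /boot/grub2/grub.cfg
chmod -f 0600 /boot/grub/grub.cfg
chown -f root:root /boot/grub/grub.cfg
chmod -f 0444 /etc/hosts
chown -f root:root /etc/hosts
chmod -f 0600 /etc/inittab
chown -f root:root /etc/inittab
chmod -f 0444 /etc/mail/sendmail.cf
chown -f root:bin /etc/mail/sendmail.cf
chmod -f 0600 /etc/ntp.conf
chmod -f 0640 /etc/security/access.conf
chmod -f 0600 /etc/security/console.perms
chmod -f 0600 /etc/security/console.perms.d/50-default.perms
chmod -f 0600 /etc/security/limits
chmod -f 0444 /etc/services
chmod -f 0444 /etc/shells
# Dotfiles only. The old "/etc/skel/.*" also expanded to /etc/skel/. and
# /etc/skel/.., i.e. it chmod'ed /etc/skel and /etc itself to 0644 -- an
# untraversable /etc -- which the "chmod 0755 /etc" further down was papering
# over (/etc/skel stayed broken).
chmod -f 0644 /etc/skel/.[!.]*
chmod -f 0600 /etc/skel/.bashrc
chmod -f 0600 /etc/skel/.bash_profile
chmod -f 0600 /etc/skel/.bash_logout
# sudoers is made immutable earlier in this script; chmod/chown silently fail
# on an immutable file, so lift the bit, set the mode sudo insists on (0440)
# and put it back.
chattr -i /etc/sudoers 2>/dev/null
chown -f root:root /etc/sudoers
chmod -f 0440 /etc/sudoers
chattr +i /etc/sudoers 2>/dev/null
chmod -f 0600 /etc/sysctl.conf
chown -f root:root /etc/sysctl.conf
chown -f root:root /etc/sysctl.d/*
chmod -f 0700 /etc/sysctl.d
chmod -f 0600 /etc/sysctl.d/*
chmod -f 0600 /etc/syslog.conf
chmod -f 0600 /var/yp/binding
# Logs: tighten modes, keep ownership. The old version chown'ed everything
# under /var/log to root:$AUDIT -- a variable this script never sets, so the
# group became root's -- and chmod -R 0640'ed it. On Ubuntu rsyslog writes as
# user "syslog" and mysql as "mysql": after that chown they could no longer
# write and the box stopped logging; the recursive 0640 also stripped x from
# the log *directories*. Files get 0640, directories 0750, owners untouched
# (/var/log/syslog is a file here; the old 0750 just made it executable).
find /var/log -type f -exec chmod -f 0640 {} +
find /var/log -mindepth 1 -type d -exec chmod -f 0750 {} +
chmod -f 0755 /var/log
chmod -f 0750 /var/log/audit
chmod -f 0600 /var/log/lastlog*
chmod -f 0600 /var/log/cron*
chmod -f 0600 /var/log/btmp
chmod -f 0660 /var/log/wtmp
chmod -f 0444 /etc/profile
chmod -f 0700 /etc/rc.d/rc.local
chmod -f 0400 /etc/securetty
chmod -f 0700 /etc/rc.local
chmod -f 0750 /usr/bin/wall
chown -f root:tty /usr/bin/wall
chown -f root:users /mnt
chown -f root:users /media
chmod -f 0644 /etc/.login
chmod -f 0644 /etc/profile.d/*
chown -f root /etc/security/environ
chown -f root /etc/xinetd.d
chown -f root /etc/xinetd.d/*
chmod -f 0750 /etc/xinetd.d
chmod -f 0640 /etc/xinetd.d/*
chmod -f 0640 /etc/selinux/config
# 0750 also drops the setuid bit, so ordinary users lose chfn/chsh/write entirely.
chmod -f 0750 /usr/bin/chfn
chmod -f 0750 /usr/bin/chsh
chmod -f 0750 /usr/bin/write
chmod -f 0750 /sbin/mount.nfs
chmod -f 0750 /sbin/mount.nfs4
chmod -f 0700 /usr/bin/ldd #0400 FOR SOME SYSTEMS
chmod -f 0700 /bin/traceroute
chown -f root:root /bin/traceroute
chmod -f 0700 /usr/bin/traceroute6*
chown -f root:root /usr/bin/traceroute6
chmod -f 0700 /bin/tcptraceroute
chmod -f 0700 /sbin/iptunnel
chmod -f 0700 /usr/bin/tracpath*
chmod -f 0644 /dev/audio
chown -f root:root /dev/audio
chmod -f 0644 /etc/environment
chown -f root:root /etc/environment
chmod -f 0600 /etc/modprobe.conf
chown -f root:root /etc/modprobe.conf
chown -f root:root /etc/modprobe.d
chown -f root:root /etc/modprobe.d/*
chmod -f 0700 /etc/modprobe.d
chmod -f 0600 /etc/modprobe.d/*
chmod -f o-w /selinux/*
#umask 077 /etc/*
chmod -f 0755 /etc
# man pages: files only -- the old recursive 0644 on the directories made
# them untraversable.
chmod -f 0644 /usr/share/man/man1/*
find /usr/share/man/man5 /usr/share/man/man1 -type f -exec chmod -f 0644 {} + 2>/dev/null
chmod -f 0600 /etc/yum.repos.d/*
chmod -f 0640 /etc/fstab
chmod -f 0755 /var/cache/man
chmod -f 0755 /etc/init.d/atd
chmod -f 0750 /etc/ppp/peers
chmod -f 0755 /bin/ntfs-3g
chmod -f 0750 /usr/sbin/pppd
chmod -f 0750 /etc/chatscripts
chmod -f 0750 /usr/local/share/ca-certificates

# DISA STIG file ownership (the old file had this heading without a "#", so
# bash tried to run a command called "DISA")
chmod -f 0755 /bin/csh /bin/jsh /bin/ksh /bin/rsh /bin/sh
chmod -f 0640 /dev/kmem
chown -f root:sys /dev/kmem
chmod -f 0640 /dev/mem
chown -f root:sys /dev/mem
chmod -f 0666 /dev/null
chown -f root:sys /dev/null
chmod -f 0755 /etc/csh /etc/jsh /etc/ksh /etc/rsh /etc/sh
chmod -f 0644 /etc/aliases
chown -f root:root /etc/aliases
chmod -f 0640 /etc/exports
chown -f root:root /etc/exports
chmod -f 0640 /etc/ftpusers
chown -f root:root /etc/ftpusers
chmod -f 0664 /etc/host.lpd
chmod -f 0440 /etc/inetd.conf
chown -f root:root /etc/inetd.conf
chmod -f 0644 /etc/mail/aliases
chown -f root:root /etc/mail/aliases
chmod -f 0644 /etc/passwd
chown -f root:root /etc/passwd
chmod -f 0400 /etc/shadow
chown -f root:root /etc/shadow
chmod -f 0600 /etc/uucp/L.cmds
chown -f uucp:uucp /etc/uucp/L.cmds
chmod -f 0600 /etc/uucp/L.sys
chown -f uucp:uucp /etc/uucp/L.sys
chmod -f 0600 /etc/uucp/Permissions
chown -f uucp:uucp /etc/uucp/Permissions
chmod -f 0600 /etc/uucp/remote.unknown
chown -f root:root /etc/uucp/remote.unknown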
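chmod -f 0600 /etc/uucp/remote.systems
# "uccp" was a typo for uucp in the old file (silent thanks to -f, but the
# file it meant was never touched).
chmod -f 0600 /etc/uucp/Systems
chown -f uucp:uucp /etc/uucp/Systems
chmod -f 0755 /sbin/csh /sbin/jsh /sbin/ksh /sbin/rsh /sbin/sh
chmod -f 0755 /usr/bin/csh /usr/bin/jsh /usr/bin/ksh /usr/bin/rsh /usr/bin/sh
chmod -f 1777 /var/mail
chmod -f 1777 /var/spool/uucppublic

#Set all files in ``.ssh`` to ``600``
chmod 700 ~/.ssh && chmod 600 ~/.ssh/*

#Disable ctrl-alt-delete RHEL 6+ / Ubuntu upstart
if [[ -f /etc/init/control-alt-delete.conf ]]; then
  if grep -q '^exec' /etc/init/control-alt-delete.conf; then
    sed -i 's/^exec/#exec/g' /etc/init/control-alt-delete.conf
  fi
fi

#Disable ctrl-alt-delete RHEL 5+ (sysvinit)
if [[ -f /etc/inittab ]]; then
  if grep -q '^ca::' /etc/inittab; then
    sed -i 's/^ca::/#ca::/g' /etc/inittab
  fi
fi

#Disable ctrl-alt-delete on systemd (Ubuntu 15.04+): neither file above exists
#there, so the old script left the key combination armed.
if command -v systemctl >/dev/null 2>&1; then
  systemctl mask ctrl-alt-del.target 2>/dev/null
fi

echo "==============================================================="
echo "Removing users!"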
561 | userdel -f games 2>/dev/null 562 | userdel -f news 2>/dev/null 563 | userdel -f gopher 2>/dev/null 564 | userdel -f tcpdump 2>/dev/null 565 | userdel -f shutdown 2>/dev/null 566 | userdel -f halt 2>/dev/null 567 | userdel -f sync 2>/dev/null 568 | userdel -f ftp 2>/dev/null 569 | userdel -f operator 2>/dev/null 570 | userdel -f lp 2>/dev/null 571 | userdel -f uucp 2>/dev/null 572 | userdel -f irc 2>/dev/null 573 | userdel -f gnats 2>/dev/null 574 | userdel -f pcap 2>/dev/null 575 | userdel -f netdump 2>/dev/null 576 | userdel -f www-data 2>/dev/null 577 | userdel -f netdump 2>/dev/null 578 | 579 | #Disable fingerprint in PAM and authconfig 580 | authconfig --disablefingerprint --update 581 | 582 | #Misc settings and permissions 583 | chmod -Rf o-w /usr/local/src/* 584 | rm -f /etc/security/console.perms 585 | 586 | #Set background image permissions 587 | chmod -f 0444 /usr/share/backgrounds/default* 588 | chmod -f 0444 /usr/share/backgrounds/images/default* 589 | 590 | #Set home directories to 0700 permissions 591 | if [[ -d /home ]]; then 592 | for x in `find /home -maxdepth 1 -mindepth 1 -type d`; do chmod -f 0700 $x; done 593 | fi 594 | 595 | if [[ -d /export/home ]]; then 596 | for x in `find /export/home -maxdepth 1 -mindepth 1 -type d`; do chmod -f 0700 $x; done 597 | fi 598 | 599 | if [[ `which sysctl 2>/dev/null` != "" ]]; then 600 | #Turn on Exec Shield for RHEL systems 601 | sysctl -w kernel.exec-shield=1 602 | #Turn on ASLR Conservative Randomization 603 | sysctl -w kernel.randomize_va_space=1 604 | #Hide Kernel Pointers 605 | sysctl -w kernel.kptr_restrict=1 606 | #Allow reboot/poweroff, remount read-only, sync command 607 | sysctl -w kernel.sysrq=176 608 | #Restrict PTRACE for debugging 609 | sysctl -w kernel.yama.ptrace_scope=1 610 | #Hard and Soft Link Protection 611 | sysctl -w fs.protected_hardlinks=1 612 | sysctl -w fs.protected_symlinks=1 613 | #Enable TCP SYN Cookie Protection 614 | sysctl -w net.ipv4.tcp_syncookies=1 615 | #Disable IP 
Source Routing 616 | sysctl -w net.ipv4.conf.all.accept_source_route=0 617 | #Disable ICMP Redirect Acceptance 618 | sysctl -w net.ipv4.conf.all.accept_redirects=0 619 | sysctl -w net.ipv6.conf.all.accept_redirects=0 620 | sysctl -w net.ipv4.conf.all.send_redirects=0 621 | sysctl -w net.ipv6.conf.all.send_redirects=0 622 | #Enable IP Spoofing Protection 623 | sysctl -w net.ipv4.conf.all.rp_filter=1 624 | sysctl -w net.ipv4.conf.default.rp_filter=1 625 | #Enable Ignoring to ICMP Requests 626 | sysctl -w net.ipv4.icmp_echo_ignore_all=0 627 | #Enable Ignoring Broadcasts Request 628 | sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 629 | #Enable Bad Error Message Protection 630 | sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 631 | #Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets 632 | sysctl -w net.ipv4.conf.all.log_martians=1 633 | sysctl -w net.ipv4.conf.default.log_martians=1 634 | #Perfer Privacy Addresses 635 | net.ipv6.conf.all.use_tempaddr = 2 636 | net.ipv6.conf.default.use_tempaddr = 2 637 | sysctl -p 638 | fi 639 | 640 | #last minute shit 641 | rm /var/log/bootstrap.log 642 | #chmod 400 /proc/kallsyms #kernal exploit 643 | 644 | echo "===============================================================" 645 | echo "FINISHED!" 646 | echo "FINISHED!" 647 | echo "Done" 648 | echo "===============================================================" 649 | --------------------------------------------------------------------------------
