├── README.md
└── ServerSetup.sh

/README.md:
--------------------------------------------------------------------------------
Setting up a phishing server is a very long and tedious process. It can take hours to set up, and can be compromised in minutes. The esteemed gentlemen [@cptjesus](https://twitter.com/cptjesus) and [@Killswitch_GUI](https://twitter.com/Killswitch_GUI) have already made leaps and bounds in this arena. I took everything that I learned from them on setting up a server and applied it to a bash script to automate the process. Before we get to the script, let’s go over the basics of setting up a mail server.

First, let’s outline the process, then dive deeper into each step:

1. Obtain a VPS/Server/IP trusted by the target
2. Set up Secure Access to the Server
3. Disable IPv6 and Remove Exim
4. Install SSL Certs from Let's Encrypt
5. Install Dovecot and Postfix
6. Add Aliases
7. Configure DNS Entries
8. Test Mail Server Configuration

## 1) Obtain a VPS/Server/IP trusted by the target ##

To use this script, you must have a domain name and access to a server running Debian 8. You must also be able to set the PTR record of the IP address assigned to your server. There are many options for purchasing a virtual private server (VPS); some notable ones include [DigitalFyre](https://www.digitalfyre.com), [Linode](https://www.linode.com), and [DigitalOcean](https://www.digitalocean.com/).

## 2) Set up Secure Access to the Server ##

The industry standard for accessing a server remotely is SSH. Ideally, SSH should only be accessible to a single account with low privileges, and root login and password authentication should both be disabled. The command “Setup SSH” will prompt you to create an account to be used for SSH authentication. Once the account is set up, the script uses it to create an “.ssh” directory. It will also edit /etc/ssh/sshd_config to only allow that user to authenticate and to prevent remote root logins.

## 3) Disable IPv6 and Remove Exim ##

Debian 8 comes with the Exim mail service by default. Exim can cause problems when installing Postfix and should be removed. On the same note, IPv6 can create additional problems and should be disabled. The command “Debian Prep” will remove Exim and disable IPv6. The script will also prompt you for the mail server’s domain name and use it to change the system hostname. After all of these changes, the system will reboot.

## 4) Install SSL Certs from Let's Encrypt ##

We need a working SSL certificate in order to use TLS with Postfix authentication. To create one, make sure the A record of your domain name points to the IP address of the server, then run the “Install SSL” command. It will prompt you for the domain name again and then create the certificates.

## 5) Installing Postfix and Dovecot (Mail Server) ##

Now that all of the prerequisites are complete, we can install the actual mail server. For a mail server to appear legitimate, it must have a correctly configured reverse (PTR) record and employ the following:

1. Sender Policy Framework (SPF)
2. DomainKeys Identified Mail (DKIM)
3. Domain-based Message Authentication, Reporting, and Conformance (DMARC)

The “Install Mail Server” command will prompt you for the domain name you would like to use and then set up all of the rest for you. Once it has finished, you should see a service status report for Postfix, Dovecot, OpenDKIM, and OpenDMARC; each of these services should report “active (running)”.

## 6) Add Aliases ##

Once the server is up and running, we need to tell it where to send mail to and from. Using the command “Add Aliases”, assign the user account you created earlier to receive mail for root, and then choose an alias to test from.

## 7) Configure DNS Entries ##

Finally, we can add DNS entries to our domain to ensure that SPF, DKIM, and DMARC work properly. The command “Get DNS Entries” prints the records to add to the console.

## 8) Testing Your New Mail Server ##

To test your new mail server, send an email with the `mail` command: run `mail target@example.com` on the command line and follow the prompts, then check whether the email was delivered. You can also use tools like [DKIM Validator](http://dkimvalidator.com/) to check that DKIM is passing, and [MX Toolbox](http://mxtoolbox.com/) for pretty much everything else.

## In Conclusion ##

Phishing is a hard and painful process, and this script is only part of the battle. Some organizations have hardened spam filters that can be incredibly difficult to get around. Things like domain categorization and domain age can help but ultimately may still not be enough. In my testing, this script will get through to Gmail inboxes on DigitalFyre’s infrastructure. However, the story is different when used with DigitalOcean. You can find the script on GitHub [here](https://github.com/jcatrambone94/Postfix-Server-Setup).
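Steps 5, 7 and 8 above come down to publishing three TXT records and confirming they are well formed before a delivery test. The following is an added example, not part of the Postfix-Server-Setup repository: it joins the quoted chunks of an opendkim-genkey `mail.txt` into one TXT value the way the “Get DNS Entries” command does, checks the DKIM and DMARC tag lists, and evaluates a sending address against an SPF record. The SPF evaluator is more general than the single `v=spf1 ip4:<ip> -all` record the script emits (it handles `ip4:`/`ip6:` networks and every qualifier), but it deliberately refuses mechanisms that need DNS so it runs offline. The `mail.txt` contents, key material and IP addresses are constructed samples.

```python
"""Sanity-check the SPF, DKIM and DMARC records the "Get DNS Entries" step prints.

Added example, not part of the Postfix-Server-Setup repository.  Everything below
works offline: the opendkim-genkey output and the addresses are constructed samples.
"""
import ipaddress
import re

# Constructed sample of /etc/opendkim/keys/<domain>/mail.txt as written by
# `opendkim-genkey -s mail -d example.com` (key material shortened and made up).
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleKeyMaterial0123" )'
    '  ; ----- DKIM key mail for example.com\n'
)

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dkim_txt_from_genkey(text: str) -> str:
    """Join the quoted chunks of a genkey mail.txt into one TXT value.

    The script does `cut -d '"' -f 2 mail.txt | tr -d "[:space:]"`; this takes
    every quoted chunk on every line, so it also copes with long keys that
    genkey splits into more than one chunk per line.
    """
    chunks = re.findall(r'"([^"]*)"', text)
    return re.sub(r"\s+", "", "".join(chunks))


def parse_tags(record: str) -> dict:
    """Split a tag=value record (DKIM or DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def check_dkim(record: str) -> list:
    """Return the problems found in a DKIM TXT value (empty list means it looks right)."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an opendkim-genkey RSA key")
    if not tags.get("p"):
        problems.append("p= is empty (an empty p= means the key is revoked)")
    return problems


def check_dmarc(record: str) -> list:
    """Return the problems found in a DMARC TXT value."""
    problems = []
    if not record.startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    tags = parse_tags(record)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    return problems


def spf_result(record: str, sender_ip: str) -> str:
    """Evaluate a sending IP against an SPF record's ip4:/ip6:/all mechanisms.

    Returns pass, fail, softfail or neutral.  Mechanisms that need DNS lookups
    (include:, a, mx, ...) raise so the check stays offline and deterministic.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    addr = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # a bare address is a /32 or /128; an address-family mismatch simply does not match
            if addr in ipaddress.ip_network(arg, strict=False):
                return SPF_RESULT[qualifier]
        elif mech == "all":
            return SPF_RESULT[qualifier]
        else:
            raise ValueError(f"mechanism needs DNS and is not evaluated offline: {term}")
    return "neutral"


if __name__ == "__main__":
    dkim = dkim_txt_from_genkey(SAMPLE_MAIL_TXT)
    print("DKIM TXT :", dkim, check_dkim(dkim) or "ok")
    print("DMARC    :", check_dmarc("v=DMARC1; p=reject") or "ok")
    for ip in ("203.0.113.10", "198.51.100.7"):
        print("SPF", ip, "->", spf_result("v=spf1 ip4:203.0.113.10 -all", ip))
```

Point `dkim_txt_from_genkey` at the real `/etc/opendkim/keys/<domain>/mail.txt` and feed `spf_result` the address a test message actually left from (the `Received:` header at the recipient shows it); a `fail` there means the SPF record lists the wrong IP, which is exactly what the online validators in step 8 would report after the fact.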
--------------------------------------------------------------------------------
/ServerSetup.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash

if [[ $EUID -ne 0 ]]; then
    echo "Please run this script as root" 1>&2
    exit 1
fi

### Functions ###

# Shared tail of the Debian and Ubuntu prep steps: disable IPv6, set the
# hostname from the mail domain (README step 3) and reboot.
finish_initialize() {
    update-rc.d nfs-common disable > /dev/null 2>&1
    update-rc.d rpcbind disable > /dev/null 2>&1

    echo "Disabling IPv6"

    cat <<-EOF >> /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.ppp0.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
EOF

    sysctl -p > /dev/null 2>&1

    echo "Changing Hostname"

    read -p "Enter your hostname: " -r primary_domain

    cat <<-EOF > /etc/hosts
127.0.1.1 $primary_domain $primary_domain
127.0.0.1 localhost
EOF

    cat <<-EOF > /etc/hostname
$primary_domain
EOF

    echo "The System will now reboot!"
    reboot
}

debian_initialize() {
    echo "Updating and Installing Dependencies"
    apt-get -qq update > /dev/null 2>&1
    apt-get -qq -y upgrade > /dev/null 2>&1
    apt-get install -qq -y nmap > /dev/null 2>&1
    apt-get install -qq -y git > /dev/null 2>&1
    # Debian ships Exim, which conflicts with Postfix (README step 3)
    apt-get remove -qq -y exim4 exim4-base exim4-config exim4-daemon-light > /dev/null 2>&1
    rm -r /var/log/exim4/ > /dev/null 2>&1

    finish_initialize
}

ubuntu_initialize() {
    echo "Updating and Installing Dependencies"
    apt-get -qq update > /dev/null 2>&1
    apt-get -qq -y upgrade > /dev/null 2>&1
    apt-get install -qq -y nmap > /dev/null 2>&1
    apt-get install -qq -y git > /dev/null 2>&1
    rm -r /var/log/exim4/ > /dev/null 2>&1

    finish_initialize
}

reset_firewall() {
    apt-get install iptables-persistent -q -y > /dev/null 2>&1

    iptables -F
    echo "Current iptables rules flushed"

    # The default policies live in the rules file so that iptables-persistent
    # restores a default-deny firewall at boot, not only for this session.
    cat <<-ENDOFRULES > /etc/iptables/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow all loopback (lo) traffic and reject anything to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow SSH.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT

# Allow DNS resolution and limited HTTP/S on eth0.
# Necessary for updating the server and keeping time.
-A INPUT -p udp -m state --state NEW,ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT

# Allow mail traffic outbound (connections this server opens) and the replies to it.
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 25 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 143 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 587 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 993 -j ACCEPT

# Allow mail traffic inbound: new connections TO our SMTP, submission and IMAP(S)
# ports (matched on --dport, not --sport) and the replies we send on them.
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 143 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 143 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 587 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 993 -j ACCEPT

COMMIT
ENDOFRULES

    # IPv6 is disabled in the prep step; drop anything that shows up anyway.
    cat <<-ENDOFRULES > /etc/iptables/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
ENDOFRULES

    echo "Loading new firewall rules"
    iptables-restore /etc/iptables/rules.v4
    ip6tables-restore /etc/iptables/rules.v6
}

add_firewall_port() {
    read -p "Enter the port you would like opened: " -r port
    iptables -A INPUT -p tcp --dport "${port}" -j ACCEPT
    iptables -A OUTPUT -p tcp --sport "${port}" -j ACCEPT
    # persist the running rule set so iptables-persistent reloads it at boot
    iptables-save > /etc/iptables/rules.v4
}

install_ssl_Cert() {
    git clone https://github.com/certbot/certbot.git /opt/letsencrypt > /dev/null 2>&1
    cd /opt/letsencrypt || exit

    # collect one or more domain names; each becomes a -d argument
    domain_args=()
    while true; do
        read -p "Enter your server's domain or done to exit: " -r domain
        [ "$domain" = "done" ] && break
        domain_args+=(-d "$domain")
    done

    # standalone mode answers the challenge itself, so the A record must already
    # point at this server and port 80 must be reachable (README step 4)
    ./certbot-auto certonly --standalone "${domain_args[@]}" -n --register-unsafely-without-email --agree-tos
}

install_postfix_dovecot() {
    echo "Installing Dependencies"
    apt-get install -qq -y dovecot-imapd dovecot-lmtpd
    apt-get install -qq -y postfix postgrey postfix-policyd-spf-python
    apt-get install -qq -y opendkim opendkim-tools
    apt-get install -qq -y opendmarc
    apt-get install -qq -y mailutils

    read -p "Enter your mail server's domain: " -r primary_domain
    read -p "Enter IP's to allow Relay (if none just hit enter): " -r relay_ip
    echo "Configuring Postfix"

    # Variables expand inside this heredoc; Postfix's own $parameters are escaped.
    cat <<-EOF > /etc/postfix/main.cf
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/letsencrypt/live/${primary_domain}/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/${primary_domain}/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ${primary_domain}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ${primary_domain}, localhost.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 ${relay_ip}
mailbox_command = procmail -a "\$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
# OpenDKIM (12301) and OpenDMARC (54321) milters; see their Socket settings below
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301,inet:localhost:54321
non_smtpd_milters = inet:localhost:12301,inet:localhost:54321
EOF

    # Submission (587) requires TLS and Dovecot SASL; continuation lines must be indented.
    cat <<-EOF >> /etc/postfix/master.cf
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
EOF

    echo "Configuring Opendkim"

    mkdir -p "/etc/opendkim/keys/${primary_domain}"
    cp /etc/opendkim.conf /etc/opendkim.conf.orig

    cat <<-EOF > /etc/opendkim.conf
Domain *
AutoRestart Yes
AutoRestartRate 10/1h
Umask 0002
Syslog Yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyFile /etc/opendkim/keys/${primary_domain}/mail.private
Selector mail
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost
EOF

    cat <<-EOF > /etc/opendkim/TrustedHosts
127.0.0.1
localhost
${primary_domain}
${relay_ip}
EOF

    cd "/etc/opendkim/keys/${primary_domain}" || exit
    # writes mail.private (the signing key) and mail.txt (the DNS TXT record)
    opendkim-genkey -s mail -d "${primary_domain}"
    # keep the init script's socket in step with the Socket line above (localhost only)
    echo 'SOCKET="inet:12301@localhost"' >> /etc/default/opendkim
    chown -R opendkim:opendkim /etc/opendkim

    echo "Configuring opendmarc"

    cat <<-EOF > /etc/opendmarc.conf
AuthservID ${primary_domain}
PidFile /var/run/opendmarc.pid
RejectFailures false
Syslog true
TrustedAuthservIDs ${primary_domain}
Socket inet:54321@localhost
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
EOF

    mkdir -p "/etc/opendmarc/"
    echo "localhost" > /etc/opendmarc/ignore.hosts
    chown -R opendmarc:opendmarc /etc/opendmarc

    echo 'SOCKET="inet:54321@localhost"' >> /etc/default/opendmarc

    echo "Configuring Dovecot"

    cat <<-EOF > /etc/dovecot/dovecot.conf
# plaintext (PAM) logins are acceptable only because ssl = required below forces TLS first
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u

userdb {
  driver = passwd
}

passdb {
  args = %s
  driver = pam
}

protocols = " imap"

protocol imap {
  mail_plugins = " autocreate"
}

plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

# the same Let's Encrypt certificate Postfix uses above; the leading < makes Dovecot read the file
ssl = required
ssl_cert = </etc/letsencrypt/live/${primary_domain}/fullchain.pem
ssl_key = </etc/letsencrypt/live/${primary_domain}/privkey.pem
EOF

    # root's mail goes to the account created in the SSH step (README step 6)
    read -p "Enter the user that should receive mail for root: " -r user_name
    echo "root: ${user_name}" >> /etc/aliases
    newaliases
    echo "Root email assigned to ${user_name}"

    echo "Restarting Services"
    service postfix restart
    service opendkim restart
    service opendmarc restart
    service dovecot restart

    echo "Checking Service Status"
    service postfix status
    service opendkim status
    service opendmarc status
    service dovecot status
}

function add_alias(){
    read -p "What email address do you want to assign: " -r email_address
    read -p "What user do you want to assign to that email address: " -r user
    echo "${email_address}: ${user}" >> /etc/aliases
    newaliases
    echo "${email_address} assigned to ${user}"
}

function get_dns_entries(){
    # first global IPv4 address of this host
    extip=$(ip -4 -o addr show scope global | awk '{split($4, a, "/"); print a[1]; exit}')
    domain=$(ls /etc/opendkim/keys/ | head -1)
    fields=$(echo "${domain}" | tr '.' '\n' | wc -l)
    # opendkim-genkey splits the TXT value into quoted chunks; join them into one string
    dkimrecord=$(cut -d '"' -f 2 "/etc/opendkim/keys/${domain}/mail.txt" | tr -d "[:space:]")

    if [[ $fields -eq 2 ]]; then
        # apex domain (example.com): records sit at the zone root
        host="@"
        dkim_host="mail._domainkey"
        dmarc_host="_dmarc"
    else
        # subdomain (mail.example.com): prefix is everything but the last two labels
        prefix=$(echo "${domain}" | rev | cut -d '.' -f 3- | rev)
        host="${prefix}"
        dkim_host="mail._domainkey.${prefix}"
        dmarc_host="_dmarc.${prefix}"
    fi

    cat <<-EOF > dnsentries.txt
DNS Entries for ${domain}:

====================================================================
Namecheap - Enter under Advanced DNS

Record Type: A
Host: ${host}
Value: ${extip}
TTL: 5 min

Record Type: TXT
Host: ${host}
Value: v=spf1 ip4:${extip} -all
TTL: 5 min

Record Type: TXT
Host: ${dkim_host}
Value: ${dkimrecord}
TTL: 5 min

Record Type: TXT
Host: ${dmarc_host}
Value: v=DMARC1; p=reject
TTL: 5 min

Change Mail Settings to Custom MX and Add New Record
Record Type: MX
Host: ${host}
Value: ${domain}
Priority: 10
TTL: 5 min
EOF
    cat dnsentries.txt
}

setupSSH(){
    apt-get -qq -y install sudo > /dev/null 2>&1
    apt-get -qq -y install fail2ban > /dev/null 2>&1

    echo "Create a User to ssh into this system securely"

    read -p "Enter your user name: " -r user_name

    adduser "$user_name"

    usermod -aG sudo "$user_name"

    # AllowUsers is written inside the same file as the rest of the config
    cat <<-EOF > /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# password logins stay on so the new user can log in and install a key;
# set this to "no" once ~/.ssh/authorized_keys is in place
PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# only the account created above may log in
AllowUsers ${user_name}
EOF

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    # create the user's ~/.ssh with the permissions sshd insists on
    runuser -l "$user_name" -c "mkdir -p ~/.ssh && chmod 700 ~/.ssh"

    service ssh restart
}

function Install_GoPhish {
    apt-get install -qq -y unzip > /dev/null 2>&1
    wget https://github.com/gophish/gophish/releases/download/v0.4.0/gophish-v0.4-linux-64bit.zip
    unzip gophish-v0.4-linux-64bit.zip
    cd gophish-v0.4-linux-64bit || exit
    # exposes the admin UI on every interface; keep it behind the firewall or an SSH tunnel
    sed -i 's/"listen_url" : "127.0.0.1:3333"/"listen_url" : "0.0.0.0:3333"/g' config.json
    read -r -p "Do you want to add an SSL certificate to your GoPhish? [y/N] " response
    case "$response" in
        [yY][eE][sS]|[yY])
            read -p "Enter your web server's domain: " -r primary_domain
            if [ -f "/etc/letsencrypt/live/${primary_domain}/fullchain.pem" ]; then
                ssl_cert="/etc/letsencrypt/live/${primary_domain}/fullchain.pem"
                ssl_key="/etc/letsencrypt/live/${primary_domain}/privkey.pem"
                cp "$ssl_cert" "${primary_domain}.crt"
                cp "$ssl_key" "${primary_domain}.key"
                sed -i "s/0.0.0.0:80/0.0.0.0:443/g" config.json
                sed -i "s/gophish_admin.crt/${primary_domain}.crt/g" config.json
                sed -i "s/gophish_admin.key/${primary_domain}.key/g" config.json
                sed -i 's/"use_tls" : false/"use_tls" : true/g' config.json
                sed -i "s/example.crt/${primary_domain}.crt/g" config.json
                sed -i "s/example.key/${primary_domain}.key/g" config.json
            else
                echo "Certificate not found, use Install SSL option first"
            fi
            ;;
        *)
            ;;
    esac
    echo "GoPhish installed"
}

function Install_IRedMail {
    echo "Downloading iRedMail"
    wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.6.tar.bz2
    tar -xvf iRedMail-0.9.6.tar.bz2
    cd iRedMail-0.9.6/ || exit
    chmod +x iRedMail.sh
    echo "Running iRedMail Installer"
    ./iRedMail.sh
}

PS3="Server Setup Script - Pick an option: "
options=("Setup SSH" "Debian Prep" "Ubuntu Prep" "Install SSL" "Install Mail Server" "Add Aliases" "Get DNS Entries" "Install GoPhish" "Install IRedMail")
select opt in "${options[@]}" "Quit"; do

    case "$REPLY" in

        #Prep
        1) setupSSH;;

        2) debian_initialize;;

        3) ubuntu_initialize;;

        4) install_ssl_Cert;;

        5) install_postfix_dovecot;;

        6) add_alias;;

        7) get_dns_entries;;

        8) Install_GoPhish;;

        9) Install_IRedMail;;

        $(( ${#options[@]}+1 )) ) echo "Goodbye!"; break;;
        *) echo "Invalid option. Try another one.";continue;;

    esac

done
```
--------------------------------------------------------------------------------
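The sshd_config written by `setupSSH` is the control that README step 2 rests on, and it is easy to undo: sshd honours the first occurrence of each keyword, so a directive appended at the bottom of the file only counts if nothing above already set it, and the generated file deliberately leaves password logins on until a key is installed. Below is an added example, not part of the Postfix-Server-Setup repository: a small audit that parses an sshd_config with that first-occurrence-wins rule and reports every deviation from the step-2 policy (no root login, no password authentication, public-key authentication on, only the created account in AllowUsers). The two configurations it checks are constructed samples and the user name `deploy` is a placeholder.

```python
"""Audit an sshd_config against the access policy in README step 2.

Added example, not part of the Postfix-Server-Setup repository.  sshd applies
the FIRST occurrence of each keyword, so the parser keeps first-wins semantics.
Both configurations below are constructed samples.
"""
import re

# What README step 2 asks for: one low-privilege account, no root, no passwords.
POLICY = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}

# Constructed: the hardened state after a key has been installed for the user.
SAMPLE_HARDENED = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
UsePAM yes
# a later duplicate is ignored by sshd, so this line has no effect
PermitRootLogin yes
AllowUsers deploy
"""

# Constructed: the state right after the script's "Setup SSH" step, with
# password logins still on so the new user can log in and copy a key.
SAMPLE_FRESH = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
UsePAM yes
AllowUsers deploy
"""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword (lowercased): first value}.

    Comments and blank lines are skipped; both "Keyword value" and
    "Keyword=value" forms are accepted.  Parsing stops at the first Match
    block because its settings are conditional and need separate treatment.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(text: str, expected_user: str) -> list:
    """List every deviation from POLICY plus a wrong or missing AllowUsers."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in POLICY.items():
        actual = cfg.get(key)
        if actual is None or actual.lower() not in allowed:
            findings.append(f"{key}: {actual or 'unset'} (expected {'/'.join(sorted(allowed))})")
    users = cfg.get("allowusers", "").split()
    if users != [expected_user]:
        findings.append(f"allowusers: {' '.join(users) or 'unset'} (expected only {expected_user})")
    return findings


if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("fresh", SAMPLE_FRESH)):
        print(name, "->", audit(sample, "deploy") or "compliant")
```

Run it against the live file with `audit(open("/etc/ssh/sshd_config").read(), user)` after `sshd -t` has confirmed the syntax; the password-authentication finding is expected straight after the “Setup SSH” step and should disappear once the key is in place and `PasswordAuthentication` is switched to `no`.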