From 4dcc293786a528180946d42d1172a96d3a88e0b8 Mon Sep 17 00:00:00 2001 From: newnix Date: Thu, 23 Jul 2020 03:30:30 +0000 Subject: [PATCH 1/3] Begin Refactor * UbuntuServer_18.04LTS/helpers.sh - Change shebang to `#!/usr/bin/env bash` - Collect numeric user id as CUID - Add function `perr()` - Replace echo statements with printf where possible - `__get_ip()` now only sets the address - Rename `tunning` -> `tuning` - Remove needless variable `whoapp` * UbuntuServer_18.04LTS/jshielder.sh - Change shebang to `#!/usr/bin/env bash` - Remove extraneous `echo` statements in `f_banner` - Add call to `clear` in `f_banner` - Update `check_root()` to use `CUID` from helper scripts * jsheilder.sh - Create `main` function - Simplify and generalize distro/system selection - Utilize `perr` and printf instead of echo where possible --- UbuntuServer_18.04LTS/helpers.sh | 43 ++++----- UbuntuServer_18.04LTS/jshielder.sh | 32 +++---- jshielder.sh | 137 ++++++++++++++++------------- 3 files changed, 111 insertions(+), 101 deletions(-) diff --git a/UbuntuServer_18.04LTS/helpers.sh b/UbuntuServer_18.04LTS/helpers.sh index f7b2ba3..daf2712 100644 --- a/UbuntuServer_18.04LTS/helpers.sh +++ b/UbuntuServer_18.04LTS/helpers.sh @@ -1,7 +1,9 @@ -#!/bin/bash +#!/usr/bin/env bash -spinner () -{ +# Current user ID +CUID="$(id -u)" + +spinner () { bar=" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++" barlength=${#bar} i=0 
@@ -14,38 +16,39 @@ spinner () } +# Print formatted message to stdout and stderr +perr() { + printf "[%s]: %s\n" "${MYNAME}" "${@}" >&2 +} # Show "Done." -function say_done() { - echo " " - echo -e "Done." +say_done() { + printf "%s\n" "Done." say_continue } # Ask to Continue -function say_continue() { - echo -n " To EXIT Press x Key, Press ENTER to Continue" - read acc +say_continue() { + printf "%s" "To EXIT Press x Key, Press ENTER to Continue: " + read -r acc if [ "$acc" == "x" ]; then - exit + exit 0 fi - echo " " } -# Obtain Server IP -function __get_ip() { +# Obtain Server IP, store for later use +__get_ip() { + # This will be accessible to the script after sourcing, + # so the variable can be re-used instead of this function serverip=$(ip route get 1 | awk '{print $7;exit}') - echo $serverip } # Copy Local Config Files -function tunning() { - whoapp=$1 - cp templates/$whoapp /root/.$whoapp - cp templates/$whoapp /home/$username/.$whoapp - chown $username:$username /home/$username/.$whoapp +tuning() { + cp templates/"${1}" /root/."${1}" + cp templates/"${1}" /home/"${username}"/."${1}" + chown "${username}":"${username}" /home/"${username}"/."${1}" } - diff --git a/UbuntuServer_18.04LTS/jshielder.sh b/UbuntuServer_18.04LTS/jshielder.sh index c088193..2b6f5df 100644 --- a/UbuntuServer_18.04LTS/jshielder.sh +++ b/UbuntuServer_18.04LTS/jshielder.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # JShielder v2.4 # Deployer for Ubuntu Server 18.04 LTS @@ -23,8 +23,9 @@ source helpers.sh ############################################################################################################## f_banner(){ -echo -echo " + clear + echo " + ██╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗ ███████╗██████╗ ██║██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗██╔════╝██╔══██╗ @@ -34,9 +35,9 @@ echo " ╚════╝ ╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ╚══════╝╚═╝ ╚═╝ For Ubuntu Server 18.04 LTS -Developed By Jason Soto @Jsitech" -echo -echo +Developed By Jason Soto @Jsitech + +" } 
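Review bot: The comment above `perr()` says it prints to stdout and stderr, but the body redirects only to stderr (`>&2`), so the comment should read `# Print formatted message to stderr`. Passing `"${@}"` to a format with two placeholders makes printf reuse the format when more than one message argument is given, which puts the second argument into the `[%s]` slot; `printf "[%s]: %s\n" "${MYNAME}" "${*}" >&2` keeps one line per call. `MYNAME` is not assigned anywhere in this file, so the prefix depends on the sourcing script setting it. In `tuning()`, an empty `username` makes the copy land in `/home/.<file>`; a guard such as `: "${username:?username is not set}"` at the top of the function would stop that.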
@@ -44,20 +45,13 @@ echo # Check if running with root User -clear -f_banner - - check_root() { -if [ "$USER" != "root" ]; then - echo "Permission Denied" - echo "Can only be run by root" - exit +if [ "${CUID}" -ne 0 ]; then + perr "You must be root to run this script!" + exit 1 else - clear - f_banner - jshielder_home=$(pwd) - cat templates/texts/welcome + jshielder_home=$(pwd) + cat templates/texts/welcome fi } @@ -66,8 +60,6 @@ fi # Installing Dependencies # Needed Prerequesites will be set up here install_dep(){ - clear - f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Setting some Prerequisites" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" diff --git a/jshielder.sh b/jshielder.sh index f751c70..fadd8c0 100755 --- a/jshielder.sh +++ b/jshielder.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # JShielder v2.4 @@ -22,8 +22,9 @@ ############################################################################################################## f_banner(){ -echo -echo " + clear + echo " + ██╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗ ███████╗██████╗ ██║██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗██╔════╝██╔══██╗ 
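Review bot: `check_root()` fails open when `CUID` is empty: `[ "" -ne 0 ]` is a test error (status 2), which `if` treats as false, so control falls into the `else` branch and the run continues. `CUID` and `perr` both come from `helpers.sh`, which is sourced by relative path, so a failed `source` is enough to reach that state. Testing for the allowed case with a string comparison cannot error out: `[ "${CUID:-}" = "0" ] || { perr "You must be root to run this script!"; exit 1; }`, followed by the `jshielder_home` and `cat` lines.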
@@ -33,66 +34,80 @@ echo " ╚════╝ ╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ╚══════╝╚═╝ ╚═╝ Automated Hardening Script for Linux Servers -Developed By Jason Soto @JsiTech " -echo -echo +Developed By Jason Soto @JsiTech + +" } ############################################################################################################## -#Check if Running with root user - -if [ "$USER" != "root" ]; then - echo "Permission Denied" - echo "Can only be run by root" - exit -else - clear - f_banner -fi - - -menu="" -until [ "$menu" = "10" ]; do - -clear -f_banner - -echo -echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" -echo -e "\e[93m[+]\e[00m SELECT YOUR LINUX DISTRIBUTION" -echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" -echo "" -echo "1. Ubuntu Server 16.04 LTS" -echo "2. Ubuntu Server 18.04 LTS" -echo "3. Linux CentOS 7 (Coming Soon)" -echo "4. Debian GNU/Linux 8 (Coming Soon)" -echo "5. Debian GNU/Linux 9 (Coming Soon)" -echo "6. Red Hat Linux 7 (Coming Soon)" -echo "7. Exit" -echo - -read menu -case $menu in - -1) -cd UbuntuServer_16.04LTS/ -chmod +x jshielder.sh -./jshielder.sh -;; - -2) -cd UbuntuServer_18.04LTS/ -chmod +x jshielder.sh -./jshielder.sh -;; - -8) -break -;; - -*) ;; - -esac -done +# Create distro variable +DISTRO="" +CUID=$(id -u) +MYNAME="$(basename "${0}")" + +# Allow more generalized selection of distro scripts +run_script() { + if [ -n "${1}" ] + then + if [ -d "${1}" ] + then + # Leverage the fact that the child script has the same name + cd "${1}" 2<&- && chmod +x ./"${MYNAME}" && ./"${MYNAME}" + else + perr "${1} is not currently supported!" 
+ fi + else + printf "[%s]: Unknown input provided\n" "${MYNAME%.sh}" + fi +} + +# Print formatted message to stdout and stderr +perr() { + printf "[%s]: %s\n" "${MYNAME%.sh}" "${@}" >&2 +} + +main() { + # Check if Running with root user + if [ "${CUID}" -ne 0 ]; then + perr "You must be root to run this script!" + exit 1 + else + f_banner + fi + + + menu="" + until [ "$menu" = "10" ]; do + + f_banner + + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + echo -e "\e[93m[+]\e[00m SELECT YOUR LINUX DISTRIBUTION" + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + printf "\t%d. %s\n"\ + "1" "Ubuntu Server 16.04 LTS"\ + "2" "Ubuntu Server 18.04 LTS"\ + "3" "Linux CentOS 7 (Coming Soon)"\ + "4" "Debian GNU/Linux 8 (Coming Soon)"\ + "5" "Debian GNU/Linux 9 (Coming Soon)"\ + "6" "Red Hat Linux 7 (Coming Soon)"\ + "7" "Exit" + + read -r menu + case $menu in + + # Simply retain this pattern to make additions easier + 1) DISTRO="UbuntuServer_16.04LTS" ;; + 2) DISTRO="UbuntuServer_18.04LTS" ;; + 7) return 0 ;; # Exit, as stated by the menu + 8) break ;; + *) return 1 ;; # Invalid selection + + esac + done + run_script "${DISTRO}" +} + +main From 863fe1cefe0adf2dcd481b2115b26f6667e42e75 Mon Sep 17 00:00:00 2001 
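Review bot: In `main()` the `1)` and `2)` arms only assign `DISTRO` while the loop condition tests for `"10"`, so choosing a distribution just redraws the menu; `run_script` is reached only through the unlisted `8) break` arm, and any other key hits `*) return 1` without a message. Ending the selection arms with `break`, e.g. `1) DISTRO="UbuntuServer_16.04LTS"; break ;;`, and reporting the invalid case through `perr` would match what the menu promises. `run_script` then changes into `"${1}"` relative to the caller's working directory and executes `./"${MYNAME}"` as root, so which file runs depends on where the tool was started from; anchoring on the script's own location, `cd "$(dirname "${0}")/${1}"`, removes that dependency. The `2<&-` on that `cd` closes stderr instead of redirecting it, which hides the reason when the directory change fails.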
From: newnix Date: Thu, 23 Jul 2020 05:00:25 +0000 Subject: [PATCH 2/3] Finish Initial Refactor * UbuntuServer_18.04LTS/helpers.sh - Add echo to `spinner` * UbuntuServer_18.04LTS/ - Evaluate `MYNAME` - Turn unconditional command chains into lists with conditional execution, typically using `{}` and `&&` constructs - Add `-r` to all `read` calls - Utilize `printf` to reduce calls to `echo` and some loops - Add comments noting where improvements can be made, that would require some deeper understanding of the script functionality to ensure proper configuration - Remove calls to `clear` before `f_banner` - Simplify handling of `/tmp` modifications - Utilize subshells when traversing the filesystem using `cd` - Reduce several installation steps to single lines - Ensure proper quoting of variables - Simplify subshell in `additional_hardening` to not pipe `awk(1)` into `grep(1)` - Turn `disable_compilers` into a loop - Moved menu selection logic into newly created `main()` function --- UbuntuServer_18.04LTS/helpers.sh | 1 + UbuntuServer_18.04LTS/jshielder.sh | 1421 +++++++++++++--------------- 2 files changed, 681 insertions(+), 741 deletions(-) diff --git a/UbuntuServer_18.04LTS/helpers.sh b/UbuntuServer_18.04LTS/helpers.sh index daf2712..c17477c 100644 --- a/UbuntuServer_18.04LTS/helpers.sh +++ b/UbuntuServer_18.04LTS/helpers.sh @@ -7,6 +7,7 @@ spinner () { bar=" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++" barlength=${#bar} i=0 + echo "" while ((i < 100)); do n=$((i*barlength / 100)) printf "\e[00;34m\r[%-${barlength}s]\e[00m" "${bar:0:n}" diff --git a/UbuntuServer_18.04LTS/jshielder.sh b/UbuntuServer_18.04LTS/jshielder.sh index 2b6f5df..c83cc26 100644 --- a/UbuntuServer_18.04LTS/jshielder.sh +++ b/UbuntuServer_18.04LTS/jshielder.sh @@ -19,6 +19,7 @@ source helpers.sh +MYNAME="$(basename "${0%.sh}" )" ############################################################################################################## 
@@ -63,84 +64,74 @@ install_dep(){ echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Setting some Prerequisites" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" spinner - add-apt-repository universe - say_done + add-apt-repository universe\ + && say_done } ############################################################################################################## # Configure Hostname config_host() { -echo -n " ¿Do you Wish to Set a HostName? (y/n): "; read config_host -if [ "$config_host" == "y" ]; then - serverip=$(__get_ip) - echo " Type a Name to Identify this server :" - echo -n " (For Example: myserver): "; read host_name - echo -n " ¿Type Domain Name?: "; read domain_name - echo $host_name > /etc/hostname - hostname -F /etc/hostname - echo "127.0.0.1 localhost.localdomain localhost" >> /etc/hosts - echo "$serverip $host_name.$domain_name $host_name" >> /etc/hosts - #Creating Legal Banner for unauthorized Access - echo "" - echo "Creating legal Banners for unauthorized access" - spinner - cat templates/motd > /etc/motd - cat templates/motd > /etc/issue - cat templates/motd > /etc/issue.net - sed -i s/server.com/$host_name.$domain_name/g /etc/motd /etc/issue /etc/issue.net - echo "OK " -fi - say_done + echo -n " ¿Do you Wish to Set a HostName? 
(y/n): "; read -r config_host + if [ "$config_host" == "y" ]; then + __get_ip + echo " Type a Name to Identify this server :" + echo -n " (For Example: myserver): "; read -r host_name + echo -n " ¿Type Domain Name?: "; read -r domain_name + echo "${host_name}" > /etc/hostname && hostname -F /etc/hostname + printf "%s\t%s\t%s\n"\ + "127.0.0.1" "localhost.localdomain" "localhost"\ + "$serverip" "$host_name.$domain_name" "$host_name" >> /etc/hosts + # Creating Legal Banner for unauthorized Access + perr "Creating legal Banners for unauthorized access" + spinner + # Retain execution context, create command list + { + sed -i s/server.com/"${host_name}.${domain_name}"/g templates/motd\ + && cat templates/motd > /etc/motd\ + && cat templates/motd > /etc/issue\ + && cat templates/motd > /etc/issue.net + } && echo "OK " + fi + say_done } ############################################################################################################## # Configure TimeZone config_timezone(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m We will now Configure the TimeZone" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - sleep 10 - dpkg-reconfigure tzdata - say_done + dpkg-reconfigure tzdata && say_done } ############################################################################################################## # Update System, Install sysv-rc-conf tool update_system(){ - clear - f_banner - echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo -e "\e[93m[+]\e[00m Updating the System" - echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" - apt update - apt upgrade -y - apt dist-upgrade -y - say_done + 
f_banner + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + echo -e "\e[93m[+]\e[00m Updating the System" + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + { + apt update && apt upgrade -y && apt dist-upgrade -y + } >/dev/null && say_done } ############################################################################################################## # Setting a more restrictive UMASK restrictive_umask(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Setting UMASK to a more Restrictive Value (027)" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" spinner - cp templates/login.defs /etc/login.defs - echo "" - echo "OK" + cp templates/login.defs /etc/login.defs && echo "OK" say_done } 
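Review bot: In `config_host` the `sed -i` now rewrites `templates/motd` itself instead of the installed copies, so the repository template permanently carries the first hostname entered and a later run finds no `server.com` left to replace. `host_name` and `domain_name` also go into the sed expression, `/etc/hostname` and `/etc/hosts` exactly as typed, so a `/` or `&` in the input changes the expression. Copying the template first and substituting in the targets, `sed -i "s/server\.com/${host_name}.${domain_name}/g" /etc/motd /etc/issue /etc/issue.net`, after checking both values against a pattern such as `^[A-Za-z0-9.-]+$`, keeps the template intact. In `update_system`, `>/dev/null` on the apt group also hides any prompt the upgrade prints, which may leave the run waiting on input nobody can see.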
@@ -149,77 +140,71 @@ restrictive_umask(){ #Disabling Unused Filesystems unused_filesystems(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Disabling Unused FileSystems" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" spinner - echo "install cramfs /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install freevxfs /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install squashfs /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install vfat /bin/true" >> /etc/modprobe.d/CIS.conf - echo " OK" + printf "install %s /bin/true"\ + "cramfs"\ + "freevxfs"\ + "jffs2"\ + "hfs"\ + "hfsplus"\ + "squashfs"\ + "udf"\ + "vfat"\ + >> /etc/modprobe.d/CIS.conf && echo " OK" say_done } ############################################################################################################## uncommon_netprotocols(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Disabling Uncommon Network Protocols" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" spinner - echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf - echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf - echo " OK" + printf "install %s /bin/true"\ + "dccp"\ + "sctp"\ + "rds"\ + "tipc"\ + >> /etc/modprobe.d/CIS.conf && echo " OK" say_done - } 
############################################################################################################## # Create Privileged User admin_user(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m We will now Create a New User" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" - echo -n " Type the new username: "; read username - adduser $username - say_done + ## XXX: Consider using an until loop here to loop until a user is successfully created + printf "\n Type the new username: "; read -r username + adduser "${username}" + say_done } ############################################################################################################## # Instruction to Generate RSA Keys rsa_keygen(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Instructions to Generate an RSA KEY PAIR" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" - serverip=$(__get_ip) echo " *** IF YOU DONT HAVE A PUBLIC RSA KEY, GENERATE ONE ***" echo " Follow the Instruction and Hit Enter When Done" echo " To receive a new Instruction" echo " " + ## XXX: Look at supporting additional key types, should not be particularly difficult echo " RUN THE FOLLOWING COMMANDS" - echo -n " a) ssh-keygen -t rsa -b 4096 "; read foo1 - echo -n " b) cat /home/$username/.ssh/id_rsa.pub >> /home/$username/.ssh/authorized_keys "; read foo2 + echo -n " a) ssh-keygen -t rsa -b 4096 "; read -r foo1 + echo -n " b) cat /home/${username}/.ssh/id_rsa.pub >> /home/${username}/.ssh/authorized_keys "; read -r foo2 say_done } 
############################################################################################################## 
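Review bot: The `printf "install %s /bin/true"` format in `unused_filesystems` has no trailing `\n`, so the eight entries are appended to `/etc/modprobe.d/CIS.conf` as one run-together line; modprobe then sees a single malformed `install cramfs` rule and no rule at all for the other modules. `uncommon_netprotocols` uses the same format string and has the same problem. The format should be `printf 'install %s /bin/true\n'` in both functions. Because the file is opened with `>>`, every run also appends the entries again. In `rsa_keygen`, `serverip` is no longer assigned, so `rsa_keycopy` prints an empty address unless `config_host` was answered with `y` earlier in the run.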
@@ -228,40 +213,35 @@ rsa_keygen(){ rsa_keycopy(){ echo " Run the Following Command to copy the Key" echo " Press ENTER when done " - echo " ssh-copy-id -i $HOME/.ssh/id_rsa.pub $username@$serverip " + echo " ssh-copy-id -i ${HOME}/.ssh/id_rsa.pub ${username}@${serverip} " say_done } ############################################################################################################## #Securing /tmp Folder secure_tmp(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Securing /tmp Folder" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - echo -n " ¿Did you Create a Separate /tmp partition during the Initial Installation? (y/n): "; read tmp_answer - if [ "$tmp_answer" == "n" ]; then - echo "We will create a FileSystem for the /tmp Directory and set Proper Permissions " - spinner - dd if=/dev/zero of=/usr/tmpDISK bs=1024 count=2048000 - mkdir /tmpbackup - cp -Rpf /tmp /tmpbackup - mount -t tmpfs -o loop,noexec,nosuid,rw /usr/tmpDISK /tmp - chmod 1777 /tmp - cp -Rpf /tmpbackup/* /tmp/ - rm -rf /tmpbackup - echo "/usr/tmpDISK /tmp tmpfs loop,nosuid,nodev,noexec,rw 0 0" >> /etc/fstab - sudo mount -o remount /tmp - say_done - else + echo -n " ¿Did you Create a Separate /tmp partition during the Initial Installation? 
(y/n): "; read -r tmp_answer + # Change behaviour to require explicit "y" + if [ "$tmp_answer" == "y" ]; then echo "Nice Going, Remember to set proper permissions in /etc/fstab" echo "" echo "Example:" echo "" echo "/dev/sda4 /tmp tmpfs loop,nosuid,noexec,rw 0 0 " say_done + else + echo "We will create a FileSystem for the /tmp Directory and set Proper Permissions " + spinner + # May not actually be a valid fstab entry on Linux, modeled after usage on DragonFly BSD + # however, only minor modification should be necessary to ensure correct flags are set + echo "tmpfs /tmp tmpfs loop,nosuid,nodev,noexec,mode=1777,uid=0,gid=0,size=2g,rw 0 0" >> /etc/fstab\ + && perr "On the next reboot run 'rm -rf /tmp/* && reboot' to ensure settings are applied correctly" + say_done fi } @@ -269,7 +249,6 @@ secure_tmp(){ # Secure SSH secure_ssh(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Securing SSH" @@ -277,9 +256,9 @@ secure_ssh(){ echo "" echo -n " Securing SSH..." spinner - sed s/USERNAME/$username/g templates/sshd_config > /etc/ssh/sshd_config; echo "OK" - chattr -i /home/$username/.ssh/authorized_keys - service ssh restart + sed s/USERNAME/"${username}"/g templates/sshd_config > /etc/ssh/sshd_config && echo "OK"\ + && service ssh restart\ + && chattr -i /home/"${username}"/.ssh/authorized_keys say_done } @@ -287,7 +266,6 @@ secure_ssh(){ # Set IPTABLES Rules set_iptables(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Setting IPTABLE RULES" 
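Review bot: The fstab line written by `secure_tmp` carries the `loop` option on a `tmpfs` source, which the added comment itself doubts is valid on Linux, and nothing checks the entry before it is appended to `/etc/fstab`. If the mount is rejected at boot, `/tmp` stays on the root filesystem without `noexec`, `nosuid` and `nodev`, while the script has already printed `Done.`. Dropping `loop` and checking the result after the append, for example with `findmnt --verify`, would catch that, and a `grep -q` guard for an existing `/tmp` entry would stop repeated runs from adding duplicates. The inverted test also means that any answer other than `y`, including a bare ENTER, now edits `/etc/fstab`.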
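Review bot: `secure_ssh` overwrites the live `/etc/ssh/sshd_config` through a redirection and restarts the service without validating the file, so a failed `sed` or a bad template leaves an empty or broken config on a host that may only be reachable over SSH. `username` is also placed into the sed expression unescaped. Rendering into a temporary file, checking it with `sshd -t -f`, and only then installing it keeps the running configuration intact on failure. The `chattr -i` call clears the immutable flag on `authorized_keys`; if the intent is to lock the file that would be `+i`, which is worth confirming with the author.

```shell
# … unchanged: banner, "Securing SSH..." message, spinner …
tmp_cfg="$(mktemp)" || return 1
sed "s/USERNAME/${username}/g" templates/sshd_config > "${tmp_cfg}"\
  && /usr/sbin/sshd -t -f "${tmp_cfg}"\
  && install -m 0644 "${tmp_cfg}" /etc/ssh/sshd_config\
  && service ssh restart\
  && echo "OK"
rm -f -- "${tmp_cfg}"
# … unchanged: chattr call, say_done …
```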
@@ -295,10 +273,10 @@ set_iptables(){ echo "" echo -n " Setting Iptables Rules..." spinner - sh templates/iptables.sh - cp templates/iptables.sh /etc/init.d/ - chmod +x /etc/init.d/iptables.sh - ln -s /etc/init.d/iptables.sh /etc/rc2.d/S99iptables.sh + sh templates/iptables.sh\ + && cp templates/iptables.sh /etc/init.d/\ + && chmod +x /etc/init.d/iptables.sh\ + && ln -s /etc/init.d/iptables.sh /etc/rc2.d/S99iptables.sh say_done } @@ -308,14 +286,14 @@ set_iptables(){ # To Remove a Fail2Ban rule use: # iptables -D fail2ban-ssh -s IP -j DROP install_fail2ban(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing Fail2Ban" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - apt install sendmail - apt install fail2ban + ## XXX: This should be replaced with something like dma or opensmtpd + MTA="sendmail" + apt install "${MTA}" fail2ban say_done } 
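Review bot: A failure anywhere in the `&&` chain of `set_iptables` is silent, because `say_done` follows unconditionally and prints `Done.`; if `sh templates/iptables.sh` returns non-zero, the rules are never copied to `/etc/init.d` and the host comes back from a reboot without them. The same shape appears in `secure_ssh`, `install_secure_mysql`, `install_nginx`, `install_modevasive` and `config_fail2ban`. Ending each chain with an explicit report, e.g. `|| perr "iptables rules were not installed"`, makes the skipped steps visible. `ln -s` also fails once the link exists, so `ln -sf` is the safer form for repeated runs.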
@@ -323,20 +301,18 @@ install_fail2ban(){ # Install, Configure and Optimize MySQL install_secure_mysql(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing, Configuring and Optimizing MySQL" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" apt install mysql-server - echo "" - echo -n " configuring MySQL............ " + printf "\n configuring MySQL............ " spinner - cp templates/mysql /etc/mysql/mysqld.cnf; echo " OK" - mysql_secure_installation - cp templates/usr.sbin.mysqld /etc/apparmor.d/local/usr.sbin.mysqld - service mysql restart + cp templates/mysql /etc/mysql/mysqld.cnf && echo " OK"\ + && mysql_secure_installation\ + && cp templates/usr.sbin.mysqld /etc/apparmor.d/local/usr.sbin.mysqld\ + && service mysql restart say_done } @@ -344,7 +320,6 @@ install_secure_mysql(){ # Install Apache install_apache(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing Apache Web Server" 
@@ -358,17 +333,18 @@ install_apache(){ # Install Nginx install_nginx(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing NginX Web Server" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" + perr "Updating repos to include Nginx PPA" echo "deb http://nginx.org/packages/ubuntu/ bionic nginx" >> /etc/apt/sources.list echo "deb-src http://nginx.org/packages/ubuntu/ bionic nginx" >> /etc/apt/sources.list - curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key - apt update - apt install nginx + curl -O https://nginx.org/keys/nginx_signing.key\ + && apt-key add ./nginx_signing.key\ + && apt update\ + && apt install nginx say_done } 
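Review bot: `install_nginx` trusts `nginx_signing.key` as downloaded: the file goes straight from `curl -O` into `apt-key add`, which places it in the global APT keyring with no fingerprint comparison, and the two `deb` lines it vouches for use plain `http://`. Comparing the fingerprint gpg reports for the file with the one nginx publishes (`<EXPECTED_FINGERPRINT>` as a placeholder here) and storing the key in a dedicated keyring referenced by `signed-by=` limits what that key can sign for. `curl -fsSLO` would make an HTTP error fail the chain instead of saving an error page. Both `echo ... >> /etc/apt/sources.list` lines also append again on every run.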
@@ -377,70 +353,65 @@ install_nginx(){ #Compile ModSecurity for NginX compile_modsec_nginx(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Install Prerequisites and Compiling ModSecurity for NginX" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" -apt install bison flex make automake gcc pkg-config libtool doxygen git curl zlib1g-dev libxml2-dev libpcre3-dev build-essential libyajl-dev yajl-tools liblmdb-dev rdmacm-utils libgeoip-dev libcurl4-openssl-dev liblua5.2-dev libfuzzy-dev openssl libssl-dev - -cd /opt/ -git clone https://github.com/SpiderLabs/ModSecurity - -cd ModSecurity -git checkout v3/master -git submodule init -git submodule update - -./build.sh -./configure -make -make install - -cd .. + apt install bison flex make automake gcc pkg-config libtool doxygen git curl zlib1g-dev libxml2-dev libpcre3-dev build-essential libyajl-dev yajl-tools liblmdb-dev rdmacm-utils libgeoip-dev libcurl4-openssl-dev liblua5.2-dev libfuzzy-dev openssl libssl-dev -nginx_version=$(dpkg -l |grep nginx | awk '{print $3}' | cut -d '-' -f1) + # Start a subshell since we're changing directory + ( + cd /opt/ && git clone https://github.com/SpiderLabs/ModSecurity -wget http://nginx.org/download/nginx-$nginx_version.tar.gz -tar xzvf nginx-$nginx_version.tar.gz + cd ModSecurity\ + && git checkout v3/master\ + && git submodule init\ + && git submodule update\ + && ./build.sh\ + && ./configure\ + && make\ + && make install -git clone https://github.com/SpiderLabs/ModSecurity-nginx + cd .. 
-cd nginx-$nginx_version/ + nginx_version=$(dpkg -l |grep nginx | awk '{print $3}' | cut -d '-' -f1) -./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx -make modules + wget "http://nginx.org/download/nginx-${nginx_version}.tar.gz"\ + && tar xzvf "nginx-${nginx_version}.tar.gz" -cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/ + git clone https://github.com/SpiderLabs/ModSecurity-nginx -cd /etc/nginx/ + cd "nginx-${nginx_version}"\ + && ./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx\ + && make modules\ + && cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/ -mkdir /etc/nginx/modsec -cd /etc/nginx/modsec -git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git -mv /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf.example /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf + cd /etc/nginx/ || perr "Cannot chdir to /etc/nginx!" -cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf + mkdir -p /etc/nginx/modsec + cd /etc/nginx/modsec\ + && git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git\ + && mv /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf.example /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf\ + && cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf\ + && printf "Include /etc/nginx/modsec/%s\n"\ + "modsecurity.conf"\ + "owasp-modsecurity-crs/crs-setup.conf"\ + 'owasp-modsecurity-crs/rules/*.conf'\ + >> /etc/nginx/modsec/main.conf\ + && wget -P /etc/nginx/modsec/ https://github.com/SpiderLabs/ModSecurity/raw/v3/master/unicode.mapping + ) -echo "Include /etc/nginx/modsec/modsecurity.conf" >> /etc/nginx/modsec/main.conf -echo "Include /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf" >> /etc/nginx/modsec/main.conf -echo "Include /etc/nginx/modsec/owasp-modsecurity-crs/rules/*.conf" >> /etc/nginx/modsec/main.conf - -wget -P /etc/nginx/modsec/ 
https://github.com/SpiderLabs/ModSecurity/raw/v3/master/unicode.mapping -cd $jshielder_home - - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Configuring ModSecurity for NginX" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" spinner - cp templates/nginx /etc/nginx/nginx.conf - cp templates/nginx_default /etc/nginx/conf.d/default.conf - service nginx restart + cp templates/nginx /etc/nginx/nginx.conf\ + && cp templates/nginx_default /etc/nginx/conf.d/default.conf\ + && service nginx restart say_done } @@ -449,14 +420,11 @@ cd $jshielder_home # Install, Configure and Optimize PHP install_secure_php(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing, Configuring and Optimizing PHP" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" - apt install -y php php-cli php-pear - apt install -y php-mysql python-mysqldb libapache2-mod-php7.2 + apt install -y php php-cli php-pear php-mysql python-mysqldb libapache2-mod-php7.2 echo "" echo -n " Replacing php.ini..." spinner @@ -470,7 +438,6 @@ install_secure_php(){ # Install, Configure and Optimize PHP for Nginx install_secure_php_nginx(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing, Configuring and Optimizing PHP for NginX" 
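Review bot: `compile_modsec_nginx` downloads `nginx-${nginx_version}.tar.gz` over plain `http://` and unpacks and builds it as root with no checksum or signature check, and the ModSecurity clones build whatever `v3/master` and the default branches point to at that moment. Fetching the tarball over `https://` together with the detached signature nginx publishes next to it, verifying before `tar`, and checking out a pinned tag or commit (`<PINNED_REF>`) makes the build reproducible and tamper-evident. Inside the subshell the bare `cd ..` and `cd /etc/nginx/ || perr ...` do not stop the sequence when they fail, and the subshell's exit status is discarded, so `service nginx restart` runs even when the module was never built. Ending each chain with `|| exit 1` and closing the subshell with `) || { perr "ModSecurity build failed"; return 1; }` would stop there.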
@@ -489,16 +456,13 @@ install_secure_php_nginx(){ # Install ModSecurity install_modsecurity(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing ModSecurity" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - apt install libxml2 libxml2-dev libxml2-utils - apt install libaprutil1 libaprutil1-dev - apt install libapache2-mod-security2 - service apache2 restart + apt install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache2-mod-security2\ + && service apache2 restart say_done } 
@@ -506,32 +470,24 @@ install_modsecurity(){ # Configure OWASP ModSecurity Core Rule Set (CRS3) set_owasp_rules(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Setting UP OWASP ModSecurity Core Rule Set (CRS3)" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" - - #for archivo in /usr/share/modsecurity-crs/base_rules/* - # do ln -s $archivo /usr/share/modsecurity-crs/activated_rules/ - #done - #for archivo in /usr/share/modsecurity-crs/optional_rules/* - # do ln -s $archivo /usr/share/modsecurity-crs/activated_rules/ - #done spinner echo "OK" - sed s/SecRuleEngine\ DetectionOnly/SecRuleEngine\ On/g /etc/modsecurity/modsecurity.conf-recommended > salida - mv salida /etc/modsecurity/modsecurity.conf - - echo 'SecServerSignature "AntiChino Server 1.0.4 LS"' >> /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf - echo 'Header set X-Powered-By "Plankalkül 1.0"' >> /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf - echo 'Header set X-Mamma "Mama mia let me go"' >> /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf + sed s/SecRuleEngine\ DetectionOnly/SecRuleEngine\ On/g /etc/modsecurity/modsecurity.conf-recommended > salida\ + && mv salida /etc/modsecurity/modsecurity.conf - a2enmod headers - service apache2 restart + printf "%s\n"\ + 'SecServerSignature "AntiChino Server 1.0.4 LS"'\ + 'Header set X-Powered-By "Plankalkül 1.0"'\ + 'Header set X-Mamma "Mama mia let me go"'\ + >> /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf\ + && a2enmod headers\ + && service apache2 restart say_done } 
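Review bot: `set_owasp_rules` prints `OK` right after `spinner`, before the `sed`, the `mv` and the restart have run, so the message says nothing about the outcome; it belongs at the end of the last chain. The edited config is staged in a file named `salida` in the current working directory before root moves it into `/etc/modsecurity/`; copying the recommended file into place and editing the copy avoids the intermediate file: `cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf && sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/modsecurity/modsecurity.conf`. The `printf ... >>` block appends the three directives again on every run.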
@@ -539,7 +495,6 @@ set_owasp_rules(){ # Configure and optimize Apache secure_optimize_apache(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Optimizing Apache" @@ -548,8 +503,7 @@ secure_optimize_apache(){ cp templates/apache /etc/apache2/apache2.conf echo " -- Enabling ModRewrite" spinner - a2enmod rewrite - service apache2 restart + a2enmod rewrite && service apache2 restart say_done } @@ -557,18 +511,16 @@ secure_optimize_apache(){ # Install ModEvasive install_modevasive(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing ModEvasive" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo "" - echo -n " Type Email to Receive Alerts "; read inbox - apt install libapache2-mod-evasive - mkdir /var/log/mod_evasive - chown www-data:www-data /var/log/mod_evasive/ - sed s/MAILTO/$inbox/g templates/mod-evasive > /etc/apache2/mods-available/mod-evasive.conf - service apache2 restart + printf " Type Email to Receive Alerts "; read -r inbox + apt install libapache2-mod-evasive\ + && mkdir /var/log/mod_evasive\ + && chown www-data:www-data /var/log/mod_evasive/\ + && sed s/MAILTO/"${inbox}"/g templates/mod-evasive > /etc/apache2/mods-available/mod-evasive.conf\ + && service apache2 restart say_done } 
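Review bot: In `install_modevasive` the new chain makes `mkdir /var/log/mod_evasive` a hard precondition, so on a second run, when the directory already exists, `mkdir` fails and the `chown`, the config write and the Apache restart are all skipped. `mkdir -p /var/log/mod_evasive` keeps the chain but tolerates the existing directory. Separately, `${inbox}` is typed by the operator and pasted straight into the sed expression, so an address containing `/` or `&` changes the substitution. A format check before use, such as `case "${inbox}" in *[!A-Za-z0-9@._+-]*|'') echo "invalid address" >&2; return 1;; esac`, would cover this as well as the same substitution in config_fail2ban and install_psad.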
@@ -576,17 +528,15 @@ install_modevasive(){ # Install Mod_qos/spamhaus install_qos_spamhaus(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing Mod_Qos/Spamhaus" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - apt -y install libapache2-mod-qos - cp templates/qos /etc/apache2/mods-available/qos.conf - apt -y install libapache2-mod-spamhaus - cp templates/spamhaus /etc/apache2/mods-available/spamhaus.conf - service apache2 restart + apt -y install libapache2-mod-qos libapache2-mod-spamhaus\ + && cp templates/qos /etc/apache2/mods-available/qos.conf\ + && cp templates/spamhaus /etc/apache2/mods-available/spamhaus.conf\ + && service apache2 restart say_done } @@ -594,7 +544,6 @@ install_qos_spamhaus(){ # Configure fail2ban config_fail2ban(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Configuring Fail2Ban" @@ -602,9 +551,9 @@ config_fail2ban(){ echo "" echo " Configuring Fail2Ban......" spinner - sed s/MAILTO/$inbox/g templates/fail2ban > /etc/fail2ban/jail.local - cp /etc/fail2ban/jail.local /etc/fail2ban/jail.conf - /etc/init.d/fail2ban restart + sed s/MAILTO/"${inbox}"/g templates/fail2ban > /etc/fail2ban/jail.local\ + && cp /etc/fail2ban/jail.local /etc/fail2ban/jail.conf\ + && /etc/init.d/fail2ban restart say_done } 
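Review bot: `config_fail2ban` substitutes `${inbox}`, but within this diff that variable is only read in install_modevasive and in menu item 8. The option 2 and option 4 sequences in `main()` call `config_fail2ban` without calling install_modevasive first, so unless `inbox` is set somewhere outside the visible hunks, MAILTO is replaced by an empty string and fail2ban alerts have no recipient. Prompting when the value is missing would close the gap: `[ -n "${inbox}" ] || { printf " Type Email to Receive Alerts "; read -r inbox; }`. The function body starts outside this hunk.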
@@ -612,12 +561,12 @@ config_fail2ban(){ # Install Additional Packages additional_packages(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing Additional Packages" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" + ## XXX: This should be a loop to collect which packages to install echo "Install tree............."; apt install tree echo "Install Python-MySQLdb..."; apt install python-mysqldb echo "Install WSGI............."; apt install libapache2-mod-wsgi @@ -640,7 +589,6 @@ additional_packages(){ # Tune and Secure Kernel tune_secure_kernel(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Tuning and Securing the Linux Kernel" @@ -659,7 +607,6 @@ tune_secure_kernel(){ # Install RootKit Hunter install_rootkit_hunter(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing RootKit Hunter" @@ -674,11 +621,10 @@ install_rootkit_hunter(){ - Look for hidden files - Optional scan within plaintext and binary files " sleep 1 - cd rkhunter-1.4.6/ - sh installer.sh --layout /usr --install - cd .. - rkhunter --update - rkhunter --propupd + ( + cd rkhunter-1.4.6/\ + && sh installer.sh --layout /usr --install + ) && rkhunter --update && rkhunter --propupd echo "" echo " ***To Run RootKit Hunter ***" echo " rkhunter -c --enable all --disable none" 
@@ -690,33 +636,32 @@ install_rootkit_hunter(){ # Tuning tune_nano_vim_bashrc(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" - echo -e "\e[93m[+]\e[00m Tunning bashrc, nano and Vim" + echo -e "\e[93m[+]\e[00m Tuning bashrc, nano and Vim" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" # Tune .bashrc - echo "Tunning .bashrc......" + echo "Tuning .bashrc......" spinner - cp templates/bashrc-root /root/.bashrc - cp templates/bashrc-user /home/$username/.bashrc - chown $username:$username /home/$username/.bashrc + cp templates/bashrc-root /root/.bashrc\ + && cp templates/bashrc-user /home/"${username}"/.bashrc\ + && chown "${username}":"${username}" /home/"${username}"/.bashrc echo "OK" # Tune Vim - echo "Tunning Vim......" + echo "Tuning Vim......" spinner - tunning vimrc + tuning vimrc echo "OK" # Tune Nano - echo "Tunning Nano......" + echo "Tuning Nano......" spinner - tunning nanorc + tuning nanorc echo "OK" say_done } @@ -725,7 +670,6 @@ tune_nano_vim_bashrc(){ # Add Daily Update Cron Job daily_update_cronjob(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Adding Daily System Update Cron Job" @@ -734,10 +678,10 @@ daily_update_cronjob(){ echo "Creating Daily Cron Job" spinner job="@daily apt update; apt dist-upgrade -y" - touch job - echo $job >> job - crontab job - rm job + touch job\ + && echo "${job}" > job\ + && crontab job\ + && rm job say_done } 
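Review bot: `crontab job` in `daily_update_cronjob` replaces root's entire crontab with the single `@daily` line, so any entries that were already installed, including ones added by other hardening or monitoring tools, are silently dropped. Appending to the existing table avoids that and also removes the need for the `job` scratch file: `( crontab -l 2>/dev/null; printf '%s\n' "${job}" ) | crontab -`. If repeated runs are expected, filter out an existing copy of the line first so it is not added twice. The function body starts outside this hunk.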
@@ -745,18 +689,17 @@ daily_update_cronjob(){ # Install PortSentry install_portsentry(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing PortSentry" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - apt install portsentry - mv /etc/portsentry/portsentry.conf /etc/portsentry/portsentry.conf-original - cp templates/portsentry /etc/portsentry/portsentry.conf - sed s/tcp/atcp/g /etc/default/portsentry > salida.tmp - mv salida.tmp /etc/default/portsentry - /etc/init.d/portsentry restart + apt install portsentry\ + && mv /etc/portsentry/portsentry.conf /etc/portsentry/portsentry.conf-original\ + && cp templates/portsentry /etc/portsentry/portsentry.conf\ + && sed s/tcp/atcp/g /etc/default/portsentry > salida.tmp\ + && mv salida.tmp /etc/default/portsentry\ + && /etc/init.d/portsentry restart say_done } 
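Review bot: `install_portsentry` is not safe to run twice: `sed s/tcp/atcp/g` rewrites every occurrence of `tcp`, so a second run turns `atcp` into `aatcp`, and the `mv` to `portsentry.conf-original` overwrites the real backup with the already-replaced file. Assuming `/etc/default/portsentry` carries the usual `TCP_MODE="tcp"` line, anchoring the substitution makes it idempotent: `sed 's/^TCP_MODE="tcp"/TCP_MODE="atcp"/'`. The backup can be guarded with `[ -e /etc/portsentry/portsentry.conf-original ] || mv ...`.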
@@ -764,22 +707,34 @@ install_portsentry(){ # Install and Configure Artillery install_artillery (){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Cloning Repo and Installing Artillery" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - git clone https://github.com/BinaryDefense/artillery - cd artillery/ - python setup.py - cd .. + ( + git clone https://github.com/BinaryDefense/artillery\ + && cd artillery/\ + && python setup.py + ) echo "" echo "Setting Iptable rules for artillery" spinner - for port in 22 1433 8080 21 5900 53 110 1723 1337 10000 5800 44443 16993; do - echo "iptables -A INPUT -p tcp -m tcp --dport $port -j ACCEPT" >> /etc/init.d/iptables.sh - done + printf "iptables -A INPUT -p tcp -m tcp --dport %d -j ACCEPT\n"\ + "22"\ + "1433"\ + "8080"\ + "21"\ + "5900"\ + "53"\ + "110"\ + "1723"\ + "1337"\ + "10000"\ + "5800"\ + "44443"\ + "16993"\ + >> /etc/init.d/iptables.sh echo "" echo "Artillery configuration file is /var/artillery/config" say_done @@ -788,7 +743,6 @@ install_artillery (){ # Additional Hardening Steps additional_hardening(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Running additional Hardening Steps" 
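Review bot: `install_artillery` clones whatever the default branch of the repository holds at that moment and runs its `setup.py` as root, so the code executed on the server is neither pinned nor verified. Cloning a fixed release and comparing the resulting commit with a value recorded in this repository would make the install reproducible and auditable, e.g. `git clone --depth 1 --branch <RELEASE_TAG> https://github.com/BinaryDefense/artillery` followed by `[ "$(git -C artillery rev-parse HEAD)" = "<EXPECTED_COMMIT>" ]` before `python setup.py`. Note also that the `printf` appends the thirteen ACCEPT rules to `/etc/init.d/iptables.sh` on every run, so repeated runs duplicate them.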
@@ -801,16 +755,15 @@ additional_hardening(){ chmod 700 /root chmod 600 /boot/grub/grub.cfg #Remove AT and Restrict Cron - apt purge at - apt install -y libpam-cracklib + apt purge at && apt install -y libpam-cracklib echo "" echo " Securing Cron " spinner touch /etc/cron.allow chmod 600 /etc/cron.allow - awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny + awk -F: '$1 !~ /root/ {print $1;}' /etc/passwd > /etc/cron.deny echo "" - echo -n " Do you want to Disable USB Support for this Server? (y/n): " ; read usb_answer + echo -n " Do you want to Disable USB Support for this Server? (y/n): " ; read -r usb_answer if [ "$usb_answer" == "y" ]; then echo "" echo "Disabling USB Support" @@ -818,18 +771,16 @@ additional_hardening(){ echo "blacklist usb-storage" | sudo tee -a /etc/modprobe.d/blacklist.conf update-initramfs -u echo "OK" - say_done else echo "OK" - say_done fi + say_done } ############################################################################################################## # Install Unhide install_unhide(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing UnHide" @@ -850,7 +801,6 @@ install_unhide(){ # Install Tiger #Tiger is and Auditing and Intrusion Detection System install_tiger(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing Tiger" @@ -870,7 +820,6 @@ install_tiger(){ #Install PSAD #PSAD actively monitors firewall logs to determine if a scan or attack is taking place install_psad(){ -clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Install PSAD" 
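Review bot: The new awk filter in `additional_hardening` uses a regex match, `$1 !~ /root/`, so any account whose name merely contains "root" is left out of `/etc/cron.deny` along with root itself. An exact comparison expresses the intent and closes that gap: `awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/cron.deny`. The function starts outside this hunk.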
@@ -886,14 +835,14 @@ echo " PSAD is a piece of Software that actively monitors you Firewall Logs to D " echo "" -echo -n " Do you want to install PSAD (Recommended)? (y/n): " ; read psad_answer +echo -n " Do you want to install PSAD (Recommended)? (y/n): " ; read -r psad_answer if [ "$psad_answer" == "y" ]; then - echo -n " Type an Email Address to Receive PSAD Alerts: " ; read inbox1 - apt install psad - sed -i s/INBOX/$inbox1/g templates/psad.conf - sed -i s/CHANGEME/$host_name.$domain_name/g templates/psad.conf - cp templates/psad.conf /etc/psad/psad.conf - psad --sig-update + echo -n " Type an Email Address to Receive PSAD Alerts: " ; read -r inbox1 + apt install psad\ + && sed -i s/INBOX/"${inbox1}"/g templates/psad.conf\ + && sed -i s/CHANGEME/"${host_name}.${domain_name}"/g templates/psad.conf \ + && cp templates/psad.conf /etc/psad/psad.conf\ + && psad --sig-update\ service psad restart echo "Installation and Configuration Complete" echo "Run service psad status, for detected events" @@ -910,7 +859,6 @@ fi # Disable Compilers disable_compilers(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Disabling Compilers" 
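Review bot: The last line of the new chain in `install_psad` ends with a backslash but the next line has no `&&`, so the shell joins them into `psad --sig-update service psad restart`: the restart words are passed to psad as arguments and the service is never restarted with the new configuration. The line should read `&& psad --sig-update\` followed by `&& service psad restart`. Also, both `sed -i` calls edit `templates/psad.conf` in place, so on a second run the INBOX and CHANGEME markers are already gone and a corrected address is not applied; writing the substituted output to `/etc/psad/psad.conf` instead keeps the template reusable. The function continues outside this hunk.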
@@ -918,15 +866,16 @@ disable_compilers(){ echo "" echo "Disabling Compilers....." spinner - chmod 000 /usr/bin/as >/dev/null 2>&1 - chmod 000 /usr/bin/byacc >/dev/null 2>&1 - chmod 000 /usr/bin/yacc >/dev/null 2>&1 - chmod 000 /usr/bin/bcc >/dev/null 2>&1 - chmod 000 /usr/bin/kgcc >/dev/null 2>&1 - chmod 000 /usr/bin/cc >/dev/null 2>&1 - chmod 000 /usr/bin/gcc >/dev/null 2>&1 - chmod 000 /usr/bin/*c++ >/dev/null 2>&1 - chmod 000 /usr/bin/*g++ >/dev/null 2>&1 + for x in as byacc yacc bcc kgcc cc gcc cpp; + do + if [ "${x}" = cpp ] + then + chmod 000 /usr/bin/*c++ >/dev/null 2<&- + chmod 000 /usr/bin/*g++ >/dev/null 2<&- + else + chmod 000 "/usr/bin/${x}" >/dev/null 2<&- + fi + done spinner echo "" echo " If you wish to use them, just change the Permissions" @@ -939,7 +888,6 @@ disable_compilers(){ # Restrict Access to Apache Config Files apache_conf_restrictions(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Restricting Access to Apache Config Files" @@ -962,13 +910,12 @@ apache_conf_restrictions(){ # Additional Security Configurations #Enable Unattended Security Updates unattended_upgrades(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Enable Unattended Security Updates" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - echo -n " ¿Do you Wish to Enable Unattended Security Updates? (y/n): "; read unattended + echo -n " ¿Do you Wish to Enable Unattended Security Updates? (y/n): "; read -r unattended if [ "$unattended" == "y" ]; then dpkg-reconfigure -plow unattended-upgrades else 
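Review bot: The `2<&-` in the new `disable_compilers` loop closes file descriptor 2 instead of discarding its output, which is not what the removed `2>&1` after `>/dev/null` did. With stderr closed, the next file the child opens can be assigned descriptor 2 and receive its diagnostics; `2>/dev/null` is the safe equivalent. The `cpp` entry in the list is only a sentinel that triggers the two globs, so `/usr/bin/cpp` itself is never touched; moving the two glob `chmod` lines after the loop would say that more plainly. A short comment that `chmod 000` on a symlink such as `/usr/bin/cc` changes the link target would help the next reader.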
@@ -980,14 +927,12 @@ apache_conf_restrictions(){ # Enable Process Accounting enable_proc_acct(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Enable Process Accounting" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - apt install acct - touch /var/log/wtmp + apt install acct && touch /var/log/wtmp echo "OK" } @@ -996,7 +941,6 @@ enable_proc_acct(){ #Install and enable auditd install_auditd(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing auditd" @@ -1037,15 +981,14 @@ install_auditd(){ #Install and Enable sysstat install_sysstat(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Installing and enabling sysstat" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - apt install sysstat - sed -i 's/ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat - service sysstat start + apt install sysstat\ + && sed -i 's/ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat\ + && service sysstat start echo "OK" say_done } @@ -1055,7 +998,6 @@ install_sysstat(){ #Install ArpWatch install_arpwatch(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m ArpWatch Install" 
@@ -1063,13 +1005,13 @@ install_arpwatch(){ echo "" echo "ArpWatch is a tool for monitoring ARP traffic on System. It generates log of observed pairing of IP and MAC." echo "" - echo -n " Do you want to Install ArpWatch on this Server? (y/n): " ; read arp_answer + echo -n " Do you want to Install ArpWatch on this Server? (y/n): " ; read -r arp_answer if [ "$arp_answer" == "y" ]; then echo "Installing ArpWatch" spinner - apt install -y arpwatch - systemctl enable arpwatch.service - service arpwatch start + apt install -y arpwatch\ + && systemctl enable arpwatch.service\ + && service arpwatch start echo "OK" say_done else @@ -1081,7 +1023,6 @@ install_arpwatch(){ ############################################################################################################## set_grubpassword(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m GRUB Bootloader Password" 
@@ -1089,36 +1030,34 @@ set_grubpassword(){ echo "" echo "It is recommended to set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)" echo "" - echo -n " Do you want to set a GRUB Bootloader Password? (y/n): " ; read grub_answer + echo -n " Do you want to set a GRUB Bootloader Password? (y/n): " ; read -r grub_answer if [ "$grub_answer" == "y" ]; then grub-mkpasswd-pbkdf2 | tee grubpassword.tmp - grubpassword=$(cat grubpassword.tmp | sed -e '1,2d' | cut -d ' ' -f7) - echo " set superusers="root" " >> /etc/grub.d/40_custom - echo " password_pbkdf2 root $grubpassword " >> /etc/grub.d/40_custom - rm grubpassword.tmp - update-grub + grubpassword=$(sed -e '1,2d' grubpassword.tmp | cut -d ' ' -f7) + printf "%s\n"\ + "set superusers=\"root\""\ + "password_pbkdf2 root ${grubpassword} "\ + >> /etc/grub.d/40_custom\ + && rm grubpassword.tmp\ + && update-grub echo "On every boot enter root user and the password you just set" - echo "OK" - say_done - else - echo "OK" - say_done fi + echo "OK" + say_done -echo -e "" -echo -e "Securing Boot Settings" -spinner -sleep 2 -chown root:root /boot/grub/grub.cfg -chmod og-rwx /boot/grub/grub.cfg -say_done + echo -e "" + echo -e "Securing Boot Settings" + spinner + sleep 2 + chown root:root /boot/grub/grub.cfg + chmod og-rwx /boot/grub/grub.cfg + say_done } ############################################################################################################## file_permissions(){ - clear f_banner echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo -e "\e[93m[+]\e[00m Setting File Permissions on Critical System Files" 
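Review bot: `set_grubpassword` appends `password_pbkdf2 root ${grubpassword}` and runs `update-grub` without checking that a hash was actually captured. If `grub-mkpasswd-pbkdf2` fails (for example when the two entries do not match) or its output layout differs from what `sed -e '1,2d' | cut -d ' ' -f7` expects, an empty or wrong value is written into the boot configuration. The hash also goes to `grubpassword.tmp` in the current directory with default permissions, and that file is only removed when the `printf` succeeds. I would create the scratch file with `mktemp`, remove it unconditionally, and gate the append on the value having the `grub.pbkdf2.` prefix, as sketched below.
```shell
    grubpassword=
    hash_file=$(mktemp) || hash_file=
    if [ -n "${hash_file}" ]; then
      grub-mkpasswd-pbkdf2 | tee "${hash_file}"
      grubpassword=$(sed -e '1,2d' "${hash_file}" | cut -d ' ' -f7)
      rm -f -- "${hash_file}"
    fi
    case "${grubpassword}" in
      grub.pbkdf2.*)
        # … unchanged: printf of superusers/password_pbkdf2 into /etc/grub.d/40_custom, then update-grub …
        ;;
      *)
        echo "No PBKDF2 hash captured; GRUB configuration left unchanged" >&2
        ;;
    esac
```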
@@ -1177,12 +1116,12 @@ reboot_server(){ echo -e "\e[93m[+]\e[00m Final Step" echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" echo "" - sed -i s/USERNAME/$username/g templates/texts/bye - sed -i s/SERVERIP/$serverip/g templates/texts/bye + sed -i s/USERNAME/"${username}"/g templates/texts/bye + sed -i s/SERVERIP/"${serverip}"/g templates/texts/bye cat templates/texts/bye - echo -n " ¿Were you able to connect via SSH to the Server using $username? (y/n): "; read answer + echo -n " ¿Were you able to connect via SSH to the Server using $username? (y/n): "; read -r answer if [ "$answer" == "y" ]; then - reboot + rm -rf /tmp/* ; reboot else echo "Server will not Reboot" echo "Bye." 
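Review bot: The added `rm -rf /tmp/*` in `reboot_server` is not mentioned in the commit description, and it deletes every non-hidden entry in `/tmp` as root, including files and sockets that belong to other services and users, right before the reboot. If the intent is to clean up the script's own scratch files, they should be created in one `mktemp -d` directory and only that directory removed; otherwise I would drop the line and leave `/tmp` cleanup to the system. A one-line comment stating the reason is needed if it stays. The function starts and ends outside this hunk.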
@@ -1191,457 +1130,457 @@ reboot_server(){ ################################################################################################################## -clear -f_banner -echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" -echo -e "\e[93m[+]\e[00m SELECT THE DESIRED OPTION" -echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" -echo "" -echo "1. LAMP Deployment" -echo "2. LEMP Deployment" -echo "3. Reverse Proxy Deployment With Apache" -echo "4. General Purpose (without WebServer or DBServer)" -echo "5. Running With SecureWPDeployer or JSDeployer Script" -echo "6. Customized Run (Only run desired Options)" -echo "7. CIS Benchmark Hardening" -echo "8. Exit" -echo - -read choice - -case $choice in - -1) -check_root -install_dep -config_host -config_timezone -update_system -restrictive_umask -unused_filesystems -uncommon_netprotocols -admin_user -rsa_keygen -rsa_keycopy -secure_ssh -set_iptables -install_fail2ban -install_secure_mysql -install_apache -install_secure_php -install_modsecurity -set_owasp_rules -secure_optimize_apache -install_modevasive -install_qos_spamhaus -config_fail2ban -additional_packages -tune_secure_kernel -install_rootkit_hunter -tune_nano_vim_bashrc -daily_update_cronjob -install_artillery -additional_hardening -install_unhide -install_tiger -install_psad -disable_compilers -secure_tmp -apache_conf_restrictions -unattended_upgrades -enable_proc_acct -install_auditd -install_sysstat -install_arpwatch -set_grubpassword -file_permissions -reboot_server -;; - - -2) -check_root -install_dep -config_host -config_timezone -update_system -restrictive_umask -unused_filesystems -uncommon_netprotocols -admin_user -rsa_keygen -rsa_keycopy -secure_ssh -set_iptables -install_fail2ban -install_secure_mysql -install_nginx -compile_modsec_nginx -install_secure_php_nginx -config_fail2ban 
-additional_packages -tune_secure_kernel -install_rootkit_hunter -tune_nano_vim_bashrc -daily_update_cronjob -install_artillery -additional_hardening -install_unhide -install_tiger -install_psad -disable_compilers -secure_tmp -unattended_upgrades -enable_proc_acct -install_auditd -install_sysstat -install_arpwatch -set_grubpassword -file_permissions -reboot_server -;; - -3) -check_root -install_dep -config_host -config_timezone -update_system -restrictive_umask -unused_filesystems -uncommon_netprotocols -admin_user -rsa_keygen -rsa_keycopy -secure_ssh -set_iptables -install_fail2ban -install_apache -install_modsecurity -set_owasp_rules -secure_optimize_apache -install_modevasive -install_qos_spamhaus -config_fail2ban -additional_packages -tune_secure_kernel -install_rootkit_hunter -tune_nano_vim_bashrc -daily_update_cronjob -install_artillery -additional_hardening -install_unhide -install_tiger -install_psad -disable_compilers -secure_tmp -apache_conf_restrictions -unattended_upgrades -enable_proc_acct -install_auditd -install_sysstat -install_arpwatch -set_grubpassword -file_permissions -reboot_server -;; - -4) -check_root -install_dep -config_host -config_timezone -update_system -restrictive_umask -unused_filesystems -uncommon_netprotocols -admin_user -rsa_keygen -rsa_keycopy -secure_ssh -set_iptables -install_fail2ban -config_fail2ban -additional_packages -tune_secure_kernel -install_rootkit_hunter -tune_nano_vim_bashrc -daily_update_cronjob -install_artillery -additional_hardening -install_unhide -install_tiger -install_psad -disable_compilers -secure_tmp -unattended_upgrades -enable_proc_acct -install_auditd -install_arpwatch -set_grubpassword -file_permissions -;; - - -5) -check_root -install_dep -config_host -config_timezone -update_system -restrictive_umask -unused_filesystems -uncommon_netprotocols -admin_user -rsa_keygen -rsa_keycopy -secure_ssh -set_iptables -install_fail2ban -install_secure_mysql -install_apache -install_secure_php -install_modsecurity 
-set_owasp_rules -secure_optimize_apache -install_modevasive -install_qos_spamhaus -config_fail2ban -additional_packages -tune_secure_kernel -install_rootkit_hunter -tune_nano_vim_bashrc -daily_update_cronjob -install_artillery -additional_hardening -install_unhide -install_tiger -install_psad -disable_compilers -secure_tmp -apache_conf_restrictions -unattended_upgrades -enable_proc_acct -install_auditd -install_sysstat -install_arpwatch -set_grubpassword -file_permissions -;; - -6) - -menu="" -until [ "$menu" = "34" ]; do - -clear -f_banner -echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" -echo -e "\e[93m[+]\e[00m SELECT THE DESIRED OPTION" -echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" -echo "" -echo "1. Configure Host Name, Create Legal Banners, Update Hosts Files" -echo "2. Configure Timezone" -echo "3. Update System" -echo "4. Create Admin User" -echo "5. Instructions to Generate and move Private/Public key Pair" -echo "6. Secure SSH Configuration" -echo "7. Set Restrictive IPTable Rules" -echo "8. Install and Configure Fail2Ban" -echo "9. Install, Optimize and Secure Apache" -echo "10. Install Nginx with ModSecurity Module and Set OwaspRules" -echo "11. Set Nginx Vhost with PHP" -echo "12. Set Nginx Vhost" -echo "13. Install and Secure PHP for Apache Server" -echo "14. Install and Secure PHP for Nginx Server" -echo "15. Install ModSecurity (Apache)and Set Owasp Rules" -echo "16. Install ModEvasive" -echo "17. Install ModQos and SpamHaus" -echo "18. Tune and Secure Linux Kernel" -echo "19. Install RootKit Hunter" -echo "20. Tune Vim, Nano, Bashrc" -echo "21. Install PortSentry" -echo "22. Secure tty, root home, grub configs, cron" -echo "23. Install Unhide" -echo "24. Install Tiger" -echo "25. Disable Compilers" -echo "26. Enable Unnatended Upgrades" -echo "27. Enable Process Accounting" -echo "28. 
Install PHP Suhosin (Disabled for Now)" -echo "29. Install and Secure MySQL" -echo "30. Set More Restrictive UMASK Value (027)" -echo "31. Secure /tmp Directory" -echo "32. Install PSAD IDS" -echo "33. Set GRUB Bootloader Password" -echo "34. Exit" -echo " " - -read menu -case $menu in - -1) -config_host -;; - -2) -config_timezone -;; - -3) -update_system -;; - -4) -admin_user -;; - -5) -rsa_keygen -rsa_keycopy -;; - -6) -echo "key Pair must be created " -echo "What user will have access via SSH? " ; read username -rsa_keygen -rsa_keycopy -secure_ssh -;; - -7) -set_iptables -;; - -8) -echo "Type Email to receive Alerts: " ; read inbox -install_fail2ban -config_fail2ban -;; - -9) -install_apache -secure_optimize_apache -apache_conf_restrictions -;; - -10) -install_nginx_modsecurity -set_nginx_modsec_OwaspRules -;; - -11) -set_nginx_vhost -;; - - -12) -set_nginx_vhost_nophp -;; - -13) -install_secure_php -;; - -14) -install_php_nginx -;; - -15) -install_modsecurity -set_owasp_rules -;; - -16) -install_modevasive -;; - -17) -install_qos_spamhaus -;; - -18) -tune_secure_kernel -;; - -19) -install_rootkit_hunter -;; - -20) -tune_nano_vim_bashrc -;; - -21) -install_portsentry -;; +main() { + f_banner + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + echo -e "\e[93m[+]\e[00m SELECT THE DESIRED OPTION" + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + echo "" + printf "\t%d. 
%s\n"\ + "1" "LAMP Deployment"\ + "2" "LEMP Deployment"\ + "3" "Reverse Proxy Deployment With Apache"\ + "4" "General Purpose (without WebServer or DBServer)"\ + "5" "Running With SecureWPDeployer or JSDeployer Script"\ + "6" "Customized Run (Only run desired Options)"\ + "7" "CIS Benchmark Hardening"\ + "8" "Exit" + + read -r choice; case $choice in + + 1) + check_root + install_dep + config_host + config_timezone + update_system + restrictive_umask + unused_filesystems + uncommon_netprotocols + admin_user + rsa_keygen + rsa_keycopy + secure_ssh + set_iptables + install_fail2ban + install_secure_mysql + install_apache + install_secure_php + install_modsecurity + set_owasp_rules + secure_optimize_apache + install_modevasive + install_qos_spamhaus + config_fail2ban + additional_packages + tune_secure_kernel + install_rootkit_hunter + tune_nano_vim_bashrc + daily_update_cronjob + install_artillery + additional_hardening + install_unhide + install_tiger + install_psad + disable_compilers + secure_tmp + apache_conf_restrictions + unattended_upgrades + enable_proc_acct + install_auditd + install_sysstat + install_arpwatch + set_grubpassword + file_permissions + reboot_server + ;; + + + 2) + check_root + install_dep + config_host + config_timezone + update_system + restrictive_umask + unused_filesystems + uncommon_netprotocols + admin_user + rsa_keygen + rsa_keycopy + secure_ssh + set_iptables + install_fail2ban + install_secure_mysql + install_nginx + compile_modsec_nginx + install_secure_php_nginx + config_fail2ban + additional_packages + tune_secure_kernel + install_rootkit_hunter + tune_nano_vim_bashrc + daily_update_cronjob + install_artillery + additional_hardening + install_unhide + install_tiger + install_psad + disable_compilers + secure_tmp + unattended_upgrades + enable_proc_acct + install_auditd + install_sysstat + install_arpwatch + set_grubpassword + file_permissions + reboot_server + ;; + + 3) + check_root + install_dep + config_host + config_timezone + 
update_system + restrictive_umask + unused_filesystems + uncommon_netprotocols + admin_user + rsa_keygen + rsa_keycopy + secure_ssh + set_iptables + install_fail2ban + install_apache + install_modsecurity + set_owasp_rules + secure_optimize_apache + install_modevasive + install_qos_spamhaus + config_fail2ban + additional_packages + tune_secure_kernel + install_rootkit_hunter + tune_nano_vim_bashrc + daily_update_cronjob + install_artillery + additional_hardening + install_unhide + install_tiger + install_psad + disable_compilers + secure_tmp + apache_conf_restrictions + unattended_upgrades + enable_proc_acct + install_auditd + install_sysstat + install_arpwatch + set_grubpassword + file_permissions + reboot_server + ;; + + 4) + check_root + install_dep + config_host + config_timezone + update_system + restrictive_umask + unused_filesystems + uncommon_netprotocols + admin_user + rsa_keygen + rsa_keycopy + secure_ssh + set_iptables + install_fail2ban + config_fail2ban + additional_packages + tune_secure_kernel + install_rootkit_hunter + tune_nano_vim_bashrc + daily_update_cronjob + install_artillery + additional_hardening + install_unhide + install_tiger + install_psad + disable_compilers + secure_tmp + unattended_upgrades + enable_proc_acct + install_auditd + install_arpwatch + set_grubpassword + file_permissions + ;; + + + 5) + check_root + install_dep + config_host + config_timezone + update_system + restrictive_umask + unused_filesystems + uncommon_netprotocols + admin_user + rsa_keygen + rsa_keycopy + secure_ssh + set_iptables + install_fail2ban + install_secure_mysql + install_apache + install_secure_php + install_modsecurity + set_owasp_rules + secure_optimize_apache + install_modevasive + install_qos_spamhaus + config_fail2ban + additional_packages + tune_secure_kernel + install_rootkit_hunter + tune_nano_vim_bashrc + daily_update_cronjob + install_artillery + additional_hardening + install_unhide + install_tiger + install_psad + disable_compilers + 
secure_tmp + apache_conf_restrictions + unattended_upgrades + enable_proc_acct + install_auditd + install_sysstat + install_arpwatch + set_grubpassword + file_permissions + ;; + + 6) + + menu="" + until [ "$menu" = "34" ]; do + + clear + f_banner + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + echo -e "\e[93m[+]\e[00m SELECT THE DESIRED OPTION" + echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" + echo "" + printf "\t%d. %s\n"\ + "1" "Configure Host Name, Create Legal Banners, Update Hosts Files"\ + "2" "Configure Timezone"\ + "3" "Update System"\ + "4" "Create Admin User"\ + "5" "Instructions to Generate and move Private/Public key Pair"\ + "6" "Secure SSH Configuration"\ + "7" "Set Restrictive IPTable Rules"\ + "8" "Install and Configure Fail2Ban"\ + "9" "Install, Optimize and Secure Apache"\ + "10" "Install Nginx with ModSecurity Module and Set OwaspRules"\ + "11" "Set Nginx Vhost with PHP"\ + "12" "Set Nginx Vhost"\ + "13" "Install and Secure PHP for Apache Server"\ + "14" "Install and Secure PHP for Nginx Server"\ + "15" "Install ModSecurity (Apache)and Set Owasp Rules"\ + "16" "Install ModEvasive"\ + "17" "Install ModQos and SpamHaus"\ + "18" "Tune and Secure Linux Kernel"\ + "19" "Install RootKit Hunter"\ + "20" "Tune Vim, Nano, Bashrc"\ + "21" "Install PortSentry"\ + "22" "Secure tty, root home, grub configs, cron"\ + "23" "Install Unhide"\ + "24" "Install Tiger"\ + "25" "Disable Compilers"\ + "26" "Enable Unnatended Upgrades"\ + "27" "Enable Process Accounting"\ + "28" "Install PHP Suhosin (Disabled for Now)"\ + "29" "Install and Secure MySQL"\ + "30" "Set More Restrictive UMASK Value (027)"\ + "31" "Secure /tmp Directory"\ + "32" "Install PSAD IDS"\ + "33" "Set GRUB Bootloader Password"\ + "34" "Exit" + + read -r menu; case $menu in + + 1) + config_host + ;; + + 2) + config_timezone + ;; + + 3) + 
update_system + ;; + + 4) + admin_user + ;; + + 5) + rsa_keygen + rsa_keycopy + ;; + + 6) + echo "key Pair must be created " + echo "What user will have access via SSH? " ; read -r username + rsa_keygen + rsa_keycopy + secure_ssh + ;; + + 7) + set_iptables + ;; + + 8) + echo "Type Email to receive Alerts: " ; read -r inbox + install_fail2ban + config_fail2ban + ;; + + 9) + install_apache + secure_optimize_apache + apache_conf_restrictions + ;; + + 10) + install_nginx_modsecurity + set_nginx_modsec_OwaspRules + ;; + + 11) + set_nginx_vhost + ;; + + + 12) + set_nginx_vhost_nophp + ;; + + 13) + install_secure_php + ;; + + 14) + install_php_nginx + ;; + + 15) + install_modsecurity + set_owasp_rules + ;; + + 16) + install_modevasive + ;; + + 17) + install_qos_spamhaus + ;; + + 18) + tune_secure_kernel + ;; + + 19) + install_rootkit_hunter + ;; + + 20) + tune_nano_vim_bashrc + ;; + + 21) + install_portsentry + ;; -22) -additional_hardening -;; + 22) + additional_hardening + ;; -23) -install_unhide -;; + 23) + install_unhide + ;; -24) -install_tiger -;; + 24) + install_tiger + ;; -25) -disable_compilers; -;; + 25) + disable_compilers; + ;; -26) -unattended_upgrades -;; + 26) + unattended_upgrades + ;; -27) -enable_proc_acct -;; + 27) + enable_proc_acct + ;; -#28) -#install_phpsuhosin -#;; + #28) + #install_phpsuhosin + #;; -29) -install_secure_mysql -;; + 29) + install_secure_mysql + ;; -30) -restrictive_umask -;; + 30) + restrictive_umask + ;; -31) -secure_tmp -;; + 31) + secure_tmp + ;; -32) -install_psad -;; + 32) + install_psad + ;; -33) -set_grubpassword -;; + 33) + set_grubpassword + ;; -34) -break ;; + 34) + break ;; -*) ;; + *) ;; -esac -done -;; + esac + done + ;; -7) -chmod +x jshielder-CIS.sh -./jshielder-CIS.sh -;; + 7) + chmod +x jshielder-CIS.sh + ./jshielder-CIS.sh + ;; -8) -exit 0 -;; + 8) + exit 0 + ;; + + esac +} -esac ############################################################################################################## +main 
From 5daa4d3f48eb3688854df65aed5e14a4bf2478ab Mon Sep 17 00:00:00 2001 From: newnix Date: Thu, 23 Jul 2020 05:16:37 +0000 Subject: [PATCH 3/3] Update md5() Function * UbuntuServer_18.04LTS/templates/bashrc-user - Use `openssl(1)` instead of php to calculate MD5 digest --- UbuntuServer_18.04LTS/templates/bashrc-user | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/UbuntuServer_18.04LTS/templates/bashrc-user b/UbuntuServer_18.04LTS/templates/bashrc-user index 9ed5f6c..2eb4564 100644 --- a/UbuntuServer_18.04LTS/templates/bashrc-user +++ b/UbuntuServer_18.04LTS/templates/bashrc-user @@ -76,7 +76,18 @@ if [ -f ~/.bash_aliases ]; then . ~/.bash_aliases fi -function md5 { - php -r "echo . md5('$1') . chr(10);" +## XXX: Enable selecting digest, falling back on a sensible default like SHA2-256 or BLAKE2b512 +md5() { + while [ $# -gt 0 ] + do + printf "MD5 Digest of '%s':\n" "${1}" + if [ ! -f "${1}" ] + then + printf "%s" | openssl dgst -r -md5 - | cut -d' ' -f1 + else + openssl dgst -r -md5 "${1}" | cut -d' ' -f1 + fi + shift + done }
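Review bot: The non-file branch of the new `md5()` calls `printf "%s"` with no argument, so an empty string is piped to `openssl` and every argument that is not an existing file produces the same digest, that of empty input. Pass the argument through: `printf "%s" "${1}" | openssl dgst -r -md5 - | cut -d' ' -f1`. It is also worth confirming that the installed `openssl dgst` treats `-` as standard input; omitting the file operand reads stdin. The function now hashes file contents when the argument names a regular file and the literal string otherwise, but the `MD5 Digest of '%s'` header does not say which, so a string that matches a filename is silently hashed as a file. Until the digest selection mentioned in the `XXX` comment exists, a comment such as `# MD5 is not collision-resistant; do not use this output to verify integrity` would keep users of this template from relying on it.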