-
Notifications
You must be signed in to change notification settings - Fork 14
/
ubuntu-desktop-secure.sh
1039 lines (1031 loc) · 65.5 KB
/
ubuntu-desktop-secure.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#!/bin/sh
#
# Ubuntu Server Secure script v0.1 alpha by The Fan Club - May 2012
# Extra instructions about using this script - September 7, 2016:
# http://www.ostechnix.com/ubuntu-server-secure-script-secure-harden-ubuntu/
# - Zenity GUI installer version
#
echo
echo "* Ubuntu Server Secure script v0.1 alpha by The Fan Club - May 2012"
echo
echo "DISCLAIMER: Use with care. This script is provided purely for alpha testing and can harm your system if used incorrectly"
echo "NOTE: This is a GUI installer script that depends on zenity."
echo "NOTE: Run this script with gksudo sh /path/to/script/ubuntu-server-secure.sh"
# Local Variables
TFCName="Ubuntu Server Secure"
TFCVersion="v0.1 alpha"
UserName=$(whoami)
LogDay=$(date '+%Y-%m-%d')
LogTime=$(date '+%Y-%m-%d %H:%M:%S')
LogFile=/var/log/uss_$LogDay.log
#
# Start of Zenity code
#
selection=$(zenity --list --title "$TFCName $TFCVersion" --text "Select the security features you require" --checklist --width 480 --height 550 \
--column "pick" --column "options" \
FALSE " 1. Install and configure Firewall - ufw" \
FALSE " 2. Secure shared memory - fstab" \
FALSE " 3. SSH - Disable root login and change port" \
FALSE " 4. Protect su by limiting access only to admin group" \
FALSE " 5. Harden network with sysctl settings" \
FALSE " 6. Disable Open DNS Recursion" \
FALSE " 7. Prevent IP Spoofing" \
FALSE " 8. Harden PHP for security" \
FALSE " 9. Install and configure ModSecurity" \
FALSE "10. Protect from DDOS attacks with ModEvasive" \
FALSE "11. Scan logs and ban suspicious hosts - DenyHosts" \
FALSE "12. Intrusion Detection - PSAD" \
FALSE "13. Check for RootKits - RKHunter" \
FALSE "14. Scan open Ports - Nmap" \
FALSE "15. Analyse system LOG files - LogWatch" \
FALSE "16. SELinux - Apparmor" \
FALSE "17. Audit your system security - Tiger" \
--separator=",");
if [ ! "$selection" = "" ]
then
# Start of Zenity Progress code
echo "$LogTime uss: [$UserName] * $TFCName $TFCVersion - Install Log Started" >> $LogFile
(
echo "5" ; sleep 0.1
# 1. Install and configure Firewall
option=$(echo $selection | grep -c "ufw")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 1. Install and configure Firewall - ufw" >> $LogFile
echo "# 1. Install and configure :Firewall - ufw"
echo "# Check if ufw Firewall is installed..."
echo "$LogTime uss: [$UserName] Check if ufw Firewall is installed..." >> $LogFile
if [ -f /usr/sbin/ufw ]
then
echo "# ufw Firewall is already installed"
echo "$LogTime uss: [$UserName] ufw Firewall is already installed" >> $LogFile
#sudo ufw status verbose | zenity --title "Firewall Status - $TFCName $TFCVersion" --text-info --width 600 --height 400
fi
if [ ! -f /usr/sbin/ufw ]
then
echo "# ufw Firewall NOT installed, installing..."
echo "$LogTime uss: [$UserName] ufw Firewall NOT installed, installing..." >> $LogFile
sudo apt-get install -y ufw
sudo ufw enable
echo "# ufw Firewall installed and enabled"
echo "$LogTime uss: [$UserName] ufw Firewall installed and enabled" >> $LogFile
sudo ufw allow ssh
sudo ufw allow http
echo "# ufw Firewall ports for SSH and Http configured"
echo "$LogTime uss: [$UserName] ufw Firewall ports for SSH and Http configured" >> $LogFile
fi
fi
echo "10" ; sleep 0.1
# 2. secure shared memory
option=$(echo $selection | grep -c "fstab")
if [ "$option" -eq "1" ]
then
echo "# 2. Secure shared memory."
echo "$LogTime uss: [$UserName] 2. Secure shared memory." >> $LogFile
echo "# Check if shared memory is secured"
echo "$LogTime uss: [$UserName] Check if shared memory is secured" >> $LogFile
# Make sure fstab does not already contain a tmpfs reference
fstab=$(grep -c "tmpfs" /etc/fstab)
if [ ! "$fstab" -eq "0" ]
then
echo "# fstab already contains a tmpfs partition. Nothing to be done."
echo "$LogTime uss: [$UserName] fstab already contains a tmpfs partition. Nothing to be done." >> $LogFile
fi
if [ "$fstab" -eq "0" ]
then
echo "# fstab being updated to secure shared memory"
echo "$LogTime uss: [$UserName] fstab being updated to secure shared memory" >> $LogFile
sudo echo "# $TFCName Script Entry - Secure Shared Memory - $LogTime" >> /etc/fstab
sudo echo "tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0" >> /etc/fstab
echo "# Shared memory secured. Reboot required"
echo "$LogTime uss: [$UserName] Shared memory secured. Reboot required" >> $LogFile
fi
fi
echo "15" ; sleep 0.1
# 3. SSH Hardening - disable root login and change port
option=$(echo $selection | grep -c "SSH")
if [ "$option" -eq "1" ]
then
echo "# 3. SSH Hardening - disable root login and change port"
echo "$LogTime uss: [$UserName] 3. SSH Hardening - disable root login and change port" >> $LogFile
sshNewPort=$(zenity --entry --text "Select a new SSH port?" --title "SSH Hardening - $TFCName $TFCVersion" --entry-text "22")
echo "# Updating SSH settings"
echo "$LogTime uss: [$UserName] Updating SSH settings" >> $LogFile
# Check if Port entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if Port entry exists comment out old entries" >> $LogFile
sshconfigPort=$(grep -c "Port" /etc/ssh/sshd_config)
if [ ! "$sshconfigPort" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/Port/#Port/g' /etc/ssh/sshd_config > /tmp/.sshd_config
sudo mv /etc/ssh/sshd_config /etc/ssh/ssh_config.backup
sudo mv /tmp/.sshd_config /etc/ssh/sshd_config
fi
# Check if Protocol entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if Protocol entry exists comment out old entries" >> $LogFile
sshconfigProtocol=$(grep -c "Protocol" /etc/ssh/sshd_config)
if [ ! "$sshconfigProtocol" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/Protocol/#Protocol/g' /etc/ssh/sshd_config > /tmp/.sshd_config
sudo mv /etc/ssh/sshd_config /etc/ssh/ssh_config.backup
sudo mv /tmp/.sshd_config /etc/ssh/sshd_config
fi
# Check if PermitRootLogin entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if PermitRootLogin entry exists comment out old entries" >> $LogFile
sshconfigPermitRoot=$(grep -c "PermitRootLogin" /etc/ssh/sshd_config)
if [ ! "$sshconfigPermitRoot" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/PermitRootLogin/#PermitRootLogin/g' /etc/ssh/sshd_config > /tmp/.sshd_config
sudo mv /etc/ssh/sshd_config /etc/ssh/ssh_config.backup
sudo mv /tmp/.sshd_config /etc/ssh/sshd_config
fi
echo "# Write new SSH configuration settings"
echo "$LogTime uss: [$UserName] Write new SSH configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - SSH settings $LogTime" >> /etc/ssh/sshd_config
sudo echo "Port $sshNewPort" >> /etc/ssh/sshd_config
sudo echo "Protocol 2" >> /etc/ssh/sshd_config
sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "# SSH settings update complete"
echo "$LogTime uss: [$UserName] SSH settings update complete" >> $LogFile
zenity --question --title "SSH Hardening - $TFCName $TFCVersion" --text "Open new SSH port $sshNewPort on UFW Firewall ?"
if [ "$?" -eq "0" ]
then
# open new port on UFW Firewall
sudo ufw $sshNewPort
echo "# Port $sshNewPort opened on UFW Firewall"
echo "$LogTime uss: [$UserName] Port $sshNewPort opened on UFW Firewall" >> $LogFile
fi
if [ ! "$sshNewPort" -eq "22" ]
then
zenity --question --title "SSH Hardening - $TFCName $TFCVersion" --text "Close old SSH port 22 on UFW Firewall ?"
if [ "$?" -eq "0" ]
then
# close old port on UFW Firewall
sudo ufw deny port 22
echo "# Port 22 closed on UFW Firewall"
echo "$LogTime uss: [$UserName] Port 22 closed on UFW Firewall" >> $LogFile
fi
fi
zenity --question --title "SSH Hardening - $TFCName $TFCVersion" --text "Would you like to restart the SSH server now?"
if [ "$?" -eq "0" ]
then
# restart SSHd
sudo /etc/init.d/ssh restart
echo "# SSH server restarted"
echo "$LogTime uss: [$UserName] SSH server restarted" >> $LogFile
fi
fi
echo "20" ; sleep 0.1
# 4. Protect su by limiting access only to admin group
option=$(echo $selection | grep -c "Protect[[:space:]]su")
if [ "$option" -eq "1" ]
then
echo "# 4. Protect su by limiting access only to admin group"
echo "$LogTime uss: [$UserName] 4. Protect su by limiting access only to admin group" >> $LogFile
# Get new admin group name
newAdminGroup=$(zenity --entry --title "Protect su - $TFCName $TFCVersion" --text "Select name of new admin group?" --entry-text "admin")
# Check if new group already exists
echo "# Checking if Group: $newAdminGroup already exists"
echo "$LogTime uss: [$UserName] Checking if Group: $newAdminGroup already exists" >> $LogFile
groupCheck=$(grep -c -w "$newAdminGroup" /etc/group)
if [ ! "$groupCheck" -eq "0" ]
then
# group already exists
echo "# Group: $newAdminGroup already exists. Group not added"
echo "$LogTime uss: [$UserName] Group: $newAdminGroup already exists. Group not added" >> $LogFile
fi
if [ "$groupCheck" -eq "0" ]
then
# group does not exist create new group
echo "# Group: $newAdminGroup does not exist"
echo "$LogTime uss: [$UserName] Group: $newAdminGroup does not exist" >> $LogFile
sudo groupadd $newAdminGroup
echo "# Group: $newAdminGroup added"
echo "$LogTime uss: [$UserName] Group: $newAdminGroup added" >> $LogFile
fi
# Add current administrator user to new admin group
addAdminUser=$(zenity --entry --title "Protect su - $TFCName $TFCVersion" --text "Which current user should be added to the new admin group?" --entry-text "admin")
# Check if user is already part of the admin group
echo "# Checking if User: $addAdminUser is already part of the Group: $newAdminGroup"
echo "$LogTime uss: [$UserName] Checking if User: $addAdminUser is already part of the Group: $newAdminGroup" >> $LogFile
userCheck=$(groups $addAdminUser | grep -c -w "$newAdminGroup")
if [ ! "$userCheck" -eq "0" ]
then
# user is already part of the admin group
echo "# User: $addAdminUser is already part of the Group: $newAdminGroup. User not added"
echo "$LogTime uss: [$UserName] User: $addAdminUser is already part of the Group: $newAdminGroup. User not added" >> $LogFile
fi
if [ "$userCheck" -eq "0" ]
then
# user is not part of admin group and needs to be added
echo "# User: $addAdminUser is not part of the Group: $newAdminGroup, adding user to group"
echo "$LogTime uss: [$UserName] User: $addAdminUser is not part of the Group: $newAdminGroup, adding user to group" >> $LogFile
sudo usermod -a -G $newAdminGroup $addAdminUser
echo "# User: $addAdminUser added to the Group: $newAdminGroup"
echo "$LogTime uss: [$UserName] User: $addAdminUser added to the Group: $newAdminGroup" >> $LogFile
fi
# change su permission to limit access only to admin group
echo "# Checking if dpkg state override aleady exists"
echo "$LogTime uss: [$UserName] Checking if dpkg state override aleady exists" >> $LogFile
dpkgCheck=$(sudo dpkg-statoverride --list | grep -c "4750[[:space:]]/bin/su")
if [ ! "$dpkgCheck" -eq "0" ]
then
# dpkg state override already exists. do nothing
echo "# User: dpkg state override already exists. Override not set."
echo "$LogTime uss: [$UserName] dpkg state override already exists. Override not set." >> $LogFile
fi
if [ "$dpkgCheck" -eq "0" ]
then
echo "# Setting new dpkg state override"
echo "$LogTime uss: [$UserName] Setting new dpkg state override" >> $LogFile
sudo dpkg-statoverride --update --add root $newAdminGroup 4750 /bin/su
echo "# dpkg state override done. /bin/su only accessible by $newAdminGroup group members"
echo "$LogTime uss: [$UserName] dpkg state override done. /bin/su only accessible by $newAdminGroup group members" >> $LogFile
fi
fi
echo "25" ; sleep 0.1
# 5. Harden network with sysctl settings
option=$(echo $selection | grep -c "sysctl")
if [ "$option" -eq "1" ]
then
echo "# 5. Harden network with sysctl settings"
echo "$LogTime uss: [$UserName] 5. Harden network with sysctl settings" >> $LogFile
echo "# Updating sysctl network settings"
echo "$LogTime uss: [$UserName] Updating sysctl network settings" >> $LogFile
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.default.rp_filter entry exists comment out old entries" >> $LogFile
sysctlConfig1=$(grep -c "net.ipv4.conf.default.rp_filter" /etc/sysctl.conf)
if [ ! "$sysctlConfig1" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.default.rp_filter/#net.ipv4.conf.default.rp_filter/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.all.rp_filter entry exists comment out old entries" >> $LogFile
sysctlConfig2=$(grep -c "net.ipv4.conf.all.rp_filter" /etc/sysctl.conf)
if [ ! "$sysctlConfig2" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.all.rp_filter/#net.ipv4.conf.all.rp_filter/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.icmp_echo_ignore_broadcasts entry exists comment out old entries" >> $LogFile
sysctlConfig3=$(grep -c "net.ipv4.icmp_echo_ignore_broadcasts" /etc/sysctl.conf)
if [ ! "$sysctlConfig3" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.icmp_echo_ignore_broadcasts/#net.ipv4.icmp_echo_ignore_broadcasts/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.tcp_syncookies entry exists comment out old entries" >> $LogFile
sysctlConfig4=$(grep -c "net.ipv4.tcp_syncookies" /etc/sysctl.conf)
if [ ! "$sysctlConfig4" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.tcp_syncookies/#net.ipv4.tcp_syncookies/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.all.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig5=$(grep -c "net.ipv4.conf.all.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig5" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.all.accept_source_route/#net.ipv4.conf.all.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv6.conf.all.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig6=$(grep -c "net.ipv6.conf.all.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig6" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv6.conf.all.accept_source_route/#net.ipv6.conf.all.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.default.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig7=$(grep -c "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig7" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.default.accept_source_route/#net.ipv4.conf.default.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv6.conf.default.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig8=$(grep -c "net.ipv6.conf.default.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig8" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv6.conf.default.accept_source_route/#net.ipv6.conf.default.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.all.log_martians entry exists comment out old entries" >> $LogFile
sysctlConfig9=$(grep -c "net.ipv4.conf.all.log_martians" /etc/sysctl.conf)
if [ ! "$sysctlConfig9" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.all.log_martians/#net.ipv4.conf.all.log_martians/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
echo "# Write new sysctl configuration settings"
echo "$LogTime uss: [$UserName] Write new sysctl configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - sysctl settings $LogTime" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv6.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
echo "# sysctl settings update complete"
echo "$LogTime uss: [$UserName] sysctl settings update complete" >> $LogFile
zenity --question --title "Network hardening - $TFCName $TFCVersion" --text "Would you like restart sysctl with the new settings now?"
if [ "$?" -eq "0" ]
then
# reload sysctl
sudo sysctl -p
echo "# sysctl settings reloaded"
echo "$LogTime uss: [$UserName] sysctl settings reloaded" >> $LogFile
fi
fi
echo "30" ; sleep 0.1
# 6. Disable Open DNS Recursion - BIND DNS Server
option=$(echo $selection | grep -c "DNS")
if [ "$option" -eq "1" ]
then
echo "# 6. Disable Open DNS Recursion - BIND DNS Server"
echo "$LogTime uss: [$UserName] 6. Disable Open DNS Recursion - BIND DNS Server" >> $LogFile
# Make sure DNS recursion entry does not exist
echo "# Check if DNS recursion option exists"
echo "$LogTime uss: [$UserName] Check if DNS recursion option exists" >> $LogFile
dnsRecur=$(grep -c "recursion" /etc/bind/named.conf.options )
if [ ! "$dnsRecur" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# DNS recursion entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] DNS recursion entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/recursion/#recursion/g' /etc/bind/named.conf.options > /tmp/.named_config
sudo mv /etc/bind/named.conf.options /etc/bind/_named.conf.options.backup
sudo mv /tmp/.named_config /etc/bind/named.conf.options
fi
# add DNS recursion option setting
echo "# Add DNS recursion option setting"
echo "$LogTime uss: [$UserName] Add DNS recursion option setting" >> $LogFile
sudo sed 's/options[[:space:]]{/options { recursion no; # $TFCName Script /g' /etc/bind/named.conf.options > /tmp/.named_config
sudo mv /etc/bind/named.conf.options /etc/bind/_named.conf.options.backup
sudo mv /tmp/.named_config /etc/bind/named.conf.options
echo "# Restart bind9 DNS server"
echo "$LogTime uss: [$UserName] Restart bind9 DNS server" >> $LogFile
sudo /etc/init.d/bind9 restart
echo "# DNS server restarted"
echo "$LogTime uss: [$UserName] DNS server restarted" >> $LogFile
fi
echo "35" ; sleep 0.1
# 7. Prevent IP Spoofing
option=$(echo $selection | grep -c "Spoofing")
if [ "$option" -eq "1" ]
then
echo "# 7. Prevent IP Spoofing"
echo "$LogTime uss: [$UserName] 7. Prevent IP Spoofing" >> $LogFile
# Make sure IP Spoofing entry does not exist
echo "# Check if IP Spoofing option exists"
echo "$LogTime uss: [$UserName] Check if IP Spoofing option exists" >> $LogFile
ipSpoof=$(grep -c "nospoof" /etc/host.conf )
if [ ! "$ipSpoof" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# nospoof entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] nospoof entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/nospoof/#nospoof/g' /etc/host.conf > /tmp/.host_config
sudo mv /etc/host.conf /etc/host.conf.backup
sudo mv /tmp/.host_config /etc/host.conf
fi
# Make sure order entry does not exist
echo "# Check if order entry exists"
echo "$LogTime uss: [$UserName] Check if order option exists" >> $LogFile
orderOp=$(grep -c "order" /etc/host.conf )
if [ ! "$orderOp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# order entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] order entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/order/#order/g' /etc/host.conf > /tmp/.host_config
sudo mv /etc/host.conf /etc/host.conf.backup
sudo mv /tmp/.host_config /etc/host.conf
fi
# add new order and nospoof option settings
echo "# Write new host configuration settings"
echo "$LogTime uss: [$UserName] Write new host configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - IP nospoof settings $LogTime" >> /etc/host.conf
sudo echo "order bind,hosts" >> /etc/host.conf
sudo echo "nospoof on" >> /etc/host.conf
echo "# host configuration settings update complete"
echo "$LogTime uss: [$UserName] host configuration settings update complete" >> $LogFile
echo "# Restart bind9 DNS server"
echo "$LogTime uss: [$UserName] Restart bind9 DNS server" >> $LogFile
sudo /etc/init.d/bind9 restart
echo "# DNS server restarted"
echo "$LogTime uss: [$UserName] DNS server restarted" >> $LogFile
fi
echo "40" ; sleep 0.1
# 8. Harden PHP for security
option=$(echo $selection | grep -c "PHP")
if [ "$option" -eq "1" ]
then
echo "# 8. Harden PHP for security"
echo "$LogTime uss: [$UserName] 8. Harden PHP for security" >> $LogFile
# Make sure disable_functions entry does not exist
echo "# Check if disable_functions option exists"
echo "$LogTime uss: [$UserName] Check if disable_functions option exists" >> $LogFile
disPhp=$(grep -c "disable_functions" /etc/php5/apache2/php.ini )
if [ ! "$disPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# disable_functions entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] disable_functions entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/disable_functions/;disable_functions/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# Make sure register_globals entry does not exist
echo "# Check if register_globals entry exists"
echo "$LogTime uss: [$UserName] Check if register_globals option exists" >> $LogFile
gloPhp=$(grep -c "register_globals" /etc/php5/apache2/php.ini )
if [ ! "$gloPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# register_globals entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] register_globals entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/register_globals/;register_globals/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# Make sure expose_php entry does not exist
echo "# Check if register_globals entry exists"
echo "$LogTime uss: [$UserName] Check if register_globals option exists" >> $LogFile
expPhp=$(grep -c "expose_php" /etc/php5/apache2/php.ini )
if [ ! "$expPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# expose_php entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] expose_php entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/expose_php/;expose_php/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# Make sure magic_quotes_gpc entry does not exist
echo "# Check if magic_quotes_gpc entry exists"
echo "$LogTime uss: [$UserName] Check if magic_quotes_gpc option exists" >> $LogFile
expPhp=$(grep -c "magic_quotes_gpc" /etc/php5/apache2/php.ini )
if [ ! "$expPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# magic_quotes_gpc entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] magic_quotes_gpc entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/magic_quotes_gpc/;magic_quotes_gpc/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# add new PHP configuration option settings
echo "# Write new PHP configuration settings"
echo "$LogTime uss: [$UserName] Write new PHP configuration settings" >> $LogFile
sudo echo "; $TFCName Script Entry - PHP security settings settings $LogTime" >> /etc/php5/apache2/php.ini
sudo echo "disable_functions = exec,system,shell_exec,passthru" >> /etc/php5/apache2/php.ini
sudo echo "register_globals = Off" >> /etc/php5/apache2/php.ini
sudo echo "expose_php = Off" >> /etc/php5/apache2/php.ini
sudo echo "magic_quotes_gpc = On" >> /etc/php5/apache2/php.ini
echo "# PHP configuration settings update complete"
echo "$LogTime uss: [$UserName] PHP configuration settings update complete" >> $LogFile
# Ask to restart Apache2
zenity --question --title "PHP Security - $TFCName $TFCVersion" --text "Would you like restart Apache2 with the new settings now?"
if [ "$?" -eq "0" ]
then
# restart apache2
echo "# Restart Apache2 server"
echo "$LogTime uss: [$UserName] Restart Apache2 server" >> $LogFile
sudo /etc/init.d/apache2 restart
echo "# Apache2 restarted"
echo "$LogTime uss: [$UserName] Apache2 restarted" >> $LogFile
fi
fi
echo "45" ; sleep 0.1
# 9. Install ModSecurity
option=$(echo $selection | grep -c "ModSecurity")
if [ "$option" -eq "1" ]
then
echo "# 9. Install ModSecurity"
echo "$LogTime uss: [$UserName] 9. Install ModSecurity" >> $LogFile
# install dependencies
echo "# Install dependencies libxml2 libxml2-dev libxml2-utils elinks"
echo "$LogTime uss: [$UserName] Install dependencies libxml2 libxml2-dev libxml2-utils" >> $LogFile
sudo apt-get install -y libxml2 libxml2-dev libxml2-utils 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libxml2 libxml2-dev libxml2-utils" --auto-close
echo "# Install dependencies libaprutil1 libaprutil1-dev"
echo "$LogTime uss: [$UserName] Install dependencies libaprutil1 libaprutil1-dev" >> $LogFile
sudo apt-get -y install libaprutil1 libaprutil1-dev 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libaprutil1 libaprutil1-dev" --auto-close
echo "# create symbolic link for 64bit users to libxml2.so.2"
echo "$LogTime uss: [$UserName] create symbolic link for 64bit users to libxml2.so.2" >> $LogFile
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
# Install ModSecurity
echo "# Install Apache ModSecurity"
echo "$LogTime uss: [$UserName] Install Apache ModSecurity" >> $LogFile
sudo apt-get install -y libapache-mod-security 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libaprutil1 libaprutil1-dev" --auto-close
# Activate default configuration file
echo "# Activate Apache ModSecurity recommended rules"
echo "$LogTime uss: [$UserName] Activate Apache Mod Security" >> $LogFile
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# Edit modsecurity.conf and change the SecRequestBody Limits as the default 128KB is too low
RecLimit=$(zenity --entry --text "Select the page request body limit (SecRequestBodyLimit)? Default is 128KB and is very low. Value in bytes:" --title "ModSecurity Configuration - $TFCName $TFCVersion" --entry-text "131072")
echo "# Updating ModSecurity settings"
echo "$LogTime uss: [$UserName] Updating ModSecurity settings" >> $LogFile
# Check if SecRequestBodyLimit entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if SecRequestBodyLimit entry exists comment out old entries" >> $LogFile
modsecSecReq=$(grep -c "SecRequestBodyLimit" /etc/modsecurity/modsecurity.conf)
if [ ! "$modsecSecReq" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/SecRequestBodyLimit/#SecRequestBodyLimit/g' /etc/modsecurity/modsecurity.conf > /tmp/.modsec_config
sudo mv /etc/modsecurity/modsecurity.conf /etc/modsecurity/modsecurity.conf.backup
sudo mv /tmp/.modsec_config /etc/modsecurity/modsecurity.conf
fi
# Check if SecRequestBodyInMemoryLimit entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if SecRequestBodyInMemoryLimit entry exists comment out old entries" >> $LogFile
modsecSecReqMem=$(grep -c "SecRequestBodyInMemoryLimit" /etc/modsecurity/modsecurity.conf)
if [ ! "$modsecSecReqMem" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/SecRequestBodyInMemoryLimit/#SecRequestBodyInMemoryLimit/g' /etc/modsecurity/modsecurity.conf > /tmp/.modsec_config
sudo mv /etc/modsecurity/modsecurity.conf /etc/modsecurity/modsecurity.conf.backup
sudo mv /tmp/.modsec_config /etc/modsecurity/modsecurity.conf
fi
echo "# Write new ModSecurity configuration settings"
echo "$LogTime uss: [$UserName] Write new ModSecurity configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - ModSecurity settings $LogTime" >> /etc/modsecurity/modsecurity.conf
sudo echo "SecRequestBodyLimit $RecLimit" >> /etc/modsecurity/modsecurity.conf
sudo echo "SecRequestBodyInMemoryLimit $RecLimit" >> /etc/modsecurity/modsecurity.conf
echo "# ModSecurity settings update complete"
echo "$LogTime uss: [$UserName] ModSecurity settings update complete" >> $LogFile
# Download latest OWASP Core Rule Set
echo "# Download latest OWASP Core Rule Set"
echo "$LogTime uss: [$UserName] Download latest OWASP Core Rule Set for SourceForge" >> $LogFile
sourceforgeUrl="http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/"
modesecurityFilePattern="modsecurity-crs_2.*"
# Read sourceforge webpage with elinks and find the latest version filename
crsFilename=$(elinks $sourceforgeUrl | grep -o -w --max-count=1 "$modesecurityFilePattern.tar.gz")
# Create a tmp install folder
sudo mkdir /tmp/modsecurity-crs
cd /tmp/modsecurity-crs
# Download the latest crs from sourceforge
echo "# Downloading Core Rule Set: $crsFilename from SourceForge"
echo "$LogTime uss: [$UserName] Downloading Core Rule Set: $crsFilename from SourceForge" >> $LogFile
# Download and show progress and download speed with zenity
sudo wget $sourceforgeUrl$crsFilename 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Downloading $crsFilename" --auto-close
# UnTar and install crs rules
sudo tar -zxvf $crsFilename
sudo cp -R $modesecurityFilePattern/* /etc/modsecurity/
# Delete tmp install folder
cd /tmp
sudo rm -R /tmp/modsecurity-crs
# Activate the default crs ruleset
sudo mv /etc/modsecurity/modsecurity_crs_10_config.conf.example /etc/modsecurity/modsecurity_crs_10_config.conf
# Enable ModSecurity in Apache2
sudo a2enmod mod-security
echo "# Apache2 ModSecurity installation complete"
echo "$LogTime uss: [$UserName] Apache2 ModSecurity installation complete" >> $LogFile
# Ask to restart Apache2
zenity --question --title "Apache2 ModSecurity - $TFCName $TFCVersion" --text "Would you like restart Apache2 with ModSecurity?"
if [ "$?" -eq "0" ]
then
# restart apache2
echo "# Restart Apache2 with ModSecurity"
echo "$LogTime uss: [$UserName] Restart Apache2 with ModSecurity" >> $LogFile
sudo /etc/init.d/apache2 restart
echo "# Apache2 restarted"
echo "$LogTime uss: [$UserName] Apache2 restarted with ModSecurity" >> $LogFile
# Output the Apache2 error.log file entries for ModSecurity to check status after install in zenity info box
sudo grep "ModSecurity" /var/log/apache2/error.log | zenity --title "Apache2 ModSecurity Status - $TFCName $TFCVersion" --text-info --width 800 --height 400
fi
fi
echo "50" ; sleep 0.1
# 10. Protect from DDOS (Denial of Service) attacks - ModEvasive
option=$(echo $selection | grep -c "ModEvasive")
if [ "$option" -eq "1" ]
then
echo "# 10. Protect from DDOS (Denial of Service) attacks - ModEvasive"
echo "$LogTime uss: [$UserName] 10. Protect from DDOS (Denial of Service) attacks - ModEvasive" >> $LogFile
# Install ModEvasive
echo "# Install Apache ModEvasive"
echo "$LogTime uss: [$UserName] Install Apache ModEvasive" >> $LogFile
sudo apt-get install -y libapache2-mod-evasive 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libapache2-mod-evasive" --auto-close
# Create log file for ModEvasive
sudo mkdir /var/log/mod_evasive
# Change the log folder permissions
sudo chown www-data:www-data /var/log/mod_evasive/
# Enter Email address to receive notifications from ModEvasive
echo "# Enter Email address to receive notifications from ModEvasive"
echo "$LogTime uss: [$UserName] Enter Email address to receive notifications from ModEvasive" >> $LogFile
modEvaEmail=$(zenity --entry --text "Enter the email for ModEvasive notifications" --title "Apache2 ModEvasive - $TFCName $TFCVersion" --entry-text "[email protected]")
# Check for previous ModEvasive configuration file
if [ -f /etc/apache2/mods-available/mod-evasive.conf ]
then
echo "# Backup previous ModEvasive configuration file"
echo "$LogTime uss: [$UserName] # Backup previous ModEvasive configuration file" >> $LogFile
sudo mv /etc/apache2/mods-available/mod-evasive.conf /etc/apache2/mods-available/mod-evasive.conf.backup
fi
# Writing New Configuration file for ModEvasive
echo "# Writing New Configuration file for ModEvasive"
echo "$LogTime uss: [$UserName] Writing New Configuration file for ModEvasive" >> $LogFile
# Create Config file
sudo echo "# $TFCName Script Entry - Apache2 ModEvasive Configuration $LogTime" > /etc/apache2/mods-available/mod-evasive.conf
sudo echo "<ifmodule mod_evasive20.c>" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSHashTableSize 3097" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSPageCount 2" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSSiteCount 50" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSPageInterval 1" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSSiteInterval 1" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSBlockingPeriod 10" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSLogDir /var/log/mod_evasive" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSEmailNotify $modEvaEmail" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSWhitelist 127.0.0.1" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo "</ifmodule>" >> /etc/apache2/mods-available/mod-evasive.conf
# Enable ModEvasive in Apache2
sudo a2enmod mod-evasive
echo "# Apache2 ModEvasive installation complete"
echo "$LogTime uss: [$UserName] Apache2 ModEvasive installation complete" >> $LogFile
# Ask to restart Apache2
zenity --question --title "Apache2 ModEvasive - $TFCName $TFCVersion" --text "Would you like restart Apache2 with ModEvasive?"
if [ "$?" -eq "0" ]
then
# restart apache2
echo "# Restart Apache2 with ModSecurity"
echo "$LogTime uss: [$UserName] Restart Apache2 with ModEvasive" >> $LogFile
sudo /etc/init.d/apache2 restart
echo "# Apache2 restarted"
echo "$LogTime uss: [$UserName] Apache2 restarted with ModEvasive" >> $LogFile
fi
fi
echo "55" ; sleep 0.1
# 11. Scan logs and ban suspicious hosts - DenyHosts
option=$(echo $selection | grep -c "DenyHosts")
if [ "$option" -eq "1" ]
then
echo "# 11. Scan logs and ban suspicious hosts - DenyHosts"
echo "$LogTime uss: [$UserName] 11. Scan logs and ban suspicious hosts - DenyHosts" >> $LogFile
echo "# Check if Denyhosts is installed..."
echo "$LogTime uss: [$UserName] Check if Denyhosts is installed..." >> $LogFile
if [ -f /usr/sbin/denyhosts ]
then
# RKHunter already installed
echo "# Denyhosts is already installed"
echo "$LogTime uss: [$UserName] Denyhosts is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/denyhosts ]
then
# Install DenyHosts
echo "# Install DenyHosts"
echo "$LogTime uss: [$UserName] Install DenyHosts" >> $LogFile
sudo apt-get install -y denyhosts 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing DenyHosts" --auto-close
fi
# Enter Email address to receive notifications from DenyHosts
echo "# Enter Email address to receive notifications from DenyHosts"
echo "$LogTime uss: [$UserName] Enter Email address to receive notifications from DenyHosts" >> $LogFile
denyhostEmail=$(zenity --entry --text "Enter the email for DenyHosts notifications" --title "DenyHosts - $TFCName $TFCVersion" --entry-text "root@localhost")
denyhostFrom=$(zenity --entry --text "Enter the email from field for DenyHosts notifications" --title "DenyHosts - $TFCName $TFCVersion" --entry-text "DenyHosts <nobody@localhost>")
# Make sure ADMIN_EMAIL entry does not exist
echo "# Check if ADMIN_EMAIL option exists"
echo "$LogTime uss: [$UserName] Check if ADMIN_EMAIL option exists" >> $LogFile
adminEmail=$(grep -c "ADMIN_EMAIL" /etc/denyhosts.conf )
if [ ! "$adminEmail" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# ADMIN_EMAIL entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] ADMIN_EMAIL entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/ADMIN_EMAIL/#ADMIN_EMAIL/g' /etc/denyhosts.conf > /tmp/.denyhosts_config
sudo mv /etc/denyhosts.conf /etc/denyhosts.conf.backup
sudo mv /tmp/.denyhosts_config /etc/denyhosts.conf
fi
# Make sure order entry does not exist
echo "# Check if SMTP_FROM entry exists"
echo "$LogTime uss: [$UserName] Check if SMTP_FROM option exists" >> $LogFile
smtpFrom=$(grep -c "SMTP_FROM" /etc/denyhosts.conf )
if [ ! "$smtpFrom" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# SMTP_FROM entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] SMTP_FROM entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/SMTP_FROM/#SMTP_FROM/g' /etc/denyhosts.conf > /tmp/.denyhosts_config
sudo mv /etc/denyhosts.conf /etc/denyhosts.conf.backup
sudo mv /tmp/.denyhosts_config /etc/denyhosts.conf
fi
# write new DenyHosts settings
echo "# Write new DenyHosts configuration settings"
echo "$LogTime uss: [$UserName] Write new DenyHosts configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - DenyHosts settings $LogTime" >> /etc/denyhosts.conf
sudo echo "ADMIN_EMAIL = $denyhostEmail" >> /etc/denyhosts.conf
sudo echo "SMTP_FROM = $denyhostFrom" >> /etc/denyhosts.conf
echo "# DenyHosts configuration settings update complete"
echo "$LogTime uss: [$UserName] DenyHosts configuration settings update complete" >> $LogFile
echo "# Restart DenyHosts service"
echo "$LogTime uss: [$UserName] Restart DenyHosts service" >> $LogFile
sudo /etc/init.d/denyhosts restart
echo "# DenyHosts service restarted"
echo "$LogTime uss: [$UserName] DenyHosts service restarted" >> $LogFile
fi
echo "60" ; sleep 0.1
# 12. Intrusion Detection - PSAD
option=$(echo $selection | grep -c "PSAD")
if [ "$option" -eq "1" ]
then
echo "# 12. Intrusion Detection - PSAD"
echo "$LogTime uss: [$UserName] 12. Intrusion Detection - PSAD" >> $LogFile
echo "# Check if PSAD is installed..."
echo "$LogTime uss: [$UserName] Check if PSAD is installed..." >> $LogFile
if [ -f /usr/sbin/psad ]
then
# PSAD already installed
echo "# PSAD is already installed"
echo "$LogTime uss: [$UserName] PSAD is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/psad ]
then
# Install PSAD
echo "# Install PSAD"
echo "$LogTime uss: [$UserName] Install PSAD" >> $LogFile
sudo apt-get install -y psad 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing PSAD" --auto-close
fi
# Enter Email address to receive notifications from PSAD
echo "# Enter Email address to receive notifications from PSAD"
echo "$LogTime uss: [$UserName] Enter Email address to receive notifications from PSAD" >> $LogFile
psadEmail=$(zenity --entry --text "Enter the email for PSAD notifications" --title "PSAD - $TFCName $TFCVersion" --entry-text "root@localhost")
# Make sure EMAIL_ADDRESSES entry does not exist
echo "# Check if EMAIL_ADDRESSES option exists"
echo "$LogTime uss: [$UserName] Check if EMAIL_ADDRESSES option exists" >> $LogFile
psadAdminEmail=$(grep -c "EMAIL_ADDRESSES" /etc/psad/psad.conf )
if [ ! "$psadAdminEmail" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# EMAIL_ADDRESSES entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] EMAIL_ADDRESSES entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/EMAIL_ADDRESSES/#EMAIL_ADDRESSES/g' /etc/psad/psad.conf > /tmp/.psad_config
sudo mv /etc/psad/psad.conf /etc/psad/psad.conf.backup
sudo mv /tmp/.psad_config /etc/psad/psad.conf
fi
# Make sure ENABLE_AUTO_IDS entry does not exist
echo "# Check if ENABLE_AUTO_IDS entry exists"
echo "$LogTime uss: [$UserName] Check if ENABLE_AUTO_IDS option exists" >> $LogFile
psadIdsEmail=$(grep -c "ENABLE_AUTO_IDS_EMAILS" /etc/psad/psad.conf )
if [ ! "$psadIdsEmail" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# ENABLE_AUTO_IDS entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] ENABLE_AUTO_IDS entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/ENABLE_AUTO_IDS_EMAILS/#ENABLE_AUTO_IDS_EMAILS/g' /etc/psad/psad.conf > /tmp/.psad_config
sudo mv /etc/psad/psad.conf /etc/psad/psad.conf.backup
sudo mv /tmp/.psad_config /etc/psad/psad.conf
fi
# write new PSAD settings
echo "# Write new PSAD configuration settings"
echo "$LogTime uss: [$UserName] Write new PSAD configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - DenyHosts settings $LogTime" >> /etc/psad/psad.conf
sudo echo "EMAIL_ADDRESSES $psadEmail;" >> /etc/psad/psad.conf
sudo echo "ENABLE_AUTO_IDS_EMAILS Y;" >> /etc/psad/psad.conf
echo "# PSAD configuration settings update complete"
echo "$LogTime uss: [$UserName] PSAD configuration settings update complete" >> $LogFile
echo "# Update iptables to add log rules for PSAD"
echo "$LogTime uss: [$UserName] Update iptables to add log rules for PSAD" >> $LogFile
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG
echo "# Update and Restart PSAD service"
echo "$LogTime uss: [$UserName] Update and Restart PSAD service" >> $LogFile
sudo psad -R
sudo psad --sig-update
sudo psad -H
echo "# PSAD service updated and restarted"
echo "$LogTime uss: [$UserName] PSAD service updated restarted" >> $LogFile
fi
echo "65" ; sleep 0.1
# 13. Check for rootkits - RKHunter
option=$(echo $selection | grep -c "RKHunter")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 13. Check for rootkits - RKHunter" >> $LogFile
echo "# 13. Check for rootkits - RKHunter"
echo "# Check if RKHunter is installed..."
echo "$LogTime uss: [$UserName] Check if RKHunter is installed..." >> $LogFile
if [ -f /usr/bin/rkhunter ]
then
# RKHunter already installed
echo "# RKHunter is already installed"
echo "$LogTime uss: [$UserName] RKHunter is already installed" >> $LogFile
fi
if [ ! -f /usr/bin/rkhunter ]
then
# Install RKHunter
echo "# RKHunter NOT installed, installing..."
echo "$LogTime uss: [$UserName] RKHunter NOT installed, installing..." >> $LogFile
sudo apt-get install -y rkhunter 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing RKHunter" --auto-close
fi
# Update RKHunter
echo "# Updating RKHunter"
echo "$LogTime uss: [$UserName] Updating RKHunter" >> $LogFile
sudo rkhunter --update 2>&1 | zenity --progress --title="RKHunter - $TFCName $TFCVersion" --text="Downloading updates..." --width 400 --auto-close --percentage=33
sudo rkhunter --propupd 2>&1 | zenity --progress --title="RKHunter - $TFCName $TFCVersion" --text="Updating properties..." --width 400 --auto-close --percentage=85
echo "# RKHunter installed and updated"
echo "$LogTime uss: [$UserName] RKHunter installed and updated" >> $LogFile
# Ask to run RKHunter scan now
zenity --question --title "RKHunter - $TFCName $TFCVersion" --text "Would you like to run a RKHunter check now?"
if [ "$?" -eq "0" ]
then
# Run RKHunter check
echo "# Running RKHunter check"
echo "$LogTime uss: [$UserName] Running RKHunter check" >> $LogFile
# Run RKHunter check and output to Zenity
sudo rkhunter --check --nocolors --skip-keypress 2>&1 | zenity --text-info --title "RKHunter - $TFCName $TFCVersion" --width 600 --height 400
echo "# RKHunter check done"
echo "$LogTime uss: [$UserName] RKHunter check done" >> $LogFile
fi
fi
echo "70" ; sleep 0.1
# 14. Scan open ports - Nmap
option=$(echo $selection | grep -c "Nmap")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 14. Scan open ports - Nmap" >> $LogFile
echo "# 14. Scan open ports - Nmap"
echo "# Check if Nmap is installed..."
echo "$LogTime uss: [$UserName] Check if Nmap is installed..." >> $LogFile
if [ -f /usr/bin/nmap ]
then
# Nmap already installed
echo "# Nmap is already installed"
echo "$LogTime uss: [$UserName] Nmap is already installed" >> $LogFile
fi
if [ ! -f /usr/bin/nmap ]
then
# Install Nmap
echo "# Nmap NOT installed, installing..."
echo "$LogTime uss: [$UserName] Nmap NOT installed, installing..." >> $LogFile
sudo apt-get install -y nmap 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing Nmap" --auto-close
fi
echo "# Nmap installed"
echo "$LogTime uss: [$UserName] Nmap installed" >> $LogFile
# Ask to run Nmap scan now
zenity --question --title "Nmap - $TFCName $TFCVersion" --text "Would you like to run a Nmap port scan of the localhost now?"
if [ "$?" -eq "0" ]
then
# Run Nmap check
echo "# Running Nmap localhost scan"
echo "$LogTime uss: [$UserName] Running Nmap locahost scan" >> $LogFile
# Run Nmap check and output to Zenity
sudo nmap -v -sT -A localhost 2>&1 | zenity --text-info --title "Nmap Localhost Scan - $TFCName $TFCVersion" --width 800 --height 500
echo "# Nmap check done"
echo "$LogTime uss: [$UserName] Nmap check done" >> $LogFile
fi
fi
echo "75" ; sleep 0.1
# 15. Analyse system LOG files - LogWatch
option=$(echo $selection | grep -c "LogWatch")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 15. Analyse system LOG files - LogWatch" >> $LogFile
echo "# 15. Analyse system LOG files - LogWatch"
echo "# Check if LogWatch is installed..."
echo "$LogTime uss: [$UserName] Check if LogWatch is installed..." >> $LogFile
if [ -f /usr/sbin/logwatch ]
then
# LogWatch already installed
echo "# LogWatch is already installed"
echo "$LogTime uss: [$UserName] LogWatch is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/logwatch ]
then
# Install LogWatch
echo "# LogWatch NOT installed, installing..."
echo "$LogTime uss: [$UserName] LogWatch NOT installed, installing..." >> $LogFile
sudo apt-get install -y logwatch libdate-manip-perl 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing LogWatch" --auto-close
fi
echo "# LogWatch installed"
echo "$LogTime uss: [$UserName] LogWatch installed" >> $LogFile
# Ask to run LogWatch scan now
zenity --question --title "Nmap - $TFCName $TFCVersion" --text "Would you like to run a LogWatch for the past day now?"
if [ "$?" -eq "0" ]
then
# Run LogWatch check
echo "# Running LogWatch scan"
echo "$LogTime uss: [$UserName] Running LogWatch scan" >> $LogFile
# Run LogWatch check and output to Zenity
sudo logwatch | less | zenity --text-info --title "LogWatch Report - $TFCName $TFCVersion" --width 800 --height 500
echo "# LogWatch scan done"
echo "$LogTime uss: [$UserName] LogWatch scan done" >> $LogFile
fi
fi
echo "80" ; sleep 0.1
# 16. SELinux - Apparmor
option=$(echo $selection | grep -c "Apparmor")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 16. SELinux - Apparmor" >> $LogFile
echo "# 16. SELinux - Apparmor"
echo "# Check if Apparmor is installed..."
echo "$LogTime uss: [$UserName] Check if Apparmor is installed..." >> $LogFile
if [ -f /usr/sbin/apparmor_status ]
then
# Apparmor already installed
echo "# Apparmor is already installed"
echo "$LogTime uss: [$UserName] Apparmor is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/apparmor_status ]
then
# Install Apparmor
echo "# Apparmor NOT installed, installing..."
echo "$LogTime uss: [$UserName] Apparmor NOT installed, installing..." >> $LogFile
sudo apt-get install -y apparmor apparmor-profiles 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing Apparmor" --auto-close
fi
echo "# Apparmor installed"
echo "$LogTime uss: [$UserName] Apparmor installed" >> $LogFile
# Ask to run Apparmor status check now
zenity --question --title "Apparmor - $TFCName $TFCVersion" --text "Would you like to check the Apparmor status now?"
if [ "$?" -eq "0" ]
then
# Run Apparmor check
echo "# Check Apparmor status"
echo "$LogTime uss: [$UserName] Check Apparmor status" >> $LogFile
# Run Apparmor status check and output to Zenity
sudo apparmor_status 2>&1 | zenity --text-info --title "Apparmor status check - $TFCName $TFCVersion" --width 600 --height 400
echo "# Apparmor status check done"
echo "$LogTime uss: [$UserName] Apparmor status check done" >> $LogFile
fi
fi
echo "85" ; sleep 0.1
# 17. Audit your system security - Tiger
option=$(echo $selection | grep -c "Tiger")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 17. Audit your system security - Tiger" >> $LogFile
echo "# 17. Audit your system security - Tiger"
echo "# Check if Tiger is installed..."
echo "$LogTime uss: [$UserName] Check if Tiger is installed..." >> $LogFile
if [ -f /usr/sbin/tiger ]
then
# Tiger already installed
echo "# Tiger is already installed"
echo "$LogTime uss: [$UserName] Tiger is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/tiger ]