# Ubuntu Server Secure script v0.1 alpha May 2012
#
# - Zenity GUI installer version
#
* Ubuntu Server Secure script v0.1 alpha May 2012
DISCLAIMER: Use with care. This script is provided purely for alpha testing and can harm your system if used incorrectly
NOTE: This is a GUI installer script that depends on zenity.
* Installation Instruction
- Install zenity if not already installed by default on Ubuntu : sudo apt-get install zenity
- Download the Ubuntu Server Secure script
- Change Directory to the downloaded file : cd /path/to/download
- From terminal enter :
sudo tar -zxvf ubuntu-server-secure.tar.gz
cd ubuntu-server-secure
sudo chmod +x ubuntu-server-secure.sh
gksudo sh ubuntu-server-secure.sh
* Log File
Complete log can be found at: /var/log/uss_YYYY-MM-DD.log (replace YYYY-MM-DD with current date)
#!/bin/sh
#
# Ubuntu Server Secure script v0.1 alpha by The Fan Club - May 2012
#
# - Zenity GUI installer version
#
echo
echo "* Ubuntu Server Secure script v0.1 alpha by The Fan Club - May 2012"
echo
echo "DISCLAIMER: Use with care. This script is provided purely for alpha testing and can harm your system if used incorrectly"
echo "NOTE: This is a GUI installer script that depends on zenity."
echo "NOTE: Run this script with gksudo sh /path/to/script/ubuntu-server-secure.sh"
# Local Variables
TFCName="Ubuntu Server Secure"
TFCVersion="v0.1 alpha"
UserName=$(whoami)
LogDay=$(date '+%Y-%m-%d')
LogTime=$(date '+%Y-%m-%d %H:%M:%S')
LogFile=/var/log/uss_$LogDay.log
#
# Start of Zenity code
#
selection=$(zenity --list --title "$TFCName $TFCVersion" --text "Select the security features you require" --checklist --width 480 --height 550 \
--column "pick" --column "options" \
FALSE " 1. Install and configure Firewall - ufw" \
FALSE " 2. Secure shared memory - fstab" \
FALSE " 3. SSH - Disable root login and change port" \
FALSE " 4. Protect su by limiting access only to admin group" \
FALSE " 5. Harden network with sysctl settings" \
FALSE " 6. Disable Open DNS Recursion" \
FALSE " 7. Prevent IP Spoofing" \
FALSE " 8. Harden PHP for security" \
FALSE " 9. Install and configure ModSecurity" \
FALSE "10. Protect from DDOS attacks with ModEvasive" \
FALSE "11. Scan logs and ban suspicious hosts - DenyHosts" \
FALSE "12. Intrusion Detection - PSAD" \
FALSE "13. Check for RootKits - RKHunter" \
FALSE "14. Scan open Ports - Nmap" \
FALSE "15. Analyse system LOG files - LogWatch" \
FALSE "16. SELinux - Apparmor" \
FALSE "17. Audit your system security - Tiger" \
--separator=",");
if [ ! "$selection" = "" ]
then
# Start of Zenity Progress code
echo "$LogTime uss: [$UserName] * $TFCName $TFCVersion - Install Log Started" >> $LogFile
(
echo "5" ; sleep 0.1
# 1. Install and configure Firewall
option=$(echo $selection | grep -c "ufw")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 1. Install and configure Firewall - ufw" >> $LogFile
echo "# 1. Install and configure :Firewall - ufw"
echo "# Check if ufw Firewall is installed..."
echo "$LogTime uss: [$UserName] Check if ufw Firewall is installed..." >> $LogFile
if [ -f /usr/sbin/ufw ]
then
echo "# ufw Firewall is already installed"
echo "$LogTime uss: [$UserName] ufw Firewall is already installed" >> $LogFile
#sudo ufw status verbose | zenity --title "Firewall Status - $TFCName $TFCVersion" --text-info --width 600 --height 400
fi
if [ ! -f /usr/sbin/ufw ]
then
echo "# ufw Firewall NOT installed, installing..."
echo "$LogTime uss: [$UserName] ufw Firewall NOT installed, installing..." >> $LogFile
sudo apt-get install -y ufw
sudo ufw enable
echo "# ufw Firewall installed and enabled"
echo "$LogTime uss: [$UserName] ufw Firewall installed and enabled" >> $LogFile
sudo ufw allow ssh
sudo ufw allow http
echo "# ufw Firewall ports for SSH and Http configured"
echo "$LogTime uss: [$UserName] ufw Firewall ports for SSH and Http configured" >> $LogFile
fi
fi
echo "10" ; sleep 0.1
# 2. secure shared memory
option=$(echo $selection | grep -c "fstab")
if [ "$option" -eq "1" ]
then
echo "# 2. Secure shared memory."
echo "$LogTime uss: [$UserName] 2. Secure shared memory." >> $LogFile
echo "# Check if shared memory is secured"
echo "$LogTime uss: [$UserName] Check if shared memory is secured" >> $LogFile
# Make sure fstab does not already contain a tmpfs reference
fstab=$(grep -c "tmpfs" /etc/fstab)
if [ ! "$fstab" -eq "0" ]
then
echo "# fstab already contains a tmpfs partition. Nothing to be done."
echo "$LogTime uss: [$UserName] fstab already contains a tmpfs partition. Nothing to be done." >> $LogFile
fi
if [ "$fstab" -eq "0" ]
then
echo "# fstab being updated to secure shared memory"
echo "$LogTime uss: [$UserName] fstab being updated to secure shared memory" >> $LogFile
sudo echo "# $TFCName Script Entry - Secure Shared Memory - $LogTime" >> /etc/fstab
sudo echo "tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0" >> /etc/fstab
echo "# Shared memory secured. Reboot required"
echo "$LogTime uss: [$UserName] Shared memory secured. Reboot required" >> $LogFile
fi
fi
echo "15" ; sleep 0.1
# 3. SSH Hardening - disable root login and change port
option=$(echo $selection | grep -c "SSH")
if [ "$option" -eq "1" ]
then
echo "# 3. SSH Hardening - disable root login and change port"
echo "$LogTime uss: [$UserName] 3. SSH Hardening - disable root login and change port" >> $LogFile
sshNewPort=$(zenity --entry --text "Select a new SSH port?" --title "SSH Hardening - $TFCName $TFCVersion" --entry-text "22")
echo "# Updating SSH settings"
echo "$LogTime uss: [$UserName] Updating SSH settings" >> $LogFile
# Check if Port entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if Port entry exists comment out old entries" >> $LogFile
sshconfigPort=$(grep -c "Port" /etc/ssh/sshd_config)
if [ ! "$sshconfigPort" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/Port/#Port/g' /etc/ssh/sshd_config > /tmp/.sshd_config
sudo mv /etc/ssh/sshd_config /etc/ssh/ssh_config.backup
sudo mv /tmp/.sshd_config /etc/ssh/sshd_config
fi
# Check if Protocol entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if Protocol entry exists comment out old entries" >> $LogFile
sshconfigProtocol=$(grep -c "Protocol" /etc/ssh/sshd_config)
if [ ! "$sshconfigProtocol" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/Protocol/#Protocol/g' /etc/ssh/sshd_config > /tmp/.sshd_config
sudo mv /etc/ssh/sshd_config /etc/ssh/ssh_config.backup
sudo mv /tmp/.sshd_config /etc/ssh/sshd_config
fi
# Check if PermitRootLogin entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if PermitRootLogin entry exists comment out old entries" >> $LogFile
sshconfigPermitRoot=$(grep -c "PermitRootLogin" /etc/ssh/sshd_config)
if [ ! "$sshconfigPermitRoot" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/PermitRootLogin/#PermitRootLogin/g' /etc/ssh/sshd_config > /tmp/.sshd_config
sudo mv /etc/ssh/sshd_config /etc/ssh/ssh_config.backup
sudo mv /tmp/.sshd_config /etc/ssh/sshd_config
fi
echo "# Write new SSH configuration settings"
echo "$LogTime uss: [$UserName] Write new SSH configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - SSH settings $LogTime" >> /etc/ssh/sshd_config
sudo echo "Port $sshNewPort" >> /etc/ssh/sshd_config
sudo echo "Protocol 2" >> /etc/ssh/sshd_config
sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "# SSH settings update complete"
echo "$LogTime uss: [$UserName] SSH settings update complete" >> $LogFile
zenity --question --title "SSH Hardening - $TFCName $TFCVersion" --text "Open new SSH port $sshNewPort on UFW Firewall ?"
if [ "$?" -eq "0" ]
then
# open new port on UFW Firewall
sudo ufw $sshNewPort
echo "# Port $sshNewPort opened on UFW Firewall"
echo "$LogTime uss: [$UserName] Port $sshNewPort opened on UFW Firewall" >> $LogFile
fi
if [ ! "$sshNewPort" -eq "22" ]
then
zenity --question --title "SSH Hardening - $TFCName $TFCVersion" --text "Close old SSH port 22 on UFW Firewall ?"
if [ "$?" -eq "0" ]
then
# close old port on UFW Firewall
sudo ufw deny port 22
echo "# Port 22 closed on UFW Firewall"
echo "$LogTime uss: [$UserName] Port 22 closed on UFW Firewall" >> $LogFile
fi
fi
zenity --question --title "SSH Hardening - $TFCName $TFCVersion" --text "Would you like to restart the SSH server now?"
if [ "$?" -eq "0" ]
then
# restart SSHd
sudo /etc/init.d/ssh restart
echo "# SSH server restarted"
echo "$LogTime uss: [$UserName] SSH server restarted" >> $LogFile
fi
fi
echo "20" ; sleep 0.1
# 4. Protect su by limiting access only to admin group
option=$(echo $selection | grep -c "Protect[[:space:]]su")
if [ "$option" -eq "1" ]
then
echo "# 4. Protect su by limiting access only to admin group"
echo "$LogTime uss: [$UserName] 4. Protect su by limiting access only to admin group" >> $LogFile
# Get new admin group name
newAdminGroup=$(zenity --entry --title "Protect su - $TFCName $TFCVersion" --text "Select name of new admin group?" --entry-text "admin")
# Check if new group already exists
echo "# Checking if Group: $newAdminGroup already exists"
echo "$LogTime uss: [$UserName] Checking if Group: $newAdminGroup already exists" >> $LogFile
groupCheck=$(grep -c -w "$newAdminGroup" /etc/group)
if [ ! "$groupCheck" -eq "0" ]
then
# group already exists
echo "# Group: $newAdminGroup already exists. Group not added"
echo "$LogTime uss: [$UserName] Group: $newAdminGroup already exists. Group not added" >> $LogFile
fi
if [ "$groupCheck" -eq "0" ]
then
# group does not exist create new group
echo "# Group: $newAdminGroup does not exist"
echo "$LogTime uss: [$UserName] Group: $newAdminGroup does not exist" >> $LogFile
sudo groupadd $newAdminGroup
echo "# Group: $newAdminGroup added"
echo "$LogTime uss: [$UserName] Group: $newAdminGroup added" >> $LogFile
fi
# Add current administrator user to new admin group
addAdminUser=$(zenity --entry --title "Protect su - $TFCName $TFCVersion" --text "Which current user should be added to the new admin group?" --entry-text "admin")
# Check if user is already part of the admin group
echo "# Checking if User: $addAdminUser is already part of the Group: $newAdminGroup"
echo "$LogTime uss: [$UserName] Checking if User: $addAdminUser is already part of the Group: $newAdminGroup" >> $LogFile
userCheck=$(groups $addAdminUser | grep -c -w "$newAdminGroup")
if [ ! "$userCheck" -eq "0" ]
then
# user is already part of the admin group
echo "# User: $addAdminUser is already part of the Group: $newAdminGroup. User not added"
echo "$LogTime uss: [$UserName] User: $addAdminUser is already part of the Group: $newAdminGroup. User not added" >> $LogFile
fi
if [ "$userCheck" -eq "0" ]
then
# user is not part of admin group and needs to be added
echo "# User: $addAdminUser is not part of the Group: $newAdminGroup, adding user to group"
echo "$LogTime uss: [$UserName] User: $addAdminUser is not part of the Group: $newAdminGroup, adding user to group" >> $LogFile
sudo usermod -a -G $newAdminGroup $addAdminUser
echo "# User: $addAdminUser added to the Group: $newAdminGroup"
echo "$LogTime uss: [$UserName] User: $addAdminUser added to the Group: $newAdminGroup" >> $LogFile
fi
# change su permission to limit access only to admin group
echo "# Checking if dpkg state override aleady exists"
echo "$LogTime uss: [$UserName] Checking if dpkg state override aleady exists" >> $LogFile
dpkgCheck=$(sudo dpkg-statoverride --list | grep -c "4750[[:space:]]/bin/su")
if [ ! "$dpkgCheck" -eq "0" ]
then
# dpkg state override already exists. do nothing
echo "# User: dpkg state override already exists. Override not set."
echo "$LogTime uss: [$UserName] dpkg state override already exists. Override not set." >> $LogFile
fi
if [ "$dpkgCheck" -eq "0" ]
then
echo "# Setting new dpkg state override"
echo "$LogTime uss: [$UserName] Setting new dpkg state override" >> $LogFile
sudo dpkg-statoverride --update --add root $newAdminGroup 4750 /bin/su
echo "# dpkg state override done. /bin/su only accessible by $newAdminGroup group members"
echo "$LogTime uss: [$UserName] dpkg state override done. /bin/su only accessible by $newAdminGroup group members" >> $LogFile
fi
fi
echo "25" ; sleep 0.1
# 5. Harden network with sysctl settings
option=$(echo $selection | grep -c "sysctl")
if [ "$option" -eq "1" ]
then
echo "# 5. Harden network with sysctl settings"
echo "$LogTime uss: [$UserName] 5. Harden network with sysctl settings" >> $LogFile
echo "# Updating sysctl network settings"
echo "$LogTime uss: [$UserName] Updating sysctl network settings" >> $LogFile
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.default.rp_filter entry exists comment out old entries" >> $LogFile
sysctlConfig1=$(grep -c "net.ipv4.conf.default.rp_filter" /etc/sysctl.conf)
if [ ! "$sysctlConfig1" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.default.rp_filter/#net.ipv4.conf.default.rp_filter/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.all.rp_filter entry exists comment out old entries" >> $LogFile
sysctlConfig2=$(grep -c "net.ipv4.conf.all.rp_filter" /etc/sysctl.conf)
if [ ! "$sysctlConfig2" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.all.rp_filter/#net.ipv4.conf.all.rp_filter/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.icmp_echo_ignore_broadcasts entry exists comment out old entries" >> $LogFile
sysctlConfig3=$(grep -c "net.ipv4.icmp_echo_ignore_broadcasts" /etc/sysctl.conf)
if [ ! "$sysctlConfig3" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.icmp_echo_ignore_broadcasts/#net.ipv4.icmp_echo_ignore_broadcasts/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.tcp_syncookies entry exists comment out old entries" >> $LogFile
sysctlConfig4=$(grep -c "net.ipv4.tcp_syncookies" /etc/sysctl.conf)
if [ ! "$sysctlConfig4" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.tcp_syncookies/#net.ipv4.tcp_syncookies/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.all.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig5=$(grep -c "net.ipv4.conf.all.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig5" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.all.accept_source_route/#net.ipv4.conf.all.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv6.conf.all.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig6=$(grep -c "net.ipv6.conf.all.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig6" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv6.conf.all.accept_source_route/#net.ipv6.conf.all.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.default.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig7=$(grep -c "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig7" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.default.accept_source_route/#net.ipv4.conf.default.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv6.conf.default.accept_source_route entry exists comment out old entries" >> $LogFile
sysctlConfig8=$(grep -c "net.ipv6.conf.default.accept_source_route" /etc/sysctl.conf)
if [ ! "$sysctlConfig8" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv6.conf.default.accept_source_route/#net.ipv6.conf.default.accept_source_route/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
# Check if sysctl entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if net.ipv4.conf.all.log_martians entry exists comment out old entries" >> $LogFile
sysctlConfig9=$(grep -c "net.ipv4.conf.all.log_martians" /etc/sysctl.conf)
if [ ! "$sysctlConfig9" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/net.ipv4.conf.all.log_martians/#net.ipv4.conf.all.log_martians/g' /etc/sysctl.conf > /tmp/.sysctl_config
sudo mv /etc/sysctl.conf /etc/sysctl.conf.backup
sudo mv /tmp/.sysctl_config /etc/sysctl.conf
fi
echo "# Write new sysctl configuration settings"
echo "$LogTime uss: [$UserName] Write new sysctl configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - sysctl settings $LogTime" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv6.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
sudo echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
echo "# sysctl settings update complete"
echo "$LogTime uss: [$UserName] sysctl settings update complete" >> $LogFile
zenity --question --title "Network hardening - $TFCName $TFCVersion" --text "Would you like restart sysctl with the new settings now?"
if [ "$?" -eq "0" ]
then
# reload sysctl
sudo sysctl -p
echo "# sysctl settings reloaded"
echo "$LogTime uss: [$UserName] sysctl settings reloaded" >> $LogFile
fi
fi
echo "30" ; sleep 0.1
# 6. Disable Open DNS Recursion - BIND DNS Server
option=$(echo $selection | grep -c "DNS")
if [ "$option" -eq "1" ]
then
echo "# 6. Disable Open DNS Recursion - BIND DNS Server"
echo "$LogTime uss: [$UserName] 6. Disable Open DNS Recursion - BIND DNS Server" >> $LogFile
# Make sure DNS recursion entry does not exist
echo "# Check if DNS recursion option exists"
echo "$LogTime uss: [$UserName] Check if DNS recursion option exists" >> $LogFile
dnsRecur=$(grep -c "recursion" /etc/bind/named.conf.options )
if [ ! "$dnsRecur" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# DNS recursion entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] DNS recursion entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/recursion/#recursion/g' /etc/bind/named.conf.options > /tmp/.named_config
sudo mv /etc/bind/named.conf.options /etc/bind/_named.conf.options.backup
sudo mv /tmp/.named_config /etc/bind/named.conf.options
fi
# add DNS recursion option setting
echo "# Add DNS recursion option setting"
echo "$LogTime uss: [$UserName] Add DNS recursion option setting" >> $LogFile
sudo sed 's/options[[:space:]]{/options { recursion no; # $TFCName Script /g' /etc/bind/named.conf.options > /tmp/.named_config
sudo mv /etc/bind/named.conf.options /etc/bind/_named.conf.options.backup
sudo mv /tmp/.named_config /etc/bind/named.conf.options
echo "# Restart bind9 DNS server"
echo "$LogTime uss: [$UserName] Restart bind9 DNS server" >> $LogFile
sudo /etc/init.d/bind9 restart
echo "# DNS server restarted"
echo "$LogTime uss: [$UserName] DNS server restarted" >> $LogFile
fi
echo "35" ; sleep 0.1
# 7. Prevent IP Spoofing
option=$(echo $selection | grep -c "Spoofing")
if [ "$option" -eq "1" ]
then
echo "# 7. Prevent IP Spoofing"
echo "$LogTime uss: [$UserName] 7. Prevent IP Spoofing" >> $LogFile
# Make sure IP Spoofing entry does not exist
echo "# Check if IP Spoofing option exists"
echo "$LogTime uss: [$UserName] Check if IP Spoofing option exists" >> $LogFile
ipSpoof=$(grep -c "nospoof" /etc/host.conf )
if [ ! "$ipSpoof" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# nospoof entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] nospoof entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/nospoof/#nospoof/g' /etc/host.conf > /tmp/.host_config
sudo mv /etc/host.conf /etc/host.conf.backup
sudo mv /tmp/.host_config /etc/host.conf
fi
# Make sure order entry does not exist
echo "# Check if order entry exists"
echo "$LogTime uss: [$UserName] Check if order option exists" >> $LogFile
orderOp=$(grep -c "order" /etc/host.conf )
if [ ! "$orderOp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# order entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] order entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/order/#order/g' /etc/host.conf > /tmp/.host_config
sudo mv /etc/host.conf /etc/host.conf.backup
sudo mv /tmp/.host_config /etc/host.conf
fi
# add new order and nospoof option settings
echo "# Write new host configuration settings"
echo "$LogTime uss: [$UserName] Write new host configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - IP nospoof settings $LogTime" >> /etc/host.conf
sudo echo "order bind,hosts" >> /etc/host.conf
sudo echo "nospoof on" >> /etc/host.conf
echo "# host configuration settings update complete"
echo "$LogTime uss: [$UserName] host configuration settings update complete" >> $LogFile
echo "# Restart bind9 DNS server"
echo "$LogTime uss: [$UserName] Restart bind9 DNS server" >> $LogFile
sudo /etc/init.d/bind9 restart
echo "# DNS server restarted"
echo "$LogTime uss: [$UserName] DNS server restarted" >> $LogFile
fi
echo "40" ; sleep 0.1
# 8. Harden PHP for security
option=$(echo $selection | grep -c "PHP")
if [ "$option" -eq "1" ]
then
echo "# 8. Harden PHP for security"
echo "$LogTime uss: [$UserName] 8. Harden PHP for security" >> $LogFile
# Make sure disable_functions entry does not exist
echo "# Check if disable_functions option exists"
echo "$LogTime uss: [$UserName] Check if disable_functions option exists" >> $LogFile
disPhp=$(grep -c "disable_functions" /etc/php5/apache2/php.ini )
if [ ! "$disPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# disable_functions entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] disable_functions entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/disable_functions/;disable_functions/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# Make sure register_globals entry does not exist
echo "# Check if register_globals entry exists"
echo "$LogTime uss: [$UserName] Check if register_globals option exists" >> $LogFile
gloPhp=$(grep -c "register_globals" /etc/php5/apache2/php.ini )
if [ ! "$gloPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# register_globals entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] register_globals entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/register_globals/;register_globals/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# Make sure expose_php entry does not exist
echo "# Check if register_globals entry exists"
echo "$LogTime uss: [$UserName] Check if register_globals option exists" >> $LogFile
expPhp=$(grep -c "expose_php" /etc/php5/apache2/php.ini )
if [ ! "$expPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# expose_php entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] expose_php entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/expose_php/;expose_php/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# Make sure magic_quotes_gpc entry does not exist
echo "# Check if magic_quotes_gpc entry exists"
echo "$LogTime uss: [$UserName] Check if magic_quotes_gpc option exists" >> $LogFile
expPhp=$(grep -c "magic_quotes_gpc" /etc/php5/apache2/php.ini )
if [ ! "$expPhp" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# magic_quotes_gpc entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] magic_quotes_gpc entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/magic_quotes_gpc/;magic_quotes_gpc/g' /etc/php5/apache2/php.ini > /tmp/.php_config
sudo mv /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.backup
sudo mv /tmp/.php_config /etc/php5/apache2/php.ini
fi
# add new PHP configuration option settings
echo "# Write new PHP configuration settings"
echo "$LogTime uss: [$UserName] Write new PHP configuration settings" >> $LogFile
sudo echo "; $TFCName Script Entry - PHP security settings settings $LogTime" >> /etc/php5/apache2/php.ini
sudo echo "disable_functions = exec,system,shell_exec,passthru" >> /etc/php5/apache2/php.ini
sudo echo "register_globals = Off" >> /etc/php5/apache2/php.ini
sudo echo "expose_php = Off" >> /etc/php5/apache2/php.ini
sudo echo "magic_quotes_gpc = On" >> /etc/php5/apache2/php.ini
echo "# PHP configuration settings update complete"
echo "$LogTime uss: [$UserName] PHP configuration settings update complete" >> $LogFile
# Ask to restart Apache2
zenity --question --title "PHP Security - $TFCName $TFCVersion" --text "Would you like restart Apache2 with the new settings now?"
if [ "$?" -eq "0" ]
then
# restart apache2
echo "# Restart Apache2 server"
echo "$LogTime uss: [$UserName] Restart Apache2 server" >> $LogFile
sudo /etc/init.d/apache2 restart
echo "# Apache2 restarted"
echo "$LogTime uss: [$UserName] Apache2 restarted" >> $LogFile
fi
fi
echo "45" ; sleep 0.1
# 9. Install ModSecurity
option=$(echo $selection | grep -c "ModSecurity")
if [ "$option" -eq "1" ]
then
echo "# 9. Install ModSecurity"
echo "$LogTime uss: [$UserName] 9. Install ModSecurity" >> $LogFile
# install dependencies
echo "# Install dependencies libxml2 libxml2-dev libxml2-utils elinks"
echo "$LogTime uss: [$UserName] Install dependencies libxml2 libxml2-dev libxml2-utils" >> $LogFile
sudo apt-get install -y libxml2 libxml2-dev libxml2-utils 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libxml2 libxml2-dev libxml2-utils" --auto-close
echo "# Install dependencies libaprutil1 libaprutil1-dev"
echo "$LogTime uss: [$UserName] Install dependencies libaprutil1 libaprutil1-dev" >> $LogFile
sudo apt-get -y install libaprutil1 libaprutil1-dev 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libaprutil1 libaprutil1-dev" --auto-close
echo "# create symbolic link for 64bit users to libxml2.so.2"
echo "$LogTime uss: [$UserName] create symbolic link for 64bit users to libxml2.so.2" >> $LogFile
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
# Install ModSecurity
echo "# Install Apache ModSecurity"
echo "$LogTime uss: [$UserName] Install Apache ModSecurity" >> $LogFile
sudo apt-get install -y libapache-mod-security 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libaprutil1 libaprutil1-dev" --auto-close
# Activate default configuration file
echo "# Activate Apache ModSecurity recommended rules"
echo "$LogTime uss: [$UserName] Activate Apache Mod Security" >> $LogFile
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# Edit modsecurity.conf and change the SecRequestBody Limits as the default 128KB is too low
RecLimit=$(zenity --entry --text "Select the page request body limit (SecRequestBodyLimit)? Default is 128KB and is very low. Value in bytes:" --title "ModSecurity Configuration - $TFCName $TFCVersion" --entry-text "131072")
echo "# Updating ModSecurity settings"
echo "$LogTime uss: [$UserName] Updating ModSecurity settings" >> $LogFile
# Check if SecRequestBodyLimit entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if SecRequestBodyLimit entry exists comment out old entries" >> $LogFile
modsecSecReq=$(grep -c "SecRequestBodyLimit" /etc/modsecurity/modsecurity.conf)
if [ ! "$modsecSecReq" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/SecRequestBodyLimit/#SecRequestBodyLimit/g' /etc/modsecurity/modsecurity.conf > /tmp/.modsec_config
sudo mv /etc/modsecurity/modsecurity.conf /etc/modsecurity/modsecurity.conf.backup
sudo mv /tmp/.modsec_config /etc/modsecurity/modsecurity.conf
fi
# Check if SecRequestBodyInMemoryLimit entry exists comment out old entries
echo "$LogTime uss: [$UserName] Check if SecRequestBodyInMemoryLimit entry exists comment out old entries" >> $LogFile
modsecSecReqMem=$(grep -c "SecRequestBodyInMemoryLimit" /etc/modsecurity/modsecurity.conf)
if [ ! "$modsecSecReqMem" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
sudo sed 's/SecRequestBodyInMemoryLimit/#SecRequestBodyInMemoryLimit/g' /etc/modsecurity/modsecurity.conf > /tmp/.modsec_config
sudo mv /etc/modsecurity/modsecurity.conf /etc/modsecurity/modsecurity.conf.backup
sudo mv /tmp/.modsec_config /etc/modsecurity/modsecurity.conf
fi
echo "# Write new ModSecurity configuration settings"
echo "$LogTime uss: [$UserName] Write new ModSecurity configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - ModSecurity settings $LogTime" >> /etc/modsecurity/modsecurity.conf
sudo echo "SecRequestBodyLimit $RecLimit" >> /etc/modsecurity/modsecurity.conf
sudo echo "SecRequestBodyInMemoryLimit $RecLimit" >> /etc/modsecurity/modsecurity.conf
echo "# ModSecurity settings update complete"
echo "$LogTime uss: [$UserName] ModSecurity settings update complete" >> $LogFile
# Download latest OWASP Core Rule Set
echo "# Download latest OWASP Core Rule Set"
echo "$LogTime uss: [$UserName] Download latest OWASP Core Rule Set for SourceForge" >> $LogFile
sourceforgeUrl="http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/"
modesecurityFilePattern="modsecurity-crs_2.*"
# Read sourceforge webpage with elinks and find the latest version filename
crsFilename=$(elinks $sourceforgeUrl | grep -o -w --max-count=1 "$modesecurityFilePattern.tar.gz")
# Create a tmp install folder
sudo mkdir /tmp/modsecurity-crs
cd /tmp/modsecurity-crs
# Download the latest crs from sourceforge
echo "# Downloading Core Rule Set: $crsFilename from SourceForge"
echo "$LogTime uss: [$UserName] Downloading Core Rule Set: $crsFilename from SourceForge" >> $LogFile
# Download and show progress and download speed with zenity
sudo wget $sourceforgeUrl$crsFilename 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Downloading $crsFilename" --auto-close
# UnTar and install crs rules
sudo tar -zxvf $crsFilename
sudo cp -R $modesecurityFilePattern/* /etc/modsecurity/
# Delete tmp install folder
cd /tmp
sudo rm -R /tmp/modsecurity-crs
# Activate the default crs ruleset
sudo mv /etc/modsecurity/modsecurity_crs_10_config.conf.example /etc/modsecurity/modsecurity_crs_10_config.conf
# Enable ModSecurity in Apache2
sudo a2enmod mod-security
echo "# Apache2 ModSecurity installation complete"
echo "$LogTime uss: [$UserName] Apache2 ModSecurity installation complete" >> $LogFile
# Ask to restart Apache2
zenity --question --title "Apache2 ModSecurity - $TFCName $TFCVersion" --text "Would you like restart Apache2 with ModSecurity?"
if [ "$?" -eq "0" ]
then
# restart apache2
echo "# Restart Apache2 with ModSecurity"
echo "$LogTime uss: [$UserName] Restart Apache2 with ModSecurity" >> $LogFile
sudo /etc/init.d/apache2 restart
echo "# Apache2 restarted"
echo "$LogTime uss: [$UserName] Apache2 restarted with ModSecurity" >> $LogFile
# Output the Apache2 error.log file entries for ModSecurity to check status after install in zenity info box
sudo grep "ModSecurity" /var/log/apache2/error.log | zenity --title "Apache2 ModSecurity Status - $TFCName $TFCVersion" --text-info --width 800 --height 400
fi
fi
echo "50" ; sleep 0.1
# 10. Protect from DDOS (Denial of Service) attacks - ModEvasive
option=$(echo $selection | grep -c "ModEvasive")
if [ "$option" -eq "1" ]
then
echo "# 10. Protect from DDOS (Denial of Service) attacks - ModEvasive"
echo "$LogTime uss: [$UserName] 10. Protect from DDOS (Denial of Service) attacks - ModEvasive" >> $LogFile
# Install ModEvasive
echo "# Install Apache ModEvasive"
echo "$LogTime uss: [$UserName] Install Apache ModEvasive" >> $LogFile
sudo apt-get install -y libapache2-mod-evasive 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing libapache2-mod-evasive" --auto-close
# Create log file for ModEvasive
sudo mkdir /var/log/mod_evasive
# Change the log folder permissions
sudo chown www-data:www-data /var/log/mod_evasive/
# Enter Email address to receive notifications from ModEvasive
echo "# Enter Email address to receive notifications from ModEvasive"
echo "$LogTime uss: [$UserName] Enter Email address to receive notifications from ModEvasive" >> $LogFile
modEvaEmail=$(zenity --entry --text "Enter the email for ModEvasive notifications" --title "Apache2 ModEvasive - $TFCName $TFCVersion" --entry-text "email@domain.com")
# Check for previous ModEvasive configuration file
if [ -f /etc/apache2/mods-available/mod-evasive.conf ]
then
echo "# Backup previous ModEvasive configuration file"
echo "$LogTime uss: [$UserName] # Backup previous ModEvasive configuration file" >> $LogFile
sudo mv /etc/apache2/mods-available/mod-evasive.conf /etc/apache2/mods-available/mod-evasive.conf.backup
fi
# Writing New Configuration file for ModEvasive
echo "# Writing New Configuration file for ModEvasive"
echo "$LogTime uss: [$UserName] Writing New Configuration file for ModEvasive" >> $LogFile
# Create Config file
sudo echo "# $TFCName Script Entry - Apache2 ModEvasive Configuration $LogTime" > /etc/apache2/mods-available/mod-evasive.conf
sudo echo "
sudo echo " DOSHashTableSize 3097" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSPageCount 2" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSSiteCount 50" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSPageInterval 1" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSSiteInterval 1" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSBlockingPeriod 10" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSLogDir /var/log/mod_evasive" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSEmailNotify $modEvaEmail" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo " DOSWhitelist 127.0.0.1" >> /etc/apache2/mods-available/mod-evasive.conf
sudo echo "
" >> /etc/apache2/mods-available/mod-evasive.conf # Enable ModEvasive in Apache2
sudo a2enmod mod-evasive
echo "# Apache2 ModEvasive installation complete"
echo "$LogTime uss: [$UserName] Apache2 ModEvasive installation complete" >> $LogFile
# Ask to restart Apache2
zenity --question --title "Apache2 ModEvasive - $TFCName $TFCVersion" --text "Would you like restart Apache2 with ModEvasive?"
if [ "$?" -eq "0" ]
then
# restart apache2
echo "# Restart Apache2 with ModSecurity"
echo "$LogTime uss: [$UserName] Restart Apache2 with ModEvasive" >> $LogFile
sudo /etc/init.d/apache2 restart
echo "# Apache2 restarted"
echo "$LogTime uss: [$UserName] Apache2 restarted with ModEvasive" >> $LogFile
fi
fi
echo "55" ; sleep 0.1
# 11. Scan logs and ban suspicious hosts - DenyHosts
option=$(echo $selection | grep -c "DenyHosts")
if [ "$option" -eq "1" ]
then
echo "# 11. Scan logs and ban suspicious hosts - DenyHosts"
echo "$LogTime uss: [$UserName] 11. Scan logs and ban suspicious hosts - DenyHosts" >> $LogFile
echo "# Check if Denyhosts is installed..."
echo "$LogTime uss: [$UserName] Check if Denyhosts is installed..." >> $LogFile
if [ -f /usr/sbin/denyhosts ]
then
# RKHunter already installed
echo "# Denyhosts is already installed"
echo "$LogTime uss: [$UserName] Denyhosts is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/denyhosts ]
then
# Install DenyHosts
echo "# Install DenyHosts"
echo "$LogTime uss: [$UserName] Install DenyHosts" >> $LogFile
sudo apt-get install -y denyhosts 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing DenyHosts" --auto-close
fi
# Enter Email address to receive notifications from DenyHosts
echo "# Enter Email address to receive notifications from DenyHosts"
echo "$LogTime uss: [$UserName] Enter Email address to receive notifications from DenyHosts" >> $LogFile
denyhostEmail=$(zenity --entry --text "Enter the email for DenyHosts notifications" --title "DenyHosts - $TFCName $TFCVersion" --entry-text "root@localhost")
denyhostFrom=$(zenity --entry --text "Enter the email from field for DenyHosts notifications" --title "DenyHosts - $TFCName $TFCVersion" --entry-text "DenyHosts
# Make sure ADMIN_EMAIL entry does not exist
echo "# Check if ADMIN_EMAIL option exists"
echo "$LogTime uss: [$UserName] Check if ADMIN_EMAIL option exists" >> $LogFile
adminEmail=$(grep -c "ADMIN_EMAIL" /etc/denyhosts.conf )
if [ ! "$adminEmail" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# ADMIN_EMAIL entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] ADMIN_EMAIL entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/ADMIN_EMAIL/#ADMIN_EMAIL/g' /etc/denyhosts.conf > /tmp/.denyhosts_config
sudo mv /etc/denyhosts.conf /etc/denyhosts.conf.backup
sudo mv /tmp/.denyhosts_config /etc/denyhosts.conf
fi
# Make sure order entry does not exist
echo "# Check if SMTP_FROM entry exists"
echo "$LogTime uss: [$UserName] Check if SMTP_FROM option exists" >> $LogFile
smtpFrom=$(grep -c "SMTP_FROM" /etc/denyhosts.conf )
if [ ! "$smtpFrom" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# SMTP_FROM entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] SMTP_FROM entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/SMTP_FROM/#SMTP_FROM/g' /etc/denyhosts.conf > /tmp/.denyhosts_config
sudo mv /etc/denyhosts.conf /etc/denyhosts.conf.backup
sudo mv /tmp/.denyhosts_config /etc/denyhosts.conf
fi
# write new DenyHosts settings
echo "# Write new DenyHosts configuration settings"
echo "$LogTime uss: [$UserName] Write new DenyHosts configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - DenyHosts settings $LogTime" >> /etc/denyhosts.conf
sudo echo "ADMIN_EMAIL = $denyhostEmail" >> /etc/denyhosts.conf
sudo echo "SMTP_FROM = $denyhostFrom" >> /etc/denyhosts.conf
echo "# DenyHosts configuration settings update complete"
echo "$LogTime uss: [$UserName] DenyHosts configuration settings update complete" >> $LogFile
echo "# Restart DenyHosts service"
echo "$LogTime uss: [$UserName] Restart DenyHosts service" >> $LogFile
sudo /etc/init.d/denyhosts restart
echo "# DenyHosts service restarted"
echo "$LogTime uss: [$UserName] DenyHosts service restarted" >> $LogFile
fi
echo "60" ; sleep 0.1
# 12. Intrusion Detection - PSAD
option=$(echo $selection | grep -c "PSAD")
if [ "$option" -eq "1" ]
then
echo "# 12. Intrusion Detection - PSAD"
echo "$LogTime uss: [$UserName] 12. Intrusion Detection - PSAD" >> $LogFile
echo "# Check if PSAD is installed..."
echo "$LogTime uss: [$UserName] Check if PSAD is installed..." >> $LogFile
if [ -f /usr/sbin/psad ]
then
# PSAD already installed
echo "# PSAD is already installed"
echo "$LogTime uss: [$UserName] PSAD is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/psad ]
then
# Install PSAD
echo "# Install PSAD"
echo "$LogTime uss: [$UserName] Install PSAD" >> $LogFile
sudo apt-get install -y psad 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing PSAD" --auto-close
fi
# Enter Email address to receive notifications from PSAD
echo "# Enter Email address to receive notifications from PSAD"
echo "$LogTime uss: [$UserName] Enter Email address to receive notifications from PSAD" >> $LogFile
psadEmail=$(zenity --entry --text "Enter the email for PSAD notifications" --title "PSAD - $TFCName $TFCVersion" --entry-text "root@localhost")
# Make sure EMAIL_ADDRESSES entry does not exist
echo "# Check if EMAIL_ADDRESSES option exists"
echo "$LogTime uss: [$UserName] Check if EMAIL_ADDRESSES option exists" >> $LogFile
psadAdminEmail=$(grep -c "EMAIL_ADDRESSES" /etc/psad/psad.conf )
if [ ! "$psadAdminEmail" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# EMAIL_ADDRESSES entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] EMAIL_ADDRESSES entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/EMAIL_ADDRESSES/#EMAIL_ADDRESSES/g' /etc/psad/psad.conf > /tmp/.psad_config
sudo mv /etc/psad/psad.conf /etc/psad/psad.conf.backup
sudo mv /tmp/.psad_config /etc/psad/psad.conf
fi
# Make sure ENABLE_AUTO_IDS entry does not exist
echo "# Check if ENABLE_AUTO_IDS entry exists"
echo "$LogTime uss: [$UserName] Check if ENABLE_AUTO_IDS option exists" >> $LogFile
psadIdsEmail=$(grep -c "ENABLE_AUTO_IDS_EMAILS" /etc/psad/psad.conf )
if [ ! "$psadIdsEmail" -eq "0" ]
then
# if entry exists use sed to search and replace - write to tmp file - move to original
echo "# ENABLE_AUTO_IDS entry exists. Commenting out old entries"
echo "$LogTime uss: [$UserName] ENABLE_AUTO_IDS entry exists. Commenting out old entries" >> $LogFile
sudo sed 's/ENABLE_AUTO_IDS_EMAILS/#ENABLE_AUTO_IDS_EMAILS/g' /etc/psad/psad.conf > /tmp/.psad_config
sudo mv /etc/psad/psad.conf /etc/psad/psad.conf.backup
sudo mv /tmp/.psad_config /etc/psad/psad.conf
fi
# write new PSAD settings
echo "# Write new PSAD configuration settings"
echo "$LogTime uss: [$UserName] Write new PSAD configuration settings" >> $LogFile
sudo echo "# $TFCName Script Entry - DenyHosts settings $LogTime" >> /etc/psad/psad.conf
sudo echo "EMAIL_ADDRESSES $psadEmail;" >> /etc/psad/psad.conf
sudo echo "ENABLE_AUTO_IDS_EMAILS Y;" >> /etc/psad/psad.conf
echo "# PSAD configuration settings update complete"
echo "$LogTime uss: [$UserName] PSAD configuration settings update complete" >> $LogFile
echo "# Update iptables to add log rules for PSAD"
echo "$LogTime uss: [$UserName] Update iptables to add log rules for PSAD" >> $LogFile
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG
echo "# Update and Restart PSAD service"
echo "$LogTime uss: [$UserName] Update and Restart PSAD service" >> $LogFile
sudo psad -R
sudo psad --sig-update
sudo psad -H
echo "# PSAD service updated and restarted"
echo "$LogTime uss: [$UserName] PSAD service updated restarted" >> $LogFile
fi
echo "65" ; sleep 0.1
# 13. Check for rootkits - RKHunter
option=$(echo $selection | grep -c "RKHunter")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 13. Check for rootkits - RKHunter" >> $LogFile
echo "# 13. Check for rootkits - RKHunter"
echo "# Check if RKHunter is installed..."
echo "$LogTime uss: [$UserName] Check if RKHunter is installed..." >> $LogFile
if [ -f /usr/bin/rkhunter ]
then
# RKHunter already installed
echo "# RKHunter is already installed"
echo "$LogTime uss: [$UserName] RKHunter is already installed" >> $LogFile
fi
if [ ! -f /usr/bin/rkhunter ]
then
# Install RKHunter
echo "# RKHunter NOT installed, installing..."
echo "$LogTime uss: [$UserName] RKHunter NOT installed, installing..." >> $LogFile
sudo apt-get install -y rkhunter 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing RKHunter" --auto-close
fi
# Update RKHunter
echo "# Updating RKHunter"
echo "$LogTime uss: [$UserName] Updating RKHunter" >> $LogFile
sudo rkhunter --update 2>&1 | zenity --progress --title="RKHunter - $TFCName $TFCVersion" --text="Downloading updates..." --width 400 --auto-close --percentage=33
sudo rkhunter --propupd 2>&1 | zenity --progress --title="RKHunter - $TFCName $TFCVersion" --text="Updating properties..." --width 400 --auto-close --percentage=85
echo "# RKHunter installed and updated"
echo "$LogTime uss: [$UserName] RKHunter installed and updated" >> $LogFile
# Ask to run RKHunter scan now
zenity --question --title "RKHunter - $TFCName $TFCVersion" --text "Would you like to run a RKHunter check now?"
if [ "$?" -eq "0" ]
then
# Run RKHunter check
echo "# Running RKHunter check"
echo "$LogTime uss: [$UserName] Running RKHunter check" >> $LogFile
# Run RKHunter check and output to Zenity
sudo rkhunter --check --nocolors --skip-keypress 2>&1 | zenity --text-info --title "RKHunter - $TFCName $TFCVersion" --width 600 --height 400
echo "# RKHunter check done"
echo "$LogTime uss: [$UserName] RKHunter check done" >> $LogFile
fi
fi
echo "70" ; sleep 0.1
# 14. Scan open ports - Nmap
option=$(echo $selection | grep -c "Nmap")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 14. Scan open ports - Nmap" >> $LogFile
echo "# 14. Scan open ports - Nmap"
echo "# Check if Nmap is installed..."
echo "$LogTime uss: [$UserName] Check if Nmap is installed..." >> $LogFile
if [ -f /usr/bin/nmap ]
then
# Nmap already installed
echo "# Nmap is already installed"
echo "$LogTime uss: [$UserName] Nmap is already installed" >> $LogFile
fi
if [ ! -f /usr/bin/nmap ]
then
# Install Nmap
echo "# Nmap NOT installed, installing..."
echo "$LogTime uss: [$UserName] Nmap NOT installed, installing..." >> $LogFile
sudo apt-get install -y nmap 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing Nmap" --auto-close
fi
echo "# Nmap installed"
echo "$LogTime uss: [$UserName] Nmap installed" >> $LogFile
# Ask to run Nmap scan now
zenity --question --title "Nmap - $TFCName $TFCVersion" --text "Would you like to run a Nmap port scan of the localhost now?"
if [ "$?" -eq "0" ]
then
# Run Nmap check
echo "# Running Nmap localhost scan"
echo "$LogTime uss: [$UserName] Running Nmap locahost scan" >> $LogFile
# Run Nmap check and output to Zenity
sudo nmap -v -sT -A localhost 2>&1 | zenity --text-info --title "Nmap Localhost Scan - $TFCName $TFCVersion" --width 800 --height 500
echo "# Nmap check done"
echo "$LogTime uss: [$UserName] Nmap check done" >> $LogFile
fi
fi
echo "75" ; sleep 0.1
# 15. Analyse system LOG files - LogWatch
option=$(echo $selection | grep -c "LogWatch")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 15. Analyse system LOG files - LogWatch" >> $LogFile
echo "# 15. Analyse system LOG files - LogWatch"
echo "# Check if LogWatch is installed..."
echo "$LogTime uss: [$UserName] Check if LogWatch is installed..." >> $LogFile
if [ -f /usr/sbin/logwatch ]
then
# LogWatch already installed
echo "# LogWatch is already installed"
echo "$LogTime uss: [$UserName] LogWatch is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/logwatch ]
then
# Install LogWatch
echo "# LogWatch NOT installed, installing..."
echo "$LogTime uss: [$UserName] LogWatch NOT installed, installing..." >> $LogFile
sudo apt-get install -y logwatch libdate-manip-perl 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing LogWatch" --auto-close
fi
echo "# LogWatch installed"
echo "$LogTime uss: [$UserName] LogWatch installed" >> $LogFile
# Ask to run LogWatch scan now
zenity --question --title "Nmap - $TFCName $TFCVersion" --text "Would you like to run a LogWatch for the past day now?"
if [ "$?" -eq "0" ]
then
# Run LogWatch check
echo "# Running LogWatch scan"
echo "$LogTime uss: [$UserName] Running LogWatch scan" >> $LogFile
# Run LogWatch check and output to Zenity
sudo logwatch | less | zenity --text-info --title "LogWatch Report - $TFCName $TFCVersion" --width 800 --height 500
echo "# LogWatch scan done"
echo "$LogTime uss: [$UserName] LogWatch scan done" >> $LogFile
fi
fi
echo "80" ; sleep 0.1
# 16. SELinux - Apparmor
option=$(echo $selection | grep -c "Apparmor")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 16. SELinux - Apparmor" >> $LogFile
echo "# 16. SELinux - Apparmor"
echo "# Check if Apparmor is installed..."
echo "$LogTime uss: [$UserName] Check if Apparmor is installed..." >> $LogFile
if [ -f /usr/sbin/apparmor_status ]
then
# Apparmor already installed
echo "# Apparmor is already installed"
echo "$LogTime uss: [$UserName] Apparmor is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/apparmor_status ]
then
# Install Apparmor
echo "# Apparmor NOT installed, installing..."
echo "$LogTime uss: [$UserName] Apparmor NOT installed, installing..." >> $LogFile
sudo apt-get install -y apparmor apparmor-profiles 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing Apparmor" --auto-close
fi
echo "# Apparmor installed"
echo "$LogTime uss: [$UserName] Apparmor installed" >> $LogFile
# Ask to run Apparmor status check now
zenity --question --title "Apparmor - $TFCName $TFCVersion" --text "Would you like to check the Apparmor status now?"
if [ "$?" -eq "0" ]
then
# Run Apparmor check
echo "# Check Apparmor status"
echo "$LogTime uss: [$UserName] Check Apparmor status" >> $LogFile
# Run Apparmor status check and output to Zenity
sudo apparmor_status 2>&1 | zenity --text-info --title "Apparmor status check - $TFCName $TFCVersion" --width 600 --height 400
echo "# Apparmor status check done"
echo "$LogTime uss: [$UserName] Apparmor status check done" >> $LogFile
fi
fi
echo "85" ; sleep 0.1
# 17. Audit your system security - Tiger
option=$(echo $selection | grep -c "Tiger")
if [ "$option" -eq "1" ]
then
echo "$LogTime uss: [$UserName] 17. Audit your system security - Tiger" >> $LogFile
echo "# 17. Audit your system security - Tiger"
echo "# Check if Tiger is installed..."
echo "$LogTime uss: [$UserName] Check if Tiger is installed..." >> $LogFile
if [ -f /usr/sbin/tiger ]
then
# Tiger already installed
echo "# Tiger is already installed"
echo "$LogTime uss: [$UserName] Tiger is already installed" >> $LogFile
fi
if [ ! -f /usr/sbin/tiger ]
then
# Install Tiger
echo "# Tiger NOT installed, installing..."
echo "$LogTime uss: [$UserName] Tiger NOT installed, installing..." >> $LogFile
sudo apt-get install -y tiger 2>&1 | sed -u 's/.* \([0-9]\+%\)\ \+\([0-9.]\+.\) \(.*\)/\1\n# Downloading at \2\/s, ETA \3/' | zenity --progress --title="Downloading File..." --text="Installing Tiger" --auto-close
fi
echo "# Tiger installed"
echo "$LogTime uss: [$UserName] Tiger installed" >> $LogFile
# Ask to run Tiger audit now
zenity --question --title "Tiger - $TFCName $TFCVersion" --text "Would you like to run a Tiger system audit now?"
if [ "$?" -eq "0" ]
then
# Run Tiger audit
echo "# Run Tiger system audit"
echo "$LogTime uss: [$UserName] Run Tiger system audit" >> $LogFile
# Tiger system audit and output to Zenity
sudo tiger -e 2>&1 | zenity --text-info --title "Tiger system audit - $TFCName $TFCVersion" --width 800 --height 500
echo "# Tiger system audit done"
echo "$LogTime uss: [$UserName] Tiger system audit done" >> $LogFile
fi
fi
echo "100" ; sleep 0.1
echo "# Installation Complete" ; sleep 0.1
# End of Zenity Progress code
) |
zenity --progress \
--title="$TFCName $TFCVersion" \
--text="Configuring security features..." \
--width 500 \
--percentage=0
if [ "$?" = -1 ] ; then
zenity --error \
--text="Installation canceled."
fi
exit;
fi
exit;
No comments:
Post a Comment