#Please check a script regarding Linux Hardening, it may help you to configure your system<\/p>\n
#######################################################
\n#!\/bin\/bash<\/p>\n
#####LInux Hardening Script#####<\/p>\n
#######################################################<\/p>\n
# #<\/p>\n
# Files involved in this script are as follow: #<\/p>\n
# \/etc\/ssh\/ssh_config #<\/p>\n
# \/etc\/init.d\/functions #<\/p>\n
# \/boot\/grub\/grub.conf #<\/p>\n
# \/etc\/vsftpd\/ftpusers #<\/p>\n
# \/etc\/securetty #<\/p>\n
# \/etc\/issue #<\/p>\n
# \/etc\/motd #<\/p>\n
# \/etc\/passwd #<\/p>\n
# \/etc\/ssh\/sshd_config #<\/p>\n
#######################################################<\/p>\n
HOSTNAME=`hostname`<\/p>\n
HARD_LOG=”\/var\/log\/`hostname`_hard_log”<\/p>\n
echo “HOSTNAME:”$HOSTNAME >>${HARD_LOG}<\/p>\n
date ‘+DATE: %m\/%d\/%y%nTIME:%H:%M:%S’ >>${HARD_LOG}<\/p>\n
echo -n “Please Enter Your Name: ”<\/p>\n
read NAME<\/p>\n
echo “Unix Administrator:” $NAME >>${HARD_LOG}<\/p>\n
echo “Please Enter Project Name: ”<\/p>\n
read PROJECT<\/p>\n
echo “Project Name:” $PROJECT >>${HARD_LOG}<\/p>\n
echo “Please Enter the name of Owner\/SPOC for the server: ”<\/p>\n
read OWNER<\/p>\n
echo “Owner\/SPOC:” $OWNER >>${HARD_LOG}<\/p>\n
echo “Please wait…..Hardening is in progess”<\/p>\n
echo ” Creating Directory Called \/etc\/BackupSystemFiles for Backup of critical files and files copying are in progress” >> ${HARD_LOG}<\/p>\n
mkdir \/etc\/BackupSystemFiles<\/p>\n
cd \/<\/p>\n
tar -cvf \/etc\/BackupSystemFiles\/etc.tar etc &>\/dev\/null<\/p>\n
sleep 10<\/p>\n
echo “Files have been copied to \/etc\/BackupSystemFiles ” >>${HARD_LOG}<\/p>\n
echo “\/etc\/passwd,\/etc\/securetty,\/etc\/vsftpd\/ftpusers,\/boot\/grub\/grub.conf,\/etc\/init.d\/functions,\/etc\/ssh\/ssh_config & \/etc\/ssh\/sshd_config files will be modified during the script execution” >>${HARD_LOG}<\/p>\n
######Banner#####<\/p>\n
echo “Updating the banner in \/etc\/issue.net file” >> ${HARD_LOG}<\/p>\n
echo “********************************************************************************” >\/etc\/issue.net<\/p>\n
echo “* *”>>\/etc\/issue.net<\/p>\n
echo “* ATTENTION! PLEASE READ CAREFULLY. *”>>\/etc\/issue.net<\/p>\n
echo “* *”>>\/etc\/issue.net<\/p>\n
echo “* This system is the property of xyz. It is for authorized use only. *”>>\/etc\/issue.net<\/p>\n
echo “* Users (authorized and unauthorized) have no explicit or implicit expectation *”>>\/etc\/issue.net<\/p>\n
echo “* of privacy. Any or all uses of this system and all files on the this system *”>>\/etc\/issue.net<\/p>\n
echo “* will be intercepted, monitored, recorded, copied, audited, inspected, and *”>>\/etc\/issue.net<\/p>\n
echo “* disclosed to xyz management, and law enforcement personnel as *”>>\/etc\/issue.net<\/p>\n
echo “* well as other authorized agencies. By using this system, the user consents *”>>\/etc\/issue.net<\/p>\n
echo “* to such interception,monitoring, recording, copying, auditing, inspection, *”>>\/etc\/issue.net<\/p>\n
echo “* and disclosure at the discretion of xyz. Unauthorized or improper *”>>\/etc\/issue.net<\/p>\n
echo “* use of this system may result in administrative disciplinary action and civil*”>>\/etc\/issue.net<\/p>\n
echo “* and criminal penalties. By continuing to use this system you indicate the *”>>\/etc\/issue.net<\/p>\n
echo “* awareness of and consent to these terms and conditions of use. LOG OFF *”>>\/etc\/issue.net<\/p>\n
echo “* IMMEDIATELY if you do not agree to the terms and conditions stated in this *”>>\/etc\/issue.net<\/p>\n
echo “* warning. *”>>\/etc\/issue.net<\/p>\n
echo “* *”>>\/etc\/issue.net<\/p>\n
echo “********************************************************************************”>>\/etc\/issue.net<\/p>\n
#######motd#######<\/p>\n
echo “Updating the banner in \/etc\/motd file” >> ${HARD_LOG}<\/p>\n
echo “********************************************************************************” >\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* ATTENTION! PLEASE READ CAREFULLY. *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* This system is the property of xyz. It is for authorized use only. *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* Users (authorized and unauthorized) have no explicit or implicit expectation *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* of privacy. Any or all uses of this system and all files on the this system *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* will be intercepted, monitored, recorded, copied, audited, inspected, and *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* disclosed to xyz, and law enforcement personnel as *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* well as other authorized agencies. By using this system, the user consents *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* to such interception,monitoring, recording, copying, auditing, inspection, *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* and disclosure at the discretion of xyz. Unauthorized or improper *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* use of this system may result in administrative disciplinary action and civil*”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* and criminal penalties. By continuing to use this system you indicate the *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* awareness of and consent to these terms and conditions of use. LOG OFF *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* IMMEDIATELY if you do not agree to the terms and conditions stated in this *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* warning. *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “* *”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “********************************************************************************”>>\/etc\/motd>> ${HARD_LOG}<\/p>\n
echo “Above Banner is updated in the System ” >> ${HARD_LOG}<\/p>\n
######Set Password Expiry Time for users#########<\/p>\n
echo “Setting Password Expiry Time for users …” >> ${HARD_LOG}<\/p>\n
cd \/etc\/<\/p>\n
cp login.defs \/etc\/BackupSystemFiles\/login.defs.prehard<\/p>\n
sed -e ‘s\/99999\/30\/g’ login.defs > login.defs1<\/p>\n
cp login.defs login.defs.before<\/p>\n
mv login.defs1 login.defs<\/p>\n
sed -e ‘s\/PASS_MIN_LEN 5\/PASS_MIN_LEN 8\/g’ login.defs > login.defs1<\/p>\n
cp login.defs login.defs.before<\/p>\n
mv login.defs1 login.defs<\/p>\n
echo “********************************************************************************”>> ${HARD_LOG}<\/p>\n
#####ssh configuration######<\/p>\n
echo “Configuring SSH service” >>${HARD_LOG}<\/p>\n
cd \/etc\/ssh<\/p>\n
cp -p ssh_config \/etc\/BackupSystemFiles\/ssh_config.prehard<\/p>\n
cp -p sshd_config \/etc\/BackupSystemFiles\/sshd_config.prehard<\/p>\n
sed -e ‘s\/#PermitRootLogin yes\/PermitRootLogin no\/g’ sshd_config >>sshd_config1<\/p>\n
cp -p sshd_config sshd_config.before<\/p>\n
mv sshd_config1 sshd_config<\/p>\n
sed -e ‘s\/#HostbasedAuthentication no\/HostbasedAuthentication no\/g’ sshd_config >>sshd_config1<\/p>\n
cp -p sshd_config sshd_config.before<\/p>\n
mv sshd_config1 sshd_config<\/p>\n
sed -e ‘s\/#RhostsRSAAuthentication no\/RhostsRSAAuthentication no\/g’ sshd_config >>sshd_config1<\/p>\n
cp -p sshd_config sshd_config.before<\/p>\n
mv sshd_config1 sshd_config<\/p>\n
sed -e ‘s\/#IgnoreRhosts yes\/IgnoreRhosts yes\/g’ sshd_config >>sshd_config1<\/p>\n
cp -p sshd_config sshd_config.before<\/p>\n
mv sshd_config1 sshd_config<\/p>\n
sed -e ‘s\/#PermitEmptyPasswords no\/PermitEmptyPasswords no\/g’ sshd_config >>sshd_config1<\/p>\n
cp -p sshd_config sshd_config.before<\/p>\n
mv sshd_config1 sshd_config<\/p>\n
echo “Banner \/etc\/issue.net” >>sshd_config<\/p>\n
echo “********************************************************************************”>> ${HARD_LOG}<\/p>\n
######Set Daemon Umask######<\/p>\n
cd \/etc\/init.d<\/p>\n
cp -p functions \/etc\/BackupSystemFiles\/functions.prehard<\/p>\n
# edit the line with umask<\/p>\n
sed -e ‘s\/umask 022\/umask 027\/g’ functions >>functions1<\/p>\n
cp -p functions functions.before<\/p>\n
mv functions1 functions<\/p>\n
######Stop Uneccessary Services#######<\/p>\n
echo “Stoping Unneccessary Services” >> ${HARD_LOG}<\/p>\n
for FILE in apmd canna dhcdbd FreeWnn gpm hpoj innd irda isdn kdcrotate lvs mars-nwe oki4daemon privoxy rstatd rusersd rwalld rwhod spamassassin wine<\/p>\n
do<\/p>\n
service $FILE stop &>\/dev\/null<\/p>\n
chkconfig –list $FILE &>\/dev\/null 1>>\/etc\/BackupSystemFiles\/boot.service.prehard<\/p>\n
chkconfig $FILE off &>\/dev\/null<\/p>\n
done<\/p>\n
for FILE in nfs nfslock autofs ypbind ypserv yppasswdd \\<\/p>\n
portmap smb netfs lpd apache httpd tux snmpd \\<\/p>\n
named postgresql vsftpd mysqld webmin kudzu squid cups \\<\/p>\n
ip6tables iptables pcmcia bluetooth mDNSResponder<\/p>\n
do<\/p>\n
service $FILE stop &>\/dev\/null<\/p>\n
chkconfig –list $FILE &>\/dev\/null 1>>\/etc\/BackupSystemFiles\/boot.service.prehard<\/p>\n
chkconfig $FILE off &>\/dev\/null<\/p>\n
done<\/p>\n
echo “********************************************************************************”>> ${HARD_LOG}<\/p>\n
######Disable network services######<\/p>\n
echo “Disabling unnecessary Network Services now.”>> ${HARD_LOG}<\/p>\n
mkdir \/etc\/BackupSystemFiles\/xinetd.d >> ${HARD_LOG}<\/p>\n
cp -rf \/etc\/xinetd.d\/* \/etc\/BackupSystemFiles\/xinetd.d\/ >> ${HARD_LOG}<\/p>\n
cd \/etc\/xinetd.d >> ${HARD_LOG}<\/p>\n
for FILE in chargen chargen-udp cups-lpd cups daytime \\<\/p>\n
daytime-udp echo echo-udp eklogin finger imap \\<\/p>\n
imaps ipop2 ipop3 klogin kshell ktalk ntalk \\<\/p>\n
pop3s rexec rsync servers services sgi_fam \\<\/p>\n
talk tftp time time-udp<\/p>\n
do<\/p>\n
chkconfig –list ${FILE} &>\/dev\/null 1>> \/etc\/BackupSystemFiles\/standard.service.prehard<\/p>\n
chkconfig ${FILE} off &>\/dev\/null<\/p>\n
done<\/p>\n
echo “********************************************************************************”>> ${HARD_LOG}<\/p>\n
#######Lock the Unneccessary Accounts########<\/p>\n
echo “Locking the Uneccessary Accounts”>>${HARD_LOG}<\/p>\n
cp -p \/etc\/passwd \/etc\/BackupSystemFiles\/passwd.prehard<\/p>\n
for USERID in rpc rpcuser lp apache http httpd named dns \\<\/p>\n
mysql postgres squid news netdump<\/p>\n
do<\/p>\n
usermod -L -s \/sbin\/nologin $USERID &>\/dev\/null<\/p>\n
done<\/p>\n
echo “********************************************************************************”>> ${HARD_LOG}<\/p>\n
#######Confirm Permissions On System Log files######<\/p>\n
cd \/var\/log<\/p>\n
ls -l > \/etc\/BackupSystemFiles\/system.logfiles<\/p>\n
chmod o-rwx boot.log* cron* dmesg ksyms* httpd\/* maillog* messages* news\/* pgsql rpmpkgs* samba\/* sa\/* scrollkeeper.log secure* spooler* squid\/* vbox\/* wtmp &>\/dev\/null<\/p>\n
chmod o-rx boot.log* cron* maillog* messages* pgsql secure* spooler* squid\/* sa\/* &>\/dev\/null<\/p>\n
chmod g-w boot.log* cron* dmesg httpd\/* ksyms* maillog* messages* pgsql rpmpkgs* samba\/* sa\/* scrollkeeper.log secure* spooler* &>\/dev\/null<\/p>\n
chmod g-rx boot.log* cron* maillog* messages* pgsql secure* spooler* &>\/dev\/null<\/p>\n
chmod o-w gdm\/ httpd\/ news\/ samba\/ squid\/ sa\/ vbox\/ &>\/dev\/null<\/p>\n
chmod o-rx httpd\/ samba\/ squid\/ sa\/ &>\/dev\/null<\/p>\n
chmod g-w gdm\/ httpd\/ news\/ samba\/ squid\/ sa\/ vbox\/ &>\/dev\/null<\/p>\n
chmod g-rx httpd\/ samba\/ sa\/ &>\/dev\/null<\/p>\n
chmod u-x kernel syslog loginlog &>\/dev\/null<\/p>\n
chown -R root:root . &>\/dev\/null<\/p>\n
chgrp utmp wtmp &>\/dev\/null<\/p>\n
[ -e news ] && chown -R news:news news &>\/dev\/null<\/p>\n
[ -e pgsql ] && chown postgres:postgres pgsql &>\/dev\/null<\/p>\n
chown -R squid:squid squid &>\/dev\/null<\/p>\n
######Verify passwd, shadow and group file permissions#######<\/p>\n
cd \/etc<\/p>\n
ls -l > \/etc\/BackupSystemFiles\/etc.files<\/p>\n
chown root:root passwd shadow group<\/p>\n
chmod 644 passwd group<\/p>\n
chmod 400 shadow<\/p>\n
cp -p \/etc\/vsftpd\/ftpusers \/etc\/BackupSystemFiles\/ftpusers.prehard<\/p>\n
for NAME in `cut -d: -f1 \/etc\/passwd`; do<\/p>\n
if [ `id -u $NAME` -lt 500 ]; then<\/p>\n
echo $NAME >> \/etc\/ftpusers<\/p>\n
fi<\/p>\n
done<\/p>\n
chown root:root \/etc\/vsftpd\/ftpusers<\/p>\n
chmod 600 \/etc\/vsftpd\/ftpusers<\/p>\n
#########Banner For FTP###################<\/p>\n
cd \/etc\/vsftpd<\/p>\n
cp -p vsftpd.conf \/etc\/BackupSystemFiles\/vsftpd.conf.prehard<\/p>\n
echo “ftpd_banner=Authorized users only. All activity \\<\/p>\n
may be monitored and reported.” >> vsftpd.conf<\/p>\n
######Protect Grub With Password#######<\/p>\n
cp -p \/boot\/grub\/grub.conf \/etc\/BackupSystemFiles\/grub.conf.prehard<\/p>\n
sed -i ‘1ipassword password’ \/boot\/grub\/grub.conf<\/p>\n
chown root:root \/etc\/grub.conf<\/p>\n
chmod 600 \/etc\/grub.conf<\/p>\n
#######Restrict Root Logins To System Console By adding the entry called console in the file \/etc\/securetty#######<\/p>\n
echo “Restricting root Logins to the System Console By adding the entry called console in the file \/etc\/securetty” >> ${HARD_LOG}<\/p>\n
cp -p \/etc\/securetty \/etc\/BackupSystemFiles\/securetty.prehard<\/p>\n
for i in `seq 1 6`; do<\/p>\n
echo tty$i >> \/etc\/securetty<\/p>\n
done<\/p>\n
for i in `seq 1 11`; do<\/p>\n
echo vc\/$i >> \/etc\/securetty<\/p>\n
done<\/p>\n
echo console >> \/etc\/securetty<\/p>\n
chown root:root \/etc\/securetty<\/p>\n
chmod 400 \/etc\/securetty<\/p>\n
#######Block System Accounts#######<\/p>\n
cp -p \/etc\/passwd \/etc\/BackupSystemFiles\/passwd.prehard<\/p>\n
for NAME in `cut -d: -f1 \/etc\/passwd`;<\/p>\n
do<\/p>\n
MyUID=`id -u $NAME`<\/p>\n
if [ $MyUID -lt 500 -a $NAME != ‘root’ ]; then<\/p>\n
usermod -L -s \/sbin\/nologin $NAME<\/p>\n
fi<\/p>\n
done<\/p>\n
######Verify that no UID 0 Account exists Other than root######<\/p>\n
echo “********************************************************************************”>> ${HARD_LOG}<\/p>\n
awk -F: ‘($3 == 0) { print “UID 0 Accounts are Below. Please do block if its not neccessary\\n” $1 }’ \/etc\/passwd>> ${HARD_LOG}<\/p>\n
echo “********************************************************************************”>> ${HARD_LOG}<\/p>\n
######Setting Password expiry (must expire after 42 days and warn 7 days) for root account#######<\/p>\n
echo “Setting Password expiry (must expire after 30 days and warn 7 days) for root account” >> ${HARD_LOG}<\/p>\n
passwd -x 30 -w 7 root >> ${HARD_LOG}<\/p>\n
echo “All the activities are done by this script has been logged into $HARD_LOG”<\/p>\n
echo “Request you to save the log file in the SharePoint portal URL http:\/\/sinbngpp001\/TIM\/UNIXServerReports\/Forms\/AllItems.aspx for the Audit”<\/p>\n
echo “#———————————————————————#”<\/p>\n
echo<\/p>\n
echo ” END OF THE SCRIPT ”<\/p>\n
echo<\/p>\n
echo “#———————————————————————#”<\/p>\n","protected":false},"excerpt":{"rendered":"
#Please check a script regarding Linux Hardening, it may help you to configure your system<\/p>\n
####################################################### #!\/bin\/bash<\/p>\n
#####LInux Hardening Script#####<\/p>\n
#######################################################<\/p>\n
# #<\/p>\n
# Files involved in this script are as follow: #<\/p>\n
# \/etc\/ssh\/ssh_config #<\/p>\n
# \/etc\/init.d\/functions #<\/p>\n
# \/boot\/grub\/grub.conf #<\/p>\n
# \/etc\/vsftpd\/ftpusers #<\/p>\n
# \/etc\/securetty #<\/p>\n
# \/etc\/issue #<\/p>\n
# \/etc\/motd #<\/p>\n
# […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/961"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=961"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/961\/revisions"}],"predecessor-version":[{"id":963,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/961\/revisions\/963"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}