Full Version: Linux Security Script
The Planet Forums > Security > General Security > UNIX Security
Blue|Fusion
A few of you may remember a few months back I started to learn Shell and Bash and made a script to automatically do some basic security things. Well lately, I have been putting some more time into it and here's what I came up with so far, although I usually add/edit a little something every once in a while to make it better (like all developers...except for Microsoft icon_smile.gif ).

Update April 14, 2006:
You can now call upon ELS with els --option OR /usr/local/els/els.sh --option.


Updated: December 21st, 2006
Current Version: 1.6.1-2


Anyway, here's what it does:
-Install RKHunter
-Install RKHunter Cronjob which emails a user-set email address nightly
-Install/update APF
-Import old APF rules in an upgrade
-Add SM/TP monitoring IPs (view information on these in Orbit)
-Install/update BFD
-Install CHKROOTKIT
-Install CHKROOTKIT Cronjob which emails a user-set email address nightly
-Disable Telnet
-Force SSH Protocol 2
-Secure /tmp
-Secure /var/tmp
-Secure /dev/shm
-Install/update Zend Optimizer
-Install/update eAccelerator
-MySQL 4.0, 4.1, 5.0 Configuration Optimization (cPanel only)
-Upgrade MySQL to 4.1 or 5.0 (cPanel only)
-Tweak WHM Settings for security and stability
-Configure RNDC if not already done (cPanel only)
-Change SSH port (also configure APF as necessary)
-Add wheel user and disable direct root login over SSH
-Optimize MySQL tables
-Install/update Libsafe
-Install/update ImageMagick (from latest source)
-Uninstall LAuS
-Harden sysctl.conf
-Install Chirpy's Free Exim Dictionary Attack ACL
-Disable SELinux on cPanel servers
-Install mytop
-Renice MySQL
-Install Fantastico (cPanel and Fantastico license required)
And more!


You can also run it with the --updatesoftware option and it will automatically upgrade RKHunter, APF, and BFD to the latest version.

The downloaded tarballs of RKHunter, BFD, APF, and CHKROOTKIT are from my own repository, however they are unchanged from the original sites. You can confirm this with the MD5s if you wish.

RKHunter, APF, BFD, CHKROOTKIT, and other tarballs are checked for MD5 mismatches before extracting to ensure the downloads are not corrupted.

Better OS/binary checks are performed before any installing. If a necessary binary isn't present, it will stop before making any changes.

Backups of changed files are kept in /usr/local/els/bakfiles and all source files are worked with in /usr/local/els/src to keep things more organized.

This script works best with Red Hat Enterprise Linux version 3 (Taroon Update 4 and 5) and with cPanel 10.x installed.

Please let me know if you have any problems with this script, or any additions you would like to see. I'm also not the best at coding so if you know how to code and you see a problem with it, please let me know.

You can download and execute this script by copying the following command:
CODE
wget --output-document=installer.sh http://servermonkeys.com/projects/els/installer.sh; chmod +x installer.sh; sh installer.sh


The installer script will automatically download and check the md5sum of the tarball (which is only another 2 scripts), as well as make the /usr/local/els directory and subdirectories.

Please tell me what you think!
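The post above says tarballs are checked for MD5 mismatches before extraction. The following is an added example written for this thread, not code from RGSecurity/ELS: the function names `verify_md5` and `extract_verified`, and the small tarball the `demo` function builds, are all constructed for the example. It verifies a file's md5sum against an expected value and extracts only on a match, so a corrupted or altered download is never unpacked.

```shell
#!/bin/sh
# Added example (not part of RGSecurity/ELS): verify a tarball's MD5 against a
# known value before extracting it, and refuse to extract on mismatch.

# verify_md5 FILE EXPECTED_MD5 -> 0 if md5sum(FILE) equals EXPECTED_MD5,
# 1 on mismatch, 2 if the file is missing.
verify_md5() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "MD5 matches."
        return 0
    fi
    echo "MD5 MISMATCH for $file (expected $expected, got $actual)" >&2
    return 1
}

# extract_verified TARBALL EXPECTED_MD5 DESTDIR -> extracts the tarball into
# DESTDIR only after the hash check passes; DESTDIR is not even created otherwise.
extract_verified() {
    tarball="$1"
    expected="$2"
    dest="$3"
    verify_md5 "$tarball" "$expected" || return 1
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
}

# demo: build a constructed tarball locally, record its real hash, then show
# both the accepted and the rejected path.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/pkg"
    echo 'echo hello' > "$work/src/pkg/run.sh"
    tar -czf "$work/pkg.tar.gz" -C "$work/src" pkg
    good=$(md5sum "$work/pkg.tar.gz" | cut -d' ' -f1)

    # Expected hash taken from a trusted source (here: computed locally).
    extract_verified "$work/pkg.tar.gz" "$good" "$work/out" && echo "extracted to $work/out"

    # Simulated corrupted/altered download: hash differs, nothing is extracted.
    if ! extract_verified "$work/pkg.tar.gz" "00000000000000000000000000000000" "$work/out2"; then
        echo "refused to extract unverified tarball"
    fi
    rm -rf "$work"
}

# Run the demo with: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Two points worth keeping in mind when reusing this pattern: the expected hash has to be embedded in the installer (or come from a source other than the download server), otherwise a mismatch only ever catches a truncated transfer, not a replaced file; and MD5 is what this thread's era used, while a current script would use `sha256sum` with the same structure.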
Blue|Fusion
Please note these examples are heavily outdated by the new versions with many more options, and a different program name.

Here's some examples of output on a brand new box.

Downloading and running the installer:
QUOTE
root@ladefoged [~]# wget --output-document=installer.sh http://richgannon.net/securescript/installer.sh; chmod +x installer.sh; sh installer.sh
--20:56:00-- http://richgannon.net/securescript/installer.sh
=> `installer.sh'
Resolving richgannon.net... 70.84.107.20
Connecting to richgannon.net[70.84.107.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,233 [application/x-sh]

100%[============>] 1,233 --.--K/s

20:56:00 (35.63 MB/s) - `installer.sh' saved [1,233/1,233]

--20:56:00-- http://richgannon.net/securescript/rgsecurity.tar.gz
=> `/usr/local/rgsecurity/src/rgsecurity.tar.gz'
Resolving richgannon.net... 70.84.107.20
Connecting to richgannon.net[70.84.107.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,643 [application/x-tar]

100%[============>] 4,643 --.--K/s

20:56:00 (2.09 MB/s) - `/usr/local/rgsecurity/src/rgsecurity.tar.gz' saved [4,643/4,643]

MD5 valid.
Extracting...
rgsecurity/
rgsecurity/rgsecurity.sh
rgsecurity/updater.sh
Done.

RGSecurity successfully installed in /usr/local/rgsecurity
root@ladefoged [~]#


Running the RGSecurity script:
QUOTE
root@ladefoged [~]# /usr/local/rgsecurity/rgsecurity.sh --all

Making sure necessary binaries are available...
-> /usr/bin/replace found.
-> /usr/bin/wget found.
-> /bin/grep found.
-> /usr/bin/cut found.
-> /bin/tar found.
-> /bin/cat found.
Everything we need is here.

Checking existance of installation directory...
/usr/local/rgsecurity exists.
/usr/local/rgsecurity/src exists.
/usr/local/rgsecurity/bakfiles exists.

You're running the latest version of this script. [ Version: 0.8.4 ]

Checking distribution and version...
OK

Downloading RKHunter...
Download Successful!
MD5 matches.
Extracting...
Extraction Successful!
Installing...
RKHunter Install Completed Successfully!
Running RKHunter...
This may take a few minutes.
warning, got duplicate tcp line.
RKHunter is done checking your system!
View the firstrun log in /usr/local/rgsecurity/rkhunter-firstrun.log

This will set RKHunter run nightly and send you a detailed email of the full
output from RKHunter. Please enter your email address to recieve the output below.
Admin E-Mail Address:
me@mydomain.com <-- USER INPUT
You enetered: me@mydomain.com
Is this correct? (y/n):
y <-- USER INPUT

Downloading APF...
Download Successful!
MD5 matches.
Extracting...
Extraction Successful!
Installing...
Starting APF:Development mode enabled!; firewall will flush every 5 minutes.
[ OK ]
APF Install Completed Successfully!

Downloading BFD...
Download Successful!
MD5 matches.
Extracting...
Extraction Successful!
Installing...
BFD Install Completed Successfully!

Found Telnet configuration.
Backing up Telnet configuration...
Successfully backed up as /usr/local/rgsecurity/xinetd-telnet.bak!
Editing file...
/etc/xinetd.d/telnet converted
Restarting service...
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Done.

Found SSHd configuration.
Backing up current configuration file...
Successfully backed up as /usr/local/rgsecurity/bakfiles/sshd_config.bak!
Modifying configuration file...
/etc/ssh/sshd_config converted
Edit successful!
Restarting SSHd service...
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Done. SSH now forces Protocol 2.

Found /tmp partition in /etc/fstab.
Backing up current configuration file...
Successfully backed up as '/usr/local/rgsecurity/bakfiles/fstab.bak'!
Modifying /etc/fstab...
/etc/fstab converted
Done.
Remounting /tmp...
mount: /dev/hda7 already mounted or /tmp busy
mount: according to mtab, /dev/hda7 is already mounted on /tmp
Done.
You should check '/etc/fstab' before you reboot your system!!!

/var/tmp currently not mounted.
I'll mount it ontop of /tmp and secure it...
Stopping chkservd: [ OK ]
Starting chkservd: [ OK ]
Done.

Found /dev/shm partition in /etc/fstab.
Backing up current configuration file...
Backup already exists.
Modifying /etc/fstab...
/etc/fstab converted
Done.
Remounting /dev/shm...
Done.
You should check '/etc/fstab' before you reboot your system!!!

RGSecurity Copyright © 2005 Richard Gannon. All rights reserved.
Please visit the homepage for more info and support at http://richgannon.net

root@ladefoged [~]#


Help screen:
QUOTE
root@ladefoged [~]# /usr/local/rgsecurity/rgsecurity.sh --help
--all : Run compatability tests, install/update APF, BFD,
and RKHunter, and tweak various security points
--dryrun : Run system compatability tests only
--help : Print this screen
--updatesoftware : Install/Update APF, BFD, RKHunter only
--version : Print the current version and any updates
available for this script

root@ladefoged [~]#
Serhat
I think that it's a really good initiative. Thanks for sharing!

I won't run the script right away, but it gives a good reference on how to install each subcomponent.
ShaneAu
Very nice. icon_smile.gif. Thanks! icon_biggrin.gif.
xenneo
Using this on my dev server, works great icon_smile.gif, keep it up!!

// Edit
Ehhh, I don't know if it's my DSL connection, however I can't get to:
http://richgannon.net/securescript/source.txt
Anyone else experiencing this problem? Thanks.

// Edit 2
the site is now working, must have been a problem on my end.. icon_mad.gif
Blue|Fusion
Updated to use RKHunter 1.2.7 now. Installer was also fixed (glitch with MD5 check).

4 servers (3 RHEL3U5, 1 RH9) and no problems thus far at my end.
Altec
Blue, question for ya. How would this affect systems that already have said scripts installed (or most of them)?

Should they be removed, or will your script just update the necessary scripts?

Nice work btw, can't wait to try it.
Blue|Fusion
It checks to see if directories/files exist for the scripts it installs.

It checks to see if the directory /etc/apf is already there, and if it is, it will check to see what version /etc/apf/apf is, and if it is older than the latest release, it will upgrade. It does keep a backup, however, so that's always good if something happens; APF's installer also automatically moves the current apf directory to /etc/apf.bak(date) and then transfers the old config and deny_hosts and allow_hosts files over to the new installation.

As for the other parts where it edits stuff, it checks to see first if it's already been edited or if there may be a problem. No guarantees it will work 100%, but that's why developers need input.
ghideout
I had thought about doing this for my future servers so I knew each install was done exactly the same and I wouldn't miss anything. Good thinking!
lvalics
Great script. Could /etc/apf/ad/conf.antidos be generated with the same email as for RKHunter, and be enabled to send mail on problems??
lvalics
OK, what I think of as an update:
- To /usr/local/bfd/ignore.hosts and /etc/apf/allow_hosts.rules: the possibility to add an IP to ignore.
- Also I don't know if you add BFD to start automatically. Maybe I'm wrong. I mean as a service on restart or in /etc/rc.local.
- You disable root access to the server, but maybe you can ALERT the user that they need to create another user with shell access to SSH. Otherwise it is bad.
- Add to APF the possibility to enter IPs from where SSH will be allowed, all others to be restricted by default. Of course the user can choose none if he is not on a fixed IP.
Blue|Fusion
Thanks for the input.
I will add in the prompt to enter IPs to /usr/local/bfd/ignore.hosts and /etc/apf/allow_hosts.rules

I do believe BFD starts automatically on boot. I never have to start the BFD service after a reboot, and never added any special services to run it. I do get a few notices every now and then, so I do know it's working, too. If the case is different, please let me know and I'll make a service script for /etc/init.d.

I have considered adding in the function to disable direct root access from SSH, however decided not to as too many people would have trouble with that. The script currently does not support that, but I will maybe add a note that an admin should consider disabling direct root login over SSH.

I will also set /usr/local/bfd/conf.bfd and /etc/apf/ad/conf.antidos to use the same admin email address as the RKHunter cronjob.

Give me a little time and should be up later tonight or tomorrow night. Thanks for the suggestions!
Paul
BFD doesn't run as a service, it runs via a cron every x minutes (every 5 I think)
Blue|Fusion
OK, I added a few new features along with some of the above suggested in version 0.8.5...

-I now added the support for the admin email being used for BFD, and RKHunter emails, and enables the BFD email user by default.

-A single admin IP may be entered via the script which gets added to /usr/local/bfd/ignore.hosts and /etc/apf/allow_hosts.rules

-If cPanel is installed, MySQL configuration can be redone with many more features enabled or disabled respectively for more security and optimization. It checks to see if MySQL 4.0 or 4.1 is installed and uses the appropriate config file from there. It asks you before proceeding, so if you run your own configuration, it won't interfere.

-If cPanel and mod_security is installed, it downloads another small script I made which downloads safe rules from http://modsecrules.monkeydev.org nightly and restarts Apache for these rules to take effect. You can edit /etc/cron.daily/modsec.sh easily to disable the automatic restart of Apache if you wish.

I have yet to work on the /etc/apf/ad/conf.antidos file, as lvalics suggested, but it will be added in the near future.

You can download the installer and run that way again (instructions in first post) or you can run /usr/local/rgsecurity/updater.sh to update.

Again, any other suggestions, or errors you see or any other tips are much appreciated!
Mack123
Thanks Blue. I will probably try out your script next time I buy a new server. Keep up the good work. icon_smile.gif
lvalics
You can try to add Linux Socket Monitor (LSM) from http://rfxnetworks.net/lsm.php, and harder work is System Integrity Monitor (SIM) http://rfxnetworks.net/sim.php.

The first is easy and is good for security; the second is a monitor to restart different services, important, but not a security issue.

At the end of the script, I suggest writing a small HOW TO, because in some cases APF is not installed completely; for example on some PLESK servers I get

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="22"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=""

Which is not good.

So a warning to verify this value in the APF conf would be welcome.
In short, I think every value that needs to be checked is better shown as a warning.
JaggedIce
Blue Fusion can you PM me your MSN?
JaggedIce
*******EDIT**********
lvalics
OS RELOAD for MySQL? I think the problem is more simple. Check your logs.
JustGags
QUOTE (JaggedIce)
Your script totally broke down MYSQL on my server. I'm sitting here giving it hell to fix, looks like it cannot be fixed and will require an OS RELOAD.

Wow.


It's up to the sysadmin to read through the script before running it to make sure it won't interfere w/ any existing system configuration.
JaggedIce
O i know.
JaggedIce
Any idea on how to "undo" this?

-If cPanel is installed, MySQL configuration can be redone with many more features enabled or disabled respectively for more security and optimization. It checks to see if MySQL 4.0 or 4.1 is installed and uses the appropriate config file from there. It asks you before proceeding, so if you run your own configuration, it won't interfere.
JaggedIce
Blue | Fusion is the best person on the internet! He helped me fix this and a couple other things!
Blue|Fusion
And it was an /etc/fstab problem. I'm not sure if it was due to my script or not, however /var/tmp wasn't mounted with the bind option on /tmp so the PHP scripts couldn't connect to the MySQL socket.

And I can't believe a tech doesn't check that for $75/hr...
lvalics
Also you can think to extend with chkrootkit the package :-)
Blue|Fusion
I had planned to add CHKROOTKIT to the installer, however never got around to it, but I will do so now.
Blue|Fusion
Alrighty, quick addition. CHKROOTKIT is now installed along with a cronjob to run it nightly as RKHunter does.

Version: 0.8.8
Bruceleeon
wow... that was fast...

I can't wait to try it!
lvalics
I think he deserves a donation, guys, donate money :-)) I have already done so.
lvalics
Also do not forget to edit the first post to add ZEND and CHKrootkit
lvalics
If you want to check PLESK control Panel you can try something like this.

pleskcheck() {
echo "";
if [ -e /etc/psa/psa.conf ]; then
    # PRODUCT_ROOT_D in psa.conf is the Plesk install root (e.g. /usr/local/psa);
    # awk on the second field works whether the separator is a tab or spaces.
    install_location=`awk '$1 == "PRODUCT_ROOT_D" { print $2 }' /etc/psa/psa.conf`
    # The version file lives under that root, so use the variable, not the literal name.
    echo "PLESK is installed. [ Version: `tail -n 1 "$install_location/version"` ]";
    PLESKCHECK="1";
else
    echo "PLESK is not installed.";
fi
}

This is OK to install the MySQL optimization on PLESK as well, and I will come with a few other ideas in the meantime (we are on PLESK and we have written a HOW TO secure PLESK)
Blue|Fusion
Well I would have made something like the APF cPanel config for Plesk, however, I was unsure what ports need to be opened for Plesk and any daemons it runs by default.
If you can compile a list of what TCP/UDP ports should be opened on a stock Plesk system, I can make that now.
xwing777
Not sure how this happened but how to correct this?

CODE
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3              71G  6.2G   62G  10% /
/dev/hda1             487M   29M  433M   7% /boot
none                  501M     0  501M   0% /dev/shm
/tmp                   71G  6.2G   62G  10% /var/tmp
/usr/tmpDSK           496M  8.2M  463M   2% /tmp


notice /var/tmp is the same as /, which is the users' (home) partition
Blue|Fusion
It's just an easy fix in /etc/fstab, but to troubleshoot, can you show me the output of cat /etc/fstab?
bsykes
With Plesk on a linux server, you're really only going to need port 8443 for the admin panel. Of course, also the normal assortment of services like pop3, pop3s, imap, imaps, dns, apache, etc ... On upgrades, I'm not sure what port it uses to connect to the plesk key server to update the key, but if you're not doing egress filtering in iptables, then this shouldn't matter.
xwing777
QUOTE (Blue|Fusion)
It's just an easy fix in /etc/fstab, but to troubleshoot, can you show me the output of cat /etc/fstab?


CODE
/dev/hda3               /                       ext3    defaults,usrquota        1 1
/dev/hda1               /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   defaults,noexec,nosuid        0 0
/dev/hda2               swap                    swap    defaults        0 0
/dev/hdc1                /backup                 ext3    defaults        1 2

/tmp /var/tmp ext3 defaults,noexec,nosuid,bind 0 0

hdc1 is my backup drive
Blue|Fusion
OK, just to make sure, which version of the script were you using when you ran it the first time? One of the past versions had an error in it which could have caused this on a system without a physical partition for /tmp, however I thought I had corrected it.


Anyway, just remove the very last line from the file, and then do the following:
# service chkservd stop
# service mysql stop
# service httpd stop
# unlink /tmp/mysql.sock
# umount /var/tmp
# umount /tmp
# /scripts/securetmp --auto
# service httpd start
# service mysql start
# service chkservd start
# mount (check to make sure it all looks good now)

If you can't umount /tmp, you may have to delete the session files in there, and then try again (make sure you're not cd'd to the /tmp or /var/tmp directory, either).
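The fstab problem discussed in this exchange (a /var/tmp bind mount pointing at a /tmp that has no secured entry of its own) is the kind of thing a quick audit catches before a reboot. The following is an added example written for this thread, not code from RGSecurity/ELS: the functions `fstab_opts`, `has_opt` and `check_mountpoint` are constructed names, and the sample fstab lines in the `demo` function are modelled on the one xwing777 posted above, not copied from a real system. It reports, for each of the mount points the script hardens, whether the fstab entry exists and carries both `noexec` and `nosuid`.

```shell
#!/bin/sh
# Added example (not part of RGSecurity/ELS): audit an fstab file for the
# noexec,nosuid options the script applies to /tmp, /var/tmp and /dev/shm.

# fstab_opts FILE MOUNTPOINT -> prints the options field of the entry whose
# mount point is MOUNTPOINT (comments and short lines are skipped).
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# has_opt OPTS NAME -> 0 if the comma-separated OPTS list contains NAME exactly.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mountpoint FILE MOUNTPOINT -> 0 when an entry exists and has both
# noexec and nosuid; 1 (with a reason on stderr) otherwise.
check_mountpoint() {
    opts=$(fstab_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$2: no fstab entry (a bind mount on it inherits nothing)" >&2
        return 1
    fi
    missing=""
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -n "$missing" ]; then
        echo "$2: missing$missing (options: $opts)" >&2
        return 1
    fi
    echo "$2: ok ($opts)"
    return 0
}

# demo: constructed fstab resembling the one posted in this thread, with
# /var/tmp bind-mounted on a /tmp that has no entry of its own.
demo() {
    work=$(mktemp -d)
    cat > "$work/fstab" <<'EOF'
/dev/hda3   /          ext3    defaults,usrquota               1 1
/dev/hda1   /boot      ext3    defaults                        1 2
none        /dev/shm   tmpfs   defaults,noexec,nosuid          0 0
/dev/hda2   swap       swap    defaults                        0 0
/tmp        /var/tmp   ext3    defaults,noexec,nosuid,bind     0 0
EOF
    for mp in /tmp /var/tmp /dev/shm; do
        check_mountpoint "$work/fstab" "$mp" || echo "ACTION NEEDED: $mp"
    done
    rm -rf "$work"
}

# Run the demo with: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

To audit a live box, run `check_mountpoint /etc/fstab /tmp` and friends; fstab only records intent, so compare against the running state in `/proc/mounts` (same field layout, so `fstab_opts /proc/mounts /tmp` works) to catch the "remount failed, check fstab before reboot" case the script's own output warns about.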
xwing777
version used was 0.8.4
Blue|Fusion
OK, and this was fixed in 0.8.5. Anyway, did the above commands all work OK? Is /tmp and /var/tmp correctly mounted now?
xwing777
Yes, fixed it. On a side note, how hard would it be to add to your script the use of rkhunter reports like this:

Create /etc/cron.daily/rkhunter.sh


CODE
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'RKhunter Scan on nameofserver' your@email-address


This is the way I modified mine; or is it too much work? Just thought those that have more than one server and/or only want emails for problems may like it better. Or even put a select option in during the config part of the install?

Nice scripting by the way, saves time during set up icon_biggrin.gif
lvalics
Yes, it is 8443 and the rest of the normal ports.
I will try to see on which port PLESK does the key upgrade.
lvalics
QUOTE
port 5224 must be open to update the key


This is what I got on forum.
Blue|Fusion
I'll work on adding these now. And is the 5224 port TCP or UDP or both?
Blue|Fusion
The script now creates control panel based configs for APF. Currently for cPanel and Plesk. If one of the two are installed, it will download a tarball of the configs, and copy over the correct one as /etc/apf/conf.apf. This is only for new APF installs, not updates, so your configuration won't be overwritten.

I confirmed it works for cPanel, however I don't have access to a Plesk based server at this time. If anyone with Plesk can try it out, please let me know if any problems come up.
parisdns
QUOTE (Blue|Fusion)
The script now creates control panel based configs for APF.  Currently for cPanel and Plesk.  If one of the two are installed, it will download a tarball of the configs, and copy over the correct one as /etc/apf/conf.apf.  This is only for new APF installs, not updates, so your configuration won't be overwritten.

I confirmed it works for cPanel, however I don't have access to a Plesk based server at this time.  If anyone with Plesk can try it out, please let me know if any problems come up.


Eh, Blue, could we run your script on a box with apf/BFD/etc. already installed (to update everything), or just on a fresh box?... wink.gif
Blue|Fusion
It can be used on a box with that already installed, and if it is out of date, it will update it. But you should still be careful on a production server and make sure everything is OK once it's done.
xenneo
QUOTE (Blue|Fusion)
It can be used on a box with that already installed, and if it is out of date, it will update it.  But you should still be careful on a production server and make sure everything is OK once it's done.


No problems here when I used it on a box that already had it installed, it was my developer box.
DeadEye686
Just wanted to give you a heads up that your script was just mentioned on the security-basics list at securityfocus.com icon_smile.gif
Blue|Fusion
Hey, thanks a lot for the heads up. I've been working on it a little each day, from minor tweaks in code to new additional features.

BTW, I was wondering if anyone knew offhand...
Is it against Zend's policy now to install ZendOptimizer by script, hence requiring the login to download? Cause if so, I'll have to remove that part.

I was also thinking about renaming this project to "ELS", "Easy Linux Security." Good, bad, any other ideas? I suck with names. And I'm working on moving it to my new domain for my projects, and going to continue to work in advancing it.
lvalics
Don't shoot me, I was the bad guy who made it public :-))
ELS is OK, but I suggest buying a domain like www.EasyLinuxSecurity.com and also a shortcut like www.els.com