As a follow-up, here is the script I made.
It is NOT COMPLETE and does NOT work as it should. It is meant only for interested people who want to fix and improve it and who know what they are doing: it runs as root and rewrites sudoers, sshd_config, /etc/hosts, /etc/inittab and the iptables rules, so do not run it on a machine you cannot recover without SSH.
[code]#!/bin/bash
automatic attended install script
#Colours
############
#ToDo
############
#make variables for to download files
#add ossec agent
#add ossec server
#add zabbix server
#add config for fail2ban
#add logfile
#complete virtualmin change port && restart services
#mail to admin upon file completion
issue in if [ ${AddServerIPPort[$iserver]} != $Nullport ]
############
#Functions
############
Check IP function (Thanks to Mitch Frazier)
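# valid_ip ADDR
# Returns 0 when ADDR is a dotted-quad IPv4 address whose four octets are
# all <= 255, 1 otherwise (including an empty argument). Only IPv4 is
# handled; IPv6 input is rejected. IFS is saved in a local so the temporary
# change cannot leak into the caller (the original used a global OIFS).
# NOTE(review): octets are compared with bash arithmetic, so a leading zero
# is read as octal (e.g. "010" passes as 8) -- confirm whether that matters.
valid_ip()
{
  local ip="$1"
  local stat=1
  local oifs
  if [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    oifs="$IFS"
    IFS='.'
    # Deliberately unquoted: split on '.' into the four octets. The regex
    # above guarantees only digits and dots, so no globbing can occur.
    ip=($ip)
    IFS="$oifs"
    [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
      && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
    stat=$?
  fi
  return $stat
}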
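# Terminal colours for `echo -e`. They must be real single-quoted escape
# sequences: the original used typographic quotes (’…’), which bash does not
# treat as quotes, so the literal quote characters were printed as well.
# RedBold/GreenBold are the same codes as Red/Green in the original; kept.
Blue='\e[0;34m'
Red='\e[0;31m'
Green='\e[0;32m'
RedBold='\e[0;31m'
GreenBold='\e[0;32m'
LightGrey='\e[0;37m'
Purple='\e[0;35m'
Brown='\e[0;33m'
NoColour='\e[0m'
Yes=y
# Everything below rewrites system files; refuse to run unprivileged.
# The original compared `whoami` against the literal text ‘root’ (with the
# quote characters), which never matched, so the script always exited here.
if [ "$(id -u)" -ne 0 ]; then
  echo "Must be root to run" >&2
  exit 1
fi
echo -e "------------------------------"
echo -e "-----${Purple}New Server Install${NoColour}-------"
echo -e "------------------------------"
echo -e "Please note the following:"
echo -e "There is no check if this system is running CentOS 6.5. \nIf it is not running CentOS 6.5 this install will not work."
# Best-effort hint only; the "press enter" prompt below is the gate.
if ! grep -q 'CentOS release 6\.' /etc/redhat-release 2>/dev/null; then
  echo -e "${Red}Warning: /etc/redhat-release does not look like CentOS 6.${NoColour}"
fi
echo -e "\n${RedBold}Internet connectivity${NoColour} is required to run this script. \nIf you are behind a proxy or need to alter connectivity settings in order to connect to the internet \npress CTRL + C now to abort and set this first. \nIf you are not sure if you have internet press CTRL + C all the same and first do a ping."
echo -e "${RedBold}No information is being collected or sent.${NoColour}"
echo -e "${Green}press enter to continue${NoColour}"
read -r empty
echo -e "${Green}first a check for basic tools${NoColour}"
# Every download step below needs wget, so failing to install it is fatal.
yum install -y wget vim || { echo -e "${Red}could not install wget/vim; aborting${NoColour}" >&2; exit 1; }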
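#############
#ask for basic info
#############
# Initiating vars. Everything read here is later spliced into sed
# expressions, /etc/hosts, sshd_config and a cron job, so each value is
# checked against a conservative character set before it is accepted.
TopDomain=""
ServerName=""
ServerIpv4=""
ServerIpv6=""
AdminMail=""
ZabAg=""
VirtMin=""
# DNS label: letters, digits and '-', not starting or ending with '-'.
DnsLabel='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
DomainRe="^${DnsLabel}(\\.${DnsLabel})*\$"
LabelRe="^${DnsLabel}\$"
# Syntax-only e-mail check; it also keeps out '/', '&', quotes and spaces,
# which would break the sed replacements and the cron job that use it.
EmailRe='^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
# NOTE(review): IPv6 is only checked for hex digits and colons (or empty);
# this is not a full address validator.
Ipv6Re='^[0-9A-Fa-f:]+$'
while [[ ! "$TopDomain" =~ $DomainRe ]]; do
  echo -e "${Purple}Top Level Domain Name${NoColour} (e.g. example.com)"
  read -r TopDomain
done
while [[ ! "$ServerName" =~ $LabelRe ]]; do
  echo -e "Server ${Purple}Name${NoColour} (one DNS label, no dots)"
  read -r ServerName
done
iploop=""
while [[ ! "$iploop" =~ ^n$ ]]; do
  echo -e "Server ${Purple}IP v4${NoColour}"
  read -r ipvalue
  echo "$ipvalue"
  if valid_ip "$ipvalue"; then
    echo -e "IP is correct"
    ServerIpv4="$ipvalue"
    iploop="n"
  else
    echo -e "ip is wrong"
  fi
done
iploop=""
ServerIpv6="x"
while [ -n "$ServerIpv6" ] && [[ ! "$ServerIpv6" =~ $Ipv6Re ]]; do
  echo -e "Server ${Purple}IP v6 (leave blank if not available)${NoColour}"
  read -r ServerIpv6
done
while [[ ! "$AdminMail" =~ $EmailRe ]]; do
  echo -e "Administrator (working) ${Purple}Email Address ${NoColour}(for logs, warnings, errors, ...)"
  read -r AdminMail
done
while [[ ! "$VirtMin" =~ ^[yYnN]$ ]]; do
  echo -e "Install ${Purple}Virtualmin? ${NoColour}(y/n)"
  read -r VirtMin
done
while [[ ! "$ZabAg" =~ ^[yYnN]$ ]]; do
  echo -e "Install ${Purple}Zabbix Agent${NoColour} (Monitoring. Zabbix server required) (y/n)"
  read -r ZabAg
done
echo -e "${Purple}Top Level Domain is $TopDomain"
echo -e "Server Name is $ServerName"
echo -e "IP v4 is $ServerIpv4"
echo -e "Server IP v6 is $ServerIpv6"
echo -e "Admin Email is $AdminMail"
echo -e "Installing Virtualmin: $VirtMin"
echo -e "Installing Zabbix Agent: $ZabAg ${NoColour}"
echo -e "Press enter if OK, CTRL + C if not"
read -r empty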
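#############
#ask for services, ports and protocols
#############
echo -e "${Purple}Which services will run? ${NoColour}"
echo -e "reminder: ssh (default 22), http (default 80), https (default 443), smtp (default 587, 465, 25), pop (default 110 995), zabbix (default 10050), snmp (default 161), webmin and virtualmin (default 10000), usermin (default 20000), dns (default 53, tcp and udp), whois (default 43), NTP (default 123)"
echo -e "\n SSH This port information will be written in the config files of the services if you write the services in lower case, according to the service name (do not include the D for daemon)"
echo -e "${Green}These ports will also be written in the firewall file made in /home/newuser/firewall.sh ${NoColour}"
echo -e "the firewall file executes iptables."
echo -e "if you make a mistake here, see the firewall file and the service config file"
# Begin services: three parallel arrays indexed by $i (name, port, protocol).
# $i ends up as the entry count and is read by the firewall section; the
# SSH section looks for an entry literally named "ssh".
declare -a ServicesList
declare -a ServicesPortList
declare -a ServicesProtList
i=0
doloop=""
while [[ ! "$doloop" =~ ^[yYnN]$ ]]; do
  echo -e "${Purple}Add Service?${NoColour} (y/n)"
  read -r doloop
done
# Accept "Y" as well as "y": the original compared against the literal "y"
# and silently added no services when the user typed a capital.
if [[ "$doloop" =~ ^[yY]$ ]]; then
  while [[ "$doloop" =~ ^[yY]$ ]]; do
    # The array subscript is quoted so "[$i]" is not treated as a glob.
    while [[ -z "${ServicesList[$i]}" ]]; do
      echo -e "${Purple}Name of Service${NoColour}"
      read -r "ServicesList[$i]"
    done
    # A port must be a real TCP/UDP port (1-65535), not just any digits.
    while ! [[ "${ServicesPortList[$i]}" =~ ^[0-9]+$ ]] \
      || [ "${ServicesPortList[$i]}" -lt 1 ] || [ "${ServicesPortList[$i]}" -gt 65535 ]; do
      echo -e "${Purple}Port of Service${NoColour} (1-65535)"
      read -r "ServicesPortList[$i]"
    done
    while [[ ! "${ServicesProtList[$i]}" =~ ^(tcp|udp)$ ]]; do
      echo -e "${Purple}Protocol of Service ${NoColour}(tcp or udp) (lower case)"
      read -r "ServicesProtList[$i]"
    done
    i=$(( i + 1 ))
    doloop=""
    while [[ ! "$doloop" =~ ^[yYnN]$ ]]; do
      echo -e "${Purple}Add another Service?${NoColour} (y/n)"
      read -r doloop
    done
  done
else
  echo -e "${Red}no services will be added${NoColour}"
  # NOTE(review): with no "ssh" entry the firewall section opens no SSH port
  # at all; only the home-IP rule (if one is given) keeps remote access.
  #######MAKE SSH DEFAULT => for config file of ssh => make if array contains ssh
fi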
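#############
#ask for accept all from certain IP's
#############
doloop=""
echo -e "${Green}specific firewall ports open?${NoColour}"
while [[ ! "$doloop" =~ ^[yYnN]$ ]]; do
  echo -e "${Purple}Add a server? ${NoColour}(y/n)"
  read -r doloop
done
# Parallel arrays indexed by $iServer. The firewall section reads
# AddServerIPDesc, so that is the name filled in here; the original read the
# description into AddServerIPDescr and it never reached the firewall file.
iServer=0
declare -a AddServerIP
declare -a AddServerIPDesc
declare -a AddServerIPPort
declare -a AddServerIPProt
if [[ "$doloop" =~ ^[yY]$ ]]; then
  while [[ "$doloop" =~ ^[yY]$ ]]; do
    while [[ -z "${AddServerIPDesc[$iServer]}" ]]; do
      echo -e "${Purple}Give Server description${NoColour}"
      read -r "AddServerIPDesc[$iServer]"
    done
    iploop=""
    while [[ ! "$iploop" =~ ^n$ ]]; do
      echo -e "${Purple}Give Server IP ${NoColour}(ipv4)"
      read -r ipvalue
      echo "$ipvalue"
      if valid_ip "$ipvalue"; then
        echo -e "${Green}IP is correct${NoColour}"
        AddServerIP[$iServer]="$ipvalue"
        echo -e "written to array=: $ipvalue "
        iploop="n"
      else
        echo -e "${Red}ip is wrong${NoColour}"
      fi
    done
    iploop=""
    # 0 means "every port from this host" -- a complete firewall bypass for
    # that address, so use it only for hosts you fully trust.
    while ! [[ "${AddServerIPPort[$iServer]}" =~ ^[0-9]+$ ]] \
      || [ "${AddServerIPPort[$iServer]}" -gt 65535 ]; do
      echo -e "${Purple}Specific port ${NoColour}(enter 0 to open all ports)"
      read -r "AddServerIPPort[$iServer]"
    done
    if [ "${AddServerIPPort[$iServer]}" != "0" ]; then
      while [[ ! "${AddServerIPProt[$iServer]}" =~ ^(tcp|udp)$ ]]; do
        echo -e "${Purple}specific protocol${NoColour} (tcp or udp)"
        read -r "AddServerIPProt[$iServer]"
      done
    fi
    iServer=$(( iServer + 1 ))
    doloop=""
    while [[ ! "$doloop" =~ ^[yYnN]$ ]]; do
      echo -e "${Purple}Add another Server?${NoColour} (y/n)"
      read -r doloop
    done
  done
fi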
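#############
#setup users and root
#############
echo -e "${Red}change root password${NoColour}"
passwd root
# The admin account. The name is restricted to what useradd accepts and to
# characters that are safe to splice into sudoers, sshd_config (AllowUsers)
# and the /home/<user>/firewall.sh path used later.
NewUser=""
while [[ ! "$NewUser" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; do
  echo -e "${Purple}New User${NoColour} (lower-case letters, digits, _ and -)"
  read -r NewUser
done
if id "$NewUser" >/dev/null 2>&1; then
  echo -e "${Red}user $NewUser already exists. Please abort.${NoColour}"
  exit 1
fi
# -m: the firewall script is written into the home directory later on.
useradd -m "$NewUser" || { echo -e "${Red}useradd failed. Please abort.${NoColour}"; exit 1; }
passwd "$NewUser"
# Grant sudo without running sed over /etc/sudoers: one syntax error there
# disables sudo for every user, whereas a drop-in (or a checked copy) can be
# validated with visudo first and thrown away if it does not parse.
SudoLine="$NewUser ALL=(ALL) ALL"
SudoFile=""
if grep -q '^#includedir[[:space:]]\+/etc/sudoers.d' /etc/sudoers; then
  SudoFile="/etc/sudoers.d/$NewUser"
  printf '%s\n' "$SudoLine" > "$SudoFile"
  chmod 0440 "$SudoFile"
  if ! visudo -cf "$SudoFile" >/dev/null; then
    rm -f -- "$SudoFile"
    SudoFile=""
  fi
else
  SudoTmp=$(mktemp) || exit 1
  { cat /etc/sudoers; printf '%s\n' "$SudoLine"; } > "$SudoTmp"
  # install(1) creates a fresh file in /etc, so it gets the normal
  # ownership, mode and SELinux label instead of those of a /tmp file.
  if visudo -cf "$SudoTmp" >/dev/null && install -m 0440 -o root -g root "$SudoTmp" /etc/sudoers; then
    SudoFile=/etc/sudoers
  fi
  rm -f -- "$SudoTmp"
fi
# Anchored check: the original `grep -q $NewUser` matched any substring.
if [ -n "$SudoFile" ] && grep -q "^$NewUser[[:space:]]" "$SudoFile"; then
  echo -e "New User added to sudo"
else
  echo -e "${Red}something went wrong. user was not added to sudoers file. Please abort.${NoColour}"
  exit 1
fi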
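#############
#Get Home IP
#############
echo -e "${Green}local (home) IP ${NoColour}"
echo -e "Adding a home IP to your security ensures you cannot lock yourself out of your server"
# NOTE(review): the firewall section accepts *all* traffic from this address
# and the fail2ban section whitelists it, so it must be a static address you
# control; a dynamic or shared address hands that bypass to its next holder.
iploop=""
while [[ ! "$iploop" =~ ^n$ ]]; do
  echo -e "${Purple}Give home IP ${NoColour}(ipv4)"
  read -r ipvalue
  echo "$ipvalue"
  if valid_ip "$ipvalue"; then
    echo -e "${Green}IP is correct${NoColour}"
    LocalHomeIp="$ipvalue"
    iploop="n"
  else
    echo -e "${Red}ip is wrong${NoColour}"
  fi
done
iploop=""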
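#############
#set hostname
#############
echo -e "${Green} Changing Hostnames ${NoColour}"
Fqdn="$ServerName.$TopDomain"
hostname "$Fqdn"
# Double quotes so the name is expanded: the original single-quoted sed wrote
# the literal text "$ServerName.$TopDomain" into the file, and its pattern
# "HOSTNAME=*" only consumed the "HOSTNAME=" prefix, leaving the old name
# appended. '|' is the delimiter; a hostname cannot contain it.
if grep -q '^HOSTNAME=' /etc/sysconfig/network; then
  sed -i "s|^HOSTNAME=.*|HOSTNAME=$Fqdn|" /etc/sysconfig/network
else
  echo "HOSTNAME=$Fqdn" >> /etc/sysconfig/network
fi
printf '%s\t%s %s\n' "$ServerIpv4" "$Fqdn" "$ServerName" >> /etc/hosts
# An empty IPv6 value would have produced a hosts line with no address.
if [ -n "$ServerIpv6" ]; then
  printf '%s\t%s %s\n' "$ServerIpv6" "$Fqdn" "$ServerName" >> /etc/hosts
fi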
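#############
#Install EPEL
#############
echo -e "${Green}Installing EPEL...${NoColour}"
# Prefer the distribution package: yum verifies its GPG signature and no
# download is needed. Fall back to the release RPM only if that fails.
if ! rpm -q epel-release >/dev/null 2>&1; then
  yum install -y epel-release >/dev/null 2>&1 || true
fi
if ! rpm -q epel-release >/dev/null 2>&1; then
  # Private temp dir from mktemp rather than a fixed /tmp/epel another local
  # user could pre-create, and no `cd` followed by `rm -fr` of a fixed path.
  EpelTmp=$(mktemp -d) || exit 1
  EpelRpm="$EpelTmp/epel-release-6-8.noarch.rpm"
  EpelUrl="https://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm"
  wget -O "$EpelRpm" "$EpelUrl" || wget -O "$EpelRpm" "$EpelUrl"
  # -s: wget -O leaves an empty file behind on failure. (The original tested
  # /etc/epel/... -- a path nothing writes -- and had a missing space before
  # ']', so the test always errored and execution fell into the else branch.)
  if [ ! -s "$EpelRpm" ]; then
    echo "File not found! cannot continue without EPEL. Aborting."
    rm -rf -- "$EpelTmp"
    exit 1
  fi
  # NOTE(review): the RPM carries the key it would be verified with, so its
  # signature cannot be checked before install here. Verify it against a key
  # obtained out of band before trusting this on a production host.
  rpm -ivh "$EpelRpm" || { rm -rf -- "$EpelTmp"; exit 1; }
  rm -rf -- "$EpelTmp"
fi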
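#############
#Update all packages
#############
echo -e "${Green}Updating Packages...${NoColour}"
yum update -y
#############
#Install Fail2Ban
#############
echo -e "${Green}Installing Fail2Ban...${NoColour}"
yum install -y fail2ban || echo -e "${Red}fail2ban could not be installed${NoColour}"
if [ -d /etc/fail2ban ]; then
  # Overrides go in jail.local: jail.conf belongs to the package and is
  # replaced on update. The heredoc is unquoted so ${LocalHomeIp} is
  # expanded; the original single-quoted sed wrote the literal text
  # "${LocalHomeIp}" into ignoreip. Loopback plus the home address are
  # whitelisted so the admin's own failed logins cannot ban them.
  cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1 ${LocalHomeIp}
maxretry = 5
EOF
  # From the author's ToDo: fail2ban does nothing until it runs at boot.
  # NOTE(review): no jail is enabled here yet; enable the sshd jail in
  # jail.local with the real SSH port once that is settled.
  chkconfig fail2ban on
  service fail2ban start
fi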
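#############
#Install RKHUNTER
#############
echo -e "${Green}Installing RKHUNTER...${NoColour}"
# mailx provides /bin/mail, which the cron job below relies on and which the
# original never installed; a local MTA is still needed to deliver it.
yum install -y rkhunter mailx
# Daily cron job. The heredoc is unquoted so $ServerName and $AdminMail are
# baked in at write time (same as the original). The shebang is now the very
# first line: the original echo started with a newline, so the file had no
# valid interpreter line. The subject is in ASCII double quotes; the
# original's ‘…’ were not quotes to sh, so the subject split into words.
RkhunterCron=/etc/cron.daily/rkhunter.sh
cat > "$RkhunterCron" <<EOF
#!/bin/sh
(
rkhunter --versioncheck
rkhunter --update
rkhunter --cronjob --report-warnings-only
) | /bin/mail -s "rkhunter Daily Run ($ServerName)" "$AdminMail"
EOF
# Only root (run-parts) needs to read or run it.
chmod 0700 "$RkhunterCron"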
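#############
#Install NCDU
#############
# ncdu: interactive disk-usage viewer for the admin; ASCII quotes so the
# colour codes are interpreted instead of printed.
echo -e "${Green}Installing NCDU...${NoColour}"
yum install -y ncdu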
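#############
#Install LMD
#############
echo -e "${Green}Installing LMD...${NoColour}"
# NOTE(review): the tarball is fetched over plain http and its install.sh is
# run as root with no checksum or signature check, so anyone on the network
# path can substitute it. Verify the archive before relying on this.
LmdTmp=$(mktemp -d) || exit 1
LmdUrl="http://www.rfxn.com/downloads/maldetect-current.tar.gz"
LmdTar="$LmdTmp/maldetect-current.tar.gz"
wget -O "$LmdTar" "$LmdUrl" || wget -O "$LmdTar" "$LmdUrl"
if [ ! -s "$LmdTar" ]; then
  echo "File not found! continuing without Linux Malware Detect. To install later, please visit $LmdUrl"
else
  # Subshell: cwd returns here afterwards, so removing the temp dir is safe.
  ( cd "$LmdTmp" && tar xzf maldetect-current.tar.gz && cd maldetect-*/ && ./install.sh )
  LmdConf=/usr/local/maldetect/conf.maldet
  if [ -f "$LmdConf" ]; then
    sed -i 's/email_alert=0/email_alert=1/g' "$LmdConf"
    # Alerts go to the administrator entered above. The original hard-coded
    # the author's own mailbox (monitor@fraksken.be), which shipped malware
    # hit reports from every install to a third party.
    AdminMailSed=$(printf '%s' "$AdminMail" | sed 's/[\/&]/\\&/g')
    sed -i "s/email_addr=\"you@domain.com\"/email_addr=\"$AdminMailSed\"/g" "$LmdConf"
    sed -i 's/quar_hits=0/quar_hits=1/g' "$LmdConf"
  fi
fi
rm -rf -- "$LmdTmp"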
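#############
#SSH
#############
echo -e "${Green}Configuring SSHD...${NoColour}"
ValueSSH="ssh"
SshdConfig=/etc/ssh/sshd_config
SshPort=""
# Find the port registered for the service named "ssh" (if any).
sshcounter=0
for sshname in "${ServicesList[@]}"; do
  if [ "$sshname" = "$ValueSSH" ]; then
    echo -e "${Green} Found ${NoColour}"
    SshPort="${ServicesPortList[$sshcounter]}"
    echo -e "${Green}The SSH port number is stored in $sshcounter and is port $SshPort ${NoColour}"
    break
  fi
  sshcounter=$(( sshcounter + 1 ))
done
if [ -n "$SshPort" ]; then
  # sshd_config has no quotes around "Port 22" and the value must be
  # expanded, so: double quotes, no literal '"' in the pattern. Handles both
  # the commented default and an existing Port line.
  if grep -q '^#\?Port ' "$SshdConfig"; then
    sed -i "s/^#\?Port .*/Port $SshPort/" "$SshdConfig"
  else
    echo "Port $SshPort" >> "$SshdConfig"
  fi
  # CentOS 6 runs SELinux enforcing by default; sshd cannot bind a
  # non-default port until it is labelled ssh_port_t (semanage is in
  # policycoreutils-python). Without this the port change locks you out.
  if [ "$SshPort" != "22" ] && command -v semanage >/dev/null 2>&1; then
    semanage port -a -t ssh_port_t -p tcp "$SshPort" 2>/dev/null \
      || semanage port -m -t ssh_port_t -p tcp "$SshPort"
  fi
fi
sed -i 's/^#LoginGraceTime 2m/LoginGraceTime 30/' "$SshdConfig"
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' "$SshdConfig"
sed -i 's/^#MaxAuthTries 6/MaxAuthTries 5/' "$SshdConfig"
# Restrict logins to the new admin user. The original `s/MaxAuthTries 5/a
# AllowUsers $NewUser/` was a substitution, not an append: it replaced the
# line with the bogus keyword "a" (and a literal "$NewUser"), which sshd
# rejects -- combined with PermitRootLogin no that is a remote lockout.
if [ -n "$NewUser" ] && ! grep -q "^AllowUsers[[:space:]].*\b$NewUser\b" "$SshdConfig"; then
  echo "AllowUsers $NewUser" >> "$SshdConfig"
fi
# Validate before applying. The original never restarted sshd, so nothing
# above took effect until the next reboot -- when a bad file would have
# stopped sshd from starting at all.
if /usr/sbin/sshd -t; then
  service sshd reload || service sshd restart
  echo -e "${Green}sshd config file changed.${NoColour}"
else
  echo -e "${Red}sshd_config failed validation (sshd -t); not reloading. Fix it before closing this session.${NoColour}"
fi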
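#############
#firewall
#############
echo -e "${Green}Creating IPTables Firewall...${NoColour}"
FirewallDir="/home/$NewUser"
if [ -z "$NewUser" ] || [ ! -d "$FirewallDir" ]; then
  echo -e "${Red}home directory of '$NewUser' not found; writing firewall.sh to /root${NoColour}"
  FirewallDir=/root
fi
FirewallScript="$FirewallDir/firewall.sh"
# The whole script is generated inside one redirected group, with printf for
# every value. The original redirected only half of the per-host lines to the
# file and echoed the rest to the terminal, so those rules came out as
# "iptables -A INPUT -s 1.2.3.4Description" and failed.
{
  printf '%s\n' '#!/bin/bash' 'service iptables start' 'iptables -F'
  # Loopback and reply traffic first, so the DROP policy set at the end can
  # never cut the current SSH session or local services.
  printf '%s\n' 'iptables -A INPUT -i lo -j ACCEPT'
  printf '%s\n' 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  i2=0
  while [ "$i2" -lt "$i" ]; do
    printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT #%s\n' \
      "${ServicesProtList[$i2]}" "${ServicesPortList[$i2]}" "${ServicesList[$i2]}"
    i2=$(( i2 + 1 ))
  done
  if [ -n "$LocalHomeIp" ]; then
    # Every port from the home address -- this is the lock-out safety net.
    printf 'iptables -A INPUT -s %s -j ACCEPT #Home\n' "$LocalHomeIp"
  fi
  iServer2=0
  while [ "$iServer2" -lt "$iServer" ]; do
    if [ "${AddServerIPPort[$iServer2]}" = "0" ]; then
      printf 'iptables -A INPUT -s %s -j ACCEPT #%s\n' \
        "${AddServerIP[$iServer2]}" "${AddServerIPDesc[$iServer2]}"
    else
      printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT #%s\n' \
        "${AddServerIP[$iServer2]}" "${AddServerIPProt[$iServer2]}" \
        "${AddServerIPPort[$iServer2]}" "${AddServerIPDesc[$iServer2]}"
    fi
    iServer2=$(( iServer2 + 1 ))
  done
  printf '%s\n' 'iptables -P INPUT DROP' 'iptables -P FORWARD DROP' 'iptables -P OUTPUT ACCEPT'
  # `service iptables save` writes the rules; chkconfig makes them load at boot.
  printf '%s\n' '/sbin/service iptables save' 'chkconfig iptables on' 'iptables -L -v'
} > "$FirewallScript"
chmod 755 "$FirewallScript"
# NOTE(review): only IPv4 is filtered. If $ServerIpv6 was given, ip6tables is
# untouched and every IPv6 port stays reachable; add matching ip6tables rules
# (or block IPv6) before relying on this policy.
"$FirewallScript"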
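#############
#Disable Single User Mode
#############
# More precisely: require the root password in single-user mode (sulogin
# instead of sushell, which drops straight into a root shell).
echo -e "${Green}Disabling Single User Mode...${NoColour}"
# '|' as the sed delimiter: the paths contain '/', so the original
# expression failed with "unknown option to `s'" and sushell stayed in place.
sed -i 's|SINGLE=/sbin/sushell|SINGLE=/sbin/sulogin|' /etc/sysconfig/init
# Runlevel S entry, added once. Built in a private mktemp file rather than a
# fixed /tmp/out that another local user could pre-create; install(1) writes
# a fresh /etc/inittab with normal mode and SELinux label.
if ! grep -q '^su:S:wait:/sbin/sulogin' /etc/inittab; then
  InittabTmp=$(mktemp) || exit 1
  { echo "su:S:wait:/sbin/sulogin"; cat /etc/inittab; } > "$InittabTmp" \
    && install -m 0644 -o root -g root "$InittabTmp" /etc/inittab
  rm -f -- "$InittabTmp"
fi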
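#############
#Install LYNIS
#############
echo -e "${Green}Installing LYNIS...${NoColour}"
# NOTE(review): fetched over plain http with no checksum or signature check,
# then unpacked as root into /opt. Verify the archive before trusting the
# audit results it produces.
LynisTmp=$(mktemp -d) || exit 1
LynisUrl="http://cisofy.com/files/lynis-1.5.2.tar.gz"
LynisTar="$LynisTmp/lynis-1.5.2.tar.gz"
wget -O "$LynisTar" "$LynisUrl" || wget -O "$LynisTar" "$LynisUrl"
# -s: an empty file is left behind when the download fails. (The original
# test had no space before ']' and so never passed.)
if [ ! -s "$LynisTar" ]; then
  echo "File not found! continuing without LYNIS. To install later, please visit http://cisofy.com/files/"
else
  tar xzf "$LynisTar" -C /opt
fi
rm -rf -- "$LynisTmp"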
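#############
#INSTALL LOGWATCH And TCPDUMP
#############
echo -e "${Green}Installing LOGWATCH and TCPDUMP...${NoColour}"
# Plain ASCII "-y": the original "–y" (en dash) was taken as a package name,
# so yum prompted and stalled the unattended run ("Asks anyway and halts").
yum install -y logwatch tcpdump
# Site settings belong in /etc/logwatch/conf/logwatch.conf, which overrides
# /usr/share/logwatch/default.conf/logwatch.conf and survives package
# updates. printf expands the values; the original single-quoted sed wrote
# the literal "$AdminMail", and its Detail expression was unterminated.
mkdir -p /etc/logwatch/conf
{
  printf 'MailTo = %s\n' "$AdminMail"
  printf 'MailFrom = Logwatch@%s.%s\n' "$ServerName" "$TopDomain"
  printf 'Detail = Med\n'
} >> /etc/logwatch/conf/logwatch.conf
# The original also un-excluded zz-network, zz-sys and eximstats in the
# packaged default file. Kept, but note this edit is lost on package update.
LogwatchDefault=/usr/share/logwatch/default.conf/logwatch.conf
if [ -f "$LogwatchDefault" ]; then
  sed -i 's/^Service = "-zz-network"/#Service = "-zz-network"/' "$LogwatchDefault"
  sed -i 's/^Service = "-zz-sys"/#Service = "-zz-sys"/' "$LogwatchDefault"
  sed -i 's/^Service = "-eximstats"/#Service = "-eximstats"/' "$LogwatchDefault"
fi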
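#############
#INSTALL Virtualmin
#############
echo -e "${Green}Installing VirtualMin${NoColour}"
if [[ "$VirtMin" =~ ^[yY]$ ]]; then
  # NOTE(review): install.sh is fetched over http and executed as root with
  # no integrity check -- verify it before running this on anything that
  # matters. It lives in a private mktemp dir and is made 0700, not 777: the
  # original chmod 777 let any local user edit the script in the window
  # between download and execution by root.
  VirtTmp=$(mktemp -d) || exit 1
  VirtUrl="http://software.virtualmin.com/gpl/scripts/install.sh"
  VirtSh="$VirtTmp/install.sh"
  wget -O "$VirtSh" "$VirtUrl" || wget -O "$VirtSh" "$VirtUrl"
  if [ ! -s "$VirtSh" ]; then
    echo "File not found! continuing without VIRTUALMIN. To install later, please visit virtualmin.com"
  else
    chmod 0700 "$VirtSh"
    "$VirtSh"
    VirtMinCh=""
    while [[ ! "$VirtMinCh" =~ ^[yYnN]$ ]]; do
      echo -e "change VirtualMin ports? (y/n)"
      read -r VirtMinCh
    done
    if [[ "$VirtMinCh" =~ ^[yY]$ ]]; then
      VirtMinPort=""
      while ! [[ "$VirtMinPort" =~ ^[0-9]+$ ]] \
        || [ "$VirtMinPort" -lt 1 ] || [ "$VirtMinPort" -gt 65535 ]; do
        echo -e "New Virtualmin Port nr (1-65535)"
        read -r VirtMinPort
      done
      # Double quotes so the port is expanded (the original single quotes
      # wrote "$VirtMinPort" literally). "port" is the listening port;
      # "listen" is the UDP discovery port -- see the notes below.
      if [ -f /etc/webmin/miniserv.conf ]; then
        sed -i "s/^port=.*/port=$VirtMinPort/" /etc/webmin/miniserv.conf
        sed -i "s/^listen=.*/listen=$VirtMinPort/" /etc/webmin/miniserv.conf
        # NOTE(review): the firewall script was generated earlier from the
        # services list, so this port is only reachable if it was listed
        # there. Usermin's port (/etc/usermin/miniserv.conf) is not changed.
        service webmin restart
      fi
    fi
  fi
  rm -rf -- "$VirtTmp"
fi
############ If installed virtualmin => set versions to empty
############The main port for Virtualmin/Webmin is in /etc/webmin/miniserv.conf, entry "port". The other entry with the default port 10000, "listen", applies to the UDP broadcast "search for Webmins" function.
############The port for Usermin is in /etc/usermin/miniserv.conf, entry "port".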
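#############
#INSTALL ZABBIX Agent
#############
echo -e "${Green}Installing Zabbix Agent ${NoColour}"
if [[ "$ZabAg" =~ ^[yY]$ ]]; then
  echo -e "prepairing packages for installing zabbix 2.2.5 agent"
  # NOTE(review): the RPMs come over plain http and rpm -ivh installs them
  # even when the signature cannot be checked (the Zabbix signing key is not
  # imported here). Verify with `rpm -K` against a key obtained out of band,
  # or install from the zabbix-release repository with gpgcheck=1.
  ZabTmp=$(mktemp -d) || exit 1
  ZabBase="http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64"
  ZabRpms="zabbix-2.2.5-1.el6.x86_64.rpm zabbix-agent-2.2.5-1.el6.x86_64.rpm zabbix-get-2.2.5-1.el6.x86_64.rpm"
  ZabOk=1
  for ZabRpm in $ZabRpms; do
    wget -O "$ZabTmp/$ZabRpm" "$ZabBase/$ZabRpm" || wget -O "$ZabTmp/$ZabRpm" "$ZabBase/$ZabRpm"
    # The original printed "Abort" here but carried on; skipping the agent
    # install is what actually happened, so say so.
    if [ ! -s "$ZabTmp/$ZabRpm" ]; then
      echo "File not found: $ZabRpm. Skipping the Zabbix agent install."
      ZabOk=0
      break
    fi
  done
  if [ "$ZabOk" -eq 1 ]; then
    echo -e "files successfully downloaded"
    echo -e "installing rpms"
    ( cd "$ZabTmp" && rpm -ivh $ZabRpms )
  fi
  rm -rf -- "$ZabTmp"
else
  echo -e "${Red}skipping Zabbix Agent Install${NoColour}"
fi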
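echo -e "${Green}finish${NoColour}"
#FINAL SECURITY CHECK -- run before `exit`; the original placed these after
# it, so they never ran.
# --propupd records the current file properties as rkhunter's baseline; do it
# only now, with every package in place, or later runs flag them as changed.
if command -v rkhunter >/dev/null 2>&1; then
  rkhunter --update
  rkhunter --propupd
fi
# NOTE(review): lynis 1.x appears to expect to be started from its own
# directory -- confirm; hence the cd in a subshell.
for LynisDir in /opt/lynis-*; do
  if [ -x "$LynisDir/lynis" ]; then
    ( cd "$LynisDir" && ./lynis --check-all -Q )
  fi
done
# Author's remaining scratch notes, kept as comments (they were unreachable
# bare text after `exit` in the original):
#   if ssh = 1 sed -i ...   (apply SSH settings only when "ssh" was listed)
#   /etc/fail2ban/jail.conf: mailto the admin address
#   chkconfig --level 23 fail2ban on ; service fail2ban start
exit 0
[/code]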