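#!/bin/bash
#Roy Cohen          :roy@wondercohen.nl
#Wonder Cohen       :The Hague The Netherlands
#objective          :Post install script for master node/ansible node
#First line of code :07/Mar/2020
#last update        :15/Nov/2021
#version            :1.0
#syntax example     :./<this script>   (run as root; output is also copied to /root/<host>_<timestamp>.log)
#
# Review notes - what changed against the original and why:
#  - Generated files (/etc/issue, block_ip.sh, shell.sh, sshd_config, the rsyslog and
#    fail2ban drop-ins) are written with heredocs instead of echo -e, so embedded quotes
#    and $variables are no longer mangled at install time (the rsyslog filter lost its
#    quotes, the RHEL block_ip.sh had $ip_to_block expanded to "" when it was written,
#    and shell.sh named its log file literally '$\(whoami\)_<user>.log').
#  - Admin addresses are validated before they go into firewall/fail2ban rules, and the
#    deny-by-default firewall is only applied when at least one admin address is known.
#  - The sudo rule used by shell.sh no longer takes a wildcard argument: sudo matches
#    wildcards across argument boundaries and chattr follows symlinks, so any user could
#    make arbitrary files append-only.  A no-argument root helper does the locking now.
#  - The installer's own IP is no longer baked into the pre-authentication SSH banner.
#  - sshd_config is syntax-checked, and a non-root authorized key must exist, before sshd
#    is restarted with password logins disabled.
#  - Network literals that were redacted in the source are now explicit variables below;
#    the functions that need them refuse to run while they are empty.
#
# -u: an unset variable aborts (catches typos such as the original 'export $SOURCE_USER').
# -o pipefail: a failing pipeline stage is reported.  -e is deliberately NOT set: several
# firewall-cmd/ufw calls are expected to fail harmlessly (removing a service that is not
# there) and a half-configured node is worse than a logged error.
set -uo pipefail

# VARS
#hostnamectl set-hostname lx-ubt-rtm0-101.wondercohen.org
DEB_OS="/etc/lsb-release"
RHEL_OS="/etc/redhat-release"
# Static admin address (IPv4, optional /prefix) that is always allowed in.  Empty = none.
MY_IP=""
# Management network (IPv4 CIDR) allowed through ufw on Debian hosts.  The literal was
# redacted in the copy this script was taken from ("1/24"); set it before running.
MGMT_NET=""
# First three octets of the static networks written by network_setting().  Both values were
# redacted in the source.  NET_PREFIX_A is used for host numbers 99-200, NET_PREFIX_B for
# every other host number.  network_setting() does nothing while the needed one is empty.
NET_PREFIX_A=""
NET_PREFIX_B=""
# Address the current admin session comes from.  Prefer what sshd recorded for this session;
# fall back to the FROM column of "who -m" for non-ssh logins.  (The original took column 8
# of "w -i", which depends on the column layout of w.)
SOURCE_CONNECTION="${SSH_CONNECTION:-}"
SOURCE_CONNECTION="${SOURCE_CONNECTION%% *}"
if [[ -z "$SOURCE_CONNECTION" ]]; then
  SOURCE_CONNECTION=$(who -m 2>/dev/null | awk '{ gsub(/[()]/, "", $NF); print $NF }')
fi
#SOURCE_IP=$(last -a | grep "logged in"|awk '{print $10}')
mkdir -p /root/tools

# is_ipv4 ADDR -> true when ADDR looks like a dotted-quad IPv4 address with an optional
# /prefix.  A shape check only; it exists so that an empty or garbage SOURCE_CONNECTION can
# never end up inside a firewall, fail2ban or block_ip.sh rule.
is_ipv4() {
  [[ "${1:-}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]
}

# admin_ips -> prints the validated admin addresses (MY_IP, SOURCE_CONNECTION), one per line.
admin_ips() {
  local addr
  for addr in "$MY_IP" "$SOURCE_CONNECTION"; do
    is_ipv4 "$addr" && printf '%s\n' "$addr"
  done
  return 0
}

# host_number -> 4th dash-separated field of the short hostname (lx-ubt-rtm0-101 -> 101).
# The naming convention is the only thing main() and network_setting() key on.
host_number() {
  hostname -f | cut -d "." -f1 | cut -d "-" -f4
}

function install_software(){
  echo "*** Starting install software function ***"
  if test -f "$DEB_OS"; then
    # Refresh the package index first: installing from a stale index fails on a fresh image.
    export DEBIAN_FRONTEND=noninteractive
    apt-get -y update
    apt-get -y install net-tools git bash-completion fail2ban
    apt-get -y upgrade
  else
    yum install -y vim wget curl net-tools lsof bind-utils epel-release bash-completion git
    # fail2ban and aide are separate transactions so they can resolve from the EPEL repo
    # that the previous line enables.
    yum install -y fail2ban
    yum install -y aide
    yum -y update
  fi
}

function issue_motd(){
  echo "*** Starting /etc/issue ***"
  # /etc/issue is shown by getty and - via "Banner /etc/issue.net" in sshd_config - to every
  # client BEFORE authentication.  The original also appended "You Are Logedin from: <ip>"
  # with the installer's own address expanded at install time, which disclosed that address
  # to anyone who connects; the line is dropped.
  cat <<'EOF' > /etc/issue
 ------------------------------------------------------------------------
|                       *** NOTICE TO USERS ***                        |
| This computer system is the private property of Wonder Cohen         |
| It is for authorized use only.                                       |
|                                                                      |
| Users (authorized or unauthorized) have no explicit or implicit      |
| expectation of privacy.                                              |
|                                                                      |
| Any or all uses of this system and all files on this system may be   |
| intercepted, monitored, recorded, copied, audited, inspected, and    |
| disclosed to your employer, to authorized site, government, and law  |
| enforcement personnel, as well as authorized officials of government |
| agencies, both domestic and foreign.                                 |
|                                                                      |
| By using this system, the user consents to such interception,        |
| monitoring, recording, copying, auditing, inspection, and disclosure |
| at the discretion of such personnel or officials. Unauthorized or    |
|improper use of this system may result in civil and criminal penalties|
| and administrative or disciplinary action, as appropriate. By        |
| continuing to use this system you indicate your awareness of and     |
| consent to these terms and conditions of use. LOG OFF IMMEDIATELY if |
| you do not agree to the conditions stated in this warning.           |
 ------------------------------------------------------------------------
EOF
  cat /etc/issue > /etc/issue.net
}

function tooling(){
  echo "*** Starting Tooling function ***"
  local allow
  allow=$(admin_ips | tr '\n' ' ')
  # block_ip.sh bans the 20 busiest SRC= addresses in the firewall drop log.  The admin
  # addresses known at install time are embedded in ALLOW so a few dropped packets from the
  # admin's own host (a port scan, a typo'd port) can never lock the admin out.  The shebang
  # is now the first line; in the original it was the second, so the kernel would not have
  # run the file directly.
  if test -f "$DEB_OS"; then
    {
      printf '#!/bin/bash\n'
      printf '#script to block malicious IP sources for Wonder Cohen 23-jun-2021\n'
      printf 'ALLOW="%s"\n' "$allow"
      cat <<'EOF'
LOG=/var/log/ufw.log
OCT='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
for ip_to_block in $(grep -E -oh "SRC=$OCT\.$OCT\.$OCT\.$OCT" "$LOG" | grep -v "SRC=0.0.0.0" | cut -d "=" -f2 | sort | uniq -c | sort -n | tail -n 20 | awk '{print $2}'); do
  # never ban an address the admin uses
  case " $ALLOW " in *" $ip_to_block "*) continue ;; esac
  ufw reject proto tcp from "$ip_to_block"
done
# Truncate so the next run only counts new entries (as in the original).  The log is not
# archived first - copy it elsewhere before this line if the evidence is needed.
: > "$LOG"
EOF
    } > /root/tools/block_ip.sh
    chmod 700 /root/tools/block_ip.sh
    # echo "0 23 * * * root /root/tools/block_ip.sh" >> /etc/crontab
  else
    {
      printf '#!/bin/bash\n'
      printf '#script to block malicious IP sources for Wonder Cohen 23-jun-2021\n'
      printf 'ALLOW="%s"\n' "$allow"
      cat <<'EOF'
LOG=/var/log/firewall-droppd.log
OCT='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
for ip_to_block in $(grep -E -oh "SRC=$OCT\.$OCT\.$OCT\.$OCT" "$LOG" | grep -v "SRC=0.0.0.0" | cut -d "=" -f2 | sort | uniq -c | sort -n | tail -n 20 | awk '{print $2}'); do
  # never ban an address the admin uses
  case " $ALLOW " in *" $ip_to_block "*) continue ;; esac
  firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$ip_to_block' drop"
done
# one reload for all new rules (the original reloaded inside the loop)
firewall-cmd --reload
# Truncate so the next run only counts new entries (as in the original).  The log is not
# archived first - copy it elsewhere before this line if the evidence is needed.
: > "$LOG"
EOF
    } > /root/tools/block_ip.sh
    chmod 700 /root/tools/block_ip.sh
    # echo "0 23 * * * root /root/tools/block_ip.sh" >> /etc/crontab
  fi
}

function shell_sh(){
  echo "*** Starting shell_sh function ***"
  if ! command -v sudo >/dev/null 2>&1; then
    echo "shell_sh: sudo is not installed; history files cannot be made append-only" >&2
  fi
  # 1723 with root as owner: every user can create their own log file, nobody can list,
  # rename or remove other users' files, and no user can replace the directory itself.
  mkdir -p /var/log/history/
  chown root:root /var/log/history
  chmod 1723 /var/log/history
  # Root helper that marks the calling user's own history files append-only.  It takes NO
  # arguments: the original sudo rule "chattr +a /var/log/history/*" let any user run
  # "sudo chattr +a /var/log/history/x /etc/shadow" (sudo wildcards match across argument
  # boundaries) or point chattr at a symlink in the sticky directory (chattr follows them).
  cat <<'EOF' > /usr/local/sbin/lock-history
#!/bin/bash
# Invoked via sudo, without arguments, from /etc/profile.d/shell.sh.
# Makes the invoking user's own files in /var/log/history append-only.
# Trusts only SUDO_USER (set by sudo) and skips symlinks and files owned by anybody else.
[ -n "${SUDO_USER:-}" ] || exit 1
for f in /var/log/history/"$SUDO_USER"_*.log; do
  [ -f "$f" ] && [ ! -L "$f" ] || continue
  [ "$(stat -c %U "$f")" = "$SUDO_USER" ] || continue
  /usr/bin/chattr +a "$f"
done
exit 0
EOF
  chown root:root /usr/local/sbin/lock-history
  chmod 755 /usr/local/sbin/lock-history
  # The trailing "" in sudoers allows the command only when it is run with no arguments.
  echo 'ALL ALL=(root) NOPASSWD: /usr/local/sbin/lock-history ""' > /etc/sudoers.d/chattr
  chmod 440 /etc/sudoers.d/chattr
  if ! visudo -cf /etc/sudoers.d/chattr; then
    echo "shell_sh: sudoers fragment rejected by visudo, removing it" >&2
    rm -f /etc/sudoers.d/chattr
  fi
  cat <<'EOF' > /etc/profile.d/shell.sh
#Roy Cohen                     :roy@wondercohen.nl
#Wonder Cohen                  :The Hague The Netherlands
#objective                     :create a history file of all user activities also after sudo command
#location                      :/etc/profile.d/shell.sh
#First line of code            :02/Nov/2020
#last update                   :15/Nov/2021
#version                       :1.0
#Additional info               :inspired by a similar script by E. de Wolf version 151119
#Instructions for installation :installed by the post-install script (shell_sh function), which also
#                              :creates /var/log/history (mode 1723) and the sudo rule for
#                              :/usr/local/sbin/lock-history
# Only bash has HISTFILE/shopt; other shells that source profile.d skip this file.
[ -n "${BASH_VERSION:-}" ] || return 0
#Users
ACTIVE_USER=$(whoami)
# login user of this terminal's utmp entry, so the file stays named after the person who logged in
SOURCE_USER=$(who -m | awk '{ print $1 }')
#Path
LOG_LOCATION="/var/log/history/${ACTIVE_USER}_${SOURCE_USER}.log"
#timeout logoff
TMOUT=900
export TMOUT
readonly TMOUT
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
#unlimited
export HISTFILESIZE=
export HISTSIZE=
export SOURCE_USER
export HISTIGNORE=''
export HISTCONTROL='ignoreboth'
export HISTTIMEFORMAT="${HISTTIMEFORMAT:-%F %H:%M:%S }"
shopt -s histappend
export PROMPT_COMMAND="history -a; ${PROMPT_COMMAND:-}"
# /var/log/history is world-writable (sticky), so another user may have pre-created a file
# with this name.  Writing this session's history into a file somebody else owns would leak
# it to them; keep bash's default HISTFILE in that case and say so.
if [ -e "$LOG_LOCATION" ] && [ ! -O "$LOG_LOCATION" ]; then
  echo "shell.sh: $LOG_LOCATION is not owned by $ACTIVE_USER, session history is not logged there" >&2
else
  export HISTFILE="$LOG_LOCATION"
  readonly HISTFILE
  #lock history file: create it owner-only, then let root mark it append-only
  if [ ! -f "$LOG_LOCATION" ]; then
    touch "$LOG_LOCATION" && chmod 0600 "$LOG_LOCATION" && sudo -n /usr/local/sbin/lock-history
  fi
fi
readonly HISTIGNORE
EOF
  # Sourced by login shells: must be readable by everyone, needs no exec bit.
  chmod 644 /etc/profile.d/shell.sh
}

function sshd_config(){
  echo "*** Starting Ssh function ***"
  local cfg=/etc/ssh/sshd_config backup
  # With PasswordAuthentication no and PermitRootLogin no, a host where no non-root user has
  # an authorized_keys file is unreachable after the restart.  Refuse rather than lock out.
  if [[ -z "$(find /home -mindepth 3 -maxdepth 3 -path '*/.ssh/authorized_keys' -type f -print -quit 2>/dev/null)" ]]; then
    echo "sshd_config: no /home/*/.ssh/authorized_keys found; not disabling password logins" >&2
    return 1
  fi
  backup="$cfg.bak.$(date +%Y%m%d%H%M)"
  cp -p "$cfg" "$backup"
  cat <<'EOF' > "$cfg"
#ssh config for Wonder Cohen 23-jun-2021
SyslogFacility AUTHPRIV
PermitRootLogin no
MaxAuthTries 6
MaxSessions 5
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
# Kept as in the original; an ansible node normally has no use for X11 forwarding.
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
LogLevel INFO
Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitUserEnvironment no
# Idle sessions: a keepalive every 15 minutes, disconnect after 3 unanswered ones.  The
# original had ClientAliveCountMax 0, which OpenSSH 8.2 and later treat as "never disconnect".
ClientAliveInterval 15m
ClientAliveCountMax 3
LoginGraceTime 60
MaxStartups 10:30:60
AllowTcpForwarding no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Banner /etc/issue.net
# Overwriting the distro file drops its Subsystem line; without one sftp (and scp in recent
# OpenSSH, which uses sftp underneath) fails.  internal-sftp needs no distro-specific path.
Subsystem sftp internal-sftp
EOF
  # sshd refuses to start on a syntax error, which on a restart means no sshd at all.
  if ! sshd -t -f "$cfg"; then
    echo "sshd_config: new config rejected by sshd -t, restoring $backup" >&2
    cp -p "$backup" "$cfg"
    return 1
  fi
  systemctl restart sshd
  #mkdir -p /home/rcohen/.ssh/
  #chown rcohen:rcohen /home/rcohen/.ssh/
  #chmod 700 /home/rcohen/.ssh/
  #chmod 600 /home/rcohen/.ssh/authorized_keys
  #chown rcohen:rcohen /home/rcohen/.ssh/authorized_keys
}

function firewall(){
  echo "*** Starting firewalld function ***"
  if test -f "$DEB_OS"; then
    systemctl enable ufw
    # From here on only established sessions and the rules added by firewall_rules() get in.
    ufw --force enable
  else
    # The original enabled "firewall", which is not a unit; the service is firewalld.
    systemctl enable firewalld
    systemctl start firewalld
    cat <<'EOF' > /etc/firewalld/firewalld.conf
#firewalld.conf config for Wonder Cohen 23-jun-2021
DefaultZone=public
MinimalMark=100
CleanupOnExit=yes
Lockdown=no
IPv6_rpfilter=yes
IndividualCalls=no
LogDenied=all
AutomaticHelpers=system
# Zone drifting lets a packet that its source zone did not accept fall through to the
# interface's zone; firewalld itself logs the setting as insecure.  The original had yes.
AllowZoneDrifting=no
EOF
    firewall-cmd --reload
    # The property value must be quoted; the original echo -e stripped the quotes.  A
    # "& stop" is needed after EACH selector - "&" only refers to the previous line - or the
    # _DROP entries are written to the main syslog as well.
    cat <<'EOF' > /etc/rsyslog.d/firewalld-droppd.conf
#rsyslog_firewal logging config for Wonder Cohen 23-jun-2021
:msg,contains,"_DROP" /var/log/firewall-droppd.log
& stop
:msg,contains,"_REJECT" /var/log/firewall-droppd.log
& stop
EOF
    systemctl restart rsyslog.service
  fi
}

function firewall_rules(){
  echo "*** Starting firewall_rules function ***"
  local -a admins=()
  local ip
  mapfile -t admins < <(admin_ips)
  # Deny-by-default with no trusted source locks the admin out of the box.
  if (( ${#admins[@]} == 0 )); then
    echo "firewall_rules: no valid admin address (MY_IP='$MY_IP', SOURCE_CONNECTION='$SOURCE_CONNECTION'); rules not applied" >&2
    return 1
  fi
  if test -f "$DEB_OS"; then
    for ip in "${admins[@]}"; do
      ufw allow proto tcp from "$ip"
    done
    if is_ipv4 "$MGMT_NET"; then
      ufw allow proto tcp from "$MGMT_NET"
    else
      echo "firewall_rules: MGMT_NET is not set; management network not allowed in" >&2
    fi
    ufw default deny incoming
    ufw reload
  else
    firewall-cmd --set-log-denied=all
    firewall-cmd --get-log-denied
    # public is the default zone: strip every service so only trusted sources get in.
    firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public
    firewall-cmd --permanent --remove-service=cockpit --zone=public
    firewall-cmd --permanent --remove-service=ssh --zone=public
    # Kept from the original.  Nothing in this script binds an interface or source to the
    # "drop" zone, so these services have no effect until something does.
    firewall-cmd --zone=drop --permanent --add-service=http
    firewall-cmd --zone=drop --permanent --add-service=https
    firewall-cmd --zone=drop --permanent --add-service=samba-client
    firewall-cmd --zone=drop --permanent --add-service=dhcpv6-client
    firewall-cmd --zone=drop --permanent --add-service=cockpit
    firewall-cmd --zone=drop --permanent --add-service=ssh
    for ip in "${admins[@]}"; do
      firewall-cmd --zone=trusted --permanent --add-source="$ip"
    done
    firewall-cmd --reload
  fi
}

function fail2ban(){
  echo "*** Starting Fail2ban function ***"
  local ignore
  ignore=$(admin_ips | tr '\n' ' ')
  # The script runs as root; the original's "sudo systemctl start" was redundant.
  systemctl enable fail2ban && systemctl start fail2ban
  # Unquoted heredoc: only ${ignore} is expanded, the quoted words in the comments survive.
  cat <<EOF > /etc/fail2ban/jail.local
[DEFAULT]
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
bantime = 86400
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 5
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
# Loopback plus the admin addresses known at install time (MY_IP / SOURCE_CONNECTION),
# so the admin's own mistyped passphrases never ban the admin.
ignoreip = 127.0.0.1/8 ::1 ${ignore}
# Call iptables to ban IP address
banaction = iptables-multiport
# Enable sshd protection
[sshd]
enabled = true
EOF
  systemctl restart fail2ban
}

function network_setting(){
  echo "*** Starting Network function ***"
  local num prefix set_ip netplan_file
  num=$(host_number)
  # Host numbers 99-200 live on one network, everything else on another; both prefixes were
  # redacted in the source and must be filled in at the top of this file.
  if [[ "$num" =~ ^[0-9]+$ ]] && (( num >= 99 && num <= 200 )); then
    prefix="$NET_PREFIX_A"
  else
    prefix="$NET_PREFIX_B"
  fi
  if [[ -z "$prefix" ]]; then
    echo "network_setting: NET_PREFIX_A/NET_PREFIX_B not set; network left untouched" >&2
    return 1
  fi
  if test -f "$DEB_OS"; then
    # Last octet of the first address on ens3 becomes the host part on ens8 (as in the
    # original, which cut the 4th dotted field of "ip -4 a show ens3").
    set_ip=$(ip -4 -o addr show dev ens3 | awk 'NR==1 { print $4 }' | cut -d "/" -f1 | cut -d "." -f4)
    if ! [[ "$set_ip" =~ ^[0-9]+$ ]]; then
      echo "network_setting: could not read an IPv4 address from ens3; network left untouched" >&2
      return 1
    fi
    # NOTE(review): the output path of the original netplan write was lost in the copy this
    # was taken from; adjust if the node already uses a different netplan file for ens8.
    netplan_file=/etc/netplan/50-ens8-static.yaml
    # dhcp4 plus a static address on the same interface is kept as in the original.
    # The /24 matches the NETMASK used in the RHEL branch.
    cat <<EOF > "$netplan_file"
network:
  version: 2
  renderer: networkd
  ethernets:
    ens8:
      dhcp4: yes
      optional: true
      dhcp6: no
      addresses:
        - ${prefix}.${set_ip}/24
EOF
    chmod 600 "$netplan_file"
    netplan apply
  else
    set_ip=$(ip -4 -o addr show dev eth0 | awk 'NR==1 { print $4 }' | cut -d "/" -f1 | cut -d "." -f4)
    if ! [[ "$set_ip" =~ ^[0-9]+$ ]]; then
      echo "network_setting: could not read an IPv4 address from eth0; network left untouched" >&2
      return 1
    fi
    # The original wrote "ONBOOT=yesn" and left echo -e's leading spaces in the file.
    cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
NETBOOT=yes
BOOTPROTO=static
IPADDR=${prefix}.${set_ip}
NETMASK=255.255.255.0
ZONE=public
EOF
    systemctl restart network.service
  fi
}

#https://kifarunix.com/install-and-configure-aide-on-ubuntu-20-04/
function aide(){
  echo "*** Starting aide function ***"
  # Debian/Ubuntu only: aideinit and /etc/aide/aide.conf come from the Debian packaging.
  # install_software() installs aide on RHEL but nothing initialises it there.
  if ! test -f "$DEB_OS"; then
    echo "aide: only implemented for Debian/Ubuntu, skipping" >&2
    return 1
  fi
  apt-get -y install aide
  aideinit
  cp /var/lib/aide/aide.db{.new,}
  cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
  aide -c /etc/aide/aide.conf -C
  # Append the cron line only once so re-running the installer does not duplicate it.
  if ! grep -qF '/usr/sbin/aide -c /etc/aide/aide.conf -C' /etc/crontab; then
    echo "0 0 * * * root /usr/sbin/aide -c /etc/aide/aide.conf -C" >> /etc/crontab
  fi
}

function main(){
  local num
  if (( EUID != 0 )); then
    echo "This script must be run as root" >&2
    return 1
  fi
  num=$(host_number)
  # The original compared the hostname field with -ge, which throws "integer expression
  # expected" on a non-numeric field; the regex makes the requirement explicit.
  if [[ "$num" =~ ^[0-9]+$ ]] && (( num >= 99 )); then
    install_software
    issue_motd
    sshd_config
    shell_sh
    firewall
    firewall_rules
    fail2ban
    network_setting
    tooling
    #aide
  else
    echo "Please set a valid hostname"
  fi
}
main 2>&1 | tee "/root/$(hostname)_$(date +%Y%m%d%H%M).log"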