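#!/bin/bash
# Set up iptables, disable root login and create an unprivileged user.
# User info is displayed at the end of the script and also saved as /root/auth.txt.
# Must be run as root.
#
# Usage: cp /usr/share/webmin/geoserver/scripts/secure-debian.txt /opt/secure-debian.sh
# Usage: cd /opt
# Usage: chmod +x secure-debian.sh
# Usage: ./secure-debian.sh

# Abort on the first failing command. Set here rather than in the shebang so
# it also applies when the script is invoked as "bash secure-debian.sh".
set -e

# Change the user name below to something else!
# Name of the unprivileged account created by secure_ssh.
UNPRIV_USER='helmin'
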
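#######################################
# Write a default-DROP INPUT ruleset in iptables-save format, install a
# boot-time hook that reloads it, and apply it immediately.
# Globals:   none
# Arguments: none
# Outputs:   /etc/iptables.save (ruleset),
#            /etc/network/if-pre-up.d/iptablesload (reload hook)
# Returns:   non-zero if a write, chmod or iptables-restore fails (set -e)
#######################################
install_iptables() {
  local -r rules_file='/etc/iptables.save'
  local -r hook_file='/etc/network/if-pre-up.d/iptablesload'

  # NOTE(review): the "--tcp-flags ACK ACK" rule accepts any TCP segment with
  # ACK set regardless of connection state, so it bypasses the DROP policy for
  # ACK-flagged probes; the ESTABLISHED/RELATED rules already admit legitimate
  # return traffic. Also Postgres (5432), pgbouncer (6432) and Tomcat (8080)
  # are opened to every source address. Rules kept as-is here — confirm both
  # are intended and restrict by source/remove if not.
  #
  # The delimiter is quoted so nothing in the body is subject to shell expansion.
  cat >"${rules_file}" <<'EOF'
# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Generated by iptables-save
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Generated by iptables-save
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 3824 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Allow DNS zone transfers
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# Allow DNS queries
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 110,995
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 143,220,993
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Tomcat
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
# Allow connections to Postgres
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
# Allow connections to pgbouncer
-A INPUT -p tcp -m tcp --dport 6432 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 3838 -j ACCEPT
COMMIT
EOF

  # Reload the SAME file the rules were just saved to on every interface
  # bring-up. The hook previously restored /etc/iptables.rules, a file this
  # script never writes, so the firewall silently vanished after a reboot.
  cat >"${hook_file}" <<EOF
#!/bin/sh
iptables-restore < ${rules_file}
exit 0
EOF
  # if-pre-up.d scripts are only executed when they are executable.
  chmod 755 -- "${hook_file}"

  iptables-restore < "${rules_file}"
}
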
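#######################################
# Create the unprivileged login user with a random password, record that
# password in /root/auth.txt (mode 0600), move sshd to port 3824 and forbid
# root login.
# Globals:   UNPRIV_USER (read) - name of the account to create
# Arguments: none
# Outputs:   appends "<user> pass: <password>" to /root/auth.txt on first run
# Returns:   non-zero if sshd rejects the edited config or any step fails (set -e)
#######################################
secure_ssh() {
  local -r auth_file='/root/auth.txt'
  local -r sshd_config='/etc/ssh/sshd_config'
  local -r ssh_port=3824   # must match the port opened in install_iptables
  local user_pass

  # id(1) tests for an exact account name; the former grep over /etc/passwd
  # matched the name as a substring of any field of any line.
  if ! id -u "${UNPRIV_USER}" >/dev/null 2>&1; then
    useradd -m "${UNPRIV_USER}"
  fi

  # The auth file holds plaintext passwords: never let it be created with the
  # umask default (usually 0644) and tighten it if it already exists.
  if [ ! -e "${auth_file}" ]; then
    ( umask 077 && touch "${auth_file}" )
  fi
  chmod 600 -- "${auth_file}"

  # Generate the password only once so re-running the script does not rotate
  # it; -s keeps grep quiet (and the test false) if the file is missing.
  if ! grep -qs -- "${UNPRIV_USER} pass" "${auth_file}"; then
    # Alphabet: letters, digits, '_' and '-' (same set as before, spelled
    # without the confusing interleaved ranges).
    user_pass=$(tr -dc '_A-Za-z0-9-' </dev/urandom | head -c32)
    printf '%s:%s\n' "${UNPRIV_USER}" "${user_pass}" | chpasswd
    printf '%s pass: %s\n' "${UNPRIV_USER}" "${user_pass}" >>"${auth_file}"
  fi

  # Both edits in one sed invocation: a second "-i.save" would overwrite the
  # backup of the original config with the half-edited file. Patterns are
  # anchored so a directive mentioned inside a comment is left alone.
  sed -i.save \
    -e "s/^#\?Port [0-9]\+/Port ${ssh_port}/" \
    -e 's/^#\?PermitRootLogin.*/PermitRootLogin no/' \
    "${sshd_config}"

  # If a directive was absent altogether (not just commented out) sed changed
  # nothing and sshd would keep its default, so add it explicitly.
  grep -q "^Port ${ssh_port}\$" "${sshd_config}" \
    || printf 'Port %s\n' "${ssh_port}" >>"${sshd_config}"
  grep -q '^PermitRootLogin no$' "${sshd_config}" \
    || printf 'PermitRootLogin no\n' >>"${sshd_config}"

  # Validate before restarting: restarting on a broken config would cut off
  # remote access. sshd normally lives in /usr/sbin, on root's PATH.
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "${sshd_config}"
  fi
  service ssh restart
}
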
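# Everything below edits /etc, user accounts and the firewall; refuse to run
# as a non-root user up front instead of failing half-way through.
if [ "$(id -u)" -ne 0 ]; then
  printf 'secure-debian.sh must be run as root\n' >&2
  exit 1
fi

# auth.txt will contain plaintext passwords: create it 0600 rather than with
# the umask default, and tighten it if a previous run left it readable.
( umask 077 && touch /root/auth.txt )
chmod 600 /root/auth.txt

apt-get -y install iptables
install_iptables
secure_ssh

# The generated credentials are intentionally printed once, to the operator.
echo "Passwords saved in /root/auth.txt"
cat /root/auth.txt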