#1 (permalink)  
Old 03-19-2005, 02:25 AM
Registered User
 
Join Date: Sep 2004
Location: Cleveland, Ohio
Posts: 378
Blue|Fusion
Automated security script

Well, out of mostly boredom and an interest in security and shell scripting (just learned the shell scripting last weekend), I started writing a script to automatically take care of many of the simple security tasks of a Linux system.

It is only recommended to be used on freshly installed OSes as it may overwrite your own configs (however everything that gets modified does get backed up).

Currently, this script does the following:
-Install APF
-Install BFD
-Install RKHunter
-Download an optimized and more secure my.cnf depending on MySQL version (4.0 or 4.1, no 3.x)
-Secure /tmp and /dev/shm in /etc/fstab; if /tmp is not in /etc/fstab and cPanel is present, /scripts/securetmp is executed
-Disable Telnet
-Force SSH 2 Protocol

It has an automatic updater, to ensure it runs the latest version. If cPanel is present, it uses an already cPanel-ready conf.apf; however, DEVMODE IS ENABLED, so you will have to disable that once you ensure everything is properly configured.

It's still under some development. The script works very well, as reported by several people, and tested myself on RHEL3, CentOS4, and FC3. It has only been tested on, and is recommended for, Red Hat based systems (RH9, RHEL3,4, CentOS3,4, FC1,2,3,4). All other Linux distributions have not been tested yet, and if you would like to try it out, you have to enable devmode in the script, otherwise it will stop when it can't find /etc/redhat-release.

You can download and execute the script with the following command (as root):
Code:
wget http://richgannon.net/securescript/secure.sh; chmod 700 secure.sh; sh secure.sh
NOTICE:
I am not responsible for any data loss or downtime you may experience with the use of this script. So far, none was reported; however, this is to be used at your own risk! Again, it is to be used to initially secure your RH based server (with or without cPanel).

If you have any questions, comments, or suggestions, feel free to let me know (post here or PM is fine). As of currently, the site I am planning to use for the release and support of this script is under development, so email or PM would be the best way to get help with this script if necessary.

This script is not a 100% sure way to secure your server, either. There's always one more thing to do. Also, be sure to read the README file downloaded after running, or view it at:
Code:
http://richgannon.net/securescript/README.secure
Enjoy!
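A read-only check for settings listed in the first post (the /tmp and /dev/shm mount options, telnet, and the SSH protocol version), as an added example that is not part of the original post or of secure.sh. It assumes noexec,nosuid as the mount options and an xinetd-managed telnet service, neither of which the thread specifies; the function names and sample files are constructed.

```shell
# Added example, not from secure.sh. Assumptions (not stated in the thread):
# noexec,nosuid are the wanted mount options; telnet is an xinetd service file.

# Succeeds if the fstab ($1) entry for mount point $2 has every option in $3...
mount_has_opts() {
    m_opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1")
    [ -n "$m_opts" ] || return 1          # no entry for this mount point
    shift 2
    for m_want in "$@"; do
        case ",$m_opts," in *",$m_want,"*) ;; *) return 1 ;; esac
    done
}

# Succeeds if the first active Protocol line in sshd_config ($1) is exactly "2".
ssh_protocol2_only() {
    [ "$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")" = "2" ]
}

# Succeeds if xinetd file $1 is absent or its last "disable" setting is "yes".
telnet_disabled() {
    [ -f "$1" ] || return 0
    awk -F= '{ gsub(/[ \t]/, "") } $1 == "disable" { v = $2 }
             END { exit !(v == "yes") }' "$1"
}

# audit FSTAB SSHD_CONFIG XINETD_TELNET: one PASS/FAIL line per check;
# the return status is the number of failed checks.
audit() {
    a_fails=0
    for a_mp in /tmp /dev/shm; do
        if mount_has_opts "$1" "$a_mp" noexec nosuid; then echo "PASS $a_mp noexec,nosuid"
        else echo "FAIL $a_mp not in fstab or lacks noexec,nosuid"; a_fails=$((a_fails + 1)); fi
    done
    if ssh_protocol2_only "$2"; then echo "PASS sshd forces Protocol 2"
    else echo "FAIL sshd does not force Protocol 2"; a_fails=$((a_fails + 1)); fi
    if telnet_disabled "$3"; then echo "PASS telnet disabled"
    else echo "FAIL telnet enabled in xinetd"; a_fails=$((a_fails + 1)); fi
    return "$a_fails"
}

# Constructed sample files (not taken from any real host).
make_samples() {
    printf '%s\n' '/dev/sda1 / ext3 defaults 1 1' \
        '/dev/sda3 /tmp ext3 defaults,noexec,nosuid 1 2' \
        'none /dev/shm tmpfs defaults 0 0' > "$1/fstab"
    printf '%s\n' '#Protocol 2,1' 'Protocol 2' > "$1/sshd_config"
    printf '%s\n' 'service telnet' '{' '    disable = no' '}' > "$1/telnet"
}
d=$(mktemp -d); make_samples "$d"
audit "$d/fstab" "$d/sshd_config" "$d/telnet" || echo "$? check(s) failed"
rm -rf "$d"
```

On a Red Hat style host the call would be `audit /etc/fstab /etc/ssh/sshd_config /etc/xinetd.d/telnet`.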
  #2 (permalink)  
Old 03-19-2005, 09:10 PM
Registered User
 
Join Date: Dec 2001
Posts: 1,558
haze
I'm creating a similar program myself. I've written it in bash, but I'm porting it to Perl so I can implement some of the nifty things I have planned. That said, do you really want to be modifying a user's my.cnf and other such files? That not only takes the script beyond a "security updater" to a general purpose.. something or other. Not to mention that a user's my.cnf really depends on many factors and not just what version of MySQL they have.
__________________
Beau Henderson
  #3 (permalink)  
Old 03-20-2005, 04:56 PM
Registered User
 
Join Date: Sep 2004
Location: Cleveland, Ohio
Posts: 378
Blue|Fusion
That's true. The my.cnf is the really not-so-important file edited. I think I'll keep it, however I'm going to make sure it is an official MySQL RPM, as opposed to the distro RPM. These modified my.cnf files have been working on Official MySQL RPMs for a while now so those should not be a problem, but you're right. Distro RPMs may have different options and can be problematic.

I was also thinking of porting it to Perl (although I know nothing in Perl, yet), however that may not happen for some time.
  #4 (permalink)  
Old 04-16-2005, 12:11 AM
Registered User
 
Join Date: Jan 2003
Posts: 152
qwerty
If you're concerned about security I'd say don't just follow instructions from a stranger and execute a script he/she wrote, as root. Inspect the script first and only if you understand what it does completely, THEN execute it ..

2c
  #5 (permalink)  
Old 04-16-2005, 12:15 AM
Registered User
 
Join Date: Sep 2004
Location: Cleveland, Ohio
Posts: 378
Blue|Fusion
I agree 100% with that. To view the script, you can download it, and view it first with wget http://richgannon.net/securescript/secure.sh or just view it in browser in plain text at http://richgannon.net/securescript/secure.sh
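The review-then-run advice in posts #4 and #5, as an added example that is not part of the thread or of secure.sh: viewing the script in a browser and then running the wget one-liner fetches it twice over plain HTTP, so this example runs only the local copy whose SHA-256 matches the digest recorded at review time. The function names, file names and script body are constructed.

```shell
# Added example: execute a downloaded script only if it is byte-for-byte the
# copy that was reviewed. Names and the stand-in script body are constructed.

# Prints the SHA-256 hex digest of file $1.
digest() { sha256sum "$1" | awk '{ print $1 }'; }

# record_review FILE PINFILE: call after reading FILE; stores its digest.
record_review() { digest "$1" > "$2"; }

# run_reviewed FILE PINFILE: runs FILE only if it matches the recorded digest.
# Returns 3 without executing anything if no review is recorded or FILE differs.
run_reviewed() {
    [ -s "$2" ] || { echo "no review recorded for $1" >&2; return 3; }
    if [ "$(digest "$1")" != "$(cat "$2")" ]; then
        echo "refusing to run $1: content changed since review" >&2
        return 3
    fi
    sh "$1"
}

w=$(mktemp -d)
# Stand-in for the downloaded file; on a real host this is the wget output.
printf '%s\n' '#!/bin/sh' 'echo "hardening steps would run here"' > "$w/secure.sh"
record_review "$w/secure.sh" "$w/secure.sh.sha256"        # after reading the file
run_reviewed  "$w/secure.sh" "$w/secure.sh.sha256"        # digest matches: runs
# Simulate the file changing afterwards (re-download, self-update, tampering).
echo 'echo "line added after review"' >> "$w/secure.sh"
run_reviewed  "$w/secure.sh" "$w/secure.sh.sha256" || echo "blocked (status $?)"
rm -rf "$w"
```

The recorded digest covers only the copy that was read; anything the script downloads while it runs, including a newer version of itself, is outside that check.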
  #6 (permalink)  
Old 06-18-2009, 04:00 AM
Registered User
 
Join Date: Apr 2006
Posts: 23
fineline
---Update---

Please note that Rich's site is no longer active and this script is not available from his site anymore.
  #7 (permalink)  
Old 06-18-2009, 06:13 AM
Forum Moderator
 
Join Date: May 2003
Location: Pennsylvania
Posts: 3,498
Infopro
I don't use this script and cannot tell you if it'll break your server or not, but the link for it is now here.
servermonkeys.com/els.php