The Community Forums

Interact with an entire community of cPanel & WHM users!

Automated security script

Discussion in 'Security' started by Blue|Fusion, Mar 19, 2005.

  1. Blue|Fusion

    Blue|Fusion Well-Known Member

    Well, out of mostly boredom and an interest in security and shell scripting (just learned the shell scripting last weekend), I started writing a script to automatically take care of many of the simple security tasks of a Linux system.

    It is only recommended to be used on freshly installed OSes as it may overwrite your own configs (however everything that gets modified does get backed up).

    Currently, this script does the following:
    -Install APF
    -Install BFD
    -Install RKHunter
    -Download an optimized and more secure my.cnf depending on MySQL version (4.0 or 4.1, no 3.x)
    -Secure /tmp and /dev/shm in /etc/fstab, if /tmp is not in /etc/fstab and cPanel is present, /scripts/securetmp is executed
    -Disable Telnet
    -Force SSH 2 Protocol

    It has an automatic updater, to ensure it runs the latest version. If cPanel is present, it uses an already cPanel ready conf.apf, however DEVMODE IS ENABLED, so you will have to disable that once you ensure everything is properly configured.

    It's still under some development. The script works very well, as reported by several people, and tested myself on RHEL3, CentOS4, and FC3. It has only been tested and is recommended for Red Hat based systems (RH9, RHEL3,4, CentOS3,4, FC1,2,3,4). All other Linux distributions have not been tested yet, and if you would like to try it out, you have to enable devmode in the script, otherwise it will stop when it can't find /etc/redhat-release.

    You can download and execute the script with the following command (as root):
    Code:
    wget http://richgannon.net/securescript/secure.sh; chmod 700 secure.sh; sh secure.sh
    NOTICE:
    I am not responsible for any data loss or downtime you may experience with the use of this script. So far, none was reported, however this is to be used at your own risk! Again, it is to be used to initially secure your RH based server (with or without cPanel).

    If you have any questions, comments, or suggestions, feel free to let me know (post here or PM is fine). As of currently, the site I am planning to use for the release and support of this script is under development, so email or PM would be the best way to get help with this script if necessary.

    This script is not a 100% sure way to secure your server, either. There's always one more thing to do. Also, be sure to read the README file downloaded after running, or view it at:
    Code:
    http://richgannon.net/securescript/README.secure
    Enjoy!
     
  2. haze

    haze Well-Known Member

    I'm creating a similar program myself. I've written it in bash, but I'm porting it to Perl so I can implement some of the nifty things I have planned. That said, do you really want to be modifying a user's my.cnf and other such files? That not only takes the script beyond a "security updater" to a general purpose.. something or other. Not to mention that a user's my.cnf really depends on many factors and not just what version of MySQL they have.
     
  3. Blue|Fusion

    Blue|Fusion Well-Known Member

    That's true. The my.cnf is the really not-so-important file edited. I think I'll keep it, however I'm going to make sure it is an official MySQL RPM, as opposed to the distro RPM. These modified my.cnf files have been working on Official MySQL RPMs for a while now so those should not be a problem, but you're right. Distro RPMs may have different options and can be problematic.

    I was also thinking of porting it to Perl (although I know nothing in Perl, yet), however that may not happen for some time.
     
  4. qwerty

    qwerty Well-Known Member

    If you're concerned about security I'd say don't just follow instructions from a stranger and execute a script he/she wrote, as root. Inspect the script first and only if you understand what it does completely, THEN execute it ..

    2c
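
The inspect-before-running advice in the post above, as an added shell example that is not part of the thread or of the script it discusses: flag the lines worth reading first, then run only the copy whose SHA-256 matches the one recorded at review time. The function names and the sample file are hypothetical and constructed for illustration; the grep patterns are assumptions based on the changes the first post lists.

```shell
#!/usr/bin/env bash
# Added example: gate a downloaded installer behind review and a pinned hash.
# All names here (review_flags, hash_matches, run_if_pinned) are hypothetical.

# Print, with line numbers, the lines that deserve a close read before the
# script is run as root: network fetches (including self-update logic) and
# edits to the system files the first post says the script touches.
review_flags() {
    grep -nE -- 'wget|curl|/etc/fstab|sshd_config|my\.cnf|chmod|rm -' "$1"
}

# Succeed only if the file's SHA-256 equals the hash recorded at review time.
hash_matches() {
    local file=$1 pinned=$2 actual
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$pinned" ]
}

# Run the reviewed local copy, never a fresh download. A script that updates
# itself at run time defeats this check, so its updater is one of the things
# to look for during review.
run_if_pinned() {
    local file=$1 pinned=$2
    if ! hash_matches "$file" "$pinned"; then
        echo "refusing to run $file: contents differ from the reviewed copy" >&2
        return 1
    fi
    sh "$file"
}

# Constructed sample standing in for a downloaded installer (written to disk
# for review only; example.invalid is a placeholder host).
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
wget -q http://example.invalid/update.sh -O /tmp/update.sh
cp /etc/fstab /etc/fstab.bak
echo "done"
EOF
}
```

Record the hash with `sha256sum` once the review is finished, and pass that value to `run_if_pinned` on every later run.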
     
  5. Blue|Fusion

    Blue|Fusion Well-Known Member

  6. fineline

    fineline Active Member

    ---Update---

    Please note that Rich's site is no longer active and this script is not available from his site anymore.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I don't use this script and cannot tell you if it'll break your server or not, but the link for it is now here.
    servermonkeys.com/els.php
     