A few of you may remember a few months back I started to learn Shell and Bash and made a script to automatically do some basic security things. Well lately, I have been putting some more time into it and here's what I came up with so far, although I usually add/edit a little something every once in a while to make it better (like all developers :) ).
Updated: December 11, 2005
Current Version: 1.3.6
Anyway, here's what it does:
-Install RKHunter
-Install RKHunter Cronjob which emails a user-set email address nightly
-Install/update APF
-Import old APF rules in an upgrade
-Add SM/TP monitoring IPs (view information on these in Orbit)
-Install/update BFD
-Install CHKROOTKIT
-Install CHKROOTKIT Cronjob which emails a user-set email address nightly
-Disable Telnet
-Force SSH Protocol 2
-Secure /tmp
-Secure /var/tmp
-Secure /dev/shm
-Install/update Zend Optimizer
-Install/update eAccelerator
-MySQL 4.0 and 4.1 Configuration Optimization (cPanel only)
-Upgrade MySQL to 4.1 (cPanel only)
-Tweak WHM Settings for security and stability
-Configure RNDC if not already done (cPanel only)
-Change SSH port (also configure APF as necessary)
-Add wheel user and disable direct root login over SSH
-Optimize MySQL tables
-Install/update Libsafe
-Install/update ImageMagick (from latest source)
-Uninstall LAuS
-Harden sysctl.conf
-Install Chirpy's Free Exim Dictionary Attack ACL
And more!
You can also run it with the --updatesoftware option and it will automatically upgrade RKHunter, APF, and BFD to the latest version.
The downloaded tarballs of RKHunter, BFD, APF, and CHKROOTKIT are from my own repository; however, they are unchanged from the original sites. You can confirm this with the MD5s if you wish.
RKHunter, APF, BFD, CHKROOTKIT, and other tarballs are checked for MD5 mismatches before extracting to ensure the downloads are not corrupted.
Better OS/binary checks are performed before any installing. If a necessary binary isn't present, it will stop before making any changes.
Backups of changed files are kept in /usr/local/els/bakfiles and all source files are worked with in /usr/local/els/src to keep things more organized.
This script works best with Red Hat Enterprise Linux version 3 (Taroon Update 4 and 5) and with cPanel 10.x installed.
Please let me know if you have any problems with this script, or any additions you would like to see. I'm also not the best at coding so if you know how to code and you see a problem with it, please let me know.
You can download and execute this script by copying the following command:
Code:
wget --output-document=installer.sh 'http://nsonetworks.com/request.php?1'; chmod +x installer.sh; sh installer.sh
The installer script will automatically download and check the md5sum of the tarball (which is only another 2 scripts), as well as make the /usr/local/els directory and subdirectories.
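The check-before-extract behaviour described above (verify the digest, confirm the needed binaries exist, and stop before changing anything) can be sketched as follows. This is an added example, not code from the script in the post; the function names `verify_and_extract` and `make_sample_tarball` are hypothetical, the sample tarball is constructed, and the optional tool argument goes slightly beyond the post's MD5-only check.

```shell
#!/bin/bash
# Added example, not code from the ELS script.
# verify_and_extract TARBALL EXPECTED_DIGEST DEST_DIR [TOOL]
#   TOOL defaults to md5sum, the check the post describes; sha256sum also works.
#   Returns 0 = extracted, 1 = digest mismatch, 2 = missing binary or file,
#   3 = extraction failed.
verify_and_extract() {
    local tarball="$1" expected="$2" dest="$3" tool="${4:-md5sum}" actual
    # Check prerequisites first so a failure leaves the system untouched.
    command -v "$tool" >/dev/null 2>&1 || { echo "missing binary: $tool" >&2; return 2; }
    command -v tar >/dev/null 2>&1 || { echo "missing binary: tar" >&2; return 2; }
    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 2; }
    # The first field of md5sum/sha256sum output is the hex digest.
    actual=$("$tool" "$tarball" | awk '{print $1}')
    # Published digests vary in letter case, so normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: $tarball (expected $expected, got $actual)" >&2
        return 1
    fi
    # Only now create the destination and unpack.
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest" || return 3
}

# Constructed sample input: a tiny tarball holding one script.
make_sample_tarball() {
    mkdir -p "$1/pkg" && echo 'echo installed' > "$1/pkg/install.sh" &&
    tar -czf "$1/pkg.tar.gz" -C "$1" pkg && echo "$1/pkg.tar.gz"
}

# Run with --demo to see an intact and a corrupted download handled.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d); tb=$(make_sample_tarball "$work")
    good=$(md5sum "$tb" | awk '{print $1}')
    verify_and_extract "$tb" "$good" "$work/src" && echo "intact copy extracted"
    echo x >> "$tb"   # simulate a corrupted download
    verify_and_extract "$tb" "$good" "$work/src2" || echo "corrupted copy refused (rc=$?)"
    rm -rf "$work"
fi
```

The destination directory is created only after the digest matches, so a refused tarball leaves nothing behind in the source directory.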