#!/bin/bash
install_prerequisities() {
echo -e "\nBefore we install any prerequisities, this script will remove many rpm groups and packages to make the system \"cleaner\"."
read -p "Are you sure you want to remove them? Y/N:" -n 1 -r
if [[ $REPLY =~ ^[Yy]$ ]]
then
yum groupremove "E-mail server" "Graphical Administration Tools" "Perl Support" "Network file system client" "Web Server" "PHP Support" "PostgreSQL Database server" "MySQL Database server"
yum remove epel* rpmforge* webmin* virtualmin* php* perl* mysql* postgre* http*
fi
yum install wget mlocate subversion perl at git man
}
set_repos() {
if [ ! -f /etc/yum.repos.d/rpmforge.repo ]
then echo -e "RPMForge"
yum -q localinstall --nogpgcheck http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
else echo -e "RPMForge repository already set"
fi
if [ ! -f /etc/yum.repos.d/epel.repo ]
then echo -e "EPEL"
yum -q localinstall --nogpgcheck http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
else echo -e "EPEL repository already set"
fi
if [ ! -f /etc/yum.repos.d/rpmfusion-free-updates.repo ]
then echo -e "RPMFusion"
yum -q localinstall --nogpgcheck http://download1.rpmfusion.org/free/el/updates/6/i386/rpmfusion-free-release-6-1.noarch.rpm
yum -q localinstall --nogpgcheck http://download1.rpmfusion.org/nonfree/el/updates/6/i386/rpmfusion-nonfree-release-6-1.noarch.rpm
else echo -e "RPMFusion repository already set"
fi
if [ ! -f /etc/yum.repos.d/atomic.repo ]
then echo -e "Atomic"
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
else echo -e "Atomic repository already set"
fi
echo -e "Disabling added repositories"
sed -i "s@^enabled.*@enabled=0@" /etc/yum.repos.d/atomic*.repo
sed -i "s@^enabled.*@enabled=0@" /etc/yum.repos.d/epel*.repo
sed -i "s@^enabled.*@enabled=0@" /etc/yum.repos.d/rpmforge*.repo
sed -i "s@^enabled.*@enabled=0@" /etc/yum.repos.d/rpmfusion*.repo
echo -e "Done."
}
update_install() {
echo -e "Install common packages"
yum --enablerepo=atomic,epel,rpmforge install php-mcrypt php-pecl-apc php-pecl-memcache phpMyAdmin memcached htop mytop optipng
echo -e "Adjust Memcached setting and enable start on boot"
sed -i "s@CACHESIZE.*@CACHESIZE=\"1024\"@g" /etc/sysconfig/memcached
sed -i "s@OPTIONS.*@OPTIONS=\"-l localhost\"@g" /etc/sysconfig/memcached
chkconfig memcached on
service memcached restart
if [ ! -f /etc/yum.repos.d/mod-pagespeed.repo ]
then echo -e "\nInstall of mod_pagespeed"
rpm --import https://dl-ssl.google.com/linux/linux_signing_key.pub
yum -q -y localinstall https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_$(uname -i).rpm
else echo -e "\nmod_pagespeed repository already set"
fi
echo -e "Updating system"
yum update
echo -e "Update PHP and MySQL from Atomic repository"
yum --enablerepo=atomic update php mysql
echo -e "MySQL upgrade"
mysql_upgrade -u root -p
}
system_settings() {
#################################################
## ##
## These settings are taken from CentOS wiki: ##
## ##
## http://wiki.centos.org/HowTos/OS_Protection ##
## ##
#################################################
##########################
# Basic System behaviour #
##########################
echo -e "Disable the key check for interactive mode"
sed -i "s@^PROMPT.*@PROMPT=no@" /etc/sysconfig/init
echo -e "Limit number of TTYs"
sed -i "s@\[1-6\]@\[1\]@" /etc/sysconfig/init
echo -e "Prompt for password on single-user mode"
sed -i "s@^SINGLE.*@SINGLE=/sbin/sulogin@" /etc/sysconfig/init
echo -e "Disable shutdown via Ctrl+Alt+Del"
sed -i "s@^start@#start@" /etc/init/control-alt-delete.conf
echo -e "Change default password length requirement"
sed -i "s@pam_cracklib.so try@pam_cracklib.so minlen=9 try@" /etc/pam.d/system-auth
echo -e "Use sha512 instead of md5 for password protection"
authconfig --passalgo=sha512 --update
echo -e "Use timestamps within History"
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' > /etc/profile.d/history.sh
########################
# Restrict cron and at #
########################
echo -e "Restrict 'cron' and 'at' to root only"
if [ ! -f /etc/cron.allow ]
then touch /etc/cron.allow
fi
chmod 600 /etc/cron.allow
awk -F: '{ print $1 }' /etc/passwd | grep -v root > /etc/cron.deny
if [ ! -f /etc/at.allow ]
then touch /etc/at.allow
fi
chmod 600 /etc/at.allow
awk -F: '{ print $1 }' /etc/passwd | grep -v root > /etc/at.deny
##################################
# Directory and file permissions #
##################################
echo -e "Set up important directory and file permissions"
chmod 700 /root
chmod 600 /etc/rsyslog.conf
chmod 640 /etc/security/access.conf
chmod 600 /etc/sysctl.conf
chmod -R 700 /etc/skel
chmod 740 /etc/rc.d/init.d/iptables
chmod 740 /sbin/iptables
chmod 700 /var/log/audit
################
# Delete users #
################
echo -e "User clean-up"
for USER in shutdown\
halt\
games\
operator\
gopher
do userdel ${USER}
done
############################
# Blacklist kernel modules #
############################
echo -e "Blacklisting SCSI fcoe kernel modules"
for FCOE in $(find /lib/modules/`uname -r`/kernel/drivers/scsi/fcoe -name "*.ko" -type f)
do
echo blacklist ${FCOE} >> /etc/modprobe.d/blacklist-fcoe.conf
done
echo -e "Blacklisting USB Mass Storage modules"
for USBS in $(find /lib/modules/`uname -r`/kernel/drivers/usb/storage -name "*.ko" -type f)
do
echo blacklist ${USBS} >> /etc/modprobe.d/blacklist-usbstorage.conf
done
echo -e "Blacklisting Wireless kernel modules"
for WIFI in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f)
do
echo blacklist ${WIFI} >> /etc/modprobe.d/blacklist-wireless.conf
done
###########################
# Sysctl network security #
###########################
echo -e "Hardening Sysctl network settings"
# Packet forwarding
sysctl -w net.ipv4.ip_forward=0
# ICMP redirects
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
# SYN backlog size - double the size
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
# PING broadcasts
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# Source routing ability
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
# Log Martian packets
sysctl -w net.ipv4.conf.all.log_martians=1
# Ignore bogus ICMP error responses
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# SYN flood attacks protection
sysctl -w net.ipv4.tcp_syncookies=1
# Drop packets from wrong interface (will be logged as Martian)
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
# No timestamps
sysctl -w net.ipv4.tcp_timestamps=0
##########################
# TCP wrapper - SSH only #
##########################
echo -e "Permit SSH only using TCP wrapper"
echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
##########################################
# Disconnect idle users after 15 minutes #
##########################################
echo -e "\nDisconnect idle users after 15 minutes"
cat > /etc/profile.d/idle-users.sh << EOF
readonly TMOUT=900
readonly HISTFILE
EOF
chmod +x /etc/profile.d/idle-users.sh
############################################
# Install ConfigServer Security & Firewall #
############################################
echo -e "Installation of ConfigServer Security & Firewall"
wget http://configserver.com/free/csf.tgz -O - | tar xzf -
cd csf && ./install.sh && cd .. && rm -rf csf csf.tgz
echo -e "\n#########################################"
echo -e "#"
echo -e "# IMPORTANT!!!"
echo -e "#"
echo -e "# Please navigate to Virtualmin GPL UI,"
echo -e "# install CSF Webmin module, enable it,"
echo -e "# disable 'testing mode' and set the"
echo -e "# Firewall level (e.g. 'low')."
echo -e "#"
echo -e "#########################################"
}
ssh_settings() {
#######################################################
## ##
## These settings are taken from CentOS wiki: ##
## ##
## http://wiki.centos.org/HowTos/Network/SecuringSSH ##
## ##
#######################################################
# echo -e "\nDisable Root logins"
# sed -i "s@^#PermitRootLogin.*@PermitRootLogin no@" /etc/ssh/sshd_config
# echo -e "\nLimit user logins"
# sed -i "s@.*AllowUsers.*@AllowUsers admin@" /etc/ssh/sshd_config
echo -e "Disable Protocol 1"
sed -i "s@.*Protocol.*@Protocol 2@" /etc/ssh/sshd_config
# echo -e "Use a Non-Standard Port"
# PORT=$(shuf -i 40000-65000 -n 1)
# sed -i "s@#Port.*@Port ${PORT}@" /etc/ssh/sshd_config
# echo -e "Open port ${PORT} in the firewall"
# if [ -f /etc/sysconfing/iptables ]
# then
# sed -i "/dport ssh/d" /etc/sysconfig/iptables
# sed -i "s@dport 22@dport ${PORT}@" /etc/sysconfig/iptables
# echo -e "Apply IPTables settings"
# service iptables restart
# else
# echo -e "\n#######################################"
# echo -e "#"
# echo -e "# IPTables configuration file not found!"
# echo -e "#"
# echo -e "# Verify correct settings in Virtualmin!"
# echo -e "#"
# echo -e "# Check Option \"Linux Firewall\""
# echo -e "#"
# echo -e "#######################################"
# fi
# echo -e "Disable password authentication forcing use of keys"
# sed -i "s@.*PasswordAuthentication yes.*@PasswordAuthentication no@" /etc/ssh/sshd_config
echo -e "Create network login banner - /etc/issue"
cat > /etc/issue << EOF
STOP:
ACCESS TO THIS COMPUTER IS PROHIBITED UNLESS AUTHORIZED.
USE OF THIS COMPUTER SYSTEM CONSTITUTES CONSENT TO MONITORING
OF THIS SYSTEM. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING
MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER
ADVERSE ACTION.
IF YOU ARE NOT AUTHORIZED DISCONNECT NOW. ACCESS FOR ANY OTHER
REASON IS AN ILLEGAL ACT AND MAY BE SUBJECT TO CIVIL RIGHT
ACTIONS!
EOF
echo -e "Enable network login banner in SSH"
sed -i "s@^#Banner.*@Banner /etc/issue@" /etc/ssh/sshd_config
echo -e "Enable agent forwarding"
sed -i "s@^#AllowAgentForwarding.*@AllowAgentForwarding yes@" /etc/ssh/sshd_config
echo -e "Enable TCP forwarding"
sed -i "s@^#AllowTcpForwarding.*@AllowTcpForwarding yes@" /etc/ssh/sshd_config
echo -e "Server key bits bigger"
sed -i "s@^#ServerKeyBits.*@ServerKeyBits 2048@" /etc/ssh/sshd_config
echo -e "Remove old server keys\n"
rm -vf /etc/ssh/ssh_host*
echo -e "Enable TCPKeepAlive"
sed -i "s@^#TCPKeepAlive.*@TCPKeepAlive yes@" /etc/ssh/sshd_config
echo -e "Set ClientAliveInterval"
sed -i "s@^#ClientAliveInterval.*@ClientAliveInterval 30@" /etc/ssh/sshd_config
echo -e "Permit tunneling"
sed -i "s@^#PermitTunnel.*@PermitTunnel yes@" /etc/ssh/sshd_config
echo -e "Restrict max number of retries"
sed -i "s@^#MaxAuthTries.*@MaxAuthTries 3@" /etc/ssh/sshd_config
echo -e "Disable UseDNS"
sed -i "s@^#UseDNS.*@UseDNS no@" /etc/ssh/sshd_config
echo -e "Restart sshd to apply changes\n"
service sshd restart
################################
# Print connection information #
################################
IP_ADDR=$(ip a s eth0 | grep 'inet ' | cut -d/ -f1 | awk '{ print $2 }')
echo -e "\n#######################################"
echo -e "#"
echo -e "# To connect to system use following:"
echo -e "#"
echo -e "# ssh -p ${PORT} root@${IP_ADDR}"
echo -e "#"
echo -e "#######################################"
}
mysql_settings() {
echo -e "Use the newest configuration file"
if [ -f /etc/my.cnf.rpmnew ]
then
mv /etc/my.cnf /etc/my.cnf.rpmold
mv /etc/my.cnf.rpmnew /etc/my.cnf
else
echo -e "Already using the latest my.cnf"
fi
echo -e "Bind MySQL to localhost only"
BINDLOCAL=$(grep -c bind-address /etc/my.cnf)
if [ ${BINDLOCAL} = 0 ]
then sed -i '/\[mysqld\]/a \
bind-address=localhost' /etc/my.cnf
else sed -i "s@.*bind-address.*@bind-address=localhost@" /etc/my.cnf
fi
echo -e "Restart mysqld to apply changes"
service mysqld restart
}
apache_settings() {
echo -e "Set Server HTTP response header to Prod"
sed -i "s@^ServerTokens.*@ServerTokens Prod@" /etc/httpd/conf/httpd.conf
echo -e "Enable keep-alive connections"
sed -i "s@^KeepAlive O.*@KeepAlive On@" /etc/httpd/conf/httpd.conf
echo -e "Enable transfer compression"
cat > /etc/httpd/conf.d/deflate.conf << EOF
SetOutputFilter DEFLATE
EOF
echo -e "Enable expire headers"
cat > /etc/httpd/conf.d/expires.conf << EOF
ExpiresActive On
Header unset Etag
Header set Cache-control "public, max-age=2592000"
EOF
# echo -e ""
# echo -e ""
}
php_settings() {
echo -e "Do not expose PHP version"
sed -i "s@.*expose_php =.*@expose_php = Off@" /etc/php.ini
echo -e "Set correct timezone"
TIMEZONE=$(cat /etc/sysconfig/clock | cut -d\" -f2)
sed -i "s@.*date.timezone =.*@date.timezone = ${TIMEZONE}@" /etc/php.ini
#echo -e "Set correct cookie domain"
#sed -i "s@.*session.cookie_domain =.*@session.cookie_domain = ${HOSTNAME}@" /etc/php.ini
echo -e "Apply new settings"
service httpd restart
}
print_usage() {
cat << EOF
Usage: $0 [-IRUOSMAPG]
This script performs initial setting of the system and common services
after fresh install of CentOS minimal Linux distribution.
OPTIONS:
-I Install prerequisities
-R Set up repositories
-U Update system and instal additional packages
-O Harden Operating System settings
-S Secure OpenSSH server settings
-M Tweak MySQL server settings
-A Tweak Apache server settings
-P Tweak PHP settings
-G Optimize PNG images
EOF
exit 1
}
optimize_images() {
find /home/*/public_html \( -name "*.png" -o -name "*.PNG" \) -type f | xargs optipng -o7
}
## Run it ##
if [ $# -eq 0 ]
then print_usage
fi
OPTIONS="IRUOSMAPG"
while getopts ${OPTIONS} optname
do
case "${optname}" in
"I")
echo -e "\nInstalling prerequisities"
install_prerequisities
;;
"R")
echo -e "\nSetting up repositories"
set_repos
;;
"U")
echo -e "\nUpdate system and install additional packages"
update_install
;;
"O")
echo -e "\nHardening Operating system settings"
system_settings
;;
"S")
echo -e "\nSecuring OpenSSH server settings"
ssh_settings
;;
"M")
echo -e "\nMySQL server settings"
mysql_settings
;;
"A")
echo -e "\nApache server settings"
apache_settings
;;
"P")
echo -e "\nPHP settings"
php_settings
;;
"G")
echo -e "\nOptimize images"
optimize_images
;;
"?")
print_usage
;;
# ":")
# echo "No argument value for option $OPTARG"
# ;;
# *)
# Should not occur
# echo "Unknown error while processing options"
# ;;
esac
done