-
Notifications
You must be signed in to change notification settings - Fork 1
/
Easy-Linux-Security.sh
3677 lines (3602 loc) · 156 KB
/
Easy-Linux-Security.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#!/bin/sh
#
# Copyright (C) 2005-2007 Martynas Bendorius and Richard Gannon. All Rights Reserved.
#
# Author: Martynas Bendorius <[email protected]> and Richard Gannon <[email protected]>
#
# For questions, comments, and support, please visit:
# www.servermonkeys.com
#
# Easy Linux Security (ELS), v. 3.0.0.0
#
##################################################################
# Easy Linux Security (ELS) is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version
#
# This program is distributed in the hope that it will be useful
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
#
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
##################################################################
##
##################################################################
## Set common variables
##################################################################
. variables.sh
if [ -e /usr/local/bin/php ]; then
PHPBINARY=/usr/local/bin/php
elif [ -e /usr/bin/php ]; then
PHPBINARY=/usr/bin/php
else
PHPBINARY=php
fi
##################################################################
## Define shared functions
##################################################################
## Ensures an RPM is installed. If not, try to install it with up2date, apt-get or yum
ensurerpm() {
if [ "`${RPM} -q $1`" = "package $1 is not installed" ]; then
echo "Trying to install $1..."
if [ -f ${YUM} ]; then
${YUM} -y install $1
elif [ -f ${UP2DATE} ]; then
${UP2DATE} -uf $1
else
echo "Unable to install $1."
export $2=1
fi
fi
}
ensuredeb(){
if [ "`${DPKG} -S $1`" = "dpkg: *$1* not found." ]; then
if [ -f ${APTGET} ]; then
${APTGET} -y install $1
else
echo "Unable to install $1."
export $2=1
fi
fi
}
## Our proceed prompt function
proceedfunc() {
echo -n "Proceed? (y/n): "
read PROCEEDASK
until [ "${PROCEEDASK}" = "y" ] || [ "${PROCEEDASK}" = "n" ]; do
echo -n "Please enter 'y' or 'n': "
read PROCEEDASK
done
}
##################################################################
## Define main program functions
##################################################################
## Make sure the script is being executed as root
rootcheck() {
if [ "${UID}" != "0" ]; then
echo "This program must be run as root. Exiting."
exit 0
fi
}
## Make sure the necessary binaries are present
binarycheckfunc() {
if [ ! -f $1 ]; then
echo " >>> $1 NOT FOUND! Aborting."
exit
fi
}
docheckall(){
binarycheckfunc ${WGET}
binarycheckfunc ${GREP}
binarycheckfunc ${TAR}
binarycheckfunc ${CAT}
binarycheckfunc ${TAIL}
if [ -e /etc/debian_version ]; then
binarycheckfunc ${DPKG}
else
binarycheckfunc ${RPM}
fi
binarycheckfunc ${HEAD}
binarycheckfunc ${MD5SUM}
binarycheckfunc ${RM}
binarycheckfunc ${MKDIR}
if [ "${SKIPMKE2FS}" != "1" ]; then
binarycheckfunc ${MKE2FS}
fi
## Make sure the directories required for ELS are present
if [ ! -d ${INSTALLDIR} ]; then
echo "${INSTALLDIR} does not exist. Creating."
${MKDIR} ${INSTALLDIR}
fi
if [ ! -d ${INSTALLDIR}/src ]; then
echo "${INSTALLDIR}/src does not exist. Creating."
${MKDIR} ${INSTALLDIR}/src
fi
if [ ! -d ${INSTALLDIR}/bakfiles ]; then
echo "${INSTALLDIR}/bakfiles does not exist. Creating."
${MKDIR} ${INSTALLDIR}/bakfiles
fi
## Let's put a link to the ELS binary in the user's PATH to make it easier to call
if [ ! -e /usr/local/bin/els ]; then
ln -s /usr/local/els/els.sh /usr/local/bin/els
NEWBINSYM=1
fi
echo "If you got no errors then everything is okay."
}
supporteddistros(){
## Make sure this is a supported distribution
if [ -e /etc/redhat-release ]; then
if [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $3, $7 }'`" = "Red Hat Enterprise 3" ]; then
DISTRO=RHEL3
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $3, $7 }'`" = "Red Hat Enterprise 4" ]; then
DISTRO=RHEL4
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $3 }' | ${CUT} -d '.' -f1`" = "CentOS 3" ]; then
DISTRO=CENTOS3
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $3 }' | ${CUT} -d '.' -f1`" = "CentOS 4" ]; then
DISTRO=CENTOS4
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $3 }' | ${CUT} -d '.' -f1`" = "CentOS 5" ]; then
DISTRO=CENTOS5
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2 }'`" = "Fedora Core" ]; then
DISTRO=FC`${CAT} /etc/redhat-release | ${AWK} '{ print $4 }'`
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2 }'`" = "Fedora release" ]; then
DISTRO=FC`${CAT} /etc/redhat-release | ${AWK} '{ print $3 }'`
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $5 }'`" = "Red Hat 9" ]; then
DISTRO=RH9
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $5 }' | ${CUT} -d '.' -f1`" = "Red Hat 7" ]; then
DISTRO=RH7
fi
elif [ -e /etc/debian_version ]; then
if [ "`${CAT} /etc/debian_version`" = "3.1" ] || [ "`${CAT} /etc/debian_version`" = "3.0" ]; then
DISTRO=DEBIAN3
fi
elif [ ! -e /etc/redhat-release ] || [ ! -e /etc/debian_version ]; then
echo "FAILED"
echo "Can not determine your Linux distribution."
echo "To prevent complications, this script will stop now."
echo "Please contact an experienced adminstrator to do this for you."
exit
fi
}
dodistrocheck(){
if [ -e /etc/redhat-release ]; then
if [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $3, $7 }'`" = "Red Hat Enterprise 3" ]; then
echo "Your OS is: RedHat Enterprise Linux 3"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $3, $7 }'`" = "Red Hat Enterprise 4" ]; then
echo "Your OS is: RedHat Enterprise Linux 4"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $3 }' | ${CUT} -d '.' -f1`" = "CentOS 3" ]; then
echo "Your OS is: CentOS 3"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $3 }' | ${CUT} -d '.' -f1`" = "CentOS 4" ]; then
echo "Your OS is: CentOS 4"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $3 }' | ${CUT} -d '.' -f1`" = "CentOS 5" ]; then
echo "Your OS is: CentOS 5"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2 }'`" = "Fedora Core" ]; then
echo "Your OS is: Fedora Core `${CAT} /etc/redhat-release | ${AWK} '{ print $4 }'`"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2 }'`" = "Fedora release" ]; then
echo "Your OS is: Fedora Core `${CAT} /etc/redhat-release | ${AWK} '{ print $3 }'`"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $5 }'`" = "Red Hat 9" ]; then
echo "Your OS is: RedHat Linux 9"
elif [ "`${CAT} /etc/redhat-release | ${AWK} '{ print $1, $2, $5 }' | ${CUT} -d '.' -f1`" = "Red Hat 7" ]; then
echo "Your OS is: RedHat Linux 7"
elif [ "`${CAT} /etc/debian_version`" = "3.0" ]; then
echo "Your OS is: Debian linux 3.0"
fi
elif [ -e /etc/debian_version ]; then
if [ "`${CAT} /etc/debian_version`" = "3.1" ]; then
echo "Your OS is: Debian linux 3.1"
fi
fi
}
## Check to see if cPanel, Plesk, or DirectAdmin is installed
controlpanelcheck() {
if [ -f /usr/local/cpanel/cpanel ]; then
CONTROLPANEL=1
PHPINI=/usr/local/lib/php.ini
elif [ -f /usr/local/psa/version ]; then
CONTROLPANEL=2
PHPINI=/etc/php.ini
elif [ -f /usr/local/directadmin/conf/directadmin.conf ]; then
CONTROLPANEL=3
PHPINI=/usr/local/lib/php.ini
else
CONTROLPANEL=0
PHPINI=/etc/php.ini
fi
}
## Check to see if cPanel, Plesk, or DirectAdmin is installed
docontrolpanelvcheck() {
if [ -f /usr/local/cpanel/cpanel ]; then
echo "cPanel is installed. [ Version: `/usr/local/cpanel/cpanel -V` ]"
elif [ -f /usr/local/psa/version ]; then
PLESKVERS=`${CAT} /usr/local/psa/version`
echo "PLESK is installed. [ Version: ${PLESKVERS} ]"
elif [ -f /usr/local/directadmin/conf/directadmin.conf ]; then
echo "DirectAdmin is installed. [ `/usr/local/directadmin/directadmin v` ]"
else
echo "cPanel, Plesk, or DirectAdmin not detected."
fi
}
checkversionsdown(){
${WGET} -q --output-document=${INSTALLDIR}/versions ${MIRROR}/versions
if [ "`${GREP} els-core ${INSTALLDIR}/versions`" = "" ]; then
echo "Failed to download versions file."
echo "Aborting."
${RM} -f ${INSTALLDIR}/versions
exit
else
latestversionfunc LATESTVERSION els-core
fi
PHPINSTALLED=0
if [ "${SKIPCURRENTS}" != "1" ]; then
if [ "`${PHPBINARY} -v | ${HEAD} -1 | ${AWK} '{ print $1 }'`" = "PHP" ]; then
PHPINSTALLED=1
fi
fi
}
##################################################################
# End of checks
##################################################################
## Get the administrator's email address (used for several program installations)
adminemail() {
if [ "${ADMINEMAIL}" = "" ]; then
echo
echo "Admin (your) E-Mail Address (this should NOT be on this server):"
read ADMINEMAIL
if [ "${ADMINEMAIL}" = "" ]; then
echo "You entered no email address"
else
echo "You entered: ${ADMINEMAIL}"
fi
echo "Ensure this is correct."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
echo "Using ${ADMINEMAIL}."
else
adminemail
fi
fi
}
## Get that administrator's IP address (used for APF and BFD installations)
adminip() {
if [ "${ADMINIP}CHK" = "" ] || [ "$1" = "0" ]; then
echo
echo "If an admin attempts to login too many times with a bad password"
echo "BFD will ban the IP address, leaving the admin locked out of his/her"
echo "own server. To prevent this, please enter your home or work IP address."
echo "Allowed IP Address (blank for none):"
read ADMINIP
ADMINIPCHK=1
if [ "${ADMINIP}" = "" ]; then
echo "You entered no IP address"
else
echo "You entered: ${ADMINIP}"
fi
echo "Ensure this is correct."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
echo "Using ${ADMINIP} for Admin IP."
else
adminip 0
fi
fi
}
doversioncheck(){
if [ "${CURRENTVERSION}" = "${LATESTVERSION}" ]; then
echo "ELS version is ${CURRENTVERSION}. It is the latest release, there is no need to update."
else
echo "ELS version is: ${CURRENTVERSION}. The latest version is ${LATESTVERSION}."
fi
}
## See if we want to modify up2date's configuration file
up2dateconfig() {
if [ "${CONTROLPANEL}" = "1" ] || [ "${CONTROLPANEL}" = "3" ] && [ -f $UP2DATE ]; then
echo
if [ "`${GREP} "Modified by ELS" /etc/sysconfig/rhn/up2date`" = "" ]; then
echo "Several packages from Red Hat Network may not be compatable or may cause"
echo "problems with DirectAdmin or cPanel. To help prevent complications, ELS can add special"
echo "packages to be skipped when running up2date."
echo "These packages can still be updated using the force '-f' option with up2date."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
GREPPED="`${GREP} pkgSkipList= /etc/sysconfig/rhn/up2date`"
perl -pi -e "s/${GREPPED}/pkgSkipList=kernel*;php*;*httpd*;perl*;mysql*;mod_*;imap*;squirrelmail*;spamassassin*;caching-nameserver*;/" /etc/sysconfig/rhn/up2date
echo 'Done.'
echo "#Modified by ELS" >> /etc/sysconfig/rhn/up2date
else
echo "Skipping up2date configuration editor."
fi
else
echo "up2date configuration already modified by ELS."
fi
fi
}
## See if we want to modify yum's configuration file
yumconfig() {
if [ "${CONTROLPANEL}" = "1" ] || [ "${CONTROLPANEL}" = "3" ] && [ -f $YUM ]; then
echo
if [ "`${GREP} "Modified by ELS" /etc/yum.conf`" = "" ]; then
echo "Several packages installed by yum may not be compatable or may cause"
echo "problems with DirectAdmin or cPanel. To help prevent complications, ELS can add special"
echo "packages to be skipped when running yum."
echo "These packages can still be updated manually with yum."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
if [ "`${GREP} exclude= /etc/yum.conf`" = "" ]; then
perl -pi -e "s/\[main]/\[main]\nexclude=kernel* php* exim* courier* httpd* perl* mysql* mod_* imap* squirrelmail* spamassassin* caching-nameserver*/" /etc/yum.conf
else
GREPPED="`${GREP} exclude= /etc/yum.conf`"
perl -pi -e "s/${GREPPED}/exclude=kernel* php* exim* courier* apache* httpd* perl* mysql* mod_* imap* squirrelmail* spamassassin* caching-nameserver*/" /etc/yum.conf
fi
echo "Done."
echo "#Modified by ELS" >> /etc/yum.conf
else
echo "Skipping yum configuration editor."
fi
else
echo "yum configuration already modified by ELS."
fi
fi
}
doupdateda(){
if [ "${CONTROLPANEL}" = "3" ]; then
echo
echo "This feature can update your DirectAdmin version."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
if [ -f /usr/local/directadmin/conf/directadmin.conf ]; then
echo "[ `/usr/local/directadmin/directadmin v` ] found"
else
echo "DirectAdmin not found!"
exit 0
fi
if [ -f /usr/local/directadmin/scripts/setup.txt ]; then
echo "Downloading a new version of DirectAdmin..."
cd /usr/local/directadmin
${WGET} -O update.tar.gz https://www.directadmin.com/cgi-bin/daupdate?uid=`${GREP} uid= /usr/local/directadmin/scripts/setup.txt | ${CUT} -d= -f2`\&lid=`${GREP} lid= /usr/local/directadmin/scripts/setup.txt | ${CUT} -d= -f2`
echo "Extracting a new version of DirectAdmin..."
tar xzf update.tar.gz
${RM} -rf update.tar.gz
./directadmin p
cd scripts
./update.sh
echo "Restarting DirectAdmin..."
service directadmin restart
echo "Update done."
else
echo "/usr/local/directadmin/scripts/setup.txt not found."
fi
else
echo "Not updating DirectAdmin."
fi
else
echo "DirectAdmin is not installed."
fi
}
## Uninstall LAuS if installed (Thanks to chirpy on the cPanel forums for the instructions)
doremovelaus() {
if [ "${SKIPCURRENTS}" != "1" ]; then
if [ "${DISTRO}" != "DEBIAN3" ]; then
if [ "`${RPM} -q laus`" != "package laus is not installed" ]; then
LAUSINSTALL=1
fi
fi
fi
if [ "${CONTROLPANEL}" = "1" ] && [ "${LAUSINSTALL}" = "1" ]; then
echo
echo "LAuS often causes an excessive amount of audit logs on a cPanel server."
echo "This can sometimes cause high CPU usage and large usage of space in /var."
echo "This feature will uninstall LAuS for you."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
echo "Uninstalling LAuS..."
${RPM} -ev laus
echo "alias char-major-10-224 off" >> /etc/modules.conf
echo "Done."
echo "Restarting the CRON deamon..."
/etc/init.d/crond stop
rmmod audit
/etc/init.d/crond start
echo "Done."
echo "Deleting old audit.d logs..."
sleep 1
${RM} -Rfv /var/log/audit.d/
echo "Done."
else
echo "Not uninstalling LAuS."
fi
fi
if [ "${DOALL}" != "1" ]; then
${RM} -f ${INSTALLDIR}/versions
fi
}
## Disable SELinux (for DirectAdmin or cPanel servers)
dodisableselinux() {
if [ "${CONTROLPANEL}" = "1" ] || [ "${CONTROLPANEL}" = "3" ] && [ -e /etc/sysconfig/selinux ]; then
echo
if [ ! -e /usr/sbin/sestatus ]; then
echo "Can not find /usr/sbin/sestatus"
elif [ "`/usr/sbin/sestatus -v | ${AWK} '{print $3}'`" != "disabled" ]; then
echo "SELinux is currently enabled. DirectAdmin and cPanel does not work well with"
echo "SELinux enabled. ELS can now disable SELinux so cPanel or DirectAdmin"
echo "and related programs can run properly."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
echo "Disabling SELinux..."
GREPPED1="`${GREP} 'SELINUX=' /etc/sysconfig/selinux | ${TAIL} -n1`"
GREPPED2="`${GREP} 'SELINUX=' /etc/selinux/config | ${TAIL} -n1`"
perl -pi -e "s/$GREPPED1/SELINUX=disabled/" /etc/sysconfig/selinux
perl -pi -e "s/$GREPPED2/SELINUX=disabled/" /etc/selinux/config
setenforce 0
echo "Done"
else
echo "Not disabling SELinux."
fi
else
echo "SELinux already disabled."
fi
fi
}
## See if we want to harden sysctl.conf
dohardensysctl() {
sysctldo() {
latestmd5func SYSCTLMD5 sysctl.conf
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
${WGET} -q --output-document=${INSTALLDIR}/src/sysctl.conf ${MIRROR}/sysctl/sysctl.conf
if [ "`${MD5SUM} ${INSTALLDIR}/src/sysctl.conf | ${CUT} -d ' ' -f 1`" = $SYSCTLMD5 ]; then
echo "Download Successful!"
echo "MD5 matches."
echo "Extracting..."
else
echo "Download Failed."
echo "Invalid MD5."
echo "Aborting."
exit
fi
if [ -f /etc/sysctl.conf ]; then
mv --force /etc/sysctl.conf ${INSTALLDIR}/bakfiles/sysctl.conf
fi
mv --force ${INSTALLDIR}/src/sysctl.conf /etc/sysctl.conf
chown root:root /etc/sysctl.conf
chmod 644 /etc/sysctl.conf
echo "Applying changes..."
/sbin/sysctl -p
echo "Done."
echo "Errors with 'unknown keys' can be ignored."
else
echo "Not hardening kernel with sysctl."
fi
}
echo
if [ -f /etc/sysctl.conf ]; then
echo "/etc/sysctl.conf exists."
if [ "`${GREP} nsobuild /etc/sysctl.conf`" != "" ]; then
echo "sysctl already hardened by ELS."
else
echo "sysctl is used to harden the kernel. If you have not hardened your"
echo "kernel with sysctl or do not know how to, it is recommended to have"
echo "ELS do it for you. Your current /etc/sysctl.conf will be backed up to"
echo "${INSTALLDIR}/bakfiles/sysctl.conf."
sysctldo
fi
else
echo "/etc/sysctl.conf does not exist. It is usually a"
echo "good idea to use sysctl to harden your kernel."
echo "I can import a commonly used and tested sysctl.conf"
echo "to harden and slightly optimize your kernel."
sysctldo
fi
if [ "${DOALL}" != "1" ]; then
${RM} -f ${INSTALLDIR}/versions
fi
}
## See if we want to run cPanel's update scripts
docpanelupdate() {
if [ "${CONTROLPANEL}" = "1" ]; then
echo
echo "This will only run cPanel's pre-installed scripts to update itself."
echo "updatenow, upcp, sysup, and serveral other software updaters will be executed."
if [ "$MYSQL41UPDATE" = "1" ]; then
PROCEEDASK=y
else
proceedfunc
fi
if [ "${PROCEEDASK}" = "y" ]; then
/scripts/upcp
else
echo "Skipping cPanel updates."
fi
fi
}
## Fix RNDC if not already configured
dofixrndc() {
if [ "${CONTROLPANEL}" = "1" ]; then
echo
echo "Checking rndc..."
if [ "`${GREP} 'key \"rndckey\" {' /etc/named.conf`" = "" ] && [ "`${GREP} '/etc/rndc.key' /etc/named.conf`" = "" ]; then
echo "rndc is not configured, but I can fix that!"
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
/scripts/fixnamed
/scripts/fixndc
/etc/init.d/named restart
echo "Done."
echo "If still failed, run /scripts/fixndc manually."
else
echo "Not fixing RNDC."
fi
else
echo "rndc already configured."
fi
fi
}
## Tweak cPanel's Tweak Settings file
dotweakcpsettings() {
if [ "${CONTROLPANEL}" = "1" ]; then
echo
echo "ELS can tweak several cPanel/WHM settings for you to further"
echo "optimize and secure your server."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
if [ "`${GREP} defaultmailaction /var/cpanel/cpanel.config`" = "" ]; then
echo "Setting Default Mail Action to FAIL..."
echo "defaultmailaction=fail" >> /var/cpanel/cpanel.config
echo "Done."
elif [ "`${GREP} defaultmailaction /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" != "fail" ]; then
echo "Setting Default Mail Action to FAIL..."
GREPPED="`${GREP} defaultmailaction /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/defaultmailaction=fail/" /var/cpanel/cpanel.config
echo "Done."
else
echo "Default Mail Action already set to FAIL."
fi
if [ "`${GREP} cycle /var/cpanel/cpanel.config`" = "" ]; then
echo "Setting stats programs to run every 12 hours..."
echo "cycle=0.5" >> /var/cpanel/cpanel.config
echo "Done."
elif [ ! "`${GREP} cycle /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" = "0.5" ]; then
echo "Setting stats programs to run every 12 hours..."
GREPPED="`${GREP} cycle /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/cycle=0.5/" /var/cpanel/cpanel.config
echo "Done."
else
echo "Stats programs already set to run every 12 hours (or less)."
fi
if [ "`${GREP} jaildefaultshell /var/cpanel/cpanel.config`" = "" ]; then
echo "Setting jailshell as default shell..."
echo "jaildefaultshell=1" >> /var/cpanel/cpanel.config
echo "Done."
elif [ "`${GREP} jaildefaultshell /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" != "1" ]; then
echo "Setting jailshell as default shell..."
GREPPED="`${GREP} jaildefaultshell /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/jaildefaultshell=1/" /var/cpanel/cpanel.config
echo "Done."
else
echo "Jailshell already set as default shell."
fi
if [ "`${GREP} resetpass /var/cpanel/cpanel.config`" = "" ]; then
echo "Disabling ability for cPanel users to reser pass via email..."
echo "resetpass=0" >> /var/cpanel/cpanel.config
echo "Done."
elif [ "`${GREP} resetpass /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" != "0" ]; then
echo "Disabling ability for cPanel users to reser pass via email..."
GREPPED="`${GREP} resetpass /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/resetpass=0/" /var/cpanel/cpanel.config
echo "Done."
else
echo "cPanel password reset over email already disabled."
fi
if [ "`${GREP} maxmem /var/cpanel/cpanel.config`" = "" ]; then
echo "Setting max memory usage to 512MB..."
echo "maxmem=512" >> /var/cpanel/cpanel.config
echo "Done."
elif [ "`${GREP} maxmem /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" -lt "512" ]; then
echo "Setting max memory usage to 512MB..."
GREPPED="`${GREP} maxmem /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/maxmem=512/" /var/cpanel/cpanel.config
echo "Done."
else
echo "Max memory usage already set to 512 (or more) MB."
fi
if [ "`${GREP} dumplogs /var/cpanel/cpanel.config`" = "" ]; then
echo "Setting domain logs to be deleted after logrunner executes..."
echo "dumplogs=1" >> /var/cpanel/cpanel.config
echo "Done."
elif [ "`${GREP} dumplogs /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" != "1" ]; then
echo "Setting domain logs to be deleted after logrunner executes..."
GREPPED="`${GREP} dumplogs /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/dumplogs=1/" /var/cpanel/cpanel.config
echo "Done."
else
echo "Domain logs already set to be deleted after logrunner executes."
fi
if [ "`${GREP} phpopenbasedirhome /var/cpanel/cpanel.config`" = "" ]; then
echo "Enabling PHP open_basedir Protection..."
echo "phpopenbasedirhome=1" >> /var/cpanel/cpanel.config
/scripts/phpopenbasectl on
echo "Done."
elif [ "`${GREP} phpopenbasedirhome /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" != "1" ]; then
echo "Enabling PHP open_basedir Protection..."
GREPPED="`${GREP} phpopenbasedirhome /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/phpopenbasedirhome=1/" /var/cpanel/cpanel.config
/scripts/phpopenbasectl on
echo "Done."
else
echo "PHP open_basedir Protection already enabled."
fi
if [ "`${GREP} userdirprotect /var/cpanel/cpanel.config`" = "" ]; then
echo "Enabling mod_userdir Protection..."
echo "userdirprotect=1" >> /var/cpanel/cpanel.config
/scripts/userdirctl on
echo "Done."
elif [ "`${GREP} userdirprotect /var/cpanel/cpanel.config | ${CUT} -d '=' -f 2`" != "1" ]; then
echo "Enabling mod_userdir Protection..."
GREPPED="`${GREP} userdirprotect /var/cpanel/cpanel.config`"
perl -pi -e "s/${GREPPED}/userdirprotect=1/" /var/cpanel/cpanel.config
/scripts/userdirctl on
echo "Done."
else
echo "mod_userdir Protection already enabled."
fi
if [ -f /var/cpanel/smtpgidonlytweak ]; then
echo "SMTP Tweak already enabled."
else
echo "Enabling SMTP Tweak..."
/scripts/smtpmailgidonly --allowlocalhost on
echo "Done."
fi
if [ "`/scripts/compilers | ${GREP} disabled`" = "" ]; then
echo "Disabling compilers for unprivileged users..."
/scripts/compilers off
echo "Done."
else
echo "Compilers already disabled for unprivileged users."
fi
else
echo "Skipping WHM Tweak Settings tweaks."
fi
fi
}
## Add an alert for root login to /root/.bash_profile
dorootloginemail() {
echo
if [ "`${GREP} ALERT /root/.bash_profile`" = "" ]; then
if [ "${ADMINEMAIL}" != "" ]; then
echo "ELS can have an alert email sent to you each time someone logs in as root."
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
chattr -i /root/.bash_profile
echo >> /root/.bash_profile
echo "# Email admin when user logs in as root" >> /root/.bash_profile
echo "rootalert() {" >> /root/.bash_profile
echo " echo 'ALERT - Root Shell Login'" >> /root/.bash_profile
echo " echo" >> /root/.bash_profile
echo " echo 'Server: '\`hostname\`" >> /root/.bash_profile
echo " echo 'Time: '\`date\`" >> /root/.bash_profile
echo " echo 'User: '\`who | awk '{ print \$1 }'\`" >> /root/.bash_profile
echo " echo 'TTY: '\`who | awk '{ print \$2 }'\`" >> /root/.bash_profile
echo " echo 'Source: '\`who | awk '{ print \$5 }' | ${CUT} -d '(' -f 2 | ${CUT} -d ')' -f 1\`" >> /root/.bash_profile
echo " echo" >> /root/.bash_profile
echo " echo" >> /root/.bash_profile
echo " echo 'This email is an alert automatically created by your server telling you that someone, even if it is you, logged into SSH as the root user. If you or someone you know and trust logged in as root, disregard this email. If you or someone you know and trust did not login to the server as root, then you may have a hack attempt in progress on your server.'" >> /root/.bash_profile
echo "}" >> /root/.bash_profile
echo "rootalert | mail -s \"Alert: Root Login [\`hostname\`]\" ${ADMINEMAIL}" >> /root/.bash_profile
chattr +i /root/.bash_profile
echo "Root login alerts enabled."
else
echo "Not enabling root login alerts."
fi
else
echo "Must provide Admin Email Address to enable Root Login Alerts."
fi
else
echo "Root login alerts already enabled."
fi
}
## Install/Update RKHunter
dorkhunter() {
echo
if [ "${SKIPCURRENTS}" != "1" ]; then
latestversionfunc LATESTRKH rkh-latest
latestmd5func RKHMD5 rkh-latest
if [ -f /usr/local/bin/rkhunter ]; then
CURRENTRKH=`/usr/local/bin/rkhunter --version | ${AWK} '{ print $3 }'`
fi
fi
if [ "${CURRENTRKH}" != "${LATESTRKH}" ]; then
if [ -d /usr/local/rkhunter ]; then
echo "RKHunter is out of date. Installed: ${CURRENTRKH} Latest: ${LATESTRKH}"
echo "ELS can now update RKHunter."
else
echo "ELS can now install RKHunter."
fi
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
cd ${INSTALLDIR}/src
${RM} -rf rkhunter*
echo "Downloading RKHunter..."
${WGET} -q ${MIRROR}/rkhunter/rkhunter-${LATESTRKH}.tar.gz
if [ "`${MD5SUM} rkhunter-${LATESTRKH}.tar.gz | ${CUT} -d ' ' -f 1`" = "${RKHMD5}" ]; then
echo "Download Successful!"
echo "MD5 matches."
echo "Extracting..."
else
echo "Download Failed."
echo "Invalid MD5."
echo "Aborting."
exit
fi
${TAR} xzf rkhunter-${LATESTRKH}.tar.gz
${RM} -f rkhunter-${LATESTRKH}.tar.gz
cd rkhunter-${LATESTRKH}
if [ -f ./installer.sh ]; then
echo "Extraction Successful!"
else
echo "Extraction failed."
echo "Aborting."
exit
fi
echo "Installing..."
./installer.sh --layout /usr/local --install
cd ${INSTALLDIR}/src
${RM} -rf rkhunter*
echo "RKHunter Install Completed Successfully!"
echo "Updating databases..."
/usr/local/bin/rkhunter --update
else
echo "Not installing/updating RKHunter"
fi
else
echo "RKHunter is up to date [ Version: ${CURRENTRKH} ]"
echo "Updating RKHunter database files..."
/usr/local/bin/rkhunter --update
fi
if [ "${DOALL}" != "1" ]; then
${RM} -f ${INSTALLDIR}/versions
fi
}
## Install a RKHunter cronjob (to run nightly)
dorkhuntercron() {
if [ -e /usr/local/bin/rkhunter ]; then
echo
if [ -f /etc/cron.daily/rkhunter.sh ]; then
echo "RKHunter Cronjob already installed."
else
if [ "${ADMINEMAIL}" != "" ]; then
echo "Would you like for RKHunter to run and send you scan details"
echo "to your admin email address nightly? (y/n):"
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
echo '#!/bin/bash'$'\n''(/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details"' ${ADMINEMAIL}')' > /etc/cron.daily/rkhunter.sh
chmod 700 /etc/cron.daily/rkhunter.sh
else
echo "RKHunter will not run nightly. You can execute manually with"
echo "/usr/local/bin/rkhunter -c"
fi
else
echo "Must provide Admin Email Address to install RKHunter Cronjob."
fi
fi
fi
}
## Install/Update CHKROOTKIT
dochkrootkit() {
echo
if [ "${SKIPCURRENTS}" != "1" ]; then
latestversionfunc LATESTCRK chkrootkit-latest
latestmd5func CRKMD5 chkrootkit-latest
if [ -f /usr/local/chkrootkit/chkrootkit ]; then
CURRENTCRK=`${GREP} 'CHKROOTKIT_VERSION=' /usr/local/chkrootkit/chkrootkit | ${CUT} -d "'" -f 2`
fi
fi
if [ "${CURRENTCRK}" != "${LATESTCRK}" ]; then
if [ -d /usr/local/chkrootkit ]; then
echo "CHKROOTKIT is out of date. Installed: ${CURRENTCRK} Latest: ${LATESTCRK}"
echo "ELS can now update CHKROOTKIT."
else
echo "ELS can now install CHKROOTKIT."
fi
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
cd ${INSTALLDIR}/src
${RM} -rf chkrootkit*
echo "Downloading CHKROOTKIT..."
${WGET} -q ${MIRROR}/chkrootkit/chkrootkit-${LATESTCRK}.tar.gz
if [ "`${MD5SUM} chkrootkit-${LATESTCRK}.tar.gz | ${CUT} -d ' ' -f 1`" = ${CRKMD5} ]; then
echo "Download Successful!"
echo "MD5 matches."
echo "Extracting..."
else
echo "Download Failed."
echo "Invalid MD5."
echo "Aborting."
exit
fi
${TAR} xzf chkrootkit-${LATESTCRK}.tar.gz
${RM} -f chkrootkit-${LATESTCRK}.tar.gz
cd chkrootkit-*
if [ -f ./chkrootkit ]; then
echo "Extraction Successful!"
else
echo "Extraction failed."
echo "Aborting."
exit
fi
echo "Installing..."
${RM} -rf /usr/local/chkrootkit
${MKDIR} /usr/local/chkrootkit
mv ${INSTALLDIR}/src/chkrootkit*/* /usr/local/chkrootkit
cd /usr/local/chkrootkit
make sense > /dev/null
cd ${INSTALLDIR}/src
${RM} -rf chkrootkit*
echo "CHKROOTKIT Install Completed Successfully!"
else
echo "Not installing/updating CHKROOTKIT"
fi
else
echo "CHKROOTKIT is up to date [ Version: ${CURRENTCRK} ]"
fi
if [ "${DOALL}" != "1" ]; then
${RM} -f ${INSTALLDIR}/versions
fi
}
## Install a CHKROOTKIT cronjob (to run nightly)
dochkrootkitcron() {
if [ -d /usr/local/chkrootkit ]; then
echo
if [ -f /etc/cron.daily/chkrootkit.sh ]; then
echo "CHKROOTKIT Cronjob already installed."
else
if [ "${ADMINEMAIL}" != "" ]; then
echo "Would you like for CHKROOTKIT to run and send you scan details"
echo "to your admin email address nightly? (y/n):"
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
echo '#!/bin/bash'$'\n''(cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "CHKROOTKIT Scan Details"' ${ADMINEMAIL}')' > /etc/cron.daily/chkrootkit.sh
chmod 700 /etc/cron.daily/chkrootkit.sh
else
echo "CHKROOTKIT will not run nightly. You can execute manually with"
echo "/usr/local/chkrootkit/chkrootkit"
fi
else
echo "Must provide Admin Email Address to install CHKROOTKIT Cronjob."
fi
fi
fi
}
# Install/Update APF Firewall
doapf() {
echo
if [ "${SKIPCURRENTS}" != "1" ]; then
if [ -f /etc/apf/apf ]; then
CURRENTAPF=`${GREP} 'VER=' /etc/apf/apf | ${CUT} -d '"' -f 2`
fi
latestversionfunc LATESTAPF apf-latest
latestmd5func APFMD5 apf-latest
latestmd5func APFCONFIGSMD5 apfconfigs
fi
if [ "${CURRENTAPF}" != "${LATESTAPF}" ]; then
if [ -d /etc/apf ]; then
echo "APF is out of date. Installed: ${CURRENTAPF} Latest: ${LATESTAPF}"
echo "ELS can now update APF."
APFBAK=1
else
echo "ELS can now install APF."
fi
proceedfunc
if [ "${PROCEEDASK}" = "y" ]; then
cd ${INSTALLDIR}/src
${RM} -rf apf*
echo "Downloading APF..."
${WGET} -q ${MIRROR}/apf/apf-${LATESTAPF}.tar.gz
if [ "`${MD5SUM} apf-${LATESTAPF}.tar.gz | ${CUT} -d ' ' -f 1`" = "$APFMD5" ]; then
echo "Download Successful!"
echo "MD5 matches."
echo "Extracting..."
else
echo "Download Failed."
echo "Invalid MD5."
echo "Aborting."
exit
fi
${TAR} xzf apf-${LATESTAPF}.tar.gz
${RM} -f apf-${LATESTAPF}.tar.gz
cd apf*
if [ -f ./install.sh ]; then
echo "Extraction Successful!"
else
echo "Extraction failed."
echo "Aborting."
exit
fi
echo "Installing..."
./install.sh > /dev/null
if [ "$APFBAK" != "1" ]; then
if [ "${CONTROLPANEL}" = "1" ]; then
echo "cPanel installed. Using default configuration for cPanel."
echo "Downloading configuration tarball..."
cd ${INSTALLDIR}/src
${WGET} -q ${MIRROR}/apf/apfconfigs.tar.gz
if [ "`${MD5SUM} apfconfigs.tar.gz | ${CUT} -d ' ' -f 1`" = "${APFCONFIGSMD5}" ]; then
echo "Download Successful!"
echo "MD5 matches."
echo "Extracting..."
else
echo "Download Failed."
echo "Invalid MD5."
echo "Aborting."
exit
fi
cd ${INSTALLDIR}/src
${TAR} xzf apfconfigs.tar.gz > /dev/null
${RM} -f apfconfigs.tar.gz
echo "Done."
echo "Moving new configation to /etc/apf..."
cd ${INSTALLDIR}/src/apfconfigs
mv /etc/apf/conf.apf /etc/apf/conf.apf.default
cp conf.apf.cpanel.default /etc/apf
cp /etc/apf/conf.apf.cpanel.default /etc/apf/conf.apf
echo "Looking for primary ethernet interface..."
if [ "`${GREP} ETHDEV /etc/wwwacct.conf | ${CUT} -d ' ' -f 2`" = "" ] || [ "`${GREP} ethernet_dev /usr/local/directadmin/conf/directadmin.conf | ${CUT} -d= -f2`" = "eth0" ]; then
echo "Found primary ethernet device to be eth0."
elif [ -e /etc/wwwacct.conf ] && [ "`${GREP} ETHDEV /etc/wwwacct.conf | ${CUT} -d ' ' -f 2`" != "" ]; then
GREPPED="`${GREP} ETHDEV /etc/wwwacct.conf | ${CUT} -d ' ' -f 2`"
perl -pi -e "s/IFACE_IN=\"eth0\"/IFACE_IN=\"${GREPPED}\"/" /etc/apf/conf.apf
perl -pi -e "s/IFACE_OUT=\"eth0\"/IFACE_OUT=\"${GREPPED}\"/" /etc/apf/conf.apf
echo "Found primary ethernet device to be ${GREPPED}."
elif [ -e /etc/wwwacct.conf ] && [ "`${GREP} ethernet_dev /usr/local/directadmin/conf/directadmin.conf | ${CUT} -d= -f2`" != "eth0" ]; then
GREPPED="`${GREP} ethernet_dev /usr/local/directadmin/conf/directadmin.conf | ${CUT} -d= -f2`"
perl -pi -e "s/IFACE_IN=\"eth0\"/IFACE_IN=\"${GREPPED}\"/" /etc/apf/conf.apf
perl -pi -e "s/IFACE_OUT=\"eth0\"/IFACE_OUT=\"${GREPPED}\"/" /etc/apf/conf.apf
echo "Found primary ethernet device to be ${GREPPED}."
else
echo "Failed to find primary ethernet interface."
echo "This is not bad, just did not automatically set this in conf.apf."
echo "You must edit IFACE_IN and IFACE_OUT manually in /etc/apf/conf/apf as necessary."
fi
echo "Default configuration saved as /etc/apf/conf.apf.default"
echo "cPanel default config saved as /etc/apf/conf.apf.cpanel.default"