ccdc-scripts/linuxzds

#!/bin/bash

# Backup configs
mkdir /var/zds
cp -r /etc /var/zds/etc_backup

if type apt-get &>/dev/null
then
    expected_dist=apt
    apt install curl openssh-server vim wget snmpd clamav nmap
else
    expected_dist=rpm
    if grep --quiet 'ID=\"centos\"' /etc/os-release; then
        yum install -y epel-release
    fi
    yum install -y wget vim openssh-server clamav curl net-snmp nmap
fi

# Set user passwords and sweep keys
mkdir -p /var/zds/bash_hist
mkdir -p /var/zds/auth_keys
mkdir -p /var/log/zds

if [[ -e /root ]]
then
    mv -f /root/.bash_history /var/zds/bash_hist/bash_history_ir_root 2> /dev/null
    mv -f /foot/.ssh/authorized_keys /var/zds/auth_keys/root.authorized_keys 2> /dev/null
fi
if [[ -e /home/sysadmin ]]
then
    admin_user="sysadmin"
    mv -f "/home/$admin_user/.bash_history" /var/zds/bash_hist/bash_history_ir 2> /dev/null
    mv -f "/home/$admin_user/.ssh/authorized_keys" "/var/zds/auth_keys/$admin_user.authorized_keys" 2> /dev/null
fi
if [[ -e /home/admin ]]
then
    admin_user="admin"
    mv -f "/home/$admin_user/.bash_history" /var/log/bash_hist/bash_history_ir 2> /dev/null
    mv -f "/home/$admin_user/.ssh/authorized_keys" "/var/zds/auth_keys/$admin_user.authorized_keys" 2> /dev/null
fi
if [[ -e /home/administrator ]]
then
    admin_user="administrator"
    mv -f "/home/$admin_user/.bash_history" /var/log/bash_hist/bash_history_ir 2> /dev/null
    mv -f "/home/$admin_user/.ssh/authorized_keys" "/var/zds/auth_keys/$admin_user.authorized_keys" 2> /dev/null
fi

chmod 700 /var/log/bash_hist
chmod 700 /var/log/auth_keys

# No root login ssh
sed -i 's/#\?\(PermitRootLogin\s*\).*$/\1 no/' /etc/ssh/sshd_config

# Set up firewall
cat << EOF > /etc/zdsfirewall.bash
#!/bin/bash 
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -F
iptables -t mangle -F
iptables -F
# iptables -X

iptables -A INPUT -i lo -j ACCEPT

# Both

iptables -A INPUT -p udp -m udp --dport 53   -j ACCEPT # DNS


iptables -A INPUT -p tcp -m tcp --dport 20   -j ACCEPT # FTP
iptables -A INPUT -p tcp -m tcp --dport 21   -j ACCEPT # FTP

iptables -A INPUT -p tcp -m tcp --dport 25   -j ACCEPT # SMTP

iptables -A INPUT -p tcp -m tcp --dport 80   -j ACCEPT # Web
iptables -A INPUT -p tcp -m tcp --dport 443  -j ACCEPT # Web


iptables -A INPUT -p udp        --sport 123  -j ACCEPT


iptables -A INPUT -p tcp -m tcp --dport 143  -j ACCEPT # IMAP

iptables -A INPUT -p tcp -m tcp --dport 7000 -j ACCEPT # Splunk (external for scoring)

iptables -A INPUT -p icmp                    -j ACCEPT # ICMP

# Internal only

iptables -A INPUT -p tcp -m tcp --dport 22   -j ACCEPT -s 172.20.0.0/16
# iptables -A INPUT -p tcp -m tcp --dport 135  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT -s 172.20.0.0/16
iptables -A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT -s 172.20.0.0/16
iptables -A INPUT -p tcp -m tcp --dport 8089 -j ACCEPT -s 172.20.0.0/16
iptables -A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT -s 172.20.0.0/16


# NTP
iptables -A INPUT -s 172.20.0.0/16 -m state --state NEW -p udp --dport 123 -j ACCEPT


# SNMP
iptables -A INPUT -s 172.20.0.0/16 -p udp --dport 161 -j ACCEPT
iptables -A INPUT -s 172.20.0.0/16 -p udp --dport 162 -j ACCEPT


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'FW DROP [in]: '
iptables -A INPUT -j DROP

# Output
iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A OUTPUT -p udp -m udp -m multiport --dports 123 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 80   -j ACCEPT -s 172.20.0.0/16
# iptables -A OUTPUT -p tcp --dport 443  -j ACCEPT -s 172.20.0.0/16
# iptables -A OUTPUT -p udp --dport 162  -j ACCEPT
# iptables -A OUTPUT -p udp --dport 161  -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53   -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 8089 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 8088 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 7000 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 135  -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 22   -j ACCEPT 
# iptables -A OUTPUT -p tcp --dport 9997 -j ACCEPT

# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by firewall [out]: '
# iptables -A OUTPUT -j DROP

EOF

chmod 0744 /etc/zdsfirewall.bash

cat << EOF > /etc/systemd/system/zdsfirewall.service
[Unit]
Description=ZDSFirewall
After=syslog.target network.target

[Service]
Type=oneshot
ExecStart=/etc/zdsfirewall.bash
ExecStop=/sbin/iptables -F
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

cat << EOF > /usr/local/bin/weboff
#!/bin/bash
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp -m udp -m multiport --dports 123 -m state --state NEW -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 80   -j ACCEPT -s 172.20.0.0/16 
iptables -A OUTPUT -p tcp --dport 443  -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p udp --dport 162  -j ACCEPT -s 172.20.0.0/16 
iptables -A OUTPUT -p udp --dport 161  -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p udp --dport 53   -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 8089 -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 8088 -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 7000 -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 135  -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 22   -j ACCEPT -s 172.20.0.0/16
iptables -A OUTPUT -p tcp --dport 9997 -j ACCEPT -s 172.20.0.0/16

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'FW DROP [out]: '
iptables -A OUTPUT -j DROP
EOF

cat << EOF > /usr/local/bin/webon
#!/bin/bash
iptables -F OUTPUT 
iptables -A OUTPUT -o lo -j ACCEPT
EOF

cat << EOF > /usr/local/bin/webdo
#!/bin/bash
webon
$@
weboff
EOF
chmod +x /usr/local/bin/webon
chmod +x /usr/local/bin/weboff
chmod +x /usr/local/bin/webdo

# Disable other firewalls
if [[ "$expected_dist" == "rpm" ]]; then
yum list installed firewalld && systemctl disable --now firewalld
elif [[ "$expected_dist" == "apt" ]]; then
service ufw status && systemctl disable --now ufw
fi

# Throw the switch
#systemctl enable --now zdsfirewall.service

# no red team bad red team
# chattr -i /etc/group /etc/shadow /etc/passwd
chown root:root /etc/group
if [ $(getent group shadow) ]; then
chown root:shadow /etc/shadow
else
chown root:root /etc/shadow
fi
chown root:root /etc/passwd
chown root:root /etc/sudoers

netstat -an | grep LISTEN | tee netstat.log
        
# Install splunk
if [ ! -d "/opt/splunk" ]; then
curl -ko /tmp/splunkforwarder.tgz 'https://download.splunk.com/products/universalforwarder/releases/8.2.4/linux/splunkforwarder-8.2.4-87e2dda940d1-Linux-x86_64.tgz'
tar xzvf /tmp/splunkforwarder.tgz -C /opt
echo "Enter the splunk forwarder username and password (yes twice)"
/opt/splunkforwarder/bin/splunk start --accept-license 
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 0
/opt/splunkforwarder/bin/splunk add forward-server 172.20.241.20:9997
/opt/splunkforwarder/bin/splunk set deploy-poll 172.20.241.20:8089
/opt/splunkforwarder/bin/splunk restart
fi

# ClamAV
freshclam

echo running full system clamscan in the background, results stored at /var/log/zds/clamscan.log
clamscan --recursive / &> /var/log/zds/clamscan.log &

# RKHunter
curl -L https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz -Ok
tar zxf rkhunter-1.4.6.tar.gz
pushd rkhunter-1.4.6
./installer.sh --install &> /var/log/zds/rkhunter.install.log
popd

rkhunter --propupd 
echo running rkhunter in the background results stored at /var/log/zds/rkhunter.log
rkhunter --check &> /var/log/zds/rkhunter.log &

echo Turning web off, use webon or webdo if you need to reach the outside world.
weboff