#!/bin/bash clear echo "Creator: Ayden Bottos" echo "Universal password: CyberTaipan123!" echo "Current time: $(date)" echo "Operating system: $(lsb_release -is)" echo "Kernel info: $(uname -a)" echo "Hostname: $(hostname)" echo "Main user: $(stat -c "%U" .)" echo "Current directory: $(pwd)" mainUser=$(stat -c "%U" .) wget https://raw.github.com/tdulcet/Linux-System-Information/master/info.sh -qO - | bash -s | tee systeminfo.log read -p "Press enter to begin script" clear if [[ $EUID -ne 0 ]] then echo "This script must be run as root." exit fi echo "Script is being run as root." if [[ "$PWD" != *"Desktop"* ]] then echo "The script must be run in the Desktop directory." exit fi echo "Script is being run in the correct directory." pw=CyberTaipan123! echo "Universal password set." clear mkdir -p /home/scriptuser/ touch /home/scriptuser/badfiles.log echo > /home/scriptuser/badfiles.log chmod 777 /home/scriptuser/badfiles.log echo "Important files and directories created." mkdir -p /home/scriptuser/backups chmod 777 /home/scriptuser/backups echo "Backups folder created on the Desktop." apt update apt install tripwire -y tripwire -m i tripwire -m c > tripwire.log 2>&1 echo "Ran Tripwire to check file integrity." wget https://raw.githubusercontent.com/aydenbottos/ayden-linux-script/master/stat chmod +x stat originaltime=$(./stat -c '%w' /etc/gai.conf | sed -r 's/^([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}).*/\1/') find / -type f -exec ./stat -c '%n : %w' {} + | grep -v "$originaltime:\|: -\|cache\|dpkg\|mozilla\|app-info\/icons\|src\/linux\|mime\|man\|icons\|linux\-gnu\|modules\|doc\|include\|python\|zoneinfo\|lib" > tempresult ( export LC_ALL=C comm -23 <(sort -u tempresult) \ <(sort -u /var/lib/dpkg/info/*.list) ) >> potentiallynewfiles.log echo "Returned files that are potentially manually created." clear if echo $(lsb_release -is) | grep -qi Debian; then # Reset Debian sources.list to default echo "deb http://ftp.au.debian.org/debian/ $(lsb_release -cs) main contrib non-free" > /etc/apt/sources.list echo "deb-src http://ftp.au.debian.org/debian/ $(lsb_release -cs) main contrib non-free" >> /etc/apt/sources.list echo "deb http://ftp.au.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free" >> /etc/apt/sources.list echo "deb-src http://ftp.au.debian.org/debian/ $(lsb_release -cs)-updates main contrib non-free" >> /etc/apt/sources.list echo "deb http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free" >> /etc/apt/sources.list echo "deb-src http://security.debian.org/ $(lsb_release -cs)/updates main contrib non-free" >> /etc/apt/sources.list apt update # Reset update settings using apt purge apt purge unattended-upgrades apt-config-auto-update -y apt install unattended-upgrades apt-config-auto-update -y apt install firefox-esr -y else printf 'deb http://archive.ubuntu.com/ubuntu %s main universe\n' "$(lsb_release -sc)"{,-security}{,-updates} > /etc/apt/sources.list sed -i "/security-updates/d" /etc/apt/sources.list apt update apt-get remove --purge update-notifier-common unattended-upgrades -y apt-get install update-notifier-common unattended-upgrades update-manager -y apt install firefox -y fi echo "Reset sources and update settings to defaults." apt list --installed >> /home/scriptuser/allInstalledPackages.log echo "Listed all installed packages, not just manual ones." wget https://github.com/tclahr/uac/releases/download/v2.2.0/uac-2.2.0.tar.gz tar -xf uac-2.2.0.tar.gz pushd uac-2.2.0 chmod +x uac mkdir results ./uac -p full results &>/dev/null & popd echo "Ran UAC - check its folder for results." clear apt install curl -y comm -23 <(apt-mark showmanual | sort -u) <(curl -s -- https://old-releases.ubuntu.com/releases/$(grep -oP 'VERSION_CODENAME=\K.+' /etc/os-release)/ubuntu-$(grep -oP 'VERSION="\K[0-9\.]+' /etc/os-release)-desktop-amd64.manifest | cut -f1 | cut -d: -f1 | sort -u) >> newpackagesubuntu.log echo "Listed all manually installed packages - for Ubuntu." clear comm -23 <(apt-mark showmanual | sort -u) <(curl -s -- https://cdimage.debian.org/mirror/cdimage/archive/$(grep -oP 'VERSION="\K[0-9\.]+' /etc/os-release).0.0-live/amd64/iso-hybrid/debian-live-$(grep -oP 'VERSION="\K[0-9\.]+' /etc/os-release).0.0-amd64-gnome.packages | cut -f1 | cut -d: -f1 | sort -u) >> newpackagesubuntu.log echo "Listed all manually installed packages - for Debian." apt install p7zip debsums -y mkdir thor pushd thor wget https://raw.githubusercontent.com/aydenbottos/ayden-linux-script/master/thor10.7lite-linux-pack.7z wget https://raw.githubusercontent.com/aydenbottos/ayden-linux-script/master/a2d7f9a1734943f3ca8665d40e02f29a_b28a6f0ae1ee88438421feed7186c8d2.lic p7zip -d thor10.7lite-linux-pack.7z ./thor-lite-linux &>/dev/null & popd echo "Ran THOR IOC and YARA scanner." touch differences.log pushd /tmp for FILE in $(debsums -ca); do echo $FILE >> /home/$mainUser/Desktop/differences.log; PKG=$(dpkg -S $FILE | cut -d: -f1); diff <(apt-get download $PKG;dpkg-deb --fsys-tarfile $PKG*.deb | tar xOf - .$FILE) $FILE | tee -a /home/$mainUser/Desktop/differences.log; echo "" >> /home/$mainUser/Desktop/differences.log done popd echo "Outputted every change on the system since installation - this log is a must-check." clear sudo gnome-terminal test -f "Forensics Question 1.txt" && gedit "Forensics Question 1.txt" test -f "Forensics Question 2.txt" && gedit "Forensics Question 2.txt" test -f "Forensics Question 3.txt" && gedit "Forensics Question 3.txt" test -f "Forensics Question 4.txt" && gedit "Forensics Question 4.txt" test -f "Forensics Question 5.txt" && gedit "Forensics Question 5.txt" test -f "Forensics Question 6.txt" && gedit "Forensics Question 6.txt" echo "Opened forensics questions." sed -i '/AllowUnauthenticated/d' /etc/apt/** echo "Forced digital signing on APT." echo "APT::Sandbox::Seccomp \"true\"\;" >> /etc/apt/apt.conf.d/40sandbox echo "Enabled APT sandboxing." apt-get update echo "Ran apt-get update." apt-get install apt-transport-https dirmngr vlock rng-tools deborphan ntp fwupd secureboot-db sysstat ufw git logwatch binutils aide aide-common tcpd libpam-apparmor haveged chkrootkit net-tools iptables libpam-cracklib apparmor apparmor-utils apparmor-profiles-extra clamav clamav-freshclam clamav-daemon auditd audispd-plugins cryptsetup unhide psad fail2ban ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications libopenscap8 -y echo "Installed all necessary software." wget https://raw.githubusercontent.com/aydenbottos/ayden-linux-script/master/packages.txt while read package; do apt show "$package" 2>/dev/null | grep -qvz 'State:.*(virtual)' && echo "$package" >>packages-valid && echo -ne "\r\033[K$package"; done > /etc/apt/apt.conf.d/50unattended-upgrades echo "Configured APT to remove unused packages." cp /etc/group /home/scriptuser/backups/ cp /etc/passwd /home/scriptuser/backups/ echo "/etc/group and /etc/passwd files backed up." passwd -l root echo "Locked root account." if test -f "users.txt" then awk -F: '$6 ~ /\/home/ {print}' /etc/passwd | cut -d: -f1 | while read line || [[ -n $line ]]; do if grep -qiw "$line" users.txt; then echo -e "$pw\n$pw" | passwd "$line" echo "$line has been given the password '$pw'." passwd -x30 -n3 -w7 $line usermod -U $line chage -M 30 $line chage -m 3 $line chage -E `date -d "30 days" +"%Y-%m-%d"` $line chage -W `date -d "7 days" +"%Y-%m-%d"` $line echo "$line's password has been given a maximum age of 30 days, minimum of 3 days, and warning of 7 days." else if [ $line == $mainUser ] then echo "Watch out, we were going to delete the main user!" line=dummy fi deluser --remove-home $line echo "Deleted unauthorised user $line." fi done readmeusers="$(cat users.txt | cut -d ' ' -f1)" echo "$readmeusers" | while read readmeusersfor || [[ -n $line ]]; do useradd -m $readmeusersfor echo Created missing user from ReadMe. passwd -x30 -n3 -w7 $readmeusersfor echo -e "$pw\n$pw" | passwd "$readmeusersfor" usermod -U $readmeusersfor echo "$readmeusersfor's password has been given a maximum age of 30 days, minimum of 3 days, and warning of 7 days." done readmeusers2="$(grep -i "Admin" users.txt | cut -d ' ' -f1)" awk -F: '$6 ~ /\/home/ {print}' /etc/passwd | cut -d: -f1 | while read line || [[ -n $line ]]; do if echo $readmeusers2 | grep -qiw "$line"; then gpasswd -a $line sudo gpasswd -a $line adm gpasswd -a $line lpadmin gpasswd -a $line sambashare gpasswd -a $line root echo "$line has been made a standard user." else gpasswd -d $line sudo gpasswd -d $line adm gpasswd -d $line lpadmin gpasswd -d $line sambashare echo "$line has been made an administrator." fi done while IFS= read -r line; do groupadd $(echo $line | head -n1 | awk '{print $1;}') groupname=$(echo $line | head -n1 | awk '{print $1;}') cut -d "-" -f2 <<< $line | IFS=',' read -ra my_array for i in "${my_array[@]}" do useradd -g $groupname $i done done < groups.txt sambaYN=no ftpYN=no sshYN=no telnetYN=no mailYN=no printYN=no dbYN=no httpsYN=no dnsYN=no mediaFilesYN=no vpnYN=no phpYN=no if grep -qi 'smb\|samba' services.txt; then sambaYN=yes fi if grep -qi ftp services.txt; then ftpYN=yes fi if grep -qi ssh services.txt; then sshYN=yes fi if grep -qi telnet services.txt; then telnetYN=yes fi if grep -qi mail services.txt; then mailYN=yes fi if grep -qi print services.txt; then printYN=yes fi if grep -qi 'db\|sql' services.txt; then dbYN=yes fi if grep -qi 'web\|apache\|http' services.txt; then httpsYN=yes phpYN=yes fi if grep -qi 'bind9\|dns' services.txt; then dnsYN=yes fi if grep -qi 'vpn' services.txt; then vpnYN=yes fi if grep -qi 'alternate-ftp' services.txt; then ftpYN=alternate fi else find $(pwd) -iname 'README.desktop' | xargs grep -oE "https:\/\/(.*).aspx" | xargs wget -O readme.aspx awk -F: '$6 ~ /\/home/ {print}' /etc/passwd | cut -d: -f1 | while read line || [[ -n $line ]]; do if grep -qiw "$line" readme.aspx; then echo -e "$pw\n$pw" | passwd "$line" echo "$line has been given the password '$pw'." passwd -x30 -n3 -w7 $line usermod -U $line chage -E `date -d "30 days" +"%Y-%m-%d"` $line chage -W `date -d "7 days" +"%Y-%m-%d"` $line echo "$line's password has been given a maximum age of 30 days, minimum of 3 days, and warning of 7 days." else if [ $line == $mainUser ] then echo "Watch out, we were going to delete the main user!" line=dummy fi deluser --remove-home $line echo "Deleted unauthorised user $line." fi done clear readmeusers="$(sed -n '/
/,/<\/pre>/p' readme.aspx | sed -e "/password:/d" | sed -e "/
/d" | sed -e "/<\/pre>/d" | sed -e "//d" | sed -e "s/ //g" | sed -e "s/[[:blank:]]//g" | sed -e 's/[[:space:]]//g' | sed -e '/^$/d' | sed -e 's/(you)//g' | cat)"

	echo "$readmeusers" | while read readmeusersfor || [[ -n $line ]];
	do
		if grep -qiw "$readmeusersfor" /etc/passwd; then
			echo "User already exists"
		else
			useradd -m $readmeusersfor
			echo -e "$pw\n$pw" | passwd "$readmeusersfor"
			echo Created missing user from ReadMe.
			passwd -x30 -n3 -w7 $readmeusersfor
			usermod -U $readmeusersfor
			echo "$readmeusersfor's password has been given a maximum age of 30 days, minimum of 3 days, and warning of 7 days."
		fi
	done

	readmeusers2="$(sed -n '/
/,/<\/pre>/p' readme.aspx | sed -e "/password:/d" | sed -e "/
/d" | sed -e "/<\/pre>/d" | sed -e "s/ //g" | sed -e "s/[[:blank:]]//g" | sed -e 's/[[:space:]]//g' | sed -e '/^$/d' | sed -e 's/(you)//g' | awk -vN=2 '/<\/b>/{++n} n>=N' - | sed -e "//d" | cat)"

	awk -F: '$6 ~ /\/home/ {print}' /etc/passwd | cut -d: -f1 | while read line || [[ -n $line ]];
	do
		if echo $readmeusers2 | grep -qiw "$line"; then
			gpasswd -d $line sudo
			gpasswd -d $line adm
			gpasswd -d $line lpadmin
			gpasswd -d $line sambashare
			gpasswd -d $line root
			echo "$line has been made a standard user."
		else
			gpasswd -a $line sudo
			gpasswd -a $line adm
			gpasswd -a $line lpadmin
			gpasswd -a $line sambashare
			echo "$line has been made an administrator."
		fi
	done

	sambaYN=no
	ftpYN=no
	sshYN=no
	telnetYN=no
	mailYN=no
	printYN=no
	dbYN=no
	httpsYN=no
	dnsYN=no
	mediaFilesYN=no
	vpnYN=no
	phpYN=no

	services=$(cat readme.aspx | sed -e '/
    /,/<\/ul>/!d;/<\/ul>/q' | sed -e "/
      /d" | sed -e "/<\/ul>/d" |  sed -e "s/ //g" | sed -e "s/[[:blank:]]//g" | sed -e 's/[[:space:]]//g' | sed -e '/^$/d' | sed -e "s/
    • //g" | sed -e "s/<\/li>//g" | cat)
	echo $services >> services

	if grep -qi 'smb\|samba' services; then
		sambaYN=yes
	fi
	if grep -qi vsftpd services; then
		ftpYN=yes
	fi
	if grep -qi ssh services; then
		sshYN=yes
	fi
	if grep -qi telnet services; then
		telnetYN=yes
	fi
	if grep -qi mail services; then
		mailYN=yes
	fi
	if grep -qi print services; then
		printYN=yes
	fi
	if grep -qi 'db\|sql' services; then
		dbYN=yes
	fi
	if grep -qi 'web\|apache\|http' services; then
		httpsYN=yes
		phpYN=yes
	fi
	if grep -qi 'bind9\|dns' services; then
		dnsYN=yes
	fi
	if grep -qi 'vpn' services; then
		dnsYN=yes
	fi
	if grep -qi 'ftp' services && ! grep -qi 'vsftpd' services; then
		ftpYN=alternate
	fi	
	
fi

clear
echo "mesg n" >> /etc/skel/.profile
profileFiles=$(find /home -type f -name .profile)
for f in $profileFiles; do cp /etc/skel/.profile $f; done

echo "mesg n" >> /etc/skel/.bashrc
bashrcFiles=$(find /home -type f -name .bashrc)
for f in $bashrcFiles; do cp /etc/skel/.bashrc $f; done

logoutFiles=$(find /home -type f -name .bash_logout)
for f in $logoutFiles; do cp /etc/skel/.bash_logout $f; done
clear
echo "Replaced .bash files with originals."

echo "ulimit -c 0" >> /etc/profile
echo -e "ProcessSizeMax=0\nStorage=none" >> /etc/systemd/coredump.conf
echo "Disabled core dumps using ulimits and systemd."

clear
echo "Functions:" > FunctionsAndVariables.txt
declare -F >> FunctionsAndVariables.txt
echo "Saved functions"

clear
echo "" >> FunctionsAndVariables.txt
echo "Variables:" >> FunctionsAndVariables.txt
printenv >> FunctionsAndVariables.txt
mv FunctionsAndVariables.txt /home/scriptuser/
echo "Saved environment variables."

clear
usermod -L root
passwd -dl root
echo "Root account has been locked. Use 'usermod -U root' to unlock it."

clear
chmod 640 .bash_history
echo "Bash history file permissions set."

clear
chmod 604 /etc/shadow
echo "Read/Write permissions on shadow have been set."

clear
ls -a /home/ >> /home/scriptuser/badfiles.log
echo "Outputted all files and directories in the /home folder."

clear
echo "install cramfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install freevxfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install squashfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install vfat /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install dccp /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install sctp /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install rds /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install tipc /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install n-hdlc /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install ax25 /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install netrom /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install x25 /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install rose /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install decnet /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install econet /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install af_802154 /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install ipx /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install appletalk /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install psnap /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install p8023 /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install p8022 /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install can /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install atm /bin/false" >> /etc/modprobe.d/CIS.conf
echo "Disabled unused filesystems and network protocols."

clear
useradd -D -f 35
echo "Set expiry for inactive accounts."

clear
rm /etc/sudoers.d/*
echo "Deleted all files in the sudoers.d directory."

clear
find / -type d -perm -002 ! -perm -1000
echo "Listed any public directories without sticky bit."

clear
echo "TMOUT=600" > /etc/profile.d/99-terminal_tmout.sh
echo "Set session timeout."

clear
sed -i 's/Defaults \!noauthenticate/d' /etc/sudoers
sed -i 's/\!noauthenticate//g' /etc/sudoers
sed -i 's/NOPASSWD\://g' /etc/sudoers
sed -i 's/\%users/d' /etc/sudoers
echo "Sudoers file secured."

echo -e "Defaults use_pty\nDefaults logfile=/var/log/sudo.log\nDefaults !pwfeedback\nDefaults !visiblepw\nDefaults passwd_timeout=1\nDefaults timestamp_timeout=5" >> /etc/sudoers
echo "PTY and logfile set up for sudo."

systemctl mask apport
systemctl mask motd-news.timer
systemctl mask motd-news.service
echo "Masked various services."

clear
cp /etc/rc.local /home/scriptuser/backups/
echo > /etc/rc.local
echo 'exit 0' >> /etc/rc.local
echo "Any startup scripts have been removed."

clear
iptables -F
iptables -X
iptables -Z

clear
echo -e "[Journal]\nStorage=persistent\nForwardToSyslog=yes\nCompress=yes" > /etc/systemd/journald.conf
cat << EOF > /etc/logrotate.conf
daily
{% if ansible_distribution == 'Ubuntu' %}
su root syslog
{% endif %}
rotate 7
create
dateext
compress
compresscmd /usr/bin/xz
uncompresscmd /usr/bin/unxz
compressext .xz
include /etc/logrotate.d
EOF
echo "/usr/sbin/logrotate /etc/logrotate.conf" > /etc/cron.daily/logrotate
echo "Set journal configuration."

clear
echo "HRNGDEVICE=/dev/urandom" | tee -a /etc/default/rng-tools
systemctl restart rng-tools
echo "Secured random entropy pool."

echo "ALL: PARANOID" > /etc/hosts.deny
echo "ALL: localhost" > /etc/hosts.allow
echo "root" > /etc/at.allow
echo "root" > /etc/cron.allow
echo "Allow and deny files configured."

systemctl mask atd
echo "Masked atd."

find / -name ".rhosts" -delete
find / -name "hosts.equiv" -delete
echo "Removed any rhosts or hosts.equiv files."

ufw enable
ufw default deny incoming
ufw default deny forward
ufw status verbose
ufw limit in on $(route | grep '^default' | grep -o '[^ ]*$')
ufw logging on
echo "UFW Firewall enabled and all ports blocked."
    
# Iptables specific
    
# Block null packets (DoS)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    
# Block syn-flood attacks (DoS)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#Drop incoming packets with fragments
iptables -A INPUT -f -j DROP

# Block XMAS packets (DoS)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Allow internal traffic on the loopback device
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections
iptables -P OUTPUT ACCEPT

#Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP

#Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP

#Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP

#Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP

#Block Sun rpc/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP

# Deny outside packets from internet which claim to be from your loopback interface.
sudo iptables -A INPUT -p all -s localhost  -i eth0 -j DROP

clear
env i='() { :;}; echo vulnerable >> test' bash -c "echo this is a test"
if test -f "test"; then
	apt-get install --only-upgrade bash -y
fi
echo "Shellshock Bash vulnerability has been fixed."

echo "netcat backdoors:" > backdoors.txt
netstat -ntlup | grep -e "netcat" -e "nc" -e "ncat" >> backdoors.txt

#goes and grabs the PID of the first process that has the name netcat. Kills the executable, doesn’t go and kill the item in one of the crons. Will go through until it has removed all netcats.
a=0;
for i in $(netstat -ntlup | grep -e "netcat" -e "nc" -e "ncat"); do
	if [[ $(echo $i | grep -c -e "/") -ne 0  ]]; then
		badPID=$(ps -ef | pgrep $( echo $i  | cut -f2 -d'/'));
		realPath=$(ls -la /proc/$badPID/exe | cut -f2 -d'>' | cut -f2 -d' ');
		cp $realPath $a
		echo "$realPath $a" >> backdoors.txt;
		a=$((a+1));
		rm $realPath;
		kill $badPID;
	fi
done
echo "" >> backdoors.txt
echo "Removed any netcat backdoors."

clear
chmod 777 /etc/hosts
cp /etc/hosts /home/scriptuser/backups/
echo > /etc/hosts
echo -e "127.0.0.1 localhost\n127.0.1.1 $mainUser\n::1 ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters" >> /etc/hosts
chmod 644 /etc/hosts
echo "HOSTS file has been set to defaults."

mawk -F: '$1 == "sudo"' /etc/group >> sudousers.log
mawk -F: '$2 == ""' /etc/passwd >> emptypasswordusers.log


clear
apt purge *tftpd* -y
echo "TFTP has been removed."

clear
echo -e "# GDM configuration storage\n\n[daemon]\n\n[security]\n\n[xdmcp]\n\n[chooser]\n\n[debug]\n" > /etc/gdm3/custom.conf
xhost +SI:localuser:gdm
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true;
sudo -u gdm gsettings set org.gnome.desktop.screensaver lock-enabled true;
xhost -
echo "User list has been hidden and autologin has been disabled."

clear
chmod 777 /etc/lightdm/lightdm.conf
cp /etc/lightdm/lightdm.conf /home/scriptuser/Desktop/backups/
sudo touch /etc/lightdm/lightdm.conf.d/myconfig.conf
echo "[SeatDefaults]"                   | tee /etc/lightdm/lightdm.conf > /dev/null
echo "allow-guest=false"                | tee -a /etc/lightdm/lightdm.conf > /dev/null
echo "greeter-hide-users=true"          | tee -a /etc/lightdm/lightdm.conf > /dev/null
echo "greeter-show-manual-login=true"   | tee -a /etc/lightdm/lightdm.conf > /dev/null
echo "greeter-allow-guest=false"        | tee -a /etc/lightdm/lightdm.conf > /dev/null
echo "autologin-guest=false"            | tee -a /etc/lightdm/lightdm.conf > /dev/null
echo "AutomaticLoginEnable=false"       | tee -a /etc/lightdm/lightdm.conf > /dev/null
echo "xserver-allow-tcp=false"          | tee -a /etc/lightdm/lightdm.conf > /dev/null
chmod 644 /etc/lightdm/lightdm.conf
echo "LightDM has been secured."

clear
find /bin/ -name "*.sh" -type f -delete
echo "badfiles in bin have been removed."

clear
cp /etc/default/irqbalance /home/scriptuser/backups/
echo > /etc/default/irqbalance

echo -e "#Configuration for the irqbalance daemon\n\n#Should irqbalance be enabled?\nENABLED=\"0\"\n#Balance the IRQs only once?\nONESHOT=\"0\"" >> /etc/default/irqbalance
echo "IRQ Balance has been disabled."

find /boot/ -type f -name '*.cfg' -exec chmod 0400 {} \;
echo "Secured any config files in boot."

wget https://raw.githubusercontent.com/konstruktoid/hardening/master/misc/suid.list
if ! [ -f suid.list ]; then
    echo "The list with SUID binaries can't be found."
else
    while read -r suid; do
      file=$(command -v "$suid")
      if [ -x "$file" ]; then
          if stat -c "%A" "$file" | grep -qi 's'; then
            echo "$file SUID bit removed."
          fi
          chmod -s "$file"
          oct=$(stat -c "%A" "$file" | sed 's/s/x/g')
          ug=$(stat -c "%U %G" "$file")
          dpkg-statoverride --remove "$file" 2> /dev/null
          dpkg-statoverride --add "$ug" "$oct" "$file" 2> /dev/null
      fi
    done <<< "$(grep -E '^[a-zA-Z0-9]' suid.list)"
fi
echo "Removed SUID bit from known culprits."

clear
update-rc.d bluetooth remove
echo 'alias net-pf-31 off' >> /etc/modprobe.conf
echo "Bluetooth disabled."

clear
aideinit &
aide.wrapper --check
echo "Initiated AIDE."

clear
cp /etc/sysctl.conf /home/scriptuser/backups/
rm /etc/sysctl.d/*
dpkg --purge --force-depends procps
apt install procps
echo "Sysctl and Procps configuration set to defaults"

echo -e "[Resolve]\nDNS=8.8.8.8#dns.google\nDomains=~.\nDNSSEC=yes\nDNSOverTLS=yes" > /etc/systemd/resolved.conf
systemctl enable --now systemd-resolved
systemctl start systemd-resolved
ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
echo "Correct nameserves and DNS settings set."

lsattr -a -R 2>/dev/null | grep -P "(?<=-)i(?=-).* " | tee immutablefiles.log
echo "Listed immutable files."

# Add these configs
echo kernel.dmesg_restrict=1            | tee /etc/sysctl.conf > /dev/null # Scored
echo fs.suid_dumpable=0                 | tee -a /etc/sysctl.conf > /dev/null # Core dumps # Scored
echo kernel.msgmnb=65536                | tee -a /etc/sysctl.conf > /dev/null
echo kernel.msgmax=65536                | tee -a /etc/sysctl.conf > /dev/null
echo kernel.sysrq=0                     | tee -a /etc/sysctl.conf > /dev/null
echo dev.tty.ldisc_autoload=0           | tee -a /etc/sysctl.conf > /dev/null
echo fs.protected_fifos=2               | tee -a /etc/sysctl.conf > /dev/null
echo kernel.maps_protect=1              | tee -a /etc/sysctl.conf > /dev/null
echo kernel.unprivileged_bpf_disabled=1 | tee -a /etc/sysctl.conf > /dev/null
echo kernel.core_uses_pid=1             | tee -a /etc/sysctl.conf > /dev/null
echo kernel.shmmax=68719476736          | tee -a /etc/sysctl.conf > /dev/null
echo kernel.shmall=4294967296           | tee -a /etc/sysctl.conf > /dev/null
echo kernel.exec_shield=1               | tee -a /etc/sysctl.conf > /dev/null
echo vm.mmap_min_addr = 65536           | tee -a /etc/sysctl.conf > /dev/null
echo vm.mmap_rnd_bits = 32              | tee -a /etc/sysctl.conf > /dev/null
echo vm.mmap_rnd_compat_bits = 16            | tee -a /etc/sysctl.conf > /dev/null
echo kernel.pid_max = 65536             | tee -a /etc/sysctl.conf > /dev/null
echo kernel.panic=10                    | tee -a /etc/sysctl.conf > /dev/null
echo kernel.kptr_restrict=2             | tee -a /etc/sysctl.conf > /dev/null
echo vm.panic_on_oom=1                  | tee -a /etc/sysctl.conf > /dev/null
echo net.core.bpf_jit_harden=2		| tee -a /etc/sysctl.conf > /dev/null
echo fs.protected_hardlinks=1           | tee -a /etc/sysctl.conf > /dev/null
echo fs.protected_symlinks=1            | tee -a /etc/sysctl.conf > /dev/null
echo kernel.randomize_va_space=2        | tee -a /etc/sysctl.conf > /dev/null # Scored ASLR; 2 = full; 1 = semi; 0 = none
echo kernel.unprivileged_userns_clone=0 | tee -a /etc/sysctl.conf > /dev/null # Scored
echo kernel.ctrl-alt-del=0              | tee -a /etc/sysctl.conf > /dev/null # Scored CTRL-ALT-DEL disable
echo kernel.perf_event_paranoid = 3     | tee -a /etc/sysctl.conf > /dev/null
echo kernel.perf_event_max_sample_rate = 1   | tee -a /etc/sysctl.conf > /dev/null
echo kernel.perf_cpu_time_max_percent = 1    | tee -a /etc/sysctl.conf > /dev/null
echo kernel.yama.ptrace_scope = 3 | tee -a /etc/sysctl.conf > /dev/null
echo kernel.kexec_load_disabled = 1 | tee -a /etc/sysctl.conf > /dev/null
echo fs.protected_regular = 2 | tee -a /etc/sysctl.conf > /dev/null
echo vm.unprivileged_userfaultfd = 0 | tee -a /etc/sysctl.conf > /dev/null

sysctl --system
clear
echo "Sysctl system settings set."

# IPv4 TIME-WAIT assassination protection
echo net.ipv4.tcp_rfc1337=1 | tee -a /etc/sysctl.conf > /dev/null

echo net.ipv4.ip_forward = 0 | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.tcp_fin_timeout = 30 | tee -a /etc/sysctl.conf > /dev/null

# IP Spoofing protection, Source route verification  
# Scored
echo net.ipv4.conf.all.rp_filter=1      | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.conf.default.rp_filter=1  | tee -a /etc/sysctl.conf > /dev/null

# Ignore ICMP broadcast requests
echo net.ipv4.icmp_echo_ignore_broadcasts=1 | tee -a /etc/sysctl.conf > /dev/null

# Ignore Directed pings
echo net.ipv4.icmp_echo_ignore_all=1 | tee -a /etc/sysctl.conf > /dev/null

# Log Martians
echo net.ipv4.conf.all.log_martians=1               | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.icmp_ignore_bogus_error_responses=1   | tee -a /etc/sysctl.conf > /dev/null

# Disable source packet routing
echo net.ipv4.conf.all.accept_source_route=0        | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.conf.default.accept_source_route=0    | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.all.accept_source_route=0        | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.accept_source_route=0    | tee -a /etc/sysctl.conf > /dev/null

# Block SYN attacks
echo net.ipv4.tcp_syncookies=1          | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.tcp_max_syn_backlog=2048  | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.tcp_synack_retries=2      | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.tcp_max_orphans=256       | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.tcp_window_scaling = 0    | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.tcp_timestamps=0          | tee -a /etc/sysctl.conf > /dev/null

    
# Ignore ICMP redirects
echo net.ipv4.conf.all.send_redirects=0         | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.conf.default.send_redirects=0     | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.conf.all.accept_redirects=0       | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.conf.default.accept_redirects=0   | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.conf.all.secure_redirects=0       | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv4.conf.default.secure_redirects=0   | tee -a /etc/sysctl.conf > /dev/null

echo net.ipv6.conf.all.send_redirects=0         | tee -a /etc/sysctl.conf > /dev/null # ignore ?
echo net.ipv6.conf.default.send_redirects=0     | tee -a /etc/sysctl.conf > /dev/null # ignore ?
echo net.ipv6.conf.all.accept_redirects=0       | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.accept_redirects=0   | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.all.secure_redirects=0       | tee -a /etc/sysctl.conf > /dev/null # ignore ?
echo net.ipv6.conf.default.secure_redirects=0   | tee -a /etc/sysctl.conf > /dev/null # ignore ?

# Note disabling ipv6 means you dont need the majority of the ipv6 settings

# General options
echo net.ipv6.conf.default.router_solicitations=0   | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.accept_ra_rtr_pref=0     | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.accept_ra_pinfo=0        | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.accept_ra_defrtr=0       | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.autoconf=0               | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.dad_transmits=0          | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.default.max_addresses=1          | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.all.disable_ipv6=1               | tee -a /etc/sysctl.conf > /dev/null
echo net.ipv6.conf.lo.disable_ipv6=1                | tee -a /etc/sysctl.conf > /dev/null
echo -e "net.ipv4.tcp_sack=0\nnet.ipv4.tcp_dsack=0\nnet.ipv4.tcp_fack=0" >> /etc/sysctl.conf

# Reload the configs 
sysctl --system
sysctl -w net.ipv4.route.flush=1
echo "Reloaded sysctl and flushed route."

clear
# Disable IPV6
sed -i "s/IPV6=yes/IPV6=no/g" /etc/default/ufw
echo "blacklist ipv6" | tee -a /etc/modprobe.d/blacklist > /dev/null
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf
clear
echo "Sysctl network settings set."

ip -a
echo "IP info logged."

netstat -pnola
echo "All active ports logged."

chmod -f 0700 /etc/cron.monthly/*
chmod -f 0700 /etc/cron.weekly/*
chmod -f 0700 /etc/cron.daily/*
chmod -f 0700 /etc/cron.hourly/*
chmod -f 0700 /etc/cron.d/*
chmod -f 0400 /etc/cron.allow
chmod -f 0400 /etc/cron.deny
chmod -f 0400 /etc/crontab
chmod -f 0400 /etc/at.allow
chmod -f 0400 /etc/at.deny
chmod -f 0700 /etc/cron.daily
chmod -f 0700 /etc/cron.weekly
chmod -f 0700 /etc/cron.monthly
chmod -f 0700 /etc/cron.hourly
chmod -f 0700 /var/spool/cron
chmod -f 0600 /var/spool/cron/*
chmod -f 0700 /var/spool/at
chmod -f 0600 /var/spool/at/*
chmod -f 0400 /etc/anacrontab
chmod -f 1777 /tmp
chown -f root:root /var/crash
chown -f root:root /var/cache/mod_proxy
chown -f root:root /var/lib/dav
chown -f root:root /usr/bin/lockfile
chown -f rpcuser:rpcuser /var/lib/nfs/statd
chown -f adm:adm /var/adm
chmod -f 0600 /var/crash
chown -f root:root /bin/mail
chmod -f 0700 /sbin/reboot
chmod -f 0700 /sbin/shutdown
chmod -f 0600 /etc/ssh/ssh*config
chown -f root:root /root
chmod -f 0700 /root
chmod -f 0500 /usr/bin/ypcat
chmod -f 0700 /usr/sbin/usernetctl
chmod -f 0700 /usr/bin/rlogin
chmod -f 0700 /usr/bin/rcp
chmod -f 0640 /etc/pam.d/system-auth*
chmod -f 0640 /etc/login.defs
chmod -f 0750 /etc/security
chmod -f 0600 /etc/audit/audit.rules
chown -f root:root /etc/audit/audit.rules
chmod -f 0600 /etc/audit/auditd.conf
chown -f root:root /etc/audit/auditd.conf
chmod -f 0600 /etc/auditd.conf
chmod -f 0744 /etc/rc.d/init.d/auditd
chown -f root /sbin/auditctl
chmod -f 0750 /sbin/auditctl
chown -f root /sbin/auditd
chmod -f 0750 /sbin/auditd
chmod -f 0750 /sbin/ausearch
chown -f root /sbin/ausearch
chown -f root /sbin/aureport
chmod -f 0750 /sbin/aureport
chown -f root /sbin/autrace
chmod -f 0750 /sbin/autrace
chown -f root /sbin/audispd
chmod -f 0750 /sbin/audispd
chmod -f 0444 /etc/bashrc
chmod -f 0444 /etc/csh.cshrc
chmod -f 0444 /etc/csh.login
chmod -f 0600 /etc/cups/client.conf
chmod -f 0600 /etc/cups/cupsd.conf
chown -f root:sys /etc/cups/client.conf
chown -f root:sys /etc/cups/cupsd.conf
chmod -f 0600 /etc/grub.conf
chown -f root:root /etc/grub.conf
chmod -f 0600 /boot/grub2/grub.cfg
chown -f root:root /boot/grub2/grub.cfg
chmod -f 0600 /boot/grub/grub.cfg
chown -f root:root /boot/grub/grub.cfg
chown -f root:root /etc/hosts
chmod -f 0600 /etc/inittab
chown -f root:root /etc/inittab
chmod -f 0444 /etc/mail/sendmail.cf
chown -f root:bin /etc/mail/sendmail.cf
chmod -f 0600 /etc/ntp.conf
chmod -f 0640 /etc/security/access.conf
chmod -f 0600 /etc/security/console.perms
chmod -f 0600 /etc/security/console.perms.d/50-default.perms
chmod -f 0600 /etc/security/limits
chmod -f 0444 /etc/services
chmod -f 0444 /etc/shells
chmod -f 0644 /etc/skel/.*
chmod -f 0600 /etc/skel/.bashrc
chmod -f 0600 /etc/skel/.bash_profile
chmod -f 0600 /etc/skel/.bash_logout
chmod -f 0440 /etc/sudoers
chown -f root:root /etc/sudoers
chmod -f 0600 /etc/sysctl.conf
chown -f root:root /etc/sysctl.conf
chown -f root:root /etc/sysctl.d/*
chmod -f 0700 /etc/sysctl.d
chmod -f 0600 /etc/sysctl.d/*
chmod -f 0600 /etc/syslog.conf
chmod -f 0600 /var/yp/binding
chown -f root:$AUDIT /var/log
chown -Rf root:$AUDIT /var/log/*
chmod -Rf 0640 /var/log/*
chmod -Rf 0640 /var/log/audit/*
chmod -f 0755 /var/log
chmod -f 0750 /var/log/syslog /var/log/audit
chmod -f 0600 /var/log/lastlog*
chmod -f 0600 /var/log/cron*
chmod -f 0600 /var/log/btmp
chmod -f 0660 /var/log/wtmp
chmod -f 0444 /etc/profile
chmod -f 0700 /etc/rc.d/rc.local
chmod -f 0400 /etc/securetty
chmod -f 0700 /etc/rc.local
chmod -f 0750 /usr/bin/wall
chown -f root:tty /usr/bin/wall
chown -f root:users /mnt
chown -f root:users /media
chmod -f 0644 /etc/.login
chmod -f 0644 /etc/profile.d/*
chown -f root /etc/security/environ
chown -f root /etc/xinetd.d
chown -f root /etc/xinetd.d/*
chmod -f 0750 /etc/xinetd.d
chmod 440 /etc/ers
chmod -f 0640 /etc/xinetd.d/*
chmod -f 0640 /etc/selinux/config
chmod -f 0750 /usr/bin/chfn
chmod -f 0750 /usr/bin/chsh
chmod -f 0750 /usr/bin/write
chmod -f 0750 /sbin/mount.nfs
chmod -f 0750 /sbin/mount.nfs4
chmod -f 0700 /usr/bin/ldd #0400 FOR SOME SYSTEMS
chmod -f 0700 /bin/traceroute
chown -f root:root /bin/traceroute
chmod -f 0700 /usr/bin/traceroute6*
chown -f root:root /usr/bin/traceroute6
chmod -f 0700 /bin/tcptraceroute
chmod -f 0700 /sbin/iptunnel
chmod -f 0700 /usr/bin/tracpath*
chmod -f 0644 /dev/audio
chown -f root:root /dev/audio
chmod -f 0644 /etc/environment
chown -f root:root /etc/environment
chmod -f 0600 /etc/modprobe.conf
chown -f root:root /etc/modprobe.conf
chown -f root:root /etc/modprobe.d
chown -f root:root /etc/modprobe.d/*
chmod -f 0700 /etc/modprobe.d
chmod -f 0600 /etc/modprobe.d/*
chmod -f o-w /selinux/*

chmod -f 0755 /etc
chmod -f 0644 /usr/share/man/man1/*
chmod -Rf 0644 /usr/share/man/man5
chmod -Rf 0644 /usr/share/man/man1
chmod -f 0600 /etc/yum.repos.d/*
chmod -f 0640 /etc/fstab
chmod -f 0755 /var/cache/man
chmod -f 0755 /etc/init.d/atd
chmod -f 0750 /etc/ppp/peers
chmod -f 0755 /bin/ntfs-3g
chmod -f 0750 /usr/sbin/pppd
chmod -f 0750 /etc/chatscripts
chmod -f 0750 /usr/local/share/ca-certificates
chmod -f 0755 /bin/csh
chmod -f 0755 /bin/jsh
chmod -f 0755 /bin/ksh
chmod -f 0755 /bin/rsh
chmod -f 0755 /bin/sh
chmod -f 0640 /dev/kmem
chown -f root:sys /dev/kmem
chmod -f 0640 /dev/mem
chown -f root:sys /dev/mem
chmod -f 0666 /dev/null
chown -f root:sys /dev/null
chmod -f 0755 /etc/csh
chmod -f 0755 /etc/jsh
chmod -f 0755 /etc/ksh
chmod -f 0755 /etc/rsh
chmod -f 0755 /etc/sh
chmod -f 0644 /etc/aliases
chown -f root:root /etc/aliases
chmod -f 0640 /etc/exports
chown -f root:root /etc/exports
chmod -f 0640 /etc/ftpusers
chown -f root:root /etc/ftpusers
chmod -f 0664 /etc/host.lpd
chmod -f 0440 /etc/inetd.conf
chown -f root:root /etc/inetd.conf
chmod -f 0644 /etc/mail/aliases
chown -f root:root /etc/mail/aliases
chmod -f 0644 /etc/passwd
chown -f root:root /etc/passwd
chmod -f 0400 /etc/shadow
chown -f root:root /etc/shadow
chmod -f 0600 /etc/uucp/L.cmds
chown -f uucp:uucp /etc/uucp/L.cmds
chmod -f 0600 /etc/uucp/L.sys
chown -f uucp:uucp /etc/uucp/L.sys
chmod -f 0600 /etc/uucp/Permissions
chown -f uucp:uucp /etc/uucp/Permissions
chmod -f 0600 /etc/uucp/remote.unknown
chown -f root:root /etc/uucp/remote.unknown
chmod -f 0600 /etc/uucp/remote.systems
chmod -f 0600 /etc/uccp/Systems
chown -f uucp:uucp /etc/uccp/Systems
chmod -f 0755 /sbin/csh
chmod -f 0755 /sbin/jsh
chmod -f 0755 /sbin/ksh
chmod -f 0755 /sbin/rsh
chmod -f 0755 /sbin/sh
chmod -f 0755 /usr/bin/csh
chmod -f 0755 /usr/bin/jsh
chmod -f 0755 /usr/bin/ksh
chmod -f 0755 /usr/bin/rsh
chmod -f 0755 /usr/bin/sh
chmod -f 1777 /var/mail
chmod -f 1777 /var/spool/uucppublic
chmod 700 ~/.ssh && chmod 600 ~/.ssh/*

chmod o= /etc/ftpusers 
chmod o= /etc/group
chmod o= /etc/hosts.allow 
chmod o= /etc/hosts.equiv
chmod o= /etc/hosts.lpd 
chmod o= /etc/inetd.conf
chmod o= /etc/login.access 
chmod o= /etc/login.conf 
chmod o= /etc/newsyslog.conf
chmod o= /etc/rc.conf 
chmod o= /etc/ssh/sshd_config 
chmod o= /etc/sysctl.conf
chmod o= /etc/syslog.conf 
chmod o= /etc/ttys 
chmod o= /etc/fstab

chown root:root /etc/anacrontab
chmod og-rwx /etc/anacrontab
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily
chown root:root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
chown root:root /etc/passwd-
chmod og-rwx /boot/grub/grub.cfg  		
chown root:shadow /etc/shadow-	
chmod o-rwx,g-rw /etc/shadow-	
chown root:shadow /etc/gshadow-	
chmod o-rwx,g-rw /etc/gshadow-	
chgrp syslog /var/log	
chown root /var/log	
chmod 0750 /var/log	
chgrp adm /var/log/syslog	
chown syslog /var/log/syslog	
chmod 0640 /var/log/syslog	
chmod 04755 /usr/bin/su	
chmod 04755 /usr/bin/newgrp	
chmod 04755 /usr/bin/mount
chown root:root /etc/group-
chmod 600 /etc/gshadow-            	
chmod 600 /etc/group-             	
chmod 600 /etc/passwd-   
chown root:root /etc/grub.conf
chown root:root /etc/fstab
chmod og-rwx /etc/grub.conf
chmod 700 /root
chmod o= /var/log 
chmod 644 /etc/passwd
chown root:root /etc/passwd
chmod 644 /etc/group
chown root:root /etc/group
chmod 600 /etc/shadow
chown root:root /etc/shadow
chmod 600 /etc/gshadow
chown root:root /etc/gshadow		
chmod 700 /var/log/audit
chmod 740 /etc/rc.d/init.d/iptables
chmod 740 /sbin/iptables
chmod 600 /etc/rsyslog.conf
chmod 640 /etc/security/access.conf
chmod 600 /etc/sysctl.conf

chown root:root /etc/anacrontab
chmod og-rwx /etc/anacrontab
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily
chown root:root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg
chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg

chown root:root /etc/cron*
chmod og-rwx /etc/cron*
#Ensure at/cron is restricted to authorized users 

touch /etc/cron.allow
touch /etc/at.allow

chmod og-rwx /etc/cron.allow /etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow
chmod -R g-wx,o-rwx /var/log/*

chown root:root /etc/cron

if [[ -d /usr/local/share/clamav ]]; then
  passwd -l clamav 2>/dev/null
  usermod -s /sbin/nologin clamav 2>/dev/null
  chmod -f 0755 /usr/local/share/clamav
  chown -f root:clamav /usr/local/share/clamav
  chown -f root:clamav /usr/local/share/clamav/*.cvd
  chmod -f 0664 /usr/local/share/clamav/*.cvd
  mkdir -p /var/log/clamav
  chown -f root:$AUDIT /var/log/clamav
  chmod -f 0640 /var/log/clamav
fi
if [[ -d /var/clamav ]]; then
  passwd -l clamav 2>/dev/null
  usermod -s /sbin/nologin clamav 2>/dev/null
  chmod -f 0755 /var/clamav
  chown -f root:clamav /var/clamav
  chown -f root:clamav /var/clamav/*.cvd
  chmod -f 0664 /var/clamav/*.cvd
  mkdir -p /var/log/clamav
  chown -f root:$AUDIT /var/log/clamav
  chmod -f 0640 /var/log/clamav
fi

find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 {} \;
find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root {} \;
find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root {} \;
find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 {} \;
find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root {} \;
find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec chgrp root {} \;

find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 {} \;
find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 {} \;
find /lib /usr/lib /lib64 ! -user root -type f -exec chown root {} \;
find /lib /usr/lib /lib64 ! -user root -type d -exec chown root {} \;
find /lib /usr/lib /lib64 ! -group root -type f -exec chgrp root {} \;
find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root {} \;

echo "Finished changing permissions."

clear
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user dir; do
  	if [ ! -d "$dir" ]; then
		echo "The home directory \"$dir\" of user \"$user\" does not exist."
	else
		for file in "$dir"/.[A-Za-z0-9]*; do
			if [ ! -h "$file" ] && [ -f "$file" ]; then
				fileperm="$(ls -ld "$file" | cut -f1 -d" ")"
				if [ "$(echo "$fileperm" | cut -c6)" != "-" ]; then
					echo "Group Write permission set on file $file"
				fi
				if [ "$(echo "$fileperm" | cut -c9)" != "-" ]; then
					echo "Other Write permission set on file \"$file\""
				fi
			fi
		done
	fi
done
echo "Checked that all users have home directories."

clear
awk -F: '{print $4}' /etc/passwd | while read -r gid; do
	if ! grep -E -q "^.*?:[^:]*:$gid:" /etc/group; then
		echo "The group ID \"$gid\" does not exist in /etc/group"
	fi
done
echo "Confirmed that all groups in /etc/passwd are also in /etc/group"

clear
awk -F: '{print $3}' /etc/passwd | sort -n | uniq -c | while read -r uid; do
	[ -z "$uid" ] && break
	set - $uid
	if [ $1 -gt 1 ]; then
		users=$(awk -F: '($3 == n) { print $1 }' n="$2" /etc/passwd | xargs)
		echo "Duplicate UID \"$2\": \"$users\""
	fi
done
echo "Confirmed that all users have a unique UID."

clear
cut -d: -f3 /etc/group | sort | uniq -d | while read x ; do
	echo "Duplicate GID ($x) in /etc/group"
done
echo "Confirmed that all groups have a unique GID."

clear
cut -d: -f1 /etc/passwd | sort | uniq -d | while read -r usr; do
	echo "Duplicate login name \"$usr\" in /etc/passwd"
done
echo "Confirmed that all users have a unique name."

clear
cut -d: -f1 /etc/group | sort | uniq -d | while read -r grp; do
	echo "Duplicate group name \"$grp\" exists in /etc/group"
done
echo "Confirmed that all groups have a unique name."

clear
grep "^shadow:[^:]*:[^:]*:[^:]+" /etc/group
echo "If any users are printed above this, they are part of the shadow group and need to be removed from the group IMMEDIATELY!"

clear
touch /zerouidusers
touch /uidusers

cut -d: -f1,3 /etc/passwd | egrep ':0$' | cut -d: -f1 | grep -v root > /zerouidusers

if [ -s /zerouidusers ]
then
	echo "There are Zero UID Users! I'm fixing it now!"

	while IFS='' read -r line || [[ -n "$line" ]]; do
		thing=1
		while true; do
			rand=$(( ( RANDOM % 999 ) + 1000))
			cut -d: -f1,3 /etc/passwd | grep -E ":$rand$" | cut -d: -f1 > /uidusers
			if [ -s /uidusers ]
			then
				echo "Couldn't find unused UID. Trying Again... "
			else
				break
			fi
		done
		sed -i "s/$line:x:0:0/$line:x:$rand:$rand/g" /etc/passwd
		echo "ZeroUID User: $line"F
		echo "Assigned UID: $rand"
	done < "/zerouidusers"
	update-passwd
	cut -d: -f1,3 /etc/passwd | grep -E ':0$' | cut -d: -f1 | grep -v root > /zerouidusers

	if [ -s /zerouidusers ]
	then
		echo "WARNING: UID CHANGE UNSUCCESSFUL!"
	else
		echo "Successfully Changed Zero UIDs!"
	fi
else
	echo "No Zero UID Users"
fi

clear
if [ $sambaYN == no ]
then
	ufw deny netbios-ns
	ufw deny netbios-dgm
	ufw deny netbios-ssn
	ufw deny microsoft-ds
	apt-get purge samba -y
	apt-get purge samba-common -y
	apt-get purge samba-common-bin -y
	apt-get purge samba4 -y
	clear
	echo "netbios-ns, netbios-dgm, netbios-ssn, and microsoft-ds ports have been denied. Samba has been removed."
else
	ufw allow netbios-ns
	ufw allow netbios-dgm
	ufw allow netbios-ssn
	ufw allow microsoft-ds
	apt-get install samba -y
	systemctl start smbd
	systemctl status smbd
	cp /etc/samba/smb.conf /home/scriptuser/backups/
	if [ "$(grep '####### Authentication #######' /etc/samba/smb.conf)" == 0 ]
	then
		sed -i 's/####### Authentication #######/####### Authentication #######\nsecurity = user/g' /etc/samba/smb.conf
	fi
        echo "restrict anonymous = 2"       | tee -a /etc/samba/smb.conf > /dev/null
        echo "encrypt passwords = True"     | tee -a /etc/samba/smb.conf > /dev/null # Idk which one it takes
        echo "encrypt passwords = yes"      | tee -a /etc/samba/smb.conf > /dev/null
        echo "read only = Yes"              | tee -a /etc/samba/smb.conf > /dev/null
        echo "ntlm auth = no"               | tee -a /etc/samba/smb.conf > /dev/null
        echo "obey pam restrictions = yes"  | tee -a /etc/samba/smb.conf > /dev/null
        echo "server signing = mandatory"   | tee -a /etc/samba/smb.conf > /dev/null
        echo "smb encrypt = mandatory"      | tee -a /etc/samba/smb.conf > /dev/null
        echo "min protocol = SMB2"          | tee -a /etc/samba/smb.conf > /dev/null
        echo "protocol = SMB2"              | tee -a /etc/samba/smb.conf > /dev/null
        echo "guest ok = no"                | tee -a /etc/samba/smb.conf > /dev/null
        echo "max log size = 24"            | tee -a /etc/samba/smb.conf > /dev/null
	echo "netbios-ns, netbios-dgm, netbios-ssn, and microsoft-ds ports have been opened. Samba config file has been configured."
	
	shares=$(ls -l /var/lib/samba/usershares | awk '{print "/var/lib/samba/usershares/"$8}')
        for i in $shares
        do
                cat $i | grep path >> /home/scriptuser/smbshares.log
        done
	
	while read line; do
                [[ "$line" =~ ^\[ ]] && name="$line"
                [[ "$line" =~ ^[[:space:]]*path ]] && echo -e "$name\t$line" >> /home/scriptuser/smbshares.log
        done < /etc/samba/smb.conf
	clear
fi
echo "Samba is complete."

clear
if [ $ftpYN == no ]
then
	ufw deny ftp 
	ufw deny sftp 
	ufw deny saft 
	ufw deny ftps-data 
	ufw deny ftps
	apt-get purge vsftpd proftpd *ftpd* -y
	echo "vsFTPd has been removed. ftp, sftp, saft, ftps-data, and ftps ports have been denied on the firewall."
elif [ $ftpYN == yes ]
then
    ufw allow ftp 
    ufw allow sftp 
    ufw allow saft 
    ufw allow ftps-data 
    ufw allow ftps
    apt-get install vsftpd -y
    cp /etc/vsftpd.conf /home/scriptuser/backups/
    config_file="/etc/vsftpd.conf"
    
    cat << EOF > /etc/fail2ban/jail.local
    [vsftpd]
    enabled = true
    port = ftp,ftp-data,ftps,ftps-data
    logpath = %(vsftpd_log)s
EOF
    
    cat << EOF > /etc/fail2ban/filter.d/vsftpd.conf
    [INCLUDES]
    before = common.conf
    [Definition]
    __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
    _daemon = vsftpd
    failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
    ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
    ^ \[pid \d+\] \[root\] FAIL LOGIN: Client ""(?:\s*$|,)
    ignoreregex =
EOF
    systemctl restart fail2ban

    # Jail users to home directory (user will need a home dir to exist)
    echo "chroot_local_user=YES"                        | sudo tee $config_file > /dev/null
    echo "chroot_list_enable=YES"                       | sudo tee -a $config_file > /dev/null
    echo "chroot_list_file=/etc/vsftpd.chroot_list"     | sudo tee -a $config_file > /dev/null
    echo "allow_writeable_chroot=YES"                   | sudo tee -a $config_file > /dev/null # Only enable if you want files to be editable

    # Allow or deny users
    echo "userlist_enable=YES"                  | sudo tee -a $config_file > /dev/null
    echo "userlist_file=/etc/vsftpd.userlist"   | sudo tee -a $config_file > /dev/null
    echo "userlist_deny=NO"                     | sudo tee -a $config_file > /dev/null

    # General config
    echo "anonymous_enable=NO"          | sudo tee -a $config_file > /dev/null # disable  anonymous login
    echo "local_enable=YES"             | sudo tee -a $config_file > /dev/null # permit local logins
    echo "write_enable=YES"             | sudo tee -a $config_file > /dev/null # enable FTP commands which change the filesystem
    echo "local_umask=022"              | sudo tee -a $config_file > /dev/null # value of umask for file creation for local users
    echo "dirmessage_enable=YES"        | sudo tee -a $config_file > /dev/null # enable showing of messages when users first enter a new directory
    echo "xferlog_enable=YES"           | sudo tee -a $config_file > /dev/null # a log file will be maintained detailing uploads and downloads
    echo "connect_from_port_20=YES"     | sudo tee -a $config_file > /dev/null # use port 20 (ftp-data) on the server machine for PORT style connections
    echo "xferlog_std_format=YES"       | sudo tee -a $config_file > /dev/null # keep standard log file format
    echo "listen=NO"                    | sudo tee -a $config_file > /dev/null # prevent vsftpd from running in standalone mode
    echo "pam_service_name=vsftpd"      | sudo tee -a $config_file > /dev/null # name of the PAM service vsftpd will use
    echo "userlist_enable=YES"          | sudo tee -a $config_file > /dev/null # enable vsftpd to load a list of usernames
    echo "tcp_wrappers=YES"             | sudo tee -a $config_file > /dev/null # turn on tcp wrappers

    echo "ascii_upload_enable=NO"   | sudo tee -a $config_file > /dev/null 
    echo "ascii_download_enable=NO" | sudo tee -a $config_file > /dev/null
    systemctl restart vsftpd
    systemctl status vsftpd
    echo "ftp, sftp, saft, ftps-data, and ftps ports have been allowed on the firewall. vsFTPd systemctl has been restarted."
else
	echo "Alternate FTP server not configured."
fi
echo "FTP is complete."


clear
if [ $sshYN == no ]
then
	ufw deny ssh
	apt-get purge openssh-server -y
	rm -R ../.ssh
	echo "SSH port has been denied on the firewall. Open-SSH has been removed."
else
	apt-get install openssh-server -y
	ufw allow ssh
	cp /etc/ssh/sshd_config /home/scriptuser/backups/
	
	cat << EOF >> /etc/fail2ban/jail.local
	[sshd]
	enabled = true
	port = 22
	filter = sshd
	logpath = /var/log/auth.log
	maxretry = 3
EOF
	systemctl restart fail2ban
	echo "Fail2Ban configured for SSH."

	echo -e "# Package generated configuration file\n# See the sshd_config(5) manpage for details\n\n# What ports, IPs and protocols we listen for\nPort 223\n# Use these options to restrict which interfaces/protocols sshd will bind to\n#ListenAddress ::\n#ListenAddress 0.0.0.0\nProtocol 2\n# HostKeys for protocol version \nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\n#Privilege Separation is turned on for security\nUsePrivilegeSeparation yes\n\n# Lifetime and size of ephemeral version 1 server key\nKeyRegenerationInterval 3600\nServerKeyBits 1024\n\n# Logging\nSyslogFacility AUTH\nLogLevel VERBOSE\n\n# Authentication:\nLoginGraceTime 30\nPermitRootLogin no\nStrictModes yes\n\nRSAAuthentication yes\nPubkeyAuthentication yes\n#AuthorizedKeysFile	$(pwd)/../.ssh/authorized_keys\n\n# Don't read the user's /home/scriptuser/.rhosts and /home/scriptuser/.shosts files\nIgnoreRhosts yes\n# For this to work you will also need host keys in /etc/ssh_known_hosts\nRhostsRSAAuthentication no\n# similar for protocol version 2\nHostbasedAuthentication no\n# Uncomment if you don't trust /home/scriptuser/.ssh/known_hosts for RhostsRSAAuthentication\n#IgnoreUserKnownHosts yes\n\n# To enable empty passwords, change to yes (NOT RECOMMENDED)\nPermitEmptyPasswords no\n\n# Change to yes to enable challenge-response passwords (beware issues with\n# some PAM modules and threads)\nChallengeResponseAuthentication no\n\n# Change to no to disable tunnelled clear text passwords\nPasswordAuthentication no\n\n# Kerberos options\n#KerberosAuthentication no\n#KerberosGetAFSToken no\n#KerberosOrLocalPasswd yes\n#KerberosTicketCleanup yes\n\n# GSSAPI options\n#GSSAPIAuthentication no\n#GSSAPICleanupCredentials yes\n\nX11Forwarding no\nX11DisplayOffset 10\nPrintMotd no\nPrintLastLog yes\nTCPKeepAlive no\n#UseLogin no\n\nMaxStartups 2\n#Banner /etc/issue.net\n\n# Allow client to pass locale environment variables\nAcceptEnv LANG LC_*\n\nSubsystem sftp /usr/lib/openssh/sftp-server\n\n# Set this to 'yes' to enable PAM authentication, account processing,\n# and session processing. If this is enabled, PAM authentication will\n# be allowed through the ChallengeResponseAuthentication and\n# PasswordAuthentication.  Depending on your PAM configuration,\n# PAM authentication via ChallengeResponseAuthentication may bypass\n# the setting of \"PermitRootLogin without-password\".\n# If you just want the PAM account and session checks to run without\n# PAM authentication, then enable this but set PasswordAuthentication\n# and ChallengeResponseAuthentication to 'no'.\nUsePAM yes\nRhostsAuthentication no\nClientAliveInterval 300\nClientAliveCountMax 1\nVerifyReverseMapping yes\nAllowTcpForwarding no\nUseDNS no\nPermitUserEnvironment no\nMaxAuthTries 3\nGatewayPorts no\nAllowAgentForwarding no\nMaxSessions 2\nCompression no\nMaxStartups 10:30:100\nAllowStreamLocalForwarding no\nPermitTunnel no" > /etc/ssh/sshd_config
	echo "Banner /etc/issue.net" | tee -a /etc/ssh/sshd_config > /dev/null
	echo "CyberTaipan Team Mensa" | tee /etc/issue.net > /dev/null
        echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' | tee -a /etc/ssh/sshd_config > /dev/null
	echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' | tee -a /etc/ssh/sshd_config > /dev/null
	echo 'KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256' >> /etc/ssh/sshd_config
	systemctl restart sshd
	systemctl status sshd
	mkdir ../.ssh
	chmod -R 700 ../.ssh
	echo "SSH port has been allowed on the firewall. SSH config file has been configured."
fi
echo "SSH is complete."

clear
if [ $telnetYN == no ]
then
	ufw deny telnet 
	ufw deny rtelnet 
	ufw deny telnets
	apt-get purge telnet -y
	apt-get purge telnetd -y
	apt-get purge inetutils-telnetd -y
	apt-get purge telnetd-ssl -y
	echo "Telnet port has been denied on the firewall and Telnet has been removed."
else
	ufw allow telnet 
	ufw allow rtelnet 
	ufw allow telnets
	apt-get install telnetd -y
	echo "Telnet port has been allowed on the firewall."
fi
echo "Telnet is complete."

clear
if [ $mailYN == no ]
then
	ufw deny smtp 
	ufw deny pop2 
	ufw deny pop3
	ufw deny imap2 
	ufw deny imaps 
	ufw deny pop3s
	systemctl stop postfix
	systemctl disable postfix
	apt purge dovecot exim4 opensmtpd -y
	echo "smtp, pop2, pop3, imap2, imaps, and pop3s ports have been denied on the firewall."
else
	ufw allow smtp 
	ufw allow pop2 
	ufw allow pop3
	ufw allow imap2 
	ufw allow imaps 
	ufw allow pop3s
	apt-get install postfix dovecot -y
	postconf -e disable_vrfy_command=yes
	postconf -e inet_interfaces=loopback-only
	postconf -e mynetworks="127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
	postconf -e smtpd_helo_required=yes
	postconf -e smtp_tls_loglevel=1
	postconf -e smtpd_delay_reject=yes
	postconf -e default_process_limit=100
	postconf -e smtpd_client_connection_count_limit=10
	postconf -e smtpd_client_connection_rate_limit=30
	postconf -e queue_minfree=20971520
	postconf -e header_size_limit=51200
	postconf -e message_size_limit=10485760
	postconf -e smtpd_recipient_limit=100
	echo "smtp, pop2, pop3, imap2, imaps, and pop3s ports have been allowed on the firewall."
fi
echo "Mail is complete."



clear
if [ $printYN == no ]
then
	ufw deny ipp 
	ufw deny printer 
	ufw deny cups
	echo "ipp, printer, and cups ports have been denied on the firewall."
else
	ufw allow ipp 
	ufw allow printer 
	ufw allow cups
	echo "ipp, printer, and cups ports have been allowed on the firewall."
fi
echo "Printing is complete."

clear
if [ $dbYN == no ]
then
	ufw deny ms-sql-s 
	ufw deny ms-sql-m 
	ufw deny mysql 
	ufw deny mysql-proxy
	apt-get purge mysql* -y
	apt-get purge mariadb* -y
	apt-get purge postgresql*
	echo "ms-sql-s, ms-sql-m, mysql, and mysql-proxy ports have been denied on the firewall. MySQL has been removed."
else
	ufw allow ms-sql-s 
	ufw allow ms-sql-m 
	ufw allow mysql 
	ufw allow mysql-proxy
	apt-get install mariadb-server-1* -y
	mysql_secure_installation
	cp /etc/mysql/my.cnf /home/scriptuser/backups/ 

	#Sets group
	echo "[mariadb]" | tee -a /etc/mysql/my.cnf
        
	#Disables LOCAL INFILE
        echo "local-infile=0" | tee -a /etc/mysql/my.cnf

        #Lowers database privileges
        echo "skip-show-database" | tee -a /etc/mysql/my.cnf

        # Disable remote access
        echo "bind-address=127.0.0.1" | tee -a /etc/mysql/my.cnf
        sed -i '/bind-address/ c\bind-address = 127.0.0.1' /etc/mysql/my.cnf

        #Disables symbolic links
        echo "symbolic-links=0" | tee -a /etc/mysql/my.cnf
	echo "secure_file_priv" | tee -a /etc/mysql/my.cnf
	echo "old_passwords=0" | tee -a /etc/mysql/my.cnf
	echo "safe-user-create=1" | tee -a /etc/mysql/my.cnf
	echo "allow-suspicious-udfs" | tee -a /etc/mysql/my.cnf
        #Sets root account password
        echo "[mysqladmin]" | tee -a /etc/mysql/my.cnf
        echo "user = root" | tee -a /etc/mysql/my.cnf
        echo "password = CyberTaipan123!" | tee -a /etc/mysql/my.cnf

        #Sets packet restrictions
        echo "key_buffer_size         = 16M" | tee -a /etc/mysql/my.cnf
        echo "max_allowed_packet      = 16M" | tee -a /etc/mysql/my.cnf
	
	chown -R root:root /etc/mysql/
	chmod 0644 /etc/mysql/my.cnf

	systemctl restart mariadb
	echo "ms-sql-s, ms-sql-m, mysql, and mysql-proxy ports have been allowed on the firewall. MySQL has been installed. MySQL config file has been secured. MySQL systemctl has been restarted."
fi
echo "MySQL is complete."

clear
if [ $httpsYN == no ]
then
	ufw deny https
	ufw deny https
	apt-get purge apache2 nginx -y
	rm -r /var/www/*
	echo "https and https ports have been denied on the firewall. Apache2 has been removed. Web server files have been removed."
else
	apt-get install apache2 -y
	ufw allow https 
	ufw allow http
	ufw allow apache
	apt-get install libapache2-mod-security2 -y
	a2enmod headers
	a2enmod rewrite
	cp /etc/apache2/apache2.conf /home/scriptuser/backups/
	if [ -e /etc/apache2/apache2.conf ]
	then
  	    echo "HostnameLookups Off"              | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "LogLevel warn"                    | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "ServerTokens Prod"                | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "ServerSignature Off"              | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "Options all -Indexes"             | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "Header unset ETag"                | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "Header always unset X-Powered-By" | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "FileETag None"                    | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "TraceEnable off"                  | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "Timeout 60"                       | tee -a /etc/apache2/apache2.conf > /dev/null

	    echo "RewriteEngine On"                         | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo 'RewriteCond %{THE_REQUEST} !HTTP/1\.1$'   | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo 'RewriteRule .* - [F]'                     | tee -a /etc/apache2/apache2.conf > /dev/null

	    echo ''                         | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo '    Header set X-XSS-Protection 1;'               | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo ''                                      | tee -a /etc/apache2/apache2.conf > /dev/null

	    # Secure /
	    echo ""            | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "    Options -Indexes"     | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "    AllowOverride None"   | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "    Order Deny,Allow"     | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "    Options None"         | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "    Deny from all"        | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo ""             | tee -a /etc/apache2/apache2.conf > /dev/null

	    # Secure /var/www/html
	    echo ""    | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo "    Options -Indexes"         | tee -a /etc/apache2/apache2.conf > /dev/null
	    echo ""                 | tee -a /etc/apache2/apache2.conf > /dev/null

	    # security.conf
	    # Enable HTTPOnly and Secure Flags
	    echo 'Header edit Set-Cookie ^(.*)\$ \$1;HttpOnly;Secure'                                   | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo 'ServerTokens Prod'                                                                    | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo 'TraceEnable Off'                                                                      | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    # Clickjacking Attack Protection
	    echo 'Header always append X-Frame-Options SAMEORIGIN'                                      | tee -a /etc/apache2/conf-available/security.conf > /dev/null

	    # XSS Protection
	    echo 'Header set X-XSS-Protection "1; mode=block"'                                          | tee -a /etc/apache2/conf-available/security.conf > /dev/null

	    # Enforce secure connections to the server
	    echo 'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"'    | tee -a /etc/apache2/conf-available/security.conf > /dev/null  

	    # MIME sniffing Protection
	    echo 'Header set X-Content-Type-Options: "nosniff"'                                         | tee -a /etc/apache2/conf-available/security.conf > /dev/null

	    # Prevent Cross-site scripting and injections
	    echo 'Header set Content-Security-Policy "default-src '"'self'"';"'                         | tee -a /etc/apache2/conf-available/security.conf > /dev/null

		# Secure root directory
	    echo ""            | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  Options -Indexes"       | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  AllowOverride None"     | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  Order Deny,Allow"       | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  Deny from all"          | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo ""             | tee -a /etc/apache2/conf-available/security.conf > /dev/null

	    # Secure html directory
	    echo ""        | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  Options -Indexes -Includes"     | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  AllowOverride None"             | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  Order Allow,Deny"               | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo "  Allow from All"                 | tee -a /etc/apache2/conf-available/security.conf > /dev/null
	    echo ""                     | tee -a /etc/apache2/conf-available/security.conf > /dev/null

	    # ssl.conf
	    # TLS only
	    sed -i "s/SSLProtocol.*/SSLProtocol –ALL +TLSv1 +TLSv1.1 +TLSv1.2/" /etc/apache2/mods-available/ssl.conf
	    # Stronger cipher suite
	    sed -i "s/SSLCipherSuite.*/SSLCipherSuite HIGH:\!MEDIUM:\!aNULL:\!MD5:\!RC4/" /etc/apache2/mods-available/ssl.conf
	    
	    echo "LimitExcept GET" >> /etc/apache2/conf-available/hardening.conf

	    chown -R root:root /etc/apache2
	    chown -R root:root /etc/apache 2> /dev/null
	    
	    cat << EOF >> /etc/fail2ban/jail.local
	    [apache]
	    enabled = true
	    port = http,https
	    filter = apache-auth
	    logpath = /var/log/apache2/*error.log
	    maxretry = 4
	    findtime = 500
	    ignoreip = 10x.12x.1xx.xx7
EOF
	    systemctl restart fail2ban
	    echo "Fail2Ban configured for Apache."
	
	    systemctl start apache2
	fi
	echo "https and https ports have been allowed on the firewall. Apache2 config file has been configured. Only root can now access the Apache2 folder."
fi
echo "Web Server is complete."

if [ $phpYN == no ]
then
	apt-get purge *php* -y
	echo "PHP has been purged."
else
	apt-get install php -y
	PHPCONFIG=/etc/php/7.*/apache2/php.ini

        # Disable Global variables
        echo 'register_globals = Off' | tee -a $PHPCONFIG

        # Disable tracking, HTML, and display errors
        sed -i "s/^;\?html_errors.*/html_errors = Off/" $PHPCONFIG
        sed -i "s/^;\?display_errors.*/display_errors = Off/" $PHPCONFIG
        sed -i "s/^;\?expose_php.*/expose_php = Off/" $PHPCONFIG
        sed -i "s/^;\?mail\.add_x_header.*/mail\.add_x_header = Off/" $PHPCONFIG

        # Disable Remote File Includes
        sed -i "s/^;\?allow_url_fopen.*/allow_url_fopen = Off/" $PHPCONFIG

        # Restrict File Uploads
        sed -i "s/^;\?file_uploads.*/file_uploads = Off/" $PHPCONFIG

        # Control POST/Upload size
        sed -i "s/^;\?post_max_size.*/post_max_size = 1K/" $PHPCONFIG
        sed -i "s/^;\?upload_max_filesize.*/upload_max_filesize = 2M/" $PHPCONFIG

        # Protect sessions
        sed -i "s/^;\?session\.cookie_httponly.*/session\.cookie_httponly = 1/" $PHPCONFIG

        # General
        sed -i "s/^;\?session\.use_strict_mode.*/session\.use_strict_mode = On/" $PHPCONFIG
 
        sed -i "s/^;\?disable_functions.*/disable_functions = php_uname, getmyuid, getmypid, passthru,listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo/" $PHPCONFIG
        sed -i "s/^;\?max_execution_time.*/max_execution_time = 30/" $PHPCONFIG
        sed -i "s/^;\?max_input_time.*/max_input_time = 30/" $PHPCONFIG
        sed -i "s/^;\?memory_limit.*/memory_limit = 40M/" $PHPCONFIG
        sed -i "s/^;\?open_basedir.*/open_basedir = \"c:inetpub\"/" $PHPCONFIG
	
	echo "PHP is configured."
fi
echo "PHP is complete."

clear
if [ $dnsYN == no ]
then
	ufw deny domain
	apt-get purge bind9 -y
	echo "domain port has been denied on the firewall. DNS name binding has been removed."
else
	apt-get install bind9 -y
	ufw allow domain
	ufw allow 53
	echo "Domain port has been allowed on the firewall and bind9 installed."
	chsh -s /sbin/nologin bind
	passwd -l bind
	wget https://raw.githubusercontent.com/aydenbottos/ayden-linux-script/master/named.conf.options
	cp named.conf.options /etc/bind/named.conf.options
	systemctl start bind9
	systemctl status bind9
fi
echo "DNS is complete."

clear
if [ $vpnYN == no ]
then
	apt purge *vpn* -y
	echo "All vpn-related packages deleted."
else
	apt install openvpn -y
	echo "OpenVPN server installed."
fi

clear
mv $(pwd)/../Pictures/Wallpapers/CyberTaipan_Background_WIDE.jpg /
find /home -regextype posix-extended -regex '.*\.(midi|mid|mod|mp3|mp2|mpa|abs|mpega|au|snd|wav|aiff|aif|sid|mkv|flac|ogg)$' -delete
clear
echo "All audio files has been listed."

find /home -regextype posix-extended -regex '.*\.(mpeg|mpg|mpe|dl|movie|movi|mv|iff|anim5|anim3|anim7|avi|vfw|avx|fli|flc|mov|qt|spl|swf|dcr|dir|dxr|rpm|rm|smi|ra|ram|rv|wmv|asf|asx|wma|wax|wmv|wmx|3gp|mov|mp4|flv|m4v|xlsx|pptx|docx|csv)$' -delete
find /home -iname "*.txt" >> /home/scriptuser/badfiles.log
clear
echo "All video files have been listed."
	
find /home -regextype posix-extended -regex '.*\.(tiff|tif|rs|iml|gif|jpeg|exe|torrent|pdf|run|bat|jpg|jpe|png|rgb|xwd|xpm|ppm|pbm|pgm|pcx|ico|svg|svgz|pot|xml|pl)$' -delete
mv /CyberTaipan_Background_WIDE.jpg $(pwd)/../Pictures/Wallpapers/CyberTaipan_Background_WIDE.jpg
clear
echo "All image files have been listed."
echo "Media files are complete."

find / -type f -perm /700 >> /home/scriptuser/badfiles.log
echo "All files with perms 700-777 have been logged."

clear
apt install mawk -y
for i in $(mawk -F: '$3 > 999 && $3 < 65534 {print $1}' /etc/passwd); do [ -d /home/${i} ] && chmod -R 750 /home/${i}/; done
chmod -R 700 /root
echo "Home directory permissions set."

clear
for i in $(mawk -F: '$3 > 999 && $3 < 65534 {print $1}' /etc/passwd); do [ -d /home/${i} ] && chown -R ${i}:${i} /home/${i}/; done
chown -R root /root
echo "Home directory owner set."

clear
find / -iname "*.php" -type f >> /home/scriptuser/badfiles.log
echo "All PHP files have been listed. ('/var/cache/dictionaries-common/sqspell.php' is a system PHP file)"

clear
find / -iname "*.sh" -type f >> /home/scriptuser/badfiles.log
echo "All shell scripts have been listed. Note: there are a lot of system ones too."

find / -iname "*.pl" -type f >> /home/scriptuser/badfiles.log

clear
find / -perm -4000 >> /home/scriptuser/badfiles.log

find / -perm -2000 >> /home/scriptuser/badfiles.log
echo "All files with perms 4000 and 2000 have been logged."

clear
find / -nogroup -nouser >> /home/scriptuser/badfiles.log
echo "All files with no owner have been logged."

clear
apt install tree -y
tree >> /home/scriptuser/directorytree.txt
echo "Directory tree saved to file."

clear
apt install acct -y
touch /var/log/wtmp
echo 'ENABLED="true"' > /etc/default/sysstat
systemctl start sysstat
systemctl enable --now sysstat
echo "Enabled process accounting."

clear
apt install -y arpwatch
systemctl enable --now arpwatch
systemctl start arpwatch
echo "Installed ARPWatch."

clear
echo "By accessing this system, you agree that this is for authorised use only, and understand that your activity is monitored meaning that your communications and data are not private." > /etc/issue
echo "By accessing this system, you agree that this is for authorised use only, and understand that your activity is monitored meaning that your communications and data are not private." > /etc/motd
echo "Issue and MOTD set."

clear
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
echo "Disabled CUPS"

# Remediation is applicable only in certain platforms

if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then

# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set
# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there
if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then
    
    sed -i 's/Enable[^(\n)]*/Enable=false/' '/etc/gdm/custom.conf'
elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then
    sed -i '/[[:space:]]*\[xdmcp]/a Enable=false' '/etc/gdm/custom.conf'
else
    if test -d "/etc/gdm"; then
        printf '%s\n' '[xdmcp]' 'Enable=false' >> '/etc/gdm/custom.conf'
    else
        echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
echo "Disabled XDMCP in GDM."

clear
echo -e "[org/gnome/settings-daemon/plugins/media-keys]\nlogout=\'\'" >> /etc/dconf/db/local.d/00-disable-CAD
dconf update
systemctl mask ctrl-alt-del.target
systemctl daemon-reload
echo "Disabled CTRL-ALT-DELETE reboot in Gnome."

getcap -r / 2>/dev/null | tee binarieswithcapabilities.log
echo "Listed all files with kernel capabilities. Refer to GTFOBins to check if any are vulnerable."

clear
lsof -Pnl +M -i > /home/scriptuser/runningProcesses.log
## Removing the default running processes
sed -i '/avahi-dae/ d' /home/scriptuser/runningProcesses.log
sed -i '/cups-brow/ d' /home/scriptuser/runningProcesses.log
sed -i '/dhclient/ d' /home/scriptuser/runningProcesses.log
sed -i '/dnsmasq/ d' /home/scriptuser/runningProcesses.log
sed -i '/cupsd/ d' /home/scriptuser/runningProcesses.log
echo "All running processes listed."

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\brequiretty\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option requiretty
        echo "Defaults requiretty" >> /etc/sudoers
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi
echo "Configured sudo to require a TTY."

clear
echo -e "$pw\n$pw" | passwd
echo "Root password set."

clear
systemctl >> /home/scriptuser/systemctlUnits.log
echo "All systemctl services listed."

apt install nmap -y
nmap -oN nmap.log localhost 
apt purge nmap -y
clear
echo "Logged ports with Nmap then deleted it again."

echo "needs_root_rights = no" >> /etc/X11/Xwrapper.config
echo "Enabled rootless Xorg."

clear
ls /etc/init/ >> /home/scriptuser/initFiles.log

ls /etc/init.d/ >> /home/scriptuser/initFiles.log
echo "Listed all files in the init directory."

clear
echo '' > /etc/securetty
echo "Removed any TTYs listed in /etc/securetty."

clear
logwatch >> logwatch.report
echo "Created a report from all logs using LogWatch."

find / -depth -type d -name '.john' -exec rm -r '{}' \;
ls -al ~/.john/*
clear
echo "John the Ripper files have been removed."

wget https://raw.githubusercontent.com/bcoles/linux-audit/master/linux-audit.sh
chmod a+x linux-audit.sh
./linux-audit.sh
clear
echo "Ran Linux auditing tools."

( chkrootkit -q >> ChkrootkitOutput.txt; echo "Finished ChkRootKit" ) &
disown; sleep 2;
echo "Started ChkRootKit."

clear
cp /etc/login.defs /home/scriptuser/backups/
sed -ie "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\\t30/" /etc/login.defs
sed -ie "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\\t10/" /etc/login.defs
sed -ie "s/PASS_WARN_AGE.*/PASS_WARN_AGE\\t7/" /etc/login.defs
sed -ie "s/FAILLOG_ENAB.*/FAILLOG_ENAB\\tyes/" /etc/login.defs
sed -ie "s/LOG_UNKFAIL_ENAB.*/LOG_UNKFAIL_ENAB\\tyes/" /etc/login.defs
sed -ie "s/LOG_OK_LOGINS.*/LOG_OK_LOGINS\\tyes/" /etc/login.defs
sed -ie "s/SYSLOG_SU_ENAB.*/SYSLOG_SU_ENAB\\tyes/" /etc/login.defs
sed -ie "s/LOGIN_RETRIES.*/LOGIN_RETRIES\\t5/" /etc/login.defs
sed -ie "s/ENCRYPT_METHOD.*/ENCRYPT_METHOD\\tSHA512/" /etc/login.defs
sed -i 's/USERGROUPS_ENAB.*/USERGROUPS_ENAB no/' /etc/login.defs
sed -ie "s/LOGIN_TIMEOUT.*/LOGIN_TIMEOUT\\t60/" /etc/login.defs
sed -i 's/^#.*SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 10000/' /etc/login.defs
sed -i 's/^#.*SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 65536/' /etc/login.defs
sed -i 's/^UMASK.*/UMASK 077/' /etc/login.defs
echo "Login settings set in login.defs"

prelink -ua
apt purge prelink -y
echo "Undid prelinking and purged if it was installed."

echo "umask 027" >> /etc/bash.bashrc
echo "umask 027" >> /etc/profile
echo "Set a very strict umask."


awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd

for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
    # the permission is already defined as expected, therefore not impacting in possible integrity
    # check systems that also check inodes timestamps.
    find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
done
echo "Repaired home directory permissions."

clear
cp /etc/pam.d/common-auth /home/scriptuser/backups/
cp /etc/pam.d/common-password /home/scriptuser/backups/
echo -e "#\n# /etc/pam.d/common-auth - authentication settings common to all systemctls\n#\n# This file is included from other systemctl-specific PAM config files,\n# and should contain a list of the authentication modules that define\n# the central authentication scheme for use on the system\n# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the\n# traditional Unix authentication mechanisms.\n#\n# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.\n# To take advantage of this, it is recommended that you configure any\n# local modules either before or after the default block, and use\n# pam-auth-update to manage selection of other modules.  See\n# pam-auth-update(8) for details.\n\n# here are the per-package modules (the \"Primary\" block)\nauth	[success=1 default=ignore]	pam_unix.so\n# here's the fallback if no module succeeds\nauth	requisite			pam_deny.so\n# prime the stack with a positive return value if there isn't one already; >> /dev/null\n# this avoids us returning an error just because nothing sets a success code\n# since the modules above will each just jump around\nauth	required			pam_permit.so\n# and here are more per-package modules (the \"Additional\" block)\nauth	optional			pam_cap.so \n# end of pam-auth-update config\nauth required pam_tally2.so deny=5 unlock_time=1800 onerr=fail audit even_deny_root_account silent\nauth required pam_faildelay.so delay=4000000" > /etc/pam.d/common-auth
echo -e "#\n# /etc/pam.d/common-password - password-related modules common to all systemctls\n#\n# This file is included from other systemctl-specific PAM config files,\n# and should contain a list of modules that define the systemctls to be\n# used to change user passwords.  The default is pam_unix.\n\n# Explanation of pam_unix options:\n#\n# The \"sha512\" option enables salted SHA512 passwords.  Without this option,\n# the default is Unix crypt.  Prior releases used the option \"md5\".\n#\n# The \"obscure\" option replaces the old \`OBSCURE_CHECKS_ENAB\' option in\n# login.defs.\n#\n# See the pam_unix manpage for other options.\n\n# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.\n# To take advantage of this, it is recommended that you configure any\n# local modules either before or after the default block, and use\n# pam-auth-update to manage selection of other modules.  See\n# pam-auth-update(8) for details.\n\n# here are the per-package modules (the \"Primary\" block)\npassword	[success=1 default=ignore]	pam_unix.so obscure sha512 rounds=6000\n# here's the fallback if no module succeeds\npassword	requisite			pam_deny.so\n# prime the stack with a positive return value if there isn't one already; >> /dev/null\n# this avoids us returning an error just because nothing sets a success code\n# since the modules above will each just jump around\npassword	required			pam_permit.so\npassword requisite pam_cracklib.so retry=3 minlen=14 difok=8 reject_username minclass=4 maxrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1\npassword requisite pam_pwhistory.so use_authtok remember=24 enforce_for_root\n# and here are more per-package modules (the \"Additional\" block)\npassword	optional	pam_gnome_keyring.so \n# end of pam-auth-update config" > /etc/pam.d/common-password
echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
echo "Password policies have been set with and /etc/pam.d."

clear
getent group nopasswdlogin && gpasswd nopasswdlogin -M ''
sed -i 's/sufficient/d' /etc/pam.d/gdm-password
echo "All users now need passwords to login"

clear
iptables -A INPUT -p all -s localhost  -i eth0 -j DROP
echo "All outside packets from internet claiming to be from loopback are denied."

clear
cp /etc/init/control-alt-delete.conf /home/scriptuser/backups/
sed '/^exec/ c\exec false' /etc/init/control-alt-delete.conf
systemctl mask ctrl-alt-del.target
echo "Reboot using Ctrl-Alt-Delete has been disabled."

clear
clamscan --verbose --recursive >> clamav.log
systemctl stop clamav-freshclam
freshclam
systemctl start clamav-freshclam && systemctl start clamav-daemon
systemctl enable clamav-freshclam && systemctl enable clamav-daemon
if ! grep 'session.*pam_apparmor.so order=user,group,default' /etc/pam.d/*; then
  echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
fi
find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-enforce {} \;
systemctl restart apparmor
echo "AppArmor and ClamAV has been installed."

clear
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done >> CronTabs.txt
echo "All crontabs have been listed."

clear
apt install usbguard -y
systemctl start usbguard
echo "USBGuard has been installed."

clear
systemctl enable haveged
systemctl start haveged
echo "/usr/local/sbin/haveged -w 1024" >> /etc/rc.local
echo "Enabled entropy generation daemon."

clear
pushd /etc/
/bin/rm -f cron.deny at.deny
echo root >cron.allow
echo root >at.allow
/bin/chown root:root cron.allow at.allow
/bin/chmod 400 cron.allow at.allow
popd
echo "Only root allowed in cron."

echo "chmod 400 /proc/kallsyms" >> /etc/rc.local
echo "Set permissions for kallsyms."

userdel -f games 2>/dev/null
userdel -f news 2>/dev/null
userdel -f gopher 2>/dev/null
userdel -f tcpdump 2>/dev/null
userdel -f shutdown 2>/dev/null
userdel -f halt 2>/dev/null
userdel -f sync 2>/dev/null
userdel -f ftp 2>/dev/null
userdel -f operator 2>/dev/null
userdel -f lp 2>/dev/null
userdel -f uucp 2>/dev/null
userdel -f irc 2>/dev/null
userdel -f gnats 2>/dev/null
userdel -f pcap 2>/dev/null
userdel -f netdump 2>/dev/null
echo "Disabled unused users."

if command -v gsettings 2>/dev/null 1>&2; then
    gsettings set com.ubuntu.update-notifier show-apport-crashes false
fi

if command -v ubuntu-report 2>/dev/null 1>&2; then
    ubuntu-report -f send no
fi

if [ -f /etc/default/apport ]; then
    sed -i 's/enabled=.*/enabled=0/' /etc/default/apport
    systemctl stop apport.service
    systemctl mask apport.service
fi

if dpkg -l | grep -E '^ii.*popularity-contest' 2>/dev/null 1>&2; then
    $APT purge popularity-contest
fi
systemctl daemon-reload
echo "Disabled polling software."

clear
apt-get update 
apt-get upgrade -y
echo "Ubuntu OS has checked for updates and has been upgraded."

killall firefox
pkexec --user $mainUser sh -c "DISPLAY=:0 firefox --preferences"
echo "Opened Firefox to ensure all settings have been applied."

clear
apt-get autoremove -y 
apt-get autoclean -y 
apt-get clean -y 
echo "All unused packages have been removed."

clear
export $(cat /etc/environment)
echo "PATH reset to normal."

for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do
  if [ $user != "root" ]; then
    usermod -L $user
  if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]; then
    usermod -s /usr/sbin/nologin $user
  fi
  fi
done
echo "Ensured all system users have a nologin shell."

dpkg-reconfigure tzdata
echo "Configured timezone data."

usermod -g 0 root
echo "Set root's group."

clear
sed -i '1i\* hard maxlogins 10' /etc/security/limits.conf
echo "* hard core 0" >> /etc/security/limits.conf
echo "1000: hard cpu 180" >> /etc/security/limits.conf
echo "*	hard nproc 1024" >> /etc/security/limits.conf
echo "System limits set."

systemctl mask debug-shell
echo "Disabled debug shell."

find / -perm -u=s -type f 2>/dev/null | tee suidbinaries.log
echo "Listed SUID binaries"

systemctl unmask tmp.mount
systemctl start tmp.mount
systemctl enable --now tmp.mount
echo "tmp.mount enabled."

echo "proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0" >> /etc/fstab
mkdir -p /etc/systemd/system/systemd-logind.service.d/
echo "Hid processes not created by user in proc."

echo "tmpfs	/run/shm	tmpfs	ro,noexec,nosuid	0 0" >> /etc/fstab
echo "Secured shared memory."

clear
dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1024000
cp -Rpf /tmp /tmpbackup
mount -t tmpfs -o loop,noexec,nosuid,rw /usr/tmpDSK /tmp
chmod 1777 /tmp
cp -Rpf /tmpbackup/* /tmp/
rm -rf /tmpbackup/*
echo "/usr/tmpDSK /tmp tmpfs loop,nosuid,noexec,rw 0 0" >> /etc/fstab
mount -o remount /tmp
mv /var/tmp /var/tmpold
ln -s /tmp /var/tmp
cp -prf /var/tmpold/* /tmp/
echo "Secured tmp filesystem."

clear
apt install rsyslog -y
systemctl enable --now rsyslog
systemctl start rsyslog
echo -e "auth.*,authpriv.* /var/log/secure\ndaemon.* /var/log/messages" >> /etc/rsyslog.d/50-default.conf
systemctl restart rsyslog
echo "Installed rsyslog if it already wasn't installed and configured it."

clear
wget https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
mv audit.rules /etc/audit/audit.rules
echo "-e 2" >> /etc/audit/audit.rules
auditctl -e 1
auditd -s enable
systemctl --now enable auditd
systemctl start auditd
echo -e "max_log_file = 6\naction_mail_acct = root\nadmin_space_left_action = single\nmax_log_file_action = single" >> /etc/audit/auditd.conf
echo "Auditd and audit rules have been set and enabled."

wget http://ftp.us.debian.org/debian/pool/main/s/scap-security-guide/ssg-debderived_0.1.62-2_all.deb
apt install ./ssg-debderived_0.1.62-2_all.deb -y

wget http://ftp.au.debian.org/debian/pool/main/s/scap-security-guide/ssg-debian_0.1.62-2_all.deb
apt install ./ssg-debian_0.1.62-2_all.deb -y

wget https://raw.githubusercontent.com/aydenbottos/ayden-linux-script/master/ssg-ubuntu2004-ds-tailoring.xml

var1=$(lsb_release -is | awk '{print tolower($0)}')
var2=$(lsb_release -r | sed 's/[^0-9]*//g')
code=$var1$var2

oscap xccdf eval --remediate --verbose-log-file run1.log --verbose ERROR --tailoring-file ssg-ubuntu2004-ds-tailoring.xml --profile xccdf_org.teammensa_profile_hardening /usr/share/xml/scap/ssg/content/ssg-$code-ds.xml
oscap xccdf eval --remediate --results results.xml --report cisreport.html --verbose-log-file run2.log --verbose ERROR --tailoring-file ssg-ubuntu2004-ds-tailoring.xml --profile xccdf_org.teammensa_profile_hardening /usr/share/xml/scap/ssg/content/ssg-$code-ds.xml
echo "Ran OpenSCAP for CIS compliance."

apt install build-essential -y
wget https://www.openwall.com/signatures/openwall-offline-signatures.asc
gpg --import openwall-offline-signatures.asc
wget https://lkrg.org/download/lkrg-0.9.5.tar.gz.sign
wget https://lkrg.org/download/lkrg-0.9.5.tar.gz
gpg --verify lkrg-0.9.5.tar.gz.sign lkrg-0.9.5.tar.gz
tar -xf lkrg-0.9.5.tar.gz
pushd lkrg-0.9.5/
make
make install
systemctl start lkrg
systemctl enable lkrg
popd
apt purge build-essential -y
echo "Enabled Linux Kernel Runtime Guard."

echo "" > /etc/security/capability.conf
echo "Removed any capabilities of users."

clear
chmod 000 /usr/bin/as >/dev/null 2>&1
chmod 000 /usr/bin/byacc >/dev/null 2>&1
chmod 000 /usr/bin/yacc >/dev/null 2>&1
chmod 000 /usr/bin/bcc >/dev/null 2>&1
chmod 000 /usr/bin/kgcc >/dev/null 2>&1
chmod 000 /usr/bin/cc >/dev/null 2>&1
chmod 000 /usr/bin/gcc >/dev/null 2>&1
chmod 000 /usr/bin/*c++ >/dev/null 2>&1
chmod 000 /usr/bin/*g++ >/dev/null 2>&1
echo "Disabled compilers."

unhide -f procall sys
echo "Looked for hidden processes."

systemctl disable avahi-daemon
systemctl stop avahi-daemon
echo "Disabled Avahi daemon"

echo 'SUBSYSTEM=="usb", ENV{UDISKS_AUTO}="0"' >> /etc/udev/rules.d/85-no-automount.rules
systemctl disable autofs.service
systemctl restart udev
echo "Disabled automounter."

rfkill block all
echo "Disabled WiFi."

echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf
echo "Disabled usb-storage."

sed -i 's/\/messages/syslog/g' /etc/psad/psad.conf
psad --sig-update
systemctl start psad
echo "PSAD started."

chmod 700 /boot /usr/src /lib/modules /usr/lib/modules
echo "Set kernel file permissions."

apt --autoremove purge $(deborphan) -y
echo "Removed orphaned packages."

clear
apt install ecryptfs-utils -y
echo "Script is complete. Log user out to enable home directory encryption. Once logged out, login to another administrator. Then, access terminal and run sudo ecryptfs-migrate-home -u . After that, follow the prompts."
apt install curl
url=$(curl -F 'sprunge=<-' http://sprunge.us < scriptlog.txt)
wget -O/dev/null --header 'Content-type: application/json' --post-data '{"text":"<'$url'|Linux script results>"}' $(echo aHR0cHM6Ly9ob29rcy5zbGFjay5jb20vc2VydmljZXMvVEg3U0pLNUg5L0IwMko0NENHQkFSL3hHeGFHVXdNdDZmTU5aWkViaDlmbDhOaA== | base64 --decode) > /dev/null 2>&1