quick guide - how to secure

#1 Fri, 02/27/2015 - 03:59
remibruggeman


Hey,

A while ago I was working on a guide and script to automate installing and securing servers on Centos6. Since Centos6 does not cut it anymore for me and Centos7 is not supported, I want to help people who still use Centos6 or want to have a simple guide how to secure their server.

Hint: I use several e-mail addresses in my production. Depending on the content of the automated e-mails I send them to a monitoring mailbox, alarm mailbox, or other. This way, I'm always up-to-date with my systems through mail.

Software to install:
Lynis (a hardening check tool. This tool will tell you where possible security risks are).
NCDU (a handy tool to check how big directories are, comparable with TreeSize for Windows)
RKHunter (Rootkit Hunter checks file integrity and looks for possible rootkits on your system)
LMD (Linux Malware Detect looks for malicious software on your system. Very useful for webservers!)
Fail2Ban (bans brute force attempts for various systems)
tcpdump (a tool like Wireshark, to review network traffic)
csf & lfd (scripts that block and ban intrusions)

Here we go:

Step 1: Install repositories:

mkdir /tmp/epel
cd /tmp/epel
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

rpm -ivh epel-release-6-8.noarch.rpm

Step 2: Install some basic security tools and update the system:

yum update -y
yum install -y fail2ban

vim /etc/fail2ban/jail.local and enter the following:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[ssh-iptables]

enabled  = true
filter   = sshd
# "port" is the port the ban rule is inserted for, so it must be the port sshd
# really listens on. "port=ssh" means 22; once sshd is moved to 6000 (see the SSH
# section below) it has to be port=6000 here, or the bans never touch the real SSH port.
action   = iptables[name=SSH, port=6000, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

Do not forget to alter the destination and the sender.

Start fail2ban automatically:

chkconfig --level 23 fail2ban on
service fail2ban start

You can also add other jails for other systems (mail, apache, ...). To learn more, there's a lot on Google.

Setup rkhunter:

yum install -y rkhunter
rkhunter --update

rkhunter --propupd
vim /etc/cron.daily/rkhunter.sh

Enter the following:

#!/bin/sh
(
rkhunter --versioncheck
rkhunter --update
rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (SERVERNAME)' destinationmail@example.com

Don't forget to set the e-mail address, and change the mode:

chmod 755 /etc/cron.daily/rkhunter.sh

Install NCDU, lynis and tcpdump

yum install -y ncdu lynis tcpdump

Install LMD:

mkdir /tmp/lmd
cd /tmp/lmd
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh
vim /usr/local/maldetect/conf.maldet
 
Enable e-mail alerts (email_alert, and set email_addr to your alarm mailbox)
Enable quar_hits

You can change some rules in this document to search deeper and harder, but watch out not to set this too strong. It has a tendency to detect Virtualmin files as malicious (backup scripts).

Add a user for yourself:

useradd username
passwd username
visudo   # edits /etc/sudoers and checks the syntax before saving; a typo in this file locks everyone out of sudo

Somewhere in the sudoers file, you will find the following root user defined:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

Add under it a line like:

username    ALL=(ALL)       ALL

Configure SSH:

vim /etc/ssh/sshd_config

Change or add the following:

Protocol 2
Port 6000
LoginGraceTime 30
MaxAuthTries 3
PermitRootLogin no
AllowUsers username

Restart sshd:

service sshd restart

At this point you should change your root password to a LONG string and save it somewhere in your password safe. In normal circumstances you will not need it anymore. You will from now on login with your username. If you need to access as root, you can use the command "sudo su" followed by your username's password.

Logout completely and login again over ssh. Mind the port you set to 6000. After logging in, change user to root: sudo su

Let's set up some iptables:

vim ~/firewall.sh

Enter the following rules. Please read the comments to see if you need the rule.

#!/bin/bash
service iptables start
iptables -P INPUT ACCEPT #reset the policy before flushing, so a re-run of this script never leaves an empty INPUT chain with policy DROP while the rules are being re-added
iptables -F
iptables -A INPUT -i lo -j ACCEPT #Accept the loopback interface
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #accept all connections that are already established or related (this is what keeps your current SSH session alive)
iptables -A INPUT -p tcp --dport 6000 -j ACCEPT #SSH. Must match the Port in sshd_config; if this port is closed, no ssh is possible.
iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT #Home. Set your home IP in here if it's a fixed IP. This will allow you to always connect to your server.
iptables -A INPUT -p icmp --icmp-type 8 -s xx.xx.xx.xx -j ACCEPT #Ping is by default not allowed. If your datacenter (like ovh) forces you to open the port for monitoring reasons, you can allow it here.
iptables -A INPUT -p tcp --dport 10055 -j ACCEPT #zabbix agent (monitoring server)
iptables -A INPUT -p tcp --dport 10051 -j ACCEPT #zabbix agent (monitoring server)
iptables -A INPUT -p tcp --dport 10050 -j ACCEPT #zabbix agent (monitoring server)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #https
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #http
iptables -A INPUT -p udp --dport 161 -j ACCEPT #snmp (SNMP polls are UDP, not TCP)
iptables -A INPUT -p tcp --dport 995 -j ACCEPT #POP3 SSL
iptables -A INPUT -p tcp --dport 30050 -j ACCEPT #virtualmin (I change the default virtualmin port to something not so default to avoid brute force.)
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT #webmin (default port 10000)
iptables -A INPUT -p tcp --dport 20000 -j ACCEPT #usermin (default port 20000)
iptables -A INPUT -p tcp --dport 465 -j ACCEPT #SMTP SSL
iptables -P INPUT DROP #all other ports will be dropped.
iptables -P FORWARD DROP # we do not allow forwarding
iptables -P OUTPUT ACCEPT # we allow all outgoing connections. You can tighten this.
/sbin/service iptables save #this line will save the iptables
iptables -L -v #this line will show the iptables after saving

The iptables will work for all new connections, so it will not drop your SSH if you made a mistake. Change rights and run:

chmod 755 ~/firewall.sh
~/firewall.sh

At this point you should check if your ssh connection will still work for new connections. DO NOT CLOSE your current session, but open up a new one and try to connect to the server. If you get a connection refused, you did something wrong in the IP tables. The "iptables -F" command will remove all current iptables.

Hardening

vim /etc/sysconfig/init
change: SINGLE=/sbin/sulogin
vim /etc/inittab
add: ~:S:wait:/sbin/sulogin
vim /etc/named.conf
    Set version to “none” in options

Install logwatch

yum install -y logwatch

vim /usr/share/logwatch/default.conf/logwatch.conf

 
change:
•   MailTo = yourlog@mail.com
•   MailFrom = logwatch@SERVER.domain.com
•   Detail = Med
•   Service = "-*" lines (remove the entries that disable services)

Final approach: run Lynis:

lynis --check-all -Q

To check:

grep Warning /var/log/lynis.log
grep Suggestion /var/log/lynis.log

Update the rkhunter database of current files on the system, run rkhunter and let maldet scan your system (this will take a while)

rkhunter --propupd
rkhunter -c
maldet --scan-all /

A final step: CSF and LFD http://configserver.com/cp/csf.html Install the script. There is a GUI in webmin available for this.

In case of problems, to check recently changed files:

find /var/www/ -type f -exec stat --format '%Y :%y %n' {} \; | sort -nr | cut -d: -f2- | head -100

After all this, you can start to install virtualmin on a secure server. I hope this small guide will help some people establish safer servers.
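
A check for the sshd and fail2ban settings the post above asks for, added here as an example; it is not part of the original guide. It reads whatever config files it is given, and the sample files it builds (GOOD_SSHD, STOCK_SSHD, GOOD_JAIL, STOCK_JAIL, the user name "admin") are constructed by me so the check runs without touching the system. The point it makes: "port=ssh" in the jail only bans port 22, so after moving sshd to 6000 the jail must say port=6000.

```shell
#!/bin/sh
# Added example, not from the original post: verifies the sshd_config and
# fail2ban settings the guide asks for. Run against the real files as:
#   check_sshd_config /etc/ssh/sshd_config
#   fail2ban_port_matches_sshd /etc/ssh/sshd_config /etc/fail2ban/jail.local

# First effective (non-comment) value of a sshd_config keyword; keywords are case-insensitive.
sshd_value() {            # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Port the [ssh-iptables] jail bans: the "port=" inside its iptables[...] action.
jail_ban_port() {         # $1 = jail.local path
    awk '/^\[/ { insec = ($0 == "[ssh-iptables]") }
         insec && /iptables\[/ { sub(/.*port=/, ""); sub(/[],].*/, ""); print; exit }' "$1"
}

# 0 when the jail bans the port sshd listens on, 1 otherwise.
# "port=ssh" means 22, so it is only right while sshd is still on 22.
fail2ban_port_matches_sshd() {   # $1 = sshd_config, $2 = jail.local
    sshport=$(sshd_value "$1" Port)
    if [ -z "$sshport" ]; then sshport=22; fi
    banport=$(jail_ban_port "$2")
    if [ "$banport" = "ssh" ]; then banport=22; fi
    [ "$banport" = "$sshport" ]
}

# Prints one FAIL line per deviation from the guide's settings; returns the number of deviations.
check_sshd_config() {     # $1 = sshd_config path
    fails=0
    for want in "Protocol 2" "PermitRootLogin no" "MaxAuthTries 3" "LoginGraceTime 30"; do
        key=${want% *}; val=${want#* }
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$val'"
            fails=$((fails + 1))
        fi
    done
    if [ -z "$(sshd_value "$1" AllowUsers)" ]; then
        echo "FAIL: AllowUsers not set"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed samples: a config hardened as in the guide, and a stock one.
GOOD_SSHD=$(mktemp); STOCK_SSHD=$(mktemp); GOOD_JAIL=$(mktemp); STOCK_JAIL=$(mktemp)
printf '%s\n' 'Protocol 2' 'Port 6000' 'LoginGraceTime 30' 'MaxAuthTries 3' \
              'PermitRootLogin no' 'AllowUsers admin' > "$GOOD_SSHD"
printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'MaxAuthTries 6' 'Protocol 2' > "$STOCK_SSHD"
printf '%s\n' '[DEFAULT]' 'ignoreip = 127.0.0.1' '[ssh-iptables]' 'enabled = true' \
              'action = iptables[name=SSH, port=6000, protocol=tcp]' > "$GOOD_JAIL"
printf '%s\n' '[ssh-iptables]' 'enabled = true' \
              'action = iptables[name=SSH, port=ssh, protocol=tcp]' > "$STOCK_JAIL"

check_sshd_config "$STOCK_SSHD" || echo "stock sshd_config: $? deviation(s)"
if fail2ban_port_matches_sshd "$GOOD_SSHD" "$STOCK_JAIL"; then
    echo "fail2ban bans the SSH port"
else
    echo "WARN: sshd listens on $(sshd_value "$GOOD_SSHD" Port) but the jail bans port $(jail_ban_port "$STOCK_JAIL")"
fi
```

The jail parser only looks inside the [ssh-iptables] section, so a port= in another jail's action does not mask a wrong one here.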

Fri, 02/27/2015 - 04:07
remibruggeman

As a follow-up, here is the script I made.

IT IS NOT COMPLETE, IT DOES NOT work as it should. This is only for interested people looking to fix it, improve it and know what they are doing.

#!/bin/bash
# automatic attended install script
#Colours
############
#ToDo
############
#make variables for to download files
#add ossec agent
#add ossec server
#add zabbix server
#add config for fail2ban
#add logfile
#complete virtualmin change port && restart services
#mail to admin upon file completion
# issue in   if [ ${AddServerIPPort[$iserver]} != $Nullport ]
############
#Functions
############
# Check IP function (Thanks to Mitch Frazier)
function valid_ip()
{
    local  ip=$1
    local  stat=1
 
    if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        OIFS=$IFS
        IFS='.'
        ip=($ip)
        IFS=$OIFS
        [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
            && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
        stat=$?
    fi
    return $stat
}
 
 
Blue='\e[0;34m'
Red='\e[0;31m'
Green='\e[0;32m'
RedBold='\e[1;31m'      # attribute 1 = bold; 0 was plain red
GreenBold='\e[1;32m'
LightGrey='\e[0;37m'
Purple='\e[0;35m'
Brown='\e[0;33m'
NoColour='\e[0m'
Yes=y
if [ $(whoami) != 'root' ]; then
        echo "Must be root to run"
        exit 1;
fi
echo -e "------------------------------"
echo -e "-----${Purple}New Server Install${NoColour}-------"
echo -e "------------------------------"
echo -e "Please note the following:"
echo -e "There is no check if this system is running CentOS 6.5. \nIf it is not running CentOS 6.5 this install will not work."
echo -e "\n${RedBold}Internet connectivity${NoColour} is required to run this script. \nIf you are behind a proxy or need to alter connectivity settings in order to connect to the internet \npress CTRL + C now to abort and set this first. \nIf you are not sure if you have internet press CTRL + C all the same and first do a ping."
echo -e "${RedBold}No information is being collected or sent.${NoColour}"
echo -e "${Green}press enter to continue${NoColour}"
read empty
echo -e "${Green}first a check for basic tools${NoColour}"
yum install -y wget vim
#############
#ask for basic info
#############
#Initiating vars
TopDomain=""
ServerName=""
ServerIpv4=""
ServerIpv6=""
AdminMail=""
ZabAg=""
VirtMin=""
while [ -z "$TopDomain" ];
do
    echo -e "${Purple}Top Level Domain Name${NoColour}"
        read TopDomain
done
while [ -z "$ServerName" ];
do
    echo -e "Server ${Purple}Name${NoColour}"
        read ServerName
done
iploop=""
        while [[ ! "$iploop" =~ ^(n)$ ]];
        do
                echo -e "Server ${Purple}IP v4${NoColour}"
                        read ipvalue
                echo "$ipvalue"
                if valid_ip $ipvalue;
                then
                        echo -e "IP is correct"
                        ServerIpv4="$ipvalue"
                        iploop="n"
                else
                        echo -e "ip is wrong"
                fi
        done
iploop=""
 
echo -e "Server ${Purple}IP v6 (leave blank if not available)${NoColour}"
        read ServerIpv6
while [ -z "$AdminMail" ];
do
    echo -e "Administrator (working) ${Purple}Email Address ${NoColour}(for logs, warnings, errors, ...)"
        read AdminMail
done
while [[ ! "$VirtMin" =~ ^(y|n|Y|N)$ ]];
do
    echo -e "Install ${Purple}Virtualmin? ${NoColour}(y/n)"
        read VirtMin
done
while [[ ! "$ZabAg" =~ ^(y|n|Y|N)$ ]];
do
    echo -e "Install ${Purple}Zabbix Agent${NoColour} (Monitoring. Zabbix server required) (y/n)"
        read ZabAg
done
echo -e "${Purple}Top Level Domain is $TopDomain"
echo -e "Server Name is $ServerName"
echo -e "IP v4 is $ServerIpv4"
echo -e "Server IP v6 is $ServerIpv6"
echo -e "Admin Email is $AdminMail"
echo -e "Installing Virtualmin: $VirtMin"
echo -e "Installing Zabbix Agent: $ZabAg ${NoColour}"
echo -e "Press enter if OK, CTRL + C if not"
    read empty
 
#############
#ask for services, ports and protocols
#############
echo -e "${Purple}Which services will run? ${NoColour}"
echo -e "reminder: ssh (default 22), http (default 80), https (default 443), smtp (default 587, 465, 25), pop (default 110, 995), zabbix (default 10050), snmp (default 161), webmin and virtualmin (default 10000), usermin (default 20000), dns (default 53, tcp and udp), whois (default 43), NTP (default 123)"
echo -e "\n SSH: this port information will be written in the config files of the services if you write the services in lower case, according to the service name (do not include the D for daemon)"
echo -e "${Green}These ports will also be written in the firewall file made in /home/newuser/firewall.sh ${NoColour}"
echo -e "the firewall file executes iptables."
echo -e "if you make a mistake here, see the firewall file and the service config file"
#   Begin services
declare -a ServicesList
declare -a ServicesPortList
declare -a ServicesProtList
i="0"
doloop=""
while [[ ! "$doloop" =~ ^(y|n|Y|N)$ ]];
        do
            echo -e "${Purple}Add Service?${NoColour} (y/n)"
                read doloop
done
if [ "$doloop" = "$Yes" ];
then
 
    while [ "$doloop" = "$Yes" ]
    do
        while [[ -z "${ServicesList[$i]}" ]];
        do
                echo -e "${Purple}Name of Service${NoColour}"
                        read ServicesList[$i]
        done
        while [[ ! "${ServicesPortList[$i]}" =~ ^[0-9]+$ ]];
        do
                echo -e "${Purple}Port of Service${NoColour}"
                        read ServicesPortList[$i]
        done
        while [[ ! "${ServicesProtList[$i]}" =~ ^(tcp|udp)$ ]];
        do
                echo -e "${Purple}Protocol of Service ${NoColour}(tcp or udp) (lower case)"
                        read ServicesProtList[$i]
        done
        i=$(( $i + 1 ))
        doloop=""
        while [[ ! "$doloop" =~ ^(y|n|Y|N)$ ]];
        do
            echo -e "${Purple}Add another Service?${NoColour} (y/n)"
            read doloop
        done
    done
 
else
    echo -e "${Red}no services will be added${NoColour}"
    #######MAKE SSH DEFAULT => for config file of ssh => make if array contains ssh
fi
 
 
#############
#ask for accept all from certain IP's
#############
doloop=""
echo -e "${Green}specific firewall ports open?${NoColour}"
while [[ ! "$doloop" =~ ^(y|n|Y|N)$ ]];
        do
        echo -e "${Purple}Add a server? ${NoColour}(y/n)"
            read doloop
done
iServer="0"
declare -a AddServerIP
declare -a AddServerIPDescr   # same name as the array the prompt below reads into
declare -a AddServerIPPort
declare -a AddServerIPProt
 
if [[ ! "$doloop" =~ ^(n|N)$ ]];
then
    while [[ ! "$doloop" =~ ^(n|N)$ ]]
    do
        while [[ -z "${AddServerIPDescr[$iServer]}" ]];
        do
                echo -e "${Purple}Give Server description${NoColour}"
                read AddServerIPDescr[$iServer]
        done
iploop=""
        while [[ ! "$iploop" =~ ^(n)$ ]];
        do
                echo -e "${Purple}Give Server IP ${NoColour}(ipv4)"
                        read ipvalue
                echo "$ipvalue"
                if valid_ip $ipvalue;
                then
                        echo -e "${Green}IP is correct${NoColour}"
                        AddServerIP[$iServer]="$ipvalue"
                        echo -e "written to array=: $ipvalue "
                        iploop="n"
                else
                        echo -e "${Red}ip is wrong${NoColour}"
                fi
        done
iploop=""
 
        while [[ ! "${AddServerIPPort[$iServer]}" =~ ^[0-9]+$ ]];
        do
                echo -e "${Purple}Specific port ${NoColour}(enter 0 to open all ports)"
                read AddServerIPPort[$iServer]
        done
        if [ "${AddServerIPPort[$iServer]}" != "0" ];
        then
                while [[ ! "${AddServerIPProt[$iServer]}" =~ ^(tcp|udp)$ ]];
                do
                        echo -e "${Purple}specific protocol${NoColour} (tcp or udp)"
                        read AddServerIPProt[$iServer]
                done
        fi
        iServer=$(( $iServer + 1 ))
        doloop=""
        while [[ ! "$doloop" =~ ^(y|n|Y|N)$ ]];
        do
                echo -e "${Purple}Add another Server?${NoColour} (y/n)"
                read doloop
        done
    done
fi
 
 
#############
#setup users and root
#############
echo -e "${Red}change root password${NoColour}"
passwd root
NewUser=""
while [ -z "$NewUser" ];
do
    echo -e "${Purple}New User${NoColour} "
        read NewUser
done
useradd "$NewUser"
passwd "$NewUser"
# Grant sudo through a drop-in file instead of editing /etc/sudoers with sed:
# the stock CentOS 6 sudoers has "#includedir /etc/sudoers.d", and visudo -c
# checks the syntax before sudo ever reads the file.
echo "$NewUser    ALL=(ALL)       ALL" > "/etc/sudoers.d/$NewUser"
chmod 440 "/etc/sudoers.d/$NewUser"
#check if executed:
if visudo -cf "/etc/sudoers.d/$NewUser" >/dev/null && grep -q "^$NewUser " "/etc/sudoers.d/$NewUser"; then
   echo -e "New User added to sudo"
else
    echo -e "${Red}something went wrong. user was not added to sudoers file. Please abort.${NoColour}"
    exit 1;
fi
 
 
#############
#Get Home IP
#############
echo -e "${Green}local (home) IP ${NoColour}"
echo -e "Adding a home IP to your security ensures you cannot lock yourself out of your server"
iploop=""
        while [[ ! "$iploop" =~ ^(n)$ ]];
        do
                echo -e "${Purple}Give home IP ${NoColour}(ipv4)"
                        read ipvalue
                echo "$ipvalue"
                if valid_ip $ipvalue;
                then
                        echo -e "${Green}IP is correct${NoColour}"
                        LocalHomeIp="$ipvalue"
                        iploop="n"
                else
                        echo -e "${Red}ip is wrong${NoColour}"
                fi
        done
iploop=""
#############
#set hostname
#############
echo -e "${Green} Changing Hostnames ${NoColour}"
hostname "$ServerName.$TopDomain"
# double quotes so the variables expand; ".*" so the whole old value is replaced
sed -i "s/^HOSTNAME=.*/HOSTNAME=$ServerName.$TopDomain/" /etc/sysconfig/network
echo "$ServerIpv4    $ServerName.$TopDomain  $ServerName" >> /etc/hosts
if [ -n "$ServerIpv6" ]; then
    echo "$ServerIpv6    $ServerName.$TopDomain  $ServerName" >> /etc/hosts
fi
 
 
#############
#Install EPEL
#############
echo -e "${Green}Installing EPEL...${NoColour}"
EpelRpm="http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm"
mkdir -p /tmp/epel
cd /tmp/epel
wget "$EpelRpm"
if [ ! -f /tmp/epel/epel-release-6-8.noarch.rpm ];
then
    echo "File not found! Attempt download again. To cancel, press ctrl+c"
    wget "$EpelRpm"
fi
# checked again after the retry, so a successful second download is installed too
if [ ! -f /tmp/epel/epel-release-6-8.noarch.rpm ];
then
    echo "File not found! cannot continue without EPEL. Aborting."
    exit 1;
fi
rpm -ivh epel-release-6-8.noarch.rpm
cd /
rm -fr /tmp/epel
 
#############
#Update all packages
#############
echo -e "${Green}Updating Packages...${NoColour}"
yum update -y
 
#############
#Install Fail2Ban
#############
echo -e "${Green}Installing Fail2Ban...${NoColour}"
yum install -y fail2ban
# Local settings go in jail.local (jail.conf is overwritten on package updates).
# The ban rule must target the port sshd really listens on: "port=ssh" only
# blocks 22, so the port entered for "ssh" in the services list is used here.
SshPort=22
for (( idx=0; idx<i; idx++ ))
do
    if [ "${ServicesList[$idx]}" = "ssh" ]; then SshPort="${ServicesPortList[$idx]}"; fi
done
cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1 ${LocalHomeIp}
bantime  = 3600
findtime = 600
maxretry = 5

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=${SshPort}, protocol=tcp]
           sendmail-whois[name=SSH, dest=${AdminMail}, sender=fail2ban@${ServerName}.${TopDomain}]
logpath  = /var/log/secure
EOF
 
 
#############
#Install RKHUNTER
#############
echo -e "${Green}Installing RKHUNTER...${NoColour}"
yum install -y rkhunter
 
# A heredoc keeps "#!/bin/sh" on the first line (the old echo "..." put a blank
# line in front of it); $ServerName and $AdminMail are expanded when written.
cat > /etc/cron.daily/rkhunter.sh <<EOF
#!/bin/sh
(
rkhunter --versioncheck
rkhunter --update
rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run ($ServerName)' $AdminMail
EOF
chmod 755 /etc/cron.daily/rkhunter.sh
 
#############
#Install NCDU
#############
echo -e "${Green}Installing NCDU...${NoColour}"
yum install -y ncdu
 
 
#############
#Install LMD
#############
echo -e "${Green}Installing LMD...${NoColour}"
mkdir -p /tmp/lmd
cd /tmp/lmd
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
if [ ! -f /tmp/lmd/maldetect-current.tar.gz ];
then
    echo "File not found! Attempt download again. To cancel, press ctrl+c"
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
fi
if [ ! -f /tmp/lmd/maldetect-current.tar.gz ];
then
    echo "File not found! continuing without Linux Malware Detect. To install later, please visit http://www.rfxn.com/downloads/maldetect-current.tar.gz"
else
    tar xfz maldetect-current.tar.gz
    cd maldetect-*
    ./install.sh
    cd /
    rm -fr /tmp/lmd
    # conf.maldet keys: email_alert, email_addr, quar_hits (older releases write the
    # values without quotes, newer ones with). The address is the one asked for above,
    # not a hard-coded mailbox.
    sed -i 's/^email_alert="\?0"\?/email_alert="1"/' /usr/local/maldetect/conf.maldet
    sed -i "s/^email_addr=.*/email_addr=\"$AdminMail\"/" /usr/local/maldetect/conf.maldet
    sed -i 's/^quar_hits="\?0"\?/quar_hits="1"/' /usr/local/maldetect/conf.maldet
fi
 
#############
#SSH
#############
echo -e "${Green}Configuring SSHD...${NoColour}"
# Find the port entered for "ssh" in the services list (22 if it was not listed).
SshPort=22
for (( idx=0; idx<i; idx++ ))
do
    if [ "${ServicesList[$idx]}" = "ssh" ] ; then
        SshPort="${ServicesPortList[$idx]}"
        echo -e "${Green}The SSH port number is stored in entry $idx and is port $SshPort ${NoColour}"
    fi
done
# Double quotes so the variables expand; "^#\?" matches both the commented
# defaults of the stock CentOS 6 sshd_config and already-set values.
sed -i "s/^#\?Port .*/Port $SshPort/" /etc/ssh/sshd_config
sed -i 's/^#\?LoginGraceTime .*/LoginGraceTime 30/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?MaxAuthTries .*/MaxAuthTries 5/' /etc/ssh/sshd_config
grep -q '^Protocol 2' /etc/ssh/sshd_config || echo 'Protocol 2' >> /etc/ssh/sshd_config
# AllowUsers does not exist in the stock file, so append it instead of a sed "a" command.
echo "AllowUsers $NewUser" >> /etc/ssh/sshd_config
# Test the config before restarting; the session this script runs in survives the restart.
if /usr/sbin/sshd -t; then
    service sshd restart
    echo -e "${Green}sshd config file changed and sshd restarted.${NoColour}"
else
    echo -e "${Red}sshd_config is invalid, sshd NOT restarted. Fix /etc/ssh/sshd_config before logging out.${NoColour}"
fi
 
#############
#firewall
#############
echo -e "${Green}Creating IPTables Firewall...${NoColour}"
Fw="/home/$NewUser/firewall.sh"
# Every rule is written as one complete line; the old version split lines across
# several echo/printf calls, some of which went to stdout instead of the file.
{
    echo '#!/bin/bash'
    echo 'service iptables start'
    # Reset the policy before flushing so a re-run never leaves an empty INPUT chain with policy DROP.
    echo 'iptables -P INPUT ACCEPT'
    echo 'iptables -F'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for (( i2=0; i2<i; i2++ ))
    do
        echo "iptables -A INPUT -p ${ServicesProtList[$i2]} --dport ${ServicesPortList[$i2]} -j ACCEPT # ${ServicesList[$i2]}"
    done
    if [ -n "$LocalHomeIp" ]; then
        echo "iptables -A INPUT -s $LocalHomeIp -j ACCEPT # Home"
    fi
    for (( iServer2=0; iServer2<iServer; iServer2++ ))
    do
        if [ "${AddServerIPPort[$iServer2]}" = "0" ]; then
            echo "iptables -A INPUT -s ${AddServerIP[$iServer2]} -j ACCEPT # ${AddServerIPDescr[$iServer2]}"
        else
            echo "iptables -A INPUT -s ${AddServerIP[$iServer2]} -p ${AddServerIPProt[$iServer2]} --dport ${AddServerIPPort[$iServer2]} -j ACCEPT # ${AddServerIPDescr[$iServer2]}"
        fi
    done
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'
    echo '/sbin/service iptables save'
    echo 'iptables -L -v'
} > "$Fw"
chmod 755 "$Fw"
chown "$NewUser:$NewUser" "$Fw"
"$Fw"
 
#############
#Disable Single User Mode
#############
echo -e "${Green}Disabling Single User Mode...${NoColour}"
# On CentOS 6 this is the setting that counts: upstart's /etc/init/rcS-sulogin.conf runs $SINGLE from /etc/sysconfig/init.
sed -i 's/^SINGLE=.*/SINGLE=\/sbin\/sulogin/' /etc/sysconfig/init
# The inittab line is the traditional sysvinit form. Edit in place (a mv from /tmp would
# also replace the file's SELinux label) and do not add the line twice on a re-run.
grep -q ':S:wait:/sbin/sulogin' /etc/inittab || sed -i '1i su:S:wait:/sbin/sulogin' /etc/inittab
 
 
#############
#Install LYNIS
#############
echo -e "${Green}Installing LYNIS...${NoColour}"
mkdir -p /tmp/lynis
cd /tmp/lynis
wget http://cisofy.com/files/lynis-1.5.2.tar.gz
if [ ! -f /tmp/lynis/lynis-1.5.2.tar.gz ];
then
    echo "File not found! Attempt download again. To cancel, press ctrl+c"
    wget http://cisofy.com/files/lynis-1.5.2.tar.gz
fi
if [ ! -f /tmp/lynis/lynis-1.5.2.tar.gz ];
then
    echo "File not found! continuing without LYNIS. To install later, please visit http://cisofy.com/files/"
else
    tar xzf lynis-*.tar.gz -C /opt
    cd /
    rm -fr /tmp/lynis
fi
 
#############
#INSTALL LOGWATCH And TCPDUMP
#############
echo -e "${Green}Installing LOGWATCH and TCPDUMP...${NoColour}"
yum install -y logwatch tcpdump
# Double quotes so $AdminMail expands; ".*" replaces the whole old value. The
# Detail line was missing its closing "/", which is what produced
# "sed: -e expression #1, char 23: unterminated `s' command".
LwConf=/usr/share/logwatch/default.conf/logwatch.conf
sed -i "s/^MailTo = .*/MailTo = $AdminMail/" "$LwConf"
sed -i "s/^MailFrom = .*/MailFrom = Logwatch@$ServerName.$TopDomain/" "$LwConf"
sed -i 's/^Detail = .*/Detail = Med/' "$LwConf"
sed -i 's/^Service = "-zz-network"/#Service = "-zz-network"/' "$LwConf"
sed -i 's/^Service = "-zz-sys"/#Service = "-zz-sys"/' "$LwConf"
sed -i 's/^Service = "-eximstats"/#Service = "-eximstats"/' "$LwConf"
 
#############
#INSTALL Virtualmin
#############
echo -e "${Green}Installing VirtualMin${NoColour}"
if [[ ! "$VirtMin" =~ ^(n|N)$  ]];
    then
        mkdir -p /tmp/virtmin
        cd /tmp/virtmin
        wget http://software.virtualmin.com/gpl/scripts/install.sh
        if [ ! -f /tmp/virtmin/install.sh ];
            then
                echo "File not found! Attempt download again. To cancel, press ctrl+c"
                wget http://software.virtualmin.com/gpl/scripts/install.sh
        fi
        if [ ! -f /tmp/virtmin/install.sh ];
            then
                echo "File not found! continuing without VIRTUALMIN. To install later, please visit virtualmin.com"
        else
            chmod 700 /tmp/virtmin/install.sh   # run by root only; 777 is never needed
            /tmp/virtmin/install.sh
            cd /
            rm -fr /tmp/virtmin
            VirtMinCh=""
            while [[ ! "$VirtMinCh" =~ ^(y|n|Y|N)$ ]];
            do
                echo -e "change the Virtualmin port? (y/n)"
                read VirtMinCh
            done
            if [[ "$VirtMinCh" =~ ^(y|Y)$ ]];
            then
                VirtMinPort=""
                while [[ ! "$VirtMinPort"  =~ ^[0-9]+$ ]];
                do
                    echo -e "New Virtualmin port number"
                    read VirtMinPort
                done
                # "port" is the TCP port Webmin/Virtualmin listens on; "listen" (default 10000)
                # is the UDP port of the "search for Webmins" broadcast. Usermin has its own
                # /etc/usermin/miniserv.conf with the same "port" entry.
                sed -i "s/^port=.*/port=$VirtMinPort/" /etc/webmin/miniserv.conf
                sed -i "s/^listen=.*/listen=$VirtMinPort/" /etc/webmin/miniserv.conf
                service webmin restart
            fi
        fi
fi
############ If installed virtualmin => set versions to empty
 
 
 
 
#############
#INSTALL ZABBIX Agent
#############
echo -e "${Green}Installing Zabbix Agent ${NoColour}"
# Download one file into /tmp/zabbix, retrying once; returns 1 if it is still missing.
fetch_once() {
    wget "$1"
    if [ ! -f "/tmp/zabbix/${1##*/}" ]; then
        echo "File not found! Attempt download again. To cancel, press ctrl+c"
        wget "$1"
    fi
    [ -f "/tmp/zabbix/${1##*/}" ]
}
if [[ ! "$ZabAg" =~ ^(n|N)$  ]];
    then
        echo -e "preparing packages for installing zabbix 2.2.5 agent"
        mkdir -p /tmp/zabbix
        cd /tmp/zabbix
        ZabBase="http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64"
        ZabOk=1
        # One loop replaces the three nested download/retry blocks, which on a
        # successful retry never went on to the next package.
        for ZabRpm in zabbix-2.2.5-1.el6.x86_64.rpm zabbix-agent-2.2.5-1.el6.x86_64.rpm zabbix-get-2.2.5-1.el6.x86_64.rpm
        do
            if ! fetch_once "$ZabBase/$ZabRpm"; then
                echo "File not found! cannot continue without $ZabRpm. Skipping Zabbix Agent."
                ZabOk=0
                break
            fi
        done
        if [ "$ZabOk" = "1" ]; then
            echo -e "files successfully downloaded"
            echo -e "installing rpms"
            rpm -ivh zabbix-2.2.5-1.el6.x86_64.rpm zabbix-agent-2.2.5-1.el6.x86_64.rpm zabbix-get-2.2.5-1.el6.x86_64.rpm
            chkconfig zabbix-agent on
            service zabbix-agent start
        fi
        cd /
        rm -fr /tmp/zabbix
    else
    echo -e "${Red}skipping Zabbix Agent Install${NoColour}"
fi

#############
#Enable fail2ban and run the final security check
#(these lines used to sit after "exit" and never ran)
#############
chkconfig --level 23 fail2ban on
service fail2ban start
rkhunter --update
rkhunter --propupd
/opt/lynis-*/lynis --check-all -Q
echo -e "${Green}finish${NoColour}"
exit 0
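
An alternative to the generated firewall.sh, added here as an example and not code from the script above: the rules are emitted in iptables-restore format, which loads the whole table atomically and can be syntax-checked before it touches the kernel, and the apply step arms a timed rollback against the lockout the guide warns about. The name:port:proto spec format, the file names under /root, the example IP 192.0.2.10 and the function names are assumptions of mine; "state" and "comment" are standard iptables match modules (both present on CentOS 6), and iptables-restore --test is assumed available.

```shell
#!/bin/sh
# Added example, not part of the script above: build the firewall as one
# iptables-restore ruleset instead of a sequence of "iptables -A" calls.
# iptables-restore swaps the table in atomically, so there is no moment where
# INPUT is already DROP while the ACCEPT rules are still being added, and a
# failed change can be rolled back as one unit.
# Assumptions: spec format name:port:proto (e.g. http:80:tcp), state and
# comment match modules available, rollback files kept under /root.

# Validate one "name:port:proto" spec: protocol tcp or udp, port 1-65535.
valid_service() {
    case "$1" in
        *:*:tcp|*:*:udp) ;;
        *) return 1 ;;
    esac
    port=${1#*:}; port=${port%:*}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# gen_rules SSH_PORT HOME_IP "spec spec ..." -> iptables-restore text on stdout.
# Refuses the whole set (exit 1) on a malformed spec, so a typo can neither
# open the wrong port nor silently drop the rule that keeps SSH reachable.
gen_rules() {
    ssh_port=$1; home_ip=$2; services=$3
    for svc in $services; do
        if ! valid_service "$svc"; then
            echo "bad service spec: $svc" >&2
            return 1
        fi
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-established traffic first: they match most packets,
    # and the ESTABLISHED rule is what keeps the current SSH session alive.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -p tcp --dport $ssh_port -j ACCEPT -m comment --comment ssh"
    if [ -n "$home_ip" ]; then
        echo "-A INPUT -s $home_ip -j ACCEPT -m comment --comment home"
    fi
    for svc in $services; do
        name=${svc%%:*}; rest=${svc#*:}; port=${rest%:*}; proto=${rest#*:}
        echo "-A INPUT -p $proto --dport $port -j ACCEPT -m comment --comment $name"
    done
    echo 'COMMIT'
}

# apply_rules FILE: check the file, keep a copy of the live ruleset, load the
# new one and arm a 120 s automatic revert. Open a *new* SSH session and run
# confirm_rules; if that session cannot get in, the old rules come back on their own.
apply_rules() {
    iptables-restore --test < "$1" || return 1
    iptables-save > /root/iptables.rollback
    iptables-restore < "$1"
    ( sleep 120; iptables-restore < /root/iptables.rollback ) &
    echo $! > /root/iptables.rollback.pid
}
confirm_rules() {
    kill "$(cat /root/iptables.rollback.pid)" && rm -f /root/iptables.rollback.pid
    /sbin/service iptables save     # persist to /etc/sysconfig/iptables
}

# Usage on the server, as root:
#   gen_rules 6000 192.0.2.10 "http:80:tcp https:443:tcp smtps:465:tcp dns:53:udp" > /root/firewall.rules
#   apply_rules /root/firewall.rules      # then, from a new session: confirm_rules
gen_rules 6000 192.0.2.10 "http:80:tcp https:443:tcp dns:53:udp"
```

iptables-restore --test only parses the file; the rollback subshell covers the case the guide describes, where the rules load fine but the port you opened is not the one sshd actually listens on.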
Fri, 02/27/2015 - 10:09
andreychek

Howdy,

That's a nice guide you have there! I just wanted to mention regarding your comment "CentOS 7 is not supported" -- Virtualmin does support CentOS 7 actually. You are welcome to use Virtualmin on that distro/version.

-Eric

Sat, 02/28/2015 - 02:43
remibruggeman

Great! But since most commands are different, this guide cannot be blindly used.

Now I have to consider reinstalling my new server before it goes live...

My previous reply has a partly automated script inside, but it does not want to show. Did I do something wrong?

Sat, 09/19/2015 - 16:18
Yzord

Thanks! Although it is an old post, i would like to thank you for it :)
