server-shield/sshield at master · lxghost/server-shield · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
#!/bin/bash

#####################################################
###						  ###
### 	 Server Shield v1.0.9 by Brian Holt 	  ###
###						  ###
#####################################################

# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:

# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.

# Copyright (c) 2012 Brian Holt. All rights reserved.

### Firewall Hardening
### TCP Hardening
### ICMP/Ping Flood Protection
### DoS Protection
### Spoof Protection
### FTP/SSH Bruteforce Protection
### Automatic Security Updates
### Disables Bash History
### DNS Amplification Protection

# Automatic Updates
# 1: ipconfig, nmap, net-tools, sed, gawk, git, yum-security
# 2: sshield, ipconfig, nmap, net-tools, sed, gawk, git, yum-security
update=2

# Public Interface
int_if=$(ifconfig -a | grep -i "link[ ]*encap[ ]*:[ ]*ethernet" | awk 'BEGIN{ iface="z" }{ if( $1 ~ /^eth/ && iface > $1 ) iface=$1 } END{ print iface }')

# IP Address
int_ip=$(hostname -i)

# Open Ports
pub_serv=$(nmap --open $int_ip | sed '/report\|open/!d' | awk '/open/{print substr( $1, 0, length($1) - 4)}' | tr '\n' , | awk '{print substr( $1, 0, length($1) - 1)}')

# Don't edit below here unless you know what you're doing

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/sbin/iptables
NAME=sshield

test -x $DAEMON || exit 0

set -e

iptables=/sbin/iptables

function sshield_start {

	if grep "unset HISTFILE" /etc/profile >/dev/null 2>&1
	then
	    find / -iname '*.bash_history' -type f -exec rm -f {} \;
	else
	    echo "unset HISTFILE" >> /etc/profile
	    find / -iname '*.bash_history' -type f -exec rm -f {} \;
	fi

	# Protect against ICMP "Smurf"
	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

	# Protect against TCP Time-Wait
	echo 1 > /proc/sys/net/ipv4/tcp_rfc1337

	# Don't bother logging bogus error responses
	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

	# Don't bother logging spoofed IP addresses
	echo 0 > /proc/sys/net/ipv4/conf/all/log_martians

	# Protect against Source Routed Packets
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

	# Just DROP, don't send error messages back
	$iptables -P INPUT   DROP
	$iptables -P FORWARD DROP
	$iptables -P OUTPUT  DROP

	# Block: Broadcasts
	$iptables -A INPUT  -i $int_if -d 255.255.255.255 -j DROP
	$iptables -A INPUT  -i $int_if -d 192.168.255.255 -j DROP
	$iptables -A INPUT  -i $int_if -d 192.168.1.255   -j DROP
	$iptables -A INPUT             -d 10.0.0.0/8      -j DROP
	$iptables -A INPUT             -d 169.254.0.0/16  -j DROP

	# Block: Spoofed Packets
	$iptables -A INPUT  -i $int_if -s $int_ip -m recent --set -j DROP

	# Accept: Loopback
	$iptables -A INPUT  -i lo -j ACCEPT
	$iptables -A OUTPUT -o lo -j ACCEPT

	# Limit: DNS Amplification Attack
	$iptables -A INPUT -p udp -m udp -m recent -i $int_if --dport 53 -j ACCEPT --set --name DNS --rsource
	$iptables -A INPUT -p udp -m udp -m recent -i $int_if --dport 53 --update --seconds 20 --hitcount 20 --name DNS --rsource -j DROP

	# Limit: ICMP Flood
	$iptables -A INPUT  -p icmp -m limit --limit 30/s --limit-burst 200 -j ACCEPT
	$iptables -A INPUT  -p icmp -j DROP

	# Accept: Established Connections
	$iptables -A OUTPUT -o $int_if -j ACCEPT
	$iptables -A INPUT  -i $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
	$iptables -A INPUT -i $int_if -p tcp -d $int_ip -m multiport --dports $pub_serv -j ACCEPT
	$iptables -A INPUT -i $int_if -p udp -d $int_ip -m multiport --dports $pub_serv -j ACCEPT

	# Limit: SSH Bruteforcing
	$iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
	$iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

	# Limit: FTP Bruteforcing
	$iptables -A INPUT -p tcp --dport 21 -m recent --update --seconds 60 --hitcount 5 --name FTP -j DROP
	$iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP -j ACCEPT

	# Finish: Log and Reject
	$iptables -A INPUT   -j LOG --log-prefix "IN "
	$iptables -A INPUT   -j REJECT --reject-with icmp-port-unreachable
	$iptables -A OUTPUT  -j LOG --log-prefix "OU "
	$iptables -A OUTPUT  -j REJECT --reject-with icmp-port-unreachable
	$iptables -A FORWARD -j LOG --log-prefix "FW "
	$iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
}

function sshield_fallback_start {
	# Flush
	$iptables -F
	$iptables -F -t mangle
	$iptables -X -t mangle
	$iptables -F -t nat
	$iptables -X -t nat
	$iptables -X

	# Defaults
	$iptables -P INPUT   DROP
	$iptables -P FORWARD DROP
	$iptables -P OUTPUT  DROP

	# Accept: Loopback
	$iptables -A INPUT  -i lo -j ACCEPT
	$iptables -A OUTPUT -o lo -j ACCEPT

	# Accept: ICMP
	$iptables -A INPUT  -i $int_if -d $int_ip -p icmp -j ACCEPT

	# Accept: Established Connections
	$iptables -A OUTPUT -o $int_if -j ACCEPT
	$iptables -A INPUT  -i $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
	$iptables -A INPUT -i $int_if -p tcp -d $int_ip -m multiport --dports $pub_serv -j ACCEPT
	$iptables -A INPUT -i $int_if -p udp -d $int_ip -m multiport --dports $pub_serv -j ACCEPT

	# Finish: Log
	$iptables -A INPUT   -j LOG --log-prefix "IN "
	$iptables -A OUTPUT  -j LOG --log-prefix "OU "
	$iptables -A FORWARD -j LOG --log-prefix "FW "
}

function sshield_stop {
	# Flush
	$iptables -F
	$iptables -F -t mangle
	$iptables -X -t mangle
	$iptables -F -t nat
	$iptables -X -t nat
	$iptables -X

	# Default
	$iptables -P INPUT   ACCEPT
	$iptables -P FORWARD ACCEPT
	$iptables -P OUTPUT  ACCEPT
}

case "$1" in
  start)
	if [ "$update" -gt "0" ]
	then
	   echo -n "Updating $NAME: "
	   yum install -y net-tools nmap iptables sed gawk git yum-security >/dev/null 2>&1
	   yum --security update -y >/dev/null 2>&1
	fi
	if [ "$update" -gt "1" ]
	then
	   cd /tmp;git clone https://github.com/Brian-Holt/server-shield >/dev/null 2>&1
	   mv /tmp/server-shield/sshield /etc/init.d/sshield;chmod +x /etc/init.d/sshield
	   rm -rf /tmp/server-shield
	fi
	sshield_stop
	echo -n "Starting $NAME: "
	sshield_start || sshield_fallback_start
	echo "OK"
	;;
  stop)
	echo -n "Stopping $NAME: "
	sshield_stop
	echo "OK"
	;;
  *)
	N=/etc/init.d/$NAME
	echo "Usage: $N {start|stop}" >&2
	exit 1
	;;
esac

exit 0