-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy pathsshield
234 lines (193 loc) · 7.38 KB
/
sshield
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
#!/bin/bash
#####################################################
### ###
### Server Shield v1.1.5 ###
### ###
#####################################################
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.
# Copyright (c) 2012. All rights reserved.
### Slowloris Protection
### Firewall Hardening
### ICMP/Ping Flood Resistance
### FTP/SSH Bruteforce Protection
### Automatic Security Updates
### Disables Bash History
### DNS Amplification Protection
#
# Automatic Updates
# 1: ipconfig, net-tools, sed, gawk, git, yum-security, mod_antiloris
# 2: sshield, ipconfig, net-tools, sed, gawk, git, yum-security, mod_antiloris
update=1
# Public Interfaces
iface=($(ifconfig | grep 'eth' | awk '{ print $1 }' | cut -d: -f1 | tr '\n' ' '))
# Public IP Addresses
ip=($(ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'))
# Open Ports
pub_serv=($(ss -ln | tail --lines=+2 | awk '{print $3}' | egrep -v "^(127\.|::1|fe80)" | sed -e 's/:/ /g' | awk '{print $NF}' | tr '\n' , | sort -u | sed '$s/.$//'))
# Don't edit below here unless you know what you're doing
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/sbin/iptables
NAME=sshield
test -x $DAEMON || exit 0
set -e
iptables=/sbin/iptables
function sshield_start {
if grep "unset HISTFILE" /etc/profile >/dev/null 2>&1
then
find / -iname '*.bash_history' -type f -exec rm -f {} \;
else
echo "unset HISTFILE" >> /etc/profile
find / -iname '*.bash_history' -type f -exec rm -f {} \;
fi
# Protect against taking part in an ICMP "Smurf"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Protect against TCP Time-Wait attacks
echo 1 > /proc/sys/net/ipv4/tcp_rfc1337
# Don't bother logging bogus error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Don't bother logging spoofed IP addresses
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
# Protect against Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Just DROP, don't send error messages back
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP
# Block: Spoofed
for i in "${!ip[@]}"; do
$iptables -A INPUT -i ${iface[$i]} -s ${ip[$i]} -m recent --set -j DROP
done
# Accept: Loopback
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# Limit: DNS Amplification Attack
for i in "${!iface[@]}"; do
$iptables -A INPUT -p udp -m udp -m recent -i ${iface[$i]} --dport 53 -j ACCEPT --set --name DNS --rsource
$iptables -A INPUT -p udp -m udp -m recent -i ${iface[$i]} --dport 53 --update --seconds 20 --hitcount 20 --name DNS --rsource -j DROP
done
# Limit: ICMP Flood
$iptables -A INPUT -p icmp -m limit --limit 30/s --limit-burst 200 -j ACCEPT
$iptables -A INPUT -p icmp -j DROP
# Accept: Established Connections
for i in "${!iface[@]}"; do
$iptables -A OUTPUT -o ${iface[$i]} -j ACCEPT
$iptables -A INPUT -i ${iface[$i]} -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -i ${iface[$i]} -p tcp -d ${ip[$i]} -m multiport --dports $pub_serv -j ACCEPT
$iptables -A INPUT -i ${iface[$i]} -p udp -d ${ip[$i]} -m multiport --dports $pub_serv -j ACCEPT
done
# Limit: SSH Bruteforcing
$iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
$iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# Limit: FTP Bruteforcing
$iptables -A INPUT -p tcp --dport 21 -m recent --update --seconds 60 --hitcount 5 --name FTP -j DROP
$iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP -j ACCEPT
# Finish: Log and Reject
$iptables -A INPUT -j LOG --log-prefix "IN "
$iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
$iptables -A OUTPUT -j LOG --log-prefix "OU "
$iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
$iptables -A FORWARD -j LOG --log-prefix "FW "
$iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
}
function sshield_fallback_start {
# Flush
$iptables -F
$iptables -F -t mangle
$iptables -X -t mangle
$iptables -F -t nat
$iptables -X -t nat
$iptables -X
# Defaults
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP
# Accept: Loopback
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# Accept: ICMP
for i in "${!iface[@]}"; do
$iptables -A INPUT -i ${iface[$i]} -d ${ip[$i]} -p icmp -j ACCEPT
done
# Accept: Established Connections
for i in "${!iface[@]}"; do
$iptables -A OUTPUT -o ${iface[$i]} -j ACCEPT
$iptables -A INPUT -i ${iface[$i]} -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -i ${iface[$i]} -p tcp -d ${ip[$i]} -m multiport --dports $pub_serv -j ACCEPT
$iptables -A INPUT -i ${iface[$i]} -p udp -d ${ip[$i]} -m multiport --dports $pub_serv -j ACCEPT
done
# Finish: Log
$iptables -A INPUT -j LOG --log-prefix "IN "
$iptables -A OUTPUT -j LOG --log-prefix "OU "
$iptables -A FORWARD -j LOG --log-prefix "FW "
}
function sshield_stop {
# Flush
$iptables -F
$iptables -F -t mangle
$iptables -X -t mangle
$iptables -F -t nat
$iptables -X -t nat
$iptables -X
# Default
$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT
}
case "$1" in
start)
if [ "$update" -gt "0" ]; then
echo -n "Updating $NAME: "
yum install -y net-tools iptables sed gawk git yum-security >/dev/null 2>&1
yum --security update -y >/dev/null 2>&1
rm -rf /tmp/server-shield; cd /tmp
git clone https://github.com/bluedragonz/server-shield >/dev/null 2>&1
if test -e /usr/sbin/httpd; then
if httpd -M 2>&1 | grep antiloris > /dev/null
then
echo "" >/dev/null
else
cd /tmp/server-shield
tar -xvjf /tmp/server-shield/mod_antiloris-0.4.tar.bz2 >/dev/null 2>&1
if test -e /usr/sbin/apxs; then
apxs -a -i -c /tmp/server-shield/mod_antiloris-0.4/mod_antiloris.c >/dev/null 2>&1
service httpd restart >/dev/null 2>&1
fi
fi
fi
echo "OK"
fi
if [ "$update" -gt "1" ]
then
mv /tmp/server-shield/sshield /etc/init.d/sshield;chmod +x /etc/init.d/sshield
fi
sshield_stop
echo -n "Starting $NAME: "
sshield_start || sshield_fallback_start
echo "OK"
;;
stop)
echo -n "Stopping $NAME: "
sshield_stop
echo "OK"
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop}" >&2
exit 1
;;
esac
exit 0