improved script

server_hardening.sh

@@ -1,88 +1,108 @@
-wq#!/bin/bash
-
-# User and Group Audits
-echo "Running User and Group Audits..."
-echo "Listing all users and groups:"
-cut -d: -f1 /etc/passwd
-cut -d: -f1 /etc/group
-
-echo "Checking for users with UID 0 (root privileges):"
-awk -F: '($3 == "0") {print}' /etc/passwd
-
-echo "Identifying users without passwords:"
-awk -F: '($2 == "" ) { print $1 }' /etc/shadow
-
-# File and Directory Permissions
-echo "Checking File and Directory Permissions..."
-echo "Finding world-writable files and directories:"
-find / -type f -perm -o+w -exec ls -l {} \; 2>/dev/null
-find / -type d -perm -o+w -exec ls -ld {} \; 2>/dev/null
-
-echo "Checking for .ssh directories with secure permissions:"
-find / -type d -name ".ssh" -exec ls -ld {} \;
-
-echo "Finding files with SUID and SGID bits set:"
-find / -perm /6000 -type f -exec ls -l {} \; 2>/dev/null
-
-# Service Audits
-echo "Running Service Audits..."
-echo "Listing all running services:"
-service --status-all 2>&1 | grep '+'
-
-echo "Ensuring critical services like SSHD and iptables are running:"
-systemctl status sshd | grep "active (running)"
-systemctl status iptables | grep "active (running)"
-
-# Firewall and Network Security
-echo "Checking Firewall and Network Security..."
-echo "Checking if a firewall (iptables or ufw) is active:"
-ufw status || iptables -L
-
-echo "Reporting open ports and their associated services:"
-netstat -tuln
-
-echo "Checking for IP forwarding settings:"
-sysctl net.ipv4.ip_forward
-
-# IP and Network Configuration Checks
-echo "Performing IP and Network Configuration Checks..."
-echo "Identifying public vs. private IP addresses:"
-ip -o -4 addr show | awk '{print $2,$4}' | while read int ip; do
-  if [[ $ip =~ ^10\. ]] || [[ $ip =~ ^192\.168\. ]] || [[ $ip =~ ^172\.1[6-9]\. ]] || [[ $ip =~ ^172\.2[0-9]\. ]] || [[ $ip =~ ^172\.3[0-1]\. ]]; then
-    echo "$int has a private IP address $ip"
-  else
-    echo "$int has a public IP address $ip"
-  fi
-done
-
-# Security Updates and Patching
-echo "Checking Security Updates and Patching..."
-echo "Checking for available security updates:"
-sudo apt update && sudo apt list --upgradable
-
-echo "Configuring automatic security updates:"
-sudo apt install -y unattended-upgrades
-sudo dpkg-reconfigure --priority=low unattended-upgrades
-
-# Log Monitoring
-echo "Monitoring Logs..."
-echo "Checking for suspicious log entries:"
-grep -i "failed" /var/log/auth.log | tail -n 10
-
-# Server Hardening Steps
-echo "Executing Server Hardening Steps..."
-echo "Configuring SSH for key-based authentication and disabling password-based login for root."
-# Additional SSH hardening steps can be added here
-
-echo "Disabling IPv6 if not needed:"
-sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
-
-echo "Securing the bootloader:"
-sudo grub-mkpasswd-pbkdf2 # Follow the prompts to set a password
-
-echo "Configuring the firewall:"
-sudo ufw default deny incoming
-sudo ufw default allow outgoing
-sudo ufw enable
-
-echo "Security Audit and Hardening Completed."
+#!/bin/bash
+
+
+# Function to check if running as root
+check_root() {
+    if [ "$(id -u)" != "0" ]; then
+        echo "This script must be run as root" 1>&2
+        exit 1
+    fi
+}
+
+# Function to log messages
+log_message() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
+}
+
+# Main function
+main() {
+    check_root
+
+    log_message "Starting server hardening process..."
+
+    # Update and upgrade system
+    log_message "Updating and upgrading system..."
+    apt update && apt upgrade -y
+
+    # Install necessary packages
+    log_message "Installing necessary packages..."
+    apt install -y ufw fail2ban unattended-upgrades
+
+    # Configure firewall
+    log_message "Configuring firewall..."
+    ufw default deny incoming
+    ufw default allow outgoing
+    ufw allow ssh
+    ufw allow http
+    ufw allow https
+    ufw --force enable
+
+    # Configure fail2ban
+    log_message "Configuring fail2ban..."
+    systemctl enable fail2ban
+    systemctl start fail2ban
+
+    # Secure SSH
+    log_message "Securing SSH..."
+    sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+    sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
+    systemctl restart sshd
+
+    # Configure automatic updates
+    log_message "Configuring automatic updates..."
+    echo 'APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";' > /etc/apt/apt.conf.d/20auto-upgrades
+
+    # Disable unnecessary services
+    log_message "Disabling unnecessary services..."
+    systemctl disable avahi-daemon
+    systemctl disable cups
+    systemctl disable rpcbind
+
+    # Set secure file permissions
+    log_message "Setting secure file permissions..."
+    chmod 700 /root
+    chmod 700 /home/*
+    chmod 644 /etc/passwd
+    chmod 644 /etc/group
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
+
+    # Configure system logging
+    log_message "Configuring system logging..."
+    sed -i 's/^#FileCreateMode/FileCreateMode/' /etc/rsyslog.conf
+    sed -i 's/^#FileCreateMode 0640/FileCreateMode 0640/' /etc/rsyslog.conf
+    systemctl restart rsyslog
+
+    # Enable process accounting
+    log_message "Enabling process accounting..."
+    apt install -y acct
+    /etc/init.d/acct start
+
+    # Secure GRUB bootloader
+    log_message "Securing GRUB bootloader..."
+    grub-mkpasswd-pbkdf2 | tee /tmp/grub_password.txt
+    GRUB_PASSWORD=$(tail -n 1 /tmp/grub_password.txt | awk '{print $NF}')
+    echo "set superusers=\"root\"
+password_pbkdf2 root $GRUB_PASSWORD" > /etc/grub.d/40_custom
+    update-grub
+    rm /tmp/grub_password.txt
+
+    # Disable IPv6 if not needed
+    log_message "Disabling IPv6..."
+    echo "net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf
+    sysctl -p
+
+    # Final system update
+    log_message "Performing final system update..."
+    apt update && apt upgrade -y
+
+    log_message "Server hardening completed. Please review the changes and reboot the system."
+}
+
+# Run the main function
+main

task1_monitor.sh

@@ -1,81 +1,51 @@
 #!/bin/bash
 
-# Function to display top 10 applications by CPU and memory usage
-display_cpu_memory() {
-    echo "Top 10 Applications by CPU and Memory Usage:"
-    ps -eo pid,user,%cpu,%mem,command --sort=-%cpu | head -n 11
-}
-
-# Function to display memory usage
-display_memory_usage() {
-    echo "Memory Usage:"
-    free -h
-}
-
-# Function to display network statistics
-display_network_stats() {
-    echo "Network Statistics:"
-    echo "Concurrent Connections: $(netstat -an | grep ESTABLISHED | wc -l)"
-    echo "Packet Drops:"
-    ifstat -t 1 1 | tail -n 1 | awk '{print "Packets In: "$6" Packets Out: "$8}'
-}
-
-# Function to display disk usage by mounted partitions
-display_disk_usage() {
-    echo "Disk Usage by Mounted Partitions:"
-    df -h | grep '^/dev/'
-}
-
-# Function to display system load
-display_system_load() {
-    echo "System Load:"
-    uptime
-    mpstat -P ALL 1 1
-}
-
-# Function to display active processes
-display_active_processes() {
-    echo "Active Processes: $(ps aux | wc -l)"
-}
-
-# Function to monitor essential services
-monitor_services() {
-    echo "Service Monitoring:"
-    for service in sshd nginx iptables; do
-        if systemctl list-unit-files | grep -q "^${service}.service"; then
-            status=$(systemctl is-active $service)
-            echo "$service: $status"
-        else
-            echo "$service: not installed"
-        fi
-    done
-}
-
-# Handle command-line arguments to display specific dashboard sections
-case "$1" in
-    --cpu)
-        display_cpu_memory
-        ;;
-    --memory)
-        display_memory_usage
-        ;;
-    --network)
-        display_network_stats
-        ;;
-    --disk)
-        display_disk_usage
-        ;;
-    --load)
-        display_system_load
-        ;;
-    --processes)
-        display_active_processes
-        ;;
-    --services)
-        monitor_services
-        ;;
-    *)
-        echo "Usage: $0 {--cpu|--memory|--network|--disk|--load|--processes|--services}"
-        ;;
-esac
-
+echo "Top 10 Applications by CPU and Memory Usage:"
+ps aux --sort=-%cpu,-%mem | head -n 11
+
+echo "Memory Usage:"
+free -m
+
+echo "Network Statistics:"
+if command -v ss &> /dev/null; then
+    echo "Concurrent Connections:"
+    ss -s | grep "TCP:"
+else
+    echo "ss command not found. Install iproute2 package for network statistics."
+fi
+
+echo "Packet Drops:"
+if command -v ifconfig &> /dev/null; then
+    ifconfig | grep -i "RX packets" | awk '{print $6 " " $7 " " $8 " " $9 " " $10}'
+elif command -v ip &> /dev/null; then
+    ip -s link | grep -A 1 "RX:" | grep -v "RX:" | awk '{print $4 " drops"}'
+else
+    echo "Neither ifconfig nor ip command found. Install net-tools or iproute2 package."
+fi
+
+echo "Disk Usage by Mounted Partitions:"
+df -h
+
+echo "System Load:"
+uptime
+
+echo "CPU Utilization:"
+if command -v mpstat &> /dev/null; then
+    mpstat 1 1
+else
+    echo "mpstat command not found. Install sysstat package for CPU utilization."
+fi
+
+echo "Active Processes:" $(ps -e | wc -l)
+
+echo "Service Monitoring:"
+services=("sshd" "nginx" "iptables")
+for service in "${services[@]}"; do
+    if systemctl is-active --quiet $service; then
+        echo "$service: active"
+    elif systemctl is-enabled --quiet $service; then
+        echo "$service: enabled but not active"
+    else
+        echo "$service: not installed or not enabled"
+    fi
+done