Paste the code below into a file and run it, passing the notification e-mail address as its only argument.
#!/usr/bin/env bash
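# Download, unpack and run the ConfigServer Firewall (CSF) cPanel installer,
# then remove the tarball and the unpacked tree from /usr/local/src.
# Returns: the installer's exit status, or 1 if an earlier step failed.
csfinstall () {
  local status
  # Stop at the first failure. Without these checks a failed download or
  # unpack falls through to "sh install.cpanel.sh" in whatever directory the
  # shell is still in, and that file then runs as root.
  cd /usr/local/src || return 1
  rm -fv csf.tgz
  # NOTE(review): the archive comes over plain HTTP and its installer runs as
  # root with no checksum or signature check. Compare the download against a
  # digest obtained out of band before running it.
  wget http://www.configserver.com/free/csf.tgz || return 1
  tar -xzf csf.tgz || return 1
  cd csf || return 1
  sh install.cpanel.sh
  status=$?
  rm -rfv /usr/local/src/csf.tgz /usr/local/src/csf/
  return "$status"
}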
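# Update an existing CSF installation: disable csf/lfd, force-reinstall the
# Perl URI module, re-enable csf/lfd, then run the CSF updater.
# Returns: exit status of the final "csf -u".
csfupdateonly() {
  # The firewall is off between -x and -e, so keep this window short and make
  # sure -e still runs if the Perl step fails (no early return here).
  /usr/sbin/csf -x
  # The page showed an en dash ("–force"), which perlinstaller would receive
  # as a literal argument rather than as an option; "--force" is the option.
  /scripts/perlinstaller --force URI
  /usr/sbin/csf -e
  /usr/sbin/csf -u
}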
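# Apply a fixed set of edits to the CSF/LFD configuration and restart both.
# Files written: /etc/csf/csf.conf (backup in csf.conf.beforetweak),
# csf.rignore, csf.pignore, csf.blocklists.
# Returns: exit status of the final "csf -r".
csftweak() {
  local conf=/etc/csf/csf.conf
  local blocklists=/etc/csf/csf.blocklists
  local key old new entry
  local -a edits=()

  cp "$conf" "${conf}.beforetweak"

  # Each row is: KEY  value-expected-in-the-file  replacement-value.
  # The page carried typographic quotes, so none of its sed expressions could
  # match; the expressions below use real quotes. They are also anchored at
  # the start of the line: unanchored, the PT_LIMIT pattern is a suffix of
  # LF_SCRIPT_LIMIT and could rewrite that key as well.
  #
  # NOTE(review): several rows relax detection rather than tighten it.
  #  - LF_*_PERM "1" -> "5": per the csf.conf comments, 1 is a permanent block
  #    and a larger value is a temporary block of that many seconds, so this
  #    looks like a five-second block. Confirm for the installed version.
  #  - PT_LIMIT "60" -> "0" appears to switch process tracking off. Confirm.
  #  - LF_PERMBLOCK_COUNT 4 -> 20 and the LF_* trigger counts of 20 raise the
  #    number of failures tolerated before an address is blocked.
  while read -r key old new; do
    edits+=(-e "s/^${key} = \"${old}\"/${key} = \"${new}\"/")
  done <<'EOF'
TESTING 1 0
RESTRICT_SYSLOG 0 3
FASTSTART 0 1
SYSLOG_CHECK 0 3600
PT_USERMEM 200 500
PT_ALL_USERS 0 1
PS_INTERVAL 300 3600
PS_LIMIT 10 20
SMTP_BLOCK 0 1
CT_LIMIT 0 1000
UDPFLOOD 0 1
SYNFLOOD 0 1
PT_LIMIT 60 0
LF_SCRIPT_LIMIT 0 100
LF_MODSEC_PERM 1 180
LF_FTPD 1 20
LF_FTPD_PERM 1 5
LF_POP3D 1 20
LF_POP3D_PERM 1 5
LF_IMAPD 1 20
LF_IMAPD_PERM 1 5
LF_SMTPAUTH 1 20
LF_SMTPAUTH_PERM 1 5
LF_HTACCESS 1 20
LF_HTACCESS_PERM 1 5
LF_PERMBLOCK_INTERVAL 86400 12000
LF_PERMBLOCK_COUNT 4 20
LF_SYMLINK 0 2
LF_SYMLINK_PERM 1 5
LF_SCRIPT_ALERT 0 1
LF_DIRWATCH_DISABLE 0 1
EOF
  # Left disabled, as on the page:
  #   LF_ALERT_TO "" -> "root@"
  #   X_ARF "0" -> "1"
  #   X_ARF_TO "" -> "sample"

  # Adds 30000:50000 to every port list that ends in 2095,2096 (the passive
  # FTP range configured in ftptweak). This opens 20001 ports in the firewall.
  edits+=(-e 's/2095,2096"/2095,2096,30000:50000"/')
  sed -i "${edits[@]}" "$conf"

  # Append each entry once, so a second run does not duplicate lines.
  for entry in .googlebot.com .crawl.yahoo.net .search.msn.com .root-servers.net; do
    grep -qxF -- "$entry" /etc/csf/csf.rignore 2>/dev/null \
      || printf '%s\n' "$entry" >> /etc/csf/csf.rignore
  done

  # NOTE(review): ignoring the php, python, ruby and perl interpreters means
  # lfd process tracking will not report anything run through them.
  for entry in \
    exe:/usr/bin/php \
    exe:/usr/libexec/dovecot/auth \
    exe:/usr/local/cpanel/3rdparty/bin/freshclam \
    exe:/usr/bin/python \
    exe:/usr/bin/ruby \
    exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english \
    exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl; do
    grep -qxF -- "$entry" /etc/csf/csf.pignore 2>/dev/null \
      || printf '%s\n' "$entry" >> /etc/csf/csf.pignore
  done

  # Enable four bundled blocklists and refresh every hour instead of daily.
  sed -i \
    -e 's/#SPAMEDROP/SPAMEDROP/' \
    -e 's/#BOGON/BOGON/' \
    -e 's/#HONEYPOT/HONEYPOT/' \
    -e 's/#MAXMIND/MAXMIND/' \
    -e 's/86400/3600/g' \
    "$blocklists"

  if ! grep -q "GREENSNOW" "$blocklists"; then
    # NOTE(review): the last field should be the list URL; the page has the
    # placeholder "test", so lfd has nothing to fetch for this entry until it
    # is replaced with the provider's published list URL.
    {
      echo ""
      echo "# GreenSnow IP List"
      echo "# Details at: http://greensnow.co"
      echo "GREENSNOW|3600|0|test"
    } >> "$blocklists"
  fi

  /etc/init.d/csf restart
  /etc/init.d/lfd restart
  csf -r
}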
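# Download, unpack and run the ConfigServer ModSecurity Control (cmc)
# installer, then remove the tarball and unpacked tree.
# Returns: the installer's exit status, or 1 if an earlier step failed.
cmcinstall() {
  local status
  # Bail out on the first failed step so a stale or unrelated install.sh in
  # /usr/local/src is never run as root after a failed download.
  cd /usr/local/src || return 1
  rm -fv cmc.tgz
  # NOTE(review): plain-HTTP download, executed as root, no digest or
  # signature check. Verify the archive out of band before installing.
  wget http://www.configserver.com/free/cmc.tgz || return 1
  tar -xzf cmc.tgz || return 1
  cd cmc/ || return 1
  sh install.sh
  status=$?
  rm -rfv /usr/local/src/cmc.tgz /usr/local/src/cmc/
  return "$status"
}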
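# Unpack and run the ConfigServer Mail Manage (cmm) installer, then remove
# the tarball and unpacked tree.
# Returns: the installer's exit status, or 1 if an earlier step failed.
cmminstall() {
  local status
  cd /usr/local/src || return 1
  rm -fv cmm.tgz
  # NOTE(review): the download step is missing on the page (compare
  # cmcinstall and cmqinstall, which wget their archive here). As written the
  # archive has just been deleted, so the original went on to run
  # "sh install.sh" from /usr/local/src itself. Restore the download, e.g.
  #   wget <CMM_TARBALL_URL> || return 1
  # and verify the archive before running its installer.
  if [ ! -f cmm.tgz ]; then
    echo "cmminstall: cmm.tgz not present, download step missing" >&2
    return 1
  fi
  tar -xzf cmm.tgz || return 1
  cd cmm || return 1
  sh install.sh
  status=$?
  rm -rfv /usr/local/src/cmm.tgz /usr/local/src/cmm
  return "$status"
}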
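# Download, unpack and run the ConfigServer Mail Queues (cmq) installer, then
# remove the tarball and unpacked tree.
# Returns: the installer's exit status, or 1 if an earlier step failed.
cmqinstall() {
  local status
  # Each step is checked so a failed download cannot lead to running an
  # unrelated install.sh from the wrong directory.
  cd /usr/local/src || return 1
  rm -fv cmq.tgz
  # NOTE(review): plain-HTTP download, executed as root, no digest or
  # signature check. Verify the archive out of band before installing.
  wget http://download.configserver.com/cmq.tgz || return 1
  tar -xzf cmq.tgz || return 1
  cd cmq || return 1
  sh install.sh
  status=$?
  rm -rfv /usr/local/src/cmq.tgz /usr/local/src/cmq
  return "$status"
}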
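# Show a one-character spinner after a message for as long as the most
# recently started background job ($!) is alive.
# Arguments: $1 - text shown before the spinner (backslash escapes honoured)
# Outputs:   "\r<message> <spinner char>" on stdout, every 0.1 s
# Returns:   0 once the job has gone away
mysleep() {
  local message=$1
  # Must be read before anything else in this function starts a job.
  local pid=$!
  # Real single quotes: the page's typographic quotes became part of the
  # spinner string, so the frames drawn were the quote marks themselves.
  local spin='-\|/'
  local i=0
  # kill -0 only probes for existence. With no background job $! is empty,
  # kill fails, and the loop is skipped.
  while kill -0 "$pid" 2>/dev/null; do
    i=$(( (i + 1) % 4 ))
    printf '\r%b %s' "$message" "${spin:i:1}"
    sleep .1
  done
  return 0
}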
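# Install Linux Malware Detect if /usr/local/maldetect is absent, then enable
# e-mail alerts addressed to $CUSTOMEREMAIL.
# Globals:  CUSTOMEREMAIL (read)
# Returns:  0 on success, 1 if a download/unpack/install step failed.
maldetinstall() {
  local email_re
  if [ ! -d /usr/local/maldetect ]; then
    cd /usr/local/src/ || return 1
    rm -fv maldetect-current.tar.gz
    # NOTE(review): plain-HTTP download whose install.sh runs as root with no
    # digest or signature check. Verify the archive out of band first.
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz || return 1
    tar xfz maldetect-current.tar.gz || return 1
    # The trailing slash restricts the glob to directories. "maldetect-*"
    # also matches the tarball, and recent bash rejects cd with two arguments.
    cd maldetect-*/ || return 1
    ./install.sh || return 1
    maldet -d
    maldet -u
    cd /usr/local/src/ || return 1
    rm -rfv /usr/local/src/maldetect-current.tar.gz /usr/local/src/maldetect-*
  fi
  # Escape \, / and & so the address is inserted literally and cannot end or
  # alter the sed expression.
  email_re=$(printf '%s' "$CUSTOMEREMAIL" | sed 's/[\/&]/\\&/g')
  sed -i "s/email_alert=0/email_alert=1/" /usr/local/maldetect/conf.maldet
  sed -i "s/you@domain.com/${email_re}/" /usr/local/maldetect/conf.maldet
}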
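# Download and install RFXN Linux Environment Security (les), run
# "les -sb on", then remove the downloaded files.
# Returns: 0 on success, 1 if a download/unpack/install step failed.
lesinstall() {
  cd /usr/local/src || return 1
  # NOTE(review): plain-HTTP download whose install.sh runs as root with no
  # digest or signature check. Verify the archive out of band first.
  wget http://www.rfxn.com/downloads/les-current.tar.gz || return 1
  tar -zxvf les-current.tar.gz || return 1
  # Trailing slash: match the unpacked directory only, not the tarball.
  cd les-*/ || return 1
  ./install.sh || return 1
  les -sb on
  cd /usr/local/src || return 1
  rm -rf les-*
}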
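# Download and install RFXN Linux Socket Monitor (lsm), then remove the
# downloaded files.
# Returns: 0 on success, 1 if a download/unpack/install step failed.
lsminstall() {
  cd /usr/local/src || return 1
  # NOTE(review): plain-HTTP download whose install.sh runs as root with no
  # digest or signature check. Verify the archive out of band first.
  wget http://www.rfxn.com/downloads/lsm-current.tar.gz || return 1
  tar xvfz lsm-current.tar.gz || return 1
  # Trailing slash: match the unpacked directory only, not the tarball.
  cd lsm-*/ || return 1
  ./install.sh || return 1
  cd /usr/local/src || return 1
  rm -rf lsm-*
}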
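# Enable TCP SYN cookies, replace the daily logrotate cron script with a
# downloaded one, install logwatch with mail output to $CUSTOMEREMAIL, and
# forward root's mail to the same address.
# Globals:  CUSTOMEREMAIL (read)
# Returns:  1 if /usr/local/src is unavailable, otherwise the last status.
# Note: nothing in the main section of this script calls this function.
linuxtweak() {
  local fix=/usr/local/src/logrotatefix.txt
  local lw_conf=/usr/share/logwatch/default.conf/logwatch.conf
  local email_re

  # The sysctl key is net.ipv4.tcp_syncookies. The page wrote
  # kernel.tcp_syncookies, which "sysctl -p" would reject if it were ever
  # written to the file.
  if grep -q '^[#[:space:]]*net\.ipv4\.tcp_syncookies' /etc/sysctl.conf; then
    sed -i 's/^[#[:space:]]*net\.ipv4\.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/' /etc/sysctl.conf
  else
    echo 'net.ipv4.tcp_syncookies = 1' >> /etc/sysctl.conf
  fi
  sysctl -p

  cd /usr/local/src/ || return 1
  # Download first and replace the cron script only when a non-empty file
  # arrived. The original truncated the script before downloading, so a
  # failed download left log rotation disabled.
  # NOTE(review): whatever this plain-HTTP URL returns becomes a script that
  # cron runs daily as root. Review the content and keep a vetted local copy.
  if wget -O "$fix" http://techsware.in/downloads/logrotatefix.txt && [ -s "$fix" ]; then
    cat "$fix" > /etc/cron.daily/logrotate
  fi
  mkdir -p /var/spool/logrotate/tmp

  yum install logwatch -y
  rm -f /etc/logwatch/conf/logwatch.conf
  # Escape \, / and & so the address is inserted literally by sed.
  email_re=$(printf '%s' "$CUSTOMEREMAIL" | sed 's/[\/&]/\\&/g')
  sed -i \
    -e 's/Output =/Output = mail/' \
    -e "s/MailTo = root/MailTo = ${email_re}/" \
    -e 's/Print = Yes/Print = No/' \
    "$lw_conf"
  cp -p "$lw_conf" /etc/logwatch/conf/
  logwatch
  printf '%s\n' "$CUSTOMEREMAIL" > /root/.forward
}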
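# Download a list of service names and, for each one, disable it at boot
# (chkconfig off) and stop it.
# Returns: 1 if the list could not be downloaded, otherwise the last status.
disableunproc() {
  local list=/usr/local/src/services_dis_vps.txt
  local svc
  yum install wget -y
  cd /usr/local/src/ || return 1
  # NOTE(review): the list is fetched over plain HTTP from a third party, so
  # whoever controls that response chooses which services are turned off,
  # including ones the host relies on for access or protection. Prefer a
  # reviewed list kept with the script.
  wget -O "$list" http://nixtree.com/download/free/services_dis_vps.txt || return 1
  # One name per whitespace-separated token, as in the original loop.
  tr -s '[:space:]' '\n' < "$list" | while IFS= read -r svc; do
    # Accept plain service names only; skip anything with shell or path
    # metacharacters instead of passing it to chkconfig/service.
    [[ $svc =~ ^[A-Za-z0-9_.@-]+$ ]] || continue
    chkconfig "$svc" off
    service "$svc" stop
  done
  rm -f "$list"
}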
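# Download and install rkhunter 1.4.2, append a site whitelist to
# /etc/rkhunter.conf, install a daily cron job and record file properties.
# Globals:  CUSTOMEREMAIL (read)
# Returns:  1 if a download/unpack/install step failed, otherwise the status
#           of "rkhunter --propupdate".
rkhunterinstall() {
  local conf=/etc/rkhunter.conf
  local email_re

  cd /usr/local/src || return 1
  # NOTE(review): this tarball is fetched over plain HTTP from a
  # non-project host and installed as root with no digest or signature check.
  # Fetch from the project's own distribution point and verify it.
  wget http://ph.clarenne.name/rkhunter-1.4.2.tar.gz || return 1
  tar -zxvf rkhunter-1.4.2.tar.gz || return 1
  cd rkhunter-1.4.2 || return 1
  # The page showed en dashes before install/update/cronjob/propupdate;
  # those must be the two-hyphen long options to be parsed as options.
  sh installer.sh --install || return 1
  rkhunter --update
  cd /usr/local/src || return 1
  rm -rfv rkhunter-1.4.2.tar.gz rkhunter-1.4.2

  # Escape \, / and & so the address is inserted literally by sed.
  email_re=$(printf '%s' "$CUSTOMEREMAIL" | sed 's/[\/&]/\\&/g')
  sed -i "s/#MAIL-ON-WARNING=me@mydomain root@mydomain/MAIL-ON-WARNING=${email_re}/" "$conf"
  sed -i 's/#ALLOW_SSH_ROOT_USER=no/ALLOW_SSH_ROOT_USER=unset/' "$conf"

  cat >> "$conf" <<'EOF'
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
ALLOWHIDDENFILE=/dev/.udev/queue.bin
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
ALLOWDEVFILE=/dev/.udev/queue.bin
ALLOWHIDDENDIR=/dev/.udev
EOF

  # Comment out every existing DISABLE_TESTS line, then add this one.
  # NOTE(review): the list switches off the hidden-process, hidden-port,
  # deleted-file, packet-capture and kernel-module checks, which narrows what
  # a scan can report. Keep only the entries that cause known false
  # positives on this platform.
  sed -i "s/DISABLE_TESTS/#DISABLE_TESTS/g" "$conf"
  echo "DISABLE_TESTS=loaded_modules suspscan hidden_ports hidden_procs deleted_files packet_cap_apps avail_modules loaded_modules" >> "$conf"

  # A shebang line is added so the cron script does not depend on the
  # caller's fallback for files without an interpreter line.
  printf '%s\n' '#!/bin/sh' '/usr/local/bin/rkhunter --cronjob' > /etc/cron.daily/rkhunterscan
  chmod 755 /etc/cron.daily/rkhunterscan
  # Records the current file properties as the baseline; anything already
  # altered on the host at this point becomes part of that baseline.
  rkhunter --propupdate
}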
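# Tighten the cPanel-managed Pure-FTPd and ProFTPD settings (no root or
# anonymous logins, passive port range 30000-50000), regenerate the FTP
# configuration and restart the FTP service.
# Returns: exit status of "/scripts/restartsrv ftp".
ftptweak() {
  local pure_main=/var/cpanel/conf/pureftpd/main
  local pro_main=/var/cpanel/conf/proftpd/main

  # Only /etc/pure-ftpd.conf and /etc/proftpd.conf are backed up; the two
  # cPanel "main" files edited below are not.
  cp /etc/pure-ftpd.conf /etc/pure-ftpd.conf.beforetweak
  # The values in these files are wrapped in single quotes, so the sed
  # expressions need real double quotes outside and real single quotes
  # inside; the page's typographic quotes matched nothing.
  sed -i \
    -e "s/RootPassLogins: 'yes'/RootPassLogins: 'no'/g" \
    -e "s/AnonymousCantUpload: 'no'/AnonymousCantUpload: 'yes'/g" \
    -e "s/NoAnonymous: 'no'/NoAnonymous: 'yes'/g" \
    -e "s/MaxClientsPerIP: 8/MaxClientsPerIP: 15/" \
    -e 's/MaxIdleTime: 15/MaxIdleTime: 25/' \
    "$pure_main"
  sed -i 's/# PassivePortRange/PassivePortRange/' /etc/pure-ftpd.conf
  touch /var/cpanel/conf/pureftpd/root_password_disabled

  cp /etc/proftpd.conf /etc/proftpd.conf.beforetweak
  sed -i \
    -e "s/TCPAccessFiles: 'on'/TCPAccessFiles: 'off'/" \
    -e "s/cPanelAnonymousAccessAllowed: 'yes'/cPanelAnonymousAccessAllowed: 'no'/" \
    "$pro_main"
  # Append once; the original added a duplicate line on every run.
  grep -qxF 'PassivePorts 30000 50000' /etc/proftpd.conf 2>/dev/null \
    || echo "PassivePorts 30000 50000" >> /etc/proftpd.conf

  /usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration > /dev/null
  /scripts/restartsrv ftp
}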
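# Apply cPanel/WHM "Tweak Settings", restrict compiler access, enable
# cPHulk, set the background process killer list, add shell resource limits
# to /etc/profile and set the chkservd monitoring list.
# Globals:  CUSTOMEREMAIL (read)
# Returns:  exit status of the final updatephpmyadmin call.
cpaneltweak() {
  local cfg=/var/cpanel/cpanel.config
  local chk=/etc/chkserv.d/chkservd.conf
  local bomb=/usr/local/src/disableshellbomb.txt
  local svc

  ## cPanel Tweak Settings
  cp -p "$cfg" "${cfg}.beforetweak"
  # Settings are appended, so keys already present earlier in the file are
  # left in place. NOTE(review): which occurrence wins is not shown here;
  # confirm the values in WHM after --updatetweaksettings has run.
  cat >> "$cfg" <<EOF
alwaysredirecttossl=1
referrerblanksafety=1
referrersafety=1
xsrftokens=1
maxemailsperhour=500
emailusersbandwidthexceed95=1
proxysubdomains=1
proxysubdomainsfornewaccounts=1
proxysubdomainsoverride=1
skipboxtrapper=1
use_apache_md5_for_htaccess=1
cookieipvalidation=strict
skiphttpauth=1
cpaddons_adminemail=$CUSTOMEREMAIL
cpaddons_notify_owner=always
cpaddons_notify_root=1
blockcommondomains=1
coredump=0
emailpasswords=0
jaildefaultshell=0
defaultmailaction=fail
email_send_limits_count_mailman=1
email_send_limits_max_defer_fail_percentage=30
phploader=ioncube
cgihidepass=1
SecurityPolicy::PasswordAge=1
SecurityPolicy::PasswordAge::maxage=365
SecurityPolicy::PasswordStrength=1
nobodyspam=1
permit_unregistered_apps_as_reseller=0
permit_appconfig_entries_without_acls=0
permit_appconfig_entries_without_features=0
SecurityPolicy::PasswordStrength=1
minpwstrength_sshkey=95
minpwstrength=85
minpwstrength_createacct=80
minpwstrength_pop=75
minpwstrength_ftp=75
minpwstrength_passwd=75
minpwstrength_mysql=75
minpwstrength_webdisk=70
minpwstrength_postgres=65
minpwstrength_bandmin=60
minpwstrength_cpaddons=55
minpwstrength_list=50
EOF
  cat >> /var/cpanel/features/default <<'EOF'
api_shell=0
fantastico=0
guest=0
EOF
  # The page showed en dashes before updatetweaksettings/enable/force below;
  # they must be two hyphens to be parsed as options.
  /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings

  ## Disable SMTP Tweak in cPanel – Enable it in CSF
  rm -f /var/cpanel/smtpgidonlytweak

  ## Disable Compiler Access
  chmod 750 /usr/bin/gcc /usr/bin/i386-redhat-linux-gcc
  chown root:compiler /usr/bin/gcc /usr/bin/i386-redhat-linux-gcc

  ## Enable cpHulkd
  /usr/local/cpanel/etc/init/startcphulkd
  /usr/local/cpanel/bin/cphulk_pam_ctl --enable
  mysqlcheck -r cphulkd

  # BG Process Killer
  cp /var/cpanel/killproc.conf /var/cpanel/killproc.conf.beforetweak
  cat > /var/cpanel/killproc.conf <<'EOF'
services
ptlink
psyBNC
ircd
guardservices
generic-sniffers
eggdrop
bnc
BitchX
EOF

  # Shell Bomb Fork Protection
  if ! grep -q "cPanel Added Limit Protections" /etc/profile; then
    # NOTE(review): this plain-HTTP download is appended to /etc/profile,
    # which login shells source, root's included. Review the content and
    # keep a vetted copy with the script instead of fetching it at run time.
    # It is appended only when a non-empty file was actually downloaded.
    if wget -O "$bomb" http://techsware.in/downloads/disableshellbomb.txt && [ -s "$bomb" ]; then
      cat "$bomb" >> /etc/profile
    fi
    rm -f "$bomb"
  fi

  # Make sure each service is monitored by chkservd: drop any existing
  # "<name>:1" line and append a fresh one.
  for svc in mysql httpd lfd sshd exim ftpd imap pop cpdavd syslogd; do
    sed -i "/${svc}:1/ d" "$chk"
    echo "${svc}:1" >> "$chk"
  done
  # watchmysql monitoring is switched off. Both states are removed first so
  # repeated runs do not pile up "watchmysql:0" lines.
  sed -i '/watchmysql:[01]/ d' "$chk"
  echo "watchmysql:0" >> "$chk"

  /usr/local/cpanel/bin/updatephpmyadmin --force
}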
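# Set ServerSignature Off, ServerTokens ProductOnly, TraceEnable Off and
# FileETag None in cPanel's Apache "local" settings, then rebuild httpd.conf
# and restart Apache.
# Globals:  APACHEMINVER (written; not read anywhere in this function)
# Returns:  exit status of "/scripts/restartsrv http".
apachetweak() {
  local cfg=/var/cpanel/conf/apache/local

  APACHEMINVER=$(/usr/local/apache/bin/httpd -V | grep "Server version" | awk -F"/" '{print $2}' | awk -F"." '{print $2}')

  if [ -f "$cfg" ]; then
    cp "$cfg" "${cfg}.beforetweak"
    # Values in this file are single-quoted. The first expression turns every
    # ' into # so the middle expressions can be written inside single quotes,
    # and the last one turns every # back into '.
    # NOTE(review): a # that was already in the file also comes back as '.
    sed \
      -e "s/'/#/g" \
      -e 's/ceenable": #On#/ceenable": #Off#/g' \
      -e 's/ersignature": #On#/ersignature": #Off#/g' \
      -e 's/ertokens": #.*#/ertokens": #ProductOnly#/g' \
      -e 's/leetag": #.*#/leetag": #None#/g' \
      -e 's/nksIfOwnerMatch": 0/nksIfOwnerMatch": 1/g' \
      -e "s/#/'/g" \
      "$cfg" > "${cfg}.tmp"
    # cat (not mv) keeps the existing file's owner and mode.
    cat "${cfg}.tmp" > "$cfg"
    rm -f "${cfg}.tmp"
  else
    # The page lost this document's indentation and showed the "---" marker
    # as a dash character; YAML nesting is carried by indentation, so it is
    # restored here from the key order.
    # NOTE(review): compare with a "local" file written by WHM to confirm the
    # exact layout.
    cat << 'EOF' > "$cfg"
---
"main":
  "serversignature":
    "item":
      "serversignature": 'Off'
  "servertokens":
    "item":
      "servertokens": 'ProductOnly'
  "traceenable":
    "item":
      "traceenable": 'Off'
  "fileetag":
    "item":
      "fileetag": 'None'
EOF
  fi
  /usr/local/cpanel/bin/build_apache_conf
  /scripts/restartsrv http
}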
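# Disable LOAD DATA LOCAL INFILE in /etc/my.cnf, drop the "test" database,
# restart MySQL, then download and run the watchmysql installer.
# Returns: 1 if the watchmysql download failed, otherwise the last status.
mysqltweak() {
  if grep -q 'local-infile' /etc/my.cnf; then
    # The original replacement text was "local-infile0" (no "="), which
    # leaves a line mysqld does not recognise. Any existing value, with or
    # without spaces around "=", is set to 0.
    sed -i 's/^\([[:space:]]*local-infile\)[[:space:]]*=.*/\1=0/' /etc/my.cnf
  else
    # Insert directly under the [mysqld] header (GNU sed "a" command).
    sed -i '/\[mysqld\]/a local-infile=0' /etc/my.cnf
  fi
  # IF EXISTS keeps this quiet when the database is already gone.
  mysql -u root -e "DROP DATABASE IF EXISTS test"
  /scripts/restartsrv mysql

  cd /usr/local/src || return 1
  # NOTE(review): a script fetched over plain HTTP is run as root with no
  # digest or signature check. Read it and verify it before running.
  wget http://download.ndchost.com/watchmysql/latest-watchmysql || return 1
  sh latest-watchmysql
  rm -f latest-watchmysql
}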
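# Edit /usr/local/lib/php.ini: raise time and upload limits, turn off error
# display, dl(), URL fopen and the PHP version header, add a
# disable_functions list, then restart Apache.
# Returns: exit status of "/scripts/restartsrv http".
phptweak() {
  local ini=/usr/local/lib/php.ini
  cp "$ini" "${ini}.beforetweak"
  # Real single quotes are required here; with the page's typographic quotes
  # every expression was split into words and matched nothing.
  #
  # NOTE(review):
  #  - "eval" is a language construct and "allow_url_fopen" is an ini
  #    directive, so naming them in disable_functions does not disable them.
  #  - The disable_functions edit puts the new list in front of whatever was
  #    already on the line with no comma in between, and adds it again on
  #    every run.
  #  - safe_mode was removed in PHP 5.4; on newer versions that line has no
  #    effect.
  sed -i \
    -e 's/max_execution_time = [0-9]*/max_execution_time = 300/' \
    -e 's/max_input_time = [0-9]*/max_input_time = 600/' \
    -e 's/post_max_size = 8M/post_max_size = 128M/' \
    -e 's/max_file_uploads = 20/max_file_uploads = 32/' \
    -e 's/enable_dl = On/enable_dl = Off/g' \
    -e 's/allow_url_fopen = On/allow_url_fopen = Off/g' \
    -e 's/display_errors = On/display_errors = Off/g' \
    -e 's/display_startup_errors = On/display_startup_errors = Off/g' \
    -e 's/;safe_mode = On/safe_mode = On/g' \
    -e 's/expose_php = On/expose_php = Off/g' \
    -e 's/disable_functions =/disable_functions = eval, show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, symlink/' \
    "$ini"
  /scripts/restartsrv http
}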
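# Set UseDNS no, Protocol 2 and LoginGraceTime 30s in sshd_config (only where
# the stock commented defaults are still present) and restart sshd.
# Returns: 1 if the edited file fails sshd's own syntax check, otherwise the
#          exit status of "/scripts/restartsrv ssh".
sshtweak() {
  local conf=/etc/ssh/sshd_config
  cp "$conf" "${conf}.beforetweak"
  sed -i \
    -e 's/#UseDNS yes/UseDNS no/' \
    -e 's/#Protocol 2,1/Protocol 2/' \
    -e 's/#LoginGraceTime 2m/LoginGraceTime 30s/' \
    "$conf"
  # Check the file before restarting: a restart with a broken sshd_config can
  # leave the host without remote access. On failure, put the backup back.
  if ! /usr/sbin/sshd -t -f "$conf"; then
    cp "${conf}.beforetweak" "$conf"
    return 1
  fi
  /scripts/restartsrv ssh
}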
######################################
#Main Function Starts Here
######################################
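# Main section: takes one argument (the address that alerts are sent to),
# checks for cPanel, then runs the install and tweak steps, asking before the
# optional ones. Each step runs in the background with its output discarded
# while mysleep draws a spinner.
red='\e[0;31m'
green='\e[0;32m'
notice='\e[0;35m'
NC='\e[0m'
CUSTOMEREMAIL=$1

# run_step SPIN_MSG OK_MSG COMMAND [ARG...]
# Runs COMMAND in the background, spins until it exits, and prints OK_MSG
# only if it exited 0. The original printed the success line unconditionally.
run_step() {
  local spin_msg=$1 ok_msg=$2 step_pid
  shift 2
  "$@" > /dev/null 2>&1 &
  step_pid=$!
  mysleep "$spin_msg"
  if wait "$step_pid"; then
    echo -e "\r${green}${ok_msg}${NC}"
  else
    echo -e "\r${red}${spin_msg}: step exited with an error; output was discarded, re-run it by hand to inspect${NC}"
    return 1
  fi
}

# confirm PROMPT: single-key question, true only for y or Y.
confirm() {
  read -p "$1" -n 1 -r
  echo -ne '\n'
  [[ $REPLY =~ ^[Yy]$ ]]
}

if [ "$#" -ne 1 ]; then
  echo -ne "${red}Usage: $0 <Email Address>${NC}"
  echo -ne '\n'
  exit 1
fi
# The address is written into several config files and used inside sed
# expressions, so restrict it to a plain address form before going further.
if ! [[ $CUSTOMEREMAIL =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$ ]]; then
  echo -ne "${red}Usage: $0 <Email Address>${NC}"
  echo -ne '\n'
  exit 1
fi

if [ -f /usr/local/cpanel/cpdavd ]; then
  sleep 1 > /dev/null &
  mysleep "Checking for cPanel.."
  echo -e "\r${notice}Detected cPanel/WHM on the server${NC}"
else
  echo -e "${red}Cound not detect cPanel on your server${NC}"
  # Every later step edits cPanel paths or calls /scripts helpers, so stop
  # here rather than half-apply them on a host without cPanel.
  exit 1
fi

if confirm "Need to install and configure CSF? (y/n)"; then
  if [ -f /usr/sbin/csf ]; then
    echo -e "${notice}CSF installed already on this server${NC}"
    run_step "Updating CSF/LFD" "CSF/LFD has been updated" csfupdateonly
  else
    csfinstall > /dev/null 2>&1 &
    mysleep "Installing CSF"
    if [ -f /usr/sbin/csf ]; then
      echo -e "\r${green}CSF has been installed successfully${NC}"
    else
      echo -e "\r${red}CSF installation error${NC}"
    fi
  fi
  # Only tweak when there is a CSF to tweak.
  if [ -f /usr/sbin/csf ]; then
    run_step "Tweaking CSF" "CSF has been Tweaked" csftweak
  fi
else
  echo -ne "${red}Entered option other than Yes..Skipping CSF installation and configuration${NC}\n"
fi

run_step "Installing ConfigServers Mail Manage" \
  "ConfigServers Mail Manage has been installed" cmminstall
run_step "Installing ConfigServers Mail Queue Manage" \
  "ConfigServers Mail Queue Manage has been installed" cmqinstall
run_step "Installing ConfigServers Mod_Sec Manage" \
  "ConfigServers Mod_Sec Manage has been installed" cmcinstall
run_step "Tweaking cPanel" "cPanel/WHM Settings has been tweaked" cpaneltweak
run_step "Installing Maldet" "RFXN MalDet has been installed and enabled" maldetinstall
run_step "Installing Linux Environment Security" \
  "RFXN Linux Environment Security has been installed" lesinstall
run_step "Installing Linux Socket Monitor" \
  "RFXN Linux Socket Monitor has been installed" lsminstall
run_step "Installing rkhunter" "RkHunter has been installed and configured" rkhunterinstall

# rkhunter's exit status reflects scan findings, so it is not treated as a
# step failure here; results arrive by mail.
rkhunter -c -sk > /dev/null 2>&1 &
mysleep "Running rkhunter scan"
echo -e "\r${green}RkHunter scan has been completed. You will receive an email if it has detected any issues${NC}"

if confirm "Would you like to secure /tmp and /var/tmp? (y/n)"; then
  if [ -f /var/cpanel/version/securetmp_disabled ]; then
    echo -e "\r${red}cPanel securetmp is disabled on this server${NC}"
  else
    # Wait for securetmp to finish before reporting; the original printed the
    # success line while it was still running in the background.
    run_step "Securing /tmp and /var/tmp" \
      "/tmp and /var/tmp have been secured on this server" /scripts/securetmp --auto
  fi
else
  echo -e "${red}/tmp and /var/tmp securing is skipped${NC}"
fi

run_step "Disabling unwanted processes" \
  "Unwanted processes have been disabled. ${notice}Check website for the list of processes that are disabled" \
  disableunproc
run_step "Twaeking FTP" "FTP Server has been tweaked and restarted" ftptweak

if confirm "Would you like to do basic security hardening for MySQL? (y/n)"; then
  cp -p /etc/my.cnf /etc/my.cnf.beforetweak
  run_step "MySQL tweaking.." "MySQL Tweak has been completed" mysqltweak
else
  echo -e "\r${red}MySQL Tweak is skipped by user selection${NC}"
fi

if confirm "Would you like to do basic security hardening for PHP? (y/n)"; then
  run_step "Tweaking PHP" "PHP has been tweaked for better security" phptweak
else
  echo -e "\r${red}PHP Tweak is skipped by user selection${NC}"
fi

if confirm "Would you like to do basic security hardening for SSH? (y/n)"; then
  run_step "Tweaking SSH" "SSH has been tweaked for better security" sshtweak
  # Take the text after the last ':' so an IPv6 listener (":::22") still
  # yields a port, and default to 0 so the numeric test never sees an empty
  # operand.
  SSHPORT=$(netstat -plan | grep ssh | grep LISTEN | awk '{print $4}' | head -1 | awk -F":" '{print $NF}')
  if [ "${SSHPORT:-0}" -eq 22 ]; then
    echo -e "\r${red}SSH running on default port. It is strognly recommended to change it to a custom port${NC}"
  fi
else
  echo -e "\r${red}SSH Tweak is skipped by user selection${NC}"
fi

if confirm "Would you like to do basic security hardening for Apache? (y/n)"; then
  run_step "Tweaking Apache" "Apache Tweak is completed and restarted the service" apachetweak
else
  echo -e "\r${red}Apache Tweak is skipped by user selection${NC}"
fi

echo -e "\r${notice}Checking rDNS for server IP address${NC}"
# hostname -i can print several addresses; use the first one.
MAINIP=$(hostname -i | awk '{print $1}')
RDNS=$(dig +short -x "$MAINIP")
# Quoted tests: an empty or multi-line dig answer breaks an unquoted [ -z ].
if [ -z "$RDNS" ]; then
  echo -e "${notice}No rDNS found for the main IP address…checking in /etc/mailips file…${NC}"
  if [ ! -s /etc/mailips ]; then
    echo -ne "${red}/etc/mailips file is empty….set proper rDNS for main IP address for uninterrupted mail service${NC}"
  else
    while IFS= read -r ip; do
      [ -n "$ip" ] || continue
      RDNS=$(dig +short -x "$ip")
      if [ -z "$RDNS" ]; then
        echo -e "${red}No rDNS found for IP address $ip${NC}"
      else
        echo -e "${green}found rDNS for IP address $ip${NC}"
      fi
    done < <(awk '{print $2}' /etc/mailips)
  fi
else
  echo -ne "${green}Found rDNS for IP address $MAINIP${NC}"
fi
echo -ne '\n'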