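#!/bin/bash
#
# uBuntuLockDown.sh
# Fetch the status of all services
# Author: substance
# Date: 12/31/23 / 4am
# ########################## [ Work in Progress ] ###########################
# The goal of this work in progress (feel free to fork and add if you have ideas) is to basically take a
# freetier/core ubuntu typical LAMP stack box and check the services, disable any unnecessary and check for
# apache2, making sure that ServerSignature is off to not disclose version, etc.
# that's it for now
# see example output below
#
# The shebang has to be the very first line of the file: when it sat below
# this header the kernel ignored it and `./uBuntuLockDown.sh` was run by
# /bin/sh, which has no mapfile, [[ ]] or arrays.
set -euo pipefail

# Initialize arrays for enabled and disabled services
enabled_services=()
disabled_services=()

#######################################
# Sort `service --status-all` output lines into the two arrays above.
# A line looks like " [ + ]  cron" (running) or " [ - ]  apache2" (stopped);
# " [ ? ]  name" lines, whose status is unknown, are skipped as before.
# Globals:   enabled_services, disabled_services (appended to)
# Arguments: one status line per argument
# Returns:   0
#######################################
categorize_services() {
  local line name
  for line in "$@"; do
    if [[ $line =~ \[\ \+\ \]\ (.*) ]]; then
      name=${BASH_REMATCH[1]}
      # the status line has two spaces after "]", so the capture starts with
      # a space; strip leading whitespace so names compare cleanly with what
      # the user types later
      enabled_services+=("${name#"${name%%[![:space:]]*}"}")
    elif [[ $line =~ \[\ \-\ \]\ (.*) ]]; then
      name=${BASH_REMATCH[1]}
      disabled_services+=("${name#"${name%%[![:space:]]*}"}")
    fi
  done
}

mapfile -t services < <(service --status-all 2>&1)
# Categorize services based on their status.  The former hard-coded
# `services=(acpid console-setup.sh ...)` assignment overwrote the status
# lines just read above, so the "[ + ]"/"[ - ]" patterns never matched and
# both lists always came out empty (which is what the sample output at the
# bottom of this file shows).
categorize_services "${services[@]}"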
# Function to display services side by side
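#######################################
# Print enabled and disabled services side by side in two columns.
# Globals:   enabled_services, disabled_services (read)
# Arguments: $1 - optional total width in columns (integer); defaults to the
#            terminal width from `tput cols`, then $COLUMNS, then 80 when
#            neither is available (output redirected to a file or a pipe).
# Outputs:   the two-column table on stdout
# Returns:   0
#######################################
display_services() {
  local cols mid max_lines i
  if [[ -n ${1:-} ]]; then
    cols=$1
  elif ! cols=$(tput cols 2>/dev/null) || [[ -z $cols ]]; then
    # tput fails without a terminal; the former `local cols=$(tput cols)`
    # hid that failure and fed an empty string into the arithmetic below.
    cols=${COLUMNS:-80}
  fi
  mid=$((cols / 2))
  printf "%-${mid}s%-${mid}s\n" "Enabled Services:" "Disabled Services:"
  # one row per index up to the longer of the two lists
  max_lines=${#enabled_services[@]}
  if (( ${#disabled_services[@]} > max_lines )); then
    max_lines=${#disabled_services[@]}
  fi
  for ((i = 0; i < max_lines; i++)); do
    printf "%-${mid}s%-${mid}s\n" "${enabled_services[i]:-}" "${disabled_services[i]:-}"
  done
}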
# Display services
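#######################################
# Return 0 when the named service appears in enabled_services.
# Globals:   enabled_services (read)
# Arguments: $1 - service name as typed by the user
# Returns:   0 if present, 1 otherwise
#######################################
is_enabled_service() {
  local wanted=$1 svc
  for svc in "${enabled_services[@]}"; do
    # tolerate a leading space left behind by the status-line capture
    svc=${svc#"${svc%%[![:space:]]*}"}
    if [[ $svc == "$wanted" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Stop a service now and keep it from starting at boot.
# Arguments: $1 - service name (already checked against enabled_services by
#            the caller)
# Returns:   0 when both steps succeeded, non-zero otherwise
#######################################
disable_service() {
  local svc=$1
  # NOTE(review): update-rc.d only manages SysV-style init links; on a
  # systemd-based Ubuntu a unit may need `systemctl disable` as well — confirm.
  sudo service "$svc" stop && sudo update-rc.d "$svc" disable
}

# Display services
display_services

# Ask the user to disable non-critical services
echo "Do you want to disable any non-critical enabled services? (yes/no)"
# EOF on stdin (e.g. a closed pipe) must not leave `answer` unset
read -r answer || answer=
to_disable=()
# Accept "yes"/"y" in any case: the former comparison against the literal
# "yes" meant that typing YES silently did nothing.
answer=${answer,,}
if [[ $answer == "yes" || $answer == "y" ]]; then
  echo "Enter the names of the services to disable, separated by spaces (e.g., 'mariadb apache2'): "
  read -ra services_to_disable || services_to_disable=()
  for svc in "${services_to_disable[@]}"; do
    if ! is_enabled_service "$svc"; then
      echo "Service $svc is not enabled or not found."
    elif disable_service "$svc"; then
      to_disable+=("$svc")
      echo "$svc has been disabled."
    else
      # previously the success message was printed even when `service stop`
      # or `update-rc.d` had failed
      echo "Failed to disable $svc." >&2
    fi
  done
fi

# List services that were actually disabled
if (( ${#to_disable[@]} > 0 )); then
  echo "Services disabled:"
  printf '%s\n' "${to_disable[@]}"
else
  echo "No services were disabled."
fi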
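# ------------- OUTPUT EXAMPLE FREETIER AWS -------------- #
# Sample session, kept as comments: these lines used to sit in the file
# uncommented, so once the real script had finished bash tried to execute
# each of them (`./lockdown.sh`, `YES`, every service name ...) as a command.
# ./lockdown.sh
# Enabled Services: Disabled Services:
# Do you want to disable any non-critical enabled services? (yes/no)
# YES
# No services were disabled.
# Enabled Services:
# acpid
# apache-htcacheclean
# apparmor
# apport
# chrony
# cron
# dbus
# kmod
# openvpn
# plymouth
# plymouth-log
# procps
# ssh
# ubuntu-fan
# udev
# ufw
# unattended-upgrades
# uuidd
# Disabled Services:
# apache2
# console-setup.sh
# cryptdisks
# cryptdisks-early
# docker
# grub-common
# hibagent
# hwclock.sh
# irqbalance
# iscsid
# keyboard-setup.sh
# lvm2
# lvm2-lvmpolld
# open-iscsi
# open-vm-tools
# rsync
# screen-cleanup
# Not only does the script stop the service, it stops it at boot with update-rc.d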