#!/bin/sh


#############################################################
# declara as variaveis utilizadas pelo sistema
#############################################################

# Script version, and the working directory that receives downloads (src/)
# and configuration backups (bakfiles/).
VERSAO=0.0.1
INSTALLDIR=/usr/local/servidorgerenciado

# php.ini edited by the PHP hardening steps.
PHPINI=/usr/local/lib/php.ini

# Absolute paths of the helper binaries the script calls.
MKDIR=/bin/mkdir
GREP=/bin/grep

# cut is expected in /usr/bin on Debian and in /bin everywhere else.
CUT=/bin/cut
if [ -e /etc/debian_version ]; then
   CUT=/usr/bin/cut
fi

# Step counter shown in front of each hardening step.
i=0

#############################################################
## Funcao para confirmacao
#############################################################
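# Ask the operator for a yes/no answer and store it in the global CONFIRMA.
# Re-prompts until the answer is exactly "y" or "n".
# Returns 0 with a valid answer. If standard input ends before one arrives,
# CONFIRMA is set to "n" (decline) and 1 is returned, so a closed or piped
# stdin can neither loop forever nor approve a change to system files.
funcconfirma() {
   # printf instead of "echo -n": the script runs under /bin/sh, where
   # "echo -n" is not portable.
   printf '%s' "Confirma? (y/n): "
   CONFIRMA=
   while :; do
      if ! read -r CONFIRMA; then
         # End of input: accept a final unterminated "y"/"n", else decline.
         case "${CONFIRMA}" in
            y|n) return 0 ;;
         esac
         CONFIRMA=n
         echo
         return 1
      fi
      case "${CONFIRMA}" in
         y|n) return 0 ;;
      esac
      printf '%s' "Por favor, digite 'y' ou 'n': "
   done
}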


#############################################################
## Funcao para ler email
#############################################################
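# Prompt for the administrator e-mail address and store it in the global
# EMAILADMIN. A value that is already set is kept and nothing is asked.
# The operator confirms the typed value through funcconfirma; a rejected
# value is cleared before asking again (previously the rejected value was
# silently kept, because the retry saw a non-empty EMAILADMIN and returned).
# Returns 1 if standard input ends before a value is confirmed.
leremail() {
   [ "${EMAILADMIN}" = "" ] || return 0
   while :; do
      echo
      printf '%s' "Informe seu email para administrar (nao pode estar n este server): "
      # Stop on end of input instead of prompting forever.
      read -r EMAILADMIN || [ -n "${EMAILADMIN}" ] || return 1
      if [ "${EMAILADMIN}" = "" ]; then
         echo "Voce nao entrou com nenhum email."
      else
         echo "Voce digitou: ${EMAILADMIN}"
      fi
      echo "Verifique se este email esta correto."
      funcconfirma
      if [ "${CONFIRMA}" = "y" ]; then
         echo "Usando ${EMAILADMIN}."
         return 0
      fi
      # Rejected: forget the value so the next round really asks again.
      EMAILADMIN=
   done
}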

#############################################################
## Funcao para ler porta ssh
#############################################################
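# Prompt for the SSH port and store it in the global SSHPORTA.
# A value that is already set is kept and nothing is asked.
# The typed value must be a decimal port number between 1 and 65535: it is
# later written into the firewall configuration, so anything else is refused
# here rather than ending up in a rule file.
# The confirmation is read from CONFIRMA (the original compared SSHPORTA with
# "y", so the answer was ignored), and a rejected value is cleared before
# asking again.
# Returns 1 if standard input ends before a port is confirmed.
lersshport() {
   [ "${SSHPORTA}" = "" ] || return 0
   while :; do
      echo
      printf '%s' "Informe a porta que sera usada para conexao no ssh: "
      read -r SSHPORTA || [ -n "${SSHPORTA}" ] || return 1
      _porta_ok=1
      case "${SSHPORTA}" in
         '')
            echo "Voce nao digitou a porta."
            continue
            ;;
         # Non-digits, a leading zero, or more than five digits.
         *[!0-9]*|0*|??????*)
            _porta_ok=0
            ;;
         *)
            [ "${SSHPORTA}" -le 65535 ] || _porta_ok=0
            ;;
      esac
      if [ "${_porta_ok}" -eq 0 ]; then
         echo "Porta invalida: informe um numero entre 1 e 65535."
         SSHPORTA=
         continue
      fi
      echo "Voce digitou: ${SSHPORTA}"
      echo "Voce quer usar esta porta?"
      funcconfirma
      if [ "${CONFIRMA}" = "y" ]; then
         echo "Usando ${SSHPORTA}."
         return 0
      fi
      # Rejected: forget the value so the next round really asks again.
      SSHPORTA=
   done
}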

#############################################################
## Funcao para ler onde esta a rede publica
#############################################################
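# Prompt for the public network interface and store it in the global REDE.
# A value that is already set is kept and nothing is asked.
# The name is limited to letters, digits, "_", ".", ":" and "-" and to 15
# characters: it is later written between double quotes into the firewall
# configuration, so quotes, slashes or spaces must not get through.
# The confirmation is read from CONFIRMA (the original compared REDE with
# "y", so the answer was ignored), and a rejected value is cleared before
# asking again.
# Returns 1 if standard input ends before an interface is confirmed.
lereth() {
   [ "${REDE}" = "" ] || return 0
   while :; do
      echo
      printf '%s' "Informe a rede publica (se eth0 / eth1): "
      read -r REDE || [ -n "${REDE}" ] || return 1
      case "${REDE}" in
         '')
            echo "Voce nao digitou a interface de rede publica."
            continue
            ;;
         *[!A-Za-z0-9_.:-]*|????????????????*)
            echo "Interface invalida: use apenas letras, numeros, '_', '.', ':' ou '-'."
            REDE=
            continue
            ;;
      esac
      echo "Voce digitou: ${REDE}"
      echo "Esta eh mesmo a rede publica?"
      funcconfirma
      if [ "${CONFIRMA}" = "y" ]; then
         echo "Usando ${REDE}."
         return 0
      fi
      # Rejected: forget the value so the next round really asks again.
      REDE=
   done
}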

#############################################################
  ## forca o protocolo ssh 2
#############################################################
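# Step: make sshd accept protocol 2 only.
# Reads GREP and INSTALLDIR, increments the step counter i, and asks the
# operator through funcconfirma before touching /etc/ssh/sshd_config.
# The file is backed up to ${INSTALLDIR}/bakfiles first; if the edit cannot
# be verified the backup is put back and sshd is not restarted.
# Exits the whole script with status 1 when the backup cannot be written.
# NOTE(review): OpenSSH 7.4 and later no longer ship server support for
# protocol 1, so on such hosts this step changes nothing of substance.
dosshd2() {
   # Arithmetic expansion instead of the bash-only "let" (script is /bin/sh).
   i=$((i + 1))
   echo
   echo "${i}. Configurando o ssh protocolo 2."
   if [ -f /etc/ssh/sshd_config ] && [ "$("${GREP}" '^Protocol' /etc/ssh/sshd_config)" = "Protocol 2" ]; then
      echo "Seu ssh já está usando o protocolo 2."
      return 0
   fi

   echo "Eu descobri que o seu ssh permite o uso do protocolo 1, que eh inseguro."
   echo "Deseja obrigar o uso do protocolo 2 para ssh? Eu posso fazer isto para voce!"
   funcconfirma
   if [ "${CONFIRMA}" != "y" ]; then
      echo "Ok Man, voce quem manda. O seu ssh nao ira forcar o uso do protocolo 2."
      return 0
   fi

   echo "Fazendo o backup do seu ssh..."
   # Trust cp's exit status, not the mere presence of the file: a backup
   # left behind by an earlier run would otherwise hide a failed copy.
   if cp -p /etc/ssh/sshd_config "${INSTALLDIR}/bakfiles/sshd_config.bak"; then
      echo "O backup foi gerado em ${INSTALLDIR}/bakfiles/sshd_config.bak!"
   else
      echo "O backup falhou."
      echo "Abortando operacao."
      exit 1
   fi

   echo "Modificando o arquivo de configuracao..."
   if "${GREP}" -q '^Protocol' /etc/ssh/sshd_config; then
      # An active directive (e.g. "Protocol 2,1") is rewritten in place.
      perl -pi -e 's/^Protocol\s.*$/Protocol 2/' /etc/ssh/sshd_config
   else
      # Otherwise uncomment the stock default line.
      perl -pi -e 's/#Protocol 2,1/Protocol 2/' /etc/ssh/sshd_config
   fi

   # Verify with the same anchored pattern used for the initial check, so
   # that commented lines mentioning "Protocol" do not cause a false failure.
   _ssh_ok=0
   if [ "$("${GREP}" '^Protocol' /etc/ssh/sshd_config)" = "Protocol 2" ]; then
      _ssh_ok=1
      # Never restart onto a file sshd itself rejects: on a remote host a
      # daemon that fails to come back means losing access.
      if command -v sshd >/dev/null 2>&1 && ! sshd -t -f /etc/ssh/sshd_config; then
         _ssh_ok=0
      fi
   fi

   if [ "${_ssh_ok}" -eq 1 ]; then
      echo "Editado com sucesso!"
      echo "Reiniciando o servico SSHd..."
      /etc/init.d/sshd restart
      echo "Pronto. SSH agora forcara o uso do protocolo 2."
   else
      echo "Falhou!"
      echo "Restaurando o backup..."
      mv -f "${INSTALLDIR}/bakfiles/sshd_config.bak" /etc/ssh/sshd_config
      echo "Backup Restaurado."
      echo "Nao foi possivel forcar o uso do protocolo 2."
   fi
}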

#############################################################
 ## desabilita o uso de register_globals no php.ini
#############################################################
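# Step: set "register_globals = Off" in ${PHPINI}.
# Reads GREP, PHPINI and INSTALLDIR, increments the step counter i, and asks
# the operator through funcconfirma before editing. php.ini is backed up to
# ${INSTALLDIR}/bakfiles first; if the edit cannot be verified the backup is
# put back and httpd is not restarted.
# Exits the whole script with status 1 when the backup cannot be written.
# NOTE(review): register_globals was removed in PHP 5.4.0; on newer PHP the
# directive is absent and this step ends in the rollback branch.
doregisterglobalsoff() {
    # Arithmetic expansion instead of the bash-only "let" (script is /bin/sh).
    i=$((i + 1))
    echo
    echo "${i}. Desabilitando register_globals no php.ini"
    if [ "$("${GREP}" '^register_globals =' "${PHPINI}")" = "register_globals = Off" ]; then
      echo
      echo "PHP Register Globals ja esta off."
      return 0
    fi

    echo "O seu php register_globals esta habilitado (On)."
    echo "Por seguranca eh recomendado desabilitar. Eu posso fazer isto para voce."
    funcconfirma
    if [ "${CONFIRMA}" != "y" ]; then
       echo "Ok, ja que insiste, eu nao irei desabilitar o register_globals."
       return 0
    fi

    echo "Fazendo o backup do seu php.ini..."
    # Trust cp's exit status, not the mere presence of the file: a backup
    # left behind by an earlier run would otherwise hide a failed copy.
    if cp -f "${PHPINI}" "${INSTALLDIR}/bakfiles/php.ini-register-globals.bak"; then
       echo "O backup foi salvo em ${INSTALLDIR}/bakfiles/php.ini-register-globals.bak!"
    else
       echo "O backup falhou."
       echo "Abortando instalacao."
       exit 1
    fi

    echo "Alterando php.ini..."
    # Match the directive by its key. The original pasted the current line
    # into the perl expression, where an empty or unusual value changes what
    # the substitution does.
    perl -pi -e 's/^register_globals =.*$/register_globals = Off/' "${PHPINI}"

    if [ "$("${GREP}" '^register_globals =' "${PHPINI}")" = "register_globals = Off" ]; then
       echo "Alterado com sucesso!"
       echo "Reiniciando o servico httpd ..."
       /etc/init.d/httpd restart
       echo "Pronto. register_globals esta desabilitado agora."
    else
       echo "A operacao Falhou!"
       echo "Restaurando o backup..."
       mv -f "${INSTALLDIR}/bakfiles/php.ini-register-globals.bak" "${PHPINI}"
       echo "Backup restaurado."
       echo "Nao fomos capazes de desabilitar o register_globals no php."
    fi
}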

#############################################################
 ## desabilita o uso da enable_dl no php.ini
#############################################################
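# Step: set "enable_dl = Off" in ${PHPINI}.
# Reads GREP, PHPINI and INSTALLDIR, increments the step counter i, and asks
# the operator through funcconfirma before editing. php.ini is backed up to
# ${INSTALLDIR}/bakfiles first; if the edit cannot be verified the backup is
# put back and httpd is not restarted.
# Exits the whole script with status 1 when the backup cannot be written.
dodisabledl() {
    # Arithmetic expansion instead of the bash-only "let" (script is /bin/sh).
    i=$((i + 1))
    echo
    echo "${i}. Desabilitando o uso da funcao enable_dl no php.ini."
    if [ "$("${GREP}" '^enable_dl =' "${PHPINI}")" = "enable_dl = Off" ]; then
      echo
      echo "enable_dl ja esta off."
      return 0
    fi

    echo "O seu php enable_dl esta habilitado (On)."
    echo "Por seguranca eh recomendado desabilitar. "
    echo "Mas nao se preocupe, estou aqui para fazer isto para voce!"
    funcconfirma
    if [ "${CONFIRMA}" != "y" ]; then
       echo "Tudo bem, por seguranca voce deveria  mudar de ideia"
       echo "mas, eu nao irei desabilitar o enable_dl."
       return 0
    fi

    echo "Fazendo o backup do seu php.ini..."
    # Trust cp's exit status, not the mere presence of the file: a backup
    # left behind by an earlier run would otherwise hide a failed copy.
    if cp -f "${PHPINI}" "${INSTALLDIR}/bakfiles/php.ini-enable-dl.bak"; then
       echo "O backup foi salvo em ${INSTALLDIR}/bakfiles/php.ini-enable-dl.bak!"
    else
       echo "O backup falhou."
       echo "Abortando instalacao."
       exit 1
    fi

    echo "Alterando php.ini..."
    # Match the directive by its key. The original pasted the current line
    # into the perl expression, where an empty or unusual value changes what
    # the substitution does.
    perl -pi -e 's/^enable_dl =.*$/enable_dl = Off/' "${PHPINI}"

    if [ "$("${GREP}" '^enable_dl =' "${PHPINI}")" = "enable_dl = Off" ]; then
       echo "Alterado com sucesso!"
       echo "Reiniciando o servico httpd ..."
       /etc/init.d/httpd restart
       echo "Pronto. enable_dl esta desabilitado agora."
    else
       echo "A operacao Falhou!"
       echo "Restaurando o backup..."
       mv -f "${INSTALLDIR}/bakfiles/php.ini-enable-dl.bak" "${PHPINI}"
       echo "Backup restaurado."
       echo "Nao fomos capazes de desabilitar o enable_dl no php."
    fi
}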

#############################################################
 ## altera o upload maximo para 20mb
#############################################################
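# Step: set "upload_max_filesize = 20M" in ${PHPINI}.
# Reads GREP, PHPINI and INSTALLDIR, increments the step counter i, and asks
# the operator through funcconfirma before editing. php.ini is backed up to
# ${INSTALLDIR}/bakfiles first; if the edit cannot be verified the backup is
# put back and httpd is not restarted.
# Exits the whole script with status 1 when the backup cannot be written.
# NOTE(review): PHP also caps request bodies with post_max_size, which this
# step does not touch; a 20M upload needs that limit to be at least as large.
domaxphpupload() {
   # Arithmetic expansion instead of the bash-only "let" (script is /bin/sh).
   i=$((i + 1))
   echo
   echo "${i}. Alterando o upload maximo via php para 20mb."
   if [ "$("${GREP}" '^upload_max_filesize =' "${PHPINI}")" = "upload_max_filesize = 20M" ]; then
      echo
      echo "O php ja permite upload de ate 20M."
      return 0
   fi

   echo "O seu php.ini permite envio de upload de somente 2mb."
   echo "Eh interessante aumentar este limite para 20mb. "
   echo "Se quiser ,eu altero para voce."
   funcconfirma
   if [ "${CONFIRMA}" != "y" ]; then
      echo "Ok, o upload do php continuara o valor padrao."
      return 0
   fi

   echo "Fazendo o backup do seu php.ini..."
   # Trust cp's exit status, not the mere presence of the file: a backup
   # left behind by an earlier run would otherwise hide a failed copy.
   if cp -f "${PHPINI}" "${INSTALLDIR}/bakfiles/php.ini-upload-max.bak"; then
      echo "O backup foi salvo em ${INSTALLDIR}/bakfiles/php.ini-upload-max.bak!"
   else
      echo "O backup falhou."
      echo "Abortando instalacao."
      exit 1
   fi

   echo "Alterando php.ini..."
   # Match the directive by its key. The original pasted the current line
   # into the perl expression, where an empty or unusual value changes what
   # the substitution does.
   perl -pi -e 's/^upload_max_filesize =.*$/upload_max_filesize = 20M/' "${PHPINI}"

   if [ "$("${GREP}" '^upload_max_filesize =' "${PHPINI}")" = "upload_max_filesize = 20M" ]; then
      echo "Alterado com sucesso!"
      echo "Reiniciando o servico httpd ..."
      /etc/init.d/httpd restart
      echo "Pronto. Agora o seu php permite upload de ate 20mb."
   else
      echo "A operacao Falhou!"
      echo "Restaurando o backup..."
      mv -f "${INSTALLDIR}/bakfiles/php.ini-upload-max.bak" "${PHPINI}"
      echo "Backup restaurado."
      echo "Nao fomos capazes de definir para 20mb o limite de upload do php."
   fi
}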

#############################################################
 ## desabilita o uso de diversas funcoes perigosas do php
#############################################################
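# Step: enforce a fixed disable_functions line in ${PHPINI}.
# Reads GREP, PHPINI and INSTALLDIR, increments the step counter i, and asks
# the operator through funcconfirma before editing. If php.ini has no
# disable_functions line one is appended, otherwise the existing line is
# replaced. php.ini is backed up to ${INSTALLDIR}/bakfiles first; if the edit
# cannot be verified the backup is put back and httpd is not restarted.
# Exits the whole script with status 1 when the backup cannot be written.
# NOTE(review): disable_functions is a denylist and should not be the only
# control between a web application and the host. The list also disables
# escapeshellcmd, which applications use to sanitise shell arguments;
# confirm no hosted code depends on it before rolling this out.
dodisablephpfunctions() {
    # Arithmetic expansion instead of the bash-only "let" (script is /bin/sh).
    i=$((i + 1))
    # The exact line to enforce, kept in one place so the check, the append
    # and the replacement cannot drift apart.
    DISABLE_LINE="disable_functions = dl, system, exec, shell_exec, chown, chgrp, escapeshellcmd, putenv, popen, pclose, passthru, proc_open, proc_get_status, proc_nice, proc_close, proc_terminate, posix_ctermid, posix_get_last_error, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_strerror, posix_times, posix_ttyname, posix_uname"
    echo
    echo "${i}. Desabilitando funcoes perigosas no php."
    COUNT=$("${GREP}" -c -e '^disable_functions' "${PHPINI}")
    if [ "$("${GREP}" '^disable_functions' "${PHPINI}")" = "${DISABLE_LINE}" ]; then
       echo
       echo "As funcoes consideradas perigosas ao sistema"
       echo "ja estao desabilitadas."
       return 0
    fi

    echo
    echo "Observei que voce tem funcoes perigosas habilitadas no php, por padrao."
    echo "Se me pedir, eu desabilito elas para voce. O seu sistema ficara mais seguro."
    funcconfirma
    if [ "${CONFIRMA}" != "y" ]; then
       echo "Voce eh quem manda. Nao irei desabilitar nenhuma funcao."
       return 0
    fi

    echo "Fazendo um backup do arquivo de configuracao..."
    # Trust cp's exit status, not the mere presence of the file: a backup
    # left behind by an earlier run would otherwise hide a failed copy.
    if cp -f "${PHPINI}" "${INSTALLDIR}/bakfiles/php.ini-disable-functions.bak"; then
       echo "Backup feito em ${INSTALLDIR}/bakfiles/php.ini-disable-functions.bak!"
    else
       echo "O backup falhou."
       echo "Abortando configuracao."
       exit 1
    fi

    if [ "$COUNT" = "0" ]; then
       echo "Nao encontrei a disable_function no arquivo de configuracao..."
       echo "Vou adicionar diretamente no arquivo  ${PHPINI}"
       {
          echo ""
          echo ";Mofificado por (servidorgerenciado.com.br)"
          echo "${DISABLE_LINE}"
       } >> "${PHPINI}"
    else
       echo "Encontrei o disable_functions no arquivo. Irei configura-lo..."
       # The new line reaches perl through the environment and the old one
       # is matched by its key, so no file content is ever spliced into the
       # perl expression.
       DISABLE_LINE="${DISABLE_LINE}" perl -pi -e 's/^disable_functions.*$/$ENV{DISABLE_LINE}/' "${PHPINI}"
    fi

    if [ "$("${GREP}" '^disable_functions' "${PHPINI}")" = "${DISABLE_LINE}" ]; then
       echo "Alterado com sucesso!"
       echo "Reiniciando servico httpd..."
       /etc/init.d/httpd restart
       echo "Feito. Agora as funcoes perigosas do php estao desabilitadas."
    else
       echo "Falhou!"
       echo "Restaurando o backup..."
       mv -f "${INSTALLDIR}/bakfiles/php.ini-disable-functions.bak" "${PHPINI}"
       echo "Backup restaurado."
       echo "Nao fui capaz de desabilitar as funcoes perigosas do php."
    fi
}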


#############################################################
 ## Altera permissao de arquivos perigosos para root somente.
#############################################################
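# Step: restrict a fixed set of transfer/browser binaries to mode 750 and a
# fixed set of spool/proxy directories to mode 000.
# Increments the step counter i and asks the operator through funcconfirma
# first. Paths that do not exist are skipped. Success is reported per path
# only when chmod actually succeeded; returns 1 if any chmod failed.
# NOTE(review): a package upgrade can reinstall these binaries with their
# default mode, and other tools on the host can still fetch files, so this
# step needs re-checking after updates and does not replace egress filtering.
domudarpermissao() {
   # Arithmetic expansion instead of the bash-only "let" (script is /bin/sh).
   i=$((i + 1))
   echo
   echo "${i}. Restringindo o acesso a arquivos de sistema."
   echo
   echo "Eu posso alterar a permissao de arquivos perigosos"
   echo "para serem executados somente pelo root."
   funcconfirma
   if [ "${CONFIRMA}" != "y" ]; then
      echo "Ok, porem isto deixa seu sistema inseguro."
      return 0
   fi

   _falhas=0
   for _alvo in /usr/bin/rcp /usr/bin/wget /usr/bin/lynx /usr/bin/links /usr/bin/scp; do
      [ -f "${_alvo}" ] || continue
      if chmod 750 "${_alvo}"; then
         echo "Permissao de ${_alvo} alterada para 750."
      else
         echo "Falha ao alterar a permissao de ${_alvo}." >&2
         _falhas=1
      fi
   done
   for _alvo in /etc/httpd/proxy /var/spool/samba /var/mail/vbox; do
      [ -d "${_alvo}" ] || continue
      if chmod 000 "${_alvo}/"; then
         echo "Permissao de ${_alvo}/ alterada para 000."
      else
         echo "Falha ao alterar a permissao de ${_alvo}/." >&2
         _falhas=1
      fi
   done

   # Only claim full success when every chmod went through.
   if [ "${_falhas}" -ne 0 ]; then
      return 1
   fi
   echo "Alterei todas permissoes de arquivos perigosos."
}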



#############################################################
  ## Instalar APF
#############################################################
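# Step: download and install the APF firewall, then optionally apply the
# script's port configuration to /etc/apf/conf.apf and start APF.
# Reads INSTALLDIR, SSHPORTA and REDE, increments the step counter i, and
# asks the operator through funcconfirma before installing and again before
# configuring. Returns 1 if the download, extraction or installer fails, or
# if the port/interface values are not safe to write into conf.apf.
#
# SECURITY: the tarball is fetched over plain HTTP and its install.sh is run
# as root. Nothing on this page provides a checksum, so verification is
# optional: set APF_SHA256 to a digest obtained out of band and the download
# is checked with sha256sum before anything is unpacked.
# NOTE(review): the ingress list below opens 3306 and 6666 to every source;
# confirm each port is really meant to be public on this host.
# NOTE(review): DEVEL_MODE is switched off immediately and SSHPORTA is typed
# by the operator, not read from sshd_config; confirm it is the port sshd
# listens on before "apf -r", or remote access can be cut off.
doapf() {
    # Arithmetic expansion instead of the bash-only "let" (script is /bin/sh).
    i=$((i + 1))
    echo
    echo "${i}. Instalando o APF Firewall."
    echo
    echo "Todo sistema precisa de um firewall. "
    echo "Irei instalar para voce o APF. "
    funcconfirma
    if [ "${CONFIRMA}" != "y" ]; then
        echo "Inslatacao abortada"
        return 0
    fi

    # Run in a subshell so every failure stops the sequence: the original
    # ignored a failed "cd" and would then run ./install.sh from whatever
    # directory it happened to be in.
    if ! (
        cd "${INSTALLDIR}/src" || exit 1
        # -O overwrites a leftover tarball; without it wget saves the new
        # download under a ".1" name and the stale file would be unpacked.
        wget -O apf-current.tar.gz http://www.rfxnetworks.com/downloads/apf-current.tar.gz || exit 1
        if [ -n "${APF_SHA256}" ]; then
            printf '%s  %s\n' "${APF_SHA256}" apf-current.tar.gz | sha256sum -c - || exit 1
        else
            echo "AVISO: download via HTTP sem verificacao de integridade (defina APF_SHA256 para validar)." >&2
        fi
        # Take the directory name from this archive instead of globbing
        # apf-*, which is ambiguous once an older copy is lying around.
        _apfdir=$(tar -tzf apf-current.tar.gz | sed -n -e '1{s|^\./||;s|/.*||;p;}')
        case "${_apfdir}" in
            apf-*) ;;
            *) exit 1 ;;
        esac
        tar -zxf apf-current.tar.gz || exit 1
        rm -f apf-current.tar.gz
        cd "${_apfdir}" || exit 1
        ./install.sh
    ); then
        echo "A instalacao do APF falhou." >&2
        return 1
    fi
    echo
    echo "APF instalado no seu sistema."

    # Optional configuration.
    echo
    echo "Posso aproveitar e usar a minha configuracao"
    echo "recomendada para ambientes cpanel."
    funcconfirma
    if [ "${CONFIRMA}" != "y" ]; then
        return 0
    fi

    if [ "${SSHPORTA}" = "" ]; then
        lersshport
    fi
    # REDE was never asked for (its auto-detection is commented out), which
    # left IFACE_IN/IFACE_OUT empty in conf.apf.
    if [ "${REDE}" = "" ]; then
        lereth
    fi
    #REDE="`${GREP} ETHDEV /etc/wwwacct.conf | ${CUT} -d ' ' -f 2`"
    #SSHPORTA="`${GREP} ^Port /etc/ssh/sshd_config | ${CUT} -d ' ' -f 2`"

    # Both values are written between double quotes into the firewall
    # configuration, so only a plain port number and a plain interface name
    # are accepted.
    case "${SSHPORTA}" in
        ''|*[!0-9]*)
            echo "Porta ssh invalida; /etc/apf/conf.apf nao foi alterado." >&2
            return 1
            ;;
    esac
    case "${REDE}" in
        ''|*[!A-Za-z0-9_.:-]*)
            echo "Interface de rede invalida; /etc/apf/conf.apf nao foi alterado." >&2
            return 1
            ;;
    esac

    # The values reach perl through the environment instead of being spliced
    # into the perl source text.
    # NOTE(review): the EG_UDP_CPORTS pattern ends in "20,21,5"; this looks
    # like a truncated "20,21,53" - confirm against the stock conf.apf.
    SSHPORTA="${SSHPORTA}" REDE="${REDE}" perl -pi -e '
        s/IFACE_IN="eth0"/IFACE_IN="$ENV{REDE}"/;
        s/IFACE_OUT="eth0"/IFACE_OUT="$ENV{REDE}"/;
        s/IG_TCP_CPORTS="22"/IG_TCP_CPORTS="20,$ENV{SSHPORTA},21,25,26,53,80,110,143,161,443,465,623,993,995,2082,2083,2086,2087,2095,2096,3306,6666"/;
        s/IG_UDP_CPORTS=""/IG_UDP_CPORTS="21,53,161,465,623,873"/;
        s/EGF="0"/EGF="1"/;
        s/EG_TCP_CPORTS="21,25,80,443,43"/EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,161,443,465,623,873"/;
        s/EG_UDP_CPORTS="20,21,5"/EG_UDP_CPORTS="20,21,53,161,465,623,873"/;
        s/DEVEL_MODE="1"/DEVEL_MODE="0"/;
    ' /etc/apf/conf.apf

    echo "Iniciando o apf..."
    apf -r
    chkconfig --level 2345 apf on
    echo
    echo "Apf esta agora configurado e definido para iniciar automaticamente."
}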

#############################################################
 ## inicio do script
#############################################################
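# Script entry point: print the banner, make sure the working directories
# exist, then run the hardening steps in order.

# Every step edits files under /etc or /usr, so refuse to start half-working.
if [ "$(id -u)" -ne 0 ]; then
   echo "Este script precisa ser executado como root." >&2
   exit 1
fi

clear
echo "#############################################################"
echo " Script CpanelFacil"
# Print the version from VERSAO so banner and variable cannot disagree.
echo " Versao: ${VERSAO}"
echo " Site: http://www.servidorgerenciado.com.br/cpanel-facil/"
echo " Escrito e mantido por: Danival A. Souza "
echo "#############################################################"
# Twelve blank lines of spacing below the banner.
_linhas=0
while [ "${_linhas}" -lt 12 ]; do
   echo
   _linhas=$((_linhas + 1))
done

## Create the directories the script needs; stop if one cannot be created,
## because the backup and download steps depend on them.
for _dir in "${INSTALLDIR}" "${INSTALLDIR}/src" "${INSTALLDIR}/bakfiles"; do
   if [ ! -d "${_dir}" ]; then
      echo "${_dir} nao existe. Criando..."
      "${MKDIR}" "${_dir}" || exit 1
   fi
done
# bakfiles receives copies of sshd_config and php.ini: keep it root-only.
chmod 700 "${INSTALLDIR}/bakfiles" || exit 1

#leremail
#lersshport
dosshd2
doregisterglobalsoff
dodisabledl
dodisablephpfunctions
domaxphpupload
domudarpermissao
doapf
exit 0;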

