
disk_speed.sh

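#!/bin/bash
###########################################################
## disk_speed.sh
###########################################################
## Measures sequential write and read throughput with dd on the
## filesystem holding $TEST_DIR, appends the figures to a dated
## report under /REPORTS and mails the report with mutt.
##
## Setup:
##   Make a directory /REPORTS (created here if missing)
##   Make a file msg.txt under /REPORTS with the mail body:
##     Hi,
##     The Disk Speed of Hard Drive in the server has been done.
##     For Disk Speed Report, please check the attachment.
##     Thanks & Regards,
##     Unixserveradmin.com Security Team
##
## Needs ~2 GiB free in TEST_DIR while it runs, and root if the
## page cache is to be dropped before the read test.
##
## Fixes relative to the original: the "read" test re-ran the write
## command and never read anything; the write figure was measured
## against the page cache (no fdatasync); the test file was called
## "test" in whatever the cwd happened to be and removed with
## rm -rvdf, i.e. a relative recursive delete.
###########################################################
set -euo pipefail

REPORT_DIR=/REPORTS
# Directory on the filesystem you want to measure (the original used the cwd).
TEST_DIR="${TEST_DIR:-/var/tmp}"
TODAY="$(date +%d%m%y)"
REPORT="$REPORT_DIR/disk_speed.log_$TODAY.txt"
HOST="$(hostname)"
BLOCK_SIZE=1048576   # 1 MiB
BLOCK_COUNT=2048     # 2 GiB of test data
RECIPIENTS=(unixserv@unixserveradmin.com info@unixserveradmin.com)

# /REPORTS also holds mail bodies and other reports; keep it owner-only.
mkdir -p -m 700 "$REPORT_DIR"

# Unpredictable test-file name so no pre-existing path is overwritten or
# deleted; removed on every exit path by the trap.
TEST_FILE="$(mktemp "$TEST_DIR/disk_speed.XXXXXXXX")"
cleanup() { rm -f -- "$TEST_FILE"; }
trap cleanup EXIT

log() { printf '%s\n' "$*" >> "$REPORT"; }

log "================================="
log "THE Disk Speed Report of  Hard Drive in Server $HOST at $(date)"
log "================================="
log "      "
log "      "

log "Check Write Speed of Hard Drive"
log "--------------------------------"
# conv=fdatasync makes dd wait until the data has reached the device before
# it prints the rate; without it the number mostly reflects the page cache.
dd if=/dev/zero of="$TEST_FILE" bs="$BLOCK_SIZE" count="$BLOCK_COUNT" conv=fdatasync 2>&1 | tee -a "$REPORT"
log "      "

log "Check Read Speed of Hard Drive"
log "--------------------------------"
# Best-effort cache drop (root only) so the read really hits the disk, then
# read back the file that was just written.
sync
echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || log "(could not drop page cache; read figure may be served from cache)"
dd if="$TEST_FILE" of=/dev/null bs="$BLOCK_SIZE" 2>&1 | tee -a "$REPORT"
log "      "
log "================================="

# The test file is removed by the EXIT trap.

mutt -s "Disk Speed Report of Server $(printf '%s' "$HOST" | tr 'a-z' 'A-Z')" \
     -a "$REPORT" -- "${RECIPIENTS[@]}" < "$REPORT_DIR/msg.txt"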


report-backup.sh

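#!/bin/bash
#############################################################
## report-backup.sh
#############################################################
## Daily backup report: lists the size (du -hs) of today's and
## yesterday's backup sets under $BACKUPDIR and mails the list.
## It reports what exists on disk; it does not verify backups.
#############################################################
## Setup:
##   Make a directory /REPORTS (created here if missing)
##   Make a file msg.txt under /REPORTS with the mail body:
##     Hi,
##     The Daily Backup of All Servers have Done.
##     The Daily Backup Report is attached with this mail.
##     Thanks & Regards,
##     Unixserveradmin.com Security Team
##
## Changes relative to the original: `set -x`/`set -v` (which dumped
## a full command trace into the cron mail) and the unused `standby=$1`
## are gone; a day with no matching backup is now reported in the
## mailed file instead of surfacing only as a du error on stderr.
#############################################################
set -euo pipefail
# A glob that matches nothing expands to nothing (instead of the literal
# pattern), which is what lets the "no backup found" check below work.
shopt -s nullglob

REPORT_DIR=/REPORTS
BACKUPDIR=/datasrv/
TODAY_TAG="$(date '+%d-%b-%Y-')"
YESTERDAY_TAG="$(date --date='yesterday' '+%d-%b-%Y-')"   # GNU date
REPORT="$REPORT_DIR/Backup.log_$(date +%d%m%y).txt"
RECIPIENTS=(unixserv@unixserveradmin.com info@unixserveradmin.com)

mkdir -p -m 700 "$REPORT_DIR"

log() { printf '%s\n' "$*" >> "$REPORT"; }

# report_set TITLE TAG
# Append one section listing every backup under $BACKUPDIR/*/ whose name
# contains TAG, or an explicit warning when there is none.
report_set() {
  local title=$1 tag=$2
  local -a matches=("$BACKUPDIR"*/*"$tag"*)
  log "      "
  log "===================================="
  log "$title"
  log "===================================="
  log "      "
  if (( ${#matches[@]} == 0 )); then
    log "WARNING: no backup matching *$tag* found under $BACKUPDIR"
  else
    /usr/bin/du -hs -- "${matches[@]}" >> "$REPORT" 2>&1
  fi
  log "      "
}

report_set "Daily Remote Backup Report of the Project on Today" "$TODAY_TAG"
# NOTE(review): this heading names a specific project while the one above
# says "the Project"; kept as written — confirm which wording is intended.
report_set "Daily Remote Backup Report of UPSRTC Project on Yesterday" "$YESTERDAY_TAG"
log "===================================="

mutt -s "Daily Remote Backup Report of the Project" -a "$REPORT" -- "${RECIPIENTS[@]}" < "$REPORT_DIR/msg.txt"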


zombie_process.sh

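#!/bin/bash
###########################################################
## zombie_process.sh
###########################################################
## Find zombie (defunct) processes and ask their parents to
## reap them.
##
## A zombie is already dead; only its process-table entry is left,
## and that disappears when the PARENT calls wait(). Signals sent to
## the zombie itself do nothing. The original script took column 3 of
## `ps -ef` — the PPID — and sent it SIGKILL, so it abruptly killed
## whatever daemon had leaked a child (and, because `grep defunct`
## matched its own command line, also targeted the PPID of the grep).
## SIGCHLD is the correct request; a parent that ignores it has to be
## restarted by an operator, which this script reports rather than does.
###########################################################
set -euo pipefail

# The process state column is the authoritative zombie marker ("Z...").
/bin/ps -eo pid=,ppid=,stat=,comm= | while read -r pid ppid stat comm; do
  [[ "$stat" == Z* ]] || continue
  # PID 1 reaps on its own schedule and must never be force-signalled.
  if (( ppid <= 1 )); then
    printf 'zombie %s (%s) is owned by pid %s; cannot be reaped from here\n' "$pid" "$comm" "$ppid" >&2
    continue
  fi
  printf 'zombie %s (%s): sending SIGCHLD to parent %s\n' "$pid" "$comm" "$ppid"
  kill -s SIGCHLD "$ppid" 2>/dev/null || printf 'could not signal parent %s\n' "$ppid" >&2
done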


service_server.sh

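#!/bin/bash
#################################
# service_server.sh
# Stop unwanted services (SysV / chkconfig based systems).
#
# Disables each service below in runlevels 2 and 4 (first group) or
# in all runlevels (second group), as the original lists did. The
# original wrote `chkconfig NAME off --level 24`, but chkconfig
# expects `chkconfig --level 24 NAME off`, so those lines were
# rejected and the services stayed enabled; it also printed
# "Successful" unconditionally.
#
# NOTE(review): the runlevel-2/4 group includes sshd, ntpd,
# yum-updatesd and xinetd. RHEL boots to runlevel 3 or 5 by default,
# so these entries have no effect there. ip6tables (all runlevels)
# leaves IPv6 unfiltered unless IPv6 is disabled, and smartd is the
# disk health monitor; confirm both are intended.
#################################
set -u

# Services to turn off in runlevels 2 and 4 only.
LEVEL24_SERVICES=(
  cups rhnsd gssd rpcgssd rpcidmapd idmapd acpid iscsi iscsid kdump
  cpuspeed mcstrans mdmonitor microcode_ctl multipathd ntpd avahi-daemon
  httpd mysqld sshd ipsec lm_sensors irqbalance restorecond yum-updatesd xinetd
)

# Services to turn off in every runlevel.
# "rpcimpad" and "acpi" are kept from the original list; they look like
# typos of rpcidmapd / acpid (already in the first group) and are skipped
# as "not installed" if no such service exists.
ALL_LEVEL_SERVICES=(
  isdn anacron sendmail autofs portmap readahead_early readahead_later nfs
  ip6tables smartd kudzu netfs nfslock xfs apmd bluetooth gpm hidd pcscd
  setroubleshoot dovecot haldaemon chargen ypbind atd canna FreeWnn iiim
  mDNSResponder rpcimpad acpi
)

failed=0

# disable SERVICE [LEVELS]
# Turn SERVICE off via chkconfig (in LEVELS if given, else all levels).
# Services that are not installed are skipped; real failures set $failed.
disable() {
  local svc=$1 levels=${2:-}
  if ! chkconfig --list "$svc" >/dev/null 2>&1; then
    printf 'skip %s: not installed\n' "$svc"
    return 0
  fi
  if [[ -n "$levels" ]]; then
    chkconfig --level "$levels" "$svc" off || { printf 'FAILED: %s\n' "$svc" >&2; failed=1; }
  else
    chkconfig "$svc" off || { printf 'FAILED: %s\n' "$svc" >&2; failed=1; }
  fi
}

echo "Task Start Now !!!"
for svc in "${LEVEL24_SERVICES[@]}"; do disable "$svc" 24; done
for svc in "${ALL_LEVEL_SERVICES[@]}"; do disable "$svc"; done

# Report honestly so cron mail is useful.
if (( failed )); then
  echo "Task finished with errors" >&2
  exit 1
fi
echo "Task Successful Done !!!"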


What is the difference between MD5 and SHA

MD5: 128-bit (16-byte) digest. Somewhat faster than SHA-1.
SHA-1: 160-bit (20-byte) digest. The longer output raises the cost of generic brute-force and birthday attacks, but says nothing about structural weaknesses — both functions have since been broken for collision resistance (see below).

MD5 was designed by Ronald Rivest in 1991 and published as RFC 1321 in 1992.
SHA-1 was published by NIST in 1995 (FIPS 180-1), replacing the original SHA of 1993 (now called SHA-0).

The MD5 algorithm is slightly cheaper to compute, but MD5 collisions can be produced in seconds on commodity hardware, so it must not be used anywhere collision resistance matters (signatures, certificates, code signing). SHA-1 followed the same path: the 2005 results described below led experts to consider it broken, and a practical SHA-1 collision was publicly demonstrated in 2017. New designs should use SHA-256 or another SHA-2/SHA-3 function.

The MD5 hashing algorithm uses a hash code which is 16 bytes long whereas SHA1 uses a hash code which is 20 bytes long.

This means that MD5 executes faster but is less secure than SHA1.

However, the security of both these algorithms has been compromised in recent years.

Cryptography Research has received many inquiries about the hash collision attacks that were recently announced at the CRYPTO 2004 conference. This document attempts to address these questions.

(This document was updated on February 16, 2005 to reflect new collision results reported against the SHA-1 algorithm. It is reproduced here for historical context: the 2^69 estimate below was later reduced substantially, and an actual SHA-1 collision was published in 2017.)

Q: What hash functions are now broken?
A: Collisions were announced in SHA-0, MD4, MD5, HAVAL-128, and RIPEMD. Antoine Joux presented the collision in SHA-0. The collisions against MD4, MD5, HAVAL-128, and RIPEMD were found by the Chinese researcher Xiaoyun Wang with co-authors Dengguo Feng, Xuejia Lai, and Hongbo Yu. (See http://eprint.iacr.org/2004/199.pdf.) In February 2005, an (as-yet unimplemented) attack against SHA-1 was reported by Xiaoyun Wang, Lisa Yiqun Yin, and Hongbo Yu that can find collisions in SHA-1 with an estimated effort of 2^69 hash computations.

Q: What is a collision attack and a preimage attack?
A: A preimage attack would enable someone to find an input message that causes a hash function to produce a particular output. In contrast, a collision attack finds two messages with the same hash, but the attacker can’t pick what the hash will be. The attacks announced at CRYPTO 2004 are collision attacks, not preimage attacks.

Q: What is the connection between digital signatures and hash functions?
A: All major digital signature signing techniques (including DSA and RSA) involve first hashing the data then signing the hash. Raw message data is not signed because of both performance and security reasons.

Q: How might an attacker exploit a collision attack?
A: To exploit a collision attack, an adversary would typically begin by constructing two messages with the same hash where one message appears legitimate or innocuous. For example, suppose the attacker (Charlie) discovers that the message “I, Bob, agree to pay Charlie $ 5000.00 on 4/12/2005.” has the same hash as “I, Bob, agree to pay Charlie $18542841.54 on 9/27/2012.” Charlie could then try to get Bob (the victim) to digitally sign the first message (e.g., by purchasing $5000 of goods). Charlie would then claim that Bob actually signed the second message, and “prove” this assertion by showing that Bob’s signature matches the second message.

Q: What are the implications of collision attacks for code signing systems?
A: Collisions can be a problem for systems that involve signed code. In particular, a collision attack can enable adversaries to construct an innocuous program and a malicious program with the same hash. For example, a trusted compiler/verifier might accept and sign the innocuous program, which could then be substituted for the malicious one. Collision attacks do not allow tampering with arbitrary programs; this would require a preimage attack. (Note: at the time this FAQ was written, Java's jarsigner accepted MD5 hashes in signatures on JAR files, e.g. see http://www.hmug.org/man/1/jarsigner.html; current JDKs treat MD5-signed JARs as unsigned.)

Q: What are the implications for certificate authorities, such as those issuing SSL web server certificates containing MD5 or SHA-1 hashes?
A: Collision attacks do not enable tampering with existing certificates. There is, however, a concern that an adversary might be able to construct a valid certificate request that had a corresponding hash collision with a certificate conferring greater or different powers. For example, a devastating attack would be one that enabled adversaries to obtain a legitimate server certificate with a collision to one containing a wildcard for the domain name and an expiration date far in the future. The use of unpredictable serial numbers early in the certificate data structure may prevent such attacks, but further research is required. From a cryptographic perspective, the best solution to this problem is to transition away from MD5, but this is difficult since many CAs and software programs currently support MD5. (Historical note: this concern was realized in December 2008, when researchers used an MD5 chosen-prefix collision to obtain a rogue intermediate CA certificate from a commercial CA; MD5 has since been removed from certificate signing and browsers reject MD5-signed certificates.)

Q: Are all hash functions broken?
A: No. The new attacks affect specific hash functions which happen to share a related class of vulnerabilities. In particular, these attacks are all based on the neutral bit technique of Biham and Chen (see http://eprint.iacr.org/2004/146.ps). There is no evidence suggesting that strong hash functions cannot be constructed.

Q: How hard would it be to find collisions in SHA-1?
A: The reported attacks require an estimated work factor of 2^69 (approximately 590 billion billion) hash computations. While this is well beyond what is currently feasible using a normal computer, this is potentially feasible for attackers who have specialized hardware. For example, with 10,000 custom ASICs that can each perform 2 billion hash operations per second, the attack would take about one year. Computing improvements predicted by Moore ‘s Law will make the attack more practical over time, e.g. making it possible for a wide-spread Internet virus to use compromised computers to mount such attacks as well. Once a collision has been found, additional collisions can be found trivially by concatenating data to the matching messages.

Q: Do these attacks break HMAC using MD5 or SHA-1?
A: No. Because of the way hash functions are used in the HMAC construction, the techniques used in these recent attacks do not apply; HMAC-MD5 and HMAC-SHA-1 remain unbroken by collision attacks. New deployments should nevertheless prefer HMAC-SHA-256, both to avoid relying on a weakened primitive and to stay within current compliance requirements.

Q: Do these attacks allow somebody to break tools that use MD5 or SHA-1 to check for malicious binaries?
A: Not usually, as this would require a preimage attack. It would, however, be possible for someone to construct an innocuous program and a malicious program with the same hash. If this adversary could get the innocuous version on the “good” list (e.g. by having a trusted authority sign the hash value), the malicious program would also be accepted.

Q: What is the difference between SHA-0 and SHA-1? Is SHA-0 widely used?
A: SHA-0 was initially proposed in FIPS 180 (May 1993) as hashing standard by the U.S. government, but was replaced by SHA-1 in FIPS 180-1 (April 1995). SHA-1 adds an additional circular shift operation that appears to have been specifically intended to address the weaknesses found in SHA-0. SHA-0 is not widely used and should not be used in new systems. In light of the new attacks, careful consideration should be made before using SHA-1 in new systems.

Q: Is SSL 3.0/TLS affected by these results?
A: The SSL 3.0 protocol (which was co-authored by Cryptography Research President & Chief Scientist Paul Kocher) uses MD5 and SHA-1 in a redundant fashion in the handshake protocol and also supports MD5 HMAC. Neither use is affected by these attacks. While there is also some concern that signing authorities could be affected (see the question above on certificate authorities), certificate formats and procedures are beyond the scope of the SSL/TLS protocol. (SSL 3.0 itself has since been prohibited by RFC 7568 for unrelated reasons; use TLS 1.2 or later.)

Q: Can the problem be solved by updating hash function implementations to detect the messages that produce collisions?
A: No. The attack methods are general and enable the construction of additional collisions.


shutdown.bat

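@echo off
REM shutdown.bat - power the machine off after a 2 minute countdown.
REM /s selects shutdown; the original omitted it, and "shutdown -t 120"
REM on its own does not shut anything down (it only sets a timer for an
REM action that was never requested). /t is the delay in seconds.
REM The "#" line that followed was not a comment in batch syntax and
REM would have been executed as a command.
REM Abort while the timer runs with: shutdown /a
REM Requires the shutdown privilege (an administrator on most systems).
shutdown /s /t 120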


open-browser.bat

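@echo off
REM open-browser.bat - launch Internet Explorer and Firefox.
REM
REM Paths are built from %ProgramFiles% instead of a hard-coded
REM "C:\Program Files", so the script also works when the system drive is
REM not C:. The empty "" after start is the window title: without it,
REM start treats a quoted program path as the title and opens a console.
REM The original did cd into each folder and started the bare .exe name;
REM when a cd failed (wrong drive, missing folder) start fell back to
REM whatever the name resolved to on PATH, or silently did nothing.
if exist "%ProgramFiles%\Internet Explorer\iexplore.exe" (
    start "" "%ProgramFiles%\Internet Explorer\iexplore.exe"
) else (
    echo Internet Explorer not found under "%ProgramFiles%\Internet Explorer"
)

if exist "%ProgramFiles%\Mozilla Firefox\firefox.exe" (
    start "" "%ProgramFiles%\Mozilla Firefox\firefox.exe"
) else (
    echo Firefox not found under "%ProgramFiles%\Mozilla Firefox"
)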


backup_via_system.bat

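@echo off

REM ---------
REM BACKUP
REM ---------
REM Copies d:\datasrv to a new dated folder under e:\datasrv (removable
REM drive). The original banner claimed the hard drive would be "searched
REM for Documents, Databases, Spreadsheets, and Email" and that the previous
REM backup would be replaced; neither matches the commands, so the text now
REM describes the actual action. Old dated folders are kept.
ECHO -------------------------------------------------------
ECHO CLOSE ALL PROGRAMS and APPLICATIONS NOW!!
ECHO -------------------------------------------------------
ECHO.
ECHO The folder d:\datasrv is about to be copied, with all
ECHO subfolders, to a new dated folder under e:\datasrv on
ECHO your REMOVABLE DEVICE.
ECHO.
ECHO Files already present in that dated folder are overwritten.
ECHO.

pause

echo %computername%

REM Date stamp from %date%. The offsets assume the US format "Ddd MM/DD/YYYY";
REM on other locales the folder name comes out wrong.
REM NOTE(review): a locale-independent source (e.g. wmic os get localdatetime)
REM is safer if the machines are not all US-locale.
set mm=%date:~4,2%
set dd=%date:~7,2%
set yy=%date:~10,4%
set DEST=e:\datasrv\%dd%-%mm%-%yy%

REM Fail early and loudly if the removable drive is not there; the original
REM would let xcopy fail and still look like it had run.
if not exist e:\ (
    echo Removable drive e:\ is not present; nothing copied.
    exit /b 1
)
if not exist "%DEST%" mkdir "%DEST%"

REM /e copies all subfolders including empty ones (/s is implied), /h also
REM copies hidden and system files (a backup that skips them is incomplete),
REM /y suppresses the overwrite prompt as before, /c keeps going after
REM per-file errors instead of aborting the whole copy.
xcopy d:\datasrv\* "%DEST%" /e /h /y /c
if errorlevel 1 (
    echo BACKUP FINISHED WITH ERRORS - check the messages above.
    exit /b 1
)
echo Backup written to %DEST%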


backup_via_network.bat

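@echo off

REM ---------
REM BACKUP
REM ---------
REM Copies c:\backup\data to a new dated folder on a network share.
REM
REM The original used three different targets: it connected to
REM \\192.168.1.2, created the folder on \\192.168.0.2\backup and copied
REM into \\backup\datasrv; at most one of those could have been right.
REM The share is defined once here and used for every step.
REM NOTE(review): confirm the host and share name below.
set SHARE=\\192.168.1.2\backup

ECHO -------------------------------------------------------
ECHO CLOSE ALL PROGRAMS and APPLICATIONS NOW!!
ECHO -------------------------------------------------------
ECHO.
ECHO The folder c:\backup\data is about to be copied, with all
ECHO subfolders, to a new dated folder on %SHARE%.
ECHO.
ECHO Files already present in that dated folder are overwritten.
ECHO.

pause

REM Date stamp from %date%; the offsets assume the US "Ddd MM/DD/YYYY" format.
set mm=%date:~4,2%
set dd=%date:~7,2%
set yy=%date:~10,4%
set DEST=%SHARE%\%mm%-%dd%-%yy%

REM Connect with the current user's credentials; no password is stored in
REM this script. Fail here, before anything is copied, if the share is not
REM reachable or the account has no access.
net use %SHARE% >nul 2>&1
if errorlevel 1 (
    echo Cannot reach %SHARE% - check network and permissions.
    exit /b 1
)

if not exist "%DEST%" md "%DEST%"

REM /e copies all subfolders including empty ones, /h also copies hidden
REM and system files, /y suppresses the overwrite prompt, /c keeps going
REM after per-file errors instead of aborting the whole copy.
xcopy c:\backup\data\* "%DEST%" /e /h /y /c
if errorlevel 1 (
    echo BACKUP FINISHED WITH ERRORS - check the messages above.
    exit /b 1
)
echo Backup written to %DEST%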


backup_via_date.bat

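@echo off
REM backup_via_date.bat - copy c:\backup into a dated folder on e:\.
REM The folder name is MM-DD-YYYY taken from %date%, which assumes the US
REM "Ddd MM/DD/YYYY" format; other locales produce a wrong name.
REM Added: a check that the target drive exists and that xcopy succeeded.
REM The original ran on silently whether or not e:\ was present.
cd c:\
set mm=%date:~4,2%
set dd=%date:~7,2%
set yy=%date:~10,4%
set DEST=e:\backup\%mm%-%dd%-%yy%

if not exist e:\ (
    echo Target drive e:\ is not present; nothing copied.
    exit /b 1
)
if not exist "%DEST%" md "%DEST%"

REM /E all subfolders including empty ones, /F show full source and
REM destination paths, /H hidden and system files, /C continue past
REM per-file errors instead of aborting the whole copy.
xcopy c:\backup\* "%DEST%" /E /F /H /C
if errorlevel 1 (
    echo BACKUP FINISHED WITH ERRORS - check the messages above.
    exit /b 1
)
echo Backup written to %DEST%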


backup_all_drive.bat

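@echo off
REM backup_all_drive.bat - copy c:\backup\data into a dated folder on e:\.
REM The folder name is MM-DD-YYYY taken from %date%, which assumes the US
REM "Ddd MM/DD/YYYY" format; other locales produce a wrong name.
REM Added: a check that the target drive exists and that xcopy succeeded;
REM hidden/system files are now included (a backup without them is
REM incomplete).
set mm=%date:~4,2%
set dd=%date:~7,2%
set yy=%date:~10,4%
set DEST=e:\backup\%mm%-%dd%-%yy%

if not exist e:\ (
    echo Target drive e:\ is not present; nothing copied.
    exit /b 1
)
if not exist "%DEST%" md "%DEST%"

REM /e all subfolders including empty ones, /h hidden and system files,
REM /c continue past per-file errors instead of aborting the whole copy.
xcopy c:\backup\data\* "%DEST%" /e /h /c
if errorlevel 1 (
    echo BACKUP FINISHED WITH ERRORS - check the messages above.
    exit /b 1
)
echo Backup written to %DEST%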






allow_mac.sh

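#!/bin/bash
#############################################################################
# allow_mac.sh - MAC address allow list for the INPUT chain
#
# Flushes the filter table, accepts traffic from the listed source MAC
# addresses, drops everything else and saves the rule set.
#
# Read before relying on this:
# * A MAC address is not authentication. Any host on the same segment can
#   set its interface to a listed value (`ip link set dev eth0 address ...`).
# * `-m mac` only sees the LAST hop's address. Traffic arriving through a
#   router carries the router's MAC, so listing the gateway admits every
#   remote host, and not listing it blocks all routed traffic.
# * Loopback packets carry no Ethernet source MAC, so without the `-i lo`
#   accept below the original cut the host off from its own services
#   (127.0.0.1 DNS, databases, monitoring). Replies to connections the
#   server itself opens (yum, DNS, NTP) arrive from the gateway MAC and
#   were dropped too; the ESTABLISHED,RELATED rule restores them.
# * `iptables -F` flushes INPUT, FORWARD and OUTPUT in the filter table and
#   leaves the chain policies unchanged.
# * Run from the console, or make sure your own MAC is listed first:
#   applying this over SSH from an unlisted host locks you out.
#############################################################################
set -euo pipefail

IPTABLES=/sbin/iptables

# Source MAC addresses allowed to reach this host (placeholders; edit).
ALLOWED_MACS=(
  0A:0B:0C:0D:0E:0F
  1A:1B:1C:1D:1E:1F
  2A:2B:2C:2D:2E:2F
  3A:3B:3C:3D:3E:3F
  4A:4B:4C:4D:4E:4F
  5A:5B:5C:5D:5E:5F
)

"$IPTABLES" -F    # Flush current filter rules

# Keep the host able to talk to itself and to receive replies to its own
# outbound connections.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

for mac in "${ALLOWED_MACS[@]}"; do
  "$IPTABLES" -A INPUT -m mac --mac-source "$mac" -j ACCEPT    # Allow traffic from this MAC
done

"$IPTABLES" -A INPUT -j DROP    # Drop all other traffic

# Persist the rule set so it is reloaded by the iptables service on boot.
/sbin/service iptables save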

#############################################################################



yum_update.sh

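#!/bin/bash
#######################################################
# yum_update.sh
#######################################################
# Runs an unattended `yum update -y`, writes yum's full output and
# exit status to a dated report under /REPORTS and mails the report
# with mutt.
#
# Setup:
#   Make a directory /REPORTS (created here if missing)
#   Make a file msg6.txt under /REPORTS with the mail body:
#     Hi,
#     The Operating and Patch Update process of the server has been completed.
#     For Server update Report, Please check the attached yum_update Report.
#     Thanks & Regards,
#     Unixserveradmin.com Security Team
#
# Fixes relative to the original: the first header line was appended
# with >> and then truncated by a > on the next line; one separator
# went to a ".txts" file; yum's stderr (repository and dependency
# errors) was not captured; the mail claimed completion even when yum
# failed; and the mutt call lacked the "--" that ends the -a list, so
# the recipient addresses were parsed as attachment names.
#######################################################
set -uo pipefail

REPORT_DIR=/REPORTS
REPORT="$REPORT_DIR/Yum_Update_$(date +%d%m%y).txt"
HOST_UPPER="$(/bin/hostname | tr 'a-z' 'A-Z')"
RECIPIENTS=(unixserv@unixserveradmin.com info@unixserveradmin.com)

# The report lists exactly which packages are (un)patched on this host;
# keep the directory owner-only.
/bin/mkdir -p -m 700 "$REPORT_DIR"

log() { printf '%s\n' "$*" >> "$REPORT"; }
blank() { log "                                                            "; }

log "####################################"
log "-- MONTHLY SERVER UPDATE REPORT FOR $HOST_UPPER --"
blank; blank
log "-- DATE : $(date) --"
blank; blank
log "#################################"

# Capture stdout and stderr and record the real exit status.
/usr/bin/yum update -y >> "$REPORT" 2>&1
yum_status=$?

blank; blank; blank; blank; blank
if (( yum_status == 0 )); then
  log "yum update finished successfully (exit status 0)"
  subject="SERVER UPDATE REPORT $HOST_UPPER"
else
  log "WARNING: yum update FAILED with exit status $yum_status - see output above"
  subject="SERVER UPDATE REPORT $HOST_UPPER - FAILED"
fi
log "Thanks & Regards"
log "Unixserveradmin.com Security Team"
blank; blank

mutt -s "$subject" -a "$REPORT" -- "${RECIPIENTS[@]}" < "$REPORT_DIR/msg6.txt"
# Propagate yum's status so cron/monitoring sees a failed run.
exit "$yum_status"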


How to check for duplicate IP addresses in your subnet

Create and execute a script as shown below to find IP addresses that are already in use in a /24 subnet. The example probes 172.16.1.1–172.16.1.254 on eth0; pass a different prefix and interface as arguments (e.g. `./duplicate.sh 192.168.1 eth1`). It uses ARP, so it must run as root and only sees hosts on the local segment.

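#!/bin/bash
###############################################################
# duplicate.sh - probe a /24 for IP addresses already in use
#
# Uses arping in Duplicate Address Detection mode (-D): it sends an
# ARP probe for each address and exits non-zero when some host
# answers, i.e. when that IP is taken. Needs root (raw ARP frames)
# and only covers the local Ethernet segment.
#
# The original wrapped the arping command in echo quotes, so the
# command was printed instead of executed and "$?" was echo's status:
# it could never report anything. The shebang was also written as
# "# /bin/bash", i.e. a plain comment.
#
# Usage: duplicate.sh [PREFIX] [IFACE]    e.g. duplicate.sh 192.168.1 eth0
###############################################################
set -u

PREFIX="${1:-172.16.1}"   # first three octets of the /24
IFACE="${2:-eth0}"
found=0

for i in {1..254}; do
  ip="$PREFIX.$i"
  # -q quiet, -c 2 two probes; a non-zero exit means someone answered.
  if ! arping -q -D -I "$IFACE" -c 2 "$ip"; then
    echo "$ip duplicate"
    found=1
  fi
done

# Exit 1 when at least one address is in use, so the script is usable from cron.
exit "$found"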
##############################################################


sysctl-tunner-update.sh

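#!/bin/bash
##############################################################################
# sysctl-tunner-update.sh
#
# sysctl is the interface for changing parameters of the running Linux
# kernel; /etc/sysctl.conf holds the values read and applied at boot (and
# by `sysctl -p`). This script appends hardening and network-tuning
# entries to that file for:
#   1. limiting network-transmitted configuration for IPv4
#   2. limiting network-transmitted configuration for IPv6
#      (listed in the original header, but no net.ipv6 key is set below)
#   3. ExecShield / address-space randomisation
#   4. SYN-flood mitigation (syncookies)
#   5. reverse-path source address verification
#   6. resistance to IP spoofing against the server's own address
#   7. logging of suspicious packets (martians, source-routed, redirects)
# then rewrites /etc/host.conf and disables a list of services.
##############################################################################

# File the settings are written to; overridable for testing or to target a
# drop-in under /etc/sysctl.d/ instead.
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# sysctlw KEY VALUE
# Append "KEY=VALUE" to $SYSCTL_CONF unless KEY already has an entry there.
#
# The original test was `grep -c $1` — unanchored, unquoted, and with the
# key's dots acting as regex wildcards — so a commented-out line, or a key
# that is merely a prefix of another ("net.ipv4.tcp_retries1" vs
# "net.ipv4.tcp_retries10"), counted as already present and the setting was
# silently skipped. The match is now anchored to a real assignment at the
# start of a line. As before, an existing entry is not changed even if its
# value differs, but that case is now reported so the operator can see that
# the hardening value did not take effect.
sysctlw() {
  local key=$1 value=$2
  local pattern current existing
  # Escape the dots so they match literally; allow whitespace around "=".
  pattern="^[[:space:]]*${key//./\\.}[[:space:]]*="
  current=$(grep -E -- "$pattern" "$SYSCTL_CONF" 2>/dev/null | tail -n 1)
  if [[ -n "$current" ]]; then
    existing=${current#*=}
    existing=${existing//[[:space:]]/}
    if [[ "$existing" != "${value//[[:space:]]/}" ]]; then
      echo "Kept existing sysctl '$key'='$existing' (wanted '$value')"
    fi
    return 0
  fi
  echo "$key=$value" >> "$SYSCTL_CONF"
  echo "Added sysctl preference '$key'='$value'"
}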

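echo "Tuning network stack.."

# Controls IP packet forwarding (this is a server, not a router)
sysctlw "net.ipv4.ip_forward"                  "0"
sysctlw "net.ipv4.conf.default.rp_filter"      "1"

# Controls the System Request debugging functionality of the kernel
sysctlw "kernel.sysrq"                         "0"
sysctlw "kernel.core_uses_pid"                 "0"
sysctlw "net.ipv4.ipfrag_time"                 "30"
sysctlw "net.core.rmem_default"                "262141"
sysctlw "net.core.rmem_max"                    "12582912"
sysctlw "net.ipv4.tcp_rmem"                    "10240 87380 12582912"
sysctlw "net.core.wmem_default"                "262141"
sysctlw "net.core.wmem_max"                    "12582912"
sysctlw "net.ipv4.tcp_wmem"                    "10240 87380 12582912"
sysctlw "net.ipv4.tcp_mem"                     "195584 196096 196608"
sysctlw "net.core.optmem_max"                  "20480"
sysctlw "net.ipv4.tcp_max_tw_buckets"          "360000"
# net.core.hot_list_length no longer exists in current kernels; harmless with sysctl -e
sysctlw "net.core.hot_list_length"             "256"

# Maximum number of packets queued on the INPUT side when the interface
# receives packets faster than the kernel can process them.
# (The original set this key a second time, to 5000, further down; that
# call was a no-op because the key already existed, so 262144 is the value
# that actually applied and the only one kept here.)
sysctlw "net.core.netdev_max_backlog"          "262144"
sysctlw "net.core.somaxconn"                   "262144"
sysctlw "net.ipv4.tcp_reordering"              "3"

# Ignore ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast
# (smurf-style amplification) and bogus ICMP error responses
sysctlw "net.ipv4.icmp_echo_ignore_broadcasts"         "1"
sysctlw "net.ipv4.icmp_ignore_bogus_error_responses"   "1"

# Fewer SYN / SYN-ACK retransmissions so half-open connections expire sooner
sysctlw "net.ipv4.tcp_synack_retries"          "2"
sysctlw "net.ipv4.tcp_syn_retries"             "3"

# Mitigate SYN flood attacks
sysctlw "net.ipv4.tcp_syncookies"              "1"

# Enable timestamps as defined in RFC1323
sysctlw "net.ipv4.tcp_timestamps"              "1"

# Enable selective acknowledgements
sysctlw "net.ipv4.tcp_sack"                    "1"

# By default TCP saves connection metrics in the route cache when a
# connection closes so later connections can reuse them as initial
# conditions. Usually a win, occasionally a slowdown; 1 disables the cache.
sysctlw "net.ipv4.tcp_no_metrics_save"         "1"

# Window scaling lets the transfer window grow beyond 64 KiB
sysctlw "net.ipv4.tcp_window_scaling"          "1"
sysctlw "net.ipv4.tcp_keepalive_time"          "1200"
sysctlw "net.ipv4.tcp_fin_timeout"             "15"
# NOTE(review): tcp_tw_recycle breaks clients behind NAT (their timestamps
# appear out of order and their SYNs are dropped) and the knob was removed
# in Linux 4.12. Kept as in the original; consider removing it.
sysctlw "net.ipv4.tcp_tw_recycle"              "1"

# Log packets with impossible (martian) addresses
sysctlw "net.ipv4.conf.default.log_martians"   "1"
sysctlw "net.ipv4.conf.all.log_martians"       "1"

# Do not accept ICMP redirects; this is not a router
sysctlw "net.ipv4.conf.default.accept_redirects"   "0"
sysctlw "net.ipv4.conf.all.accept_redirects"       "0"
sysctlw "net.ipv4.conf.all.secure_redirects"       "0"

# Do not accept packets carrying the source-route (SRR) option
sysctlw "net.ipv4.conf.default.accept_source_route"   "0"
sysctlw "net.ipv4.conf.all.accept_source_route"       "0"

# Reverse-path source validation as specified in RFC1812
# (default.rp_filter and default.accept_source_route were each requested
# twice in the original; the repeats were no-ops and are dropped here.)
sysctlw "net.ipv4.conf.all.rp_filter"          "1"

# Do not send redirects; this is a server, not a router
sysctlw "net.ipv4.conf.default.send_redirects" "0"
sysctlw "net.ipv4.conf.default.mc_forwarding"  "0"
sysctlw "net.ipv4.conf.default.forwarding"     "0"
sysctlw "net.ipv4.conf.all.bootp_relay"        "0"
sysctlw "net.ipv4.conf.all.proxy_arp"          "0"

# ARP neighbour table sizing
sysctlw "net.ipv4.neigh.default.gc_thresh3"    "2048"
sysctlw "net.ipv4.neigh.default.gc_thresh2"    "1024"
sysctlw "net.ipv4.neigh.default.gc_thresh1"    "32"
sysctlw "net.ipv4.neigh.default.gc_interval"   "30"
sysctlw "net.ipv4.neigh.default.proxy_qlen"    "96"
sysctlw "net.ipv4.neigh.default.unres_qlen"    "6"

# TCP options
sysctlw "net.ipv4.tcp_dsack"                   "0"
sysctlw "net.ipv4.tcp_fack"                    "0"
sysctlw "net.ipv4.tcp_ecn"                     "0"
sysctlw "net.ipv4.tcp_max_syn_backlog"         "2048"
sysctlw "net.ipv4.tcp_retries2"                "15"
sysctlw "net.ipv4.tcp_retries1"                "3"
# Ignore RSTs that arrive while in TIME-WAIT (RFC 1337 "TIME-WAIT assassination")
sysctlw "net.ipv4.tcp_rfc1337"                 "1"
# Old (ip_conntrack) and current (nf_conntrack) names for the same limit
sysctlw "net.ipv4.netfilter.ip_conntrack_max"  "1048576"
sysctlw "net.nf_conntrack_max"                 "1048576"
sysctlw "sunrpc.tcp_slot_table_entries"        "32"
sysctlw "sunrpc.udp_slot_table_entries"        "32"
sysctlw "net.unix.max_dgram_qlen"              "50"
sysctlw "net.core.dev_weight"                  "64"

# ExecShield (RHEL 5 only; the key is absent on other kernels) and ASLR.
# randomize_va_space=1 randomises stack, mmap base and VDSO but leaves the
# heap (brk) base predictable; 2 randomises brk as well and is the value
# hardening baselines expect. The original set 1.
sysctlw "kernel.exec-shield"                   "1"
sysctlw "kernel.randomize_va_space"            "2"

echo "Optimizing filesystem..."

sysctlw "fs.file-max"                          "209708"
# Ignore Ctrl-Alt-Del at the console
sysctlw "kernel.ctrl-alt-del"                  "0"

echo "Optimizing kernel..."

sysctlw "kernel.printk"                        "4 4 1 7"
# kernel.maps_protect was removed in 2.6.27 (the protection became unconditional)
sysctlw "kernel.maps_protect"                  "1"
# Lowest address a process may mmap; blocks the NULL-page mappings used by
# kernel NULL-pointer-dereference exploits
sysctlw "vm.mmap_min_addr"                     "65536"
sysctlw "vm.page-cluster"                      "6"
sysctlw "kernel.shmmax"                        "67108864"

echo "Setting up host.conf..."

# NOTE(review): glibc on Red Hat systems resolves via /etc/nsswitch.conf;
# the "order" and "nospoof" keywords in /etc/host.conf are accepted but
# ignored there. Kept for systems where they still apply.
cp /etc/host.conf /etc/host.conf.bak

cat <<'HOSTCONF' >/etc/host.conf
order bind,hosts
multi on
nospoof on
HOSTCONF

# Apply the file now. The original backgrounded this with all output
# discarded, so a bad key or a typo was never seen, and the route flush
# below could run before the settings were loaded. -e makes sysctl keep
# going past keys this kernel does not have (exec-shield, hot_list_length,
# maps_protect) instead of stopping at the first one.
if ! /sbin/sysctl -e -p; then
  echo "WARNING: sysctl -p reported errors; review the output above" >&2
fi
/sbin/sysctl -w net.ipv4.route.flush=1

echo "Disabling unneeded services..."

# NOTE(review): the original list also disabled auditd (the Linux audit
# daemon that records the security events a hardening baseline depends on)
# and ip6tables (the only filter for IPv6 traffic unless IPv6 is disabled
# outright). Both are deliberately left running; re-add them here only if
# that loss is understood.
for svc in acpid anacron autofs avahi-daemon bluetooth cpuspeed \
  gpm irqbalance mcstrans netfs nfslock pcscd \
  portmap rpcgssd rpcidmapd setroubleshoot xfs; do
  service "$svc" stop &>/dev/null
  # Disable in every runlevel; the original used --level 3 only, so the
  # services came back on a host that boots to runlevel 5.
  chkconfig "$svc" off &>/dev/null
done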
