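#!/bin/bash
#
# AsteriskNow 1.7 hardening kick-start, part 1: banner, secret collection,
# service trimming and NTP.
#
# Sets vPasswordAdminSSH (operator supplied) and PasswordManager,
# PasswordRootSQL, PasswordAstSQL (generated); the rest of the script reads
# these four variables, so their names must not change.

# Every step below edits system configuration, so refuse to start half-way
# as an unprivileged user.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi

# Emit one 12-character secret drawn from the 64-symbol set [._A-Za-z0-9]
# (about 72 bits). The set is quoted so the shell cannot glob-expand it
# against files in the current directory, and LC_ALL=C keeps tr byte-oriented
# on the raw /dev/urandom stream. None of these symbols is special in the
# sed replacements or SQL literals the secrets are pasted into later.
gen_password() {
  LC_ALL=C tr -dc '._[:alnum:]' < /dev/urandom | head -c12
}

clear
echo "--------------------------------------------"
echo "AsteriskNow 1.7 Hardening script"
echo "(C) 2010 Francois Harvey, gestion medsecure"
echo "http://francoisharvey.ca - http://medsecure.ca"
echo "Twitter : @FrancoisHarvey @medsecure"
echo "--------------------------------------------"
echo "This script is ONLY for kickstarting a NEW Installation"
echo "Don't EVER try this script on a existing server (bad thing will happen!)"
echo "--------------------------------------------"
echo "Press any key to continue... (or Ctrl+C to stop now)"
read -r

echo "First, we need a new admin password (Choose a strong one !)"
# IFS= and -r keep the password exactly as typed (no backslash processing,
# no trimming of leading/trailing blanks). The loop re-prompts until the
# value is usable by the later steps, which paste it into a sed replacement,
# a single-quoted SQL literal and a PHP configuration file.
while :; do
  IFS= read -r -e -s -p "Admin password : " vPasswordAdminSSH || exit 1
  echo    # terminate the silent prompt line
  case "$vPasswordAdminSSH" in
    '')
      echo "The admin password must not be empty." >&2
      ;;
    *[\'\"\\/\&\$]*)
      # ' and \ break the SQL literal, / & \ break the sed replacement;
      # " and $ are rejected as well because the quoting used inside the
      # PHP file is not visible from this script.
      echo "The admin password must not contain ' \" \\ / & or \$ (they would corrupt the configuration written later)." >&2
      ;;
    *)
      break
      ;;
  esac
done

PasswordManager=$(gen_password)
PasswordRootSQL=$(gen_password)
PasswordAstSQL=$(gen_password)

# A short or empty secret here would later be written into the MySQL and
# Asterisk configuration as the real password, so stop before any change.
for generated in "$PasswordManager" "$PasswordRootSQL" "$PasswordAstSQL"; do
  if [ "${#generated}" -ne 12 ]; then
    echo "Password generation failed (is /dev/urandom readable?)." >&2
    exit 1
  fi
done
unset generated

# The four secrets are shown in clear on purpose so the operator can record
# them; they therefore also land in terminal scrollback and in any session
# log that is capturing this console.
echo "--------------------------------------------"
echo "Before proceding please confirm (and write it down somewhere) :"
echo "MySQL root password : $PasswordRootSQL (auto-generated)"
echo "MySQL asteriskuser password : $PasswordAstSQL (auto-generated)"
echo "Asterisk Manager password : $PasswordManager (auto-generated)"
echo "Admin password (ssh/ari/gui): $vPasswordAdminSSH (user specified)"
echo
echo "Press any key to continue... (or Ctrl+C to stop now)"
read -r

echo "Desactivate non essential services..."
# chkconfig only changes what starts at boot; services that are already
# running keep running until the reboot requested at the end of the script.
# Failures (service not installed) are tolerated, as in the original.
for svc in anacron atd cpuspeed netfs smartd pcscd cups mcstrans \
           nfslock rpcgssd rpcidmapd portmap nfs; do
  chkconfig "$svc" off
done

echo "Configuring and starting NTP"
chkconfig --levels 235 ntpd on
# One-shot clock step before the daemon takes over.
ntpdate 0.pool.ntp.org
/etc/init.d/ntpd start

echo "Stronger shell security and no more root remote login..."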
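# AsteriskNow hardening, part 2: login policy, SSH, admin account, MySQL and
# Asterisk/FreePBX credentials.
#
# Reads vPasswordAdminSSH, PasswordManager, PasswordRootSQL and
# PasswordAstSQL, which the earlier part of the script sets.

# An empty secret would turn the substitutions below into "remove the
# password", so abort before touching anything.
: "${vPasswordAdminSSH:?admin password is not set}"
: "${PasswordManager:?manager password is not set}"
: "${PasswordRootSQL:?MySQL root password is not set}"
: "${PasswordAstSQL:?MySQL asterisk password is not set}"

# The admin password is operator input and is pasted into a sed replacement
# and a single-quoted SQL literal further down; escape it once per sink.
# sed replacement: \ / and & are special.
admin_pw_sed=$(printf '%s' "$vPasswordAdminSSH" | sed -e 's/[\/&]/\\&/g')
# SQL literal: double backslashes, then double single quotes.
admin_pw_sql=$(printf '%s' "$vPasswordAdminSSH" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")

# --- login policy and SSH -------------------------------------------------
# NOTE(review): on PAM-based systems the minimum length for passwd is
# usually enforced by the PAM password module rather than login.defs;
# confirm this setting is actually effective on the target.
sed -i -e 's/PASS_MIN_LEN.*/PASS_MIN_LEN 8/' /etc/login.defs

# Rewrite the directive whether it is still the commented-out default or
# already active; the original only matched the literal
# "#PermitRootLogin yes" and left an uncommented "yes" in place.
sed -i -e 's/^[[:space:]]*#\{0,1\}[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
if ! grep -q '^PermitRootLogin no' /etc/ssh/sshd_config; then
  # Not appended automatically: a line added after a Match block would be
  # scoped to that block.
  echo "WARNING: PermitRootLogin was not found in /etc/ssh/sshd_config; set 'PermitRootLogin no' by hand." >&2
fi

authconfig --passalgo=sha512 --update

# Shell idle timeout and fixed history file. Each line is added only if it
# is missing: a second "readonly TMOUT=900" would fail at every login
# because the variable is already read-only.
profile_snippet=/etc/profile.d/bash-security.sh
for profile_line in "readonly TMOUT=900" "readonly HISTFILE"; do
  if ! grep -qxF -- "$profile_line" "$profile_snippet" 2>/dev/null; then
    echo "$profile_line" >> "$profile_snippet"
  fi
done
chmod +x "$profile_snippet"

# Direct root logins on the first virtual console only.
echo "tty1" > /etc/securetty
chmod 700 /root

# MOTD
echo "" > /etc/motd

# --- admin account --------------------------------------------------------
echo "Creating the new SSH admin account..."
adduser --comment "AsteriskNow Administrator" --groups wheel admin
# printf with a quoted argument: an unquoted "echo $var" would word-split
# and glob-expand the password (and misread one that starts with "-n").
printf '%s\n' "$vPasswordAdminSSH" | passwd --stdin admin

echo "Fixing Asterisk CDR issues (Installing asterisk16-addons-mysql)..."
yum -y install asterisk16-addons-mysql

echo "Stronger permission on asterisk manager configuration..."
chmod 640 /etc/asterisk/manager.conf

# --- MySQL ----------------------------------------------------------------
echo "Restricted mysql to localhost..."
# Only under the [mysqld] header itself (the original pattern also matched
# headers such as [mysqld_safe]) and only once. Takes effect when mysqld is
# next started.
if ! grep -q '^skip-networking' /etc/my.cnf; then
  sed -i -e '/^\[mysqld\]/a\skip-networking' /etc/my.cnf
fi

echo "Changing MySQL password..."
# New passwords travel on stdin, not on the command line, so they do not
# show up in the process list.
# NOTE(review): this changes only the account the connection authenticates
# as; any other default accounts the install created are untouched --
# verify with the distribution's MySQL hardening procedure.
printf "SET PASSWORD = PASSWORD('%s');\n" "$PasswordRootSQL" | mysql -u root
# -pfpbx is the stock password that is being replaced here.
printf "SET PASSWORD = PASSWORD('%s');\n" "$PasswordAstSQL" | mysql -u freepbx -pfpbx

conf_files=(
  /etc/asterisk/manager.conf
  /etc/asterisk/phpagi.conf
  /etc/amportal.conf
  /etc/asterisk/cdr_mysql.conf
)
# NOTE(review): these are plain substring replacements of the stock values;
# any other occurrence of "fpbx" or "amp111" in these files is rewritten as
# well. The generated passwords contain only [._A-Za-z0-9], so they need no
# escaping in the replacement.
sed -i -e "s/fpbx/$PasswordAstSQL/g" "${conf_files[@]}"

echo "Changing Manager password..."
sed -i -e "s/amp111/$PasswordManager/g" "${conf_files[@]}"

# --- ARI / FreePBX --------------------------------------------------------
echo "Changing ARI password..."
# NOTE(review): the password that also unlocks the SSH "admin" account
# (member of wheel) is stored here in clear text; check the mode and owner
# of both files, or use a separate password for the web interfaces.
printf '%s\n' "ARI_ADMIN_USERNAME=admin" >> /etc/amportal.conf
printf 'ARI_ADMIN_PASSWORD=%s\n' "$vPasswordAdminSSH" >> /etc/amportal.conf
sed -i -e "s/ari_password/$admin_pw_sed/g" /var/www/html/recordings/includes/main.conf.php

echo "Changing FreePBX password..."
# Credentials go through a private option file (mktemp creates it 0600)
# instead of -p<password> on the command line.
mysql_cnf=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$mysql_cnf"' EXIT
printf '[client]\nuser=freepbx\npassword=%s\n' "$PasswordAstSQL" > "$mysql_cnf"
printf "UPDATE ampusers SET password_sha1 = SHA1('%s') WHERE username = 'admin';\n" "$admin_pw_sql" \
  | mysql --defaults-extra-file="$mysql_cnf" asterisk
rm -f -- "$mysql_cnf"
trap - EXIT

# --- restart --------------------------------------------------------------
echo "Restarting services...."
amportal stop
echo "Stopping asterisk (amportal should have done it)..."
/etc/init.d/asterisk stop
amportal start

echo "Installing all FreePBX packages..."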
# AsteriskNow hardening, part 3: install every FreePBX module, then tell the
# operator what to do next.
#
# The installer is invoked twice, exactly as in the original.
# NOTE(review): presumably the second pass picks up modules whose
# dependencies were only satisfied by the first -- confirm.
for _pass in 1 2; do
  /var/lib/asterisk/bin/module_admin installall
done

# Closing banner; the quoted delimiter keeps the text literal.
cat <<'EOF'
--------------------------------------------
You should reboot you system now
After login to the GUI and -apply config-
--------------------------------------------
EOF