UML-Cyber-Security · rohan-ap457 · Dec 3, 2024 · Jan 16, 2025 · Jan 16, 2025 · Jan 20, 2025
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# Variables
+GRAYLOG_VERSION="4.5.6" # Update to the desired Graylog version
+OPENSEARCH_VERSION="2.9.0" # Update to the desired OpenSearch version
+MONGO_VERSION="6.0" # Update to the desired MongoDB version
+MONGO_BACKUP_PATH="/backup/mongo_$(date +%Y%m%d_%H%M%S)"
+CONFIG_BACKUP_PATH="/backup/graylog_config_$(date +%Y%m%d_%H%M%S)"
+OPENSEARCH_SNAPSHOT_PATH="/backup/opensearch_snapshot_$(date +%Y%m%d_%H%M%S)"
+LOG_FILE="/var/log/graylog_opensearch_mongo_upgrade.log"
+
+# Functions
+log() {
+    echo "$(date +%Y-%m-%d_%H:%M:%S) - $1" | tee -a $LOG_FILE
+}
+
+# Step 1: Stop Graylog Services
+log "Stopping Graylog service..."
+sudo systemctl stop graylog-server
+
+# Step 2: Backup MongoDB
+log "Backing up MongoDB..."
+mkdir -p $MONGO_BACKUP_PATH
+mongodump --db graylog --out $MONGO_BACKUP_PATH
+if [[ $? -ne 0 ]]; then
+    log "Error during MongoDB backup. Aborting!"
+    exit 1
+fi
+
+# Step 3: Backup Graylog Configuration
+log "Backing up Graylog configuration..."
+mkdir -p $CONFIG_BACKUP_PATH
+cp /etc/graylog/server/server.conf $CONFIG_BACKUP_PATH
+if [[ $? -ne 0 ]]; then
+    log "Error during configuration backup. Aborting!"
+    exit 1
+fi
+
+# Step 4: Backup OpenSearch Data
+log "Creating an OpenSearch snapshot..."
+mkdir -p $OPENSEARCH_SNAPSHOT_PATH
+curl -XPUT "http://localhost:9200/_snapshot/my_backup" -H 'Content-Type: application/json' -d '{
+  "type": "fs",
+  "settings": {
+    "location": "'$OPENSEARCH_SNAPSHOT_PATH'",
+    "compress": true
+  }
+}'
+
+curl -XPUT "http://localhost:9200/_snapshot/my_backup/snapshot_$(date +%Y%m%d)" -H 'Content-Type: application/json'
+if [[ $? -ne 0 ]]; then
+    log "Error during OpenSearch snapshot creation. Aborting!"
+    exit 1
+fi
+
+# Step 5: Stop OpenSearch and MongoDB
+log "Stopping OpenSearch and MongoDB services..."
+sudo systemctl stop opensearch
+sudo systemctl stop mongod
+
+# Step 6: Upgrade MongoDB
+log "Upgrading MongoDB to version $MONGO_VERSION..."
+# Update the MongoDB repository to point to the new version
+wget -qO - https://www.mongodb.org/static/pgp/server-$MONGO_VERSION.asc | sudo apt-key add -
+echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/$MONGO_VERSION multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-$MONGO_VERSION.list
+
+sudo apt update && sudo apt install -y mongodb-org
+if [[ $? -ne 0 ]]; then
+    log "Error during MongoDB upgrade. Aborting!"
+    exit 1
+fi
+
+# Step 7: Upgrade OpenSearch
+log "Upgrading OpenSearch to version $OPENSEARCH_VERSION..."
+sudo apt update && sudo apt install -y opensearch=$OPENSEARCH_VERSION
+if [[ $? -ne 0 ]]; then
+    log "Error during OpenSearch upgrade. Aborting!"
+    exit 1
+fi
+
+# Step 8: Upgrade Graylog
+log "Upgrading Graylog to version $GRAYLOG_VERSION..."
+sudo apt update && sudo apt install -y graylog-server=$GRAYLOG_VERSION
+if [[ $? -ne 0 ]]; then
+    log "Error during Graylog upgrade. Aborting!"
+    exit 1
+fi
+
+# Step 9: Start Services
+log "Starting MongoDB, OpenSearch, and Graylog services..."
+sudo systemctl start mongod
+sudo systemctl start opensearch
+sudo systemctl start graylog-server
+
+# Step 10: Verify Services
+log "Verifying MongoDB service..."
+sudo systemctl status mongod | tee -a $LOG_FILE
+
+log "Verifying OpenSearch service..."
+sudo systemctl status opensearch | tee -a $LOG_FILE
+
+log "Verifying Graylog service..."
+sudo systemctl status graylog-server | tee -a $LOG_FILE
+
+log "Upgrade completed successfully!"
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Apply security-hardening sysctl settings
+
+echo "Applying security-hardening sysctl settings..."
+
+# Set sysctl parameters
+sysctl -w net.ipv4.conf.all.log_martians=1
+sysctl -w net.ipv4.icmp_ignore_broadcasts=1
+sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+sysctl -w net.ipv4.conf.all.rp_filter=1
+sysctl -w net.ipv4.conf.default.rp_filter=1
+sysctl -w net.ipv4.tcp_syncookies=1
+sysctl -w kernel.randomize_va_space=2
+sysctl -w kernel.panic=10
+sysctl -w fs.protected_hardlinks=1
+sysctl -w fs.protected_symlinks=1
+
+# Persist settings across reboots
+cat << EOF > /etc/sysctl.d/security_hardening.conf
+net.ipv4.conf.all.log_martians=1
+net.ipv4.icmp_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.tcp_syncookies=1
+kernel.randomize_va_space=2
+kernel.panic=10
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+EOF
+
+# Reload sysctl settings
+sysctl --system
+
+echo "Security-hardening sysctl settings applied."
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# Backup existing SSH configuration files
+echo "Backing up /etc/ssh/sshd_config to /etc/ssh/sshd_config.bak..."
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+cp -r /etc/ssh/sshd_config.d /etc/ssh/sshd_config_bak.d
+
+# Create backup directory if it doesn't exist
+mkdir -p /etc/ssh/sshd_config_bak.d
+mkdir -p /etc/ssh/sshd_config_bak_danger.d
+
+# SSH Configurations - Apply the hardening settings
+echo "Applying SSH hardening configurations..."
+
+# Disable root login
+sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+
+# Use only Protocol 2
+sed -i 's/^#Protocol.*/Protocol 2/' /etc/ssh/sshd_config
+
+# Set log level to verbose
+sed -i 's/^#LogLevel.*/LogLevel VERBOSE/' /etc/ssh/sshd_config
+
+# Set MaxAuthTries to 4
+sed -i 's/^#MaxAuthTries.*/MaxAuthTries 4/' /etc/ssh/sshd_config
+
+# Ignore Rhosts
+sed -i 's/^#IgnoreRhosts.*/IgnoreRhosts yes/' /etc/ssh/sshd_config
+
+# Disable host-based authentication
+sed -i 's/^#HostBasedAuthentication.*/HostBasedAuthentication no/' /etc/ssh/sshd_config
+
+# Disable PermitUserEnvironment
+sed -i 's/^#PermitUserEnvironment.*/PermitUserEnvironment no/' /etc/ssh/sshd_config
+
+# Disable empty passwords
+sed -i 's/^#PermitEmptyPasswords.*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
+
+# Set ClientAliveInterval to 300 seconds
+sed -i 's/^#ClientAliveInterval.*/ClientAliveInterval 300/' /etc/ssh/sshd_config
+
+# Set ClientAliveCountMax to 0
+sed -i 's/^#ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config
+
+# Set LoginGraceTime to 60 seconds
+sed -i 's/^#LoginGraceTime.*/LoginGraceTime 60/' /etc/ssh/sshd_config
+
+# Set MaxStartups to 10:30:60
+sed -i 's/^#MaxStartups.*/MaxStartups 10:30:60/' /etc/ssh/sshd_config
+
+# Set MaxSessions to 10
+sed -i 's/^#MaxSessions.*/MaxSessions 10/' /etc/ssh/sshd_config
+
+# Configure Ciphers for secure SSH
+sed -i 's/^#Ciphers.*/Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
+
+# Configure MACs for secure SSH
+sed -i 's/^#MACs.*/MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
+
+# Configure KEX algorithms for secure SSH
+sed -i 's/^#KexAlgorithms.*/KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config
+
+# Disable TCP forwarding
+sed -i 's/^#AllowTcpForwarding.*/AllowTcpForwarding no/' /etc/ssh/sshd_config
+
+# Disable X11 forwarding
+sed -i 's/^#X11Forwarding.*/X11Forwarding no/' /etc/ssh/sshd_config
+
+# Restart SSH service again to apply changes
+echo "Restarting SSH service again to apply forwarding changes..."
+systemctl restart sshd
+
+echo "SSH hardening and configurations are complete."
@@ -0,0 +1,146 @@
+#!/bin/bash
+
+# Backup existing SSH configuration files
+echo "Backing up /etc/ssh/sshd_config to /etc/ssh/sshd_config.bak..."
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+cp -r /etc/ssh/sshd_config.d /etc/ssh/sshd_config_bak.d
+
+# Create backup directory if it doesn't exist
+mkdir -p /etc/ssh/sshd_config_bak.d
+mkdir -p /etc/ssh/sshd_config_bak_danger.d
+
+# SSH Configurations - Apply the hardening settings
+echo "Applying SSH hardening configurations..."
+
+# Write out the custom sshd_config based on the provided template
+
+cat <<EOL > /etc/ssh/sshd_config
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+Protocol 2
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+
+LoginGraceTime 60
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 4
+MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+AuthorizedKeysFile     .ssh/authorized_keys  #.ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+AllowTcpForwarding no
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 0
+#UseDNS no
+#PidFile /run/sshd.pid
+MaxStartups 10:30:60
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server
+EOL
+
+# Restart SSH service to apply changes
+echo "Restarting SSH service to apply changes..."
+systemctl restart sshd
+
+echo "SSH hardening and configurations are complete."