chapmanjacobd/ctf_insects.sh

## ctf_insects.sh
#!/bin/bash
# create new user
adduser -m --disabled-password --gecos "" bluehat
usermod -aG sudo bluehat
#usermod -aG wheel bluehat
echo "bluehat  ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
su bluehat
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
#generate your RSA keys: ssh-keygen -t rsa -b 4096 -f cinsects
#before: ssh root@172.17.121.2 -p 22 -o PreferredAuthentications=password -o PubkeyAuthentication=no
#after:  ssh bluehat@172.17.121.2 -p 22 -o "IdentitiesOnly=yes" -i ~/.ssh/cinsects
cat <<EOT >> ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAMk1QNDGipHOweLKZUuaMDwKiTPS5ZWXboniwDkOK17GvMr2OoGVw0fCvvR69m/yhzuMbfTCo/yNONBb8rN28B+Q7PJJfXXYhumT6Vly/TBfMZP9iw2BVyYWhOAoMhUZd80RfQjAxrUxg3DoB1rgFt2kes8OcaSqTu51GSlpGfL1UPVViiCRyWoSk1q8kR8iLdaCT8tbbAuvDjziEdckLc2MtoMOq67KoNcZc+flykv+Ek+wH02NpnRBkaSbxu0qVsrKNTwKdThds944j/jDUzlCO0y3KumMc+WoA9jPuZ7a6JlwPm335SYR8E6XSPPWrsFTzim1YqGNQfSlmBY+nOMv9EUO3Ipu4NmJxG5mSPNPyAv7aIbRlM4rEnUpar19AMJVlESg0jnFYGxwAMaEPdSN5DxxOxhmIQ4sFpMootz2YkqSxX6z5pRla9X88fPOLJIBa+LxmaLDYfG9Uv0bznJEQZdEx/+Tb8Aq/zKTHJaZ3CmfPCOJ6SiKPJiBHl7HB1HWWAGwJD/PzNJ1oTm5BIppe9xie2t2tqLxSumNOY2807PpBcllJV2OLluFzoIOm0KUIU7jNWeRjIebMaVglQWYdhEj9riOPnzrA1uyGoL0A6NO+m3haQbQzeLGd7wqU6evf8bvZX5aGt/SFW4sANtg2XOQU852APpIyaTaD4Q== xk@localhost.localdomain
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDoYx+drzeCeaxjXPT5fOXyhoyeJmAuSW1O/PEjvkTIgJtBKVkDgxizm7sBX3YnDvO6B9o8zXO4dhmZOYoIQU1qItrZa7USM6hHpwcRBf0/7ACV4o3PBB/8+8kWjKV9nzq8szcAsBLzZjbl1GD7HS1m3LHz7T/DCNuvZnrpdHyF+W5s9Rv6iPhZO9uBTbnP/PQn4MBsrdUgRuzUZAYXDsx5H/NFXagRnG0eZAP/gvAydPCC3z5cUsimktKzBgE2u8OGA533xUxEyFhVN7xGltiJgdy2XxaY3cLLfcwy/hUoJaBN8phHZ6+++zZfyql3gmWUuLeRYFn7Ibo+Dc/ZS2uqXxwYZ6y6ISmOCHfgJgWx4fONCNeV6zrbTOyNYmPRk+O99AwQFuElocnxQfn7WdBIjpsohTv6BkUyeedFAXBLjVK26Est+FAzOWn8UwLmyo12uJOgDeFMylay2wKHQEk0XA9nxBlsD75BvbbTDVT6UmrQH9l6n8GPTvZ4uVUQ09SVVpZjrU4q/DMfS1Iw5Tyd5MNNunI+QZX3gZlX2Ir62VY6anR0jwuAy+j7Hr7zywa1Y1Oa/A+RmwPpyLtJek+XN7NAkYpxdAYyuDb7s2nhOU3joFfaO/Mc8N9gr7yjLvS3jeJmkDkGVc3nh63DrwsVj4eYLp78xXNmz3kXfcNSAQ== narendra@narendra-Latitude-3490
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYnHLXczUhXp28T1+6wlWqvtGOv9tjbAONbnd9pAjzPtkd4d1DNqVLNfaiMnAenZEXAysxEesrABwRVgTHQTGJ+qiTzpFoEXmguiKa46nvcKHPlMWtLKtatHoWZaj6ZU2+SXaoBDYylMrZfA0uCYugZv0kSOmm6sG4RtxwSjPcOtTlRIFc3I6qRlC51G43ydG41bw1ixawudWgb5eIbaODEj3Hzhc3StGjdop2s52L4XemBYmM3rfr7FT56JS/oPAvoCiH0eeBPF0iUDo2/wGJMesMJOwhA4u7e0O6Vv5qwUWUcBsJRuLhE574H199jD40g0JquyRiUg7g/bf2tl5G5rSn5gzwzin1z6Le0eXZxLjzPVsp7h4TQw3ABPbaKZ26mItd8Y+XY6fhjMtDSWJzvcyyYzLVK9wZAdJ+syjT2a9IQzVGoj87drc5y2xY4RmfQZQQaiL/azkJcsc1c9W8tMV4FhfdOQgQ9/67RzZ8NI4HDqHhmyjc3CkeWIS7vd7ZIf9zLrpearGoMXMzaENONZs63c5p8qEzOqvowMXaWvkqlxytHmCfgs+Iz6Ju6RfaELAL61NIQDj0dLhQj+mqTzT3Dn9YkBovJwj4gNnSz83rpCLVPz8MsbA3JtzxmD2CR8bi4FhNQGhiKXmwd1jsOxFJI3Gl/R6atxC5GlbiRQ== root@parrot
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlpEikpopt3WiasRETEEy3sZojtEmrhUVC78zOM+6NcQ+Bl7tdK/yp4So1B7mF33uQfJsHXUxRyo665STyXbgYxNy63sgyFsdUYvGDCBk8srqXRxqoB9V4qI68EofWULr69uUCVny/q92dRoEG13R/+F+l4I8dPmjrajJ7sPxIXkA7x1c2riRE7cyIzZZbgbIvJjbQqr1w3JNz/6dGlBK6M5NbGBD8BtHb84z54k0lDHrPL8GrK1m06q8foUaYgNpA4F1RFuKgrl49z00yj4KhJ5kpM6QxDXy1w6Cr3MS2T/BI22xvb8iyIr4LlB+fpEzi6kaP7QqelEBaOeuBsjWLT5kkEedWW4SARd+K1wdl+hp1XKLs6YqXV14gKdtRKQCkDQTjkIW3x9hFq5wpXubnO+IhG8VO1kfVeVvODxNYwbbrvXaoYjjJY5rnCpxj7yvl6hZ2e0YYIGeuZGpkQOjnH+muM6YKPeiy3kRZN6gW33Kavy3dlJojpgw2cxKY/ZTEkCnXJ1/9dEGb6I+RuYzTt4dlrtn4915Xxk7MhJ4P04FxuQ13mxO+Ev8pKt9ZyH1Ak83uLuGrqFVzZAkQ1FirIjCos3rnAKTXCxxxT6tTLr+m7XfqUcYq+m+8FHSRx8SfVIfAdtMt6HlzBP0wUqoYit8k+y/5XPGRVMmYw3dMiQ== andry@tapakila01
EOT

chmod go-w $HOME $HOME/.ssh
chmod 600 ~/.ssh/authorized_keys
exit

# harden sshd config
cat <<EOT >> /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers bluehat
EOT

/etc/init.d/sshd restart

# repair DNS(?)
echo nameserver 1.1.1.1 > /etc/resolv.conf
systemctl restart systemd-networkd

ping deb.debian.org
#ufw allow out 53,113,123/udp

chattr +i /etc/resolv.conf

apt install wget

wget https://download.configserver.com/csf.tgz
sha256sum csf.tgz
#check if match
echo dfb9318213a3e6be207ac6595b6743b0a5a5bf311508dfe0d8cf8d84ad110a87
echo "if different verify here: https://www.configserver.com/checksums.txt"

read -p "Proceed? (y/^c) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]
then
  tar -xzf csf.tgz
fi

ufw disable

cd csf
sh install.sh
perl /usr/local/csf/bin/csftest.pl

apt upgrade

#watch the logs in real time
journalctl -f &
#also for each service that we need to maintain
tail -f /var/log/apache2/access.log &

# maybe we could use this to work together https://github.com/zolrath/wemux

# it would be good if we could setup `logwatch` to send a message to IRC or discord every couple of hours
apt install logwatch
logwatch --detail med --range Today --format text --output stdout

# it would be good to install SELinux but I don't know how well Debian is supported
# this looks cool ansible-galaxy install dev-sec.os-hardening
wget https://downloads.cisofy.com/lynis/lynis-2.7.5.tar.gz
tar -xzf lynis-2.7.5.tar.gz
./lynis audit system
	#!/bin/bash
	# create new user
	adduser -m --disabled-password --gecos "" bluehat
	usermod -aG sudo bluehat
	#usermod -aG wheel bluehat
	echo "bluehat ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
	su bluehat
	mkdir ~/.ssh
	touch ~/.ssh/authorized_keys
	#generate your RSA keys: ssh-keygen -t rsa -b 4096 -f cinsects
	#before: ssh root@172.17.121.2 -p 22 -o PreferredAuthentications=password -o PubkeyAuthentication=no
	#after: ssh bluehat@172.17.121.2 -p 22 -o "IdentitiesOnly=yes" -i ~/.ssh/cinsects
	cat <<EOT >> ~/.ssh/authorized_keys
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAMk1QNDGipHOweLKZUuaMDwKiTPS5ZWXboniwDkOK17GvMr2OoGVw0fCvvR69m/yhzuMbfTCo/yNONBb8rN28B+Q7PJJfXXYhumT6Vly/TBfMZP9iw2BVyYWhOAoMhUZd80RfQjAxrUxg3DoB1rgFt2kes8OcaSqTu51GSlpGfL1UPVViiCRyWoSk1q8kR8iLdaCT8tbbAuvDjziEdckLc2MtoMOq67KoNcZc+flykv+Ek+wH02NpnRBkaSbxu0qVsrKNTwKdThds944j/jDUzlCO0y3KumMc+WoA9jPuZ7a6JlwPm335SYR8E6XSPPWrsFTzim1YqGNQfSlmBY+nOMv9EUO3Ipu4NmJxG5mSPNPyAv7aIbRlM4rEnUpar19AMJVlESg0jnFYGxwAMaEPdSN5DxxOxhmIQ4sFpMootz2YkqSxX6z5pRla9X88fPOLJIBa+LxmaLDYfG9Uv0bznJEQZdEx/+Tb8Aq/zKTHJaZ3CmfPCOJ6SiKPJiBHl7HB1HWWAGwJD/PzNJ1oTm5BIppe9xie2t2tqLxSumNOY2807PpBcllJV2OLluFzoIOm0KUIU7jNWeRjIebMaVglQWYdhEj9riOPnzrA1uyGoL0A6NO+m3haQbQzeLGd7wqU6evf8bvZX5aGt/SFW4sANtg2XOQU852APpIyaTaD4Q== xk@localhost.localdomain
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDoYx+drzeCeaxjXPT5fOXyhoyeJmAuSW1O/PEjvkTIgJtBKVkDgxizm7sBX3YnDvO6B9o8zXO4dhmZOYoIQU1qItrZa7USM6hHpwcRBf0/7ACV4o3PBB/8+8kWjKV9nzq8szcAsBLzZjbl1GD7HS1m3LHz7T/DCNuvZnrpdHyF+W5s9Rv6iPhZO9uBTbnP/PQn4MBsrdUgRuzUZAYXDsx5H/NFXagRnG0eZAP/gvAydPCC3z5cUsimktKzBgE2u8OGA533xUxEyFhVN7xGltiJgdy2XxaY3cLLfcwy/hUoJaBN8phHZ6+++zZfyql3gmWUuLeRYFn7Ibo+Dc/ZS2uqXxwYZ6y6ISmOCHfgJgWx4fONCNeV6zrbTOyNYmPRk+O99AwQFuElocnxQfn7WdBIjpsohTv6BkUyeedFAXBLjVK26Est+FAzOWn8UwLmyo12uJOgDeFMylay2wKHQEk0XA9nxBlsD75BvbbTDVT6UmrQH9l6n8GPTvZ4uVUQ09SVVpZjrU4q/DMfS1Iw5Tyd5MNNunI+QZX3gZlX2Ir62VY6anR0jwuAy+j7Hr7zywa1Y1Oa/A+RmwPpyLtJek+XN7NAkYpxdAYyuDb7s2nhOU3joFfaO/Mc8N9gr7yjLvS3jeJmkDkGVc3nh63DrwsVj4eYLp78xXNmz3kXfcNSAQ== narendra@narendra-Latitude-3490
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYnHLXczUhXp28T1+6wlWqvtGOv9tjbAONbnd9pAjzPtkd4d1DNqVLNfaiMnAenZEXAysxEesrABwRVgTHQTGJ+qiTzpFoEXmguiKa46nvcKHPlMWtLKtatHoWZaj6ZU2+SXaoBDYylMrZfA0uCYugZv0kSOmm6sG4RtxwSjPcOtTlRIFc3I6qRlC51G43ydG41bw1ixawudWgb5eIbaODEj3Hzhc3StGjdop2s52L4XemBYmM3rfr7FT56JS/oPAvoCiH0eeBPF0iUDo2/wGJMesMJOwhA4u7e0O6Vv5qwUWUcBsJRuLhE574H199jD40g0JquyRiUg7g/bf2tl5G5rSn5gzwzin1z6Le0eXZxLjzPVsp7h4TQw3ABPbaKZ26mItd8Y+XY6fhjMtDSWJzvcyyYzLVK9wZAdJ+syjT2a9IQzVGoj87drc5y2xY4RmfQZQQaiL/azkJcsc1c9W8tMV4FhfdOQgQ9/67RzZ8NI4HDqHhmyjc3CkeWIS7vd7ZIf9zLrpearGoMXMzaENONZs63c5p8qEzOqvowMXaWvkqlxytHmCfgs+Iz6Ju6RfaELAL61NIQDj0dLhQj+mqTzT3Dn9YkBovJwj4gNnSz83rpCLVPz8MsbA3JtzxmD2CR8bi4FhNQGhiKXmwd1jsOxFJI3Gl/R6atxC5GlbiRQ== root@parrot
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlpEikpopt3WiasRETEEy3sZojtEmrhUVC78zOM+6NcQ+Bl7tdK/yp4So1B7mF33uQfJsHXUxRyo665STyXbgYxNy63sgyFsdUYvGDCBk8srqXRxqoB9V4qI68EofWULr69uUCVny/q92dRoEG13R/+F+l4I8dPmjrajJ7sPxIXkA7x1c2riRE7cyIzZZbgbIvJjbQqr1w3JNz/6dGlBK6M5NbGBD8BtHb84z54k0lDHrPL8GrK1m06q8foUaYgNpA4F1RFuKgrl49z00yj4KhJ5kpM6QxDXy1w6Cr3MS2T/BI22xvb8iyIr4LlB+fpEzi6kaP7QqelEBaOeuBsjWLT5kkEedWW4SARd+K1wdl+hp1XKLs6YqXV14gKdtRKQCkDQTjkIW3x9hFq5wpXubnO+IhG8VO1kfVeVvODxNYwbbrvXaoYjjJY5rnCpxj7yvl6hZ2e0YYIGeuZGpkQOjnH+muM6YKPeiy3kRZN6gW33Kavy3dlJojpgw2cxKY/ZTEkCnXJ1/9dEGb6I+RuYzTt4dlrtn4915Xxk7MhJ4P04FxuQ13mxO+Ev8pKt9ZyH1Ak83uLuGrqFVzZAkQ1FirIjCos3rnAKTXCxxxT6tTLr+m7XfqUcYq+m+8FHSRx8SfVIfAdtMt6HlzBP0wUqoYit8k+y/5XPGRVMmYw3dMiQ== andry@tapakila01
	EOT

	chmod go-w $HOME $HOME/.ssh
	chmod 600 ~/.ssh/authorized_keys
	exit

	# harden sshd config
	cat <<EOT >> /etc/ssh/sshd_config
	PermitRootLogin no
	AllowUsers bluehat
	EOT

	/etc/init.d/sshd restart

	# repair DNS(?)
	echo nameserver 1.1.1.1 > /etc/resolv.conf
	systemctl restart systemd-networkd

	ping deb.debian.org
	#ufw allow out 53,113,123/udp

	chattr +i /etc/resolv.conf

	apt install wget

	wget https://download.configserver.com/csf.tgz
	sha256sum csf.tgz
	#check if match
	echo dfb9318213a3e6be207ac6595b6743b0a5a5bf311508dfe0d8cf8d84ad110a87
	echo "if different verify here: https://www.configserver.com/checksums.txt"

	read -p "Proceed? (y/^c) " -n 1 -r
	echo
	if [[ $REPLY =~ ^[Yy]$ ]]
	then
	tar -xzf csf.tgz
	fi

	ufw disable

	cd csf
	sh install.sh
	perl /usr/local/csf/bin/csftest.pl

	apt upgrade

	#watch the logs in real time
	journalctl -f &
	#also for each service that we need to maintain
	tail -f /var/log/apache2/access.log &

	# maybe we could use this to work together https://github.com/zolrath/wemux

	# it would be good if we could setup `logwatch` to send a message to IRC or discord every couple of hours
	apt install logwatch
	logwatch --detail med --range Today --format text --output stdout

	# it would be good to install SELinux but I don't know how well Debian is supported
	# this looks cool ansible-galaxy install dev-sec.os-hardening
	wget https://downloads.cisofy.com/lynis/lynis-2.7.5.tar.gz
	tar -xzf lynis-2.7.5.tar.gz
	./lynis audit system