#!/bin/sh
######################################################################
# toaster: switch off the remotely-accessible services that were found
# when looking over a couple of unix systems.  The aim is a machine a
# person can sit in front of and get work done on, using its own CPU
# (unlike an X terminal), but which is MUCH more secure and - as a side
# effect - much less useful remotely.  That is, you cannot log into it
# unless you turn on ssh, which this script does not turn off.
######################################################################

######################################################################
# revision history
# 0.1 first "release"
# 0.2 Added support for lpd and syslogd
# 0.3 Added dtksh to list of shells, revised shell-picking failure
#     message a little
# 0.4 Added Caldera support
# 0.5 Added untested shot at HP-UX 10.2 support.  Removed exec >&'s to
#     keep HPUX happy; makes things noisier on other platforms, like
#     solaris.  Removed grep \<\> to keep HPUX happy; makes things
#     slightly less safe on other platforms.  Added /usr/dt/bin/dtksh
#     to shell search.
# 0.6 Changed removal of rc scripts to renaming of rc scripts
######################################################################

# Pin PATH so we run the system's own tools, not whatever the invoking
# environment happened to put first.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/bsd

# Not every bournish shell understands file descriptor tricks of the
# a>&b kind.  SunOS 4.1.x's /bin/sh does, and that is about as far back
# as we need to go.  A shell too old for a>&b is most likely also too
# old for shell functions, which the rest of this script depends on, so
# on such a system (a /bin/sh without functions but with /bin/bash) it
# will probably be necessary to start things with "/bin/bash toaster".
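#
# How the shell check below works: we define a shell function (errors
# from that go to the terminal, which is why the warning is printed
# first), then call it and see whether it actually ran by checking a
# variable the function sets.  On a shell that doesn't understand shell
# functions we get two "command not found"s and the variable stays
# "no".  On a shell that does, we get no errors and the variable
# becomes "yes".
#
# The "if" test inside the function body is there so that a shell which
# doesn't understand functions (and therefore runs the body at top
# level) won't set the variable anyway.
#
# Earlier versions marked success by touching /tmp/yup; a variable is
# used instead so that nothing is created in a world-writable directory
# while we may be running as root.

echo
echo Do not worry if you see an error about '"function" and "foo"' on
echo the next couple of lines.
echo

have_functions=no

function foo {
  if [ "$1" = doit ]
  then
    have_functions=yes
  fi
}

foo doit

if [ "$have_functions" = yes ]
then
  echo Good, we are running with a shell that understands shell functions
  echo
else
  echo This shell does not appear to understand shell functions.
  echo Hunting for a shell that does...
  for shell in bash dtksh /usr/dt/bin/dtksh ksh
  do
    if type "$shell" > /dev/null 2>&1
    then
      echo Trying "$shell"...
      exec "$shell" "$0" "$@"
    fi
  done
  echo You do not appear to have a shell on your system that understands
  echo shell functions.  I recommend installing bash, and saying
  echo \"bash toaster\".
  exit 1
fi

toaster_version=0.6
echo This is toaster version "$toaster_version"
sleep 1

######################################################################
# Work out what we are running on.  $os ends up as "<system>-<release>",
# e.g. "SunOS-5.6", with a few vendor quirks smoothed over below.
######################################################################
os="`uname -s | tr -d '-'`-`uname -r`"

case "$os" in
  Linux-*)
    # annoyance: I wish uname -s returned "redhat" or "debian" - this
    # would be more meaningful than just "Linux".  Saying "Linux" is
    # like saying "SysV" - it means something, but it's terribly
    # overgeneral
    if [ -f /etc/redhat-release ]
    then
      # (the old "$ROOT/etc/redhat-release" spelling is gone: $ROOT was
      # never set, and the -f test above already looks at /etc directly)
      os=redhat-"`sed 's/^.*release \([0-9\.]*\) .*$/\1/' < /etc/redhat-release`"
    elif [ -f /etc/debian_version ]
    then
      # this is a guess; I don't really know what kind of content
      # debian_version contains
      os=debian-"`cat /etc/debian_version`"
    elif [ -f /etc/.installed ] && grep -i caldera /etc/.installed > /dev/null
    then
      t="`sed -n 's/^.*Caldera OpenLinux \([0-9\.a-zA-Z][0-9\.a-zA-Z]*\) .*$/\1/p' \
        < /etc/.installed`"
      os=caldera-"$t"
    else
      # unrecognized linux version
      :
    fi
    ;;
  IRIX64-*)
    # annoyance: some irix versions call themselves "IRIX64"
    os="IRIX-`uname -r`"
    ;;
  OSF1-V*)
    # annoyance: some osf1 versions identify their release number
    # starting with "V", some don't
    os="OSF1-`uname -r | sed 's/^V//'`"
    ;;
  *)
    : probably fine
    ;;
esac

echo I appear to be running on a "$os" system
sleep 1

case "$os" in
  SunOS-4*|Linux-*|debian-*|IRIX-*|OSF1-*|caldera-*|HPUX-*)
    echo "I am aware of $os, but I am not tested on $os; I'll make"
    echo "some conservative guesses anyway."
    sleep 1
    ;;
  SunOS-5*|redhat-*)
    echo "I am relatively well tested on this OS"
    sleep 1
    ;;
  *)
    echo "I know very little about this OS; I will make some conservative"
    echo "guesses."
    os=unfamiliar
    sleep 1
    ;;
esac

######################################################################
# Print who to bother about problems with this script.
######################################################################
function contact_info {
  echo People on the UCI campus may report problems with this script
  echo to OAC.
  echo
  echo People from outside UCI may report problems with this script
  echo to Dan Stromberg directly.  There is no guarantee of support to
  echo users outside of UCI.
  echo
  echo OAC can be contacted by e-mail to oac@uci.edu, or by calling
  echo x6116.
  echo
  echo Dan Stromberg can be contacted by e-mail to strombrg@nis.acs.uci.edu.
}

######################################################################
# rename any rc start script with $1 in its name
#   $1 - substring to look for in the file name (e.g. "named")
# Globals: rcdir (read).  Only rc?.d/S* entries are touched; init.d/*
# is left alone so the service can be re-enabled later.  Returns 1 if
# $rcdir cannot be entered, so we never run find in a random directory.
######################################################################
function mv_by_name {
  cd "$rcdir" || return 1
  find . -name "*$1*" -print | \
  while read -r file
  do
    case "$file" in
      ./init.d/*|init.d/*)
        : leave this alone
        ;;
      ./rc?.d/S*|rc?.d/S*)
        # zot this!
        fn="`basename "$file"`"
        dn="`dirname "$file"`"
        echo moving "$file" to "$dn/old.$fn"...
        echo in order to turn off "$1"
        mv "$file" "$dn/old.$fn"
        ;;
    esac
  done
}

######################################################################
# rename any rc start script containing $1
#   $1 - fixed text (used as a grep pattern) to look for in the file
# Globals: rcdir (read).  Same rules as mv_by_name.
######################################################################
function mv_by_content {
  cd "$rcdir" || return 1
  # alas, HPUX grep doesn't understand \<\>
  find . \( -type f -o -type l \) -print | \
  xargs grep -l "$1" | \
  while read -r file
  do
    case "$file" in
      ./init.d/*|init.d/*)
        : leave this alone
        ;;
      ./rc?.d/S*|rc?.d/S*)
        # zot this!
        fn="`basename "$file"`"
        dn="`dirname "$file"`"
        echo moving "$file" to "$dn/old.$fn"...
        echo in order to turn off "$1"
        mv "$file" "$dn/old.$fn"
        ;;
    esac
  done
}

######################################################################
# remove any rc start script with $1 in its name
#   $1 - substring to look for in the file name
# Globals: rcdir (read).  Kept for completeness; the script itself now
# prefers the mv_* variants, which are reversible.
######################################################################
function rm_by_name {
  cd "$rcdir" || return 1
  find . -name "*$1*" -print | \
  while read -r file
  do
    case "$file" in
      ./init.d/*|init.d/*)
        : leave this alone
        ;;
      ./rc?.d/S*|rc?.d/S*)
        # zot this!
        echo removing "$file" to turn off "$1"
        rm -f "$file"
        ;;
    esac
  done
}

######################################################################
# remove any rc start script containing $1
#   $1 - fixed text (used as a grep pattern) to look for in the file
# Globals: rcdir (read).
######################################################################
function rm_by_content {
  cd "$rcdir" || return 1
  # alas, HPUX grep doesn't understand \<\>
  find . \( -type f -o -type l \) -print | \
  xargs grep -l "$1" | \
  while read -r file
  do
    case "$file" in
      ./init.d/*|init.d/*)
        : leave this alone
        ;;
      ./rc?.d/S*|rc?.d/S*)
        # zot this!
        echo removing "$file" to turn off "$1"
        rm -f "$file"
        ;;
    esac
  done
}

######################################################################
# Inside of file $1, put a colon in front of any occurrences of $2.
# This comments out undesired functionality, more or less.
#   $1 - file to edit in place
#   $2 - command name to neutralise (plain text; it lands in a sed regex)
# Globals: tmpdir (read) - scratch space created below, private to root.
# The rewritten copy only replaces $1 if it is non-empty, so a sed
# failure can't truncate the rc file.
######################################################################
function colon_out {
  # The daemon thinger is for redhat, really.  They do things a little
  # different, tho in a good way (in this case)
  tmp="$tmpdir/colon_out"
  sed \
    -e "s/^\([ ]*\)\([/a-zA-Z0-9]*$2\)/\1: \2/" \
    -e "s/^\([ ]*\)\(daemon[ ][ ]*[/a-zA-Z0-9]*$2\)/\1: \2/" \
    < "$1" > "$tmp"
  # only copy if nonzero in length.  If it is zero, odds are sed bombed
  # out
  if [ -s "$tmp" ]
  then
    cat "$tmp" > "$1"
  fi
  rm -f "$tmp"
}

######################################################################
# colon out occurrences of $2 in any rc start script with $1 in its name
# untested
#   $1 - substring to look for in the file name
#   $2 - command name to colon out
######################################################################
function colon_by_name {
  cd "$rcdir" || return 1
  find . -name "*$1*" -print | \
  while read -r file
  do
    case "$file" in
      ./init.d/*|init.d/*)
        : leave this alone
        ;;
      ./rc?.d/S*|rc?.d/S*)
        # zot this!
        echo coloning in "$file" to turn off "$2"
        colon_out "$file" "$2"
        ;;
    esac
  done
}

######################################################################
# colon out occurrences of $1 in all rc start scripts that mention it
#   $1 - command name to colon out (also the grep pattern)
######################################################################
function colon_by_content {
  cd "$rcdir" || return 1
  # alas, HPUX grep doesn't understand \<\>
  find . \( -type f -o -type l \) -print | \
  xargs grep -l "$1" | \
  while read -r file
  do
    case "$file" in
      ./init.d/*|init.d/*)
        : leave this alone
        ;;
      ./rc?.d/S*|rc?.d/S*)
        # zot this!
        echo coloning in "$file" to turn off "$1"
        colon_out "$file" "$1"
        ;;
    esac
  done
}

######################################################################
# sed something in place
#   $1 - sed script
#   $2 - file to edit
# Globals: tmpdir (read).  As with colon_out, an empty sed result is
# not copied back, so a bad sed expression leaves $2 untouched.
######################################################################
function sed_in_place {
  tmp="$tmpdir/sed_in_place"
  sed "$1" < "$2" > "$tmp"
  if [ -s "$tmp" ]
  then
    cat "$tmp" > "$2"
  fi
  rm -f "$tmp"
}

######################################################################
# check out how the rc stuff is set up
######################################################################
rcdir=
if [ -d /etc/init.d ] && [ -d /etc/rc2.d ] && [ -d /etc/rc3.d ]
then
  echo Great, you have really normal rc stuff.
  rcdir=/etc
  normal_rcdir=true
elif [ -d /sbin/init.d ] && [ -d /sbin/rc2.d ] && [ -d /sbin/rc3.d ]
then
  echo Ok, you have kind of normal rc stuff.  We can work with this.
  rcdir=/sbin
  normal_rcdir=true
elif [ -d /etc/rc.d/init.d ] && [ -d /etc/rc.d/rc2.d ] && [ -d /etc/rc.d/rc3.d ]
then
  echo Ok, you have weird rc stuff, but we can work with this.
  rcdir=/etc/rc.d
  normal_rcdir=true
else
  echo You appear to have bizarre/outdated rc stuff.  I may not be able to
  echo help that much.
  normal_rcdir=false
fi
export rcdir

case "`whoami`" in
  root)
    ;;
  *)
    echo You must run me as root.  Please su and try again.
    echo Exiting prematurely.
    exit 1
    ;;
esac

######################################################################
# Scratch space.  Everything below runs as root, and the old fixed names
# (/tmp/foo, /tmp/inetd.conf, /tmp/sed_in_place) could be pre-created as
# symlinks by any local user, turning our "> /tmp/..." into a write to a
# file of their choosing.  A private directory avoids that: mktemp where
# available, otherwise mkdir, which fails rather than follow an existing
# path.  The trap removes it however we exit.
######################################################################
tmpdir=
if type mktemp > /dev/null 2>&1
then
  tmpdir="`mktemp -d /tmp/toaster.XXXXXX 2> /dev/null`"
fi
if [ -z "$tmpdir" ] || [ ! -d "$tmpdir" ]
then
  tmpdir=/tmp/toaster.$$
  if (umask 077 && mkdir "$tmpdir")
  then
    :
  else
    echo Unable to create a scratch directory "$tmpdir".  Exiting prematurely. 1>&2
    exit 1
  fi
fi
trap 'rm -rf "$tmpdir"' 0
trap 'exit 1' 1 2 15

echo I am about to start doing real work.
echo
contact_info
echo
sleep 4

######################################################################
# turn off inetd services
######################################################################
INDC=
if [ -f /etc/inetd.conf ]
then
  INDC=/etc/inetd.conf
else
  case "$os" in
    unfamiliar)
      echo Wow.  You have no /etc/inetd.conf.  This machine is too
      echo weird for me to deal with.
      echo Terminating prematurely.
      exit 1
      ;;
    *)
      echo You have no /etc/inetd.conf, but normally you should.
      echo
      ;;
  esac
fi

if [ "$INDC" ] && cat "$INDC" > /dev/null 2>&1
then
  echo Turning off inetd services
  # we have an /etc/inetd.conf.  We turn off most things here.  This is
  # the easy part :)
  # Comment out all entries, except an idtoaster line we added on an
  # earlier run - otherwise every run would comment out the previous
  # one and append a fresh copy at the bottom.
  sed '/^idtoaster /!s/^\([^#].*\)/#\1/' < "$INDC" > "$tmpdir/inetd.conf"
  if [ -s "$tmpdir/inetd.conf" ]
  then
    # cat > preserves hard links.  Sometimes cp doesn't
    cat "$tmpdir/inetd.conf" > "$INDC"
  fi
  rm -f "$tmpdir/inetd.conf"
else
  echo "You have no inetd.conf.  This is unusual, but I will keep trying."
fi
echo

######################################################################
# turn off rpcbind
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off rpcbind
  colon_by_content rpcbind
fi
echo

######################################################################
# turn off portmap
######################################################################
case "$os" in
  SunOS-5*)
    : we know solaris does not do portmap
    ;;
  *)
    if [ "$normal_rcdir" = true ]
    then
      echo Attempting to turn off portmap
      colon_by_content portmap
    else
      case "$os" in
        SunOS-4*)
          echo Attempting to turn off portmap
          colon_out /etc/rc.local portmap
          ;;
      esac
    fi
    echo
    ;;
esac

######################################################################
# turn off sendmail
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off sendmail
  mv_by_content sendmail
else
  case "$os" in
    SunOS-4*)
      echo Attempting to turn off sendmail.
      colon_out /etc/rc.local sendmail
      ;;
    *)
      echo I do not know how to turn off sendmail on "$os".
      sleep 1
      ;;
  esac
fi
echo

######################################################################
# turn off named
######################################################################
if [ "$normal_rcdir" = true ]
then
  # to my knowledge, this is only a widespread problem on linux, which
  # to my knowledge, always has normal_rcdirs.  At least debian and
  # redhat do
  echo Attempting to turn off named
  mv_by_name named
fi
echo

######################################################################
# turn off samba
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off samba
  mv_by_name smb
  mv_by_name samba
fi
echo

######################################################################
# turn off xdm
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off xdm
  mv_by_name xdm
fi
echo

######################################################################
# turn off httpd
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off httpd
  mv_by_content httpd
fi
echo

######################################################################
# turn off innd
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off innd
  mv_by_name innd
fi
echo

######################################################################
# turn off lpd
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off lpd
  mv_by_name lpd
fi
echo

######################################################################
# turn off syslogd
######################################################################
if [ "$normal_rcdir" = true ]
then
  echo Attempting to turn off syslogd
  mv_by_name syslog
fi
echo

######################################################################
# caldera has amd trouble sometimes, background it so boots don't hang
######################################################################
case "$os" in
  caldera-*)
    if cat /etc/rc.d/rc3.d/S30amd > /dev/null 2>&1
    then
      echo Since this is Caldera OpenLinux, we want to tweak the
      echo invocation of amd a little bit...
      echo
      sed_in_place 's#\(/auto /etc/amd.localdev \$AMDMASTER\)$#\1 \&#' \
        /etc/rc.d/rc3.d/S30amd
      # we want:
      #/auto /etc/amd.localdev $AMDMASTER &
    fi
    ;;
esac

######################################################################
# It'd be nice to have some kind of identification, so we can tell this
# isn't some microsoft box.
#
# NOTE(review): this deliberately adds one new network service.  It
# answers anyone who can reach tcp/10010 with the OS name and release,
# and inetd runs it as root.  The banner itself only echoes two fixed
# strings, but if you would rather not advertise "$os" to the network,
# or have an unprivileged account available for inetd services, this is
# the place to change it.
######################################################################
echo Marking this machine as a '"toaster"' on the net, so we won\'t be
echo mistaken for a microsoft OS
(
  echo "#!/bin/sh"
  echo "echo toaster"
  echo "echo $os"
) > /usr/sbin/identify-toaster
chmod 755 /usr/sbin/identify-toaster

if grep '^idtoaster 10010/tcp$' /etc/services > /dev/null 2>&1
then
  : # we're already in there
else
  echo 'idtoaster 10010/tcp' >> /etc/services
fi

line="idtoaster stream tcp nowait root /usr/sbin/identify-toaster idtoaster"
if grep "^$line\$" /etc/inetd.conf > /dev/null 2>&1
then
  : # we're already in there
else
  echo "$line" >> /etc/inetd.conf
fi

echo
echo The next time you reboot this computer, many services should
echo no longer be turned on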