diff --git a/Set_User.xml b/Set_User.xml new file mode 100644 index 0000000..394071b --- /dev/null +++ b/Set_User.xml @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/commandWrapSafe b/commandWrapSafe new file mode 100644 index 0000000..246c0b9 --- /dev/null +++ b/commandWrapSafe @@ -0,0 +1,29 @@ +#!/bin/bash +#Wrapper for various items which play traffic. +#tcpreplay,tomahawk,isic suite +#Check for presence of eth0 in passed arguments and abort/alert + +OPTIONS="$@" + +function ABORT() +{ +#red bg 0;41 +#white text 1;37 +chmod 400 $0.real +chmod 400 $0 + +MESSAGE="You have attempted to execute an action which will result in harm to the system. The system is now terminating all shell sessions on this host and alerting support personnel. You will lose any unsaved work." +echo -e "\e[0;41m$MESSAGE\e[1;37" +mailsend -q -smtp RELAYHOST -t PAGEREMAIL -f ALERTFROMEMAIL -sub "$0 using eth0 activity on $(hostname)" -M "$(hostname) attempted to play traffic using $0 out of eth0 at $(date)." +killall -g -9 bash +} + +ETH0_CHECK=$(echo $OPTIONS | grep eth0 -c) + +if [ $ETH0_CHECK -gt 0 ]; +then +ABORT +fi + +#If all checks pass, go ahead and execute the invoking program +$0.real $OPTIONS diff --git a/config-iLO b/config-iLO new file mode 100644 index 0000000..1c6498e --- /dev/null +++ b/config-iLO 
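Review bot: `ABORT` in commandWrapSafe has no `exit`, so stopping the replay depends entirely on the `chmod 400` and `killall -g -9 bash` calls succeeding; if both fail (for example the caller does not own the files and `killall` is missing), control returns and the last line `$0.real $OPTIONS` still runs with eth0 in its arguments. Add `exit 1` as the final line of `ABORT`. The guard inspects `OPTIONS="$@"`, which flattens the arguments into one string, and `$0.real $OPTIONS` then re-splits and glob-expands it, so the wrapped tool can receive different arguments from the ones that were checked; `exec "$0.real" "$@"` passes them through unchanged. The colour sequence `\e[1;37` is missing its trailing `m`.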
@@ -0,0 +1,141 @@ +#!/bin/bash +#Script for configuring iLO - modified version, works with hponcfg-4.2.0-0.i386.rpm + +#set -x + +function configure-ilo() +{ +echo "Now running $FUNCNAME...." + + +#Install hponcfg +#yum install -y hponcfg + +#Reset to factory defaults (just in case) +hponcfg -r + +#Dynamic values for the generated XML +ILONAME="$(hostname -s)-iLO" +ILOIP="$(dig -x @DNS_SERVER_IP $ILONAME.$TLD +short)" + +#VLAN verification and configuration +case $ILOIP in +172.16.10*.*) +GATEWAY=172.16.103.254 +NETMASK=255.255.252.0 +ENABLEV=Y +VLAN=101 +;; +172.16.11*.*) +GATEWAY=172.16.115.254 +NETMASK=255.255.252.0 +ENABLEV=Y +VLAN=112 +;; +172.17.1.*) +GATEWAY=0.0.0.0 +NETMASK=255.255.252.0 +ENABLEV=N +VLAN=243 +;; +172.17.2.*) +GATEWAY=0.0.0.0 +NETMASK=255.255.252.0 +ENABLEV=N +VLAN=243 +;; +esac + +#Build xml config file for ILO +cat > /tmp/ilo.dat < + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +ENDILO + +#Apply config to the ILO card +hponcfg -f /tmp/ilo.dat + +echo "iLO configured on $ILONAME, IP: $ILOIP" +} + +#configure-ilo + +########################################################################################## +## Control logic for the script ## +########################################################################################## +main() +{ +echo "Configuring iLo on $ILONAME at $(date)" + +configure-ilo +} + +main diff --git a/disk_space/duc_automated.sh b/disk_space/duc_automated.sh new file mode 100644 index 0000000..2c08bfa --- /dev/null +++ b/disk_space/duc_automated.sh @@ -0,0 +1,23 @@ +#!/bin/bash + + + +#Create index +time duc index / --fs-exclude=nfs + + +#Produce report +cd /root +TODAY="$(date +%m-%d)" +REPORT_FILENAME="$(hostname).$TODAY.png" +duc graph / +mv duc.png $REPORT_FILENAME + + +#Send report to central server +scp -i /root/.ssh/duc_rsa $REPORT_FILENAME duc_user@txn04-slack-master.tplab.tippingpoint.com:/var/www/html/space/ + + + + + 
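Review bot: `/tmp/ilo.dat` in config-iLO is a fixed, predictable path in a world-writable directory, written by a script that presumably runs as root since it calls `hponcfg`, so another local user can create the file or a link at that name first and read or influence what is fed to `hponcfg -f`. Create it with `umask 077` and `ILOCFG=$(mktemp) || exit 1`, and remove it in a `trap 'rm -f "$ILOCFG"' EXIT`. The heredoc body is not visible on this page, so whether it carries credentials is unconfirmed, but the same fixed-path pattern recurs in iLO-admin-priv (`/tmp/ilo.check`, `/tmp/ilo.dat`), ilo-password-changer (`/tmp/ilo.pass`) and iloUpdater.sh (`/tmp/ilo_update.xml`). Separately, `case $ILOIP` has no `*)` branch and runs after `hponcfg -r`, so an empty or unexpected lookup leaves GATEWAY, NETMASK and VLAN unset on a card that has already been reset; validate `ILOIP` before the reset and abort on no match.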
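Review bot: In duc_automated.sh neither `cd /root` nor `duc graph /` is checked, so after a failure `mv duc.png $REPORT_FILENAME` and the `scp` act on whatever `duc.png` happens to be in the current directory; use `cd /root || exit 1`, test the `duc graph` status, and quote `"$REPORT_FILENAME"`. The upload uses root's key `/root/.ssh/duc_rsa`, which must be passphrase-less to work unattended, so the receiving `duc_user` account should pin that key to a forced command in `authorized_keys`, as the ssh-handlers files in this commit do. The destination `/var/www/html/space/` looks like a web root; if so, each host's disk-usage map is served to anyone who can reach that server, which is worth confirming against the intended access control.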
diff --git a/disk_space/install_duc.sh b/disk_space/install_duc.sh
new file mode 100644
index 0000000..62261d3
--- /dev/null
+++ b/disk_space/install_duc.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+#A script to install duc onto any KNEL managed system
+
+
+duc-install()
+{
+echo "Installing duc..."
+wget --quiet https://github.com/zevv/duc/releases/download/1.4.1/duc-1.4.1.tar.gz -O /tmp/duc.tar.gz
+cd /tmp
+tar xfz duc.tar.gz
+cd duc-1.4.1
+./configure
+make
+make install
+cd /tmp
+rm -rvf duc-1.4.1
+rm -rvf duc.tar.gz
+echo "Installed duc"
+}
+
+main-ubuntu()
+{
+apt-get install -y tokyocabinet-bin libncursesw5-dev libcairo2-dev libpango1.0-dev build-essential libtokyocabinet-dev
+duc-install
+}
+
+
+main-centos()
+{
+yum -y install pango-devel cairo-devel tokyocabinet-devel gcc ncurses-devel
+duc-install
+}
+
+
+
+#######################################################################################################################################################
+#Step 1: Figure out what distro we are, call the appropriate function which begins execution
+#######################################################################################################################################################
+wget --quiet https://dl.turnsys.com/bootstrap/bin/distro -O /usr/bin/distro
+chmod +x /usr/bin/distro
+
+
+DISTRO_TYPE="$(distro |awk -F '|' '{print $4}'|tr '[:upper:]' '[:lower:]')"
+if [ $DISTRO_TYPE = "ubuntu" ] ; then main-ubuntu ; fi
+if [ $DISTRO_TYPE = "centos" ] ; then main-centos ; fi
diff --git a/generateComprehensiveInventory.sh b/generateComprehensiveInventory.sh
new file mode 100644
index 0000000..ebb311c
--- /dev/null
+++ b/generateComprehensiveInventory.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#A script to generate a comprehensive list of responsive hosts
+
+OUTPUT_FILE="/tmp/network-scan"
+
+for subnet in $(cat ../input/SubnetList); do
+zmap -M icmp_echoscan -o $OUTPUT_FILE $subnet
+done
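Review bot: install_duc.sh downloads `https://dl.turnsys.com/bootstrap/bin/distro` straight into `/usr/bin/distro`, marks it executable and runs it with no checksum or signature check and no test of wget's exit status, and `duc-install` builds and installs the duc tarball the same way. Pin a digest for each artifact and verify it before use, for example `echo "<expected-sha256>  /tmp/duc.tar.gz" | sha256sum -c - || exit 1`, and download to a `mktemp` path instead of a fixed name in `/tmp`. iloFwUp, iloUpdater.sh and sslStackFromSource.sh in this commit also fetch and then run or build artifacts without verification. `[ $DISTRO_TYPE = "ubuntu" ]` should quote `"$DISTRO_TYPE"`; with an empty value the test is a syntax error and neither installer runs, with no message.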
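Review bot: In generateComprehensiveInventory.sh every iteration passes the same `-o $OUTPUT_FILE`, so each zmap run appears to replace the previous subnet's results and only the last entry of SubnetList survives; write one file per subnet or collect the runs into a single file afterwards. `/tmp/network-scan` is also a fixed name in a world-writable directory, so the inventory should go to a `mktemp` file or a directory only the operator can write. `for subnet in $(cat ../input/SubnetList)` word-splits and glob-expands the list; `while IFS= read -r subnet; do ... done < ../input/SubnetList` with `"$subnet"` quoted avoids that.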
diff --git a/iLO-admin-priv b/iLO-admin-priv new file mode 100644 index 0000000..0444568 --- /dev/null +++ b/iLO-admin-priv @@ -0,0 +1,99 @@ +#!/bin/bash +#Standalone script for setting Administrator Privileges + +#set -x + +#Checks to see if the server is a HP +function server-check() +{ +SERVER_TYPE="$(dmidecode -t system|grep Manufacturer |grep HP -c)" + if [ $SERVER_TYPE -eq 0 ]; then + echo This is not a HP server, exiting. + exit + fi + + if [ $SERVER_TYPE -eq 1 ]; then + echo Server is a HP, checking admin privileges + #yum install -y hponcfg + ilo-check + fi +} + +#Checks the status of iLO on the server +function ilo-check() +{ + #Generates the XML file for checking iLO +cat > /tmp/ilo.check << ENDCHECK + + + + + + + +ENDCHECK + + #iLO Status variable + ILOSTATUS="$(hponcfg -f /tmp/ilo.check | grep ADMIN_PRIV |grep -i y -c)" + if [ $ILOSTATUS -eq 0 ]; then + echo Administrator does not have admin privileges. Enabling... + configure-ilo + fi + + if [ $ILOSTATUS -eq 1 ]; then + echo Administrator has admin privileges, exiting + fi +} + +function configure-ilo() +{ + +#Build xml config file for ILO +cat > /tmp/ilo.dat < + + + + + + + + + + + + + + + + + + + + + + + + + + +ENDILO + +#Apply config to the iLO card +hponcfg -f /tmp/ilo.dat + +echo "Admin Privileges enabled on $(hostname)" + +} + +########################################################################################## +## Control logic for the script ## +########################################################################################## +main() +{ +echo "iLO Admin Privilege checker initiated on $(hostname) at $(date)" + +server-check +} + +main diff --git a/ilo-password-changer b/ilo-password-changer new file mode 100644 index 0000000..ac856df --- /dev/null +++ b/ilo-password-changer 
@@ -0,0 +1,71 @@ + +#This is a test change +#!/bin/bash +#iLO Password Updater script + +#set -x + +function iLO-password-updater() +{ + +#Build xml config file for ILO +cat << ENDILO > /tmp/ilo.pass + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +ENDILO + +#Apply new password to the iLO card +hponcfg -f /tmp/ilo.pass + +echo "iLO password changed on $(hostname)" +} + +########################################################################################## +## Control logic for the script ## +########################################################################################## + +main() +{ +echo -e "iLO password changer initiated on $(hostname) at $(date)\n" + +iLO-password-updater +} + +main \ No newline at end of file diff --git a/iloFwUp b/iloFwUp new file mode 100644 index 0000000..7824eaf --- /dev/null +++ b/iloFwUp @@ -0,0 +1,30 @@ +#!/bin/bash + +#Checks to see if the server is a HP, exit if not +SERVER_TYPE="$(dmidecode -t system|grep Manufacturer |grep HP -c)" + if [ $SERVER_TYPE -eq 0 ]; then + echo This is not a HP server, exiting. + exit + fi + +#FWDLURL="https://dl.server.domain/fwdir" + + +#Upgrade ILO firmware to latest version as of 02/10/2015 + +hponcfg -g +VERSION=$(hponcfg -g|grep type|awk -F 'type' '{print $2}'|awk '{print $3}') + +echo "Upgrading firmware...." + +if [ $VERSION -eq "4" ]; then + curl --silent $FWDLURL/ilo/HPILO4 > /tmp/HPILO4 + chmod +x /tmp/HPILO4 + /tmp/HPILO4 +fi + +if [ $VERSION -eq "2" ]; then + curl --silent $FWDLURL/ilo/HPILO2 > /tmp/HPILO2 + chmod +x /tmp/HPILO2 + /tmp/HPILO2 +fi diff --git a/iloUpdater.sh b/iloUpdater.sh new file mode 100644 index 0000000..3c32d95 --- /dev/null +++ b/iloUpdater.sh 
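Review bot: In ilo-password-changer `#!/bin/bash` sits on the third line, after a blank line and `#This is a test change`, so it is only a comment and the script runs under whatever shell the caller happens to use; move it to line 1, because `function` and `echo -e` are not portable to plain sh. `/tmp/ilo.pass` is never removed after `hponcfg -f /tmp/ilo.pass`; the heredoc body is not visible on this page, but going by the file name and the "Apply new password" comment it holds the new iLO password, which would then stay readable on disk under the default umask. Delete it on every exit path with a `trap 'rm -f "$passfile"' EXIT` and create it under `umask 077`.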
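Review bot: In iloFwUp `FWDLURL` is defined only in a commented-out line, so unless it arrives from the environment `curl --silent $FWDLURL/ilo/HPILO4` requests `/ilo/HPILO4` with no host, and the script still goes on to `chmod +x /tmp/HPILO4` and execute it. curl's exit status is never checked and `--fail` is not used, so an empty file or an HTTP error page is made executable and run from a predictable path in `/tmp`. Require the variable with `: "${FWDLURL:?must be set}"`, download with `curl --fail --silent --show-error -o "$fw" "$FWDLURL/ilo/HPILO4" || exit 1` into a `mktemp` file, and check a pinned digest before running it. `[ $VERSION -eq "4" ]` is a test error when `VERSION` is empty or non-numeric; quote it and compare as a string, `[ "$VERSION" = "4" ]`.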
@@ -0,0 +1,90 @@ +#!/bin/bash +#Standalone iLO updater script - Jason Mak 6/25/2018 +#Defines the latest version of iLO +ilo2latest="2.33" +ilo4latest="2.61" +#Checks server type, only proceeds on HP servers +function server-check() +{ + ISHP=$(dmidecode -t System | grep Manufacturer | grep HP -c) + ISDELL=$(dmidecode -t System | grep Manufacturer | grep Dell -c) + if [ $ISDELL -eq 1 ]; then + echo "Server is a Dell, exiting" + server-cleanup + exit + fi + if [ $ISHP -eq 1 ]; then + echo "Server is an HP, proceeding" + ilogeneration=$(hponcfg | grep -i "ilo" | awk -F= '{print $3}' | awk '{print $2}') + iloversionraw=$(hponcfg | grep -i "ilo" | awk -F= '{print $2}' | awk '{print $1}') + iloversion=${iloversionraw//.} + ilo-versioncheck + fi +} + +#Checks iLO generation and version, updates as necessary +function ilo-versioncheck() +{ + if [ $ilogeneration -eq "2" ]; then + if [ $(echo $iloversion -lt ${ilo2latest//.}) ]; then + echo "iLO2 firmware:" $iloversionraw "latest version is:" $ilo2latest "updating..." + wget http://172.16.99.121/iLO/ilo2_${ilo2latest//.}.bin -O /tmp/iloFW.bin + update-ilo + server-cleanup + else + echo "iLO 2 is up to date, exiting" + server-cleanup + exit + fi + fi + + if [ $ilogeneration -eq "4" ]; then + if [ $(echo $iloversion -lt ${ilo4latest//.}) ]; then + echo "iLO4 firmware:" $iloversionraw "latest version is:" $ilo4latest "updating..." + wget http://172.16.99.121/iLO/ilo4_${ilo4latest//.}.bin -O /tmp/iloFW.bin + update-ilo + server-cleanup + else + echo "iLO 4 is up to date, exiting" + server-cleanup + exit + fi + fi +} + +#xml file that performs the update +function update-ilo() +{ +cat > /tmp/ilo_update.xml << EOF + + + + + + + + + + + + +EOF + +hponcfg -f /tmp/ilo_update.xml +} + +#Clean-up +function server-cleanup() +{ + rm -vf /tmp/iloFW.bin + rm -vf /tmp/ilo_update.xml + rm -vf /tmp/iloUpdater.sh +} + +#Control logic +main () +{ +server-check +} + +main 
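Review bot: In iloUpdater.sh the firmware image is fetched with `wget http://172.16.99.121/iLO/ilo2_${ilo2latest//.}.bin -O /tmp/iloFW.bin` over plain HTTP, and `update-ilo` is called on the next line whether or not the download succeeded, so a missing, truncated or altered image can reach the flashing step; the iLO4 branch is identical. Check the result, `wget ... -O "$fw" || { echo "download failed" >&2; server-cleanup; exit 1; }`, and compare the file with a known digest before calling `update-ilo`. The XML body of `update-ilo` is not visible on this page, so how it refers to `/tmp/iloFW.bin` is assumed. `server-check` handles only `ISDELL -eq 1` and `ISHP -eq 1`; any other count, including two Manufacturer lines, ends silently, so an `else` with a message would help.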
diff --git a/ldif/genUser.sh b/ldif/genUser.sh new file mode 100644 index 0000000..b6e7acb --- /dev/null +++ b/ldif/genUser.sh 
@@ -0,0 +1,156 @@ +#!/bin/bash +#A script to generate a LDIF file of random users and associated organizational units +#supports emitting ldif files for: Active Directory, eDirectory, OpenLDAP + +################################################################################ +#Change these variables as needed # +################################################################################ +#Number of users to generate +#Valid range is from 1 to 10,000 +NUMUSERS="11" + +#Type of directory server to generate ldif for +#Valid types (case sensitive): +#OPENLDAP +#ACTIVEDIRECTORY +#EDIRECTORY +DIRSERVERTYPE="OPENLDAP" + +################################################################################ +#!!!!!!!!!!!!!!!!!!!!DO NOT CHANGE ANYTHING BEYOND THIS LINE!!!!!!!!!!!!!!!!!!!# +################################################################################ + + + +USERCOUNTER="1" +NAMESOURCEFILE="./names.txt" +OUSOURCEFILE="./ou.txt" +OUTPUTFILE="bulkUserLoad-$DIRSERVERTYPE-$(date +%m%d%Y).ldif" + +function ldifEmit-OpenLDAP() +#Code to emit an OpenLDAP compliant ldif +#Bits and bobs sourced from: +# +# +# + +{ + +cat<>$OUTPUTFILE + $FIRSTNAME + $LASTNAME + $OU +OpenLDAP + +} + + +function ldifEmit-ActiveDirectory() +#Code to emit an Active Directory compliant ldif +#Bits and bobs sourced from: +# +# +# + +{ + +echo "Emitting ActiveDirectory ldif..." + +cat<>$OUTPUTFILE + $FIRSTNAME + $LASTNAME $OU + ActiveDirectory +ActiveDirectory + +} + + +function ldifEmit-eDirectory() +#Code to emit an eDirectory compliant ldif +#Bits and bobs sourced from: +# +# +# + +{ + +echo "Emitting eDirectory ldif..." + +cat<>$OUTPUTFILE + $FIRSTNAME $LASTNAME $OU + eDirectory +eDirectory + +} + +function main() +{ +#Range / value check on user supplied variables + +if [ $NUMUSERS -lt 1 -o $NUMUSERS -gt 50000 ]; then +echo "Number of users not correctly specified" +echo "Valid range is from 1 to 10,000" +echo "Exiting now...." +exit 1 +fi + +echo "Number of user range is ok..." 
+ +if [ -z $NUMUSERS ]; then +echo "Number of users not specified." +echo "A value of 1 to 10,000 must be specififed." +echo "Exiting now...." +exit 1 +fi + +if [ -z $DIRSERVERTYPE ]; then +echo "Directory server type not specified." +echo "Exiting now...." +exit 1 +fi + +rm -f $OUTPUTFILE + +cat <0){print$0}}';fi; +echo -e "\e[1;34;47mrunning processes:\e[0m" ; ps faux|egrep -v 'init|watchdog|iscsi|cqueue|kmpath|iscsid|syslogd|kpsmoused|auditd|irqbalance|rpc.idmapd|hcid|kmpathd|ib_cm|rpciod|migration|kjournald|scsi_eh_0|scsi_eh_1|khubd|kswapd0|kedac|kauditd|udevd|named|mingetty|agetty|dbus|kacpid|kblockd|pdflush|ksoftirqd|khelper|kthread|kseriod|klogd|acpid|spamd|cpsrvd|pure-authd|/usr/sbin/courierlogger|/usr/lib/courier-imap';blockcount=$(ip ro |grep blackhole | wc -l); if [ $blockcount -gt 0 ]; then echo -e "\e[1;34;47mBlocked IP Addresses:\e[0m"; ip ro |grep blackhole; fi diff --git a/ssh-handlers/generic-authorized_keys b/ssh-handlers/generic-authorized_keys new file mode 100644 index 0000000..2d5d3db --- /dev/null +++ b/ssh-handlers/generic-authorized_keys @@ -0,0 +1 @@ +command="/home/user/restricted-handler.sh",from="ALLOWED_HOST_FQDN",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty PUBLICKEY \ No newline at end of file diff --git a/ssh-handlers/generic-restricted-handler.sh b/ssh-handlers/generic-restricted-handler.sh new file mode 100644 index 0000000..edd6feb --- /dev/null +++ b/ssh-handlers/generic-restricted-handler.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +set $SSH_ORIGINAL_COMMAND + +case "$1" in + ls) + ;; + scp) + ;; + /bin/scp) + ;; + rm) + ;; + /path/to/custom/command) + ;; + *) + logger -s -t restricted-command -- "Invalid command $@" + exit 1 + ;; +esac + +logger -t restricted-command -- "Executing $@" +exec "$@" diff --git a/ssh-handlers/slack-authorized_keys b/ssh-handlers/slack-authorized_keys new file mode 100644 index 0000000..729c219 --- /dev/null +++ b/ssh-handlers/slack-authorized_keys 
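Review bot: The range check in genUser.sh's `main` accepts values up to 50000 (`-gt 50000`) while the header comment and both messages say the valid range is 1 to 10,000; make the bound and the text agree. The `[ -z $NUMUSERS ]` test comes after the numeric comparison and is unquoted, so an empty value makes the first `[` fail with a test error instead of printing the intended message; put the emptiness check first and write `[ -z "$NUMUSERS" ]`, and likewise `[ -z "$DIRSERVERTYPE" ]`. `-o` inside `[` is deprecated; `[ "$NUMUSERS" -lt 1 ] || [ "$NUMUSERS" -gt 10000 ]` is the unambiguous form. The remainder of this hunk is garbled on this page, so the emit functions are not reviewed.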
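Review bot: The allow-list in generic-restricted-handler.sh looks only at `$1`, so once the command name is `ls`, `scp`, `/bin/scp`, `rm` or the custom command, every argument is accepted and `exec "$@"` runs it; the key holder can then read, overwrite or delete any file the account can, including the account's own SSH configuration, which undoes the restriction. Constrain the arguments as well (a fixed directory, rejecting `..` and paths outside it) or hand the transfer to a purpose-built restricted tool. `set $SSH_ORIGINAL_COMMAND` should be `set -f; set -- $SSH_ORIGINAL_COMMAND`: without `--` a value starting with `-` is parsed as shell options and an empty one makes `set` print every shell variable, and without `set -f` glob characters are expanded on the server before the check. slack-restricted-handler.sh has the same two issues with `rsync`, where the `rrsync` script shipped with rsync is the usual way to pin the directory.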
@@ -0,0 +1 @@
+command="/home/slack-lab/bin/restricted-handler.sh" SSHPUBKEY
diff --git a/ssh-handlers/slack-restricted-handler.sh b/ssh-handlers/slack-restricted-handler.sh
new file mode 100644
index 0000000..8bc3266
--- /dev/null
+++ b/ssh-handlers/slack-restricted-handler.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set $SSH_ORIGINAL_COMMAND
+
+case "$1" in
+ rsync)
+ ;;
+ *)
+ logger -s -t restricted-command -- "Invalid command $@"
+ echo "An attempt was made to utilize the private key on a KNEL managed server to access control and execute the following command: $@" | mail -s "SECURITY BREACH ON control for slack account: $USER" BREACHPAGEEMAIL
+ exit 1
+ ;;
+esac
+
+exec "$@"
+
diff --git a/sslStackFromSource.sh b/sslStackFromSource.sh
new file mode 100644
index 0000000..4fa6377
--- /dev/null
+++ b/sslStackFromSource.sh
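Review bot: The slack-authorized_keys entry sets only `command=`, so the key can still request port, agent and X11 forwarding and a pty, and it is accepted from any source address; generic-authorized_keys in this same commit adds `from=` and the `no-*` options for exactly that reason. Use `restrict,command="/home/slack-lab/bin/restricted-handler.sh",from="ALLOWED_HOST_FQDN" SSHPUBKEY`, where `restrict` needs OpenSSH 7.2 or later; on older servers list `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` as the generic template does.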
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+#Made from instructions at https://www.tunetheweb.com/performance/http2/
+
+OPENSSL_URL_BASE="https://www.openssl.org/source/"
+OPENSSL_FILE="openssl-1.1.0h.tar.gz"
+
+NGHTTP_URL_BASE="https://github.com/nghttp2/nghttp2/releases/download/v1.31.0/"
+NGHTTP_FILE="nghttp2-1.31.0.tar.gz"
+
+APR_URL_BASE="http://mirrors.whoishostingthis.com/apache/apr/"
+APR_FILE="apr-1.6.3.tar.gz"
+
+APR_UTIL_URL_BASE="http://mirrors.whoishostingthis.com/apache/apr/"
+APR_UTIL_FILE="apr-util-1.6.1.tar.gz"
+
+APACHE_URL_BASE="http://mirrors.whoishostingthis.com/apache/httpd/"
+APACHE_FILE="httpd-2.4.33.tar.gz"
+
+CURL_URL_BASE="https://curl.haxx.se/download/"
+CURL_FILE="curl-7.60.0.tar.gz"
+
+
+#Download and install latest version of openssl
+wget $OPENSSL_URL_BASE/$OPENSSL_FILE
+tar xzf $OPENSSL_FILE
+cd openssl-1.1.0h
+./config enable-weak-ssl-ciphers shared zlib-dynamic -DOPENSSL_TLS_SECURITY_LEVEL=0 --prefix=/usr/local/custom-ssl/openssl-1.1.0h ; make ; make install
+ln -s /usr/local/custom-ssl/openssl-1.1.0h /usr/local/openssl
+cd -
+
+#Download and install nghttp2 (needed for mod_http2).
+wget $NGHTTP_URL_BASE/$NGHTTP_FILE
+tar xzf $NGHTTP_FILE
+cd nghttp2-1.31.0
+./configure --prefix=/usr/local/custom-ssl/nghttp ; make ; make install
+cd -
+
+#Updated ldconfig so curl build
+
+cat < /etc/ld.so.conf.d/custom-ssl.conf
+/usr/local/custom-ssl/openssl-1.1.0h/lib
+/usr/local/custom-ssl/nghttp/lib
+custom-ssl
+
+ldconfig
+
+#Download and install curl
+wget $CURL_URL_BASE/$CURL_FILE
+tar xzf curl-7.60.0.tar.gz
+cd curl-7.60.0
+./configure --prefix=/usr/local/custom-ssl/curl --with-nghttp2=/usr/local/custom-ssl/nghttp/ --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ ; make ; make install
+cd -
+
+
+#Download and install latest apr
+wget $APR_URL_BASE/$APR_FILE
+tar xzf $APR_FILE
+cd apr-1.6.3
+./configure --prefix=/usr/local/custom-ssl/apr ; make ; make install
+cd -
+
+#Download and install latest apr-util
+wget $APR_UTIL_URL_BASE/$APR_UTIL_FILE
+tar xzf apr-util-1.6.1.tar.gz
+cd apr-util-1.6.1
+./configure --prefix=/usr/local/custom-ssl/apr-util --with-apr=/usr/local/custom-ssl/apr ; make; make install
+cd -
+
+#Download and install apache
+wget $APACHE_URL_BASE/$APACHE_FILE
+tar xzf httpd-2.4.33.tar.gz
+cd httpd-2.4.33
+cp -r ../apr-1.6.3 srclib/apr
+cp -r ../apr-util-1.6.1 srclib/apr-util
+./configure --prefix=/usr/local/custom-ssl/apache --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ --with-pcre=/usr/bin/pcre-config --enable-unique-id --enable-ssl --enable-so --with-included-apr --enable-http2 --with-nghttp2=/usr/local/custom-ssl/nghttp/
+make
+make install
+ln -s /usr/local/custom-ssl/apache /usr/local/apache
+cd -
+
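Review bot: OpenSSL is configured with `enable-weak-ssl-ciphers` and `-DOPENSSL_TLS_SECURITY_LEVEL=0`, and its lib directory is then written to `/etc/ld.so.conf.d/custom-ssl.conf` and activated with `ldconfig`, which places the deliberately weakened library on the system-wide loader path, where other programs needing the same library name may resolve to it, instead of confining it to the custom curl and Apache. If the weak build is intentional, say why in a header comment and link the custom binaries with an rpath, for example `LDFLAGS="-Wl,-rpath,/usr/local/custom-ssl/openssl-1.1.0h/lib"`, rather than editing ld.so.conf.d. Each build is chained as `./config ... ; make ; make install`, so `make install` runs even after a failed configure or compile, and every `cd` is unchecked; use `&&` and `set -e`. The APR and httpd tarballs come from an `http://` mirror and none of the six downloads is checked against a signature or digest.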