From 05754b54b0ffd2b7d0924c4d60e8f85a69a8333c Mon Sep 17 00:00:00 2001 From: louiscyphre Date: Sat, 2 Jun 2018 00:41:36 +0300 Subject: [PATCH 1/3] Some minor modificatons --- bckp.sh | 6 +- install.sh | 187 ++++++++++++++++++++++++++++++----------------------- 2 files changed, 108 insertions(+), 85 deletions(-) mode change 100644 => 100755 bckp.sh diff --git a/bckp.sh b/bckp.sh old mode 100644 new mode 100755 index f6004a9..9f7ca97 --- a/bckp.sh +++ b/bckp.sh @@ -5,7 +5,7 @@ usage="Usage: ./bckp.sh /path/directory_to_encrypt /path/destination_directory" user=$USER srcdir=$1 dstdir=$2 -tmpdir=/tmp +tmpdir=./tmp time=$(date +%d.%m.%y_%T) # Time of backup filename=backup-$time.tar.gz # Backup file name format. @@ -15,8 +15,8 @@ if [[ $# -eq 0 ]] ; then fi -if [ -d "$dstdir" ]; then - tar -cpzf $tmpdir/$filename $srcdir +if [ -d "$dstdir" ]; then + tar -cpjfW $tmpdir/$filename $srcdir openssl aes-256-cbc -in $tmpdir/$filename -out $tmpdir/$filename.enc rm -f $tmpdir/$filename mv $tmpdir/$filename.enc $dstdir/$filename.enc diff --git a/install.sh b/install.sh index 7d491e2..bcb3ccf 100755 --- a/install.sh +++ b/install.sh 
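Review bot: `tmpdir=./tmp` resolves against whatever directory the script is started from, and nothing visible in this patch creates it, so the tar step in the next hunk would fail when `./tmp` is absent. The unencrypted archive is also staged under a fixed, guessable path. A private scratch directory avoids both: `tmpdir=$(mktemp -d) || exit 1` followed by `trap 'rm -rf -- "$tmpdir"' EXIT`, which also removes the plaintext archive if a later step fails. The rest of the script lies outside this hunk, so an existing `mkdir` there cannot be ruled out.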
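Review bot: In `tar -cpjfW $tmpdir/$filename $srcdir` the `f` option is no longer last in the cluster, so GNU tar reads the trailing `W` as the archive name and treats `$tmpdir/$filename` as an input path; the following openssl line then has no file to read. GNU tar also refuses to verify (`-W`) a compressed archive, and `-j` writes bzip2 while `filename` still ends in `.tar.gz`. Suggested: `tar -cpjf "$tmpdir/$filename" -- "$srcdir"` with the suffix changed to `.tar.bz2`, and the expansions on the openssl, rm and mv lines quoted the same way so paths with spaces survive. The `if` block continues past the end of this hunk.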
@@ -20,88 +20,98 @@ if echo "$answer" | grep -iq "^y" ;then /bin/echo '#! /bin/sh +### BEGIN INIT INFO +# Provides: firewall +# Required-Start: iptables +# Required-Stop: +# Default-Start: 34 2 3 4 5 . +# Default-Stop: +# Short-Description: Simple firewall setup +# Description: Simple firewall setup script. This script adding rules to firewall, stop icmp and turn off forwarding. +### END INIT INFO + +/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all +/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts +/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route +/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects +/bin/echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects +/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses +/bin/echo "0" > /proc/sys/net/ipv4/conf/all/log_martians +/bin/echo "0" > /proc/sys/net/ipv4/ip_forward + +for i in /proc/sys/net/ipv4/conf/*; do + /bin/echo "1" > $i/rp_filter +done + + +IPT=/sbin/iptables + + +# Flushing all rules,deleting all chains +$IPT -F +$IPT -X + +# Setting default rule to drop +$IPT -P INPUT DROP +$IPT -P FORWARD DROP +$IPT -P OUTPUT ACCEPT + + +$IPT -N invalid +$IPT -N attacks +$IPT -N allowed + + +$IPT -F invalid +$IPT -F attacks +$IPT -F allowed + + +$IPT -A invalid -p icmp -j DROP + +$IPT -A invalid -m state --state INVALID -j DROP +$IPT -A invalid -m state --state NEW -j DROP + + +# Log (currently off) and then drop strange packets +#$IPT -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 15/minute -j LOG --log-prefix "NMAP-XMAS:" +$IPT -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +#$IPT -A attacks -p tcp --tcp-flags ALL ALL -m limit --limit 15/minute -j LOG --log-prefix "XMAS:" +$IPT -A attacks -p tcp --tcp-flags ALL ALL -j DROP +#$IPT -A attacks -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 15/minute -j LOG --log-prefix "XMAS-PSH:" +$IPT -A attacks -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP +#$IPT -A attacks -p tcp 
--tcp-flags ALL NONE -m limit --limit 15/minute -j LOG --log-prefix "NULL-SCAN:" +$IPT -A attacks -p tcp --tcp-flags ALL NONE -j DROP +#$IPT -A attacks -p tcp --tcp-flags ALL SYN,RST -m limit --limit 15/minute -j LOG --log-prefix "SYN-RST:" +$IPT -A attacks -p tcp --tcp-flags ALL SYN,RST -j DROP +#$IPT -A attacks -p tcp --tcp-flags ALL SYN,FIN -m limit --limit 15/minute -j LOG --log-prefix "SYN-FIN:" +$IPT -A attacks -p tcp --tcp-flags ALL SYN,FIN -j DROP +#$IPT -A attacks -p tcp --tcp-flags ALL FIN,RST -m limit --limit 15/minute -j LOG --log-prefix "FIN-RST:" +$IPT -A attacks -p tcp --tcp-flags ALL FIN,RST -j DROP +#$IPT -A attacks -p tcp --tcp-flags ALL FIN -m limit --limit 15/minute -j LOG --log-prefix "FIN-SCAN:" +$IPT -A attacks -p tcp --tcp-flags ALL FIN -j DROP +#$IPT -A attacks -p tcp --tcp-flags SYN,ACK SYN -m limit --limit 15/minute -j LOG --log-prefix "SYN-!ACK:" +$IPT -A attacks -p tcp --tcp-flags SYN,ACK SYN -j DROP +#$IPT -A attacks -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 15/minute -j LOG --log-prefix "FIN-!ACK:" +$IPT -A attacks -p tcp --tcp-flags FIN,ACK FIN -j DROP +#$IPT -A attacks -p tcp --tcp-flags ALL PSH -m limit --limit 15/minute -j LOG --log-prefix "PSH-SCAN:" +$IPT -A attacks -p tcp --tcp-flags ALL PSH -j DROP + +#Allowed incoming traffic is related and established connections +$IPT -A allowed -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A allowed -j RETURN + +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A INPUT -j attacks +$IPT -A INPUT -j invalid +$IPT -A INPUT -j allowed + +$IPT -A OUTPUT -p icmp -j DROP + +$IPT-save - /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all - /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts - /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route - /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects - /bin/echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects - /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses - /bin/echo "0" > 
/proc/sys/net/ipv4/conf/all/log_martians - /bin/echo "0" > /proc/sys/net/ipv4/ip_forward - - for i in /proc/sys/net/ipv4/conf/*; do - /bin/echo "1" > $i/rp_filter - done - - - IPT=/sbin/iptables - - - # Flushing all rules,deleting all chains - $IPT -F - $IPT -X - - # Setting default rule to drop - $IPT -P INPUT DROP - $IPT -P FORWARD DROP - $IPT -P OUTPUT ACCEPT - - - $IPT -N invalid - $IPT -N attacks - $IPT -N allowed - - - $IPT -F invalid - $IPT -F attacks - $IPT -F allowed - - - $IPT -A invalid -p icmp -j DROP - - $IPT -A invalid -m state --state INVALID -j DROP - $IPT -A invalid -m state --state NEW -j DROP - - - # Log (currently off) and then drop strange packets - #$IPT -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 15/minute -j LOG --log-prefix "NMAP-XMAS:" - $IPT -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL ALL -m limit --limit 15/minute -j LOG --log-prefix "XMAS:" - $IPT -A attacks -p tcp --tcp-flags ALL ALL -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 15/minute -j LOG --log-prefix "XMAS-PSH:" - $IPT -A attacks -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL NONE -m limit --limit 15/minute -j LOG --log-prefix "NULL-SCAN:" - $IPT -A attacks -p tcp --tcp-flags ALL NONE -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL SYN,RST -m limit --limit 15/minute -j LOG --log-prefix "SYN-RST:" - $IPT -A attacks -p tcp --tcp-flags ALL SYN,RST -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL SYN,FIN -m limit --limit 15/minute -j LOG --log-prefix "SYN-FIN:" - $IPT -A attacks -p tcp --tcp-flags ALL SYN,FIN -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL FIN,RST -m limit --limit 15/minute -j LOG --log-prefix "FIN-RST:" - $IPT -A attacks -p tcp --tcp-flags ALL FIN,RST -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL FIN -m limit --limit 15/minute -j LOG --log-prefix "FIN-SCAN:" - $IPT -A attacks -p tcp --tcp-flags ALL 
FIN -j DROP - #$IPT -A attacks -p tcp --tcp-flags SYN,ACK SYN -m limit --limit 15/minute -j LOG --log-prefix "SYN-!ACK:" - $IPT -A attacks -p tcp --tcp-flags SYN,ACK SYN -j DROP - #$IPT -A attacks -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 15/minute -j LOG --log-prefix "FIN-!ACK:" - $IPT -A attacks -p tcp --tcp-flags FIN,ACK FIN -j DROP - #$IPT -A attacks -p tcp --tcp-flags ALL PSH -m limit --limit 15/minute -j LOG --log-prefix "PSH-SCAN:" - $IPT -A attacks -p tcp --tcp-flags ALL PSH -j DROP - - #Allowed incoming traffic is related and established connections - $IPT -A allowed -m state --state ESTABLISHED,RELATED -j ACCEPT - $IPT -A allowed -j RETURN - - $IPT -A INPUT -i lo -j ACCEPT - $IPT -A INPUT -j attacks - $IPT -A INPUT -j invalid - $IPT -A INPUT -j allowed - - $IPT -A OUTPUT -p icmp -j DROP - - $IPT-save - - exit 0' > /etc/init.d/firewall +exit 0 + ' > /etc/init.d/firewall chown root /etc/init.d/firewall chmod 750 /etc/init.d/firewall 
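Review bot: The new LSB header has fields that insserv/update-rc.d will not parse as intended: `Default-Start: 34 2 3 4 5 .` contains `34` and `.`, which are not runlevels, and `Required-Start: iptables` names a facility that exists only if some other init script provides it. Something like `# Required-Start: $local_fs` and `# Default-Start: 2 3 4 5` would be accepted. Separately, the last command `$IPT-save` expands to `/sbin/iptables-save`, which only prints the ruleset to stdout and persists nothing. The script also configures IPv4 only, so a host with IPv6 enabled stays unfiltered unless matching `ip6tables` policies are added.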
@@ -179,7 +189,20 @@ if echo "$answer" | grep -iq "^y" ;then printer-driver-pxljr printer-driver-sag-gdi printer-driver-splix \ samba-common samba-common-bin smbclient telepathy-salut toshset \ virtuoso-minimal virtuoso-opensource-6.1-bin0 \ - virtuoso-opensource-6.1-common gufw hexchat pidgin + virtuoso-opensource-6.1-common gufw hexchat pidginasymptote-doc \ + bluez-obexd brackets cabextract cheese cheese-common ompiz compiz-core \ + compiz-gnome compiz-mate compiz-plugins compiz-plugins-default compton \ + cups-client cups-common cups-core-drivers cups-daemon \ +cups-filters cups-filters-core-drivers cups-pk-helper cups-ppdc cups-server-common \ +deja-dup-backend-cloudfiles deja-dup-backend-gvfs deja-dup-backend-s3 \ +deja-dup-caja dia dia-common dia-libs dia-shapes evolution-data-server-common \ +exfat-fuse exfat-utils fcrackzip ffmpegthumbnailer gnome-icon-theme-symbolic \ +gnome-orca gvfs-backends ideviceinstaller inxi libcheese-gtk25 libcheese8 \ +libcompizconfig0 libebackend-1.2-10 libebook-1.2-16 libebook-contacts-1.2-2 \ +libedata-book-1.2-25 libedataserver-1.2-21 libpurple-bin libpurple0 libsmbclient lynx \ +lynx-common mate-netbook mate-netbook-common \ +mate-tweak octave-info octave-nlopt pidgin-data pidgin-otr potrace rarian-compat \ +rhythmbox-data rtorrent samba-libs ttf-mscorefonts-installer ubuntu-mate-welcome fi echo -n "Would you like to install any .deb packages from folder ~/Programs (if any) ? (y/n)? " From e2ab48feacd6c0205c5acc7a2a5f364681f2f3ca Mon Sep 17 00:00:00 2001 From: louiscyphre Date: Sat, 2 Jun 2018 00:53:42 +0300 Subject: [PATCH 2/3] Added forgotten (pseudo)random iv --- bckp.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/bckp.sh b/bckp.sh index 9f7ca97..40548ee 100755 --- a/bckp.sh +++ b/bckp.sh 
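Review bot: The first added line fuses two package names into `pidginasymptote-doc`, and the next line has `ompiz` where `compiz` appears intended, so `pidgin` silently drops out of the list and two names match no package. The command this list belongs to starts above the hunk; if it is an apt-get invocation, a single unknown name typically makes apt abort the whole operation, so none of the listed packages would be processed. Suggested: `virtuoso-opensource-6.1-common gufw hexchat pidgin asymptote-doc \` and `bluez-obexd brackets cabextract cheese cheese-common compiz compiz-core \`.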
@@ -16,10 +16,19 @@ fi if [ -d "$dstdir" ]; then + tar -cpjfW $tmpdir/$filename $srcdir - openssl aes-256-cbc -in $tmpdir/$filename -out $tmpdir/$filename.enc + + # random iv to keep along with encrypted file + echo $RANDOM | md5sum | cut -d' ' -f1 > $dstdir/iv + + openssl aes-256-cbc -md sha256 -iv $(cat $dstdir/iv) -in $tmpdir/$filename -out $tmpdir/$filename.enc + rm -f $tmpdir/$filename + mv $tmpdir/$filename.enc $dstdir/$filename.enc + + sha512sum $dstdir/$filename.enc > $dstdir/$filename.enc.sha512 else echo "$dstdir not a directory." echo $usage From cf2fdd0fd2ccc95a00d6dc5aea9819d9276d3c37 Mon Sep 17 00:00:00 2001 From: louiscyphre Date: Mon, 4 Jun 2018 01:30:58 +0300 Subject: [PATCH 3/3] Added comment for decryption --- bckp.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bckp.sh b/bckp.sh index 40548ee..0827b6e 100755 --- a/bckp.sh +++ b/bckp.sh @@ -24,6 +24,9 @@ if [ -d "$dstdir" ]; then openssl aes-256-cbc -md sha256 -iv $(cat $dstdir/iv) -in $tmpdir/$filename -out $tmpdir/$filename.enc + # to decrypt: + # openssl aes-256-cbc -d -md sha256 -iv $dstdir/iv -in $tmpdir/$filename.enc -out $tmpdir/$filename + rm -f $tmpdir/$filename mv $tmpdir/$filename.enc $dstdir/$filename.enc
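Review bot: The IV written by `echo $RANDOM | md5sum | cut -d' ' -f1 > $dstdir/iv` can take only 32768 values because `$RANDOM` is a 15-bit number, and every run overwrites the single `$dstdir/iv`, so earlier backups in the same directory lose the IV they were encrypted with. With a passphrase, `openssl enc` already stores a random salt in the output and derives the IV from it, so the simplest fix is to drop `-iv` entirely; if an explicit IV is kept, use `openssl rand -hex 16 > "$dstdir/$filename.iv"` so it is unpredictable and stored per archive. The `.sha512` file is an unkeyed digest kept beside the ciphertext, so it detects accidental corruption but not deliberate modification, since anyone able to alter the `.enc` can regenerate it. On OpenSSL 1.1.1 or later, adding `-pbkdf2` strengthens the passphrase-to-key derivation beyond the single digest round selected by `-md sha256`.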
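Review bot: The decryption comment passes `-iv $dstdir/iv`, which hands openssl the file path rather than the hex string, whereas the encryption line above uses `$(cat $dstdir/iv)`. It also reads `$tmpdir/$filename.enc`, which no longer exists after the `mv` into `$dstdir`. A comment that matches what the script produces would be `# openssl aes-256-cbc -d -md sha256 -iv "$(cat "$dstdir/iv")" -in "$dstdir/$filename.enc" -out "$filename"`.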