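#!/usr/bin/bash
#
# Harden TLS on a cPanel/WHM host: pin one cipher list and protocol set across
# Apache, Dovecot, Exim, pure-ftpd and the cPanel services, require encryption
# for mail/FTP logins, optionally close 3306 in csf/apf and turn off
# mod_userdir temp URLs.  It edits live config files in place and restarts
# services, so it must run as root on a host you intend to change.
#
# Tunables are the variables below.  Paths and the /scripts/* helpers are the
# cPanel ones this script was written against.

set -u

# Cipher/protocol policy applied to every service.
readonly cipher_list='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!RC4:!DES:!3DES:!IDEA'
readonly tls_versions='TLSv1.2'
# Exim and pure-ftpd take the protocol pin as part of the cipher string.
readonly combined_ciphers="$cipher_list:+TLSv1.2"
# Value written to pure-ftpd's "TLS:" directive; 2 makes TLS mandatory
# (the summary printed at the end reports it as "require SSL").
readonly force_ssl_ftp='2'
readonly exim_tls='+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1'

# Feature toggles (1 = on).
block_3306=1
userdir_protection=1
# tcp_timestamps is a kernel setting; it cannot be changed inside a VPS.
disable_tcp_timestamps=0

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "Error: this script edits system config and restarts services; run it as root"

#######################################
# Escape text for use as the replacement part of a sed "s%…%…%" command.
# Arguments: $1 - raw replacement text
# Outputs:   escaped text on stdout (backslash, & and the % delimiter are
#            protected so cipher strings or paths cannot alter the command)
#######################################
sed_repl_escape() {
  printf '%s' "$1" | sed 's/[\\&%]/\\&/g'
}

#######################################
# Set a configuration directive: rewrite the first line matching the pattern,
# or add the directive when no line matches.  Two files get special
# placement: /etc/exim.conf.local gets the directive inserted right after the
# @CONFIG@ marker, the dovecot main.local template gets it at the top.
# Globals:   none
# Arguments: $1 - regex matching the whole existing directive; it is used by
#                 both grep -P and sed -r, so keep to syntax both accept, and
#                 it must not contain '%' (the sed delimiter)
#            $2 - literal replacement line
#            $3 - file to edit (created empty if it does not exist)
# Outputs:   progress messages on stdout
#######################################
add_if() {
  local pattern=$1 directive=$2 conf=$3
  local repl
  repl=$(sed_repl_escape "$directive")

  if [[ ! -f "$conf" ]]; then
    echo "Error: file not found $conf"
    touch "$conf"
  fi

  if grep -Pq "$pattern" "$conf"; then
    echo "Changing existing directive in $conf"
    sed -ri "s%$pattern%$repl%" "$conf"
    return
  fi

  case "$conf" in
    /etc/exim.conf.local)
      # \n in a GNU sed replacement is a newline: marker stays, directive follows it.
      sed -ri "s%(@CONFIG@)%\1\n$repl%" "$conf"
      echo "adding to exim conf $conf"
      ;;
    /var/cpanel/templates/dovecot2.2/main.local)
      # '%' delimiter so a '/' in the directive cannot break the command.
      sed -i "1s%^%$repl\n%" "$conf"
      # The original line lacked 'echo', so this message was executed as a command.
      echo "modifying dovecot conf $conf"
      ;;
    *)
      echo "Creating new directive in $conf"
      printf '%s\n' "$directive" >> "$conf"
      ;;
  esac
}

#######################################
# Remove one port from a double-quoted, comma-separated port list such as
#   TCP_IN = "20,21,22,3306,443"
# The port is removed whether it is first, in the middle, last, or the only
# entry (the original single pattern only handled a port followed by a comma).
# Arguments: $1 - config file
#            $2 - variable name holding the list (e.g. TCP_IN)
#            $3 - port number
#######################################
remove_port() {
  local conf=$1 key=$2 port=$3
  sed -ri \
    -e "s%^($key *= *\"([^\"]*,)?)$port,%\1%" \
    -e "s%^($key *= *\"[^\"]*),$port\"%\1\"%" \
    -e "s%^($key *= *\")$port\"%\1\"%" \
    "$conf"
}

if [[ $disable_tcp_timestamps == 1 ]]; then
  sysctl net.ipv4.tcp_timestamps=0
  # add_if keeps a single line in sysctl.conf instead of appending on every run.
  add_if 'net\.ipv4\.tcp_timestamps *=.*' 'net.ipv4.tcp_timestamps = 0' /etc/sysctl.conf
fi

# Update everything first so the config rewrites land on current packages.
yum update -y
/scripts/upcp

# Dovecot and cPanel services
/usr/local/cpanel/bin/set-tls-settings --all \
  --cipher-suites="$cipher_list" \
  --protocols="$tls_versions"

if [[ $userdir_protection == 1 ]]; then
  echo 'enabling mod_userdir protection (disabled temp urls)'
  sed -i 's%userdirprotect=0%userdirprotect=1%' /var/cpanel/cpanel.config
fi

# Dovecot: require TLS before any login.
file='/var/cpanel/templates/dovecot2.2/main.local'
if [[ ! -f "$file" ]]; then
  cp -arf '/var/cpanel/templates/dovecot2.2/main.default' "$file"
fi
add_if 'ssl *= *.*' 'ssl = required' "$file"
/scripts/builddovecotconf
service dovecot restart

# Apache ciphers and protocols.
file='/var/cpanel/conf/apache/local'
add_if 'sslciphersuite: *[^ ]+.*' "sslciphersuite: $cipher_list" "$file"
add_if 'sslprotocol: *[^ ]+.*' "sslprotocol: $tls_versions" "$file"
# The cache must go or rebuildhttpdconf keeps serving the old values.
rm -f /var/cpanel/conf/apache/local.cache
/scripts/rebuildhttpdconf
service httpd restart

# FTP ciphers; pure-ftpd reads the protocol pin from the cipher string.
file='/var/cpanel/conf/pureftpd/local'
add_if 'TLSCipherSuite *: *.*' "TLSCipherSuite: $combined_ciphers" "$file"
add_if 'TLS *: *[0-2]' "TLS: $force_ssl_ftp" "$file"
rm -f /var/cpanel/conf/pureftpd/local.cache
/scripts/setupftpserver pure-ftpd --force

# Exim: both files get the same openssl_options value from $exim_tls
# (the first one was previously hard-coded and could drift from the variable).
file='/etc/exim.conf.local'
add_if 'tls_require_ciphers *= *.*' "tls_require_ciphers = $combined_ciphers" "$file"
add_if 'openssl_options *=.*' "openssl_options = $exim_tls" "$file"
file='/etc/exim.conf.localopts'
add_if 'require_secure_auth *=.*' 'require_secure_auth = 1' "$file"
add_if 'openssl_options *=.*' "openssl_options = $exim_tls" "$file"
rm -f /etc/exim.conf.local.cache
/scripts/buildeximconf
service exim restart
service cpanel restart

# Firewall: close MySQL to the outside in whichever firewall is installed.
if [[ $block_3306 == 1 ]]; then
  echo 'Closing port 3306 in the firewall'
  if [[ -f /etc/csf/csf.conf ]]; then
    remove_port /etc/csf/csf.conf TCP_IN 3306
    service csf restart
  fi
  if [[ -f /etc/apf/conf.apf ]]; then
    remove_port /etc/apf/conf.apf IG_TCP_CPORTS 3306
    service apf restart
  fi
fi

# Summary of the optional changes; built with real newlines so no echo -e is needed.
output=''
if [[ $block_3306 == 1 ]]; then
  output+=$'-Blocked port 3306 in the Firewall\n'
fi
if [[ $disable_tcp_timestamps == 1 ]]; then
  output+=$'-Disabled TCP Timestamps\n'
fi
if [[ $userdir_protection == 1 ]]; then
  output+=$'-Disabled temp URLs (user enumeration vulnerability)\n'
fi

# printf instead of 'echo -e --': bash's echo prints '--' literally.
printf '%s\n' "-Configuration Complete-
Changes:
-All system packages updated to the current version
-Apache, Dovecot, Exim, cPanel Services, and FTP all restricted to:
TLS Versions Supported : $tls_versions
Cipher Suites Supported : $cipher_list
-Exim plain text login disabled
-Dovecot Encryption is required
-FTP set to require SSL
$output"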