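#!/bin/bash
#########################################################
# Written Jan 28, 2007 and released under the GNU/GPLv2 #
# by Jeff Schroeder (jeffschroeder@computer.org)        #
#                                                       #
# lockdown-ubuntu.sh - a simple script to secure Ubuntu #
# a bit more than the default installation. This should #
# work with Ubuntu 6.06+                                #
#########################################################
#
# Everything below runs as root and edits system state in place
# (login shells via usermod, /etc/sudoers, init script links,
# directory modes). Every step is idempotent, so re-running is safe.

# A root script must not pick up binaries from the invoking user's
# environment (sudo without secure_path, PATH containing "."), so pin
# PATH before anything else is executed.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# A bit of sanity checking to start things off
if [[ "$(id -u)" != 0 ]]; then
  echo "ERROR: You must be root to run this script" >&2
  echo "Try sudo $0" >&2
  exit 1
fi

if ! grep -qs "^Ubuntu" /etc/issue; then
  echo "ERROR: This script designed for Ubuntu Linux only!" >&2
  exit 1
fi

# Non-root system level accounts have normal shells. Disable them.
# One awk pass emits "user:shell" for every account with uid in 1..999,
# matching the login field exactly. Looking the user up afterwards with
# grep "^$user" is a prefix match ("mail" also hits "mailman", "sys"
# hits "syslog"), which yields a multi-line value, fails the shell
# comparison, and silently leaves that account's shell enabled.
while IFS=: read -r user usershell; do
  if [[ "$usershell" == /bin/bash || "$usershell" == /bin/sh ]]; then
    usermod -s /bin/false "$user" && echo "Disabled shell for user: $user"
  fi
done < <(awk -F: '$3 < 1000 && $3 != 0 { print $1 ":" $7 }' /etc/passwd)

#######################################
# Stop a service and remove its rc links, if it is installed.
# Arguments: $1 - init.d script name
# Outputs:   one line on stdout per service actually disabled
#######################################
disable_service() {
  local svc=$1
  if [[ -x "/etc/init.d/$svc" ]]; then
    "/etc/init.d/$svc" stop 2>/dev/null
    update-rc.d -f "$svc" remove 2>/dev/null
    echo "Disabled service: $svc"
  fi
}

# Disable unnecessary services.
for service in ppp festival bluez-utils apmd brltty pppd-dns portmap xserver-xorg-input-wacom; do
  disable_service "$service"
done

# A server should not be running laptop services. laptop-detect exits 0
# only on a laptop; when it is absent or reports anything else we treat
# the box as a server (the conservative choice for a lockdown script)
# and drop the laptop-only services.
if ! /usr/sbin/laptop-detect 2>/dev/null; then
  for service in laptop-mode pcmcia pcmciautils bluetooth; do
    disable_service "$service"
  done
fi

# Update the system
#echo "Updating the system, this might take a while..."
#apt-get -qq update && apt-get -q upgrade --yes --force-yes

# Firewalls are good, mmmm'kay? Firestarter works with no gui just fine
#apt-get install firestarter --yes --force-yes

# Make sudo insult you when you type the wrong password (comment this
# block out if you don't want that). The edit appends ",insults" to every
# "Defaults" line. Because /etc/sudoers is rewritten with sed rather than
# visudo, validate the result and roll back on a parse error: a broken
# sudoers locks every admin out of sudo on a box with no root password.
if ! grep -q 'Defaults.*insults' /etc/sudoers; then
  cp -p /etc/sudoers /etc/sudoers.lockdown-bak
  sed -i -e '/^Defaults/s/$/,insults/' /etc/sudoers
  if ! visudo -c -f /etc/sudoers >/dev/null 2>&1; then
    echo "WARNING: edited /etc/sudoers failed visudo -c, restoring backup" >&2
    cp -p /etc/sudoers.lockdown-bak /etc/sudoers
  fi
  rm -f /etc/sudoers.lockdown-bak
fi

# Users shouldn't be able to see other users cron jobs.
# -exec ... {} + passes the paths directly, so odd characters in names
# cannot be split by xargs and an empty match runs nothing.
find /etc -maxdepth 1 -type d -name 'cron.*' -exec chmod 750 {} +

# Users shouldn't be able to read other users files for paranoia reasons.
# -mindepth 1 skips /home itself (the old 'home$' regex also skipped any
# home directory whose name merely ends in "home"). On Ubuntu each user
# has a private group, so 750 effectively restricts the home to its
# owner; anything that serves files out of home directories under a
# different uid (e.g. Apache userdir) will need o+x restored on those.
find /home -mindepth 1 -maxdepth 1 -type d ! -name 'lost+found' -exec chmod 750 {} +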