A:nginx.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
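#!/bin/bash
#
# nginx hardening audit: prints one GOOD/BAD line per check and appends a
# run record to the MK3S log.
#
# Scope caveats for anyone acting on the results:
#   - Only the two files named below are searched. A directive that lives in
#     an included file (conf.d/*, another vhost) is not seen and reports BAD.
#   - sites-available/default is checked, not sites-enabled. GOOD means the
#     line exists in that file, not that nginx is serving with it;
#     `nginx -T` prints the configuration nginx actually loads.
#   - Each check looks for one exact directive line, so an equivalent or
#     stricter value also reports BAD.

readonly NGINX_CONF=/etc/nginx/nginx.conf
readonly NGINX_SITE=/etc/nginx/sites-available/default
readonly INDEX_HTML=/var/www/html/index.html
# NOTE(review): the audit trail lives under /bin; confirm that only the
# auditing account can write to it.
readonly AUDIT_LOG=/bin/lib/sh/MK3S/data/MK3S.log

#######################################
# Print one result line in the audit's colour scheme.
# Arguments: $1 - label, including its trailing \t padding
#            $2 - "good" for a pass, anything else for a failure
# Outputs:   the formatted line on stdout
#######################################
report() {
  local label=$1 verdict=$2 status
  if [[ "$verdict" == good ]]; then
    status='\e[92m[ GOOD ]'
  else
    status='\e[91m[ BAD ]'
  fi
  printf '%b\n' "\e[39m[*] ${label}${status}"
}

#######################################
# Test whether a file holds an active (uncommented) directive line.
# The body is anchored to the start of the line after optional indentation,
# so "# server_tokens off;" no longer counts as configured and an indented
# directive inside a block is still found.
# Arguments: $1 - config file, $2 - PCRE for the directive itself
# Returns:   0 if present; non-zero if absent or the file is unreadable.
#            An unreadable file must fail: the earlier unquoted
#            `[ $count -eq 0 ]` test errored on an empty count and fell
#            through to GOOD.
#######################################
directive_present() {
  local file=$1 body=$2
  [[ -r "$file" ]] || return 1
  grep -qP -- "^\s*${body}\s*\$" "$file"
}

#######################################
# Test whether the nginx package is installed according to dpkg.
# Returns: 0 if dpkg reports "ok installed", non-zero otherwise
#######################################
nginx_installed() {
  # ${Status} is a dpkg-query format field, not a shell variable.
  # shellcheck disable=SC2016
  dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -q 'ok installed'
}

#######################################
# Test whether the default index page carries no words.
# A missing file passes, as it did before (there is no page to serve);
# a file that exists but cannot be read fails instead of passing.
# Arguments: $1 - path to index.html
#######################################
index_is_empty() {
  local file=$1 words
  [[ -e "$file" ]] || return 0
  words=$(wc -w < "$file") || return 1
  (( words == 0 ))
}

#######################################
# Run one check command and report its outcome under the given label.
# Arguments: $1 - label (with \t padding), $2.. - command and its arguments
#######################################
run_check() {
  local label=$1
  shift
  if "$@"; then
    report "$label" good
  else
    report "$label" bad
  fi
}

main() {
  echo
  echo -e "\e[1;95m-------------------------[nginx audit in progress]-------------------------"

  run_check 'Checking nginx installation\t\t\t\t\t\t\t\t' \
    nginx_installed
  run_check 'Checking if nginx version is hidden\t\t\t\t\t\t\t' \
    directive_present "$NGINX_CONF" 'server_tokens\soff;'
  run_check 'Checking if ETags is removed\t\t\t\t\t\t\t' \
    directive_present "$NGINX_CONF" 'etag\soff;'
  run_check 'Checking if index.html is empty\t\t\t\t\t\t\t' \
    index_is_empty "$INDEX_HTML"

  # NOTE(review): the two ...-GCM-SHA512 names do not look like OpenSSL suite
  # names (AES-GCM suites end in SHA256/SHA384); confirm with
  # `openssl ciphers` before treating this string as the reference list.
  run_check 'Checking if strong cipher suites are enabled\t\t\t\t\t' \
    directive_present "$NGINX_CONF" \
    'ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;'
  run_check 'Checking if ssl session timeout is set\t\t\t\t\t\t' \
    directive_present "$NGINX_CONF" 'ssl_session_timeout 5m;'
  run_check 'Checking if ssl session cache is set\t\t\t\t\t\t' \
    directive_present "$NGINX_CONF" 'ssl_session_cache shared:SSL:10m;'

  run_check 'Checking if HttpOnly and Secure flags are enabled\t\t\t\t\t' \
    directive_present "$NGINX_SITE" 'proxy_cookie_path / \"/; secure; HttpOnly\";'
  run_check 'Checking if Clickjacking Attack Protection is enabled\t\t\t\t' \
    directive_present "$NGINX_SITE" 'add_header X-Frame-Options DENY;'
  # NOTE(review): current browsers have dropped the XSS filter this header
  # controlled; the Content-Security-Policy check below is the one that
  # reflects real protection.
  run_check 'Checking if XSS Protection is enabled\t\t\t\t\t\t' \
    directive_present "$NGINX_SITE" 'add_header X-XSS-Protection \"1; mode=block\";'
  run_check 'Checking if Enforce secure connections is enabled\t\t\t\t\t' \
    directive_present "$NGINX_SITE" \
    'add_header Strict-Transport-Security \"max-age=31536000; includeSubdomains;\";'
  run_check 'Checking if MIME sniffing Protection is enabled\t\t\t\t\t' \
    directive_present "$NGINX_SITE" 'add_header X-Content-Type-Options nosniff;'
  run_check 'Checking if Cross-site scripting and injections Protection is enabled\t\t' \
    directive_present "$NGINX_SITE" \
    "add_header Content-Security-Policy \"default-src 'self';\";"
  run_check 'Checking if X-Robots-Tag is set\t\t\t\t\t\t\t' \
    directive_present "$NGINX_SITE" 'add_header X-Robots-Tag none;'

  echo -e "\033[0m"
  # "[SUCCESS]" records that the audit ran, not that every check passed.
  # Quoted so the shell cannot glob-expand it against a file named S, U, C or
  # E in the working directory; the user name falls back to `id -un` when
  # USER is unset (cron), so the log entry is always attributed.
  printf '%s\n' "[SUCCESS] nginx audit ran by ${USER:-$(id -un)} on $(date -u)" \
    | tee -a "$AUDIT_LOG"
}

main "$@"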