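#!/bin/sh
#
# FreeBSD host hardening.
#
# In order, this script:
#   1. removes world access from sensitive /etc files;
#   2. hides session/accounting tools from users, neuters rsh/rlogin and
#      restricts scanners to root;
#   3. restricts cron/at to root;
#   4. tightens /root, /, home directories, rc scripts, master.passwd, /var/log;
#   5. marks /bin, /sbin and /usr/sbin immutable (schg);
#   6. records hardening settings in /etc/rc.conf and /etc/sysctl.conf.
#
# Must run as root.  Re-runnable: missing paths are skipped with a warning and
# rc.conf/sysctl.conf keys already present with the same value are not
# appended again.  rc.conf/sysctl.conf settings take effect at the next boot
# (`service sysctl restart` applies the sysctl part immediately).
#
# Deliberate trade-offs to understand before running it:
#   * kern_securelevel=3 together with schg on the base binaries means the base
#     system cannot be updated (freebsd-update, installworld) until you boot
#     single-user and `chflags noschg` the files.  Securelevel 3 also freezes
#     the pf/ipfw rule set and makes raw disk devices read-only.
#   * syslogd_flags="-ss" never opens the network socket, so syslogd cannot
#     forward logs to a remote collector.  Use "-s" if you ship logs off-host.
#   * sendmail is disabled completely; local mail (cron output, periodic
#     reports) is lost unless another MTA is configured.
#   * installworld/freebsd-update and pkg upgrades reinstall binaries with
#     their stock modes, so the chmod section has to be re-applied afterwards.

set -u

die() { printf 'harden: %s\n' "$*" >&2; exit 1; }
warn() { printf 'harden: warning: %s\n' "$*" >&2; }

[ "$(id -u)" -eq 0 ] || die "must be run as root"

# chmod_if MODE PATH...
# Apply MODE to every PATH that exists.  A missing path (rsh/rlogin on releases
# that no longer ship them, nmap/nessus when not installed) is reported and
# skipped instead of aborting the run.
chmod_if() {
  local mode p
  mode=$1; shift
  for p in "$@"; do
    if [ -e "$p" ]; then
      chmod "$mode" "$p" || warn "chmod $mode $p failed"
    else
      warn "skipping missing path $p"
    fi
  done
}

# set_kv FILE KEY VALUE
# Append "KEY=VALUE" to FILE unless that exact line is already there.  If the
# key is present with a different value it is still appended (a warning is
# printed); both rc.conf and sysctl.conf are processed top to bottom, so the
# last assignment wins.  sysrc(8) could be used for rc.conf instead.
set_kv() {
  local file key value
  file=$1; key=$2; value=$3
  if grep -qxF -- "${key}=${value}" "$file" 2>/dev/null; then
    return 0
  fi
  if grep -q "^${key}=" "$file" 2>/dev/null; then
    warn "$file already sets $key; appending ${key}=${value} (last one wins)"
  fi
  printf '%s=%s\n' "$key" "$value" >> "$file" || warn "could not write $file"
}

# rc_set KEY VALUE     -> KEY="VALUE" in /etc/rc.conf
# sysctl_set KEY VALUE -> KEY=VALUE   in /etc/sysctl.conf
rc_set() { set_kv /etc/rc.conf "$1" "\"$2\""; }
sysctl_set() { set_kv /etc/sysctl.conf "$1" "$2"; }

# --- 1. Configuration files that only root needs to read -----------------------
# /etc/group and /etc/hosts are deliberately NOT in this list: unprivileged
# processes read them directly to resolve group names (ls -l, id) and
# hostnames (nsswitch "files"), so removing world-read breaks ordinary users.
# NOTE(review): /etc/login.conf is kept here; libutil consults
# /etc/login.conf.db first, so keep that readable (or restore 644 on
# /etc/login* if lookups by unprivileged programs start failing).
# NOTE(review): confirm no unprivileged daemon links libwrap and therefore
# needs to read /etc/hosts.allow itself.
chmod_if o= \
  /etc/fstab /etc/ftpusers /etc/hosts.allow /etc/hosts.equiv /etc/hosts.lpd \
  /etc/inetd.conf /etc/login.access /etc/login.conf /etc/newsyslog.conf \
  /etc/rc.conf /etc/ssh/sshd_config /etc/sysctl.conf /etc/syslog.conf /etc/ttys

# --- 2. Binaries ---------------------------------------------------------------
# Hide who-is-logged-in / accounting / jail listings from users.  This is
# obscurity, not isolation: the files these tools read must be protected as
# well (utx.log and lastlogin are covered by `chmod o= /var/log` below;
# check the mode of /var/run/utx.active, which `w`/`who` read).
chmod_if o= /usr/bin/users /usr/bin/w /usr/bin/who /usr/bin/lastcomm \
  /usr/sbin/jls /usr/bin/last /usr/sbin/lastlogin
# rsh/rlogin: nobody should be able to run these; absent on newer releases.
chmod_if ugo= /usr/bin/rlogin /usr/bin/rsh
# Network scanners: root only.
chmod_if o= /usr/local/bin/nmap /usr/local/bin/nessus

# --- 3. cron/at: root only -----------------------------------------------------
# Overwrites any existing allow list.
for f in /var/cron/allow /var/at/at.allow; do
  printf 'root\n' > "$f" || warn "could not write $f"
done
# crontab/at/atq/atrm/batch are setuid root; removing o=x means users cannot
# even invoke them, consistent with the root-only allow lists above.
chmod_if o= /etc/crontab /usr/bin/crontab /usr/bin/at /usr/bin/atq \
  /usr/bin/atrm /usr/bin/batch

# --- 4. Directories and the password database ----------------------------------
chmod_if 700 /root
chmod_if 751 /
chmod_if 751 /home
# Every home directory private to its owner (/home is usually a symlink to
# /usr/home; the glob follows it).
chmod_if 700 /home/*
# /etc/rc.* also matches the /etc/rc.d directory; root ignores the mode bits
# and no other user needs to read the startup scripts.
chmod_if 650 /etc/rc.*
chmod_if 600 /etc/master.passwd
# NOTE(review): this removes directory search for "other", so any non-root
# service that opens its own files under /var/log (rather than logging via
# syslogd) loses access -- verify such services still work.
chmod_if o= /var/log

# --- 5. Immutable base binaries ------------------------------------------------
# schg only becomes meaningful at kern_securelevel >= 1 (set below); until
# then root can simply clear it.  /usr/bin, /lib and /usr/lib are NOT covered,
# so an attacker with root can still swap the shared libraries these binaries
# load.  To update the base system: boot single-user, chflags noschg, update.
for d in /bin /sbin /usr/sbin; do
  chflags schg "$d"/* || warn "chflags schg on $d/* failed"
done

# --- 6. rc.conf ----------------------------------------------------------------
rc_set kern_securelevel_enable YES
rc_set kern_securelevel 3
rc_set icmp_drop_redirect YES
rc_set icmp_log_redirect YES
# The original script wrote this value with mis-encoded (smart) quotes, which
# produces a garbage assignment in rc.conf; plain ASCII quotes here.
rc_set tcp_drop_synfin YES
rc_set log_in_vain YES
rc_set nfs_server_enable NO
rc_set nfs_client_enable NO
# portmap_enable is the old name of this knob; rpcbind_enable is the current
# one.  Both are set so the intent holds on either rc framework.
rc_set portmap_enable NO
rc_set rpcbind_enable NO
rc_set icmp_bmcastecho NO
# Older rc.conf knob; harmless if the rc scripts no longer recognise it
# (net.inet.icmp.icmplim below is the sysctl behind it).
rc_set icmp_bandlim YES
# All four sendmail knobs off == no MTA at all (see header).
rc_set sendmail_enable NO
rc_set sendmail_submit_enable NO
rc_set sendmail_outbound_enable NO
rc_set sendmail_msp_queue_enable NO
rc_set syslogd_enable YES
# "-ss": secure mode, no network socket at all -- no remote log forwarding.
rc_set syslogd_flags -ss
rc_set update_motd NO
rc_set accounting_enable YES
rc_set clear_tmp_enable YES

# --- 7. sysctl.conf ------------------------------------------------------------
# Unknown OIDs only produce a warning from sysctl(8) at boot; several of the
# entries below (ip.rtexpire/rtminexpire/rtmaxcache, kern.ipc.semmap) may no
# longer exist on current releases.
sysctl_set net.inet.udp.blackhole 1
sysctl_set net.inet.tcp.blackhole 2
sysctl_set net.inet.tcp.log_in_vain 1
sysctl_set net.inet.udp.log_in_vain 1
# Drops packets arriving on an interface other than the one routing to the
# source address; breaks asymmetric-routing setups.
sysctl_set net.inet.ip.check_interface 1
# Socket buffer sizes and route-cache limits: performance tuning, not security.
sysctl_set net.inet.tcp.recvspace 65535
sysctl_set net.inet.tcp.sendspace 65535
sysctl_set net.inet.ip.rtexpire 2
sysctl_set net.inet.ip.rtminexpire 2
sysctl_set net.inet.ip.rtmaxcache 256
# The original script enabled security.jail.allow_raw_sockets=1.  That widens
# what jailed root can do (craft raw IP packets) and is the opposite of
# hardening; on current releases it is a per-jail parameter
# (allow.raw_sockets) and should be granted only to jails that need ping/
# traceroute.  Left out here on purpose:
#   sysctl_set security.jail.allow_raw_sockets 1
sysctl_set net.inet.ip.random_id 1
# The original script set syncookies=0, which removes the kernel's SYN-flood
# fallback.  With 1 (the default) the syncache is used normally and cookies
# are only sent when a syncache bucket overflows, so there is no cost.
sysctl_set net.inet.tcp.syncookies 1
sysctl_set net.inet.icmp.bmcastecho 0
sysctl_set net.inet.icmp.maskrepl 0
sysctl_set net.inet.icmp.icmplim 50
sysctl_set net.inet.icmp.drop_redirect 1
sysctl_set net.inet.tcp.icmp_may_rst 0
# SysV IPC sizing: tuning, not security.
sysctl_set kern.ipc.shmmax 134217728
sysctl_set kern.ipc.shmall 32768
sysctl_set kern.ipc.semmap 256

printf 'harden: done. Reboot for securelevel and rc.conf changes to apply.\n'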
To undo the permission changes, restore the stock modes as root:
# chmod 644 /etc/login*
# chmod o+rx /path/to/binaries
To do it faster for whole directories:
# chmod o+rx /usr/bin/* /usr/sbin/* /usr/local/bin/* /usr/local/sbin/* /bin/* /sbin/*
and for individual configuration files:
# chmod o+r /path/to/file
Two caveats: `chmod o+rx` only adds bits (setuid/setgid bits are preserved), but it also reverses every binary restriction the script made (w/who/last, crontab/at, nmap, and rsh/rlogin where they still exist), and `chmod 644 /etc/login*` re-exposes /etc/login.access as well as login.conf — re-tighten whichever of those you still want afterwards. If the script's `chflags schg` and `kern_securelevel` are in effect, chmod on /bin, /sbin and /usr/sbin fails with "Operation not permitted"; boot single-user, `chflags noschg` the files, then change the modes.