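#!/usr/bin/env bash
# CYBERPATRIOT DEBIAN-DETOX MERCER ISLAND RED TEAM SCRIPT v0.2
#
# Interactive clean-up / hardening helper for a Debian or Ubuntu image.
# Run it from the directory that holds the baseline files:
#   packnorm.txt  - one package name per line: packages expected on the box
#   usersnorm.txt - one username per line: accounts expected on the box
#   sudonorm.txt  - one username per line: accounts allowed in the sudo group
# It appends what it removed to removedapps.txt / removedusers.txt in the same
# directory.  Every removal asks for y/N confirmation on the terminal; anything
# other than y/Y (including no terminal at all) is treated as "no".
#
# Notes:
#   - Missing baseline files are fatal: an absent baseline would otherwise make
#     every package/user look "unexpected" and prompt for its removal.
#   - login.defs PASS_* values only apply to accounts created afterwards;
#     existing accounts keep their aging until changed with chage(1).
#   - sudo-group membership is read from the group's member list only; users
#     granted sudo via /etc/sudoers, sudoers.d or another admin group are not
#     covered here.
set -u

readonly PACK_BASELINE=packnorm.txt
readonly USER_BASELINE=usersnorm.txt
readonly SUDO_BASELINE=sudonorm.txt
readonly REMOVED_APPS_LOG=removedapps.txt
readonly REMOVED_USERS_LOG=removedusers.txt
# Package-name fragments that suggest services/tools we do not want installed
# (matched case-insensitively against every installed package name).
readonly SUSPECT_PKG_RE='shark|hydra|nginx|Samba|snmp|Nfs|sendmail|Xinetd|crack|telnet|apache'

#######################################
# Print a fatal error to stderr and exit 1.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a non-fatal warning to stderr.
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Ask a y/N question on the controlling terminal.
# Arguments: $1 - prompt text
# Returns:   0 if the user typed y or Y, 1 otherwise (also when no tty)
#######################################
confirm() {
  local response
  # read from /dev/tty because the callers' stdin is the list being iterated
  read -r -p "$1 " response < /dev/tty || return 1
  [[ $response =~ ^[Yy]$ ]]
}

#######################################
# Whole-line, fixed-string membership test.
# Arguments: $1 - item, $2 - baseline file
# Returns:   0 if the item is a line of the file, 1 otherwise
#######################################
in_baseline() {
  grep -Fxq -- "$1" "$2"
}

#######################################
# Abort unless a baseline file exists (see header note).
# Arguments: $1 - baseline file path
#######################################
require_baseline() {
  [[ -f $1 ]] || die "baseline file $1 is missing; refusing to treat everything as unexpected"
}

#######################################
# List installed package names, one per line.
# dpkg --get-selections prints "<pkg>\t<state>"; only state "install" counts
# (the old tr/sed approach also mangled names of "deinstall" entries).
#######################################
installed_packages() {
  dpkg --get-selections | awk '$2 == "install" { print $1 }'
}

#######################################
# Set a "KEY value" style directive in a config file.
# Replaces every active (uncommented) line for KEY; if there is none,
# un-comments the first "#KEY ..." line in place (keeps sshd_config directives
# above any Match block); if there is none either, appends LINE to the file.
# Arguments: $1 - file, $2 - key (literal; '.' is escaped for the regex),
#            $3 - full replacement line
# LINE and KEY must not contain '/', '&' or '\' (used inside a sed expression).
# Returns:   0 on success, 1 if the file does not exist (with a warning)
#######################################
set_conf() {
  local file=$1 key=$2 line=$3
  local key_re=${key//./\\.}
  local active="^[[:space:]]*${key_re}([[:space:]=].*)?\$"
  local commented="^#[[:space:]]*${key_re}([[:space:]=].*)?\$"

  if [[ ! -f $file ]]; then
    warn "config file $file not found; skipping $key"
    return 1
  fi
  if sudo grep -Eq -- "$active" "$file"; then
    sudo sed -i -E "s/${active}/${line}/" "$file"
  elif sudo grep -Eq -- "$commented" "$file"; then
    # GNU sed: the 0,/re/ range limits the substitution to the first match
    sudo sed -i -E "0,/${commented}/s/${commented}/${line}/" "$file"
  else
    printf '%s\n' "$line" | sudo tee -a -- "$file" >/dev/null
  fi
}

#######################################
# Offer to purge every installed package whose name matches SUSPECT_PKG_RE.
# Successful purges are appended to REMOVED_APPS_LOG.
#######################################
purge_unwanted_packages() {
  local pkg
  while IFS= read -r pkg; do
    if confirm "purge this package ${pkg}?"; then
      if sudo apt-get purge -y "$pkg"; then
        printf '%s\n' "$pkg" >> "$REMOVED_APPS_LOG"
      else
        warn "purge of $pkg failed"
      fi
    else
      printf 'skipped removal\n'
    fi
  done < <(installed_packages | grep -iE -- "$SUSPECT_PKG_RE")
}

#######################################
# Print every installed package that is not listed in PACK_BASELINE.
# One grep -f pass instead of one grep per package; an empty baseline
# correctly reports every package.
#######################################
report_unexpected_packages() {
  local pkg
  installed_packages | grep -vxF -f "$PACK_BASELINE" \
    | while IFS= read -r pkg; do
        printf '%s is sus\n' "$pkg"
      done
}

#######################################
# Install ufw and enable it (ufw itself asks for confirmation).
#######################################
enable_firewall() {
  sudo apt-get install -y ufw || die "could not install ufw"
  sudo ufw enable || warn "ufw enable failed"
}

#######################################
# Apply the password-aging, SYN-cookie, sshd and apt-periodic settings and
# make the kernel/sshd pick them up.
#######################################
harden_config_files() {
  set_conf /etc/login.defs PASS_MAX_DAYS 'PASS_MAX_DAYS 15'
  set_conf /etc/login.defs PASS_MIN_DAYS 'PASS_MIN_DAYS 1'
  set_conf /etc/login.defs PASS_WARN_AGE 'PASS_WARN_AGE 5'

  # SYN cookies keep the listen backlog usable under a SYN flood
  if set_conf /etc/sysctl.conf net.ipv4.tcp_syncookies 'net.ipv4.tcp_syncookies = 1'; then
    sudo sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null \
      || warn "tcp_syncookies written to sysctl.conf but not applied at runtime"
  fi

  # Default sshd_config ships the directive commented out, so a plain
  # "^PermitRootLogin" substitution would change nothing; set_conf handles that.
  if set_conf /etc/ssh/sshd_config PermitRootLogin 'PermitRootLogin no'; then
    # validate before reloading so a bad edit cannot take sshd down
    if sudo sshd -t; then
      sudo systemctl reload ssh 2>/dev/null \
        || sudo systemctl reload sshd 2>/dev/null \
        || warn "sshd_config updated but sshd not reloaded; reload it manually"
    else
      warn "sshd -t rejected /etc/ssh/sshd_config; fix it before reloading"
    fi
  fi

  local apt_periodic=/etc/apt/apt.conf.d/10periodic
  # the file is absent on some images; an empty file is valid apt.conf syntax
  [[ -f $apt_periodic ]] || sudo touch "$apt_periodic"
  set_conf "$apt_periodic" APT::Periodic::Update-Package-Lists \
    'APT::Periodic::Update-Package-Lists "1";'
}

#######################################
# Offer to delete every local account not listed in USER_BASELINE.
# root is never offered.  Deleted accounts are appended to REMOVED_USERS_LOG.
#######################################
remove_unexpected_users() {
  local u
  while IFS= read -r u; do
    [[ -n $u ]] || continue
    [[ $u == root ]] && continue
    in_baseline "$u" "$USER_BASELINE" && continue
    if confirm "kill the user ${u}?"; then
      if sudo deluser "$u"; then
        printf '%s\n' "$u" >> "$REMOVED_USERS_LOG"
        printf 'user %s combusted\n' "$u"
      else
        warn "deluser $u failed"
      fi
    else
      printf 'skipped removal\n'
    fi
  done < <(awk -F: '{ print $1 }' /etc/passwd)
}

#######################################
# Offer to drop every sudo-group member not listed in SUDO_BASELINE from the
# group.  The member field is comma separated, so it is split into one name
# per line before comparing.  Only group membership is removed, the account
# itself stays.
#######################################
remove_unexpected_sudoers() {
  local u
  while IFS= read -r u; do
    [[ -n $u ]] || continue
    in_baseline "$u" "$SUDO_BASELINE" && continue
    if confirm "remove ${u} from the sudo group?"; then
      if sudo deluser "$u" sudo; then
        printf '%s\n' "$u" >> "$REMOVED_USERS_LOG"
        printf 'user %s has been un-sudoed\n' "$u"
      else
        warn "could not remove $u from the sudo group"
      fi
    else
      printf 'skipped removal\n'
    fi
  done < <(getent group sudo | cut -d: -f4 | tr ',' '\n')
}

main() {
  local f
  # fail fast, before any package or account is touched
  for f in "$PACK_BASELINE" "$USER_BASELINE" "$SUDO_BASELINE"; do
    require_baseline "$f"
  done

  sudo apt-get update || warn "apt-get update failed; continuing with stale package lists"
  sudo apt-get upgrade || warn "apt-get upgrade failed"

  purge_unwanted_packages
  report_unexpected_packages
  enable_firewall
  harden_config_files
  remove_unexpected_users
  remove_unexpected_sudoers
}

main "$@"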