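#!/bin/ksh
#
# Andy Welter
# www.the-welters.com
# 1/3/2001
#
# This script is used to tighten up the security of a system's
# inetd.conf file, which is used to control what services the inet daemon
# will start up on a system.
#
# Most Unix systems ship by default with some services that are better
# left disabled. This script has 4 levels of tightening it can do:
#   Default - Only the worst of the default services are turned off.
#             Suitable for non-mission critical servers on a relatively
#             trustworthy internal network.
#   medium  - Slightly more restrictive, internal servers would be a good
#             candidate for this level.
#   high    - Much more restrictive. Used for systems that are exposed to the
#             internet either directly, or within a DMZ. Web servers, ftp
#             servers, mail gateways, etc.
#   max     - Everything in "high" plus ftp (see MAXLIST below).
#
# Usage:
USAGE='inetd_lockdown [-medium|-high|-max] [-install] [-v] [inetd.conf file]'
#
#   -medium, -high, -max   select the lockdown level (default: DEFLIST below)
#   -i, -install           copy the edited file over the original and HUP inetd
#   -v                     report what is disabled and show a diff at the end
#   file                   inetd.conf to edit (default: /etc/inet/inetd.conf)
#
# The edited copy is always written to <file>.new and a copy of the original
# is kept as <file>.YYMMDD. The original is only replaced with -install.
# Scratch files are created next to <file>, so they inherit that directory's
# permissions; do not point this script at a world-writable directory.
#

#
# Check a return code, and exit if not zero.
# Arguments: $1 - return code to check
#            $2 - label of the step that produced it (used in the message)
rccheck () {
  RC=$1
  if [ "$RC" -ne 0 ]; then
    printf 'Error at %s\n' "$2" >&2
    exit 1
  fi
}

#
# Define services to disable for each level.
# Services that have names are defined in the /etc/services file. The
# services with numbers here are services that use remote procedure calls
# (rpc). Many rpc based services have a history of buffer overrun security
# issues.
DEFLIST="comsat exec talk uucp tftp name finger systat netstat echo discard chargen rquotad walld rexed ruserd"
MEDLIST="$DEFLIST shell login 100232 xaudio"
HIGHLIST="$MEDLIST rstatd printer kerbd ufsd timed dtspc 100068 100083 100235 100221 100229 100230"
MAXLIST="$HIGHLIST ftp"

LIST=$DEFLIST
FILE=/etc/inet/inetd.conf
INSTALL=""
VERBOSE=""

while [ $# -ge 1 ]; do
  case "$1" in
    -medium)     LIST=$MEDLIST ;;
    -hi|-high)   LIST=$HIGHLIST ;;
    -m|-max)     LIST=$MAXLIST ;;
    -i|-install) INSTALL="yes" ;;
    -v)          VERBOSE="yes" ;;
    -*)          printf '%s\n' "$USAGE" >&2
                 exit 1 ;;
    *)           FILE=$1 ;;
  esac
  shift
done

# A directory would pass -r alone and only fail later in cp; insist on a
# readable regular file up front.
if [ ! -f "$FILE" ] || [ ! -r "$FILE" ]; then
  printf 'ERROR: No such file or file unreadable - %s\n' "$FILE" >&2
  exit 1
fi

if [ -n "$VERBOSE" ]; then
  printf 'Disabling the following services:\n'
  printf '%s\n' "$LIST"
  if [ -n "$INSTALL" ]; then
    printf 'The new %s will be installed automatically\n' "$FILE"
  fi
fi

TMPFILE=$FILE.tmp
NEWFILE=$FILE.new
BAKFILE=$FILE.$(date +%y%m%d)

# Keep the first backup of the day: a re-run must not replace the pristine
# copy with one that has already been edited.
if [ -f "$BAKFILE" ]; then
  printf 'Backup %s already exists, leaving it untouched\n' "$BAKFILE" >&2
else
  cp "$FILE" "$BAKFILE"
  rccheck $? "backup"
fi
cp "$FILE" "$TMPFILE"
rccheck $? "copy to tmp"

#
# Loop through the list of services and use sed to comment the service out.
# The match is anchored on the field separator that follows the service name
# (blank, tab, or "/" for rpc "name/version" entries) so that a short name
# cannot comment out an unrelated line that merely starts with the same
# letters. Lines that are already commented do not match and are left alone.
TAB=$(printf '\t')
for SVC in $LIST; do   # $LIST is deliberately unquoted: split on blanks
  sed "s|^$SVC[ $TAB/]|#&|" < "$TMPFILE" > "$NEWFILE"
  rccheck $? "sed"
  cp "$NEWFILE" "$TMPFILE"
  rccheck $? "cp"
done
rm -f "$TMPFILE"

#
# Install the new file and make inetd re-read its config file.
if [ "$INSTALL" = "yes" ]; then
  if [ -n "$VERBOSE" ]; then
    printf 'Installing file now...\n'
  fi
  if [ -w "$FILE" ]; then
    cp "$NEWFILE" "$FILE"
    rccheck $? "install"
    # Select the process whose command name is inetd (ps may print it with a
    # full path). Only signal when a pid was actually found, so an empty or
    # unrelated match can never turn into a stray kill.
    PID=$(ps -eaf -o pid -o comm | awk '$2 == "inetd" || $2 ~ /\/inetd$/ { print $1; exit }')
    if [ -n "$PID" ]; then
      kill -HUP "$PID"
      rccheck $? "kill -HUP inetd"
    else
      printf 'WARNING: inetd not running; %s will be read at its next start\n' "$FILE" >&2
    fi
  else
    # Do not pretend the lockdown took effect when it did not.
    printf 'ERROR: %s is not writable - new file left in %s\n' "$FILE" "$NEWFILE" >&2
    exit 1
  fi
fi

if [ -n "$VERBOSE" ]; then
  printf 'Difference between old and new files:\n'
  diff "$NEWFILE" "$BAKFILE"
fi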