diff --git a/firewall_off.sh b/firewall_off.sh
new file mode 100644
index 0000000..e5db99c
--- /dev/null
+++ b/firewall_off.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+echo "*filter"$'\n'"COMMIT" | iptables-restore
+rm /etc/network/if-pre-up.d/iptables > /dev/null 2>&1
+sync
+
+echo "Firewall is off and"
+echo "inactive at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
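Review bot: The exit status of `iptables-restore` is never checked, so "Firewall is off" is printed even when the flush failed, for instance without root or on a kernel lacking iptables support (the case firewall_on.sh tests for). Wrapping the call keeps the message truthful: `if ! echo "*filter"$'\n'"COMMIT" | iptables-restore; then echo "Could not flush the filter table."; exit 1; fi`. The `rm` with its output discarded has the same problem for the boot hook: if it fails for a reason other than a missing file, the firewall returns at the next boot although the script said it would not. `rm -f` followed by a `[ ! -f /etc/network/if-pre-up.d/iptables ]` test would tolerate the missing hook without hiding a real failure.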
diff --git a/firewall_on.sh b/firewall_on.sh
new file mode 100644
index 0000000..89fbe3b
--- /dev/null
+++ b/firewall_on.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+if ! iptables -L > /dev/null 2>&1
+then
+ echo "The current Kernel doesn't support iptables/firewalling."
+ echo "Please fix that before running this script,"
+ echo "i.e. updating your MiSTer Linux and/or running security_fixes.sh."
+ exit 1
+fi
+
+if [ ! -f /media/fat/linux/iptables.up.rules ]
+then
+ IPTABLES_UP_RULES="*filter"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -i lo -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Accepts all established inbound connections"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows all outbound traffic"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# You could modify this to only allow certain traffic"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A OUTPUT -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows SSH connections"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# The --dport number is the same as in /etc/ssh/sshd_config"
+ if [ -f /etc/init.d/S50sshd ]
+ then
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT"
+ else
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT"
+ fi
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows FTP connections"
+ if [ -f /etc/init.d/S50proftpd ]
+ then
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT"
+ else
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT"
+ fi
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows Samba connections"
+ if [ -f /etc/init.d/S91smb ]
+ then
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p udp -m state --state NEW --dport 137 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p udp -m state --state NEW --dport 138 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 139 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 445 -j ACCEPT"
+ else
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p udp -m state --state NEW --dport 137 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p udp -m state --state NEW --dport 138 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 139 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 445 -j ACCEPT"
+ fi
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Now you should read up on iptables rules and consider whether ssh access"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# for everyone is really desired. Most likely you will only allow access from certain IPs."
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allow ping"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# note that blocking other types of icmp packets is considered a bad idea by some"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# https://security.stackexchange.com/questions/22711"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# log iptables denied calls (access via 'dmesg' command)"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables denied: \" --log-level 7"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Reject all other inbound - default deny unless explicitly allowed policy:"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -j REJECT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A FORWARD -j REJECT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"COMMIT"
+ echo "$IPTABLES_UP_RULES" > /media/fat/linux/iptables.up.rules
+fi
+echo "#!/bin/bash"$'\n'"iptables-restore < /media/fat/linux/iptables.up.rules" > /etc/network/if-pre-up.d/iptables
+chmod +x /etc/network/if-pre-up.d/iptables
+sync
+/etc/network/if-pre-up.d/iptables
+
+echo "Firewall is on and"
+echo "active at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
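Review bot: The generated ruleset is loaded only through `iptables-restore`, so it filters IPv4 alone. If the MiSTer kernel has IPv6 enabled (not visible here), SSH, FTP and Samba stay reachable over IPv6 while the script reports "Firewall is on". Either have the hook load an equivalent set with `ip6tables-restore`, or state the IPv4-only scope in the header comment and the final message. Separately, the exit status of `/etc/network/if-pre-up.d/iptables` near the end is ignored, so a hand-edited rules file that no longer parses still ends in the success message. `/etc/network/if-pre-up.d/iptables || { echo "Could not load the firewall rules."; exit 1; }` would surface that.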
diff --git a/ftp_off.sh b/ftp_off.sh
new file mode 100644
index 0000000..2a23df6
--- /dev/null
+++ b/ftp_off.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+/etc/init.d/S50proftpd stop
+mv /etc/init.d/S50proftpd /etc/init.d/_S50proftpd > /dev/null 2>&1
+if [ -f /media/fat/linux/iptables.up.rules ]
+then
+ sed -e '/--dport 21 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+fi
+sync
+if [ -f /etc/network/if-pre-up.d/iptables ]
+then
+ /etc/network/if-pre-up.d/iptables
+fi
+
+echo "FTP is off and"
+echo "inactive at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
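Review bot: The `mv` that disables the init script has its errors discarded and nothing checks the outcome, so a failed rename (for example without root, since the script never tests `$EUID`) still ends in "FTP is off and inactive at startup." while the daemon returns at the next boot. A test right after the `mv` makes the message reliable: `[ ! -f /etc/init.d/S50proftpd ] || { echo "Could not disable FTP at startup."; exit 1; }`. samba_off.sh and ssh_off.sh follow the same sequence and need the same check. A header comment noting that the `sed` comments out every line containing `--dport 21 `, including rules added by hand, would document that side effect.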
diff --git a/ftp_on.sh b/ftp_on.sh
new file mode 100644
index 0000000..09d6d00
--- /dev/null
+++ b/ftp_on.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+mv /etc/init.d/_S50proftpd /etc/init.d/S50proftpd > /dev/null 2>&1
+if [ -f /media/fat/linux/iptables.up.rules ]
+then
+ sed -e '/--dport 21 /s/^#//g' -i /media/fat/linux/iptables.up.rules
+fi
+sync
+if [ -f /etc/network/if-pre-up.d/iptables ]
+then
+ /etc/network/if-pre-up.d/iptables
+fi
+/etc/init.d/S50proftpd start
+
+echo "FTP is on and"
+echo "active at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
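Review bot: The port-21 rule is uncommented and the firewall reloaded before anything confirms that `/etc/init.d/S50proftpd` exists, and the `mv` errors are discarded. If neither `_S50proftpd` nor `S50proftpd` is present, the start at the end fails, the port stays accepted in the rules file and "FTP is on" is still printed. Adding `[ -f /etc/init.d/S50proftpd ] || { echo "ProFTPD init script not found."; exit 1; }` right after the `mv` avoids opening a port for a service that cannot start. ssh_on.sh has the same ordering and would take the same guard with `S50sshd`.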
diff --git a/samba_off.sh b/samba_off.sh
new file mode 100644
index 0000000..c5a7ac0
--- /dev/null
+++ b/samba_off.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+/etc/init.d/S91smb stop
+mv /etc/init.d/S91smb /etc/init.d/_S91smb > /dev/null 2>&1
+if [ -f /media/fat/linux/iptables.up.rules ]
+then
+ sed -e '/--dport 137 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 138 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 139 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 445 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+fi
+sync
+if [ -f /etc/network/if-pre-up.d/iptables ]
+then
+ /etc/network/if-pre-up.d/iptables
+fi
+
+echo "Samba is off and"
+echo "inactive at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
diff --git a/samba_on.sh b/samba_on.sh
new file mode 100644
index 0000000..3b9c4e6
--- /dev/null
+++ b/samba_on.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+mv /etc/init.d/_S91smb /etc/init.d/S91smb > /dev/null 2>&1
+if [ -f /media/fat/linux/iptables.up.rules ]
+then
+ sed -e '/--dport 137 /s/^#//g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 138 /s/^#//g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 139 /s/^#//g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 445 /s/^#//g' -i /media/fat/linux/iptables.up.rules
+fi
+sync
+if [ -f /etc/network/if-pre-up.d/iptables ]
+then
+ /etc/network/if-pre-up.d/iptables
+fi
+/etc/init.d/S91smb start
+
+echo "Samba is on and"
+echo "active at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
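Review bot: Ports 137, 138, 139 and 445 are opened without checking for `/media/fat/linux/samba.sh`. According to the message in security_fixes.sh in this same commit, that file must exist (renamed from `_samba.sh` and customised) before Samba will start. When it is missing, the script would leave four ports accepted in the rules file and still print "Samba is on". Placing `[ -f /media/fat/linux/samba.sh ] || { echo "Rename and customize /media/fat/linux/_samba.sh first."; exit 1; }` before the `sed` lines closes that gap. The four `sed -i` calls could also be a single invocation with four `-e` expressions, which rewrites the rules file once instead of four times.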
diff --git a/security_fixes.sh b/security_fixes.sh
new file mode 100644
index 0000000..d470046
--- /dev/null
+++ b/security_fixes.sh
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+echo ""
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+if [ "$SSH_CLIENT" == "" ]
+then
+ echo "This script must be run"
+ echo "from a SSH terminal"
+ echo "because it will ask"
+ echo "some questions."
+ exit 2
+fi
+if (( $EUID != 0 )); then
+ echo "This script must be run as root."
+ exit 3
+fi
+
+if [ "$(cat /etc/shadow | grep -o "^root:[^:]*" | md5sum)" == "9104842aa3318a956e51a081d052d2ee -" ]
+then
+ echo "root password is the original one from"
+ echo "the SD-Installer; it should be changed."
+ read -p "Do you want me to fix it?? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ until passwd root
+ do
+ echo "Password not set, try again."
+ sleep 1
+ done
+ sync
+ echo "root password succesfully changed."
+ ;;
+ esac
+else
+ echo "root password has already been changed."
+fi
+
+echo ""
+curl -q https://google.com &>/dev/null
+case $? in
+ 0)
+ echo "CA certificates seem to work, no fix will be applied."
+ ;;
+ 60)
+ read -p "CA certificates need to be fixed, do you want me to fix them? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ if (( $(ls -A /etc/ssl/certs| wc -l) > 0 ))
+ then
+ echo "/etc/ssl/certs is not empty, please backup its content first and then empty it."
+ read -p "Do you want me to empty /etc/ssl/certs? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ rm /etc/ssl/certs/*
+ ;;
+ *)
+ exit 4
+ ;;
+ esac
+ fi
+ if ! which "openssl" &>/dev/null
+ then
+ echo "Downloading openssl"
+ curl http://security-cdn.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.0.1t-1+deb8u10_armhf.deb -o /tmp/openssl_1.0.1t-1+deb8u10_armhf.deb
+ ar p /tmp/openssl_1.0.1t-1+deb8u10_armhf.deb data.tar.xz | tar xJ --strip-components=3 -C "/media/fat/linux" ./usr/bin/openssl
+ rm /tmp/openssl_1.0.1t-1+deb8u10_armhf.deb
+ fi
+ echo "Downloading and processing https://curl.haxx.se/ca/cacert.pem into /etc/ssl/certs;"
+ echo "this may take some time..."
+ curl -k "https://curl.haxx.se/ca/cacert.pem"|awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {if(length($0) > 0) print > "/etc/ssl/certs/cert" n ".pem"}'
+ for PEM in /etc/ssl/certs/*.pem; do mv "$PEM" "$(dirname "$PEM")/$(cat "$PEM" | grep -m 1 '^[^#]').pem"; done
+ for PEM in /etc/ssl/certs/*.pem; do for HASH in $(openssl x509 -subject_hash_old -hash -noout -in "$PEM" 2>/dev/null); do ln -s "$(basename "$PEM")" "$(dirname "$PEM")/$HASH.0"; done; done
+ sync
+ echo "CA certificates have been successfully fixed."
+ ;;
+ esac
+ ;;
+ *)
+ echo "No Internet connection, please try again later."
+ ;;
+esac
+
+echo ""
+if [ "$(cat /etc/ssh/ssh_host_rsa_key.pub | md5sum)" == "79f59093c55740abc8bcf6aa8edc9577 -" ]
+then
+ echo "SSH host keys are the original ones which came"
+ echo "with the SD-Installer; they should be regenerated."
+ read -p "Do you want me to fix them? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ echo "Generating new SSH host keys."
+ echo "Next time you connect through SSH or SCP"
+ echo "your client will warn you MiSTer host keys"
+ echo "don't match to the cached ones: it's normal,"
+ echo "it's the whole point of the procedure."
+ echo "Please say YES to PuTTY, UPDATE to WinSCP or"
+ echo "run something like \"ssh-keygen -R MiSTer\""
+ echo "on your Linux/BSD/OSX machine."
+
+ rm /etc/ssh/ssh_host_*
+ echo "Creating new SSH host keys; this may take some time..."
+ ssh-keygen -A
+ sync
+ echo "SSH host keys have been successfully fixed."
+ ;;
+ esac
+else
+ echo "SSH host keys seem to be already regenerated, no fix will be applied."
+fi
+
+echo ""
+if [ -f /etc/init.d/S50sshd ];
+then
+ echo "SSH daemon is active at startup;"
+ echo "it should be inactive by default"
+ echo "and manually activated when needed"
+ echo "(i.e. using auxillary ssh_on.sh)."
+ read -p "Do you want me to fix it?? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ mv /etc/init.d/S50sshd /etc/init.d/_S50sshd > /dev/null 2>&1
+ if [ -f /media/fat/linux/iptables.up.rules ]
+ then
+ sed -e '/--dport 22 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ fi
+ sync
+ echo "Now SSH is inactive at startup."
+ ;;
+ esac
+else
+ echo "SSH daemon is correctly inactive at startup."
+fi
+
+echo ""
+if [ -f /etc/init.d/S50proftpd ];
+then
+ echo "FTP daemon is active at startup;"
+ echo "it should be inactive by default"
+ echo "and manually activated when needed"
+ echo "(i.e. using auxillary ftp_on.sh)."
+ read -p "Do you want me to fix it?? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ mv /etc/init.d/S50proftpd /etc/init.d/_S50proftpd > /dev/null 2>&1
+ if [ -f /media/fat/linux/iptables.up.rules ]
+ then
+ sed -e '/--dport 21 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ fi
+ sync
+ echo "Now FTP is inactive at startup."
+ ;;
+ esac
+else
+ echo "FTP daemon is correctly inactive at startup."
+fi
+
+echo ""
+if [ -f /etc/init.d/S91smb ];
+then
+ echo "Samba daemon is active at startup;"
+ echo "it should be inactive by default"
+ echo "and manually activated when needed"
+ echo "(i.e. using auxillary ssh_on.sh)."
+ read -p "Do you want me to fix it?? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ mv /etc/init.d/S91smb /etc/init.d/_S91smb > /dev/null 2>&1
+ if [ -f /media/fat/linux/iptables.up.rules ]
+ then
+ sed -e '/--dport 137 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 138 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 139 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ sed -e '/--dport 445 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+ fi
+ sync
+ echo "Now Samba is inactive at startup."
+ ;;
+ *)
+ if [ ! -f /media/fat/linux/samba.sh ]
+ then
+ echo "Samba will try to activate at startup, but it won't"
+ echo "because you have still to manually rename /media/fat/linux/_samba.sh"
+ echo "to /media/fat/linux/samba.sh and customize it."
+ fi
+ ;;
+ esac
+else
+ echo "Samba daemon is correctly inactive at startup."
+fi
+
+echo ""
+if { ! iptables -L > /dev/null 2>&1; } || [ ! -f /media/fat/linux/iptables.up.rules ] || [ ! -f /etc/network/if-pre-up.d/iptables ]
+then
+ FIREWALL_KERNEL="false"
+ echo "Firewall is not enabled and/or configured;"
+ echo "it should be active letting only active"
+ echo "daemons to be reached from the outside."
+ read -p "Do you want me to fix it?? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+ if iptables -L > /dev/null 2>&1
+ then
+ FIREWALL_KERNEL="true"
+ else
+ echo "The current Kernel doesn't support firewalling (iptables)."
+ read -p "Do you want me to download and install a Kernel with firewalling support? [y|n]" -n 1 -r
+ echo ""
+ case "$REPLY" in
+ y|Y)
+
+
+ curl -L "https://github.com/MiSTer-devel/Scripts_MiSTer/blob/master/firewall-kernel/zImage_dtb?raw=true" -o "/media/fat/linux/zImage_dtb.new"
+ case $? in
+ 0)
+ if md5sum /media/fat/linux/zImage_dtb.new | grep -q "^e8a1be0c17a0b6487f6291e5320fd410 "
+ then
+ mv /media/fat/linux/zImage_dtb /media/fat/linux/zImage_dtb.old
+ mv /media/fat/linux/zImage_dtb.new /media/fat/linux/zImage_dtb
+ sync
+ FIREWALL_KERNEL="true"
+ else
+ rm /media/fat/linux/zImage_dtb.new > /dev/null 2>&1
+ echo "Something went wrong with the Kernel download so it was deleted."
+ fi
+ ;;
+ 60)
+ echo "==============================================================="
+ echo "CA certificates need to be fixed before downloading the Kernel."
+ echo "Please run this script again to fix this."
+ echo "==============================================================="
+ ;;
+ *)
+ rm /media/fat/linux/zImage_dtb.new > /dev/null 2>&1
+ echo "No Internet connection, please try again later."
+ ;;
+ esac
+
+ ;;
+ *)
+ echo "You can't enable the Firewall withouth a Kernel supporting it."
+ echo "Please rerun rerunt this script if you want to enable the Firewall."
+ ;;
+ esac
+ fi
+ if [ $FIREWALL_KERNEL == "true" ]
+ then
+ if [ ! -f /media/fat/linux/iptables.up.rules ]
+ then
+ IPTABLES_UP_RULES="*filter"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -i lo -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Accepts all established inbound connections"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows all outbound traffic"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# You could modify this to only allow certain traffic"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A OUTPUT -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows SSH connections"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# The --dport number is the same as in /etc/ssh/sshd_config"
+ if [ -f /etc/init.d/S50sshd ]
+ then
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT"
+ else
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT"
+ fi
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows FTP connections"
+ if [ -f /etc/init.d/S50proftpd ]
+ then
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT"
+ else
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT"
+ fi
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allows Samba connections"
+ if [ -f /etc/init.d/S91smb ]
+ then
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p udp -m state --state NEW --dport 137 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p udp -m state --state NEW --dport 138 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 139 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p tcp -m state --state NEW --dport 445 -j ACCEPT"
+ else
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p udp -m state --state NEW --dport 137 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p udp -m state --state NEW --dport 138 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 139 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"#-A INPUT -p tcp -m state --state NEW --dport 445 -j ACCEPT"
+ fi
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Now you should read up on iptables rules and consider whether ssh access"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# for everyone is really desired. Most likely you will only allow access from certain IPs."
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Allow ping"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# note that blocking other types of icmp packets is considered a bad idea by some"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# https://security.stackexchange.com/questions/22711"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# log iptables denied calls (access via 'dmesg' command)"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables denied: \" --log-level 7"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"# Reject all other inbound - default deny unless explicitly allowed policy:"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A INPUT -j REJECT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"-A FORWARD -j REJECT"
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'""
+ IPTABLES_UP_RULES=$IPTABLES_UP_RULES$'\n'"COMMIT"
+ echo "$IPTABLES_UP_RULES" > /media/fat/linux/iptables.up.rules
+ fi
+ if [ ! -f /etc/network/if-pre-up.d/iptables ]
+ then
+ echo "#!/bin/bash"$'\n'"iptables-restore < /media/fat/linux/iptables.up.rules" > /etc/network/if-pre-up.d/iptables
+ chmod +x /etc/network/if-pre-up.d/iptables
+ fi
+ sync
+ echo "Now Firewall is active at startup."
+ else
+ echo "Firewall is not active at startup since the current Kernel doesn't support it."
+ fi
+ ;;
+ esac
+else
+ echo "Firewall is correctly active and configured."
+fi
+
+echo ""
+echo "Done!"
+echo "You can reboot now for actually applying changes."
+exit 0
\ No newline at end of file
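Review bot: The CA store is rebuilt from a bundle fetched with `curl -k`, and the `openssl` package a few lines above arrives over plain `http://` with no digest check. Anyone able to alter that traffic during this one step therefore decides which CAs the system trusts afterwards and which binary is unpacked into /media/fat/linux. TLS verification cannot work while the store is empty, so the bundle should be saved to a temporary file and compared with a digest pinned in the script before it is split, as the kernel download already is; the pin then has to be updated with each bundle release, or a fixed copy shipped in the repository. The kernel check itself uses `md5sum`, and `sha256sum` would be the better choice for an image the board will boot. `<EXPECTED_CACERT_SHA256>` below is a placeholder, and the Samba prompt further down names `ssh_on.sh` where `samba_on.sh` is meant.

```shell
# … unchanged: /etc/ssl/certs cleanup and openssl download …
echo "Downloading and processing https://curl.haxx.se/ca/cacert.pem into /etc/ssl/certs;"
echo "this may take some time..."
CACERT_TMP="$(mktemp)" || exit 4
# The trust store is empty at this point, so -k stays; the pinned digest replaces TLS verification.
curl -k "https://curl.haxx.se/ca/cacert.pem" -o "$CACERT_TMP"
if ! echo "<EXPECTED_CACERT_SHA256>  $CACERT_TMP" | sha256sum -c - > /dev/null 2>&1
then
 rm -f "$CACERT_TMP"
 echo "Downloaded CA bundle does not match the pinned digest, nothing was installed."
 exit 4
fi
# … unchanged: awk splitter, reading "$CACERT_TMP" instead of the curl pipe; rename and hash-link loops …
rm -f "$CACERT_TMP"
```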
diff --git a/ssh_off.sh b/ssh_off.sh
new file mode 100644
index 0000000..b64707a
--- /dev/null
+++ b/ssh_off.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+/etc/init.d/S50sshd stop
+mv /etc/init.d/S50sshd /etc/init.d/_S50sshd > /dev/null 2>&1
+if [ -f /media/fat/linux/iptables.up.rules ]
+then
+ sed -e '/--dport 22 /s/^#*/#/g' -i /media/fat/linux/iptables.up.rules
+fi
+sync
+if [ -f /etc/network/if-pre-up.d/iptables ]
+then
+ /etc/network/if-pre-up.d/iptables
+fi
+
+echo "SSH is off and"
+echo "inactive at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
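Review bot: `/etc/init.d/S50sshd stop` is the first action, yet this script is likely to be launched from an SSH session. If the init script (not part of this diff) also terminates active sessions, the rename, the rules-file edit and the firewall reload never run, and SSH with its open port 22 returns at the next boot. Doing the persistent steps first and stopping the daemon last avoids that: move the `mv`, the `sed` block and the hook call above the stop, then finish with `/etc/init.d/_S50sshd stop`. A comment explaining that ordering would keep a later edit from reversing it.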
diff --git a/ssh_on.sh b/ssh_on.sh
new file mode 100644
index 0000000..8f5aad5
--- /dev/null
+++ b/ssh_on.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Copyright 2019 Alessandro "Locutus73" Miele
+
+# You can download the latest version of this script from:
+# https://github.com/MiSTer-devel/Scripts_MiSTer
+
+# Version 1.0 - 2019-02-02 - First commit
+
+
+
+if [ "$(uname -n)" != "MiSTer" ]
+then
+ echo "This script must be run"
+ echo "on a MiSTer system."
+ exit 1
+fi
+
+mv /etc/init.d/_S50sshd /etc/init.d/S50sshd > /dev/null 2>&1
+if [ -f /media/fat/linux/iptables.up.rules ]
+then
+ sed -e '/--dport 22 /s/^#//g' -i /media/fat/linux/iptables.up.rules
+fi
+sync
+if [ -f /etc/network/if-pre-up.d/iptables ]
+then
+ /etc/network/if-pre-up.d/iptables
+fi
+/etc/init.d/S50sshd start
+
+echo "SSH is on and"
+echo "active at startup."
+echo "Done!"
+exit 0
\ No newline at end of file
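Review bot: SSH is started and port 22 opened without testing the two conditions that security_fixes.sh in this commit treats as unsafe, the installer's default root password and the installer's shared host keys. Reusing that test here would keep the script from silently exposing a login whose credentials ship with every image: `if [ "$(grep -o "^root:[^:]*" /etc/shadow | md5sum)" == "9104842aa3318a956e51a081d052d2ee -" ]; then echo "Warning: root still has the installer password, run security_fixes.sh."; fi`. The same could be done for `/etc/ssh/ssh_host_rsa_key.pub` with the digest security_fixes.sh compares against. Whether to warn or to refuse is a policy choice, and a header comment should say which one the script makes.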