UserData Hardening script with UFW
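#!/bin/bash
# user-data-hardening.sh
# Authors: Cody Bunch (bunchc@gmail.com)
#
# Script intended to be supplied as userdata to a cloud of some flavor.
# Enables some sane sysctl defaults, turns up iptables (via ufw), and
# installs HIDS / NIDS packages (aide, psad, fail2ban) plus logwatch.
#
# Assumes a Debian/Ubuntu image (apt-get, debconf, ufw). Every privileged
# step goes through sudo so the script also works when it is not run as root;
# the original mixed "sudo cmd >> file" and bare commands, which breaks in
# that case because the shell, not sudo, performs the redirection.

set -eu

# Supply your email here
email_address="userdata@mailinator.com"

# Other things worth verifying / changing:
# (IPTABLES/IP6TABLES/MODPROBE and the *_NET addresses are not used further
# down; they are kept for hand-written iptables rules the header refers to.)
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
MODPROBE=/sbin/modprobe
INT_INTF=eth1
EXT_INTF=eth0
# Primary IPv4 address of each interface, empty if the interface is absent.
# "ip" is used instead of ifconfig because net-tools is not installed on
# minimal images; detection is best-effort and must not abort hardening.
INT_NET=$(ip -4 -o addr show dev "$INT_INTF" 2>/dev/null \
  | awk '{split($4, A, "/"); print A[1]; exit}' || true)
EXT_NET=$(ip -4 -o addr show dev "$EXT_INTF" 2>/dev/null \
  | awk '{split($4, A, "/"); print A[1]; exit}' || true)

export DEBIAN_FRONTEND=noninteractive

#######################################
# Install packages non-interactively under sudo.
# sudo resets the environment by default, so DEBIAN_FRONTEND has to be passed
# on the sudo command line for every call; exporting it once is not enough
# (debconf would otherwise stall on psad/postfix/aide prompts).
# Arguments: package names
#######################################
apt_install() {
  sudo DEBIAN_FRONTEND=noninteractive apt-get -qqy \
    -o Dpkg::Options::="--force-confdef" \
    -o Dpkg::Options::="--force-confold" \
    install "$@"
}

sudo apt-get -qq update
sudo DEBIAN_FRONTEND=noninteractive apt-get -qqy \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confold" \
  dist-upgrade
apt_install ufw

# Sysctl
# Written to a sysctl.d drop-in rather than appended to /etc/sysctl.conf so a
# re-run does not accumulate duplicate entries; the file is also applied on
# every boot by the system's sysctl service.
sysctl_conf=/etc/sysctl.d/99-userdata-hardening.conf
sudo tee "$sysctl_conf" >/dev/null <<'EOF'
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
# (also hides the host from ICMP-based health checks and monitoring;
# drop this line if your cloud or load balancer relies on ping)
net.ipv4.icmp_echo_ignore_all = 1
EOF
# -e: ignore keys this kernel lacks (e.g. net.ipv6.* when IPv6 is disabled)
# instead of failing the whole script on them.
sudo sysctl -e -p "$sysctl_conf"

# Firewall
## Deny incoming
sudo ufw default deny incoming
## Allow outgoing
sudo ufw default allow outgoing
## Allow ssh -- must come before "enable", otherwise the management path
## is cut off as soon as the default-deny policy goes live.
sudo ufw allow ssh
## Enable ufw
sudo ufw --force enable

# Fail2Ban
apt_install fail2ban

# Postfix (local mail transport so logwatch reports can be delivered)
# hostname -f fails on hosts without a resolvable FQDN; fall back to the
# short name rather than aborting.
myHostname=$(hostname -f 2>/dev/null || hostname)
preseed=/var/cache/debconf/postfix.preseed
# /var/cache/debconf is root-owned: write the preseed through sudo tee.
sudo tee "$preseed" >/dev/null <<EOF
postfix postfix/chattr boolean false
postfix postfix/mailname string $myHostname
postfix postfix/main_mailer_type select Internet Site
EOF
sudo debconf-set-selections "$preseed"
# The original used "apt-get install -f postfix": -f is the fix-broken flag,
# not auto-confirm, so the install could stall waiting for a yes/no answer.
apt_install postfix

# NIDS - psad
apt_install psad

# HIDS - Aide
apt_install aide
# Build the initial database, then refresh it so the baseline covers the
# packages installed above. aide reports findings through non-zero exit
# codes, which must not abort the remaining steps under set -e.
sudo aideinit
sudo aide -u || true

# Log Reporting
apt_install logwatch
logwatch_cron=/etc/cron.daily/00logwatch
# Append through sudo tee: "sudo echo ... >> file" redirects in the calling
# shell and fails whenever the script is not run as root.
printf '\n%s\n' "/usr/sbin/logwatch --output mail --mailto ${email_address} --detail high" \
  | sudo tee -a "$logwatch_cron" >/dev/null
# run-parts skips non-executable files, so a freshly created cron file would
# never run. NOTE(review): the logwatch package may already ship this file
# with its own invocation -- check for a duplicate daily report.
sudo chmod 0755 "$logwatch_cron"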