Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
UserData Hardening script with UFW
#!/bin/bash
# user-data-hardening.sh
# Authors: Cody Bunch (bunchc@gmail.com)
#
# Script intended to be supplied as userdata to a cloud of some flavor.
# Enables some sane sysctl defaults, turns up iptables, and
# installs a HIDS / NIDS package
# Supply your email here
email_address="userdata@mailinator.com"
# Other things worth verifying / changing:
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
MODPROBE=/sbin/modprobe
INT_INTF=eth1
EXT_INTF=eth0
INT_NET=$(ifconfig $INT_INTF | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
EXT_NET=$(ifconfig $EXT_INTF | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
export DEBIAN_FRONTEND=noninteractive
sudo apt-get -qq update
sudo DEBIAN_FRONTEND=noninteractive apt-get -qqy -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" dist-upgrade
sudo apt-get install -y ufw
# Sysctl
sudo echo "
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
" tee -a /etc/sysctl.conf
sudo sysctl -p
# Firewall
## Deny incoming
ufw default deny incoming
## Allow outgoing
ufw default allow outgoing
## Allow ssh
ufw allow ssh
## Enable ufw
ufw --force enable
# Fail2Ban
sudo apt-get install -y fail2ban
# Postfix
myHostname=$(hostname -f)
cat > /var/cache/debconf/postfix.preseed <<EOF
postfix postfix/chattr boolean false
postfix postfix/mailname string $myHostname
postfix postfix/main_mailer_type select Internet Site
EOF
sudo debconf-set-selections /var/cache/debconf/postfix.preseed
sudo apt-get install -f postfix
# NIDS - psad
sudo apt-get install -y psad
# HIDS - Aide
sudo apt-get install -y aide
sudo aideinit
sudo aide -u
# Log Reporting
sudo apt-get install -y logwatch
sudo echo "
/usr/sbin/logwatch --output mail --mailto ${email_address} --detail high
" >> /etc/cron.daily/00logwatch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment