@bunchc
Created August 20, 2017 15:40
UserData Hardening script with UFW
#!/bin/bash
# user-data-hardening.sh
# Authors: Cody Bunch (bunchc@gmail.com)
#
# Script intended to be supplied as userdata to a cloud of some flavor.
# Enables some sane sysctl defaults, turns up a host firewall (ufw over iptables), and
# installs HIDS / NIDS packages (aide, psad) plus fail2ban and logwatch
# Supply your email here
email_address="userdata@mailinator.com"
# Other things worth verifying / changing.
# The iptables paths and interface variables are carried over from the
# iptables variant of this script; the ufw rules below do not use them.
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
MODPROBE=/sbin/modprobe
INT_INTF=eth1
EXT_INTF=eth0
# The "inet addr" pattern matches net-tools < 2.0 ifconfig output (Ubuntu 16.04 and earlier)
INT_NET=$(ifconfig $INT_INTF | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
EXT_NET=$(ifconfig $EXT_INTF | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
export DEBIAN_FRONTEND=noninteractive
sudo apt-get -qq update
sudo DEBIAN_FRONTEND=noninteractive apt-get -qqy -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" dist-upgrade
sudo apt-get install -y ufw
# Sysctl
# Append hardened network settings to /etc/sysctl.conf (tee runs under sudo
# so the write works when the script is not already root) and load them now
echo "
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Firewall (ufw needs root, like the rest of the script)
## Deny incoming
sudo ufw default deny incoming
## Allow outgoing
sudo ufw default allow outgoing
## Allow ssh
sudo ufw allow ssh
## Enable ufw without the interactive confirmation prompt
sudo ufw --force enable
# Fail2Ban
sudo apt-get install -y fail2ban
# Postfix
# Preseed debconf so the postfix install needs no prompts
myHostname=$(hostname -f)
sudo tee /var/cache/debconf/postfix.preseed >/dev/null <<EOF
postfix postfix/chattr boolean false
postfix postfix/mailname string $myHostname
postfix postfix/main_mailer_type select Internet Site
EOF
sudo debconf-set-selections /var/cache/debconf/postfix.preseed
sudo apt-get install -y postfix
# NIDS - psad
sudo apt-get install -y psad
# HIDS - Aide
sudo apt-get install -y aide
# Build the initial baseline without prompting (-y answer yes, -f overwrite),
# then promote the new database so later `aide --check` runs compare against it
sudo aideinit -y -f
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Log Reporting
sudo apt-get install -y logwatch
# Replace the packaged daily job so logwatch mails one high-detail report
# to ${email_address} (delivered by the postfix instance installed above)
echo "#!/bin/sh
/usr/sbin/logwatch --output mail --mailto ${email_address} --detail high
" | sudo tee /etc/cron.daily/00logwatch >/dev/null
sudo chmod 0755 /etc/cron.daily/00logwatch
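A post-boot check that the sysctl part of the script actually took effect, added here as an example and not part of the gist: it compares a list of the hardened keys against `sysctl -a`-style output and reports keys that are missing or drifted (cloud images commonly ship `rp_filter = 2`, which this catches). The "live" output below is a constructed sample; the key list is a hand-maintained subset of the ones the script writes.

```shell
#!/bin/sh
# verify-sysctl-hardening.sh (added example; not part of the original gist)
# Compares the keys the hardening script appends to /etc/sysctl.conf with
# "key = value" lines as printed by `sysctl -a` and reports drift.

# Subset of the keys written by the userdata script (kept in sync by hand).
EXPECTED='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1'

# Constructed sample of `sysctl -a` output: rp_filter left at the loose
# value 2 that cloud images ship, and icmp_echo_ignore_all never set.
SAMPLE_LIVE='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 0'

# check_sysctl EXPECTED LIVE
# Prints one DRIFT/MISSING line per key that is not at its hardened value;
# returns 0 when every expected key matches, 1 otherwise.
check_sysctl() {
    expected="$1" live="$2" bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        want=$(printf '%s' "${line#*=}" | tr -d ' ')
        # sysctl -a prints "key = value": field 1 is the key, field 3 the value
        have=$(printf '%s\n' "$live" | awk -v k="$key" '$1 == k { print $3 }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; bad=1
        elif [ "$have" != "$want" ]; then
            echo "DRIFT   $key = $have (want $want)"; bad=1
        fi
    done <<EOF
$expected
EOF
    return $bad
}

# Run against the constructed sample; for the live kernel use
#   check_sysctl "$EXPECTED" "$(sysctl -a 2>/dev/null)"
check_sysctl "$EXPECTED" "$SAMPLE_LIVE" || echo "hardening incomplete"
```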