MacOS and Linux Optimisation
#!/bin/bash
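#######################################
# Set one sysctl at runtime and persist it in /etc/sysctl.conf.
# The rest of this script runs privileged commands through sudo, so the
# runtime write goes through sudo as well (without it, a non-root run fails
# with "permission denied" on every key and only the conf file was updated).
# Arguments: $1 - sysctl key, $2 - value
# Outputs:   sysctl's own output and a status line on stdout; failures on stderr
# Returns:   0 when the value was applied, 1 when sysctl rejected it (the conf
#            file is only touched on success, and an identical line that is
#            already present is not appended again, so re-runs stay idempotent)
#######################################
set_sysctl() {
  local key=$1 value=$2
  if sudo sysctl -w "${key}=${value}"; then
    echo "${key} set to ${value}"
    if ! grep -qxF -- "${key}=${value}" /etc/sysctl.conf 2>/dev/null; then
      echo "${key}=${value}" | sudo tee -a /etc/sysctl.conf >/dev/null
    fi
  else
    echo "Failed to set ${key} to ${value}" >&2
    return 1
  fi
}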
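# Check if the running kernel supports kTLS.
# The earlier test compared version strings lexically ("5.4" < "5.11" is false,
# "10.0" < "5.11" is true), so it accepted and rejected the wrong kernels; the
# major/minor numbers are compared numerically instead. The 5.11 floor is the
# author's choice; the tls module itself has been in mainline since 4.13.
readonly min_kernel_major=5
readonly min_kernel_minor=11
kernel_version=$(uname -r)
# Strip the distro suffix ("-generic", "-rc1") before splitting on dots.
IFS=. read -r kernel_major kernel_minor _ <<<"${kernel_version%%-*}"
if (( kernel_major < min_kernel_major )) \
  || (( kernel_major == min_kernel_major && kernel_minor < min_kernel_minor )); then
  echo "kTLS is not supported on kernels older than ${min_kernel_major}.${min_kernel_minor}. Please upgrade your kernel." >&2
  exit 1
fi
# Ensure the kernel module for kTLS is loaded
if ! sudo modprobe tls; then
  echo "Failed to load kTLS module. Please check if your kernel supports kTLS." >&2
  exit 1
fi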
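# Enable ASLR (Address Space Layout Randomization); 2 = randomize stack, mmap and brk
set_sysctl kernel.randomize_va_space 2
# Enable kTLS (Kernel TLS)
# NOTE(review): I cannot find net.ipv4.tcp_tls_enable in mainline Linux; kTLS is
# normally switched on per socket by the application (setsockopt TCP_ULP "tls")
# once the tls module is loaded. Expect set_sysctl to report a failure here unless
# the target kernel carries this key — verify before relying on it.
set_sysctl net.ipv4.tcp_tls_enable 1
# Install GCC (apt-get is a no-op when it is already present; assumes Debian/Ubuntu)
sudo apt-get update
sudo apt-get install -y gcc
# Secure shared memory: remount noexec,nosuid and persist that in fstab. The fstab
# line is only appended when absent so a re-run does not stack duplicate entries.
# NOTE(review): on current Debian/Ubuntu /run/shm is usually a symlink to /dev/shm —
# confirm the mount point on the target before relying on this entry.
shm_fstab_entry='tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0'
if ! grep -qxF -- "$shm_fstab_entry" /etc/fstab; then
  printf '%s\n' "$shm_fstab_entry" | sudo tee -a /etc/fstab >/dev/null
fi
sudo mount -o remount,noexec,nosuid /run/shm
# Disable core dumps. fs.suid_dumpable covers set-uid programs; `ulimit -c 0` only
# affects this shell and its children, so the hard limit is also persisted in
# limits.conf for every login (guarded against duplicate lines).
set_sysctl fs.suid_dumpable 0
ulimit -c 0
if ! grep -qE '^\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0' /etc/security/limits.conf 2>/dev/null; then
  echo '* hard core 0' | sudo tee -a /etc/security/limits.conf >/dev/null
fi
# Enable additional kernel security features
set_sysctl kernel.kptr_restrict 2     # hide kernel pointers from everyone, root included
set_sysctl kernel.yama.ptrace_scope 1 # only a process's descendants may be ptraced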
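# Install and configure Uncomplicated Firewall (UFW)
sudo apt-get install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
# "ssh" resolves to port 22 via /etc/services. If sshd listens elsewhere, allow
# that port before enabling the firewall or the next command cuts off remote access.
sudo ufw allow ssh
# --force skips the interactive "may disrupt existing ssh connections" prompt,
# which would otherwise stall an unattended run.
sudo ufw --force enable
# Disable unnecessary services. Stop and disable in one step, and include the
# socket unit so socket activation cannot bring rpcbind back.
sudo systemctl disable --now rpcbind.service rpcbind.socket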
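# Set SSH security features.
# Prerequisite: key-based login for the account you administer from must already
# work, because PasswordAuthentication is turned off below.
readonly sshd_config=/etc/ssh/sshd_config
# Account(s) for AllowUsers, taken from the environment. The script used to append
# the literal placeholder "your_username", which locks every real account out of
# SSH as soon as sshd restarts; AllowUsers is now only written when the caller
# supplies SSH_ALLOW_USER.
ssh_allow_user=${SSH_ALLOW_USER:-}
# Keep a timestamped copy so a bad edit can be rolled back.
sudo cp -p -- "$sshd_config" "${sshd_config}.bak.$(date +%s)"

#######################################
# Set a single sshd_config keyword: rewrite the first existing line for that
# keyword (commented or not, so an explicit insecure value is corrected and not
# just the commented default) or append when there is none.
# Globals:   sshd_config (read)
# Arguments: $1 - keyword, $2 - value
# Returns:   exit status of sed or tee
#######################################
set_sshd_option() {
  local key=$1 value=$2
  local re='^[[:space:]]*#?[[:space:]]*'"$key"'([[:space:]].*)?$'
  if sudo grep -qE -- "$re" "$sshd_config"; then
    # 0,/re/ limits the substitution to the first match so a later Match block is left alone.
    sudo sed -i -E "0,/${re}/s//${key} ${value}/" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" | sudo tee -a -- "$sshd_config" >/dev/null
  fi
}

set_sshd_option PermitRootLogin no
set_sshd_option PasswordAuthentication no
set_sshd_option PermitEmptyPasswords no
# OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is still accepted.
set_sshd_option ChallengeResponseAuthentication no
set_sshd_option UsePAM yes
if [[ -n "$ssh_allow_user" ]]; then
  set_sshd_option AllowUsers "$ssh_allow_user"
else
  echo "SSH_ALLOW_USER is not set; AllowUsers left unchanged" >&2
fi
# NOTE(review): where sshd_config begins with an Include of sshd_config.d/*.conf, a
# drop-in there (cloud-init ships one with PasswordAuthentication yes) wins over
# this file because sshd keeps the first value it reads — check the effective
# setting with `sudo sshd -T` after the restart.
# Validate before touching the service so a bad edit never takes sshd down.
if ! sudo sshd -t; then
  echo "sshd_config failed validation; restore the .bak copy before restarting sshd" >&2
  exit 1
fi
# Determine the correct SSH service name and restart the SSH service
if systemctl list-units --full --all | grep -q 'sshd.service'; then
  sudo systemctl restart sshd
elif systemctl list-units --full --all | grep -q 'ssh.service'; then
  sudo systemctl restart ssh
else
  echo "SSH service not found." >&2
  exit 1
fi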
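# Install and configure fail2ban with an sshd jail that bans through ufw
sudo apt-get install -y fail2ban
# NOTE(review): logpath assumes auth.log is written (rsyslog); on hosts that log
# only to the journal the file does not exist and the jail fails to start —
# `backend = systemd` is the alternative there. Confirm which applies to the target.
sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[sshd]
enabled = true
filter = sshd
action = ufw[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 5
EOF
sudo systemctl enable fail2ban
# restart rather than start so a re-run picks up the rewritten jail.local
sudo systemctl restart fail2ban
echo "System security hardening complete. Review /etc/sysctl.conf and /etc/ssh/sshd_config for persistent settings."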
#!/bin/sh
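# Set one sysctl at runtime and persist it in /etc/sysctl.conf (POSIX sh).
# Must run as root: both the sysctl write and the append need it.
# Arguments: $1 - sysctl key, $2 - value
# Outputs:   sysctl's own output and a status line on stdout; failures on stderr
# Returns:   0 when the value was applied, 1 otherwise. The conf file is only
#            touched on success, and a line that is already present is not
#            appended again, so re-running the script stays idempotent.
set_sysctl() {
  if sysctl "$1=$2"; then
    echo "$1 set to $2"
    grep -qxF -- "$1=$2" /etc/sysctl.conf 2>/dev/null \
      || echo "$1=$2" >> /etc/sysctl.conf
  else
    echo "Failed to set $1 to $2" >&2
    return 1
  fi
}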
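# NOTE(review): the OID names below mix FreeBSD-style keys (kern.elf64.*, vfs.zfs.*,
# net.inet.tcp.tls.*) with macOS-style ones (net.inet.mptcp.*), and I cannot confirm
# that every one exists on a given release. set_sysctl reports each failure on its
# own, so read its output rather than assuming all values were applied.
# Increase File Descriptor Limits (System-wide settings)
set_sysctl kern.maxfiles 1000000
set_sysctl kern.maxfilesperproc 500000
# Optimize Network Performance (System-wide settings)
set_sysctl net.inet.tcp.recvspace 1048576
set_sysctl net.inet.tcp.sendspace 1048576
set_sysctl net.inet.tcp.rfc1323 1
set_sysctl net.inet.tcp.blackhole 2
set_sysctl net.inet.udp.blackhole 1
set_sysctl kern.ipc.somaxconn 4096
# kern.ipc.maxsockbuf used to be set here to 8388608 and again below to 16777216,
# leaving two lines in sysctl.conf; only the final 16777216 value is kept.
# File System Optimization (using ZFS) (System-wide settings)
# NOTE(review): a fixed 4 GiB arc_max / 1 GiB arc_min ignores the machine's RAM —
# size these from physical memory on the target.
set_sysctl vfs.zfs.arc_max 4294967296
set_sysctl vfs.zfs.arc_min 1073741824
# Tuning TCP/IP Settings (System-wide settings)
# NOTE(review): on FreeBSD net.inet.tcp.fastopen appears to be a node with
# server_enable/client_enable children, in which case a value on the node itself
# is rejected — confirm on the target.
set_sysctl net.inet.tcp.fastopen 3
set_sysctl net.inet.tcp.mssdflt 1448
set_sysctl net.inet.tcp.cc.algorithm htcp
set_sysctl net.inet.tcp.sack.enable 1
set_sysctl net.inet.tcp.tso 1 # Enable TCP segmentation offloading
set_sysctl net.inet.tcp.lro 1 # Enable Large Receive Offload
# Increase Shared Memory Limits (System-wide settings)
set_sysctl kern.ipc.shmmax 67108864
set_sysctl kern.ipc.shmall 32768
# Enable kTLS (Kernel TLS) (System-wide settings)
set_sysctl kern.ipc.maxsockbuf 16777216
set_sysctl net.inet.tcp.tls.enable 1
# Enable MPTCP (Multipath TCP) (System-wide settings)
set_sysctl net.inet.mptcp.enable 1
set_sysctl net.inet.mptcp.capable 1
# Enable ASLR (Address Space Layout Randomization)
set_sysctl kern.elf64.aslr.enable 1
set_sysctl kern.elf32.aslr.enable 1
# Enable Stack Smashing Protection
set_sysctl kern.elf64.ssp 1
set_sysctl kern.elf32.ssp 1
# Enable W^X (Write XOR Execute) Memory Protection
set_sysctl kern.elf64.nxstack 1
set_sysctl kern.elf32.nxstack 1
# Disable core dumps
set_sysctl kern.coredump 0
# Enable IP Security (IPSec)
set_sysctl net.inet.ipsec.enable 1
# Enable Securelevel (set to 1 or higher for production systems).
# Raised last: securelevel can only go up while the system is running, so once
# this is applied nothing below it could have been retried if it needed a lower
# level. NOTE(review): on FreeBSD the persistent setting is kern_securelevel in
# rc.conf rather than sysctl.conf — confirm which the target honours.
set_sysctl kern.securelevel 1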
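# Apply sysctl changes
# NOTE(review): `sysctl -p` is the Linux procps syntax; FreeBSD's and macOS's
# sysctl(8) do not take -p (FreeBSD re-reads /etc/sysctl.conf with
# `service sysctl restart`), yet the OIDs above are BSD-style — confirm the
# platform this is meant for.
if sysctl -p /etc/sysctl.conf; then
  echo "Sysctl settings applied successfully"
else
  echo "Failed to apply sysctl settings" >&2
fi
# Set jemalloc environment variables (Application-specific settings).
# `export` of a valid name cannot fail, so the status check that used to follow
# it was dead code. The export only reaches this shell and its children; the
# /etc/profile line below is what affects future logins.
# NOTE(review): to my knowledge lg_chunk and lg_dirty_mult are pre-5.0 jemalloc
# options that were dropped when the decay_ms knobs arrived; jemalloc 5.x logs
# "Invalid conf pair" for them (and aborts if abort_conf is set) — confirm the
# jemalloc version the applications link against.
malloc_conf='narenas:4,dirty_decay_ms:1000,muzzy_decay_ms:1000,lg_chunk:21,lg_dirty_mult:3'
export MALLOC_CONF="$malloc_conf"
echo "Jemalloc environment variables set successfully"
# Make jemalloc settings persistent across reboots by adding to /etc/profile,
# only when the exact line is absent (each re-run used to append another copy).
profile_line="export MALLOC_CONF=\"$malloc_conf\""
grep -qxF -- "$profile_line" /etc/profile 2>/dev/null \
  || echo "$profile_line" >> /etc/profile
echo "System tuning complete. Review /etc/sysctl.conf and /etc/profile for persistent settings."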
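# sudo touch /etc/sysctl.conf
# Memory: prefer reclaiming page cache over swapping anonymous pages (0-100; kernel default 60)
vm.swappiness = 20
# Ephemeral port range and TCP socket buffer autotuning (min default max, in bytes)
net.ipv4.ip_local_port_range = 10240 65535
net.ipv4.tcp_rmem = 65536 1048576 8388608
net.ipv4.tcp_wmem = 65536 1048576 8388608
# NOTE(review): tcp_mem is counted in pages (normally 4 KiB), not bytes. These three
# values look like byte figures and as page counts would exceed any real memory
# size — confirm the intended sizes before deploying.
net.ipv4.tcp_mem= 1073741824 4294967296 8589934592
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.rmem_default = 1048576
net.core.wmem_default = 1048576
fs.pipe-max-size = 8388608
# Listen backlog ceiling and softirq packet-processing budget
net.core.somaxconn = 32768
net.core.netdev_budget = 600
net.core.dev_weight = 128
# NOTE(review): turning TCP timestamps off also disables PAWS (protection against
# wrapped sequence numbers) and per-segment RTT measurement (RFC 7323). This is a
# deliberate trade-off by the author; keep it only where it was measured to help.
net.ipv4.tcp_timestamps = 0
# IP spoofing protection (reverse-path filtering; 1 = strict. Hosts with asymmetric
# routing need 2 = loose or the filter drops legitimate traffic).
# The same pair was listed a second time further down; the duplicate is removed.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Log Martian Packets (source addresses that cannot be routed back)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Disable IPv6. Only keep this on hosts that genuinely have no IPv6 connectivity;
# with it in place the two IPv6 settings below are moot but harmless.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Disable acceptance of router advertisements
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# sudo sysctl -p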
#!/bin/bash
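# Define paths.
# The script is executed as root by a LaunchDaemon, so it must live in a
# root-owned directory: a copy under $HOME would let any process running as the
# login user rewrite what root executes at every boot.
SYSCTL_SCRIPT_PATH="/usr/local/sbin/set_sysctl_params.sh"
PLIST_PATH="/Library/LaunchDaemons/com.user.setsysctlparams.plist"
# Create the shell script for setting sysctl parameters (quoted heredoc: no expansion)
echo "Creating sysctl script at $SYSCTL_SCRIPT_PATH"
sudo install -d -o root -g wheel -m 755 -- "${SYSCTL_SCRIPT_PATH%/*}"
sudo tee "$SYSCTL_SCRIPT_PATH" >/dev/null <<'EOF'
#!/bin/bash
sysctl kern.sysv.shmmax=134217728
sysctl kern.sysv.shmmin=1
sysctl kern.sysv.shmmni=1048576
sysctl kern.sysv.shmseg=1024
sysctl kern.sysv.shmall=1048576
sysctl kern.ipc.somaxconn=32767
sysctl kern.maxfiles=1048576
sysctl kern.maxvnodes=1048576
sysctl kern.maxfilesperproc=8192
sysctl kern.ipc.maxsockbuf=134217728
sysctl net.inet.tcp.delayed_ack=0
sysctl net.inet.ip.forwarding=0
sysctl net.inet.icmp.bmcastecho=0
sysctl net.inet.tcp.blackhole=2
sysctl net.inet.udp.blackhole=1
sysctl net.inet.tcp.msl=3000
sysctl net.inet.tcp.mssdflt=1460
sysctl net.inet.tcp.win_scale_factor=2
sysctl net.inet.tcp.sendspace=1048576
sysctl net.inet.tcp.recvspace=1048576
sysctl net.inet.tcp.autorcvbufmax=134217728
sysctl net.inet.tcp.autosndbufmax=134217728
sysctl net.inet.ip.portrange.first=32768
sysctl net.inet.ip.portrange.last=65535
EOF
# Make the shell script executable and root-owned, writable by root only
echo "Making the sysctl script executable"
sudo chown root:wheel "$SYSCTL_SCRIPT_PATH"
sudo chmod 755 "$SYSCTL_SCRIPT_PATH"
# Verify the script creation
if [[ ! -f "$SYSCTL_SCRIPT_PATH" ]]; then
  echo "Failed to create the sysctl script" >&2
  exit 1
fi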
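# Create the LaunchDaemon plist file. The heredoc is deliberately unquoted so
# $SYSCTL_SCRIPT_PATH is expanded into ProgramArguments.
# KeepAlive was dropped: with it set, launchd relaunches the job every time it
# exits, and a script that finishes in milliseconds would be respawned after each
# throttle interval for as long as the machine is up. RunAtLoad alone runs it once per boot.
echo "Creating LaunchDaemon plist at $PLIST_PATH"
sudo tee "$PLIST_PATH" > /dev/null << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.user.setsysctlparams</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>$SYSCTL_SCRIPT_PATH</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF
# Set proper ownership and permissions: launchd refuses a daemon plist that is not
# owned by root:wheel or that is group/world writable.
echo "Setting permissions for the plist file"
sudo chown root:wheel "$PLIST_PATH"
sudo chmod 644 "$PLIST_PATH"
# Verify the plist creation
if [[ ! -f "$PLIST_PATH" ]]; then
  echo "Failed to create the plist file" >&2
  exit 1
fi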
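# Load the LaunchDaemon. Unload first so a re-run picks up the rewritten plist;
# the unload fails harmlessly when the job was never loaded, so its error is hidden.
# (load/unload are the legacy launchctl verbs; `launchctl bootstrap system` is the
# modern equivalent and still accepts the same plist.)
echo "Loading the LaunchDaemon"
sudo launchctl unload "$PLIST_PATH" 2>/dev/null
if sudo launchctl load "$PLIST_PATH"; then
  echo "Setup complete. The sysctl parameters will be set at startup."
else
  # Exit non-zero so callers can tell the daemon was not installed.
  echo "Failed to load the LaunchDaemon. Please check the plist file and permissions." >&2
  echo "Contents of the plist file:" >&2
  cat "$PLIST_PATH" >&2
  exit 1
fi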