Created
July 25, 2017 15:08
-
-
Save e23z/faede90c30c5016749c11bfa2f147db1 to your computer and use it in GitHub Desktop.
[Ubuntu 16.04 Server Hardener] A script to make it easy to harden an Ubuntu 16.04 server. Its purpose is to setup simple security measures out-of-the-box, not to apply advanced security measures. #scripts #security #configuration #utils
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| cd ~ | |
| read -s -p 'Sudo password: ' PASSWORD | |
| echo "" | |
| echo "Configuring server..." | |
| read -p "What's the hostname of this machine? " NEW_HOSTNAME | |
| echo $PASSWORD | sudo -Sk hostnamectl set-hostname $NEW_HOSTNAME | |
| sudo sed -i -e "s/^127.0.0.1.*$/127.0.0.1 localhost $NEW_HOSTNAME/g" /etc/hosts | |
| sudo dpkg-reconfigure tzdata | |
| sudo service cron restart | |
| echo "Start hardening..." | |
| sudo apt-get update | |
| echo "Installing required software..." | |
| sudo apt-get install -y ufw denyhosts psad rkhunter chkrootkit | |
| echo "Protecting shared memory..." | |
| sudo sh -c "echo 'tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0' >> /etc/fstab" | |
| echo "Creating new admin user and group..." | |
| read -p "New username: " USERNAME | |
| sudo adduser --shell /bin/bash --gecos '$USERNAME' $USERNAME | |
| sudo groupadd admin | |
| sudo usermod -a -G admin $USERNAME | |
| sudo dpkg-statoverride --update --add root admin 4750 /bin/su | |
| echo "Protecting ssh..." | |
| cd ~ | |
| mkdir .ssh | |
| mkdir -p "/home/$USERNAME/.ssh" | |
| echo "ssh-rsa YOUR_PUB_RSA_KEY" >> .ssh/authorized_keys | |
| echo "ssh-rsa YOUR_PUB_RSA_KEY" >> "/home/$USERNAME/.ssh/authorized_keys" | |
| echo "SSH..." | |
| read -p "Which port should we use for ssh? " SSH_PORT | |
| sudo sed -i -e "s/^Port .*$/Port $SSH_PORT/g" /etc/ssh/sshd_config | |
| sudo sed -i -e "s/^Protocol .*$/Protocol 2/g" /etc/ssh/sshd_config | |
| sudo sed -i -e "s/^PermitRootLogin .*$/PermitRootLogin no/g" /etc/ssh/sshd_config | |
| sudo sh -c "echo 'DebianBanner no' >> /etc/ssh/sshd_config" | |
| sudo service ssh restart | |
| echo "Network..." | |
| sudo sed -i -e "s/#net.ipv4.conf.all.rp_filter/net.ipv4.conf.all.rp_filter/g" /etc/sysctl.conf | |
| sudo sed -i -e "s/#net.ipv4.conf.default.rp_filter/net.ipv4.conf.default.rp_filter/g" /etc/sysctl.conf | |
| sudo sh -c "echo 'net.ipv4.icmp_echo_ignore_broadcasts=1' >> /etc/sysctl.conf" | |
| sudo sh -c "echo 'net.ipv4.conf.default.accept_source_route=0' >> /etc/sysctl.conf" | |
| sudo sh -c "echo 'net.ipv6.conf.default.accept_source_route=0' >> /etc/sysctl.conf" | |
| sudo sed -i -e "s/#net.ipv4.conf.all.send_redirects/net.ipv4.conf.all.send_redirects/g" /etc/sysctl.conf | |
| sudo sh -c "echo 'net.ipv4.conf.default.send_redirects=0' >> /etc/sysctl.conf" | |
| sudo sed -i -e "s/#net.ipv4.tcp_syncookies/net.ipv4.tcp_syncookies/g" /etc/sysctl.conf | |
| sudo sh -c "echo 'net.ipv4.tcp_max_syn_backlog=2048' >> /etc/sysctl.conf" | |
| sudo sh -c "echo 'net.ipv4.tcp_synack_retries=2' >> /etc/sysctl.conf" | |
| sudo sh -c "echo 'net.ipv4.tcp_syn_retries=5' >> /etc/sysctl.conf" | |
| sudo sed -i -e "s/#net.ipv4.conf.all.log_martians/net.ipv4.conf.all.log_martians/g" /etc/sysctl.conf | |
| sudo sh -c "echo 'net.ipv4.icmp_ignore_bogus_error_responses=1' >> /etc/sysctl.conf" | |
| sudo sed -i -e "s/#net.ipv4.conf.all.accept_redirects/net.ipv4.conf.all.accept_redirects/g" /etc/sysctl.conf | |
| sudo sed -i -e "s/#net.ipv6.conf.all.accept_redirects/net.ipv6.conf.all.accept_redirects/g" /etc/sysctl.conf | |
| sudo sh -c "echo 'net.ipv4.conf.default.accept_redirects=0' >> /etc/sysctl.conf" | |
| sudo sh -c "echo 'net.ipv6.conf.default.accept_redirects=0' >> /etc/sysctl.conf" | |
| sudo sh -c "echo 'net.ipv4.icmp_echo_ignore_all=1' >> /etc/sysctl.conf" | |
| sudo sysctl -p | |
| echo "IP Spoofing..." | |
| sudo sed -i -e "s/^order .*$/order bind,hosts/g" /etc/host.conf | |
| sudo sh -c "echo 'nospoof on' >> /etc/host.conf" | |
| echo "DenyHosts..." | |
| sudo sed -i -e "s/^ADMIN_EMAIL = .*$/ADMIN_EMAIL = email@gmail.com/g" /etc/denyhosts.conf | |
| sudo sed -i -e "s/^SMTP_HOST = .*$/SMTP_HOST = smtp.gmail.com/g" /etc/denyhosts.conf | |
| sudo sed -i -e "s/^#SMTP_USERNAME = .*$/SMTP_USERNAME = email@gmail.com/g" /etc/denyhosts.conf | |
| sudo sed -i -e "s/^#SMTP_PASSWORD = .*$/SMTP_PASSWORD = pwd/g" /etc/denyhosts.conf | |
| sudo sed -i -e "s/^#SYSLOG_REPORT=YES*$/SYSLOG_REPORT=YES/g" /etc/denyhosts.conf | |
| echo "IDS..." | |
| sudo sed -i -e "s/^EMAIL_ADDRESSES .*$/EMAIL_ADDRESSES email@gmail.com;/g" /etc/psad/psad.conf | |
| sudo sed -i -e "s/^HOSTNAME .*$/HOSTNAME $NEW_HOSTNAME;/g" /etc/psad/psad.conf | |
| sudo sed -i -e "s/^ENABLE_AUTO_IDS .*$/ENABLE_AUTO_IDS Y;/g" /etc/psad/psad.conf | |
| sudo sed -i -e "s/^ENABLE_AUTO_IDS_EMAILS .*$/ENABLE_AUTO_IDS_EMAILS Y;/g" /etc/psad/psad.conf | |
| sudo iptables -A INPUT -j LOG | |
| sudo iptables -A FORWARD -j LOG | |
| sudo ip6tables -A INPUT -j LOG | |
| sudo ip6tables -A FORWARD -j LOG | |
| sudo psad -R | |
| sudo psad --sig-update | |
| sudo psad -H | |
| sudo psad --Status | |
| echo "Rootkits..." | |
| sudo chkrootkit | |
| sudo rkhunter --update | |
| sudo rkhunter --propupd | |
| sudo rkhunter --check | |
| echo "Enabling the firewall..." | |
| sudo ufw enable | |
| read -p "Should we allow http requests through the firewall? [y/n]" ALLOW_HTTP | |
| if [[ $ALLOW_HTTP == "y" || $ALLOW_HTTP == "Y" ]]; then | |
| echo "Enabling HTTP in the firewall..." | |
| sudo ufw allow http | |
| sudo ufw allow https | |
| fi | |
| sudo ufw allow 39/tcp | |
| sudo ufw status verbose | |
| echo "Hardening completed!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment