
@renier
Last active February 10, 2019 02:05
Super Harden Ubuntu
#!/bin/bash
# Point the legacy GRUB menu at (hd0) instead of the cloud-image label; see
# https://developer.ibm.com/answers/questions/462237/error-groot-must-be-grub-root-device-on-ubuntu/
sed -i 's/LABEL=cloudimg-rootfs/(hd0)/' /boot/grub/menu.lst

# Refresh the package index (stdout discarded) and apply pending updates.
# NOTE(review): no exit status is checked in this section, so a failed
# update or install leaves the host unpatched while the rest of the script
# still runs and reports nothing.
apt-get update >/dev/null
apt-get -y install unattended-upgrades
# The upgrade run is stopped by timeout after 20 minutes.
# NOTE(review): a run cut short this way may leave packages half-configured;
# confirm package state afterwards.
timeout 20m unattended-upgrade

# Remove packages that are no longer needed and stale cached archives.
for cleanup_step in autoremove autoclean; do
  apt-get -y "$cleanup_step"
done

# Brute-force protection for SSH logins.
# NOTE(review): if this package is not available for the release, the
# install fails and the script carries on without it.
apt-get -y install denyhosts
# Configure firewall: drop unsolicited inbound traffic, allow all outbound
# traffic, and open SSH. The SSH rule is added before the firewall is
# switched on so that remote access stays reachable.
# NOTE(review): "ssh" opens only the port registered for that service name;
# if sshd listens on another port, add a rule for it before enabling.
for ufw_rule in 'default deny incoming' 'default allow outgoing' 'allow ssh'; do
  # Word splitting is intended here: each entry is a full ufw argument list.
  # shellcheck disable=SC2086
  ufw $ufw_rule
done
# --force skips the interactive confirmation so the script can run unattended.
ufw --force enable
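# Create some user so we can login later
#
# Root's authorized_keys file is copied to a new account that gets
# passwordless sudo. Later sections of this script disable root and password
# logins, so this account's key becomes the only way in and, because of
# NOPASSWD:ALL, the only factor protecting root. Every step that could leave
# the host without a working login aborts the script.
#u=$1
u=renier
user_home="/home/$u"
root_keys=~/.ssh/authorized_keys
sudoers_file="/etc/sudoers.d/10-$u"

# Without a key to hand over, the new account could never log in.
if [[ ! -s "$root_keys" ]]; then
  printf 'error: %s is missing or empty; refusing to continue\n' "$root_keys" >&2
  exit 1
fi

# Skip creation when the account already exists so the script can be re-run.
if ! id -u "$u" >/dev/null 2>&1; then
  # useradd -p expects an already-hashed value. The random string is not in
  # crypt(3) format, so it should match no password, leaving the account
  # without a usable password.
  useradd -m \
    -p "$(tr -dc '_A-Za-z0-9-' </dev/urandom | head -c 32)" \
    -s /bin/bash -U "$u" || exit 1
fi

# sshd's default StrictModes setting rejects key files that other users can
# write to, hence the tight modes and ownership.
mkdir -p -- "$user_home/.ssh" || exit 1
chmod 700 -- "$user_home/.ssh"
cp -- "$root_keys" "$user_home/.ssh/authorized_keys" || exit 1
chmod 600 -- "$user_home/.ssh/authorized_keys"
chown -R -- "$u:$u" "$user_home/.ssh" || exit 1

# Validate the sudoers fragment before installing it: a syntax error in
# /etc/sudoers.d can break sudo, and root login is about to be disabled.
# NOTE(review): sudo skips files in sudoers.d whose name contains a "." or
# ends in "~"; a user name with a dot would make this grant silently
# ineffective.
sudoers_tmp=$(mktemp) || exit 1
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$u" >"$sudoers_tmp"
chmod 0440 -- "$sudoers_tmp"
if visudo -cf "$sudoers_tmp" >/dev/null; then
  install -m 0440 -o root -g root -- "$sudoers_tmp" "$sudoers_file" || exit 1
  rm -f -- "$sudoers_tmp"
else
  printf 'error: generated sudoers entry for %s failed validation\n' "$u" >&2
  rm -f -- "$sudoers_tmp"
  exit 1
fi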
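# Harden SSH
#
# Key-only logins for a single user, no root login, and a restricted
# algorithm set. The new configuration is built in a temporary file, checked
# with "sshd -t", and installed only if it parses. A bad configuration would
# otherwise take the daemon down on restart and lock out a remote host.
#
# sshd uses the first value it finds for a keyword, and anything written
# after a Match line belongs to that Match block. The managed settings are
# therefore placed at the top of the file rather than appended. Existing
# unindented copies of the same keywords are dropped so re-runs do not
# accumulate duplicates.
#
# Keep the current session open and confirm a fresh login as $u works before
# disconnecting.
sshd_config=/etc/ssh/sshd_config
: "${u:?login user must be set before writing AllowUsers}"

sshd_new=$(mktemp "$sshd_config.XXXXXX") || exit 1
{
  cat <<EOF
PermitRootLogin no
DebianBanner no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey
AllowUsers $u
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
  # Everything else from the existing file, minus the keywords set above.
  grep -vE '^(PermitRootLogin|DebianBanner|ChallengeResponseAuthentication|PasswordAuthentication|UsePAM|AuthenticationMethods|AllowUsers|KexAlgorithms|Ciphers|MACs)' "$sshd_config"
} >"$sshd_new"

if sshd -t -f "$sshd_new"; then
  # Overwrite in place so the file keeps its owner, mode and path.
  cat -- "$sshd_new" >"$sshd_config"
  rm -f -- "$sshd_new"
  service ssh restart
else
  printf 'error: new sshd configuration failed validation; %s left unchanged\n' "$sshd_config" >&2
  rm -f -- "$sshd_new"
  exit 1
fi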
# Harden against TCP attacks
#
# Appends kernel network settings to a sysctl drop-in and asks the procps
# service to load them. The text is appended, so running the script twice
# writes the block twice.
# NOTE(review): icmp_echo_ignore_all = 1 makes the host stop answering ping,
# which also affects ping-based monitoring.
# NOTE(review): if the procps service is already marked as started, "start"
# may not re-read the file; confirm the values with sysctl afterwards.
sysctl_dropin=/etc/sysctl.d/10-network-security.conf
cat <<'EOF' >>"$sysctl_dropin"

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
EOF
service procps start