Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Debian 8 Hardening

Debian 8 Hardening

  1. Update root's mail recipient. Open /etc/aliases replacing administrator@example.tld with an administrator's email address. This is where logs will be emailed.

    root:     administrator@example.tld
  2. Update the the default umask to 027. Edit the file /etc/init.d/rc and change the following setting:

    umask 027
  3. Install Cracklib for stronger passwords

    sudo apt-get -y install libpam-cracklib
  4. Update login definitions. Open the file /etc/login.defs in your favourite editor and change the settings below:

    umask 027
  5. Update password rules (optional). Edit the file /etc/pam.d/common-password - Password rules

  6. Install Fail2bban

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  1. Setup fail2ban. Open the file /etc/fail2ban/jail.local and make the following changes
enabled  = true
  1. Restart Fail2ban
sudo service fail2ban restart
  1. Edit the network configuration. Open the file /etc/sysctl.conf and make the following changes. Lynis info
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.kptr_restrict = 2
kernel.core_uses_pid = 1
net.ipv4.conf.all.rp_filter = 1
  1. Reboot server inout of memory condition (optional)
vm.panic_on_oom = 1
kernel.panic = 10
  1. Reload the network configuration
sudo sysctl --system
  1. Install systat

    sudo apt-get -y install sysstat
  2. Enable systat. Open the file /etc/default/sysstat

    set ENABLED=”true”
  3. Update the systat cronjob. Open the file /etc/cron.d/sysstat and change cron job to every 2 minutes

    # Activity reports every 10 minutes everyday
    */2 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
  4. Restart systat

    sudo service sysstat restart
  5. Install and enable process accounting

    sudo apt-get -y install acct
    sudo service acct start
  6. Install and start the Logwatch service

    sudo apt-get -y install logwatch
    sudo mkdir /var/cache/logwatch
    sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
    sudo cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/
  7. Install Evasive Apache modules to secure against DDOS attacks

    sudo apt-get -y install libapache2-mod-evasive
    sudo mkdir -p /var/log/apache2/evasive
    sudo chown -R www-data:root /var/log/apache2/evasive
  8. Update the settings for the Evasive module. Open /etc/apache2/mods-available/evasive.conf

    DOSHashTableSize        2048
    DOSPageCount            20      # maximum number of requests for the same page
    DOSSiteCount            300     # total number of requests for any object by the same client IP on the same listener
    DOSPageInterval         1.0     # interval for the page count threshold
    DOSSiteInterval         1.0     # interval for the site count threshold
    DOSBlockingPeriod       10.0    # time that a client IP will be blocked for
    DOSLogDir               /var/log/apache2/evasive
  9. Install Auditd

    sudo apt-get -y install auditd audispd-plugins
  10. Update the auditd rules in /etc/audit/audit.rules. Add the following rules:

    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 1024
    ## Failure Mode
    ## Possible values are 0 (silent), 1 (printk, print a failure message),
    ## and 2 (panic, halt the system).
    -f 1
    ## Audit the audit logs.
    ## successful and unsuccessful attempts to read information from the
    ## audit records; all modifications to the audit trail
    -w /var/log/audit/ -k auditlog
    ## Auditd configuration
    ## modifications to audit configuration that occur while the audit
    ## collection functions are operating.
    -w /etc/audit/ -p wa -k auditconfig
    -w /etc/libaudit.conf -p wa -k auditconfig
    -w /etc/audisp/ -p wa -k audispconfig
    ## Monitor for use of audit management tools
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd -p x -k audittools
    ## special files
    -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
    -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
    ## Mount operations
    -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
    -a exit,always -F arch=b64 -S mount -S umount2 -k mount
    ## changes to the time
    -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
    -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
    ## Use stunnel
    -w /usr/sbin/stunnel -p x -k stunnel
    ## cron configuration & scheduled jobs
    -w /etc/cron.allow -p wa -k cron
    -w /etc/cron.deny -p wa -k cron
    -w /etc/cron.d/ -p wa -k cron
    -w /etc/cron.daily/ -p wa -k cron
    -w /etc/cron.hourly/ -p wa -k cron
    -w /etc/cron.monthly/ -p wa -k cron
    -w /etc/cron.weekly/ -p wa -k cron
    -w /etc/crontab -p wa -k cron
    -w /var/spool/cron/crontabs/ -k cron
    ## user, group, password databases
    -w /etc/group -p wa -k etcgroup
    -w /etc/passwd -p wa -k etcpasswd
    -w /etc/gshadow -k etcgroup
    -w /etc/shadow -k etcpasswd
    -w /etc/security/opasswd -k opasswd
    ## monitor usage of passwd
    -w /usr/bin/passwd -p x -k passwd_modification
    #Monitor for use of tools to change group identifiers
    -w /usr/sbin/groupadd -p x -k group_modification
    -w /usr/sbin/groupmod -p x -k group_modification
    -w /usr/sbin/addgroup -p x -k group_modification
    -w /usr/sbin/useradd -p x -k user_modification
    -w /usr/sbin/usermod -p x -k user_modification
    -w /usr/sbin/adduser -p x -k user_modification
    ## login configuration and information
    -w /etc/login.defs -p wa -k login
    -w /etc/securetty -p wa -k login
    -w /var/log/faillog -p wa -k login
    -w /var/log/lastlog -p wa -k login
    -w /var/log/tallylog -p wa -k login
    ## network configuration
    -w /etc/hosts -p wa -k hosts
    -w /etc/network/ -p wa -k network
    ## system startup scripts
    -w /etc/inittab -p wa -k init
    -w /etc/init.d/ -p wa -k init
    -w /etc/init/ -p wa -k init
    ## library search paths
    -w /etc/ -p wa -k libpath
    ## local time zone
    -w /etc/localtime -p wa -k localtime
    ## kernel parameters
    -w /etc/sysctl.conf -p wa -k sysctl
    ## modprobe configuration
    -w /etc/modprobe.conf -p wa -k modprobe
    ## pam configuration
    -w /etc/pam.d/ -p wa -k pam
    -w /etc/security/limits.conf -p wa  -k pam
    -w /etc/security/pam_env.conf -p wa -k pam
    -w /etc/security/namespace.conf -p wa -k pam
    -w /etc/security/namespace.init -p wa -k pam
    ## postfix configuration
    -w /etc/aliases -p wa -k mail
    -w /etc/postfix/ -p wa -k mail
    ## ssh configuration
    -w /etc/ssh/sshd_config -k sshd
    ## changes to hostname
    -a exit,always -F arch=b32 -S sethostname -k hostname
    -a exit,always -F arch=b64 -S sethostname -k hostname
    ## changes to issue
    -w /etc/issue -p wa -k etcissue
    -w /etc/ -p wa -k etcissue
    ## this was to noisy currently.
    # log all commands executed by an effective id of 0 aka root.
    -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
    -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
    ## Capture all failures to access on critical elements
    -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
    -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
    -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
    -a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
    -a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
    -a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
    -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
    -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
    ## Monitor for use of process ID change (switching accounts) applications
    -w /bin/su -p x -k priv_esc
    -w /usr/bin/sudo -p x -k priv_esc
    -w /etc/sudoers -p rw -k priv_esc
    ## Monitor usage of commands to change power state
    -w /sbin/shutdown -p x -k power
    -w /sbin/poweroff -p x -k power
    -w /sbin/reboot -p x -k power
    -w /sbin/halt -p x -k power
    ## Make the configuration immutable
    -e 2
  11. Purge old package configuration files

    dpkg --list |grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg --purge
  12. Install & run Lynis

    sudo apt-key adv --keyserver --recv-keys 91CA5D5F
    sudo bash -c 'echo "deb [arch=amd64] jessie main" > /etc/apt/sources.list.d/cisofy-lynis.list'
    sudo apt install apt-transport-https
    sudo apt update
    sudo apt install lynis
    sudo lynis audit system --quick --upload
    sudo mkdir /var/log/lynis
  13. Add a cronjob for Lynis. Add the following to /etc/cron.daily/lynis

    DATE=$(date +%Y%m%d)
    cd /usr/local/lynis
    lynis audit system --auditor "${AUDITOR}" --upload --cronjob > ${REPORT}
    mv /var/log/lynis-report.dat ${DATA}
    # The End
  14. Make the cronjob executable

    sudo chmod +x /etc/cron.daily/lynis
  15. Install Tripwire (optional), answering yes to all the questions and ensuring the use of a strong password for both the site key and local key. Instructions here

    sudo apt-get -y install tripwire
  16. Initialise the Tripwire database. You will be prompted for the site passphrase you configured earlier

    sudo twadmin --create-polfile /etc/tripwire/twpol.txt
  17. Run Tripwire

    sudo tripwire --check --interactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment