-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathdebian_harden.sh
executable file
·164 lines (137 loc) · 4.59 KB
/
debian_harden.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#!/bin/bash
#
# Perform hardening operations for Debian distributions
#####################
# Author : Emir Ozer
# Creation Date: 11 Jan 2015
#####################
echo -n "I do not claim any responsibility for your use of this script."
sys_upgrades() {
apt-get --yes --force-yes update
apt-get --yes --force-yes upgrade
apt-get --yes --force-yes autoremove
apt-get --yes --force-yes autoclean
}
unattended_upg() {
# IMPORTANT - Unattended upgrades may cause issues
# But it is known that the benefits are far more than
# downsides
apt-get --yes --force-yes install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
# This will create the file /etc/apt/apt.conf.d/20auto-upgrades
# with the following contents:
#############
# APT::Periodic::Update-Package-Lists "1";
# APT::Periodic::Unattended-Upgrade "1";
#############
}
disable_root() {
passwd -l root
# for any reason if you need to re-enable it:
# sudo passwd -l root
}
purge_nfs() {
# This the standard network file sharing for Unix/Linux/BSD
# style operating systems.
# Unless you require to share data in this manner,
# less layers = more sec
apt-get --yes purge nfs-kernel-server nfs-common portmap rpcbind autofs
}
disable_compilers() {
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
# 755 to bring them back online
# It is better to restrict access to them
# unless you are working with a specific one
}
firewall() {
apt-get --yes --force-yes install ufw
ufw allow ssh
ufw allow http
ufw deny 23
ufw default deny
ufw enable
}
harden_ssh_brute() {
# Many attackers will try to use your SSH server to brute-force passwords.
# This will only allow 6 connections every 30 seconds from the same IP address.
ufw limit OpenSSH
}
harden_ssh(){
sudo sh -c 'echo "PermitRootLogin no" >> /etc/ssh/ssh_config'
}
logwatch_reporter() {
apt-get --yes --force-yes install logwatch
# make it run weekly
cd /
mv /etc/cron.daily/00logwatch.dpkg-new /etc/cron.weekly/
cd
}
set_chkrootkit() {
apt-get --yes install chkrootkit
chkrootkit
}
purge_at() {
apt-get --yes purge at
# less layers equals more security
}
disable_avahi() {
update-rc.d -f avahi-daemon disable
# The Avahi daemon provides mDNS/DNS-SD discovery support
# (Bonjour/Zeroconf) allowing applications to discover services on the network.
}
disable_exim_pckgs() {
update-rc.d -f exim4 disable
}
process_accounting() {
# Linux process accounting keeps track of all sorts of details about which commands have been run on the server, who ran them, when, etc.
apt-get --yes --force-yes install acct
cd /
touch /var/log/wtmp
cd
# To show users' connect times, run ac. To show information about commands previously run by users, run sa. To see the last commands run, run lastcomm.
}
kernel_tuning() {
sudo sh -c 'echo "kernel.randomize_va_space=1" >> /etc/sysctl.conf'
# Enable IP spoofing protection
sudo sh -c 'echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf'
# Disable IP source routing
sudo sh -c 'echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.conf'
# Ignoring broadcasts request
sudo sh -c 'echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf'
# Make sure spoofed packets get logged
sudo sh -c 'echo "net.ipv4.conf.all.log_martians=1" >> /etc/sysctl.conf'
sudo sh -c 'echo "net.ipv4.conf.default.log_martians=1" >> /etc/sysctl.conf'
# Disable ICMP routing redirects
sudo sh -c 'echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf'
sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.conf'
sudo sh -c 'echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf'
# Disables the magic-sysrq key
sudo sh -c 'echo "kernel.sysrq=0" >> /etc/sysctl.conf'
# Turn off the tcp_timestamps
sudo sh -c 'echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.conf'
# Enable TCP SYN Cookie Protection
sudo sh -c 'echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf'
# Enable bad error message Protection
sudo sh -c 'echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf'
# RELOAD WITH NEW SETTINGS
/sbin/sysctl -p
}
main() {
sys_upgrades
unattended_upg
disable_root
purge_nfs
disable_compilers
firewall
harden_ssh_brute
harden_ssh
logwatch_reporter
set_chkrootkit
process_accounting
purge_at
disable_avahi
disable_exim_pckgs
kernel_tuning
}
main "$@"