Script for hardening a box via user-data
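#!/bin/bash
# user-data-hardening.sh
# Authors: Cody Bunch ([email protected])
#
# Script intended to be supplied as userdata to a cloud of some flavor.
# Enables some sane sysctl defaults, turns up iptables, and
# installs a HIDS / NIDS package
#
# Inputs (all optional, checked in this order):
#   EMAIL_ADDRESS      env var   - recipient of the daily logwatch report
#   $1                 argument  - same thing, for callers passing it positionally
#   interactive prompt           - only if neither is set AND stdin is a tty
#                                  (user-data has no tty, so a bare `read`
#                                  would hit EOF and leave the address empty)
#   ALLOW_INBOUND_DNS  env var   - set to 1 to open 53/tcp+udp; closed by default
#
# All writes to root-owned files go through `sudo tee`: `sudo echo ... >> file`
# only elevates the echo, the redirect is still done by the unprivileged shell.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Supply your email here (env var, argument, or prompt when interactive)
email_address=${EMAIL_ADDRESS:-${1:-}}
if [[ -z "$email_address" && -t 0 ]]; then
  read -r -p "What's your email address? " email_address
fi
: "${email_address:?no email address given (set EMAIL_ADDRESS or pass it as \$1)}"

# Other things worth verifying / changing:
MODPROBE=/sbin/modprobe
export DEBIAN_FRONTEND=noninteractive

# Postfix
# The debconf answers have to exist *before* the package is installed; the
# original order (install, then preseed) let the noninteractive install pick
# its own defaults and the preseed was never consulted.
host_fqdn=$(hostname -f) || die "hostname -f failed"
sudo tee /var/cache/debconf/postfix.preseed >/dev/null <<EOF
postfix postfix/chattr boolean false
postfix postfix/mailname string $host_fqdn
postfix postfix/main_mailer_type select Internet Site
EOF
sudo debconf-set-selections /var/cache/debconf/postfix.preseed

sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confold" \
  dist-upgrade
sudo apt-get install -y \
  ufw \
  logwatch \
  aide \
  psad \
  postfix \
  fail2ban

# Sysctl
# Quoted heredoc: nothing in this block is meant to be expanded.
sudo tee -a /etc/sysctl.conf >/dev/null <<'EOF'

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
EOF
# Hosts without IPv6 reject the net.ipv6.* keys and sysctl -p exits non-zero;
# warn but keep going so the firewall section below still runs.
sudo sysctl -p || printf 'warn: not every sysctl key could be applied\n' >&2

# Firewall
# Policy and rules first, enable last: there is then no window in which ufw
# is active without the SSH rule (fatal on a remote box), and no need to
# flip the default from allow to deny after the fact.
sudo ufw default deny incoming
sudo ufw allow 22/tcp # allow ssh
# Inbound DNS is opt-in, as the original "uncomment to allow" comment intended.
if [[ "${ALLOW_INBOUND_DNS:-0}" == 1 ]]; then
  sudo ufw allow 53/tcp # allow incoming dns
  sudo ufw allow 53/udp # allow incoming dns
fi
sudo ufw --force enable # --force: no confirmation prompt under user-data

### load connection-tracking modules
#
# Tries each candidate name in turn; newer kernels expose the nf_* names,
# the ip_* names are the legacy ones the original script loaded.
# Arguments: module names, most preferred first
# Outputs:   a warning on stderr if none of them loads (not fatal)
load_module() {
  local name
  for name in "$@"; do
    if sudo "$MODPROBE" "$name" 2>/dev/null; then
      return 0
    fi
  done
  printf 'warn: could not load any of: %s\n' "$*" >&2
}
load_module nf_conntrack ip_conntrack
load_module iptable_nat
load_module nf_conntrack_ftp ip_conntrack_ftp
load_module nf_nat_ftp ip_nat_ftp

# HIDS - Aide
sudo aideinit
# aide signals "differences found" with a non-zero exit; that is a report,
# not a failure, so it must not abort the script under set -e.
sudo aide -u || true

# Log Reporting
# The address is quoted inside the generated cron line so an address with
# shell-special characters cannot alter the logwatch invocation.
sudo tee -a /etc/cron.daily/00logwatch >/dev/null <<EOF

/usr/sbin/logwatch --output mail --mailto "${email_address}" --detail high
EOF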