Linux Server Secure
#!/bin/bash
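# Create a sudo user
# Every later step edits system configuration, so stop early when not running
# as root instead of failing command by command further down.
if [[ "$EUID" -ne 0 ]]; then
  printf 'This script must be run as root.\n' >&2
  exit 1
fi
# username is read again by the password-aging step; initialise it so that
# step can tell whether an account was actually created here.
username=""
read -r -p "Create a new sudo user (Allows for administrative actions with accountability)? (y/n): " create_user
if [[ "$create_user" =~ ^[Yy]$ ]]; then
  read -r -p "Enter the username for the new sudo user: " username
  if [[ -z "$username" ]]; then
    printf 'No username given; skipping user creation.\n' >&2
  elif adduser "$username"; then
    # Grant sudo only once the account is known to exist.
    usermod -aG sudo "$username"
  else
    printf 'adduser failed for %s; not granting sudo.\n' "$username" >&2
  fi
fi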
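# Use Secure Shell Protocol
read -r -p "Secure the Secure Shell Protocol (Enhances SSH security by disabling password authentication)? (y/n): " use_ssh
if [[ "$use_ssh" =~ ^[Yy]$ ]]; then
  sshd_config=/etc/ssh/sshd_config
  apply_ssh=1
  # Turning off password logins locks out every account without a key, so
  # look for at least one non-empty authorized_keys file before proceeding.
  key_found=0
  for keyfile in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    if [[ -s "$keyfile" ]]; then
      key_found=1
      break
    fi
  done
  if (( key_found == 0 )); then
    read -r -p "No authorized_keys file found under /root or /home. Continue and risk lockout? (y/n): " confirm_ssh
    [[ "$confirm_ssh" =~ ^[Yy]$ ]] || apply_ssh=0
  fi
  if (( apply_ssh )); then
    cp -a -- "$sshd_config" "${sshd_config}.bak.$(date +%s)"   # rollback copy
    # Match the directive whether it is commented out or already set; the
    # stock "#PasswordAuthentication yes" is only one of the forms found in
    # the wild. Files included from sshd_config.d may still override this.
    if grep -Eq '^#?PasswordAuthentication' "$sshd_config"; then
      sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' "$sshd_config"
    else
      printf 'PasswordAuthentication no\n' >> "$sshd_config"
    fi
    # Validate before restarting: a config error would otherwise leave sshd down.
    if sshd -t; then
      systemctl restart sshd
    else
      printf 'sshd_config failed validation; sshd was not restarted.\n' >&2
    fi
  fi
fi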
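# Setup a basic firewall (UFW)
read -r -p "Setup a basic firewall (UFW) (Add rules in next step)? (y/n): " setup_ufw
if [[ "$setup_ufw" =~ ^[Yy]$ ]]; then
  ufw default deny incoming
  ufw default allow outgoing
  # Ask about SSH regardless of the previous step: enabling a default-deny
  # firewall on a remote host without an SSH rule locks the operator out.
  read -r -p "Do you want to allow SSH (port 22) by default (Allows SSH connections)? (y/n): " allow_ssh
  if [[ "$allow_ssh" =~ ^[Yy]$ ]]; then
    ufw allow 22/tcp
  fi
  read -r -p "Enter any additional ports to open (comma-separated): " ports
  IFS=',' read -ra ADDR <<< "$ports"
  for port in "${ADDR[@]}"; do
    port="${port//[[:space:]]/}"   # tolerate "80, 443"
    [[ -z "$port" ]] && continue
    # Accept only "<port>", "<from>:<to>" and an optional "/tcp" or "/udp"
    # suffix so nothing but a port specification reaches ufw.
    if [[ "$port" =~ ^[0-9]{1,5}(:[0-9]{1,5})?(/(tcp|udp))?$ ]]; then
      ufw allow "$port"
    else
      printf 'Skipping invalid port specification: %s\n' "$port" >&2
    fi
  done
  # --force skips ufw's own interactive confirmation so the script does not stall.
  ufw --force enable
  ufw reload
fi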
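# Disable unwanted Linux services
read -r -p "Disable vulnerable Linux services (Reduces attack surface by disabling rpcbind NFS and SMB)? (y/n): " disable_services
if [[ "$disable_services" =~ ^[Yy]$ ]]; then
  disabled_units=()
  # Debian/Ubuntu name these units nfs-server and smbd; the bare names are
  # kept for distributions that use them. Units that do not exist are skipped
  # instead of producing a failure for each one.
  for unit in rpcbind rpcbind.socket nfs nfs-server smb smbd; do
    if systemctl cat "$unit" >/dev/null 2>&1; then
      # --now also stops the running instance; disable alone only affects the next boot.
      systemctl disable --now "$unit" && disabled_units+=("$unit")
    fi
  done
  if (( ${#disabled_units[@]} > 0 )); then
    printf 'Disabled: %s\n' "${disabled_units[*]}"
  else
    printf 'None of rpcbind, NFS or SMB were present on this system.\n'
  fi
fi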
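# Disable ICMP
read -r -p "Disable ICMP (Prevents attackers from using the ping command against the server)? (y/n): " disable_icmp
if [[ "$disable_icmp" =~ ^[Yy]$ ]]; then
  # A drop-in file is rewritten in place, so re-running the script does not
  # pile up duplicate lines in /etc/sysctl.conf. This only ignores echo
  # requests: the host remains discoverable, and monitoring that relies on
  # ping will report it as down.
  sysctl_dropin=/etc/sysctl.d/99-harden-icmp.conf
  printf 'net.ipv4.icmp_echo_ignore_all = 1\nnet.ipv6.icmp.echo_ignore_all = 1\n' > "$sysctl_dropin"
  # --system loads /etc/sysctl.d/*; -p would only re-read /etc/sysctl.conf.
  sysctl --system
fi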
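# Enable SELinux
read -r -p "Enable SELinux (Enhances security through mandatory access controls)? (y/n): " enable_selinux
if [[ "$enable_selinux" =~ ^[Yy]$ ]]; then
  if ! command -v setenforce >/dev/null 2>&1; then
    # Debian/Ubuntu ship AppArmor instead; setenforce is simply absent there.
    printf 'setenforce not found; SELinux is not installed on this system.\n' >&2
  elif [[ "$(getenforce 2>/dev/null)" == "Disabled" ]]; then
    # setenforce cannot leave the Disabled state at runtime; that requires the
    # config file change below plus a reboot (and normally a relabel).
    printf 'SELinux is disabled; set SELINUX=enforcing in /etc/selinux/config and reboot.\n' >&2
  else
    setenforce 1
    # setenforce only changes the running mode; persist it across reboots.
    if [[ -f /etc/selinux/config ]]; then
      sed -i -E 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    fi
  fi
fi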
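# Install and configure fail2ban
read -r -p "Install and configure fail2ban (Protects against brute-force attacks)? (y/n): " install_fail2ban
if [[ "$install_fail2ban" =~ ^[Yy]$ ]]; then
  # -y keeps the run non-interactive; configuration is skipped if the install fails.
  if apt-get install -y fail2ban; then
    # jail.local holds the operator's overrides; never clobber an existing one.
    if [[ ! -e /etc/fail2ban/jail.local ]]; then
      cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    fi
    # Installing does not guarantee the service is enabled and running.
    systemctl enable --now fail2ban
  else
    printf 'fail2ban installation failed; skipping its configuration.\n' >&2
  fi
fi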
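# Keep Kernel and Packages Updated
read -r -p "Keep Kernel and Packages Updated (Ensures system components are up to date with security patches)? (y/n): " update_kernel
if [[ "$update_kernel" =~ ^[Yy]$ ]]; then
  # Report a failed update loudly; otherwise a dead mirror or a dpkg lock
  # leaves the operator believing the system was patched.
  if ! DEBIAN_FRONTEND=noninteractive apt-get update; then
    printf 'apt-get update failed; packages were not upgraded.\n' >&2
  elif ! DEBIAN_FRONTEND=noninteractive apt-get upgrade -y; then
    printf 'apt-get upgrade failed; check the apt output above.\n' >&2
  fi
fi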
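# Disable USB and Thunderbolt Devices
read -r -p "Disable USB and Thunderbolt Devices (Prevents unauthorized access through physical devices)? (y/n): " disable_usb
if [[ "$disable_usb" =~ ^[Yy]$ ]]; then
  blacklist_file=/etc/modprobe.d/blacklist.conf
  for module in usb-storage thunderbolt; do
    # Idempotent: re-running the script must not append duplicate lines.
    if ! grep -qxF "blacklist $module" "$blacklist_file" 2>/dev/null; then
      printf 'blacklist %s\n' "$module" >> "$blacklist_file"
    fi
  done
  # blacklist only prevents automatic loading; a module already in memory
  # stays loaded until it is unloaded or the host reboots.
  printf 'usb-storage and thunderbolt are blacklisted; reboot or unload the modules for this to take effect.\n'
fi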
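# Enforce strong password policies
read -r -p "Enforce strong password policies (Increases password complexity to reduce the risk of unauthorized access)? (y/n): " enforce_passwords
if [[ "$enforce_passwords" =~ ^[Yy]$ ]]; then
  pam_password=/etc/pam.d/common-password
  # Referencing a PAM module that is not installed makes every password
  # change fail, so make sure the library is present first.
  if ! dpkg -s libpam-pwquality >/dev/null 2>&1; then
    apt-get install -y libpam-pwquality
  fi
  cp -a -- "$pam_password" "${pam_password}.bak.$(date +%s)"   # rollback copy
  if grep -q 'pam_pwquality.so' "$pam_password"; then
    # pam-auth-update (or a previous run) has already wired the module in;
    # a second entry would add nothing but confusion.
    printf 'pam_pwquality is already configured in %s; leaving it unchanged.\n' "$pam_password"
  else
    # Appended after the existing stack, so it runs after pam_unix; letting
    # pam-auth-update place the module is preferable where available.
    printf 'password requisite pam_pwquality.so retry=3 minlen=10 difok=3\n' >> "$pam_password"
  fi
fi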
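# Restrict use of previous passwords
read -r -p "Restrict use of previous passwords (Prevents reuse of old passwords, reducing risk of compromised credentials)? (y/n): " restrict_passwords
if [[ "$restrict_passwords" =~ ^[Yy]$ ]]; then
  pam_password=/etc/pam.d/common-password
  cp -a -- "$pam_password" "${pam_password}.bak.$(date +%s)"   # rollback copy
  if grep -Eq '^password.*pam_unix\.so' "$pam_password"; then
    # The stack already invokes pam_unix; appending a second pam_unix line
    # would run the module twice (double prompts, inconsistent results).
    # Add remember= to the existing line instead, unless it is already set.
    sed -i -E '/^password.*pam_unix\.so/{/remember=/!s/$/ remember=5/}' "$pam_password"
  else
    printf 'password required pam_unix.so remember=5\n' >> "$pam_password"
  fi
fi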
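# Purge Unnecessary Packages
read -r -p "Purge Unnecessary Packages (Removes unnecessary software to minimize potential vulnerabilities)? (y/n): " purge_packages
if [[ "$purge_packages" =~ ^[Yy]$ ]]; then
  # --purge also removes the leftover configuration files that plain
  # autoremove keeps, matching what this step promises.
  apt-get autoremove --purge -y
fi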
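# Set up password aging
read -r -p "Set up password aging (Requires password changes at regular intervals to reduce risk of unauthorized access)? (y/n): " set_password_aging
if [[ "$set_password_aging" =~ ^[Yy]$ ]]; then
  # username is only set when a sudo user was created above; otherwise ask,
  # so chage is never invoked with an empty account name.
  if [[ -z "${username:-}" ]]; then
    read -r -p "Enter the account to apply password aging to: " username
  fi
  if [[ -n "$username" ]] && id "$username" >/dev/null 2>&1; then
    chage -M 60 "$username"
  else
    printf 'Account "%s" not found; password aging not applied.\n' "$username" >&2
  fi
  # Apply the same maximum to accounts created in future.
  if [[ -f /etc/login.defs ]]; then
    sed -i -E 's/^(PASS_MAX_DAYS[[:space:]]+).*/\160/' /etc/login.defs
  fi
fi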
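# Disable unwanted SUID and SGID binaries
read -r -p "Review and optionally remove SUID and SGID binaries (Identify and modify special permissions)? (y/n): " review_suid_sgid
if [[ "$review_suid_sgid" =~ ^[Yy]$ ]]; then
  echo "Listing all SUID/SGID files:"
  # Collect NUL-delimited into an array so paths containing spaces survive;
  # the original word-split string broke such paths and let them glob.
  # /proc and /sys are pruned: they hold no real binaries and slow the scan.
  files=()
  while IFS= read -r -d '' f; do
    files+=("$f")
  done < <(find / \( -path /proc -o -path /sys \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print0 2>/dev/null)
  if (( ${#files[@]} == 0 )); then
    echo "No SUID/SGID files found."
  else
    printf 'Note: su, sudo, passwd and similar tools need their SUID bit to work; stripping it breaks them.\n'
    # An explicit "Done" entry replaces the original Ctrl+C-only exit, which
    # aborted the whole script instead of just this step.
    select file in "${files[@]}" "Done"; do
      if [[ "$file" == "Done" ]]; then
        break
      elif [[ -n "$file" ]]; then
        read -r -p "Remove SUID/SGID permissions from $file? (y/n): " remove_suid_sgid
        if [[ "$remove_suid_sgid" =~ ^[Yy]$ ]]; then
          chmod a-s -- "$file"
          echo "Removed SUID/SGID permissions from $file."
        fi
      else
        echo "Invalid selection."
      fi
      echo "Select another file or choose 'Done' to continue."
    done
  fi
fi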
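# Logging and auditing
read -r -p "Logging and auditing (Increases monitoring and accountability through detailed logs)? (y/n): " logging_auditing
if [[ "$logging_auditing" =~ ^[Yy]$ ]]; then
  # -y keeps the run non-interactive; a freshly installed auditd is not
  # necessarily enabled, so turn it on explicitly.
  if apt-get install -y auditd; then
    systemctl enable --now auditd
  else
    printf 'auditd installation failed.\n' >&2
  fi
fi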
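# Perform regular backups (manual setup required)
read -r -p "Perform regular backups (Ensures data integrity and availability through regular backups)? (y/n): " perform_backups
if [[ "$perform_backups" =~ ^[Yy]$ ]]; then
  read -r -p "Enter the path to the backup script (e.g., /path/to/backup/script.sh): " backup_script
  # cron runs with a minimal environment, so the path must be absolute and
  # the script executable for the job to ever start.
  if [[ "$backup_script" != /* ]]; then
    echo "Backup script path must be absolute (start with /)."
  elif [[ ! -f "$backup_script" ]]; then
    echo "Backup script not found. Please ensure the path is correct."
  elif [[ ! -x "$backup_script" ]]; then
    echo "Backup script is not executable; run chmod +x on it first."
  else
    read -r -p "How often do you want to run the backups? (daily/weekly/monthly): " backup_frequency
    cron_time=""
    case "$backup_frequency" in
      daily)   cron_time="0 0 * * *" ;;
      weekly)  cron_time="0 0 * * 0" ;;
      monthly) cron_time="0 0 1 * *" ;;
      *)
        # Skip this step instead of exit 1: an invalid answer here should not
        # abort the remaining hardening steps.
        echo "Invalid selection. Please manually set up the backup schedule using crontab."
        ;;
    esac
    if [[ -n "$cron_time" ]]; then
      echo "Setting up $backup_frequency backups using $backup_script."
      # crontab -l exits non-zero when no crontab exists yet; that is fine.
      # The grep keeps re-runs from adding a duplicate entry.
      existing_crontab=$(crontab -l 2>/dev/null || true)
      if grep -qF -- "$backup_script" <<< "$existing_crontab"; then
        echo "A crontab entry for $backup_script already exists; not adding another."
      else
        printf '%s\n%s %s\n' "$existing_crontab" "$cron_time" "$backup_script" | crontab -
      fi
    fi
  fi
fi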
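# Monitor listening network ports
read -r -p "Monitor listening network ports (Helps in identifying potentially malicious or unnecessary open ports)? (y/n): " monitor_ports
if [[ "$monitor_ports" =~ ^[Yy]$ ]]; then
  read -r -p "How often do you want to check the listening ports? (daily/weekly/monthly): " check_frequency
  cron_time_ports=""
  case "$check_frequency" in
    daily)   cron_time_ports="0 0 * * *" ;;
    weekly)  cron_time_ports="0 0 * * 0" ;;
    monthly) cron_time_ports="0 0 1 * *" ;;
    *)
      # Skip rather than exit 1 so the closing message still runs.
      echo "Invalid selection. Please manually set up the monitoring schedule using crontab."
      ;;
  esac
  if [[ -n "$cron_time_ports" ]]; then
    # The original installed the literal placeholder /path/to/log/directory,
    # so the cron job could never write its log. Ask for a real location.
    read -r -p "Log file for listening ports [/var/log/listening_ports.log]: " ports_log
    ports_log="${ports_log:-/var/log/listening_ports.log}"
    # Prefer ss (iproute2); netstat is deprecated and missing on many installs.
    # Record the full path because cron's PATH is minimal.
    port_tool=""
    for candidate in ss netstat; do
      if command -v "$candidate" >/dev/null 2>&1; then
        port_tool=$(command -v "$candidate")
        break
      fi
    done
    if [[ -z "$port_tool" ]]; then
      printf 'Neither ss nor netstat is installed; cannot schedule port monitoring.\n' >&2
    else
      # Append with a date header instead of overwriting: a history lets you
      # diff snapshots and notice a port that appeared between runs.
      monitoring_command="{ date; $port_tool -tuln; } >> $ports_log 2>&1"
      echo "Setting up $check_frequency port monitoring to $ports_log."
      # crontab -l exits non-zero when no crontab exists yet; that is fine.
      # The grep keeps re-runs from adding a duplicate entry.
      existing_crontab=$(crontab -l 2>/dev/null || true)
      if grep -qF -- "$ports_log" <<< "$existing_crontab"; then
        echo "A crontab entry writing $ports_log already exists; not adding another."
      else
        printf '%s\n%s %s\n' "$existing_crontab" "$cron_time_ports" "$monitoring_command" | crontab -
      fi
    fi
  fi
fi
echo "Server hardening completed!"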