Basics of hardening
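#!/bin/bash
#
# Basic Linux hardening: filesystem, login sessions, network stack, services,
# kernel and SSH (server and client). Must run as root.
#
# Re-running is safe: files this script owns (sysctl/modprobe drop-ins) are
# rewritten, shared files (/etc/sysctl.conf, ssh configs, profile.d) only get a
# directive once. Changes to sysctl are loaded at the end; sshd changes take
# effect only after sshd is restarted, which this script deliberately does not
# do so the operator can check port and firewall reachability first.
#
# Usage: sudo ./hardening.sh
set -u

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section banner.
# Arguments: $1 - section title
#######################################
banner() {
  echo "┌──────────────────────────────────────────────────────────────────────────────┐"
  echo "│ $1 │"
  echo "╘══════════════════════════════════════════════════════════════════════════════╛"
}

#######################################
# Append a line to a file unless an identical line is already present, so that
# repeated runs do not pile up duplicate directives. Creates the file if needed.
# Arguments: $1 - file, $2 - exact line to ensure
#######################################
append_once() {
  local file=$1 line=$2
  # grep fails (and stays quiet) when the file does not exist yet; the line is
  # then appended, which creates the file.
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Remove world access (mode 0750) from the given binaries, skipping the ones
# that are not installed (ifconfig, locate and whereis are not present on
# every distribution).
# Arguments: absolute paths of binaries
#######################################
restrict_to_root() {
  local bin
  for bin in "$@"; do
    if [[ -e "$bin" ]]; then
      chmod 0750 -- "$bin"
    else
      printf 'skipping %s (not present)\n' "$bin" >&2
    fi
  done
}

#######################################
# Filesystem hardening: link protection sysctls and blacklisting of
# uncommon filesystem modules.
#######################################
harden_filesystem() {
  banner "filesystem"
  echo "Enable hard/soft link protection."
  printf '%s\n' "fs.protected_hardlinks = 1" "fs.protected_symlinks = 1" \
    > /etc/sysctl.d/50-fs-hardening.conf

  echo "Disable uncommon filesystems."
  # The drop-in is owned by this script, so it is rewritten rather than
  # appended to. NOTE: squashfs is needed by snap packages and nfs/nfsv3 by
  # NFS mounts; remove them from the list on hosts that rely on those.
  local fs
  : > /etc/modprobe.d/uncommon-fs.conf
  for fs in cramfs freevxfs jffs2 hfs hfsplus squashfs udf fat vfat nfs nfsv3 gfs2; do
    printf 'install %s /bin/false\n' "$fs" >> /etc/modprobe.d/uncommon-fs.conf
  done
}

#######################################
# Login/session hardening: idle timeout, read-only history, root password
# ageing, GRUB file permissions and home directory permissions.
# (The banner keeps the original "firewall" title for continuity with the
# script's existing output; the packet-filter rules live in harden_network.)
#######################################
harden_logins() {
  banner "firewall"
  echo "Configure system to automatically log out users who are inactive for 15 minutes. Additionally, users won't be able to modify their command history files."
  append_once /etc/profile.d/idle-users.sh "readonly TMOUT=900"
  append_once /etc/profile.d/idle-users.sh "readonly HISTFILE"
  chmod +x /etc/profile.d/idle-users.sh

  echo "Enable the maximum number of days that the password applies to the root user."
  chage -M 20 root

  echo "Restrict GRUB configuration files & directories to root, preventing regular users from accessing or modifying them."
  # /etc/grub.conf only exists on legacy GRUB installs, /etc/grub.d on GRUB 2;
  # touch whichever is present instead of erroring on the other.
  if [[ -e /etc/grub.conf ]]; then
    chown root:root /etc/grub.conf && chmod og-rwx /etc/grub.conf
  fi
  if [[ -d /etc/grub.d ]]; then
    chown -R root:root /etc/grub.d && chmod -R og-rwx /etc/grub.d
  fi

  echo "The default setting allows every user on the system to access the home directory. If there's a guest account, it can also read all the data from the home directory."
  # Under sudo, $USER is root; SUDO_USER names the account that invoked the
  # script, which is the home directory the message refers to.
  local home_user=${SUDO_USER:-${USER:-}}
  if [[ -n "$home_user" && -d "/home/$home_user" ]]; then
    chmod 0700 -- "/home/$home_user"
  else
    printf 'no home directory found for %s; skipping chmod\n' "${home_user:-<unknown>}" >&2
  fi
}

#######################################
# Network hardening: IPv4 stack sysctls, packet-filter rules against malformed
# TCP, restricted network tools and IPv6 disablement.
#######################################
harden_network() {
  banner "network"
  echo "Enable TCP SYN cookie protection"
  echo "Disable IP source routing."
  echo "Disable ICMP redirect acceptance."
  echo "Ignore ICMP IPv4 requests."
  echo "Ignore IPv4 broadcasts requests."
  # All five keys are written in one step: writing each with '>' (as the
  # original did) overwrote the file every time and left only the last key.
  printf '%s\n' \
    "net.ipv4.tcp_syncookies = 1" \
    "net.ipv4.conf.all.accept_source_route = 0" \
    "net.ipv4.conf.all.accept_redirects = 0" \
    "net.ipv4.icmp_echo_ignore_all = 1" \
    "net.ipv4.icmp_echo_ignore_broadcasts = 1" \
    > /etc/sysctl.d/50-net-stack.conf

  if command -v iptables >/dev/null; then
    # NOTE: these rules live in the running kernel only; persist them with the
    # distribution's iptables-save mechanism or they are gone after a reboot.
    echo "Make sure new incoming TCP connections are SYN packets."
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    echo "Drop incoming packets with fragments."
    iptables -A INPUT -f -j DROP
    echo "Drop incoming malformed XMAS packets."
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    echo "Drop incoming malformed NULL packets."
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  else
    echo "iptables not found; skipping packet filter rules." >&2
  fi

  echo "Restrict the usage of 'ping' and 'ifconfig' network commands to root."
  restrict_to_root /bin/ping /sbin/ifconfig
  echo "Restrict the usage of 'w' and 'who' commands to root."
  restrict_to_root /usr/bin/w /usr/bin/who
  echo "Restrict the usage of 'locate' and 'whereis' commands to root."
  restrict_to_root /usr/bin/locate /usr/bin/whereis

  echo "Disable IPv6 System wide to reduce the attack surface of a system (assuming you are not using it)."
  # The original third echo had the redirect inside the quotes, so the 'lo'
  # entry was printed to the terminal and never written.
  local iface
  for iface in all default lo; do
    append_once /etc/sysctl.conf "net.ipv6.conf.$iface.disable_ipv6 = 1"
  done
}

#######################################
# Service hardening: make sure syslog runs and lock down /etc/sysctl.conf.
#######################################
harden_services() {
  banner "services"
  echo "Ensure syslog service is enabled and running."
  systemctl enable rsyslog && systemctl start rsyslog
  echo "Set permissions of the sysctl preload/configuration file."
  chmod 0700 /etc/sysctl.conf
}

#######################################
# Kernel hardening sysctls, one drop-in per setting as in the original.
#######################################
harden_kernel() {
  banner "kernel"
  echo "Restrict access to kernel logs."
  printf '%s\n' "kernel.dmesg_restrict = 1" > /etc/sysctl.d/50-dmesg-restrict.conf
  echo "Restrict access to kernel pointers."
  printf '%s\n' "kernel.kptr_restrict = 1" > /etc/sysctl.d/50-kptr-restrict.conf
  echo "Enable the ExecShield protection."
  # kernel.exec-shield is a legacy Red Hat-only key; current kernels do not
  # have it and sysctl reports it as unknown (harmless, other keys still load).
  printf '%s\n' "kernel.exec-shield = 2" > /etc/sysctl.d/50-exec-shield.conf
  echo "Randomise the memory space."
  printf '%s\n' "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf
}

#######################################
# SSH server and client hardening. Writes sshd directives to a drop-in when
# the sshd_config.d directory exists, otherwise appends to sshd_config, and
# validates the result with 'sshd -t' before returning.
#######################################
harden_ssh() {
  banner "Other"
  local sshd_target=/etc/ssh/sshd_config
  # sshd honours the first occurrence of a directive. Lines appended to the
  # end of sshd_config lose against anything set earlier in the file or in
  # files pulled in by an 'Include' near the top (distribution cloud-init
  # drop-ins commonly re-enable PasswordAuthentication that way). When the
  # drop-in directory exists, our own file there is read first and wins.
  if [[ -d /etc/ssh/sshd_config.d ]]; then
    sshd_target=/etc/ssh/sshd_config.d/50-hardening.conf
    : > "$sshd_target"
  fi

  echo "Disable the option to login directly as root via SSH, use sudo instead."
  append_once "$sshd_target" "PermitRootLogin no"
  echo "Disable SSH authentication using passwords and force keys instead."
  append_once "$sshd_target" "ChallengeResponseAuthentication no"
  append_once "$sshd_target" "PasswordAuthentication no"
  echo "Disable empty passwords on SSH Authentication."
  append_once "$sshd_target" "PermitEmptyPasswords no"
  echo "Change the default SSH port."
  # Make sure 4567/tcp is reachable through any packet filter before sshd is
  # restarted, otherwise remote access is lost.
  append_once "$sshd_target" "Port 4567"
  echo "Older linux distributions still have SSH Protocol 1 available. It has known vulnerabilities, and should not be used anymore."
  append_once "$sshd_target" "Protocol 2"
  echo "The X11 protocol is not security oriented. It should be disabled if not needed."
  append_once "$sshd_target" "X11Forwarding no"
  echo "Turn off IPv6 for SSH."
  append_once "$sshd_target" "AddressFamily inet"
  echo "Disable GSSAPI authentication."
  append_once "$sshd_target" "GSSAPIAuthentication no"
  echo "Disable Kerberos authentication."
  append_once "$sshd_target" "KerberosAuthentication no"
  echo "Disable SSH verbose banner that shows various information about the OS."
  # DebianBanner is a Debian/Ubuntu-specific option; other sshd builds reject
  # it as unknown and refuse to start, so only write it on Debian-family hosts.
  if [[ -e /etc/debian_version ]]; then
    append_once "$sshd_target" "DebianBanner no"
  else
    echo "DebianBanner is not supported by this sshd; skipped." >&2
  fi
  echo "Limit the number of SSH login attempts such that after a number of failed attempts, the connection drops."
  append_once "$sshd_target" "MaxAuthTries 3"
  echo "Reduce the amount of time (in seconds) a user has to complete authentication after connecting to an SSH server."
  append_once "$sshd_target" "LoginGraceTime 30"
  echo "Disable Agent forwarding."
  append_once "$sshd_target" "AllowAgentForwarding no"
  echo "Disable TCP forwarding."
  append_once "$sshd_target" "AllowTcpForwarding no"
  echo "Disable device forwarding."
  append_once "$sshd_target" "PermitTunnel no"

  # Refuse to leave behind a configuration sshd cannot parse: it would only
  # surface at the next restart, as a lock-out.
  if command -v sshd >/dev/null && ! sshd -t; then
    die "sshd rejected the new configuration; fix $sshd_target before restarting sshd"
  fi

  local ssh_conf=/etc/ssh/ssh_config
  echo "Disable X11 client display forwarding."
  append_once "$ssh_conf" "ForwardX11 no"
  echo "Disable client tunneling."
  append_once "$ssh_conf" "Tunnel no"
  echo "Disable client agent forwarding."
  append_once "$ssh_conf" "ForwardAgent no"
  echo "Disable client GSSAPI authentication."
  append_once "$ssh_conf" "GSSAPIAuthentication no"
  echo "Disable (client) host based authentication."
  append_once "$ssh_conf" "HostbasedAuthentication no"
  echo "Disable legacy 'Arcfour' ciphers."
  append_once "$ssh_conf" "Ciphers -arcfour*,-*cbc"
  echo "Get warning if key / fingerprint of remote server has changed."
  append_once "$ssh_conf" "StrictHostKeyChecking ask"
}

#######################################
# Entry point: require root, run every section, then load the sysctl drop-ins.
#######################################
main() {
  # Every step below writes under /etc; fail fast instead of half-applying.
  (( EUID == 0 )) || die "This script must be run as root."
  echo "╔══════════════════════════════════════════════════════════════════════════════╗"
  echo "║ LINUX HARDENING SCRIPT ║"
  echo "╚══════════════════════════════════════════════════════════════════════════════╝"
  echo " ༺୨──────────────────୧༻ "
  harden_filesystem
  harden_logins
  harden_network
  harden_services
  harden_kernel
  harden_ssh
  # The sysctl files written above are otherwise only read at boot. Unknown
  # keys (exec-shield on a modern kernel) are reported and skipped.
  if ! sysctl --system >/dev/null; then
    echo "sysctl --system reported errors; check the drop-ins in /etc/sysctl.d" >&2
  fi
}

main "$@"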