-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhardening.sh
120 lines (90 loc) · 2.89 KB
/
hardening.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#!/bin/bash
#Set MOTD
cat templates/motd > /etc/motd
cat templates/motd > /etc/issue
cat templates/motd > /etc/issue.net
#Update System
apt update
apt upgrade -y
apt dist-upgrade -y
#Setting a more restructive UMASK
cp templates/login.defs /etc/login.defs
#Disabling Unused Filesystems
echo "install cramfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install freevxfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install squashfs /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install vfat /bin/true" >> /etc/modprobe.d/CIS.conf
#Diabling uncommon network protocols
echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf
echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf
#Create Privileged User
useradd -m -s /bin/bash swupoh
usermod -aG sudo swupoh
mkdir -p /home/swupoh/.ssh
cp templates/swupoh_authorized_keys /home/swupoh/.ssh/authorized_keys
chown -R swupoh: /home/swupoh/.ssh
chmod 700 /home/swupoh/.ssh
chown -R swupoh: /home/swupoh/.ssh/authorized_keys
chmod 600 /home/swupoh/.ssh/authorized_keys
#Secure SSH
cp templates/sshd_config /etc/ssh/sshd_config
service ssh restart
#Secure /tmp folder
#dd if=/dev/zero of=/usr/tmpDISK bs=1024 count=2048000
#mkdir /tmpbackup
#cp -Rpf /tmp /tmpbackup
#mount -t tmpfs -o loop,noexec,nosuid,rw /usr/tmpDISK /tmp
#chmod 1777 /tmp
#cp -Rpf /tmpbackup/* /tmp/
#rm -rf /tmpbackup
#echo "/usr/tmpDISK /tmp tmpfs loop,nosuid,nodev,noexec,rw 0 0" >> /etc/fstab
#sudo mount -o remount /tmp
#Setup UFW
ufw enable
ufw allow ssh
ufw allow 8080/tcp
ufw allow 9100/tcp
ufw allow 10000:11000/tcp
#Install PSAD
#PSAD actively monitors firewall logs to determine if a scan or attack is taking place
apt-get install psad
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG
ufw logging on
cp templates/psad.conf /etc/psad/psad.conf
psad --sig-update
service psad restart
#Install Fail2ban
apt install sendmail
apt install fail2ban
#Enable Process Accounting
apt install acct
touch /var/log/wtmp
#Setting File Permissions on critical system files
chmod -R g-wx,o-rwx /var/log/*
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config
chown root:root /etc/passwd
chmod 644 /etc/passwd
chown root:shadow /etc/shadow
chmod o-rwx,g-wx /etc/shadow
chown root:root /etc/group
chmod 644 /etc/group
chown root:shadow /etc/gshadow
chmod o-rwx,g-rw /etc/gshadow
chown root:root /etc/passwd-
chmod 600 /etc/passwd-
chown root:root /etc/shadow-
chmod 600 /etc/shadow-
chown root:root /etc/group-
chmod 600 /etc/group-
chown root:root /etc/gshadow-
chmod 600 /etc/gshadow-