-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathLinuxHardening.sh
More file actions
304 lines (251 loc) · 9.94 KB
/
Copy pathLinuxHardening.sh
File metadata and controls
304 lines (251 loc) · 9.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
#!/bin/bash
set -e
set -u
set -o pipefail
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root. Use sudo."
exit 1
fi
# Set variables
TIMEZONE="America/Edmonton"
# Set the timezone to Americas/Edmonton
echo "Setting timezone to $TIMEZONE..."
if timedatectl set-timezone "$TIMEZONE"; then
echo "Timezone successfully set to $TIMEZONE."
else
echo "Failed to set timezone. Please check your permissions or the timezone value."
exit 1
fi
# Configure Apt repositories
echo adding Apt repositories for commonly used packages...
#Elasticsearch
# Get the GPG Key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# Add the Elastic Repo
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
# DOCKER
# Add Docker's official GPG key:
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
#System76
# Add the System76 repository for additional drivers and tools
apt-add-repository -y ppa:system76-dev/stable
# Update the package list
apt-get update
# Update the system
echo "Updating the system..."
if apt-get update && apt-get upgrade -y; then
echo "System successfully updated."
else
echo "Failed to update the system. Please check your network connection or package manager."
exit 1
fi
# === Hostname Configuration ===
read -p "Enter the desired hostname (e.g. example-hostname): " NEW_HOSTNAME
hostnamectl set-hostname "$NEW_HOSTNAME"
echo "127.0.0.1 localhost" > /etc/hosts
read -p "Enter the internal IP (e.g. 172.17.1.250): " INTERNAL_IP
read -p "Enter the FQDN (e.g. xxxx.una.ca): " FQDN
HOSTNAME_SHORT=$(echo "$FQDN" | cut -d. -f1)
echo "$INTERNAL_IP $FQDN $HOSTNAME_SHORT" >> /etc/hosts
# Make base UNA folders
echo "Creating base UNA folders..."
mkdir /una-scripts
mkdir /una-backups
#Disable SSH root login
echo "Disabling root login via SSH..."
sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || \
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl reload ssh
echo "Root login via SSH has been disabled."
# === Firewall Setup (UFW) ===
echo "Setting up UFW firewall..."
apt-get install -y ufw
ufw limit from 172.17.0.0/16 to any port ssh
ufw limit from 192.168.40.0/24 to any port ssh
read -p "Enter any additional ports to allow (e.g. 80/tcp 443/tcp): " PORTS
for port in $PORTS; do
ufw allow "$port"
done
echo "Enabling UFW..."
ufw --force enable
echo "UFW configuration completed but not secure!"
echo "Current UFW status:"
sudo ufw status
# Secure the tmp directory
echo "Securing the /tmp directory..."
dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1024000
mkdir /tmpbackup && cp -Rpf /tmp /tmpbackup
mount -t tmpfs -o loop,noexec,nosuid,rw /usr/tmpDSK /tmp
chmod 1777 /tmp
cp -Rpf /tmpbackup/* /tmp/ && rm -rf /tmpbackup/*
echo "/usr/tmpDSK /tmp tmpfs loop,nosuid,noexec,rw 0 0" >> /etc/fstat
mount -o remount /tmp
mkdir /var/tmpold
mv /var/tmp /var/tmpold
ln -s /tmp /var/tmp
cp -prf /var/tmpold/* /tmp/
rm -rf /var/tmpold
echo "Secured the /tmp directory."
#Configure 10-Periodic Updates
if sed -i 's/#\?\(APT::Periodic::Update-Package-Lists\).*$/\1 "1";/' /etc/apt/apt.conf.d/10periodic; then
echo "APT 'Update-Package-Lists' configured successfully."
else
echo "Failed to configure APT 'Update-Package-Lists'. Manually check /etc/apt/apt.conf.d/10periodic."
exit 1
fi
if sed -i 's|^//\(APT::Periodic::Update-Package-Lists\.*\)$|\1|' /etc/apt/apt.conf.d/10periodic; then
echo "Uncommented 'Periodic::Update-Package-Lists' successfully"
else
echo "Failed to Uncomment 'Periodic::Update-Package-Lists' Manually check /etc/apt/apt.conf.d/10periodic"
exit 1
fi
if sed -i 's/#\?\(APT::Periodic::Download-Upgradeable-Packages\).*$/\1 "1";/' /etc/apt/apt.conf.d/10periodic; then
echo "APT 'Download-Upgradeable-Packages' configured successfully."
else
echo "Failed to configure APT 'Download-Upgradeable-Packages'. Manually check /etc/apt/apt.conf.d/10periodic."
exit 1
fi
if sed -i 's|^//\(APT::Periodic::Download-Upgradeable-Packages\)$|\1|' /etc/apt/apt.conf.d/10periodic; then
echo "Uncommented 'Periodic::Download-Upgradeable-Packages' successfully"
else
echo "Failed to Uncomment 'Periodic::Download-Upgradeable-Packages' Manually check /etc/apt/apt.conf.d/10periodic"
exit 1
fi
if sed -i 's/#\?\(APT::Periodic::AutocleanInterval\).*$/\1 "7";/' /etc/apt/apt.conf.d/10periodic; then
echo "APT 'AutocleanInterval' configured successfully."
else
echo "Failed to configure APT 'AutocleanInterval'. Manually check /etc/apt/apt.conf.d/10periodic."
exit 1
fi
if sed -i 's|^//\(APT::Periodic::AutocleanInterval\)$|\1|' /etc/apt/apt.conf.d/10periodic; then
echo "Uncommented 'APT::Periodic::AutocleanInterval' successfully"
else
echo "Failed to Uncomment 'APT::Periodic::AutocleanInterval' Manually check /etc/apt/apt.conf.d/10periodic"
exit 1
fi
#Configure 20-AutoUpdates
# Configure APT auto-upgrades
if sed -i 's/#\?\(APT::Periodic::Update-Package-Lists\).*$/\1 "1";/' /etc/apt/apt.conf.d/20auto-upgrades; then
echo "APT 'Update-Package-Lists' in 20auto-upgrades configured successfully."
else
echo "Failed to configure APT 'Update-Package-Lists'. Manually check /etc/apt/apt.conf.d/20auto-upgrades."
exit 1
fi
if sed -i 's|^//\(APT::Periodic::Update-Package-Lists\)$|\1|' /etc/apt/apt.conf.d/20auto-upgrades; then
echo "Uncommented 'APT::Periodic::Update-Package-Lists' successfully"
else
echo "Failed to Uncomment 'APT::Periodic::Update-Package-Lists'"
exit 1
fi
if sed -i 's/#\?\(APT::Periodic::Unattended-Upgrade\).*$/\1 "1";/' /etc/apt/apt.conf.d/20auto-upgrades; then
echo "APT 'Unattended-Upgrade' enabled."
else
echo "Failed to configure APT 'Unattended-Upgrade'. Manually check /etc/apt/apt.conf.d/20auto-upgrades."
exit 1
fi
if sed -i 's|^//\(APT::Periodic::Unattended-Upgrade\)$|\1|' /etc/apt/apt.conf.d/20auto-upgrades; then
echo "Uncommented 'APT::Periodic::Unattended-Upgrade\' successfully"
else
echo "Failed to Uncomment 'APT::Periodic::Unattended-Upgrade\'"
exit 1
fi
#Configure 50-Unattended updates
# Enable automatic security patches:
echo "Enabling automatic security patches..."
if apt-get install -y unattended-upgrades; then
echo "Unattended upgrades installed successfully."
else
echo "Failed to install unattended-upgrades. Please check your package manager."
exit 1
fi
if sed -i 's/#\?\(Unattended-Upgrade::Remove-Unused-Dependencies;\).*$/\1 "true";/' /etc/apt/apt.conf.d/50unattended-upgrades; then
echo "Unattended 'Remove-Unused-Dependencies' configured successfully."
else
echo "Failed to configure unattended 'Remove-Unused-Dependencies'. Manually check /etc/apt/apt.conf.d/50unattended-upgrades."
exit 1
fi
if sed -i 's|^//\(Unattended-Upgrade::Remove-Unused-Dependencies.*\)$|\1|' /etc/apt/apt.conf.d/50unattended-upgrades; then
echo "Uncommented 'Remove-Unused-Dependencies' successfully"
else
echo "Failed to Uncomment 'Remove-Unused-Dependencies'"
exit 1
fi
if sed -i 's/#\?\(Unattended-Upgrade::Automatic-Reboot-Time\).*$/\1 "03:15";/' /etc/apt/apt.conf.d/50unattended-upgrades; then
echo "Unattended 'Automatic-Reboot-Time' configured successfully."
else
echo "Failed to configure unattended 'Automatic-Reboot-Time'. Manually check /etc/apt/apt.conf.d/50unattended-upgrades."
exit 1
fi
if sed -i 's|^//\(Unattended-Upgrade::Automatic-Reboot-Time.*\)$|\1|' /etc/apt/apt.conf.d/50unattended-upgrades; then
echo "Uncommented 'Automatic-Reboot-Time' successfully"
else
echo "Failed to Uncomment 'Automatic-Reboot-Time'"
exit 1
fi
if sed -i 's/#\?\(Unattended-Upgrade::Automatic-Reboot\).*$/\1 "true";/' /etc/apt/apt.conf.d/50unattended-upgrades; then
echo "Unattended 'Automatic-Reboot' configured successfully."
else
echo "Failed to configure unattended 'Automatic-Reboot'. Manually check /etc/apt/apt.conf.d/50unattended-upgrades."
exit 1
fi
if sed -i 's|^//\(Unattended-Upgrade::Automatic-Reboot.*\)$|\1|' /etc/apt/apt.conf.d/50unattended-upgrades; then
echo "Uncommented 'Automatic-Reboot' successfully"
else
echo "Failed to Uncomment 'Automatic-Reboot'"
exit 1
fi
# Install Glances app for monitoring
echo "Installing Glances..."
if apt-get install -y glances; then
echo "Glances installed successfully."
else
echo "Failed to install Glances. Please check your package manager."
exit 1
fi
# Install and configure Fail2Ban
echo "Installing Fail2Ban..."
if apt-get install -y fail2ban; then
echo "Fail2Ban installed successfully."
else
echo "Failed to install Fail2Ban. Please check your package manager."
exit 1
fi
# Install Filebeat
sudo apt-get update
sudo apt-get install -y filebeat
# Enable and start Filebeat service
sudo systemctl enable filebeat
sudo systemctl start filebeat
echo "Filebeat installation complete."
#Remove unused packages
echo "Removing unused packages..."
if apt-get autoremove -y; then
echo "Unused packages removed successfully."
else
echo "Failed to remove unused packages. Please check your package manager."
exit 1
fi
echo "=== Setup complete ==="
echo ">> You should now manually verify and configure:"
echo " - Netplan config (/etc/netplan/*.yaml)"
echo " - SSL certificates if applicable"
echo " - Disk mounting and formatting if needed"
echo " - Filebeat setup for graylog.una.ca"
echo ">> Reboot the server to apply all changes."
read -p "Do you want to reboot now? (y/n): " REBOOT_CHOICE
if [[ "$REBOOT_CHOICE" == "y" || "$REBOOT_CHOICE" == "Y" ]]; then
echo "Rebooting the server..."
reboot
else
echo "Reboot skipped. Please remember to reboot later to apply all changes."
fi
# End of script