  1. #!/bin/bash
  2. # user-data-hardening.sh
  3. # Authors: Cody Bunch (bunchc@gmail.com)
  4. #
  5. # Script intended to be supplied as userdata to a cloud of some flavor.
  6. # Enables some sane sysctl defaults, turns up iptables, and
  7. # installs a HIDS / NIDS package
  8.  
  9. # Supply your email here
  10. echo "What's your email address?"
  11. read email_address
  12.  
  13. # Other things worth verifying / changing:
  14. MODPROBE=/sbin/modprobe
  15.  
  16. export DEBIAN_FRONTEND=noninteractive
  17. sudo apt-get update
  18. sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" dist-upgrade
  19. sudo apt-get install -y \
  20. ufw \
  21. logwatch \
  22. aide \
  23. psad \
  24. postfix \
  25. fail2ban
  26.  
  27.  
  28. # Sysctl
  29. sudo echo "
  30. # IP Spoofing protection
  31. net.ipv4.conf.all.rp_filter = 1
  32. net.ipv4.conf.default.rp_filter = 1
  33.  
  34. # Ignore ICMP broadcast requests
  35. net.ipv4.icmp_echo_ignore_broadcasts = 1
  36.  
  37. # Disable source packet routing
  38. net.ipv4.conf.all.accept_source_route = 0
  39. net.ipv6.conf.all.accept_source_route = 0
  40. net.ipv4.conf.default.accept_source_route = 0
  41. net.ipv6.conf.default.accept_source_route = 0
  42.  
  43. # Ignore send redirects
  44. net.ipv4.conf.all.send_redirects = 0
  45. net.ipv4.conf.default.send_redirects = 0
  46.  
  47. # Block SYN attacks
  48. net.ipv4.tcp_syncookies = 1
  49. net.ipv4.tcp_max_syn_backlog = 2048
  50. net.ipv4.tcp_synack_retries = 2
  51. net.ipv4.tcp_syn_retries = 5
  52.  
  53. # Log Martians
  54. net.ipv4.conf.all.log_martians = 1
  55. net.ipv4.icmp_ignore_bogus_error_responses = 1
  56.  
  57. # Ignore ICMP redirects
  58. net.ipv4.conf.all.accept_redirects = 0
  59. net.ipv6.conf.all.accept_redirects = 0
  60. net.ipv4.conf.default.accept_redirects = 0
  61. net.ipv6.conf.default.accept_redirects = 0
  62.  
  63. # Ignore Directed pings
  64. net.ipv4.icmp_echo_ignore_all = 1
  65. " >> /etc/sysctl.conf
  66.  
  67. sudo sysctl -p
  68.  
  69. # Firewall
  70. sudo ufw default allow
  71. sudo ufw enable
  72. sudo ufw allow 22/tcp # allow ssh
  73. sudo ufw default deny
  74.  
  75. sudo ufw allow 53/tcp # uncomment this line to allow incoming dns
  76. sudo ufw allow 53/udp # uncomment this line to allow incoming dns
  77.  
  78. ### load connection-tracking modules
  79. #
  80. $MODPROBE ip_conntrack
  81. $MODPROBE iptable_nat
  82. $MODPROBE ip_conntrack_ftp
  83. $MODPROBE ip_nat_ftp
  84.  
  85. # Postfix
  86. $hostname = `hostname -f`
  87. cat > /var/cache/debconf/postfix.preseed <<EOF
  88. postfix postfix/chattr boolean false
  89. postfix postfix/mailname string $hostname
  90. postfix postfix/main_mailer_type select Internet Site
  91. EOF
  92.  
  93. sudo debconf-set-selections /var/cache/debconf/postfix.preseed
  94.  
  95. # HIDS - Aide
  96. sudo aideinit
  97. sudo aide -u
  98.  
  99. # Log Reporting
  100.  
  101. sudo echo "
  102. /usr/sbin/logwatch --output mail --mailto ${email_address} --detail high
  103. " >> /etc/cron.daily/00logwatch