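#!/bin/bash
# user-data-hardening.sh
# Authors: Cody Bunch (bunchc@gmail.com)
#
# Script intended to be supplied as userdata to a cloud of some flavor.
# Enables some sane sysctl defaults, turns up iptables (via ufw), and
# installs a HIDS / NIDS package.
#
# Usage: user-data-hardening.sh [email-address]
#
# The logwatch recipient is taken from $1, then from the EMAIL_ADDRESS
# environment variable, and only then prompted for -- and only when stdin is
# a terminal. Cloud userdata runs without a tty, so a bare `read` would fail
# (or hang) there.

set -euo pipefail

# Other things worth verifying / changing:
readonly MODPROBE=/sbin/modprobe
export DEBIAN_FRONTEND=noninteractive

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Run apt-get non-interactively under sudo.
# The `export` above is not enough on its own: sudo resets the environment
# by default, so the variable is passed on every call (the original only did
# this for dist-upgrade, not for install).
apt_get() {
  sudo env DEBIAN_FRONTEND=noninteractive apt-get "$@"
}

# Resolve the logwatch recipient (see Usage above). Prints it to stdout;
# dies if none can be determined.
resolve_email_address() {
  local email=${1:-${EMAIL_ADDRESS:-}}
  if [[ -z "$email" && -t 0 ]]; then
    printf "What's your email address? " >&2
    IFS= read -r email
  fi
  [[ -n "$email" ]] || die 'no email address: pass it as $1 or set EMAIL_ADDRESS'
  printf '%s\n' "$email"
}

# Preseed the postfix debconf answers.
# This must run BEFORE postfix is installed: the original ran it after
# `apt-get install postfix`, by which point the non-interactive install had
# already configured the package with defaults and the preseed was ignored.
preseed_postfix() {
  local fqdn
  fqdn=$(hostname -f) || die 'hostname -f failed'
  # The original `$hostname = \`hostname -f\`` was not an assignment at all
  # (it expands an empty variable and tries to run a command named "=").
  # `sudo tee` is used so the write into /var/cache/debconf is privileged;
  # a plain `cat > file` redirection is opened by the calling user.
  sudo tee /var/cache/debconf/postfix.preseed >/dev/null <<EOF
postfix postfix/chattr boolean false
postfix postfix/mailname string ${fqdn}
postfix postfix/main_mailer_type select Internet Site
EOF
  sudo debconf-set-selections /var/cache/debconf/postfix.preseed
}

# Update the system and install the firewall, HIDS/NIDS and reporting packages.
install_packages() {
  apt_get update
  apt_get -y \
    -o Dpkg::Options::="--force-confdef" \
    -o Dpkg::Options::="--force-confold" \
    dist-upgrade
  apt_get install -y \
    ufw \
    logwatch \
    aide \
    psad \
    postfix \
    fail2ban
}

# Sysctl: append the hardening keys to /etc/sysctl.conf and load them.
# `sudo echo "..." >> file` only elevates echo; the redirection is opened by
# the unprivileged caller and fails, so the write goes through `sudo tee -a`.
apply_sysctl() {
  sudo tee -a /etc/sysctl.conf >/dev/null <<'EOF'

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
EOF
  sudo sysctl -p
}

# Firewall: set the policy and rules first, then enable.
# The original enabled ufw with "default allow" and only then switched to
# "default deny"; enabling last avoids that window. `--force` skips the
# "may disrupt existing ssh connections" prompt, which would block forever
# without a tty.
configure_firewall() {
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow 22/tcp   # allow ssh
  # Incoming DNS. The original carried these lines active with a comment
  # saying "uncomment to allow"; remove them if this host does not serve DNS.
  sudo ufw allow 53/tcp
  sudo ufw allow 53/udp
  sudo ufw --force enable
}

# Load the connection-tracking modules.
# modprobe needs root; the original ran it as the caller. These are legacy
# module names (current kernels ship nf_conntrack, nf_conntrack_ftp and
# nf_nat_ftp) -- verify against the target kernel. A module that fails to
# load is reported but does not abort the hardening run.
load_conntrack_modules() {
  local mod
  for mod in ip_conntrack iptable_nat ip_conntrack_ftp ip_nat_ftp; do
    sudo "$MODPROBE" "$mod" \
      || printf 'warn: could not load kernel module %s\n' "$mod" >&2
  done
}

# HIDS - Aide: build the initial database, then run an update pass.
# Kept as in the original; `aide -u` performs a check and writes an updated
# database -- confirm this is the intended flow for the distro's aide wrapper.
init_aide() {
  sudo aideinit
  sudo aide -u
}

# Log Reporting: append a mailed logwatch run to the package's cron.daily job.
# Arguments: $1 - recipient address. It comes from user input and lands in a
# root-run script, so it is shell-quoted with %q rather than interpolated raw.
configure_logwatch() {
  local email=$1
  printf '\n/usr/sbin/logwatch --output mail --mailto %q --detail high\n' "$email" \
    | sudo tee -a /etc/cron.daily/00logwatch >/dev/null
}

main() {
  local email_address
  email_address=$(resolve_email_address "${1:-}")
  preseed_postfix
  install_packages
  apply_sysctl
  configure_firewall
  load_conntrack_modules
  init_aide
  configure_logwatch "$email_address"
}

main "$@"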