Hardening Debian 9.6

Jan 29th, 2019
  1. #!/bin/bash
  2. ### BEGIN INIT INFO
  3.  
  4. systemctl set-default multi-user.target
  5.  
  6. apt remove --purge rpcbind exim4 exim4-config exim4-base isc-dhcp-client isc-dhcp-common xinetd openbsd-inetd -y
  7.  
  8. apt update && apt install tcpdump libpam-cracklib fail2ban ntp pigz haveged arpwatch apt-show-versions auditd locate open-vm-tools iptables-persistent needrestart libpam-tmpdir debian-goodies debsecan debsums apt-listbugs net-tools -y && updatedb
  9.  
  10. cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  11.  
  12. echo "[sshd-ddos]" > /etc/fail2ban/jail.d/defaults-debian.conf
  13. echo "enabled = true" >> /etc/fail2ban/jail.d/defaults-debian.conf
  14.  
  15. echo "#################"
  16. echo "# CIS Hardening #"
  17. echo "#################"
  18.  
  19. echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf
  20. echo 'install tipc /bin/true' >> /etc/modprobe.d/disable-tipc.conf
  21. echo "blacklist firewire-core" >> /etc/modprobe.d/blacklist-firewire.conf
  22. echo "blacklist usb-storage" >> /etc/modprobe.d/blacklist.conf
  23.  
  24. echo "install cramfs /bin/false" > /etc/modprobe.d/CIS.conf
  25. echo "install freevxfs /bin/false" >> /etc/modprobe.d/CIS.conf
  26. echo "install jffs2 /bin/false" >> /etc/modprobe.d/CIS.conf
  27. echo "install hfs /bin/false" >> /etc/modprobe.d/CIS.conf
  28. echo "install hfsplus /bin/false" >> /etc/modprobe.d/CIS.conf
  29. echo "install squashfs /bin/false" >> /etc/modprobe.d/CIS.conf
  30. echo "install udf /bin/false" >> /etc/modprobe.d/CIS.conf
  31.  
  32. echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
  33. echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
  34.  
  35. sed 's/^PASS_MAX_DAYS.*99999/PASS_MAX_DAYS 365/' -i /etc/login.defs
  36. sed 's/^PASS_MIN_DAYS.*0/PASS_MIN_DAYS 7/' -i /etc/login.defs
  37. sed 's/^PASS_MIN_LEN.*5/PASS_MIN_LEN 8/' -i /etc/login.defs
  38. sed 's/^PASS_WARN_AGE.*7/PASS_WARN_AGE 14/' -i /etc/login.defs
  39.  
  40. cat /dev/null > /etc/securetty
  41. echo "tty1" > /etc/securetty
  42. echo "tty2" >> /etc/securetty
  43. echo "tty3" >> /etc/securetty
  44. chmod 0600 /etc/securetty
  45.  
  46. ### NTP
  47. cat /dev/null > /etc/ntp.conf
  48. touch /var/log/ntpstats/ntpd.log
  49.  
  50. echo "server pool.ntp.org" > /etc/ntp.conf
  51. echo "driftfile /var/lib/ntp/drift" >> /etc/ntp.conf
  52. echo "logfile /var/log/ntpstats/ntpd.log" >> /etc/ntp.conf
  53. echo "restrict default nomodify notrap nopeer noquery" >> /etc/ntp.conf
  54. echo "restrict 127.0.0.1" >> /etc/ntp.conf
  55. echo "includefile /etc/ntp/crypto/pw" >> /etc/ntp.conf
  56. echo "keys /etc/ntp/keys" >> /etc/ntp.conf
  57.  
  58. echo "#################"
  59. echo "# SSH Hardening #"
  60. echo "#################"
  61.  
  62. # Details : AllowTcpForwarding (YES --> NO)
  63. sed 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' -i /etc/ssh/sshd_config
  64. # ClientAliveCountMax (3 --> 0)
  65. sed 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/g' -i /etc/ssh/sshd_config
  66. # Compression (YES --> (DELAYED|NO))
  67. sed 's/#Compression delayed/Compression no/g' -i /etc/ssh/sshd_config
  68. # LogLevel (INFO --> VERBOSE)
  69. sed 's/#LogLevel INFO/LogLevel VERBOSE/g' -i /etc/ssh/sshd_config
  70. # MaxAuthTries (6 --> 2)
  71. sed 's/#MaxAuthTries 6/MaxAuthTries 1/g' -i /etc/ssh/sshd_config
  72. # MaxSessions (10 --> 2)
  73. sed 's/#MaxSessions 10/MaxSessions 2/g' -i /etc/ssh/sshd_config
  74. # PermitRootLogin (YES --> NO)
  75. sed 's/#PermitRootLogin WITHOUT-PASSWORD/PermitRootLogin NO/g' -i /etc/ssh/sshd_config
  76. # TCPKeepAlive (YES --> NO)
  77. sed 's/#TCPKeepAlive yes/TCPKeepAlive no/g' -i /etc/ssh/sshd_config
  78. # UseDNS (YES --> NO)
  79. sed 's/#UseDNS yes/UseDNS no/g' -i /etc/ssh/sshd_config
  80. # X11Forwarding (YES --> NO)
  81. sed 's/X11Forwarding yes/X11Forwarding no/g' -i /etc/ssh/sshd_config
  82. # AllowAgentForwarding (YES --> NO)
  83. sed 's/#AllowAgentForwarding yes/AllowAgentForwarding no/g' -i /etc/ssh/sshd_config
  84. # IgnoreRhosts (YES)
  85. sed 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' -i /etc/ssh/sshd_config
  86. # PermitEmptyPasswords (NO)
  87. sed 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' -i /etc/ssh/sshd_config
  88. # PermitUserEnvironment (NO)
  89. sed 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' -i /etc/ssh/sshd_config
  90. # PermitRootLogin (NO)
  91. sed 's/#PermitRootLogin WITHOUT-PASSWORD/PermitRootLogin no/g' -i /etc/ssh/sshd_config
  92.  
  93. echo "MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]" >> /etc/ssh/sshd_config
  94. echo "Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
  95. echo "KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config
  96. #echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
  97. echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
  98. echo "Protocol 2" >> /etc/ssh/sshd_config
  99. echo "UseDNS no" >> /etc/ssh/sshd_config
  100.  
  101. rm /etc/ssh/ssh_host_rsa_key* -f && ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -b 4096 -N ""
  102. rm /etc/ssh/ssh_host_ecdsa_key* -f && ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -b 4096 -N ""
  103. rm /etc/ssh/ssh_host_ed25519_key -f && ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N ""
  104.  
  105. chown root:root /etc/motd && chmod 644 /etc/motd
  106. chown root:root /etc/issue && chmod 644 /etc/issue
  107. chown root:root /etc/issue.net && chmod 644 /etc/issue.net
  108.  
  109. rm -f /root/.ssh/id*
  110. ssh-keygen -b 4096 -t rsa -N "" -f /root/.ssh/id_rsa && ssh-keygen -t ed25519 -N "" -f /root/.ssh/id_ed25519 && ssh-keygen -b 521 -t ecdsa -N "" -f /root/.ssh/id_ecdsa
  111. chmod 700 /root/.ssh
  112.  
  113. chmod 0644 /etc/hosts.deny && chmod 644 /etc/hosts.allow
  114. chown root:root /etc/ssh/sshd_config && chmod 600 /etc/ssh/sshd_config
  115. chmod 0640 /etc/shadow && chmod 644 /etc/passwd && chmod 644 /etc/group && chown root:root /etc/passwd && chown root:root /etc/group
  116. chmod 0644 /etc/passwd && chown root /etc/passwd && chgrp root /etc/passwd
  117.  
  118. chown root:root /etc/crontab
  119. chmod og-rwx /etc/crontab
  120. chown root:root /etc/cron.hourly
  121. chmod og-rwx /etc/cron.hourly
  122. chown root:root /etc/cron.daily
  123. chmod og-rwx /etc/cron.daily
  124. chown root:root /etc/cron.weekly
  125. chmod og-rwx /etc/cron.weekly
  126. chown root:root /etc/cron.monthly
  127. chmod og-rwx /etc/cron.monthly
  128. chown root:root /etc/cron.d
  129. chmod og-rwx /etc/cron.d
  130. rm /etc/cron.deny
  131. rm /etc/at.deny
  132. touch /etc/cron.allow
  133. touch /etc/at.allow
  134. chmod og-rwx /etc/cron.allow
  135. chmod og-rwx /etc/at.allow
  136. chown root:root /etc/cron.allow
  137. chown root:root /etc/at.allow
  138.  
  139. echo " " >> /etc/crontab
  140. echo "# Borrado de logs .GZ cada Domingo a las 3am" >> /etc/crontab
  141. echo "0 3 * * sun root rm -f /var/log/*.gz" >> /etc/crontab
  142.  
  143. ### Audit configuration
  144. sed 's/^max_log_file.*/max_log_file = 25/' -i /etc/audit/auditd.conf
  145. sed 's/^num_logs.*/num_logs = 4/' -i /etc/audit/auditd.conf
  146. sed 's/^space_left_action.*/space_left_action = email/' -i /etc/audit/auditd.conf
  147. sed 's/^action_mail_acct.*/action_mail_acct = root/' -i /etc/audit/auditd.conf
  148. sed 's/^admin_space_left*/admin_space_left = 10/' -i /etc/audit/auditd.conf
  149. sed 's/^admin_space_left_action.*/admin_space_left_action = suspend/' -i /etc/audit/auditd.conf
  150. sed 's/^max_log_file_action.*/max_log_file_action = keep_logs/' -i /etc/audit/auditd.conf
  151.  
  152. chown root:root /etc/audit/rules.d/audit.rules
  153. chmod 0640 /etc/audit/rules.d/audit.rules
  154.  
  155. chmod -R g-wx,o-rwx /var/log/*
  156.  
  157. ### Disable Ctrl-Alt-Del Reboot Activation
  158. systemctl mask ctrl-alt-del.target
  159.  
  160. ### Disable accounts as soon as the password has expired
  161. sed -i 's/^INACTIVE.*/INACTIVE=0/' /etc/default/useradd
  162.  
  163. ### Remember in the command history to 5000
  164. sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile
  165.  
  166. echo ""
  167. echo "###############"
  168. echo "# GRUB Config #"
  169. echo "###############"
  170.  
  171. sed 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=2/g' -i /etc/default/grub
  172. sed -e '/GRUB_CMDLINE_LINUX/s/"$/audit=1 ipv6.disable=1"/' -i /etc/default/grub
  173. update-grub && chown root:root /boot/grub/grub.cfg && chmod og-rwx /boot/grub/grub.cfg && chmod 600 /boot/grub/grub.cfg
  174.  
  175. mkdir -p /mnt/cdrom
  176.  
  177. echo " " >> /etc/fstab
  178. echo "###################" >> /etc/fstab
  179. echo "# FSTAB Hardening #" >> /etc/fstab
  180. echo "###################" >> /etc/fstab
  181. echo " " >> /etc/fstab
  182. echo "/tmp /var/tmp tmpfs rw,nosuid,nodev,noexec 0 0" >> /etc/fstab
  183. echo "tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0" >> /etc/fstab
  184. echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab
  185. mount -av
  186.  
  187. touch /etc/rsyslog.d/10-iptables.conf
  188. echo ":msg, contains, "iptables: " -/var/log/iptables.log" >> /etc/rsyslog.d/10-iptables.conf
  189. service rsyslog restart