author | Oxbian <got.dacs@slmail.me> | 2023-08-31 14:58:35 +0200 |
---|---|---|
committer | Oxbian <got.dacs@slmail.me> | 2023-08-31 14:58:35 +0200 |
commit | 16541e279c0a7cc3f6ae1efea3c8d8a44a424cf1 (patch) | |
tree | 4d4ae7cce61480541728578b56d329620c1d5fa1 | |
Automatic secure server configuration script + readme
-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | custom.conf | 139 | ||||
-rw-r--r-- | secure.sh | 105 |
3 files changed, 254 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6541e40
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+# Secure server
+---
+
+This repo contain a script that does basic security on a server.
+The script add automatic security update, hardened ssh and add logwatch / rkhunter / clamav to check for virus/malware...
+
+This is the strict minimum to use for every server you owm, I also recommand to use a firewall and a vpn if you want to open some port to any some networks.
+
+**Attention, the script assume the current user has sudo access and is the user you want to access via SSH, if you want to access other users via SSH change the `AllowUsers` line in the `/etc/ssh/sshd_config.d/custom.conf` file.**
+
diff --git a/custom.conf b/custom.conf
new file mode 100644
index 0000000..dedce96
--- /dev/null
+++ b/custom.conf
@@ -0,0 +1,139 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+#
+### Modern (OpenSSH 6.7+) -- source: <https://infosec.mozilla.org/guidelines/openssh.html> (July 4, 2019 -pEEAT.)
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Password based logins are disabled - only public key based logins are allowed.
+#AuthenticationMethods publickey
+PubkeyAuthentication yes
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+#SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
+#
+# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
+# Additionally, only tools such as systemd and auditd record the process session id.
+# On other OSes, the user session id is not necessarily recorded at all kernel-side.
+# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
+PermitRootLogin No
+
+### Audit and Harden Your SSH Configuration -- source: <https://linux-audit.com/audit-and-harden-your-ssh-configuration/> (July 5, 2019 -pEEAT.)
+Port 22
+Protocol 2
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Authentication:
+LoginGraceTime 2m
+StrictModes yes
+MaxAuthTries 3
+MaxSessions 3
+AllowUsers debian
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.
Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding no
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd yes
+PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+#Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/secure.sh b/secure.sh
new file mode 100644
index 0000000..448b11b
--- /dev/null
+++ b/secure.sh
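Review bot: `Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO` in this drop-in collides with the stock `Subsystem sftp` line that a Debian-style /etc/ssh/sshd_config still carries after its `Include /etc/ssh/sshd_config.d/*.conf`, and sshd treats a second Subsystem definition for the same name as a fatal configuration error (`Subsystem 'sftp' already defined`), so the daemon refuses to start or reload once this file is in place. Either comment the line out here and carry the `-f AUTHPRIV -l INFO` flags on the main file's line, or document that the main file's line must be removed first; secure.sh in the same commit restarts ssh without running `sshd -t`, so the failure would go unnoticed. Separately, `AllowUsers debian` is a hard-coded account: AllowUsers directives accumulate across lines, so the `AllowUsers $USER` that secure.sh appends does not replace it and a `debian` login stays permitted on every host, which the README's advice to "change the AllowUsers line" does not cover; drop it from the template or make it a placeholder the script substitutes. `Protocol 2` is a deprecated no-op on OpenSSH 7.6 and later and can go.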
@@ -0,0 +1,105 @@
+#!/bin/bash
+# A script to secure a server
+
+TITLE='\033[0;36m'
+INFO='\033[0;32m'
+RESET='\033[0m'
+
+if [ "$UID" -eq "0" ]; then
+ clear
+ echo "This script MUST NOT be run as root."
+ echo "Exiting.."
+ sleep 3 && exit 1
+fi
+
+echo -e "${TITLE}- Updating system & adding automatic updates ${RESET}"
+# Update the server
+sudo apt update
+sudo apt upgrade
+
+# Automatic upgrades
+sudo apt install unattended-upgrades -y
+sed -i -e "s^//Unattended-Upgrade::Mail \"\";^Unattended-Upgrade::Mail \"root\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Remove-Unused-Kernel-Packages \"false\";^Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Remove-New-Unused-Dependencies \"true\";^Unattended-Upgrade::Remove-New-Unused-Dependencies \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Remove-Unused-Dependencies \"false\";^Unattended-Upgrade::Remove-Unused-Dependencies \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Automatic-Reboot \"true\";^Unattended-Upgrade::Automatic-Reboot \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";^Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sudo tee -a /etc/apt/apt.conf.d/02periodic &>/dev/null << EOF
+APT::Periodic::Enable '1';
+APT::Periodic::Update-Package-Lists '1';
+APT::Periodic::Download-Upgradeable-Packages '1';
+APT::Periodic::Unattended-Upgrade '1';
+APT::Periodic::AutocleanInterval '1';
+APT::Periodic::Verbose '2';
+EOF
+
+
+echo -e "${TITLE}- Deleting useless services ${RESET}"
+# Stopping useless services
+sudo service --status-all
+echo -e "${INFO}Which services do you want to remove - q to stop the loop ${RESET}"
+while read -r service
+do
+ if [ "$service" = "q" ]; then
+ break
+ fi
+ sudo apt remove $service
+done
+
+echo -e "${TITLE}- Setup SSH securities ${RESET}"
+# SSH Security
+sudo apt install fail2ban
+sudo systemctl start fail2ban
+sudo systemctl enable fail2ban
+sudo tee -a /etc/motd &>/dev/null << EOF
+***************************************************************************
+ NOTICE TO USERS
+
+This computer system is the private property of its owner, whether
+individual, corporate or government. It is for authorized use only.
+Users (authorized or unauthorized) have no explicit or implicit
+expectation of privacy.
+
+Any or all uses of this system and all files on this system may be
+intercepted, monitored, recorded, copied, audited, inspected, and
+disclosed to your employer, to authorized site, government, and law
+enforcement personnel, as well as authorized officials of government
+agencies, both domestic and foreign.
+
+By using this system, the user consents to such interception, monitoring,
+recording, copying, auditing, inspection, and disclosure at the
+discretion of such personnel or officials. Unauthorized or improper use
+of this system may result in civil and criminal penalties and
+administrative or disciplinary action, as appropriate. By continuing to
+use this system you indicate your awareness of and consent to these terms
+and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
+conditions stated in this warning.
+
+****************************************************************************
+EOF
+sudo ln -sf "$(pwd)/custom.conf" /etc/ssh/sshd_config.d/custom.conf
+sudo tee -a /etc/ssh/sshd_config.d/custom.conf << EOF
+AllowUsers $USER
+EOF
+
+sudo service ssh restart
+sudo systemctl enable ssh
+
+echo -e "${TITLE}- Checking virus, rootkits, and logging with logwatch ${RESET}"
+# Installing root-kit checking
+sudo apt install rkhunter
+sudo rkhunter --propupd
+sudo rkhunter --check
+# Installing clamAV
+sudo apt install clamav clamav-daemon
+sudo systemctl enable clamav-freshclam
+sudo freshclam
+sudo systemctl start clamav-freshclam
+sudo clamscan -i -r --remove /
+# Installing logwatch
+sudo apt install logwatch
+
+
+echo -e "${INFO}[v] Configuration done ${RESET}"
+ |
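Review bot: `sudo ln -sf "$(pwd)/custom.conf" /etc/ssh/sshd_config.d/custom.conf` makes sshd's effective configuration a file owned and writable by the unprivileged user running the script, and the `sudo tee -a ... AllowUsers $USER` that follows writes back into that checkout through the symlink, so whoever can edit the working copy can change `AllowUsers`, `PermitRootLogin` or `PasswordAuthentication` for the next reload; install a root-owned copy instead, `sudo install -m 0644 -o root -g root -- custom.conf /etc/ssh/sshd_config.d/custom.conf`, and validate before restarting with `sudo sshd -t || exit 1`, since the script currently restarts ssh without checking the result. The six `sed -i ... /etc/apt/apt.conf.d/50unattended-upgrades` lines run without sudo, and because the script insists on a non-root user they fail with permission denied, leaving unattended-upgrades at its defaults. `sudo apt remove $service` passes unquoted interactive input to apt (and apt's own prompt competes with the loop's `read` for stdin), and `sudo clamscan -i -r --remove /` deletes every file a signature matches across the whole filesystem, false positives included; `--move` into a quarantine directory is the safer default. The `tee -a` appends to /etc/motd, 02periodic and custom.conf are not idempotent, so a second run duplicates each block.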