#!/bin/bash
# A script to secure a server
# ANSI colour escapes for section titles and status lines; they are rendered
# later by `echo -e`.
RESET='\033[0m'
INFO='\033[0;32m'
TITLE='\033[0;36m'

# Abort when the script is started as root (UID 0).
if (( UID == 0 )); then
  clear
  printf '%s\n' "This script MUST NOT be run as root."
  printf '%s\n' "Exiting.."
  # Give the operator time to read the message before leaving.
  if sleep 3; then
    exit 1
  fi
fi
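echo -e "${TITLE}- Updating system & adding automatic updates ${RESET}"
# Update the server
sudo apt update
sudo apt upgrade
# Automatic upgrades
sudo apt install unattended-upgrades -y

# Uncomment and set options in the packaged unattended-upgrades configuration.
# The script refuses to run as root, so the in-place edit has to go through
# sudo: a plain `sed -i` on a root-owned file under /etc fails with
# "Permission denied" and leaves automatic updates unconfigured.
UU_CONF=/etc/apt/apt.conf.d/50unattended-upgrades

# set_uu_option NAME VALUE
#   Replaces the commented-out `//Unattended-Upgrade::NAME "...";` line with an
#   active one carrying VALUE. The current value is matched loosely ("[^"]*")
#   so the edit still applies when the packaged default differs from the one
#   this script was written against.
set_uu_option() {
  sudo sed -i \
    -e "s|//[[:space:]]*Unattended-Upgrade::$1 \"[^\"]*\";|Unattended-Upgrade::$1 \"$2\";|g" \
    "$UU_CONF"
}

set_uu_option Mail root
set_uu_option Remove-Unused-Kernel-Packages true
set_uu_option Remove-New-Unused-Dependencies true
set_uu_option Remove-Unused-Dependencies true
# NOTE: with Automatic-Reboot enabled the host restarts on its own at the time
# set below whenever an installed update requires it.
set_uu_option Automatic-Reboot true
set_uu_option Automatic-Reboot-Time 02:00

# Periodic APT jobs. The file is written with `tee` (no -a) so that running the
# script again does not stack duplicate entries, and the values use double
# quotes, which is the quoting apt.conf(5) documents.
# tee's own errors are left visible; only its echo of the content is dropped.
sudo tee /etc/apt/apt.conf.d/02periodic >/dev/null << 'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Verbose "2";
EOF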
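echo -e "${TITLE}- Deleting useless services ${RESET}"
# Stopping useless services
# List what the init system knows about so the operator can choose from it.
# NOTE(review): the names printed here are service names; `apt remove` below
# expects package names, which are not always identical - confirm before use.
sudo service --status-all
echo -e "${INFO}Which services do you want to remove - q to stop the loop ${RESET}"
# One answer per line until a lone "q" (or end of input).
while read -r -a packages; do
  # Blank line: nothing to remove, keep prompting instead of calling apt
  # without a package.
  if [ "${#packages[@]}" -eq 0 ]; then
    continue
  fi
  if [ "${#packages[@]}" -eq 1 ] && [ "${packages[0]}" = "q" ]; then
    break
  fi
  # The answer is passed as a quoted array after "--": the shell no longer
  # glob-expands it against the current directory, and a word starting with
  # "-" is treated as a package name rather than as an apt option.
  # apt still asks for confirmation because no -y is given.
  sudo apt remove -- "${packages[@]}"
done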
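echo -e "${TITLE}- Setup SSH securities ${RESET}"
# SSH Security
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# Login banner. It is appended only when not already present, so running the
# script again does not stack copies of the notice in /etc/motd.
if ! grep -qF 'NOTICE TO USERS' /etc/motd 2>/dev/null; then
  sudo tee -a /etc/motd >/dev/null << 'EOF'
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
EOF
fi

# sshd drop-in. A root-owned copy is installed instead of a symlink into the
# current directory: with a symlink, the effective sshd configuration lives in
# a file the unprivileged user can edit, breaks when that directory is moved,
# and the AllowUsers line below would be appended to the repository copy on
# every run.
SSHD_DROPIN=/etc/ssh/sshd_config.d/custom.conf
sudo rm -f -- "$SSHD_DROPIN"
if [ -f ./custom.conf ]; then
  sudo install -o root -g root -m 0644 -- ./custom.conf "$SSHD_DROPIN"
else
  echo "custom.conf not found in $(pwd); only AllowUsers will be configured." >&2
fi

# AllowUsers limits SSH logins to the account running this script; every other
# account is refused once sshd restarts.
login_user=${USER:-$(id -un)}
printf 'AllowUsers %s\n' "$login_user" | sudo tee -a "$SSHD_DROPIN" >/dev/null

# Check the configuration before restarting: restarting sshd with a broken
# drop-in can cut off remote access to the server.
if sudo sshd -t; then
  sudo service ssh restart
else
  echo "sshd configuration test failed; ssh was NOT restarted." >&2
fi
sudo systemctl enable ssh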
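echo -e "${TITLE}- Checking virus, rootkits, and logging with logwatch ${RESET}"
# Installing root-kit checking
sudo apt install rkhunter
# --propupd records the current file properties as rkhunter's baseline, so it
# is only meaningful on a system that is known to be clean at this point.
sudo rkhunter --propupd
sudo rkhunter --check
# Installing clamAV
sudo apt install clamav clamav-daemon
sudo systemctl enable clamav-freshclam
# The freshclam service may already be running after installation and holding
# the updater's lock; stop it so the one-off manual update below can run.
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
# Full scan, report only (-i prints infected files). --remove is not used: on
# a whole-filesystem scan a false positive would delete system or user files
# with no chance to review them. Pseudo-filesystems are skipped because they
# hold no regular files worth scanning and produce read errors.
sudo clamscan -i -r \
  --exclude-dir='^/proc' \
  --exclude-dir='^/sys' \
  --exclude-dir='^/dev' \
  /
# Installing logwatch
sudo apt install logwatch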
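echo -e "${TITLE}- Installing and configuring firewall ${RESET}"
# Install firewall
sudo apt install ufw
# Policies and the SSH rule are put in place BEFORE the firewall is enabled.
# Enabling first would activate a rule set with no SSH rule, which can lock
# out the session this script is being run from.
sudo ufw default allow outgoing
sudo ufw default deny incoming
# NOTE(review): `allow ssh` opens the standard SSH port; if the sshd drop-in
# moves sshd to another port, allow that port here instead - confirm.
sudo ufw allow ssh
sudo ufw enable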
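echo -e "${TITLE}- Sysctl config for security ${RESET}"
# Kernel and network hardening settings. They are appended only when the first
# key is not already in /etc/sysctl.conf, so running the script again does not
# grow the file with duplicate entries.
# Operational side effects worth knowing before applying:
#   - net.ipv4.icmp_echo_ignore_all=1 makes the host stop answering ping,
#     which also affects ICMP-based monitoring.
#   - kernel.yama.ptrace_scope=2 restricts ptrace to privileged processes, so
#     debuggers run by ordinary users stop working.
#   - net.ipv6.conf.*.accept_ra=0 disables IPv6 router advertisements; hosts
#     that get their IPv6 configuration that way lose it.
if ! grep -qxF 'kernel.kptr_restrict=2' /etc/sysctl.conf 2>/dev/null; then
  sudo tee -a /etc/sysctl.conf << 'EOF'
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
vm.unprivileged_userfaultfd=0
kernel.kexec_load_disabled=1
kernel.sysrq=4
kernel.unprivileged_userns_clone=0
kernel.perf_event_paranoid=3
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2
vm.swappiness=1
EOF
fi
# Load the settings now. Keys the running kernel does not provide are reported
# as errors by sysctl; surface that instead of silently claiming success.
if ! sudo sysctl -p; then
  echo "sysctl -p reported errors; review the messages above." >&2
fi
echo -e "${INFO}[v] Configuration done ${RESET}"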