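#!/usr/bin/env bash
#
# hardening-debian.sh — baseline hardening for a Debian host.
#
# Steps, in order: update packages; apply a default-deny IPv4 INPUT policy that
# keeps SSH reachable; tighten sshd (no root login, key-only auth when keys are
# present); purge legacy cleartext remote-access tools; optionally disable
# services; restrict the cron/at access lists; set conservative permissions on
# the account databases.
#
# Usage:  sudo ./hardening-debian.sh
# Env:    SSH_PORT          TCP port to keep open for SSH (default: 22)
#         DISABLE_SERVICES  space-separated systemd units to disable (default: none)
#         CLEAR_LOGS        set to 1 to truncate every file under /var/log
#                           (default: off — see clear_logs for why)
#
# Must run as root. Aborts on the first failing step (set -e), so a partially
# applied run is visible rather than silently continuing.

set -euo pipefail

readonly SSH_PORT="${SSH_PORT:-22}"
readonly DISABLE_SERVICES="${DISABLE_SERVICES:-}"
readonly CLEAR_LOGS="${CLEAR_LOGS:-0}"
readonly SSHD_CONFIG=/etc/ssh/sshd_config

# apt/debconf must never block on a prompt in an unattended run.
export DEBIAN_FRONTEND=noninteractive

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Progress line to stdout.
log() { printf '%s\n' "$*"; }

#######################################
# Refresh the package index and upgrade installed packages.
#######################################
update_packages() {
  log "Updating and upgrading packages..."
  apt-get update
  apt-get upgrade -y
}

#######################################
# Default-deny the IPv4 INPUT chain unless it already has a DROP policy.
# ACCEPT rules are appended *before* the policy is flipped to DROP so an SSH
# session driving this script is never cut off between the two commands.
# Globals:  SSH_PORT
#######################################
configure_firewall() {
  local current_rules
  current_rules=$(iptables -S INPUT)
  if [[ "$current_rules" == *"-P INPUT DROP"* ]]; then
    log "Firewall INPUT policy is already DROP; leaving the ruleset untouched."
    return 0
  fi
  log "Configuring the firewall..."
  # Allow loopback traffic
  iptables -A INPUT -i lo -j ACCEPT
  # Allow established and related connections
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Allow SSH on the configured port
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
  # Set the default policy for INPUT chain to DROP — last, once the allow rules exist.
  iptables -P INPUT DROP
  iptables-save > /etc/iptables.rules
  # Persist the ruleset across reboots: with autosave enabled the package's
  # installer captures the live rules into the file it loads at boot.
  echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
  echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections
  apt-get install -y iptables-persistent
  # NOTE(review): only the IPv4 INPUT chain is filtered. ip6tables keeps its
  # default ACCEPT policy, so a host reachable over IPv6 is still open on every
  # port — mirror these rules with ip6tables (plus ICMPv6) if IPv6 is enabled.
}

#######################################
# Return 0 if at least one non-empty authorized_keys file exists for root or
# a user under /home; used to avoid disabling password auth on a host nobody
# can reach with a key.
#######################################
has_authorized_keys() {
  local f
  for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    if [[ -s "$f" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Set (or append) a single sshd_config directive.
# The match also covers a commented-out directive such as Debian's shipped
# "#PermitRootLogin prohibit-password", which the original plain
# "PermitRootLogin yes" substitution never touched.
# Arguments: $1 - directive name, $2 - value
# Globals:   SSHD_CONFIG
#######################################
set_sshd_option() {
  local key=$1 value=$2
  local pattern="^[[:space:]]*#?[[:space:]]*${key}[[:space:]]"
  if grep -Eq -- "$pattern" "$SSHD_CONFIG"; then
    sed -i -E "s/${pattern}.*/${key} ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

#######################################
# Harden sshd: disable root login and, when keys are present, password auth.
# The config is validated with `sshd -t` before the daemon is restarted so a
# bad edit cannot take the only remote access path down.
# Globals: SSHD_CONFIG
#######################################
harden_sshd() {
  [[ -f "$SSHD_CONFIG" ]] || return 0
  log "Configuring SSH..."
  # Keep one pristine copy for rollback; never overwrite an earlier one.
  [[ -f "${SSHD_CONFIG}.orig" ]] || cp -p -- "$SSHD_CONFIG" "${SSHD_CONFIG}.orig"
  # Disable root login
  set_sshd_option PermitRootLogin no
  # Disable password-based authentication (use key-based authentication)
  if has_authorized_keys; then
    set_sshd_option PasswordAuthentication no
  else
    log "warning: no authorized_keys found; leaving PasswordAuthentication unchanged to avoid a lockout." >&2
  fi
  # NOTE(review): sshd takes the first value it reads for a directive, and
  # files under /etc/ssh/sshd_config.d/ are included before the lines edited
  # here; confirm the effective settings with `sshd -T`.
  sshd -t || die "sshd_config failed validation; ssh was not restarted. Restore from ${SSHD_CONFIG}.orig."
  systemctl restart ssh
}

#######################################
# Purge legacy cleartext remote-access tools. Each package is removed only if
# installed, so an unknown or absent package name cannot abort the run.
#######################################
remove_legacy_packages() {
  log "Removing unnecessary packages..."
  local pkg
  for pkg in telnet rsh-client rsh-server; do
    if dpkg -s "$pkg" >/dev/null 2>&1; then
      apt-get remove -y --purge "$pkg"
    fi
  done
}

#######################################
# Disable (and stop) the systemd units listed in DISABLE_SERVICES.
# Replaces the unparseable `systemctl disable <service-name>` placeholder.
# Globals: DISABLE_SERVICES
#######################################
disable_services() {
  [[ -n "$DISABLE_SERVICES" ]] || return 0
  log "Disabling unused services..."
  local -a units
  read -ra units <<<"$DISABLE_SERVICES"
  local unit
  for unit in "${units[@]}"; do
    systemctl disable --now "$unit"
  done
}

#######################################
# Remove world access from the cron/at allow and deny lists that exist.
# The allow files are usually absent on Debian, so each is checked first
# instead of letting chmod fail on a missing path.
#######################################
secure_cron() {
  log "Securing the cron daemon..."
  local f
  for f in /etc/cron.deny /etc/at.deny /etc/cron.allow /etc/at.allow; do
    if [[ -e "$f" ]]; then
      chmod o-rwx -- "$f"
    fi
  done
}

#######################################
# Set secure permissions for the account databases.
#######################################
set_file_permissions() {
  log "Setting file permissions..."
  # Deliberately NOT applied (kept commented out in the HEAD version):
  #   find / -type f -exec chmod 644 {} \;
  #   find / -type d -exec chmod 755 {} \;
  # A filesystem-wide chmod strips the execute bit from every binary and the
  # setuid/setgid bits from sudo, passwd and friends, leaving the host
  # unadministrable. Scope any permission sweep to one directory tree.
  #
  # /etc/shadow and /etc/gshadow are 0640 root:shadow on Debian; helpers that
  # run setgid shadow need group read, so 0600 would break non-root password
  # checks. 0640 root:shadow is also the CIS Debian baseline.
  chown root:shadow /etc/shadow /etc/gshadow
  chmod 640 /etc/shadow /etc/gshadow
  chown root:root /etc/passwd /etc/group
  chmod 644 /etc/passwd /etc/group
}

#######################################
# Truncate every file under /var/log. Off unless CLEAR_LOGS=1: wiping logs
# removes the evidence an incident responder needs and does not reduce attack
# surface, so it is not a hardening step. (`history -c` from the original is
# dropped: a non-interactive script has no shell history to clear.)
# Globals: CLEAR_LOGS
#######################################
clear_logs() {
  [[ "$CLEAR_LOGS" == 1 ]] || return 0
  log "Clearing history and logs..."
  find /var/log -type f -exec truncate --size 0 -- {} \;
}

main() {
  # Ensure script is run as root
  if [[ "$EUID" -ne 0 ]]; then
    die "Please run this script as root or using sudo."
  fi
  [[ "$SSH_PORT" =~ ^[0-9]+$ ]] || die "SSH_PORT must be numeric, got: ${SSH_PORT}"
  update_packages
  configure_firewall
  harden_sshd
  remove_legacy_packages
  disable_services
  secure_cron
  set_file_permissions
  clear_logs
  log "Debian hardening completed."
  # A reboot is left to the operator: verify the host comes back reachable
  # over SSH with the new firewall and sshd settings before relying on it.
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi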