special =mk-secure
- std hardening
- allow ping
- no auto-update
- all network i/f dhcp
File =mk-secure, tested on Ubuntu 16.04/18.04
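#!/bin/bash
# mk-secure: baseline hardening for Ubuntu 16.04 / 18.04 servers.
# Everything below edits /etc, installs packages and restarts services, so
# the script refuses to continue unless the effective uid is root.
# (Compare the uid rather than the name: `whoami` depends on the passwd
# lookup and a renamed uid-0 account would slip past a string compare.)
if [ "$(id -u)" -ne 0 ] ; then
  echo "not root - please run sudo -s" >&2
  sleep 3
  # non-zero status so a calling script or CI step notices the refusal
  exit 1
fi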
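# ISO time stamps
echo =====================================================================
echo ====================== ISO time stamps ==============================
echo =====================================================================
# Keep a pristine copy of rsyslog.conf only once: a second run must not
# overwrite the backup with the already-modified file (same *_0 convention
# the other sections of this script use).
if [ ! -f /etc/rsyslog.conf_0 ] ; then
  cp /etc/rsyslog.conf /etc/rsyslog.conf_0
fi
# Commenting out the TraditionalFileFormat directive makes rsyslog fall back
# to its default file template, which carries a high-precision ISO 8601
# timestamp with timezone - easier to correlate across hosts during IR.
# The sed is idempotent: once commented, the line no longer starts with '$'.
sed -i 's;^$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat;#&;' /etc/rsyslog.conf
service rsyslog restart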
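# nominal upgrade/update
echo =====================================================================
echo ====================== update / upgrade =============================
echo =====================================================================
# Unattended run: a debconf prompt (e.g. "keep or replace modified config
# file?") during the upgrade would otherwise block the whole script.  The
# variable is exported so the package installs further down inherit it.
export DEBIAN_FRONTEND=noninteractive
if ! apt-get update ; then
  echo "WARNING: apt-get update failed; installs below may use stale package indexes" >&2
fi
apt-get -y upgrade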
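# keep all logs weekly for FOUR years
echo =====================================================================
echo ====================== keep logs for four years ======================
echo =====================================================================
# Rewrite one logrotate snippet (stdin -> stdout): every numeric 'rotate N'
# becomes 'rotate 224' (224 weekly rotations, roughly 4.3 years) and a
# 'daily' / 'monthly' directive becomes 'weekly'.  Only directive lines are
# matched, so a log *path* that happens to contain "daily" is left alone.
_retune_logrotate() {
  sed -E -e 's;rotate [0-9]+.*;rotate 224;' \
         -e 's;^([[:space:]]*)(daily|monthly)([[:space:]]|$);\1weekly\3;'
}
# Backups must NOT live inside /etc/logrotate.d: logrotate includes every
# regular file in that directory (only a short list of taboo suffixes is
# skipped, and "_0" is not one of them), so a left-over "foo_0" is parsed as
# a second definition for the same logs and trips "duplicate log entry"
# errors.  Pristine copies go to a directory outside the include path.
backup_dir=/root/mk-secure-backup/logrotate.d
mkdir -p "$backup_dir"
# Relocate *_0 backups that an earlier run of this script may have left in
# place (left alone, with a warning, if a backup of that name already exists).
for old in /etc/logrotate.d/*_0 ; do
  [ -f "$old" ] || continue
  if ! mv -n -- "$old" "$backup_dir/$(basename "$old" _0)" ; then
    echo "WARNING: could not relocate $old; remove it by hand" >&2
  fi
done
for log in /etc/logrotate.d/* ; do
  [ -f "$log" ] || continue
  case "$log" in *_0) continue ;; esac
  grep -Eq 'rotate [0-9]' "$log" || continue
  name=$(basename "$log")
  echo "${log}:"
  # keep the untouched original once; re-runs regenerate from it again
  if [ ! -f "$backup_dir/$name" ] ; then
    cp -- "$log" "$backup_dir/$name"
  fi
  _retune_logrotate < "$backup_dir/$name" > "$log"
  diff "$backup_dir/$name" "$log"
done
# NOTE: only snippets present right now are retuned; packages installed
# later ship their own defaults and need another run of this section.
grep -E 'day|week|month| rotate' /etc/logrotate.d/* | grep -v '_0'
# Dry run (-d) parses every snippet without rotating anything, so a rewrite
# that produced an unparsable file is noticed here instead of at 06:25 tomorrow.
if ! logrotate -d /etc/logrotate.conf >/dev/null 2>&1 ; then
  echo "WARNING: 'logrotate -d /etc/logrotate.conf' reports errors - review /etc/logrotate.d" >&2
fi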
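# configure and enable firewall
echo =====================================================================
echo ====================== ufw ==========================================
echo =====================================================================
apt-get install -y ufw
# State the policy explicitly so the result does not depend on whatever a
# previous operator set: drop unsolicited inbound, allow outbound.
ufw default deny incoming
ufw default allow outgoing
# ssh rule first - enabling with no ssh rule cuts off the remote session
# running this script.  'ssh' resolves via /etc/services to port 22; if sshd
# listens elsewhere, allow that port here instead.
ufw allow ssh
# http is opened on every host built with this script; drop it (or replace
# it with the service the host actually runs) on non-web boxes.
ufw allow http
# --force answers the "may disrupt existing ssh connections" prompt
ufw --force enable
ufw status numbered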
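# install fail2ban and give the sshd jail a persistent, long ban
echo =====================================================================
echo ====================== fail2ban =====================================
echo =====================================================================
apt-get -y install fail2ban
# The setting belongs in jail.local: `fail2ban-client set ...` changes are
# runtime-only and the original script restarted the service right after
# setting them, which threw them away again.  jail.conf is not edited either,
# because the package overwrites it on upgrade.  Written once; an existing
# marker means an operator may have tuned the file, so it is left alone.
jail_local=/etc/fail2ban/jail.local
if ! grep -qs '^# mk-secure' "$jail_local" ; then
  cat >> "$jail_local" <<'EOF'
# mk-secure: ban ssh brute-forcers for one year.  Plain seconds, because the
# fail2ban 0.9.x shipped with 16.04 does not accept "1y"-style values.
[sshd]
enabled = true
bantime = 31536000
EOF
fi
service fail2ban restart
# give the server socket a moment to come up before querying it
for _try in 1 2 3 4 5 6 7 8 9 10 ; do
  fail2ban-client ping >/dev/null 2>&1 && break
  sleep 1
done
fail2ban-client status sshd
fail2ban-client get sshd bantime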
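# harden ip forwarding and the rest of the network stack
echo =====================================================================
echo ====================== ip forwarding ================================
echo =====================================================================
if [ ! -f /etc/sysctl.conf_0 ] ; then
  cp /etc/sysctl.conf /etc/sysctl.conf_0
fi
# Append the block only once: the original unconditional append stacked a
# fresh copy onto sysctl.conf on every run.
if ! grep -q '^# mk-secure network hardening' /etc/sysctl.conf ; then
  cat <<'EOF' >> /etc/sysctl.conf
# mk-secure network hardening
# Not a router: never forward packets between interfaces
net.ipv4.ip_forward = 0
# IP spoofing protection - strict reverse-path filtering.  Use 2 (loose)
# instead on hosts with asymmetric routing or several uplinks.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP echo sent to broadcast addresses (smurf amplification).
# Directed pings are still answered - see icmp_echo_ignore_all below.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Do not send ICMP redirects (only routers should)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# SYN flood mitigation
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log packets with impossible source addresses (martians)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects (route hijacking)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Allow directed pings (the build requires ping to keep working)
net.ipv4.icmp_echo_ignore_all = 0
EOF
fi
diff /etc/sysctl.conf_0 /etc/sysctl.conf
# -p loads /etc/sysctl.conf only, which is the file edited above
sysctl -p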
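# enforce password quality (upper/lower/num/special/no-dictionary-words/length >= 8)
# https://hostadvice.com/how-to/how-to-enforce-password-quality-on-ubuntu-18-04-vps-or-dedicated-server/
echo =====================================================================
echo ====================== enforce password quality =====================
echo =====================================================================
apt-get install -y libpam-pwquality
if [ ! -f /etc/pam.d/common-password_0 ] ; then
  cp /etc/pam.d/common-password /etc/pam.d/common-password_0
fi
# The policy goes into /etc/security/pwquality.conf, not onto a PAM line:
# the original sed appended minlen=8 to the pam_deny.so entry, where the
# option is simply ignored, and anything put on the pam_pwquality.so line is
# lost the next time pam-auth-update rewrites common-password.
# _set_pwquality KEY VALUE: set "KEY = VALUE", replacing an existing (possibly
# commented-out) setting or appending one; safe to run repeatedly.
_set_pwquality() {
  local key=$1 value=$2 conf=/etc/security/pwquality.conf
  if grep -Eq "^#? *${key} *=" "$conf" 2>/dev/null ; then
    sed -i -E "s;^#? *${key} *=.*;${key} = ${value};" "$conf"
  else
    printf '%s = %s\n' "$key" "$value" >> "$conf"
  fi
}
_set_pwquality minlen 8     # minimum length
_set_pwquality minclass 4   # all four classes required: upper, lower, digit, other
# Dictionary words are rejected by pwquality's default dictcheck; no setting needed.
# NOTE: by default the policy is not enforced when root sets someone's
# password - add 'enforce_for_root' to the pam_pwquality.so line if required.
# Sanity check: the package's pam-config should have inserted the module.
if ! grep -q pam_pwquality.so /etc/pam.d/common-password ; then
  echo "WARNING: pam_pwquality.so missing from /etc/pam.d/common-password - run 'pam-auth-update'" >&2
fi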
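# misc
echo =====================================================================
echo ====================== misc =========================================
echo =====================================================================
# disable welcome banners: update-motd runs every executable under
# /etc/update-motd.d at login, so clearing the exec bit silences a script
# while keeping it around.  Only the "reboot required" notice stays active -
# it is the one that tells an operator a kernel update is pending.
# Looping with an -f guard avoids handing chmod a literal unmatched glob.
for motd_script in /etc/update-motd.d/* ; do
  [ -f "$motd_script" ] || continue
  case "$motd_script" in
    *reboot*) chmod 755 "$motd_script" ;;
    *)        chmod 644 "$motd_script" ;;
  esac
done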
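# fix "locale" issue (for egrep)
# LC_ALL=C gives byte-wise, locale-independent matching for grep/sort/awk.
# Run via "sudo -s" as the header asks, ~ is root's home.  Append only once
# so repeated runs do not pile up duplicate exports.
if [ ! -f ~/.bashrc_0 ] ; then
  cp ~/.bashrc ~/.bashrc_0
fi
grep -qxF 'export LC_ALL=C' ~/.bashrc || echo 'export LC_ALL=C' >> ~/.bashrc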
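# no p/w for sudo
# ADMIN_USER: the account that gets passwordless sudo.  The default keeps the
# original hard-coded name; override with ADMIN_USER=... in the environment.
# NOPASSWD:ALL makes this account equivalent to root - whoever holds its ssh
# key or an open session is root without any second factor.  Protect the
# key accordingly and keep the list of such accounts short.
admin_user=${ADMIN_USER:-ccotton}
sudoers_file=/etc/sudoers.d/90-cloud-init-users
if ! id "$admin_user" >/dev/null 2>&1 ; then
  echo "WARNING: user $admin_user does not exist; skipping sudoers/.bashrc changes" >&2
else
  rule="$admin_user ALL=(ALL) NOPASSWD:ALL"
  if ! grep -qxF "$rule" "$sudoers_file" 2>/dev/null ; then
    # backup name contains a '.', which sudo skips when reading sudoers.d
    [ -f "$sudoers_file" ] && cp "$sudoers_file" "${sudoers_file}.mk-secure.bak"
    echo "$rule" >> "$sudoers_file"
    # drop-ins must be 0440 (sudo ignores writable ones) and must parse:
    # a syntax error in sudoers.d locks *everyone* out of sudo.
    chmod 0440 "$sudoers_file"
    if ! visudo -cf "$sudoers_file" >/dev/null ; then
      echo "ERROR: $sudoers_file failed the visudo check - restoring previous content" >&2
      if [ -f "${sudoers_file}.mk-secure.bak" ] ; then
        mv "${sudoers_file}.mk-secure.bak" "$sudoers_file"
      else
        rm -f "$sudoers_file"
      fi
    fi
  fi
  # same LC_ALL fix for the admin account; only touch a .bashrc that exists,
  # so we never create a root-owned file in the user's home
  admin_home=$(getent passwd "$admin_user" | cut -d: -f6)
  if [ -n "$admin_home" ] && [ -f "$admin_home/.bashrc" ] ; then
    grep -qxF 'export LC_ALL=C' "$admin_home/.bashrc" || echo 'export LC_ALL=C' >> "$admin_home/.bashrc"
  fi
fi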
# disable auto-update linux server
# NOTE: with the apt timers off nobody patches this host automatically; the
# operator owns the update cadence from here on.
for apt_unit in apt-daily.timer apt-daily.service apt-daily-upgrade.timer apt-daily-upgrade.service ; do
  systemctl disable --now "$apt_unit"
done
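# enable all network interfaces as dhcp 4 under cloud-init (/etc/netplan/50-cloud-init.yaml)
# see https://www.tecmint.com/configure-network-static-ip-address-in-ubuntu/
# Convert `lshw -C network` output (stdin) into a netplan v2 document on
# stdout: every "logical name: X" line becomes an ethernet stanza with dhcp4
# enabled.  YAML indentation is significant, hence the fixed 2/4/6 spaces -
# the original one-space layout put the interfaces at the same level as
# "ethernets:" and was not valid netplan.
_netplan_from_lshw() {
  awk 'BEGIN { print "network:"; print "  version: 2"; print "  ethernets:" }
       /logical name:/ { print "    " $3 ":"; print "      dhcp4: true" }'
}
netplan_file=/etc/netplan/50-cloud-init.yaml
if ! command -v netplan >/dev/null 2>&1 ; then
  # 16.04 uses ifupdown, not netplan: a file under /etc/netplan would be ignored
  echo "netplan not installed - leaving network configuration untouched" >&2
else
  if [ -f "$netplan_file" ] && [ ! -f "${netplan_file}_0" ] ; then
    cp "$netplan_file" "${netplan_file}_0"
  fi
  # cloud-init may regenerate 50-cloud-init.yaml from the datasource on a
  # later boot and undo this change; this drop-in is its documented switch
  # for turning that off.
  mkdir -p /etc/cloud/cloud.cfg.d
  printf 'network: {config: disabled}\n' > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
  tmp_yaml=$(mktemp)
  lshw -C network 2>&1 | _netplan_from_lshw > "$tmp_yaml"
  if ! grep -q 'dhcp4: true' "$tmp_yaml" ; then
    # an empty "ethernets:" mapping is rejected by netplan; keep the old file
    echo "WARNING: lshw reported no network interfaces; $netplan_file left unchanged" >&2
    rm -f "$tmp_yaml"
  else
    install -m 0644 "$tmp_yaml" "$netplan_file"
    rm -f "$tmp_yaml"
    # parse-check only; the change takes effect on reboot (or 'netplan apply',
    # which is deliberately not run here because it can drop the ssh session)
    netplan generate || echo "WARNING: netplan rejected $netplan_file - compare with ${netplan_file}_0" >&2
  fi
fi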
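# Linux IP forwarding - how to disable/enable using net.ipv4.ip_forward
# (reference notes kept as comments: a bare heading or a "key = value" line
# is not a shell command and fails with "command not found" at this point)
# sysctl -w net.ipv4.ip_forward=0
# OR
# sysctl -w net.ipv4.ip_forward=1
# --------------- Another way ----------------
# echo 0 > /proc/sys/net/ipv4/ip_forward
# OR
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ---------- [ 0 disabled , 1 enabled ] -------------
# sysctl net.ipv4.ip_forward
# persistent form is a line in /etc/sysctl.conf:
# net.ipv4.ip_forward = 0
# print the current runtime value (0 = forwarding disabled)
cat /proc/sys/net/ipv4/ip_forward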