Sinisterly
Tutorial Harden Debian - Printable Version




Harden Debian - DoXeD - 10-02-2023

Enable automatic security updates: Installs and configures unattended upgrades to automatically install security updates.
Firewall configuration (UFW): Installs and configures the Uncomplicated Firewall (UFW) to deny incoming connections by default and allow outgoing connections. It also allows SSH connections.
Install and configure Fail2Ban: Installs and configures Fail2Ban, a service that helps prevent brute-force attacks by monitoring and blocking suspicious IP addresses.
Enable and configure a strong password policy: Installs libpam-cracklib and modifies the common-password PAM configuration to enforce password complexity requirements.
Secure SSH configuration: Modifies the SSH server configuration (sshd_config) to disable root login and password authentication, improving SSH security.
Set up automatic security checks with Lynis: Installs Lynis, a security auditing tool, and runs an audit on the system.
Enable automatic updates for other software packages: Installs and configures unattended upgrades to automatically update other software packages.
Install and configure a basic intrusion detection system (AIDE): Installs AIDE, an intrusion detection system, and initializes it.
Harden user accounts and privileges: This section provides an example of locking user accounts without passwords. It suggests reviewing and making changes based on specific needs.
Disable unnecessary services: This section advises reviewing and disabling unnecessary services based on specific requirements.
Monitor system logs for suspicious activity: Suggests implementing log monitoring solutions tailored to specific needs.
Regularly update and patch the system: Updates the system by running apt-get update and apt-get upgrade.

Code:
#!/bin/bash

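# Refresh the package index first so the installs below resolve against current package lists
sudo apt-get update

# Enable automatic security updates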
sudo apt-get install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Firewall configuration (UFW)
sudo apt-get install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

# Install and configure Fail2Ban
sudo apt-get install -y fail2ban
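# Create jail.local for local overrides, but keep an existing one if the script is re-run
[ -e /etc/fail2ban/jail.local ] || sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local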
sudo systemctl restart fail2ban

# Enable and configure a strong password policy
sudo apt-get install -y libpam-cracklib
sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.backup
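# Append the rule only once so re-running the script does not stack duplicate lines.
# PAM reads this file top to bottom, so check that the pam_cracklib.so line ends up before pam_unix.so.
grep -q 'pam_cracklib.so.*minlen=10' /etc/pam.d/common-password || \
  echo "password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1" | sudo tee -a /etc/pam.d/common-password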

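# Secure SSH configuration
# Confirm key-based login works first: password logins stop working after the restart.
# Match each directive whether or not it is commented out, whatever its current value
sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Validate the file before restarting so a syntax error cannot take sshd down
sudo sshd -t && sudo systemctl restart ssh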

# Set up automatic security checks with Lynis
sudo apt-get install -y lynis
sudo lynis audit system

# Enable automatic updates for other software packages
sudo apt-get install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Install and configure a basic intrusion detection system (AIDE)
sudo apt-get install -y aide
sudo aideinit

# Harden user accounts and privileges
# (Review each change carefully, as it may affect your specific use case)
# Example: Lock accounts without passwords
# sudo passwd -l <username>

# Disable unnecessary services
# (Review each service and disable if not needed)
# Example: sudo systemctl disable <service-name>

# Monitor system logs for suspicious activity
# (Implement log monitoring solutions based on your specific requirements)

# Regularly update and patch the system
sudo apt-get update && sudo apt-get upgrade -y

echo "Hardening complete. Please review each change to ensure it aligns with your requirements."
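
A post-run check for the SSH step, as an added example that is not part of the original post: a sed edit changes nothing when its pattern does not match the file, so this audits what the configuration actually says afterwards. The function names and the sample configuration are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): audit the SSH settings the script sets.

# effective_value FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line in the global part of
# FILE (sshd keeps the first value it reads), or "unset" if there is none.
# Simplifications: Include files are not followed, "Keyword=value" is not parsed.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/       { next }   # commented defaults have no effect
        tolower($1) == "match" { exit }   # settings below apply conditionally
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE: returns 0 only when both directives are explicitly "no".
# "unset" fails too, because sshd then falls back to its built-in default.
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK   $kw no"
        else
            echo "FAIL $kw is '$val', expected 'no'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: root login already set explicitly, password authentication
# present only as a commented default and inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
#PasswordAuthentication yes
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "sshd_config does not match the intended hardening"
```

On a live host, `sudo sshd -T` prints the configuration sshd actually resolves, including files pulled in by Include.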



RE: Harden Debian - zipsqu - 02-21-2024

Thank you, very informative


RE: Harden Debian - Slimthugga - 02-22-2024

Very interesting information


RE: Harden Debian - goatberry - 02-22-2024

wow cool info thx !! !! !!


RE: Harden Debian - waru89afbans - 02-29-2024

Consider installing and configuring rsyslog to give some visibility on the system