Tips-Of-Mine/Hardening-Linux-Debian-Ubuntu
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update : all variable, create function service

Browse Source
This commit is contained in:
Hubert Cornet 2025-04-24 08:09:49 +02:00
parent 5991764110
commit 9db64d936e
15 changed files with 104 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
test/common.sh
View File

@ -155,4 +155,9 @@ command_exists() {
# Function to check if package is installed
is_package_installed() {
dpkg -l "$1" | grep -q "^ii" >/dev/null 2>&1
}
# Function to check if a service is running
service() {
systemctl $1 $2
}

2
test/modules/additional_hardening.sh
View File

@ -278,7 +278,7 @@ EOF
log_message "SUCCESS" "Rsyslog security configuration created at $rsyslog_security"
# Restart rsyslog
systemctl restart rsyslog
service restart rsyslog
# Configure log rotation
local logrotate_conf="/etc/logrotate.d/rsyslog-security"

12
test/modules/antivirus.sh
View File

@ -44,11 +44,11 @@ configure_clamav() {
log_message "SUCCESS" "ClamAV freshclam configuration updated"
# Create a daily scan script
local scan_script="/etc/cron.daily/clamscan"
local SCAN_SCRIPT="/etc/cron.daily/clamscan"
log_message "INFO" "Creating daily scan script"
cat > "$scan_script" << 'EOF'
cat > "$SCAN_SCRIPT" << 'EOF'
#!/bin/bash
# ClamAV daily scan script
@ -84,13 +84,13 @@ fi
echo "ClamAV daily scan completed at $(date)" >> "$LOG_FILE"
EOF
chmod +x "$scan_script"
log_message "SUCCESS" "ClamAV daily scan script created at $scan_script"
chmod +x "$SCAN_SCRIPT"
log_message "SUCCESS" "ClamAV daily scan script created at $SCAN_SCRIPT"
# Restart ClamAV services
log_message "INFO" "Starting ClamAV services"
systemctl start clamav-freshclam
systemctl start clamav-daemon
service start clamav-freshclam
service start clamav-daemon
if [ $? -eq 0 ]; then
log_message "SUCCESS" "ClamAV services started successfully"

10
test/modules/auditing.sh
View File

@ -26,12 +26,12 @@ configure_auditd() {
fi
# Configure auditd
local audit_rules="/etc/audit/rules.d/audit.rules"
local AUDIT_RULES="/etc/audit/rules.d/audit.rules"
log_message "INFO" "Creating audit rules"
backup_file "$audit_rules"
backup_file "$AUDIT_RULES"
cat > "$audit_rules" << 'EOF'
cat > "$AUDIT_RULES" << 'EOF'
# Audit configuration
# Hardened audit rules
@ -106,11 +106,11 @@ configure_auditd() {
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
EOF
log_message "SUCCESS" "Audit rules created at $audit_rules"
log_message "SUCCESS" "Audit rules created at $AUDIT_RULES"
# Restart auditd service
log_message "INFO" "Restarting auditd service"
service auditd restart
service restart auditd
if [ $? -eq 0 ]; then
log_message "SUCCESS" "auditd service restarted successfully"

26
test/modules/auto_updates.sh
View File

@ -27,12 +27,12 @@ configure_auto_updates() {
fi
# Configure unattended-upgrades
local unattended_conf="/etc/apt/apt.conf.d/50unattended-upgrades"
local UNATTENDED_CONF="/etc/apt/apt.conf.d/50unattended-upgrades"
log_message "INFO" "Creating unattended-upgrades configuration"
backup_file "$unattended_conf"
backup_file "$UNATTENDED_CONF"
cat > "$unattended_conf" << EOF
cat > "$UNATTENDED_CONF" << EOF
// Unattended-Upgrades configuration
// Generated by security hardening script
@ -87,14 +87,14 @@ APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
log_message "SUCCESS" "unattended-upgrades configuration created at $unattended_conf"
log_message "SUCCESS" "unattended-upgrades configuration created at $UNATTENDED_CONF"
# Create a configuration file to enable automatic updates
local auto_upgrades="/etc/apt/apt.conf.d/20auto-upgrades"
local AUTO_UPGRADES="/etc/apt/apt.conf.d/20auto-upgrades"
log_message "INFO" "Creating auto-upgrades configuration"
cat > "$auto_upgrades" << EOF
cat > "$AUTO_UPGRADES" << EOF
// Auto-upgrade configuration
// Generated by security hardening script
@ -104,15 +104,15 @@ APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
log_message "SUCCESS" "auto-upgrades configuration created at $auto_upgrades"
log_message "SUCCESS" "auto-upgrades configuration created at $AUTO_UPGRADES"
# Configure apt-listchanges
local listchanges_conf="/etc/apt/listchanges.conf"
local LISTCHANGES_CONF="/etc/apt/listchanges.conf"
log_message "INFO" "Creating apt-listchanges configuration"
backup_file "$listchanges_conf"
backup_file "$LISTCHANGES_CONF"
cat > "$listchanges_conf" << EOF
cat > "$LISTCHANGES_CONF" << EOF
[apt]
frontend=pager
email_address=root
@ -121,12 +121,12 @@ save_seen=/var/lib/apt/listchanges.db
which=both
EOF
log_message "SUCCESS" "apt-listchanges configuration created at $listchanges_conf"
log_message "SUCCESS" "apt-listchanges configuration created at $LISTCHANGES_CONF"
# Enable and start unattended-upgrades service
log_message "INFO" "Enabling unattended-upgrades service"
systemctl enable unattended-upgrades
systemctl restart unattended-upgrades
service enable unattended-upgrades
service restart unattended-upgrades
if [ $? -eq 0 ]; then
log_message "SUCCESS" "unattended-upgrades service enabled and restarted successfully"

82
test/modules/custom_prompt.sh
View File

@ -79,61 +79,6 @@ configure_custom_profile() {
# Custom secure server profile
# Generated by security hardening script
# Check if the terminal supports colors
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# Color definitions
BLUE="\[\033[01;34m\]"
GREEN="\[\033[01;32m\]"
RED="\[\033[01;31m\]"
YELLOW="\[\033[01;33m\]"
PURPLE="\[\033[01;35m\]"
CYAN="\[\033[01;36m\]"
WHITE="\[\033[01;37m\]"
RESET="\[\033[00m\]"
BOLD="\[\033[01m\]"
# Get server IP
SERVER_IP=$(hostname -I | awk '{print $1}')
# Define symbols based on privilege
if [ "$(id -u)" -eq 0 ]; then
# Root user - red prompt
USER_COLOR=$RED
PROMPT_SYMBOL="#"
else
# Regular user - green prompt
USER_COLOR=$GREEN
PROMPT_SYMBOL="$"
fi
# Set the prompt
PS1="${BOLD}[${USER_COLOR}\u${RESET}${BOLD}@${CYAN}\h${RESET}${BOLD} ${YELLOW}\w${RESET}${BOLD}]${RESET}\\n${USER_COLOR}${PROMPT_SYMBOL}${RESET} "
# Show additional security information for root users
if [ "$(id -u)" -eq 0 ]; then
# Display system information
echo -e "\n${RED}ATTENTION: ROOT LOGIN${RESET}"
echo -e "${YELLOW}System Info:${RESET}"
echo -e " ${CYAN}Hostname:${RESET} $(hostname)"
echo -e " ${CYAN}IP Address:${RESET} ${SERVER_IP}"
echo -e " ${CYAN}Kernel:${RESET} $(uname -r)"
echo -e " ${CYAN}Uptime:${RESET} $(uptime -p | sed 's/up //')"
echo -e " ${CYAN}Load:${RESET} $(cat /proc/loadavg | awk '{print $1 ", " $2 ", " $3}')"
# Show recent failed login attempts
FAILED_LOGINS=$(grep "Failed password" /var/log/auth.log | tail -5)
if [ ! -z "$FAILED_LOGINS" ]; then
echo -e "\n${YELLOW}Recent Failed Login Attempts:${RESET}"
echo -e "${RED}$(grep "Failed password" /var/log/auth.log | tail -5)${RESET}"
fi
echo -e "\n${RED}THIS IS A SECURED SERVER - ALL ACTIONS ARE LOGGED${RESET}\n"
fi
else
# Simple prompt for terminals without color support
PS1="[\u@\h \W]\\$ "
fi
# Set some useful aliases
alias ll='ls -la'
alias l='ls -l'
@ -141,6 +86,7 @@ alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias grep='grep --color=auto'
alias ls='ls --color=auto'
EOF
chmod +x "$profile_file"
@ -177,21 +123,21 @@ PROCESSOR_NAME=$(awk -F": " '/model name/ { print $2 }' /proc/cpuinfo | head -1)
PROCESSOR_COUNT=$(grep -ioPc 'processor\t:' /proc/cpuinfo)
# colors
W="\e[0;39m"
G="\e[1;32m"
R="\e[1;31m"
WHITE="\e[0;39m"
GREEN="\e[1;32m"
RED="\e[1;31m"
dim="\e[2m"
undim="\e[0m"
echo -e "${W}System info:
$W Hostname$dim····$undim: $W${HOSTNAME}
$W Distro$dim······$undim: $W$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g')
$W Kernel$dim······$undim: $W$(uname -sr)
$W Uptime$dim······$undim: $W$(uptime -p)
$W Load$dim········$undim: $G$LOAD1$W (1m), $G$LOAD5$W (5m), $G$LOAD15$W (15m)
$W Processes$dim···$undim: $G$PROCESS_ROOT$W (root), $G$PROCESS_USER$W (user), $G$PROCESS_ALL$W (total)
$W CPU$dim·········$undim: $W$PROCESSOR_NAME ($G$PROCESSOR_COUNT$W vCPU)
$W Memory$dim······$undim: $G$USED$W used, $G$AVAIL$W avail, $G$TOTAL$W total"
$WHITE Hostname$dim····$undim: $WHITE${HOSTNAME}
$WHITE Distro$dim······$undim: $WHITE$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g')
$WHITE Kernel$dim······$undim: $WHITE$(uname -sr)
$WHITE Uptime$dim······$undim: $WHITE$(uptime -p)
$WHITE Load$dim········$undim: $GREEN$LOAD1$WHITE (1m), $GREEN$LOAD5$WHITE (5m), $GREEN$LOAD15$WHITE (15m)
$WHITE Processes$dim···$undim: $GREEN$PROCESS_ROOT$WHITE (root), $GREEN$PROCESS_USER$WHITE (user), $GREEN$PROCESS_ALL$WHITE (total)
$WHITE CPU$dim·········$undim: $WHITE$PROCESSOR_NAME ($GREEN$PROCESSOR_COUNT$WHITE vCPU)
$WHITE Memory$dim······$undim: $GREEN$USED$WHITE used, $GREEN$AVAIL$WHITE avail, $GREEN$TOTAL$WHITE total"
# config
max_usage=90
@ -206,9 +152,9 @@ while read line; do
used_width=$((($usage*$bar_width)/100))
# color is green if usage < max_usage, else red
if [ "${usage}" -ge "${max_usage}" ]; then
color=$R
color=$RED
else
color=$G
color=$GREEN
fi
# print green/red bar until used_width
bar="[${color}"

10
test/modules/dns_config.sh
View File

@ -17,12 +17,12 @@ configure_dns() {
backup_file "/etc/resolv.conf"
# Create systemd-resolved configuration
local resolved_conf="/etc/systemd/resolved.conf"
local RESOLVED_CONF="/etc/systemd/resolved.conf"
log_message "INFO" "Creating systemd-resolved configuration"
backup_file "$resolved_conf"
backup_file "$RESOLVED_CONF"
cat > "$resolved_conf" << EOF
cat > "$RESOLVED_CONF" << EOF
[Resolve]
# Google and Cloudflare DNS servers
DNS=8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1
@ -39,12 +39,12 @@ DNSStubListener=yes
ReadEtcHosts=yes
EOF
log_message "SUCCESS" "systemd-resolved configuration created at $resolved_conf"
log_message "SUCCESS" "systemd-resolved configuration created at $RESOLVED_CONF"
# Restart systemd-resolved service
if systemctl is-active systemd-resolved >/dev/null 2>&1; then
log_message "INFO" "Restarting systemd-resolved service"
systemctl restart systemd-resolved
service restart systemd-resolved
if [ $? -eq 0 ]; then
log_message "SUCCESS" "systemd-resolved service restarted successfully"

10
test/modules/fail2ban.sh
View File

@ -26,12 +26,12 @@ configure_fail2ban() {
fi
# Create fail2ban local configuration
local fail2ban_local="/etc/fail2ban/jail.local"
local FAIL2BAN_LOCAL="/etc/fail2ban/jail.local"
log_message "INFO" "Creating fail2ban configuration"
backup_file "$fail2ban_local"
backup_file "$FAIL2BAN_LOCAL"
cat > "$fail2ban_local" << EOF
cat > "$FAIL2BAN_LOCAL" << EOF
[DEFAULT]
# Ban hosts for 1 hour
bantime = 3600
@ -52,7 +52,7 @@ banaction_allports = iptables-allports
# SSH jail configuration (custom port)
[sshd]
enabled = true
port = 2222
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
@ -75,7 +75,7 @@ logpath = /var/log/nginx/error.log
maxretry = 3
EOF
log_message "SUCCESS" "fail2ban configuration created at $fail2ban_local"
log_message "SUCCESS" "fail2ban configuration created at $FAIL2BAN_LOCAL"
# Restart fail2ban service
log_message "INFO" "Restarting fail2ban service"

25
test/modules/firewall.sh
View File

@ -29,30 +29,41 @@ configure_ufw() {
ufw --force reset
# Set default policies
log_message "INFO" "Setting default UFW policies"
log_message "INFO" "IPv4 : Setting default UFW policies"
ufw default deny incoming
ufw default allow outgoing
# Allow SSH on custom port
log_message "INFO" "Allowing SSH on port 2222"
ufw allow 2222/tcp
log_message "INFO" "IPv4 : Allowing SSH on port 22"
ufw allow 22/tcp
# Allow HTTP/HTTPS for web services if needed
log_message "INFO" "Allowing HTTP/HTTPS ports"
log_message "INFO" "IPv4 : Allowing HTTP/HTTPS ports"
ufw allow 80/tcp
ufw allow 443/tcp
# Allow SNMP for monitoring
log_message "INFO" "Allowing SNMP port for monitoring"
log_message "INFO" "IPv4 : Allowing SNMP port for monitoring"
ufw allow 161/udp
# Allow NRPE for monitoring
log_message "INFO" "Allowing NRPE port for monitoring"
log_message "INFO" "IPv4 : Allowing NRPE port for monitoring"
ufw allow 5666/tcp
# Allow IPv6 if needed
log_message "INFO" "IPv6 : Setting default UFW policies"
ufw allow in on lo
ufw allow out on lo
ufw deny in from ::/0
ufw allow out to ::/0
# Enable log
log_message "INFO" "Enabling logging for UFW"
ufw logging on
# Enable UFW
log_message "INFO" "Enabling UFW"
echo "y" | ufw enable
echo "y" | ufw -force enable
if [ $? -eq 0 ]; then
log_message "SUCCESS" "UFW enabled successfully"

4
test/modules/glpi_agent.sh
View File

@ -138,8 +138,8 @@ EOF
# Enable and start GLPI agent service
log_message "INFO" "Enabling and starting GLPI agent service"
systemctl daemon-reload
systemctl enable glpi-agent
systemctl restart glpi-agent
service enable glpi-agent
service restart glpi-agent
if [ $? -eq 0 ]; then
log_message "SUCCESS" "GLPI agent service enabled and started"

8
test/modules/monitoring.sh
View File

@ -102,8 +102,8 @@ EOF
# Restart SNMP service
log_message "INFO" "Restarting SNMP service"
systemctl enable snmpd
systemctl restart snmpd
service enable snmpd
service restart snmpd
if [ $? -eq 0 ]; then
log_message "SUCCESS" "SNMP service restarted successfully"
@ -279,8 +279,8 @@ EOF
# Restart NRPE service
log_message "INFO" "Restarting NRPE service"
systemctl enable nagios-nrpe-server
systemctl restart nagios-nrpe-server
service enable nagios-nrpe-server
service restart nagios-nrpe-server
if [ $? -eq 0 ]; then
log_message "SUCCESS" "NRPE service restarted successfully"

12
test/modules/ntp.sh
View File

@ -27,12 +27,12 @@ configure_ntp() {
fi
# Configure chrony
local chrony_conf="/etc/chrony/chrony.conf"
local CHRONY_CONFf="/etc/chrony/chrony.conf"
log_message "INFO" "Creating chrony configuration"
backup_file "$chrony_conf"
backup_file "$CHRONY_CONF"
cat > "$chrony_conf" << EOF
cat > "$CHRONY_CONF" << EOF
# Chrony NTP configuration
# Generated by security hardening script
@ -72,12 +72,12 @@ allow 127.0.0.1
deny all
EOF
log_message "SUCCESS" "chrony configuration created at $chrony_conf"
log_message "SUCCESS" "chrony configuration created at $CHRONY_CONF"
# Restart chrony service
log_message "INFO" "Restarting chrony service"
systemctl enable chrony
systemctl restart chrony
service enable chrony
service restart chrony
if [ $? -eq 0 ]; then
log_message "SUCCESS" "chrony service restarted successfully"

1
test/modules/package_management.sh
View File

@ -141,6 +141,7 @@ install_new_packages() {
EOF
chmod +x "$SCRIPT_DIR/install_packages.sh"
log_message "INFO" "Created new package installation module at $SCRIPT_DIR/install_packages.sh"
# Main execution for package management

30
test/modules/ssh_hardening.sh
View File

@ -106,17 +106,18 @@ harden_ssh_config() {
# Hardened configuration from security script
# Basic SSH server settings
Port 2222
AddressFamily inet
ListenAddress 0.0.0.0
Port 22
#AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::
# Authentication settings
#AuthorizedKeysFile /root/.ssh/authorized_keys/%u
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication no
#PermitEmptyPasswords no
#ChallengeResponseAuthentication no
UsePAM yes
# Security settings
@ -127,15 +128,18 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# Hardening options
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 5
MaxAuthTries 5
MaxSessions 3
ClientAliveInterval 300
ClientAliveCountMax 3
#
Banner /etc/banner
# Disable weak crypto
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
# Logging
SyslogFacility AUTH

4
test/modules/wazuh_agent.sh
View File

@ -91,8 +91,8 @@ EOF
# Enable and start Wazuh agent
log_message "INFO" "Enabling and starting Wazuh agent"
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl restart wazuh-agent
service enable wazuh-agent
service restart wazuh-agent
if [ $? -eq 0 ]; then
log_message "SUCCESS" "Wazuh agent service enabled and started"