OS-Hardening is a post-installation hardening script for Debian-like operating systems. It is written in Bash and should be executed after a clean installation.
```bash
wget https://raw.githubusercontent.com/ITNerdbox/OS-Hardening/master/debian_hardening.sh
chmod +x debian_hardening.sh
./debian_hardening.sh
```
A terminal-based wizard guides users through the installation and configuration process.
Item | Action | Description |
---|---|---|
PAM Cracklib | Added | PAM Cracklib is now properly configured based on the in-script user settings. |
Firehol | Added | Firewall: replaced ufw with Firehol, as it is easier to configure multiple network zones. |
Firehol | Added | The Firehol configuration is generated automatically and set to only allow SSH on the main interface. |
Backup | Fixed | Backup of configuration files was not handled properly. |
File System and Permission Configuration
- Default umask is changed to 027 (750), which prevents user-created directories from being world-readable.
- Set proper permissions in /home
- Set noexec bit on /tmp partition
- Disable creating hardlinks and symbolic links for unauthorized users
Memory Configuration
- Enable memory randomization
- Disable OOM (Out of Memory) killer to prevent random processes being killed.
Network Configuration
- Disable IPv6
- Disable IPv4 forwarding
- Disable ICMP redirects
- Disable IP source route packets
- Disable source routing
- Disable BOOTP relay
- Disable Proxy ARP
- Disable specific network protocols (dccp, sctp, rds and tipc)
- Ignore ICMP ECHO and TIMESTAMP requests via broadcast/multicast
- Enable source address verification to prevent spoofing attacks
- Enable source validation by reverse path (rp_filter)
- Enable firewall to deny any incoming traffic
- Enable firewall to accept incoming connections to TCP/22 (SSH)
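The network items above map onto a handful of kernel sysctls plus a modprobe blacklist for the unused protocols. The script below is an added example, not the OS-Hardening script's own code: it lists the expected sysctl values, generates the modprobe entries, and audits the running kernel with `sysctl -n` so a defender can see which items a host does not enforce. The drop-in paths under `/etc/sysctl.d` and `/etc/modprobe.d` are this example's choice; the firewall rules are left to Firehol and are not covered here.

```bash
#!/bin/sh
# Added example (not part of OS-Hardening): sysctl/modprobe settings behind the
# "Network Configuration" list and an audit that reports what the kernel enforces.

# Expected key=value pairs in sysctl.d syntax. icmp_echo_ignore_broadcasts covers
# both ICMP ECHO and TIMESTAMP requests received via broadcast/multicast.
hardening_sysctl_expected() {
    cat <<'EOF'
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.bootp_relay=0
net.ipv4.conf.all.proxy_arp=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
EOF
}

# Protocol modules the list disables. "install <mod> /bin/true" makes modprobe
# report success without ever loading the module.
hardening_modprobe_blacklist() {
    for mod in dccp sctp rds tipc; do
        echo "install $mod /bin/true"
    done
}

# Audit: compare each expected value with what "sysctl -n" reports.
# Prints one line per mismatch; returns 0 only when every value matches.
audit_sysctl() {
    mismatches=0
    for line in $(hardening_sysctl_expected); do
        key=${line%%=*}
        want=${line#*=}
        got=$(sysctl -n "$key" 2>/dev/null) || got="(unavailable)"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, got $got"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Install (run as root): write the drop-ins and reload. File names are this
# example's choice, not paths used by OS-Hardening.
install_sysctl_hardening() {
    hardening_sysctl_expected > /etc/sysctl.d/99-hardening.conf
    hardening_modprobe_blacklist > /etc/modprobe.d/hardening-protocols.conf
    sysctl --system >/dev/null
}

# Usage: . ./net-hardening.sh && audit_sysctl
```

`audit_sysctl` is deliberately read-only, so it can be run from a monitoring job or after a kernel upgrade to confirm the settings survived; `install_sysctl_hardening` is the only function that writes to the system.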
Authentication
- Disable root login from the console
- Disable root login from SSH
- Disable password based authentication for SSH
Passwords
- Store passwords using the SHA512 hashing algorithm
- The default number of SHA rounds is set between 5000000 (min) and 9000000 (max)
- Install and enable PAM cracklib
- Configure PAM cracklib with user defined settings
- Enforce a password policy: Password change frequency for shared systems
SSH Configuration
- Enforce strong Key Exchange Algorithms (KEX)
- Enforce strong ciphers
- Enforce strong Message Authentication Codes (MACs)
- Only allow users that are part of the group sshlogin
- Only allow ed25519 SSH keys (RSA is no longer accepted)
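The Authentication and SSH Configuration items above are all `sshd_config` directives. The following is an added example, not code from OS-Hardening: a generator for a drop-in that enforces those items, plus a checker that parses an `sshd_config` file the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive) and flags missing directives or legacy algorithms. The specific KEX, cipher and MAC lists are this example's selection of current OpenSSH algorithms, not the script's lists; the drop-in path assumes OpenSSH 8.2 or later, which reads `/etc/ssh/sshd_config.d/`.

```bash
#!/bin/sh
# Added example (not part of OS-Hardening): sshd_config drop-in for the
# "Authentication" and "SSH Configuration" items, plus a config checker.

# Drop-in content. PubkeyAcceptedKeyTypes is the pre-8.5 name of
# PubkeyAcceptedAlgorithms; OpenSSH still accepts it as an alias.
hardening_sshd_config() {
    cat <<'EOF'
# example drop-in for /etc/ssh/sshd_config.d/99-hardening.conf
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshlogin
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF
}

# Print the effective value of a directive in FILE: comments are skipped, the
# keyword is matched case-insensitively, and the first occurrence wins (sshd
# semantics). Prints nothing when the directive is absent.
sshd_directive() {  # sshd_directive FILE DIRECTIVE
    awk -v want="$(echo "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == want { print $2; exit }
    ' "$1"
}

findings=0

# Record a finding when DIRECTIVE in the file under test is not exactly VALUE.
expect_directive() {  # expect_directive FILE DIRECTIVE VALUE
    got=$(sshd_directive "$1" "$2")
    if [ "$got" != "$3" ]; then
        echo "$2: want '$3', got '${got:-<unset>}'"
        findings=$((findings + 1))
    fi
}

# Check FILE against the items above. Returns 0 when all pass, 1 otherwise,
# printing one line per finding.
check_sshd_config() {  # check_sshd_config FILE
    findings=0
    expect_directive "$1" PermitRootLogin no
    expect_directive "$1" PasswordAuthentication no
    expect_directive "$1" AllowGroups sshlogin
    expect_directive "$1" PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
    # Negotiated lists must be present and free of legacy algorithms.
    for d in KexAlgorithms Ciphers MACs; do
        got=$(sshd_directive "$1" "$d")
        case ",$got," in
            *,,*|*sha1*|*cbc*|*arcfour*|*3des*|*-md5*|*diffie-hellman-group1-*)
                echo "$d: missing or contains a legacy algorithm: '${got:-<unset>}'"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage: hardening_sshd_config > /etc/ssh/sshd_config.d/99-hardening.conf
#        check_sshd_config /etc/ssh/sshd_config.d/99-hardening.conf && sshd -t
```

Run `sshd -t` after installing the drop-in, and keep an existing session open until a second login with an ed25519 key succeeds, since `AllowGroups sshlogin` locks out every account that is not in that group.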
Hardware
- Disable USB
- Disable Firewire
- Enable Spectre-like attack protection
Date | Type | Description |
---|---|---|
MAY-22-2021 | Release | Released version 1.4 |
DEC-04-2020 | Bugfix | Script would stop when entering a username that already existed |
OCT-03-2020 | Bugfix | After enabling the firewall, the script hung |
If you have suggestions, comments, requests or found a bug, feel free to contact me.