Hardening

Apply a layered hardening methodology for Debian/Ubuntu systems. Includes firewalling, automatic updates, intrusion prevention, malware scanning, rootkit detection, and auditing.

Audit the current system configuration:

sudo lynis audit system

Configure a restrictive firewall with UFW:

sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw enable

Verify firewall status:

sudo ufw status verbose
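The two firewall commands above, enabled on a remote host, will also drop the SSH session you are typing them from unless a rule admitting SSH exists first. The script below is an added example, not part of the original cheat sheet: it applies the same baseline as an ordered list with an SSH rule ahead of `ufw enable`, and checks `ufw status verbose` output for the result. `SSH_PORT` and `DRY_RUN` are knobs of this script, not ufw options, and the status text is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): apply the UFW baseline as
# an ordered list, admitting SSH *before* "ufw enable" so a remote session is
# not cut off, then verify by parsing "ufw status verbose" output.
# SSH_PORT and DRY_RUN are knobs of this script, not ufw options (assumption).

SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them with sudo

# The baseline, in the order it must be applied. "ufw limit" admits the port but
# rate-limits new connections (ufw denies a source after 6 attempts in 30 s),
# which blunts password guessing before Fail2Ban even sees it.
ufw_baseline_commands() {
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw limit ${SSH_PORT}/tcp" \
        "ufw --force enable"
}

# Run each command (or just print it when DRY_RUN=1), stopping at the first failure.
ufw_apply_baseline() {
    ufw_baseline_commands | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            printf 'would run: sudo %s\n' "$cmd"
        else
            # shellcheck disable=SC2086  -- splitting $cmd into arguments is intended
            sudo $cmd || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
        fi
    done
}

# Check "ufw status verbose" text for the properties the baseline sets.
# Returns 0 when all hold; otherwise prints the first failing check and returns 1.
ufw_verify_status() {
    status_text="$1"
    printf '%s\n' "$status_text" | grep -q '^Status: active' \
        || { echo "firewall not active"; return 1; }
    printf '%s\n' "$status_text" | grep -q '^Default: deny (incoming), allow (outgoing)' \
        || { echo "default policy is not deny incoming / allow outgoing"; return 1; }
    printf '%s\n' "$status_text" | grep -Eq "^${SSH_PORT}/tcp +(ALLOW|LIMIT) IN" \
        || { echo "no rule admitting SSH on ${SSH_PORT}/tcp: remote access would be cut off"; return 1; }
    return 0
}

# Constructed sample of "sudo ufw status verbose" after the baseline is applied.
SAMPLE_UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)'

# Constructed sample from a host where the firewall was never enabled.
SAMPLE_UFW_INACTIVE='Status: inactive'
```

Source the file, run `DRY_RUN=0 ufw_apply_baseline` once the printed list looks right, then confirm with `ufw_verify_status "$(sudo ufw status verbose)"`; a non-zero return names the first property that is missing.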

Install and enable automatic security updates:

sudo apt install unattended-upgrades && sudo dpkg-reconfigure unattended-upgrades

Verify automatic updates are running:

systemctl status unattended-upgrades

Disable Avahi network discovery services:

sudo systemctl disable --now avahi-daemon

Verify Avahi is disabled:

systemctl is-enabled avahi-daemon

Disable the CUPS printing service:

sudo systemctl disable --now cups

Verify CUPS is disabled:

systemctl is-enabled cups

Install and enable Fail2Ban intrusion prevention:

sudo apt install fail2ban && sudo systemctl enable --now fail2ban

Copy the default config file to jail.local so package upgrades don't overwrite your changes:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Show Fail2Ban status:

sudo fail2ban-client status

Show SSH jail activity:

sudo fail2ban-client status sshd

View banned IPs:

sudo fail2ban-client get sshd banip
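Fail2Ban reads `jail.conf` and then `jail.local`, so a `jail.local` holding only the settings you change is an alternative to copying the whole file and stays readable across upgrades. The script below is an added example, not part of the original cheat sheet: it writes such a minimal override and turns the text of `fail2ban-client status sshd` into values a monitoring check can act on. `JAIL_LOCAL` is a knob of this script so it can write to a scratch path; the ban thresholds are illustrative; the status text is a constructed sample (real output separates key and value with a tab).

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a minimal jail.local
# override for the sshd jail, and parsers for "fail2ban-client status sshd".
# JAIL_LOCAL is a knob of this script (assumption); thresholds are illustrative.

JAIL_LOCAL="${JAIL_LOCAL:-/etc/fail2ban/jail.local}"

# Only settings that differ from jail.conf; everything else keeps its default.
fail2ban_write_jail_local() {
    cat > "$JAIL_LOCAL" <<'EOF'
[DEFAULT]
# seconds an address stays banned / window in which maxretry failures trigger it
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
EOF
}

# Value of one "|- Key:" / "`- Key:" line in fail2ban-client status output.
fail2ban_status_field() {
    key="$1"
    printf '%s\n' "$2" | sed -n "s/^[ |\`-]*${key}:[[:space:]]*//p" | head -n 1
}

fail2ban_currently_banned() { fail2ban_status_field 'Currently banned' "$1"; }
fail2ban_total_failed()     { fail2ban_status_field 'Total failed' "$1"; }

# One banned address per line; prints nothing when the list is empty.
fail2ban_banned_ips() {
    fail2ban_status_field 'Banned IP list' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Constructed sample of "sudo fail2ban-client status sshd".
SAMPLE_SSHD_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     37
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   192.0.2.10 198.51.100.7'
```

After writing the override, `sudo systemctl restart fail2ban` picks it up, and `fail2ban_banned_ips "$(sudo fail2ban-client status sshd)"` gives the live list in a form that is easy to diff against yesterday's.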

Install ClamAV antivirus:

sudo apt install clamav clamav-daemon

Update ClamAV virus definitions:

sudo systemctl stop clamav-freshclam && sudo freshclam && sudo systemctl start clamav-freshclam

Scan the home directory for infected files:

clamscan -r --bell -i ~

Scan the entire system excluding /sys:

sudo clamscan -r / --exclude-dir="^/sys"
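A full-system scan is usually run from cron, where the only thing the job sees is an exit status and a log. The script below is an added example, not part of the original cheat sheet: it wraps `clamscan` with the pseudo-filesystems excluded, maps clamscan's documented exit codes (0 clean, 1 infected, 2 error) to a verdict, and extracts infected paths and summary counts from the report. `SCAN_ROOT` and `SCAN_LOG` are knobs of this wrapper, not clamscan options; the report text is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a wrapper for scheduled
# clamscan runs that skips pseudo-filesystems, logs the verdict, and turns the
# exit status and report into values a cron job or monitoring check can act on.
# SCAN_ROOT and SCAN_LOG are knobs of this wrapper, not clamscan options (assumption).

SCAN_ROOT="${SCAN_ROOT:-/}"
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/full-scan.log}"

# clamscan's documented exit codes: 0 nothing found, 1 infected file(s) found,
# 2 an error occurred (unreadable files, missing definitions, ...).
clamscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# Pseudo-filesystems hold no files on disk; scanning them wastes time or can
# hang the scan, so exclude them alongside /sys. Patterns are regexes, as in
# the cheat sheet's --exclude-dir="^/sys".
clamscan_exclude_args() {
    printf '%s\n' '--exclude-dir=^/sys' '--exclude-dir=^/proc' \
                  '--exclude-dir=^/dev' '--exclude-dir=^/run'
}

# Paths reported as infected ("<path>: <signature> FOUND"), one per line.
clamscan_infected_paths() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# A numeric field from the scan summary, e.g. "Infected files" or "Scanned files".
clamscan_summary_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: \([0-9][0-9]*\)$/\1/p" | head -n 1
}

# Run the full scan, append a one-line verdict to the log, and propagate
# clamscan's own exit status so cron reports anything but "clean".
clamscan_full_system() {
    # shellcheck disable=SC2046  -- the exclusion patterns contain no whitespace
    if clamscan -r -i $(clamscan_exclude_args) --log="$SCAN_LOG" "$SCAN_ROOT"; then
        rc=0
    else
        rc=$?
    fi
    printf '%s full scan of %s: %s\n' "$(date '+%F %T')" "$SCAN_ROOT" \
        "$(clamscan_verdict "$rc")" >> "$SCAN_LOG"
    return "$rc"
}

# Constructed sample of "clamscan -r -i" output: one hit on the harmless EICAR
# test file, followed by the summary block clamscan prints.
SAMPLE_CLAMSCAN_OUTPUT='/home/alice/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8695234
Engine version: 0.103.9
Scanned directories: 12
Scanned files: 340
Infected files: 1
Data scanned: 25.40 MB
Data read: 20.11 MB (ratio 1.26:1)
Time: 12.345 sec (0 m 12 s)'
```

Because `clamscan_full_system` returns clamscan's own status, a crontab entry such as `0 3 * * * /usr/local/sbin/clamav-full-scan.sh` only produces mail on an infected file or a scan error, and the appended log line tells the two apart.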

Install and update RKHunter:

sudo apt install rkhunter && sudo rkhunter --update

Run a non-interactive RKHunter scan:

sudo rkhunter --check --sk

Install and run Chkrootkit:

sudo apt install chkrootkit && sudo chkrootkit

Run a quieter Chkrootkit scan:

sudo chkrootkit -q

Install Needrestart to identify services using outdated libraries:

sudo apt install needrestart

Check which services require restarting:

sudo needrestart

Install Debsums for package integrity verification:

sudo apt install debsums

Show packages with modified files:

sudo debsums -c

Show checksum mismatches, including configuration files (which are skipped by default):

sudo debsums -ca

Install and enable Linux auditing:

sudo apt install auditd audispd-plugins && sudo systemctl enable --now auditd

Verify auditd status:

sudo systemctl status auditd

Show audit events from today:

sudo ausearch -ts today

Generate an audit summary report:

sudo aureport --summary

Show login activity from audit logs:

sudo aureport --login
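A freshly enabled auditd records little beyond logins until it is given rules, so `ausearch -ts today` on a new install looks quieter than the system is. The script below is an added example, not part of the original cheat sheet: it writes a baseline set of watch rules for the identity, privilege and control files the steps above touch as a `rules.d` fragment, lists the keys you can later pass to `ausearch -k`, and flags rules that carry no key. `RULES_FILE` is a knob of this script so it can be tried in a scratch directory; the key names are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a baseline audit rule set
# for the files the hardening steps change, plus helpers to list the rule keys
# (for "ausearch -k") and to catch rules that would be unsearchable for lack of one.
# RULES_FILE is a knob of this script (assumption); key names are illustrative.

RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/50-hardening.rules}"

# Watch rules (-w PATH -p PERMS -k KEY) fire on writes and attribute changes;
# the last rule records every command executed as root.
audit_baseline_rules() {
    cat <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/ufw/ -p wa -k firewall
-w /etc/fail2ban/ -p wa -k fail2ban
-w /etc/audit/ -p wa -k auditconfig
-a always,exit -F arch=b64 -S execve -F euid=0 -k root-exec
EOF
}

# Every rule should end in "-k KEY"; otherwise its events cannot be pulled out
# with "ausearch -k". Prints offending lines and returns 1 if there are any.
audit_rules_lint() {
    bad=$(printf '%s\n' "$1" | grep -v '^#' | grep -v '^$' \
          | grep -v -- ' -k [A-Za-z0-9_-]*$' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Unique keys in a rule set, one per line: the list to iterate with ausearch -k.
audit_rule_keys() {
    printf '%s\n' "$1" | sed -n 's/.* -k \([A-Za-z0-9_-]*\)$/\1/p' | sort -u
}

# Write the fragment. Apply it with "sudo augenrules --load" and confirm the
# loaded set with "sudo auditctl -l".
audit_install_rules() {
    audit_baseline_rules > "$RULES_FILE"
}
```

Once loaded, `sudo ausearch -k privilege -ts today` answers "who touched sudoers today" directly, and `audit_rule_keys "$(audit_baseline_rules)"` gives the full list of keys worth checking in a daily review.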

Install the maintenance helpers needrestart, debsums, apt-cacher, apt-listchanges and apt-show-versions in one step:

sudo apt install needrestart debsums apt-cacher apt-listchanges apt-show-versions

Credits:

https://github.com/DouglasFreshHabian/Cheatsh33ts/blob/main/TLDR/fortress.md