# Hardening

Apply a layered hardening methodology for Debian/Ubuntu systems, covering firewalling, automatic updates, intrusion prevention, malware scanning, rootkit detection, and auditing.

Audit the current system configuration:

```
sudo lynis audit system
```

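Configure a restrictive firewall with UFW. On a host you administer over SSH, add an allow rule for SSH before running this, since the default-deny policy blocks new inbound connections: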

```
sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw enable
```

Verify firewall status:

```
sudo ufw status verbose
```

Install and enable automatic security updates:

```
sudo apt install unattended-upgrades && sudo dpkg-reconfigure unattended-upgrades
```

Verify automatic updates are running:

```
systemctl status unattended-upgrades
```

Disable Avahi network discovery services:

```
sudo systemctl disable --now avahi-daemon
```

Verify Avahi is disabled:

```
systemctl is-enabled avahi-daemon
```

Disable the CUPS printing service:

```
sudo systemctl disable --now cups
```

Verify CUPS is disabled:

```
systemctl is-enabled cups
```

Install and enable Fail2Ban intrusion prevention:

```
sudo apt install fail2ban && sudo systemctl enable --now fail2ban
```

Copy the default config file so that upgrades don't overwrite your changes:

```
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Show Fail2Ban status:

```
sudo fail2ban-client status
```

Show SSH jail activity:

```
sudo fail2ban-client status sshd
```

View banned IPs:

```
sudo fail2ban-client get sshd banip
```

Install ClamAV antivirus:

```
sudo apt install clamav clamav-daemon
```

Update ClamAV virus definitions:

```
sudo systemctl stop clamav-freshclam && sudo freshclam && sudo systemctl start clamav-freshclam
```

Scan the home directory for infected files:

```
clamscan -r --bell -i ~
```

Scan the entire system excluding /sys:

```
sudo clamscan -r / --exclude-dir="^/sys"
```

Install and update RKHunter:

```
sudo apt install rkhunter && sudo rkhunter --update
```

Run a non-interactive RKHunter scan:

```
sudo rkhunter --check --sk
```

Install and run Chkrootkit:

```
sudo apt install chkrootkit && sudo chkrootkit
```

Run a quieter Chkrootkit scan:

```
sudo chkrootkit -q
```

Install Needrestart to identify services using outdated libraries:

```
sudo apt install needrestart
```

Check which services require restarting:

```
sudo needrestart
```

Install Debsums for package integrity verification:

```
sudo apt install debsums
```

List package files that have been modified:

```
sudo debsums -c
```

Show only checksum mismatches, including configuration files:

```
sudo debsums -ca
```

Install and enable Linux auditing:

```
sudo apt install auditd audispd-plugins && sudo systemctl enable --now auditd
```

Verify auditd status:

```
sudo systemctl status auditd
```

Show audit events from today:

```
sudo ausearch -ts today
```

Generate an audit summary report:

```
sudo aureport --summary
```

Show login activity from audit logs:

```
sudo aureport --login
```

Install needrestart, debsums, apt-cacher, apt-listchanges, and apt-show-versions:

```
sudo apt install needrestart debsums apt-cacher apt-listchanges apt-show-versions
```
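
The verification steps above can be collected into one pass/fail report. This is an added example, not part of the original cheatsheet: the function names are its own, and it goes slightly beyond the page by also checking the `avahi-daemon.socket` and `cups.socket` units, which can start those services on demand.

```shell
#!/bin/sh
# Added example: one pass/fail report for the verification steps on this page.
# Run as root with --run; the function names are this example's own.

# Reads `ufw status verbose` output on stdin; succeeds only if the firewall
# is active with defaults of deny incoming / allow outgoing.
ufw_policy_ok() {
    awk '
        /^Status: active/ { active = 1 }
        /^Default:/ && /deny \(incoming\)/ && /allow \(outgoing\)/ { policy = 1 }
        END { exit !(active && policy) }
    '
}

# Takes the word printed by `systemctl is-enabled`; succeeds if the unit will
# not start at boot. Empty covers older systemd, which prints nothing on
# stdout for a unit that is not installed.
unit_off() {
    case "$1" in
        disabled|masked|not-found|"") return 0 ;;
        *) return 1 ;;   # enabled, static, indirect, ... count as a finding
    esac
}

report() {   # report <label> <exit status>
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; FAILED=1; fi
}

audit_host() {
    FAILED=0
    ufw status verbose 2>/dev/null | ufw_policy_ok
    report "ufw active, deny incoming / allow outgoing" $?
    for unit in unattended-upgrades fail2ban auditd; do
        systemctl is-active --quiet "$unit"
        report "$unit is running" $?
    done
    # Socket units are checked too: they can start the service on demand.
    for unit in avahi-daemon.service avahi-daemon.socket cups.service cups.socket; do
        unit_off "$(systemctl is-enabled "$unit" 2>/dev/null)"
        report "$unit is not enabled" $?
    done
    return "$FAILED"
}

if [ "${1:-}" = "--run" ]; then audit_host; fi
```

The script exits non-zero if any check fails, so it can gate a provisioning or CI step.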


##### Credits: 
[https://github.com/DouglasFreshHabian/Cheatsh33ts/blob/main/TLDR/fortress.md](https://github.com/DouglasFreshHabian/Cheatsh33ts/blob/main/TLDR/fortress.md)