Script for hardening Linux servers

Parameter | Description |
---|---|
-k | Enter keyword or option |
-e | Enter export location |
-t | Include thorough (lengthy) tests |
-r | Enter report name |
-h | Displays this help text |
-i | Displays IPTABLES Basic or Advanced Execution Command for LAN Network. Mode: -i basic/advanced |
-r | Displays RECON in LAN Network. Mode: -r scan/dhcp/dns |
-s | Displays SERVICES in Server. Mode: -s info/start/restart/stop |
-S | Displays SYSTEM in Server. Mode: -S host/timezone |

Functions | Keyword |
---|---|
iptables_basic | status: Basic iptables status of firewall<br>dns_ext: Allow DNS request through Internet<br>http_ext: Allow HTTP and HTTPS request through Internet<br>dhcp_ext: Allow DHCP request<br>icmp_ext: Allow outgoing ping request<br>ssh_ext: Allow SSH request<br>ssh_server: Allow SSH connection to this Server<br>icmp_lan: Allow ICMP forwarding to LAN Network<br>http_lan: Allow HTTP and HTTPS traffic forwarding to LAN Network<br>http_server: Allow HTTP Server forwarding to LAN Network<br>dns_lan: Allow DNS Request forwarding to LAN Network<br>dnat_http: DNAT to client of the LAN Network<br>snat_lan: SNAT for outgoing packets through internet<br>list_filter: List of rules applied to the filter table<br>list_nat: List of rules applied for the table nat<br>delete_selective: Selective deleting by rule number<br>restart_firewall: Deleting (flushing) all the rules and delete chain<br>policy_default: Setting policy by default |
iptables_advanced | status: Basic iptables status of firewall<br>avoid_scan: Restrict certain types of scans or malformed packets<br>avoid_syn: Limit incoming TCP SYN connections<br>avoid_ping: Avoid ping per second and IP ADDRESS<br>dns_ext: Allow DNS request through Internet<br>http_ext: Allow HTTP and HTTPS request through Internet<br>icmp_ext: Allow or enable ping request<br>ssh_ext: Allow SSH<br>ssh_dmz: Allow SSH request to DMZ<br>ssh_server: Allow SSH Server traffic<br>icmp_dmz: Allow source ICMP traffic from DMZ<br>http_dmz: Allow HTTP and HTTPS traffic<br>dns_dmz: Allow DNS Requests<br>http_dmz_server: Allow DMZ Web Server traffic. HTTP and HTTPS<br>mail_dmz_server: Allow Mail Web Server traffic<br>icmp_lan: Allow source ICMP traffic from LAN Network<br>http_lan: Allow HTTP and HTTPS traffic<br>http_server: Allow HTTP server in LAN Network<br>dns_lan: Allow DNS Requests<br>dnat_http: DNAT to client of the DMZ Network --> HTTP Port 80<br>dnat_https: DNAT to client of the DMZ Network --> HTTPS Port 443<br>dnat_smtp: DNAT to client of the DMZ Network --> SMTP Port 25<br>dnat_smtps: DNAT to client of the DMZ Network --> SMTPS Port 465<br>dnat_pop3: DNAT to client of the DMZ Network --> POP3 Port 110<br>dnat_pop3secure: DNAT to client of the DMZ Network --> POP3 Securely Port 995<br>dnat_imap: DNAT to client of the DMZ Network --> IMAP Port 220<br>dnat_imaps: DNAT to client of the DMZ Network --> IMAPS Port 993<br>snat_lan: SNAT for outgoing packets through internet and LAN NETWORK<br>snat_dmz: SNAT for outgoing packets through internet and DMZ NETWORK<br>list_filter: List of rules applied to the filter table<br>list_nat: List of rules applied for the table nat<br>delete_selective: Selective deleting by rule number<br>restart_firewall: Deleting (flushing) all the rules and delete chain<br>policy_default: Setting policy by default<br>disable_ipv6: Deactivation of the ipv6 protocol |
recon_scan | bash_ping: Ping sweep<br>nmap_ping: Ping sweep<br>nmap_scan: Scan TCP, verbose and determine open ports and services |
recon_dhcp | No Keyword |
recon_dns | No Keyword |
services_info | service: Status of service<br>ps: Displays information about a selection of the active processes. |
services_start | apache2: Start a service<br>mysql: Start a service |
services_restart | apache2: Restart a service<br>mysql: Restart a service |
services_stop | apache2: Stop a service<br>mysql: Stop a service |
host | configure: Host file configuration<br>route_localhost: Add new malicious domain to hosts file, and route to localhost<br>check_route: Check if hosts file is working, by sending ping to 127.0.0.1<br>dns_flush: DNS cache flush<br>dnsmasq_flush: Flush dnsmasq DNS cache |
timezone | configure: Timezone configuration |

Example:

```
./linuxprotect.sh -i basic -k ssh_server
```

**IPTABLES** (avoid_scan, avoid_syn and avoid_ping): These rules must be executed just before the rules for connections.
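
One way to enforce this ordering when several advanced keywords are applied in one run, as an added example that is not part of linuxprotect.sh. It assumes each invocation appends its rules, so invocation order equals rule order; `LINUXPROTECT`, `DRY_RUN` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of linuxprotect.sh.
# Assumption: each invocation appends its rules, so invocation order == rule order.
# Scope: only avoid_* and connection (allow/NAT) keywords; do not pass
# restart_firewall or policy_default through this helper.
LINUXPROTECT="${LINUXPROTECT:-./linuxprotect.sh}"   # hypothetical path variable

# Print the keywords one per line: avoid_* first, the rest in original order.
order_keywords() {
    for kw in "$@"; do
        case "$kw" in avoid_scan|avoid_syn|avoid_ping) printf '%s\n' "$kw" ;; esac
    done
    for kw in "$@"; do
        case "$kw" in avoid_scan|avoid_syn|avoid_ping) ;; *) printf '%s\n' "$kw" ;; esac
    done
}

# Return 0 only if no avoid_* keyword comes after a connection keyword.
order_is_safe() {
    seen_conn=0
    for kw in "$@"; do
        case "$kw" in
            avoid_scan|avoid_syn|avoid_ping)
                [ "$seen_conn" -eq 0 ] || return 1 ;;
            *) seen_conn=1 ;;
        esac
    done
    return 0
}

# Apply keywords in safe order. DRY_RUN=1 (default) prints the commands only.
apply_advanced() {
    order_keywords "$@" | while IFS= read -r kw; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '%s -i advanced -k %s\n' "$LINUXPROTECT" "$kw"
        else
            "$LINUXPROTECT" -i advanced -k "$kw" || exit 1
        fi
    done
}

# Constructed sample request, deliberately given in an unsafe order.
apply_advanced ssh_server avoid_syn http_dmz_server avoid_scan avoid_ping
```

Set `DRY_RUN=0` to execute the printed commands instead of listing them.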