The project aims to automate the process of hardening and securing a fresh installation of Ubuntu 22.04 LTS on a server. This script enhances the security posture of your server by implementing best practices for system and network security, including firewall configuration, SSH hardening, intrusion detection, and DDoS protection.
- Swap Creation: Automatically creates swap space based on physical memory.
- System Update and Upgrade: Ensures the server has the latest updates and security patches.
- User Management: Adds a new user and configures SSH keys for secure access.
- SSH Configuration: Hardens SSH configuration by changing the default port, disabling root login, and enforcing key-based authentication.
- Firewall Setup: Configures UFW firewall with default deny rules and allows necessary ports.
- Server Hardening: Includes various security measures such as installing fail2ban, configuring unattended-upgrades, and securing shared memory.
- Intrusion Detection: Installs and configures PSAD for network intrusion detection.
- DDoS Protection: Implements iptables rules to protect against DDoS attacks.
- Service Disabling: Disables unnecessary services to reduce attack surface.
- File Integrity Monitoring: Sets up AIDE for regular file system integrity checks.
- Logging and Monitoring: Installs auditd and configures logwatch for enhanced logging and monitoring.
- A fresh installation of Ubuntu 22.04 LTS.
- Root access to the server.
- Clone the repository:
git clone https://github.com/mzubair481/UbuntuServerHardening.git cd UbuntuServerHardening - Make the script executable:
chmod +x harden-ubuntu.sh
- Run the script:
sudo ./harden-ubuntu.sh
- Follow the on-screen instructions to configure the script.
The script modifies /etc/ssh/sshd_config to enhance SSH security:
- Changes the SSH port (user-specified).
- Disables root login.
- Enforces public key authentication.
- Limits authentication attempts and sessions.
The script sets up UFW with the following rules:
- Deny all incoming traffic by default.
- Allow all outgoing traffic by default.
- Allow SSH on the user-specified port.
Configures fail2ban to protect against brute-force attacks:
- Monitors SSH access attempts.
- Bans IPs with too many failed login attempts.
Installs and configures PSAD for intrusion detection:
- Monitors network traffic for suspicious activity.
- Updates signature database.
Sets up AIDE for file integrity monitoring:
- Initializes the AIDE database.
- Schedules daily checks for file integrity.
You can customize various aspects of the script by modifying the respective functions within the harden-ubuntu.sh file. For example, you can change the default SSH port, add additional firewall rules, or configure different fail2ban settings.
Contributions are welcome! Please fork the repository and submit a pull request with your improvements.
This project is licensed under the MIT License. See the LICENSE file for details.
This script is provided as-is and without warranty. Always review and test the script in a safe environment before using it in production.