Category: Security

Hardening, nginx

Nginx Hardening & Security Script

Tested on Debian 9.x Hide nginx version sed -i "s/# server_tokens off;/server_tokens off;/g" /etc/nginx/nginx.confsed -i "s/# server_tokens off;/server_tokens off;/g" /etc/nginx/nginx.conf Remove ETags sed -i ‘s/server_tokens off;/server_tokens off;\netag off;/’ /etc/nginx/nginx.confsed -i ‘s/server_tokens off;/server_tokens off;\netag off;/’ /etc/nginx/nginx.conf Remove default page echo "" > /var/www/html/index.htmlecho "" > /var/www/html/index.html Use strong cipher suites sed -i "s/ssl_prefer_server_ciphers on;/ssl_prefer_server_ciphers on;\nssl_ciphers …

Hardening, OpenSSH

SSH Hardening & Security Script

Tested on Debian 9.x Set /etc/ssh/sshd_config ownership and access permissions chown root:root /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_configchown root:root /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config Change Port sed -i "s/#Port 22/Port 62111/g" /etc/ssh/sshd_configsed -i "s/#Port 22/Port 62111/g" /etc/ssh/sshd_config Use Protocol 2 echo "Protocol 2" >> /etc/ssh/sshd_configecho "Protocol 2" >> /etc/ssh/sshd_config Set SSH LogLevel to INFO sed -i "/LogLevel.*/s/^#//g" …

Hardening, Network

Network Hardening & Security Script

Tested on Debian 9.x Disable IP forwarding sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/" /etc/sysctl.conf sysctl -w net.ipv4.ip_forward=0sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/" /etc/sysctl.conf sysctl -w net.ipv4.ip_forward=0 Disable packet redirect sending sed -i "/net.ipv4.conf.all.send_redirects.*/s/^#//g" /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.conf.default.send_redirects=0sed -i "/net.ipv4.conf.all.send_redirects.*/s/^#//g" /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.conf.default.send_redirects=0 Disable source routed …

Hardening, IPTables

Basic iptables security script

Tested on Debian 9.x Install iptables apt -y install iptablesapt -y install iptables Install iptables-persistent apt -y install iptables-persistent systemctl enable netfilter-persistentapt -y install iptables-persistent systemctl enable netfilter-persistent Flush/Delete firewall rules iptables -F iptables -X iptables -Ziptables -F iptables -X iptables -Z Î’lock null packets (DoS) iptables -A INPUT -p tcp –tcp-flags ALL NONE …

Hardening, Linux

Linux Users Hardening & Security Script

Tested on Debian 9.x Set Maximum number of days a password may be used sed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/" /etc/login.defssed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/" /etc/login.defs Set Minimum number of days allowed between password changes to 5 sed -i "s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 5/" /etc/login.defssed -i "s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 5/" /etc/login.defs Set Number of days warning given before a password expires sed …

Apache, Hardening

Apache Web Server Hardening & Security Script

Tested on Debian 9.x Become root sudo su -sudo su – Hide Apache2 version echo "ServerSignature Off" >> /etc/apache2/apache2.conf echo "ServerTokens Prod" >> /etc/apache2/apache2.confecho "ServerSignature Off" >> /etc/apache2/apache2.conf echo "ServerTokens Prod" >> /etc/apache2/apache2.conf Remove ETags echo "FileETag None" >> /etc/apache2/apache2.confecho "FileETag None" >> /etc/apache2/apache2.conf Disable Directory Browsing a2dismod -f autoindexa2dismod -f autoindex Remove default …

Hardening, Microsoft Windows server 2016

Windows Server Hardening – Account Policies

The following were tested on Windows Server 2016 (Screenshots included). Account Policies Password Policy 1. Ensure ‘Enforce password history’ is set to ’24 or more password(s) Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value …

Linux, Security

Change admin passwords

System sudo passwd rootsudo passwd root MySQL mysqladmin -u root -p passwordmysqladmin -u root -p password PostgreSQL sudo -u postgres psql -U postgres -h -d postgres -c "ALTER USER postgres WITH PASSWORD ‘newpassword’;"sudo -u postgres psql -U postgres -h -d postgres -c "ALTER USER postgres WITH PASSWORD ‘newpassword’;" Gitlab GLPI Project mysql -u …

Linux, Security

Get a list of Open Ports in Linux

netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Get a list of open tcp/udp ports sudo netstat -plntusudo netstat -plntu -p = display PID/Program name for sockets -l = display listening server sockets -n = don’t resolve names -t = tcp ports -u = udp ports

Debian, Encryption, Security

Remote unlocking LUKS encrypted LVM

Install dropbear on server sudo apt-get install dropbearsudo apt-get install dropbear Generate an SSH key pair on the client system (the one which will be used to unlock the remote machine) Stop dropbear from starting on normal boot on Server sudo update-rc.d -f dropbear removesudo update-rc.d -f dropbear remove Auto start dropbear sudo sed …