naivenom/linuxprotect


linuxprotect

Script for hardening Linux servers

| Parameter | Description |
| --- | --- |
| `-k` | Enter keyword or option |
| `-e` | Enter export location |
| `-t` | Include thorough (lengthy) tests |
| `-r` | Enter report name |
| `-h` | Displays this help text |
| `-i` | Displays IPTABLES Basic or Advanced Execution Command for LAN Network. Mode: `-i basic/advanced` |
| `-r` | Displays RECON in LAN Network. Mode: `-r scan/dhcp/dns` |
| `-s` | Displays SERVICES in Server. Mode: `-s info/start/restart/stop` |
| `-S` | Displays SYSTEM in Server. Mode: `-S host/timezone` |

| Functions | Keyword |
| --- | --- |
| iptables_basic | `status`: Basic iptables status of firewall |
| | `dns_ext`: Allow DNS requests through the Internet |
| | `http_ext`: Allow HTTP and HTTPS requests through the Internet |
| | `dhcp_ext`: Allow DHCP requests |
| | `icmp_ext`: Allow outgoing ping requests |
| | `ssh_ext`: Allow SSH requests |
| | `ssh_server`: Allow SSH connections to this server |
| | `icmp_lan`: Allow ICMP forwarding to LAN Network |
| | `http_lan`: Allow HTTP and HTTPS traffic forwarding to LAN Network |
| | `http_server`: Allow HTTP Server forwarding to LAN Network |
| | `dns_lan`: Allow DNS request forwarding to LAN Network |
| | `dnat_http`: DNAT to client of the LAN Network |
| | `snat_lan`: SNAT for outgoing packets through the Internet |
| | `list_filter`: List of rules applied to the filter table |
| | `list_nat`: List of rules applied to the nat table |
| | `delete_selective`: Selective deleting by rule number |
| | `restart_firewall`: Deleting (flushing) all the rules and deleting chains |
| | `policy_default`: Setting the default policy |
| iptables_advanced | `status`: Basic iptables status of firewall |
| | `avoid_scan`: Restrict certain types of scans or malformed packets |
| | `avoid_syn`: Limit incoming TCP SYN connections |
| | `avoid_ping`: Limit pings per second and per IP address |
| | `dns_ext`: Allow DNS requests through the Internet |
| | `http_ext`: Allow HTTP and HTTPS requests through the Internet |
| | `icmp_ext`: Allow or enable ping requests |
| | `ssh_ext`: Allow SSH |
| | `ssh_dmz`: Allow SSH requests to DMZ |
| | `ssh_server`: Allow SSH Server traffic |
| | `icmp_dmz`: Allow source ICMP traffic from DMZ |
| | `http_dmz`: Allow HTTP and HTTPS traffic |
| | `dns_dmz`: Allow DNS requests |
| | `http_dmz_server`: Allow DMZ Web Server traffic. HTTP and HTTPS |
| | `mail_dmz_server`: Allow Mail Web Server traffic |
| | `icmp_lan`: Allow source ICMP traffic from LAN Network |
| | `http_lan`: Allow HTTP and HTTPS traffic |
| | `http_server`: Allow HTTP server in LAN Network |
| | `dns_lan`: Allow DNS requests |
| | `dnat_http`: DNAT to client of the DMZ Network --> HTTP Port 80 |
| | `dnat_https`: DNAT to client of the DMZ Network --> HTTPS Port 443 |
| | `dnat_smtp`: DNAT to client of the DMZ Network --> SMTP Port 25 |
| | `dnat_smtps`: DNAT to client of the DMZ Network --> SMTPS Port 465 |
| | `dnat_pop3`: DNAT to client of the DMZ Network --> POP3 Port 110 |
| | `dnat_pop3secure`: DNAT to client of the DMZ Network --> POP3 Securely Port 995 |
| | `dnat_imap`: DNAT to client of the DMZ Network --> IMAP Port 220 |
| | `dnat_imaps`: DNAT to client of the DMZ Network --> IMAPS Port 993 |
| | `snat_lan`: SNAT for outgoing packets through the Internet and LAN Network |
| | `snat_dmz`: SNAT for outgoing packets through the Internet and DMZ Network |
| | `list_filter`: List of rules applied to the filter table |
| | `list_nat`: List of rules applied to the nat table |
| | `delete_selective`: Selective deleting by rule number |
| | `restart_firewall`: Deleting (flushing) all the rules and deleting chains |
| | `policy_default`: Setting the default policy |
| | `disable_ipv6`: Deactivation of the IPv6 protocol |
| recon_scan | `bash_ping`: Ping sweep |
| | `nmap_ping`: Ping sweep |
| | `nmap_scan`: Scan TCP, verbose and determine open ports and services |
| recon_dhcp | No Keyword |
| recon_dns | No Keyword |
| services_info | `service`: Status of service |
| | `ps`: Displays information about a selection of the active processes |
| services_start | `apache2`: Start a service |
| | `mysql`: Start a service |
| services_restart | `apache2`: Restart a service |
| | `mysql`: Restart a service |
| services_stop | `apache2`: Stop a service |
| | `mysql`: Stop a service |
| host | `configure`: Hosts file configuration |
| | `route_localhost`: Add a new malicious domain to the hosts file and route it to localhost |
| | `check_route`: Check if the hosts file is working by sending a ping to 127.0.0.1 |
| | `dns_flush`: DNS cache flush |
| | `dnsmasq_flush`: Flush dnsmasq DNS cache |
| timezone | `configure`: Timezone configuration |

Example: `./linuxprotect.sh -i basic -k ssh_server`

**IPTABLES** (avoid_scan, avoid_syn and avoid_ping): These rules must be executed just before the rules for connections
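
The ordering note above matters because iptables evaluates a chain top to bottom and stops at the first terminating match, so a protective rule placed after a service ACCEPT never sees that traffic. The following is an added example, not code from linuxprotect: a check over `iptables -S` output that counts protective rules sitting behind the first service ACCEPT. It assumes the rules are appended with `-A`, that protective rules can be recognised by the match options in the pattern below, and both sample rulesets are constructed.

```shell
#!/bin/sh
# Added example (not part of linuxprotect). Heuristic order check for a chain.
# Assumption: protective rules use --tcp-flags, -m limit, -m hashlimit or
# -m recent; "connection rules" are ACCEPT rules that carry --dport.

# Usage on a live host (as root): iptables -S INPUT | misordered_rules INPUT
# Prints the number of protective rules found after the first service ACCEPT.
misordered_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /--tcp-flags|-m limit|-m hashlimit|-m recent/) {
                # Protective rule: misplaced if a service ACCEPT came first.
                if (seen_accept) bad++
            } else if ($0 ~ /--dport/ && $0 ~ /-j ACCEPT/) {
                seen_accept = 1
            }
        }
        END { print bad + 0 }'
}

# Constructed sample: scan and SYN-flood drops first, then the SSH ACCEPT.
good_ruleset() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-above 10/sec --hashlimit-mode srcip --hashlimit-name syn -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Constructed sample: the SSH ACCEPT was added first, so packets to port 22
# are accepted before the two protective rules are ever consulted.
bad_ruleset() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-above 10/sec --hashlimit-mode srcip --hashlimit-name syn -j DROP
EOF
}

echo "good ruleset, misordered rules: $(good_ruleset | misordered_rules INPUT)"
echo "bad ruleset, misordered rules:  $(bad_ruleset | misordered_rules INPUT)"
```

A non-zero count means the chain should be flushed and rebuilt with the protective keywords applied first.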