Learn Linux, Now! Use it Everyday!!!
Here’s a script that can be used to harden an Ubuntu Desktop 22.04 system:
Note: test this script before relying on it, as your system may need additional packages. Never blindly copy and paste from the internet: copy it, test it in a test environment, and only then implement it.
#!/bin/bash
# Stop at the first failing command so a half-applied hardening run is obvious
set -euo pipefail
# Refresh the package lists once before the installs below
sudo apt update
# Set password policy
sudo apt install -y libpam-pwquality
sudo sed -i 's/#\?\(password\s*requisite\s*pam_pwquality\.so.*\)/\1/' /etc/pam.d/common-password
# On Ubuntu 22.04 the pam_unix line carries a [success=1 default=ignore] control field
# (and already has try_first_pass), so match the module name and add remember=5 only once.
# Note that pam-auth-update can regenerate this file and drop manual edits.
sudo sed -i '/pam_unix\.so/{/remember=/!s/\(pam_unix\.so.*\)$/\1 remember=5/}' /etc/pam.d/common-password
sudo sed -i 's/#\?\(password\s*optional\s*pam_gnome_keyring\.so.*\)/\1/' /etc/pam.d/common-password
# Disable root login and password-based authentication over SSH
# (only applies if openssh-server is installed; make sure your SSH key already
# works before turning password logins off, or you will lock yourself out)
if [ -f /etc/ssh/sshd_config ]; then
    sudo sed -i 's/^#\?\(PermitRootLogin\s*\).*$/\1no/' /etc/ssh/sshd_config
    sudo sed -i 's/^#\?\(PasswordAuthentication\s*\).*$/\1no/' /etc/ssh/sshd_config
    # Validate the config before restarting; a syntax error would leave sshd down
    sudo sshd -t
    sudo systemctl restart ssh   # the unit is ssh.service on Ubuntu (sshd is an alias)
fi
# Install and enable firewall
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw --force enable   # --force skips the interactive confirmation prompt
# Install and configure AppArmor
sudo apt install -y apparmor apparmor-profiles apparmor-utils
# /etc/apparmor.d/ also contains directories (abstractions, tunables, ...),
# so pass only regular profile files to aa-enforce
for profile in /etc/apparmor.d/*; do
    if [ -f "$profile" ]; then
        sudo aa-enforce "$profile" || echo "warning: could not enforce $profile"
    fi
done
sudo systemctl enable apparmor.service
sudo systemctl restart apparmor.service
# Install and configure fail2ban
sudo apt install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# jail.conf on 22.04 ships "bantime  = 10m", not "600s"; replace only the first
# (global [DEFAULT]) bantime so the longer [recidive] ban is left alone
sudo sed -i '0,/^bantime\s*=/s//bantime = 86400s/' /etc/fail2ban/jail.local
sudo systemctl enable fail2ban.service
sudo systemctl restart fail2ban.service
# Disable guest session (LightDM only; Ubuntu 22.04 Desktop ships GDM3,
# which has no guest session, so this is skipped there)
if [ -d /etc/lightdm ]; then
    sudo mkdir -p /etc/lightdm/lightdm.conf.d
    sudo sh -c 'printf "[SeatDefaults]\nallow-guest=false\n" > /etc/lightdm/lightdm.conf.d/50-no-guest.conf'
fi
# Disable Bluetooth if not needed (--now also stops the running service)
sudo systemctl disable --now bluetooth.service
# Upgrade installed packages (the package lists were refreshed at the top)
sudo apt upgrade -y
echo "System hardening complete!"
This script performs the following actions:
- Sets a stronger password policy by installing the libpam-pwquality library and modifying the /etc/pam.d/common-password file.
- Disables root login and password-based authentication over SSH by modifying the /etc/ssh/sshd_config file and restarting the SSH service.
- Installs and enables the Uncomplicated Firewall (UFW) to restrict incoming connections, allows outgoing connections, and permits SSH traffic.
- Installs and configures AppArmor to restrict application access to system resources.
- Installs and configures fail2ban to prevent brute-force attacks on SSH.
- Disables the guest session feature to prevent unauthorized access.
- Disables Bluetooth if not needed to reduce the attack surface.
- Updates the system packages to the latest version.
To use the script, save it to a file (e.g., harden_system.sh), make it executable with the command chmod +x harden_system.sh, and then run it with sudo ./harden_system.sh. Note that some of the changes may require a system reboot to take effect.
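After running the hardening script, it is worth verifying that the settings actually landed, since several of the sed edits silently do nothing when their pattern does not match. The checker below is an added example, not part of the original post: its file paths and expected values (PermitRootLogin no, PasswordAuthentication no, remember=5, bantime 86400s, ufw active) mirror the script above and are assumptions. It parses the files the way the daemons do, in particular sshd's first-match rule for duplicate keywords and fail2ban's s/m/h/d/w time suffixes.

```shell
#!/bin/sh
# verify_hardening.sh: read-only checks for the settings the hardening script
# is meant to leave behind. Added example, not part of the original post;
# paths and expected values mirror that script and are assumptions.

# Effective value of an sshd_config keyword: sshd uses the FIRST uncommented
# occurrence, so a later "PermitRootLogin yes" does not override an earlier "no".
# (`sshd -T` is the authoritative view because it also follows Include and Match.)
sshd_option() {  # sshd_option FILE KEYWORD -> value, lowercased
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# remember=N argument on the live pam_unix.so line (empty if not set)
pam_remember() {  # pam_remember FILE
    sed -n 's/^[^#].*pam_unix\.so.*remember=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# First top-level "bantime = ..." in a fail2ban jail file, converted to seconds.
# fail2ban accepts a bare number (seconds) or an s/m/h/d/w suffix; 0 means unset.
fail2ban_bantime_seconds() {  # fail2ban_bantime_seconds FILE
    val=$(sed -n 's/^bantime[[:space:]]*=[[:space:]]*\([0-9]*[smhdw]\{0,1\}\).*/\1/p' "$1" | head -n 1)
    case "$val" in
        '') echo 0 ;;
        *s) echo "${val%s}" ;;
        *m) echo $(( ${val%m} * 60 )) ;;
        *h) echo $(( ${val%h} * 3600 )) ;;
        *d) echo $(( ${val%d} * 86400 )) ;;
        *w) echo $(( ${val%w} * 604800 )) ;;
        *)  echo "$val" ;;
    esac
}

# Compare an observed value with the expected one and count failures
expect() {  # expect LABEL ACTUAL EXPECTED
    if [ "$2" = "$3" ]; then
        printf 'PASS %s = %s\n' "$1" "$2"
    else
        printf 'FAIL %s = "%s" (expected %s)\n' "$1" "$2" "$3"
        fails=$((fails + 1))
    fi
}

# Run every check against the live system; returns non-zero if anything failed
check_system() {
    fails=0
    f=/etc/ssh/sshd_config
    if [ -r "$f" ]; then
        expect PermitRootLogin "$(sshd_option "$f" PermitRootLogin)" no
        expect PasswordAuthentication "$(sshd_option "$f" PasswordAuthentication)" no
    else
        printf 'SKIP %s not readable\n' "$f"
    fi
    f=/etc/pam.d/common-password
    if [ -r "$f" ]; then
        expect "pam_unix remember" "$(pam_remember "$f")" 5
    else
        printf 'SKIP %s not readable\n' "$f"
    fi
    f=/etc/fail2ban/jail.local
    if [ -r "$f" ]; then
        expect "fail2ban bantime (seconds)" "$(fail2ban_bantime_seconds "$f")" 86400
    else
        printf 'SKIP %s not readable\n' "$f"
    fi
    if command -v ufw >/dev/null 2>&1; then
        # ufw status needs root; a non-root run reports FAIL here
        if ufw status 2>/dev/null | grep -q '^Status: active'; then
            printf 'PASS ufw active\n'
        else
            printf 'FAIL ufw not active\n'; fails=$((fails + 1))
        fi
    else
        printf 'SKIP ufw not installed\n'
    fi
    printf '%d check(s) failed\n' "$fails"
    [ "$fails" -eq 0 ]
}

# Live checks run only when asked for, so the functions can also be sourced
# from another script. Usage: sudo sh verify_hardening.sh --live
if [ "${1:-}" = "--live" ]; then
    check_system
    exit $?
fi
```

Run it as sudo sh verify_hardening.sh --live; a non-zero exit status means at least one FAIL line was printed, which makes it usable from a cron job or a configuration-management post-check. The sshd_option parser deliberately stops at the first match because that is what sshd does; on 22.04 the main file starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there wins over anything edited in sshd_config itself, which is exactly the case sshd -T will show and this simple parser will not.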
Note: pwquality is a library used to enforce stronger password policies on Linux systems. It can be used to set rules for the minimum length, complexity, and uniqueness of passwords, as well as to prevent users from using commonly used or easily guessable passwords.
A password policy using pwquality typically involves modifying the /etc/pam.d/common-password file, which is used to define password-related rules for all applications that use the Pluggable Authentication Modules (PAM) system.
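The hardening script only uncomments the pam_pwquality line, which leaves the module at its built-in defaults. The policy values themselves live in /etc/security/pwquality.conf, and the example below (added here, not from the original post) writes an explicit policy into that file and reads it back. The chosen numbers (minlen 14, minclass 3, maxrepeat 3) are a suggested policy and an assumption on my part; the key names are the ones documented in pwquality.conf(5).

```shell
#!/bin/sh
# pwquality_policy.sh: set an explicit libpwquality policy and read it back.
# Added example, not from the original post. The values below are a suggested
# policy, not anything the post prescribes; the key names come from pwquality.conf(5).
PWQUALITY_CONF="${PWQUALITY_CONF:-/etc/security/pwquality.conf}"

# Set KEY = VALUE in a pwquality.conf-style file: rewrite an existing line for the
# key (including a commented-out "# minlen = 8" template line), otherwise append.
# Keys and values are plain words here, so they are safe to splice into the sed regex.
set_pwquality() {  # set_pwquality FILE KEY VALUE
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$2[[:space:]]*=.*/$2 = $3/" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Read the effective (last, uncommented) value of KEY; prints nothing if unset
get_pwquality() {  # get_pwquality FILE KEY
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | tail -n 1
}

# The policy itself; creates the file if it does not exist yet
apply_policy() {  # apply_policy FILE
    [ -f "$1" ] || : > "$1"
    set_pwquality "$1" minlen 14     # minimum length of a new password
    set_pwquality "$1" minclass 3    # at least 3 of: lowercase, uppercase, digits, other
    set_pwquality "$1" maxrepeat 3   # reject more than 3 identical consecutive characters
    set_pwquality "$1" usercheck 1   # reject passwords that contain the user name
    set_pwquality "$1" dictcheck 1   # reject dictionary words (cracklib check)
    set_pwquality "$1" enforcing 1   # reject failing passwords instead of only warning
}

# Touch the real file only when asked (needs root), so this file can also be sourced.
# Usage: sudo sh pwquality_policy.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_policy "$PWQUALITY_CONF"
    printf 'minlen is now %s in %s\n' "$(get_pwquality "$PWQUALITY_CONF" minlen)" "$PWQUALITY_CONF"
fi
```

Because pam_pwquality reads pwquality.conf on every password change, no PAM edit or service restart is needed after applying the policy. To see how the new rules score a candidate password without changing any account, install libpwquality-tools and pipe a test string into pwscore, which prints a score or the reason the password was rejected.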