Skip to content

Instantly share code, notes, and snippets.

@nos486
Last active May 13, 2026 06:16
Show Gist options
  • Select an option

  • Save nos486/e74e1730af30e7ba4aa19344d4d8e849 to your computer and use it in GitHub Desktop.

Select an option

Save nos486/e74e1730af30e7ba4aa19344d4d8e849 to your computer and use it in GitHub Desktop.
Harden Ubuntu
#!/bin/bash
# ==========================================
# 1. Root Privilege Check
# ==========================================
if [ "$EUID" -ne 0 ]; then
echo "[!] Error: Please run this script as root (use: sudo ./harden_ubuntu.sh)."
exit 1
fi
# ==========================================
# 2. Operating System Check (Ubuntu Only)
# ==========================================
if [ -f /etc/os-release ]; then
. /etc/os-release
if [ "$ID" != "ubuntu" ]; then
echo "[!] Error: This script is designed specifically for Ubuntu."
echo " Current OS detected: $NAME"
exit 1
fi
else
echo "[!] Error: Cannot detect Operating System. /etc/os-release not found."
exit 1
fi
echo "======================================================="
echo " Advanced Ubuntu Server Hardening Script "
echo "======================================================="
# ==========================================
# Step 1: Disable Cloud Provider Agents
# ==========================================
echo -e "\n[*] Step 1: Disabling Cloud Provider Agents..."
if systemctl list-unit-files | grep -q qemu-guest-agent; then
systemctl stop qemu-guest-agent 2>/dev/null
systemctl disable qemu-guest-agent 2>/dev/null
echo " [+] qemu-guest-agent disabled."
else
echo " [-] qemu-guest-agent not found. Skipping."
fi
if [ -d /etc/cloud ]; then
touch /etc/cloud/cloud-init.disabled
echo " [+] cloud-init disabled."
else
echo " [-] /etc/cloud directory not found. Skipping."
fi
# ==========================================
# Step 2: Securing Network (Sysctl Hardening)
# ==========================================
echo -e "\n[*] Step 2: Securing Network (Sysctl Hardening)..."
SYSCTL_CONF="/etc/sysctl.d/99-security.conf"
cat <<EOF > $SYSCTL_CONF
# Prevent SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Disable ICMP redirects (prevent MITM routing attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Log spoofed packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
sysctl -p $SYSCTL_CONF >/dev/null 2>&1
echo " [+] Network security parameters applied."
# ==========================================
# Step 3: Disabling Uncommon Protocols
# ==========================================
echo -e "\n[*] Step 3: Disabling Uncommon/Vulnerable Network Protocols..."
MODPROBE_CONF="/etc/modprobe.d/disable-uncommon.conf"
cat <<EOF > $MODPROBE_CONF
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
EOF
echo " [+] DCCP, SCTP, RDS, and TIPC protocols disabled."
# ==========================================
# Step 4: Hardening SSH Server (Ubuntu specific)
# ==========================================
echo -e "\n[*] Step 4: Hardening SSH Server..."
SSHD_CONF="/etc/ssh/sshd_config"
if [ -f "$SSHD_CONF" ]; then
cp $SSHD_CONF "${SSHD_CONF}.bak"
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' $SSHD_CONF
sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' $SSHD_CONF
sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' $SSHD_CONF
sed -i 's/^#*X11Forwarding.*/X11Forwarding no/' $SSHD_CONF
# In Ubuntu, the SSH service is strictly named 'ssh'
systemctl restart ssh
echo " [+] SSH hardened (Root password login disabled, empty passwords denied)."
else
echo " [!] Error: SSH config file not found at $SSHD_CONF."
fi
# ==========================================
# Step 5: Securing GRUB Bootloader
# ==========================================
echo -e "\n[*] Step 5: Securing GRUB Bootloader..."
read -p " [?] Enter a username for GRUB [default: admin]: " GRUB_USER
GRUB_USER=${GRUB_USER:-admin}
echo " [?] Please enter the GRUB password (you will be prompted twice):"
MKPASS_OUTPUT=$(grub-mkpasswd-pbkdf2)
GRUB_HASH=$(echo "$MKPASS_OUTPUT" | grep -o 'grub\.pbkdf2\.sha512.*')
if [ -z "$GRUB_HASH" ]; then
echo " [!] Error: Failed to generate GRUB password hash. Skipping GRUB configuration."
else
cp /etc/grub.d/40_custom /etc/grub.d/40_custom.bak
cat <<EOF >> /etc/grub.d/40_custom
# Added by Hardening Script
set superusers="$GRUB_USER"
password_pbkdf2 $GRUB_USER $GRUB_HASH
EOF
update-grub >/dev/null 2>&1
echo " [+] GRUB password successfully configured."
fi
echo "======================================================="
echo " Hardening Completed! Restarting server is advised. "
echo "======================================================="
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment