Last active
May 13, 2026 06:16
-
-
Save nos486/e74e1730af30e7ba4aa19344d4d8e849 to your computer and use it in GitHub Desktop.
Harden Ubuntu
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # ========================================== | |
| # 1. Root Privilege Check | |
| # ========================================== | |
| if [ "$EUID" -ne 0 ]; then | |
| echo "[!] Error: Please run this script as root (use: sudo ./harden_ubuntu.sh)." | |
| exit 1 | |
| fi | |
| # ========================================== | |
| # 2. Operating System Check (Ubuntu Only) | |
| # ========================================== | |
| if [ -f /etc/os-release ]; then | |
| . /etc/os-release | |
| if [ "$ID" != "ubuntu" ]; then | |
| echo "[!] Error: This script is designed specifically for Ubuntu." | |
| echo " Current OS detected: $NAME" | |
| exit 1 | |
| fi | |
| else | |
| echo "[!] Error: Cannot detect Operating System. /etc/os-release not found." | |
| exit 1 | |
| fi | |
| echo "=======================================================" | |
| echo " Advanced Ubuntu Server Hardening Script " | |
| echo "=======================================================" | |
| # ========================================== | |
| # Step 1: Disable Cloud Provider Agents | |
| # ========================================== | |
| echo -e "\n[*] Step 1: Disabling Cloud Provider Agents..." | |
| if systemctl list-unit-files | grep -q qemu-guest-agent; then | |
| systemctl stop qemu-guest-agent 2>/dev/null | |
| systemctl disable qemu-guest-agent 2>/dev/null | |
| echo " [+] qemu-guest-agent disabled." | |
| else | |
| echo " [-] qemu-guest-agent not found. Skipping." | |
| fi | |
| if [ -d /etc/cloud ]; then | |
| touch /etc/cloud/cloud-init.disabled | |
| echo " [+] cloud-init disabled." | |
| else | |
| echo " [-] /etc/cloud directory not found. Skipping." | |
| fi | |
| # ========================================== | |
| # Step 2: Securing Network (Sysctl Hardening) | |
| # ========================================== | |
| echo -e "\n[*] Step 2: Securing Network (Sysctl Hardening)..." | |
| SYSCTL_CONF="/etc/sysctl.d/99-security.conf" | |
| cat <<EOF > $SYSCTL_CONF | |
| # Prevent SYN flood attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Disable ICMP redirects (prevent MITM routing attacks) | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| # Disable source routing | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Ignore ICMP broadcasts | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Log spoofed packets | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.log_martians = 1 | |
| EOF | |
| sysctl -p $SYSCTL_CONF >/dev/null 2>&1 | |
| echo " [+] Network security parameters applied." | |
| # ========================================== | |
| # Step 3: Disabling Uncommon Protocols | |
| # ========================================== | |
| echo -e "\n[*] Step 3: Disabling Uncommon/Vulnerable Network Protocols..." | |
| MODPROBE_CONF="/etc/modprobe.d/disable-uncommon.conf" | |
| cat <<EOF > $MODPROBE_CONF | |
| install dccp /bin/true | |
| install sctp /bin/true | |
| install rds /bin/true | |
| install tipc /bin/true | |
| EOF | |
| echo " [+] DCCP, SCTP, RDS, and TIPC protocols disabled." | |
| # ========================================== | |
| # Step 4: Hardening SSH Server (Ubuntu specific) | |
| # ========================================== | |
| echo -e "\n[*] Step 4: Hardening SSH Server..." | |
| SSHD_CONF="/etc/ssh/sshd_config" | |
| if [ -f "$SSHD_CONF" ]; then | |
| cp $SSHD_CONF "${SSHD_CONF}.bak" | |
| sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' $SSHD_CONF | |
| sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' $SSHD_CONF | |
| sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' $SSHD_CONF | |
| sed -i 's/^#*X11Forwarding.*/X11Forwarding no/' $SSHD_CONF | |
| # In Ubuntu, the SSH service is strictly named 'ssh' | |
| systemctl restart ssh | |
| echo " [+] SSH hardened (Root password login disabled, empty passwords denied)." | |
| else | |
| echo " [!] Error: SSH config file not found at $SSHD_CONF." | |
| fi | |
| # ========================================== | |
| # Step 5: Securing GRUB Bootloader | |
| # ========================================== | |
| echo -e "\n[*] Step 5: Securing GRUB Bootloader..." | |
| read -p " [?] Enter a username for GRUB [default: admin]: " GRUB_USER | |
| GRUB_USER=${GRUB_USER:-admin} | |
| echo " [?] Please enter the GRUB password (you will be prompted twice):" | |
| MKPASS_OUTPUT=$(grub-mkpasswd-pbkdf2) | |
| GRUB_HASH=$(echo "$MKPASS_OUTPUT" | grep -o 'grub\.pbkdf2\.sha512.*') | |
| if [ -z "$GRUB_HASH" ]; then | |
| echo " [!] Error: Failed to generate GRUB password hash. Skipping GRUB configuration." | |
| else | |
| cp /etc/grub.d/40_custom /etc/grub.d/40_custom.bak | |
| cat <<EOF >> /etc/grub.d/40_custom | |
| # Added by Hardening Script | |
| set superusers="$GRUB_USER" | |
| password_pbkdf2 $GRUB_USER $GRUB_HASH | |
| EOF | |
| update-grub >/dev/null 2>&1 | |
| echo " [+] GRUB password successfully configured." | |
| fi | |
| echo "=======================================================" | |
| echo " Hardening Completed! Restarting server is advised. " | |
| echo "=======================================================" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment