Write a shell script to secure a Linux server from outside attacks


To secure a Linux server from outside attacks, you can create a basic shell script to implement several security measures like updating the system, setting up a firewall, disabling root login over SSH, and securing SSH access.


Here’s a simple script that performs some of these actions. You can extend this as needed for your particular use case:


#!/bin/bash


# This script helps to secure a Linux server by implementing basic security measures.


# Function to update the system
update_system() {
    echo "Updating system packages..."
    sudo apt-get update -y && sudo apt-get upgrade -y
}


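# Function to configure UFW firewall
setup_firewall() {
    echo "Setting up the firewall..."
    sudo apt-get install ufw -y
    # Default policy: drop unsolicited inbound traffic, allow outbound.
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    # Allow SSH (22/tcp) before enabling so the current session is not cut off.
    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw enable
    echo "Firewall configured."
}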


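# Function to disable root login over SSH
disable_root_ssh() {
    echo "Disabling root login over SSH..."
    # Match the directive whether it is commented out or set to another value
    # (for example "#PermitRootLogin prohibit-password").
    sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]]+[a-z-]+[[:space:]]*$/PermitRootLogin no/' /etc/ssh/sshd_config
    # Validate the file before restarting so a bad edit cannot take sshd down.
    sudo sshd -t || { echo "sshd_config is invalid; not restarting sshd." >&2; return 1; }
    sudo systemctl restart sshd
    echo "Root login over SSH disabled."
}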


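# Function to change default SSH port
change_ssh_port() {
    SSH_PORT=$1
    echo "Changing SSH port to $SSH_PORT..."
    # Open the new port first: setup_firewall only allowed 22/tcp, so restarting
    # sshd on another port without this rule would lock out remote access.
    sudo ufw allow "$SSH_PORT"/tcp
    # Replace the Port directive whether it is commented out or already set.
    sudo sed -i -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$/Port $SSH_PORT/" /etc/ssh/sshd_config
    # Validate the file before restarting so a bad edit cannot take sshd down.
    sudo sshd -t || { echo "sshd_config is invalid; not restarting sshd." >&2; return 1; }
    sudo systemctl restart sshd
    echo "SSH port changed to $SSH_PORT."
}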


# Function to install and configure Fail2ban
install_fail2ban() {
    echo "Installing Fail2ban..."
    sudo apt-get install fail2ban -y
    sudo systemctl enable fail2ban
    sudo systemctl start fail2ban
    echo "Fail2ban installed and running."
}


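# Function to configure basic SSH security
secure_ssh() {
    echo "Configuring SSH settings..."
    # Each pattern matches the directive whether it is commented out or not,
    # and whether it is currently set to yes or no.
    sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]]+(yes|no)[[:space:]]*$/PasswordAuthentication no/' /etc/ssh/sshd_config
    sudo sed -i -E 's/^#?[[:space:]]*ChallengeResponseAuthentication[[:space:]]+(yes|no)[[:space:]]*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
    # UsePAM no also turns off PAM account and session processing for SSH logins.
    sudo sed -i -E 's/^#?[[:space:]]*UsePAM[[:space:]]+(yes|no)[[:space:]]*$/UsePAM no/' /etc/ssh/sshd_config
    # Validate the file before restarting so a bad edit cannot take sshd down.
    sudo sshd -t || { echo "sshd_config is invalid; not restarting sshd." >&2; return 1; }
    sudo systemctl restart sshd
    echo "SSH secured."
}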


# Function to remove unnecessary services
remove_unnecessary_services() {
    echo "Removing unnecessary services..."
    sudo apt-get purge telnet -y
    sudo apt-get purge vsftpd -y
    sudo apt-get autoremove -y
    echo "Unnecessary services removed."
}


# Main function to run the script
main() {
    echo "Starting server security setup..."

    # Step 1: Update system
    update_system

    # Step 2: Setup firewall
    setup_firewall

    # Step 3: Disable root SSH login
    disable_root_ssh

    # Step 4: Change SSH port (Optional: Change port from 22 to 2222 or any desired port)
    change_ssh_port 2222

    # Step 5: Secure SSH configurations
    secure_ssh

    # Step 6: Install Fail2ban to protect against brute-force attacks
    install_fail2ban

    # Step 7: Remove unnecessary services
    remove_unnecessary_services

    echo "Server security setup completed!"
}


# Execute the main function
main


Steps performed by this script:


1. Update System: Ensures that the system packages are up to date.

2. Setup UFW Firewall: Configures the UFW firewall to allow SSH, HTTP, and HTTPS traffic while denying other incoming traffic.

3. Disable Root Login over SSH: Disables root login over SSH for better security.

4. Change SSH Port: Changes the default SSH port to reduce exposure to common brute-force attacks.

5. Secure SSH Configuration: Disables password authentication in favor of key-based login and applies other recommended SSH settings.

6. Install Fail2ban: Installs Fail2ban to block IPs after a certain number of failed login attempts.

7. Remove Unnecessary Services: Removes insecure and unnecessary services like Telnet and FTP.




How to use this script:


1. Save it to a file, e.g., secure_server.sh.

2. Make it executable with: chmod +x secure_server.sh.

3. Run the script as a superuser: sudo ./secure_server.sh.




Notes:


You should have SSH key-based authentication set up before disabling password authentication.


Test changes like the SSH port change in a safe environment to avoid getting locked out of your server.
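
The sed edits in the script change a setting only when the existing line matches the pattern, so it is worth confirming what sshd will actually enforce after the script has run. The following is an added example, not part of the original script: it compares the output of sshd -T (sshd's effective configuration) with the values the script sets. The function name audit_sshd_dump, the EXPECTED list and both sample dumps are constructed for illustration.

```bash
#!/bin/bash
# Added example: compare sshd's effective settings with the values the
# hardening script above is meant to produce. Input is `sshd -T` output.

# Keyword/value pairs to enforce. sshd -T prints keywords in lowercase.
# Port 2222 is the value the script passes to change_ssh_port.
EXPECTED="permitrootlogin no
passwordauthentication no
port 2222"

# Reads `sshd -T` output on stdin, prints one line per problem and
# returns 0 only when every expected keyword has the expected value.
# The body is a subshell, so its variables do not leak to the caller.
audit_sshd_dump() (
    dump=$(cat)
    failures=0
    while read -r key want; do
        [ -z "$key" ] && continue
        got=$(printf '%s\n' "$dump" |
              awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $want)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=$got expected=$want"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$failures" -eq 0 ]
)

# Constructed sample: a server where none of the sed patterns matched.
SAMPLE_UNCHANGED="port 22
permitrootlogin without-password
passwordauthentication yes
usepam yes"

# Constructed sample: a server where the settings took effect.
SAMPLE_HARDENED="port 2222
permitrootlogin no
passwordauthentication no
usepam no"

# Demo on the constructed samples. On a real host, run instead:
#   sudo sshd -T | audit_sshd_dump
printf '%s\n' "$SAMPLE_UNCHANGED" | audit_sshd_dump || echo "=> not hardened"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_dump && echo "=> hardened"
```

Run the check from a second SSH session while the first one stays open, so a mismatch can be corrected without losing access.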
