Lockdown.sh is a single file zero config shell script to be run to lockdown a newly installed linux os. Lockdown.sh aims to set a sensible baseline which can be built upon for specific needs.
- Zero Config
- Zero Install
- Single file POSIX shell script
This script changes the ssh port to 141. And restricts ssh to key only for the created admin user.
Download and run the script as root, if prompted for anything select y.
wget https://raw.githubusercontent.com/x08d/lockdown.sh/master/lockdown.sh
chmod +x ./lockdown.sh
./lockdown.sh- Updates packages
- Restricts firewall to only allow ssh on
141 - Installs fail2ban
- Configures the kernel
- Adds daily cronjob to update packages on server
- Installs and configures auditd with sensible rules
- Disables core dumps
- Restricts logins
- Create a new admin user
- Restricts ssh and enables only the created admin user
- Adds a legal banner to /etc/issue and /etc/issue.net
- Installs packages recommended by lynis
- Installs and sets up aide
- Enables process accounting
- Disables uncommon filesystems
- Disables firewire and usb storage
- Disables uncommon network protocols
- Restricts access to /root
- Restrict access to compilers
- Moves tmp to tmpfs
- Remounts /tmp /proc /dev /run to be more restrictive
- Purges old and removed packages
- Debian 10
- Debian 8
- (Should work with most debian and debian based OS's)
Please open pull requests and issues on github for anything you find.