This project automates the implementation of Linux Security Best Practices for Ubuntu-based systems. It includes scripts to enforce security measures such as system updates, SSH hardening, user management, firewall setup, intrusion detection, file permissions, encryption, and much more.
Each script is designed to apply specific security best practices, and the project comes with automated test cases to verify that each feature has been correctly implemented.
- Features Implemented
- Getting Started
- Running Security Scripts
- Testing and Verification
- Project Structure
- Security Features Breakdown
- Troubleshooting
- Contributing
- License
- System Updates: Automates the process of keeping the system updated to patch vulnerabilities.
- SSH Hardening: Disables root login, changes the default SSH port, and enhances security with key-based authentication.
- User Management: Adds a secure user with sudo access, enforces password policies, and limits unnecessary users.
- Firewall Setup: Configures UFW (Uncomplicated Firewall) to restrict access to only required ports.
- Intrusion Detection: Implements
Fail2banto block brute force attacks andAIDEto monitor changes in the filesystem. - File Permissions: Secures system-critical files (
/etc/passwd,/etc/shadow) with appropriate file permissions. - Disk Encryption: Ensures the ability to encrypt disks using
LUKSandcryptsetupto protect sensitive data. - Automated Testing: Each feature has an associated test case to ensure it works as expected.
Follow the steps below to set up, execute the security features, and test the security configuration of your Linux system.
Ensure the following are installed on your machine:
- Ubuntu/Linux System (Debian-based)
- Git: To clone the repository
- Sudo privileges: Necessary to execute most scripts.
git clone https://github.com/venky1912/linux-security-project.git
cd linux-security-projectYou can run the provided scripts individually or as part of a larger deployment pipeline. These scripts automate the application of security best practices to your system.
Automates system updates to ensure all software is current and protected from vulnerabilities.
sudo ./scripts/update_and_upgrade.shThis script secures your SSH setup by disabling root login and changing the default SSH port from 22 to 2222. It ensures SSH key-based authentication.
sudo ./scripts/ssh_hardening.shCreates a new secure user (secureuser), adds it to the sudo group, and enforces password complexity by installing and configuring libpam-pwquality.
sudo ./scripts/user_management.shConfigures UFW to allow only necessary traffic, securing your system by enabling only essential ports (2222/tcp for SSH, 80/tcp for HTTP).
sudo ./scripts/firewall_setup.shInstalls Fail2ban to prevent brute force attacks on SSH and AIDE for monitoring file system changes. This provides a basic layer of defense against unauthorized access attempts.
sudo ./scripts/intrusion_detection.shSecures critical system files by enforcing strong permissions for /etc/passwd and /etc/shadow. This minimizes the risk of privilege escalation.
sudo ./scripts/file_permissions.shInstalls cryptsetup for encrypting disks, ensuring that data on the system is protected from unauthorized access.
sudo ./scripts/encryption.shFor each script, there’s a corresponding test script in the tests/ directory. These tests verify that each security feature is correctly implemented.
To verify the implementation of all security features, you can run each test script individually:
sudo ./tests/test_update_and_upgrade.sh
sudo ./tests/test_ssh_hardening.sh
sudo ./tests/test_user_management.sh
sudo ./tests/test_firewall_setup.sh
sudo ./tests/test_intrusion_detection.sh
sudo ./tests/test_file_permissions.sh
sudo ./tests/test_encryption.shEach test script will output PASSED or FAILED depending on whether the security feature has been properly implemented.
linux-security-project/
├── scripts/
│ ├── update_and_upgrade.sh # Script for system updates
│ ├── ssh_hardening.sh # Script for SSH hardening
│ ├── user_management.sh # Script for secure user creation and password policy
│ ├── firewall_setup.sh # Script for UFW firewall configuration
│ ├── intrusion_detection.sh # Script for Fail2ban and AIDE setup
│ ├── file_permissions.sh # Script for securing file permissions
│ ├── encryption.sh # Script for disk encryption setup
├── tests/
│ ├── test_update_and_upgrade.sh # Test for system updates
│ ├── test_ssh_hardening.sh # Test for SSH hardening
│ ├── test_user_management.sh # Test for user management and password policy
│ ├── test_firewall_setup.sh # Test for firewall configuration
│ ├── test_intrusion_detection.sh # Test for Fail2ban and AIDE
│ ├── test_file_permissions.sh # Test for file permissions
│ ├── test_encryption.sh # Test for disk encryption
├── README.md # Project documentation
└── .gitignore # Git ignore fileEnsuring that the system and all installed packages are regularly updated reduces the risk of exploits due to known vulnerabilities.
- Script:
scripts/update_and_upgrade.sh - Test:
tests/test_update_and_upgrade.sh
Changing default SSH settings, such as disabling root login and using SSH key authentication, adds a strong layer of security to your system.
- Script:
scripts/ssh_hardening.sh - Test:
tests/test_ssh_hardening.sh
Managing user privileges and enforcing password complexity are critical steps in reducing unauthorized access to your system.
- Script:
scripts/user_management.sh - Test:
tests/test_user_management.sh
Firewalls act as a barrier between your internal network and the external internet, allowing only trusted traffic through.
- Script:
scripts/firewall_setup.sh - Test:
tests/test_firewall_setup.sh
Tools like Fail2ban and AIDE help detect and prevent unauthorized access and system compromise.
- Script:
scripts/intrusion_detection.sh - Test:
tests/test_intrusion_detection.sh
Securing critical system files ensures that unauthorized users or processes cannot alter sensitive data.
- Script:
scripts/file_permissions.sh - Test:
tests/test_file_permissions.sh
Encrypting disks protects your data from unauthorized access, especially in scenarios like theft or physical access to the machine.
- Script:
scripts/encryption.sh - Test:
tests/test_encryption.sh
-
Script Execution Issues: Ensure that each script has the necessary permissions to execute:
chmod +x ./scripts/*.sh chmod +x ./tests/*.sh
-
SSH Connection Fails After Hardening: Make sure you're connecting to the new SSH port (
2222). Update your SSH configuration:ssh -p 2222 youruser@yourserver
-
Firewall Issues: If UFW blocks essential traffic, review UFW status:
sudo ufw status
Contributions to this project are welcome. Feel free to submit issues, fork the repository, or open pull requests with improvements or additional features.
This project is licensed under the MIT License - see the LICENSE file for details.
This project helps automate the process of securing a Linux system, making it more resilient to common attacks. By using and extending this project, you'll create a robust defense for your Ubuntu/Linux-based systems.