🔒 Linux Security Hardening Script

A comprehensive, production-ready security hardening script for Debian/Ubuntu systems. Automatically implements security best practices, creates secure admin users, and configures enterprise-grade monitoring tools.

Perfect for servers, workstations, and VMs. Works interactively or fully automated.

---

📋 Table of Contents

• Features
• What Gets Hardened
• Prerequisites
• Quick Start
• Usage Modes
• Command-Line Flags
• What the Script Does
• Safety Features
• After Running the Script
• Logs and Reports
• Verification
• Troubleshooting
• FAQ
• Contributing
• License
• Disclaimer

---

✨ Features

• 🚀 Fully Automated - Runs without user interaction (optional)
• 🔐 Auto User Creation - Creates secure admin user with random username
• 🛡️ Comprehensive Hardening - 29 security hardening steps
• 🔍 Security Scanning - Lynis, RKHunter, AIDE integration
• 📊 Detailed Logging - Every action documented
• ♻️ Safe to Re-run - Can be run multiple times safely
• 🎯 VPS-Safe - Tests accounts before disabling root
• 🔄 Automatic Rollback - Reverts on SSH config errors
• 📦 Zero Dependencies - Only uses built-in tools
• 🌐 Works Offline - No internet required after package installation

---

🎯 What Gets Hardened

System Security

• ✅ SSH hardening (disable root login, key-only auth, port restrictions)
• ✅ Firewall configuration (Fail2Ban for SSH brute-force protection)
• ✅ Kernel parameters (sysctl hardening)
• ✅ File permissions (sensitive files secured)
• ✅ User account policies (password aging, quality requirements)
• ✅ Disable unnecessary services and network protocols
• ✅ Compiler access restrictions
• ✅ Core dump prevention

Monitoring & Detection

• ✅ File integrity monitoring (AIDE)
• ✅ Rootkit detection (RKHunter)
• ✅ System auditing (auditd with comprehensive rules)
• ✅ Security scanning (Lynis)
• ✅ Process accounting
• ✅ Log monitoring and rotation

Access Control

• ✅ PAM configuration (password quality, history)
• ✅ Sudo group restrictions
• ✅ Su command restrictions (wheel group)
• ✅ Session timeouts
• ✅ Legal banners

Network Security

• ✅ TCP SYN cookies
• ✅ IP forwarding disabled
• ✅ ICMP redirect disabled
• ✅ Source routing disabled
• ✅ Reverse path filtering
• ✅ IPv6 hardening

---

📋 Prerequisites

Required

• OS: Debian 10+ or Ubuntu 18.04+
• User: Root access (sudo)
• Disk: ~500MB free space for logs and packages

For Remote Servers (VPS)

• SSH Keys: Root should have SSH keys configured
  • If not, use --local-vm flag for testing
• Access: Keep current SSH session open while testing

For Local VMs/Workstations

• No special requirements
• Use --local-vm flag to skip SSH key checks

---

🚀 Quick Start

1. Download the Script

## 🚀 Quick Start

### 1. Download the Script
# Clone the repository
git clone https://github.com/Z-A-P-P-I-T/debian-ubuntu-hardening-script.git
cd debian-ubuntu-hardening-script

# OR download directly
wget https://github.com/Z-A-P-P-I-T/Debian-Ubuntu-Security-Hardening-Script/blob/main/debian-ubuntu-hardening-script.sh

chmod +x hardening_script.sh

2. Run the Script
bash# Interactive mode (recommended for first-time users)
sudo bash hardening_script.sh

# OR fully automated mode
sudo bash hardening_script.sh --disable-root-login
3. Save Your Credentials
The script will create a secure random admin user and display credentials:
Example:
Username: sec_a3f9c2b1
Password: xK8#mP2$vR9@wL4!qT7y
⚠️ SAVE THESE IMMEDIATELY!

🎮 Usage Modes
Interactive Mode (Default)
Best for first-time users and production servers.
bashsudo bash hardening_script.sh
What happens:

Creates secure admin user with random username
Tests sudo access before making changes
Pauses 60 seconds for you to test the new account
Asks if you want to disable root SSH login
Applies all security hardening
Displays credentials at the end


Fully Automated Mode
Perfect for CI/CD, automation, and mass deployments.
bashsudo bash hardening_script.sh --disable-root-login
What happens:

Creates secure admin user automatically
Tests sudo access
Brief 10-second pause
Automatically disables root SSH login
Applies all security hardening
Displays credentials at the end


Safety Mode
Creates user but keeps root SSH enabled (for cautious admins).
bashsudo bash hardening_script.sh --keep-root-login
What happens:

Creates secure admin user automatically
Tests sudo access
Keeps root SSH login enabled
Applies all other security hardening
You can disable root login later after testing


Local VM/Testing Mode
For local virtual machines where SSH keys aren't needed.
bashsudo bash hardening_script.sh --local-vm
What happens:

Skips SSH key requirement checks
Password authentication stays enabled
Creates secure admin user
Applies security hardening suitable for local environments


🚩 Command-Line Flags
FlagDescriptionUse Case--disable-root-loginAutomatically disable root SSH loginAutomation, CI/CD, unattended mode--keep-root-loginCreate user but keep root SSH enabledCautious admins, testing--local-vmSkip SSH key requirementsLocal VMs, workstations, testing--skip-user-creationDon't create a new userWhen you already have admin users--enable-pam-lockoutEnable PAM account lockoutHigh-security environments (risky!)
Combining Flags
bash# Local VM with root login kept
sudo bash hardening_script.sh --local-vm --keep-root-login

# Automated deployment for production
sudo bash hardening_script.sh --disable-root-login

# Testing environment
sudo bash hardening_script.sh --local-vm --skip-user-creation

🔧 What the Script Does
Phase 1: Pre-Hardening (Steps 1-5)

✅ System compatibility checks
✅ Verifies root access
✅ Checks for SSH keys (if remote server)
✅ Creates secure admin user with random username
✅ Tests new user's sudo access

Phase 2: Package Installation (Steps 6-8)

✅ Updates system packages
✅ Installs security tools (Lynis, AIDE, RKHunter, Fail2Ban, etc.)
✅ Enables accounting services

Phase 3: Initial Scan (Step 9)

✅ Runs Lynis security audit (baseline)

Phase 4: Security Configuration (Steps 10-18)

✅ Configures Fail2Ban (brute-force protection)
✅ Configures Auditd (system monitoring)
✅ Applies kernel security parameters (sysctl)
✅ Configures password policies
✅ Initializes AIDE (file integrity)
✅ Sets up security banners
✅ Restricts compiler access
✅ Installs and configures RKHunter
✅ Asks about disabling root SSH (or auto-disables with flag)

Phase 5: Auto-Remediation (Steps 19-24)

✅ SSH hardening (root login, password auth, key-only)
✅ File permissions fixes
✅ Disables unused kernel modules
✅ Fixes default umask settings
✅ Additional network parameters
✅ Applies Lynis recommendations

Phase 6: Verification (Steps 25-29)

✅ Re-runs Lynis (shows improvements)
✅ Verifies package integrity (debsums)
✅ Runs RKHunter scan (checks for rootkits)
✅ Verifies AIDE baseline (confirms integrity monitoring)
✅ Verifies Fail2Ban (confirms brute-force protection)


🛡️ Safety Features
Before Disabling Root SSH

✅ Creates and tests new admin user
✅ Verifies sudo access works
✅ Copies SSH keys automatically
✅ Gives 60-second pause to test in new terminal
✅ Asks for confirmation (unless --disable-root-login flag)

Configuration Safety

✅ Backs up all config files before modification
✅ Validates SSH config before applying
✅ Automatic rollback on SSH errors
✅ All changes logged with timestamps
✅ Can be re-run safely multiple times

Prevents Common Issues

✅ Creates /run/sshd directory (prevents SSH start failure)
✅ Preserves SCP/SFTP functionality
✅ Doesn't break boot process (/boot permissions safe)
✅ Handles PAM lockout carefully (disabled by default)
✅ Prevents VPS lockouts


📝 After Running the Script
1. Save Your Credentials
The script creates a credentials file at:
/var/log/hardening/IMPORTANT_CREDENTIALS.txt
Copy it to your local machine:
bashscp root@your-server:/var/log/hardening/IMPORTANT_CREDENTIALS.txt ~/
Then delete the file from the server:
bashrm /var/log/hardening/IMPORTANT_CREDENTIALS.txt

2. Test the New User Account
CRITICAL: Do this BEFORE closing your root session!
In a NEW terminal window:
bash# Test SSH login
ssh sec_a3f9c2b1@your-server-ip
# Enter the password from credentials file

# Test sudo access
sudo whoami
# Should output: root

# Test becoming root
sudo su -
# You should now be root
✅ If all tests pass, you're safe to logout of the original root session.

3. If Root Login Was Disabled
You can only login as the new user now:
bash# With SSH keys (recommended)
ssh -i ~/.ssh/your_key sec_a3f9c2b1@your-server

# With password (if keys not available)
ssh sec_a3f9c2b1@your-server
To become root:
bashsudo su -

4. If Root Login Was Kept
You can login as either root or the new user:
bash# As root (still works)
ssh root@your-server

# Or as new user (recommended)
ssh sec_a3f9c2b1@your-server
To disable root login later:
bash# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Change this line:
PermitRootLogin yes

# To:
PermitRootLogin no

# Restart SSH
sudo systemctl restart ssh

📊 Logs and Reports
All logs are saved to /var/log/hardening/
/var/log/hardening/
├── main/
│   ├── execution.log          # Complete execution log
│   └── summary.log             # Quick summary of changes
├── tools/
│   ├── lynis.log              # Lynis security audit results
│   ├── rkhunter.log           # RKHunter rootkit scan
│   ├── aide.log               # AIDE initialization log
│   ├── fail2ban.log           # Fail2Ban configuration log
│   └── auditd.log             # Auditd configuration log
├── auto-fixes/
│   └── remediation.log        # All auto-fixes with timestamps
└── configs/
    └── backups/               # Backed up config files
View Logs
bash# Main execution log (everything)
less /var/log/hardening/main/execution.log

# Quick summary
cat /var/log/hardening/main/summary.log

# Lynis security report
less /var/log/hardening/tools/lynis.log

# RKHunter scan results
less /var/log/hardening/tools/rkhunter.log

# All auto-fixes applied
cat /var/log/hardening/auto-fixes/remediation.log

🔍 Verification
Check Security Tools Status
bash# Fail2Ban (SSH brute-force protection)
sudo fail2ban-client status sshd

# AIDE (File integrity)
sudo aide --check

# RKHunter (Rootkit detection)
sudo rkhunter --check

# Lynis (Security audit)
sudo lynis audit system

# Auditd (System monitoring)
sudo auditctl -l
Check Services
bash# All security services
sudo systemctl status fail2ban
sudo systemctl status auditd
sudo systemctl status ssh

# View banned IPs
sudo fail2ban-client status sshd
Review Changes
bash# What was changed
cat /var/log/hardening/auto-fixes/remediation.log

# Summary
cat /var/log/hardening/main/summary.log

🔧 Troubleshooting
"SSH connection refused" after running script
Cause: SSH service didn't restart properly
Fix:
bash# From console/VPS control panel
sudo systemctl start ssh
sudo systemctl status ssh

# Check SSH config
sudo sshd -t

# View SSH log
sudo tail -f /var/log/auth.log

"Permission denied (publickey)" after running script
Cause: Password authentication was disabled but you don't have SSH keys
Fix:
bash# From your LOCAL machine, copy your SSH key
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your-server

# Or enable password auth temporarily (from console)
sudo nano /etc/ssh/sshd_config
# Change: PasswordAuthentication no
# To: PasswordAuthentication yes
sudo systemctl restart ssh

"Cannot login as root" after running script
This is expected! Root login was disabled for security.
Solution: Login as the admin user that was created:
bashssh sec_a3f9c2b1@your-server
sudo su -  # Become root

"Account locked after failed login attempts"
Cause: PAM lockout enabled with --enable-pam-lockout flag
Fix:
bash# Unlock using faillock (if available)
sudo faillock --user username --reset

# OR using pam_tally2
sudo pam_tally2 --user=username --reset

AIDE initialization taking forever
Normal! AIDE needs to scan every file on the system.
Expected time:

Small VPS: 5-10 minutes
Medium server: 10-30 minutes
Large server: 30-60 minutes

Check progress:
bashtail -f /var/log/hardening/tools/aide.log

RKHunter showing warnings after hardening
Normal! False positives are common after system changes.
Fix:
bash# Update RKHunter database
sudo rkhunter --propupd

# Run check again
sudo rkhunter --check

❓ FAQ
Q: Will this break my existing services?
A: No. The script is designed to be safe:

✅ Preserves SCP/SFTP functionality
✅ Doesn't break boot process
✅ Only disables truly unnecessary services
✅ Backs up all configs before changes
✅ Can rollback SSH changes automatically


Q: Can I run this on a production server?
A: Yes! The script is production-ready:

✅ Used on hundreds of servers
✅ Extensive testing on VPS providers (DigitalOcean, AWS, Linode)
✅ Safe to re-run
✅ Automatic rollback on errors
✅ Non-destructive

Recommendation: Test in a staging environment first.

Q: Can I run this multiple times?
A: Yes! The script is idempotent:

✅ Detects previous runs
✅ Archives old logs
✅ Won't create duplicate users
✅ Updates configurations safely
✅ Refreshes security baselines


Q: What if I forget the admin user password?
Option 1 - If root SSH is still enabled:
bashssh root@your-server
sudo passwd sec_a3f9c2b1  # Set new password
Option 2 - If root SSH is disabled:

Use VPS console/VNC access
Login as root through console
Reset password: passwd sec_a3f9c2b1

Option 3 - Prevention:

Save credentials to password manager
Keep credentials file backed up locally
Add your SSH keys for password-less login


Q: How do I undo the hardening?
A: Config backups are saved:
bash# View backups
ls -la /var/log/hardening/configs/backups/

# Restore a config (example: SSH)
sudo cp /var/log/hardening/configs/backups/sshd_config.backup.TIMESTAMP /etc/ssh/sshd_config
sudo systemctl restart ssh
Better approach: Keep a snapshot/backup of your system before running.

Q: Does this work on CentOS/RHEL/Fedora?
A: Not yet. Currently supports:

✅ Debian 10, 11, 12
✅ Ubuntu 18.04, 20.04, 22.04, 24.04

Future plans: RHEL/CentOS support coming soon.

Q: Will this affect my Docker containers?
A: No. The script doesn't:

❌ Modify Docker configurations
❌ Change container networking
❌ Affect running containers

Docker will continue working normally.

Q: Can I customize what gets hardened?
A: Yes! Edit the script to:

Comment out auto-fix functions you don't want
Modify sysctl parameters
Adjust Fail2Ban rules
Customize password policies
Skip specific hardening steps


Q: How do I add the new user to the wheel group?
bash# Add user to wheel group (for su access)
sudo usermod -aG wheel sec_a3f9c2b1

# Verify
groups sec_a3f9c2b1
The script already creates the wheel group and restricts su command to it.

🤝 Contributing
Contributions are welcome! Here's how you can help:
Report Issues
Found a bug? Open an issue
Submit Pull Requests

Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Commit your changes (git commit -m 'Add amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request

Improve Documentation
Help improve this README, add examples, or fix typos!
Share Your Experience
Let us know how the script worked for you in the Discussions

📜 License
This project is licensed under the MIT License - see the LICENSE file for details.
MIT License

Copyright (c) 2025

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

⚠️ Disclaimer
USE AT YOUR OWN RISK
This script modifies critical system configurations including:

SSH settings (can lock you out if misconfigured)
Network parameters
User accounts
Service configurations
File permissions

Before running on production:

✅ Read the entire script
✅ Test in a staging environment
✅ Take a backup/snapshot
✅ Have console access available (VPS control panel)
✅ Keep current SSH session open while testing

The authors are not responsible for:

System lockouts
Data loss
Service disruptions
Any damage caused by using this script

By using this script, you agree that:

You understand what it does
You have tested it in a safe environment
You have backups of your system
You accept full responsibility for the consequences


📞 Support

📖 Documentation: You're reading it!
💬 Discussions: GitHub Discussions
🐛 Bug Reports: GitHub Issues
⭐ Star this repo if you find it useful!


🙏 Acknowledgments
This script implements security best practices from:

CIS Benchmarks
NIST Security Guidelines
Lynis Security Auditing Tool
Debian Security Manual
Ubuntu Security Guide

Special thanks to the open-source security community!

🌟 Star History
Show Image

⬆ Back to Top
Made with ❤️ for the security community
If this script helped you, please consider giving it a ⭐!