Debian / Ubuntu Hardening

We've built a custom cloud-init config to set up basic security hardening on a new server instance by installing and configuring fail2ban and ufw (firewall), applying SSH hardening settings, and rebooting the server to apply changes.


Specific Actions

Package Management

  • Installs fail2ban (brute-force protection for SSH and other services).

  • Installs ufw (Uncomplicated Firewall).

  • Updates the package list.

  • Upgrades all installed packages to the latest version.

Runtime Configuration (runcmd)

  • Writes a minimal configuration file for fail2ban to enable SSH protection and use iptables-multiport for banning.

  • Enables fail2ban service to start on boot.

  • Allows inbound SSH (port 22) through the firewall.

  • Enables ufw firewall.

  • Applies multiple SSH hardening settings via sed to modify /etc/ssh/sshd_config:

    • Disables keyboard-interactive authentication.

    • Disables challenge-response authentication.

    • Limits maximum authentication attempts to 2.

    • Disables TCP forwarding.

    • Disables X11 forwarding.

    • Disables agent forwarding.

  • Reboots the system to apply all changes.

O/S Supported

  • Debian 12 (Bookworm)
  • Ubuntu 24.04 LTS (Noble Numbat)
Cette réponse était-elle pertinente? 30 Utilisateurs l'ont trouvée utile (49 Votes)

Powered by WHMCompleteSolution