Remove the sudo command from docs.
This commit is contained in:
parent 2678bb54b4
commit d54fa4f75c

28 README-CN.md
@ -6,7 +6,7 @@
审计功能的使用示例:
|
||||
```console
|
||||
$ sudo bash bin/hardening.sh --audit-all
|
||||
# bash bin/hardening.sh --audit-all
|
||||
[...]
|
||||
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
|
||||
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
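Review bot: The `#` prompt this hunk introduces is never defined anywhere in the README, and inside a fenced block a line starting with `#` also reads as a shell comment, so a reader who has just lost the `sudo` cue is left guessing how the command is meant to be run. Suggest one sentence before the first block, for example "Commands shown with a `#` prompt are run in a root shell (`sudo -s`)", so that the convention is stated once for every block that follows.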
|
||||
|
@ -29,13 +29,13 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
|
|||
### 下载及初始化
|
||||
```console
|
||||
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
|
||||
$ sudo cp etc/default.cfg /etc/default/cis-hardening
|
||||
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
$ sudo bin/hardening.sh --init
|
||||
# cp etc/default.cfg /etc/default/cis-hardening
|
||||
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
# bin/hardening.sh --init
|
||||
```
|
||||
### 对所有的安全检查项进行审计
|
||||
```
|
||||
$ sudo bin/hardening.sh --audit-all
|
||||
# bin/hardening.sh --audit-all
|
||||
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
|
||||
1.1_install_updates [INFO] Working on 1.1_install_updates
|
||||
1.1_install_updates [INFO] Checking Configuration
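Review bot: The prompt jumps from `$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit` straight to `# cp etc/default.cfg /etc/default/cis-hardening` with no step showing how root is obtained, and the next line depends on `$(pwd)` still being the clone directory when it expands in the root shell. `sudo -s` keeps the working directory, but `su -` resets it to /root, in which case `CIS_ROOT_DIR` silently points at the wrong path and `bin/hardening.sh --init` is run from the wrong place as well. Suggest keeping a `$ sudo -s` line after the clone, as the 需要预先进行的配置 block further down still does, or writing the absolute clone path in the sed instead of `$(pwd)`.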
|
||||
|
@ -55,8 +55,8 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
|
|||
```
|
||||
### 设置加固级别并进行自动修复
|
||||
```
|
||||
$ sudo bin/hardening.sh --set-hardening-level 5
|
||||
$ sudo bin/hardening.sh --apply
|
||||
# bin/hardening.sh --set-hardening-level 5
|
||||
# bin/hardening.sh --apply
|
||||
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
|
||||
1.1_install_updates [INFO] Working on 1.1_install_updates
|
||||
1.1_install_updates [INFO] Checking Configuration
|
||||
|
@ -75,17 +75,17 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
|
|||
### 需要预装的软件
|
||||
如果是使用的最小安装方式安装的Debian GNU/Linux系统,在使用此项目之前,需要安装如下的软件:
|
||||
```
|
||||
sudo apt-get install -y bc net-tools pciutils
|
||||
# apt-get install -y bc net-tools pciutils
|
||||
```
|
||||
如果系统是Redhat/CentOS,在使用此项目前,需要安装如下的软件包:
|
||||
```
|
||||
sudo yum install -y bc net-tools pciutils NetworkManager epel-release
|
||||
# yum install -y bc net-tools pciutils NetworkManager epel-release
|
||||
```
|
||||
|
||||
### 需要预先进行的配置
|
||||
在使用此项目前,必须给所有要用到的用户设置了密码。如果没有设置密码的话,将在进行自动化加固后不能够登录到系统。例如(用户:root和test):
|
||||
```
|
||||
$ sudo -s
|
||||
|
||||
# passwd
|
||||
# passwd test
|
||||
```
|
||||
|
@ -155,8 +155,8 @@ EXCEPTIONS=""
|
|||
基于iptables的部署:
|
||||
```
|
||||
$ INTERFACENAME="your network interfacename(Example eth0)"
|
||||
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
||||
$ sudo -s
|
||||
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
||||
|
||||
# iptables-save > /etc/iptables/rules.v4
|
||||
# ip6tables-save > /etc/iptables/rules.v6
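Review bot: This hunk breaks the firewall step. `INTERFACENAME` is assigned at the `$` prompt, `$ sudo -s` then starts a new root shell, and `# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME` expands the variable inside that shell, where it is unset: a plain assignment is not exported to child processes, and sudo's env_reset would strip it even if it were. In the removed `$ sudo bash … $INTERFACENAME` form the user's shell expanded the variable before sudo ran, so the script received the interface name. Suggest moving the assignment below `sudo -s` (`# INTERFACENAME="eth0"`), or passing the name literally, e.g. `# bash docs/configurations/etc.iptables.rules.v4.sh eth0`.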
|
||||
```
|
||||
|
@ -164,13 +164,13 @@ $ sudo -s
|
|||
按照以下命令修改nftables.conf(你的对外网口的名称,例如:eth0):
|
||||
```
|
||||
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
|
||||
$ sudo nft -f ./etc.nftables.conf
|
||||
# nft -f ./etc.nftables.conf
|
||||
```
|
||||
5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作:
|
||||
1.使用passwd命令去重新设置常规用户及root用户的密码,以满足pam_cracklib模块配置的密码强度和健壮性。
|
||||
2. 重新初始化aide工具的数据库。
|
||||
```
|
||||
$ sudo bin/hardening.sh --final
|
||||
# bin/hardening.sh --final
|
||||
```
|
||||
|
||||
## 特别注意
|
||||

28 README.md
@ -10,7 +10,7 @@ The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debia
|
|||
|
||||
|
||||
```console
|
||||
$ sudo bash bin/hardening.sh --audit-all
|
||||
# bash bin/hardening.sh --audit-all
|
||||
[...]
|
||||
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
|
||||
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
|
||||
|
@ -32,10 +32,10 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
|
|||
|
||||
```console
|
||||
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
|
||||
$ sudo cp etc/default.cfg /etc/default/cis-hardening
|
||||
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
$ sudo bin/hardening.sh --init
|
||||
$ sudo bin/hardening.sh --audit-all
|
||||
# cp etc/default.cfg /etc/default/cis-hardening
|
||||
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
# bin/hardening.sh --init
|
||||
# bin/hardening.sh --audit-all
|
||||
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
|
||||
1.1_install_updates [INFO] Working on 1.1_install_updates
|
||||
1.1_install_updates [INFO] Checking Configuration
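Review bot: As in the matching README-CN.md hunk, `$ git clone … && cd harbian-audit` stays at the user prompt while `# cp …`, `# sed … CIS_ROOT_DIR='$(pwd)' …` and `# bin/hardening.sh --init` move to a root prompt with no step in between. The `$(pwd)` in the sed is only correct if the root shell keeps the clone directory as its working directory (`sudo -s` does, `su -` does not). Either keep `$ sudo -s` after the clone or put the absolute path in the sed.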
|
||||
|
@ -52,8 +52,8 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
|
|||
Total Failed Checks : [ 39/278 ]
|
||||
Enabled Checks Percentage : 100.00 %
|
||||
Conformity Percentage : 85.97 %
|
||||
$ sudo bin/hardening.sh --set-hardening-level 5
|
||||
$ sudo bin/hardening.sh --apply
|
||||
# bin/hardening.sh --set-hardening-level 5
|
||||
# bin/hardening.sh --apply
|
||||
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
|
||||
1.1_install_updates [INFO] Working on 1.1_install_updates
|
||||
1.1_install_updates [INFO] Checking Configuration
|
||||
|
@ -73,18 +73,18 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
|
|||
|
||||
If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool.
|
||||
```
|
||||
sudo apt-get install -y bc net-tools pciutils network-manager
|
||||
# apt-get install -y bc net-tools pciutils network-manager
|
||||
```
|
||||
|
||||
Redhat/CentOS need install packages before use the hardening tool:
|
||||
```
|
||||
sudo yum install -y bc net-tools pciutils NetworkManager epel-release
|
||||
# yum install -y bc net-tools pciutils NetworkManager epel-release
|
||||
```
|
||||
|
||||
### Pre-Set
|
||||
You must set a password for all users before hardening. Otherwise, you will not be able to log in after the hardening is completed. Example(OS user: root and test):
|
||||
```
|
||||
$ sudo -s
|
||||
|
||||
# passwd
|
||||
# passwd test
|
||||
```
|
||||
|
@ -169,8 +169,8 @@ Set the corresponding firewall rules according to the applications used. Hardene
|
|||
to do the following:
|
||||
```
|
||||
$ INTERFACENAME="your network interfacename(Example eth0)"
|
||||
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
||||
$ sudo -s
|
||||
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
||||
|
||||
# iptables-save > /etc/iptables/rules.v4
|
||||
# ip6tables-save > /etc/iptables/rules.v6
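Review bot: Same variable-scope problem as in the README-CN.md firewall block: `INTERFACENAME` is set at the `$` prompt, `$ sudo -s` opens a new root shell, and `# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME` then runs with an empty argument because the assignment was neither exported nor made in the root shell. Repeat the assignment after `sudo -s`, or pass the interface name literally.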
|
||||
```
|
||||
|
@ -180,13 +180,13 @@ $ sudo -s
|
|||
to do the following(your network interfacename(Example eth0)):
|
||||
```
|
||||
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
|
||||
$ sudo nft -f ./etc.nftables.conf
|
||||
# nft -f ./etc.nftables.conf
|
||||
```
|
||||
5) When all repairs are completed. --final method will:
|
||||
1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration.
|
||||
2. Aide reinitializes.
|
||||
```
|
||||
$ sudo bin/hardening.sh --final
|
||||
# bin/hardening.sh --final
|
||||
```
|
||||
|
||||
## Special Note
|
||||
|
|
|
@ -24,15 +24,15 @@ The creation process is as follows:
|
|||
|
||||
### Pre-Install
|
||||
```
|
||||
$ sudo apt update
|
||||
$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip
|
||||
# apt update
|
||||
# apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip
|
||||
```
|
||||
|
||||
### Get harbian-audit project
|
||||
```
|
||||
$ cd /opt
|
||||
/opt$ sudo wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
|
||||
/opt$ sudo unzip master.zip
|
||||
/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
|
||||
/opt# unzip master.zip
|
||||
/opt$ cd harbian-audit-master/
|
||||
```
|
||||
### How to use harbian-audit to audit and apply
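Review bot: `# apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip` lists `bc net-tools` twice; since the line is being rewritten anyway, drop the duplicate. Also, after the wget and unzip lines switch to the `/opt#` root prompt, the unchanged `/opt$ cd harbian-audit-master/` flips back to a user prompt, so the block now alternates between two shells without saying so; use one prompt for the whole block.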
|
||||
|
@ -40,7 +40,6 @@ $ cd /opt
|
|||
//maybe not need
|
||||
#### Set passwd to all user:
|
||||
```
|
||||
admin@ip:/opt/harbian-audit-master$ sudo -s
|
||||
admin@ip:/opt/harbian-audit-master# passwd
|
||||
admin@ip:/opt/harbian-audit-master# passwd admin
|
||||
```
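Review bot: The only line this hunk drops is `admin@ip:/opt/harbian-audit-master$ sudo -s`, so the block now opens at `admin@ip:/opt/harbian-audit-master# passwd` with nothing showing how the root prompt was reached, and the prompt itself is misleading, since a shell started by `sudo -s` reports `root@ip`, not `admin@ip`. Either keep `sudo -s` as the first line of the block or state above it that the commands run as root.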
|
||||
|
@ -49,27 +48,26 @@ admin@ip:/opt/harbian-audit-master# passwd admin
|
|||
|
||||
##### First audit && apply:
|
||||
```
|
||||
admin@ip:/opt/harbian-audit-master$ sudo cp etc/default.cfg /etc/default/cis-hardening
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply
|
||||
admin@ip:/opt/harbian-audit-master$ sudo reboot
|
||||
admin@ip:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening
|
||||
admin@ip:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --init
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply
|
||||
admin@ip:/opt/harbian-audit-master# reboot
|
||||
```
|
||||
##### Second audit && apply(After reboot)
|
||||
Configuring the firewall:
|
||||
```
|
||||
admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
|
||||
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
||||
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
|
||||
admin@ip:/opt/harbian-audit-master$ sudo -s
|
||||
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
||||
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
|
||||
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
|
||||
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
|
||||
admin@ip:/opt/harbian-audit-master# exit
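Review bot: Same variable-scope problem as in the README firewall section: `admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"` is set at the user prompt, but the two added `# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME` and `… .v6.sh $INTERFACENAME` lines run at the root prompt, where the variable is unset unless the assignment is repeated there. The removed `sudo bash … $INTERFACENAME` form worked because the user's shell expanded it first. Assign `INTERFACENAME` after switching to root, or pass `eth0` literally.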
|
||||
|
@ -77,28 +75,28 @@ admin@ip:/opt/harbian-audit-master# exit
|
|||
|
||||
Apply need to apply twice items and that items of must apply after first apply:
|
||||
```
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5
|
||||
admin@ip:/opt/harbian-audit-master$ sudo reboot
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.2
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.3
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.12
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.32
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 4.5
|
||||
admin@ip:/opt/harbian-audit-master# reboot
|
||||
```
|
||||
|
||||
##### Third apply(after reboot)
|
||||
Apply need to apply three times items:
|
||||
```
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2
|
||||
admin@ip:/opt/harbian-audit-master$ sudo reboot
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.1
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.2
|
||||
admin@ip:/opt/harbian-audit-master# reboot
|
||||
```
|
||||
|
||||
### Set issues
|
||||
```
|
||||
$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
|
||||
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
|
||||
```
|
||||
|
||||
### Hacking
|
||||
|
@ -110,24 +108,23 @@ Use the following guidelines to reduce the attack surface and improve the reliab
|
|||
|
||||
#### Clean harbian-audit temp file and conf
|
||||
```
|
||||
$ sudo rm /opt/master.zip
|
||||
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
|
||||
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg
|
||||
# rm /opt/master.zip
|
||||
# rm /opt/harbian-audit-master/tmp/backups/*
|
||||
# rm /opt/harbian-audit-master/etc/conf.d/*.cfg
|
||||
```
|
||||
|
||||
#### Uninstall
|
||||
```
|
||||
$ sudo apt-get purge --autoremove unzip -y
|
||||
# apt-get purge --autoremove unzip -y
|
||||
```
|
||||
|
||||
#### Clear the current log:
|
||||
```
|
||||
$ sudo find /var/log/ -name "*.log" -exec shred -u {} \;
|
||||
$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \;
|
||||
$ sudo find / -name "authorized_keys" -exec shred -u {} \;
|
||||
$ sudo rm /root/.wget-hsts
|
||||
$ sudo rm /root/.viminfo
|
||||
$ sudo -s
|
||||
# find /var/log/ -name "*.log" -exec shred -u {} \;
|
||||
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
|
||||
# find / -name "authorized_keys" -exec shred -u {} \;
|
||||
# rm /root/.wget-hsts
|
||||
# rm /root/.viminfo
|
||||
# echo > /var/log/debug
|
||||
# echo > /var/log/btmp
|
||||
# echo > /var/log/error
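Review bot: `# find / -name "authorized_keys" -exec shred -u {} \;` now appears as a bare root command with no caveat: it walks every mounted filesystem, including /proc, /sys and any attached data volumes, and it shreds every authorized_keys on the box, including any under /home/admin/.ssh for the `admin` account used throughout this guide, so SSH access to the image is gone unless the launch process re-provisions keys. Suggest adding `-xdev` to confine the walk to the root filesystem and a sentence above the block saying that this is an image-publication step to be run last, after the final apply.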
|
||||
|
@ -145,7 +142,7 @@ $ sudo -s
|
|||
#### Final apply
|
||||
Reset password for all users and reinit aide database:
|
||||
```
|
||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final
|
||||
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --final
|
||||
```
|
||||
|
||||
#### Clear bash hostory
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
## Use harbian-audit to check
|
||||
```
|
||||
admin@ip-:~$ cd /opt/harbian-audit-master/
|
||||
admin@ip-:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
|
||||
admin@ip-:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
|
||||
......
|
||||
|
||||
################### SUMMARY ###################
|
||||
|
|
|
@ -77,9 +77,8 @@ root@harbian:/opt/harbian-audit-master# reboot
|
|||
|
||||
After reboot:
|
||||
```
|
||||
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
|
||||
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v6.sh eth0
|
||||
harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s
|
||||
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
|
||||
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v6.sh eth0
|
||||
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/sysconfig/iptables
|
||||
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/sysconfig/ip6tables
|
||||
```
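Review bot: The two added lines use the `harbian-audit@harbian:/opt/harbian-audit-master#` prompt while the unchanged `iptables-save` and `ip6tables-save` lines directly below use `root@harbian:/opt/harbian-audit-master#`; both are meant to be the same root shell. Use the `root@harbian` form for the added lines so the block does not read as two different sessions.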
|
||||
|
@ -88,7 +87,7 @@ Related how to use harbian-audit to adit and apply, please reference:
|
|||
|
||||
### Set issues
|
||||
```
|
||||
$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
|
||||
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
|
||||
```
|
||||
|
||||
### Set grub passwd
|
||||
|
@ -101,7 +100,6 @@ Related how to config grub2 password protection, please reference:
|
|||
|
||||
### Re-set passwd of all users
|
||||
```
|
||||
harbian-audit@harbian:~$ sudo -s
|
||||
root@harbian:/home/harbian-audit# passwd
|
||||
root@harbian:/home/harbian-audit# passwd harbian-audit
|
||||
```
|
||||
|
@ -113,38 +111,37 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d
|
|||
|
||||
#### Uninstall
|
||||
```
|
||||
$ sudo apt-get purge --autoremove unzip -y
|
||||
# apt-get purge --autoremove unzip -y
|
||||
```
|
||||
|
||||
#### Clean harbian-audit temp file and conf
|
||||
```
|
||||
$ sudo rm /opt/master.zip
|
||||
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
|
||||
# rm /opt/master.zip
|
||||
# rm /opt/harbian-audit-master/tmp/backups/*
|
||||
$ cd /opt/harbian-audit-master/etc/conf.d
|
||||
$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
|
||||
# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
|
||||
```
|
||||
|
||||
#### Final fix
|
||||
```
|
||||
$ cd /opt/harbian-audit-master
|
||||
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
$ sudo bash bin/hardening.sh --apply --only 8.1.32
|
||||
$ sudo bash bin/hardening.sh --apply --only 8.4.1
|
||||
$ sudo bash bin/hardening.sh --apply --only 8.4.2
|
||||
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
|
||||
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*
|
||||
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
# bash bin/hardening.sh --apply --only 8.1.32
|
||||
# bash bin/hardening.sh --apply --only 8.4.1
|
||||
# bash bin/hardening.sh --apply --only 8.4.2
|
||||
# rm /opt/harbian-audit-master/tmp/backups/*
|
||||
# rm /opt/harbian-audit-master/etc/conf.d/*
|
||||
```
|
||||
|
||||
#### Clear the current log
|
||||
```
|
||||
$ sudo find /var/log/ -name "*.log" -exec shred -u {} \;
|
||||
$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \;
|
||||
$ sudo find / -name "authorized_keys" -exec shred -u {} \;
|
||||
$ sudo rm /root/.wget-hsts
|
||||
$ sudo rm /root/.viminfo
|
||||
$ sudo -s
|
||||
# find /var/log/ -name "*.log" -exec shred -u {} \;
|
||||
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
|
||||
# find / -name "authorized_keys" -exec shred -u {} \;
|
||||
# rm /root/.wget-hsts
|
||||
# rm /root/.viminfo
|
||||
# echo > /var/log/debug
|
||||
# echo > /var/log/btmp
|
||||
# echo > /var/log/error
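Review bot: `# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)` depends on bash's `extglob` option being enabled in the shell that expands the pattern; it is off by default and is commonly switched on only by bash-completion, so in a root shell started with `sudo -s` the `!(…)` pattern may not be treated as a glob at all. The `$ cd /opt/harbian-audit-master/etc/conf.d` and `$ cd /opt/harbian-audit-master` lines also stay at the user prompt while the `rm`, `sed` and `bash bin/hardening.sh` lines that depend on that working directory move to the root prompt. Suggest adding `shopt -s extglob` to the block (or using `find . -maxdepth 1 -name '*.cfg' ! -name 8.1.32_freeze_auditd_conf.cfg ! -name 8.4.1_install_aide.cfg ! -name 8.4.2_aide_cron.cfg -delete`) and moving the `cd` lines to the root prompt as well.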
|
||||
|
@ -160,7 +157,7 @@ $ sudo -s
|
|||
|
||||
#### AIDE RE-INIT
|
||||
```
|
||||
$ sudo aideinit -y -f
|
||||
# aideinit -y -f
|
||||
```
|
||||
|
||||
#### Clear bash hostory
|
||||
|
@ -169,7 +166,7 @@ $ sudo aideinit -y -f
|
|||
# history -cw
|
||||
$ echo > ~/.bash_history
|
||||
$ history -cw
|
||||
$ sudo poweroff
|
||||
# poweroff
|
||||
```
|
||||
|
||||
## sign QEMU image
|
||||
|
|
|
@ -77,8 +77,7 @@ root@harbian:/opt/harbian-audit-master# reboot
|
|||
|
||||
After reboot:
|
||||
```
|
||||
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
|
||||
harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s
|
||||
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
|
||||
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
|
||||
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
|
||||
```
|
||||
|
@ -87,7 +86,7 @@ Related how to use harbian-audit to adit and apply, please reference:
|
|||
|
||||
### Set issues
|
||||
```
|
||||
$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
|
||||
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
|
||||
```
|
||||
|
||||
### Set grub passwd
|
||||
|
@ -100,7 +99,6 @@ Related how to config grub2 password protection, please reference:
|
|||
|
||||
### Re-set passwd of all users
|
||||
```
|
||||
harbian-audit@harbian:~$ sudo -s
|
||||
root@harbian:/home/harbian-audit# passwd
|
||||
root@harbian:/home/harbian-audit# passwd harbian-audit
|
||||
```
|
||||
|
@ -112,38 +110,37 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d
|
|||
|
||||
#### Uninstall
|
||||
```
|
||||
$ sudo apt-get purge --autoremove unzip -y
|
||||
# apt-get purge --autoremove unzip -y
|
||||
```
|
||||
|
||||
#### Clean harbian-audit temp file and conf
|
||||
```
|
||||
$ sudo rm /opt/master.zip
|
||||
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
|
||||
# rm /opt/master.zip
|
||||
# rm /opt/harbian-audit-master/tmp/backups/*
|
||||
$ cd /opt/harbian-audit-master/etc/conf.d
|
||||
$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
|
||||
# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
|
||||
```
|
||||
|
||||
#### Final fix
|
||||
```
|
||||
$ cd /opt/harbian-audit-master
|
||||
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
$ sudo bash bin/hardening.sh --apply --only 8.1.32
|
||||
$ sudo bash bin/hardening.sh --apply --only 8.4.1
|
||||
$ sudo bash bin/hardening.sh --apply --only 8.4.2
|
||||
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
|
||||
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*
|
||||
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||
# bash bin/hardening.sh --apply --only 8.1.32
|
||||
# bash bin/hardening.sh --apply --only 8.4.1
|
||||
# bash bin/hardening.sh --apply --only 8.4.2
|
||||
# rm /opt/harbian-audit-master/tmp/backups/*
|
||||
# rm /opt/harbian-audit-master/etc/conf.d/*
|
||||
```
|
||||
|
||||
#### Clear the current log
|
||||
```
|
||||
$ sudo find /var/log/ -name "*.log" -exec shred -u {} \;
|
||||
$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \;
|
||||
$ sudo find / -name "authorized_keys" -exec shred -u {} \;
|
||||
$ sudo rm /root/.wget-hsts
|
||||
$ sudo rm /root/.viminfo
|
||||
$ sudo -s
|
||||
# find /var/log/ -name "*.log" -exec shred -u {} \;
|
||||
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
|
||||
# find / -name "authorized_keys" -exec shred -u {} \;
|
||||
# rm /root/.wget-hsts
|
||||
# rm /root/.viminfo
|
||||
# echo > /var/log/debug
|
||||
# echo > /var/log/btmp
|
||||
# echo > /var/log/error
|
||||
|
@ -159,7 +156,7 @@ $ sudo -s
|
|||
|
||||
#### AIDE RE-INIT
|
||||
```
|
||||
$ sudo aideinit -y -f
|
||||
# aideinit -y -f
|
||||
```
|
||||
|
||||
#### Clear bash hostory
|
||||
|
@ -168,7 +165,7 @@ $ sudo aideinit -y -f
|
|||
# history -cw
|
||||
$ echo > ~/.bash_history
|
||||
$ history -cw
|
||||
$ sudo poweroff
|
||||
# poweroff
|
||||
```
|
||||
|
||||
## sign QEMU image
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
## Pre-install
|
||||
```
|
||||
sudo apt-get install build-essential dh-make debhelper lintian wget
|
||||
# apt-get install build-essential dh-make debhelper lintian wget
|
||||
```
|
||||
## Config evc var for dh_make
|
||||
```
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
## Server
|
||||
### Install package
|
||||
```
|
||||
sudo apt install -y auditd
|
||||
# apt install -y auditd
|
||||
```
|
||||
|
||||
### Configure
|
||||
|
@ -21,7 +21,7 @@ systemctl restart auditd
|
|||
## Client
|
||||
### Install package
|
||||
```
|
||||
sudo apt install -y audispd-plugins auditd
|
||||
# apt install -y audispd-plugins auditd
|
||||
```
|
||||
|
||||
### Configure
|
||||
|
|
|
@ -3,7 +3,7 @@ Debian Buster uses the nftables framework by default.
|
|||
|
||||
## Pre-install
|
||||
```
|
||||
$ sudo apt install nftables
|
||||
# apt install nftables
|
||||
```
|
||||
|
||||
## Check iptables link point
|
||||
|
@ -13,7 +13,7 @@ You can switch back and forth between iptables-nft and iptables-legacy by means
|
|||
|
||||
Check iptables currently link:
|
||||
```
|
||||
$ sudo update-alternatives --display iptables
|
||||
# update-alternatives --display iptables
|
||||
iptables - auto mode
|
||||
link best version is /usr/sbin/iptables-nft
|
||||
link currently points to /usr/sbin/iptables-nft
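Review bot: `update-alternatives --display iptables` only reads the alternatives database and works for an unprivileged user, so converting `$ sudo update-alternatives --display iptables` to a `#` root prompt suggests more privilege than the command needs. Keep the `--display` queries at the `$` prompt without sudo and reserve `#` for the `--set` commands in the next hunk, which do require root.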
|
||||
|
@ -29,11 +29,11 @@ iptables - auto mode
|
|||
```
|
||||
If you see above, don't need switching, if currently link to iptables-legacy, need use command to switching to iptables-nft:
|
||||
```
|
||||
$ sudo update-alternatives --set iptables /usr/sbin/iptables-nft
|
||||
$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
|
||||
$ sudo update-alternatives --set arptables /usr/sbin/arptables-nft
|
||||
$ sudo update-alternatives --set ebtables /usr/sbin/ebtables-nft
|
||||
$ sudo update-alternatives --display iptables
|
||||
# update-alternatives --set iptables /usr/sbin/iptables-nft
|
||||
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
|
||||
# update-alternatives --set arptables /usr/sbin/arptables-nft
|
||||
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
|
||||
# update-alternatives --display iptables
|
||||
```
|
||||
## Migrating
|
||||
move from an existing iptables ruleset to nftables:
|
||||
|
@ -41,17 +41,17 @@ move from an existing iptables ruleset to nftables:
|
|||
### Command translation
|
||||
You can generate a translation of an iptables/ip6tables command to know the nftables equivalent.
|
||||
```
|
||||
$ sudo iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
||||
# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
||||
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
|
||||
$ sudo ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
|
||||
# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
|
||||
nft add rule ip6 filter FORWARD iifname "eth0" oifname "eth3" meta l4proto udp udp dport { 111,222} counter accept
|
||||
```
|
||||
|
||||
Instead of translating command by command, you can translate your whole ruleset in a single run:
|
||||
|
||||
```
|
||||
$ sudo iptables-save > save.txt
|
||||
$ sudo iptables-restore-translate -f save.txt
|
||||
# iptables-save > save.txt
|
||||
# iptables-restore-translate -f save.txt
|
||||
# Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 04:33:36 2019
|
||||
add table ip filter
|
||||
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
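Review bot: With the commands now shown as `# iptables-save > save.txt` and `# iptables-restore-translate -f save.txt`, the tool's own first output line, `# Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 04:33:36 2019`, is indistinguishable from a command prompt; the removed `$ sudo` form kept commands and output visibly apart. Suggest a prompt that cannot be mistaken for a comment, such as `root@host:~#`, or a note that the `# Translated by …` line is output. Note also that `iptables-translate` and `ip6tables-translate` earlier in this hunk only print the nft equivalent and do not need root; only `iptables-save` does.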
|
||||
|
@ -114,10 +114,10 @@ add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; po
|
|||
```
|
||||
You should be able to directly give this to nftables:
|
||||
```
|
||||
$ sudo iptables-restore-translate -f save.txt > ruleset.nft
|
||||
$ sudo nft -f ruleset.nft
|
||||
# iptables-restore-translate -f save.txt > ruleset.nft
|
||||
# nft -f ruleset.nft
|
||||
```
|
||||
$ sudo nft list ruleset
|
||||
# nft list ruleset
|
||||
List nft ruleset:
|
||||
```
|
||||
table ip filter {
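Review bot: `# nft list ruleset` sits between the closing fence of the `nft -f ruleset.nft` block and the opening fence after "List nft ruleset:", so it is Markdown prose, and a line beginning with `# ` renders as a top-level heading reading "nft list ruleset". The removed `$ sudo nft list ruleset` was merely stray text; this version visibly breaks the rendered page. Move the line inside the following fence, directly above `table ip filter {`, so it reads as the command that produced the listing.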
|
||||
|
@ -263,7 +263,7 @@ table ip mangle {
|
|||
|
||||
## Uninstall iptables
|
||||
```
|
||||
$ sudo apt purge --autoremove iptables
|
||||
# apt purge --autoremove iptables
|
||||
```
|
||||
|
||||
## Reference
|
||||
|
|
|
@ -9,7 +9,7 @@ netfilter-persistent 1.0.4+nmu2
|
|||
|
||||
## Install
|
||||
```
|
||||
$ sudo apt-get install -y iptables-persistent
|
||||
# apt-get install -y iptables-persistent
|
||||
```
|
||||
This command will install iptables-persistent and netfilter-persistent(depended iptables-persistent),
|
||||
|
||||
|
@ -19,19 +19,19 @@ netfilter-persistent service is auto running when netfilter-persistent was insta
|
|||
|
||||
Check service status:
|
||||
```
|
||||
$ sudo systemctl status netfilter-persistent
|
||||
# systemctl status netfilter-persistent
|
||||
```
|
||||
|
||||
If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service:
|
||||
```
|
||||
$ sudo systemctl start netfilter-persistent
|
||||
# systemctl start netfilter-persistent
|
||||
```
|
||||
|
||||
## How to config for persistent iptables
|
||||
|
||||
First, when configuring iptables rules done, need use the following command to save current iptables rules:
|
||||
```
|
||||
$ sudo dpkg-reconfigure iptables-persistent
|
||||
# dpkg-reconfigure iptables-persistent
|
||||
```
|
||||
|
||||
or
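Review bot: `systemctl status netfilter-persistent` does not need root; `systemctl status` works for any user, so keep it at the `$` prompt rather than moving it to `#`. More importantly, the sentence above says "enable netfilter-persistent service" but `# systemctl start netfilter-persistent` only starts the unit for the current boot; if the intent is that the rules come back after a reboot, the command should be `systemctl enable --now netfilter-persistent`.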
|
||||
|
@ -45,5 +45,5 @@ Note: User iptables-save/ip6tables-save command, save file must is above file na
|
|||
## Well-done
|
||||
Iptables rules would auto restore iptables rules when Operation system restart, or manual to exec following command:
|
||||
```
|
||||
$ sudo systemctl restart netfilter-persistent
|
||||
# systemctl restart netfilter-persistent
|
||||
```
|
||||
|
|
|
@ -8,12 +8,12 @@ nftables 0.9.0-2

## Pre-Install
```
$ sudo apt-get install -y nftables netfilter-persistent
# apt-get install -y nftables netfilter-persistent
```

## Uninstall iptables
```
$ sudo apt purge --autoremove iptables
# apt purge --autoremove iptables
```

## How to enable netfilter-persistent service
@ -22,12 +22,12 @@ netfilter-persistent service is auto running when netfilter-persistent was insta

Check service status:
```
$ sudo systemctl status netfilter-persistent
# systemctl status netfilter-persistent
```

If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service:
```
$ sudo systemctl start netfilter-persistent
# systemctl start netfilter-persistent
```

## How to config for persistent nft rules
@ -35,7 +35,7 @@ $ sudo systemctl start netfilter-persistent
### Get nftables ruleset
```
~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/etc.nftables.conf
~$ sudo mv etc.nftables.conf /etc/nftables.conf
~# mv etc.nftables.conf /etc/nftables.conf
```

Note: Please replace ens33 to interface name of your device
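Review bot: turning `~$ sudo mv etc.nftables.conf /etc/nftables.conf` into `~# mv etc.nftables.conf /etc/nftables.conf` breaks the two-line sequence when read literally: the `~$ wget` line downloads into the unprivileged user's home, but a root shell opened with `su -` or `sudo -i` starts in root's home, so `~# mv etc.nftables.conf` will not find the file. Either drop the `~` from both prompts and say that the two commands share a working directory, or give `mv` the absolute path of the downloaded file.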
@ -43,32 +43,32 @@ Note: Please replace ens33 to interface name of your device
### Get plugin of netfilter-persistent
```
~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft
~$ sudo mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft
~$ sudo chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft
~# mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft
~# chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft
```

## Well-done
Nft rules would auto restore nftables rules when Operation system restart, or manual to exec following command:
```
$ sudo netfilter-persistent start
# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start
```

## Additional usage
### Flush nft rules
```
$ sudo netfilter-persistent flush
# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft flush
```
### Save nft rules
```
$ sudo netfilter-persistent save
# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft save
```

### Restore nft rules
```
$ sudo netfilter-persistent start
# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start
```

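Review bot: the "Restore nft rules" block at the end of this hunk repeats the "Well-done" block verbatim (the same `# netfilter-persistent start` and the same `run-parts: executing .../15-nft start` line); keep one of them and make the other a one-line reference, otherwise the two will drift apart on the next edit. In the plugin block, the `~$ wget` line saves `usr.share.netfilter-persistent.plugins.d.15-nft` in the user's home while the `~# mv` and `~# chmod` lines run from a root shell whose `~` is a different directory, so the relative filename in `mv` only works if the reader stays in the same shell; an absolute source path would remove the ambiguity.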
@ -2,7 +2,7 @@

## Install
```
sudo apt-get install apache2
# apt-get install apache2
```

# How to use harbian-audit to audit and apply
@ -10,7 +10,7 @@ sudo apt-get install apache2
## Set firewall
```
sed -i 's/PUB_IFS=.*/PUB_IFS="interface of machine"/g' ./etc.iptables.rules.v4.4http.sh
sudo bash ./etc.iptables.rules.v4.4http.sh
# bash ./etc.iptables.rules.v4.4http.sh
```

## Audit and apply
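Review bot: the prompt convention inside this block is now inconsistent: `sed -i ... ./etc.iptables.rules.v4.4http.sh` carries no prompt while `# bash ./etc.iptables.rules.v4.4http.sh` carries `#`, so the second line reads as a comment rather than as the privileged step. Either put `$` on the sed line (it edits a file in the working directory and needs no privilege) or drop prompts from the whole block and say in prose that the bash step runs as root; in both cases note that the two lines must run from the same directory, since the script path is relative.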
@ -18,11 +18,11 @@ See the documentation for more details:
[harbian-audit-readme](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)

```
sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```


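Review bot: inside this block `# This is set special service to exception(6.10)` is a real comment, but every line around it now uses `#` as the root prompt, so a reader cannot tell comment from command. Move the remark into prose above the fence, for example "Set level 5 with the http service allowed, which exempts check 6.10", and keep `#` inside the fence for command lines only.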
@ -5,18 +5,18 @@

## Master node
```
sudo iptables-restore master-ufw-rules.conf
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --set-hardening-level 5
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# iptables-restore master-ufw-rules.conf
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --set-hardening-level 5
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```

## Worker node
```
sudo iptables-restore worker-ufw-rules.conf
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --set-hardening-level 5
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# iptables-restore worker-ufw-rules.conf
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --set-hardening-level 5
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
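Review bot: both the master and worker sequences end at `# bash bin/hardening.sh --apply` with no audit afterwards, so the reader never sees a step that confirms the applied state; add a final `# bash bin/hardening.sh --audit-all` to each block. `# iptables-restore master-ufw-rules.conf` and `# iptables-restore worker-ufw-rules.conf` also use bare relative filenames with no indication of where those rule files live in the repository; state the directory the commands are expected to run from.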
@ -11,14 +11,14 @@
### Install mysql

```
$ sudo apt install mysql-server
# apt install mysql-server
```
#### Configurate database

Create helloworld database

```
$ sudo mysql -uroot
# mysql -uroot

MariaDB [(none)]> CREATE DATABASE helloworld;
```
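Review bot: the heading says "Install mysql" and the command installs `mysql-server`, but the prompt that follows `# mysql -uroot` is `MariaDB [(none)]>`; a sentence saying that `mysql-server` on this Debian release pulls in MariaDB would save the reader from thinking the wrong package was installed. The blank line between `# mysql -uroot` and the `MariaDB` prompt reads as elided output; drop it or show the client banner so the block is a faithful session.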
@ -45,12 +45,12 @@ deb-src http://mirrors.163.com/debian/ stretch-backports main
and update

```
$ sudo apt update
# apt update
```

#### install the package
```
$ sudo apt -t stretch-backports install -y redis-server
# apt -t stretch-backports install -y redis-server
```

#### Configurate Redis
@ -82,7 +82,7 @@ systemctl restart redis
### Install Nodejs

```
$ sudo apt install curl -y
# apt install curl -y
```
#as root
```
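Review bot: the line `#as root` before the next fence now collides with the `#` root-prompt convention this commit introduces, and because there is no space after `#` it is not a Markdown heading either, so it renders literally. Replace it with a prose sentence ("Run the following as root:") or a proper `####` heading, and put `#` prompts on the command lines inside that fence instead.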
@ -206,8 +206,8 @@ module.exports = {

//Installation PM2:
```
$ sudo npm install pm2 -g
$ sudo chmod -R 755 /usr/lib/node_modules/pm2
# npm install pm2 -g
# chmod -R 755 /usr/lib/node_modules/pm2
```

```
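Review bot: `# chmod -R 755 /usr/lib/node_modules/pm2` is not explained; if the intent is to let the unprivileged application user read and traverse the globally installed module, say so in prose, and prefer `chmod -R a+rX /usr/lib/node_modules/pm2` (capital X), which grants read everywhere but execute only on directories and on files that are already executable, instead of marking every file under the tree executable.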
@ -217,7 +217,7 @@ $ pm2 startup systemd

[PM2] Init System found: systemd
[PM2] To setup the Startup Script, copy/paste the following command:
sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
# env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
```
change to root user and execute

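Review bot: the line `sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld` is output printed by `pm2 startup systemd` (see `[PM2] To setup the Startup Script, copy/paste the following command:` directly above it), not a command the document authored, so rewriting it to `# env ...` makes the quoted output differ from what the reader will actually see on screen. Leave the captured output as PM2 prints it; the following line "change to root user and execute" already covers how to run it without sudo.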
@ -238,7 +238,7 @@ now start the service

## Set iptables rules
```
$ sudo iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
# iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
```

## Test
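Review bot: `# iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT` inserts the rule at the head of INPUT in the running kernel only; nothing in this section saves it, so the rule is gone after a reboot and the "Test" step that follows will pass only until then. Add a sentence pointing to the persistence step documented elsewhere in this commit (`# dpkg-reconfigure iptables-persistent` or `# netfilter-persistent save`), or show the edit to the saved ruleset file instead.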
@ -5,22 +5,22 @@

## Server node
```
sudo iptables-restore iptables_ufw-4-server.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-server.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.2 6.3 6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```

## Client node
```
sudo iptables-restore iptables_ufw-4-client.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-client.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```


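Review bot: `# This is set special service to exception(6.2 6.3 6.10)` in the server block and `# This is set special service to exception(6.10)` in the client block are comments, yet every other `#`-prefixed line in these fences is now a root-prompt command, so comment and command are indistinguishable. Turn each comment into prose above its fence, for example "Set level 5 and allow dns, http and cups, which exempts checks 6.2, 6.3 and 6.10", and keep `#` inside the fences for commands only.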
@ -5,22 +5,22 @@

## Server node
```
sudo iptables-restore iptables_ufw-4-server.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-server.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.2 6.3 6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```

## Client node
```
sudo iptables-restore iptables_ufw-4-client.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-client.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```

