A robust POSIX-compliant shell script that automates security hardening for Linux systems through SSH hardening, intrusion detection, firewall configuration, and granular access controls. This production-grade solution ensures consistent security baselines while maintaining compatibility across major Linux distributions.
This script can potentially make your server inaccessible if not used properly. Make sure you:
- Have a backup access method
- Review the script before running
- Keep the terminal session open until completion
- Save all credentials shown/logged during execution
After running the script, you MUST:
-
Save the SSH Private Key
- Copy the entire private key content (starts with
-----BEGIN OPENSSH PRIVATE KEY-----
) - Store it securely on your local machine as
id_ed25519
or similar - Keep it strictly private and NEVER share it with anyone
- Without this key, you cannot access your server
- Copy the entire private key content (starts with
-
Save the Key Passphrase
- Store the generated passphrase securely
- Required every time you use the private key
- Keep it secret like a password
- Cannot be recovered if lost
-
Public Key (Optional Save)
- The part ending in
.pub
(starts withssh-ed25519
) - Already configured on the server
- Can be shared safely with others
- Used for adding access to other servers
- The part ending in
Without the private key and passphrase, you will permanently lose access to your server!
Tested and working on:
- Debian 11, 12
- Ubuntu 22.04, 24.04, 24.10
- Sensitive Data Control: New
-s
flag to control credential display - Separate console/file logging levels
- Better organized log file structure
- More detailed operation logging
- Better Examples: More usage examples and scenarios
- Clear Warnings: Improved warning messages and precautions
-
Removed unnecessary OS Restrictions
-
Tested on the following distributions:
- Ubuntu 22.04, 24.04, 24.10
- Debian 11, 12
- Fedora 40, 41 (in testing)
- FreeBSD (in future)
- Test Commands: Added various test scenarios
- Multi-distro: Support for testing across distributions
- Quick Testing: Faster feedback loop for testing changes
- Root/sudo privileges
- One of the supported Linux distributions:
- Debian 11/12
- Ubuntu 20.04/22.04/24.04
- Fedora 40/41
-u USERNAME
: Create a new sudo user-r
: Reset root password to secure random value-s
: Show sensitive information in console output-h
: Display help message
# Basic hardening (SSH, Fail2ban, UFW, create & secure SSH key for logged in user)
# Default behavior - no user creation, no root reset, no show credentials info
# Use it when VPS already disabled root password and created new user during setup (e.g. NetCup)
./init-linux-harden.sh
# Create new sudo user during hardening
# Use it when VPS already disabled root password, but no new user created
./init-linux-harden.sh -u jay
# Create new user and reset root password
./init-linux-harden.sh -u jay -r
# Show all credentials in console output (less secure)
./init-linux-harden.sh -u jay -s
- Check if the services are working properly
sudo ufw status
sudo fail2ban-client status
The script performs comprehensive security hardening:
- Uses Ed25519 SSH keys (stronger than RSA)
- Disables root login
- Disables password authentication
- Enforces public key authentication
- Creates backup of original config
- Secures authorized_keys file with proper permissions
- Protects against brute force attempts
- Configures SSH jail (1 day ban time)
- Configures recidive jail (30 days for repeat offenders)
- Configures nginx-http-auth jail
- Auto-excludes server's public IP
- TIP: Unban using
fail2ban-client set sshd unbanip <IP>
- Enables and configures UFW
- Allows SSH (22), HTTP (80), HTTPS (443)
- Blocks all other incoming traffic
- Allows all outgoing traffic
- TIP: Add new rules with
ufw allow <service>
- Option to reset root password
- Creates new sudo user (optional)
- Generates secure random password
- Creates Ed25519 SSH key pair with 1000 KDF rounds
- Configures authorized_keys securely
- TIP: Copy the user credentials from the log file after the script completes
- Creates backups of all modified configuration files
- Automatic recovery if operations fail
- Restarts affected services as needed
- Detailed logging for troubleshooting
- All operations logged to
./${SCRIPT_NAME}_TIMESTAMP.log
- Sensitive information only logged to file by default
- Optional console display with
-s
flag - Execution time tracking
- Separate console/file logging levels
- Test on Fedora 40, 41 on VPS and not on Docker (it fails on Docker right now)
- Test on FreeBSD
Copyright © 2025, Pratik Kumar Tripathy. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.