jsitech / jshielder

Hardening Script for Linux Servers/ Secure LAMP-LEMP Deployer/ CIS Benchmark

License: GNU General Public License v3.0

Shell 26.85% PHP 70.43% CSS 0.54% JavaScript 0.01% HTML 0.05% Perl 0.22% C 1.10% Roff 0.76% Vim Script 0.05%
linux cis-benchmark linux-server hardening ubuntu-server centos7 lamp-stack hardening-steps iptables ubuntu1604

Contributors: andretapxure, beatle01, danvau7, jsitech, themiddleblue

jshielder's Issues

Issues Running Script in Ubuntu 18.04

In Ubuntu 18.04, I selected the CIS Benchmark script option. Inside the script it's still showing Ubuntu 16. Please add an option to choose whether a boot loader password is required or not; while running the script in Google Cloud there is no option to view the boot sequence, so the OS didn't boot up after the reboot. Also there is no mention of which SSH port is set by the script.

Following are the error messages I got while running the script.

do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/ssh.service/devices.deny failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/ssh.service/devices.allow failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sshguard.service/devices.deny failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sshguard.service/devices.allow failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sys-fs-fuse-connections.mount/devices.deny failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sys-fs-fuse-connections.mount/devices.allow failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sys-kernel-config.mount/devices.deny failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sys-kernel-config.mount/devices.allow failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sys-kernel-debug.mount/devices.deny failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/sys-kernel-debug.mount/devices.allow failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/system-getty.slice/devices.deny failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/system-getty.slice/devices.allow failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/devices/system.slice/system-postfix.slice/devices.deny failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-machine-id-commit.service/memory.force_empty failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-machine-id-commit.service/memory.pressure_level failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-machine-id-commit.service/cgroup.event_control failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-modules-load.service/memory.force_empty failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-modules-load.service/memory.pressure_level failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd-wait-online.service/memory.force_empty failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/ufw.service/memory.force_empty failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/ufw.service/memory.pressure_level failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/ufw.service/cgroup.event_control failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/memory.force_empty failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/memory.pressure_level failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/user.slice/memory.force_empty failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/user.slice/memory.pressure_level failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control failed: Permission denied

kex_exchange_identification invalid characters fatal error Ubuntu 18.04

There's a problem running the script on Ubuntu 18.04.5 within a Microsoft Azure VM. I was able to encrypt the grub (as well as enable all other options), and still boot the system successfully and eventually gain root access.

However, the issue comes with trying to ssh into the vm via the user account that gets generated.

I've tried every ..

noket@noket:~/.ssh$ ssh -o PasswordAuthentication=yes -vvv -o User=dbparent -o EnableSSHKeysign=no -o AddKeysToAgent=yes -o PreferredAuthentications=password xx.xxx.xx.xx
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname xx.xxx.xx.xx is address
debug2: ssh_connect_direct
debug1: Connecting to xx.xxx.xx.xx [xx.xxx.xxx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/noket/.ssh/id_rsa type -1
debug1: identity file /home/noket/.ssh/id_rsa-cert type -1
debug1: identity file /home/noket/.ssh/id_dsa type -1
debug1: identity file /home/noket/.ssh/id_dsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519 type -1
debug1: identity file /home/noket/.ssh/id_ed25519-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_xmss type -1
debug1: identity file /home/noket/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
kex_exchange_identification: banner line contains invalid characters
single ..

noket@noket:~/.ssh$ ssh -o PasswordAuthentication=yes -vvv -o User=azureuser xx.xxx.xx.xx
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname xx.xxx.xx.xx is address
debug2: ssh_connect_direct
debug1: Connecting to xx.xxx.xxx.xx [xx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/noket/.ssh/id_rsa type -1
debug1: identity file /home/noket/.ssh/id_rsa-cert type -1
debug1: identity file /home/noket/.ssh/id_dsa type -1
debug1: identity file /home/noket/.ssh/id_dsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519 type -1
debug1: identity file /home/noket/.ssh/id_ed25519-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_xmss type -1
debug1: identity file /home/noket/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: kex_exchange_identification: banner line 0: \344\250\324\300<\013\251\342.#\351]e\360N>\356\277\224\242\2039\252!\264\253$
kex_exchange_identification: banner line contains invalid characters
noket@noket:~/.ssh$
.. variation

noket@noket:~/.ssh$ ssh -vvv -o CertificateFile=./[email protected] [email protected]
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname xx.xxx.xx.xxx is address
debug2: ssh_connect_direct
debug1: Connecting to xx.xxx.xx.xx [xx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/noket/.ssh/id_rsa type -1
debug1: identity file /home/noket/.ssh/id_dsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/noket/.ssh/id_ed25519 type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk type -1
debug1: identity file /home/noket/.ssh/id_xmss type -1
debug1: certificate file ./[email protected] type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
kex_exchange_identification: banner line contains invalid characters

.. but no matter what I do .. no matter how grossly permissive I make the settings (i.e. setting fail2ban's limit to 250 attempts, or setting sshd's limits to 250 attempts and active sessions) .. I keep getting hit with this problem.

I've tried ssh-add -D .. I've tried rebooting both systems several times .. I've tried clearing out all my private keys .. I've tried reinstalling the daemon .. Nothing has worked.

I kind of need a hardened Azure VM for a production setting. Any help you can offer would be appreciated; ideally with a proper bug-fix and maybe a quick fix .. i.e. "oh, the problem is module xyz, don't use it when you run hardening" (because the 30 links I've investigated on Google have all been dead ends).
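The error in the transcripts above is what OpenSSH prints when the first line it receives is not an SSH identification string. RFC 4253 section 4.2 requires that line to be "SSH-protoversion-softwareversion" optionally followed by a space and comments, in printable US-ASCII, so a failing banner means whatever answered on that port is either not sshd or is being mangled before the client sees it. The following added example (my code, not the issue author's and not part of JShielder) reads the first line a port sends and validates it against that format, separating "sshd rejected me" from "something else is answering". The probe_ssh_banner helper, its use of bash's /dev/tcp and its 5-second timeout are assumptions; the invalid sample bytes in the test are copied from the second transcript.

```shell
#!/usr/bin/env bash
# Added example (my code, not from the issue author or from JShielder).
# RFC 4253 section 4.2: the server's first line must be an identification string
# "SSH-protoversion-softwareversion [SP comments]" in printable US-ASCII, which is
# exactly what OpenSSH checks before reporting "banner line contains invalid characters".

# ssh_banner_valid LINE -> 0 if LINE is a well-formed SSH identification string
ssh_banner_valid() {
    local banner="$1"
    case "$banner" in
        SSH-2.0-*|SSH-1.99-*) ;;
        *) printf 'not an SSH identification string: %s\n' "$banner" >&2; return 1 ;;
    esac
    # anything outside printable ASCII 0x20..0x7E (CR/LF already stripped) is invalid
    if printf '%s' "$banner" | LC_ALL=C grep -q '[^ -~]'; then
        echo "banner contains non-printable characters" >&2
        return 1
    fi
    return 0
}

# probe_ssh_banner HOST [PORT] -> prints the first line the peer sends and validates it.
# Assumed helper: uses bash's /dev/tcp so no netcat is needed; 5 s read timeout.
# Return 2 means nothing answered at all (closed port, firewall, wrong port).
probe_ssh_banner() {
    local host="$1" port="${2:-22}" line
    line=$(bash -c 'exec 3<>"/dev/tcp/$0/$1" && IFS= read -r -t 5 l <&3 && printf "%s" "$l"' \
               "$host" "$port" 2>/dev/null) || return 2
    line=$(printf '%s' "$line" | tr -d '\r')
    printf '%s\n' "$line"
    ssh_banner_valid "$line"
}
# Usage: probe_ssh_banner xx.xxx.xx.xx 22
```

If the probe prints an HTTP status line, a TLS hello or binary garbage like the bytes in the transcript, the fix is on the server side (what is bound to that port, or what sits in front of it), not in the client's key or authentication settings.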

./jshielder.sh: line 1213: replace: command not found

On final step

---------------------------------------------------------------------------------------------------------
[+] Final Step
---------------------------------------------------------------------------------------------------------

./jshielder.sh: line 1213: replace: command not found

Forbidden

After running the tool, I get a message: You don't have permission to access / on this server.

CIS Controls 5.3.* (PAM)

On Ubuntu 16.04 LTS, I encountered several issues with the PAM configuration that may warrant review/confirmation. I tested this on a basic server configuration with only the base system and OpenSSH installed.

Under the CIS controls for 5.3:

  1. Since we are using pam_pwquality, you may want to install the package (apt-get install libpam-pwquality) BEFORE copying files.

  2. The template file (templates/common-passwd-CIS) copy command had no effect in my testing, because the system file that you want to overwrite is actually /etc/pam.d/common-password.

  3. The templates/common-passwd-CIS syntax is actually non-compliant with CIS control 5.3.3, which expects the pam_pwhistory module to be used. Also, the section added to the template after the "#CIS" comment did not behave as expected in my testing. I think a template config like the following may work better (at least, it achieved my objectives and behaved as expected/desired for password resets for local users and from root):

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password	requisite			pam_pwquality.so  try_first_pass retry=3
password    required            pam_pwhistory.so  use_authtok  remember=5
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required			pam_permit.so

# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
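The three points above (wrong target file name, pam_pwquality needing its package, pam_pwhistory for reuse control) are all things that silently fail: the copy lands in the wrong place, or a module line references a .so that is not installed, and the stack keeps running on the old rules. The following added check (my code, not the issue author's and not part of JShielder) audits a common-password file for exactly those points after a template has been applied. It looks for pam_pwquality enforced as requisite/required, pam_pwhistory with remember at least 5 (CIS 5.3.3 as quoted above) and sha512 on pam_unix. The two sample stacks it writes are constructed: one is the template posted above, the other a stock-style Ubuntu stack with neither module.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or of JShielder: audit a PAM password
# stack (normally /etc/pam.d/common-password, the file name the issue points out)
# for the controls discussed above. Prints one line per finding; returns 0 only
# when every check passes, so it can gate the rest of a hardening run.
check_common_password() {
    local f="$1" rc=0 cfg remember
    if [ ! -r "$f" ]; then
        echo "FAIL: $f not readable (was the template copied to the right path?)"
        return 1
    fi
    # drop comments and blank lines so a commented-out module is not counted
    cfg=$(grep -Ev '^[[:space:]]*(#|$)' "$f")
    if ! printf '%s\n' "$cfg" | grep -Eq '^password[[:space:]]+(requisite|required)[[:space:]]+pam_pwquality\.so'; then
        echo "FAIL: pam_pwquality.so not enforced (module line missing; libpam-pwquality installed?)"
        rc=1
    fi
    remember=$(printf '%s\n' "$cfg" \
        | grep -E '^password[[:space:]]+(requisite|required)[[:space:]]+pam_pwhistory\.so' \
        | grep -oE 'remember=[0-9]+' | cut -d= -f2)
    if [ -z "$remember" ]; then
        echo "FAIL: pam_pwhistory.so missing or without remember= (CIS 5.3.3)"
        rc=1
    elif [ "$remember" -lt 5 ]; then
        echo "FAIL: pam_pwhistory remember=$remember, CIS 5.3.3 expects at least 5"
        rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -E '^password.*pam_unix\.so' | grep -q 'sha512'; then
        echo "FAIL: pam_unix.so not hashing with sha512"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $f"
    return "$rc"
}

# Constructed samples (not real system files) written into DIR:
#   common-password.cis   the stack posted in the issue above
#   common-password.stock a stock-style Ubuntu stack without pwquality/pwhistory
write_pam_samples() {
    local dir="$1"
    cat >"$dir/common-password.cis" <<'EOF'
password    requisite                   pam_pwquality.so try_first_pass retry=3
password    required                    pam_pwhistory.so use_authtok remember=5
password    [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
password    requisite                   pam_deny.so
password    required                    pam_permit.so
EOF
    cat >"$dir/common-password.stock" <<'EOF'
# pam_pwquality.so is mentioned only in this comment, so it must not count
password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite                   pam_deny.so
password    required                    pam_permit.so
EOF
}
# Usage on a live host: check_common_password /etc/pam.d/common-password
```

Run it before and after copying the template: a PASS on the live file proves the copy hit /etc/pam.d/common-password and not a file PAM never reads.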

Ubuntu 18.04 issue with install nginx with mod_security

Hi,

Want to first say great stuff with these scripts! They really make things easier.

I tried to install nginx with mod_security for Ubuntu 18.04 and couldn't get it working. In the end I decided to run the commands in the script manually and found the following:

The install package list needs to be corrected: apache2-prefork-dev should be changed to apache2-dev
apt -y install git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev

For the configure command, it is pointing to the Ubuntu 14.04 directory when I think it should be pointing to the 18.04 directory
./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --add-module=/root/JShielder/UbuntuServer_18.04LTS/src/ModSecurity/nginx/modsecurity

I had gcc 7 installed, and there is a compilation bug with nginx and gcc 7. It is recommended to install nginx 1.13+; I installed the latest, 1.15.0. https://trac.nginx.org/nginx/ticket/1259

Again great work and keep it up!

Thanks

Webpages always come back with "Tareas de mantenimiento en curso. Disculpe las molestias"

Greetings! Thank you so much for this script. I love the tools that it includes which have made a great research project.

I have encountered an issue where every time I try to run anything PHP, the server returns:
"Tareas de mantenimiento en curso. Disculpe las molestias" ("Maintenance tasks in progress. Sorry for the inconvenience")
It's very hindering when my LAMP server cannot do as intended, so I am trying to figure out what is responsible for returning it.
When I looked into it, I found that the message comes up when there is an "ErrorDocument 500". Even when I changed all directories to have permissions 777, the message remained, so it's not a permissions issue.
Any ideas on how to fix it so I can run my web programs?

Thank you!

Can't run Algo

After installing LAMP on Ubuntu 18.04 I get an error message when I try to install Algo.
./algo: line 22: /home/<user>/algo/env/bin/ansible-playbook: Permission denied
Is there anything in the server hardening that would be causing this? That particular line in ansible-playbook is:

line 21: from __future__ import (absolute_import, division, print_function)
line 22: __metaclass__ = type

Any ideas?

MaxMindDB GeoIP2

ModSecurity used to have this feature, but now that MaxMind has moved to GeoIP2, it's all broken.

It is still possible to set up country-level blocking based on known IPv4 and IPv6 ranges, but it requires manually building the MaxMind module and editing apache2.conf.

Ideally, at install time, the bash script could let someone choose which countries they want to allow.

Preliminary code is below. You would still need to add directives to apache2.conf, create cron job that auto updates ip ranges, and a couple of other things.

### MAXMIND
# Program to update database
# Edit apache.conf to allow maxmind and set <if> block
set -e
add-apt-repository -y ppa:maxmind/ppa
apt-get update
apt-get install -y libmaxminddb0 libmaxminddb-dev mmdb geoipupdate
# Note: since 2019-12-30 MaxMind requires a (free) account and license key to
# download GeoLite2, so this anonymous URL no longer works; configure geoipupdate
# with the key instead and let it fetch the .mmdb.
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz
tar -xzf GeoLite2-Country.tar.gz
mkdir -p /usr/local/share/GeoIP
mv GeoLite2-Country*/GeoLite2-Country.mmdb /usr/local/share/GeoIP/

wget https://github.com/maxmind/mod_maxminddb/releases/download/1.1.0/mod_maxminddb-1.1.0.tar.gz
tar -xzf mod_maxminddb-1.1.0.tar.gz
cd mod_maxminddb-1.1.0
./configure      # needs apxs from apache2-dev to build an Apache module
make install     # builds and installs the module, then enables it via apxs
# Configure GeoIP update https://dev.maxmind.com/geoip/geoipupdate/
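The post stops short of the Apache side: the directives that load the database and the block that turns a country code into an allow/deny decision. The following added example (my code, not the issue author's and not part of JShielder) takes the list of countries an operator wants to allow, validates each as an ISO 3166-1 alpha-2 code so a typo such as "USA" cannot silently widen or break the rule, and prints the configuration to drop into apache2.conf. The MaxMindDBEnable, MaxMindDBFile and MaxMindDBEnv directive names follow the mod_maxminddb README; the database path, the use of a <Location> block with Require expr, and the GEOIP_DB override are assumptions about the target layout.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or JShielder: emit the Apache directives the
# post says are still missing. geo_allow_conf CC [CC...] validates the codes and
# prints a mod_maxminddb config that denies every country not in the list.
geo_allow_conf() {
    local db="${GEOIP_DB:-/usr/local/share/GeoIP/GeoLite2-Country.mmdb}" code alt=""
    [ "$#" -gt 0 ] || { echo "usage: geo_allow_conf CC [CC...]" >&2; return 1; }
    for code in "$@"; do
        # exactly two uppercase ASCII letters, otherwise the regex below is wrong
        if ! printf '%s' "$code" | LC_ALL=C grep -qE '^[A-Z]{2}$'; then
            echo "invalid country code: $code" >&2
            return 1
        fi
        alt="${alt:+$alt|}$code"
    done
    cat <<EOF
# generated by geo_allow_conf: allow only $alt
<IfModule mod_maxminddb.c>
    MaxMindDBEnable On
    MaxMindDBFile COUNTRY_DB $db
    MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code
</IfModule>
# Applied site-wide; with AuthMerging Off (the default) this Require replaces the
# "Require all granted" of the <Directory> blocks. Clients that resolve to no
# country (private ranges, database miss) get an empty code and are denied too,
# so test from the management network before relying on it.
<Location "/">
    Require expr "%{env:MM_COUNTRY_CODE} =~ /^($alt)\$/"
</Location>
EOF
}
# Usage: geo_allow_conf US CA > /etc/apache2/conf-available/geo-allow.conf
#        a2enconf geo-allow && apachectl configtest && systemctl reload apache2
```

Denying on an empty country code is the safe default for an internet-facing host, but it also means loopback and RFC 1918 monitoring probes are refused; add a "Require ip" line for those ranges inside the same <Location> if that matters.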

Future updates

Are you planning to contribute more to this repo? CentOS 7 says it's under development but hasn't had anything added for 2 years. Ubuntu 18.04 LTS hasn't really been touched in 4 months, and I'm questioning whether it's still worth using, or whether there are any security flaws that might have cropped up.

Add Rootcheck Install

Add a rootcheck install during JShielder execution. Rootcheck is an open source command line tool that looks for indicators of compromise on Linux or BSD systems. It looks for known backdoors, kernel-level rootkits, malware and insecure configuration settings. It performs a few tests that will certainly help during a hack investigation.

CIS Benchmark By Level

What are the Level 1 and Level 2 Profiles within a CIS Benchmark?
Most CIS Benchmarks include multiple configuration profiles. A profile definition describes the configurations assigned to benchmark recommendations.

The Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.

The Level 2 profile is considered to be "defense in depth" and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.

Every recommendation within each CIS Benchmark is associated with at least one profile. Regardless of which level profile you plan to implement in your environment, we recommend applying CIS Benchmark guidance in a test environment first to determine potential impact.

Will separate the steps run by JShielder CIS by level; this will give the user some flexibility. For Level 2, given that the steps may be a little restrictive, most of them will have a description and the user may choose not to run them depending on their environment.

ServerKeyBits

You may wish to increase the ServerKeyBits in sshd_config-CIS to 1024, from 768.

Multiple Issues to Fix.. Email Report

Multiple Issues to Fix. Thanks Erik Bos for Testing the Script and pointing them out.

Hi Jason,

Really like your script; it's a lot of work, and there's a lot more to be done to polish it. I hope that the below helps you on your way to a great script.

You just have to work through it module by module.

Erik

My test environment:
I ran it last night on a Vultr server as a test and ran into a ton of errors.
On: fresh Ubuntu 14.04

Please note: I have some technical experience but am not a professional; I don't know how to effect changes on Git or contribute that way.
End goal: a clean script install that is easy to use and works, where the programs installed securely email you when things go wrong, and where you also get an email at the end of the install showing you a bunch of commands you can use.

Suggestions:

Tell the user to navigate to the folder where jshielder is.

Then chmod the permissions of jshielder.sh to 744 so that it can write.

chmod 744 ./jshielder.sh

then
./jshielder.sh

Include in update system:

apt-get dist-upgrade

Try to be consistent in all the prompts: some modules require user interaction [Y/N] to download the apt-get files, some don't.
I would just change this to Y for automatic downloading of new modules/programs.

APACHE install

For the Apache and fail2ban installs, just build in an automatic Y to download the files needed.

Apache reports a failure on restart:

To activate the new configuration, you need to run:
service apache2 restart

  • Restarting web server apache2 [fail]
  • The apache2 configtest failed.
    Output of config test was:
    AH00526: Syntax error on line 86 of /etc/apache2/apache2.conf:
    Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
    Action 'configtest' failed.

You need to enable mod_headers, as it isn't loaded:

Check mods installed:

/usr/sbin/apache2 -l

This shows the error you get because mod_headers is not loaded:

apachectl -t -D DUMP_MODULES
or
apachectl -M

lists the available modules:

ls /etc/apache2/mods-available

TO FIX, you need to activate mod_headers:

a2enmod headers

FIX this in apache2.conf (see http://www.websiteoptimization.com/secrets/advanced/configure-etags.html):

Header unset ETag
FileETag none
TraceEnable off

ErrorDocument 404 "Archivo no encontrado"
ErrorDocument 500 "Tareas de mantenimiento en curso. Disculpe las molestias"

To

ErrorDocument 404 "File Not Found"
ErrorDocument 500 "The server encountered an internal error or misconfiguration and was unable to complete your request"

Mod security:

The install works but fails to create
/etc/modsecurity/modsecurity.conf

Mod_security install

Action 'configtest' failed.
The Apache error log may have more information.
apache2_reload: Your configuration is broken. Not restarting Apache 2
Processing triggers for libc-bin (2.19-0ubuntu6.7) ...

  • Restarting web server apache2 [fail]
  • The apache2 configtest failed.
    Output of config test was:
    apache2: Syntax error on line 69 of /etc/apache2/apache2.conf: Could not open config directory /usr/share/modsecurity-crs: No such file or directory
    Action 'configtest' failed.

Again, this is a module that is not loaded; go into /etc/apache2 to see the mods enabled.

Run:

apt-get install libapache2-modsecurity

apt-get install --reinstall modsecurity-crs

which installs the folders the Apache config is asking for.

service apache2 restart

gives no errors,

but there is a new 3.0 forked version out:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Upcoming_Major_Release_3_0_0

install instructions:
https://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

ROOTKIT HUNTER

To fix at the end of the install, change to English:

To Run RootKit Hunter
rkhunter -c --enable all --disable none
Puede ver el reporte detallado en /var/log/rkhunter.log (i.e. "You can see the detailed report in /var/log/rkhunter.log")

IPtables fix

It doesn't save rules between reboots. To make them persistent:

apt-get install iptables-persistent
service iptables-persistent start

Also, iptables doesn't seem to be integrated with PSAD, even with these commands:

iptables -A INPUT -j LOG

iptables -A FORWARD -j LOG

UNHIDE

Add this to the end of the script or email it out to users:
commands to run to find hidden processes and hidden ports

sudo unhide-linux26 proc
sudo unhide-linux26 sys
sudo unhide-linux26 brute
sudo unhide-tcp

PSAD IPS

Errors on install:

[*] Invalid EMAIL_ADDRESSES value: "INBOX" at /usr/sbin/psad line 3475.

  • Unable to start the daemon
  • Starting Port Scan Attack Detector psad [fail]
    Installation and Configuration Complete
    Run service psad status, for detected events

This is line 3475 of psad:

die qq([*] Invalid EMAIL_ADDRESSES value: "$config{'EMAIL_ADDRESSES'}")

which could indicate a sendmail error.
Testing sendmail (sendmail takes the message on stdin; the -s subject flag belongs to mail, not sendmail):

echo "test" | sendmail -v [email protected]

Looking in

/var/log/mail.log

reveals that sendmail is not set up properly and needs a relay; it needs the username, password and email information.

You need to install

apt-get install postfix

and get saslauthd, which is the daemon for SMTP authentication,
and get the whole sendmail relay working.

And you have to add the email and hostname here:

nano /etc/psad/psad.conf

Then update the definitions:

psad --sig-update

then import the signatures:

service psad restart

psad -H

See here to configure: https://www.digitalocean.com/community/tutorials/how-to-use-psad-to-detect-network-intrusion-attempts-on-an-ubuntu-vps

Out of the box it doesn't seem to be integrated with iptables; you have to check, but I only see fail2ban:

iptables -L
or
iptables -S

SSH install

This is just a mess.

Specifically, the biggest one is the SSH key creation: the script is trying to create directories via cat, but it cannot.

Change the wording:

tell the user to open up a new connection to the server to create the SSH keys on the server,

but first give them the commands to create the new folders, or have the script fixed to accomplish that.

This is just a mess.

PHP

Install PHP 7: better memory use, security, newest.
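Two of the report's findings belong together: psad only analyses packets that iptables hands to the LOG target, and rules appended with "iptables -A" go to the end of the chain, so on a host that already has a catch-all DROP the new LOG rule sits behind it and never fires, which looks exactly like "not integrated with PSAD". The following added example (my code, not Erik's and not part of JShielder) reads "iptables -S" or iptables-save output and reports, for INPUT and FORWARD, whether a LOG rule exists before any catch-all DROP/REJECT in the same chain. Both sample rule sets are constructed, not captured from a real host; the fail2ban-ssh jump mirrors the chain the report mentions seeing.

```shell
#!/usr/bin/env bash
# Added example, not part of the email above or of JShielder. Reads iptables -S
# (or iptables-save) rules from a file argument or stdin and checks that INPUT
# and FORWARD each have a LOG rule that packets can actually reach. Returns 0
# only when both chains log usefully.
psad_log_rules_ok() {
    awk '
    $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
        chain = $2
        # a LOG rule counts only while no catch-all DROP/REJECT precedes it
        for (i = 3; i < NF; i++)
            if ($i == "-j" && $(i + 1) == "LOG" && !(chain in blocked))
                logged[chain] = 1
        # "-A CHAIN -j DROP|REJECT ..." with no match criteria is a catch-all;
        # rules with -s/-p/-i/--dport are specific and do not shadow LOG
        if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
            blocked[chain] = 1
    }
    END {
        rc = 0
        n = split("INPUT FORWARD", want, " ")
        for (i = 1; i <= n; i++) {
            c = want[i]
            if (c in logged)
                print "OK: " c " has a LOG rule before any catch-all DROP/REJECT"
            else {
                print "MISSING: no effective LOG rule in " c " (psad will not see its traffic)"
                rc = 1
            }
        }
        exit rc
    }' "$@"
}

# Constructed sample rule sets (not captured from a real host).
# Good: LOG rules inserted before the default-deny rule, so every packet that
# is about to be dropped is logged first.
sample_rules_good() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG
EOF
}
# Bad: "iptables -A INPUT -j LOG" was run on a chain that already ended in a
# catch-all DROP, so the LOG rule is unreachable and psad sees nothing.
sample_rules_bad() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -j LOG
-A FORWARD -j LOG
EOF
}
# Usage: iptables -S | psad_log_rules_ok      (or: psad_log_rules_ok saved-rules.txt)
```

When the check reports MISSING, the fix is to insert rather than append ("iptables -I INPUT <n> -j LOG" just above the DROP), and then to save the result with iptables-persistent so the ordering survives the reboot the report complains about.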

Project Artillery install and Configuration

Replace PortSentry with Artillery.

Project Artillery is a great open source Linux tool written by TrustedSec. Artillery will set up multiple ports on the Linux system and, if anything touches them, will automatically blacklist the source (port scanners, etc.). In addition, it monitors the filesystem for changes and emails the changes back to you. Artillery has the ability to set up a honeypot, which gives attackers and malware the appearance that specific ports are open. Once those ports are accessed, the IPs are blocked. This is a great way to filter out attackers and botnets.

It also makes use of global blacklists, and we would have the ability to integrate our own.

Enhance SSH Security with Port Knocking

Port knocking can be used to further secure the SSH server. Adding port knocking will set a firewall rule to block SSH access from everywhere. To gain access, a sequence of connection attempts to predefined ports must be made before SSH access is enabled.

The Customized Run Has Some Errors; Not Running Certain Tasks

I asked in a previous issue whether JShielder was updated to the new CIS 2.0.1 standard. While testing all the features of JShielder, I noticed that some of the "Customized Run" scripts aren't executing.

Replication:

  • Run jshielder.sh as root.
  • Enter the "2. Ubuntu Server 18.04 LTS" menu.
  • Enter the "6. Customized Run (Only run desired Options)" menu.
  • Try running any of the following; they don't execute:
    -- 10. Install Nginx with ModSecurity Module and Set OwaspRules
    -- 11. Set Nginx Vhost with PHP
    -- 12. Set Nginx Vhost
    -- 14. Install and Secure PHP for Nginx Server

There are probably more issues, but I've noticed that any scripts related to Nginx don't seem to run. If money is a possible incentive, I'm willing to send money to you via PayPal to get an updated version of JShielder. I love this script; it makes my work securing my servers so much more convenient. CIS also released their benchmark for Ubuntu 20.04 LTS, but I understand if you're not ready to dive into that one just yet. Either way, I hope to hear from you soon. Thank you again for creating this project. I just hope to see an update soon. 🙂

nginx can't install

--2019-09-08 04:09:41-- http://nginx.org/download/nginx-1.14.0
Resolving nginx.org (nginx.org)... 95.211.80.227, 62.210.92.35, 2001:1af8:4060:a004:21::e3
Connecting to nginx.org (nginx.org)|95.211.80.227|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-09-08 04:09:42 ERROR 404: Not Found.

--2019-09-08 04:09:42-- http://1.14.0/
Resolving 1.14.0 (1.14.0)... 1.14.0.0
Connecting to 1.14.0 (1.14.0)|1.14.0.0|:80... failed: Connection timed out.
Retrying.

--2019-09-08 04:11:53-- (try: 2) http://1.14.0/
Connecting to 1.14.0 (1.14.0)|1.14.0.0|:80...
