First Ten Seconds - Ubuntu, Red Hat / Rocky Linux / Alma Linux Edition

First Ten Seconds - Ubuntu, Red Hat / Rocky Linux / Alma Linux Edition
Post-run output describing what the script did

There are a few initial security steps you should take for any new Linux server. This script performs several of those tasks in an automated fashion for you, saving you time and ensuring consistency.

I really liked Jerry Gamblin's "My first 10 seconds on a server" blog post,  and Bryan Kennedy's "My first 5 minutes on a server." Jerry's script runs on Ubuntu. I like and use Ubuntu primarily, but thought a script that runs on Red Hat builds as well as Ubuntu would be useful. The steps required are quite different for those distro's even though the end goal is the same.

Also, Jerry's script is probably great for his use case, but it doesn't do some things I like to do, and does some I wouldn't typically do. For example, it doesn't disable remote access for the root user, and it captures all network packets to a PCAP file.

Bryan's guide is great but it's a manual process that takes much more time and effort than firing off a script.

The script is available on GitHub under the GPL. It is open source. Feel free to use it and suggest improvements.

To successfully run this script in its entirety, you'll have to have a non-root user created and that user should have sudo permissions and be configured to use key-based SSH for remote access.

This script will do the following for Ubuntu:

  1. Ensure a non-root user is set up.
  2. Ensure non-root user also has sudo permission (script won't continue without it).
  3. Ensure SSH is allowed through the ufw firewall.
  4. Ensure ufw firewall is enabled.
  5. Lock down SSH if you choose "y" for that step.
  6. Set SSH not to display banner
  7. Disable all forwarding
  8. Disable root login over SSH
  9. Ignore rhosts
  10. Disable password authentication
  11. Install fail2ban and configured it to protect SSH. (note) For a default Ubuntu server installation, automatic security updates are enabled so no action was taken regarding updates.

The script will do the following for Red Hat and Red Hat based distro's:

  1. Ensure a non-root user is set up.
  2. Ensure non-root user also has sudo permission (script won't continue without it).
  3. Ensure SSH is allowed through the firewalld firewall.
  4. Ensure firewalld firewall is enabled.
  5. Locked down SSH if you choose "y" for that step.
  6. Set SSH not to display banner
  7. Disable all forwarding
  8. Disable root login over SSH
  9. Ignore rhosts
  10. Disable password authentication
  11. Install fail2ban and configured it to protect SSH.
  12. Ensure automatic security updates are configured.

Again, please visit the project on GitHub. Usage instructions are included and the code is completely visible.