[Sticky] Hardening Ubuntu or Raspbian (Raspberry Pi or other Linux Servers) for 3D Printing

Print3D
(@print3d)
Member Admin
Joined: 6 years ago
Posts: 101
Topic starter

Hello,
We are attaching a script you can use to harden your Raspbian or Ubuntu server for running Mainsail or OctoPrint and have a secure server that will not be hacked. I have seen clients who have had a Raspberry Pi or other Linux server hacked literally within the first 12 hours of attaching it to their network; there are ALWAYS people hunting to hack your devices and add them to a botnet. I recommend using this hardening guide at the very minimum, and make sure to research each operating system. Some stuff is done manually, some is done by my script.

Save the script in your server via ssh as "harden.sh" and then make sure to "chmod +x harden.sh"

#!/bin/bash
# Run this as your normal (sudo-enabled) user with ./harden.sh, not via "sudo ./harden.sh",
# so that $HOME below refers to your own home directory.
# Abort on the first failed command instead of silently continuing.
set -euo pipefail

# Update the package list and upgrade installed packages
sudo apt update
sudo apt upgrade -y

# Allow the necessary ports first, then enable Uncomplicated Firewall (UFW).
# Allowing SSH before "ufw enable" keeps your current SSH session from being locked out.
sudo ufw allow 22   # Allow SSH
sudo ufw allow 80   # Allow HTTP (if applicable)
sudo ufw allow 443  # Allow HTTPS (if applicable)
sudo ufw allow 7125 # Allow moonraker
# sudo ufw allow 8080 # Allow crowsnest if you are using webcam, remove the #
sudo ufw --force enable   # --force skips the interactive "may disrupt existing ssh connections" prompt

# Disable root login and password authentication.
# The stock sshd_config ships these directives commented out ("#PermitRootLogin prohibit-password",
# "#PasswordAuthentication yes"), so a plain "s/PermitRootLogin yes/.../" matches nothing; the
# patterns below match the commented form too. Password logins are only disabled when an SSH key
# is already installed, otherwise you lock yourself out of the server.
sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
if [ -s "$HOME/.ssh/authorized_keys" ]; then
    sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
    # Newer Ubuntu/Debian read /etc/ssh/sshd_config.d/*.conf before the main file, and sshd keeps the
    # first value it sees, so an existing drop-in (e.g. cloud-init's) could override the line above.
    # Add a drop-in that sorts first.
    if [ -d /etc/ssh/sshd_config.d ]; then
        printf 'PermitRootLogin no\nPasswordAuthentication no\n' | sudo tee /etc/ssh/sshd_config.d/00-hardening.conf > /dev/null
    fi
else
    echo "No $HOME/.ssh/authorized_keys found; leaving password authentication on. Add your key and rerun." >&2
fi
sudo sshd -t   # validate the config before restarting so a typo cannot take SSH down
sudo systemctl restart ssh

# Set up fail2ban to protect against brute force attacks
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Install and configure firewall rule persistence
# (UFW above already allows these ports; this keeps any extra raw iptables rules across reboots)
sudo DEBIAN_FRONTEND=noninteractive apt install -y iptables-persistent
# Add your firewall rules here. "-C" checks whether the rule already exists, so rerunning the
# script does not append duplicates.
# Example: sudo iptables -C INPUT -p tcp --dport 8080 -j ACCEPT 2>/dev/null || sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
sudo iptables -C INPUT -p tcp --dport 8080 -j ACCEPT 2>/dev/null || sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
sudo iptables -C INPUT -p tcp --dport 7125 -j ACCEPT 2>/dev/null || sudo iptables -A INPUT -p tcp --dport 7125 -j ACCEPT
# Save the rules to /etc/iptables/rules.v4 (the old "service iptables-persistent save" command no longer exists)
sudo netfilter-persistent save
# Enable the service that reloads the saved rules after a reboot
sudo systemctl enable netfilter-persistent

# Install and configure intrusion detection system (IDS)
sudo apt install -y rkhunter
# Debian/Raspbian packages disable rkhunter's web update (WEB_CMD=/bin/false), and "rkhunter -c"
# exits non-zero whenever it reports warnings; neither should abort the script. Read
# /var/log/rkhunter.log afterwards.
sudo rkhunter --update || true
sudo rkhunter --propupd
sudo rkhunter -c --sk || true

# Regularly update and upgrade packages (only add the cron line once)
if ! grep -q 'apt update && apt upgrade -y' /etc/crontab; then
    echo "0 4 * * 1 root apt update && apt upgrade -y" | sudo tee -a /etc/crontab > /dev/null
fi

# Install and configure automatic security updates without an interactive prompt
sudo apt install -y unattended-upgrades
echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' | sudo debconf-set-selections
sudo dpkg-reconfigure -f noninteractive unattended-upgrades

# Enable automatic updates for security patches
# (Ubuntu's 50unattended-upgrades lists these origins commented out; Raspbian/Debian uses
# "origin=Debian" origins with security already enabled, so there these lines change nothing)
sudo sed -i 's,//\t"${distro_id}:${distro_codename}-security",\t"${distro_id}:${distro_codename}-security",g' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's,//\t"${distro_id}:${distro_codename}-updates",\t"${distro_id}:${distro_codename}-updates",g' /etc/apt/apt.conf.d/50unattended-upgrades

# Optional: Install and configure antivirus software
# sudo apt install -y clamav
# sudo freshclam

echo "Hardening script completed. Remember to review your firewall rules and adjust them according to your specific needs."
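The SSH step is the one most often done wrong: the directives ship commented out, a drop-in under /etc/ssh/sshd_config.d can silently override the main file, and disabling password logins without a key installed locks you out. The following is an added example written for this post, not the poster's script: it edits a directive whether it is commented or active, appends it if absent, reports the value sshd will actually use, and lists drop-ins that would override it. The function names, the sample config and the file path /etc/ssh/sshd_config.d/50-cloud-init.conf used in the comments are this example's own; it runs against a constructed temporary copy of the default config so it can be tried without touching the real one.

```shell
#!/bin/bash
# Added example (not the post's script): edit sshd_config directives
# idempotently, matching the commented-out defaults Debian and Ubuntu ship
# ("#PermitRootLogin prohibit-password"), which a plain
# 's/PermitRootLogin yes/.../' never matches, then verify the effective value.
set -u

# set_sshd_directive FILE NAME VALUE
# Rewrites every active or commented "NAME ..." line to "NAME VALUE";
# appends the directive when the file has no such line at all.
set_sshd_directive() {
    local file=$1 name=$2 value=$3
    if grep -Eq "^[#[:space:]]*${name}([[:space:]]|\$)" "$file"; then
        sed -i -E "s/^[#[:space:]]*${name}([[:space:]].*)?\$/${name} ${value}/" "$file"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# effective_value FILE NAME
# Prints the first active value; sshd keeps the first match it reads,
# so that is the value in force.
effective_value() {
    local file=$1 name=$2
    awk -v n="$name" '$1 == n { print $2; exit }' "$file"
}

# conflicting_dropins DIR NAME VALUE
# Prints drop-in lines that set NAME to something other than VALUE. Current
# Ubuntu and Debian start sshd_config with "Include /etc/ssh/sshd_config.d/*.conf",
# so a drop-in (cloud-init writes one on Ubuntu cloud images) is read before
# the main file and wins over it.
conflicting_dropins() {
    local dir=$1 name=$2 value=$3
    [ -d "$dir" ] || return 0
    grep -Hs -E "^[[:space:]]*${name}[[:space:]]+" "$dir"/*.conf 2>/dev/null |
        grep -Ev "^[^:]*:[[:space:]]*${name}[[:space:]]+${value}([[:space:]]|\$)" || true
}

# harden_sshd_file FILE
# Applies the post's two settings (and keeps key auth on), returning 0 only
# if the file's effective values are what was asked for.
harden_sshd_file() {
    local file=$1
    set_sshd_directive "$file" PermitRootLogin no
    set_sshd_directive "$file" PasswordAuthentication no
    set_sshd_directive "$file" PubkeyAuthentication yes
    [ "$(effective_value "$file" PermitRootLogin)" = no ] &&
        [ "$(effective_value "$file" PasswordAuthentication)" = no ] &&
        [ "$(effective_value "$file" PubkeyAuthentication)" = yes ]
}

# make_sample_config
# Writes a constructed copy of the shipped defaults to a temp file and prints
# its path, so the demo runs offline without touching /etc/ssh/sshd_config.
make_sample_config() {
    local file
    file=$(mktemp)
    cat > "$file" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
EOF
    printf '%s\n' "$file"
}

# On a real host, as the user whose ~/.ssh/authorized_keys already holds a key
# (root is needed to write the file):
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_file /etc/ssh/sshd_config
#   conflicting_dropins /etc/ssh/sshd_config.d PasswordAuthentication no
#   sudo sshd -t && sudo systemctl restart ssh
if [ "${1:-}" = "--demo" ]; then
    cfg=$(make_sample_config)
    harden_sshd_file "$cfg" && echo "hardened $cfg:" &&
        grep -E '^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication)' "$cfg"
    rm -f "$cfg"
fi
```

Run it with `--demo` to see the rewritten sample; if conflicting_dropins prints anything for the real /etc/ssh/sshd_config.d, fix or replace that drop-in (the script's 00-hardening.conf approach works because drop-ins are read in name order) before trusting `sshd -T | grep -i passwordauthentication`.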
Once you have completed that script, follow this list and ensure each option is applied.

  • Make a sudo-enabled user and stop using root! (Automatically done on most distributions)
    Lock the root account from your user account -
    sudo passwd -l root
  • Remove unneeded packages (Don't run this in a Qube, it may fuck up the utils for Qubes Tools) -
    sudo apt autoclean && sudo apt autoremove && sudo apt autopurge
  • Install upgrades unattended for Debian -
    sudo apt install unattended-upgrades && sudo apt install apt-config-auto-update && sudo apt install powermgmt-base && sudo systemctl enable unattended-upgrades && sudo systemctl start unattended-upgrades
  • Delete log history for the current session -
    sudo lastlog --clear --user <USER>
  • Disable history persistence for downloads -
    sudo ln -s -f /dev/null ~/.wget-hsts
  • Disable shell history completely -
    echo 'set +o history' >> ~/.bashrc && source ~/.bashrc && rm -rf ~/.bash_history && history -c

    *Alternatively you can just erase it after every session -

    sudo ln -s -f /dev/null ~/.bash_history
  • Disable shell history session persistence -
    sudo ln -s -f /dev/null ~/.bash_rc
  • Disable history persistence for Python shells -
    sudo ln -s -f /dev/null ~/.python_history
  • Limit SSH brute-force attacks - In this example, we drop connections from any IP address if it attempts to open more than 10 connections to the SSH port within 120 seconds.
    sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
    sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 10 -j DROP
  • Limit HTTP/S requests - These rules continue to accept new connections as long as they don't exceed the limit of 20 connections per minute from each IP address.
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
    sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
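Typed by hand with -I and -A, the rate-limit rules above are appended again on every run and are gone after a reboot, and their relative order (conntrack accept first, then the "recent" check before the "recent" set) is what makes them work. The following is an added example, not part of the post, that renders the same limits as a single iptables-restore file so the full ordered rule set can be validated, loaded and persisted in one step. It is meant for a host where you manage iptables directly rather than through UFW (UFW users can get the SSH limit with `sudo ufw limit 22/tcp` instead). Two choices are this example's own: it uses hashlimit keyed on source address for the web ports, because `-m limit` counts all clients together rather than per IP, and it relies on a default DROP policy instead of the explicit per-port DROP rules. The function names and the 7125/8080 extra ports are assumptions; /etc/iptables/rules.v4 is the file netfilter-persistent reads.

```shell
#!/bin/bash
# Added example, not part of the post: render the post's SSH and HTTP/S rate
# limits as one iptables-restore file instead of running -I/-A by hand, so
# every reboot loads the same ordered rule set and reruns never duplicate it.
# Assumes a host where iptables is managed directly (not through ufw) and
# iptables-persistent/netfilter-persistent is installed.
set -u

# build_rules_v4 SSH_PORT SSH_HITS SSH_SECS WEB_RATE WEB_BURST [EXTRA_PORT...]
# Prints an IPv4 filter table. Order matters: the conntrack ACCEPT comes first
# so established flows never touch the limiters; the SSH "recent" check/DROP
# must precede the "recent" set/ACCEPT; plain allows for extra ports go last.
build_rules_v4() {
    local ssh_port=$1 ssh_hits=$2 ssh_secs=$3 web_rate=$4 web_burst=$5
    shift 5
    local p
    for p in "$ssh_port" "$@"; do
        case $p in
            ''|*[!0-9]*) printf 'bad port: %s\n' "$p" >&2; return 1 ;;
        esac
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: drop a source that opened more than ${ssh_hits} new connections within ${ssh_secs}s
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name sshlimit --update --seconds ${ssh_secs} --hitcount ${ssh_hits} -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name sshlimit --set -j ACCEPT
# HTTP/S: ${web_rate} new connections per minute per source address, burst ${web_burst};
# anything above that falls through to the INPUT DROP policy
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto ${web_rate}/min --hashlimit-burst ${web_burst} --hashlimit-mode srcip --hashlimit-name web -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto ${web_rate}/min --hashlimit-burst ${web_burst} --hashlimit-mode srcip --hashlimit-name web -j ACCEPT
EOF
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    printf 'COMMIT\n'
}

# install_rules [FILE]
# Writes the rule set for this post's numbers (22, 10 hits in 120 s, 20/min
# burst 30, plus moonraker on 7125), checks it with iptables-restore --test
# and only then loads it. Run as root; not exercised by the offline demo.
install_rules() {
    local file=${1:-/etc/iptables/rules.v4}
    build_rules_v4 22 10 120 20 30 7125 > "$file"
    iptables-restore --test "$file" && iptables-restore "$file"
}

# Offline demo: print the rendered table for the post's parameters, with the
# hypothetical crowsnest port 8080 as an extra allow.
if [ "${1:-}" = "--demo" ]; then
    build_rules_v4 22 10 120 20 30 7125 8080
fi
```

After `install_rules`, `sudo netfilter-persistent save` is unnecessary since the file it reads at boot is the one just written; a later `sudo iptables -S INPUT` should show exactly the rules rendered above, once each, no matter how many times the script ran.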

This is just to get you started, so ensure you are following specific guides that fit your hardware and operating system/distro! Harden your installations to prevent them from being used by hackers.

This topic was modified 1 year ago by Print3D

Business IT Solutions - https://bizhostnc.com
Plastic Process Engineering
