HardenOps

Security Assessment

Linux Security Hardening Platform

19 total checks

SSH Security
Secure SSH configuration and access controls

Disable Root SSH Login

CRITICAL

Prevent direct root login via SSH to reduce attack surface

Command
sudo sed -i -E 's/^#?PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd

Change Default SSH Port

HIGH

Move SSH from default port 22 to reduce automated attacks

Command
sudo sed -i -E 's/^#?Port[[:space:]].*/Port 2222/' /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd

Enable SSH Key Authentication

HIGH

Use key-based authentication instead of passwords

Command
sudo sed -i -E 's/^#?PubkeyAuthentication[[:space:]].*/PubkeyAuthentication yes/' /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd

Disable Password Authentication

MEDIUM

Force key-based authentication only

Command
sudo sed -i -E 's/^#?PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd
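
A sed substitution that matches nothing still exits 0, so the four SSH edits above can leave sshd_config unchanged without reporting an error. The check below is an added example, not part of HardenOps; the function names and the sample file are constructed for illustration, and it reads one file without following Include directives.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against the four SSH checks.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted as well as "Keyword value".
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # normalise Keyword=value
        tolower($1) == "match" { exit }          # global section ends at first Match
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Prints one PASS/FAIL line per setting; the return status is the failure count.
audit_sshd() {        # usage: audit_sshd FILE
    failures=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key = $actual"
        else
            echo "FAIL $key = ${actual:-<unset, built-in default applies>} (want $expected)"
            failures=$((failures + 1))
        fi
    done <<EOF
PermitRootLogin no
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    return "$failures"
}

# Constructed sample: commented defaults that differ from the literal text
# "#PermitRootLogin yes", so a literal sed pattern would change nothing.
demo_config() {
    cat <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PubkeyAuthentication yes
#PasswordAuthentication yes
EOF
}
```

Source the file and run `audit_sshd /etc/ssh/sshd_config` after applying the commands. On a live host, `sudo sshd -T` prints the effective configuration with Include files resolved.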
Firewall Configuration
Configure and enable system firewall protection

Enable UFW Firewall

CRITICAL

Activate Ubuntu's Uncomplicated Firewall

Command
sudo ufw --force enable

Set Default Deny Policy

CRITICAL

Block all incoming connections by default

Command
sudo ufw default deny incoming && sudo ufw default allow outgoing

Allow SSH (Custom Port)

HIGH

Allow SSH connections on custom port

Command
sudo ufw allow 2222/tcp

Enable Logging

MEDIUM

Enable firewall logging for monitoring

Command
sudo ufw logging on
Kernel Security
Harden kernel parameters and module loading

Disable Core Dumps

HIGH

Prevent core dumps that could leak sensitive information

Command
echo "* hard core 0" | sudo tee -a /etc/security/limits.conf && echo "fs.suid_dumpable=0" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

Enable ASLR

CRITICAL

Enable Address Space Layout Randomization

Command
echo "kernel.randomize_va_space=2" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

Restrict Kernel Logs

MEDIUM

Prevent non-root users from reading kernel logs

Command
echo "kernel.dmesg_restrict=1" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
System Monitoring
Set up intrusion detection and monitoring tools

Install Fail2Ban

CRITICAL

Install and configure Fail2Ban for intrusion prevention

Command
sudo apt install fail2ban -y && sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Configure SSH Fail2Ban

HIGH

Protect SSH service with Fail2Ban

Command
printf '[sshd]\nenabled = true\nport = 2222\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 3\nbantime = 3600\n' | sudo tee /etc/fail2ban/jail.local && sudo systemctl restart fail2ban

Install AIDE

MEDIUM

Install Advanced Intrusion Detection Environment

Command
sudo apt install aide -y && sudo aideinit && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Network Security
Harden network configuration and services

Disable IP Forwarding

MEDIUM

Prevent system from acting as a router

Command
echo "net.ipv4.ip_forward=0" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

Enable SYN Cookies

HIGH

Protect against SYN flood attacks

Command
echo "net.ipv4.tcp_syncookies=1" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

Disable ICMP Redirects

MEDIUM

Prevent ICMP redirect attacks

Command
echo "net.ipv4.conf.all.accept_redirects=0" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
User Management
Manage user accounts and access controls

Set Password Policies

HIGH

Configure strong password requirements

Command
sudo apt install libpam-pwquality -y && echo "minlen=12" | sudo tee -a /etc/security/pwquality.conf

Configure Account Lockout

MEDIUM

Lock accounts after failed login attempts

Command
echo "auth required pam_tally2.so deny=5 unlock_time=900" | sudo tee -a /etc/pam.d/common-auth