This repository is a collection of scripts designed to secure/harden Linux-based distributions.
Below is a list of tools included in this repository.
Tool Name | Description | Category | Requirements | Notes |
---|---|---|---|---|
Lynis Installer | Download (clone) Lynis, a security auditing tool for Unix-like systems. | Auditing | Git, Internet connection | No root required |
Root Locker | Locks the root account to prevent direct logins. | Hardening | Root privileges | Preserves sudo access |
SSHD Hardening | Harden OpenSSH server (sshd) per Lynis recommendations. | Hardening | Root privileges | Creates backups |
UFW Cloudflare | Configure UFW to only allow HTTP/HTTPS from Cloudflare IP ranges. | Hardening | Root privileges, UFW, Internet connection | Creates backups |
Note
All scripts include version information in their headers. Check individual CHANGELOG.md files in each tool's directory for version history and updates.
The following requirements extend to every tool in this repository:
- Bash: Version 4.0 or higher
- Operating System: Linux-based distribution
Note
Individual scripts may have additional requirements listed in the table above.
All you need to do is download this repository to your local machine:
git clone https://github.com/StrangeRanger/linux-security-scripts
cd linux-security-scripts
For users who want to get started immediately:
- Audit your system first: Run the Lynis installer to download the auditing tool.
  ./auditing/Lynis\ Installer/lynis-installer.bash
- Run a security audit: Use Lynis to identify security issues.
  cd ~/lynis && sudo ./lynis audit system
- Apply hardening: Based on the audit results, run the appropriate hardening scripts with root privileges.
Caution
Production Environment Warning: Always test scripts in a non-production environment first. Some scripts modify critical system configurations and may affect system accessibility.
You can run any script individually using one of the following methods:
./[script-name]
or
bash [script-name]
After running the hardening scripts:
- Verify SSH access: Before logging out, test SSH connectivity in a new terminal session.
- Review firewall rules: Check UFW status with `sudo ufw status verbose` if you used the UFW Cloudflare script.
- Run Lynis again: Re-audit your system to see security improvements.
- Backup configurations: Keep copies of any modified configuration files.
Warning
The SSHD hardening script modifies SSH configurations. Ensure you have alternative access to your system before applying changes in production environments.
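To go with the "Review firewall rules" step above, the following added example (not part of this repository's scripts) scans `ufw status` output for port 80/443 rules that still accept any source, which would let traffic reach the server without passing through Cloudflare. The function name, the sample output and the documentation ranges standing in for Cloudflare's are constructed; rules created through UFW application profiles (names instead of port numbers) are not detected.

```shell
#!/bin/sh
# Added example, not from the repository: audit `ufw status` output for
# HTTP/HTTPS rules that still accept traffic from any source.

# find_open_web_rules (hypothetical name): reads `ufw status [verbose]` text on
# stdin and prints every ALLOW rule covering port 80 or 443 whose source is
# "Anywhere". Exit status: 0 = none found, 1 = at least one found.
find_open_web_rules() {
    awk -F'  +' '
        # Rule rows: "To" column, an action starting with ALLOW, then a source.
        NF >= 3 && $2 ~ /^ALLOW/ && $3 ~ /^Anywhere/ {
            spec = $1
            sub(/ \(v6\)$/, "", spec)      # "443/tcp (v6)" -> "443/tcp"
            sub(/\/(tcp|udp)$/, "", spec)  # "80,443/tcp"   -> "80,443"
            n = split(spec, ports, ",")
            for (i = 1; i <= n; i++) {
                lo = hi = ports[i]
                if (split(ports[i], r, ":") == 2) { lo = r[1]; hi = r[2] }  # range
                if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/) continue  # profile name
                if ((lo+0 <= 80 && 80 <= hi+0) || (lo+0 <= 443 && 443 <= hi+0)) {
                    print; found = 1; break
                }
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: an older "allow 80/tcp" rule and an IPv6 443 rule survive
# next to source-restricted ones. 203.0.113.0/24 and 2001:db8::/32 are
# documentation ranges used here as stand-ins for Cloudflare ranges.
SAMPLE_UFW_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp                 ALLOW IN    203.0.113.0/24
80/tcp                     ALLOW IN    Anywhere
80,443/tcp                 ALLOW IN    2001:db8::/32
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Demo on the sample; on a live host use: sudo ufw status | find_open_web_rules
printf '%s\n' "$SAMPLE_UFW_STATUS" | find_open_web_rules \
    || echo "WARNING: the rules above expose 80/443 to any source"
```

A non-zero exit status makes the function usable as a gate in a post-hardening check script.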
All of the scripts should work on most, if not all, Linux distributions with Bash v4.0+ installed. With that said, below is a list of Linux distributions that the scripts have been officially tested and are confirmed to work on.
Distributions | Distro Versions |
---|---|
Ubuntu | 24.04, 22.04, 20.04 |
Debian | 11, 10, 9 |
Below is a list of additional resources that you can/should use to help make your system as secure as possible.
- SSH Audit - SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
- CIS Benchmarks - Industry-standard security configuration guidelines
- NIST Cybersecurity Framework - Comprehensive cybersecurity guidance
- OpenSCAP - Security compliance and vulnerability management
- AIDE - Advanced Intrusion Detection Environment
- Fail2Ban - Intrusion prevention software
- rkhunter - Rootkit detection tool
Please use GitHub Issues for bug reports and feature requests.
Licensing may vary by tool; see individual file headers.