$29
Linux Hardening Scripts
Automated server hardening scripts implementing CIS benchmarks: firewall, SSH, audit logging, user management.
Shell, JSON, Markdown
📁 File Structure 18 files
linux-hardening-scripts/
├── LICENSE
├── README.md
├── checklists/
│   └── cis-benchmark-ubuntu.md
├── configs/
│   ├── audit.rules
│   ├── jail.local
│   ├── sshd_config.hardened
│   └── sysctl-hardened.conf
├── guides/
│   └── linux-security-guide.md
└── scripts/
    ├── audit-setup.sh
    ├── auto-updates.sh
    ├── filesystem-hardening.sh
    ├── full-hardening.sh
    ├── harden-ssh.sh
    ├── kernel-hardening.sh
    ├── setup-fail2ban.sh
    ├── setup-firewall.sh
    └── user-management.sh
📖 Documentation Preview README excerpt
Linux Hardening Scripts
Production-ready server hardening automation implementing CIS benchmarks and industry best practices.
Automated Bash scripts and configuration files for securing Ubuntu/Debian and RHEL/CentOS Linux servers. Covers SSH hardening, firewall setup, intrusion detection, kernel tuning, audit logging, and more — all aligned with CIS Benchmark Level 1 and Level 2 recommendations.
What You Get
- 9 modular hardening scripts — run individually or all at once
- 4 hardened configuration files — drop-in replacements for critical services
- CIS Benchmark checklist — track your compliance progress
- Comprehensive security guide — understand the "why" behind each control
File Tree
linux-hardening-scripts/
├── README.md
├── LICENSE
├── manifest.json
├── scripts/
│   ├── harden-ssh.sh              # SSH daemon hardening
│   ├── setup-firewall.sh          # UFW / firewalld configuration
│   ├── setup-fail2ban.sh          # Brute-force protection
│   ├── kernel-hardening.sh        # Sysctl network & kernel tuning
│   ├── audit-setup.sh             # Auditd rules and configuration
│   ├── user-management.sh         # Account policies & sudo hardening
│   ├── auto-updates.sh            # Unattended security patches
│   ├── filesystem-hardening.sh    # Mount options, SUID/SGID cleanup
│   └── full-hardening.sh          # Orchestrator — runs all scripts
├── configs/
│   ├── sshd_config.hardened       # Hardened SSH daemon config
│   ├── sysctl-hardened.conf       # Kernel parameter tuning
│   ├── audit.rules                # Comprehensive audit rules
│   └── jail.local                 # Fail2Ban jail configuration
├── checklists/
│   └── cis-benchmark-ubuntu.md    # CIS Level 1 & 2 checklist
└── guides/
    └── linux-security-guide.md    # Security strategy & explanations
Getting Started
1. Clone or extract the archive
unzip linux-hardening-scripts.zip
cd linux-hardening-scripts
2. Review and customize
Before running any script, review the configuration files and adjust for your environment:
# Review the hardened SSH config
cat configs/sshd_config.hardened
# Check kernel parameters
cat configs/sysctl-hardened.conf
*... continues with setup instructions, usage examples, and more.*
📄 Code Sample .sh preview
scripts/audit-setup.sh
#!/usr/bin/env bash
# =============================================================================
# audit-setup.sh — Linux Audit Daemon Configuration
# Part of: Linux Hardening Scripts by Datanest Digital
# License: MIT | https://datanest.dev
# =============================================================================
#
# Installs and configures the Linux Audit System (auditd):
# - Installs auditd and audispd-plugins
# - Deploys comprehensive audit rules (CIS Benchmark aligned)
# - Configures log rotation and retention
# - Monitors: file changes, user activity, network, privilege escalation
#
# Usage: sudo bash audit-setup.sh [--dry-run]
# =============================================================================
set -euo pipefail
# Configuration
LOG_RETENTION_DAYS=90 # How long to keep audit logs
MAX_LOG_FILE_SIZE=50 # Max log file size in MB
NUM_LOGS=10 # Number of rotated logs to keep
SPACE_LEFT_ACTION="email" # Action when disk is getting full
ADMIN_SPACE_LEFT_ACTION="halt" # Action when disk is critically full
# Script variables
DRY_RUN=false
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CONFIG_DIR="$(dirname "$SCRIPT_DIR")/configs"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
# Parse arguments
for arg in "$@"; do
    case "$arg" in
        --dry-run) DRY_RUN=true ;;
        --help|-h)
            echo "Usage: sudo bash $0 [--dry-run]"
            exit 0
            ;;
    esac
done
# ... 222 more lines ...
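A drift check for the values in the Configuration block above, added here as an example (it is not part of the product's scripts). It assumes those variables map onto the auditd.conf keys max_log_file, num_logs, space_left_action and admin_space_left_action, since the part of the script that applies them is not shown; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of audit-setup.sh: report where an auditd.conf
# differs from the values in the script's Configuration block.
# Assumption: the script variables map onto these auditd.conf keys.

expected_settings() {
  cat <<'EOF'
max_log_file=50
num_logs=10
space_left_action=email
admin_space_left_action=halt
EOF
}

# conf_value FILE KEY: print the value of KEY ("key = value" syntax),
# lower-cased, skipping comment lines; the last occurrence is used.
conf_value() {
  awk -F= -v want="$2" '
    /^[ \t]*#/ { next }
    { key = $1; gsub(/[ \t]/, "", key)
      if (tolower(key) == want) {
        val = $2; gsub(/[ \t]/, "", val); found = tolower(val) } }
    END { print found }' "$1"
}

# audit_conf_drift FILE: print one DRIFT line per mismatching or missing key.
audit_conf_drift() {
  expected_settings | while IFS='=' read -r key want; do
    have=$(conf_value "$1" "$key")
    [ "$have" = "$want" ] ||
      echo "DRIFT $key: expected=$want actual=${have:-unset}"
  done
}

# Constructed sample file (not from a real host) with two deviations.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample
max_log_file = 8
num_logs = 10
space_left_action = SYSLOG
admin_space_left_action = halt
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_conf_drift "$sample"
rm -f "$sample"
```

On a host, pass /etc/audit/auditd.conf to audit_conf_drift; empty output means the file matches the expected values.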