
Show HN: Lockdown.sh Simple shell script for locking down new linux installs - x8d
https://github.com/x08d/lockdown.sh
======
amarshall
> [top of readme] lockdown a newly installed linux os

> [bottom of readme] Supported OS: Debian

Not all Linux is Debian or a Debian derivative.

> Remounts /tmp /proc /dev /run to be more restrictive

Unfortunately it only appears to remount, which will not persist across
reboots (unless I’m missing something).

> Restrict access to compilers

Is this actually meaningful from a security perspective? If one can get some
source onto a machine and execute a compiler and then execute that binary, how
is that substantially different than them just getting a binary onto the
machine and executing that instead?

~~~
q3k
> Unfortunately it only appears to remount, which will not persist across
> reboots (unless I’m missing something).

Yeah and then it also reboots immediately. What's the point? Has this even
been tested?

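The remount point raised by amarshall and q3k above, as an added example that is not part of the thread or of lockdown.sh: a POSIX sh check that reads a mount table in fstab column layout and reports whether the restrictive options are present for a mountpoint. `/proc/self/mounts` describes what is mounted right now; `/etc/fstab` is what the next boot applies, and both use the same `spec mountpoint fstype options` columns, so one parser serves both. The sample tables, the required options per mountpoint and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not lockdown.sh's own code): does a mount table carry the
# restrictive options for a mountpoint? A "mount -o remount,..." only edits
# the live table (/proc/self/mounts); unless /etc/fstab says the same thing,
# the options are gone after the reboot the script performs.

# table_has_opts TABLE_TEXT MOUNTPOINT OPT1[,OPT2...]
# Returns 0 when TABLE_TEXT has an uncommented entry for MOUNTPOINT whose
# option field contains every listed option, 1 otherwise.
table_has_opts() {
    _table=$1; _mnt=$2; _want=$3
    _opts=$(printf '%s\n' "$_table" | awk -v m="$_mnt" '
        /^[ \t]*#/ || NF < 4 { next }     # comments, blank or short lines
        $2 == m { print $4; exit }')
    [ -n "$_opts" ] || return 1
    _missing=0
    for _o in $(printf '%s' "$_want" | tr ',' ' '); do
        case ",$_opts," in
            *",$_o,"*) ;;
            *) _missing=1 ;;
        esac
    done
    return "$_missing"
}

# Options to require per mountpoint. This is an assumed policy for the
# example; the thread quotes the script's intent, not its exact flags.
WANTED='/tmp:nosuid,nodev,noexec /proc:hidepid=2'

# report LABEL TABLE_TEXT: one line per mountpoint in WANTED saying whether
# TABLE_TEXT carries the options. Returns the number of mountpoints that do not.
report() {
    _label=$1; _table=$2; _bad=0
    for _pair in $WANTED; do
        _mnt=${_pair%%:*}; _want=${_pair#*:}
        if table_has_opts "$_table" "$_mnt" "$_want"; then
            echo "$_label: $_mnt has $_want"
        else
            echo "$_label: $_mnt MISSING $_want"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# Constructed sample tables (not copied from any real machine).
# Live table after "mount -o remount,nosuid,nodev,noexec /tmp" and
# "mount -o remount,hidepid=2 /proc": everything looks fine here.
LIVE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# A Debian-style fstab that was never updated to match: /tmp is listed with
# bare "defaults" and /proc is not listed at all.
FSTAB_BEFORE='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-example / ext4 errors=remount-ro 0 1
tmpfs /tmp tmpfs defaults 0 0'

# The same fstab with the options persisted.
FSTAB_AFTER='UUID=1111-example / ext4 errors=remount-ro 0 1
tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
proc /proc proc defaults,hidepid=2 0 0'

# show LABEL TABLE_TEXT: run report and summarise its count.
show() {
    _n=0
    report "$1" "$2" || _n=$?
    echo "  => $1: $_n mountpoint(s) missing the wanted options"
}

show "live mounts"  "$LIVE_MOUNTS"
show "fstab before" "$FSTAB_BEFORE"
show "fstab after"  "$FSTAB_AFTER"
```

On a real Debian host, pass `"$(cat /proc/self/mounts)"` for the live state and `"$(cat /etc/fstab)"` for what the next boot will apply; a pass on the first and a failure on the second is exactly the hardening that does not survive the reboot. On systemd-based Debian, fstab options for the API filesystems that are pre-mounted before fstab is read (/proc, /dev, /run) are applied at boot by systemd-remount-fs.service, so fstab entries are the right place to persist `hidepid=` and `nosuid,nodev,noexec` for those too.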
------
q3k

        # Add legal banner
        echo "
        Unauthorized access to this server is prohibited.
        Legal action will be taken. Disconnect now.
        " > /etc/issue
    

Heh.

~~~
pero_p
Cute

------
igetspam
We already have sensible OS level and app level baselines in CIS workbenches.
There's also code to apply the policies and check the policies. It's nice that
this is an attempt to set some kind of sanity in a single shell script but
unless the author is a known quantity expert in this area, it's not a good
idea to use this, unless you are also capable of vetting this code, in which
case you probably don't need it.

~~~
getcrunk
Can you recommend some things I can refer to?

------
ivan_ah
Wow nice! This will be useful both for expert users who can go through and
learn about various security options and apply manually, but also useful for
non-expert users who can just run the script.

~~~
amarshall
> useful for non-expert users who can just run the script.

Running random scripts one doesn’t understand as root has its potential
problems, though. Non-experts should still audit what this script (or any
script requiring elevated privileges) is doing and strive to understand it.

~~~
ivan_ah
True that. After looking through the script in more detail, I wouldn't
recommend running without checking. I thought it was doing just basic ssh +
firewall, but it does a lot more things, so probably better to run piecemeal
even for non-experts.

Maybe this could be turned into some interactive script that explains a little
(in beginner-friendly language) what each step does? It would be also nice to
have a log of which steps were performed, and instructions for the undo-step
in case users want to go back... wishlist.append( ^ ).

------
rmrfstar
This is a reasonable jumping off point for someone newly interested in
hardening a bare-metal Debian deployment. [1,2] are also quite good.

[1] https://github.com/Whonix/security-misc

[2] https://forums.whonix.org/t/fixing-the-desktop-linux-security-model/9172

------
mathiasrw
Would love to see this as an interactive informing and asking leaving you with
the parts you want.

~~~
x8d
Hey, thanks for the feedback. I've just updated it so each section prompts you
with the commands it's about to run and whether or not to run them.

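ivan_ah's wishlist above (a per-step explanation, a log of which steps ran, and an undo for each) and x8d's update (prompting before each section) together, as an added example that is not lockdown.sh's code: a POSIX sh step runner that shows the exact command, asks before running it, logs DONE/FAIL/SKIP per step, and records an undo command per successful step so the run can be reversed in the opposite order. The file locations, the `ASSUME_YES` switch and the demo commands are assumptions of this example.

```shell
#!/bin/sh
# Added example (not lockdown.sh's own code): a step runner for a hardening
# script that explains, confirms, logs and records an undo for each step.
# Paths, the ASSUME_YES switch and the demo commands are assumed here.

LOCKDOWN_LOG=${LOCKDOWN_LOG:-./lockdown.log}
LOCKDOWN_UNDO=${LOCKDOWN_UNDO:-./lockdown-undo.txt}

# ask PROMPT: returns 0 for "yes". ASSUME_YES=1 skips the question for
# unattended runs. Only a terminal can answer: a pipe or closed stdin
# ("curl ... | sh" style) is treated as "no" instead of blocking or
# silently proceeding.
ask() {
    [ "${ASSUME_YES:-0}" = 1 ] && return 0
    if [ ! -t 0 ]; then
        echo "   (stdin is not a terminal; treating as no)"
        return 1
    fi
    printf '%s [y/N] ' "$1"
    read -r _answer || return 1
    case $_answer in
        [yY]*) return 0 ;;
        *)     return 1 ;;
    esac
}

# step DESCRIPTION UNDO_COMMAND COMMAND [ARG...]
# Prints the description and the exact command, runs it after confirmation,
# and appends a DONE/FAIL/SKIP line to the log. UNDO_COMMAND is recorded only
# for steps that actually succeeded. Returns 0 when the command ran, 2 when
# the step was skipped, otherwise the command's own exit status.
step() {
    _desc=$1; _undo=$2; shift 2
    echo "== $_desc"
    echo "   command: $*"
    if ! ask "   run this step?"; then
        printf 'SKIP %s\n' "$_desc" >> "$LOCKDOWN_LOG"
        return 2
    fi
    "$@" && _rc=0 || _rc=$?
    if [ "$_rc" -eq 0 ]; then
        printf 'DONE %s :: %s\n' "$_desc" "$*" >> "$LOCKDOWN_LOG"
        printf '%s\n' "$_undo" >> "$LOCKDOWN_UNDO"
    else
        printf 'FAIL(%s) %s :: %s\n' "$_rc" "$_desc" "$*" >> "$LOCKDOWN_LOG"
    fi
    return "$_rc"
}

# undo_script: prints the recorded undo commands as a shell script, most
# recent step first, so changes are reversed in the opposite order from the
# one they were applied in. Review it, then run it with: undo_script | sh
undo_script() {
    echo '#!/bin/sh'
    [ -f "$LOCKDOWN_UNDO" ] || return 0
    awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }' "$LOCKDOWN_UNDO"
}

# Demo on harmless commands in a scratch directory (constructed, not real
# hardening steps). Answer the prompts, then read the log and undo script.
demo() {
    _dir=$(mktemp -d)
    LOCKDOWN_LOG=$_dir/lockdown.log
    LOCKDOWN_UNDO=$_dir/lockdown-undo.txt
    step "create a marker file" "rm -f $_dir/marker" touch "$_dir/marker" \
        || echo "   (step returned $?)"
    step "a step that fails on purpose" ":" false \
        || echo "   (step returned $?)"
    echo "--- $LOCKDOWN_LOG:"
    cat "$LOCKDOWN_LOG"
    echo "--- undo script:"
    undo_script
}
demo
```

A real hardening script would call `step` once per change with a real undo (for example, a `cp -p` of the original config made before editing it, and `cp` back as the undo) and keep the log and undo file somewhere durable such as /var/log; the refusal to read answers from a non-terminal stdin is deliberate, since a prompt that a pipe can answer is no confirmation at all.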
