This repo contains a masterless Puppet environment which may be used to lock down a minimal Debian server even further than stock. These controls utilize only open-source components, and can be deploy to any stock Debian 9 machine.

Works on Debian 9 and Puppet 4.8.2

Only intented for a non-gui Debian install, starting with only the "Standard system utilites" and "SSH Server"

• Disables IPv6 + unecessary network services
• Disables desktop GUI (Gnome, KDE, etc.)
• Hardens SSH server + brute force protection
• Enforces Stanford password policy and Google TOTP 2FA
• Enables memory corruption exploit mitigations
• Applies security patches daily
• Locks down firewall rule to minimal necessary
• Disables uncommon kernel modules (floppy, usb storage, etc)

apt install sudo git wget

Automatically downloads and installs the hardening controls on a stock Debian machine.
Ensure you have console access to the box if recovery is needed.

$(cd /opt/ && sudo git clone https://github.com/0x9090/Linux-Hardening.git && sudo sh -c setup.sh -a)

• puppetlabs/stdlib - https://forge.puppet.com/puppetlabs/stdlib
• puppetlabs/firewall - https://forge.puppet.com/puppetlabs/firewall
• hardening/os_hardening - https://forge.puppet.com/hardening/os_hardening
• hardening/ssh_hardening - https://forge.puppet.com/hardening/ssh_hardening
• saz/ssh - https://forge.puppet.com/saz/ssh
• dhoppe/fail2ban - https://forge.puppet.com/dhoppe/fail2ban
• camptocamp/googleauthenticator - https://forge.puppet.com/camptocamp/googleauthenticator
• thias/sysctl - https://forge.puppet.com/thias/sysctl
• puppet/unattended_upgrades - https://forge.puppet.com/puppet/unattended_upgrades
• puppetlabs/apt - https://forge.puppet.com/puppetlabs/apt
• voxpopuli/extlib - https://forge.puppet.com/puppet/extlib
• camptocamp/kmod - https://forge.puppet.com/camptocamp/kmod

setup.sh = Main installer script. Run this once, and the controls will be implemented and enforced
run.sh = Performs a Puppet run to manually apply the security controls
site.pp = Top-level node definitions

There are several different hardening domains, and each domain is a collection of related security controls.

• OS - Locks down Debian and reduces attack surfaces (os_hardening_config/manifests/init.pp)
• SSH - Configures SSH (and Google 2FA) for secure access (ssh_hardening_config/manifests/init.pp)
• Firewall - Enforces the host firewall config to your rule set (firewall_config/manifests/init.pp)

Most of the code is in the /modules/ folder. Every "_config" postpended module, is a hardening domain configuration module. Those modules contain an init.pp file, which configures the hardening domain. Those init.pp files are what you'll work in to customize the hardening to your needs.

• Thoroughly test this in your own environment before using in production. Use at your own risk
• These controls are only to be used on a fresh, minimal Debian 9 install
• You need to configure Google 2FA in the os_hardening_config module
• Firewall is only configured for SSH inbound
• Create a lowly privleged user, as these controls will disallow root to SSH in
• It's a good practice to update all the bundled modules before deployment to ensure any known vulnerabilities are removed