This repository is a collection of independent scripts designed to audit and harden Linux-based distributions.
Each script is intended to be used on its own. There is no required install order, shared runtime, or single hardening profile for the whole repository. Review the README for the specific script you plan to run before applying it to a system.
Below is a list of scripts included in this repository. Each script has its own README with requirements, usage, compatibility notes, safety warnings, and a changelog link.
| Script | Purpose | Category | Details |
|---|---|---|---|
| Lynis Installer | Download Lynis, a security auditing tool for Unix-like systems. | Auditing | README / Script |
| Root Locker | Lock the root account to prevent direct root logins. | Hardening | README / Script |
| SSHD Hardening | Harden OpenSSH server configuration based on Lynis recommendations. | Hardening | README / Script |
| UFW Cloudflare | Configure UFW to allow HTTP/HTTPS traffic only from Cloudflare IP ranges. | Hardening | README / Script |
| Nginx WAF | Install and configure ModSecurity with the OWASP Core Rule Set for Nginx. | Hardening | README / Script |
The following requirements apply broadly to the repository:
- Bash: Version 4.0 or higher
- Operating System: Linux-based distribution
Note: Individual scripts may require root privileges, network access, packages, or services such as OpenSSH, UFW, or Nginx. Check the script's README before running it.
All you need to do is download this repository to your local machine:

```bash
git clone https://github.com/StrangeRanger/linux-security-scripts
cd linux-security-scripts
```

An audit-first workflow can help you decide which hardening changes are appropriate for a system:

- Install Lynis: Run the Lynis installer to download the auditing tool.

  ```bash
  ./auditing/Lynis\ Installer/lynis-installer.bash
  ```

- Run a security audit: Use Lynis to identify security issues.

  ```bash
  cd ~/lynis
  clear
  sudo ./lynis audit system
  ```

- Apply hardening selectively: Based on the audit results, run only the hardening scripts that match your needs.
This workflow is optional. The hardening scripts do not depend on the Lynis installer.
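To make the "apply hardening selectively" step concrete, the following added example (not part of this repository's scripts) groups the suggestions in a Lynis report by the script from the table that may address them. The prefix-to-script mapping, the `triage.sh` name, the `suggestion[]=TEST-ID|text|details|solution|` line format and the `/var/log/lynis-report.dat` location are assumptions to check against your own Lynis run; the sample report lines are constructed.

```sh
#!/bin/sh
# Added example: triage Lynis suggestions by the repository script that may address them.
# Assumed report line format: suggestion[]=TEST-ID|text|details|solution|

# Hypothetical mapping from Lynis test-ID prefix to a script named in the table.
script_for_test() {
    case "$1" in
        SSH-*)  echo "SSHD Hardening" ;;
        FIRE-*) echo "UFW Cloudflare" ;;
        HTTP-*) echo "Nginx WAF" ;;
        *)      echo "(no matching script)" ;;
    esac
}

# Read a Lynis report on stdin; print "script<TAB>test-id<TAB>suggestion", sorted.
triage_report() {
    while IFS= read -r line; do
        case "$line" in
            'suggestion[]='*) ;;   # keep suggestions only
            *) continue ;;         # skip warnings, metadata, blank lines
        esac
        entry=${line#'suggestion[]='}
        id=${entry%%|*}            # first field: Lynis test ID
        rest=${entry#*|}
        text=${rest%%|*}           # second field: suggestion text
        printf '%s\t%s\t%s\n' "$(script_for_test "$id")" "$id" "$text"
    done | LC_ALL=C sort
}

# Constructed sample report lines, not output from a real system.
sample_report() {
    cat <<'EOF'
report_version_major=1
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=FIRE-4513|Check iptables rules to see which rules are currently not used|-|-|
suggestion[]=HTTP-6710|Add HTTPS to nginx virtual hosts|-|-|
EOF
}

# Usage: triage.sh /var/log/lynis-report.dat   (no argument: run on the sample)
if [ -n "${1:-}" ]; then
    triage_report < "$1"
else
    sample_report | triage_report
fi
```

Suggestions that land under "(no matching script)" need manual review; a match only means the script is worth reading, not that it resolves the finding.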
Caution (Production Environment Warning): Always test scripts in a non-production environment first. Some scripts modify critical system configurations and may affect system accessibility.
Run only the script you need. Most hardening scripts require root privileges:

```bash
sudo ./path/to/script.bash
```

Scripts can also be run through Bash directly:

```bash
bash ./path/to/script.bash
```

See each script's README for exact usage, requirements, warnings, and verification steps.
After running a script:
- Review the script output for warnings or manual follow-up steps.
- Verify the specific service, account, firewall, or configuration that was changed.
- Keep any backups created by the script until you are confident the system is working correctly.
- Re-run relevant audits or service checks after applying changes.
The scripts target Linux systems with Bash 4.0 or newer. Compatibility varies by script because each one touches different tools, services, and configuration files.
Refer to each script's README for tested distributions and script-specific compatibility notes.
Below is a list of additional resources that can help you make your system as secure as possible.
- SSH Audit - SSH server & client auditing (banner, key exchange, encryption, MAC, compression, compatibility, security, etc.)
- CIS Benchmarks - Industry-standard security configuration guidelines
- NIST Cybersecurity Framework - Comprehensive cybersecurity guidance
- OpenSCAP - Security compliance and vulnerability management
- AIDE - Advanced Intrusion Detection Environment
- Fail2Ban - Intrusion prevention software
- rkhunter - Rootkit detection tool
Please use GitHub Issues for bug reports and feature requests.
Licensing may vary by script; see individual file headers.