File size: 48,082 Bytes
1a74165 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 |
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Parrot OS Hardening Toolkit</title>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
<style>
.code-block {
background-color: #2d2d2d;
color: #f8f8f2;
border-radius: 0.375rem;
padding: 1rem;
font-family: 'Courier New', Courier, monospace;
overflow-x: auto;
margin: 1rem 0;
}
.tab-content {
display: none;
}
.tab-content.active {
display: block;
}
.nav-tabs .active {
border-bottom: 3px solid #3b82f6;
color: #3b82f6;
font-weight: 600;
}
.copy-btn {
transition: all 0.2s ease;
}
.copy-btn:hover {
background-color: #3b82f6;
color: white;
}
.copy-btn.copied {
background-color: #10b981;
color: white;
}
</style>
</head>
<body class="bg-gray-100 min-h-screen">
<div class="container mx-auto px-4 py-8">
<!-- Header -->
<header class="mb-8">
<div class="flex items-center justify-between">
<div>
<h1 class="text-3xl font-bold text-gray-800">
<i class="fas fa-shield-alt text-blue-500 mr-2"></i>
Parrot OS Hardening Toolkit
</h1>
<p class="text-gray-600 mt-2">
A comprehensive guide to building a secure penetration testing environment
</p>
</div>
<div class="hidden md:block">
<img src="https://www.parrotsec.org/images/logo.png" alt="Parrot OS Logo" class="h-16">
</div>
</div>
</header>
<!-- Main Content -->
<div class="bg-white rounded-lg shadow-lg overflow-hidden">
<!-- Tabs Navigation -->
<div class="border-b border-gray-200">
<nav class="flex nav-tabs overflow-x-auto">
<button class="px-6 py-3 text-sm font-medium active" data-tab="overview">
<i class="fas fa-info-circle mr-2"></i>Overview
</button>
<button class="px-6 py-3 text-sm font-medium" data-tab="ansible">
<i class="fas fa-code mr-2"></i>Ansible Playbook
</button>
<button class="px-6 py-3 text-sm font-medium" data-tab="manual">
<i class="fas fa-terminal mr-2"></i>Manual Setup
</button>
<button class="px-6 py-3 text-sm font-medium" data-tab="verification">
<i class="fas fa-check-circle mr-2"></i>Verification
</button>
<button class="px-6 py-3 text-sm font-medium" data-tab="resources">
<i class="fas fa-book mr-2"></i>Resources
</button>
</nav>
</div>
<!-- Tab Contents -->
<div class="p-6">
<!-- Overview Tab -->
<div id="overview" class="tab-content active">
<h2 class="text-2xl font-bold text-gray-800 mb-4">
<i class="fas fa-shield-virus text-blue-500 mr-2"></i>
Hardened Parrot OS Security Edition
</h2>
<div class="grid grid-cols-1 md:grid-cols-2 gap-6 mb-6">
<div class="bg-blue-50 p-4 rounded-lg">
<h3 class="font-bold text-blue-800 mb-2">
<i class="fas fa-bullseye mr-2"></i>Objective
</h3>
<p class="text-gray-700">
Create a secure, minimal, and reliable penetration testing environment based on Parrot OS Security Edition with full disk encryption, network hardening, and intrusion detection.
</p>
</div>
<div class="bg-green-50 p-4 rounded-lg">
<h3 class="font-bold text-green-800 mb-2">
<i class="fas fa-users mr-2"></i>Target Audience
</h3>
<p class="text-gray-700">
Penetration testers, security researchers, and cybersecurity professionals who need a secure field kit for assessments.
</p>
</div>
</div>
<h3 class="text-xl font-bold text-gray-800 mt-6 mb-3">
<i class="fas fa-lock mr-2"></i>Key Security Considerations
</h3>
<div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4 mb-6">
<div class="bg-gray-50 p-4 rounded-lg border-l-4 border-blue-500">
<h4 class="font-semibold text-gray-800">Minimal Attack Surface</h4>
<p class="text-sm text-gray-600">Reduce installed packages and services to only what's necessary</p>
</div>
<div class="bg-gray-50 p-4 rounded-lg border-l-4 border-green-500">
<h4 class="font-semibold text-gray-800">Strong Authentication</h4>
<p class="text-sm text-gray-600">Implement MFA and secure password policies</p>
</div>
<div class="bg-gray-50 p-4 rounded-lg border-l-4 border-purple-500">
<h4 class="font-semibold text-gray-800">Disk Encryption</h4>
<p class="text-sm text-gray-600">Full disk encryption to protect data at rest</p>
</div>
<div class="bg-gray-50 p-4 rounded-lg border-l-4 border-red-500">
<h4 class="font-semibold text-gray-800">Network Hardening</h4>
<p class="text-sm text-gray-600">Minimize network exposure and secure services</p>
</div>
<div class="bg-gray-50 p-4 rounded-lg border-l-4 border-yellow-500">
<h4 class="font-semibold text-gray-800">Regular Updates</h4>
<p class="text-sm text-gray-600">Automatic security updates and patch management</p>
</div>
<div class="bg-gray-50 p-4 rounded-lg border-l-4 border-indigo-500">
<h4 class="font-semibold text-gray-800">Logging & Auditing</h4>
<p class="text-sm text-gray-600">Comprehensive activity tracking and monitoring</p>
</div>
</div>
<h3 class="text-xl font-bold text-gray-800 mt-6 mb-3">
<i class="fas fa-tools mr-2"></i>Included Security Tools
</h3>
<div class="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-4 gap-3 mb-6">
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">UFW Firewall</span>
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">Fail2Ban</span>
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">Lynis</span>
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">OpenVAS</span>
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">AIDE</span>
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">Rkhunter</span>
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">Chkrootkit</span>
<span class="bg-gray-100 px-3 py-1 rounded-full text-sm">Auditd</span>
</div>
</div>
<!-- Ansible Playbook Tab -->
<div id="ansible" class="tab-content">
<h2 class="text-2xl font-bold text-gray-800 mb-4">
<i class="fas fa-code mr-2"></i>Ansible Playbook for Hardening
</h2>
<p class="text-gray-700 mb-4">
This Ansible playbook automates the hardening process for Parrot OS Security Edition. It includes disk encryption setup, firewall configuration, service management, and intrusion detection.
</p>
<div class="mb-6">
<div class="flex justify-between items-center bg-gray-800 px-4 py-2 rounded-t-lg">
<span class="text-white text-sm">parrot_hardening.yml</span>
<button class="copy-btn bg-gray-700 text-white px-3 py-1 rounded text-sm" data-clipboard-target="#ansible-playbook">
<i class="far fa-copy mr-1"></i> Copy
</button>
</div>
<pre id="ansible-playbook" class="code-block">---
- name: Harden Parrot OS Security Edition
hosts: all
become: true
vars:
# User configuration
admin_user: "pentester"
admin_groups: "sudo"
ssh_port: 2222
# Packages to remove
packages_to_remove:
- xserver-xorg
- bluetooth
- cups
- avahi-daemon
- modemmanager
# Services to disable
services_to_disable:
- bluetooth
- cups
- avahi-daemon
- modemmanager
- apparmor
tasks:
# Update system
- name: Update all packages
apt:
update_cache: yes
upgrade: dist
autoremove: yes
# Remove unnecessary packages
- name: Remove unwanted packages
apt:
name: "{{ packages_to_remove }}"
state: absent
purge: yes
# Disable unnecessary services
- name: Disable unwanted services
systemd:
name: "{{ item }}"
enabled: no
state: stopped
loop: "{{ services_to_disable }}"
# Configure UFW firewall
- name: Install UFW
apt:
name: ufw
state: present
- name: Configure UFW default policies
ufw:
state: enabled
policy: deny
direction: incoming
- name: Allow SSH on custom port
ufw:
rule: allow
port: "{{ ssh_port }}"
proto: tcp
# Install and configure Fail2Ban
- name: Install Fail2Ban
apt:
name: fail2ban
state: present
- name: Configure Fail2Ban
copy:
dest: /etc/fail2ban/jail.local
content: |
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
findtime = 600
maxretry = 3
[sshd]
enabled = true
port = {{ ssh_port }}
filter = sshd
logpath = /var/log/auth.log
- name: Restart Fail2Ban
systemd:
name: fail2ban
state: restarted
# Configure automatic updates
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
state: present
- name: Configure automatic updates
copy:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
content: |
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESM:${distro_codename}";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
# Install security tools
- name: Install security tools
apt:
name:
- lynis
- aide
- rkhunter
- chkrootkit
- auditd
state: present
# Configure auditd
- name: Configure auditd rules
copy:
dest: /etc/audit/rules.d/hardening.rules
content: |
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
- name: Restart auditd
systemd:
name: auditd
state: restarted
# Configure sysctl hardening
- name: Configure sysctl settings
sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
state: present
reload: yes
with_items:
- { key: "net.ipv4.conf.all.rp_filter", value: "1" }
- { key: "net.ipv4.conf.default.rp_filter", value: "1" }
- { key: "net.ipv4.icmp_echo_ignore_broadcasts", value: "1" }
- { key: "net.ipv4.icmp_ignore_bogus_error_responses", value: "1" }
- { key: "net.ipv4.conf.all.accept_redirects", value: "0" }
- { key: "net.ipv4.conf.default.accept_redirects", value: "0" }
- { key: "net.ipv4.conf.all.secure_redirects", value: "0" }
- { key: "net.ipv4.conf.default.secure_redirects", value: "0" }
- { key: "net.ipv6.conf.all.accept_redirects", value: "0" }
- { key: "net.ipv6.conf.default.accept_redirects", value: "0" }
- { key: "net.ipv4.conf.all.send_redirects", value: "0" }
- { key: "net.ipv4.conf.default.send_redirects", value: "0" }
- { key: "net.ipv4.tcp_syncookies", value: "1" }
- { key: "net.ipv4.tcp_max_syn_backlog", value: "2048" }
- { key: "net.ipv4.tcp_synack_retries", value: "2" }
- { key: "net.ipv4.tcp_syn_retries", value: "5" }
- { key: "kernel.randomize_va_space", value: "2" }
# Configure SSH hardening
- name: Configure SSH
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^{{ item.regexp }}$"
line: "{{ item.line }}"
state: present
with_items:
- { regexp: "Port", line: "Port {{ ssh_port }}" }
- { regexp: "PermitRootLogin", line: "PermitRootLogin no" }
- { regexp: "Protocol", line: "Protocol 2" }
- { regexp: "X11Forwarding", line: "X11Forwarding no" }
- { regexp: "MaxAuthTries", line: "MaxAuthTries 3" }
- { regexp: "IgnoreRhosts", line: "IgnoreRhosts yes" }
- { regexp: "HostbasedAuthentication", line: "HostbasedAuthentication no" }
- { regexp: "PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
- { regexp: "ClientAliveInterval", line: "ClientAliveInterval 300" }
- { regexp: "ClientAliveCountMax", line: "ClientAliveCountMax 2" }
- { regexp: "LoginGraceTime", line: "LoginGraceTime 60" }
- { regexp: "AllowAgentForwarding", line: "AllowAgentForwarding no" }
- { regexp: "AllowTcpForwarding", line: "AllowTcpForwarding no" }
- { regexp: "PermitTunnel", line: "PermitTunnel no" }
- name: Restart SSH
systemd:
name: ssh
state: restarted
# Configure password policies
- name: Install libpam-pwquality
apt:
name: libpam-pwquality
state: present
- name: Configure password policies
copy:
dest: /etc/security/pwquality.conf
content: |
minlen = 14
minclass = 4
maxrepeat = 2
maxsequence = 3
maxclassrepeat = 2
gecoscheck = 1
dictcheck = 1
usercheck = 1
enforcing = 1
- name: Configure PAM password policies
lineinfile:
dest: /etc/pam.d/common-password
regexp: "^password.*pam_pwquality.so.*$"
line: "password requisite pam_pwquality.so retry=3"
state: present
# Final message
- name: Display completion message
debug:
msg: "Parrot OS hardening complete. System reboot recommended."</pre>
</div>
<div class="bg-blue-50 p-4 rounded-lg mb-6">
<h3 class="font-bold text-blue-800 mb-2">
<i class="fas fa-info-circle mr-2"></i>Usage Instructions
</h3>
<ol class="list-decimal pl-5 text-gray-700 space-y-2">
<li>Install Ansible on your control machine: <code class="bg-gray-200 px-1 rounded">sudo apt install ansible</code></li>
<li>Create an inventory file with your target Parrot OS system's IP address</li>
<li>Save the playbook as <code class="bg-gray-200 px-1 rounded">parrot_hardening.yml</code></li>
<li>Run the playbook: <code class="bg-gray-200 px-1 rounded">ansible-playbook -i inventory parrot_hardening.yml</code></li>
<li>Reboot the system after completion</li>
</ol>
</div>
</div>
<!-- Manual Setup Tab -->
<div id="manual" class="tab-content">
<h2 class="text-2xl font-bold text-gray-800 mb-4">
<i class="fas fa-terminal mr-2"></i>Manual Hardening Steps
</h2>
<div class="space-y-6">
<!-- Initial Setup -->
<div class="bg-white border border-gray-200 rounded-lg shadow-sm">
<div class="flex items-center justify-between p-4 border-b border-gray-200 bg-gray-50 rounded-t-lg">
<h3 class="font-semibold text-gray-800">
<i class="fas fa-download mr-2 text-blue-500"></i>
Initial Setup
</h3>
<span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded-full">Step 1</span>
</div>
<div class="p-4">
<ol class="list-decimal pl-5 space-y-2 text-gray-700">
<li>Download Parrot OS Security Edition ISO from the <a href="https://www.parrotsec.org/download/" class="text-blue-600 hover:underline" target="_blank">official website</a></li>
<li>Verify the ISO checksum:
<div class="mt-2 code-block">sha256sum parrot-security-5.1_amd64.iso</div>
</li>
<li>Create bootable USB using Balena Etcher or dd:
<div class="mt-2 code-block">dd if=parrot-security-5.1_amd64.iso of=/dev/sdX bs=4M status=progress</div>
</li>
<li>Boot from USB and start installation</li>
<li>During installation:
<ul class="list-disc pl-5 mt-2 space-y-1">
<li>Select <strong>Guided - use entire disk with encrypted LVM</strong></li>
<li>Set a strong encryption passphrase (minimum 20 characters)</li>
<li>Create a non-root user account for daily use</li>
<li>Disable automatic login</li>
</ul>
</li>
</ol>
</div>
</div>
<!-- System Update -->
<div class="bg-white border border-gray-200 rounded-lg shadow-sm">
<div class="flex items-center justify-between p-4 border-b border-gray-200 bg-gray-50 rounded-t-lg">
<h3 class="font-semibold text-gray-800">
<i class="fas fa-sync-alt mr-2 text-green-500"></i>
System Update
</h3>
<span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded-full">Step 2</span>
</div>
<div class="p-4">
<div class="code-block">sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove --purge -y
sudo apt clean</div>
</div>
</div>
<!-- Remove Unnecessary Packages -->
<div class="bg-white border border-gray-200 rounded-lg shadow-sm">
<div class="flex items-center justify-between p-4 border-b border-gray-200 bg-gray-50 rounded-t-lg">
<h3 class="font-semibold text-gray-800">
<i class="fas fa-trash-alt mr-2 text-red-500"></i>
Remove Unnecessary Packages
</h3>
<span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded-full">Step 3</span>
</div>
<div class="p-4">
<div class="code-block">sudo apt purge -y xserver-xorg xserver-xorg-core xserver-xorg-input-all \
xserver-xorg-video-all x11-common x11-utils x11-xserver-utils \
bluetooth bluez bluez-obexd pulseaudio-module-bluetooth \
cups cups-daemon cups-common cups-filters cups-ppdc \
avahi-daemon modemmanager</div>
</div>
</div>
<!-- Firewall Configuration -->
<div class="bg-white border border-gray-200 rounded-lg shadow-sm">
<div class="flex items-center justify-between p-4 border-b border-gray-200 bg-gray-50 rounded-t-lg">
<h3 class="font-semibold text-gray-800">
<i class="fas fa-fire mr-2 text-orange-500"></i>
Firewall Configuration (UFW)
</h3>
<span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded-full">Step 4</span>
</div>
<div class="p-4">
<div class="code-block">sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp # Custom SSH port
sudo ufw enable
sudo systemctl enable ufw
sudo systemctl start ufw</div>
</div>
</div>
<!-- SSH Hardening -->
<div class="bg-white border border-gray-200 rounded-lg shadow-sm">
<div class="flex items-center justify-between p-4 border-b border-gray-200 bg-gray-50 rounded-t-lg">
<h3 class="font-semibold text-gray-800">
<i class="fas fa-terminal mr-2 text-purple-500"></i>
SSH Hardening
</h3>
<span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded-full">Step 5</span>
</div>
<div class="p-4">
<p class="text-gray-700 mb-2">Edit <code class="bg-gray-200 px-1 rounded">/etc/ssh/sshd_config</code>:</p>
<div class="code-block"># Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Use only SSH protocol 2
Protocol 2
# Disable X11 forwarding
X11Forwarding no
# Limit authentication attempts
MaxAuthTries 3
LoginGraceTime 60
# Disable empty passwords
PermitEmptyPasswords no
# Disable password authentication (use keys only)
PasswordAuthentication no
# Configure key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Disable other features
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
# Configure session timeouts
ClientAliveInterval 300
ClientAliveCountMax 2</div>
<p class="text-gray-700 mt-4">Then restart SSH:</p>
<div class="code-block">sudo systemctl restart ssh</div>
</div>
</div>
<!-- Fail2Ban Installation -->
<div class="bg-white border border-gray-200 rounded-lg shadow-sm">
<div class="flex items-center justify-between p-4 border-b border-gray-200 bg-gray-50 rounded-t-lg">
<h3 class="font-semibold text-gray-800">
<i class="fas fa-shield-alt mr-2 text-yellow-500"></i>
Fail2Ban Installation
</h3>
<span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded-full">Step 6</span>
</div>
<div class="p-4">
<div class="code-block">sudo apt install -y fail2ban
# Create custom jail configuration
echo '[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
findtime = 600
maxretry = 3
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log' | sudo tee /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban</div>
</div>
</div>
<!-- Additional Security Tools -->
<div class="bg-white border border-gray-200 rounded-lg shadow-sm">
<div class="flex items-center justify-between p-4 border-b border-gray-200 bg-gray-50 rounded-t-lg">
<h3 class="font-semibold text-gray-800">
<i class="fas fa-tools mr-2 text-indigo-500"></i>
Additional Security Tools
</h3>
<span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded-full">Step 7</span>
</div>
<div class="p-4">
<div class="code-block"># Install security tools
sudo apt install -y lynis aide rkhunter chkrootkit auditd
# Initialize AIDE database
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Configure daily AIDE checks
echo '#!/bin/sh
/usr/bin/aide --check
exit 0' | sudo tee /etc/cron.daily/aide-check
sudo chmod +x /etc/cron.daily/aide-check
# Configure auditd
echo '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity' | sudo tee /etc/audit/rules.d/hardening.rules
sudo systemctl restart auditd
sudo systemctl enable auditd</div>
</div>
</div>
</div>
</div>
<!-- Verification Tab -->
<div id="verification" class="tab-content">
<h2 class="text-2xl font-bold text-gray-800 mb-4">
<i class="fas fa-check-double mr-2"></i>Verification & Testing
</h2>
<div class="grid grid-cols-1 md:grid-cols-2 gap-6 mb-6">
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-boot text-blue-500 mr-2"></i>Boot Process Verification
</h3>
<ul class="space-y-2 text-gray-700">
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Verify system prompts for disk encryption passphrase on boot</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Check that no automatic login occurs</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Verify that only necessary services are running:
<div class="code-block mt-2">systemctl list-units --type=service --state=running</div>
</span>
</li>
</ul>
</div>
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-network-wired text-purple-500 mr-2"></i>Network Verification
</h3>
<ul class="space-y-2 text-gray-700">
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Check open ports:
<div class="code-block mt-2">sudo ss -tulnp</div>
</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Verify UFW status:
<div class="code-block mt-2">sudo ufw status verbose</div>
</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Test SSH access on custom port only</span>
</li>
</ul>
</div>
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-shield-virus text-red-500 mr-2"></i>Security Audits
</h3>
<ul class="space-y-2 text-gray-700">
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Run Lynis audit:
<div class="code-block mt-2">sudo lynis audit system</div>
</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Check for rootkits:
<div class="code-block mt-2">sudo rkhunter --checkall</div>
</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Run AIDE check:
<div class="code-block mt-2">sudo aide --check</div>
</span>
</li>
</ul>
</div>
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-user-lock text-yellow-500 mr-2"></i>Authentication Tests
</h3>
<ul class="space-y-2 text-gray-700">
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Attempt SSH root login (should fail)</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Attempt password authentication (should fail if disabled)</span>
</li>
<li class="flex items-start">
<i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
<span>Test Fail2Ban by making failed SSH attempts:
<div class="code-block mt-2">ssh -p 2222 root@localhost</div>
</span>
</li>
</ul>
</div>
</div>
<div class="bg-yellow-50 border-l-4 border-yellow-400 p-4 rounded-lg">
<div class="flex">
<div class="flex-shrink-0">
<i class="fas fa-exclamation-triangle text-yellow-500 text-xl"></i>
</div>
<div class="ml-3">
<h3 class="text-sm font-medium text-yellow-800">
Important Note
</h3>
<div class="mt-2 text-sm text-yellow-700">
<p>
After completing all hardening steps, perform a full system reboot and verify all security measures are still in place. Some settings (like sysctl parameters) may require a reboot to take effect.
</p>
</div>
</div>
</div>
</div>
</div>
<!-- Resources Tab -->
<div id="resources" class="tab-content">
<h2 class="text-2xl font-bold text-gray-800 mb-4">
<i class="fas fa-book mr-2"></i>Additional Resources
</h2>
<div class="grid grid-cols-1 md:grid-cols-2 gap-6">
<!-- Documentation -->
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-file-alt text-blue-500 mr-2"></i>Official Documentation
</h3>
<ul class="space-y-3">
<li>
<a href="https://www.parrotsec.org/docs/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
Parrot OS Official Documentation
</a>
</li>
<li>
<a href="https://docs.ansible.com/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
Ansible Documentation
</a>
</li>
<li>
<a href="https://help.ubuntu.com/lts/serverguide/firewall.html" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
UFW Firewall Guide
</a>
</li>
</ul>
</div>
<!-- Security Guides -->
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-shield-alt text-green-500 mr-2"></i>Security Hardening Guides
</h3>
<ul class="space-y-3">
<li>
<a href="https://www.cisecurity.org/benchmark/ubuntu_linux/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
CIS Ubuntu Benchmark
</a>
</li>
<li>
<a href="https://www.sshaudit.com/hardening_guides.html" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
SSH Hardening Guide
</a>
</li>
<li>
<a href="https://linux-audit.com/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
Linux Audit Project
</a>
</li>
</ul>
</div>
<!-- Tools -->
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-tools text-purple-500 mr-2"></i>Useful Tools
</h3>
<ul class="space-y-3">
<li>
<a href="https://cisofy.com/lynis/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
Lynis - Security Auditing Tool
</a>
</li>
<li>
<a href="https://aide.github.io/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
AIDE - File Integrity Checker
</a>
</li>
<li>
<a href="https://www.openvas.org/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
OpenVAS - Vulnerability Scanner
</a>
</li>
</ul>
</div>
<!-- Community -->
<div class="bg-white p-4 rounded-lg shadow-sm border border-gray-200">
<h3 class="font-semibold text-gray-800 mb-3">
<i class="fas fa-users text-red-500 mr-2"></i>Community Resources
</h3>
<ul class="space-y-3">
<li>
<a href="https://community.parrotsec.org/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
Parrot OS Community Forum
</a>
</li>
<li>
<a href="https://www.reddit.com/r/ParrotSecurity/" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
Parrot Security Subreddit
</a>
</li>
<li>
<a href="https://discord.gg/parrot" target="_blank" class="flex items-center text-blue-600 hover:underline">
<i class="fas fa-external-link-alt mr-2"></i>
Parrot OS Discord Server
</a>
</li>
</ul>
</div>
</div>
<div class="mt-8 bg-blue-50 p-4 rounded-lg border-l-4 border-blue-400">
<h3 class="font-semibold text-blue-800 mb-2">
<i class="fas fa-question-circle mr-2"></i>Need Help?
</h3>
<p class="text-blue-700">
For additional assistance with hardening your Parrot OS system, consider consulting with security professionals or posting specific questions on the Parrot OS community forums.
</p>
</div>
</div>
</div>
</div>
<!-- Footer -->
<footer class="mt-12 text-center text-gray-600 text-sm">
<p>
<i class="fas fa-code-branch mr-1"></i> Parrot OS Hardening Toolkit v1.0
<span class="mx-2">|</span>
<i class="fas fa-calendar-alt mr-1"></i> Last updated: July 2023
</p>
<p class="mt-2">
<i class="fas fa-exclamation-triangle mr-1 text-yellow-500"></i>
This guide is provided for educational purposes only. Use at your own risk.
</p>
<div class="mt-4 flex justify-center space-x-4">
<a href="#" class="text-blue-600 hover:underline">
<i class="fab fa-github mr-1"></i> GitHub
</a>
<a href="#" class="text-blue-600 hover:underline">
<i class="fas fa-bug mr-1"></i> Report Issue
</a>
<a href="#" class="text-blue-600 hover:underline">
<i class="fas fa-envelope mr-1"></i> Contact
</a>
</div>
</footer>
</div>
<script>
// Tab switching functionality
document.querySelectorAll('[data-tab]').forEach(tab => {
tab.addEventListener('click', () => {
// Remove active class from all tabs and contents
document.querySelectorAll('.nav-tabs button').forEach(t => t.classList.remove('active'));
document.querySelectorAll('.tab-content').forEach(c => c.classList.remove('active'));
// Add active class to clicked tab and corresponding content
tab.classList.add('active');
const tabId = tab.getAttribute('data-tab');
document.getElementById(tabId).classList.add('active');
});
});
// Copy button functionality
document.querySelectorAll('.copy-btn').forEach(btn => {
btn.addEventListener('click', function() {
const targetId = this.getAttribute('data-clipboard-target');
const codeBlock = document.querySelector(targetId);
const textToCopy = codeBlock.textContent;
navigator.clipboard.writeText(textToCopy).then(() => {
// Change button appearance temporarily
const originalText = this.innerHTML;
this.innerHTML = '<i class="fas fa-check mr-1"></i> Copied!';
this.classList.add('copied');
// Reset after 2 seconds
setTimeout(() => {
this.innerHTML = originalText;
this.classList.remove('copied');
}, 2000);
}).catch(err => {
console.error('Failed to copy text: ', err);
});
});
});
</script>
<p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=S-Dreamer/hard-os" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>
</html> |