Setup Parrot for vulnerability scanning with GVM + hardening

Is this thing on?

Recently I had the pleasure of installing Parrot on my network. I’m using it to scan for vulnerabilities on everything that is connected, and to do some hardening here and there based on the scan results. But in the meantime I want Parrot itself to be hardened as well. So this is my tech bit: the steps I’ve taken to get Parrot hardened and ready to scan for vulns.

Use it at your own risk, and check whether these steps are sane for you and your setup. No warranties or guarantees from me. Test your steps if needed, don’t lock yourself out, and don’t come crying to me if it all goes pear-shaped.

# get updates
sudo apt update -y && sudo apt upgrade -y

# get rdp 
sudo apt install xfce4 xfce4-goodies xorg dbus-x11 x11-xserver-utils
sudo apt install xrdp
sudo apt remove dbus-user-session
sudo apt install dbus-x11

# get ntp working
sudo apt install systemd-timesyncd
sudo timedatectl set-ntp true

# configure GVM
sudo apt install nsis
sudo openvas-setup

# setup firewall and enable
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow 3389 comment 'allow rdp port 3389'
sudo ufw allow 80 comment 'allow http'
sudo ufw allow 443 comment 'allow https'
sudo ufw allow 9392 comment 'allow https Greenbone Security Assistant/OpenVAS'
sudo ufw enable

# get the latest lynis, not from distro
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4
sudo apt install apt-transport-https
echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update
sudo apt-cache policy lynis
sudo touch /etc/apt/preferences.d/lynis
echo 'Package: lynis' | sudo tee -a /etc/apt/preferences.d/lynis
echo 'Pin: origin packages.cisofy.com' | sudo tee -a /etc/apt/preferences.d/lynis
echo 'Pin-Priority: 1002' | sudo tee -a /etc/apt/preferences.d/lynis
sudo apt update
sudo apt install lynis
sudo lynis update check
sudo lynis audit system

# hardening steps
# core dump prevention:
echo '## hardening lynis audit' | sudo tee -a /etc/security/limits.conf
echo '## https://www.cyberciti.biz/faq/disable-core-dumps-in-linux-with-systemd-sysctl/' | sudo tee -a /etc/security/limits.conf
echo '* hard core 0' | sudo tee -a /etc/security/limits.conf
echo '* soft core 0' | sudo tee -a /etc/security/limits.conf
sudo touch /etc/sysctl.d/9999-disable-core-dump.conf
echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/9999-disable-core-dump.conf 
echo 'kernel.core_pattern=|/bin/false'  | sudo tee -a /etc/sysctl.d/9999-disable-core-dump.conf
sudo sysctl -p /etc/sysctl.d/9999-disable-core-dump.conf
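A caveat on the `tee -a` steps above (and the same pattern in the Lynis pin-priority block): every re-run appends the lines again, so limits.conf and the sysctl drop-in slowly fill with duplicates. The script below is an added example, not part of the original post; it writes the same core-dump settings idempotently and then checks that the files actually contain what Lynis expects. File paths are parameters so it can be exercised against temporary files before you point it at /etc.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent variant of the
# core-dump hardening steps plus a verification pass. Paths are parameters
# (assumption: the caller passes the real /etc files, or temp files to test).

# ensure_line FILE LINE : append LINE to FILE unless it is already present verbatim
ensure_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if ! grep -Fxq -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# harden_core_dumps LIMITS_FILE SYSCTL_FILE : same settings as the post, no duplicates on re-run
harden_core_dumps() {
    limits="$1"; sysctl_conf="$2"
    ensure_line "$limits" '* hard core 0'
    ensure_line "$limits" '* soft core 0'
    ensure_line "$sysctl_conf" 'fs.suid_dumpable=0'
    ensure_line "$sysctl_conf" 'kernel.core_pattern=|/bin/false'
}

# sysctl_value FILE KEY : last value assigned to KEY in a sysctl.d-style file (last one wins)
sysctl_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# check_core_dump_config LIMITS_FILE SYSCTL_FILE : returns 0 when every setting is present
check_core_dump_config() {
    limits="$1"; sysctl_conf="$2"; rc=0
    for want in '* hard core 0' '* soft core 0'; do
        grep -Fxq -- "$want" "$limits" || { echo "missing in $limits: $want"; rc=1; }
    done
    [ "$(sysctl_value "$sysctl_conf" fs.suid_dumpable)" = "0" ] \
        || { echo "fs.suid_dumpable is not 0 in $sysctl_conf"; rc=1; }
    [ "$(sysctl_value "$sysctl_conf" kernel.core_pattern)" = "|/bin/false" ] \
        || { echo "kernel.core_pattern is not |/bin/false in $sysctl_conf"; rc=1; }
    return $rc
}

# Usage on the real system (run as root), then apply with the post's sysctl -p:
#   harden_core_dumps /etc/security/limits.conf /etc/sysctl.d/9999-disable-core-dump.conf
#   check_core_dump_config /etc/security/limits.conf /etc/sysctl.d/9999-disable-core-dump.conf
```

The check reads the files rather than the live kernel on purpose: it tells you whether a reboot or `sysctl -p` will land you in the right state, which is what the next Lynis audit looks at. Comparing against `/proc/sys/fs/suid_dumpable` after applying is the complementary live check.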

# hardening redis config openvas:
sudo chmod 640 /etc/redis/redis-openvas.conf

# install pam password quality control:
sudo apt install libpam-passwdqc

# install debsums, etc
sudo apt install debsums
sudo apt install apt-show-versions
sudo apt install unattended-upgrades

# install security apache2 modules
# see https://www.rapid7.com/blog/post/2017/04/09/how-to-configure-modevasive-with-apache-on-ubuntu-linux/
sudo apt-get install libapache2-mod-evasive
# remove all preceding # (hash symbols):
sudo vim /etc/apache2/mods-enabled/evasive.conf
# set up the directory mod_evasive needs for its logfile:
sudo mkdir /var/log/mod_evasive 
sudo chown -R www-data:www-data /var/log/mod_evasive
# restart apache:
sudo systemctl restart apache2
# now install mod_security:
# see https://ubiq.co/tech-blog/install-apache-mod_security-ubuntu/
sudo apt-get install libapache2-mod-security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# you can do sudo vim /etc/modsecurity/modsecurity.conf and set the first param (SecRuleEngine) to On, but we are not doing that
# restart apache:
sudo systemctl restart apache2
# there could be more hardening steps, look closely at your lynis audit output
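The "remove all preceding #" step above is done by hand in vim. As an added example (not from the original post), the script below does it with sed so it can sit in a provisioning script, and it deliberately leaves `DOSEmailNotify` and `DOSSystemCommand` commented: in the stock file those carry placeholder values, and enabling `DOSSystemCommand` with a bogus command or a mail address that does not exist buys nothing. The sample config is constructed here to mirror the shape of the Debian default evasive.conf; check yours before relying on the pattern.

```shell
#!/bin/sh
# Added example (not from the original post): enable the mod_evasive directives
# without an interactive editor. The sample file is constructed for the test;
# on a real box pass /etc/apache2/mods-enabled/evasive.conf as the source.

# write_sample_evasive_conf DST : constructed stand-in for the stock Debian evasive.conf
write_sample_evasive_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_evasive20.c>
    #DOSHashTableSize    3097
    #DOSPageCount        2
    #DOSSiteCount        50
    #DOSPageInterval     1
    #DOSSiteInterval     1
    #DOSBlockingPeriod   10

    #DOSEmailNotify      you@yourdomain.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    #DOSLogDir           "/var/log/mod_evasive"
</IfModule>
EOF
}

# enable_evasive_directives SRC DST : copy SRC to DST with the DOS* directives
# uncommented, except DOSEmailNotify and DOSSystemCommand, which need real values first.
enable_evasive_directives() {
    sed -E \
        -e '/^[[:space:]]*#[[:space:]]*DOS(EmailNotify|SystemCommand)/!s/^([[:space:]]*)#[[:space:]]*(DOS[A-Za-z]+)/\1\2/' \
        "$1" > "$2"
}

# count_enabled FILE : number of active (uncommented) DOS directives
count_enabled() {
    grep -cE '^[[:space:]]*DOS[A-Za-z]+' "$1"
}

# still_commented FILE DIRECTIVE : 0 if DIRECTIVE is still behind a '#'
still_commented() {
    grep -qE "^[[:space:]]*#[[:space:]]*$2" "$1"
}

# Usage on the real system (as root), followed by the post's configtest/restart:
#   enable_evasive_directives /etc/apache2/mods-enabled/evasive.conf /tmp/evasive.conf.new
#   apachectl -t -f /etc/apache2/apache2.conf && cp /tmp/evasive.conf.new /etc/apache2/mods-enabled/evasive.conf
```

Writing to a new file and only copying it over after `configtest` passes is the same habit the post applies later with `apache2ctl configtest`: a syntax slip in a mods-enabled file takes the whole Apache instance, and with it the Greenbone web interface, down on restart.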

# adapt vim/nvim against visual mode
# see Disable annoying visual mode in (n)vim on Parrot

# set /usr/bin/gvm-feed-update in root's crontab so Greenbone Vulnerability Manager gets the latest NVTs and CVEs
#   0 0   *   *   3   /usr/bin/gvm-feed-update

# solve GVM vulnerability on server-status Apache via httpd
# https://stackoverflow.com/questions/45609000/disable-apache-server-status-check
locate a2dismod
sudo a2dismod status
sudo apache2ctl configtest
sudo systemctl restart apache2
