Parrot OS Hardening Toolkit

A comprehensive guide to building a secure penetration testing environment

Hardened Parrot OS Security Edition

Objective

Create a secure, minimal, and reliable penetration testing environment based on Parrot OS Security Edition with full disk encryption, network hardening, and intrusion detection.

Target Audience

Penetration testers, security researchers, and cybersecurity professionals who need a secure field kit for assessments.

Key Security Considerations

Minimal Attack Surface

Reduce installed packages and services to only what's necessary

Strong Authentication

Implement MFA and secure password policies

Disk Encryption

Full disk encryption to protect data at rest

Network Hardening

Minimize network exposure and secure services

Regular Updates

Automatic security updates and patch management

Logging & Auditing

Comprehensive activity tracking and monitoring

Included Security Tools

UFW Firewall, Fail2Ban, Lynis, OpenVAS, AIDE, Rkhunter, Chkrootkit, Auditd

Ansible Playbook for Hardening

This Ansible playbook automates the hardening process for Parrot OS Security Edition: package and service removal, firewall configuration, automatic updates, SSH and password hardening, and intrusion detection. Disk encryption is chosen at install time and is covered under Manual Hardening Steps below.

parrot_hardening.yml
---
- name: Harden Parrot OS Security Edition
  hosts: all
  become: true
  vars:
    # User configuration
    admin_user: "pentester"
    admin_groups: "sudo"
    ssh_port: 2222
    
    # Packages to remove
    packages_to_remove:
      - xserver-xorg
      - bluetooth
      - cups
      - avahi-daemon
      - modemmanager
    
    # Services to disable
    services_to_disable:
      - bluetooth
      - cups
      - avahi-daemon
      - modemmanager
      - apparmor
    
  tasks:
    # Update system
    - name: Update all packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: yes
    
    # Remove unnecessary packages
    - name: Remove unwanted packages
      apt:
        name: "{{ packages_to_remove }}"
        state: absent
        purge: yes
    
    # Disable unnecessary services
    - name: Disable unwanted services
      systemd:
        name: "{{ item }}"
        enabled: no
        state: stopped
      loop: "{{ services_to_disable }}"
    
    # Configure UFW firewall
    - name: Install UFW
      apt:
        name: ufw
        state: present
    
    - name: Configure UFW default policies
      ufw:
        state: enabled
        policy: deny
        direction: incoming
    
    - name: Allow SSH on custom port
      ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp
    
    # Install and configure Fail2Ban
    - name: Install Fail2Ban
      apt:
        name: fail2ban
        state: present
    
    - name: Configure Fail2Ban
      # On hosts without rsyslog there is no /var/log/auth.log; in that case
      # replace the logpath line with "backend = systemd" so the jail reads
      # the journal instead.
      copy:
        dest: /etc/fail2ban/jail.local
        content: |
          [DEFAULT]
          ignoreip = 127.0.0.1/8
          bantime = 3600
          findtime = 600
          maxretry = 3

          [sshd]
          enabled = true
          port = {{ ssh_port }}
          filter = sshd
          logpath = /var/log/auth.log
    
    - name: Restart Fail2Ban
      systemd:
        name: fail2ban
        state: restarted
    
    # Configure automatic updates
    - name: Install unattended-upgrades
      apt:
        name: unattended-upgrades
        state: present
    
    - name: Configure automatic updates
      copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        content: |
          Unattended-Upgrade::Allowed-Origins {
              "${distro_id}:${distro_codename}";
              "${distro_id}:${distro_codename}-security";
              "${distro_id}ESM:${distro_codename}";
          };
          Unattended-Upgrade::Package-Blacklist {
          };
          Unattended-Upgrade::Automatic-Reboot "true";
          Unattended-Upgrade::Automatic-Reboot-Time "02:00";

    - name: Enable periodic unattended upgrades
      # 50unattended-upgrades only says what may be upgraded; without the
      # APT::Periodic switches below, unattended-upgrade is never run.
      copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
    
    # Install security tools
    - name: Install security tools
      apt:
        name:
          - lynis
          - aide
          - rkhunter
          - chkrootkit
          - auditd
        state: present
    
    # Configure auditd
    - name: Configure auditd rules
      copy:
        dest: /etc/audit/rules.d/hardening.rules
        content: |
          -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
          -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
          -a always,exit -F arch=b64 -S clock_settime -k time-change
          -a always,exit -F arch=b32 -S clock_settime -k time-change
          -w /etc/localtime -p wa -k time-change
          -w /etc/group -p wa -k identity
          -w /etc/passwd -p wa -k identity
          -w /etc/gshadow -p wa -k identity
          -w /etc/shadow -p wa -k identity
          -w /etc/security/opasswd -p wa -k identity
    
    - name: Load auditd rules
      # auditd.service sets RefuseManualStop, so "systemctl restart auditd"
      # fails; augenrules merges rules.d/*.rules and loads them into the
      # running daemon.
      command: augenrules --load
    
    # Configure sysctl hardening
    - name: Configure sysctl settings
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        state: present
        reload: yes
      with_items:
        - { key: "net.ipv4.conf.all.rp_filter", value: "1" }
        - { key: "net.ipv4.conf.default.rp_filter", value: "1" }
        - { key: "net.ipv4.icmp_echo_ignore_broadcasts", value: "1" }
        - { key: "net.ipv4.icmp_ignore_bogus_error_responses", value: "1" }
        - { key: "net.ipv4.conf.all.accept_redirects", value: "0" }
        - { key: "net.ipv4.conf.default.accept_redirects", value: "0" }
        - { key: "net.ipv4.conf.all.secure_redirects", value: "0" }
        - { key: "net.ipv4.conf.default.secure_redirects", value: "0" }
        - { key: "net.ipv6.conf.all.accept_redirects", value: "0" }
        - { key: "net.ipv6.conf.default.accept_redirects", value: "0" }
        - { key: "net.ipv4.conf.all.send_redirects", value: "0" }
        - { key: "net.ipv4.conf.default.send_redirects", value: "0" }
        - { key: "net.ipv4.tcp_syncookies", value: "1" }
        - { key: "net.ipv4.tcp_max_syn_backlog", value: "2048" }
        - { key: "net.ipv4.tcp_synack_retries", value: "2" }
        - { key: "net.ipv4.tcp_syn_retries", value: "5" }
        - { key: "kernel.randomize_va_space", value: "2" }
    
    # Configure SSH hardening
    - name: Configure SSH
      # Match the active or commented-out form of each directive. A bare
      # "^Port$" pattern matches nothing, so lineinfile would append new
      # lines at the end of the file; sshd honours only the first occurrence
      # of a directive, so an earlier "PermitRootLogin yes" would still win.
      # validate refuses to write a file that sshd cannot parse.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.regexp }}\s'
        line: "{{ item.line }}"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { regexp: "Port", line: "Port {{ ssh_port }}" }
        - { regexp: "PermitRootLogin", line: "PermitRootLogin no" }
        # Protocol is ignored by OpenSSH 7.6 and later, which only speak protocol 2
        - { regexp: "Protocol", line: "Protocol 2" }
        - { regexp: "X11Forwarding", line: "X11Forwarding no" }
        - { regexp: "MaxAuthTries", line: "MaxAuthTries 3" }
        - { regexp: "IgnoreRhosts", line: "IgnoreRhosts yes" }
        - { regexp: "HostbasedAuthentication", line: "HostbasedAuthentication no" }
        - { regexp: "PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
        - { regexp: "ClientAliveInterval", line: "ClientAliveInterval 300" }
        - { regexp: "ClientAliveCountMax", line: "ClientAliveCountMax 2" }
        - { regexp: "LoginGraceTime", line: "LoginGraceTime 60" }
        - { regexp: "AllowAgentForwarding", line: "AllowAgentForwarding no" }
        - { regexp: "AllowTcpForwarding", line: "AllowTcpForwarding no" }
        - { regexp: "PermitTunnel", line: "PermitTunnel no" }
    
    - name: Restart SSH
      systemd:
        name: ssh
        state: restarted
    
    # Configure password policies
    - name: Install libpam-pwquality
      apt:
        name: libpam-pwquality
        state: present
    
    - name: Configure password policies
      copy:
        dest: /etc/security/pwquality.conf
        content: |
          minlen = 14
          minclass = 4
          maxrepeat = 2
          maxsequence = 3
          maxclassrepeat = 2
          gecoscheck = 1
          dictcheck = 1
          usercheck = 1
          enforcing = 1
    
    - name: Configure PAM password policies
      lineinfile:
        dest: /etc/pam.d/common-password
        regexp: "^password.*pam_pwquality.so.*$"
        line: "password requisite pam_pwquality.so retry=3"
        state: present
    
    # Final message
    - name: Display completion message
      debug:
        msg: "Parrot OS hardening complete. System reboot recommended."

Usage Instructions

  1. Install Ansible on your control machine: sudo apt install ansible
  2. Create an inventory file with your target Parrot OS system's IP address
  3. Save the playbook as parrot_hardening.yml
  4. Run the playbook: ansible-playbook -i inventory parrot_hardening.yml
  5. Reboot the system after completion

Manual Hardening Steps

Initial Setup

Step 1
  1. Download Parrot OS Security Edition ISO from the official website
  2. Verify the ISO checksum against the hash published on the download page:
    sha256sum parrot-security-5.1_amd64.iso
  3. Create bootable USB using Balena Etcher or dd:
    dd if=parrot-security-5.1_amd64.iso of=/dev/sdX bs=4M status=progress
  4. Boot from USB and start installation
  5. During installation:
    • Select Guided - use entire disk with encrypted LVM
    • Set a strong encryption passphrase (minimum 20 characters)
    • Create a non-root user account for daily use
    • Disable automatic login

System Update

Step 2
sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove --purge -y
sudo apt clean

Remove Unnecessary Packages

Step 3
# Purging xserver-xorg removes the graphical desktop; this is meant for a headless kit
sudo apt purge -y xserver-xorg xserver-xorg-core xserver-xorg-input-all \
    xserver-xorg-video-all x11-common x11-utils x11-xserver-utils \
    bluetooth bluez bluez-obexd pulseaudio-module-bluetooth \
    cups cups-daemon cups-common cups-filters cups-ppdc \
    avahi-daemon modemmanager

Firewall Configuration (UFW)

Step 4
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp   # Custom SSH port
sudo ufw enable
sudo systemctl enable ufw
sudo systemctl start ufw

SSH Hardening

Step 5

Edit /etc/ssh/sshd_config:

# Change default port
Port 2222

# Disable root login
PermitRootLogin no

# Use only SSH protocol 2 (ignored by OpenSSH 7.6 and later, which only speak protocol 2)
Protocol 2

# Disable X11 forwarding
X11Forwarding no

# Limit authentication attempts
MaxAuthTries 3
LoginGraceTime 60

# Disable empty passwords
PermitEmptyPasswords no

# Disable password authentication (use keys only).
# Put your public key in ~/.ssh/authorized_keys and confirm a key-based login
# works before restarting sshd with this set, or you will lock yourself out.
PasswordAuthentication no

# Configure key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Disable other features
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no

# Configure session timeouts
ClientAliveInterval 300
ClientAliveCountMax 2

Then validate the configuration and restart SSH:

sudo sshd -t && sudo systemctl restart ssh
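As an added example (not part of the original guide), the following POSIX shell function audits a sshd_config file against the directives listed above. It applies sshd's own rule that the first occurrence of a directive wins, which is why hardened lines merely appended to the end of a file that already says "PermitRootLogin yes" change nothing; the two sample configs are constructed for the demonstration.

```shell
# Expected directives from the SSH Hardening step, as directive=value pairs.
SSHD_EXPECTED="Port=2222 PermitRootLogin=no X11Forwarding=no MaxAuthTries=3
LoginGraceTime=60 PermitEmptyPasswords=no PasswordAuthentication=no
PubkeyAuthentication=yes AllowAgentForwarding=no AllowTcpForwarding=no
PermitTunnel=no ClientAliveInterval=300 ClientAliveCountMax=2"

# effective_value FILE DIRECTIVE: print the value sshd would actually use.
# sshd_config is first-match-wins and keywords are case-insensitive, so take
# the first non-comment line whose keyword is the directive (Match blocks
# are not modelled here; on a live host "sudo sshd -T" is authoritative).
effective_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: report every missing or wrong directive and return
# the number of failures (0 means the whole hardening set is in effect).
audit_sshd_config() {
    failures=0
    for pair in $SSHD_EXPECTED; do
        directive=${pair%%=*}
        expected=${pair#*=}
        actual=$(effective_value "$1" "$directive")
        if [ "$actual" != "$expected" ]; then
            printf '%s: %s is %s, expected %s\n' \
                "$1" "$directive" "${actual:-unset}" "$expected"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample configs for the demonstration (not files from the guide).
tmp=$(mktemp -d)
# hardened: exactly the directives above, one per line.
for pair in $SSHD_EXPECTED; do echo "${pair%%=*} ${pair#*=}"; done > "$tmp/hardened"
# appended: the same lines added after a pre-existing "PermitRootLogin yes",
# which is what editing with a pattern that never matches produces. sshd
# honours the first occurrence, so root login is still permitted.
{ echo 'PermitRootLogin yes'; echo '#Port 22'; cat "$tmp/hardened"; } > "$tmp/appended"

audit_sshd_config "$tmp/hardened" && echo "hardened: all directives in effect"
audit_sshd_config "$tmp/appended" || echo "appended: $? directive(s) not in effect"
```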

Fail2Ban Installation

Step 6
sudo apt install -y fail2ban

# Create custom jail configuration
# (on hosts without rsyslog there is no /var/log/auth.log; use "backend = systemd"
# in place of the logpath line so the jail reads the journal)
sudo tee /etc/fail2ban/jail.local > /dev/null <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
EOF

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

Additional Security Tools

Step 7
# Install security tools
sudo apt install -y lynis aide rkhunter chkrootkit auditd

# Initialize AIDE database
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Configure daily AIDE checks
sudo tee /etc/cron.daily/aide-check > /dev/null <<'EOF'
#!/bin/sh
/usr/bin/aide --check
exit 0
EOF
sudo chmod +x /etc/cron.daily/aide-check

# Configure auditd
sudo tee /etc/audit/rules.d/hardening.rules > /dev/null <<'EOF'
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
EOF

# auditd.service refuses "systemctl restart" (RefuseManualStop); load the rules instead
sudo augenrules --load
sudo systemctl enable auditd

Verification & Testing

Boot Process Verification

  • Verify system prompts for disk encryption passphrase on boot
  • Check that no automatic login occurs
  • Verify that only necessary services are running:
    systemctl list-units --type=service --state=running

Network Verification

  • Check open ports:
    sudo ss -tulnp
  • Verify UFW status:
    sudo ufw status verbose
  • Test SSH access on custom port only

Security Audits

  • Run Lynis audit:
    sudo lynis audit system
  • Check for rootkits:
    sudo rkhunter --checkall
  • Run AIDE check:
    sudo aide --check

Authentication Tests

  • Attempt SSH root login (should fail)
  • Attempt password authentication (should fail if disabled)
  • Test Fail2Ban by making failed SSH attempts (note that jail.local sets ignoreip = 127.0.0.1/8, so attempts from localhost itself are logged but never banned; run them from another host to see a ban):
    ssh -p 2222 root@localhost

Important Note

After completing all hardening steps, perform a full system reboot and verify all security measures are still in place. Some settings (like sysctl parameters) may require a reboot to take effect.

Additional Resources

Need Help?

For additional assistance with hardening your Parrot OS system, consider consulting with security professionals or posting specific questions on the Parrot OS community forums.
