diff --git a/GCP-Debian-11.sh b/GCP-Debian-11.sh index 9728cb1..369f54d 100644 --- a/GCP-Debian-11.sh +++ b/GCP-Debian-11.sh @@ -15,8 +15,10 @@ sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw sudo ufw enable sudo ufw allow 22/tcp +#Setup tuned sudo tuned-adm profile virtual-guest +#Setup unbound echo 'server: trust-anchor-file: "/var/lib/unbound/root.key trust-anchor-signaling: yes diff --git a/Ubuntu-22.04-Server.sh b/Ubuntu-22.04-Server.sh index 477f2ba..c746af0 100644 --- a/Ubuntu-22.04-Server.sh +++ b/Ubuntu-22.04-Server.sh @@ -7,6 +7,91 @@ sudo ua enable usg sudo apt install -y usg sudo usg fix cis_level2_server +#Install packages +sudo apt update -y +sudo apt full-upgrade -y +sudo apt install -y curl fwupd resolveconf tuned unbound + +#Setup tuned +sudo tuned-adm profile virtual-guest + +#Setup unbound +echo 'server: + trust-anchor-file: "/var/lib/unbound/root.key + trust-anchor-signaling: yes + root-key-sentinel: yes + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + + hide-identity: yes + hide-trustanchor: yes + hide-version: yes + deny-any: yes + harden-algo-downgrade: yes + harden-large-queries: yes + harden-referral-path: yes + ignore-cd-flag: yes + max-udp-size: 3072 + module-config: "validator iterator" + qname-minimisation-strict: yes + unwanted-reply-threshold: 10000000 + use-caps-for-id: yes + + outgoing-port-permit: 1024-65535 + + prefetch: yes + prefetch-key: yes + + +forward-zone: + name: "." + forward-tls-upstream: yes + forward-addr: 1.1.1.2@853#security.cloudflare-dns.com + forward-addr: 1.0.0.2@853#security.cloudflare-dns.com + forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com + forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf.d/custom.conf + +sudo mv /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.bk + +mkdir -p /etc/systemd/system/unbound.service.d +echo $'[Service] +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectClock=true +ProtectControlGroups=true +ProtectKernelLogs=true +ProtectKernelModules=true +# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility. +ProtectKernelTunables=false +ProtectProc=invisible +ProtectSystem=strict +RuntimeDirectory=unbound +ConfigurationDirectory=unbound +StateDirectory=unbound +RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX +RestrictRealtime=true +SystemCallArchitectures=native +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources +RestrictNamespaces=yes +LockPersonality=yes +RestrictSUIDSGID=yes +ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ + +# Below rules are needed when chroot is enabled (usually it\'s enabled by default). +# If chroot is disabled like chroot: "" then they may be safely removed. +TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro +TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro +BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify +BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom +BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf + +sudo systemctl daemon-reload +sudo systemctl restart unbound +sudo systemctl disable --now systemd-resolved + #Security kernel settings sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf @@ -38,11 +123,6 @@ sudo systemctl stop whoopsie.service sudo systemctl disable whoopsie.service sudo systemctl mask whoopsie.service -#Update packages and firmware -sudo apt update -y -sudo apt full-upgrade -y -sudo apt install fwupd - mkdir -p /etc/systemd/system/fwupd-refresh.service.d echo '[Service] ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf