mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-09 11:41:33 -05:00
Unbound for Ubuntu
This commit is contained in:
parent
e239821b65
commit
6df908ae81
@ -15,8 +15,10 @@ sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
|
|||||||
sudo ufw enable
|
sudo ufw enable
|
||||||
sudo ufw allow 22/tcp
|
sudo ufw allow 22/tcp
|
||||||
|
|
||||||
|
#Setup tuned
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
|
#Setup unbound
|
||||||
echo 'server:
|
echo 'server:
|
||||||
trust-anchor-file: "/var/lib/unbound/root.key
|
trust-anchor-file: "/var/lib/unbound/root.key
|
||||||
trust-anchor-signaling: yes
|
trust-anchor-signaling: yes
|
||||||
|
@ -7,6 +7,91 @@ sudo ua enable usg
|
|||||||
sudo apt install -y usg
|
sudo apt install -y usg
|
||||||
sudo usg fix cis_level2_server
|
sudo usg fix cis_level2_server
|
||||||
|
|
||||||
|
#Install packages
|
||||||
|
sudo apt update -y
|
||||||
|
sudo apt full-upgrade -y
|
||||||
|
sudo apt install -y curl fwupd resolveconf tuned unbound
|
||||||
|
|
||||||
|
#Setup tuned
|
||||||
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
|
#Setup unbound
|
||||||
|
echo 'server:
|
||||||
|
trust-anchor-file: "/var/lib/unbound/root.key
|
||||||
|
trust-anchor-signaling: yes
|
||||||
|
root-key-sentinel: yes
|
||||||
|
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
|
||||||
|
hide-identity: yes
|
||||||
|
hide-trustanchor: yes
|
||||||
|
hide-version: yes
|
||||||
|
deny-any: yes
|
||||||
|
harden-algo-downgrade: yes
|
||||||
|
harden-large-queries: yes
|
||||||
|
harden-referral-path: yes
|
||||||
|
ignore-cd-flag: yes
|
||||||
|
max-udp-size: 3072
|
||||||
|
module-config: "validator iterator"
|
||||||
|
qname-minimisation-strict: yes
|
||||||
|
unwanted-reply-threshold: 10000000
|
||||||
|
use-caps-for-id: yes
|
||||||
|
|
||||||
|
outgoing-port-permit: 1024-65535
|
||||||
|
|
||||||
|
prefetch: yes
|
||||||
|
prefetch-key: yes
|
||||||
|
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "."
|
||||||
|
forward-tls-upstream: yes
|
||||||
|
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
|
||||||
|
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
|
||||||
|
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
|
||||||
|
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf.d/custom.conf
|
||||||
|
|
||||||
|
sudo mv /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.bk
|
||||||
|
|
||||||
|
mkdir -p /etc/systemd/system/unbound.service.d
|
||||||
|
echo $'[Service]
|
||||||
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
PrivateDevices=true
|
||||||
|
PrivateTmp=true
|
||||||
|
ProtectHome=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
|
||||||
|
ProtectKernelTunables=false
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectSystem=strict
|
||||||
|
RuntimeDirectory=unbound
|
||||||
|
ConfigurationDirectory=unbound
|
||||||
|
StateDirectory=unbound
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||||
|
RestrictRealtime=true
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
LockPersonality=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
|
||||||
|
|
||||||
|
# Below rules are needed when chroot is enabled (usually it\'s enabled by default).
|
||||||
|
# If chroot is disabled like chroot: "" then they may be safely removed.
|
||||||
|
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
|
||||||
|
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
|
||||||
|
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
|
||||||
|
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
|
||||||
|
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
|
||||||
|
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart unbound
|
||||||
|
sudo systemctl disable --now systemd-resolved
|
||||||
|
|
||||||
#Security kernel settings
|
#Security kernel settings
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
@ -38,11 +123,6 @@ sudo systemctl stop whoopsie.service
|
|||||||
sudo systemctl disable whoopsie.service
|
sudo systemctl disable whoopsie.service
|
||||||
sudo systemctl mask whoopsie.service
|
sudo systemctl mask whoopsie.service
|
||||||
|
|
||||||
#Update packages and firmware
|
|
||||||
sudo apt update -y
|
|
||||||
sudo apt full-upgrade -y
|
|
||||||
sudo apt install fwupd
|
|
||||||
|
|
||||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||||
echo '[Service]
|
echo '[Service]
|
||||||
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
|
Loading…
Reference in New Issue
Block a user