From 912c884841c5a1449b6f818f6a349bcce22fd7d4 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 28 Apr 2024 11:47:36 -0700
Subject: [PATCH] Move networking setup to the end of the scripts

Signed-off-by: Tommy
---
 Fedora-Workstation-39.sh | 34 ++++++++++++++++++----------------
 Fedora-Workstation-40.sh | 34 ++++++++++++++++++----------------
 Kali-Linux.sh | 19 ++++++++++---------
 Ubuntu-22.04-Server.sh | 15 ++++++++-------
 Ubuntu-23.10-Desktop.sh | 33 +++++++++++++++++++--------------
 5 files changed, 73 insertions(+), 62 deletions(-)

diff --git a/Fedora-Workstation-39.sh b/Fedora-Workstation-39.sh
index d135255..77886f5 100644
--- a/Fedora-Workstation-39.sh
+++ b/Fedora-Workstation-39.sh
@@ -61,17 +61,6 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
 sudo systemctl restart chronyd
-# Setup Networking
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
-sudo nmcli general reload conf
-sudo hostnamectl hostname 'localhost'
-sudo hostnamectl --transient hostname ''
-sudo firewall-cmd --set-default-zone=block
-sudo firewall-cmd --permanent --add-service=dhcpv6-client
-sudo firewall-cmd --reload
-sudo firewall-cmd --lockdown-on
-
 # Remove nullok
 sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
@@ -113,11 +102,6 @@ fi
 # Disable coredump
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-# Systemd Hardening
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-sudo systemctl restart NetworkManager
-
 # Disable XWayland
 umask 022
 sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
@@ -277,4 +261,22 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
 sudo dnf install hardened_malloc -y
 fi
+# Setup Networking
+
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
+sudo firewall-cmd --set-default-zone=block
+sudo firewall-cmd --permanent --add-service=dhcpv6-client
+sudo firewall-cmd --reload
+sudo firewall-cmd --lockdown-on
+
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
+
 output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
\ No newline at end of file
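Review bot: The `unpriv curl … | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf` line in the relocated block, its sibling for `01-transient-hostname.conf` and the `99-brace.conf` fetch all run curl without `--fail`, so an HTTP error page would be written into a root-owned config file, and because tee is the last pipeline stage a failed download leaves the exit status at 0 unless the script sets `pipefail` somewhere outside this hunk; `nmcli general reload conf` and the NetworkManager restart then proceed on top of whatever landed in the file. `unpriv curl -fsS https://… | sudo tee …` makes a failed fetch fail loudly. The same pattern is in the matching blocks of Fedora-Workstation-40.sh, Kali-Linux.sh and Ubuntu-23.10-Desktop.sh. These files are also pulled from mutable `main`/`master` branches and installed as root without any integrity check, so pinning the URLs to a specific commit is worth considering.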
diff --git a/Fedora-Workstation-40.sh b/Fedora-Workstation-40.sh
index a9b8db0..f17c288 100644
--- a/Fedora-Workstation-40.sh
+++ b/Fedora-Workstation-40.sh
@@ -61,17 +61,6 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
 sudo systemctl restart chronyd
-# Setup Networking
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
-sudo nmcli general reload conf
-sudo hostnamectl hostname 'localhost'
-sudo hostnamectl --transient hostname ''
-sudo firewall-cmd --set-default-zone=block
-sudo firewall-cmd --permanent --add-service=dhcpv6-client
-sudo firewall-cmd --reload
-sudo firewall-cmd --lockdown-on
-
 # Remove nullok
 sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
@@ -113,11 +102,6 @@ fi
 # Disable coredump
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-# Systemd Hardening
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-sudo systemctl restart NetworkManager
-
 # Disable XWayland
 umask 022
 sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
@@ -277,4 +261,22 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
 sudo dnf install hardened_malloc -y
 fi
+# Setup Networking
+
+sudo firewall-cmd --set-default-zone=block
+sudo firewall-cmd --permanent --add-service=dhcpv6-client
+sudo firewall-cmd --reload
+sudo firewall-cmd --lockdown-on
+
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
+
 output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
\ No newline at end of file
diff --git a/Kali-Linux.sh b/Kali-Linux.sh
index 9e1d79f..5932418 100644
--- a/Kali-Linux.sh
+++ b/Kali-Linux.sh
@@ -29,10 +29,6 @@ sudo apt full-upgrade -y
 # Install all tools
 sudo apt install kali-linux-everything -y
-# Setup UFW
-sudo apt install ufw -y
-sudo ufw enable
-
 # Kernel hardening
 unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
 sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
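Review bot: The order of the relocated networking block differs between the two Fedora scripts: here `sudo hostnamectl hostname 'localhost'` and `sudo hostnamectl --transient hostname ''` run after `sudo nmcli general reload conf`, while in Fedora-Workstation-39.sh they run before the firewall-cmd calls and before the NetworkManager drop-ins are written. If `01-transient-hostname.conf` changes how NetworkManager manages the transient hostname (its contents are not visible in the patch), the relative order of the reload and the `hostnamectl --transient` call decides whether NetworkManager can overwrite the cleared value again, so one of the two orders is presumably the intended one and both files should use it. A one-line comment above the block stating why the reload precedes (or follows) the hostname change would keep the two scripts from drifting apart again.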
@@ -52,10 +48,6 @@ sudo update-initramfs -u
 # Disable coredump
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-# System Hardening
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-
 # Update GRUB config
 echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality"' | sudo tee -a /etc/grub.d/40_custom
 sudo update-grub
@@ -84,4 +76,13 @@ else
 fi
 # Enable fstrim.timer
-sudo systemctl enable --now fstrim.timer
\ No newline at end of file
+sudo systemctl enable --now fstrim.timer
+
+# Setup Networking
+sudo apt install ufw -y
+sudo ufw enable
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
\ No newline at end of file
diff --git a/Ubuntu-22.04-Server.sh b/Ubuntu-22.04-Server.sh
index c6e2d1a..27cfd12 100644
--- a/Ubuntu-22.04-Server.sh
+++ b/Ubuntu-22.04-Server.sh
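Review bot: `curl https://gitlab.com/divested/brace/…/99-brace.conf | sudo tee …` in the new Kali block drops the `unpriv` wrapper that the equivalent line in Fedora-Workstation-39.sh and Fedora-Workstation-40.sh uses, so here the download runs with the caller's full privileges; the wrapper is defined outside this hunk, so I assume it is available in this script too, and `unpriv curl https://gitlab.com/… | sudo tee …` would make the three scripts consistent. `sudo ufw enable` is also issued with no allow rule at all, unlike Ubuntu-22.04-Server.sh which adds `sudo ufw allow SSH`; if this script is ever run over SSH that blocks new inbound sessions, and ufw may stop for an interactive confirmation when it detects an SSH session (`sudo ufw --force enable` skips that prompt). Since `sudo systemctl restart NetworkManager` is now the last command, a short comment such as `# Kept last on purpose: restarting NetworkManager may interrupt an existing remote session` would record why the block was moved.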
@@ -51,13 +51,6 @@ sudo apt install -y chrony
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
-# Setup UFW
-# UFW Snap is strictly confined, unlike its .deb counterpart
-sudo apt purge -y ufw
-sudo snap install ufw
-sudo ufw enable
-sudo ufw allow SSH
-
 # Harden SSH
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
@@ -222,4 +215,12 @@ sudo systemctl daemon-reload
 sudo systemctl restart unbound
 sudo systemctl disable systemd-resolved
+# Setup Networking
+
+# UFW Snap is strictly confined, unlike its .deb counterpart
+sudo apt purge -y ufw
+sudo snap install ufw
+sudo ufw enable
+sudo ufw allow SSH
+
 sudo reboot
diff --git a/Ubuntu-23.10-Desktop.sh b/Ubuntu-23.10-Desktop.sh
index 7e28b87..2ab352e 100644
--- a/Ubuntu-23.10-Desktop.sh
+++ b/Ubuntu-23.10-Desktop.sh
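Review bot: `sudo ufw enable` precedes `sudo ufw allow SSH` in the relocated server block, so the firewall comes up with no SSH rule, and if the allow step fails (for example if the freshly installed snap is not yet on PATH) and the script is not running under `set -e`, it goes straight on to the `sudo reboot` that follows with SSH still blocked. Swapping the two lines closes that window: `sudo ufw allow SSH` then `sudo ufw enable`. ufw may also pause for an interactive confirmation when it detects an SSH session; `sudo ufw --force enable` keeps the step non-interactive, which matters now that it runs immediately before the reboot.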
@@ -52,19 +52,6 @@ sudo apt install -y chrony
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
-# Setup Networking
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
-sudo nmcli general reload conf
-sudo hostnamectl hostname 'localhost'
-sudo hostnamectl --transient hostname ''
-
-# Setup UFW
-#UFW Snap is strictly confined, unlike its .deb counterpart
-sudo apt purge -y ufw
-sudo snap install ufw
-sudo ufw enable
-
 # Harden SSH
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
@@ -224,4 +211,22 @@ else
 sudo apt install qemu-guest-agent -y
 fi
 sudo tuned-adm profile virtual-guest
-fi
\ No newline at end of file
+fi
+
+# Setup Networking
+
+# UFW Snap is strictly confined, unlike its .deb counterpart
+sudo apt purge -y ufw
+sudo snap install ufw
+sudo ufw enable
+
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
\ No newline at end of file
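Review bot: `curl https://gitlab.com/divested/brace/…/99-brace.conf | sudo tee …` in the new desktop block lacks the `unpriv` wrapper that the two `unpriv curl …` lines directly above it use, so the three downloads in one block run with different privileges for no stated reason; `unpriv curl https://gitlab.com/… | sudo tee …` makes them consistent with each other and with the Fedora scripts. The `99-brace.conf` drop-in is new to this script (the removed block in the earlier hunk only held the NetworkManager and UFW steps), so a one-line comment above `sudo mkdir -p /etc/systemd/system/NetworkManager.service.d` naming what the brace drop-in restricts would help the next reader. The `fi` at the top of the hunk closes an if/else that begins outside it.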