mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-09 03:31:33 -05:00
Move networking setup to the end of the scripts
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
41a1237561
commit
912c884841
@ -61,17 +61,6 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
|
|||||||
|
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
# Setup Networking
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
|
||||||
sudo nmcli general reload conf
|
|
||||||
sudo hostnamectl hostname 'localhost'
|
|
||||||
sudo hostnamectl --transient hostname ''
|
|
||||||
sudo firewall-cmd --set-default-zone=block
|
|
||||||
sudo firewall-cmd --permanent --add-service=dhcpv6-client
|
|
||||||
sudo firewall-cmd --reload
|
|
||||||
sudo firewall-cmd --lockdown-on
|
|
||||||
|
|
||||||
# Remove nullok
|
# Remove nullok
|
||||||
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
||||||
|
|
||||||
@ -113,11 +102,6 @@ fi
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
|
|
||||||
# Systemd Hardening
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
sudo systemctl restart NetworkManager
|
|
||||||
|
|
||||||
# Disable XWayland
|
# Disable XWayland
|
||||||
umask 022
|
umask 022
|
||||||
sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
|
sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
|
||||||
@ -277,4 +261,22 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
|||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install hardened_malloc -y
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Setup Networking
|
||||||
|
|
||||||
|
sudo hostnamectl hostname 'localhost'
|
||||||
|
sudo hostnamectl --transient hostname ''
|
||||||
|
sudo firewall-cmd --set-default-zone=block
|
||||||
|
sudo firewall-cmd --permanent --add-service=dhcpv6-client
|
||||||
|
sudo firewall-cmd --reload
|
||||||
|
sudo firewall-cmd --lockdown-on
|
||||||
|
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
||||||
|
sudo nmcli general reload conf
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart NetworkManager
|
||||||
|
|
||||||
output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
|
output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
|
@ -61,17 +61,6 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
|
|||||||
|
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
# Setup Networking
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
|
||||||
sudo nmcli general reload conf
|
|
||||||
sudo hostnamectl hostname 'localhost'
|
|
||||||
sudo hostnamectl --transient hostname ''
|
|
||||||
sudo firewall-cmd --set-default-zone=block
|
|
||||||
sudo firewall-cmd --permanent --add-service=dhcpv6-client
|
|
||||||
sudo firewall-cmd --reload
|
|
||||||
sudo firewall-cmd --lockdown-on
|
|
||||||
|
|
||||||
# Remove nullok
|
# Remove nullok
|
||||||
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
||||||
|
|
||||||
@ -113,11 +102,6 @@ fi
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
|
|
||||||
# Systemd Hardening
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
sudo systemctl restart NetworkManager
|
|
||||||
|
|
||||||
# Disable XWayland
|
# Disable XWayland
|
||||||
umask 022
|
umask 022
|
||||||
sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
|
sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
|
||||||
@ -277,4 +261,22 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
|||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install hardened_malloc -y
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Setup Networking
|
||||||
|
|
||||||
|
sudo firewall-cmd --set-default-zone=block
|
||||||
|
sudo firewall-cmd --permanent --add-service=dhcpv6-client
|
||||||
|
sudo firewall-cmd --reload
|
||||||
|
sudo firewall-cmd --lockdown-on
|
||||||
|
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
||||||
|
sudo nmcli general reload conf
|
||||||
|
sudo hostnamectl hostname 'localhost'
|
||||||
|
sudo hostnamectl --transient hostname ''
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart NetworkManager
|
||||||
|
|
||||||
output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
|
output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
|
@ -29,10 +29,6 @@ sudo apt full-upgrade -y
|
|||||||
# Install all tools
|
# Install all tools
|
||||||
sudo apt install kali-linux-everything -y
|
sudo apt install kali-linux-everything -y
|
||||||
|
|
||||||
# Setup UFW
|
|
||||||
sudo apt install ufw -y
|
|
||||||
sudo ufw enable
|
|
||||||
|
|
||||||
# Kernel hardening
|
# Kernel hardening
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||||
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||||
@ -52,10 +48,6 @@ sudo update-initramfs -u
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
|
|
||||||
# System Hardening
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
|
|
||||||
# Update GRUB config
|
# Update GRUB config
|
||||||
echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality"' | sudo tee -a /etc/grub.d/40_custom
|
echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality"' | sudo tee -a /etc/grub.d/40_custom
|
||||||
sudo update-grub
|
sudo update-grub
|
||||||
@ -84,4 +76,13 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
sudo systemctl enable --now fstrim.timer
|
sudo systemctl enable --now fstrim.timer
|
||||||
|
|
||||||
|
# Setup Networking
|
||||||
|
sudo apt install ufw -y
|
||||||
|
sudo ufw enable
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart NetworkManager
|
@ -51,13 +51,6 @@ sudo apt install -y chrony
|
|||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
|
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
# Setup UFW
|
|
||||||
# UFW Snap is strictly confined, unlike its .deb counterpart
|
|
||||||
sudo apt purge -y ufw
|
|
||||||
sudo snap install ufw
|
|
||||||
sudo ufw enable
|
|
||||||
sudo ufw allow SSH
|
|
||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
|
||||||
sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
|
sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
|
||||||
@ -222,4 +215,12 @@ sudo systemctl daemon-reload
|
|||||||
sudo systemctl restart unbound
|
sudo systemctl restart unbound
|
||||||
sudo systemctl disable systemd-resolved
|
sudo systemctl disable systemd-resolved
|
||||||
|
|
||||||
|
# Setup Networking
|
||||||
|
|
||||||
|
# UFW Snap is strictly confined, unlike its .deb counterpart
|
||||||
|
sudo apt purge -y ufw
|
||||||
|
sudo snap install ufw
|
||||||
|
sudo ufw enable
|
||||||
|
sudo ufw allow SSH
|
||||||
|
|
||||||
sudo reboot
|
sudo reboot
|
||||||
|
@ -52,19 +52,6 @@ sudo apt install -y chrony
|
|||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
|
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
# Setup Networking
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
|
||||||
sudo nmcli general reload conf
|
|
||||||
sudo hostnamectl hostname 'localhost'
|
|
||||||
sudo hostnamectl --transient hostname ''
|
|
||||||
|
|
||||||
# Setup UFW
|
|
||||||
#UFW Snap is strictly confined, unlike its .deb counterpart
|
|
||||||
sudo apt purge -y ufw
|
|
||||||
sudo snap install ufw
|
|
||||||
sudo ufw enable
|
|
||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
@ -224,4 +211,22 @@ else
|
|||||||
sudo apt install qemu-guest-agent -y
|
sudo apt install qemu-guest-agent -y
|
||||||
fi
|
fi
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Setup Networking
|
||||||
|
|
||||||
|
# UFW Snap is strictly confined, unlike its .deb counterpart
|
||||||
|
sudo apt purge -y ufw
|
||||||
|
sudo snap install ufw
|
||||||
|
sudo ufw enable
|
||||||
|
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
||||||
|
sudo nmcli general reload conf
|
||||||
|
sudo hostnamectl hostname 'localhost'
|
||||||
|
sudo hostnamectl --transient hostname ''
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart NetworkManager
|
Loading…
Reference in New Issue
Block a user