From c0a0469c1cda079940b3a6f137b9b061341971ce Mon Sep 17 00:00:00 2001
From: Tommy
Date: Wed, 25 Jan 2023 05:53:38 -0500
Subject: [PATCH] Use unbound and DOT
Signed-off-by: Tommy
---
 GCP-Debian-11.sh | 74 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 54 insertions(+), 20 deletions(-)
diff --git a/GCP-Debian-11.sh b/GCP-Debian-11.sh
index 6a31b2a..9655a5c 100644
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
@@ -1,31 +1,65 @@
 #!/bin/bash
-find /etc/apt/sources.list.d -type f -exec sed -i 's/http:/https:/g' {} \;
+sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
-apt update
-apt upgrade -y
-apt install -y tuned apparmor-profiles ufw
+sudo apt update
+sudo apt upgrade -y
+sudo apt install -y tuned apparmor-profiles unbound ufw
-tuned-adm profile virtual-guest
+sudo tuned-adm profile virtual-guest
-curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
-curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
-sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
-curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
-mkdir -p /etc/systemd/system/NetworkManager.service.d
-curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-mkdir -p /etc/systemd/system/sshd.service.d
-curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
+echo 'server:
+ trust-anchor-signaling: yes
+ root-key-sentinel: yes
-echo "GSSAPIAuthentication no" > /etc/ssh/ssh_config.d/10-custom.conf
-echo "VerifyHostKeyDNS yes" >> /etc/ssh/ssh_config.d/10-custom.conf
+ hide-identity: yes
+ hide-trustanchor: yes
+ hide-version: yes
+ deny-any: yes
+ do-not-query-localhost: yes
+ harden-algo-downgrade: yes
+ harden-large-queries: yes
+ harden-referral-path: yes
+ ignore-cd-flag: yes
+ max-udp-size: 3072
+ module-config: "validator iterator"
+ qname-minimisation-strict: yes
+ unwanted-reply-threshold: 10000000
+ use-caps-for-id: yes
-rm -rf /etc/chrony/chrony.conf
-curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
+ outgoing-port-permit: 1024-65535
+ outgoing-port-avoid: 51820
+
+ prefetch: yes
+ prefetch-key: yes
+
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 8.8.8.8#dns.google
+ forward-addr: 8.8.4.4#dns.google
+ forward-addr: 2001:4860:4860::8888#dns.google
+ forward-addr: 2001:4860:4860::8844#dns.google' | sudo tee /etc/unbound/unbound.conf.d/custom.conf
+
+sudo systemctl restart unbound
+
+sudo rm -rf /etc/chrony/chrony.conf
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
+sudo systemctl restart chronyd
+
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
+sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo mkdir -p /etc/systemd/system/sshd.service.d
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
+
+echo 'GSSAPIAuthentication no
+VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "* hard core 0" | tee -a /etc/security/limits.conf
 sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
-
-sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
-systemctl restart systemd-resolved
\ No newline at end of file
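Review bot: The new forward-zone turns on `forward-tls-upstream: yes` with `#dns.google` authentication names, but nothing in this hunk sets `tls-cert-bundle` or `tls-system-cert`, and unless another file under /etc/unbound/unbound.conf.d/ supplies one, unbound has no CA store to verify the upstream certificate against and the DoT forwarding is encrypted but not authenticated — add `tls-system-cert: yes` (or `tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"`) to the `server:` section. Relatedly, the commit drops the `DNSSEC=yes` edit of /etc/systemd/resolved.conf but never points the host resolver at 127.0.0.1, so unless the packaged resolvconf integration does that on this image, lookups may keep going to the DHCP-provided resolver and bypass unbound entirely; worth checking the resulting /etc/resolv.conf or `resolvectl status` after a run. The restart should be guarded, `sudo unbound-checkconf && sudo systemctl restart unbound`, so a typo in the heredoc-style config does not leave the host with a stopped resolver. Every `sudo curl … -o /etc/…` call also lacks `-f`, so an HTTP error page would silently overwrite the sysctl, modprobe, chrony and sshd drop-ins with exit status 0; `curl -fsSL` (ideally with `set -e` after the shebang) makes those downloads fail loudly.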