From d96f5a70da4a2b5c227deebddc9a81eb303f55d1 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 26 Jul 2024 04:59:01 -0700
Subject: [PATCH] Update modprobe url and bug fixes

---
 Fedora-Server-40.sh | 4 +++-
 Fedora-Workstation-40.sh | 3 ++-
 Proxmox-8.sh | 5 +++--
 RHEL-9.sh | 5 ++++-
 Ubuntu-24.04-Desktop.sh | 2 +-
 Ubuntu-24.04-Server.sh | 5 +++--
 6 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/Fedora-Server-40.sh b/Fedora-Server-40.sh
index dbb8d84..695b0ab 100644
--- a/Fedora-Server-40.sh
+++ b/Fedora-Server-40.sh
@@ -62,13 +62,14 @@ sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 sudo mkdir -p /etc/systemd/system/sshd.service.d/
+sudo chmod 755 /etc/systemd/system/sshd.service.d/
 unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
 sudo chmod 644 /etc/systemd/system/sshd.service.d/override.conf
 sudo systemctl daemon-reload
 sudo systemctl restart sshd
 
 # Security kernel settings
-unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
 sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
 sudo chmod 644 /etc/sysctl.d/99-server.conf
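Review bot: The updated secureblue fetch on the `+unpriv curl -s …/live/files/system/usr/etc/modprobe.d/blacklist.conf` line still runs curl without `--fail`, so when the remote path stops resolving (the very situation this commit corrects) the HTTP error body is silently written into /etc/modprobe.d/server-blacklist.conf instead of the run aborting. Changing the fetch to `unpriv curl -sSf https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null` makes a moved or missing upstream file fail visibly; the same applies to the other curl-into-/etc lines in this hunk and to the corresponding lines in Fedora-Workstation-40.sh, Proxmox-8.sh, RHEL-9.sh, Ubuntu-24.04-Desktop.sh and Ubuntu-24.04-Server.sh. Because every fetch reads from the moving `live` and `main` branches, the module blacklist and sysctl content installed on the host is whatever those branches hold at run time; pinning each URL to a specific commit, or checking the download against a known checksum before piping it to tee, would make the applied hardening reproducible and reviewable.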
@@ -162,6 +163,7 @@ else
 fi
 
 # Setup networking
+sudo systemctl enable --now firewalld
 sudo firewall-cmd --permanent --remove-service=cockpit
 sudo firewall-cmd --reload
 sudo firewall-cmd --lockdown-on
diff --git a/Fedora-Workstation-40.sh b/Fedora-Workstation-40.sh
index c4f62c6..050c25c 100644
--- a/Fedora-Workstation-40.sh
+++ b/Fedora-Workstation-40.sh
@@ -67,7 +67,7 @@ sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 if [ "${virtualization}" = 'parallels' ]; then
  unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
 else
- unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
+ unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
 fi
 sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf > /dev/null
@@ -241,6 +241,7 @@ else
 fi
 
 # Setup networking
+sudo systemctl enable --now firewalld
 sudo firewall-cmd --set-default-zone=block
 sudo firewall-cmd --permanent --add-service=dhcpv6-client
 sudo firewall-cmd --reload
diff --git a/Proxmox-8.sh b/Proxmox-8.sh
index d583fc0..5e3829c 100644
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@@ -37,7 +37,8 @@ systemctl restart chronyd
 curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf > /dev/null
 sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
 curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
-mkdir -p /etc/systemd/system/ssh.service.d
+sudo mkdir -p /etc/systemd/system/sshd.service.d/
+sudo chmod 755 /etc/systemd/system/sshd.service.d/
 curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf > /dev/null
 systemctl daemon-reload
 systemctl restart sshd
@@ -73,7 +74,7 @@ proxmox-boot-tool refresh
 ###
 
 # Kernel hardening
-curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf > /dev/null
+curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf > /dev/null
 curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf > /dev/null
 sysctl -p
 
diff --git a/RHEL-9.sh b/RHEL-9.sh
index 00a368a..a00c350 100644
--- a/RHEL-9.sh
+++ b/RHEL-9.sh
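Review bot: The replaced mkdir in the first hunk now creates `/etc/systemd/system/sshd.service.d/`, but the unchanged tee on the following context line still writes `/etc/systemd/system/ssh.service.d/override.conf`, a directory that nothing creates any more, so the sshd hardening drop-in is never installed. The two added lines should target the directory the tee actually uses: `mkdir -p /etc/systemd/system/ssh.service.d/` and `chmod 755 /etc/systemd/system/ssh.service.d/`. They are also the only commands in this file prefixed with `sudo`; every surrounding command (`sed -i` on /etc, `systemctl restart sshd`) runs unprefixed, which suggests the script is meant to run as root, and sudo is not guaranteed to be installed on a Proxmox host, so the prefix should be dropped. Ubuntu-24.04-Server.sh carries the same mkdir/tee mismatch in its hunk — there the file restarts the `ssh` unit and consistently uses `sudo`, so restoring `ssh.service.d/` in its two added lines is the matching fix.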
@@ -56,12 +56,14 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Script
 sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+sudo mkdir -p /etc/systemd/system/sshd.service.d/
+sudo chmod 755 /etc/systemd/system/sshd.service.d/
 unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
 sudo systemctl daemon-reload
 sudo systemctl restart sshd
 
 # Security kernel settings
-unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
 sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
 sudo chmod 644 /etc/sysctl.d/99-server.conf
@@ -184,6 +186,7 @@ else
 fi
 
 # Setup networking
+sudo systemctl enable --now firewalld
 sudo firewall-cmd --permanent --remove-service=cockpit
 sudo firewall-cmd --reload
 sudo firewall-cmd --lockdown-on
diff --git a/Ubuntu-24.04-Desktop.sh b/Ubuntu-24.04-Desktop.sh
index d4025ca..befb5a9 100644
--- a/Ubuntu-24.04-Desktop.sh
+++ b/Ubuntu-24.04-Desktop.sh
@@ -60,7 +60,7 @@ if [ "${virtualization}" = 'parallels' ]; then
  unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
  sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
 else
- unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
+ unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
  sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
 fi
 sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
diff --git a/Ubuntu-24.04-Server.sh b/Ubuntu-24.04-Server.sh
index a9b9052..674bb5f 100644
--- a/Ubuntu-24.04-Server.sh
+++ b/Ubuntu-24.04-Server.sh
@@ -55,14 +55,15 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Script
 sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
-sudo mkdir -p /etc/systemd/system/ssh.service.d
+sudo mkdir -p /etc/systemd/system/sshd.service.d/
+sudo chmod 755 /etc/systemd/system/sshd.service.d/
 unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/ssh.service.d/override.conf > /dev/null
 sudo chmod 644 /etc/systemd/system/ssh.service.d/override.conf
 sudo systemctl daemon-reload
 sudo systemctl restart ssh
 
 # Security kernel settings
-unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
 sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
 sudo chmod 644 /etc/sysctl.d/99-server.conf