Compare commits
No commits in common. "2ff48df2d11fbddc5659741edf716bafd8800c6d" and "88918cf7dc07d81a2d93efdb31627a78d3755d36" have entirely different histories.
2ff48df2d1
...
88918cf7dc
@ -80,7 +80,7 @@ fi
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
umask 022
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
sudo mkdir -p /etc/systemd/coredump.conf.d
|
mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
|
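Review bot: On what appears to be the new side (the right-hand column, judging by the 6→7 line count of the `@ -78,6 +78,7 @@` hunk), `sudo` is dropped from `mkdir -p /etc/systemd/coredump.conf.d` while the following `sudo tee /etc/systemd/coredump.conf.d/disable.conf` keeps it, so on a non-root run the mkdir fails whenever the directory does not already exist and the tee then fails with a missing path; the same mismatch appears in the `@ -91,7 +91,7 @@`, `@ -69,7 +69,7 @@`, `@ -69,7 +70,7 @@` and `@ -70,7 +71,7 @@` hunks. Restore `sudo mkdir -p /etc/systemd/coredump.conf.d` (or, if these scripts are meant to run as root, drop `sudo` from the tee lines as well). Separately, the `unpriv curl … | sudo tee` lines write whatever curl returns straight into `/etc`: without `--fail` an HTTP error page becomes the new limits.d or coredump.conf.d file, and with the pipeline status unchecked a failed download still leaves a truncated file behind; `unpriv curl --fail --silent --show-error --proto '=https' https://… | sudo tee …` followed by a check of the pipeline status would avoid both. Since the content is fetched from the mutable `main` branch rather than a pinned revision, consider pinning a commit or verifying a checksum before installing the files as root.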
@ -91,7 +91,7 @@ fi
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
umask 022
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
sudo mkdir -p /etc/systemd/coredump.conf.d
|
mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
|
@ -78,6 +78,7 @@ chmod 644 /etc/modprobe.d/server-blacklist.conf
|
|||||||
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
||||||
chmod 644 /etc/sysctl.d/99-server.conf
|
chmod 644 /etc/sysctl.d/99-server.conf
|
||||||
|
dracut -f
|
||||||
sysctl -p
|
sysctl -p
|
||||||
|
|
||||||
# Rebuild initramfs
|
# Rebuild initramfs
|
||||||
@ -85,9 +86,9 @@ update-initramfs -u
|
|||||||
|
|
||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
umask 022
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
mkdir -p /etc/systemd/coredump.conf.d
|
mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
|
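Review bot: The added `dracut -f` (right-hand column of the `@ -78,6 +78,7 @@` hunk) runs unconditionally, yet the next hunk's header shows the same script also runs `update-initramfs -u`; a given distribution ships one of these tools, so one of the two calls fails with command-not-found on every host (fatal if the script uses `set -e`, which is not visible here), and the same unconditional pair appears in the `@ -61,6 +61,7 @@` and `@ -62,6 +62,7 @@` hunks. Guard it, e.g. `if command -v dracut >/dev/null 2>&1; then dracut -f; fi`, and place it under the `# Rebuild initramfs` comment rather than between the sysctl download and `sysctl -p`, where it currently sits. The context line `sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'` has no file operand, so GNU sed reports "no input files" and nothing is edited, and its replacement also drops the leading `k` of the key; it should name the target, e.g. `sed -i 's/^kernel_io_uring_disable = 2/#&/' /etc/sysctl.d/99-server.conf`. Whether `sudo tee` on the coredump lines is intended in a script whose other commands (`chmod`, `sysctl -p`, `dracut -f`, `mkdir -p`) run without sudo is unclear from the hunk.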
@ -69,7 +69,7 @@ sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spe
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
umask 022
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
sudo mkdir -p /etc/systemd/coredump.conf.d
|
mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
|
@ -61,6 +61,7 @@ fi
|
|||||||
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
|
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf
|
||||||
sudo chmod 644 /etc/sysctl.d/99-workstation.conf
|
sudo chmod 644 /etc/sysctl.d/99-workstation.conf
|
||||||
|
sudo dracut -f
|
||||||
sudo sysctl -p
|
sudo sysctl -p
|
||||||
|
|
||||||
# Rebuild initramfs
|
# Rebuild initramfs
|
||||||
@ -69,7 +70,7 @@ sudo update-initramfs -u
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
umask 022
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
sudo mkdir -p /etc/systemd/coredump.conf.d
|
mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
|
@ -62,6 +62,7 @@ unpriv curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/
|
|||||||
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
|
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf
|
||||||
sudo chmod 644 /etc/sysctl.d/99-server.conf
|
sudo chmod 644 /etc/sysctl.d/99-server.conf
|
||||||
|
sudo dracut -f
|
||||||
sudo sysctl -p
|
sudo sysctl -p
|
||||||
|
|
||||||
# Rebuild initramfs
|
# Rebuild initramfs
|
||||||
@ -70,7 +71,7 @@ sudo update-initramfs -u
|
|||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
umask 022
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
sudo mkdir -p /etc/systemd/coredump.conf.d
|
mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
|
@ -71,8 +71,8 @@ net.ipv6.conf.*.accept_redirects = 0
|
|||||||
net.ipv4.conf.*.rp_filter = 1
|
net.ipv4.conf.*.rp_filter = 1
|
||||||
|
|
||||||
# Respond to ICMP
|
# Respond to ICMP
|
||||||
net.ipv4.icmp_echo_ignore_all = 0
|
net.ipv4.icmp_echo_ignore_all = 1
|
||||||
net.ipv6.icmp.echo_ignore_all = 0
|
net.ipv6.icmp.echo_ignore_all = 1
|
||||||
|
|
||||||
# Enable IP Forwarding
|
# Enable IP Forwarding
|
||||||
# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
|
# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
|
||||||
|
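Review bot: The new values `net.ipv4.icmp_echo_ignore_all = 1` and `net.ipv6.icmp.echo_ignore_all = 1` (right-hand column) contradict the unchanged comment directly above them, `# Respond to ICMP`: with `ignore_all = 1` the host stops answering echo requests entirely. Update the comment to match, e.g. `# Ignore ICMP echo requests (ping); this also silences ping-based monitoring and health checks`, or keep the old values if responding was the intent. Which column is the new side is inferred from the other hunks' line counts, since this page shows no +/- markers.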
@ -42,8 +42,6 @@ net.core.bpf_jit_harden = 2
|
|||||||
kernel.unprivileged_userns_clone = 1
|
kernel.unprivileged_userns_clone = 1
|
||||||
|
|
||||||
# Disable ptrace. Not needed on workstations.
|
# Disable ptrace. Not needed on workstations.
|
||||||
# Also, the Debian gVisor package from Google will just take priority over this with their
|
|
||||||
# /etc/sysctl.d/999-gvisor.conf file.
|
|
||||||
kernel.yama.ptrace_scope = 3
|
kernel.yama.ptrace_scope = 3
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||||
@ -54,6 +52,8 @@ kernel.perf_event_paranoid = 4
|
|||||||
|
|
||||||
# https://github.com/containerd/containerd/issues/9048
|
# https://github.com/containerd/containerd/issues/9048
|
||||||
# Disable io_uring, a very sus feature.
|
# Disable io_uring, a very sus feature.
|
||||||
|
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||||
|
# on a Proxmox node.
|
||||||
kernel_io_uring_disable = 2
|
kernel_io_uring_disable = 2
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
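Review bot: The added Proxmox note (right-hand column of the `@ -54,6 +52,8 @@` hunk) documents `kernel_io_uring_disable = 2`, but that is not a valid sysctl key: sysctl names are dotted paths under `/proc/sys`, and the kernel's io_uring switch is `kernel.io_uring_disabled` (values 0–2, available from Linux 6.6), so `sysctl -p` reports that `kernel_io_uring_disable` does not exist and io_uring stays enabled despite the comment saying it is disabled. Change the line to `kernel.io_uring_disabled = 2` and mention the minimum kernel version in the comment. The `sed -i` in the server script's `@ -78,6 +78,7 @@` hunk matches the same misspelt string and needs the same update.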
|