Fedora-Server-40.sh

@@ -80,7 +80,7 @@ fi
 # Disable coredump
 umask 022
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-sudo mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/systemd/coredump.conf.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
 umask 077
 

Fedora-Workstation-40.sh

@@ -91,7 +91,7 @@ fi
 # Disable coredump
 umask 022
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-sudo mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/systemd/coredump.conf.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
 umask 077
 

Proxmox-8.sh

@@ -78,6 +78,7 @@ chmod 644 /etc/modprobe.d/server-blacklist.conf
 sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
 chmod 644 /etc/sysctl.d/99-server.conf
+dracut -f
 sysctl -p
 
 # Rebuild initramfs
@@ -85,9 +86,9 @@ update-initramfs -u
 
 # Disable coredump
 umask 022
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /etc/security/limits.d/30-disable-coredump.conf
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
 mkdir -p /etc/systemd/coredump.conf.d
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | tee /etc/systemd/coredump.conf.d/disable.conf
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
 umask 077
 
 # Harden SSH

RHEL-9.sh

@@ -69,7 +69,7 @@ sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spe
 # Disable coredump
 umask 022
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-sudo mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/systemd/coredump.conf.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
 umask 077
 

Ubuntu-23.10-Desktop.sh

@@ -61,6 +61,7 @@ fi
 sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf
 sudo chmod 644 /etc/sysctl.d/99-workstation.conf
+sudo dracut -f
 sudo sysctl -p
 
 # Rebuild initramfs
@@ -69,7 +70,7 @@ sudo update-initramfs -u
 # Disable coredump
 umask 022
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-sudo mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/systemd/coredump.conf.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
 umask 077
 

Ubuntu-24.04-Server.sh

@@ -62,6 +62,7 @@ unpriv curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/
 sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf
 sudo chmod 644 /etc/sysctl.d/99-server.conf
+sudo dracut -f
 sudo sysctl -p
 
 # Rebuild initramfs
@@ -70,7 +71,7 @@ sudo update-initramfs -u
 # Disable coredump
 umask 022
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
-sudo mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/systemd/coredump.conf.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
 umask 077
 

etc/sysctl.d/99-server.conf

@@ -71,8 +71,8 @@ net.ipv6.conf.*.accept_redirects = 0
 net.ipv4.conf.*.rp_filter = 1
 
 # Respond to ICMP
-net.ipv4.icmp_echo_ignore_all = 0
+net.ipv4.icmp_echo_ignore_all = 1
-net.ipv6.icmp.echo_ignore_all = 0
+net.ipv6.icmp.echo_ignore_all = 1
 
 # Enable IP Forwarding
 # Almost all of my servers run Docker anyways, and Docker absolutely requires this.

etc/sysctl.d/99-workstation.conf

@@ -42,8 +42,6 @@ net.core.bpf_jit_harden = 2
 kernel.unprivileged_userns_clone = 1
 
 # Disable ptrace. Not needed on workstations.
-# Also, the Debian gVisor package from Google will just take priority over this with their
-# /etc/sysctl.d/999-gvisor.conf file.
 kernel.yama.ptrace_scope = 3
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
@@ -54,6 +52,8 @@ kernel.perf_event_paranoid = 4
 
 # https://github.com/containerd/containerd/issues/9048
 # Disable io_uring, a very sus feature.
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
 kernel_io_uring_disable = 2
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel