mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-21 17:11:33 -05:00


8 Commits

Author SHA1 Message Date
fab1de02fd
Add notes on io_uring
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 17:56:13 -07:00
98a59dec9a
Reorganization
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 17:52:06 -07:00
97e596463a
Remove extra line
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 17:28:11 -07:00
3be6ad0817
Even more SSHD Hardening
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 14:03:54 -07:00
5eb1eea440
Allow Root login on Proxmox
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 13:45:00 -07:00
a6a4f3085b
More SSH Hardening
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 13:42:21 -07:00
70f007a264
More hardening options
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 12:57:20 -07:00
55db69f9e2
Update SSH Hardening
Signed-off-by: Tommy <contact@tommytran.io>
2024-07-01 12:36:36 -07:00
5 changed files with 53 additions and 14 deletions

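--- a/<PATH_NOT_SHOWN_proxmox_setup_script>
+++ b/<PATH_NOT_SHOWN_proxmox_setup_script>
@@ -33,6 +33,7 @@ systemctl restart chronyd
 # Harden SSH
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
+sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
 mkdir -p /etc/systemd/system/ssh.service.d
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
@@ -71,7 +72,6 @@ proxmox-boot-tool refresh
 # Kernel hardening
 curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
-sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
 sysctl -p
@@ -109,4 +109,4 @@ systemctl restart pveproxy.service
 tuned-adm profile virtual-host
 # Enable fstrim.timer
 systemctl enable --now fstrim.timer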
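Review bot: The `curl … | tee` fetches in the `# Harden SSH` hunk, including the one feeding the new `sed`, run without `--fail`, so an HTTP error body from raw.githubusercontent.com would be written verbatim into `/etc/ssh/sshd_config.d/10-custom.conf` and the `sed` would then silently match nothing; `curl --fail --show-error …` (or checking the exit status before `tee`) makes the script stop instead. The added `sed -i 's/PermitRootLogin no/PermitRootLogin yes/g'` also depends on the upstream file keeping that exact string, and because the fetched config already disables password and keyboard-interactive authentication, `PermitRootLogin prohibit-password` would give the same key-based root access on Proxmox while keeping root password logins blocked even if a later drop-in re-enables `PasswordAuthentication`. Every fetch tracks the `main` branch with no checksum or pinned revision, so the configuration installed on a node is whatever upstream holds at run time; pinning a commit would make it reproducible. The script continues outside the hunk, so whether `set -e` or `pipefail` is in effect cannot be seen here.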

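--- a/<PATH_NOT_SHOWN_readme_markdown>
+++ b/<PATH_NOT_SHOWN_readme_markdown>
@@ -19,6 +19,9 @@ For server installations (except Proxmox), Unbound will be configured to handle
 - If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
 - If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
+## Notes on io_uring
+io_uring is disabled. On Proxmox, use aio=ative for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
 # Arch Linux
 Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />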

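--- a/etc/ssh/sshd_config.d/10-custom.conf
+++ b/etc/ssh/sshd_config.d/10-custom.conf
@@ -1,11 +1,43 @@
-X11Forwarding no
+# Encryption hardening
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
 PubkeyAcceptedKeyTypes ssh-ed25519
 Ciphers aes256-gcm@openssh.com
 MACs -*
+# Security hardening
+AuthenticationMethods publickey
+AuthorizedKeysFile .ssh/authorized_keys
+Compression no
+DisableForwarding yes
+LoginGraceTime 15s
+MaxAuthTries 1
+PermitUserEnvironment no
+PermitUserRC no
+StrictModes yes
+UseDNS no
+# Use KeepAlive over SSH instead of with TCP to prevent spoofing
+TCPKeepAlive no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+## Use PAM for session checks here but authentication is disabled below
+## Also, this prevents running sshd as non-root
+UsePAM yes
+# Disabling unused authentication methods
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+HostbasedAuthentication no
 PasswordAuthentication no
 PermitRootLogin no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
 KerberosAuthentication no
-GSSAPIAuthentication no
-Banner /etc/issue.net
+# Displaying info
+Banner /etc/issue.net
+PrintLastLog yes
+PrintMotd yes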
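Review bot: `MaxAuthTries 1` in the `# Security hardening` group counts every public key the client offers as one attempt, so a user whose agent holds more than one key is disconnected with "Too many authentication failures" before the matching key is ever tried; with `AuthenticationMethods publickey` already ruling out password guessing, a value such as `MaxAuthTries 3` (or a comment stating that clients must set `IdentitiesOnly yes`) avoids that lockout with no practical loss. `MACs -*` only negotiates because `Ciphers` is limited to the AEAD `aes256-gcm@openssh.com`; a comment such as `# No MACs needed: aes256-gcm is AEAD; restore MACs before adding any non-GCM cipher` would stop a later edit of the cipher list from producing a server that cannot complete a key exchange. `KexAlgorithms sntrup761x25519-sha512@openssh.com` presumably excludes clients older than OpenSSH 8.5, and `PubkeyAcceptedKeyTypes` is the pre-8.5 spelling of `PubkeyAcceptedAlgorithms` (still accepted as an alias); both are worth a line in the `# Encryption hardening` header so operators know the minimum client version.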

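--- a/etc/sysctl.d/99-server.conf
+++ b/etc/sysctl.d/99-server.conf
@@ -23,6 +23,13 @@ fs.suid_dumpable = 0
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.dmesg_restrict = 1
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
@@ -50,12 +57,6 @@ kernel.yama.ptrace_scope = 1
 # Official Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
-# https://github.com/containerd/containerd/issues/9048
-# Disable io_uring, a very sus feature.
-# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
-# on a Proxmox node.
-kernel_io_uring_disable = 2
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Disable sysrq.
 kernel.sysrq = 0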
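Review bot: `kernel.io_uring_disabled = 2` in the first hunk (and the identical block in the last sysctl file of this compare) is an all-or-nothing switch, yet the kernel also accepts value `1`, which keeps io_uring available only to processes in the group named by `kernel.io_uring_group`; the `# Note that…` comment could point to `kernel.io_uring_disabled = 1` plus `kernel.io_uring_group = <gid placeholder>` for Proxmox nodes instead of telling the reader to comment the hardening out. Both sysctls exist only on kernels from roughly Linux 6.6 onward, as far as I recall, so on an older kernel the key is absent and `sysctl -p` reports an error for this line; a comment such as `# Requires a kernel with kernel.io_uring_disabled (Linux 6.6+); older kernels report "No such file or directory" here` would make that failure expected rather than alarming.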

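--- a/<PATH_NOT_SHOWN_second_sysctl_file>
+++ b/<PATH_NOT_SHOWN_second_sysctl_file>
@@ -51,9 +51,12 @@ kernel.yama.ptrace_scope = 3
 # Official Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
-# https://github.com/containerd/containerd/issues/9048
-# Disable io_uring, a very sus feature.
-kernel_io_uring_disable = 2
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Disable sysrq.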