Add notes on io_uring

Signed-off-by: Tommy <contact@tommytran.io>

Proxmox-8.sh

@@ -33,6 +33,7 @@ systemctl restart chronyd
 
 # Harden SSH
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
+sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
 mkdir -p /etc/systemd/system/ssh.service.d
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
@@ -71,7 +72,6 @@ proxmox-boot-tool refresh
 
 # Kernel hardening
 curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
-sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
 sysctl -p
 

README.md

@@ -19,6 +19,9 @@ For server installations (except Proxmox), Unbound will be configured to handle
 - If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
 - If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
 
+## Notes on io_uring
+io_uring is disabled. On Proxmox, use aio=ative for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
+
 # Arch Linux
 Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
 

etc/ssh/sshd_config.d/10-custom.conf

@@ -1,11 +1,43 @@
-X11Forwarding no
+# Encryption hardening
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
 PubkeyAcceptedKeyTypes ssh-ed25519
 Ciphers aes256-gcm@openssh.com
 MACs -*
+
+# Security hardening
+AuthenticationMethods publickey
+AuthorizedKeysFile .ssh/authorized_keys
+Compression no
+DisableForwarding yes
+LoginGraceTime 15s
+MaxAuthTries 1
+PermitUserEnvironment no
+PermitUserRC no
+StrictModes yes
+UseDNS no
+
+# Use KeepAlive over SSH instead of with TCP to prevent spoofing
+TCPKeepAlive no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+
+## Use PAM for session checks here but authentication is disabled below
+## Also, this prevents running sshd as non-root
+UsePAM yes
+
+# Disabling unused authentication methods
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+HostbasedAuthentication no
 PasswordAuthentication no
 PermitRootLogin no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
 KerberosAuthentication no
-GSSAPIAuthentication no
+
+# Displaying info
 Banner /etc/issue.net
+PrintLastLog yes
+PrintMotd yes

etc/sysctl.d/99-server.conf

@@ -23,6 +23,13 @@ fs.suid_dumpable = 0
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.dmesg_restrict = 1
 
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
@@ -50,12 +57,6 @@ kernel.yama.ptrace_scope = 1
 # Official Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
 
-# https://github.com/containerd/containerd/issues/9048
-# Disable io_uring, a very sus feature.
-# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
-# on a Proxmox node.
-kernel_io_uring_disable = 2
-
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Disable sysrq.
 kernel.sysrq = 0

etc/sysctl.d/99-workstation.conf

@@ -51,9 +51,12 @@ kernel.yama.ptrace_scope = 3
 # Official Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
 
-# https://github.com/containerd/containerd/issues/9048
+# Disable io_uring
-# Disable io_uring, a very sus feature.
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
-kernel_io_uring_disable = 2
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Disable sysrq.