Compare commits
8 Commits
563101601e
...
fab1de02fd
Author | SHA1 | Date | |
---|---|---|---|
fab1de02fd | |||
98a59dec9a | |||
97e596463a | |||
3be6ad0817 | |||
5eb1eea440 | |||
a6a4f3085b | |||
70f007a264 | |||
55db69f9e2 |
@ -33,6 +33,7 @@ systemctl restart chronyd
|
|||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
|
||||||
|
sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
mkdir -p /etc/systemd/system/ssh.service.d
|
mkdir -p /etc/systemd/system/ssh.service.d
|
||||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
|
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
|
||||||
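Review bot: The added `sed` turns root SSH login fully back on (`PermitRootLogin yes`) on the Proxmox node, which is broader than needed: the config it just downloaded already forces `AuthenticationMethods publickey` and `PasswordAuthentication no` (visible in the sshd_config hunk further down), so `prohibit-password` gives the same key-only root access while still reading as key-only if those lines ever change — `sed -i 's/^PermitRootLogin no$/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config.d/10-custom.conf`. The substitution also only does anything if the preceding `curl | tee` actually wrote the expected content; without `--fail` a non-200 response leaves an error body or an empty file and the `sed` becomes a silent no-op, so the node keeps whatever `PermitRootLogin` the main sshd_config sets, and adding `curl --fail` (or checking that the pattern matched) would surface that. If root is only ever reached from a management subnet, a `Match Address` block scoping the relaxation would be tighter than a global setting. The enclosing script continues outside this hunk.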
@ -71,7 +72,6 @@ proxmox-boot-tool refresh
|
|||||||
|
|
||||||
# Kernel hardening
|
# Kernel hardening
|
||||||
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
|
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
|
||||||
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
||||||
sysctl -p
|
sysctl -p
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ For server installations (except Proxmox), Unbound will be configured to handle
|
|||||||
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
|
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
|
||||||
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
|
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
|
||||||
|
|
||||||
|
## Notes on io_uring
|
||||||
|
io_uring is disabled. On Proxmox, use aio=ative for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
|
||||||
|
|
||||||
# Arch Linux
|
# Arch Linux
|
||||||
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
|
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
|
||||||
|
|
||||||
|
@ -1,11 +1,43 @@
|
|||||||
X11Forwarding no
|
# Encryption hardening
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
HostKeyAlgorithms ssh-ed25519
|
HostKeyAlgorithms ssh-ed25519
|
||||||
|
KexAlgorithms sntrup761x25519-sha512@openssh.com
|
||||||
PubkeyAcceptedKeyTypes ssh-ed25519
|
PubkeyAcceptedKeyTypes ssh-ed25519
|
||||||
Ciphers aes256-gcm@openssh.com
|
Ciphers aes256-gcm@openssh.com
|
||||||
MACs -*
|
MACs -*
|
||||||
|
|
||||||
|
# Security hardening
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
Compression no
|
||||||
|
DisableForwarding yes
|
||||||
|
LoginGraceTime 15s
|
||||||
|
MaxAuthTries 1
|
||||||
|
PermitUserEnvironment no
|
||||||
|
PermitUserRC no
|
||||||
|
StrictModes yes
|
||||||
|
UseDNS no
|
||||||
|
|
||||||
|
# Use KeepAlive over SSH instead of with TCP to prevent spoofing
|
||||||
|
TCPKeepAlive no
|
||||||
|
ClientAliveInterval 15
|
||||||
|
ClientAliveCountMax 4
|
||||||
|
|
||||||
|
## Use PAM for session checks here but authentication is disabled below
|
||||||
|
## Also, this prevents running sshd as non-root
|
||||||
|
UsePAM yes
|
||||||
|
|
||||||
|
# Disabling unused authentication methods
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
GSSAPIAuthentication no
|
||||||
|
HostbasedAuthentication no
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
PermitRootLogin no
|
PermitRootLogin no
|
||||||
|
PermitEmptyPasswords no
|
||||||
|
KbdInteractiveAuthentication no
|
||||||
KerberosAuthentication no
|
KerberosAuthentication no
|
||||||
GSSAPIAuthentication no
|
|
||||||
|
# Displaying info
|
||||||
Banner /etc/issue.net
|
Banner /etc/issue.net
|
||||||
|
PrintLastLog yes
|
||||||
|
PrintMotd yes
|
||||||
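Review bot: `MaxAuthTries 1` is likely to lock out legitimate clients rather than attackers: OpenSSH counts every rejected public-key offer as an authentication failure, so a client whose agent holds more than one key, or that tries a default identity before the right one, is disconnected with "Too many authentication failures" before it reaches the correct key. `MaxAuthTries 3` keeps the brute-force budget tiny without that failure mode, or at least add `# Clients with several keys loaded need IdentitiesOnly yes` above it. The new `KexAlgorithms sntrup761x25519-sha512@openssh.com` line pins a single post-quantum hybrid KEX that, as far as I recall, only OpenSSH 8.5+ and a handful of third-party clients implement, so it deserves a why-comment stating the expectation, e.g. `# Single PQ-hybrid KEX; older OpenSSH and most non-OpenSSH clients cannot connect`. Since `MACs -*` leaves no MAC at all, the file should also say that this is only valid because the sole cipher is AEAD: `# No MAC needed: aes256-gcm is authenticated encryption`.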
|
@ -23,6 +23,13 @@ fs.suid_dumpable = 0
|
|||||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||||
kernel.dmesg_restrict = 1
|
kernel.dmesg_restrict = 1
|
||||||
|
|
||||||
|
# Disable io_uring
|
||||||
|
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
|
||||||
|
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||||
|
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||||
|
# on a Proxmox node.
|
||||||
|
kernel.io_uring_disabled = 2
|
||||||
|
|
||||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||||
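Review bot: `kernel.io_uring_disabled` only exists on Linux 6.6 and later; on an older kernel `sysctl -p` reports the key as missing and exits non-zero, which matters because the setup scripts apply this file with `sysctl -p` (and would abort there under `set -e`), so a comment giving the minimum kernel would save a confusing failure: `# Requires Linux >= 6.6; older kernels reject this key`. For the Proxmox case the new comment suggests commenting the line out entirely, but the sysctl has a middle setting — `1` refuses io_uring for unprivileged processes while leaving it to root/CAP_SYS_ADMIN and members of `kernel.io_uring_group` — which, if the node's QEMU processes run as root as I believe they do in a default Proxmox install, would keep VM disk I/O working without dropping the restriction for everything else; worth stating as the alternative: `# On Proxmox consider = 1 (unprivileged processes only) instead of removing this line`. The containerd link from the old comment was a useful concrete example of software that probes io_uring and is worth keeping alongside the kernel-docs link.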
@ -50,12 +57,6 @@ kernel.yama.ptrace_scope = 1
|
|||||||
# Official Linux kernel documentation only says >= so it probably will work.
|
# Official Linux kernel documentation only says >= so it probably will work.
|
||||||
kernel.perf_event_paranoid = 4
|
kernel.perf_event_paranoid = 4
|
||||||
|
|
||||||
# https://github.com/containerd/containerd/issues/9048
|
|
||||||
# Disable io_uring, a very sus feature.
|
|
||||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
|
||||||
# on a Proxmox node.
|
|
||||||
kernel_io_uring_disable = 2
|
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# Disable sysrq.
|
# Disable sysrq.
|
||||||
kernel.sysrq = 0
|
kernel.sysrq = 0
|
||||||
|
@ -51,9 +51,12 @@ kernel.yama.ptrace_scope = 3
|
|||||||
# Official Linux kernel documentation only says >= so it probably will work.
|
# Official Linux kernel documentation only says >= so it probably will work.
|
||||||
kernel.perf_event_paranoid = 4
|
kernel.perf_event_paranoid = 4
|
||||||
|
|
||||||
# https://github.com/containerd/containerd/issues/9048
|
# Disable io_uring
|
||||||
# Disable io_uring, a very sus feature.
|
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
|
||||||
kernel_io_uring_disable = 2
|
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||||
|
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||||
|
# on a Proxmox node.
|
||||||
|
kernel.io_uring_disabled = 2
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# Disable sysrq.
|
# Disable sysrq.
|
||||||
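Review bot: The Proxmox caveat (`# Note that this will make using Proxmox extremely annoying ...`) has been copied into this file too, but the `kernel.yama.ptrace_scope = 3` in the hunk header suggests this is a different profile from the server file the Proxmox script installs, so the comment is probably noise here; either drop it or replace it with the caveat that applies to every host, e.g. `# Requires Linux >= 6.6; on older kernels sysctl -p reports this key missing`. `2` blocks io_uring for root as well, so anything on this machine that needs it (the containerd issue the removed comment linked is one documented case) would need `= 1` instead of `2`, and keeping that link as the why-comment would tell the next maintainer what to expect to break. The rest of the file is outside this hunk.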
|