mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-25 02:31:34 -05:00
Compare commits
8 Commits
563101601e
...
fab1de02fd
Author | SHA1 | Date | |
---|---|---|---|
fab1de02fd | |||
98a59dec9a | |||
97e596463a | |||
3be6ad0817 | |||
5eb1eea440 | |||
a6a4f3085b | |||
70f007a264 | |||
55db69f9e2 |
@ -33,6 +33,7 @@ systemctl restart chronyd
|
||||
|
||||
# Harden SSH
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
|
||||
sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
mkdir -p /etc/systemd/system/ssh.service.d
|
||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
|
||||
@ -71,7 +72,6 @@ proxmox-boot-tool refresh
|
||||
|
||||
# Kernel hardening
|
||||
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
|
||||
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
||||
sysctl -p
|
||||
|
||||
|
@ -19,6 +19,9 @@ For server installations (except Proxmox), Unbound will be configured to handle
|
||||
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
|
||||
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
|
||||
|
||||
## Notes on io_uring
|
||||
io_uring is disabled. On Proxmox, use aio=ative for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
|
||||
|
||||
# Arch Linux
|
||||
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
|
||||
|
||||
|
@ -1,11 +1,43 @@
|
||||
X11Forwarding no
|
||||
# Encryption hardening
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKeyAlgorithms ssh-ed25519
|
||||
KexAlgorithms sntrup761x25519-sha512@openssh.com
|
||||
PubkeyAcceptedKeyTypes ssh-ed25519
|
||||
Ciphers aes256-gcm@openssh.com
|
||||
MACs -*
|
||||
|
||||
# Security hardening
|
||||
AuthenticationMethods publickey
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
Compression no
|
||||
DisableForwarding yes
|
||||
LoginGraceTime 15s
|
||||
MaxAuthTries 1
|
||||
PermitUserEnvironment no
|
||||
PermitUserRC no
|
||||
StrictModes yes
|
||||
UseDNS no
|
||||
|
||||
# Use KeepAlive over SSH instead of with TCP to prevent spoofing
|
||||
TCPKeepAlive no
|
||||
ClientAliveInterval 15
|
||||
ClientAliveCountMax 4
|
||||
|
||||
## Use PAM for session checks here but authentication is disabled below
|
||||
## Also, this prevents running sshd as non-root
|
||||
UsePAM yes
|
||||
|
||||
# Disabling unused authentication methods
|
||||
ChallengeResponseAuthentication no
|
||||
GSSAPIAuthentication no
|
||||
HostbasedAuthentication no
|
||||
PasswordAuthentication no
|
||||
PermitRootLogin no
|
||||
PermitEmptyPasswords no
|
||||
KbdInteractiveAuthentication no
|
||||
KerberosAuthentication no
|
||||
GSSAPIAuthentication no
|
||||
|
||||
# Displaying info
|
||||
Banner /etc/issue.net
|
||||
PrintLastLog yes
|
||||
PrintMotd yes
|
||||
|
@ -23,6 +23,13 @@ fs.suid_dumpable = 0
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# Disable io_uring
|
||||
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
|
||||
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel.io_uring_disabled = 2
|
||||
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
@ -50,12 +57,6 @@ kernel.yama.ptrace_scope = 1
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel_io_uring_disable = 2
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Disable sysrq.
|
||||
kernel.sysrq = 0
|
||||
|
@ -51,9 +51,12 @@ kernel.yama.ptrace_scope = 3
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
kernel_io_uring_disable = 2
|
||||
# Disable io_uring
|
||||
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
|
||||
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel.io_uring_disabled = 2
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Disable sysrq.
|
||||
|
Loading…
Reference in New Issue
Block a user