Consistency fix

Allow openssh instead of 22/tcp on Debian systems
Consistency fix
2024-11-09 03:31:33 -05:00 · 2023-08-22 17:58:32 -07:00 · 2023-08-22 17:51:33 -07:00 · 2023-08-22 17:46:56 -07:00 · 2023-08-22 17:35:22 -07:00 · 2023-08-22 16:54:08 -07:00
5 changed files with 48 additions and 28 deletions
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
@ -11,11 +11,11 @@ sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {
 # Update and install packages
 sudo apt update
 sudo apt upgrade -y
 sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
 # Setup ufw
 sudo apt install ufw -y
 sudo ufw enable
-sudo ufw allow 22/tcp
+sudo ufw allow OpenSSH
 # Harden SSH
 echo 'GSSAPIAuthentication no
@ -42,6 +42,9 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
 echo "* hard core 0" | tee -a /etc/security/limits.conf
 # Setup unbound
 sudo apt instal unbound resolvconf -y
 echo 'server:
  trust-anchor-signaling: yes
  root-key-sentinel: yes
@ -112,6 +115,7 @@ sudo systemctl restart unbound
 sudo systemctl disable --now systemd-resolved
 # Setup tuned
 sudo dnf install tuned -y
 sudo tuned-adm profile virtual-guest
 # Enable fstrim.timer
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@ -21,12 +21,13 @@ systemctl restart sshd
 # Setup repositories
 sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
-echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
+echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free
+deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
-# security updates
+deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-deb https://security.debian.org bookworm-security main contrib non-free
+
 deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
 deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
--- a/RHEL-Server-9.sh
+++ b/RHEL-Server-9.sh
@ -49,10 +49,10 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
 sudo systemctl daemon-reload
 sudo systemctl restart irqbalance
 # Install packages
 sudo dnf install tuned unbound yara -y
 # Setup unbound
 sudo dnf install unbound -y
 echo 'server:
  chroot: ""
@ -113,6 +113,8 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
 sudo systemctl enable --now unbound
 # Setup yara
 sudo dnf install -y yara
 sudo insights-client --collector malware-detection
 sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
@ -121,7 +123,16 @@ sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-d
 sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
 sudo systemctl enable --now dnf-automatic.timer
 #Setup fwupd
 sudo dnf install fwupd -y
 mkdir -p /etc/systemd/system/fwupd-refresh.service.d
 echo '[Service]
 ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
 sudo systemctl daemon-reload
 sudo systemctl enable --now fwupd-refresh.timer
 # Setup tuned
 sudo dnf install tuned -y
 sudo tuned-adm profile virtual-guest
 # Enable fstrim.timer
--- a/Ubuntu-22.04-Desktop.sh
+++ b/Ubuntu-22.04-Desktop.sh
@ -1,13 +1,15 @@
 #!/bin/bash
 #Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
-#Customize it to your liking
+##The script assumes you already have Ubuntu Pro activated
 #Run this script as your admin user, NOT root
-# Compliance
+#Compliance and updates
 sudo ua enable usg
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo apt install -y usg
-sudo usg fix cis_level2_workstation
+sudo apt autoremove -y
 sudo usg fix cis_level2_server
 # Remove AIDE
 sudo apt purge -y aide*
@ -22,9 +24,6 @@ sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
 sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
 echo "umask 077" | sudo tee --append /etc/profile
 # Make sure the system has curl (minimal installs do not include it)
 sudo apt install -y curl
 # Setup NTS
 sudo systemctl disable systemd-timesyncd
 sudo apt install -y chrony
@ -114,4 +113,5 @@ EOF
 sudo systemctl restart NetworkManager
 # Enable fstrim.timer
 sudo apt install tuned -y
 sudo systemctl enable --now fstrim.timer
--- a/Ubuntu-22.04-Server.sh
+++ b/Ubuntu-22.04-Server.sh
@ -1,24 +1,22 @@
 #!/bin/bash
 #Meant to be run on Ubuntu Pro Minimal 
 #The script assumes you already have Ubuntu Pro activated
-#Compliance
+#Compliance and updates
 sudo ua enable usg
-sudo apt install -y usg
+sudo apt update -y
 sudo apt full-upgrade -y
 sudo apt install -y usg curl libpam-pwquality
 sudo apt autoremove -y
 sudo usg fix cis_level2_server
 # Remove AIDE
 sudo apt purge -y aide*
 # Update and install packages
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo apt install -y curl fwupd libpam-pwquality tuned unbound
 # Setup NTS
-sudo systemctl disable systemd-timesyncd
+sudo systemctl disable --now systemd-timesyncd
 sudo apt install -y chrony
 rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
@ -27,11 +25,11 @@ sudo systemctl restart chronyd
 sudo apt purge -y ufw
 sudo snap install ufw
 sudo ufw enable
-sudo ufw allow 22
+sudo ufw allow OpenSSH
 # Harden SSH
-echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+echo "GSSAPIAuthentication no
-echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
+echo "VerifyHostKeyDNS yes" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 sudo mkdir -p /etc/systemd/system/sshd.service.d
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
@ -39,6 +37,9 @@ sudo systemctl daemon-reload
 sudo systemctl restart sshd
 # Setup unbound
 sudp apt install -y unbound
 echo 'server:
  trust-anchor-signaling: yes
  root-key-sentinel: yes
@ -121,6 +122,8 @@ sudo systemctl stop whoopsie.service
 sudo systemctl disable whoopsie.service
 sudo systemctl mask whoopsie.service
 #Setup fwupd
 sudo apt install fwupd -y
 mkdir -p /etc/systemd/system/fwupd-refresh.service.d
 echo '[Service]
 ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
@ -128,6 +131,7 @@ sudo systemctl daemon-reload
 sudo systemctl enable --now fwupd-refresh.timer
 # Setup tuned
 sudo apt install tuned -y
 sudo tuned-adm profile virtual-guest
 # Enable fstrim.timer
Author	SHA1	Message	Date
Tommy	1ab3c4de47	Consistency fix	2023-08-22 17:58:32 -07:00
Tommy	0880786054	Allow openssh instead of 22/tcp on Debian systems	2023-08-22 17:51:33 -07:00
Tommy	85ada77f4c	Consistency fix	2023-08-22 17:46:56 -07:00
Tommy	ebf0284c32	apt update and autoremove	2023-08-22 17:35:22 -07:00
Tommy	80c2957f6c	Add non-free-firmware	2023-08-22 16:54:08 -07:00
Tommy	ad0de6f2a0	Add notes	2023-08-22 15:49:44 -07:00