1
0
mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-08 11:11:34 -05:00

Compare commits

..

No commits in common. "fab1de02fd2eb0c7660965008a11ebe43565b2f8" and "563101601e4197a976599b0411b438728eb7b760" have entirely different histories.

5 changed files with 14 additions and 53 deletions

View File

@ -33,7 +33,6 @@ systemctl restart chronyd
# Harden SSH
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
mkdir -p /etc/systemd/system/ssh.service.d
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
@ -72,6 +71,7 @@ proxmox-boot-tool refresh
# Kernel hardening
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
sysctl -p
@ -109,4 +109,4 @@ systemctl restart pveproxy.service
tuned-adm profile virtual-host
# Enable fstrim.timer
systemctl enable --now fstrim.timer
systemctl enable --now fstrim.timer

View File

@ -19,9 +19,6 @@ For server installations (except Proxmox), Unbound will be configured to handle
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
## Notes on io_uring
io_uring is disabled. On Proxmox, use aio=ative for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
# Arch Linux
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />

View File

@ -1,43 +1,11 @@
# Encryption hardening
X11Forwarding no
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
KexAlgorithms sntrup761x25519-sha512@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519
Ciphers aes256-gcm@openssh.com
MACs -*
# Security hardening
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
Compression no
DisableForwarding yes
LoginGraceTime 15s
MaxAuthTries 1
PermitUserEnvironment no
PermitUserRC no
StrictModes yes
UseDNS no
# Use KeepAlive over SSH instead of with TCP to prevent spoofing
TCPKeepAlive no
ClientAliveInterval 15
ClientAliveCountMax 4
## Use PAM for session checks here but authentication is disabled below
## Also, this prevents running sshd as non-root
UsePAM yes
# Disabling unused authentication methods
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
KerberosAuthentication no
# Displaying info
Banner /etc/issue.net
PrintLastLog yes
PrintMotd yes
GSSAPIAuthentication no
Banner /etc/issue.net

View File

@ -23,13 +23,6 @@ fs.suid_dumpable = 0
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1
# Disable io_uring
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
# on a Proxmox node.
kernel.io_uring_disabled = 2
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
@ -57,6 +50,12 @@ kernel.yama.ptrace_scope = 1
# Official Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4
# https://github.com/containerd/containerd/issues/9048
# Disable io_uring, a very sus feature.
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
# on a Proxmox node.
kernel_io_uring_disable = 2
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq.
kernel.sysrq = 0

View File

@ -51,12 +51,9 @@ kernel.yama.ptrace_scope = 3
# Official Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4
# Disable io_uring
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
# on a Proxmox node.
kernel.io_uring_disabled = 2
# https://github.com/containerd/containerd/issues/9048
# Disable io_uring, a very sus feature.
kernel_io_uring_disable = 2
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq.