Proxmox-8.sh

@@ -33,7 +33,6 @@ systemctl restart chronyd
 
 # Harden SSH
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
-sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
 mkdir -p /etc/systemd/system/ssh.service.d
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
@@ -72,6 +71,7 @@ proxmox-boot-tool refresh
 
 # Kernel hardening
 curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
+sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
 sysctl -p
 
@@ -109,4 +109,4 @@ systemctl restart pveproxy.service
 tuned-adm profile virtual-host
 
 # Enable fstrim.timer
-systemctl enable --now fstrim.timer
+systemctl enable --now fstrim.timer

README.md

@@ -19,9 +19,6 @@ For server installations (except Proxmox), Unbound will be configured to handle
 - If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
 - If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
 
-## Notes on io_uring
-io_uring is disabled. On Proxmox, use aio=ative for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
-
 # Arch Linux
 Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
 

etc/ssh/sshd_config.d/10-custom.conf

@@ -1,43 +1,11 @@
-# Encryption hardening
+X11Forwarding no
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKeyAlgorithms ssh-ed25519
-KexAlgorithms sntrup761x25519-sha512@openssh.com
 PubkeyAcceptedKeyTypes ssh-ed25519
 Ciphers aes256-gcm@openssh.com
 MACs -*
-
-# Security hardening
-AuthenticationMethods publickey
-AuthorizedKeysFile .ssh/authorized_keys
-Compression no
-DisableForwarding yes
-LoginGraceTime 15s
-MaxAuthTries 1
-PermitUserEnvironment no
-PermitUserRC no
-StrictModes yes
-UseDNS no
-
-# Use KeepAlive over SSH instead of with TCP to prevent spoofing
-TCPKeepAlive no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-
-## Use PAM for session checks here but authentication is disabled below
-## Also, this prevents running sshd as non-root
-UsePAM yes
-
-# Disabling unused authentication methods
-ChallengeResponseAuthentication no
-GSSAPIAuthentication no
-HostbasedAuthentication no
 PasswordAuthentication no
 PermitRootLogin no
-PermitEmptyPasswords no
-KbdInteractiveAuthentication no
 KerberosAuthentication no
-
-# Displaying info
-Banner /etc/issue.net
-PrintLastLog yes
-PrintMotd yes
+GSSAPIAuthentication no
+Banner /etc/issue.net

etc/sysctl.d/99-server.conf

@@ -23,13 +23,6 @@ fs.suid_dumpable = 0
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.dmesg_restrict = 1
 
-# Disable io_uring
-# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
-# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
-# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
-# on a Proxmox node.
-kernel.io_uring_disabled = 2
-
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
@@ -57,6 +50,12 @@ kernel.yama.ptrace_scope = 1
 # Official Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
 
+# https://github.com/containerd/containerd/issues/9048
+# Disable io_uring, a very sus feature.
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel_io_uring_disable = 2
+
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Disable sysrq.
 kernel.sysrq = 0

etc/sysctl.d/99-workstation.conf

@@ -51,12 +51,9 @@ kernel.yama.ptrace_scope = 3
 # Official Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
 
-# Disable io_uring
-# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
-# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
-# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
-# on a Proxmox node.
-kernel.io_uring_disabled = 2
+# https://github.com/containerd/containerd/issues/9048
+# Disable io_uring, a very sus feature.
+kernel_io_uring_disable = 2
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Disable sysrq.