Compare commits
No commits in common. "fab1de02fd2eb0c7660965008a11ebe43565b2f8" and "563101601e4197a976599b0411b438728eb7b760" have entirely different histories.
fab1de02fd
...
563101601e
@ -33,7 +33,6 @@ systemctl restart chronyd
|
||||
|
||||
# Harden SSH
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
|
||||
sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
mkdir -p /etc/systemd/system/ssh.service.d
|
||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
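Review bot: The three `curl … | tee` fetches in this hunk run without `-f`, so a non-2xx response (for example GitHub's `404: Not Found` body if a path moves) is written verbatim into `/etc/ssh/sshd_config.d/10-custom.conf` or the systemd override, and the pipeline's exit status hides the failure unless the script sets `pipefail`, which is not visible here. Prefer `curl -fsSL "$url" -o /etc/ssh/sshd_config.d/10-custom.conf` for each of them and run `sshd -t` before the daemon is restarted, so a bad or empty drop-in cannot lock you out of the host. These are unpinned `main`-branch URLs from third-party repositories written straight into the SSH daemon's configuration, so pin them to a commit hash or verify a checksum if the script is meant for unattended use. If the `sed` that rewrites `PermitRootLogin no` to `PermitRootLogin yes` is on the new side, `PermitRootLogin prohibit-password` keeps key-only root access without relying on the drop-in's `PasswordAuthentication no` alone. The enclosing script continues outside the hunk.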
|
||||
@ -72,6 +71,7 @@ proxmox-boot-tool refresh
|
||||
|
||||
# Kernel hardening
|
||||
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
|
||||
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
||||
sysctl -p
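Review bot: The `sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'` line has no file operand, so GNU sed aborts with "no input files" and nothing is commented out; it is also placed before the `curl` that fetches `/etc/sysctl.d/99-server.conf`, so even with a path it would target a file that does not exist yet. Move it below that download and anchor it to the line start, e.g. `sed -i 's/^kernel[._]io_uring_disable/#&/' /etc/sysctl.d/99-server.conf`, which tolerates the fact that the real sysctl is spelled `kernel.io_uring_disabled` while the fetched file spells it `kernel_io_uring_disable`. Separately, `sysctl -p` with no argument loads only `/etc/sysctl.conf`, so the new drop-in is not applied until the next boot; use `sysctl --system` so the settings take effect now. Note also that the modprobe blacklist only blocks future module loads; anything already loaded stays resident until reboot. The enclosing script continues outside the hunk.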
|
||||
|
||||
|
@ -19,9 +19,6 @@ For server installations (except Proxmox), Unbound will be configured to handle
|
||||
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
|
||||
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
|
||||
|
||||
## Notes on io_uring
|
||||
io_uring is disabled. On Proxmox, use aio=ative for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
|
||||
|
||||
# Arch Linux
|
||||
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
|
||||
|
||||
|
@ -1,43 +1,11 @@
|
||||
# Encryption hardening
|
||||
X11Forwarding no
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKeyAlgorithms ssh-ed25519
|
||||
KexAlgorithms sntrup761x25519-sha512@openssh.com
|
||||
PubkeyAcceptedKeyTypes ssh-ed25519
|
||||
Ciphers aes256-gcm@openssh.com
|
||||
MACs -*
|
||||
|
||||
# Security hardening
|
||||
AuthenticationMethods publickey
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
Compression no
|
||||
DisableForwarding yes
|
||||
LoginGraceTime 15s
|
||||
MaxAuthTries 1
|
||||
PermitUserEnvironment no
|
||||
PermitUserRC no
|
||||
StrictModes yes
|
||||
UseDNS no
|
||||
|
||||
# Use KeepAlive over SSH instead of with TCP to prevent spoofing
|
||||
TCPKeepAlive no
|
||||
ClientAliveInterval 15
|
||||
ClientAliveCountMax 4
|
||||
|
||||
## Use PAM for session checks here but authentication is disabled below
|
||||
## Also, this prevents running sshd as non-root
|
||||
UsePAM yes
|
||||
|
||||
# Disabling unused authentication methods
|
||||
ChallengeResponseAuthentication no
|
||||
GSSAPIAuthentication no
|
||||
HostbasedAuthentication no
|
||||
PasswordAuthentication no
|
||||
PermitRootLogin no
|
||||
PermitEmptyPasswords no
|
||||
KbdInteractiveAuthentication no
|
||||
KerberosAuthentication no
|
||||
|
||||
# Displaying info
|
||||
GSSAPIAuthentication no
|
||||
Banner /etc/issue.net
|
||||
PrintLastLog yes
|
||||
PrintMotd yes
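Review bot: `GSSAPIAuthentication no` appears twice in this file, once under "Disabling unused authentication methods" and again under "Displaying info"; sshd keeps the first value it reads, so the second copy is dead and sits in the wrong section — drop it. `MACs -*` strips every MAC, which is coherent with the AEAD-only `Ciphers aes256-gcm@openssh.com`, but an empty MAC list is rejected as a bad spec by some OpenSSH releases, so validate with `sshd -t` on the target version before restarting. `MaxAuthTries 1` counts every public key the client offers as an attempt, so users with several keys loaded in their agent are disconnected before the matching key is tried unless they set `IdentitiesOnly yes`; either raise it to `MaxAuthTries 3` or add a comment stating that expectation. Which of these lines survive on the new side is not recoverable from the rendered hunk, so this applies to whichever side keeps them.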
|
||||
|
@ -23,13 +23,6 @@ fs.suid_dumpable = 0
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# Disable io_uring
|
||||
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
|
||||
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel.io_uring_disabled = 2
|
||||
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
@ -57,6 +50,12 @@ kernel.yama.ptrace_scope = 1
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel_io_uring_disable = 2
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Disable sysrq.
|
||||
kernel.sysrq = 0
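Review bot: The added `kernel_io_uring_disable = 2` is not a valid sysctl key — the knob is `kernel.io_uring_disabled` (the `docs.kernel.org` link removed in the neighbouring hunk documents it), so `sysctl` reports `cannot stat /proc/sys/kernel_io_uring_disable` and io_uring stays enabled while the file looks hardened. Use `kernel.io_uring_disabled = 2`, and note in the comment that `2` disables it for every process including root, `1` only restricts it to processes with `CAP_SYS_ADMIN` or the `kernel.io_uring_group` gid, and the sysctl exists only on kernels 6.6 and newer, so older Proxmox kernels will also error on it. The `# Disable io_uring, a very sus feature.` comment should carry the actual rationale, e.g. `# io_uring has repeatedly been the vector for kernel LPEs (see the kCTF write-up); disable it unless a workload needs it`.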
|
||||
|
@ -51,12 +51,9 @@ kernel.yama.ptrace_scope = 3
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# Disable io_uring
|
||||
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
|
||||
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel.io_uring_disabled = 2
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
kernel_io_uring_disable = 2
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Disable sysrq.
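Review bot: Here too the new io_uring block uses the misspelled key `kernel_io_uring_disable = 2` while the lines being dropped used the correct `kernel.io_uring_disabled = 2`; the kernel has no such entry, so the setting is silently lost. The rewrite also drops the `docs.kernel.org` reference and the warning that disabling io_uring makes Proxmox painful (`aio=native` is needed for each disk), which the README in this same compare still relies on — keep those comment lines together with the corrected key. The hunk ends on the `# Disable sysrq.` comment, so the `kernel.sysrq` value it introduces is outside this view.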
|
||||
|