From 19a99b7d91491ee003a426bf7aae71b4cffa6d7f Mon Sep 17 00:00:00 2001
From: Tommy
Date: Wed, 25 Jan 2023 06:18:44 -0500
Subject: [PATCH] Setup unbound
Signed-off-by: Tommy
---
 install.sh | 74 ++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 64 insertions(+), 10 deletions(-)
diff --git a/install.sh b/install.sh
index d9c3803..6c575dd 100644
--- a/install.sh
+++ b/install.sh
@@ -186,9 +186,6 @@ EOF
 dnf install -y tuned
 tune-adm profile latency-performance
-
- systemctl disable --now sshd.service
- systemctl enable --now sshd.socket
 }
 install_pterodactyl() {
@@ -572,15 +569,76 @@ ssl_certs(){
 }
 linux_hardening(){
+
+ dnf install -y unbound
+
+ echo 'server:
+ chroot: ""
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ trust-anchor-signaling: yes
+ root-key-sentinel: yes
+ tls-ciphers: "PROFILE=SYSTEM"
+ hide-http-user-agent: yes
+ hide-identity: yes
+ hide-trustanchor: yes
+ hide-version: yes
+ deny-any: yes
+ do-not-query-localhost: yes
+ harden-algo-downgrade: yes
+ harden-large-queries: yes
+ harden-referral-path: yes
+ ignore-cd-flag: yes
+ max-udp-size: 3072
+ module-config: "validator iterator"
+ qname-minimisation-strict: yes
+ unwanted-reply-threshold: 10000000
+ use-caps-for-id: yes
+ outgoing-port-permit: 1024-65535
+ prefetch: yes
+ prefetch-key: yes
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 8.8.8.8#dns.google
+ forward-addr: 8.8.4.4#dns.google
+ forward-addr: 2001:4860:4860::8888#dns.google
+ forward-addr: 2001:4860:4860::8844#dns.google' | sudo tee /etc/unbound/unbound.conf
+
+ mkdir -p /etc/systemd/system/unbound.service.d
+ echo $'[Service]
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
+
+ systemctl enable --now unbound
+
+ mkdir -p /etc/systemd/system/sshd.service.d
+ curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
+ systemctl restart sshd
+
+ curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
+ systemctl restart chronyd
+
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sysctl -p
- curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
- systemctl restart chronyd
-
 mkdir -p /etc/systemd/system/NetworkManager.service.d
 curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 systemctl restart NetworkManager
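Review bot: `systemctl daemon-reload` is missing between writing `/etc/systemd/system/unbound.service.d/override.conf` and `systemctl enable --now unbound`, and likewise between writing the sshd `limits.conf` drop-in and `systemctl restart sshd`, so both units may start from the definitions systemd already has loaded and the sandboxing in override.conf would silently not apply; add `systemctl daemon-reload` immediately before each of those two commands. The `curl` calls that fetch limits.conf and chrony.conf into /etc run without `-f`, so an HTTP error body would be installed as the config and the service restarted against it; `curl -fsSL … || return 1` makes that failure visible, and because the URLs track unpinned `main`/`master` branches the host's configuration follows whatever those branches contain at run time. The unbound config enables `forward-tls-upstream: yes` with `#dns.google` authnames but sets neither `tls-cert-bundle` nor `tls-system-cert`, and `tee` replaces the distribution unbound.conf wholesale, so unless a CA store is configured elsewhere the upstream certificate name cannot be verified — running `unbound-checkconf` after writing the file would confirm either way. In `SystemCallFilter` the entry `mount` has no `@`, which filters only the `mount` syscall rather than the `@mount` group, if the group was intended. linux_hardening() starts inside this hunk but its body continues beyond it.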
@@ -589,10 +647,6 @@ linux_hardening(){
 curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
 systemctl restart irqbalance
- mkdir -p /etc/systemd/system/sshd.service.d
- curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
- systemctl restart sshd
-
 if [ "$lsb_dist" = "rhel" ]; then
 insights-client --register
 dnf install -y yara