|
|
|
@ -60,14 +60,17 @@ AllowTcpForwarding no |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
# Disable unattended-upgrades to prevent it from holding the dpkg frontend lock |
|
|
|
# Disable unattended-upgrades to prevent it from holding the dpkg frontend lock |
|
|
|
sudo systemctl disable unattended-upgrades.service |
|
|
|
systemctl disable unattended-upgrades.service |
|
|
|
sudo systemctl stop unattended-upgrades.service |
|
|
|
systemctl stop unattended-upgrades.service |
|
|
|
|
|
|
|
|
|
|
|
# Check for Updates |
|
|
|
# Check for Updates |
|
|
|
sudo apt update |
|
|
|
apt update |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Upgrade Ubuntu packages |
|
|
|
|
|
|
|
apt upgrade -y |
|
|
|
|
|
|
|
|
|
|
|
# Install needed programs |
|
|
|
# Install needed programs |
|
|
|
sudo apt install -y curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor apparmor-utils apparmor-easyprof haveged auditd audispd-plugins libpam-cracklib |
|
|
|
apt install -y curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor apparmor-utils apparmor-easyprof haveged auditd audispd-plugins libpam-cracklib gnutls-bin net-tools |
|
|
|
|
|
|
|
|
|
|
|
# Setup NTP |
|
|
|
# Setup NTP |
|
|
|
timedatectl set-ntp true |
|
|
|
timedatectl set-ntp true |
|
|
|
@ -242,11 +245,22 @@ EOF |
|
|
|
# Setup Apparmor |
|
|
|
# Setup Apparmor |
|
|
|
echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor |
|
|
|
echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Rsyslog enable log shipping to centralized syslog server |
|
|
|
|
|
|
|
echo '*.* @@10.128.100.2:514' >> /etc/rsyslog.d/50-default.conf |
|
|
|
|
|
|
|
|
|
|
|
# Enable Services |
|
|
|
# Enable Services |
|
|
|
sudo systemctl enable auditd |
|
|
|
systemctl enable auditd |
|
|
|
sudo systemctl enable apparmor |
|
|
|
systemctl enable apparmor |
|
|
|
sudo systemctl enable haveged |
|
|
|
systemctl enable haveged |
|
|
|
sudo systemctl enable unattended-upgrades |
|
|
|
systemctl enable unattended-upgrades |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Restart Services |
|
|
|
|
|
|
|
systemctl daemon-reload |
|
|
|
|
|
|
|
systemctl restart unattended-upgrades |
|
|
|
|
|
|
|
systemctl restart apparmor |
|
|
|
|
|
|
|
systemctl restart auditd |
|
|
|
|
|
|
|
systemctl restart haveged |
|
|
|
|
|
|
|
systemctl restart rsyslog |
|
|
|
|
|
|
|
|
|
|
|
# Setup SSH Host Keys |
|
|
|
# Setup SSH Host Keys |
|
|
|
rm /etc/ssh/ssh_host_* |
|
|
|
rm /etc/ssh/ssh_host_* |
|
|
|
@ -270,3 +284,13 @@ cat <<-EOF > /etc/motd |
|
|
|
# Disconnect IMMEDIATELY if you are not an authorized user! # |
|
|
|
# Disconnect IMMEDIATELY if you are not an authorized user! # |
|
|
|
######################################################################################################################## |
|
|
|
######################################################################################################################## |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Disable IPv6 in UFW |
|
|
|
|
|
|
|
sed -i "/ipv6=/Id" /etc/default/ufw |
|
|
|
|
|
|
|
echo "IPV6=no" | sudo tee -a /etc/default/ufw |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Enable UFW firewall |
|
|
|
|
|
|
|
ufw allow 22/tcp |
|
|
|
|
|
|
|
ufw allow 80/tcp |
|
|
|
|
|
|
|
ufw allow 443/tcp |
|
|
|
|
|
|
|
ufw enable |
