From ce6c733081d01527df15316190e5d8b144b39261 Mon Sep 17 00:00:00 2001
From: Edwin Lyon
Date: Wed, 20 Sep 2023 13:37:30 -0700
Subject: [PATCH] Update 'cloud_setup.sh'

---
 cloud_setup.sh | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/cloud_setup.sh b/cloud_setup.sh
index 34af3b5..9bb57a9 100644
--- a/cloud_setup.sh
+++ b/cloud_setup.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# General hardening
 echo "umask 027" >> /etc/profile
 rm /etc/cron.deny 2> /dev/null
 rm /etc/at.deny 2> /dev/null
@@ -15,15 +16,63 @@ echo 'ALL: PARANOID' > /etc/hosts.deny
 chmod 644 /etc/hosts.allow
 chmod 644 /etc/hosts.deny
+# Hide PID 2
 echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab
+# Backup SSH_CONFIG
+mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+
+# Harden SSH Settings
+cat <<-EOF > /etc/ssh/sshd_config
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+AcceptEnv LANG LC_*
+AllowGroups root sudo
+Banner /etc/issue.net
+ChallengeResponseAuthentication no
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ClientAliveCountMax 0
+ClientAliveInterval 300
+Compression no
+HostbasedAuthentication no
+IgnoreUserKnownHosts yes
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+LoginGraceTime 20
+LogLevel VERBOSE
+Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+MaxAuthTries 3
+MaxSessions 3
+MaxStartups 10:30:60
+PermitEmptyPasswords no
+PermitRootLogin no
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitUserEnvironment no
+PrintLastLog yes
+PrintMotd no
+StrictModes yes
+Subsystem sftp internal-sftp
+UseDNS no
+UsePAM yes
+X11Forwarding no
+AllowTcpForwarding yes
+EOF
+
+# Disable unattended-upgrades to prevent it from holding the dpkg frontend lock
+sudo systemctl disable unattended-upgrades.service
+sudo systemctl stop unattended-upgrades.service
+
+# Install needed programs
 apt install curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make dh-systemd neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor libpam-tmpdir apparmor-utils apparmor-easyprof haveged auditd libpam-cracklib
+# Setup NTP
 timedatectl set-ntp true
 timedatectl set-timezone America/Los_Angeles
 echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf
 date
+# Setup Auditd Rules
 cat <<-EOF > /etc/audit/rules.d/server.rules
 # Remove any existing rules
 -D
@@ -186,12 +235,16 @@ cat <<-EOF > /etc/audit/rules.d/server.rules
 -e 2
 EOF
+# Setup Apparmor
 echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
+# Enable Services
 systemctl enable auditd
 systemctl enable apparmor
 systemctl enable haveged
+systemctl enable unattended-upgrades
+# Setup SSH Host Keys
 rm /etc/ssh/ssh_host_*
 ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
 ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
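Review bot: The heredoc replaces /etc/ssh/sshd_config without validating it, so a typo in the new file only surfaces as a lockout on the next sshd restart; right after the `EOF` that closes it, add `sshd -t -f /etc/ssh/sshd_config || { mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; exit 1; }` so the backup taken by the `mv` above is actually used. `ClientAliveCountMax 0` next to `ClientAliveInterval 300` does not produce an idle disconnect on OpenSSH 8.2 and later, where a count of 0 disables connection termination; `ClientAliveCountMax 1` is the value that drops an idle session after one missed keepalive. The config lists `HostKey /etc/ssh/ssh_host_ed25519_key` first, but the host-key regeneration in the last hunk deletes `/etc/ssh/ssh_host_*` and recreates only the ecdsa and rsa keys, so that entry is presumably dead unless the ed25519 key is created outside this diff. The `# Hide PID 2` comment misdescribes the fstab line: `hidepid=2` hides other users' process entries under /proc, so `# Hide other users' processes in /proc (hidepid=2)` would be accurate. The two `sudo systemctl` lines are also out of step with the rest of the script, which writes to /etc directly as root and does not include sudo in the apt install list; plain `systemctl` matches the surrounding code.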
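Review bot: `systemctl enable unattended-upgrades` re-enables the unit that the earlier hunk disabled and stopped, but nothing starts it again, so automatic security updates stay off until the machine reboots; `systemctl enable --now unattended-upgrades` (or a separate `systemctl start unattended-upgrades` once the apt steps are done) restores them in the running system. The three enables above it are likewise enable-only, which may be intentional for an image that is rebooted after setup, but the unattended-upgrades case differs because the commit itself is what stopped the service. A short comment such as `# Re-enable after package installs have finished; the stop above released the dpkg lock` would make the pairing with the earlier hunk explicit.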