@ -1,6 +1,7 @@ |
|
|
|
#!/bin/sh |
|
|
|
#!/bin/sh |
|
|
|
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
|
|
|
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# General hardening |
|
|
|
echo "umask 027" >> /etc/profile |
|
|
|
echo "umask 027" >> /etc/profile |
|
|
|
rm /etc/cron.deny 2> /dev/null |
|
|
|
rm /etc/cron.deny 2> /dev/null |
|
|
|
rm /etc/at.deny 2> /dev/null |
|
|
|
rm /etc/at.deny 2> /dev/null |
|
|
@ -15,15 +16,63 @@ echo 'ALL: PARANOID' > /etc/hosts.deny |
|
|
|
chmod 644 /etc/hosts.allow |
|
|
|
chmod 644 /etc/hosts.allow |
|
|
|
chmod 644 /etc/hosts.deny |
|
|
|
chmod 644 /etc/hosts.deny |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Hide PID 2 |
|
|
|
echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab |
|
|
|
echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Backup SSH_CONFIG |
|
|
|
|
|
|
|
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Harden SSH Settings |
|
|
|
|
|
|
|
cat <<-EOF > /etc/ssh/sshd_config |
|
|
|
|
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key |
|
|
|
|
|
|
|
HostKey /etc/ssh/ssh_host_rsa_key |
|
|
|
|
|
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key |
|
|
|
|
|
|
|
AcceptEnv LANG LC_* |
|
|
|
|
|
|
|
AllowGroups root sudo |
|
|
|
|
|
|
|
Banner /etc/issue.net |
|
|
|
|
|
|
|
ChallengeResponseAuthentication no |
|
|
|
|
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr |
|
|
|
|
|
|
|
ClientAliveCountMax 0 |
|
|
|
|
|
|
|
ClientAliveInterval 300 |
|
|
|
|
|
|
|
Compression no |
|
|
|
|
|
|
|
HostbasedAuthentication no |
|
|
|
|
|
|
|
IgnoreUserKnownHosts yes |
|
|
|
|
|
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 |
|
|
|
|
|
|
|
LoginGraceTime 20 |
|
|
|
|
|
|
|
LogLevel VERBOSE |
|
|
|
|
|
|
|
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 |
|
|
|
|
|
|
|
MaxAuthTries 3 |
|
|
|
|
|
|
|
MaxSessions 3 |
|
|
|
|
|
|
|
MaxStartups 10:30:60 |
|
|
|
|
|
|
|
PermitEmptyPasswords no |
|
|
|
|
|
|
|
PermitRootLogin no |
|
|
|
|
|
|
|
PubkeyAuthentication yes |
|
|
|
|
|
|
|
PasswordAuthentication no |
|
|
|
|
|
|
|
PermitUserEnvironment no |
|
|
|
|
|
|
|
PrintLastLog yes |
|
|
|
|
|
|
|
PrintMotd no |
|
|
|
|
|
|
|
StrictModes yes |
|
|
|
|
|
|
|
Subsystem sftp internal-sftp |
|
|
|
|
|
|
|
UseDNS no |
|
|
|
|
|
|
|
UsePAM yes |
|
|
|
|
|
|
|
X11Forwarding no |
|
|
|
|
|
|
|
AllowTcpForwarding yes |
|
|
|
|
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Disable unattended-upgrades to prevent it from holding the dpkg frontend lock |
|
|
|
|
|
|
|
sudo systemctl disable unattended-upgrades.service |
|
|
|
|
|
|
|
sudo systemctl stop unattended-upgrades.service |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Install needed programs |
|
|
|
apt install curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make dh-systemd neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor libpam-tmpdir apparmor-utils apparmor-easyprof haveged auditd libpam-cracklib |
|
|
|
apt install curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make dh-systemd neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor libpam-tmpdir apparmor-utils apparmor-easyprof haveged auditd libpam-cracklib |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Setup NTP |
|
|
|
timedatectl set-ntp true |
|
|
|
timedatectl set-ntp true |
|
|
|
timedatectl set-timezone America/Los_Angeles |
|
|
|
timedatectl set-timezone America/Los_Angeles |
|
|
|
echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf |
|
|
|
echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf |
|
|
|
date |
|
|
|
date |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Setup Auditd Rules |
|
|
|
cat <<-EOF > /etc/audit/rules.d/server.rules |
|
|
|
cat <<-EOF > /etc/audit/rules.d/server.rules |
|
|
|
# Remove any existing rules |
|
|
|
# Remove any existing rules |
|
|
|
-D |
|
|
|
-D |
|
|
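Review bot: The new `sshd_config` heredoc overwrites the live configuration without validating it, so a typo in any of its directives locks out remote administration whenever sshd is next restarted, and the `.bak` copy made by the `mv` line just above is never consulted. Add a test-and-rollback step after the `EOF` line, e.g. `sshd -t -f /etc/ssh/sshd_config || mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config`. Two of the directives also deserve a second look: sshd_config(5) for recent OpenSSH releases documents that a zero `ClientAliveCountMax` disables connection termination rather than enforcing it, so `ClientAliveInterval 300` with `ClientAliveCountMax 0` likely does not drop idle sessions as intended, and `AllowTcpForwarding yes` keeps port forwarding open for every user matched by `AllowGroups root sudo`, which runs against the "Harden SSH Settings" heading and should either be `no` or carry a comment stating why it is needed. The two `sudo systemctl` lines are the only commands in the script that invoke sudo even though every other command already assumes root; dropping `sudo` there keeps the script consistent. The auditd rules heredoc that opens at the end of this hunk closes in the next one.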
@ -186,12 +235,16 @@ cat <<-EOF > /etc/audit/rules.d/server.rules |
|
|
|
-e 2 |
|
|
|
-e 2 |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Setup Apparmor |
|
|
|
echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor |
|
|
|
echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Enable Services |
|
|
|
systemctl enable auditd |
|
|
|
systemctl enable auditd |
|
|
|
systemctl enable apparmor |
|
|
|
systemctl enable apparmor |
|
|
|
systemctl enable haveged |
|
|
|
systemctl enable haveged |
|
|
|
|
|
|
|
systemctl enable unattended-upgrades |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Setup SSH Host Keys |
|
|
|
rm /etc/ssh/ssh_host_* |
|
|
|
rm /etc/ssh/ssh_host_* |
|
|
|
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N "" |
|
|
|
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N "" |
|
|
|
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" |
|
|
|
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" |
|
|
|