authorOxbian <oxbian@mailbox.org>2024-10-15 15:00:35 -0400
committerOxbian <oxbian@mailbox.org>2024-10-15 15:00:35 -0400
commit843c1c9220c953e03fe0fae7b8a4d99deb7e2b0b (patch)
treee4b4ec79a2543b8bd7c2a6638535eb9ac6ad5cac
parent16541e279c0a7cc3f6ae1efea3c8d8a44a424cf1 (diff)
downloadsecure-server.sh-843c1c9220c953e03fe0fae7b8a4d99deb7e2b0b.tar.gz
secure-server.sh-843c1c9220c953e03fe0fae7b8a4d99deb7e2b0b.zip
ADD: firewall config + sysctl options for securitymain
-rw-r--r--README.md2
-rw-r--r--custom.conf2
-rw-r--r--secure.sh54
3 files changed, 56 insertions, 2 deletions
diff --git a/README.md b/README.md
index 6541e40..6de32d9 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
---
This repo contain a script that does basic security on a server.
-The script add automatic security update, hardened ssh and add logwatch / rkhunter / clamav to check for virus/malware...
+The script add automatic security update, hardened ssh, firewall and add logwatch / rkhunter / clamav to check for virus/malware...
This is the strict minimum to use for every server you owm, I also recommand to use a firewall and a vpn if you want to open some port to any some networks.
diff --git a/custom.conf b/custom.conf
index dedce96..4b2e09f 100644
--- a/custom.conf
+++ b/custom.conf
@@ -54,7 +54,7 @@ LoginGraceTime 2m
StrictModes yes
MaxAuthTries 3
MaxSessions 3
-AllowUsers debian
+#AllowUsers debian
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
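Review bot: Commenting out `AllowUsers debian` removes the only account allow-list in this sshd config, so after this change every local account with a key or password can attempt SSH login, which widens the attack surface that the rest of custom.conf (MaxAuthTries, MaxSessions) is trying to narrow. Presumably the line was disabled because the username is deployment-specific rather than because the restriction is unwanted; if so, keep the directive and have secure.sh substitute the real admin account, e.g. `AllowUsers <admin-user>  # replaced by secure.sh at install time`, or at least add a comment stating that operators are expected to set it. Dropping a hardening directive without a replacement is easy to miss in a config this long, so the intent should be visible next to the line.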
diff --git a/secure.sh b/secure.sh
index 448b11b..0993070 100644
--- a/secure.sh
+++ b/secure.sh
@@ -100,6 +100,60 @@ sudo clamscan -i -r --remove /
# Installing logwatch
sudo apt install logwatch
+echo -e "${TITLE}- Installing and configuring firewall ${RESET}"
+# Install firewall
+sudo apt install ufw
+sudo ufw enable
+sudo ufw default allow outgoing
+sudo ufw default deny incoming
+sudo ufw allow ssh
+
+echo -e "${TITLE}- Sysctl config for security ${RESET}"
+sudo tee -a /etc/sysctl.conf << EOF
+kernel.kptr_restrict=2
+kernel.dmesg_restrict=1
+kernel.printk=3 3 3 3
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+dev.tty.ldisc_autoload=0
+vm.unprivileged_userfaultfd=0
+kernel.kexec_load_disabled=1
+kernel.sysrq=4
+kernel.unprivileged_userns_clone=0
+kernel.perf_event_paranoid=3
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_rfc1337=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.icmp_echo_ignore_all=1
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+net.ipv4.tcp_fack=0
+kernel.yama.ptrace_scope=2
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
+fs.protected_fifos=2
+fs.protected_regular=2
+vm.swappiness=1
+EOF
+sudo sysctl -p
+
echo -e "${INFO}[v] Configuration done ${RESET}"
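Review bot: `sudo ufw enable` runs before `sudo ufw default deny incoming` and `sudo ufw allow ssh`, so on a host where this script is run over SSH the firewall comes up with ufw's default inbound deny before port 22 is opened, which can drop the operator's session mid-script; `ufw enable` also prompts interactively about disrupting SSH connections, and the `apt install` lines have no `-y`, so the script stalls or aborts under non-interactive use. The sysctl block has a second problem: `sudo tee -a /etc/sysctl.conf` appends the whole key list on every run, so re-running secure.sh accumulates duplicates in the system file, and `sysctl -p` stops applying only `/etc/sysctl.conf`. Reorder the ufw block so the ssh allow rule and policies are set before enabling, write the keys to a dedicated drop-in with plain `tee` so reruns are idempotent, and load it with `sysctl --system`. Note too that `ufw allow ssh` opens port 22 only, so if custom.conf sets a non-default `Port` (not visible here) the rule will not match it; and `net.ipv4.icmp_echo_ignore_all=1` and `net.ipv4.tcp_sack=0` are opinionated choices (breaks ping-based monitoring, reduces TCP throughput on lossy links) that deserve a one-line comment each so the next maintainer knows they are deliberate.
```shell
echo -e "${TITLE}- Installing and configuring firewall ${RESET}"
# Set policy and the ssh rule first so enabling never drops the current session.
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh   # opens 22/tcp only; adjust if custom.conf changes Port
sudo ufw --force enable

echo -e "${TITLE}- Sysctl config for security ${RESET}"
# Dedicated drop-in (overwritten, not appended) keeps reruns idempotent.
sudo tee /etc/sysctl.d/99-secure-server.conf << EOF
# … unchanged: sysctl key list …
EOF
sudo sysctl --system
```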