authorOxbian <oxbian@mailbox.org>2024-10-15 15:00:35 -0400
committerOxbian <oxbian@mailbox.org>2024-10-15 15:00:35 -0400
commit843c1c9220c953e03fe0fae7b8a4d99deb7e2b0b (patch)
treee4b4ec79a2543b8bd7c2a6638535eb9ac6ad5cac /secure.sh
parent16541e279c0a7cc3f6ae1efea3c8d8a44a424cf1 (diff)
ADD: firewall config + sysctl options for security
Diffstat (limited to 'secure.sh')
-rw-r--r--secure.sh54
1 files changed, 54 insertions, 0 deletions
diff --git a/secure.sh b/secure.sh
index 448b11b..0993070 100644
--- a/secure.sh
+++ b/secure.sh
@@ -100,6 +100,60 @@ sudo clamscan -i -r --remove /
# Installing logwatch
sudo apt install logwatch
+echo -e "${TITLE}- Installing and configuring firewall ${RESET}"
+# Install firewall
+sudo apt install ufw
+sudo ufw enable
+sudo ufw default allow outgoing
+sudo ufw default deny incoming
+sudo ufw allow ssh
+
+echo -e "${TITLE}- Sysctl config for security ${RESET}"
+sudo tee -a /etc/sysctl.conf << EOF
+kernel.kptr_restrict=2
+kernel.dmesg_restrict=1
+kernel.printk=3 3 3 3
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+dev.tty.ldisc_autoload=0
+vm.unprivileged_userfaultfd=0
+kernel.kexec_load_disabled=1
+kernel.sysrq=4
+kernel.unprivileged_userns_clone=0
+kernel.perf_event_paranoid=3
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_rfc1337=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.icmp_echo_ignore_all=1
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+net.ipv4.tcp_fack=0
+kernel.yama.ptrace_scope=2
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
+fs.protected_fifos=2
+fs.protected_regular=2
+vm.swappiness=1
+EOF
+sudo sysctl -p
+
echo -e "${INFO}[v] Configuration done ${RESET}"
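Review bot: `sudo ufw enable` is issued before the `default deny incoming` and `allow ssh` rules that follow it, so on a remote host the firewall comes up with no SSH allowance in place and the session running this script (and any new one) can be cut off; run the rules first and enable last, `sudo ufw default deny incoming`, `sudo ufw allow ssh`, `sudo ufw enable`. The sysctl block is appended with `tee -a` to /etc/sysctl.conf, so every re-run of the script duplicates all the keys; writing them once (without `-a`) into a drop-in file under /etc/sysctl.d/ and loading with `sudo sysctl --system` keeps the step idempotent. Some of the keys look distribution- or kernel-version-specific (kernel.unprivileged_userns_clone and net.ipv4.tcp_fack are likely candidates), so `sysctl -p` will probably report unknown keys on some kernels and a comment noting that this is expected would help the next reader; `net.ipv4.icmp_echo_ignore_all=1` also stops the host answering ping-based monitoring, which deserves a comment of its own. The hunk is the tail of a flat script whose beginning lies outside the hunk.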