From 843c1c9220c953e03fe0fae7b8a4d99deb7e2b0b Mon Sep 17 00:00:00 2001
From: Oxbian
Date: Tue, 15 Oct 2024 15:00:35 -0400
Subject: ADD: firewall config + sysctl options for security
---
secure.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
(limited to 'secure.sh')
diff --git a/secure.sh b/secure.sh
index 448b11b..0993070 100644
--- a/secure.sh
+++ b/secure.sh
@@ -100,6 +100,60 @@ sudo clamscan -i -r --remove / # Installing logwatch sudo apt install logwatch
+echo -e "${TITLE}- Installing and configuring firewall ${RESET}"
+# Install firewall
+sudo apt install ufw
+sudo ufw enable
+sudo ufw default allow outgoing
+sudo ufw default deny incoming
+sudo ufw allow ssh
+
+echo -e "${TITLE}- Sysctl config for security ${RESET}"
+sudo tee -a /etc/sysctl.conf << EOF
+kernel.kptr_restrict=2
+kernel.dmesg_restrict=1
+kernel.printk=3 3 3 3
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+dev.tty.ldisc_autoload=0
+vm.unprivileged_userfaultfd=0
+kernel.kexec_load_disabled=1
+kernel.sysrq=4
+kernel.unprivileged_userns_clone=0
+kernel.perf_event_paranoid=3
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_rfc1337=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.icmp_echo_ignore_all=1
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+net.ipv4.tcp_fack=0
+kernel.yama.ptrace_scope=2
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
+fs.protected_fifos=2
+fs.protected_regular=2
+vm.swappiness=1
+EOF
+sudo sysctl -p
+
 echo -e "${INFO}[v] Configuration done ${RESET}"
--
cgit v1.2.3
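Review bot: `sudo ufw enable` runs before the default policies and the `allow ssh` rule are set, so on a remote session the firewall comes up with ufw's shipped defaults and no SSH exception, and in an interactive run `ufw enable` also stops at its "may disrupt existing ssh connections" prompt; set the policies and the SSH rule first and enable last with `--force` so the script neither locks the operator out nor blocks. `sudo tee -a /etc/sysctl.conf` appends the whole block on every run, so re-running the script duplicates the entries; writing them to a dedicated file under `/etc/sysctl.d/` (a constructed name such as `99-hardening.conf`) and loading with `sudo sysctl --system` keeps it idempotent. Several keys in the here-doc are not present on every kernel (`kernel.unprivileged_userns_clone` exists only on Debian/Ubuntu-patched kernels, for example), so `sysctl -p` prints errors and exits non-zero on hosts without them — presumably harmless unless the script runs under `set -e`, which would be set outside this hunk. A short comment would also help that `net.ipv4.icmp_echo_ignore_all=1` silences ping replies and `kernel.unprivileged_userns_clone=0` breaks unprivileged containers and browser sandboxes, since both are operational surprises rather than pure hardening.
```shell
echo -e "${TITLE}- Installing and configuring firewall ${RESET}"
# Install firewall: policies and the SSH rule first, enable last (--force skips the interactive prompt)
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw --force enable
# … unchanged: sysctl here-doc and sysctl -p …
```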