From 3144412af9e54a16b283faf550635eb1e8b08dbb Mon Sep 17 00:00:00 2001
From: Martijn de Boer
Date: Sat, 5 Aug 2023 16:44:41 +0200
Subject: [PATCH] Update install.sh
---
 install.sh | 84 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 44 insertions(+), 40 deletions(-)
diff --git a/install.sh b/install.sh
index f29806f..b9f9c80 100644
--- a/install.sh
+++ b/install.sh
@@ -47,57 +47,56 @@ apt -y upgrade
 echo "Hardening system..."
 ## Disable info packets
-echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 ## Track bad attempts
-echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 ## Harden ip options
-echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 ## Disable routing functionality
-echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 ## Network optimisation
 echo "Optimising network settings..."
-echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
-echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
-echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
-echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf
-echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 ## Kernel hardening
-echo "kernel.exec-shield = 1" >> /etc/sysctl.d/99-custom.conf
-echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 ## Kernel optimisation
-echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 ## Filesystem protected
 echo "Hardening filesystem..."
-echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf
-echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf
+echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
 # Write sysctl values
 sysctl -p /etc/sysctl.d/99-custom.conf
@@ -105,14 +104,14 @@ sysctl -p /etc/sysctl.d/99-custom.conf
 # Set limits
 echo "Setting security limits..."
 touch /etc/securitiy/limits.d/99-custom.conf
-echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf
-echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf
-echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf
-echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
+echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
+echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
+echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
+echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
 # Install common packages
 echo "Installing common packages..."
-apt install -y vim git ufw
+apt install -y debian-archive-keyring apt-transport-https vim git ufw &> /dev/null
 # Configure SSH
 echo "Configuring SSH..."
@@ -140,6 +139,11 @@ ufw allow http
 ufw allow https
 ufw enable
+# Install crowdsec
+echo "Installing crowdsec..."
+curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
+apt install crowdsec crowdsec-firewall-bouncer crowdsec-firewall-bouncer-iptables -y &> /dev/null
+
 echo "Done configuring!"
 # Reboot
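Review bot: The added `&> /dev/null` cancels the append on every one of these lines: bash applies redirections left to right, so stdout is first pointed at `/etc/sysctl.d/99-custom.conf` and then re-pointed at `/dev/null`, and the setting is never written. If install.sh runs under bash (the interpreter line is not in the hunk), `sysctl -p` then loads a file without these hardening values, and nothing reports it. The same applies to the four `limits.d` lines in the next hunk. Drop the suffix, e.g. `echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf`, or use `2> /dev/null` if only error text should be hidden.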
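Review bot: The `apt install -y debian-archive-keyring apt-transport-https vim git ufw &> /dev/null` line discards stderr and its exit status is not checked in the visible lines, so a failed install of `ufw` would go unnoticed until the later firewall steps. Keep errors visible and stop on failure, e.g. `apt install -y debian-archive-keyring apt-transport-https vim git ufw > /dev/null || exit 1`. Separately, the unchanged `touch /etc/securitiy/limits.d/99-custom.conf` context line spells the directory differently from the `/etc/security/limits.d/` path the echo lines use.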
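Review bot: The `curl -s … | bash` line executes whatever the remote endpoint returns, presumably as root since the script writes under /etc, with no integrity check; without `-f`, an HTTP error page or a truncated download would be fed to bash as well. Download the script to a temporary file, verify it against a pinned digest (or configure the repository and its signing key explicitly), and only then run it. The following `apt install … &> /dev/null` also hides a failed install, so the firewall bouncer could be missing while the script still prints "Done configuring!".

```shell
# … unchanged: echo "Installing crowdsec..." …
installer="$(mktemp)" || exit 1
curl -fsSL -o "$installer" https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh || exit 1
# EXPECTED_SHA256 is a placeholder: pin the digest of the script version that was reviewed
echo "EXPECTED_SHA256  $installer" | sha256sum -c - || exit 1
bash "$installer" || exit 1
rm -f -- "$installer"
apt install -y crowdsec crowdsec-firewall-bouncer crowdsec-firewall-bouncer-iptables > /dev/null || exit 1
```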