Update install.sh
This commit is contained in:
parent
fc1d57ef86
commit
3144412af9
1 changed files with 44 additions and 40 deletions
84
install.sh
84
install.sh
|
|
@ -47,57 +47,56 @@ apt -y upgrade
|
||||||
echo "Hardening system..."
|
echo "Hardening system..."
|
||||||
|
|
||||||
## Disable info packets
|
## Disable info packets
|
||||||
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
## Track bad attempts
|
## Track bad attempts
|
||||||
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
## Harden ip options
|
## Harden ip options
|
||||||
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
## Disable routing functionality
|
## Disable routing functionality
|
||||||
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
## Network optimisation
|
## Network optimisation
|
||||||
echo "Optimising network settings..."
|
echo "Optimising network settings..."
|
||||||
echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
|
echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
|
echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf
|
echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
## Kernel hardening
|
## Kernel hardening
|
||||||
echo "kernel.exec-shield = 1" >> /etc/sysctl.d/99-custom.conf
|
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf
|
|
||||||
|
|
||||||
## Kernel optimisation
|
## Kernel optimisation
|
||||||
echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf
|
echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
## Filesystem protected
|
## Filesystem protected
|
||||||
echo "Hardening filesystem..."
|
echo "Hardening filesystem..."
|
||||||
echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf
|
echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf
|
echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
# Write sysctl values
|
# Write sysctl values
|
||||||
sysctl -p /etc/sysctl.d/99-custom.conf
|
sysctl -p /etc/sysctl.d/99-custom.conf
|
||||||
|
|
@ -105,14 +104,14 @@ sysctl -p /etc/sysctl.d/99-custom.conf
|
||||||
# Set limits
|
# Set limits
|
||||||
echo "Setting security limits..."
|
echo "Setting security limits..."
|
||||||
touch /etc/securitiy/limits.d/99-custom.conf
|
touch /etc/securitiy/limits.d/99-custom.conf
|
||||||
echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf
|
echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
||||||
echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf
|
echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
||||||
echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf
|
echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
||||||
echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
|
echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
||||||
|
|
||||||
# Install common packages
|
# Install common packages
|
||||||
echo "Installing common packages..."
|
echo "Installing common packages..."
|
||||||
apt install -y vim git ufw
|
apt install -y debian-archive-keyring apt-transport-https vim git ufw &> /dev/null
|
||||||
|
|
||||||
# Configure SSH
|
# Configure SSH
|
||||||
echo "Configuring SSH..."
|
echo "Configuring SSH..."
|
||||||
|
|
@ -140,6 +139,11 @@ ufw allow http
|
||||||
ufw allow https
|
ufw allow https
|
||||||
ufw enable
|
ufw enable
|
||||||
|
|
||||||
|
# Install crowdsec
|
||||||
|
echo "Installing crowdsec..."
|
||||||
|
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
|
||||||
|
apt install crowdsec crowdsec-firewall-bouncer crowdsec-firewall-bouncer-iptables -y &> /dev/null
|
||||||
|
|
||||||
echo "Done configuring!"
|
echo "Done configuring!"
|
||||||
|
|
||||||
# Reboot
|
# Reboot
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue