-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsysprep
More file actions
executable file
·190 lines (153 loc) · 8.9 KB
/
sysprep
File metadata and controls
executable file
·190 lines (153 loc) · 8.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
#! /bin/bash
EmailAddress=FIX ME # The email address where alerts should go to
MailServer=FIX ME # The mail server in your environment
UserName=FIX ME # This should be the primary non-root username you expect to log in as
echo -n "MAKE SURE YOU'RE RUNNING AS ROOT! And make sure you've modified the mail server in this file -- currently $MailServer. If not, press Ctrl+C NOW."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
## Start with an update
apt-get update && apt-get upgrade -y
## Apps from fmarier at http://feeding.cloud.geek.nz/posts/usual-server-setup/
apt-get install sudo openssh-server ca-certificates aide lynis debsums haveged ntp fail2ban unattended-upgrades heirloom-mailx ssmtp unzip curl bash-completion auditd -y
## Tweaks from https://klaver.it/linux/debian-security.txt:
# Disable cron-jobs (exept for the root user)
echo root > /etc/cron.allow
service cron restart
# Let the server fix it's filesystem automatically when errors are found
echo "FSCKFIX=yes" >> /etc/default/rcS
# remove or take away permissions of all system tools that can be used to download files at the command-line
chmod 700 /usr/bin/wget /usr/bin/curl /usr/bin/GET /usr/bin/ftp /usr/bin/telnet 2> /dev/null
dpkg -P lynx links 2> /dev/null
# Set up SSMTP
echo -e "mailhub="$MailServer"\nroot="$EmailAddress"\nhostname="$(hostname -f) > /etc/ssmtp/ssmtp.conf
# most tools send e-mail to root@localhost; redirect this to a working e-mail address:
echo "root: "$EmailAddress >> /etc/aliases
echo "root:"$EmailAddress":"$MailServer >> /etc/ssmtp/revaliases
# Load required modules (particularly re iptables -- kernel tweak to disable module loading kills it)
echo virtio_balloon >> /etc/modules
echo tpm_rng >> /etc/modules
echo button >> /etc/modules
echo ipt_REJECT >> /etc/modules
echo nf_reject_ipv4 >> /etc/modules
echo nf_conntrack_ipv4 >> /etc/modules
echo nf_defrag_ipv4 >> /etc/modules
echo xt_multiport >> /etc/modules
echo xt_conntrack >> /etc/modules
echo nf_conntrack >> /etc/modules
echo xt_tcpudp >> /etc/modules
echo iptable_filter >> /etc/modules
echo ip_tables >> /etc/modules
echo x_tables >> /etc/modules
# Enable emailing in fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i 's/destemail = root@localhost/destemail = $EmailAddress/g' /etc/fail2ban/jail.local
sed -i 's/action = %(action_)s/action = %(action_mwl)s/g' /etc/fail2ban/jail.local
# Disable USB & Firewire storage
echo -e "blacklist usb-storage\nblacklist ohci1394\nblacklist sbp2\nblacklist dv1394\nblacklist raw1394\nblacklist video1394\nblacklist firewire-ohci\nblacklist firewire-sbp2" > /etc/modprobe.d/blacklist_storage.conf
# Have debsums check checksums daily
sed -i 's/CRON_CHECK=never/CRON_CHECK=daily/g' /etc/default/debsums
# Ignore the missing 'as' compiler
echo -e "^/usr/bin/as$" > /etc/debsums-ignore
addgroup ssh-user
usermod -aG ssh-user $UserName
usermod -aG sudo $UserName
# Configure Unattended-Upgrades. NOTE this config will reboot at 2am if reboot required
dpkg-reconfigure -plow unattended-upgrades
echo -e "Unattended-Upgrade::Origins-Pattern {\n\"o=Debian,n=jessie\";\n\"o=Debian,n=jessie-updates\";\n\"o=Debian,n=jessie,l=Debian-Security\";\n};\nUnattended-Upgrade::Mail \"alerts@forlongs.co.nz\";\nUnattended-Upgrade::MailOnlyOnError \"true\";\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"02:00\";\n" > /etc/apt/apt.conf.d/50unattended-upgrades
# Install and enable AppArmor; disable IPv6 stack
apt-get install apparmor apparmor-profiles apparmor-utils -y
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor ipv6.disable=1",' /etc/default/grub
# Tweaks to sysctl.conf kernel settings
cd ~
wget --no-check-certificate https://klaver.it/linux/sysctl.conf
# Change Michiel Klaver's default settings
# Michiel uses fq instead of fq_codel; however for lower tcp-load servers, use fq_codel
# Ref http://www.bufferbloat.net/projects/codel/wiki#Binary-code-and-kernels-for-Linux-based-operating-systems
sed -i 's/net.core.default_qdisc = fq/net.core.default_qdisc = fq_codel/g' sysctl.conf
# Looks like cubic congestion control is better than HTCP for modern servers:
# https://fasterdata.es.net/host-tuning/linux/#toc-anchor-2
sed -i 's/net.ipv4.tcp_congestion_control = htcp/net.ipv4.tcp_congestion_control = cubic/g' sysctl.conf
# Michiel Klaver's ipfrag settings don't work for me
sed -i 's/net.ipv4.ipfrag/# net.ipv4.ipfrag/g' sysctl.conf
# Prevent users from loading Kernel modules
echo -e "kernel.modules_disabled=1\n" >> sysctl.conf
# Remove ipv6 references from sysctl.conf, since it's disabled
sed -i '/ipv6/d' sysctl.conf
mv sysctl.conf /etc -f
# Commit kernel changes
update-grub
# Set permissions for /etc/shadow
chmod 400 /etc/shadow
# Create 4096-bit RSA key
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa4096 < /dev/null
# Create ~/.ssh/authorized_keys
mkdir /home/$UserName/.ssh
touch /home/$UserName/.ssh/authorized_keys
chown $UserName:$UserName /home/$UserName/.ssh
chown $UserName:$UserName /home/$UserName/.ssh/*
chmod 600 /home/$UserName/.ssh/authorized_keys
# Download and overwrite SSHD config file
wget https://raw.githubusercontent.com/rhyven/ssh/master/sshd_config
mv sshd_config /etc/ssh/sshd_config -f
service ssh restart
# Security tweaks for /etc/profile
echo -e "TMOUT=300\nreadonly TMOUT\nexport TMOUT\numask 027" >> /etc/profile
sed -i 's/UMASK\t\t022/UMASK\t\t027/g' /etc/login.defs
sed -i 's/umask 022/umask 027/g' /etc/init.d/rc
# Set up NTP
echo "driftfile /var/lib/ntp/ntp.drift" > /etc/ntp.conf
echo "statistics loopstats peerstats clockstats" >> /etc/ntp.conf
echo "filegen loopstats file loopstats type day enable" >> /etc/ntp.conf
echo "filegen peerstats file peerstats type day enable" >> /etc/ntp.conf
echo "filegen clockstats file clockstats type day enable" >> /etc/ntp.conf
echo "server 0.nz.pool.ntp.org iburst" >> /etc/ntp.conf
echo "server 1.nz.pool.ntp.org iburst" >> /etc/ntp.conf
echo "server 2.nz.pool.ntp.org iburst" >> /etc/ntp.conf
echo "restrict -4 default kod notrap nomodify nopeer noquery" >> /etc/ntp.conf
echo "restrict 127.0.0.1" >> /etc/ntp.conf
echo "interface ignore wildcard" >> /etc/ntp.conf
echo "interface listen eth0" >> /etc/ntp.conf
# Set up some basic rules for auditd
echo "-a always,exit -S all -F dir=/bin -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/sbin -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/usr/bin -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/usr/local/bin -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/usr/local/sbin -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/usr/sbin -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/usr/lib/systemd -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/etc -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/lib -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/lib64 -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F dir=/usr/lib -F perm=aw -k system-objects" >> /etc/audit/rules.d/audit.rules
# Build sysprep2
# Purge unwanted packages
echo "apt-get purge john john-data rpcbind exim4 sendmail sendmail-* postfix -y 2> /dev/null" >> sysprep2
# Enable AllowGroups under sshd_config (you're using SSH already, right???)
echo "sudo sed -i 's/# AllowGroups/AllowGroups/g' /etc/ssh/sshd_config" >> sysprep2
# Knobble auto-installed compiler
echo "sudo mv /usr/bin/as ~" >> sysprep2
# Apply AppArmour profiles after reboot
# The logrotate apparmor profile has a bug; set this one to complain instead of enforce
echo -e "for f in /etc/apparmor.d/*.* ; do aa-enforce \$f; done" >> sysprep2
echo -e "cp -n /usr/share/doc/apparmor-profiles/extras/* /etc/apparmor.d/" >> sysprep2
echo -e "for f in /usr/share/doc/apparmor-profiles/extras/*.* ; do aa-complain \$f; done" >> sysprep2
echo -e "aa-complain /etc/apparmor.d/etc.cron.daily.logrotate" >> sysprep2
echo -e "aa-complain /etc/apparmor.d/usr.sbin.sshd" >> sysprep2
echo -e "aa-complain /etc/apparmor.d/usr.sbin.man" >> sysprep2
echo -e "aa-complain /etc/apparmor.d/usr.sbin.useradd" >> sysprep2
echo -e "aa-complain /etc/apparmor.d/usr.sbin.userdel" >> sysprep2
# Notes for next boot
echo "echo -e Execute ./moduli when you've got some time to kill." >> sysprep2
echo "echo -e Make sure you run aideinit once your system is fully configured" >> sysprep2
echo -e "ssh-keygen -G /tmp/moduli -b 4096 && ssh-keygen -T /etc/ssh/moduli -f /tmp/moduli" > moduli
echo -e "rm ./moduli" >> moduli
chmod a+x moduli
echo "REBOOT NOW, and then run bash ./sysprep2"
rm ./sysprep