adajw · September 16, 2021 08:14
diff --git a/00-main.sh b/00-main.sh
 # script order:
 # install.sh
 # configure.sh
 # harden.sh
 # iptables.sh
 # grub.sh

 # TODO security: 
 # - grsec configure
 # - sudo & root hardening
 # - password hash hardening
 # - firejail setup
 # - change default umask
 # - firewall (iptables)
 # - ssh hardening
 # - pacman hardening
 # - bootloader hardening
 # 
 # TODO other: 
 # - zsh
 # - change boot process, no udev, manually listed modules?
 # - Add user ada to group tpe
 # - Samsung SSD firmware upgrade?
 # - overclocking
 # - CUPS

 # set secure umask. this will be persisted later in harden.sh
 umask 077

 # download our other scripts
 mkdir scripts
 GIST_ROOT = "https://gist.githubusercontent.com/adajw/2ef987082ddce212f519bcf9fdf9c830/raw"
 SC_01 = "$GIST_ROOT/01-install.sh"
 SC_02 = "$GIST_ROOT/02-configure.sh"
 SC_03 = "$GIST_ROOT/03-harden.sh"
 SC_04 = "$GIST_ROOT/04-firewall.sh"
 SC_05 = "$GIST_ROOT/05-grub.sh"
 wget -P scripts $SC_01 $SC_02 $SC_03 $SC_04 $SC_05 
 chmod +x scripts/*

 # create some config files to later copy into various places
 mkdir confs
 echo "[Unit]\n\
 Description=Pacman mirrorlist update\n\
 \n\
 \n\
 [Service]\n\
 Type=oneshot\n\
 ExecStart=/usr/bin/reflector --protocol https --latest 30 --number 20 --sort rate --save /etc/pacman.d/mirrorlist" > confs/reflector.service

 echo "[Unit]\n\
 Description=Run reflector weekly\n\
 \n\
 [Timer]\n\
 OnCalendar=weekly\n\
 RandomizedDelaySec=12h\n\
 Persistent=true\n\
 \n\
 [Install]\n\
 WantedBy=timers.target" > confs/reflector.timer

 echo "#### ipv4 networking and equivalent ipv6 parameters ####\n\
 \n\
 ## TCP SYN cookie protection (default)\n\
 ## helps protect against SYN flood attacks\n\
 ## only kicks in when net.ipv4.tcp_max_syn_backlog is reached\n\
 net.ipv4.tcp_syncookies = 1\n\
 \n\
 ## protect against tcp time-wait assassination hazards\n\
 ## drop RST packets for sockets in the time-wait state\n\
 ## (not widely supported outside of linux, but conforms to RFC)\n\
 net.ipv4.tcp_rfc1337 = 1\n\
 \n\
 ## sets the kernels reverse path filtering mechanism to value 1(on)\n\
 ## will do source validation of the packet's recieved from all the interfaces on the machine\n\
 ## protects from attackers that are using ip spoofing methods to do harm\n\
 net.ipv4.conf.all.rp_filter = 1\n\
 net.ipv6.conf.all.rp_filter = 1\n\
 \n\
 ## tcp timestamps\n\
 ## + protect against wrapping sequence numbers (at gigabit speeds)\n\
 ## + round trip time calculation implemented in TCP\n\
 ## - causes extra overhead and allows uptime detection by scanners like nmap\n\
 ## enable @ gigabit speeds\n\
 net.ipv4.tcp_timestamps = 0\n\
 #net.ipv4.tcp_timestamps = 1\n\
 \n\
 ## log martian packets\n\
 net.ipv4.conf.all.log_martians = 1\n\
 \n\
 ## ignore echo broadcast requests to prevent being part of smurf attacks (default)\n\
 net.ipv4.icmp_echo_ignore_broadcasts = 1\n\
 \n\
 ## ignore bogus icmp errors (default)\n\
 net.ipv4.icmp_ignore_bogus_error_responses = 1\n\
 \n\
 ## send redirects (not a router, disable it)\n\
 net.ipv4.conf.all.send_redirects = 0\n\
 \n\
 ## ICMP routing redirects (only secure)\n\
 #net.ipv4.conf.all.secure_redirects = 1 (default)\n\
 net.ipv4.conf.default.accept_redirects=0\n\
 net.ipv4.conf.all.accept_redirects=0\n\
 net.ipv6.conf.default.accept_redirects=0\n\
 net.ipv6.conf.all.accept_redirects=0\" > confs/sysctl-tcpip.append

 echo "## enable grsecurity tpe ##\n\
 kernel.grsecurity.tpe = 1" > confs/sysctl-grc.append

 echo "# Reset environment by default\n\
 Defaults env_reset\n\
 # Set default EDITOR to nano, and do not allow visudo to use EDITOR/VISUAL.\n\
 Defaults editor=/usr/bin/nano, !env_editor\n\
 # require secure umask\n\
 Defaults umask = 0022\n\
 Defaults umask_override" > confs/sudoers.append

 echo "Scripts and Config files downloaded. Now run them in order!"
diff --git a/01-install.sh b/01-install.sh
 ## Use packer to install an AUR helper
 PKGS_GRC="linux-grsec paxd nvidia-grsec gradm"
 PKGS_SEC="firejail iptables sudo openssh"
 PKGS_BOOT="grub efibootmgr os-prober cryptboot efitools sbsigntools"
 PKGS_NVIDIA="nvidia nvidia-settings"
 PKGS_UTILS="nano zsh zsh-syntax-highlighting wget cups cups-pdf"
 PKGS_UI="gnome vlc codecs64 noto-fonts-emoji ttf-monapo font-mathematica ttf-chromeos-fonts"
 PKGS_BROWSER="firefox google-chrome-beta"
 PKGS="$PKGS_GRC $PKGS_SEC $PKGS_BOOT $PKGS_NVIDIA $PKGS_UTILS $PKGS_UI $PKGS_BROWSER" 

 # initialise pacman key
 pacman -Syu
 pacman-key --init
 pacman-key --refreshkeys
 pacman-key --populate archlinux

 # delta updates & automate mirror refreshing
 pacman -S xdelta3 reflector
 cp confs/reflector.service /etc/systemd/system/reflector.service
 cp confs/reflector.timer /etc/systemd/system/reflector.timer
 systemctl start reflector.timer
 systemctl start reflector.service

 # install packaur
 PACKER="https://raw.githubusercontent.com/keenerd/packer/master/packer"
 curl $PACKER -o packer.sh
 chmod +x packer.sh
 ./packer.sh -S pacaur

 # install packages including aur packages

 pacaur -S $PKGS
diff --git a/02-configure.sh b/02-configure.sh
 # TODO: time

 # locales
 sed 's/#(en_US.UTF-8 UTF-8)/\1/' < /etc/locale.gen > /etc/locale.gen
 locale-gen
 echo LANG=en_US.UTF-8 > /etc/locale.conf
 echo ada > /etc/hostname
 echo 127.0.0.1 ada.localdomain ada >> /etc/hosts

 # users
 useradd -m -G wheel,sys -s /bin/zsh ada
 useradd -m -G wheel,sys,log -s /usr/bin/nologin sysadm
 useradd -m -G wheel,http -s /usr/bin/nologin devops

 # TODO: passwords



diff --git a/03-harden.sh b/03-harden.sh
 # sysctl tcp/ip hardening
 cat confs/sysctl-tcpip.append >> /etc/sysctl.d/99-sysctl.conf
 # sysctl grc
 cat confs/sysctl-grc.append >> /etc/sysctl.d/99-sysctl.conf
 # permanently set umask 077
 sed 's/umask 022/umask 077/' < /etc/profile > /etc/profile
 # use nano for visudo & harden sudo umask
 echo confs/sudoers.append >> /etc/sudoers

 # some security groups
 groupadd -r ssh
 groupadd -r tpe
 gpasswd -a ada ssh
 gpasswd -a ada tpe

 # hardening ssh & sudo
 SSH_CONF = "/etc/ssh/sshd_config"
 echo 'AllowGroups ssh' >> $SSH_CONF
 # disable root login and require cert based auth
 sed 's/(PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication) [a-zA-Z\-]+/\1 no/g' < $SSH_CONF > $SSH_CONF
 sudo systemctl restart sshd.service
diff --git a/04-firewall.sh b/04-firewall.sh

 # iptables
 iptables -N TCP
 iptables -N UDP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 iptables -P INPUT DROP
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
 iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
 iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
 iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
 systemctl start iptables
 systemctl enable iptables
 iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
 iptables-save > /etc/iptables/iptables.rules
diff --git a/05-grub.sh b/05-grub.sh
 echo "efi directory?: "
 read $EFI_DIR
 grub-install --target=x86_64-efi --efi-directory=$EFI_DIR --bootloader-id=GRUB
	# script order:
	# install.sh
	# configure.sh
	# harden.sh
	# iptables.sh
	# grub.sh

	# TODO security:
	# - grsec configure
	# - sudo & root hardening
	# - password hash hardening
	# - firejail setup
	# - change default umask
	# - firewall (iptables)
	# - ssh hardening
	# - pacman hardening
	# - bootloader hardening
	#
	# TODO other:
	# - zsh
	# - change boot process, no udev, manually listed modules?
	# - Add user ada to group tpe
	# - Samsung SSD firmware upgrade?
	# - overclocking
	# - CUPS

	# set secure umask. this will be persisted later in harden.sh
	umask 077

	# download our other scripts
	mkdir scripts
	GIST_ROOT = "https://gist.githubusercontent.com/adajw/2ef987082ddce212f519bcf9fdf9c830/raw"
	SC_01 = "$GIST_ROOT/01-install.sh"
	SC_02 = "$GIST_ROOT/02-configure.sh"
	SC_03 = "$GIST_ROOT/03-harden.sh"
	SC_04 = "$GIST_ROOT/04-firewall.sh"
	SC_05 = "$GIST_ROOT/05-grub.sh"
	wget -P scripts $SC_01 $SC_02 $SC_03 $SC_04 $SC_05
	chmod +x scripts/*

	# create some config files to later copy into various places
	mkdir confs
	echo "[Unit]\n\
	Description=Pacman mirrorlist update\n\
	\n\
	\n\
	[Service]\n\
	Type=oneshot\n\
	ExecStart=/usr/bin/reflector --protocol https --latest 30 --number 20 --sort rate --save /etc/pacman.d/mirrorlist" > confs/reflector.service

	echo "[Unit]\n\
	Description=Run reflector weekly\n\
	\n\
	[Timer]\n\
	OnCalendar=weekly\n\
	RandomizedDelaySec=12h\n\
	Persistent=true\n\
	\n\
	[Install]\n\
	WantedBy=timers.target" > confs/reflector.timer

	echo "#### ipv4 networking and equivalent ipv6 parameters ####\n\
	\n\
	## TCP SYN cookie protection (default)\n\
	## helps protect against SYN flood attacks\n\
	## only kicks in when net.ipv4.tcp_max_syn_backlog is reached\n\
	net.ipv4.tcp_syncookies = 1\n\
	\n\
	## protect against tcp time-wait assassination hazards\n\
	## drop RST packets for sockets in the time-wait state\n\
	## (not widely supported outside of linux, but conforms to RFC)\n\
	net.ipv4.tcp_rfc1337 = 1\n\
	\n\
	## sets the kernels reverse path filtering mechanism to value 1(on)\n\
	## will do source validation of the packet's recieved from all the interfaces on the machine\n\
	## protects from attackers that are using ip spoofing methods to do harm\n\
	net.ipv4.conf.all.rp_filter = 1\n\
	net.ipv6.conf.all.rp_filter = 1\n\
	\n\
	## tcp timestamps\n\
	## + protect against wrapping sequence numbers (at gigabit speeds)\n\
	## + round trip time calculation implemented in TCP\n\
	## - causes extra overhead and allows uptime detection by scanners like nmap\n\
	## enable @ gigabit speeds\n\
	net.ipv4.tcp_timestamps = 0\n\
	#net.ipv4.tcp_timestamps = 1\n\
	\n\
	## log martian packets\n\
	net.ipv4.conf.all.log_martians = 1\n\
	\n\
	## ignore echo broadcast requests to prevent being part of smurf attacks (default)\n\
	net.ipv4.icmp_echo_ignore_broadcasts = 1\n\
	\n\
	## ignore bogus icmp errors (default)\n\
	net.ipv4.icmp_ignore_bogus_error_responses = 1\n\
	\n\
	## send redirects (not a router, disable it)\n\
	net.ipv4.conf.all.send_redirects = 0\n\
	\n\
	## ICMP routing redirects (only secure)\n\
	#net.ipv4.conf.all.secure_redirects = 1 (default)\n\
	net.ipv4.conf.default.accept_redirects=0\n\
	net.ipv4.conf.all.accept_redirects=0\n\
	net.ipv6.conf.default.accept_redirects=0\n\
	net.ipv6.conf.all.accept_redirects=0\" > confs/sysctl-tcpip.append

	echo "## enable grsecurity tpe ##\n\
	kernel.grsecurity.tpe = 1" > confs/sysctl-grc.append

	echo "# Reset environment by default\n\
	Defaults env_reset\n\
	# Set default EDITOR to nano, and do not allow visudo to use EDITOR/VISUAL.\n\
	Defaults editor=/usr/bin/nano, !env_editor\n\
	# require secure umask\n\
	Defaults umask = 0022\n\
	Defaults umask_override" > confs/sudoers.append

	echo "Scripts and Config files downloaded. Now run them in order!"
	## Use packer to install an AUR helper
	PKGS_GRC="linux-grsec paxd nvidia-grsec gradm"
	PKGS_SEC="firejail iptables sudo openssh"
	PKGS_BOOT="grub efibootmgr os-prober cryptboot efitools sbsigntools"
	PKGS_NVIDIA="nvidia nvidia-settings"
	PKGS_UTILS="nano zsh zsh-syntax-highlighting wget cups cups-pdf"
	PKGS_UI="gnome vlc codecs64 noto-fonts-emoji ttf-monapo font-mathematica ttf-chromeos-fonts"
	PKGS_BROWSER="firefox google-chrome-beta"
	PKGS="$PKGS_GRC $PKGS_SEC $PKGS_BOOT $PKGS_NVIDIA $PKGS_UTILS $PKGS_UI $PKGS_BROWSER"

	# initialise pacman key
	pacman -Syu
	pacman-key --init
	pacman-key --refreshkeys
	pacman-key --populate archlinux

	# delta updates & automate mirror refreshing
	pacman -S xdelta3 reflector
	cp confs/reflector.service /etc/systemd/system/reflector.service
	cp confs/reflector.timer /etc/systemd/system/reflector.timer
	systemctl start reflector.timer
	systemctl start reflector.service

	# install packaur
	PACKER="https://raw.githubusercontent.com/keenerd/packer/master/packer"
	curl $PACKER -o packer.sh
	chmod +x packer.sh
	./packer.sh -S pacaur

	# install packages including aur packages

	pacaur -S $PKGS
	# TODO: time

	# locales
	sed 's/#(en_US.UTF-8 UTF-8)/\1/' < /etc/locale.gen > /etc/locale.gen
	locale-gen
	echo LANG=en_US.UTF-8 > /etc/locale.conf
	echo ada > /etc/hostname
	echo 127.0.0.1 ada.localdomain ada >> /etc/hosts

	# users
	useradd -m -G wheel,sys -s /bin/zsh ada
	useradd -m -G wheel,sys,log -s /usr/bin/nologin sysadm
	useradd -m -G wheel,http -s /usr/bin/nologin devops

	# TODO: passwords
	# sysctl tcp/ip hardening
	cat confs/sysctl-tcpip.append >> /etc/sysctl.d/99-sysctl.conf
	# sysctl grc
	cat confs/sysctl-grc.append >> /etc/sysctl.d/99-sysctl.conf
	# permanently set umask 077
	sed 's/umask 022/umask 077/' < /etc/profile > /etc/profile
	# use nano for visudo & harden sudo umask
	echo confs/sudoers.append >> /etc/sudoers

	# some security groups
	groupadd -r ssh
	groupadd -r tpe
	gpasswd -a ada ssh
	gpasswd -a ada tpe

	# hardening ssh & sudo
	SSH_CONF = "/etc/ssh/sshd_config"
	echo 'AllowGroups ssh' >> $SSH_CONF
	# disable root login and require cert based auth
	sed 's/(PermitRootLogin\|PasswordAuthentication\|ChallengeResponseAuthentication) [a-zA-Z\-]+/\1 no/g' < $SSH_CONF > $SSH_CONF
	sudo systemctl restart sshd.service

	# iptables
	iptables -N TCP
	iptables -N UDP
	iptables -P FORWARD DROP
	iptables -P OUTPUT ACCEPT
	iptables -P INPUT DROP
	iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
	iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
	iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
	iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
	systemctl start iptables
	systemctl enable iptables
	iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
	iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
	iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
	iptables-save > /etc/iptables/iptables.rules
	echo "efi directory?: "
	read $EFI_DIR
	grub-install --target=x86_64-efi --efi-directory=$EFI_DIR --bootloader-id=GRUB