1779491965
This commit is contained in:
@@ -0,0 +1,123 @@
|
||||
#IPTABLES RULES
|
||||
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
|
||||
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
|
||||
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
|
||||
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
|
||||
iptables -t mangle -A PREROUTING -p icmp -j DROP
|
||||
iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
|
||||
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
|
||||
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
|
||||
iptables -t mangle -A PREROUTING -f -j DROP
|
||||
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
||||
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
|
||||
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
|
||||
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
|
||||
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
|
||||
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
|
||||
iptables -N port-scanning
|
||||
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
|
||||
iptables -A port-scanning -j DROP
|
||||
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
|
||||
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
|
||||
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
|
||||
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
|
||||
iptables -A INPUT -m recent --name portscan --remove
|
||||
iptables -A FORWARD -m recent --name portscan --remove
|
||||
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
|
||||
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
|
||||
|
||||
#KERNEL RULES
|
||||
kernel.printk = 4 4 1 7
|
||||
kernel.panic = 10
|
||||
kernel.sysrq = 0
|
||||
kernel.shmmax = 4294967296
|
||||
kernel.shmall = 4194304
|
||||
kernel.core_uses_pid = 1
|
||||
kernel.msgmnb = 65536
|
||||
kernel.msgmax = 65536
|
||||
vm.swappiness = 20
|
||||
vm.dirty_ratio = 80
|
||||
vm.dirty_background_ratio = 5
|
||||
fs.file-max = 2097152
|
||||
net.core.netdev_max_backlog = 262144
|
||||
net.core.rmem_default = 31457280
|
||||
net.core.rmem_max = 67108864
|
||||
net.core.wmem_default = 31457280
|
||||
net.core.wmem_max = 67108864
|
||||
net.core.somaxconn = 65535
|
||||
net.core.optmem_max = 25165824
|
||||
net.ipv4.neigh.default.gc_thresh1 = 4096
|
||||
net.ipv4.neigh.default.gc_thresh2 = 8192
|
||||
net.ipv4.neigh.default.gc_thresh3 = 16384
|
||||
net.ipv4.neigh.default.gc_interval = 5
|
||||
net.ipv4.neigh.default.gc_stale_time = 120
|
||||
net.netfilter.nf_conntrack_max = 10000000
|
||||
net.netfilter.nf_conntrack_tcp_loose = 0
|
||||
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
|
||||
net.netfilter.nf_conntrack_tcp_timeout_close = 10
|
||||
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
|
||||
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20
|
||||
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20
|
||||
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
|
||||
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
|
||||
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
|
||||
net.ipv4.tcp_slow_start_after_idle = 0
|
||||
net.ipv4.ip_local_port_range = 1024 65000
|
||||
net.ipv4.ip_no_pmtu_disc = 1
|
||||
net.ipv4.route.flush = 1
|
||||
net.ipv4.route.max_size = 8048576
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
net.ipv4.tcp_congestion_control = htcp
|
||||
net.ipv4.tcp_mem = 65536 131072 262144
|
||||
net.ipv4.udp_mem = 65536 131072 262144
|
||||
net.ipv4.tcp_rmem = 4096 87380 33554432
|
||||
net.ipv4.udp_rmem_min = 16384
|
||||
net.ipv4.tcp_wmem = 4096 87380 33554432
|
||||
net.ipv4.udp_wmem_min = 16384
|
||||
net.ipv4.tcp_max_tw_buckets = 1440000
|
||||
net.ipv4.tcp_tw_recycle = 0
|
||||
net.ipv4.tcp_tw_reuse = 1
|
||||
net.ipv4.tcp_max_orphans = 400000
|
||||
net.ipv4.tcp_window_scaling = 1
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.tcp_synack_retries = 1
|
||||
net.ipv4.tcp_syn_retries = 2
|
||||
net.ipv4.tcp_max_syn_backlog = 16384
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
net.ipv4.tcp_sack = 1
|
||||
net.ipv4.tcp_fack = 1
|
||||
net.ipv4.tcp_ecn = 2
|
||||
net.ipv4.tcp_fin_timeout = 10
|
||||
net.ipv4.tcp_keepalive_time = 600
|
||||
net.ipv4.tcp_keepalive_intvl = 60
|
||||
net.ipv4.tcp_keepalive_probes = 10
|
||||
net.ipv4.tcp_no_metrics_save = 1
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
@@ -0,0 +1,16 @@
|
||||
<VirtualHost $IP:443>
|
||||
DocumentRoot /var/www/$DOMAIN
|
||||
ServerName $DOMAIN
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/letsencrypt/live/$DOMAIN/fullchain.pem
|
||||
SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN/privkey.pem
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLHonorCipherOrder on
|
||||
SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
|
||||
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost $IP:80>
|
||||
ServerName $DOMAIN
|
||||
Redirect permanent / https://$DOMAIN/
|
||||
</VirtualHost>
|
||||
@@ -0,0 +1,3 @@
|
||||
0 8 * * * chkrootkit -q
|
||||
0 11 * * 0 lynis -q
|
||||
0 0 * * * apt update; apt upgrade -y
|
||||
@@ -0,0 +1,148 @@
|
||||
Ubuntu 24.04.3LTS
|
||||
PHP-default
|
||||
Apache2
|
||||
MySQL+phpmyadmin
|
||||
|
||||
# Step 1
|
||||
sudo -i
|
||||
apt update
|
||||
apt -y upgrade
|
||||
reboot
|
||||
|
||||
# Step 2
|
||||
nano /etc/ssh/sshd_config
|
||||
Change `#PasswordAuthentication yes` to `PasswordAuthentication no`
|
||||
Add line
|
||||
`AllowUsers <username>`
|
||||
|
||||
# Step 3
|
||||
ON WINDOWS:
|
||||
Via PowerShell
|
||||
enable OpenSSH in PowerShell: https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
|
||||
ssh-keygen -t ed25519 -C "<your email address>"
|
||||
use a STRONG PASSPHRASE
|
||||
Hit [Enter] to save keys at DEFAULT location
|
||||
to get your rsa PUBLIC key, do:
|
||||
Press [Windows Logo Key/Start]+R
|
||||
Put in `notepad %USERPROFILE%/.ssh/id_ed25519.pub`
|
||||
hit Enter
|
||||
copy all the text in that file
|
||||
# Technical details: it saves private key at %USERPROFILE%/.ssh/id_ed25519
|
||||
# private key example: C:\Users\potatouser\.ssh\id_ed25519
|
||||
# public key example: C:\Users\potatouser\.ssh\id_ed25519.pub
|
||||
|
||||
|
||||
ON UBUNTU
|
||||
mkdir ~/.ssh
|
||||
chmod 700 ~/.ssh
|
||||
nano ~/.ssh/authorized_keys
|
||||
<paste rsa PUBLIC key>
|
||||
chmod 600 ~/.ssh/authorized_keys
|
||||
sudo systemctl reload sshd
|
||||
|
||||
TO CONNECT
|
||||
SSH with Windows PowerShell
|
||||
Powershell is installed by default on Windows 10/11
|
||||
ssh <username>@<ipaddress>
|
||||
|
||||
Manage Files with WinSCP:
|
||||
install winscp https://winscp.net/eng/download.php
|
||||
install puttygen https://www.puttygen.com/download.php?val=4
|
||||
run puttygen
|
||||
Click Load
|
||||
Select private key at %USERPROFILE%/.ssh/id_ed25519
|
||||
copy and paste the string of text beginning in ssh-ed25519 and paste
|
||||
save public and private key to %USERPROFILE%/.ssh/ under a %USERPROFILE%/.ssh/id_ed25519.ppk (private)
|
||||
and %USERPROFILE%/.ssh/id_ed25519.ppk.pub (public)
|
||||
run winscp
|
||||
click new site
|
||||
protocol: SFTP
|
||||
host name: <server/ip>
|
||||
username: <username>
|
||||
port number: 22
|
||||
click Advanced
|
||||
on left panel under SSH click Authentication
|
||||
Browse for private key at %USERPROFILE%/.ssh/id_ed25519.ppk
|
||||
ok
|
||||
save
|
||||
|
||||
# Step 4
|
||||
sudo apt install -y git
|
||||
# download and install scripts and tools
|
||||
cd ~
|
||||
git clone https://github.com/PrincessPi3/general-scripts-and-system-ssssssetup.git
|
||||
sudo -i
|
||||
apt install -y apache2 snapd mysql-server byobu nmap screen iotop zip unzip lynx htop php php-cli php-fpm php-json php-common php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath unattended-upgrades net-tools python3 python3-pip unison
|
||||
snap install btop
|
||||
# secure mysql
|
||||
mysql_secure_installation
|
||||
# follow directions, defaults are fine just remember what you set as the root password
|
||||
# install and config phpmyadmin
|
||||
apt install -y phpmyadmin
|
||||
ln -s /usr/share/phpmyadmin /var/www/html/pma
|
||||
# phpmyadmin will be accessable from the public internet at http://<your server ip>/pma
|
||||
# ensure your passwords are up to snuff
|
||||
// TODO: prolly should do some other security shit to protect phpmyadmin
|
||||
systemctl restart apache2
|
||||
systemctl restart mysql
|
||||
# add user to web server group
|
||||
usermod -a -G www-data <username>
|
||||
# unattended upgrades
|
||||
dpkg-reconfigure unattended-upgrades
|
||||
nano /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
change `//Unattended-Upgrade::Automatic-Reboot "false";` to `Unattended-Upgrade::Automatic-Reboot "true";`
|
||||
change `//Unattended-Upgrade::Remove-Unused-Dependencies "false";` to `Unattended-Upgrade::Remove-Unused-Dependencies "true";`
|
||||
change `//Unattended-Upgrade::Mail "root@localhost";` to Unattended-Upgrade::Mail "<your admin email>";`
|
||||
systemctl start unattended-upgrades && systemctl enable unattended-upgrades
|
||||
unattended-upgrade -d -v //test unattended upgrades
|
||||
# uncomplicated firewall setup
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow ssh
|
||||
ufw enable
|
||||
reboot
|
||||
|
||||
|
||||
// TODO: backups setup needs more work, not working at current
|
||||
// make unison script pls
|
||||
// SKIP backups section for now
|
||||
# backups
|
||||
sudo -i
|
||||
mkdir -p /backups/log
|
||||
mkdir /backups/backups
|
||||
ln -s /var/backups /backups/system
|
||||
cp -r /home/<user>/general-scripts-and-system-ssssssetup/customscripts /usr/share
|
||||
chmod +x /usr/share/customscripts/*sh
|
||||
nano /usr/share/customscripts/backup.sh //edit to add dirs to back up
|
||||
sh /usr/share/customscripts/crowdsec.sh
|
||||
screen -R backups
|
||||
sh /usr/share/customscripts/backup.sh
|
||||
Ctrl+A+D
|
||||
sh /usr/share/customscripts/fix_permissions.sh
|
||||
|
||||
# Step 5
|
||||
# install some cool securiy tools
|
||||
apt install -y chkrootkit lynis certbot fail2ban
|
||||
crontab -e //instal crons from /home/<user>/general-scripts-and-system-ssssssetup/crontab.txt
|
||||
apt install -y tripwire
|
||||
Follow directions and utilize secure passphrase DO NOT LOSE PASSPHRASE
|
||||
# as primary user (NOT root or sudo, run `exit` if in doubt)
|
||||
pip3 install thefuck
|
||||
echo "# user addons" >> ~/.bashrc
|
||||
echo "PATH=~/.local/bin/:$PATH" >> ~/.bashrc
|
||||
echo 'eval "$(thefuck --alias)"' >> ~/.bashrc
|
||||
echo 'HISTTIMEFORMAT="%Y-%m-%d %T "' >> ~/.bashrc
|
||||
source ~/.bashrc
|
||||
|
||||
Step 6: # optional
|
||||
IF you want to use sudo without password check:
|
||||
sudo visudo
|
||||
for ONE user:
|
||||
select editor of your choice
|
||||
add `<username> ALL=(ALL) NOPASSWD: ALL`
|
||||
|
||||
OR for all users in the sudo group
|
||||
comment out the line beginning with %sudo soi it looks like #%sudo
|
||||
add `%sudo ALL=(ALL) NOPASSWD: ALL` on any new line
|
||||
save and exit
|
||||
sudo reboot
|
||||
Reference in New Issue
Block a user