yg-ht · February 28, 2020 15:36
diff --git a/buildscript.sh b/buildscript.sh
 #!/bin/bash
 passwd #reset root user password
 deluser --remove-all-files ubuntu -q 2>/dev/null # remove default user account
 sed -i 's/^# deb/deb/g' /etc/apt/sources.list # enable all default package sources
 apt update && apt upgrade -y # update all installed packages
 apt -y install fail2ban unattended-upgrades haveged htop apparmor-utils libpam-pwquality debsums apt-show-versions arpwatch # install some extra packages
 # create cron job that updates and reboots on a weekly basis (uptime is not critical)
 echo "# ┌───────────── minute (0 - 59)" > customcron
 echo "# │  ┌───────────── hour (0 - 23)" >> customcron
 echo "# │  │ ┌───────────── day of month (1 - 31)" >> customcron
 echo "# │  │ │ ┌───────────── month (1 - 12)" >> customcron
 echo "# │  │ │ │ ┌───────────── day of week (0 - 6) (Sunday to Saturday; 7 is also Sunday on some systems)" >> customcron
 echo "# │  │ │ │ │" >> customcron
 echo "# *  * * * *  command to execute" >> customcron
 echo "  0  0 * * * /usr/bin/apt update" >> customcron
 echo "  0  4 * * 6 /usr/bin/apt upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'" >> customcron
 echo "  30 5 * * 6 /usr/bin/purge-old-kernels  --keep 3 -qy" >> customcron
 echo "  0  6 * * 6 /usr/bin/apt autoremove -y" >> customcron
 echo "  30 6 * * 6 /sbin/reboot" >> customcron
 crontab customcron
 sed -i 's/^Port 22/Port [PORT]/g' /etc/ssh/sshd_config # change default SSH port
 sed -i '/^PermitRootLogin*/c\PermitRootLogin without-password' /etc/ssh/sshd_config # permitting root login, but only with an SSH key
 sed -i 's/^ServerKeyBits 1024/ServerKeyBits 4096/' /etc/ssh/sshd_config # shouldn't matter now because of rest of config, but upgrade key size anyway just in case
 sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config # disallow password auth
 echo "" >> /etc/ssh/sshd_config # add a space into the file so it doesn't go mental
 echo "Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config # set permitted SSH ciphers
 echo "KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config # set permitted SSH key exchange ciphers
 echo "MACs [email protected],[email protected],[email protected]" >> /etc/ssh/sshd_config # set permitted SSH MACs
 echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
 echo "ClientAliveCountMax 2" >> /etc/ssh/sshd_config
 echo "Compression no" >> /etc/ssh/sshd_config
 echo "MaxAuthTries 2" >> /etc/ssh/sshd_config
 echo "MaxSessions 2" >> /etc/ssh/sshd_config
 echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
 sed -i '/^LogLevel*/c\LogLevel VERBOSE' /etc/ssh/sshd_config
 sed -i '/^TCPKeepAlive*/c\TCPKeepAlive no' /etc/ssh/sshd_config
 sed -i '/^X11Forwarding*/c\X11Forwarding no' /etc/ssh/sshd_config
 cp /etc/ssh/moduli /etc/ssh/moduli.bak # backup the original moduli file
 awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli" # remove any weak moduli
 mv "${HOME}/moduli" /etc/ssh/moduli # replace the original moduli file
 rm -v /etc/ssh/ssh_host_*key* # remove default SSH host keys
 ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null # recreate good SSH host key
 ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" < /dev/null # and again
 echo 'APT::Periodic::Update-Package-Lists "1";' >> /etc/apt/apt.conf.d/20auto-upgrades # use built-in package updater, I think only for critical patches, I want all patches but that is only weekly
 echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades # and again
 sed -i 's/pam_pwquality.so retry=3/pam_pwquality.so try_first_pass retry=3/g' /etc/pam.d/common-password
 echo "minlen=24" >> /etc/security/pwquality.conf
 echo "dcredit=-1" >> /etc/security/pwquality.conf
 echo "ucredit=-1" >> /etc/security/pwquality.conf
 echo "ocredit=-1" >> /etc/security/pwquality.conf
 echo "lcredit=-1" >> /etc/security/pwquality.conf
 sed -i 's/99999$/365/g' /etc/login.defs # set a maximum age for passwords of one year
 sed -i '/^PASS_MIN_DAYS*/c\PASS_MIN_DAYS 2' /etc/login.defs # set a minimum number of days for each password greater than zero
 echo -e "blacklist uas\nblacklist usb_storage" > /etc/modprobe.d/blacklist_usbdrive.conf # disable USB storage
 echo 'install udf /bin/true' > /etc/modprobe.d/CIS.conf
 echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
 echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
 sed -i 's/#Banner \/etc\/issue.net/Banner \/etc\/issue.net/g' /etc/ssh/sshd_config
 echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
 echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
 echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
 sed -i 's/#net.ipv4.conf.all.log_martians/net.ipv4.conf.all.log_martians/g' /etc/sysctl.conf
 echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf
 echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf
 echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
 echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
 echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
 echo "alias nano='nano -c'" >> ~/.bashrc
 cd /opt && git clone https://github.com/CISOfy/lynis.git
 ufw allow from [IP]/32 to any port [SSHPORT] proto tcp # FW rule for non-standard SSH, only permittable from my VPN server
 ufw --force enable # reload FW
 reboot # bounce it
	#!/bin/bash
	passwd #reset root user password
	deluser --remove-all-files ubuntu -q 2>/dev/null # remove default user account
	sed -i 's/^# deb/deb/g' /etc/apt/sources.list # enable all default package sources
	apt update && apt upgrade -y # update all installed packages
	apt -y install fail2ban unattended-upgrades haveged htop apparmor-utils libpam-pwquality debsums apt-show-versions arpwatch # install some extra packages
	# create cron job that updates and reboots on a weekly basis (uptime is not critical)
	echo "# ┌───────────── minute (0 - 59)" > customcron
	echo "# │ ┌───────────── hour (0 - 23)" >> customcron
	echo "# │ │ ┌───────────── day of month (1 - 31)" >> customcron
	echo "# │ │ │ ┌───────────── month (1 - 12)" >> customcron
	echo "# │ │ │ │ ┌───────────── day of week (0 - 6) (Sunday to Saturday; 7 is also Sunday on some systems)" >> customcron
	echo "# │ │ │ │ │" >> customcron
	echo "# * * * * * command to execute" >> customcron
	echo " 0 0 * * * /usr/bin/apt update" >> customcron
	echo " 0 4 * * 6 /usr/bin/apt upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'" >> customcron
	echo " 30 5 * * 6 /usr/bin/purge-old-kernels --keep 3 -qy" >> customcron
	echo " 0 6 * * 6 /usr/bin/apt autoremove -y" >> customcron
	echo " 30 6 * * 6 /sbin/reboot" >> customcron
	crontab customcron
	sed -i 's/^Port 22/Port [PORT]/g' /etc/ssh/sshd_config # change default SSH port
	sed -i '/^PermitRootLogin*/c\PermitRootLogin without-password' /etc/ssh/sshd_config # permitting root login, but only with an SSH key
	sed -i 's/^ServerKeyBits 1024/ServerKeyBits 4096/' /etc/ssh/sshd_config # shouldn't matter now because of rest of config, but upgrade key size anyway just in case
	sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config # disallow password auth
	echo "" >> /etc/ssh/sshd_config # add a space into the file so it doesn't go mental
	echo "Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config # set permitted SSH ciphers
	echo "KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config # set permitted SSH key exchange ciphers
	echo "MACs [email protected],[email protected],[email protected]" >> /etc/ssh/sshd_config # set permitted SSH MACs
	echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
	echo "ClientAliveCountMax 2" >> /etc/ssh/sshd_config
	echo "Compression no" >> /etc/ssh/sshd_config
	echo "MaxAuthTries 2" >> /etc/ssh/sshd_config
	echo "MaxSessions 2" >> /etc/ssh/sshd_config
	echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
	sed -i '/^LogLevel*/c\LogLevel VERBOSE' /etc/ssh/sshd_config
	sed -i '/^TCPKeepAlive*/c\TCPKeepAlive no' /etc/ssh/sshd_config
	sed -i '/^X11Forwarding*/c\X11Forwarding no' /etc/ssh/sshd_config
	cp /etc/ssh/moduli /etc/ssh/moduli.bak # backup the original moduli file
	awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli" # remove any weak moduli
	mv "${HOME}/moduli" /etc/ssh/moduli # replace the original moduli file
	rm -v /etc/ssh/ssh_host_key # remove default SSH host keys
	ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null # recreate good SSH host key
	ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" < /dev/null # and again
	echo 'APT::Periodic::Update-Package-Lists "1";' >> /etc/apt/apt.conf.d/20auto-upgrades # use built-in package updater, I think only for critical patches, I want all patches but that is only weekly
	echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades # and again
	sed -i 's/pam_pwquality.so retry=3/pam_pwquality.so try_first_pass retry=3/g' /etc/pam.d/common-password
	echo "minlen=24" >> /etc/security/pwquality.conf
	echo "dcredit=-1" >> /etc/security/pwquality.conf
	echo "ucredit=-1" >> /etc/security/pwquality.conf
	echo "ocredit=-1" >> /etc/security/pwquality.conf
	echo "lcredit=-1" >> /etc/security/pwquality.conf
	sed -i 's/99999$/365/g' /etc/login.defs # set a maximum age for passwords of one year
	sed -i '/^PASS_MIN_DAYS*/c\PASS_MIN_DAYS 2' /etc/login.defs # set a minimum number of days for each password greater than zero
	echo -e "blacklist uas\nblacklist usb_storage" > /etc/modprobe.d/blacklist_usbdrive.conf # disable USB storage
	echo 'install udf /bin/true' > /etc/modprobe.d/CIS.conf
	echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
	echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
	sed -i 's/#Banner \/etc\/issue.net/Banner \/etc\/issue.net/g' /etc/ssh/sshd_config
	echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
	sed -i 's/#net.ipv4.conf.all.log_martians/net.ipv4.conf.all.log_martians/g' /etc/sysctl.conf
	echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf
	echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
	echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
	echo "alias nano='nano -c'" >> ~/.bashrc
	cd /opt && git clone https://github.com/CISOfy/lynis.git
	ufw allow from [IP]/32 to any port [SSHPORT] proto tcp # FW rule for non-standard SSH, only permittable from my VPN server
	ufw --force enable # reload FW
	reboot # bounce it