-
-
Save MitsuhaMiyamizu/a4178d9f8f17caca6618a806307d4d97 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Update the GCC and the whole system, using hardened GCC to get every package hardened. | |
| # emerge --sync | |
| # eselect news read new | |
| # emerge eix | |
| # eix-update | |
| # screen -R eme | |
| # eselect profile list | |
| # eselect profile set [hardening profile number] | |
| # source /etc/profile | |
| # emerge --oneshot gcc | |
| # emerge --oneshot binutils virtual/libc | |
| # emerge --update --deep --with-bdeps=y --newuse --autounmask-write world | |
| 修改防火墙设置,禁止ping,以及只允许http/https连入,默认放行SSH/tcp | |
| # ufw default reject | |
| # ufw allow 22/tcp | |
| # ufw allow in http | |
| # ufw allow in https | |
| # vim /etc/ufw/before.rules | |
| #修改配置#允许ping | |
| # -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT | |
| #禁止ping | |
| # -A ufw-before-input -p icmp --icmp-type echo-request -j DROP | |
| # nano /etc/conf.d/hostname | |
| # echo clock="local" >> /etc/conf.d/hwclock | |
| # echo 'LANG="en_US.UTF-8"' > /etc/env.d/02local | |
| # echo 'LC_COLLATE="C"' >> /etc/env.d/02local | |
| # locale-gen | |
| # echo "gem: --no-ri --no-rdoc" > /etc/skel/.gemrc | |
| # echo "umask 002" >> /etc/skel/.bashrc | |
| # echo "export RBENV_ROOT=/usr/local/rbenv" >> /etc/skel/.bashrc | |
| # echo 'export PATH="$RBENV_ROOT/shims:$RBENV_ROOT/bin:$PATH"' >> /etc/skel/.bashrc | |
| # groupadd web, sftponly | |
| # useradd -m -g web -G users,wheel,cron -s /bin/bash your_regular_user | |
| # passwd your_regular_user | |
| # useradd -m -g web -G users,cron -s /bin/bash deployer | |
| # passwd deployer | |
| # useradd -m -g web -G users,[wheel],[sftponly],[cron] -s /bin/bash hosted_site_user | |
| # passwd hosted_site_user | |
| # chgrp root /home/hosted_site_user | |
| # chown root /home/hosted_site_user | |
| # mkdir /home/hosted_site_user/www | |
| # mkdir /home/hosted_site_user/www/app | |
| # chmod g+w /home/hosted_site_user/www/app | |
| # chgrp web /home/hosted_site_user/www/app | |
| # chown hosted_site_user /home/hosted_site_user/www/app | |
| [sftponly] -> add sftp access and blocks remote ssh login | |
| # cp /usr/share/zoneinfo/Europe/Rome /etc/localtime | |
| # echo "Europe/Rome" > /etc/timezone | |
| # netselect -s 3 pool.ntp.org >> /etc/ntp.conf | |
| # USE="-perl nginx_modules_http_gzip_static -nginx_modules_http_geo -X -alsa -cups -ant" >> /etc/make.conf | |
| # emerge nginx sqlite git | |
| # nano /etc/ssh/sshd_config | |
| Subsystem sftp internal-sftp | |
| Match Group sftponly | |
| ChrootDirectory %h/www/ | |
| AllowTCPForwarding no | |
| X11Forwarding no | |
| ForceCommand internal-sftp -u 0002 | |
| # emerge -a --depclean | |
| # emerge -uDNa --with-bdeps=y world | |
| # revdep-rebuild | |
| # Shared rbenv | |
| # cd /usr/local | |
| # git clone git://github.com/sstephenson/rbenv.git rbenv | |
| # chgrp -R web rbenv/ | |
| # chmod g+w rbenv/ | |
| # mkdir /usr/local/rbenv/plugins | |
| # cd /usr/local/rbenv/plugins | |
| # git clone git://github.com/sstephenson/ruby-build.git | |
| # chgrp -R web ruby-build | |
| # emerge libyaml | |
| $ rbenv install --list | |
| $ rbenv install 1.9.3-p362 | |
| $ rbenv rehash | |
| $ rbenv global 1.9.3-p362 | |
| $ gem install bundler |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OK, today I have modified this script to make it only allows specifical incoming and outcoming & forbids any client to ping my server.