Skip to content

Instantly share code, notes, and snippets.

@MrGraversen
Last active October 21, 2024 11:25
Show Gist options
  • Save MrGraversen/734364483641afae903c8e86ce464868 to your computer and use it in GitHub Desktop.
Save MrGraversen/734364483641afae903c8e86ce464868 to your computer and use it in GitHub Desktop.
Base cloud-init for security hardening, SSH, Docker, etc.
#cloud-config
package_update: true
manage_resolv_conf: true
resolv_conf:
nameservers:
- '8.8.8.8'
- '8.8.4.4'
- '1.1.1.1'
users:
- name: martin
groups:
- docker
lock_passwd: true
shell: /bin/bash
ssh-authorized-keys:
- ssh-rsa ...
sudo:
- ALL=(ALL) NOPASSWD:ALL
write_files:
- path: /etc/ssh/sshd_config
content: |
Port 2222
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment yes
PasswordAuthentication no
StrictModes yes
DebianBanner no
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
MaxAuthTries 3
AllowAgentForwarding no
AllowUsers martin
packages:
- docker.io
- docker-compose
- fail2ban
- ufw
- apt-transport-https
- ca-certificates
- curl
- gnupg-agent
- software-properties-common
- bat
- tree
- zip
- unzip
- openjdk-11-jdk-headless
runcmd:
- ufw default deny incoming
- ufw default allow outgoing
- ufw allow 2222/tcp
- ufw enable

Cloud Init

Initial YAML configuration file for initializing new cloud services, based on my preferences.

What It Does

Installations

  • fail2ban (uses system log files to ban potentially malicious IPs)
  • ufw (simple firewall, configured to allow HTTP/S)
  • Docker
  • SDKMAN!
  • Various dependencies

Users

User martin with appropriate public key.

Configuration

SSHD

  • Deactivate the root login
  • Enable user for SSH
  • Automatic disconnection in case of incorrect login
  • Deactivate unused functions

UFW

  • Allow TCP 80, 443
  • Allow SSH
curl -s "https://get.sdkman.io" | bash
sudo apt-get install -y maven
git config --global user.name "Martin ..."
git config --global user.email martin@...
cat /dev/zero | ssh-keygen -q -N ""
@dandrzejewski
Copy link

Thanks for this!

manage-resolv-conf should be manage_resolv_conf.

@MrGraversen
Copy link
Author

Great catch, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment