Arch Linux
# script order:
# install.sh
# configure.sh
# harden.sh
# iptables.sh
# grub.sh
# TODO security:
# - grsec configure
# - sudo & root hardening
# - password hash hardening
# - firejail setup
# - change default umask
# - firewall (iptables)
# - ssh hardening
# - pacman hardening
# - bootloader hardening
#
# TODO other:
# - zsh
# - change boot process, no udev, manually listed modules?
# - Add user ada to group tpe
# - Samsung SSD firmware upgrade?
# - overclocking
# - CUPS
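# set secure umask. this will be persisted later in harden.sh
umask 077
# abort on the first failed step and on any unset variable (portable sh subset)
set -eu

# download our other scripts
# NOTE(review): the scripts are fetched over HTTPS and then made executable with
# no further integrity check; pinning GIST_ROOT to a fixed gist revision and
# comparing a known checksum before chmod +x would make this bootstrap
# tamper-evident.
mkdir -p scripts
# no spaces around '=': "VAR = value" runs a command called VAR instead of assigning
GIST_ROOT="https://gist.githubusercontent.com/adajw/2ef987082ddce212f519bcf9fdf9c830/raw"
SC_01="$GIST_ROOT/01-install.sh"
SC_02="$GIST_ROOT/02-configure.sh"
SC_03="$GIST_ROOT/03-harden.sh"
SC_04="$GIST_ROOT/04-firewall.sh"
SC_05="$GIST_ROOT/05-grub.sh"
wget -P scripts "$SC_01" "$SC_02" "$SC_03" "$SC_04" "$SC_05"
chmod +x scripts/*

# create some config files to later copy into various places
# Each file is written with a quoted here-doc: the contents are literal and
# nothing is expanded. (The original used echo "...\n\" continuations, which in
# bash leaves literal "\n" in the file and drops the line breaks.)
mkdir -p confs

cat > confs/reflector.service <<'EOF'
[Unit]
Description=Pacman mirrorlist update


[Service]
Type=oneshot
ExecStart=/usr/bin/reflector --protocol https --latest 30 --number 20 --sort rate --save /etc/pacman.d/mirrorlist
EOF

cat > confs/reflector.timer <<'EOF'
[Unit]
Description=Run reflector weekly

[Timer]
OnCalendar=weekly
RandomizedDelaySec=12h
Persistent=true

[Install]
WantedBy=timers.target
EOF

# NOTE(review): net.ipv6.conf.*.rp_filter is not a kernel sysctl as far as I
# know (reverse-path filtering is IPv4-only); sysctl will likely report that
# key as unknown — confirm and drop it if so.
cat > confs/sysctl-tcpip.append <<'EOF'
#### ipv4 networking and equivalent ipv6 parameters ####

## TCP SYN cookie protection (default)
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## sets the kernels reverse path filtering mechanism to value 1(on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.rp_filter = 1

## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1

## log martian packets
net.ipv4.conf.all.log_martians = 1

## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1

## ignore bogus icmp errors (default)
net.ipv4.icmp_ignore_bogus_error_responses = 1

## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## ICMP routing redirects (only secure)
#net.ipv4.conf.all.secure_redirects = 1 (default)
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
EOF

cat > confs/sysctl-grc.append <<'EOF'
## enable grsecurity tpe ##
kernel.grsecurity.tpe = 1
EOF

# NOTE(review): "Defaults umask = 0022" together with umask_override makes
# commands run through sudo use 0022 even though this script sets umask 077
# everywhere else — confirm that is intended rather than 0077.
cat > confs/sudoers.append <<'EOF'
# Reset environment by default
Defaults env_reset
# Set default EDITOR to nano, and do not allow visudo to use EDITOR/VISUAL.
Defaults editor=/usr/bin/nano, !env_editor
# require secure umask
Defaults umask = 0022
Defaults umask_override
EOF

printf '%s\n' "Scripts and Config files downloaded. Now run them in order!"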
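## Use packer to install an AUR helper
# stop at the first failed step; a half-configured keyring or missing helper
# would otherwise be silently carried into the package install below
set -eu

# package groups as arrays, so names never depend on word-splitting
PKGS_GRC=(linux-grsec paxd nvidia-grsec gradm)
PKGS_SEC=(firejail iptables sudo openssh)
PKGS_BOOT=(grub efibootmgr os-prober cryptboot efitools sbsigntools)
PKGS_NVIDIA=(nvidia nvidia-settings)
PKGS_UTILS=(nano zsh zsh-syntax-highlighting wget cups cups-pdf)
PKGS_UI=(gnome vlc codecs64 noto-fonts-emoji ttf-monapo font-mathematica ttf-chromeos-fonts)
PKGS_BROWSER=(firefox google-chrome-beta)
PKGS=(
  "${PKGS_GRC[@]}" "${PKGS_SEC[@]}" "${PKGS_BOOT[@]}" "${PKGS_NVIDIA[@]}"
  "${PKGS_UTILS[@]}" "${PKGS_UI[@]}" "${PKGS_BROWSER[@]}"
)

# initialise pacman key
pacman -Syu
pacman-key --init
pacman-key --refreshkeys
pacman-key --populate archlinux

# delta updates & automate mirror refreshing
pacman -S xdelta3 reflector
cp confs/reflector.service /etc/systemd/system/reflector.service
cp confs/reflector.timer /etc/systemd/system/reflector.timer
systemctl start reflector.timer
systemctl start reflector.service

# install packaur
PACKER="https://raw.githubusercontent.com/keenerd/packer/master/packer"
# -f: fail on an HTTP error so an error page is never chmod'ed and executed.
# NOTE(review): the helper is still run straight from the download with no
# integrity check beyond TLS — pin a revision/checksum before relying on it.
curl -f "$PACKER" -o packer.sh
chmod +x packer.sh
./packer.sh -S pacaur

# install packages including aur packages
# NOTE(review): makepkg-based helpers such as pacaur generally refuse to build
# as root; presumably this step is meant to run as the unprivileged user — confirm.
pacaur -S "${PKGS[@]}"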
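# TODO: time
set -eu

# locales
# Edit in place: the original redirected sed's output back onto its own input
# ("< f > f"), which truncates /etc/locale.gen before sed reads it. -E is
# required for the ( ) group; without it \1 has nothing to refer to.
sed -E -i 's/^#(en_US\.UTF-8 UTF-8)/\1/' /etc/locale.gen
locale-gen
printf '%s\n' 'LANG=en_US.UTF-8' > /etc/locale.conf
printf '%s\n' 'ada' > /etc/hostname
printf '%s\n' '127.0.0.1 ada.localdomain ada' >> /etc/hosts

# users
useradd -m -G wheel,sys -s /bin/zsh ada
# NOTE(review): sysadm and devops are in wheel but get a nologin shell —
# presumably intended as sudo-only service accounts; confirm.
useradd -m -G wheel,sys,log -s /usr/bin/nologin sysadm
useradd -m -G wheel,http -s /usr/bin/nologin devops
# TODO: passwords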
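# sysctl tcp/ip hardening
set -eu
cat confs/sysctl-tcpip.append >> /etc/sysctl.d/99-sysctl.conf
# sysctl grc
cat confs/sysctl-grc.append >> /etc/sysctl.d/99-sysctl.conf

# permanently set umask 077
# in place: redirecting sed back onto its input ("< f > f") truncates /etc/profile
# before it is read
sed -i 's/umask 022/umask 077/' /etc/profile

# use nano for visudo & harden sudo umask
# The original echoed the *filename* "confs/sudoers.append" into /etc/sudoers
# rather than its contents. Validate the merged result with visudo first: a
# sudoers that does not parse locks every sudo user out.
sudoers_tmp=$(mktemp) || exit 1
cat /etc/sudoers confs/sudoers.append > "$sudoers_tmp"
visudo -cf "$sudoers_tmp"
rm -f -- "$sudoers_tmp"
cat confs/sudoers.append >> /etc/sudoers

# some security groups
groupadd -r ssh
groupadd -r tpe
gpasswd -a ada ssh
gpasswd -a ada tpe

# hardening ssh & sudo
# no spaces around '=': "VAR = value" runs a command called VAR instead of assigning
SSH_CONF="/etc/ssh/sshd_config"
printf '%s\n' 'AllowGroups ssh' >> "$SSH_CONF"
# disable root login and require cert based auth
# -E for the alternation and '+'; -i because "< f > f" truncates the config first
sed -E -i 's/^(PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication) [a-zA-Z-]+/\1 no/g' "$SSH_CONF"
# The substitution only rewrites directives that are already active; a
# commented-out default line is left untouched and the compiled-in default
# applies. Append an explicit "no" for any directive that is not active.
for ssh_opt in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
  grep -qE "^${ssh_opt}[[:space:]]" "$SSH_CONF" || printf '%s no\n' "$ssh_opt" >> "$SSH_CONF"
done
# check the config before restarting: a broken sshd_config plus a restart
# means no remote login at all
sshd -t
# the rest of this script already writes to /etc directly, so it runs as root;
# the original's "sudo" here was the odd one out
systemctl restart sshd.service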
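# iptables
# stop on the first failed rule so a partial ruleset is never saved below
set -eu
# creating a chain fails if it already exists (re-run); that is not an error here
iptables -N TCP 2>/dev/null || true
iptables -N UDP 2>/dev/null || true
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Save *before* starting the unit. The Arch iptables unit restores
# /etc/iptables/iptables.rules on start, so the original order (start the
# service midway, save at the end) would replace the rules added above with
# whatever that file held at the time.
iptables-save > /etc/iptables/iptables.rules
systemctl start iptables
systemctl enable iptables
# NOTE(review): only the IPv4 table is configured here; ip6tables is never
# touched, so IPv6 traffic is not subject to this INPUT DROP policy — confirm
# whether a matching ip6tables ruleset is intended.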
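printf '%s\n' "efi directory?: "
# read into the variable *name*: "read $EFI_DIR" expanded the (empty) variable
# and stored the answer in REPLY, leaving EFI_DIR unset for grub-install.
# -r keeps backslashes literal; IFS= keeps surrounding whitespace as typed.
IFS= read -r EFI_DIR
# refuse to run the installer against a path that is not a directory
[ -d "$EFI_DIR" ] || { printf 'not a directory: %s\n' "$EFI_DIR" >&2; exit 1; }
grub-install --target=x86_64-efi --efi-directory="$EFI_DIR" --bootloader-id=GRUB
# NOTE(review): no grub-mkconfig step appears here — confirm grub.cfg is
# generated elsewhere, otherwise the installed bootloader has no config.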