Provisioning Ubuntu Server 20.04
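#!/bin/bash
# Harden the OpenSSH daemon configuration on Ubuntu Server 20.04.
#
# Backs up the current sshd_config, writes a key-only, no-forwarding policy,
# validates the new file with `sshd -t` and only then restarts the service.
# If validation fails the backup is restored, so the running daemon is never
# pointed at an unloadable config (which would lock out the next login).
#
# Run as root. PasswordAuthentication is switched off below, so confirm that
# a working authorized_keys entry exists for an admin user before running.
set -u

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSHD_BACKUP=/etc/ssh/sshd_config.bak

if (( EUID != 0 )); then
  echo 'Failed: must run as root' >&2
  exit 1
fi

if ! cp -- "$SSHD_CONFIG" "$SSHD_BACKUP"; then
  echo "Failed: can not back up $SSHD_CONFIG" >&2
  exit 1
fi

# Quoted delimiter: nothing in the config is meant to be expanded by bash.
# NOTE: sshd uses the first value it obtains for each keyword, so directives
# in the included /etc/ssh/sshd_config.d/*.conf files take precedence over
# the ones written below. Check that directory for anything that re-enables
# password authentication or forwarding.
if ! cat <<'EOF' > "$SSHD_CONFIG"; then
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
LogLevel INFO
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
EOF
  echo 'Failed: can not write to /etc/ssh/sshd_config' >&2
  exit 1
fi

# Test-mode parse of the new file before touching the running service.
if ! sshd -t -f "$SSHD_CONFIG"; then
  echo 'Failed: new sshd_config does not validate, restoring backup' >&2
  cp -- "$SSHD_BACKUP" "$SSHD_CONFIG"
  exit 1
fi

if ! systemctl restart sshd.service; then
  echo 'Failed: can not restart sshd.service' >&2
  exit 1
fi
echo 'Success: sshd configuration'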
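#!/bin/bash
# Enable the ufw host firewall with a low log level, allowing only OpenSSH.
#
# The OpenSSH allow rule is added BEFORE the firewall is enabled. The original
# did it the other way round, which (as the ufw.conf comment itself warns)
# can drop the SSH session this script is being run from.
#
# Run as root.
set -u

readonly UFW_CONF=/etc/ufw/ufw.conf

if (( EUID != 0 )); then
  echo 'Failed: must run as root' >&2
  exit 1
fi

# Quoted delimiter: the file is written verbatim, no shell expansion.
if ! cat <<'EOF' > "$UFW_CONF"; then
# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes
# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
LOGLEVEL=low
EOF
  echo 'Failed: Can not write to /etc/ufw/ufw.conf' >&2
  exit 1
fi

if ! ufw allow OpenSSH; then
  echo 'Failed: can not add the OpenSSH allow rule' >&2
  exit 1
fi

# --force skips the interactive "may disrupt existing ssh connections" prompt,
# which would otherwise stall an unattended run.
if ! ufw --force enable; then
  echo 'Failed: can not enable ufw' >&2
  exit 1
fi
echo 'Success: Enabled ufw firewall'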
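#!/bin/bash
# Enforce a password-quality policy through pam_pwquality and password ageing
# through /etc/login.defs.
#
# Based on https://linuxhint.com/secure_password_policies_ubuntu/ :
# replaces
#   password requisite pam_pwquality.so retry=3
# with
#   password requisite pam_pwquality.so retry=4 minlen=9 difok=4 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 reject_username enforce_for_root
#
# The original wrote "dcredit= -1" (with a space), which splits into an empty
# dcredit= and a stray "-1" token, so no digit was actually required. Fixed
# here to "dcredit=-1".
#
# Run as root.
set -u -o pipefail

readonly PAM_FILE=/etc/pam.d/common-password
readonly LOGIN_DEFS=/etc/login.defs
readonly PWQUALITY_OPTS='retry=4 minlen=9 difok=4 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 reject_username enforce_for_root'
readonly PASS_MAX_DAYS=120
readonly PASS_WARN_AGE=8

if (( EUID != 0 )); then
  echo 'Failed: must run as root' >&2
  exit 1
fi

# `dpkg -l` exits 0 for packages that are known but removed, so query the
# install status explicitly instead.
if ! dpkg-query -W -f='${Status}' libpam-pwquality 2>/dev/null | grep -q 'install ok installed'; then
  # -y plus a noninteractive frontend so an unattended run never blocks on a prompt.
  if ! DEBIAN_FRONTEND=noninteractive apt-get install -y libpam-pwquality; then
    echo 'Failed to install libpam-pwquality' >&2
    exit 1
  fi
fi

# grep -c exits 1 when nothing matches; the count is still 0 in that case.
lines=$(grep -cE 'password.+pam_pwquality\.so.+$' "$PAM_FILE")
if (( lines > 1 )); then
  echo 'Replace match more than one line, please replace manualy' >&2
  exit 1
elif (( lines == 1 )); then
  # PWQUALITY_OPTS holds no '/', '&' or '\', so it is safe inside the sed replacement.
  if ! sed -i -E "s/pam_pwquality\.so.+$/pam_pwquality.so ${PWQUALITY_OPTS}/" "$PAM_FILE"; then
    echo 'Failed to replace.' >&2
    exit 1
  fi
  # login.defs ageing values only apply to accounts created afterwards;
  # existing accounts need `chage -M`/`chage -W` separately.
  if ! sed -i -E "s/^PASS_MAX_DAYS.+$/PASS_MAX_DAYS ${PASS_MAX_DAYS}/" "$LOGIN_DEFS"; then
    echo 'Failed to set PASS_MAX_DAYS' >&2
    exit 1
  fi
  if ! sed -i -E "s/^PASS_WARN_AGE.+$/PASS_WARN_AGE ${PASS_WARN_AGE}/" "$LOGIN_DEFS"; then
    echo 'Failed to set PASS_WARN_AGE' >&2
    exit 1
  fi
  echo 'Strong password is enforced'
else
  echo 'Line not found, please replace manualy' >&2
  exit 1
fi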
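#!/bin/bash
# Apply CIS-style network and kernel sysctl hardening and reload all sysctl
# configuration.
#
# Run as root.
# NOTE(review): on Ubuntu this path is commonly a symlink to /etc/sysctl.conf,
# so writing through it replaces that file rather than adding a drop-in;
# a dedicated file such as /etc/sysctl.d/99-hardening.conf would be cleaner —
# confirm before changing the path.
set -u

readonly SYSCTL_CONF=/etc/sysctl.d/99-sysctl.conf

if (( EUID != 0 )); then
  echo 'Failed: must run as root' >&2
  exit 1
fi

# Quoted delimiter: the file is written verbatim, no shell expansion.
if ! cat <<'EOF' > "$SYSCTL_CONF"; then
# https://www.tenable.com/audits/CIS_Ubuntu_20.04_LTS_v1.1.0_Server_L1
# Disable IP Forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding=0
# Ensure packet redirect sending is disabled
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ensure source routed packets are not accepted
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ensure ICMP redirects are not accepted
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Ensure secure ICMP redirects are not accepted
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ensure broadcast ICMP requests are ignored
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ensure bogus ICMP responses are ignored
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ensure TCP SYN Cookies is enabled
net.ipv4.tcp_syncookies = 1
# Disable core dump
fs.suid_dumpable=0
kernel.core_pattern=|/bin/false
# Limit ptrace
# ptrace_scope 3 disables ptrace attach entirely (no strace/gdb attach) and
# cannot be lowered again without a reboot.
kernel.yama.ptrace_scope = 3
EOF
  echo 'Failed: can not write to /etc/sysctl.d/99-sysctl.conf' >&2
  exit 1
fi

# Reload all configuration
if ! sysctl --system; then
  echo 'Failed: sysctl --system reported an error' >&2
  exit 1
fi
echo 'Success: sysctl hardening applied'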
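#!/bin/bash
# Write a static-address netplan configuration and apply it.
#
# The YAML is indented explicitly: netplan rejects an unindented mapping.
# Interface names and addresses are parameters so the script can be reused on
# a second host; the defaults are the values from the original gist.
# The existing file is backed up and `netplan generate` is run first, so a
# file netplan cannot parse never reaches `netplan apply` (which would drop
# the network on a remote host).
#
# Run as root.
set -u

readonly NETPLAN_CONF=/etc/netplan/00-installer-config.yaml
readonly NETPLAN_BACKUP=/etc/netplan/00-installer-config.yaml.bak
readonly PRIMARY_IFACE=${PRIMARY_IFACE:-eno1}
readonly SECONDARY_IFACE=${SECONDARY_IFACE:-eno2}
readonly STATIC_ADDRESS=${STATIC_ADDRESS:-172.19.46.4/24}
readonly GATEWAY4=${GATEWAY4:-172.19.46.1}
readonly NAMESERVERS=${NAMESERVERS:-'[1.1.1.1, 8.8.8.8]'}

if (( EUID != 0 )); then
  echo 'Failed: must run as root' >&2
  exit 1
fi

# Keep a copy of whatever subiquity wrote so a bad config can be rolled back.
if [[ -f "$NETPLAN_CONF" ]] && ! cp -- "$NETPLAN_CONF" "$NETPLAN_BACKUP"; then
  echo "Failed: can not back up $NETPLAN_CONF" >&2
  exit 1
fi

# Unquoted delimiter on purpose: the interface/address variables expand here.
if ! cat <<EOF > "$NETPLAN_CONF"; then
# This is the network config written by 'subiquity'
network:
  ethernets:
    ${PRIMARY_IFACE}:
      dhcp4: no
      addresses:
        - ${STATIC_ADDRESS}
      gateway4: ${GATEWAY4}
      nameservers:
        addresses: ${NAMESERVERS}
    ${SECONDARY_IFACE}:
      optional: true
  version: 2
EOF
  echo 'Failed: can not write to /etc/netplan/00-installer-config.yaml' >&2
  exit 1
fi

# Parse/render check only; nothing is applied to the interfaces yet.
if ! netplan generate; then
  echo 'Failed: netplan can not parse the new configuration, restoring backup' >&2
  [[ -f "$NETPLAN_BACKUP" ]] && cp -- "$NETPLAN_BACKUP" "$NETPLAN_CONF"
  exit 1
fi

if ! netplan apply; then
  echo 'Failed: netplan apply' >&2
  exit 1
fi
echo 'Success: netplan configuration'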
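#!/bin/bash
## Disable coredump
#
# Two layers: a hard/soft core-size limit of 0 for every PAM session via
# /etc/security/limits.conf, and a systemd-coredump drop-in that stores
# nothing. The limits.conf append is now idempotent: the original used `>>`
# unconditionally, so every re-run added another copy of the block.
#
# Run as root.
set -u

readonly LIMITS_CONF=/etc/security/limits.conf
readonly COREDUMP_DIR=/etc/systemd/coredump.conf.d
readonly COREDUMP_CONF="$COREDUMP_DIR/custom.conf"

if (( EUID != 0 )); then
  echo 'Failed: must run as root' >&2
  exit 1
fi

# -x: whole-line match, -F: literal (the '*' is not a pattern here).
if grep -qxF -- '* hard core 0' "$LIMITS_CONF"; then
  echo 'Success: Disable core dump (already present)'
else
  # Drop the trailing "# End of file" marker so the block appended below
  # ends the file with it again.
  sed -i -E 's/\#\ End\ of\ file//g' "$LIMITS_CONF"
  if ! cat <<'EOF' >> "$LIMITS_CONF"; then
* hard core 0
* soft core 0
# End of file
EOF
    echo 'Fail: Disable core dump' >&2
    exit 1
  fi
  echo 'Success: Disable core dump'
fi

if ! mkdir -p -- "$COREDUMP_DIR"; then
  echo "Fail: can not create $COREDUMP_DIR" >&2
  exit 1
fi

if ! cat <<'EOF' > "$COREDUMP_CONF"; then
[Coredump]
Storage=none
ProcessSizeMax=0
EOF
  echo 'Fail: Disable systemd core dump' >&2
  exit 1
fi
echo 'Success: Disable systemd core dump'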