update

2022-06-19 16:02:00 +00:00 · 2022-06-19 16:02:00 +00:00 · ff3dbfc8d9
commit ff3dbfc8d9
9 changed files with 486 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,9 @@
+### Example user template template
+### Example user template
+
+# IntelliJ project files
+.idea
+*.iml
+out
+gen
+.vscode/
--- a/0
+++ b/0
--- a/README.md
+++ b/README.md
@ -0,0 +1,193 @@
+![logo](./security-default.png)
+<h1 align="center">Welcome to SecurityVPS 👋</h1>
+<p>
+  <img alt="Version" src="https://img.shields.io/badge/version-1.0-blue.svg?cacheSeconds=2592000" />
+  <a href="#" target="_blank">
+    <img alt="License: GPLv3" src="https://img.shields.io/badge/License-GPLv3-yellow.svg" />
+  </a>
+</p>
+
+
+> Security Default VPS Debian 11 / Guide by Свободный Волк ;)
+
+#### Создаем ключи ssh (Пароль должен быть стойким)
+
+```sh
+~$ ssh-keygen -a 32 -t rsa -b 4096 -C 'libre'
+```
+
+#### Копируем наши созданные ключи на тачку
+
+```sh
+~$ ssh-copy-id root@195.0.0.201
+```
+
+#### Коннектимся к нашей тачке
+
+```sh
+~$ ssh root@195.0.0.201
+```
+
+#### Обновляем нашу тачку
+
+```sh
+~$ apt update && apt upgrade -y
+~$ apt -y install sudo whois curl mc git autoconf make tcpdump \
+   tree screen htop tree apt-transport-https neofetch net-tools macchanger \
+   debsums debsecan fail2ban rkhunter ufw unattended-upgrades
+```
+
+#### Включить автоматическое обновление
+
+```sh
+~$ apt update && apt -y dist-upgrade
+~$ dpkg-reconfigure --priority=low unattended-upgrades
+```
+
+#### Редактируем наш баннер
+
+```sh
+~$ nano /etc/motd
+```
+
+#### Редактируем наш issue на Windows Server
+
+```sh
+~$ echo 'Windows Server 2016' > /etc/issue.net
+```
+
+#### Создаем нового юзера для входа из под него
+
+```sh
+~$ adduser libre
+~$ usermod -aG sudo libre
+~$ reboot
+```
+#### В отдельном терминале копируем ключи для нового юзера
+
+```sh
+~$ ssh-copy-id libre@195.0.0.201
+```
+
+#### Коннектимся к нашей тачке
+
+```sh
+~$ ssh root@195.0.0.201
+```
+#### Редактируем наш sshd config
+
+```sh
+# https://man.openbsd.org/sshd_config.5
+
+~$ sshd -T 
+
+~$ nano /etc/ssh/sshd_config
+```
+
+Заменяем на: [sshd_config](./sshd_config)
+
+```sh
+# перезагружаем sshd
+
+~$ service sshd reload
+```
+
+#### Редактируем наш sysctl.conf
+
+```sh
+~$ nano /etc/sysctl.conf
+```
+
+Заменяем на: [sysctl.conf](./sysctl.conf)
+
+```sh
+~$ sysctl -p
+```
+
+#### Удалить все ключи Диффи-Хеллмана длиной менее 3072 бит
+
+```sh
+~$ sudo cp --archive /etc/ssh/moduli /etc/ssh/moduli-COPY-$(date +"%Y%m%d%H%M%S")
+~$ sudo awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.tmp
+~$ sudo mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+```
+
+#### Создаем конфиг для удобного коннекта
+
+```sh
+Host libre
+User libre
+port 1337
+HostName 195.0.0.201
+MACs hmac-sha2-512
+KexAlgorithms curve25519-sha256@libssh.org
+VisualHostKey no
+IdentityFile ~/.ssh/id_rsa
+
+~$ nano ~/.ssh/config
+
+~$ chmod 644 ~/.ssh/config
+```
+
+#### Коннектимся к нашей тачке
+
+```sh
+~$ ssh libre@195.0.0.201
+```
+
+#### Закройте не нужные порты если они есть
+
+```sh
+~$ sudo ss -tulpn
+```
+
+#### Установите Rkhunter
+
+```sh
+Отредактируйте /etc/rkhunter.conf файл с помощью nano
+
+#Enable the mirror checks.
+UPDATE_MIRRORS=1
+
+#Tells rkhunter to use any mirror.
+MIRRORS_MODE=0
+
+#Specify a command which rkhunter will use when downloading files from the Internet
+WEB_CMD=""
+
+~$ sed -i -r -e '/^#|^$/ d' /etc/rkhunter.conf
+~$ sudo nano /etc/rkhunter.conf
+~$ sudo rkhunter -C
+~$ sudo rkhunter --update
+~$ sudo rkhunter --propupd 
+~$ sudo rkhunter --check --sk 
+```
+
+#### Installation Lynis
+
+```sh
+~$ cd /usr/local
+~$ git clone https://github.com/CISOfy/lynis
+~$ cd lynis
+~$ ./lynis audit system --quick
+```
+### TODO:
+
+ * Add script autoInstall  
+ * Add Firewall configuration
+ * Add Traffic Noisy  
+ * More Security  
+ * ClamAV
+
+### Author
+👤 **Librewolf**
+
+* Open Source: https://t.me/ThisOpenSource
+
+### Show your support
+
+Give a ⭐️ if this project helped you!
+
+### License
+
+`Distributed under the GPL V3 License. See LICENSE for more information`
--- a/7
+++ b/7
@ -0,0 +1,7 @@
+Host libre
+User libre
+port 1337
+HostName 195.0.0.201
+MACs hmac-sha2-512
+KexAlgorithms curve25519-sha256@libssh.org
+IdentityFile ~/.ssh/id_rsa
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+  _    _ _                       _  __
+ | |  (_) |__ _ _ _____ __ _____| |/ _|
+ | |__| | '_ \ '_/ -_) V  V / _ \ |  _|
+ |____|_|_.__/_| \___|\_/\_/\___/_|_|
+  ----- Mail: secven@riseup.net -----
+
--- a/security-default.png
+++ b/security-default.png
--- a/shmsetup.sh
+++ b/shmsetup.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+
+func_check_for_root() {
+    if [ ! $( id -u ) -eq 0 ]; then
+        echo "ERROR: $0 Must be run as root, Script terminating" ;exit 7
+    fi
+}
+
+fn_limits() {
+cat >>/etc/security/limits.conf <<EOL
+*          soft     nproc          999999
+*          hard     nproc          999999
+*          soft     nofile         999999
+*          hard     nofile         999999
+EOL
+}
+
+func_check_for_root
+#fn_limits
+
+page_size=$(getconf PAGE_SIZE)
+phys_pages=$(getconf _PHYS_PAGES)
+shmall=$(expr $phys_pages / 2)
+shmmax=$(expr $shmall \* $page_size)
+echo kernel.shmmax = $shmmax
+echo kernel.shmall = $shmall
--- a/45
+++ b/45
@ -0,0 +1,45 @@
+#  _    _ _                       _  __
+# | |  (_) |__ _ _ _____ __ _____| |/ _|
+# | |__| | '_ \ '_/ -_) V  V / _ \ |  _|
+# |____|_|_.__/_| \___|\_/\_/\___/_|_|
+#  ----- Mail: secven@riseup.net -----
+
+Protocol 2
+Port 1337
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+UsePAM yes
+MaxAuthTries 2
+LoginGraceTime 20
+MaxSessions 2
+Compression no
+PermitRootLogin no
+LogLevel VERBOSE
+TCPKeepAlive no
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+X11Forwarding no
+ClientAliveCountMax 2
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# disable port forwarding
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+AllowAgentForwarding no
+GatewayPorts no
+PermitTunnel no
+
+# ignore .rhosts and .shosts
+IgnoreRhosts yes
+
+ChallengeResponseAuthentication no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Cipher selection
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
--- a/sysctl.conf
+++ b/sysctl.conf
@ -0,0 +1,200 @@
+#  _    _ _                       _  __
+# | |  (_) |__ _ _ _____ __ _____| |/ _|
+# | |__| | '_ \ '_/ -_) V  V / _ \ |  _|
+# |____|_|_.__/_| \___|\_/\_/\___/_|_|
+# Mail: secven@riseup.net
+# use sudo sysctl -p
+
+# Set maximum amount of memory allocated to shm to 256MB
+#kernel.shmmax = 268435456
+#kernel.shmall = 268435456
+
+# Prefer caching pages over inodes/dentries
+vm.dirty_bytes = 2097152
+vm.dirty_background_bytes = 2097152
+vm.vfs_cache_pressure = 1000
+
+# ("Too many open files fix")
+fs.file-max = 2097152
+
+# Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
+
+# Prohibit unreferencing links to files
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# Don't allow writes to files that we don't own
+# in world writable sticky directories, unless
+# they are owned by the owner of the directory.
+fs.protected_fifos=2
+fs.protected_regular=2
+
+# Only allow the SysRq key to be used for shutdowns and the
+# Secure Attention Key (SAK).
+kernel.sysrq=132
+
+# Activate ASLR
+kernel.randomize_va_space = 2
+
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
+# unprivileged attackers from loading vulnerable line disciplines
+# with the TIOCSETD ioctl which has been used in exploits before
+# such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
+#
+# https://lkml.org/lkml/2019/4/15/890
+dev.tty.ldisc_autoload=0
+
+# Restrict the userfaultfd() syscall to root as it can make heap sprays
+vm.unprivileged_userfaultfd=0
+
+# Prohibit mapping of memory in low addresses (0)
+vm.mmap_min_addr = 65536
+
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+kernel.panic = 10
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmnb = 65535
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmax = 65535
+
+# Prevent kernel info leaks in console during boot.
+# https://phabricator.whonix.org/T950
+kernel.printk = 3 3 3 3
+
+# Obfuscation of addresses memory kernel
+kernel.kptr_restrict = 1
+
+# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+kernel.core_pattern=|/bin/false
+
+# Restricts the kernel log to root only.
+kernel.dmesg_restrict=1
+
+# Restricts the use of the perf system
+kernel.perf_event_paranoid = 3
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
+# Restricts the use of ptrace to root. This might break some programs running under WINE.
+# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+#
+# sudo apt-get install libcap2-bin
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2
+
+# Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
+
+# Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+# Disable User Namespaces
+user.max_user_namespaces = 0
+
+# Hardens the BPF JIT compiler and restricts it to root.
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+
+# TCP SYN cookie protection
+net.ipv4.tcp_syncookies = 1
+
+# TCP rfc1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+# Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+# Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+# Disable IP source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Ignore ICMP echo requests
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# An illicit router advertisement message could result in a man-in-the-middle attack.
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.accept_ra = 0
+
+# Disable ipv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# IP forwarding
+net.ipv4.ip_forward = 0
+
+# Keepalive packets to keep an connection alive
+net.ipv4.tcp_keepalive_time = 180
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 3
+
+# TUNING NETWORK PERFORMANCE
+net.ipv4.ip_local_port_range = 2000 65000
+net.ipv4.tcp_rmem = 4096 87380 8388608
+net.ipv4.tcp_wmem = 4096 87380 8388608
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1
+net.core.somaxconn = 65535
+net.netfilter.nf_conntrack_max = 10000000
+net.netfilter.nf_conntrack_tcp_loose = 0
+net.netfilter.nf_conntrack_tcp_timeout_established = 800
+net.netfilter.nf_conntrack_tcp_timeout_close = 10
+net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 10
+net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10
+net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10
+net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 10
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
+net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.ip_no_pmtu_disc = 1
+net.ipv4.route.flush = 1
+net.ipv4.route.max_size = 8048576
+net.ipv4.tcp_mem = 65536 131072 262144
+net.ipv4.udp_mem = 65536 131072 262144
+net.ipv4.udp_rmem_min = 16384
+net.ipv4.udp_wmem_min = 16384
+net.ipv4.tcp_max_tw_buckets = 1440000
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_orphans = 400000
+net.ipv4.tcp_syn_retries = 2
+net.ipv4.tcp_timestamps = 1
+net.ipv4.tcp_sack = 1
+net.ipv4.tcp_fack = 1
+net.ipv4.tcp_ecn = 2
+net.ipv4.tcp_fin_timeout = 10
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_mtu_probing = 1
+net.ipv4.tcp_fastopen = 3
+net.ipv4.tcp_congestion_control = hybla