diff --git a/ubuntu-vps-setup.sh b/ubuntu-vps-setup.sh
index 5929d3b..20059c1 100644
--- a/ubuntu-vps-setup.sh
+++ b/ubuntu-vps-setup.sh
@@ -34,21 +34,18 @@ kernel.perf_event_paranoid = 2
 kernel.randomize_va_space = 2
 kernel.sysrq = 0
 kernel.yama.ptrace_scope = 2
-net.ipv4.conf.wg0.forwarding = 1
-net.ipv4.conf.wg0.accept_source_route = 1
-net.ipv4.conf.wg0.secure_redirects = 1
-net.ipv4.conf.wg0.send_redirects = 0
+net.ipv4.ip_forward = 1
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.all.rp_filter = 1
-net.ipv4.conf.all.secure_redirects = 1
+net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.log_martians = 1
 net.ipv4.conf.default.rp_filter= 1
-net.ipv4.conf.default.secure_redirects = 1
+net.ipv4.conf.default.secure_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
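Review bot: `net.ipv4.ip_forward = 1` turns on IPv4 forwarding for every interface, whereas the removed `net.ipv4.conf.wg0.forwarding = 1` scoped it to the tunnel, so the host now routes between any pair of interfaces unless the netfilter FORWARD chain defaults to DROP; that rule is not visible in this hunk, so confirm it is set elsewhere in the script. A comment on the new line would record the intent for the next reader, e.g. `# forwarding is global (WireGuard + bridge); the FORWARD chain must default to DROP`. The two `secure_redirects = 0` changes do not widen exposure on this host because `accept_redirects = 0` is already set for both `all` and `default`, which discards ICMP redirects before the secure/insecure distinction applies; a one-line comment saying so would stop the next reviewer from flagging them.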
@@ -61,21 +58,22 @@ net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_timestamps = 0
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.all.accept_redirects = 0
-net.ipv6.conf.all.use_tempaddr = 1
-net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.default.forwarding = 1
+net.ipv6.conf.default.accept_ra = 2
 net.ipv6.conf.default.accept_ra_defrtr = 0
 net.ipv6.conf.default.accept_ra_pinfo = 0
 net.ipv6.conf.default.accept_redirects = 0
 net.ipv6.conf.default.accept_source_route = 0
-net.ipv6.conf.default.autoconf = 1
+net.ipv6.conf.default.autoconf = 2
 net.ipv6.conf.default.dad_transmits = 0
 net.ipv6.conf.default.max_addresses = 1
 net.ipv6.conf.default.router_solicitations = 1
 net.ipv6.conf.default.use_tempaddr = 2
 net.ipv6.conf.ens3.accept_ra_rtr_pref = 2
-net.ipv6.conf.ens3.accept_ra = 2
-net.ipv6.conf.all.forwarding = 1
-net.ipv6.conf.default.forwarding = 1
+net.bridge.bridge-nf-call-iptables = 1
+net.bridge.bridge-nf-call-ip6tables = 1
 net.netfilter.nf_conntrack_max = 2000000
 net.netfilter.nf_conntrack_tcp_loose = 0
 vm.swappiness = 0
@@ -87,12 +85,6 @@ net.ipv4.tcp_rmem = 4096 87380 16777216
 net.ipv4.tcp_wmem = 4096 65536 16777216
 EOF
-cat <<-EOF > /etc/sysctl.d/10-bridge.conf
-net.bridge.bridge-nf-call-iptables = 1
-net.bridge.bridge-nf-call-ip6tables = 1
-net.ipv4.ip_forward = 1
-EOF
-
 # Backup SSH_CONFIG
 mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
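Review bot: `net.ipv6.conf.default.accept_ra = 2` now applies to every interface created after boot, not only `ens3` as the removed `net.ipv6.conf.ens3.accept_ra = 2` did, and combined with `default.forwarding = 1` it means router advertisements on any new tunnel, bridge or container interface are processed; the retained `accept_ra_defrtr = 0` and `accept_ra_pinfo = 0` are what keep a rogue RA from installing a default route or prefix, so make that dependency explicit with a comment such as `# accept_ra=2 keeps RA processing on while forwarding; accept_ra_defrtr/pinfo=0 below limit what an RA may change`. `net.ipv6.conf.default.autoconf = 2` is a boolean sysctl, so `2` behaves exactly like `1`; write `net.ipv6.conf.default.autoconf = 1` to avoid implying a third mode. The `net.bridge.bridge-nf-call-*` keys only exist once `br_netfilter` is loaded, and moving them out of the separate `10-bridge.conf` drop-in into the main heredoc means that if this file is applied with `sysctl -p` before the module is present the unknown keys yield an error status, which under `set -e` would abort the run; ensure the module is loaded first (`modules-load.d` entry or `modprobe br_netfilter` ahead of the sysctl call). The heredoc's target path and the command that applies it are outside this hunk.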
@@ -628,6 +620,19 @@ RestartSec=5
 WantedBy=multi-user.target
 EOF
+## Update ssh_host keys
+rm /etc/ssh/ssh_host_*
+ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
+ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
+ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+
+awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+# GRUB enable swap and disable root recovery
+echo 'GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"' >> /etc/default/grub
+echo 'GRUB_DISABLE_RECOVERY="true"' >> /etc/default/grub
+
 systemctl enable auditd
 systemctl enable apparmor
 systemctl enable haveged
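Review bot: The two `echo … >> /etc/default/grub` lines append a second `GRUB_CMDLINE_LINUX` assignment instead of editing the one Ubuntu ships, which silently discards any kernel parameters already in that variable, adds another copy on every re-run, and never reaches `grub.cfg` unless `update-grub` runs afterwards; no such call is visible in this hunk, so confirm it happens later in the script. The comment `# GRUB enable swap and disable root recovery` is inaccurate, since `swapaccount=1` enables cgroup swap accounting rather than swap; suggest `# GRUB: cgroup memory/swap accounting for containers; drop the recovery menu entry`. `rm /etc/ssh/ssh_host_*` should be `rm -f -- /etc/ssh/ssh_host_*` so a host with no existing keys does not fail on the literal glob, and because regeneration changes the server's fingerprints the script should print them (`ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub`) for out-of-band verification; sshd must also be restarted to serve the new keys, which if it happens at all is outside this hunk. A GRUB section that edits in place, is idempotent and regenerates the config:
```shell
# … unchanged: ssh host key regeneration and moduli filtering …
# GRUB: cgroup memory/swap accounting for containers; drop the recovery menu entry.
# /etc/default/grub is sourced by grub-mkconfig, so replace the existing assignment
# rather than appending a duplicate.
set_grub_var() {
  local key=$1 value=$2
  if grep -q "^${key}=" /etc/default/grub; then
    sed -i "s|^${key}=.*|${key}=${value}|" /etc/default/grub
  else
    printf '%s=%s\n' "$key" "$value" >> /etc/default/grub
  fi
}
set_grub_var GRUB_CMDLINE_LINUX '"cgroup_enable=memory swapaccount=1"'
set_grub_var GRUB_DISABLE_RECOVERY '"true"'
update-grub
```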