  1. ufw --force disable
  2.  
  3. # Create some user so we can login later
  4. u=$1
  5. useradd -m -s /bin/bash -U $u
  6. usermod -aG docker $u
  7. mkdir /home/$u/.ssh
  8. chmod 700 /home/$u/.ssh
  9. cp ~/.ssh/authorized_keys /home/$u/.ssh/
  10. chmod 600 /home/$u/.ssh/authorized_keys
  11. chown -R $u:$u /home/$u/.ssh
  12. echo "$u ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/10-$u
  13.  
  14. # Harden SSH
  15. sed -i -e '/^PermitRootLogin/d' /etc/ssh/sshd_config
  16. sed -i -e '/^ChallengeResponseAuthentication/d' /etc/ssh/sshd_config
  17. sed -i -e '/^PasswordAuthentication/d' /etc/ssh/sshd_config
  18. sed -i -e '/^UsePAM/d' /etc/ssh/sshd_config
  19. echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
  20. echo 'DebianBanner no' >> /etc/ssh/sshd_config
  21. echo 'ChallengeResponseAuthentication no' >> /etc/ssh/sshd_config
  22. echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config
  23. echo 'UsePAM yes' >> /etc/ssh/sshd_config
  24. echo 'AuthenticationMethods publickey' >> /etc/ssh/sshd_config
  25. echo "AllowUsers $u" >> /etc/ssh/sshd_config
  26. # Disable insecure algos
  27. echo 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
  28. echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
  29. echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' >> /etc/ssh/sshd_config
  30. service ssh restart
  31.  
  32. # Harden against TCP attacks
  33. printf "
  34. # Ignore ICMP broadcast requests
  35. net.ipv4.icmp_echo_ignore_broadcasts = 1
  36. # Disable source packet routing
  37. net.ipv4.conf.all.accept_source_route = 0
  38. net.ipv6.conf.all.accept_source_route = 0
  39. net.ipv4.conf.default.accept_source_route = 0
  40. net.ipv6.conf.default.accept_source_route = 0
  41. # Ignore send redirects
  42. net.ipv4.conf.all.send_redirects = 0
  43. net.ipv4.conf.default.send_redirects = 0
  44. # Block SYN attacks
  45. net.ipv4.tcp_max_syn_backlog = 2048
  46. net.ipv4.tcp_synack_retries = 2
  47. net.ipv4.tcp_syn_retries = 5
  48. # Log Martians
  49. net.ipv4.conf.all.log_martians = 1
  50. net.ipv4.icmp_ignore_bogus_error_responses = 1
  51. # Ignore ICMP redirects
  52. net.ipv4.conf.all.accept_redirects = 0
  53. net.ipv6.conf.all.accept_redirects = 0
  54. net.ipv4.conf.default.accept_redirects = 0
  55. net.ipv6.conf.default.accept_redirects = 0
  56. # Ignore Directed pings
  57. net.ipv4.icmp_echo_ignore_all = 1
  58. " >> /etc/sysctl.d/10-network-security.conf
  59.  
  60. echo 1 > /proc/sys/net/ipv4/ip_forward
  61. echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/99-sysctl.conf
  62. echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
  63. echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  64. echo 'net.ipv6.conf.default.forwarding=1' >> /etc/sysctl.d/99-sysctl.conf
  65. echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/99-sysctl.conf
  66. sed -i -e '/DEFAULT_FORWARD_POLICY=/d' /etc/default/ufw
  67. echo 'DEFAULT_FORWARD_POLICY="ACCEPT"' >> /etc/default/ufw
  68. echo 'net/ipv4/ip_forward=1' >> /etc/ufw/sysctl.conf
  69. echo 'net/ipv6/conf/default/forwarding=1' >> /etc/ufw/sysctl.conf
  70. echo 'net/ipv6/conf/all/forwarding=1' >> /etc/ufw/sysctl.conf