  1. #!/bin/sh
  2.  
  3. # https://wiki.archlinux.org/index.php/Security#Kernel_hardening
  4.  
  5. # https://wiki.archlinux.org/index.php/Sysctl#TCP.2FIP_stack_hardening
  6.  
  7. # https://wiki.archlinux.org/index.php/Simple_stateful_firewall
  8.  
  9. # https://wiki.archlinux.org/index.php/MAC_address_spoofing#Method_2:_macchanger
  10.  
  11. dpkg --add-architecture i386
  12.  
  13. echo "kernel.dmesg_restrict=1" > /etc/sysctl.d/50-dmesg-restrict.conf
  14. echo "kernel.kptr_restrict=1" > /etc/sysctl.d/50-kptr-restrict.conf
  15. echo "net.ipv4.tcp_syncookies=1" > /etc/sysctl.d/51-net.conf
  16. echo "net.ipv4.tcp_rfc1337=1" >> /etc/sysctl.d/51-net.conf
  17. echo "net.ipv4.conf.default.rp_filter=1" >> /etc/sysctl.d/51-net.conf
  18. echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.d/51-net.conf
  19. echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.d/51-net.conf
  20. echo "net.ipv4.conf.default.log_martians=1" >> /etc/sysctl.d/51-net.conf
  21. echo "net.ipv4.conf.all.log_martians=1" >> /etc/sysctl.d/51-net.conf
  22. echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.d/51-net.conf
  23. echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.d/51-net.conf
  24. echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.d/51-net.conf
  25. echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/51-net.conf
  26. echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.d/51-net.conf
  27. echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/51-net.conf
  28. echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.d/51-net.conf
  29.  
  30. sysctl --system
  31. systemctl daemon-reload
  32.  
  33. iptables -F
  34. iptables -X
  35. iptables -t nat -F
  36. iptables -t nat -X
  37. iptables -t mangle -F
  38. iptables -t mangle -X
  39. iptables -t raw -F
  40. iptables -t raw -X
  41. iptables -t security -F
  42. iptables -t security -X
  43. iptables -N TCP
  44. iptables -N UDP
  45. iptables -P FORWARD DROP
  46. iptables -P OUTPUT ACCEPT
  47. iptables -P INPUT DROP
  48. iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  49. iptables -A INPUT -i lo -j ACCEPT
  50. iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  51. iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  52. iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  53. iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  54. iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  55. iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  56. iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
  57. iptables -nvL --line-numbers
  58.  
  59. #iptables -A TCP -p tcp --dport 80 -j ACCEPT # To accept incoming TCP connections on port 80 for a web server
  60. #iptables -A TCP -p tcp --dport 443 -j ACCEPT # To accept incoming TCP connections on port 443 for a web server (HTTPS)
  61. #iptables -A TCP -p tcp --dport 22 -j ACCEPT # To allow remote SSH connections (on port 22)
  62. #iptables -A TCP -p tcp --dport 53 -j ACCEPT # To accept incoming TCP requests for a DNS server (port 53)
  63. #iptables -A UDP -p udp --dport 53 -j ACCEPT # To accept incoming UDP requests for a DNS server (port 53)
  64. #iptables -nvL --line-numbers
  65.  
  66. iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP
  67. iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
  68. iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset
  69. iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
  70. iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
  71. iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  72. iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
  73. iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
  74. iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
  75. iptables -nvL --line-numbers
  76.  
  77. iptables -N IN_SSH
  78. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
  79. iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
  80. iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
  81. iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT
  82. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
  83. iptables -nvL --line-numbers
  84.  
  85. iptables-save > /etc/iptables.up.rules
  86.  
  87. echo "#!/bin/sh" > /etc/network/if-pre-up.d/iptables
  88. echo "/sbin/iptables-restore < /etc/iptables.up.rules" >> /etc/network/if-pre-up.d/iptables
  89.  
  90. chmod +x /etc/network/if-pre-up.d/iptables
  91.  
  92. apt update -y && apt autoremove -y && apt dist-upgrade -y && apt install arc-theme tilda tilix macchanger openvpn network-manager-openvpn network-manager-openvpn-gnome obfsproxy obfs4proxy apt-transport-https snapd pulseaudio debian-keyring synaptic gdebi git libpam-yubico qrencode gpa mat gtkhash deja-dup dconf-editor synapse firejail firetools bleachbit firefox thunderbird corebird pidgin pidgin-otr mumble syncthing liferea catfish mpv cheese obs-studio openshot handbrake rhythmbox audacity gimp inkscape darktable blender xfburn steam wine64 ttf-mscorefonts-installer playonlinux retroarch putty filezilla qemu virt-manager virt-viewer -y
  93.  
  94. snap refresh
  95. snap install bitwarden
  96. snap refresh
  97.  
  98. reboot