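#!/bin/sh
# Debian desktop hardening and provisioning script.
#
# Steps, in order: write sysctl kernel/TCP-IP hardening drop-ins, build a
# stateful IPv4 iptables firewall with port-scan and SSH brute-force
# throttling, persist the ruleset through an ifupdown hook, install the
# desired packages, then reboot.  Must run as root.
#
# References:
#   https://wiki.archlinux.org/index.php/Security#Kernel_hardening
#   https://wiki.archlinux.org/index.php/Sysctl#TCP.2FIP_stack_hardening
#   https://wiki.archlinux.org/index.php/Simple_stateful_firewall
#   https://wiki.archlinux.org/index.php/MAC_address_spoofing#Method_2:_macchanger

# Abort on the first failed step rather than rebooting a half-configured
# machine (POSIX subset: no pipefail under /bin/sh).
set -eu

if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# --- sysctl hardening ------------------------------------------------------
printf 'kernel.dmesg_restrict=1\n' > /etc/sysctl.d/50-dmesg-restrict.conf
printf 'kernel.kptr_restrict=1\n' > /etc/sysctl.d/50-kptr-restrict.conf
# NB: icmp_echo_ignore_all=1 makes the kernel ignore echo requests before the
# firewall's ICMP echo ACCEPT rule below can match, so the host is not pingable.
cat > /etc/sysctl.d/51-net.conf <<'EOF'
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_echo_ignore_all=1
EOF
sysctl --system
systemctl daemon-reload

# --- IPv4 firewall ---------------------------------------------------------
# NOTE: only iptables (IPv4) is configured.  ip6tables is never touched, so
# on a host with IPv6 connectivity the IPv6 INPUT policy stays at the kernel
# default; mirror these rules with ip6tables (allowing the needed ICMPv6
# types) or disable IPv6 if that is not acceptable.
for table in filter nat mangle raw security; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
iptables -N TCP
iptables -N UDP
iptables -N IN_SSH
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

# Drop packets failing the reverse-path check before conntrack sees them.
iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP

# INPUT is built once in its final order; the original delete/re-append dance
# is not needed.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# The SSH throttle must be dispatched here, ahead of the TCP chain and the
# catch-all REJECTs; appended after the final REJECT it was unreachable and
# new SSH connections were simply reset.  Remove this rule and the IN_SSH
# chain below if no SSH daemon runs on this host.
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Whatever falls out of the service chains is rejected and the source is
# recorded, so its further probes are rejected by the chains below for 60 s.
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Service chains: first reject sources seen port-scanning within the last
# 60 s, then accept the services this host offers (uncomment as needed).
iptables -A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
#iptables -A TCP -p tcp --dport 80 -j ACCEPT  # web server (HTTP)
#iptables -A TCP -p tcp --dport 443 -j ACCEPT # web server (HTTPS)
#iptables -A TCP -p tcp --dport 53 -j ACCEPT  # DNS server (TCP)
iptables -A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
#iptables -A UDP -p udp --dport 53 -j ACCEPT  # DNS server (UDP)

# SSH brute-force throttle: drop a source after its 3rd new connection within
# 10 s or its 4th within 30 min; otherwise record it and accept.
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT

iptables -nvL --line-numbers

# --- persist the ruleset across reboots (ifupdown pre-up hook) -------------
iptables-save > /etc/iptables.up.rules
cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
chmod +x /etc/network/if-pre-up.d/iptables

# --- packages --------------------------------------------------------------
# i386 is enabled presumably for the 32-bit packages in the list below
# (steam, wine64, playonlinux); it must precede 'apt update'.
dpkg --add-architecture i386
apt update -y
apt autoremove -y
apt dist-upgrade -y
apt install -y \
  arc-theme tilda tilix macchanger openvpn network-manager-openvpn \
  network-manager-openvpn-gnome obfsproxy obfs4proxy apt-transport-https \
  snapd pulseaudio debian-keyring synaptic gdebi git libpam-yubico qrencode \
  gpa mat gtkhash deja-dup dconf-editor synapse firejail firetools bleachbit \
  firefox thunderbird corebird pidgin pidgin-otr mumble syncthing liferea \
  catfish mpv cheese obs-studio openshot handbrake rhythmbox audacity gimp \
  inkscape darktable blender xfburn steam wine64 ttf-mscorefonts-installer \
  playonlinux retroarch putty filezilla qemu virt-manager virt-viewer
snap refresh
snap install bitwarden
snap refresh
reboot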