author | nachoparker <nacho@ownyourbits.com> | 2017-12-17 16:47:54 +0300 |
committer | nachoparker <nacho@ownyourbits.com> | 2017-12-17 16:48:09 +0300 |
commit | 34fc851c24fed71c324a888773234b822ccaec12 (patch) | |
tree | 6a6ef9f07664717aec258eb3c8fe937da9538b13 | |
parent | af54edb121da82f80975496cfd89a348e0f04caa (diff) |
security hardening part 3v0.41.13
-rw-r--r-- | changelog.md | 4 | ||||
-rw-r--r-- | nextcloudpi.sh | 33 | ||||
-rwxr-xr-x | update.sh | 5 |
3 files changed, 27 insertions, 15 deletions
diff --git a/changelog.md b/changelog.md
index 4ab8b3e7..31529bdb 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,7 @@
-[v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/392ac9c) (2017-12-17) security hardening part 2
+[v0.41.13](https://github.com/nextcloud/nextcloudpi/commit/4daac1b) (2017-12-17) security hardening part 3
+
+[v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/672d233) (2017-12-17) security hardening part 2
 [v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/b817b90) (2017-12-16) security hardening
diff --git a/nextcloudpi.sh b/nextcloudpi.sh
index 0d47ded6..c83c2cb7 100644
--- a/nextcloudpi.sh
+++ b/nextcloudpi.sh
@@ -214,21 +214,26 @@ EOF
 ## kernel hardening
 cat >> /etc/sysctl.conf <<EOF
-sysctl fs.protected_hardlinks=1
-sysctl fs.protected_symlinks=1
-sysctl kernel.core_uses_pid=1
-sysctl kernel.dmesg_restrict=1
-sysctl kernel.kptr_restrict=2
-sysctl kernel.sysrq=0
-sysctl net.ipv4.conf.all.accept_redirects=0
-sysctl net.ipv4.conf.all.log_martians=1
-sysctl net.ipv4.conf.all.rp_filter=1
-sysctl net.ipv4.conf.all.send_redirects=0
-sysctl net.ipv4.conf.default.accept_redirects=0
-sysctl net.ipv4.conf.default.accept_source_route=0
-sysctl net.ipv4.conf.default.log_martians=1
-sysctl net.ipv4.tcp_timestamps=0
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+kernel.core_uses_pid=1
+kernel.dmesg_restrict=1
+kernel.kptr_restrict=2
+kernel.sysrq=0
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.log_martians=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.default.log_martians=1
+net.ipv4.tcp_timestamps=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
 EOF
+
+ ## other tweaks
+ sed -i "s|^UMASK.*|UMASK 027|" /etc/login.defs
 fi
 }
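Review bot: The new sysctl block still leaves its `all`/`default` pairs lopsided: `net.ipv4.conf.all.rp_filter=1` has no `net.ipv4.conf.default.rp_filter=1` beside it, and `net.ipv4.conf.default.accept_source_route=0` has no `net.ipv4.conf.all.accept_source_route=0`, so depending on which interfaces exist when the file is loaded those keys may stay at the kernel defaults. Adding `net.ipv4.conf.default.rp_filter=1` and `net.ipv4.conf.all.accept_source_route=0` next to their counterparts would make the IPv4 set as consistent as the paired IPv6 `accept_redirects` lines this hunk adds. The added `sed -i "s|^UMASK.*|UMASK 027|" /etc/login.defs` is a silent no-op when the file has no `UMASK` line at all; `grep -q '^UMASK' /etc/login.defs || echo 'UMASK 027' >> /etc/login.defs` after it would cover that case. The function and the `if` this hunk closes both start above the hunk.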
@@ -172,10 +172,15 @@ net.ipv4.conf.default.accept_redirects=0
 net.ipv4.conf.default.accept_source_route=0
 net.ipv4.conf.default.log_martians=1
 net.ipv4.tcp_timestamps=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
 EOF
+ sysctl -p /etc/sysctl.conf
 # small tweaks
 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+ chmod go-x /usr/bin/arm-linux-gnueabihf-* &>/dev/null
+ sed -i "s|^UMASK.*|UMASK 027|" /etc/login.defs
 # secure mysql
 DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 ) |
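Review bot: The added `sysctl -p /etc/sysctl.conf` will hit the malformed `sysctl key=value` lines on any install whose image was built with the older nextcloudpi.sh block this same commit fixes, because the heredoc feeding `/etc/sysctl.conf` appends rather than replaces; sysctl prints an error for each such line and exits non-zero, which aborts the updater if it runs under `set -e` and otherwise just buries the real failures. Stripping them first, `sed -i '/^sysctl /d' /etc/sysctl.conf` before the `sysctl -p`, keeps the load clean (no valid sysctl.conf line begins with `sysctl `), and the same appending means each updater run adds the whole block again unless the heredoc is guarded. The `&>/dev/null` on `chmod go-x /usr/bin/arm-linux-gnueabihf-*` also hides every error, not only the no-match case on non-ARM hosts, so a failed permission change goes unnoticed. The heredoc that the leading context lines belong to starts above the hunk.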