authornachoparker <nacho@ownyourbits.com>2017-12-17 15:46:18 +0300
committernachoparker <nacho@ownyourbits.com>2017-12-17 15:46:35 +0300
commitaf54edb121da82f80975496cfd89a348e0f04caa (patch)
tree26ae7a172a95f2cf34142ff29b2971b89e03c1e6
parentbd5cb8e2b38aea6672c1315c27c89b6442fa82cb (diff)
security hardening part 2v0.41.12
-rw-r--r--changelog.md4
-rw-r--r--etc/nextcloudpi-config.d/fail2ban.sh1
-rw-r--r--etc/nextcloudpi-config.d/nc-init.sh2
-rw-r--r--etc/nextcloudpi-config.d/nc-nextcloud.sh2
-rw-r--r--lamp.sh4
-rw-r--r--nextcloudpi.sh6
-rwxr-xr-xupdate.sh22
7 files changed, 33 insertions, 8 deletions
diff --git a/changelog.md b/changelog.md
index 55f3a99a..4ab8b3e7 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,7 @@
-[v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/17af1ab) (2017-12-16) security hardening
+[v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/392ac9c) (2017-12-17) security hardening part 2
+
+[v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/b817b90) (2017-12-16) security hardening
[v0.41.10](https://github.com/nextcloud/nextcloudpi/commit/330df57) (2017-12-16) dnsmasq: added interface
diff --git a/etc/nextcloudpi-config.d/fail2ban.sh b/etc/nextcloudpi-config.d/fail2ban.sh
index d240e747..c3426259 100644
--- a/etc/nextcloudpi-config.d/fail2ban.sh
+++ b/etc/nextcloudpi-config.d/fail2ban.sh
@@ -155,6 +155,7 @@ filter = nextcloud
logpath = $NCLOG
maxretry = $MAXRETRY_
EOF
+ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
update-rc.d fail2ban defaults
update-rc.d fail2ban enable
service fail2ban restart
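Review bot: The added `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local` overwrites any existing jail.local unconditionally, and jail.local is the file fail2ban reads for local overrides of jail.conf, so an administrator's own overrides are lost every time this configure step runs. Copying the whole of jail.conf there also shadows every key, so later package updates to jail.conf no longer take effect rather than only the keys the project intends to pin. The heredoc ending at `EOF` above writes the nextcloud jail (where it writes is outside the hunk); if that target is jail.conf, a guarded copy keeps existing overrides intact: `[[ -e /etc/fail2ban/jail.local ]] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`. The same unconditional copy is added in update.sh under `# small tweaks`. The enclosing function starts outside the hunk.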
diff --git a/etc/nextcloudpi-config.d/nc-init.sh b/etc/nextcloudpi-config.d/nc-init.sh
index 1e04c48e..427edab9 100644
--- a/etc/nextcloudpi-config.d/nc-init.sh
+++ b/etc/nextcloudpi-config.d/nc-init.sh
@@ -55,7 +55,7 @@ configure()
# workaround to emulate DROP USER IF EXISTS ..;)
local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
- mysql -u root <<EOF
+ mysql <<EOF
DROP DATABASE IF EXISTS nextcloud;
CREATE DATABASE nextcloud
CHARACTER SET utf8mb4
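Review bot: Dropping `-u root` from the `mysql` invocation makes the connection depend on the `[client]` section of whatever `~/.my.cnf` belongs to the user and HOME the script happens to run under; invoked through `sudo` without `-H`, or from a service with a different HOME, it reads a different file and connects as a different account than the password taken from `/root/.my.cnf` on the line above implies. Naming the credentials file keeps the behaviour explicit and independent of the caller's environment: `mysql --defaults-file=/root/.my.cnf <<EOF`. The same change is made in etc/nextcloudpi-config.d/nc-nextcloud.sh, where the explicit `-u root -p"$DBPASSWD"` is removed. The `configure()` body continues outside the hunk.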
diff --git a/etc/nextcloudpi-config.d/nc-nextcloud.sh b/etc/nextcloudpi-config.d/nc-nextcloud.sh
index 098c0337..6b366f1a 100644
--- a/etc/nextcloudpi-config.d/nc-nextcloud.sh
+++ b/etc/nextcloudpi-config.d/nc-nextcloud.sh
@@ -111,7 +111,7 @@ configure()
# workaround to emulate DROP USER IF EXISTS ..;)
local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
- mysql -u root -p"$DBPASSWD" <<EOF
+ mysql <<EOF
DROP DATABASE IF EXISTS nextcloud;
CREATE DATABASE nextcloud
CHARACTER SET utf8mb4
diff --git a/lamp.sh b/lamp.sh
index d1c17fef..5559dd52 100644
--- a/lamp.sh
+++ b/lamp.sh
@@ -124,7 +124,9 @@ EOF
mysql_secure_installation <<EOF
$DBPASSWD
-n
+y
+$DBPASSWD
+$DBPASSWD
y
y
y
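Review bot: The heredoc fed to `mysql_secure_installation` is purely positional, and the new `y` / `$DBPASSWD` / `$DBPASSWD` lines now answer the root-password prompt and its two password-entry prompts; if the installed MariaDB/MySQL release adds, removes or reorders a prompt, the password line ends up answering a yes/no question and the wrong settings are applied without any error from the tool. At minimum each answer should be documented, e.g. a comment above the heredoc: `# answers, in order: current root password, change root password?, new password, confirm, then yes to the remaining remove/disallow/reload prompts`, so whoever edits the sequence next can check it against the tool's actual prompts. Checking the exit status would also help: `mysql_secure_installation <<EOF || exit 1` with the heredoc body unchanged below it. The hunk header counts one more context line than is shown here, presumably a blank line lost in rendering.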
diff --git a/nextcloudpi.sh b/nextcloudpi.sh
index 720153ed..0d47ded6 100644
--- a/nextcloudpi.sh
+++ b/nextcloudpi.sh
@@ -203,11 +203,13 @@ EOF
## SSH hardening
sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
- sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
+ sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config
sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
- sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config
+ sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config
sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
## kernel hardening
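Review bot: The MaxAuthTries substitution now anchors on `^MaxAuthTries`, i.e. an already-uncommented directive, but nextcloudpi.sh builds a fresh image where, as far as I recall, Debian ships that line commented as `#MaxAuthTries 6`; the sed then matches nothing and the setting silently stays at the default, whereas the previous `^#MaxAuthTries` pattern did match it. The X11Forwarding line in the same hunk moves in the opposite direction, which is right for Debian's uncommented `X11Forwarding yes`, so a pattern accepting both forms is the robust choice for every line in this block: `sed -i 's|^#*MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config`. Separately, `MaxAuthTries 1` counts each offered public key as an attempt, so a client whose agent holds more than one key can be disconnected before it presents the right one; the previous value of 2 is the usual compromise. The same hunk appears in update.sh under `## harden SSH`, where the `^MaxAuthTries` anchor likewise fails for installs that skipped the release that first uncommented the directive.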
diff --git a/update.sh b/update.sh
index e0489f56..5fe70bdf 100755
--- a/update.sh
+++ b/update.sh
@@ -147,11 +147,13 @@ done
## harden SSH
sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
- sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
+ sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config
sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
- sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config
+ sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config
sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
## harden kernel
@@ -171,6 +173,22 @@ net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
EOF
+
+ # small tweaks
+ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+
+ # secure mysql
+ DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
+ mysql_secure_installation &>/dev/null <<EOF
+$DBPASSWD
+y
+$DBPASSWD
+$DBPASSWD
+y
+y
+y
+y
+EOF
}
exit 0
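Review bot: The new `mysql_secure_installation &>/dev/null <<EOF` discards the tool's stderr as well as stdout and never checks its exit status, so a wrong current password, a changed prompt order or a missing binary fails invisibly while the function continues to `exit 0`. The `DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )` line above it is fragile in the same way: `grep password` matches any line containing that word, `cut -d= -f2` truncates a password that contains `=`, and an empty result is fed straight into the heredoc as the current root password. Suggested rewrite of the `# secure mysql` lines, keeping stderr visible and aborting on failure; the enclosing function starts outside the hunk.
```shell
  # … unchanged: fail2ban jail.local copy …

  # secure mysql
  DBPASSWD=$( grep '^password' /root/.my.cnf | cut -d= -f2- )
  [[ -n "$DBPASSWD" ]] || { echo "unable to read the DB password from /root/.my.cnf" >&2; exit 1; }
  mysql_secure_installation >/dev/null <<EOF || { echo "mysql_secure_installation failed" >&2; exit 1; }
$DBPASSWD
y
$DBPASSWD
$DBPASSWD
y
y
y
y
EOF
```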