-rw-r--r-- | changelog.md | 4 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/fail2ban.sh | 1 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/nc-init.sh | 2 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/nc-nextcloud.sh | 2 | ||||
-rw-r--r-- | lamp.sh | 4 | ||||
-rw-r--r-- | nextcloudpi.sh | 6 | ||||
-rwxr-xr-x | update.sh | 22 |
7 files changed, 33 insertions, 8 deletions
diff --git a/changelog.md b/changelog.md
index 55f3a99a..4ab8b3e7 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,7 @@
-[v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/17af1ab) (2017-12-16) security hardening
+[v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/392ac9c) (2017-12-17) security hardening part 2
+
+[v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/b817b90) (2017-12-16) security hardening
 [v0.41.10](https://github.com/nextcloud/nextcloudpi/commit/330df57) (2017-12-16) dnsmasq: added interface
diff --git a/etc/nextcloudpi-config.d/fail2ban.sh b/etc/nextcloudpi-config.d/fail2ban.sh
index d240e747..c3426259 100644
--- a/etc/nextcloudpi-config.d/fail2ban.sh
+++ b/etc/nextcloudpi-config.d/fail2ban.sh
@@ -155,6 +155,7 @@ filter = nextcloud
 logpath = $NCLOG
 maxretry = $MAXRETRY_
 EOF
+ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 update-rc.d fail2ban defaults
 update-rc.d fail2ban enable
 service fail2ban restart
diff --git a/etc/nextcloudpi-config.d/nc-init.sh b/etc/nextcloudpi-config.d/nc-init.sh
index 1e04c48e..427edab9 100644
--- a/etc/nextcloudpi-config.d/nc-init.sh
+++ b/etc/nextcloudpi-config.d/nc-init.sh
@@ -55,7 +55,7 @@ configure()
 # workaround to emulate DROP USER IF EXISTS ..;)
 local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
- mysql -u root <<EOF
+ mysql <<EOF
 DROP DATABASE IF EXISTS nextcloud;
 CREATE DATABASE nextcloud
 CHARACTER SET utf8mb4
diff --git a/etc/nextcloudpi-config.d/nc-nextcloud.sh b/etc/nextcloudpi-config.d/nc-nextcloud.sh
index 098c0337..6b366f1a 100644
--- a/etc/nextcloudpi-config.d/nc-nextcloud.sh
+++ b/etc/nextcloudpi-config.d/nc-nextcloud.sh
@@ -111,7 +111,7 @@ configure()
 # workaround to emulate DROP USER IF EXISTS ..;)
 local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
- mysql -u root -p"$DBPASSWD" <<EOF
+ mysql <<EOF
 DROP DATABASE IF EXISTS nextcloud;
 CREATE DATABASE nextcloud
 CHARACTER SET utf8mb4
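Review bot: The added `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local` overwrites an existing jail.local unconditionally, and jail.local is the file fail2ban reserves for local overrides, so if an administrator has put jail settings there they are silently replaced by whatever jail.conf holds; the heredoc just above appears to generate jail.conf, but its target line is outside the hunk. Copying only when the override file is absent keeps the intent without clobbering, `[[ -e /etc/fail2ban/jail.local ]] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`, and a failed cp is currently not checked before `service fail2ban restart` runs. The same unconditional copy is added to update.sh in the last hunk on this page.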
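Review bot: `mysql <<EOF` now authenticates implicitly (presumably via /root/.my.cnf, the file the preceding line reads), but nothing checks that the client actually connected, so if that file is missing or its credentials are stale the DROP/CREATE statements are skipped and configure() continues as if the database had been set up; whether `set -e` is in effect is not visible here. Checking the status on the same line keeps the heredoc intact, `mysql <<EOF || { echo "database setup failed" >&2; return 1; }`. The identical change in the nc-nextcloud.sh hunk that follows has the same gap, though there dropping the `-p"$DBPASSWD"` argument also keeps the password out of the process list. configure() starts outside the hunk.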
@@ -124,7 +124,9 @@ EOF
 mysql_secure_installation <<EOF
 $DBPASSWD
-n
+y
+$DBPASSWD
+$DBPASSWD
 y
 y
 y
diff --git a/nextcloudpi.sh b/nextcloudpi.sh
index 720153ed..0d47ded6 100644
--- a/nextcloudpi.sh
+++ b/nextcloudpi.sh
@@ -203,11 +203,13 @@ EOF
 ## SSH hardening
 sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
 sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
- sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
+ sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config
 sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
 sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
 sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
- sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config
+ sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config
 sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
 ## kernel hardening
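Review bot: The heredoc fed to `mysql_secure_installation` is a positional answer script, and changing the second answer from `n` to `y` and adding the password twice only does the right thing if the installed tool asks its prompts in exactly this order (current password, change root password, new password, confirm, then the yes/no questions); a version that inserts or drops a prompt would receive the password as the answer to a different question. Nothing in the hunk records which prompt each line answers, so a reader cannot verify the sequence; a comment above the heredoc would make it checkable, e.g. `# answers: current root pw, change root pw (y), new pw, confirm pw, then remove anon users / disallow remote root / remove test db / reload privileges`. The prompt order is not shown on this page, so confirm it against the MariaDB/MySQL version the image ships.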
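Review bot: The changed pattern `^MaxAuthTries .*` only matches a line that is already uncommented, but OpenSSH's shipped sshd_config has this directive commented out (`#MaxAuthTries 6`), so on a fresh build this sed is a no-op and the sshd default stays in effect unless an earlier step already uncommented it; the old `^#MaxAuthTries` form matched the shipped file. Matching an optional leading `#`, `sed -i 's|^#\?MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config`, covers both the commented default and a previously set value; the same form would make the `^X11Forwarding` line independent of whether the distribution ships that directive commented, and the identical two seds in the first update.sh hunk below have the same issue. Note also that MaxAuthTries counts every public key a client offers, so with a value of 1 a user whose agent holds more than one key can be disconnected before the right key is tried; consider whether 2 or 3 is the intended trade-off and record the reasoning in a comment.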
@@ -147,11 +147,13 @@ done
 ## harden SSH
 sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
 sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
- sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
+ sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config
 sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
 sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
 sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
- sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config
+ sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config
 sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
 ## harden kernel
@@ -171,6 +173,22 @@ net.ipv4.conf.default.accept_source_route=0
 net.ipv4.conf.default.log_martians=1
 net.ipv4.tcp_timestamps=0
 EOF
+
+ # small tweaks
+ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+
+ # secure mysql
+ DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
+ mysql_secure_installation &>/dev/null <<EOF
+$DBPASSWD
+y
+$DBPASSWD
+$DBPASSWD
+y
+y
+y
+y
+EOF
 }
 exit 0
|
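Review bot: `mysql_secure_installation &>/dev/null <<EOF` discards all output and its exit status is never checked, so if the password read from /root/.my.cnf does not match the current root password the tool fails silently and the script still reaches `exit 0`; the same heredoc in nc-nextcloud.sh earlier on this page at least leaves the output visible. `cut -d= -f2` also truncates a password that itself contains `=`, which would make the first answer wrong; `cut -d= -f2-` keeps the rest of the line, and `mysql_secure_installation &>/dev/null <<EOF || echo "mysql_secure_installation failed" >&2` leaves a trace in the update log. DBPASSWD is assigned without `local` here, unlike the `local DBPASSWD` in the config scripts, so the password stays in a global variable for the rest of the run; the enclosing function starts outside the hunk.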