write some stuff ne

sisihagen · Jun 28, 2020 · 8206f68 · 8206f68
1 parent 9cb8182
commit 8206f68
Show file tree

Hide file tree

Showing 6 changed files with 178 additions and 0 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,12 @@
+root = true
+
+[*]
+indent_size = 2
+indent_style = space
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/etc/systemd/system/firewall.service b/etc/systemd/system/firewall.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Hardening TCP Stack
+After=tcp_stack_hardening.service
+
+[Service]
+ExecStart=/usr/local/bin/firewall.sh
+TimeoutSec=30
+Restart=on-failure
+RestartSec=30
+StartLimitInterval=350
+StartLimitBurst=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/tcp_stack_hardening..service b/etc/systemd/system/tcp_stack_hardening..service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Hardening TCP Stack
+After=network.target
+After=systemd-user-sessions.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/tcp_stack_hardening.sh
+TimeoutSec=30
+Restart=on-failure
+RestartSec=30
+StartLimitInterval=350
+StartLimitBurst=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/install.sh b/install.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+echo "You want install the scipt and had read the Readme? yes|no"
+read -r install
+
+if [[ "$install" = yes ]]; then
+	if [[ $EUID -ne 0 ]]; then
+		echo "To install the Script we need root access!"
+		exit 1
+	else
+		install -D -m 755 -o root usr/local/bin/*.sh /usr/local/bin
+		install -D -m 644 -o root etc/systemd/system/*.service /etc/systemd/system
+
+		echo "files are copied, you want activate now the script or at boot? now|boot"
+
+		read -r activate
+
+		if [[ "$activate" = now ]]; then
+			systemctl enable --now tcp_stack_hardening.service
+			systemctl enable --now firewall.service
+		fi
+
+		if [[ "$activate" = boot ]]; then
+			systemctl enable tcp_stack_hardening.service
+			systemctl enable firewall.service
+		fi
+	fi
+
+	exit 1
+fi
+
+case $1 in
+	deactivate)
+		echo "You want deactivate the firewall? yes|no"
+		read -r deactivate
+
+		if [[ "$deactivate" = yes ]]; then
+			systemctl disable --now tcp_stack_hardening.service
+			systemctl disable --now firewall.service
+		fi
+
+		echo "The Firewall is deactivated"
+		exit 1
+	;;
+
+	uninstall)
+		echo "You want uninstall the script? yes|no"
+		read -r uninstall
+
+		if [[ "$uninstall" = yes ]]; then
+			systemctl disable --now tcp_stack_hardening.service
+			systemctl disable --now firewall.service
+		fi
+
+		if [[ -f "/etc/systemd/system/firewall.service" ]]; then
+			rm /etc/systemd/system/firewall.service
+		fi
+
+		if [[ -f "/etc/systemd/system/tcp_stack_hardening.service" ]]; then
+			rm /etc/systemd/system/tcp_stack_hardening.service
+		fi
+
+		if [[ -f "/usr/local/bin/iptables.sh" ]]; then
+			rm "/usr/local/bin/iptables.sh"
+		fi
+
+		if [[ -f "/usr/local/bin/tcp_stack_hardening.sh" ]]; then
+			rm /usr/local/bin/tcp_stack_hardening.sh
+		fi
+
+		echo "The script is uninstalled!"
+		exit 1
+	;;
+esac
diff --git a/iptables.sh → usr/local/bin/iptables.sh b/iptables.sh → usr/local/bin/iptables.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+# created 2020-02-11
+# Silvio Siefke <[email protected]>
 
 ### network adapter 
 out_ad=$(ip route get 8.8.8.8 | awk -- '{printf $5}')

diff --git a/usr/local/bin/tcp_stack_hardening.sh b/usr/local/bin/tcp_stack_hardening.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+### TCP/IP stack hardening
+### create 2020-02-11
+### Silvio Siefke <[email protected]>
+
+vpn_active='false'
+ping_disable='false'
+
+if [[ "$vpn_active" = true ]]; then
+	echo 1 > /proc/sys/net/ipv4/ip_forward	
+fi
+
+# TCP SYN cookie protection
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
+echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
+echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
+echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
+echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
+echo 2 > /proc/sys/net/ipv4/tcp_keepalive_probes
+echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
+echo 0 > /proc/sys/net/ipv4/tcp_sack
+echo 0 > /proc/sys/net/ipv4/tcp_timestamps
+echo 1 > /proc/sys/net/ipv4/tcp_orphan_retries
+echo 1 > /proc/sys/net/ipv4/tcp_rfc1337
+
+# Turn on Source Address Verification in all interfaces to prevent some spoofing attacks.
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+
+# Do not accept ICMP redirects (prevent MITM attacks)
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
+echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/secure_redirects
+echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
+echo 0 > /proc/sys/net/ipv6/conf/default/accept_redirects
+
+# Ignore ICMP broadcasts will stop gateway from responding to broadcast pings.
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Ignore bogus ICMP errors.
+echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+
+# Do not send ICMP redirects.
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
+
+if [[ "$ping_disable" = true ]]; then
+	echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
+	echo 0 > /proc/sys/net/ipv6/icmp/echo_ignore_all
+fi
+
+# Do not accept IP source route packets.
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
+
+# Turn on log Martian Packets with impossible addresses.
+echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 > /proc/sys/net/ipv4/conf/default/log_martians