diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..007463b
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,12 @@
+root = true
+
+[*]
+indent_size = 2
+indent_style = space
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/etc/systemd/system/firewall.service b/etc/systemd/system/firewall.service
new file mode 100644
index 0000000..747530f
--- /dev/null
+++ b/etc/systemd/system/firewall.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Hardening TCP Stack
+After=tcp_stack_hardening.service
+
+[Service]
+ExecStart=/usr/local/bin/firewall.sh
+TimeoutSec=30
+Restart=on-failure
+RestartSec=30
+StartLimitInterval=350
+StartLimitBurst=10
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/etc/systemd/system/tcp_stack_hardening..service b/etc/systemd/system/tcp_stack_hardening..service
new file mode 100644
index 0000000..71b3046
--- /dev/null
+++ b/etc/systemd/system/tcp_stack_hardening..service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Hardening TCP Stack
+After=network.target
+After=systemd-user-sessions.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/tcp_stack_hardening.sh
+TimeoutSec=30
+Restart=on-failure
+RestartSec=30
+StartLimitInterval=350
+StartLimitBurst=10
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/install.sh b/install.sh
new file mode 100644
index 0000000..219317d
--- /dev/null
+++ b/install.sh
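Review bot: `ExecStart=/usr/local/bin/firewall.sh` in firewall.service names a script this commit does not ship — the firewall script is renamed to `usr/local/bin/iptables.sh` in the same change — so the unit will fail on every start and then cycle through `Restart=on-failure` until the start limit trips; either rename the script or change the line to `ExecStart=/usr/local/bin/iptables.sh`. `Description=Hardening TCP Stack` is copied from the other unit and should describe this one, e.g. `Description=Apply iptables firewall rules`. Both units run a script that applies its settings and exits, so with the default service type they show as inactive afterwards and a restart of the unit is the only way to tell whether the rules are in place; `Type=oneshot` with `RemainAfterExit=yes` is the conventional form for this (the same applies to tcp_stack_hardening..service). `After=tcp_stack_hardening.service` does not match the unit file name added in this commit (`tcp_stack_hardening..service`), and as far as I know systemd silently drops an ordering dependency on a unit that does not exist, so the firewall rules may be applied before the sysctls.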
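Review bot: The new unit file is named `tcp_stack_hardening..service` (two dots) while every reference to it — `After=` in firewall.service and the `systemctl enable`/`disable` and `rm` lines in install.sh — uses `tcp_stack_hardening.service`, so after install.sh copies the file verbatim, `systemctl enable tcp_stack_hardening.service` fails and the uninstall path leaves the unit behind; the file should be `etc/systemd/system/tcp_stack_hardening.service`. The settings the script writes are plain sysctls that do not depend on the network being up, so a drop-in under `/etc/sysctl.d/` applied by systemd-sysctl early at boot would make them persistent without a custom unit and would remove the need for the `After=network-online.target` ordering. If the unit is kept, `StartLimitInterval=`/`StartLimitBurst=` belong in `[Unit]` (as `StartLimitIntervalSec=`/`StartLimitBurst=`) on current systemd; they are still accepted in `[Service]` for compatibility but logged as deprecated.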
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+echo "You want install the scipt and had read the Readme? yes|no"
+read -r install
+
+if [[ "$install" = yes ]]; then
+ if [[ $EUID -ne 0 ]]; then
+ echo "To install the Script we need root access!"
+ exit 1
+ else
+ install -D -m 755 -o root usr/local/bin/*.sh /usr/local/bin
+ install -D -m 644 -o root etc/systemd/system/*.service /etc/systemd/system
+
+ echo "files are copied, you want activate now the script or at boot? now|boot"
+
+ read -r activate
+
+ if [[ "$activate" = now ]]; then
+ systemctl enable --now tcp_stack_hardening.service
+ systemctl enable --now firewall.service
+ fi
+
+ if [[ "$activate" = boot ]]; then
+ systemctl enable tcp_stack_hardening.service
+ systemctl enable firewall.service
+ fi
+ fi
+
+ exit 1
+fi
+
+case $1 in
+ deactivate)
+ echo "You want deactivate the firewall? yes|no"
+ read -r deactivate
+
+ if [[ "$deactivate" = yes ]]; then
+ systemctl disable --now tcp_stack_hardening.service
+ systemctl disable --now firewall.service
+ fi
+
+ echo "The Firewall is deactivated"
+ exit 1
+ ;;
+
+ uninstall)
+ echo "You want uninstall the script? yes|no"
+ read -r uninstall
+
+ if [[ "$uninstall" = yes ]]; then
+ systemctl disable --now tcp_stack_hardening.service
+ systemctl disable --now firewall.service
+ fi
+
+ if [[ -f "/etc/systemd/system/firewall.service" ]]; then
+ rm /etc/systemd/system/firewall.service
+ fi
+
+ if [[ -f "/etc/systemd/system/tcp_stack_hardening.service" ]]; then
+ rm /etc/systemd/system/tcp_stack_hardening.service
+ fi
+
+ if [[ -f "/usr/local/bin/iptables.sh" ]]; then
+ rm "/usr/local/bin/iptables.sh"
+ fi
+
+ if [[ -f "/usr/local/bin/tcp_stack_hardening.sh" ]]; then
+ rm /usr/local/bin/tcp_stack_hardening.sh
+ fi
+
+ echo "The script is uninstalled!"
+ exit 1
+ ;;
+esac
\ No newline at end of file
diff --git a/iptables.sh b/usr/local/bin/iptables.sh
similarity index 98%
rename from iptables.sh
rename to usr/local/bin/iptables.sh
index 0a248bf..9f020df 100644
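Review bot: Every successful path in install.sh ends with `exit 1` — after the install branch, at the end of the `deactivate` arm and at the end of the `uninstall` arm — so the script reports failure to its caller (and to any wrapper or CI step checking `$?`) even when it did what was asked; these should be `exit 0`, and only the `exit 1` under the `$EUID -ne 0` check should stay. The `uninstall` arm also removes `/etc/systemd/system/tcp_stack_hardening.service`, which is not the file this commit installs (`tcp_stack_hardening..service`), so the unit survives an uninstall. The script has no `set -euo pipefail`, so a failed `install` copy is followed by `systemctl enable` on files that were never placed; add it after the shebang and change the dispatcher to `case "${1:-}" in` so running with no argument does not trip `-u`. The multi-source `install -D ... usr/local/bin/*.sh /usr/local/bin` form is clearer and less ambiguous as `install -m 755 -o root -t /usr/local/bin usr/local/bin/*.sh` (same for the unit files).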
--- a/iptables.sh
+++ b/usr/local/bin/iptables.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+# created 2020-02-11
+# Silvio Siefke
 ### network adapter
 out_ad=$(ip route get 8.8.8.8 | awk -- '{printf $5}')
diff --git a/usr/local/bin/tcp_stack_hardening.sh b/usr/local/bin/tcp_stack_hardening.sh
new file mode 100644
index 0000000..3c01f88
--- /dev/null
+++ b/usr/local/bin/tcp_stack_hardening.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+### TCP/IP stack hardening
+### create 2020-02-11
+### Silvio Siefke
+
+vpn_active='false'
+ping_disable='false'
+
+if [[ "$vpn_active" = true ]]; then
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+fi
+
+# TCP SYN cookie protection
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
+echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
+echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
+echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
+echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
+echo 2 > /proc/sys/net/ipv4/tcp_keepalive_probes
+echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
+echo 0 > /proc/sys/net/ipv4/tcp_sack
+echo 0 > /proc/sys/net/ipv4/tcp_timestamps
+echo 1 > /proc/sys/net/ipv4/tcp_orphan_retries
+echo 1 > /proc/sys/net/ipv4/tcp_rfc1337
+
+# Turn on Source Address Verification in all interfaces to prevent some spoofing attacks.
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+
+# Do not accept ICMP redirects (prevent MITM attacks)
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
+echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/secure_redirects
+echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
+echo 0 > /proc/sys/net/ipv6/conf/default/accept_redirects
+
+# Ignore ICMP broadcasts will stop gateway from responding to broadcast pings.
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Ignore bogus ICMP errors.
+echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+
+# Do not send ICMP redirects.
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
+
+if [[ "$ping_disable" = true ]]; then
+ echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
+ echo 0 > /proc/sys/net/ipv6/icmp/echo_ignore_all
+fi
+
+# Do not accept IP source route packets.
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
+
+# Turn on log Martian Packets with impossible addresses.
+echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
\ No newline at end of file
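Review bot: The `ping_disable` block writes `0` to `icmp_echo_ignore_all`, which is the kernel default that answers echo requests, so setting `ping_disable='true'` changes nothing; the two lines should be `echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all` and `echo 1 > /proc/sys/net/ipv6/icmp/echo_ignore_all`. None of the `echo ... >` writes is checked, so a missing entry (the ipv6 paths on a host with IPv6 disabled, for example) prints an error but the script still exits 0 and the unit reports success; `set -euo pipefail` after the shebang, or `sysctl -w key=value` which returns non-zero for a key it cannot set, would surface that, and a drop-in under `/etc/sysctl.d/` would give the same settings persistence via systemd-sysctl without a custom unit. `tcp_window_scaling=0`, `tcp_sack=0` and `tcp_timestamps=0` are worth an explicit why-comment: the first caps the receive window at 64 KiB and the other two disable selective ACK and PAWS, which costs throughput on any high-latency path, so the intent (e.g. hiding the uptime hint in TCP timestamps) should be stated next to those lines rather than under the generic "SYN cookie protection" heading. Minor: `vpn_active` and `ping_disable` are initialised to the string `'false'` and compared with `= true`; that works, but `==` inside `[[ ]]` is the conventional spelling.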