From 2aa8db968442a60b337a76e39b08767c510b1c41 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 22 Sep 2017 15:40:30 +0100
Subject: [PATCH 1/4] Ensure that motd gets locked down

---
 src/freedombone-utils-setup | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 0be4fe65..7849cfea 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -646,6 +646,8 @@ function lockdown_permissions {
         chmod -R 600 /etc/letsencrypt
         chmod -R g=rX /etc/letsencrypt
     fi
+    chown -f root:root /etc/motd /etc/issue*
+    chmod -f 0444 /etc/motd /etc/issue*
 }
 
 function disable_core_dumps {

From 624a6b4f978d697f81f5527b54879db1c430be86 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 22 Sep 2017 16:30:57 +0100
Subject: [PATCH 2/4] Ensure address space layout randomization

---
 src/freedombone-utils-firewall | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index d82306ac..7f9ec36f 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -290,6 +290,11 @@ function configure_internet_protocol {
         sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
         sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
     fi
+    if ! grep -q "kernel.randomize_va_space" /etc/sysctl.conf; then
+        echo "kernel.randomize_va_space=2" >> /etc/sysctl.conf
+    else
+        sed -i 's|kernel.randomize_va_space.*|kernel.randomize_va_space=2|g' /etc/sysctl.conf
+    fi
     mark_completed $FUNCNAME
 }
 

From 980689992a92e3f93e7d22b63916c7b0bc71c8e9 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 22 Sep 2017 17:00:40 +0100
Subject: [PATCH 3/4] Turn off tcp timestamps

---
 src/freedombone-utils-firewall | 9 +++++++++
 1 file changed, 9 insertions(+)

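Review bot: The two added lines follow symlinks, so if /etc/motd is a symlink (it is on some Debian releases, pointing into /var/run) the mode and ownership land on the link target, which is regenerated at boot, and the lock-down silently does nothing lasting; `chmod` has no no-dereference option, so the guard has to be explicit, e.g. `[ -L /etc/motd ] || chmod -f 0444 /etc/motd` and `chown -fh root:root /etc/motd /etc/issue*`. The `-f` flag also hides any failure, so a file that could not be chowned is never reported. If an unquoted `/etc/issue*` matches nothing the literal name is passed through; that is harmless here but worth a comment such as `# lock the login banners; glob may expand to nothing`. lockdown_permissions begins before this hunk.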
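Review bot: The `grep -q "kernel.randomize_va_space"` test is unanchored, so a commented-out `#kernel.randomize_va_space = ...` line satisfies it, and the `else` branch's sed then rewrites only the tail of that line, leaving the leading `#` in place and ASLR not enabled by this file; the accept_redirects block just above handles exactly this case with a separate `#`-prefixed pattern. One sed that strips an optional comment marker avoids the mismatch: `sed -i 's|^#\?[[:space:]]*kernel\.randomize_va_space.*|kernel.randomize_va_space=2|' /etc/sysctl.conf` (the dots also need escaping in the pattern, as they match any character otherwise). On systemd hosts a later fragment in /etc/sysctl.d/ could still override this value, which I cannot verify from here. configure_internet_protocol begins before this hunk.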
diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 7f9ec36f..6f788bb1 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -290,11 +290,20 @@ function configure_internet_protocol {
         sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
         sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
     fi
+
+    # Randomize kernel
     if ! grep -q "kernel.randomize_va_space" /etc/sysctl.conf; then
         echo "kernel.randomize_va_space=2" >> /etc/sysctl.conf
     else
         sed -i 's|kernel.randomize_va_space.*|kernel.randomize_va_space=2|g' /etc/sysctl.conf
     fi
+
+    # Turn off the tcp_timestamps
+    if ! grep -q "net.ipv4.tcp_timestamps" /etc/sysctl.conf; then
+        echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.conf
+    else
+        sed -i 's|net.ipv4.tcp_timestamps.*|net.ipv4.tcp_timestamps=0|g' /etc/sysctl.conf
+    fi
     mark_completed $FUNCNAME
 }
 

From 30a181f7fc38b06a2134d09d2229cd24716319dc Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 22 Sep 2017 17:02:29 +0100
Subject: [PATCH 4/4] Relead after sysctl changes

---
 src/freedombone-utils-firewall | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 6f788bb1..56460df7 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -304,6 +304,7 @@ function configure_internet_protocol {
     else
         sed -i 's|net.ipv4.tcp_timestamps.*|net.ipv4.tcp_timestamps=0|g' /etc/sysctl.conf
     fi
+    /sbin/sysctl -p
     mark_completed $FUNCNAME
 }
 
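Review bot: The new tcp_timestamps block has the same unanchored match as the ASLR block above it: `grep -q "net.ipv4.tcp_timestamps"` is satisfied by a commented-out line, and the sed in the `else` branch then leaves the `#` in front of `net.ipv4.tcp_timestamps=0`, so the setting is never applied; `sed -i 's|^#\?[[:space:]]*net\.ipv4\.tcp_timestamps.*|net.ipv4.tcp_timestamps=0|' /etc/sysctl.conf` handles both the live and the commented form. The added `# Randomize kernel` comment mis-describes what `kernel.randomize_va_space=2` does, which is randomise the address layout of user processes (stack, mmap, vDSO and brk), not the kernel; `# Full ASLR for user-space processes (stack, mmap, brk)` would be accurate. Disabling TCP timestamps stops the uptime leak but also turns off PAWS and RTT measurement, which can hurt long-lived high-bandwidth connections, and a one-line comment stating that trade-off would help the next reader. configure_internet_protocol begins before this hunk.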
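Review bot: The exit status of the added `/sbin/sysctl -p` is ignored, so if any key in /etc/sysctl.conf is unknown to the running kernel sysctl reports the error and returns non-zero, yet `mark_completed $FUNCNAME` on the next line still records the step as done and the remaining keys may never have been loaded; whether the script runs under `set -e` is not visible here. Something like `/sbin/sysctl -p >/dev/null || echo "warning: failed to reload /etc/sysctl.conf" >&2` at least makes the failure visible. `sysctl -p` without a filename reloads only /etc/sysctl.conf, whereas `sysctl --system` applies the same set of files the boot-time loader uses, including /etc/sysctl.d/, so the two can disagree on hosts that carry fragments there. configure_internet_protocol begins before this hunk.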