Not So Minimal ArchLinux

by methou

ArchLinux with:
UFW: allow SSH only
IPv4: forwarding enabled
BBR: fq qdisc with a 100 Mbit per-flow maxrate
root user: locked out.

Compatible with: Arch 2017.04.01
						#!/bin/bash

# <UDF name="username" label="Admin user name" example="This will be the user who will be able to SSH into the server. with Passwordless sudo" />
# <UDF name="userpubkey" label="Public key for the user" default="" example="Should look like 'ssh-rsa AAABBB1x2y3z...'" />
# <UDF name="userpubkey_uri" label="Or a url to your pubkeys" default="" example="Should look like 'https://gist.github.com/...'" />
# <UDF name="hostname" label="Host name" example="This is the name of your server."/>

# Update system
pacman -Syyu --noconfirm

# <---------------------------- Networking Setup ------------------------------->
echo $HOSTNAME > /etc/hostname
hostname -F /etc/hostname
# setup hosts
echo -e "127.0.0.1\t$HOSTNAME"
echo -e "::1\t$HOSTNAME"
# Setup Timezone
TZ="UTC"
ln -sf /usr/share/zoneinfo/$TZ /etc/localtime

# <------------------------------ User Creation --------------------------------->
useradd $USERNAME
groupadd sudo
usermod -a -G sudo $USERNAME
echo "%sudo ALL = NOPASSWD: ALL" >> /etc/sudoers

# Allow only the unprivileged user to log on
if [ -n "$USERPUBKEY" ]; then
    passwd -d "$USERNAME"
    mkdir -p /home/$USERNAME/.ssh
    echo "$USERPUBKEY" >> /home/$USERNAME/.ssh/authorized_keys
    chown -R "$USERNAME":"$USERNAME" /home/$USERNAME
fi
if [ -n "$USERPUBKEY_URI" ]; then
    mkdir -p /home/$USERNAME/.ssh
    passwd -d "$USERNAME"
    curl "$USERPUBKEY_URI" -ko /home/$USERNAME/.ssh/authorized_keys
    chown -R "$USERNAME":"$USERNAME" /home/$USERNAME
    chmod 700 /home/$USERNAME/.ssh
    chmod 600 /home/$USERNAME/.ssh/*
fi
# <------------------------------ OpenSSH Setup ------------------------------->
cat << _EOF_ > /etc/ssh/ssh_config
Host *
Protocol 2
ForwardAgent no
ForwardX11 no
HostbasedAuthentication no
StrictHostKeyChecking no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Tunnel no
_EOF_
cat << _EOF_ > /etc/ssh/sshd_config
Port 22
ListenAddress 0.0.0.0
ListenAddress ::
Protocol 2

# Disable PasswordAuthentication as ssh keys are more secure.
PasswordAuthentication no
PermitRootLogin no
PermitTunnel no
AllowTcpForwarding yes
X11Forwarding no

# Disable root login, using sudo provides better auditing.
PermitRootLogin no
PermitTunnel no
AllowTcpForwarding yes
X11Forwarding no

# Compute times out connections after 10 minutes of inactivity.  Keep alive
# ssh connections by sending a packet every 7 minutes.
ClientAliveInterval 420
_EOF_
systemctl restart sshd

# <------------------------------ System Tweak -------------------------------->
cat << _EOF_ > /etc/sysctl.conf
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 1
_EOF_

sysctl --system

# Set up a firewall (UFW)
pacman -S --noconfirm ufw
ufw default deny
ufw allow ssh
systemctl enable ufw
yes|ufw enable

# lockout root
usermod -L root

# BBR
tc qdisc add dev eth0 root fq maxrate 100Mbit