security hardening part 2

nachoparker 2017-12-17 13:46:18 +01:00
parent bd5cb8e2b3
commit af54edb121
7 changed files with 33 additions and 8 deletions


@ -1,5 +1,7 @@
[v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/17af1ab) (2017-12-16) security hardening
[v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/392ac9c) (2017-12-17) security hardening part 2
[v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/b817b90) (2017-12-16) security hardening
[v0.41.10](https://github.com/nextcloud/nextcloudpi/commit/330df57) (2017-12-16) dnsmasq: added interface


@ -155,6 +155,7 @@ filter = nextcloud
logpath = $NCLOG
maxretry = $MAXRETRY_
EOF
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
update-rc.d fail2ban defaults
update-rc.d fail2ban enable
service fail2ban restart
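Review bot: The `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local` line (the one this hunk appears to add) copies every default into the override file, so fail2ban keeps these frozen values even after a package update changes jail.conf; only the site-specific part (presumably the nextcloud jail written by the heredoc whose target line is above the hunk) belongs in jail.local or a jail.d/ drop-in. The copy is also unchecked, so if it fails the script still proceeds to `service fail2ban restart` and reports success; `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local || exit 1` (or `|| return 1` if this runs inside a function — the enclosing scope is outside the hunk) would stop it there.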


@ -55,7 +55,7 @@ configure()
# workaround to emulate DROP USER IF EXISTS ..;)
local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
mysql -u root <<EOF
mysql <<EOF
DROP DATABASE IF EXISTS nextcloud;
CREATE DATABASE nextcloud
CHARACTER SET utf8mb4
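Review bot: The new `mysql <<EOF` line relies entirely on /root/.my.cnf for the client credentials, but nothing before it checks that the file is present, and `local DBPASSWD=$( … )` masks the exit status of the `grep password` pipeline, so a missing password line yields an empty DBPASSWD that the rest of the heredoc (which continues past the hunk, inside configure()) presumably interpolates into the user grant. Add a guard before the call, `[[ -n "$DBPASSWD" ]] || { echo "no password found in /root/.my.cnf" >&2; return 1; }`, and propagate the client's status with `mysql <<EOF || return 1` so a failed DROP/CREATE does not go unnoticed. Note that `grep password` is a substring match and would also pick up a commented-out or differently named key, which is worth anchoring as `grep '^password'`. The same points apply to the second configure() hunk of this commit, where `mysql -u root -p"$DBPASSWD" <<EOF` becomes `mysql <<EOF`.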


@ -111,7 +111,7 @@ configure()
# workaround to emulate DROP USER IF EXISTS ..;)
local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
mysql -u root -p"$DBPASSWD" <<EOF
mysql <<EOF
DROP DATABASE IF EXISTS nextcloud;
CREATE DATABASE nextcloud
CHARACTER SET utf8mb4


@ -124,7 +124,9 @@ EOF
mysql_secure_installation <<EOF
$DBPASSWD
n
y
$DBPASSWD
$DBPASSWD
y
y
y
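Review bot: The mysql_secure_installation answer script is positional, so the `n` inserted as the second answer only works if the installed MariaDB asks the matching question at that point; on a version with a different prompt sequence every later `y` lands on a different question and the password lines may be fed to the wrong prompt. The hunk shows no check of the tool's exit status either (the heredoc continues past the hunk and the enclosing function starts above it). A version-independent alternative is to run the equivalent SQL through the client, which is readable and returns a status that can be checked; the password lines appear to re-set the same DBPASSWD the script already reads from /root/.my.cnf, so that step can be dropped. The same concern applies to the `mysql_secure_installation &>/dev/null <<EOF` hunk in the last file of this commit.
```shell
# Equivalent of the mysql_secure_installation answers, without prompt-order dependence
mysql <<'EOF' || return 1
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
EOF
```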


@ -203,11 +203,13 @@ EOF
## SSH hardening
sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config
sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config
sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config
sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
## kernel hardening
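Review bot: `sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|'` immediately overwrites the `MaxAuthTries 2` that the line above just uncommented, so on a stock sshd_config the first sed is dead and the effective value is 1, which looks unintended given the two different numbers; MaxAuthTries 1 also rejects any client whose agent offers a non-matching key before the right one, since each refused public key counts as an attempt. A single substitution handles both the commented and the already-set form and keeps one value: `sed -i 's|^#\?MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config`, and likewise `sed -i 's|^#\?X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config` for the X11Forwarding pair. None of these seds insert a directive that is absent from the file, and the hunk shows no `sshd -t` before the daemon is restarted, so a malformed edit would only surface at the next login. The same block appears under `## harden SSH` in the last file of this commit.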


@ -147,11 +147,13 @@ done
## harden SSH
sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config
sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config
sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config
sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
## harden kernel
@ -170,6 +172,22 @@ net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
EOF
# small tweaks
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# secure mysql
DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
mysql_secure_installation &>/dev/null <<EOF
$DBPASSWD
y
$DBPASSWD
$DBPASSWD
y
y
y
y
EOF
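Review bot: `mysql_secure_installation &>/dev/null <<EOF` discards stderr together with the prompts, so a wrong current password or a rejected answer leaves the database un-hardened with no trace in the build output; redirect only stdout and propagate the status, `mysql_secure_installation >/dev/null <<EOF || return 1`. The answer sequence here (`$DBPASSWD`, `y`, the password twice, then four `y`) differs from the one in the other mysql_secure_installation hunk of this commit, which inserts an `n` after the password, so unless the two scripts target different MariaDB versions one of them is answering a prompt that is not asked. `DBPASSWD` is also assigned without `local` inside a function whose opening line is above the hunk, so the password stays set in the shell after the function returns; `local DBPASSWD` on the line before the assignment avoids that.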
}