diff --git a/post-install.txt b/post-install.txt
index 72a7c1b..04ce9fe 100755
--- a/post-install.txt
+++ b/post-install.txt
@@ -1,3 +1,6 @@
+#================================================================
+# Post install ssh configuration
+#================================================================
 echo "Changing ssh port..."
 sed -i "s/#Port 22/Port 2122/" /rootfs/etc/ssh/sshd_config
@@ -6,7 +9,13 @@ sed -i "s/UsePAM yes/UsePAM no/" /rootfs/etc/ssh/sshd_config
 echo "Restarting ssh service..."
 systemctl restart sshd
+#================================================================
+
+
+#================================================================
+# Post install fail2ban configuration
+#================================================================
 echo "Ensure fail2ban service is enabled..."
 systemctl enable fail2ban
@@ -24,13 +33,54 @@ echo 'maxretry=3' >> /rootfs/etc/fail2ban/jail.local
 echo "Restart fail2ban service..."
 sudo systemctl restart fail2ban
+#================================================================
+
+
+#================================================================
+# Post install bash configuration
+#================================================================
 echo "Configuring bash prompt..."
 echo "PS1='\[\033[02;31m\]\u@\H:\[\033[01;34m\]\w\$\[\033[00m\] '" >> /rootfs/home/james/.bashrc
+#================================================================
+
+
+#================================================================
+# Post install firewall configuration
+#================================================================
+echo "Switch to legacy iptables for k3s support"
+iptables -F
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+
+echo "Allowing local traffic in iptables"
+iptables -A INPUT -i lo -j ACCEPT
+
+echo "Allow all established connections in iptables"
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+echo "Allow ssh connections in iptables"
+iptables -A INPUT -p tcp --dport 2122 -j ACCEPT
+iptables -A OUTPUT -p tcp --sport 2122 -j ACCEPT
+
+echo "Drop all other traffic"
+iptables -A INPUT -j DROP
+
+echo "Ensure iptables-persistent is started"
+systemctl start iptables-persistent
+
+echo "Ensure iptables-persistent is enabled"
+systemctl enable iptables-persistent
+#================================================================
+
+
+
+#================================================================
+# Post install knockd configuration
+#================================================================
 echo "Configuring port knocking..."
-sed -i "/UseSysLog/ a\interface = wlan0" /rootfs/etc/knockd.conf
-sed -i
+sed -i '/UseSyslog/a\ \ \ \ \ \ \ \ \interface=wlan0' /rootfs/etc/knockd.conf
+sed -i '/UseSyslog/a\ \ \ \ \ \ \ \ \logfile = /var/log/knockd.log' /rootfs/etc/knockd.conf
 sed -i "s/sequence = 7000,8000,9000/sequence = 6315,3315,1315,5315/" /rootfs/etc/knockd.conf
 sed -i "s/sequence = 9000,8000,7000/sequence = 5315,1315,3315,6315/" /rootfs/etc/knockd.conf
@@ -39,3 +89,4 @@ systemctl enable knockd
 echo "Restarting knock service..."
 systemctl restart knockd
+#================================================================
diff --git a/readme.org b/readme.org
index 52069d8..c98fd27 100644
--- a/readme.org
+++ b/readme.org
@@ -142,7 +142,7 @@ raspberry pis.
 #+begin_example
 Copying in post-install.txt
 Display wordcount of file after copy to validate
- 48 231 1894 installer/raspberrypi-ua-netinst/config/post-install.txt
+ 92 290 3483 installer/raspberrypi-ua-netinst/config/post-install.txt
 #+end_example
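Review bot: The iptables rules appended in the firewall section of this hunk are never saved, so `systemctl start iptables-persistent` (which restores the ruleset stored in /etc/iptables/rules.v4 rather than saving the running one) cannot carry them across a reboot and may even replace them if a saved file already exists. Every other step in the script edits the installed system under /rootfs, so these runtime `iptables` and `systemctl` calls presumably act on the installer environment instead; writing the ruleset where the target's iptables-persistent will read it, `iptables-save > /rootfs/etc/iptables/rules.v4`, would make that explicit and persistent. Only IPv4 is filtered — there are no `ip6tables` rules and no rules.v6 — so sshd on port 2122 likely stays reachable over IPv6 without the DROP at the end of INPUT. Separately, the unconditional `iptables -A INPUT -p tcp --dport 2122 -j ACCEPT` opens SSH to every source, which would make the knockd sequence changes further down moot if knockd is meant to gate that port; confirm which of the two is intended.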