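#!/usr/bin/env bash
#================================================================
# Post install configuration: ssh, fail2ban, bash prompt, iptables
# and knockd.
#
# File edits are made under ${ROOTFS} (default /rootfs); service
# management (systemctl) and the iptables rules act on the running
# host. NOTE(review): the original script mixed the two the same
# way — confirm this is intended (e.g. /rootfs is the live root
# reachable under that path).
#
# Environment (all optional; defaults reproduce the original values):
#   ROOTFS          filesystem root to edit                 (/rootfs)
#   SSH_PORT        sshd listen port, reused by the fail2ban
#                   jail and the knockd open/close rules    (2122)
#   TARGET_USER     user whose ~/.bashrc gets the prompt    (james)
#   KNOCK_IFACE     interface knockd listens on             (wlan0)
#   KNOCK_SEQUENCE  knock sequence that opens ssh           (6315,3315,1315,5315)
#
# Must run as root (every step writes to ${ROOTFS}/etc or the live
# ruleset). Re-running is safe: each step checks for its own effect
# before applying it instead of appending duplicates.
#================================================================
set -euo pipefail

ROOTFS="${ROOTFS:-/rootfs}"
SSH_PORT="${SSH_PORT:-2122}"
TARGET_USER="${TARGET_USER:-james}"
KNOCK_IFACE="${KNOCK_IFACE:-wlan0}"
KNOCK_SEQUENCE="${KNOCK_SEQUENCE:-6315,3315,1315,5315}"
readonly ROOTFS SSH_PORT TARGET_USER KNOCK_IFACE KNOCK_SEQUENCE

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Append a line to a file unless that exact line is already present,
# so re-running the script does not duplicate entries.
# Arguments: $1 - file (created if missing), $2 - line to append
#######################################
append_once() {
  local file=$1 line=$2
  if ! grep -qsFx -- "$line" "$file"; then
    printf '%s\n' "$line" >> "$file"
  fi
}

#######################################
# Append a rule to the INPUT chain unless an identical rule exists.
# Arguments: $@ - iptables match/target arguments following "INPUT"
#######################################
ensure_input_rule() {
  # `-C` exits non-zero and complains on stderr when the rule is
  # absent; that is the expected case, so its stderr is dropped.
  if ! iptables -C INPUT "$@" 2>/dev/null; then
    iptables -A INPUT "$@"
  fi
}

#######################################
# Move sshd to ${SSH_PORT} and disable PAM, then restart sshd.
# Globals:  ROOTFS, SSH_PORT (read)
# Returns:  exits via die if the edits did not take effect
#######################################
configure_ssh() {
  local cfg="${ROOTFS}/etc/ssh/sshd_config"
  [[ -f "$cfg" ]] || die "missing ${cfg}"

  echo "Changing ssh port..."
  # Only the distribution's commented default line is rewritten. An
  # uncommented "Port <other>" is deliberately left alone, and the check
  # below then fails instead of silently leaving the old port active.
  sed -i "s/^#Port 22$/Port ${SSH_PORT}/" "$cfg"
  grep -q "^Port ${SSH_PORT}$" "$cfg" \
    || die "could not set Port ${SSH_PORT} in ${cfg}"

  echo "Turning off ssh pam..."
  sed -i "s/^UsePAM yes$/UsePAM no/" "$cfg"
  ! grep -q '^UsePAM yes' "$cfg" || die "UsePAM is still enabled in ${cfg}"

  echo "Restarting ssh service..."
  systemctl restart sshd
}

#######################################
# Enable fail2ban and add an [ssh] jail watching ${SSH_PORT}.
# Globals:  ROOTFS, SSH_PORT (read)
#######################################
configure_fail2ban() {
  local jail="${ROOTFS}/etc/fail2ban/jail.local"

  echo "Ensure fail2ban service is enabled..."
  systemctl enable fail2ban

  echo "Configure fail2ban ssh jail..."
  # The original appended the section unconditionally, so every run
  # produced another [ssh] block; only add it when it is not there yet.
  if grep -qs '^\[ssh\]' "$jail"; then
    echo "fail2ban [ssh] jail already defined in ${jail}; not appending"
  else
    # NOTE(review): logpath assumes a syslog-style auth.log; on hosts
    # that log only to the journal this file may not exist — confirm.
    cat >> "$jail" <<EOF
[ssh]
enabled=true
port=${SSH_PORT}
filter=sshd
logpath=/var/log/auth.log
bantime=1800
banaction=iptables-allports
findtime=900
maxretry=3
EOF
  fi

  echo "Restart fail2ban service..."
  # The original used sudo only on this line; the rest of the script
  # already requires root, so it is invoked like the other services.
  systemctl restart fail2ban
}

#######################################
# Add the coloured prompt to ${TARGET_USER}'s .bashrc (once).
# Globals:  ROOTFS, TARGET_USER (read)
#######################################
configure_bash() {
  local rc="${ROOTFS}/home/${TARGET_USER}/.bashrc"
  # Written verbatim: neither bash's echo (as used originally) nor
  # printf '%s' interprets the backslash escapes, so the bytes that
  # land in .bashrc are the same as before.
  local prompt="PS1='\[\033[02;31m\]\u@\H:\[\033[01;34m\]\w\$\[\033[00m\] '"

  echo "Configuring bash prompt..."
  append_once "$rc" "$prompt"
}

#######################################
# Write knockd.conf, enable knockd in its defaults file and restart it.
# Globals:  ROOTFS, SSH_PORT, KNOCK_IFACE, KNOCK_SEQUENCE (read)
# Returns:  exits via die if START_KNOCKD could not be enabled
#######################################
configure_knockd() {
  local conf="${ROOTFS}/etc/knockd.conf"
  local defaults="${ROOTFS}/etc/default/knockd"

  echo "Writing port knocking configuration file..."
  # The sequence is effectively a shared secret between the operator
  # and this host; override KNOCK_SEQUENCE per deployment rather than
  # shipping the default everywhere. The opened rule is removed again
  # after cmd_timeout seconds; sessions established in that window
  # keep working through the ESTABLISHED,RELATED rule in the firewall.
  cat > "$conf" <<EOF
[options]
UseSysLog
logfile = /var/log/knockd.log
interface=${KNOCK_IFACE}
[ssh]
sequence = ${KNOCK_SEQUENCE}
seq_timeout = 15
start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport ${SSH_PORT} -j ACCEPT
tcpflags = syn
cmd_timeout = 60
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ${SSH_PORT} -j ACCEPT
EOF

  echo "Enabling port knocking..."
  sed -i "s/^START_KNOCKD=0$/START_KNOCKD=1/" "$defaults"
  grep -q '^START_KNOCKD=1' "$defaults" \
    || die "could not enable knockd in ${defaults}"
  systemctl enable knockd

  echo "Restarting knock service..."
  systemctl restart knockd
}

#######################################
# Install a default-deny INPUT policy (loopback and established traffic
# allowed) and enable the persistence service.
# Globals:  none
# Returns:  exits via die if knockd is not running, since the DROP rule
#           would then lock out every new ssh session
#######################################
configure_firewall() {
  # The legacy-iptables switch for k3s was commented out in the
  # original script; it stays disabled here, unchanged.
  #iptables -F
  #update-alternatives --set iptables /usr/sbin/iptables-legacy

  # There is no static allow for ssh: knockd opens it per source
  # address. Refuse to add the DROP rule unless knockd is up.
  systemctl is-active --quiet knockd \
    || die "knockd is not running; refusing to install the INPUT DROP rule"

  echo "Allowing local traffic in iptables"
  ensure_input_rule -i lo -j ACCEPT
  echo "Allow all established connections in iptables"
  ensure_input_rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  echo "Drop all other traffic"
  ensure_input_rule -j DROP

  # NOTE(review): the rules above go into the live ruleset only; nothing
  # here saves them to the persistence service's rules file, so confirm
  # they actually survive a reboot (and confirm the unit name — the
  # Debian package's unit is netfilter-persistent).
  echo "Ensure iptables-persistent is started"
  systemctl start iptables-persistent
  echo "Ensure iptables-persistent is enabled"
  systemctl enable iptables-persistent
}

#######################################
# Entry point. knockd is configured before the firewall so that the
# default-deny rule is only installed once the knock daemon that opens
# ssh is running.
#######################################
main() {
  [[ $EUID -eq 0 ]] || die "must run as root"
  configure_ssh
  configure_fail2ban
  configure_bash
  configure_knockd
  configure_firewall
}
main "$@"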