#================================================================ # Post install ssh configuration #================================================================ echo "Changing ssh port..." sed -i "s/#Port 22/Port 2122/" /rootfs/etc/ssh/sshd_config echo "Turning off ssh pam..." sed -i "s/UsePAM yes/UsePAM no/" /rootfs/etc/ssh/sshd_config echo "Restarting ssh service..." systemctl restart sshd #================================================================ #================================================================ # Post install fail2ban configuration #================================================================ echo "Ensure fail2ban service is enabled..." systemctl enable fail2ban echo "Configure fail2ban ssh jail..." touch /rootfs/etc/fail2ban/jail.local echo '[ssh]' >> /rootfs/etc/fail2ban/jail.local echo 'enabled=true' >> /rootfs/etc/fail2ban/jail.local echo 'port=2122' >> /rootfs/etc/fail2ban/jail.local echo 'filter=sshd' >> /rootfs/etc/fail2ban/jail.local echo 'logpath=/var/log/auth.log' >> /rootfs/etc/fail2ban/jail.local echo 'bantime=1800' >> /rootfs/etc/fail2ban/jail.local echo 'banaction=iptables-allports' >> /rootfs/etc/fail2ban/jail.local echo 'findtime=900' >> /rootfs/etc/fail2ban/jail.local echo 'maxretry=3' >> /rootfs/etc/fail2ban/jail.local echo "Restart fail2ban service..." sudo systemctl restart fail2ban #================================================================ #================================================================ # Post install bash configuration #================================================================ echo "Configuring bash prompt..." echo "PS1='\[\033[02;31m\]\u@\H:\[\033[01;34m\]\w\$\[\033[00m\] '" >> /rootfs/home/james/.bashrc #================================================================ #================================================================ # Post install firewall configuration #================================================================ echo "Allowing local traffic in iptables" iptables -A INPUT -i lo -j ACCEPT echo "Allow all established connections in iptables" iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT echo "Drop all other traffic" iptables -A INPUT -j DROP echo "Ensure iptables-persistent is started" systemctl start netfilter-persistent echo "Ensure iptables-persistent is enabled" systemctl enable netfilter-persistent echo "Ensure firewall rules are saved" netfilter-persistent save #================================================================ #================================================================ # Post install knockd configuration #================================================================ echo "Writing port knocking configuration file..." cat << EOF > /rootfs/etc/knockd.conf [options] UseSysLog logfile = /var/log/knockd.log interface=wlan0 [ssh] sequence = 6315,3315,1315,5315 seq_timeout = 15 start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 2122 -j ACCEPT tcpflags = syn cmd_timeout = 60 stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2122 -j ACCEPT EOF echo "Enabling knockd.service ..." sed -i "s/START_KNOCKD=0/START_KNOCKD=1/" /rootfs/etc/default/knockd cat << EOF >> /rootfs/lib/systemd/system/knockd.service [Install] WantedBy=multi-user.target Alias=knockd.service EOF systemctl enable knockd.service echo "Start knockd service..." systemctl start knockd.service #================================================================