From 6691410f945719e62601c3d69d9b2ff9c4cfb4fb Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 4 Jan 2024 12:59:39 +0100
Subject: Base system.
---
files/etc/apt/listchanges.conf | 9 ++++
files/etc/nftables.conf | 59 +++++++++++++++++++++++++++
files/etc/ssh/sshd_config.d/local.conf | 10 +++++
files/etc/systemd/resolved.conf.d/local.conf | 3 ++
files/etc/systemd/timesyncd.conf.d/local.conf | 2 +
5 files changed, 83 insertions(+)
create mode 100644 files/etc/apt/listchanges.conf
create mode 100644 files/etc/nftables.conf
create mode 100644 files/etc/ssh/sshd_config.d/local.conf
create mode 100644 files/etc/systemd/resolved.conf.d/local.conf
create mode 100644 files/etc/systemd/timesyncd.conf.d/local.conf
(limited to 'files')
diff --git a/files/etc/apt/listchanges.conf b/files/etc/apt/listchanges.conf
new file mode 100644
index 0000000..96910a0
--- /dev/null
+++ b/files/etc/apt/listchanges.conf
@@ -0,0 +1,9 @@
+[apt]
+frontend=mail
+which=news
+email_address=root
+email_format=text
+confirm=false
+headers=false
+reverse=false
+save_seen=/var/lib/apt/listchanges.db
diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf
new file mode 100644
index 0000000..e8784ab
--- /dev/null
+++ b/files/etc/nftables.conf
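Review bot: `frontend=mail` with `email_address=root` makes delivery of NEWS entries depend on local mail for root actually being routed somewhere, and nothing in this hunk (or the rest of the commit, as far as it is shown here) sets up an MTA or a root alias. If that is handled elsewhere in the repository, a one-line comment above `[apt]` naming it, e.g. `# relies on root mail being forwarded; see the MTA/aliases setup`, would save the next reader a search; if it is not, NEWS items will be generated and never read. `which=news` also deliberately limits this to NEWS.Debian entries rather than full changelogs, which is worth stating in the same comment since it is the non-default choice.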
@@ -0,0 +1,59 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet raw {
+chain PREROUTING-stateless {
+# XXX can't add that to the ingress hook as that happens before IP defragmentation
+# so we don't have the TCP header in later fragments (we don't want to drop IP
+# fragments, see https://blog.cloudflare.com/ip-fragmentation-is-broken/ )
+type filter hook prerouting priority -399 # > NF_IP_PRI_CONNTRACK_DEFRAG (-400)
+policy accept
+
+# stateless filter for bogus TCP packets
+tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet
+tcp flags & (fin|psh|urg) == fin|psh|urg counter drop # XMAS packet
+tcp flags & (syn|rst) == syn|rst counter drop
+tcp flags & (fin|rst) == fin|rst counter drop
+tcp flags & (fin|syn) == fin|syn counter drop
+tcp flags & (fin|psh|ack) == fin|psh counter drop
+}
+
+chain PREROUTING {
+type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200)
+policy accept
+
+# stateful filter
+ct state invalid counter drop
+}
+}
+
+table inet filter {
+chain input {
+type filter hook input priority 0
+policy drop
+
+iif lo accept
+
+ct state related,established accept
+meta l4proto { icmp, icmpv6 } counter accept
+
+tcp dport 22 ct state new counter accept
+}
+
+chain output {
+type filter hook output priority 0
+policy drop
+
+oif lo accept
+ct state related,established accept
+meta l4proto { icmp, icmpv6 } counter accept
+
+ct state new counter accept
+
+# graceful reject
+meta l4proto tcp counter reject with tcp reset
+meta l4proto udp counter reject
+counter reject
+}
+}
diff --git a/files/etc/ssh/sshd_config.d/local.conf b/files/etc/ssh/sshd_config.d/local.conf
new file mode 100644
index 0000000..3a5323f
--- /dev/null
+++ b/files/etc/ssh/sshd_config.d/local.conf
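Review bot: The `input` chain ends after `tcp dport 22 ct state new counter accept` and falls through to `policy drop` with no counter, so inbound traffic that is dropped is invisible in `nft list ruleset`, unlike the `output` chain whose final `counter reject` rules make rejected traffic countable. Adding `counter drop` as the last rule of `input` (optionally preceded by a rate-limited `log prefix "nft input drop: "` rule) gives the same visibility on the inbound side at no cost. Separately, `flush ruleset` at the top clears every table, including any created at runtime by other software on the host; if that is intended, a comment such as `# flush ruleset discards tables added by other services; reload with care` above it would make the consequence of `nft -f` on a live system explicit.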
@@ -0,0 +1,10 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+PermitRootLogin no
+AllowGroups ssh-login
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding no
diff --git a/files/etc/systemd/resolved.conf.d/local.conf b/files/etc/systemd/resolved.conf.d/local.conf
new file mode 100644
index 0000000..812e6b5
--- /dev/null
+++ b/files/etc/systemd/resolved.conf.d/local.conf
@@ -0,0 +1,3 @@
+[Resolve]
+# Quad9
+DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
diff --git a/files/etc/systemd/timesyncd.conf.d/local.conf b/files/etc/systemd/timesyncd.conf.d/local.conf
new file mode 100644
index 0000000..632cd3f
--- /dev/null
+++ b/files/etc/systemd/timesyncd.conf.d/local.conf
@@ -0,0 +1,2 @@
+[Time]
+NTP=ntp.hetzner.com
-- 
cgit v1.2.3
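Review bot: `ChallengeResponseAuthentication no` uses the name that OpenSSH has treated as a deprecated alias of `KbdInteractiveAuthentication` since 8.7; the line still works on current releases but the canonical spelling is `KbdInteractiveAuthentication no`, which avoids a deprecation warning in newer versions. `AllowGroups ssh-login` also makes every login depend on that group existing and being populated, and nothing in this hunk creates it or adds members; if that is done elsewhere in the repository, a comment such as `# group is created and populated by the provisioning step` above the line would document the dependency, and if it is not, the first reboot after applying this file locks out all SSH access. Listing `HostKey` explicitly is fine but silently drops the default ECDSA host key, which is presumably intended and worth one comment.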
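Review bot: The `#dns.quad9.net` suffixes on the `DNS=` entries are only used for certificate validation when DNS-over-TLS is enabled, and the hunk does not set `DNSOverTLS=`; unless the distribution build changes the default, resolved will still query these servers in plaintext and the suffixes have no effect. Adding `DNSOverTLS=yes` under `[Resolve]` enforces TLS to the listed servers (`DNSOverTLS=opportunistic` falls back to plaintext if TLS fails, which defeats the purpose on a hostile path). If the uplink also learns DNS servers via DHCP, those per-link servers are preferred for ordinary lookups and the global `DNS=` list may act only as fallback; `Domains=~.` routes all lookups to the global servers if Quad9 is meant to be used exclusively, which I cannot tell from this file.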
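Review bot: `NTP=ntp.hetzner.com` names a single, unauthenticated time source, and timesyncd falls back to the compiled-in `FallbackNTP=` pool when it is unreachable, so the effective set of servers is larger than this file suggests. If the intent is to use only the provider's server, `FallbackNTP=` set to empty makes that explicit; if the intent is resilience, listing a second host on the same `NTP=` line (space-separated) avoids depending on one name.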