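#!/usr/bin/env bash
# Post-install hardening for a Debian/Ubuntu VM. Run as root.
#
# Steps: install base tooling; create the admin user with key-only SSH access;
# disable TCP timestamps and IPv6 via sysctl; install a minimal IPv4 host
# firewall and re-apply it from an ifupdown pre-up hook; set an SSH login
# banner; enable periodic apt maintenance and the -updates origin for
# unattended-upgrades; disable unneeded services; enable VMware time sync;
# upgrade everything and reboot.
#
# The sysctl and apt appends are not idempotent: re-running duplicates them.
set -euo pipefail

readonly admin_user=steve
readonly admin_gecos="Borba, Steven J Jr"
# authorized_keys line for the admin user (the key on this page is redacted).
readonly admin_pubkey='ssh-rsa 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 steve@sborba'
readonly sshd_config=/etc/ssh/sshd_config

apt-get install -y netscript-ipfilter vim open-vm-tools

# Admin account: sudo member, no password set, so the SSH key is the only way in.
if ! id -u "$admin_user" >/dev/null 2>&1; then
  useradd "$admin_user" -c "$admin_gecos" -m -G sudo -s /bin/bash
fi
admin_home=$(getent passwd "$admin_user" | cut -d: -f6)
admin_group=$(id -gn "$admin_user")
# install(1) creates the directory and file with owner and mode in one step;
# the original "mkdir -m=0700" passed "=0700", which GNU mkdir rejects as an
# invalid mode.
install -d -m 0700 -o "$admin_user" -g "$admin_group" "$admin_home/.ssh"
install -m 0600 -o "$admin_user" -g "$admin_group" /dev/null "$admin_home/.ssh/authorized_keys"
printf '%s\n' "$admin_pubkey" > "$admin_home/.ssh/authorized_keys"

# Kernel network settings: no TCP timestamps, IPv6 off on every interface.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
sysctl -p

# Host firewall (IPv4 only; IPv6 is disabled above, so no ip6tables rules).
# The policy is DROP with an explicit loopback accept instead of policy ACCEPT
# plus a trailing "! -i lo -j DROP": the same traffic is admitted, but a
# missing or mis-ordered last rule now fails closed rather than open.
# Port 22 is reachable from any source; add "-s <management-net>" where the
# management network is known.
cat > /etc/iptables.rules <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
iptables-restore < /etc/iptables.rules
# Re-apply the rules whenever ifupdown brings an interface up. Only ifupdown
# runs if-pre-up.d hooks; a netplan/systemd-networkd host needs another
# persistence mechanism.
cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-pre-up.d/iptables

# sshd: skip reverse DNS on login and show the legal banner before auth.
grep -qE '^UseDNS ' "$sshd_config" || echo "UseDNS no" >> "$sshd_config"
cat > /etc/issue <<'EOF'
This system is considered private and proprietary and is subject to audit.
The unauthorized access, use or modification of this or any other computer
systems or networks or of the data contained therein or in transit
thereto/therefrom is a criminal violation of federal and state laws and will
be prosecuted to the fullest extent of the law.
EOF
ln -sf /etc/issue /etc/issue.net
# Set the banner path explicitly rather than only uncommenting "#Banner ...":
# the shipped commented value differs between releases ("/etc/issue.net" on
# older Ubuntu, "none" on newer ones), and uncommenting "none" shows nothing.
sed -i -E 's|^#?Banner .*|Banner /etc/issue.net|' "$sshd_config"
grep -qE '^Banner ' "$sshd_config" || echo "Banner /etc/issue.net" >> "$sshd_config"

# Periodic apt: fetch upgradable packages daily, autoclean weekly. A quoted
# heredoc keeps the double quotes apt.conf expects; in the original, echo's
# double-quoted string was terminated by the inner "1" and "7", so the
# values were written unquoted.
cat >> /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'

APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
EOF
# Uncomment the "...-updates" origin so unattended-upgrades also applies it.
sed -i -E 's_//(.*)-updates";_\1-updates";_' /etc/apt/apt.conf.d/50unattended-upgrades

# Unneeded services. A unit that is not installed is reported, not fatal.
for unit in atd lvm2-lvmetad; do
  systemctl disable "$unit" || printf 'warn: could not disable %s\n' "$unit" >&2
done
systemctl mask lvm2-lvmetad || printf 'warn: could not mask lvm2-lvmetad\n' >&2
vmware-toolbox-cmd timesync enable

apt-get update
apt-get dist-upgrade -y
apt-get -y autoremove
# Validate the sshd_config edits before rebooting: an invalid config would
# leave the host unreachable over SSH after the reboot.
/usr/sbin/sshd -t
reboot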
To authenticate against RADIUS (ACS server):
apt install libpam-radius-auth
vim /etc/pam_radius_auth.conf
(update the settings for your RADIUS server)
vim /etc/pam.d/sshd /etc/pam.d/sudo
add: auth sufficient pam_radius_auth.so
To authenticate against TACACS+:
apt install libpam-tacplus
vim /etc/pam.d/sshd /etc/pam.d/sudo
Add:
auth sufficient pam_tacplus.so server=IP/HOST secret=SECRET
To authenticate against Kerberos (Active Directory):
apt install libpam-krb5
vi /etc/krb5.conf
Example configuration file (you may also need to edit the PAM configuration, but I did not need to on 16.04):
[libdefaults]
default_realm = EXAMPLE.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
EXAMPLE.COM = {
kdc = dc.example.com:88
admin_server = dc1.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Another thing I like to do is add OTP for sudo. Instead of generating a separate token on every machine, you can copy the secret file created below to other instances; every instance sharing that file then shares one secret, so protect it on all of them and rotate it everywhere if any one of them is compromised.
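apt-get install -y libpam-google-authenticator
# Time-based token, no code reuse (-D), 3-code window, rate-limited to 10
# attempts per 15 s; stored in a dedicated root-only file so it does not
# collide with any per-user ~/.google_authenticator.
google-authenticator -t -D -f -w 3 -r 10 -R 15 -s /root/.google_authenticator_sudo
# Require the OTP on every sudo authentication. A bare module name is resolved
# against PAM's default module directory, so the arch-specific
# /lib/x86_64-linux-gnu/security path is not needed. "user=root" makes the
# module read the secret as root, so the file can stay readable by root only.
cat >> /etc/pam.d/sudo <<'EOF'

auth required pam_google_authenticator.so secret=/root/.google_authenticator_sudo user=root
EOF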
sudo useradd steve -c "Borba, Steven J Jr" -m -G sudo -s /bin/bash
sudo su steve
cd ~
mkdir .ssh
chmod 700 .ssh
vi .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
exit
echo 'steve ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers.d/90-cloud-init-users
sudo apt -y update
sudo apt -y dist-upgrade
sudo rm /etc/update-motd.d/10-help-text /etc/update-motd.d/50-motd-news /etc/update-motd.d/91-release-upgrade
sudo vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
sudo update-grub
THESE="multipathd.service atd.service fwupd.service fwupd-refresh.service upower.service udisks2.service motd-news.service"
for Service in $THESE; do sudo systemctl stop $Service; sudo systemctl disable $Service ; done
sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -E 's_//(.*)-updates";_\1-updates";_' /etc/apt/apt.conf.d/50unattended-upgrades -i
sudo sed 's_//Unattended-Upgrade::AutoFixInterruptedDpkg "true";_Unattended-Upgrade::AutoFixInterruptedDpkg "true";_' /etc/apt/apt.conf.d/50unattended-upgrades -i
sudo sed 's_//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";_Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";_' /etc/apt/apt.conf.d/50unattended-upgrades -i
sudo sed 's_//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";_Unattended-Upgrade::Remove-New-Unused-Dependencies "true";_' /etc/apt/apt.conf.d/50unattended-upgrades -i
sudo sed 's_//Unattended-Upgrade::Remove-Unused-Dependencies "false";_Unattended-Upgrade::Remove-Unused-Dependencies "true";_' /etc/apt/apt.conf.d/50unattended-upgrades -i
sudo sed 's_//Unattended-Upgrade::Automatic-Reboot "false";_Unattended-Upgrade::Automatic-Reboot "true";_' /etc/apt/apt.conf.d/50unattended-upgrades -i
sudo sed 's_//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";_Unattended-Upgrade::Automatic-Reboot-WithUsers "true";_' /etc/apt/apt.conf.d/50unattended-upgrades -i
sudo sed 's_//Unattended-Upgrade::Automatic-Reboot-Time "02:00";_Unattended-Upgrade::Automatic-Reboot-Time "02:00";_' /etc/apt/apt.conf.d/50unattended-upgrades -i