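--- a/files/config.txt
+++ b/files/config.txt
@@ -0,0 +1,43 @@
+# For more options and information see
+# http://www.raspberrypi.org/documentation/configuration/config-txt.md
+# Some settings may impact device functionality. See link above for details
+
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment this if your display has a black border of unused pixels visible
+# and your display can output without overscan
+#disable_overscan=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+# uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800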
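--- a/files/firstboot/21-generate-ssh-keys.sh
+++ b/files/firstboot/21-generate-ssh-keys.sh
@@ -0,0 +1,8 @@
+logger -t "rc.firstboot" "Generating SSH host keys"
+rm -f /etc/ssh/ssh_host_*
+ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
+ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
+ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
+ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+
+systemctl restart sshd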
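Review bot: Line 4 generates a DSA host key (`ssh-keygen -q -t dsa`); OpenSSH has not offered ssh-dss host keys by default since 7.0, so this produces a 1024-bit key that current servers never present and leaves a weak private key in /etc/ssh for no benefit — drop that line and keep rsa, ecdsa and ed25519. The inline version this file replaces also ran `sync` between key generation and `systemctl restart sshd` (visible in the removed build-script lines); on an SD-card first boot that flush is cheap insurance against a power cut leaving truncated key files, so consider restoring it as line 7, `sync`.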
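--- a/files/firstboot/22-expandroot.sh
+++ b/files/firstboot/22-expandroot.sh
@@ -0,0 +1,52 @@
+logger -t "rc.firstboot" "Expanding root"
+ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
+PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
+case "${ROOT_PART}" in
+mmcblk0*) ROOT_DEV=mmcblk0 ;;
+sda*) ROOT_DEV=sda ;;
+esac
+if [ "$PART_NUM" = "$ROOT_PART" ]; then
+logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
+return 0
+fi
+
+# NOTE: the NOOBS partition layout confuses parted. For now, let's only
+# agree to work with a sufficiently simple partition layout
+if [ "$PART_NUM" -gt 2 ]; then
+logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
+return 0
+fi
+LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
+if [ $LAST_PART_NUM -ne $PART_NUM ]; then
+logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
+return 0
+fi
+
+# Get the starting offset of the root partition
+PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
+[ "$PART_START" ] || return 1
+
+# Get the possible last sector for the root partition
+PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
+[ "$PART_LAST" ] || return 1
+
+# Return value will likely be error for fdisk as it fails to reload the
+# partition table because the root fs is mounted
+### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
+fdisk /dev/${ROOT_DEV} <<EOF2 || true
+p
+d
+$PART_NUM
+n
+p
+$PART_NUM
+$PART_START
+$PART_LAST
+p
+w
+EOF2
+
+# Reload the partition table, resize root filesystem then remove resizing code from this file
+partprobe &&
+resize2fs /dev/${ROOT_PART} &&
+logger -t "rc.firstboot" "Root partition successfuly resized."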
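Review bot: The `return 0` / `return 1` statements on lines 10, 17, 22, 27 and 31 are at top level of a file that the build script now concatenates into /etc/rc.firstboot and executes directly (`chmod +x`, `echo /etc/rc.firstboot >> rc.local`) instead of installing as its own script. What a top-level `return` does in an executed script is shell-dependent: where it ends the script, the 99-finish.sh tail never runs, rc.firstboot stays in rc.local and the host keys from 21-generate-ssh-keys.sh are regenerated on every boot; where the shell rejects it, execution falls through to the fdisk step with unvalidated values. Wrap lines 2–52 in a function, `expand_root() { … }`, and invoke it with `expand_root || logger -t "rc.firstboot" "Root expansion skipped"`, so each `return` leaves the function and the finish step still runs. The unquoted test on line 20, `[ $LAST_PART_NUM -ne $PART_NUM ]`, also becomes a syntax error when parted prints nothing; quote both operands.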
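--- a/files/firstboot/99-finish.sh
+++ b/files/firstboot/99-finish.sh
@@ -0,0 +1,3 @@
+logger -t "rc.firstboot" "First boot actions finished"
+rm -f /etc/rc.firstboot
+sed -i '/.*rc.firstboot/d' /etc/rc.local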
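--- a/files/fstab
+++ b/files/fstab
@@ -0,0 +1,2 @@
+/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
+/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2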
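Review bot: `data=writeback` on line 1 drops the ordering guarantee between data and metadata writes, so after an unclean shutdown — routine on a Pi without a UPS — a recently extended file can contain stale blocks belonging to previously deleted data; combined with `commit=100` the window is large. Unless the throughput gain was measured and wanted, the default journalling mode (simply omit `data=writeback`) is the safer choice for a root filesystem. The root device is also hard-coded to `/dev/mmcblk0p2` while 22-expandroot.sh accepts `sda*` roots; if USB-root images are a supported case, the two should agree (hedged — the firmware may fix the device naming here).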
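--- a/files/iptables/flush-ip6tables.sh
+++ b/files/iptables/flush-ip6tables.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+
+for table in $(</proc/net/ip6_tables_names)
+do
+ip6tables -t \$table -F
+ip6tables -t \$table -X
+ip6tables -t \$table -Z
+done
+
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT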
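Review bot: Lines 8–10 pass the literal string `$table` to ip6tables: `\$table` was an escape needed inside the heredoc this file was extracted from, but in a standalone script the backslash suppresses the expansion. The loop header on line 6 hides that, because `$(</proc/net/ip6_tables_names)` is a bash-only idiom that under `#!/bin/sh` (dash on Debian) expands to nothing, so the per-table flush is silently a no-op and only the filter table is cleared. Read the file with `cat` and quote the variable.
```shell
for table in $(cat /proc/net/ip6_tables_names)
do
    ip6tables -t "$table" -F
    ip6tables -t "$table" -X
    ip6tables -t "$table" -Z
done
# … unchanged: policy reset to ACCEPT …
```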
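--- a/files/iptables/flush-iptables.sh
+++ b/files/iptables/flush-iptables.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT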
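Review bot: Only the filter, nat and mangle tables are flushed (lines 2–7), whereas flush-ip6tables.sh iterates over the kernel's table list; the raw table is left untouched, so a stale entry there (for example a NOTRACK rule) survives a restart of the service. For symmetry, iterate over `/proc/net/ip_tables_names` the same way, or add `iptables -t raw -F` and `iptables -t raw -X`. Since this script is the unit's `ExecStop` and ends by setting every policy to ACCEPT, stopping the service leaves the host fully open; that is normal for a flush script, but a one-line header comment stating it, `# Flushes all rules and fails open (policy ACCEPT); used by ExecStop`, saves the next operator a surprise.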
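--- a/files/iptables/ip6tables.rules
+++ b/files/iptables/ip6tables.rules
@@ -0,0 +1,48 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Drop packets with RH0 headers
+-A INPUT -m rt --rt-type 0 -j DROP
+-A OUTPUT -m rt --rt-type 0 -j DROP
+-A FORWARD -m rt --rt-type 0 -j DROP
+
+# Rate limit ping requests
+-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT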
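Review bot: With `:INPUT DROP` and echo-request the only ICMPv6 type accepted (lines 15–16), Neighbour Discovery traffic — neighbour solicitation/advertisement (types 135/136) and, if the host should learn its router, router advertisement (134) — reaches the catch-all REJECT on line 40, and the RELATED,ESTABLISHED match on line 19 does not cover it; the host can then fail to answer solicitations for its own address and lose IPv6 reachability (hedged — the sysctl file disables autoconf, so static addressing may be intended, but NS/NA are still required for link-layer resolution). Add, before the ping rules, `-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT` and `-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT`, optionally tightened with `-m hl --hl-eq 255` since NDP packets are never forwarded. `responce` in the comment on line 37 should read `response`.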
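--- a/files/iptables/ip6tables.service
+++ b/files/iptables/ip6tables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/etc/iptables/flush-ip6tables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target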
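Review bot: `ExecStop=/etc/iptables/flush-ip6tables.sh` on line 11 means a plain `systemctl stop ip6tables` — including one issued by a package maintainer script or by an operator who expects "stop" to freeze the current ruleset — flushes every table and sets all policies to ACCEPT, so the unit fails open. If that is the intended contract, state it in the unit, e.g. a comment above the line, `# Stopping this unit removes all filtering (fail-open)`; if not, point ExecStop at a restore of a minimal deny ruleset. The same applies to iptables.service further down this commit. The combination `DefaultDependencies=no`, `Before=sysinit.target` and `WantedBy=multi-user.target` is consistent but unusual; a short comment on why early ordering after systemd-sysctl is wanted would help the next reader.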
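--- a/files/iptables/iptables.rules
+++ b/files/iptables/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Rate limit ping requests
+-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-rst
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT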
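Review bot: The commented LOG templates on lines 38 and 41 (and the identical lines in ip6tables.rules above) carry no rate limit and no prefix, so whoever uncomments them as-is gets one syslog line per rejected packet during a port scan or flood, which on an SD-card-backed syslog is its own denial of service. A safer template to leave in the file is `# -A TCP -p tcp -m limit --limit 5/min -j LOG --log-prefix "iptables-tcp: "` with the UDP equivalent on line 41. `responce` in the comment on line 32 should read `response`.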
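--- a/files/iptables/iptables.service
+++ b/files/iptables/iptables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target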
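--- a/files/modprobe.d/raspi-blacklist.conf
+++ b/files/modprobe.d/raspi-blacklist.conf
@@ -0,0 +1,9 @@
+blacklist snd_soc_core
+blacklist snd_pcm
+blacklist snd_pcm_dmaengine
+blacklist snd_timer
+blacklist snd_compress
+blacklist snd_soc_pcm512x_i2c
+blacklist snd_soc_pcm512x
+blacklist snd_soc_tas5713
+blacklist snd_soc_wm8804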
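Review bot: `blacklist` only stops a module from being loaded by alias during device enumeration; it is still loaded when requested explicitly or pulled in as a dependency of another module, so this file disables the audio drivers on a best-effort basis only. If the intent is to hard-disable them, the usual form is `install snd_soc_core /bin/false` per module (hedged — for a convenience switch the current form may be all that is wanted). A header comment stating that this file is only installed when sound is disabled would make the intent clear to the next maintainer.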
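--- a/files/sysctl.d/81-rpi-vm.conf
+++ b/files/sysctl.d/81-rpi-vm.conf
@@ -0,0 +1,6 @@
+# Avoid swapping and increase cache sizes
+vm.swappiness=1
+vm.dirty_background_ratio=20
+vm.dirty_ratio=40
+vm.dirty_writeback_centisecs=500
+vm.dirty_expire_centisecs=6000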
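--- a/files/sysctl.d/81-rpi-net-hardening.conf
+++ b/files/sysctl.d/81-rpi-net-hardening.conf
@@ -0,0 +1,59 @@
+# Enable network stack hardening
+net.ipv4.tcp_timestamps=0
+net.ipv4.tcp_syncookies=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.lo.accept_redirects=0
+net.ipv4.conf.lo.send_redirects=0
+net.ipv4.conf.lo.accept_source_route=0
+net.ipv4.conf.eth0.accept_redirects=0
+net.ipv4.conf.eth0.send_redirects=0
+net.ipv4.conf.eth0.accept_source_route=0
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.all.router_solicitations=0
+net.ipv6.conf.all.accept_ra_rtr_pref=0
+net.ipv6.conf.all.accept_ra_pinfo=0
+net.ipv6.conf.all.accept_ra_defrtr=0
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.dad_transmits=0
+net.ipv6.conf.all.max_addresses=1
+
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.default.router_solicitations=0
+net.ipv6.conf.default.accept_ra_rtr_pref=0
+net.ipv6.conf.default.accept_ra_pinfo=0
+net.ipv6.conf.default.accept_ra_defrtr=0
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.dad_transmits=0
+net.ipv6.conf.default.max_addresses=1
+
+net.ipv6.conf.lo.accept_redirects=0
+net.ipv6.conf.lo.accept_source_route=0
+net.ipv6.conf.lo.router_solicitations=0
+net.ipv6.conf.lo.accept_ra_rtr_pref=0
+net.ipv6.conf.lo.accept_ra_pinfo=0
+net.ipv6.conf.lo.accept_ra_defrtr=0
+net.ipv6.conf.lo.autoconf=0
+net.ipv6.conf.lo.dad_transmits=0
+net.ipv6.conf.lo.max_addresses=1
+
+net.ipv6.conf.eth0.accept_redirects=0
+net.ipv6.conf.eth0.accept_source_route=0
+net.ipv6.conf.eth0.router_solicitations=0
+net.ipv6.conf.eth0.accept_ra_rtr_pref=0
+net.ipv6.conf.eth0.accept_ra_pinfo=0
+net.ipv6.conf.eth0.accept_ra_defrtr=0
+net.ipv6.conf.eth0.autoconf=0
+net.ipv6.conf.eth0.dad_transmits=0
+net.ipv6.conf.eth0.max_addresses=1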
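Review bot: Moving these keys out of 99-sysctl.conf into `81-rpi-net-hardening.conf` changes their precedence: sysctl.d files apply in lexical order with the last value winning, and on Debian /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf, so any `rp_filter` or redirect setting present there now overrides the hardened value instead of the reverse (hedged — the stock file ships those lines commented out, but it is the file administrators edit). A name sorting after 99, or a sentence in the header comment saying these values must not be overridden by later files, would make the intent explicit. The per-interface `net.ipv4.conf.eth0.*` and `net.ipv6.conf.eth0.*` keys (lines 15–17 and 51–59) are reported as errors by systemd-sysctl if eth0 does not exist yet when the file is applied, which is plausible for the Pi's USB-attached NIC; the `all` and `default` entries already cover interfaces created later, so the eth0 lines can be dropped.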
@@ -422,51 +422,7 fi | |||||
422 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt |
|
422 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt | |
423 |
|
423 | |||
424 | # Set up firmware config |
|
424 | # Set up firmware config | |
425 | cat <<EOM >$R/boot/firmware/config.txt |
|
425 | install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt | |
426 | # For more options and information see |
|
|||
427 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md |
|
|||
428 | # Some settings may impact device functionality. See link above for details |
|
|||
429 |
|
||||
430 | # uncomment if you get no picture on HDMI for a default "safe" mode |
|
|||
431 | #hdmi_safe=1 |
|
|||
432 |
|
||||
433 | # uncomment this if your display has a black border of unused pixels visible |
|
|||
434 | # and your display can output without overscan |
|
|||
435 | #disable_overscan=1 |
|
|||
436 |
|
||||
437 | # uncomment the following to adjust overscan. Use positive numbers if console |
|
|||
438 | # goes off screen, and negative if there is too much border |
|
|||
439 | #overscan_left=16 |
|
|||
440 | #overscan_right=16 |
|
|||
441 | #overscan_top=16 |
|
|||
442 | #overscan_bottom=16 |
|
|||
443 |
|
||||
444 | # uncomment to force a console size. By default it will be display's size minus |
|
|||
445 | # overscan. |
|
|||
446 | #framebuffer_width=1280 |
|
|||
447 | #framebuffer_height=720 |
|
|||
448 |
|
||||
449 | # uncomment if hdmi display is not detected and composite is being output |
|
|||
450 | #hdmi_force_hotplug=1 |
|
|||
451 |
|
||||
452 | # uncomment to force a specific HDMI mode (this will force VGA) |
|
|||
453 | #hdmi_group=1 |
|
|||
454 | #hdmi_mode=1 |
|
|||
455 |
|
||||
456 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in |
|
|||
457 | # DMT (computer monitor) modes |
|
|||
458 | #hdmi_drive=2 |
|
|||
459 |
|
||||
460 | # uncomment to increase signal to HDMI, if you have interference, blanking, or |
|
|||
461 | # no display |
|
|||
462 | #config_hdmi_boost=4 |
|
|||
463 |
|
||||
464 | # uncomment for composite PAL |
|
|||
465 | #sdtv_mode=2 |
|
|||
466 |
|
||||
467 | # uncomment to overclock the arm. 700 MHz is the default. |
|
|||
468 | #arm_freq=800 |
|
|||
469 | EOM |
|
|||
470 |
|
426 | |||
471 | # Load snd_bcm2835 kernel module at boot time |
|
427 | # Load snd_bcm2835 kernel module at boot time | |
472 | if [ "$ENABLE_SOUND" = true ] ; then |
|
428 | if [ "$ENABLE_SOUND" = true ] ; then | |
@@ -496,99 +452,17 fi | |||||
496 | mkdir -p $R/etc/modprobe.d/ |
|
452 | mkdir -p $R/etc/modprobe.d/ | |
497 |
|
453 | |||
498 | # Blacklist sound modules |
|
454 | # Blacklist sound modules | |
499 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf |
|
455 | install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf | |
500 | blacklist snd_soc_core |
|
|||
501 | blacklist snd_pcm |
|
|||
502 | blacklist snd_pcm_dmaengine |
|
|||
503 | blacklist snd_timer |
|
|||
504 | blacklist snd_compress |
|
|||
505 | blacklist snd_soc_pcm512x_i2c |
|
|||
506 | blacklist snd_soc_pcm512x |
|
|||
507 | blacklist snd_soc_tas5713 |
|
|||
508 | blacklist snd_soc_wm8804 |
|
|||
509 | EOM |
|
|||
510 |
|
456 | |||
511 | # Create default fstab |
|
457 | # Create default fstab | |
512 | cat <<EOM >$R/etc/fstab |
|
458 | install -o root -g root -m 644 files/fstab $R/etc/fstab | |
513 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 |
|
|||
514 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
|
|||
515 | EOM |
|
|||
516 |
|
459 | |||
517 | # Avoid swapping and increase cache sizes |
|
460 | # Avoid swapping and increase cache sizes | |
518 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
461 | install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf | |
519 |
|
||||
520 | # Avoid swapping and increase cache sizes |
|
|||
521 | vm.swappiness=1 |
|
|||
522 | vm.dirty_background_ratio=20 |
|
|||
523 | vm.dirty_ratio=40 |
|
|||
524 | vm.dirty_writeback_centisecs=500 |
|
|||
525 | vm.dirty_expire_centisecs=6000 |
|
|||
526 | EOM |
|
|||
527 |
|
462 | |||
528 | # Enable network stack hardening |
|
463 | # Enable network stack hardening | |
529 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
464 | if [ "$ENABLE_HARDNET" = true ] ; then | |
530 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
465 | install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf | |
531 |
|
||||
532 | # Enable network stack hardening |
|
|||
533 | net.ipv4.tcp_timestamps=0 |
|
|||
534 | net.ipv4.tcp_syncookies=1 |
|
|||
535 | net.ipv4.conf.all.rp_filter=1 |
|
|||
536 | net.ipv4.conf.all.accept_redirects=0 |
|
|||
537 | net.ipv4.conf.all.send_redirects=0 |
|
|||
538 | net.ipv4.conf.all.accept_source_route=0 |
|
|||
539 | net.ipv4.conf.default.rp_filter=1 |
|
|||
540 | net.ipv4.conf.default.accept_redirects=0 |
|
|||
541 | net.ipv4.conf.default.send_redirects=0 |
|
|||
542 | net.ipv4.conf.default.accept_source_route=0 |
|
|||
543 | net.ipv4.conf.lo.accept_redirects=0 |
|
|||
544 | net.ipv4.conf.lo.send_redirects=0 |
|
|||
545 | net.ipv4.conf.lo.accept_source_route=0 |
|
|||
546 | net.ipv4.conf.eth0.accept_redirects=0 |
|
|||
547 | net.ipv4.conf.eth0.send_redirects=0 |
|
|||
548 | net.ipv4.conf.eth0.accept_source_route=0 |
|
|||
549 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
|
|||
550 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
|
|||
551 |
|
||||
552 | net.ipv6.conf.all.accept_redirects=0 |
|
|||
553 | net.ipv6.conf.all.accept_source_route=0 |
|
|||
554 | net.ipv6.conf.all.router_solicitations=0 |
|
|||
555 | net.ipv6.conf.all.accept_ra_rtr_pref=0 |
|
|||
556 | net.ipv6.conf.all.accept_ra_pinfo=0 |
|
|||
557 | net.ipv6.conf.all.accept_ra_defrtr=0 |
|
|||
558 | net.ipv6.conf.all.autoconf=0 |
|
|||
559 | net.ipv6.conf.all.dad_transmits=0 |
|
|||
560 | net.ipv6.conf.all.max_addresses=1 |
|
|||
561 |
|
||||
562 | net.ipv6.conf.default.accept_redirects=0 |
|
|||
563 | net.ipv6.conf.default.accept_source_route=0 |
|
|||
564 | net.ipv6.conf.default.router_solicitations=0 |
|
|||
565 | net.ipv6.conf.default.accept_ra_rtr_pref=0 |
|
|||
566 | net.ipv6.conf.default.accept_ra_pinfo=0 |
|
|||
567 | net.ipv6.conf.default.accept_ra_defrtr=0 |
|
|||
568 | net.ipv6.conf.default.autoconf=0 |
|
|||
569 | net.ipv6.conf.default.dad_transmits=0 |
|
|||
570 | net.ipv6.conf.default.max_addresses=1 |
|
|||
571 |
|
||||
572 | net.ipv6.conf.lo.accept_redirects=0 |
|
|||
573 | net.ipv6.conf.lo.accept_source_route=0 |
|
|||
574 | net.ipv6.conf.lo.router_solicitations=0 |
|
|||
575 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 |
|
|||
576 | net.ipv6.conf.lo.accept_ra_pinfo=0 |
|
|||
577 | net.ipv6.conf.lo.accept_ra_defrtr=0 |
|
|||
578 | net.ipv6.conf.lo.autoconf=0 |
|
|||
579 | net.ipv6.conf.lo.dad_transmits=0 |
|
|||
580 | net.ipv6.conf.lo.max_addresses=1 |
|
|||
581 |
|
||||
582 | net.ipv6.conf.eth0.accept_redirects=0 |
|
|||
583 | net.ipv6.conf.eth0.accept_source_route=0 |
|
|||
584 | net.ipv6.conf.eth0.router_solicitations=0 |
|
|||
585 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 |
|
|||
586 | net.ipv6.conf.eth0.accept_ra_pinfo=0 |
|
|||
587 | net.ipv6.conf.eth0.accept_ra_defrtr=0 |
|
|||
588 | net.ipv6.conf.eth0.autoconf=0 |
|
|||
589 | net.ipv6.conf.eth0.dad_transmits=0 |
|
|||
590 | net.ipv6.conf.eth0.max_addresses=1 |
|
|||
591 | EOM |
|
|||
592 |
|
466 | |||
593 | # Enable resolver warnings about spoofed addresses |
|
467 | # Enable resolver warnings about spoofed addresses | |
594 | cat <<EOM >>$R/etc/host.conf |
|
468 | cat <<EOM >>$R/etc/host.conf | |
@@ -596,84 +470,25 spoof warn | |||||
596 | EOM |
|
470 | EOM | |
597 | fi |
|
471 | fi | |
598 |
|
472 | |||
|
473 | # First boot actions | |||
|
474 | cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot | |||
|
475 | ||||
599 | # Ensure openssh server host keys are regenerated on first boot |
|
476 | # Ensure openssh server host keys are regenerated on first boot | |
600 | if [ "$ENABLE_SSHD" = true ] ; then |
|
477 | if [ "$ENABLE_SSHD" = true ] ; then | |
601 | cat <<EOM >>$R/etc/rc.firstboot |
|
478 | cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot | |
602 | #!/bin/sh |
|
|||
603 | rm -f /etc/ssh/ssh_host_* |
|
|||
604 | ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key |
|
|||
605 | ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key |
|
|||
606 | ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key |
|
|||
607 | ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key |
|
|||
608 | sync |
|
|||
609 |
|
||||
610 | systemctl restart sshd |
|
|||
611 | sed -i '/.*rc.firstboot/d' /etc/rc.local |
|
|||
612 | rm -f /etc/rc.firstboot |
|
|||
613 | EOM |
|
|||
614 | chmod +x $R/etc/rc.firstboot |
|
|||
615 | sed -i '/exit 0/d' $R/etc/rc.local |
|
|||
616 | echo /etc/rc.firstboot >> $R/etc/rc.local |
|
|||
617 | rm -f $R/etc/ssh/ssh_host_* |
|
479 | rm -f $R/etc/ssh/ssh_host_* | |
618 | fi |
|
480 | fi | |
619 |
|
481 | |||
620 | if [ "$EXPANDROOT" = true ] ; then |
|
482 | if [ "$EXPANDROOT" = true ] ; then | |
621 | cat <<EOF > $R/etc/rc.expandroot |
|
483 | cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot | |
622 | #!/bin/sh |
|
484 | fi | |
|
485 | ||||
|
486 | cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot | |||
|
487 | chmod +x $R/etc/rc.firstboot | |||
623 |
|
488 | |||
624 | ROOT_PART=\$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p') |
|
|||
625 | PART_NUM=\$(echo \${ROOT_PART} | grep -o '[1-9][0-9]*$') |
|
|||
626 | case "\${ROOT_PART}" in |
|
|||
627 | mmcblk0*) ROOT_DEV=mmcblk0 ;; |
|
|||
628 | sda*) ROOT_DEV=sda ;; |
|
|||
629 | esac |
|
|||
630 | if [ "\$PART_NUM" = "\$ROOT_PART" ]; then |
|
|||
631 | logger -t "rc.expandroot" "\$ROOT_PART is not an SD card. Don't know how to expand" |
|
|||
632 | return 0 |
|
|||
633 | fi |
|
|||
634 | # NOTE: the NOOBS partition layout confuses parted. For now, let's only |
|
|||
635 | # agree to work with a sufficiently simple partition layout |
|
|||
636 | if [ "\$PART_NUM" -gt 2 ]; then |
|
|||
637 | logger -t "rc.expandroot" "Your partition layout is not currently supported by this tool." |
|
|||
638 | return 0 |
|
|||
639 | fi |
|
|||
640 | LAST_PART_NUM=\$(parted /dev/\${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) |
|
|||
641 | if [ \$LAST_PART_NUM -ne \$PART_NUM ]; then |
|
|||
642 | logger -t "rc.expandroot" "\$ROOT_PART is not the last partition. Don't know how to expand" |
|
|||
643 | return 0 |
|
|||
644 | fi |
|
|||
645 | # Get the starting offset of the root partition |
|
|||
646 | PART_START=\$(parted /dev/\${ROOT_DEV} -ms unit s p | grep "^\${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') |
|
|||
647 | [ "\$PART_START" ] || return 1 |
|
|||
648 | # Get the possible last sector for the root partition |
|
|||
649 | PART_LAST=\$(fdisk -l /dev/\${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print \$7 - 1 }') |
|
|||
650 | [ "\$PART_LAST" ] || return 1 |
|
|||
651 | # Return value will likely be error for fdisk as it fails to reload the |
|
|||
652 | # partition table because the root fs is mounted |
|
|||
653 | ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit |
|
|||
654 | fdisk /dev/\${ROOT_DEV} <<EOF2 || true |
|
|||
655 | p |
|
|||
656 | d |
|
|||
657 | \$PART_NUM |
|
|||
658 | n |
|
|||
659 | p |
|
|||
660 | \$PART_NUM |
|
|||
661 | \$PART_START |
|
|||
662 | \$PART_LAST |
|
|||
663 | p |
|
|||
664 | w |
|
|||
665 | EOF2 |
|
|||
666 | # Reload the partition table, resize root filesystem then remove resizing code from this file |
|
|||
667 | partprobe && |
|
|||
668 | resize2fs /dev/\${ROOT_PART} && |
|
|||
669 | logger -t "rc.expandroot" "Root partition successfuly resized." && |
|
|||
670 | sed -i '/.*rc.expandroot/d' /etc/rc.local |
|
|||
671 | rm -f /etc/rc.expandroot |
|
|||
672 | EOF |
|
|||
673 | chmod +x $R/etc/rc.expandroot |
|
|||
674 |
|
|
489 | sed -i '/exit 0/d' $R/etc/rc.local | |
675 |
|
|
490 | echo /etc/rc.firstboot >> $R/etc/rc.local | |
676 | fi |
|
491 | echo exit 0 >> $R/etc/rc.local | |
677 |
|
492 | |||
678 | # Disable rsyslog |
|
493 | # Disable rsyslog | |
679 | if [ "$ENABLE_RSYSLOG" = false ]; then |
|
494 | if [ "$ENABLE_RSYSLOG" = false ]; then | |
@@ -693,82 +508,13 if [ "$ENABLE_IPTABLES" = true ] ; then | |||||
693 | mkdir -p "$R/etc/iptables" |
|
508 | mkdir -p "$R/etc/iptables" | |
694 |
|
509 | |||
695 | # Create iptables systemd service |
|
510 | # Create iptables systemd service | |
696 | cat <<EOM >$R/etc/systemd/system/iptables.service |
|
511 | install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service | |
697 | [Unit] |
|
|||
698 | Description=Packet Filtering Framework |
|
|||
699 | DefaultDependencies=no |
|
|||
700 | After=systemd-sysctl.service |
|
|||
701 | Before=sysinit.target |
|
|||
702 | [Service] |
|
|||
703 | Type=oneshot |
|
|||
704 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
|||
705 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
|||
706 | ExecStop=/etc/iptables/flush-iptables.sh |
|
|||
707 | RemainAfterExit=yes |
|
|||
708 | [Install] |
|
|||
709 | WantedBy=multi-user.target |
|
|||
710 | EOM |
|
|||
711 |
|
512 | |||
712 | # Create flush-table script called by iptables service |
|
513 | # Create flush-table script called by iptables service | |
713 | cat <<EOM >$R/etc/iptables/flush-iptables.sh |
|
514 | install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh | |
714 | #!/bin/sh |
|
|||
715 | iptables -F |
|
|||
716 | iptables -X |
|
|||
717 | iptables -t nat -F |
|
|||
718 | iptables -t nat -X |
|
|||
719 | iptables -t mangle -F |
|
|||
720 | iptables -t mangle -X |
|
|||
721 | iptables -P INPUT ACCEPT |
|
|||
722 | iptables -P FORWARD ACCEPT |
|
|||
723 | iptables -P OUTPUT ACCEPT |
|
|||
724 | EOM |
|
|||
725 |
|
515 | |||
726 | # Create iptables rule file |
|
516 | # Create iptables rule file | |
727 | cat <<EOM >$R/etc/iptables/iptables.rules |
|
517 | install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules | |
728 | *filter |
|
|||
729 | :INPUT DROP [0:0] |
|
|||
730 | :FORWARD DROP [0:0] |
|
|||
731 | :OUTPUT ACCEPT [0:0] |
|
|||
732 | :TCP - [0:0] |
|
|||
733 | :UDP - [0:0] |
|
|||
734 | :SSH - [0:0] |
|
|||
735 |
|
||||
736 | # Rate limit ping requests |
|
|||
737 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
|||
738 | -A INPUT -p icmp --icmp-type echo-request -j DROP |
|
|||
739 |
|
||||
740 | # Accept established connections |
|
|||
741 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
|||
742 |
|
||||
743 | # Accept all traffic on loopback interface |
|
|||
744 | -A INPUT -i lo -j ACCEPT |
|
|||
745 |
|
||||
746 | # Drop packets declared invalid |
|
|||
747 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
|||
748 |
|
||||
749 | # SSH rate limiting |
|
|||
750 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
|||
751 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
|||
752 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
|||
753 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
|||
754 |
|
||||
755 | # Send TCP and UDP connections to their respective rules chain |
|
|||
756 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
|||
757 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
|||
758 |
|
||||
759 | # Reject dropped packets with a RFC compliant responce |
|
|||
760 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
|
|||
761 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst |
|
|||
762 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable |
|
|||
763 |
|
||||
764 | ## TCP PORT RULES |
|
|||
765 | # -A TCP -p tcp -j LOG |
|
|||
766 |
|
||||
767 | ## UDP PORT RULES |
|
|||
768 | # -A UDP -p udp -j LOG |
|
|||
769 |
|
||||
770 | COMMIT |
|
|||
771 | EOM |
|
|||
772 |
|
518 | |||
773 | # Reload systemd configuration and enable iptables service |
|
519 | # Reload systemd configuration and enable iptables service | |
774 | chroot_exec systemctl daemon-reload |
|
520 | chroot_exec systemctl daemon-reload | |
@@ -776,90 +522,12 EOM | |||||
776 |
|
522 | |||
777 | if [ "$ENABLE_IPV6" = true ] ; then |
|
523 | if [ "$ENABLE_IPV6" = true ] ; then | |
778 | # Create ip6tables systemd service |
|
524 | # Create ip6tables systemd service | |
779 | cat <<EOM >$R/etc/systemd/system/ip6tables.service |
|
525 | install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service | |
780 | [Unit] |
|
|||
781 | Description=Packet Filtering Framework |
|
|||
782 | DefaultDependencies=no |
|
|||
783 | After=systemd-sysctl.service |
|
|||
784 | Before=sysinit.target |
|
|||
785 | [Service] |
|
|||
786 | Type=oneshot |
|
|||
787 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
|||
788 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
|||
789 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
|||
790 | RemainAfterExit=yes |
|
|||
791 | [Install] |
|
|||
792 | WantedBy=multi-user.target |
|
|||
793 | EOM |
|
|||
794 |
|
526 | |||
795 | # Create ip6tables file |
|
527 | # Create ip6tables file | |
796 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh |
|
528 | install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh | |
797 | #!/bin/sh |
|
|||
798 | ip6tables -F |
|
|||
799 | ip6tables -X |
|
|||
800 | ip6tables -Z |
|
|||
801 | for table in $(</proc/net/ip6_tables_names) |
|
|||
802 | do |
|
|||
803 | ip6tables -t \$table -F |
|
|||
804 | ip6tables -t \$table -X |
|
|||
805 | ip6tables -t \$table -Z |
|
|||
806 | done |
|
|||
807 | ip6tables -P INPUT ACCEPT |
|
|||
808 | ip6tables -P OUTPUT ACCEPT |
|
|||
809 | ip6tables -P FORWARD ACCEPT |
|
|||
810 | EOM |
|
|||
811 |
|
||||
812 | # Create ip6tables rule file |
|
|||
813 | cat <<EOM >$R/etc/iptables/ip6tables.rules |
|
|||
814 | *filter |
|
|||
815 | :INPUT DROP [0:0] |
|
|||
816 | :FORWARD DROP [0:0] |
|
|||
817 | :OUTPUT ACCEPT [0:0] |
|
|||
818 | :TCP - [0:0] |
|
|||
819 | :UDP - [0:0] |
|
|||
820 | :SSH - [0:0] |
|
|||
821 |
|
||||
822 | # Drop packets with RH0 headers |
|
|||
823 | -A INPUT -m rt --rt-type 0 -j DROP |
|
|||
824 | -A OUTPUT -m rt --rt-type 0 -j DROP |
|
|||
825 | -A FORWARD -m rt --rt-type 0 -j DROP |
|
|||
826 |
|
529 | |||
827 | # Rate limit ping requests |
|
530 | install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules | |
828 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
|||
829 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
|
|||
830 |
|
||||
831 | # Accept established connections |
|
|||
832 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
|||
833 |
|
||||
834 | # Accept all traffic on loopback interface |
|
|||
835 | -A INPUT -i lo -j ACCEPT |
|
|||
836 |
|
||||
837 | # Drop packets declared invalid |
|
|||
838 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
|||
839 |
|
||||
840 | # SSH rate limiting |
|
|||
841 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
|||
842 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
|||
843 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
|||
844 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
|||
845 |
|
||||
846 | # Send TCP and UDP connections to their respective rules chain |
|
|||
847 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
|||
848 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
|||
849 |
|
||||
850 | # Reject dropped packets with a RFC compliant responce |
|
|||
851 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited |
|
|||
852 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited |
|
|||
853 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited |
|
|||
854 |
|
||||
855 | ## TCP PORT RULES |
|
|||
856 | # -A TCP -p tcp -j LOG |
|
|||
857 |
|
||||
858 | ## UDP PORT RULES |
|
|||
859 | # -A UDP -p udp -j LOG |
|
|||
860 |
|
||||
861 | COMMIT |
|
|||
862 | EOM |
|
|||
863 |
|
531 | |||
864 | # Reload systemd configuration and enable iptables service |
|
532 | # Reload systemd configuration and enable iptables service | |
865 | chroot_exec systemctl daemon-reload |
|
533 | chroot_exec systemctl daemon-reload |
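Review bot: The new `install` and `cat` lines (new lines 425, 455, 458, 461, 465, 474–491, 511–530) interpolate `$R` unquoted, whereas the adjacent, unchanged `mkdir -p "$R/etc/iptables"` quotes it; a build root containing whitespace would split the destination argument, so quote it consistently, e.g. `install -o root -g root -m 644 files/config.txt "$R/boot/firmware/config.txt"`. In the ip6tables hunk the rules install on new line 530 lost the `# Create ip6tables rule file` comment that preceded the old heredoc, while the flush-script install on line 528 keeps the imprecise `# Create ip6tables file`; `# Install ip6tables flush script` and `# Install ip6tables rule file` would describe both. The rc.firstboot assembly on new lines 473–491 concatenates the fragments and executes the result as one script, which is what makes the top-level `return` statements in files/firstboot/22-expandroot.sh a problem (raised on that file). The if-blocks enclosing these hunks start outside the visible lines.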