#!/bin/bash
###########################################################################################
# Debian Bookworm VPS Hardening Setup Script V5.0.512.2024.08.07 #
###########################################################################################
# Copyright (c) 2019 - 2024, Marc Weidner, Centurion Intelligence Consulting Agency #
# https://coresecret.eu/ #
# Licensed under the EUROPEAN UNION PUBLIC LICENCE v. 1.2 https://eupl.eu/1.2/en/ #
###########################################################################################
# https://keys.openpgp.org/vks/v1/by-fingerprint/A6D46A56AE17A185AB0F6DB77095A8A13CBE0FA3 #
# Fingerprint A6D4 6A56 AE17 A185 AB0F 6DB7 7095 A8A1 3CBE 0FA3 ## valid till: 01.01.2031 #
###########################################################################################
# Module: exdo_ephemeral_swap #
###########################################################################################
# shellcheck disable=SC2129 disable=SC2162
# Strict mode for the whole module:
#   -e  abort as soon as a command fails (errexit)
#   -u  treat the use of an unset variable as an error (nounset)
#   -C  refuse to overwrite existing files via ">", ">&" and "<>" (noclobber)
set -euC
# A pipeline fails when any of its stages fails, not only the last one.
set -o pipefail
# Keep commands out of the shell history so sensitive values are not recorded.
set +o history
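#######################################
# Configure an encrypted swap area that is keyed from /dev/urandom.
#
# A 1 MiB ext4 filesystem is written at the start of the partition purely to
# carry the label "crypt_swap_ephem". /etc/crypttab then refers to the
# partition by LABEL= and maps it with offset=2048 (counted in 512-byte
# sectors, i.e. 1 MiB), so the label filesystem is left intact and the
# mapping starts behind it. Because the key source is /dev/urandom and the
# "swap" option is set, swap contents do not survive a reboot; this setup is
# therefore not usable for suspend-to-disk.
#
# Globals:
#   LOG_INS                  (read) log file that receives timestamps/messages
#   EPHEMERAL_SWAP_PARTITION (read) partition name below /dev, e.g. "sda3"
#   SLEEPTIMER               (read) pause in seconds before the final clear
# Arguments: none
# Outputs:   progress messages on stdout, appended to $LOG_INS as well
# Returns:   0 on success; non-zero when the target is not a block device or
#            mkfs.ext4 fails. In both cases no configuration file is touched.
#######################################
exdo_ephemeral_swap() {
  # ":?" aborts on an empty value, which would otherwise resolve to "/dev/".
  local -r swap_dev="/dev/${EPHEMERAL_SWAP_PARTITION:?EPHEMERAL_SWAP_PARTITION must be set}"
  local -r backup_dir=/root/hardening/backup
  local -r marker='##### Added by hardening.sh - Module: exdo_ephemeral_swap #####'
  local -r crypttab_entry='crypt_ephemeral_swap LABEL=crypt_swap_ephem /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'
  local -r fstab_entry='/dev/mapper/crypt_ephemeral_swap none swap defaults 0 0'
  local cfg
  local mkfs_status=0

  clear
  date >>"$LOG_INS"
  echo -e "\033[33m++++ ++++ ++++ ++++ ++++ ++++ ++ Initalizing Ephemeral Swap - ...\033[0m" | tee -a "$LOG_INS"

  echo ""
  lsblk
  echo ""

  # Refuse anything that is not an existing block device. With an explicit
  # size argument mkfs may otherwise create a regular file at a mistyped
  # path, and crypttab would end up pointing at a label no partition carries.
  if [[ ! -b "$swap_dev" ]]; then
    date >>"$LOG_INS"
    echo -e "\033[31m++++ ++++ ++++ ++++ ++++ ++++ ++ $swap_dev is not a block device, aborting \033[0m" | tee -a "$LOG_INS"
    return 1
  fi

  date >>"$LOG_INS"
  echo -e "\033[33m++++ ++++ ++++ ++++ ++++ ++++ ++ Ephemeral Swap will be installed on $EPHEMERAL_SWAP_PARTITION \033[0m" | tee -a "$LOG_INS"
  echo ""
  date >>"$LOG_INS"
  echo -e "\033[33m++++ ++++ ++++ ++++ ++++ ++++ ++ Please confirm, press 'ENTER' to continue \033[0m" | tee -a "$LOG_INS"
  # The input is discarded; only the ENTER keypress matters.
  read -r _

  # Destructive step: writes the 1 MiB label filesystem onto the partition.
  # The exit status is captured instead of ignored, so a failed or declined
  # mkfs never leads to crypttab/fstab entries for a label that is missing.
  mkfs.ext4 -L crypt_swap_ephem "$swap_dev" 1M || mkfs_status=$?
  if ((mkfs_status != 0)); then
    date >>"$LOG_INS"
    echo -e "\033[31m++++ ++++ ++++ ++++ ++++ ++++ ++ mkfs.ext4 failed on $swap_dev (exit code $mkfs_status), no configuration changed \033[0m" | tee -a "$LOG_INS"
    return "$mkfs_status"
  fi

  # Take every backup before the first modification: if one copy fails,
  # errexit stops the run while all four files are still untouched.
  for cfg in crypttab fstab fstab.defaults fstab.hardened; do
    cp -a "/etc/$cfg" "$backup_dir/$cfg.before.eswap"
    chmod 0640 "$backup_dir/$cfg.before.eswap"
  done

  # crypttab: map the labelled partition with a fresh random key at each boot.
  printf '\n%s\n%s\n\n' "$marker" "$crypttab_entry" >>/etc/crypttab

  # The same swap entry goes into the live fstab and both fstab variants.
  for cfg in fstab fstab.defaults fstab.hardened; do
    printf '\n%s\n%s\n\n' "$marker" "$fstab_entry" >>"/etc/$cfg"
  done

  date >>"$LOG_INS"
  echo -e "\033[32m++++ ++++ ++++ ++++ ++++ ++++ ++ Initalizing Ephemeral Swap - done\033[0m" | tee -a "$LOG_INS"
  sleep "$SLEEPTIMER"
  clear
}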