18c2bfd5c6
- build-unified.sh: master build script (16 hooks, kernel 7.0.0-rc7) - config/package-lists: Debian package selections - assets: Alfred Commander extension tarball - docs: ARM64 investigation, kernel upgrade roadmap
194 lines
9.1 KiB
Bash
Executable File
194 lines
9.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# ═══════════════════════════════════════════════════════════════
|
|
# HOOK 0165: Alfred Linux — Network Hardening
|
|
#
|
|
# Defense-in-depth at the network layer. Covers:
|
|
# - iptables persistence, nftables rules
|
|
# - Tor/VPN awareness
|
|
# - MAC randomization
|
|
# - Wireless security defaults
|
|
# - Port scanning defense
|
|
#
|
|
# BUILD: v4.0+ (RC8+)
|
|
# ═══════════════════════════════════════════════════════════════
|
|
set -e
|
|
echo "╔═══════════════════════════════════════════════════════════╗"
|
|
echo "║ [0165] Alfred Linux — Network Hardening ║"
|
|
echo "╚═══════════════════════════════════════════════════════════╝"
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# 1. MAC ADDRESS RANDOMIZATION
|
|
# ═══════════════════════════════════════════════════
|
|
echo "[NET-01] Configuring MAC address randomization..."
|
|
mkdir -p /etc/NetworkManager/conf.d/
|
|
cat > /etc/NetworkManager/conf.d/99-alfred-privacy.conf << 'NMRANDOM'
|
|
[device]
|
|
wifi.scan-rand-mac-address=yes
|
|
|
|
[connection]
|
|
wifi.cloned-mac-address=random
|
|
ethernet.cloned-mac-address=random
|
|
|
|
[connectivity]
|
|
uri=
|
|
NMRANDOM
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# 2. NFTABLES BASELINE RULES
|
|
# ═══════════════════════════════════════════════════
|
|
echo "[NET-02] Installing nftables baseline firewall rules..."
|
|
apt-get install -y --no-install-recommends nftables 2>/dev/null || true
|
|
|
|
cat > /etc/nftables.conf << 'NFTABLES'
|
|
#!/usr/sbin/nft -f
|
|
flush ruleset
|
|
|
|
table inet alfred_firewall {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# Allow loopback
|
|
iifname "lo" accept
|
|
|
|
# Allow established/related connections
|
|
ct state established,related accept
|
|
|
|
# Allow ICMP (ping) but rate-limit
|
|
ip protocol icmp icmp type echo-request limit rate 5/second accept
|
|
ip6 nexthdr ipv6-icmp accept
|
|
|
|
# Allow SSH
|
|
tcp dport 22 ct state new limit rate 15/minute accept
|
|
|
|
# Log and drop everything else
|
|
log prefix "[ALFRED-FW-DROP] " flags all counter drop
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
}
|
|
}
|
|
NFTABLES
|
|
chmod 600 /etc/nftables.conf
|
|
systemctl enable nftables 2>/dev/null || true
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# 3. TCP WRAPPER DEFAULTS
|
|
# ═══════════════════════════════════════════════════
|
|
echo "[NET-03] Configuring TCP wrappers..."
|
|
if [ -f /etc/hosts.deny ]; then
|
|
if ! grep -q 'ALL: ALL' /etc/hosts.deny 2>/dev/null; then
|
|
echo "ALL: ALL" >> /etc/hosts.deny
|
|
fi
|
|
fi
|
|
if [ -f /etc/hosts.allow ]; then
|
|
if ! grep -q 'sshd: ALL' /etc/hosts.allow 2>/dev/null; then
|
|
echo "sshd: ALL" >> /etc/hosts.allow
|
|
fi
|
|
fi
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# 4. PORT SCAN DEFENSE (via sysctl + nft)
|
|
# ═══════════════════════════════════════════════════
|
|
echo "[NET-04] Configuring port scan defense..."
|
|
cat > /etc/sysctl.d/98-alfred-antiscan.conf << 'ANTISCAN'
|
|
# Drop packets with bogus TCP flags
|
|
net.ipv4.tcp_ecn = 0
|
|
# Quick FIN timeout against stealth scans
|
|
net.ipv4.tcp_fin_timeout = 10
|
|
# Don't respond to broadcasts
|
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
|
ANTISCAN
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# 5. WIRELESS SECURITY
|
|
# ═══════════════════════════════════════════════════
|
|
echo "[NET-05] Hardening wireless defaults..."
|
|
cat > /etc/NetworkManager/conf.d/99-alfred-wifi-security.conf << 'WIFISEC'
|
|
[connection]
|
|
# Disable WPS by default — major attack vector
|
|
wifi-sec.wps-method=disabled
|
|
|
|
[wifi]
|
|
# Prefer 5GHz band to reduce range-based attacks
|
|
band-preference=a
|
|
WIFISEC
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# 6. SSH ADDITIONAL HARDENING
|
|
# ═══════════════════════════════════════════════════
|
|
echo "[NET-06] Applying additional SSH hardening..."
|
|
mkdir -p /etc/ssh/sshd_config.d/
|
|
cat > /etc/ssh/sshd_config.d/alfred-hardening.conf << 'SSHHARDEN'
|
|
# Alfred Linux — SSH Hardening
|
|
Protocol 2
|
|
PermitRootLogin no
|
|
MaxAuthTries 3
|
|
LoginGraceTime 30
|
|
X11Forwarding no
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding no
|
|
PermitEmptyPasswords no
|
|
ClientAliveInterval 300
|
|
ClientAliveCountMax 2
|
|
MaxSessions 3
|
|
PermitUserEnvironment no
|
|
Banner /etc/issue.net
|
|
DebianBanner no
|
|
# Strong ciphers only
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
|
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
|
|
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
|
|
SSHHARDEN
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# 7. NETWORK MONITORING TOOL
|
|
# ═══════════════════════════════════════════════════
|
|
echo "[NET-07] Installing network monitor tool..."
|
|
cat > /usr/local/bin/alfred-network-status << 'NETSTATUS'
|
|
#!/bin/bash
|
|
echo ""
|
|
echo "╔════════════════════════════════════════════════════╗"
|
|
echo "║ Alfred Linux — Network Security Status ║"
|
|
echo "╚════════════════════════════════════════════════════╝"
|
|
echo ""
|
|
echo "── Firewall ──"
|
|
if command -v nft &>/dev/null; then
|
|
RULES=$(nft list ruleset 2>/dev/null | grep -c "accept\|drop\|reject")
|
|
echo " nftables: active (${RULES} rules)"
|
|
fi
|
|
ufw status 2>/dev/null | head -3 | sed 's/^/ /' || true
|
|
echo ""
|
|
echo "── Listening Services ──"
|
|
ss -tlnp 2>/dev/null | grep LISTEN | awk '{print " " $4 " → " $6}' | head -10
|
|
echo ""
|
|
echo "── MAC Randomization ──"
|
|
NM_RAND=$(cat /etc/NetworkManager/conf.d/99-alfred-privacy.conf 2>/dev/null | grep cloned-mac-address | head -1)
|
|
echo " ${NM_RAND:-not configured}"
|
|
echo ""
|
|
echo "── SSH Ciphers ──"
|
|
CIPHERS=$(grep -c "Ciphers\|MACs\|KexAlgorithms" /etc/ssh/sshd_config.d/alfred-hardening.conf 2>/dev/null || echo 0)
|
|
echo " Hardened cipher config: ${CIPHERS} rules"
|
|
echo ""
|
|
echo "── Fail2ban ──"
|
|
fail2ban-client status 2>/dev/null | grep "jail list" | sed 's/^/ /' || echo " not running"
|
|
echo ""
|
|
NETSTATUS
|
|
chmod +x /usr/local/bin/alfred-network-status
|
|
|
|
echo "╔═══════════════════════════════════════════════════════════╗"
|
|
echo "║ [0165] Network Hardening — COMPLETE ║"
|
|
echo "║ ✓ MAC randomization (WiFi + Ethernet) ║"
|
|
echo "║ ✓ nftables default-deny firewall ║"
|
|
echo "║ ✓ TCP wrappers (default deny) ║"
|
|
echo "║ ✓ Port scan defense (sysctl tuning) ║"
|
|
echo "║ ✓ Wireless security (WPS disabled, 5GHz pref) ║"
|
|
echo "║ ✓ SSH: strong ciphers only, no forwarding ║"
|
|
echo "║ ✓ alfred-network-status monitoring tool ║"
|
|
echo "╚═══════════════════════════════════════════════════════════╝"
|