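# Add the Numix PPA. A PPA is a third-party archive: adding it makes apt trust
# the archive's signing key, and its packages are installed as root, so check
# who maintains it before adding it.
sudo add-apt-repository ppa:numix/ppa
# Refresh the package index so the new archive is visible, then install the
# GTK theme and the circle icon set. Both halves of the && chain need root.
sudo apt update && sudo apt install numix-gtk-theme numix-icon-theme-circle
sudo apt install unity-tweak-tool
# Started without sudo: presumably the tool edits the desktop user's own
# settings, so it should run as that user.
unity-tweak-tool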
In Unity Tweak Tool: set window snapping for the lower half, set the icons and theme, decrease the launcher icon size, set the date, remove webapp integration, and check that the security options are present.
# Base package set: terminal and desktop tools, editors, network diagnostics
# and capture utilities, Python tooling, archive/filesystem helpers and the
# compiler toolchain. One apt transaction, same packages as a single line.
apt install \
  tilda lm-sensors privoxy wavemon chromium-browser vlc htop irssi \
  whois vim filezilla curl nmap git gdebi keepass2 \
  python-pip python3-pip shutter tcptraceroute iperf httping \
  exfat-utils exfat-fuse tmux tshark aircrack-ng xsltproc p7zip-full \
  arp-scan netdiscover network-manager-openvpn-gnome \
  ipython ipython3 sshfs inxi build-essential
Then add tilda to Startup Applications so that it starts at login.
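# Fetch the TeamViewer package. HTTPS only authenticates the download host;
# if the vendor publishes a checksum or signature for this file, compare it
# with the hash printed below before installing.
wget https://download.teamviewer.com/download/teamviewer_i386.deb
sha256sum teamviewer_i386.deb
# The package is 32-bit: enable the i386 architecture, then refresh the index
# so the i386 dependencies can be resolved.
dpkg --add-architecture i386
apt update
# gdebi installs the local .deb together with its dependencies. A .deb runs
# its maintainer scripts as root, which is why the file is checked first.
gdebi teamviewer_i386.deb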
# Bash history settings (presumably meant for ~/.bashrc).
# ignoredups only skips a command identical to the previous one. Commands
# typed with a leading space are still recorded, so a secret given on a
# command line ends up in the history file.
HISTCONTROL='ignoredups'
# Keep up to 200000 entries, both in memory and in the history file.
HISTSIZE='200000'
HISTFILESIZE='200000'
# Prefix each entry with day/month/year and time when listing history.
HISTTIMEFORMAT='%d/%m/%y %T '
# Before every prompt: read entries other shells appended (-n), write this
# shell's list to the file (-w), clear the in-memory list (-c) and reload it
# from the file (-r). Any PROMPT_COMMAND already set is kept and runs last.
PROMPT_COMMAND="history -n; history -w; history -c; history -r; ${PROMPT_COMMAND}"
# IPv4 filter rules in iptables-restore syntax; presumably the contents of
# /etc/iptables.ipv4, the file the iptables.service unit further down loads.
# NOTE(review): iptables-restore expects rules inside a table section
# ("*filter" ... "COMMIT"); those wrapper lines are not shown here.
# NOTE(review): "-P INPUT DROP" and the final "-A INPUT -j DROP" below are
# commented out, so this listing sets no default-deny for INPUT. It discards
# malformed packets and rate-limits pings; everything else follows whatever
# chain policy is configured elsewhere.
#
# Drop TCP segments whose flag combinations do not occur in normal traffic.
# "--tcp-flags MASK SET" matches when, of the flags listed in MASK, exactly
# those in SET are on (FIN without ACK, SYN together with FIN, and so on).
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# Drop packets that connection tracking classifies as INVALID.
-A INPUT -m state --state INVALID -j DROP
# Drop fragmented packets: -f matches the second and later fragments.
# NOTE(review): this also discards legitimately fragmented traffic; confirm
# nothing on the host depends on it.
-A INPUT -f -j DROP
# Drop Xmas packets (every TCP flag set)
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets (no TCP flag set)
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Accept echo requests (ICMP type 8) at up to 3 per second; the second rule
# drops whatever exceeds the limit.
-A INPUT -p icmp --icmp-type 8 -m limit --limit 3/sec -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
# Rate limit SSH (disabled): record each new connection to port 22334 on eth0
# per source address and drop a source's fourth and later new connections
# within 60 seconds.
#-A INPUT -p tcp --dport 22334 -i eth0 -m state --state NEW -m recent --set
#-A INPUT -p tcp --dport 22334 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# Accept packets that belong to, or are related to, established connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Default-deny policy for INPUT (disabled).
# NOTE(review): no rule here accepts loopback traffic (-i lo); enabling the
# policy without one would likely break local services.
#-P INPUT DROP
# Accept inbound traffic for SSH (port 22334), HTTP and mail (disabled)
#-A INPUT -p tcp --dport 22334 -j ACCEPT
#-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 25 -j ACCEPT
# Drop all other inbound traffic (disabled)
#-A INPUT -j DROP
# Drop invalid forwarded packets (disabled)
#-A FORWARD -m state --state INVALID -j DROP
# Drop FORWARD traffic: the host does not route packets for others
-P FORWARD DROP
# Drop invalid outbound packets
-A OUTPUT -m state --state INVALID -j DROP
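# IPv6 filter rules in ip6tables-restore syntax; presumably the contents of
# /etc/iptables.ipv6, the file the ip6tables.service unit further down loads.
# NOTE(review): ip6tables-restore expects rules inside a table section
# ("*filter" ... "COMMIT"); those wrapper lines are not shown here.
# NOTE(review): no INPUT policy is set in this listing, so it only discards
# the packets matched below; everything else follows the chain policy
# configured elsewhere.
#
# Drop TCP segments whose flag combinations do not occur in normal traffic.
# "--tcp-flags MASK SET" matches when, of the flags listed in MASK, exactly
# those in SET are on.
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# Drop packets that connection tracking classifies as INVALID.
-A INPUT -m state --state INVALID -j DROP
# Drop fragmented packets (disabled; the frag extension-header rule below
# covers fragments arriving on eth1)
#-A INPUT -f -j DROP
# Drop Xmas packets (every TCP flag set)
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets (no TCP flag set)
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Accept pings at up to 3 per second; the second rule drops the excess.
# ICMPv6 echo request is type 128 (type 8 is the IPv4 ICMP number and does
# not match pings here). Other ICMPv6 types, such as neighbour discovery,
# are not touched by these two rules.
-A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 3/sec -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 128 -j DROP
# Accept packets that belong to, or are related to, established connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop multicast traffic going to the all-nodes link-local address (disabled)
#-I INPUT 1 -d ff02::1 -j DROP
# Block extension headers on eth1. The rules are inserted at positions 1-7, so
# they are evaluated before everything above, including the ESTABLISHED
# accept. With --soft a packet matches as soon as it carries the named header.
# NOTE(review): eth1 is hard-coded; the disabled IPv4 rules use eth0 — confirm
# the interface name. Dropping frag/esp/auth also discards fragmented and
# IPsec traffic, and hop-by-hop is used by MLD messages — confirm none of
# these are needed on this link.
-I INPUT 1 -i eth1 -m ipv6header --header dst --soft -j DROP
-I INPUT 2 -i eth1 -m ipv6header --header hop --soft -j DROP
-I INPUT 3 -i eth1 -m ipv6header --header route --soft -j DROP
-I INPUT 4 -i eth1 -m ipv6header --header frag --soft -j DROP
-I INPUT 5 -i eth1 -m ipv6header --header auth --soft -j DROP
-I INPUT 6 -i eth1 -m ipv6header --header esp --soft -j DROP
-I INPUT 7 -i eth1 -m ipv6header --header none --soft -j DROP
# Drop packets with a type 0 routing header in every chain
-A INPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
# Drop FORWARD traffic: the host does not route packets for others
-P FORWARD DROP
# Drop invalid outbound packets
-A OUTPUT -m state --state INVALID -j DROP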
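vim /etc/systemd/system/iptables.service
# One-shot unit that loads the IPv4 ruleset from /etc/iptables.ipv4 early in
# boot: default dependencies are off, it runs after the sysctl settings are
# applied and is ordered before sysinit.target.
# NOTE(review): systemd documents network-pre.target as the ordering point
# for firewall units (Before= plus Wants=); consider ordering against it too.
# NOTE(review): if iptables-restore rejects the file the unit fails and the
# rules are not loaded; check "systemctl status iptables.service" after
# changing the ruleset.
[Unit]
Description=iptables
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target
[Service]
Type=oneshot
# Keep the unit "active" after the restore command exits, so that reload
# (ExecReload) can be used to re-apply the file.
RemainAfterExit=yes
ExecStart=/sbin/iptables-restore /etc/iptables.ipv4
ExecReload=/sbin/iptables-restore /etc/iptables.ipv4
[Install]
WantedBy=sysinit.target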
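vim /etc/systemd/system/ip6tables.service
# One-shot unit that loads the IPv6 ruleset from /etc/iptables.ipv6 early in
# boot: default dependencies are off, it runs after the sysctl settings are
# applied and is ordered before sysinit.target.
# NOTE(review): systemd documents network-pre.target as the ordering point
# for firewall units (Before= plus Wants=); consider ordering against it too.
# NOTE(review): if ip6tables-restore rejects the file the unit fails and the
# rules are not loaded; check "systemctl status ip6tables.service" after
# changing the ruleset.
[Unit]
Description=ip6tables
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target
[Service]
Type=oneshot
# Keep the unit "active" after the restore command exits, so that reload
# (ExecReload) can be used to re-apply the file.
RemainAfterExit=yes
ExecStart=/sbin/ip6tables-restore /etc/iptables.ipv6
ExecReload=/sbin/ip6tables-restore /etc/iptables.ipv6
[Install]
WantedBy=sysinit.target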
# Register both firewall units for boot, then load the rulesets right away.
# Afterwards "iptables -S" and "ip6tables -S" list what is actually active.
for unit in iptables.service ip6tables.service; do
  systemctl enable "$unit"
done
for unit in iptables.service ip6tables.service; do
  systemctl start "$unit"
done
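# Generate an Ed25519 key pair with a dated file name and a comment recording
# user, host and creation date. Ed25519 keys have a fixed size, so no -b is
# given (ssh-keygen ignores it for this key type). -a 100 raises the KDF
# rounds that protect the private key file when a passphrase is set. The path
# is quoted so the command substitution cannot be word-split.
ssh-keygen -t ed25519 -a 100 \
  -f "$HOME/.ssh/id_ed25519_name_of_file_$(date +%Y-%m-%d)" \
  -C "$(whoami)@$(hostname)-$(date -I)"
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH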
# Remove the Avahi mDNS/DNS-SD daemon so the host no longer announces itself
# or answers service-discovery traffic on the local network.
apt remove avahi-daemon
# Disable the LightDM guest session.
# NOTE(review): files under /usr/share belong to the package and may be
# overwritten on upgrade; confirm the setting survives, or place it in an
# override under /etc/lightdm/lightdm.conf.d/.
vim /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
# add the line: allow-guest=false
# Kernel parameter files; the page does not list which settings are changed
# (the second file presumably holds the kernel.sysrq value — confirm).
vim /etc/sysctl.conf
vim /etc/sysctl.d/10-magic-sysrq.conf
# Make the home directory accessible to its owner only; <user> is a
# placeholder for the account name.
chmod 0700 /home/<user>/
# Reduce the number of text consoles that logind offers a login prompt on.
# NOTE(review): the change presumably takes effect after systemd-logind is
# restarted or the machine rebooted — confirm.
sudo vim /etc/systemd/logind.conf
[Login]
# How many virtual terminals get a login prompt spawned on demand.
NAutoVTs=2
# The virtual terminal number that is always kept available for a login prompt.
ReserveVT=2
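# Protect the GRUB menu with a password. grub-mkpasswd-pbkdf2 prompts for the
# password and prints a "grub.pbkdf2.sha512...." hash string.
grub-mkpasswd-pbkdf2
vim /etc/grub.d/40_custom
# Append the next two lines to 40_custom. The variable GRUB reads is
# "superusers" (plural). The name passed to password_pbkdf2 must be that same
# user, and "encryptedpass" stands for the complete hash string printed above.
# NOTE(review): once superusers is set, menu entries may ask for the password
# even for a normal boot unless they are marked --unrestricted; test a reboot
# before relying on unattended restarts.
set superusers="user"
password_pbkdf2 <user> encryptedpass
# Regenerate grub.cfg so the change takes effect at the next boot.
update-grub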