From a2923b42dbd061cd1bfe46c56dc0aff43ccb33f1 Mon Sep 17 00:00:00 2001
From: Filip Pytloun
Date: Fri, 4 Mar 2016 14:07:10 +0100
Subject: Cleanup code by spliting files
---
 files/config.txt | 43 +++++++++++++++++++++++
 files/firstboot/10-begin.sh | 2 ++
 files/firstboot/21-generate-ssh-keys.sh | 8 +++++
 files/firstboot/22-expandroot.sh | 52 ++++++++++++++++++++++++++++
 files/firstboot/99-finish.sh | 3 ++
 files/fstab | 2 ++
 files/iptables/flush-ip6tables.sh | 15 ++++++++
 files/iptables/flush-iptables.sh | 10 ++++++
 files/iptables/ip6tables.rules | 48 ++++++++++++++++++++++++++
 files/iptables/ip6tables.service | 15 ++++++++
 files/iptables/iptables.rules | 43 +++++++++++++++++++++++
 files/iptables/iptables.service | 15 ++++++++
 files/modprobe.d/raspi-blacklist.conf | 9 +++++
 files/sysctl.d/81-rpi-vm.conf | 6 ++++
 files/sysctl.d/82-rpi-net-hardening.conf | 59 ++++++++++++++++++++++++++++++++
 15 files changed, 330 insertions(+)
 create mode 100644 files/config.txt
 create mode 100644 files/firstboot/10-begin.sh
 create mode 100644 files/firstboot/21-generate-ssh-keys.sh
 create mode 100644 files/firstboot/22-expandroot.sh
 create mode 100644 files/firstboot/99-finish.sh
 create mode 100644 files/fstab
 create mode 100644 files/iptables/flush-ip6tables.sh
 create mode 100644 files/iptables/flush-iptables.sh
 create mode 100644 files/iptables/ip6tables.rules
 create mode 100644 files/iptables/ip6tables.service
 create mode 100644 files/iptables/iptables.rules
 create mode 100644 files/iptables/iptables.service
 create mode 100644 files/modprobe.d/raspi-blacklist.conf
 create mode 100644 files/sysctl.d/81-rpi-vm.conf
 create mode 100644 files/sysctl.d/82-rpi-net-hardening.conf
(limited to 'files')
diff --git a/files/config.txt b/files/config.txt
new file mode 100644
index 0000000..7491765
--- /dev/null
+++ b/files/config.txt
@@ -0,0 +1,43 @@
+# For more options and information see
+# http://www.raspberrypi.org/documentation/configuration/config-txt.md
+# Some settings may impact device functionality. See link above for details
+
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment this if your display has a black border of unused pixels visible
+# and your display can output without overscan
+#disable_overscan=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+# uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800
diff --git a/files/firstboot/10-begin.sh b/files/firstboot/10-begin.sh
new file mode 100644
index 0000000..6258bb7
--- /dev/null
+++ b/files/firstboot/10-begin.sh
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+logger -t "rc.firstboot" "Starting first boot actions"
diff --git a/files/firstboot/21-generate-ssh-keys.sh b/files/firstboot/21-generate-ssh-keys.sh
new file mode 100644
index 0000000..a6c567c
--- /dev/null
+++ b/files/firstboot/21-generate-ssh-keys.sh
@@ -0,0 +1,8 @@
+logger -t "rc.firstboot" "Generating SSH host keys"
+rm -f /etc/ssh/ssh_host_*
+ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
+ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
+ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
+ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+
+systemctl restart sshd
diff --git a/files/firstboot/22-expandroot.sh b/files/firstboot/22-expandroot.sh
new file mode 100644
index 0000000..00b94af
--- /dev/null
+++ b/files/firstboot/22-expandroot.sh
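Review bot: The `ssh-keygen -q -t dsa` line produces a 1024-bit ssh-dss host key that OpenSSH 7.0 and later disable by default, so it only leaves an obsolete key on disk; drop that line, and consider fixing the RSA size explicitly with `-b 4096` rather than relying on the tool's default. Nothing records the new fingerprints, so an operator connecting for the first time has no way to check them — `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub | logger -t rc.firstboot` (one per generated key) makes them available out-of-band through the log. `systemctl restart sshd` presumes a unit by that name exists; on Debian-derived images the unit is `ssh.service` and `sshd` resolves only where an alias is provided, which is worth confirming for the target image.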
@@ -0,0 +1,52 @@
+logger -t "rc.firstboot" "Expanding root"
+ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
+PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
+case "${ROOT_PART}" in
+ mmcblk0*) ROOT_DEV=mmcblk0 ;;
+ sda*) ROOT_DEV=sda ;;
+esac
+if [ "$PART_NUM" = "$ROOT_PART" ]; then
+ logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
+ return 0
+fi
+
+# NOTE: the NOOBS partition layout confuses parted. For now, let's only
+# agree to work with a sufficiently simple partition layout
+if [ "$PART_NUM" -gt 2 ]; then
+ logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
+ return 0
+fi
+LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
+if [ $LAST_PART_NUM -ne $PART_NUM ]; then
+ logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
+ return 0
+fi
+
+# Get the starting offset of the root partition
+PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
+[ "$PART_START" ] || return 1
+
+# Get the possible last sector for the root partition
+PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
+[ "$PART_LAST" ] || return 1
+
+# Return value will likely be error for fdisk as it fails to reload the
+# partition table because the root fs is mounted
+### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
+fdisk /dev/${ROOT_DEV} <