
Preparing the SSC

rootTHC edited this page Aug 9, 2024 · 19 revisions

You should only be here if you have already prepped your server for deployment. If you have not, read the AWS Deployment or Generic Deployment page first.

Basic OpSec

# Point root's bash history at /dev/null so nothing typed in the shell
# (including secrets passed on a command line) is persisted to disk.
# Trade-off: no shell history is left for later audit or incident response.
ln --symbolic --force /dev/null /root/.bash_history
# Set a new password for the current user (prompts interactively).
passwd

Remove default crap

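# Stop and disable default services this host does not need; every daemon
# left running is extra attack surface. Units that do not exist on your
# image only print an error, which is harmless.
for unit in motd-news motd-news.timer pvedaemon pveproxy packagekitd \
            spiceproxy dovecot xinetd apache2 postfix sw-cp-server \
            nginx mysql bind9; do
    systemctl stop "$unit"
    systemctl disable "$unit"
done
# rpcbind has a .socket unit: stop the socket before the service, otherwise
# systemd can start the service again on the next connection. Disable the
# socket explicitly so it cannot bring rpcbind back after a reboot.
systemctl stop rpcbind.socket
systemctl stop rpcbind
systemctl disable rpcbind.socket
systemctl disable rpcbind
# I hate snapd with a passion.
# Many times AWS failed to start an instance because snapd consumed 1GB+ memory -> kernel panic.
# Same socket-first order as above; the socket is disabled too in case the
# purge below does not go through.
systemctl stop snapd.socket
systemctl stop snapd
systemctl disable snapd.socket
systemctl disable snapd
apt remove --purge --assume-yes snapd gnome-software-plugin-snap
rm -rf ~/snap/
rm -rf /var/cache/snapd/
### Stop leaking secrets to swap:
# Hibernate and hybrid-sleep write the RAM image (keys, passwords) to disk.
# Masking the sleep targets makes sure none of them can be triggered.
# This does not change ordinary paging to a swap device.
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target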

Install useful stuff

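apt update -y
apt install -y curl tmux cpu-checker libvirt-daemon-system net-tools \
                    dnsmasq-base genisoimage virtinst libosinfo-bin \
                    cryptsetup qemu-kvm qemu-utils xfsprogs htop vim \
                    jq fd-find ripgrep iftop systemd-timesyncd secure-delete \
                    dnsutils less smartmontools
# Vim is unusable with mouse support. Append only once so that running these
# commands again does not pile up duplicate lines.
grep -qxF 'set ttymouse=' /etc/vim/vimrc || echo 'set ttymouse=' >>/etc/vim/vimrc
# The fd-find package installs its binary as "fdfind"; make it reachable as
# "fd" unless something with that name is already there.
[[ -e /usr/bin/fd || -L /usr/bin/fd ]] || ln -s fdfind /usr/bin/fd
# Stop these colorless and boring MOTD
# Comments out every *_motd line in the sshd PAM file. Lines that are already
# commented are skipped, so a second run does not stack up '#' characters.
# This edits a PAM file in place: keep your current session open and test a
# new SSH login before you disconnect.
sed -i '/^[[:space:]]*#/! s/^\(.*_motd.*\)$/#\1/' /etc/pam.d/sshd
# Enable NTP
timedatectl set-ntp true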
# cut & paste this into your shell
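# Format a device as swap and register it in /etc/fstab by UUID.
# Arguments: $1 - device to turn into swap; its current contents are lost
# Returns:   0 on success; non-zero if a step failed (fstab is then untouched)
# NOTE(review): the swap area created here is not encrypted by this function,
# so paged-out memory reaches the device in clear text unless the device
# itself is already encrypted. Confirm against your deployment.
addswap()
{
    local dev uuid
    dev=${1:-}

    if [[ -z "$dev" ]]; then
        echo >&2 "Usage: addswap <device>"
        return 1
    fi

    # Stop here on failure; otherwise an empty or stale UUID would be
    # appended to /etc/fstab.
    mkswap "$dev" || return

    # Ask blkid for the UUID value only. This avoids eval on blkid output and
    # does not depend on UUID being the first tag that blkid prints.
    uuid=$(blkid -s UUID -o value "$dev")
    if [[ -z "$uuid" ]]; then
        echo >&2 "addswap: no UUID found on $dev"
        return 1
    fi

    printf '%s\n' "UUID=${uuid} none swap    sw,pri=1              0       0" >>/etc/fstab
}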
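# Create an XFS filesystem on a device, register it in /etc/fstab by UUID,
# mount it on /sf and create /sf/config.
# Arguments: $1 - device to format; its current contents are lost
# Returns:   0 on success; non-zero as soon as one step fails
addsf()
{
    local dev uuid
    dev=${1:-}

    if [[ -z "$dev" ]]; then
        echo >&2 "Usage: addsf <device>"
        return 1
    fi

    # -f overwrites an existing filesystem without asking. Double-check the
    # device name (e.g. with lsblk) before calling this function.
    mkfs -t xfs -f "$dev" || return

    # Ask blkid for the UUID value only. This avoids eval on blkid output and
    # does not depend on UUID being the first tag that blkid prints.
    uuid=$(blkid -s UUID -o value "$dev")
    if [[ -z "$uuid" ]]; then
        echo >&2 "addsf: no UUID found on $dev"
        return 1
    fi

    mkdir -p /sf || return
    printf '%s\n' "UUID=${uuid}     /sf    xfs    defaults,nofail,noatime,usrquota,prjquota 1 2" >>/etc/fstab || return

    # If the mount fails, stop: /sf/config would otherwise be created on the
    # root filesystem instead of the new XFS volume.
    mount /sf || return
    mkdir -p /sf/config
}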