# System config

###### tags: `system config` `arch` `linux`

### ToDo:

- [X11-Firejail]
- [ ]
- [ ]

### Packages

- [System]

```
apparmor audit cockpit cockpit-dashboard cockpit-docker cockpit-pcp cpupower firejail firetools dnscrypt-proxy
```

---

### Deactivate Multicast

```
sudo iptables -A INPUT -s 224.0.0.0/4 -j REJECT
sudo iptables -A INPUT -d 224.0.0.0/4 -j REJECT
sudo iptables -A INPUT -s 240.0.0.0/5 -j REJECT
sudo iptables -A INPUT -m pkttype --pkt-type multicast -j REJECT
sudo iptables -A INPUT -m pkttype --pkt-type broadcast -j REJECT
#
sudo iptables -A OUTPUT -s 224.0.0.0/4 -j REJECT
sudo iptables -A OUTPUT -d 224.0.0.0/4 -j REJECT
sudo iptables -A OUTPUT -s 240.0.0.0/5 -j REJECT
sudo iptables -A OUTPUT -m pkttype --pkt-type multicast -j REJECT
sudo iptables -A OUTPUT -m pkttype --pkt-type broadcast -j REJECT
#
sudo ip link set enp12s0 multicast off
sudo ip link set enp13s0 multicast off
sudo ip link set proton0 multicast off
#
sudo ifconfig enp12s0 -multicast
sudo ifconfig enp13s0 -multicast
sudo ifconfig proton0 -multicast
```

---

### Cockpit

`mkdir -p /etc/systemd/system/cockpit.socket.d`

```
echo "
[Socket]
ListenStream=
ListenStream=127.0.0.1:443" > /etc/systemd/system/cockpit.socket.d/listen.conf
```

`systemctl restart cockpit.socket`

* Firewalld Port

If Firewalld is configured as your firewall, then you will need to tell it to allow Cockpit to receive connections on the new port. Run the following commands to do so. The last options specify the desired TCP port.

```
$ sudo firewall-cmd [--zone=ZONE] --add-port=443/tcp
$ sudo firewall-cmd --permanent [--zone=ZONE] --add-port=443/tcp
```

---

### GRUB

* in `/etc/default/grub` add:
`apparmor=1 security=apparmor udev.log_priority=3 audit=1 rcutree.rcu_idle_gp_delay=1 acpi_osi=! acpi_osi='Windows 2009'`
to `GRUB_CMDLINE_LINUX_DEFAULT`.

---

`sudo ifconfig eth0 -multicast`

### Firejail

`# firecfg`
`# apparmor_parser -r /etc/apparmor.d/firejail-default`

##### pacman hook:

`mkdir /etc/pacman.d/hooks/`
`nano /etc/pacman.d/hooks/firejail.hook`

```
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/local/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```

---

### DNScrypt-proxy

`pacman -S dnscrypt-proxy`
`systemctl enable --now dnscrypt-proxy.service`

* configuration file:
`/etc/dnscrypt-proxy/dnscrypt-proxy.toml`
* set DNS to localhost:
`nmcli connection modify 'enp13s0' ipv4.dns 127.0.0.1`
`nmcli connection modify 'enp13s0' ipv4.dns-search 127.0.0.1`

---

### Protonvpn-cli-ng

* Install dependencies:
`sudo pacman -S --needed openvpn python dialog python-pythondialog python-setuptools python-docopt python-requests`
* Install Protonvpn-cli via python-pip:
`sudo pip3 install protonvpn-cli && sudo pip3 install protonvpn-cli --upgrade`
* configure Protonvpn:
`sudo protonvpn init`
`sudo protonvpn configure`
`sudo protonvpn connect --cc de`
* Create autoconnect on boot service:
`cp protonvpn-autoconnect.service /etc/systemd/system/protonvpn-autoconnect.service`
`systemctl daemon-reload`
`systemctl enable protonvpn-autoconnect`
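
---

As a check for the Cockpit drop-in above, this added example (not part of the original notes) reads `ss -Hltn` output and reports any listener on a given port that is not bound to loopback. The function name `exposed_listeners` and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): confirm a port is only
# reachable on loopback, e.g. after the cockpit.socket drop-in above.
# Live use:  ss -Hltn | exposed_listeners 443
# Prints each non-loopback local address listening on PORT.
# Status: 0 = loopback only, 1 = exposed, 2 = nothing listening on PORT.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                           # Local Address:Port column
            n = match(la, /:[0-9]+$/)         # locate the trailing :port
            if (n == 0) next
            if (substr(la, n + 1) != port) next
            seen = 1
            addr = substr(la, 1, n - 1)
            sub(/%.*$/, "", addr)             # drop %iface scope suffix
            sub(/^\[/, "", addr)              # unwrap [ipv6] brackets
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print addr
            bad = 1
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: what the drop-in should produce.
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: wildcard IPv4/IPv6 listeners on the same port.
SAMPLE_EXPOSED='LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 [::]:443 [::]:*
LISTEN 0 4096 [::1]:443 [::]:*'

for s in "$SAMPLE_LOOPBACK" "$SAMPLE_EXPOSED"; do
    if printf '%s\n' "$s" | exposed_listeners 443; then
        echo "443: loopback only"
    else
        echo "443: exposed or not listening (status $?)"
    fi
done
```

A status of 2 after restarting `cockpit.socket` means the unit is not listening on that port at all, which usually points at the drop-in not being picked up.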