Currently updated for Debian 12 "Bookworm"
Edit /etc/ssl/openssl.cnf
# Relaxed OpenSSL defaults for talking to legacy peers.
# This is the system-wide file: every program that loads the default OpenSSL
# configuration inherits these settings, not only the one that needs them.
# NOTE(review): the [openssl_init] section only takes effect if the top of the
# file points at it (openssl_conf = openssl_init); that line is not shown here.
# NOTE(review): when a single application needs the relaxation, a private copy
# of this file selected with the OPENSSL_CONF environment variable keeps the
# rest of the system on the distribution defaults.
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
# Loads the legacy provider next to the default one, which makes deprecated
# algorithms (for example MD4, RC4, single DES) available to applications.
[legacy_sect]
activate = 1
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
# Lowest protocol version libssl negotiates by default: TLS 1.0.
MinProtocol = TLSv1
# Security level 0 permits everything: no minimum strength is enforced for
# ciphers, key sizes or signature digests in certificates and handshakes.
CipherString = DEFAULT@SECLEVEL=0
Edit /etc/ssh/sshd_config
# sshd_config fragment that widens what the server accepts so old clients can connect.
# Root may log in directly and password logins are enabled, so the root
# password is reachable by online guessing from anything that can reach port 22.
# NOTE(review): `PermitRootLogin prohibit-password` keeps root reachable by key
# only, if legacy clients do not need password logins as root.
PermitRootLogin yes
PasswordAuthentication yes
# $ssh -Q cipher
# Explicit list (no +/- prefix), so it replaces the built-in default set.
# The tail of the list enables CBC-mode ciphers and 3des-cbc.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
# $ssh -Q kex
# The tail of the list enables SHA-1 based exchanges, including
# diffie-hellman-group1-sha1.
# NOTE(review): sshd refuses a configuration containing an algorithm name it
# does not know; confirm every entry appears in `ssh -Q kex` on the target
# release (the two sntrup761 spellings in particular).
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
# $ssh -Q mac
# The tail of the list enables SHA-1 and MD5 based MACs, their 96-bit truncated
# variants, and the 64-bit umac tags.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1,hmac-sha1-96-etm@openssh.com,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5,hmac-md5-96-etm@openssh.com,hmac-md5-96,umac-64-etm@openssh.com,umac-64@openssh.com
# $ssh -Q key
# The + prefix appends ssh-rsa (RSA signatures over SHA-1) to the default sets
# for host-based authentication, server host keys and user public keys.
HostBasedAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa
PubKeyAcceptedAlgorithms +ssh-rsa
# Restart sshd so the edited sshd_config is read.
# NOTE(review): run `sshd -t` first; it checks the configuration file and
# reports errors, so a typo or unsupported algorithm name is caught before the
# running daemon is replaced.
systemctl restart ssh
Edit /etc/default/grub
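Add mitigations=off tsx=on to GRUB_CMDLINE_LINUX= (mitigations=off turns off the kernel's CPU speculative-execution mitigations and tsx=on re-enables Intel TSX, so this fits hosts that run no untrusted code or guests; after the reboot the resulting state is listed under /sys/devices/system/cpu/vulnerabilities/)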
Run update-grub
# Remove the AppArmor userspace package, its profiles and its profile cache.
# AppArmor is the mandatory access control layer Debian enables by default;
# services that shipped a profile afterwards run with only their ordinary
# Unix permissions.
apt-get -y -f purge apparmor
# Hold the package so apt will not install it again as a dependency or upgrade.
apt-mark hold apparmor
# rm -rf as root on fixed absolute paths: the profile cache and all profiles,
# including any locally written ones, are deleted without a backup.
rm -rf /var/cache/apparmor
rm -rf /etc/apparmor.d
# NOTE(review): APT::Never-MarkAuto-Sections matches archive section names;
# confirm that the pattern "apparmor*" has the intended effect.
echo 'APT::Never-MarkAuto-Sections { "apparmor*"; };' > /etc/apt/apt.conf.d/99apparmor
# Refresh package lists, then drop packages that are no longer needed and
# stale cached .deb files.
apt-get -y update
apt-get -y autoremove
apt-get -y autoclean
# Install rsyslog and start it now and on every boot.
# It has to be running before journald storage is switched off further down,
# because from then on it holds the only copy of the system logs.
apt-get install rsyslog
systemctl enable --now rsyslog
Edit /etc/logrotate.d/rsyslog
# Keep 14 rotated files and rotate once a day: about two weeks of history.
# NOTE(review): size the retention to how far back an investigation needs to reach.
rotate 14
daily
Edit /etc/systemd/journald.conf
[Journal]
# journald stores nothing itself, neither on disk nor in /run; journalctl and
# `systemctl status` show no log lines afterwards.
Storage=none
# Messages are still forwarded to the syslog socket, so the plain-text files
# written by the syslog daemon become the only log record on the host.
ForwardToSyslog=yes
# Delete the existing persistent journal files, then restart journald so the
# edited journald.conf takes effect.
# NOTE(review): this discards all log history collected so far; archive
# /var/log/journal first if it may still be needed for troubleshooting or an
# investigation.
rm -rf /var/log/journal/*
systemctl restart systemd-journald
# Silence apt's "does not have a stable CLI interface" warning when the apt
# command is used from scripts. The file is overwritten (>), not appended to.
echo 'Apt::Cmd::Disable-Script-Warning "true";' > /etc/apt/apt.conf.d/99disable-cli-warning
# --system writes to the system-wide git configuration, so each setting below
# applies to every user and every repository on this host.
# Never convert line endings; check files out with LF.
git config --system core.autocrlf false
git config --system core.eol lf
# Turns off TLS certificate verification for all HTTPS remotes: the server's
# identity is no longer checked, so fetched or pushed data can be read or
# altered in transit without git noticing.
# NOTE(review): if the cause is one server with a private CA, `http.sslCAInfo`
# or a per-URL `http.<url>.sslVerify` confines the exception to that server.
git config --system http.sslverify false
git config --system init.defaultbranch 'master'
# '*' marks every directory as safe, which switches off git's check that a
# repository is owned by the user running git, for all users including root.
# NOTE(review): listing the specific shared paths keeps the check elsewhere.
git config --system safe.directory '*'
# Do not guess an author identity; committing fails until user.name and
# user.email are configured.
git config --system user.useConfigOnly true
# Replace the packaged vim with a self-built Vim 7.4 installed under /usr/local.
# A build under /usr/local is outside apt: it receives no distribution security
# updates, and 7.4 is an old upstream release.
apt-get --purge remove vim
apt-get update
apt-get install build-essential libncurses-dev
cd /usr/local/src
# NOTE(review): the tarball is built and installed as root without an integrity
# check; record its SHA-256 once (placeholder: <EXPECTED_SHA256>) and compare
# it with `sha256sum` before unpacking.
wget https://github.com/vim/vim/archive/refs/tags/v7.4.tar.gz -O vim-7.4.tar.gz
tar -xzvf vim-7.4.tar.gz
cd vim-7.4
# CFLAGS hard-codes the system vimrc/gvimrc locations under /etc/vim.
# All language interpreters and the GUI are disabled; configure aborts if a
# requested feature cannot be built (--enable-fail-if-missing).
CFLAGS="-DSYS_VIMRC_FILE='\"/etc/vim/vimrc\"' -DSYS_GVIMRC_FILE='\"/etc/vim/gvimrc\"'" ./configure \
--prefix=/usr/local \
--with-features=huge \
--enable-multibyte \
--disable-gui \
--disable-luainterp \
--disable-perlinterp \
--disable-rubyinterp \
--disable-pythoninterp \
--disable-python3interp \
--enable-cscope \
--with-tlib=ncurses \
--enable-fail-if-missing
make
make install
# Fetch vim runtime and configuration files straight into system locations.
# /etc/vim/vimrc and vimrc.local are sourced by every user's vim, root's
# included, and a vimrc can run arbitrary commands.
# NOTE(review): the URLs track the `master` branch, whose content can change
# between runs; use a fixed commit in the URL (placeholder: <COMMIT_SHA> in
# place of master) and read the files before installing them.
# NOTE(review): wget -O does not create directories; /etc/vim must still exist
# after the vim package was purged.
wget https://raw.githubusercontent.com/anzz1/vimconfig/master/vim74/debian.vim -O /usr/local/share/vim/vim74/debian.vim
wget https://raw.githubusercontent.com/anzz1/vimconfig/master/colors/less.vim -O /usr/local/share/vim/vim74/colors/less.vim
wget https://raw.githubusercontent.com/anzz1/vimconfig/master/vimrc -O /etc/vim/vimrc
wget https://raw.githubusercontent.com/anzz1/vimconfig/master/vimrc.local -O /etc/vim/vimrc.local
crontab -e
Add the following lines
# Run boot.sh once at every boot and daily.sh every day at 00:00.
# Only stdout is discarded (> /dev/null); anything written to stderr is not.
# The jobs run with the privileges of the crontab's owner (presumably root,
# given the /root path), so /root/cron and both scripts should be owned by
# that user and not writable by anyone else.
@reboot "/root/cron/boot.sh" > /dev/null
0 0 * * * "/root/cron/daily.sh" > /dev/null
Create the boot.sh and daily.sh scripts; they give you one place to run simple tasks without having to add a separate crontab entry for each of them
#!/bin/sh
# Template for /root/cron/boot.sh and /root/cron/daily.sh.
# The file must be executable, because the crontab entries call it by path.
# run stuff
# Always report success to cron, whatever the commands above returned.
exit 0