diff --git a/README.md b/README.md index 470571e..7c4e9df 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,111 @@ -# Proxoptimizer +# Proxmox Hardening and Optimization Script πŸš€πŸ”’ -Optimize Proxmox and if wished, add 2FA on Logon and SSH \ No newline at end of file +This repository contains a script designed to improve your Proxmox's performance and security. The script will automatically configure essential settings for your system, such as optimizing network protocols, security measures, logging configurations, and more. +The user is only required to respond to a few prompts, and the script will take care of the rest. + +## Features ✨ + + Force APT to use IPv4 🌐⚑ + Disable portmapper/rpcbind for security πŸ›‘πŸ›‘οΈ + Ensure entropy pools are populated πŸ”‘πŸ’» + Protect the web interface with Fail2Ban πŸ›‘οΈπŸš¨ + Limit the size and optimize journald πŸ““πŸ“Š + Ensure ksmtuned is enabled and optimized πŸ§ πŸ’‘ + Enable restart on kernel panic, kernel oops, and hard lockup πŸ”„βš οΈ + Increase max user watches, FD limit, FD ulimit, and max key limit πŸ§°πŸ”§ + Optimize logrotate πŸ”„ + Installing Google-Authenticator for 2FA (SSH & TUI) πŸ““πŸ›‘οΈ + +## Prerequisites πŸ“‹ + +Make sure your server meets the following requirements before running the script: + + A Proxmox system (Version 8.0 or newer) + Sudo privileges / or logged in with root + Internet connection for package installations + +## How to Use the Script πŸ› οΈ +1. Download the Script + +Clone the repository to your server: +```bash + git clone https://git.lainlounge.xyz/hax/Proxoptimizer.git + cd server-hardening-optimization +``` + +2. Make the Script Executable +```bash + chmod +x optimize-server.sh +``` + +3. Run the Script + +Execute the script with root privileges: +```bash + sudo ./optimize-server.sh +``` + +The script will automatically ask you questions during execution, such as: + +- Force APT to use IPv4? (yes/no) +- Disable rpcbind for security? (yes/no) +- Ensure entropy pools are populated? (yes/no) +- Enable Fail2Ban for web protection? 
(yes/no) +- Limit and optimize journald log size? (yes/no) +- Enable and optimize ksmtuned based on RAM? (yes/no) +- Enable kernel panic restart? (yes/no) +- Increase system limits (FD, user watches)? (yes/no) +- Optimize logrotate settings? (yes/no) +- Installing 2FA for SSH and TUI) (yes/no) + +After answering the prompts, the script will apply the changes automatically. + +## Script Details πŸ“ +1. Force APT to Use IPv4 🌐⚑ + + The script will automatically configure APT to use IPv4 for faster network performance. + +2. Disable Portmapper/RPCbind πŸ›‘πŸ›‘οΈ + + To enhance security, rpcbind will be disabled to prevent exposure to vulnerabilities. + +3. Ensure Entropy Pools Are Populated πŸ”‘πŸ’» + + haveged will be installed and configured to ensure your server has enough entropy for secure cryptographic operations. + +4. Protect the Web Interface with Fail2Ban πŸ›‘οΈπŸš¨ + + If the script detects a web interface (nginx/apache), Fail2Ban will be configured to block brute force attacks automatically. + +5. Limit and Optimize Journald πŸ““πŸ“Š + + Journald logs will be configured to limit their size and optimize retention to prevent excessive disk usage. + +6. Enable and Optimize ksmtuned πŸ§ πŸ’‘ + + ksmtuned will be enabled and configured based on your server's RAM size to improve memory management. + +7. Enable Kernel Panic, Kernel Oops, and Hard Lockup Restart πŸ”„βš οΈ + + The system will be configured to automatically restart after a kernel panic or hard lockup to minimize downtime. + +8. Increase System Limits πŸ§°πŸ”§ + + The script will increase the maximum number of file descriptors, user watches, and ulimit to prevent resource exhaustion during high load. + +9. Optimize Logrotate πŸ”„ + + Logrotate configurations will be optimized to ensure proper log file rotation without excessive disk usage. + +## Notes πŸ“ + + This script is intended to be run on a fresh or optimized server setup. 
+ It’s recommended to review the changes the script makes, even though it automates everything based on the default configurations. + A reboot may be required for some changes to take effect, particularly those involving kernel parameters and system services. + +## Contributing 🀝 + +Feel free to fork the repository and create a pull request if you have any suggestions for improvements. Make sure to follow best practices and test any changes on a staging server before applying them to production. +License πŸ“„ + +This project is licensed under the MIT License see the LICENSE.md file for details. \ No newline at end of file
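Review bot: In "How to Use the Script", step 1 clones `https://git.lainlounge.xyz/hax/Proxoptimizer.git` but then runs `cd server-hardening-optimization`, a directory that clone will not create. The `cd` should target `Proxoptimizer`, and it is worth confirming that `optimize-server.sh` in steps 2 and 3 is the script's actual filename in this repository. Separately, "Script Details" stops at item 9, while the Features list and the prompts both include the Google-Authenticator 2FA step for SSH and TUI. That is the change most likely to lock an administrator out, so it should get its own entry describing what is modified and how to keep a working session open while testing. The 2FA prompt line also has an unbalanced parenthesis ("Installing 2FA for SSH and TUI) (yes/no)"). The Fail2Ban entry says it applies only if nginx/apache is detected, while the feature is described as protecting the web interface; the README should state which service is actually covered. Finally, the "License" line near the end is missing the `##` prefix used by the other section headings.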