Initial commit — SETEC LABS Manager (Setec_CDM)
Flask-based VPS management panel with SSH remote command execution. Includes E2E encrypted SSH tunnel (AES-256-GCM + Go agent), setup wizard, security hardening tools, DNS management, firewall configs, monitoring, backup, and .sec patch update system. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
DigiJ
55
updates/sec/debian12_0326.sec
Normal file
55
updates/sec/debian12_0326.sec
Normal file
@@ -0,0 +1,55 @@
|
||||
# Setec Labs Security Update — Debian 12 Bookworm
|
||||
# Release: 2026-03
|
||||
# Target: Debian 12 (Bookworm)
|
||||
# Author: seteclabs.io
|
||||
# Applied via: sec_updates.py parse_and_apply_cmd()
|
||||
|
||||
[packages]
|
||||
# Critical security patches for March 2026
|
||||
apt-get update -qq
|
||||
apt-get install -y --only-upgrade openssl libssl3
|
||||
apt-get install -y --only-upgrade libgnutls30
|
||||
apt-get install -y --only-upgrade openssh-server openssh-client
|
||||
apt-get install -y --only-upgrade curl libcurl4
|
||||
apt-get install -y --only-upgrade sudo
|
||||
apt-get install -y --only-upgrade systemd libsystemd0
|
||||
apt-get install -y --only-upgrade linux-image-amd64
|
||||
apt-get install -y --only-upgrade bind9-dnsutils bind9-host
|
||||
apt-get install -y --only-upgrade nginx
|
||||
apt-get install -y --only-upgrade python3 libpython3-stdlib
|
||||
apt-get install -y --only-upgrade git
|
||||
apt-get install -y --only-upgrade vim-common xxd
|
||||
|
||||
[sysctl]
|
||||
# Harden network stack
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
kernel.randomize_va_space = 2
|
||||
fs.protected_hardlinks = 1
|
||||
fs.protected_symlinks = 1
|
||||
kernel.kptr_restrict = 1
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
[services]
|
||||
systemctl restart ssh
|
||||
systemctl restart nginx
|
||||
systemctl daemon-reexec
|
||||
|
||||
[files]
|
||||
chmod 600 /etc/ssh/sshd_config
|
||||
chmod 700 /root/.ssh
|
||||
chmod 644 /etc/sysctl.d/99-setec-update.conf
|
||||
chown root:root /etc/sysctl.d/99-setec-update.conf
|
||||
|
||||
[custom]
|
||||
# Cleanup old kernels
|
||||
bash:-:apt-get autoremove -y --purge 2>&1
|
||||
# Verify no known vulnerable packages remain
|
||||
bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'
|
||||
Reference in New Issue
Block a user