En el post anterior vimos cómo se instaló una Raspberry Pi Zero W. Ahora veremos cómo realizar una configuración básica.
En primer lugar instalaremos (si no lo está ya) el software básico:
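# Refresh the package index and install the base tool set in one transaction.
apt clean
apt update -y
# Package list kept as an array: one name per line is easier to review, and the
# original listed build-essential twice (it is listed once here).
# NOTE(review): compilers, npm/nodejs and build tools widen the attack surface of
# a host that the rest of this page hardens; install only what the Pi's role needs.
base_packages=(
  jq bc snmpd apt-show-versions lsb-release npm nodejs aptitude gawk
  ca-certificates initramfs-tools apt-utils build-essential libssl-dev
  libpcre++-dev hwinfo apt-transport-https python3-pip curl wget gcc make
  time dnsutils zip lsof bison cifs-utils mlocate openssl cmake rpm
  lm-sensors hddtemp libraspberrypi-bin cpufrequtils
)
# DEBIAN_FRONTEND=noninteractive keeps dpkg from prompting during an unattended run.
DEBIAN_FRONTEND=noninteractive apt-get install -y "${base_packages[@]}"
apt-get --yes autoremove
apt-get --yes autoclean
apt-get --yes clean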
Deshabilitaremos servicios que no usaremos. Como:
Bluetooth
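# Bluetooth is unused on this build: mask the services so nothing can start
# them, then blacklist the kernel modules so they are not autoloaded.
systemctl mask hciuart.service
systemctl mask bluetooth.service
systemctl mask bluealsa.service
myArray=('btbcm' 'hci_uart' 'btusb' 'btrtl' 'btintel' 'bluetooth' 'btsdio')
# One drop-in per module under /etc/modprobe.d. Expansions are quoted so a
# module name can never be word-split or glob-expanded.
# NOTE(review): "blacklist" only stops alias-based autoloading; an explicit
# modprobe or a dependency can still load the module. The "install <mod> /bin/true"
# form used further down this page blocks loading entirely, if that is wanted here.
for PROTOCOL in "${myArray[@]}"; do
  printf 'blacklist %s\n' "${PROTOCOL}" > "/etc/modprobe.d/${PROTOCOL}.conf"
done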
HDMI
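# Power the HDMI output off now, and make that persistent by inserting the same
# command before the final "exit 0" of /etc/rc.local.
/usr/bin/tvservice -o
# Guarded: re-running the script would otherwise insert a duplicate line.
if ! grep -q 'tvservice -o' /etc/rc.local; then
  sed -i '/^exit 0/i /usr/bin/tvservice -o' /etc/rc.local
fi
# NOTE(review): snd_hda_* are the Intel HDA audio modules; they are unlikely to
# exist on a Raspberry Pi (its audio is snd_bcm2835), so these drop-ins are
# probably inert here. Kept as authored.
myArray=('snd_hda_codec_hdmi' 'snd_hda_codec' 'snd_hda_intel')
for PROTOCOL in "${myArray[@]}"; do
  printf 'blacklist %s\n' "${PROTOCOL}" > "/etc/modprobe.d/${PROTOCOL}.conf"
done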
Servicios varios (cups, rpcbind, avahi,…)
# Mask units that have no role on a headless Pi. A masked unit is linked to
# /dev/null, so neither a dependency nor a manual "start" can bring it up.
# NOTE(review): masking apt-daily.service stops the automatic package-index
# refresh; make sure security updates are applied some other way.
unused_units=(
  avahi-daemon
  triggerhappy
  bootlogs
  console-setup
  keyboard-setup.service
  apt-daily.service
  raspi-config.service
  cups.service
  alsa-state.service
  cups-browsed.service
  rpcbind.socket
  rpcbind.service
  rpcbind.target
)
for unit in "${unused_units[@]}"; do
  systemctl mask "$unit"
done
Ahora aplicaremos una configuración adicional a nivel de kernel para mejorar su rendimiento:
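# Kernel hardening and network tuning. The original appended unconditionally,
# so every re-run duplicated the whole block; the guard keys on one setting
# from it. The delimiter is quoted because nothing inside should be expanded.
# NOTE(review): net.ipv4.ip_nonlocal_bind = 1 lets a process bind an address the
# host does not own (an HA/proxy feature, not a hardening one); vm.dirty_ratio = 70
# lets 70% of RAM hold unflushed writes, which on SD-card storage is a lot to lose
# on a power cut; only the default.* variant of accept_source_route is set, all.*
# is left at the kernel default. Values kept as authored — review them.
if ! grep -q '^kernel.unprivileged_bpf_disabled' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf << 'EOF'
dev.tty.ldisc_autoload = 0
fs.protected_fifos = 2
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
fs.suid_dumpable = 0
kernel.core_uses_pid = 1
kernel.randomize_va_space = 2
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 3
kernel.sysrq = 0
kernel.unprivileged_bpf_disabled = 1
kernel.yama.ptrace_scope = 1
net.core.netdev_max_backlog = 2500
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 16384 65000
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_syncookies = 1
vm.dirty_ratio = 70
vm.overcommit_memory = 1
vm.swappiness = 10
EOF
fi
# Apply now instead of waiting for a reboot (unknown keys are reported, the rest applied).
sysctl -p /etc/sysctl.conf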
Actualizaremos la configuración de la SWAP
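# Raise the swap file to 6144 MB. The original 's/100/6144/g' rewrote every
# "100" anywhere in the file (comments included); target the actual keys.
sed -i 's/^CONF_SWAPSIZE=.*/CONF_SWAPSIZE=6144/' /etc/dphys-swapfile
sed -i 's/^#\?CONF_MAXSWAP=.*/CONF_MAXSWAP=6144/' /etc/dphys-swapfile
# Recreate the swap file at the new size; otherwise the change waits for a reboot.
# NOTE(review): 6 GB of swap on an SD card means heavy write wear — confirm the size is intended.
systemctl restart dphys-swapfile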
Deshabilitaremos IPv6
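# Disable IPv6 entirely and ignore router advertisements / redirects on it.
# Guarded so a re-run does not append the block twice.
if ! grep -q '^net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf << 'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
EOF
fi
sysctl -p /etc/sysctl.conf
# Drop the IPv6 loopback and multicast (ff0…) entries from /etc/hosts.
# (Redundant if /etc/hosts is rewritten from scratch later, as it is further down this page.)
sed -i '/^::1/d' /etc/hosts
sed -i '/^ff0/d' /etc/hosts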
Le daremos un nombre a la Raspberry (rpi01) con una IP (10.0.1.71)
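# Hostname and a static /etc/hosts. The address is a variable so it is changed
# in one place; the original hard-coded 10.0.1.71 inside the echo.
RPI=rpi01
RPI_IP=10.0.1.71
hostname "${RPI}"
printf '%s\n' "${RPI}" > /etc/hostname
# printf instead of "echo -e": portable tab handling, and the data can never be
# mistaken for echo options. Exactly one tab is written, so the original's
# blank-line and double-tab clean-up passes are no longer needed.
printf '127.0.0.1\tlocalhost\n' > /etc/hosts
printf '%s\t%s\n' "${RPI_IP}" "${RPI}" >> /etc/hosts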
Aplicaremos medidas de seguridad para los accesos por SSH
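#######################################
# Set one sshd_config keyword: replace the existing (possibly commented-out)
# line, or append the keyword when it is absent. Idempotent on re-runs.
# The original ".*Keyword.*" patterns also rewrote unrelated comment lines
# (e.g. the "# no default banner path" comment became a second Banner line).
# Arguments: $1 keyword, $2 value (both fixed strings from this script)
#######################################
sshd_set() {
  local key=$1 value=$2
  if grep -Eq "^#?${key}( |$)" /etc/ssh/sshd_config; then
    sed -i -E "s/^#?${key}( .*)?$/${key} ${value}/" /etc/ssh/sshd_config
  else
    printf '%s %s\n' "${key}" "${value}" >> /etc/ssh/sshd_config
  fi
}

# Keywords the original flipped from "yes" to "no" in one regex. sshd keywords
# are case-insensitive but sed is not: "useDNS" never matched the stock
# "#UseDNS no" line, so it is spelled as shipped here. PermitRootLogin is now
# forced to "no" even when the stock value is "prohibit-password".
for key in PermitRootLogin TCPKeepAlive Compression AllowAgentForwarding \
           PermitEmptyPasswords UseDNS AllowTcpForwarding X11Forwarding; do
  sshd_set "$key" no
done
sshd_set AddressFamily inet   # IPv6 is disabled on this host; listen on IPv4 only
sshd_set Banner none          # "none" is the value sshd understands; "no" names a banner file
# NOTE(review): with MaxAuthTries 2, a client that offers more than one key
# can be cut off before it reaches password auth. Kept as authored.
sshd_set MaxAuthTries 2
sshd_set ClientAliveCountMax 2
sshd_set MaxSessions 2
sshd_set LogLevel VERBOSE     # VERBOSE logs the fingerprint of the key that logged in
sshd_set PrintMotd no
sshd_set AllowUsers pi
sshd_set DenyUsers root
# Validate before restarting: a bad config would take remote access down.
if /usr/sbin/sshd -t; then
  service sshd restart
else
  printf 'sshd_config failed validation; sshd not restarted\n' >&2
fi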
Eliminaremos el mensaje informativo de acceso a la Raspberry
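# Silence the login messages: .hushlogin suppresses them per user and the
# system files are emptied. ": > file" truncates (or creates) the file, where
# "sed -i d" fails when the file is missing.
# NOTE(review): /etc/issue.net is also the usual pre-auth SSH banner source; if a
# policy requires a legal-notice banner, keep it instead of emptying the file.
touch "$HOME/.hushlogin"
touch /home/pi/.hushlogin
: > /etc/issue
: > /etc/issue.net
: > /etc/motd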
Forzaremos que el runlevel sea el 3 (consola)
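# Boot to the text console. Under systemd runlevel3.target is only an alias of
# multi-user.target, so the original's two calls set the same default twice.
systemctl set-default multi-user.target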
Evitaremos que una combinación de teclas provoque un reinicio inesperado y que el equipo entre en modo de hibernación o de ahorro de energía
# No power-management states and no Ctrl-Alt-Del reboot on this host.
for target in sleep suspend hibernate hybrid-sleep ctrl-alt-del; do
  systemctl mask "${target}.target"
done
Habilitaremos sysstat para la recopilación de datos y estadísticas del equipo
# sysstat (sar/iostat history). The collector stays off until ENABLED is "true".
apt clean
apt update -y
apt-get install -y sysstat
sed -i -e 's/ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat
apt --purge autoremove -y
Configuraremos el servicio de hora
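# Replace systemd-timesyncd with the full ntp daemon.
# NOTE(review): on newer Debian releases "ntp" is provided by ntpsec; the package
# names below may resolve to transitional packages there.
systemctl mask systemd-timesyncd
apt clean
apt update -y
apt-get -y install ntp ntpdate ntpstat
apt --purge autoremove -y
# The original had a stray "EOF" and "sh /tmp/update.sh" at this point —
# leftovers from a heredoc that is not on this page. Running an unversioned
# script out of /tmp as root has no place in a hardening recipe, so both are dropped.
# Use the regional pool and cap the poll interval at 2^9 s.
sed -i 's/debian.pool.ntp.org/europe.pool.ntp.org/g' /etc/default/ntpdate
sed -i 's/debian.pool.ntp.org/europe.pool.ntp.org/g' /etc/ntp.conf
# Guarded: a re-run would otherwise append "maxpoll 9" a second time.
grep -q 'maxpoll 9' /etc/ntp.conf || sed -i 's/iburst/iburst maxpoll 9/g' /etc/ntp.conf
# Local clock as a stratum-10 fallback when no upstream server is reachable.
if ! grep -q '^server 127.127.1.0' /etc/ntp.conf; then
  cat >> /etc/ntp.conf << 'EOF'
server 127.127.1.0
fudge 127.127.1.0 stratum 10
EOF
fi
systemctl enable ntp
# The package started ntp with the stock config; restart so the edits apply.
systemctl restart ntp
ntpq -p
ntpq -pn
ln -sf /usr/share/zoneinfo/Europe/Madrid /etc/localtime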
Eliminaremos nano y forzaremos usar vi/vim
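# Replace nano with vim and make vim the default editor.
apt clean
apt update -y
apt-get remove --purge nano -y
apt-get install vim vim-common vim-haproxy vim-syntastic vim-tiny -y
apt --purge autoremove -y
# -f: do not fail if a stale /bin/nano is still present.
ln -sf /usr/bin/vim /bin/nano
printf 'SELECTED_EDITOR="/usr/bin/vim.basic"\n' > "$HOME/.selected_editor"
# Guarded so a re-run does not append the export again.
grep -qx 'export VISUAL="vim"' "$HOME/.bashrc" || printf 'export VISUAL="vim"\n' >> "$HOME/.bashrc"
# The original used "echo > file << EOF": echo ignores stdin, so .vimrc ended up
# as a single empty line and "set mouse=a" was never written. cat reads the heredoc.
cat > "$HOME/.vimrc" << 'EOF'
set mouse=a
EOF
sed -i 's/"syntax on/syntax on/g' /etc/vim/vimrc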
Actualizaremos y securizaremos permisos en ficheros y carpetas
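# Tighten ownership and modes on the home directory, sudoers drop-ins, logs and cron.
chmod 750 /home/pi
chmod 750 /etc/sudoers.d
# "root:utmp" — the "root.utmp" form is a deprecated GNU extension.
chown root:utmp /var/log/wtmp
# NOTE(review): Debian ships wtmp as 664 root:utmp; 0744 drops the group write
# bit, so anything that appends login records via the utmp group rather than
# as root stops doing so. Kept as authored — confirm nothing on the host needs it.
chmod 0744 /var/log/wtmp
# Create the lockout/audit logs the modes below expect, then restrict them
# (the original listed faillog twice).
touch /var/log/faillog /var/log/tallylog /var/log/secure /etc/securetty
chmod 600 /var/log/tallylog /var/log/faillog /etc/securetty /etc/crontab
# NOTE(review): 744 makes /var/log/messages world-readable; rsyslog on Debian
# creates it 640 root:adm. Kept as authored, guarded because the file may not exist.
[[ -e /var/log/messages ]] && chmod 744 /var/log/messages
chmod 740 /var/log/secure
# The original set 600 on the cron *directories*: that is a file mode, and a
# directory needs the search (x) bit for any non-root process — the setgid
# crontab(1) helper included — to traverse it. 700 keeps them root-only.
# NOTE(review): Debian keeps /var/spool/cron/crontabs at 1730 root:crontab so
# users can manage their own tables; with 700 only root can. Confirm intended.
for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly \
         /etc/cron.monthly /var/spool/cron/crontabs; do
  chmod 700 "$d"
done
# NOTE(review): this is the ssh *client* config; 600 makes it unreadable to
# non-root users such as pi. Confirm ssh as pi still behaves as expected.
chmod 600 /etc/ssh/ssh_config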
Definiremos las shells disponibles para los usuarios
# NOTE(review): this line appears garbled. "<>" opens /etc/securetty read-write
# as stdin, so cat copies the current contents of /etc/securetty (a TTY list,
# created empty by the touch above if it did not already exist) over
# /etc/shells. The result is an /etc/shells without /bin/bash, which breaks
# chsh(1) and any service that validates login shells against it. The heredoc
# listing the permitted shells that was presumably intended is not recoverable
# from this page — restore it before running this step.
cat > /etc/shells <> /etc/securetty
Deshabilitaremos protocolos y software que no usaremos, ya que no son seguros, junto con la mitigación de alguno de ellos
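# "install <mod> /bin/true" stops a module from loading at all, even on an
# explicit request or as a dependency — stronger than "blacklist", which only
# stops alias-based autoloading.
myArray=("tipc" "rds" "sctp" "dccp" "n_hdlc" "firewire_core" "firewire_ohci")
for PROTOCOL in "${myArray[@]}"; do
  printf 'install %s /bin/true\n' "${PROTOCOL}" > "/etc/modprobe.d/${PROTOCOL}.conf"
done
# Legacy/unused hardware drivers (snd_bcm2835 is the Pi's onboard audio).
myArray=("floppy" "snd_bcm2835" "cap-sdio-irq" "ohci1394" "sbp2" "dv1394" "raw1394" "video1394" "firewire-ohci" "firewire-sbp2" "firewire-core")
for PROTOCOL in "${myArray[@]}"; do
  printf 'blacklist %s\n' "${PROTOCOL}" > "/etc/modprobe.d/${PROTOCOL}.conf"
done
# Compilers stay usable by root only (chmod follows the alternatives symlinks).
chmod o-rx /usr/bin/gcc /usr/bin/g++ /usr/bin/as
# -y: the original prompted, which stalls an unattended run.
# NOTE(review): libpam-cracklib is not available on newer Debian releases;
# libpam-pwquality is its successor there.
apt-get install -y libpam-cracklib
# The original linked /lib/x86_64-linux-gnu/security/pam_cracklib.so — a path
# that does not exist on an ARM Raspberry Pi — into /lib/security, which may
# not exist either, leaving a dangling link. Debian's PAM should already find
# the module in the multiarch directory; locate it instead of assuming one.
install -d /lib/security
for so in /lib/*/security/pam_cracklib.so; do
  [[ -e "$so" ]] || continue
  ln -sf "$so" /lib/security/pam_cracklib.so
done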
Actualizaremos parametrización del sistema así como otras configuraciones:
# Root's interactive shell: no per-user process cap.
# NOTE(review): "ulimit -u unlimited" removes the fork-bomb guard for root;
# a bounded value would be safer. Left as authored.
printf 'ulimit -u unlimited\n' >> /root/.bashrc
# snmpd: log to syslog at priority 6 (info) instead of stderr.
# NOTE(review): editing the vendor unit under /lib/systemd is undone by the
# next package upgrade; a drop-in under /etc/systemd/system/snmpd.service.d/
# survives it.
for f in /etc/default/snmpd /lib/systemd/system/snmpd.service; do
  sed -i 's|-Lsd|-LS6d|' "$f"
done
systemctl daemon-reload
service snmpd restart
# cron defaults.
# NOTE(review): EXTRA_OPTS="-L 0" disables cron's per-job (CMD) logging, which
# removes a useful audit trail; CRONDARGS appears to be a cronie (Fedora)
# variable that Debian's cron ignores. Values kept as authored.
cat > /etc/default/cron <<'EOF'
READ_ENV="yes"
MAILTO=""
CRONDARGS=-s -m off
EXTRA_OPTS="-L 0"
EOF
service cron restart
Evitaremos la creación de coredumps
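# No core dumps for any user (complements fs.suid_dumpable = 0 in sysctl.conf above).
# Guarded so re-runs do not stack identical lines.
grep -qF '* hard core 0' /etc/security/limits.conf || printf '%s\n' '* hard core 0' >> /etc/security/limits.conf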
Forzaremos la configuración de UMASK
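# Umask policy.
# NOTE(review): Debian's csh does not read /etc/profile.d/*.csh on its own, so
# this file is inert unless a csh is installed and configured to source it.
# Kept as authored.
cat > /etc/profile.d/myconfig.csh << 'EOF'
# Restrictive umask
if ($uid > 199 && "`id -gn`" == "`id -un`") then
umask 007
else
if ($uid > 199) then
umask 027
else
umask 022
endif
endif
EOF
# NOTE(review): three different umasks are set on this page — 007/027/022 for
# csh, 077 for bash/sh here and 027 in login.defs. For interactive bash logins
# 077 wins, because /etc/profile and bash.bashrc run after login(1) applied
# login.defs. Pick one value. Guarded so re-runs do not append again.
for rc in /etc/profile /etc/bash.bashrc; do
  grep -qx 'umask 077' "$rc" || printf 'umask 077\n' >> "$rc"
done
# Comment out the stock definition of every key appended below (the original
# only did so for UMASK), so there is one active value per key and nothing
# depends on which of two duplicate login.defs entries wins.
sed -i -E 's/^((UMASK|USERGROUPS_ENAB|SHA_CRYPT_MIN_ROUNDS|SHA_CRYPT_MAX_ROUNDS)[[:space:]])/# \1/' /etc/login.defs
cat >> /etc/login.defs << 'EOF'
UMASK 027
USERGROUPS_ENAB no
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 10000
EOF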
Eliminaremos cualquier rastro de X11
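# Purge the X11 client libraries and everything depending on them (headless host).
apt-get clean
apt-get remove --purge --auto-remove 'libx11-.*' -y
apt-get remove --purge --auto-remove x11-common -y
# Purge packages left in "rc" state (removed, config files still present).
# Collected into an array first: the original ran "apt purge" with no package
# name when the list was empty, and prompted because -y was missing.
mapfile -t rc_packages < <(dpkg --list | awk '/^rc/ { print $2 }')
if (( ${#rc_packages[@]} > 0 )); then
  apt-get purge -y "${rc_packages[@]}"
fi
apt --purge autoremove -y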
Y finalmente, reiniciaremos para completar la instalación y configuración de la Raspberry Pi.