-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy path00-setup.sh
74 lines (57 loc) · 2.26 KB
/
00-setup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/bin/bash
source vars
# Stop apt-get from hanging on security updates
echo 'precedence ::ffff:0:0/96 100' >> /etc/gai.conf
# Update and Upgrade
apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
# Set hostname
hostnamectl set-hostname $hostname
# Set Timezone
timedatectl set-timezone $timezone
# Update hosts file
echo "127.0.0.1 $hostname" >> /etc/hosts
echo "127.0.0.1 localhost.localdomain localhost" >> /etc/hosts
# Set up automatic security updates
apt install unattended-upgrades
echo -e "APT::Periodic::Update-Package-Lists \"1\";\n\
APT::Periodic::Download-Upgradeable-Packages \"1\";\n\
APT::Periodic::AutocleanInterval \"7\";\n\
APT::Periodic::Unattended-Upgrade \"1\";\n"\
> /etc/apt/apt.conf.d/10periodic
# Create user
useradd -m -s /bin/bash $username
# Create Password
echo $username:$passwd | chpasswd
# Add user to Sudoers
adduser $username sudo
sed --in-place 's/^#\s*\(%sudo\s\+ALL=(ALL)\s\+NOPASSWD:\s\+ALL\)/\1/' /etc/sudoers
# Install & Configure SSH
sed -z 's/PermitRootLogin yes\|$/PermitRootLogin no/' /etc/ssh/sshd_config
sed -z 's/PasswordAuthentication yes\|$/PasswordAuthentication no/' /etc/ssh/sshd_config
echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
systemctl restart sshd
# Install & Configure Fail2Ban
apt-get -y install fail2ban
sed 's/\(^[[:alpha:]]\)/# \1/' /etc/fail2ban/fail2ban.conf | sudo tee /etc/fail2ban/fail2ban.local &> /dev/null
sed 's/\(^[a-z tab]\)/# \1/' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local &> /dev/null
# Allow SSH
ufw allow ssh
ufw default allow outgoing
ufw default deny incoming
# Enable Firewall
ufw --force enable
echo ''
echo "Now you'll need to push your local SSH keys to this remote server so that you can reboot and login as that user."
echo "Logging in as root won't work once you reboot."
echo "So, from your local machine run:"
echo "ssh-copy-id $username@$ipaddr"
echo "Now you should be able to log in as your user."
echo "ssh $username@$ipaddr"
echo ''
echo "Have you pushed your key?"
select yn in "Yes" "No"; do
case $yn in
Yes ) echo "Ok, rebooting now."; echo ''; reboot -h now; break;;
No ) echo "Ok, you can still SSH in as root until we reboot."; exit;;
esac
done