Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- clear
- # ------------------
- # twitter: @F0U4D_
- # ------------------
- echo "Welcome to Ubuntu Server Initial setup "
- echo "By: @F0U4D_"
- # check if the user has root privilage
- if [[ $EUID -ne 0 ]]
- then
- printf "%s " "This script must be run as root"
- exit 1
- fi
- export LC_ALL=C
- # ------------------
- # ------------------
- # update and upgrade
- # ------------------
- echo "--------------------------------------------------------------------"
- echo "updating and upgrading the server "
- echo "--------------------------------------------------------------------"
- apt-get update
- apt-get upgrade -y
- apt-get autoremove -y
- apt-get autoclean -y
- echo "--------------------------------------------------------------------"
- echo "DONE -- > updating and upgrading the server "
- echo "--------------------------------------------------------------------"
- # ------------------
- # ------------------
- # let's add first root user
- # ------------------
- echo "--------------------------------------------------------------------"
- echo "adding sudo user "
- echo "--------------------------------------------------------------------"
- echo "create your sudo user: "
- read -p "Enter username : " username
- read -s -p "Enter password : " password
- if [ $(id -u) -eq 0 ]; then
- egrep "^$username" /etc/passwd >/dev/null
- if [ $? -eq 0 ]; then
- echo "$username exists!"
- exit 1
- else
- pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
- useradd -m -p $pass $username
- [ $? -eq 0 ] && echo "User $username has been added to system! " || echo "Failed to add a user!"
- usermod -aG sudo $username
- echo "User $username has been added to sudoers file and sudo group "
- mkdir /home/$username/.ssh
- cp ~/.ssh/authorized_keys /home/$username/.ssh/authorized_keys
- chown $username /home/$username/.ssh/authorized_keys
- fi
- else
- echo "Only root may add a user to the system"
- exit 2
- fi
- echo "--------------------------------------------------------------------"
- echo "DONE -- > adding sudo user: $username "
- echo "--------------------------------------------------------------------"
- # ------------------
- # ------------------
- # Changing SSH Port
- # ------------------
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- echo "--------------------------------------------------------------------"
- echo "changing ssh port number "
- echo "--------------------------------------------------------------------"
- read -p "which port number have you chosen? (Chose between 1024-65535) " sshportconfig
- if (( ("$sshportconfig" > 1024) && ("$sshportconfig" < 65535) )); then
- sed -i "s/.*Port [^ ]*/Port $sshportconfig/g" /etc/ssh/sshd_config
- echo "--------------------------------------------------------------------"
- echo "SSH port has been changed to: $sshportconfig. "
- echo "--------------------------------------------------------------------"
- else
- echo "Port chosen is incorrect."
- read -p "which port number have you chosen? (Chose between 1024-65535) " sshportconfig
- if (( ("$sshportconfig" > 1024) && ("$sshportconfig" < 65535) )); then
- echo "Port $sshportconfig" >> /etc/ssh/sshd_config
- echo "--------------------------------------------------------------------"
- echo "SSH port has been changed to: $sshportconfig. "
- echo "--------------------------------------------------------------------"
- else
- echo "No"
- echo "BYE!, F0U4D_"
- shutdown -h now
- exit 2
- fi
- fi
- echo "--------------------------------------------------------------------"
- echo "DONE -- > changing ssh port number to $sshportconfig "
- echo "--------------------------------------------------------------------"
- # ------------------
- # ------------------
- # Disaple root login
- # ------------------
- echo "--------------------------------------------------------------------"
- echo "disaple root & passwordless login "
- echo "--------------------------------------------------------------------"
- if [ $(id -u) -eq 0 ]; then
- sed -i "s/.*RSAAuthentication.*/RSAAuthentication yes/g" /etc/ssh/sshd_config
- sed -i "s/.*PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
- sed -i "s/.*PasswordAuthentication.*/PasswordAuthentication no/g" /etc/ssh/sshd_config
- sed -i "s/.*AuthorizedKeysFile.*/AuthorizedKeysFile\t\.ssh\/authorized_keys/g" /etc/ssh/sshd_config
- sed -i "s/.*PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
- sed -i "s/.*DebianBanner.*/DebianBanner no/g" /etc/ssh/sshd_config
- sed -i "s/.*X11Forwarding.*/X11Forwarding No/g" /etc/ssh/sshd_config
- echo "AllowUsers $username" >> /etc/ssh/sshd_config
- echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
- echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
- else
- echo "Only root may add a user to the system"
- exit 2
- fi
- echo "--------------------------------------------------------------------"
- echo "DONE -- > disaple root & passwordless login "
- echo "--------------------------------------------------------------------"
- # ------------------
- # ------------------
- # Disaple root login
- # ------------------
- echo "--------------------------------------------------------------------"
- echo "Secure shared memory. "
- echo "--------------------------------------------------------------------"
- cp /etc/fstab /etc/fstab.bak
- FSTAB=/etc/fstab
- SED=`which sed`
- #nosuid on /sys
- if [ $(grep " \/sys " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
- MNT_OPTS=$(grep " \/sys " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/sys.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB}
- fi
- #nodev,nosuid on /boot
- if [ $(grep " \/boot " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
- MNT_OPTS=$(grep " \/boot " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/boot.*${MNT_OPTS}\)/\1,nodev,nosuid/" ${FSTAB}
- fi
- #nodev and nosuid on /usr
- if [ $(grep " \/usr " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/usr " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/usr .*${MNT_OPTS}\)/\1,nodev,nosuid/" ${FSTAB}
- fi
- #nodev and nosuid on /home
- if [ $(grep " \/home " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/home " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/home .*${MNT_OPTS}\)/\1,nodev,nosuid/" ${FSTAB}
- fi
- #nodev and nosuid on /export/home
- if [ $(grep " \/export\/home " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/export\/home " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/export\/home .*${MNT_OPTS}\)/\1,nodev,nosuid/" ${FSTAB}
- fi
- #nodev and nosuid on /usr/local
- if [ $(grep " \/usr\/local " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/usr\/local " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/usr\/local.*${MNT_OPTS}\)/\1,nodev,nosuid/" ${FSTAB}
- fi
- #nodev,noexec,nosuid on /dev/shm
- if [ $(grep " \/dev\/shm " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/dev\/shm " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/dev\/shm.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
- fi
- #nodev,noexec,nosuid on /tmp
- if [ $(grep " \/tmp " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/tmp " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/tmp.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
- fi
- #nodev,noexec,nosuid on /var/tmp
- if [ $(grep " \/var\/tmp " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/var\/tmp " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/var\/tmp.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
- fi
- #nodev,noexec,nosuid on /var/log
- if [ $(grep " \/var\/log " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/var\/tmp " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/var\/tmp.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
- fi
- #nodev,noexec,nosuid on /var/audit
- if [ $(grep " \/var\/log\/audit " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/var\/log\/audit " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/var\/log\/audit.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
- fi
- #nodev,nosuid on /var/
- if [ $(grep " \/var " ${FSTAB} | grep -c "nodev") -eq 0 ]; then
- MNT_OPTS=$(grep " \/var " ${FSTAB} | awk '{print $4}')
- ${SED} -i "s/\( \/var.*${MNT_OPTS}\)/\1,nodev,nosuid/" ${FSTAB}
- fi
- echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0" >> /etc/fstab
- echo "--------------------------------------------------------------------"
- echo "DONE -- > Secure shared memory. "
- echo "--------------------------------------------------------------------"
- # ------------------
- # Hadening network
- # ------------------
- echo "--------------------------------------------------------------------"
- echo "Hadening network "
- echo "--------------------------------------------------------------------"
- cp /etc/sysctl.conf /etc/sysctl.conf.bak
- cat > /etc/sysctl.conf << EOL
- # Block SYN attacks
- net.ipv4.tcp_max_syn_backlog = 2048
- net.ipv4.tcp_syn_retries = 5
- # Log Martians
- net.ipv4.conf.all.log_martians = 1
- net.ipv4.icmp_ignore_bogus_error_responses = 1
- # Ignore ICMP redirects
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
- # Ignore Directed pings
- net.ipv4.icmp_echo_ignore_all = 1
- # Controls IP packet forwarding
- net.ipv4.ip_forward = 0
- # Controls source route verification
- net.ipv4.conf.default.rp_filter = 1
- # Do not accept source routing
- net.ipv4.conf.default.accept_source_route = 0
- # Controls the System Request debugging functionality of the kernel
- kernel.sysrq = 0
- # Controls whether core dumps will append the PID to the core filename
- # Useful for debugging multi-threaded applications
- kernel.core_uses_pid = 1
- # Controls the use of TCP syncookies
- #net.ipv4.tcp_syncookies = 1
- net.ipv4.tcp_synack_retries = 2
- ########## IPv4 networking start ##############
- # Send redirects, if router, but this is just server
- net.ipv4.conf.all.send_redirects = 0
- net.ipv4.conf.default.send_redirects = 0
- # Accept packets with SRR option? No
- net.ipv4.conf.all.accept_source_route = 0
- # Accept Redirects? No, this is not router
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
- # Log packets with impossible addresses to kernel log? yes
- net.ipv4.conf.all.log_martians = 1
- net.ipv4.conf.default.accept_source_route = 0
- net.ipv4.conf.default.accept_redirects = 0
- net.ipv4.conf.default.secure_redirects = 0
- # Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
- net.ipv4.icmp_echo_ignore_broadcasts = 1
- # Prevent against the common 'syn flood attack'
- net.ipv4.tcp_syncookies = 1
- # Enable source validation by reversed path, as specified in RFC1812
- net.ipv4.conf.all.rp_filter = 1
- net.ipv4.conf.default.rp_filter = 1
- ########## IPv6 networking start ##############
- # Number of Router Solicitations to send until assuming no routers are present.
- # This is host and not router
- net.ipv6.conf.default.router_solicitations = 0
- # Accept Router Preference in RA?
- net.ipv6.conf.default.accept_ra_rtr_pref = 0
- # Learn Prefix Information in Router Advertisement
- net.ipv6.conf.default.accept_ra_pinfo = 0
- # Setting controls whether the system will accept Hop Limit settings from a router advertisement
- net.ipv6.conf.default.accept_ra_defrtr = 0
- #router advertisements can cause the system to assign a global unicast address to an interface
- net.ipv6.conf.default.autoconf = 0
- #how many neighbor solicitations to send out per address?
- net.ipv6.conf.default.dad_transmits = 0
- # How many global unicast IPv6 addresses can be assigned to each interface?
- net.ipv6.conf.default.max_addresses = 1
- ########## IPv6 networking ends ##############
- #Enable ExecShield protection
- kernel.exec-shield = 1
- kernel.randomize_va_space = 1
- # TCP and memory optimization
- # increase TCP max buffer size setable using setsockopt()
- #net.ipv4.tcp_rmem = 4096 87380 8388608
- #net.ipv4.tcp_wmem = 4096 87380 8388608
- # increase Linux auto tuning TCP buffer limits
- #net.core.rmem_max = 8388608
- #net.core.wmem_max = 8388608
- #net.core.netdev_max_backlog = 5000
- #net.ipv4.tcp_window_scaling = 1
- # increase system file descriptor limit
- fs.file-max = 65535
- #Allow for more PIDs
- kernel.pid_max = 65536
- #Increase system IP port limits
- net.ipv4.ip_local_port_range = 2000 65000
- EOL
- echo "--------------------------------------------------------------------"
- echo "DONE -- > Hadening network "
- echo "--------------------------------------------------------------------"
- # ------------------
- # Hadening network
- # ------------------
- echo "--------------------------------------------------------------------"
- echo "Prevent IP Spoofing. "
- echo "--------------------------------------------------------------------"
- cp /etc/host.conf /etc/host.conf.bak
- sed -i "s/order hosts,bind/order bind,hosts/g" /etc/host.conf
- echo "nospoof on" >> /etc/host.conf
- echo "--------------------------------------------------------------------"
- echo "DONE -- > Prevent IP Spoofing "
- echo "--------------------------------------------------------------------"
- # ------------------
- # MAKE SWAP FILE
- # ------------------
- echo "--------------------------------------------------------------------"
- echo "MAKE SWAP FILE. "
- echo "--------------------------------------------------------------------"
- sudo fallocate -l 1G /swapfile
- sudo chmod 600 /swapfile
- sudo mkswap /swapfile
- sudo swapon /swapfile
- echo "/swapfile none swap sw 0 0" | sudo tee -a /etc/fstab
- echo "vm.swappiness=10" >> /etc/sysctl.conf
- echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.conf
- echo "--------------------------------------------------------------------"
- echo "DONE -- > MAKE SWAP FILE "
- echo "--------------------------------------------------------------------"
- echo "--------------------------------------------------------------------"
- echo "DONE -- > INITIAL SETUP "
- echo "rebooting now"
- echo "get some coffee"
- echo "--------------------------------------------------------------------"
- reboot
Add Comment
Please, Sign In to add comment