  1. #!/bin/bash
  2.  
  3. clear
  4.  
  5. # ------------------
  6. # twitter: @F0U4D_
  7. # ------------------
  8.  
  9. echo "Welcome to Ubuntu Server Initial setup "
  10. echo "By: @F0U4D_"
  11.  
  12.  
  13.  
  14.  
  15. # check if the user has root privilage
  16.  
  17. if [[ $EUID -ne 0 ]]
  18. then
  19. printf "%s " "This script must be run as root"
  20. exit 1
  21. fi
  22. export LC_ALL=C
  23. # ------------------
  24.  
  25.  
  26.  
  27. # ------------------
  28. # update and upgrade
  29. # ------------------
  30. echo "--------------------------------------------------------------------"
  31. echo "updating and upgrading the server "
  32. echo "--------------------------------------------------------------------"
  33. apt-get update
  34. apt-get upgrade -y
  35. apt-get autoremove -y
  36. apt-get autoclean -y
  37. echo "--------------------------------------------------------------------"
  38. echo "DONE -- > updating and upgrading the server "
  39. echo "--------------------------------------------------------------------"
  40. # ------------------
  41.  
  42.  
  43.  
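# ------------------
# let's add the first sudo user
# ------------------
# Sets $username, which the sshd section below writes into AllowUsers.
echo "--------------------------------------------------------------------"
echo "adding sudo user "
echo "--------------------------------------------------------------------"

echo "create your sudo user: "
read -r -p "Enter username : " username
read -r -s -p "Enter password : " password
echo

# useradd's own name rules are distro-configurable; be stricter than any of
# them so the name is safe to splice into paths and into sshd's AllowUsers.
if [[ ! "$username" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
  echo "Invalid username '$username' (lowercase letters, digits, _ and -, max 32 chars)" >&2
  exit 1
fi
if [[ -z "$password" ]]; then
  echo "Empty password refused" >&2
  exit 1
fi

# Exact-name lookup through NSS. The old `egrep "^$username" /etc/passwd`
# was a prefix match ("bob" matched "bobby") and treated the name as a regex.
if getent passwd "$username" >/dev/null; then
  echo "$username exists!" >&2
  exit 1
fi

# Create the account first, then set the password via chpasswd's stdin: it
# is hashed with the system default (SHA-512 on Ubuntu) instead of a fixed-
# salt DES crypt() that truncates at 8 characters, and the plaintext never
# appears in the process list the way a perl argv did.
if ! useradd -m "$username"; then
  echo "Failed to add a user!" >&2
  exit 1
fi
echo "User $username has been added to system! "
if ! printf '%s:%s\n' "$username" "$password" | chpasswd; then
  echo "Failed to set password for $username" >&2
  exit 1
fi
unset password

if ! usermod -aG sudo "$username"; then
  echo "Failed to add $username to the sudo group" >&2
  exit 1
fi
echo "User $username has been added to the sudo group "

# The sshd section disables password logins and limits sshd to this user,
# so the copied key is the only remote way in afterwards. Refuse to go on
# when there is nothing to copy instead of locking the box on reboot.
if [[ ! -s "$HOME/.ssh/authorized_keys" ]]; then
  echo "No $HOME/.ssh/authorized_keys to copy; add a public key for root first or you will be locked out" >&2
  exit 1
fi
user_home=$(getent passwd "$username" | cut -d: -f6)
primary_group=$(id -gn "$username")
# install(1) creates the directory/file with the right owner and mode in one
# step; the old mkdir/cp/chown left .ssh root-owned and world-readable.
install -d -m 700 -o "$username" -g "$primary_group" "$user_home/.ssh"
install -m 600 -o "$username" -g "$primary_group" "$HOME/.ssh/authorized_keys" "$user_home/.ssh/authorized_keys"

echo "--------------------------------------------------------------------"
echo "DONE -- > adding sudo user: $username "
echo "--------------------------------------------------------------------"
# ------------------


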
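# ------------------
# sshd: change the port, key-only login, no root login
# ------------------
# Reads $username (set by the "adding sudo user" section) for AllowUsers.
SSHD_CONFIG=/etc/ssh/sshd_config
cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"

if [[ -z "${username:-}" ]]; then
  echo "username is not set; refusing to write an AllowUsers line that locks everyone out" >&2
  exit 2
fi

# set_sshd_opt KEYWORD VALUE [CONFIG]
# Removes every existing line for KEYWORD (active or commented out; sshd
# keywords are case-insensitive) and writes "KEYWORD VALUE" exactly once.
# The new line goes above the first Match block when there is one, because
# anything after a Match line applies only inside that block (and Port or
# AllowUsers are not even allowed there). The plain sed substitutions used
# before silently did nothing when the keyword was absent from the file.
# Note that this also strips KEYWORD from inside any Match block, which the
# old `s/.*KEYWORD.*/…/` did as well.
set_sshd_opt() {
  local key="$1" value="$2" cfg="${3:-$SSHD_CONFIG}" match_line
  sed -i -E "/^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)/Id" "$cfg"
  match_line=$(grep -n -m1 -iE '^[[:space:]]*Match([[:space:]]|$)' "$cfg" | cut -d: -f1)
  if [[ -n "$match_line" ]]; then
    sed -i "${match_line}i ${key} ${value}" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$cfg"
  fi
}

# valid_port N: true when N is a decimal number in 1024..65535.
# The old `(( "$input" > 1024 ))` evaluated whatever was typed as a bash
# arithmetic expression, so non-numeric input was a code-execution vector
# and the check also excluded the 1024 and 65535 the prompt advertises.
valid_port() {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1024 && 10#$1 <= 65535 ))
}

echo "--------------------------------------------------------------------"
echo "changing ssh port number "
echo "--------------------------------------------------------------------"
read -r -p "which port number have you chosen? (Chose between 1024-65535) " sshportconfig
if ! valid_port "$sshportconfig"; then
  echo "Port chosen is incorrect."
  read -r -p "which port number have you chosen? (Chose between 1024-65535) " sshportconfig
  if ! valid_port "$sshportconfig"; then
    # Two bad answers used to run `shutdown -h now` -- a self-inflicted
    # outage, not a safety measure. Put the config back and stop instead.
    echo "No"
    echo "BYE!, F0U4D_"
    cp "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
    exit 2
  fi
fi
set_sshd_opt Port "$sshportconfig"
echo "--------------------------------------------------------------------"
echo "SSH port has been changed to: $sshportconfig. "
echo "--------------------------------------------------------------------"
echo "--------------------------------------------------------------------"
echo "DONE -- > changing ssh port number to $sshportconfig "
echo "--------------------------------------------------------------------"
# ------------------



# ------------------
# Disable root login and password authentication
# ------------------
echo "--------------------------------------------------------------------"
echo "disable root & password login "
echo "--------------------------------------------------------------------"
# RSAAuthentication (SSH protocol 1 only) is deliberately not written any
# more; current sshd only reports it as a deprecated option.
set_sshd_opt PubkeyAuthentication yes
set_sshd_opt PasswordAuthentication no
# PasswordAuthentication=no alone still leaves PAM's keyboard-interactive
# password prompt open; close that path too.
set_sshd_opt ChallengeResponseAuthentication no
set_sshd_opt AuthorizedKeysFile .ssh/authorized_keys
set_sshd_opt PermitRootLogin no
# DebianBanner is a Debian/Ubuntu patch; vanilla OpenSSH rejects the keyword.
set_sshd_opt DebianBanner no
# Lowercase "no": that is the documented spelling of the flag values.
set_sshd_opt X11Forwarding no
set_sshd_opt AllowUsers "$username"
# 0/300 has historically been used as a ~5 minute idle disconnect.
# NOTE(review): newer OpenSSH documents ClientAliveCountMax 0 as "never
# terminate the connection" -- re-check this pair after an OpenSSH upgrade.
set_sshd_opt ClientAliveCountMax 0
set_sshd_opt ClientAliveInterval 300

# Refuse a config sshd itself rejects: the reboot at the end would otherwise
# come back with no working sshd. Fall back to the pristine copy on failure.
sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
if ! "$sshd_bin" -t -f "$SSHD_CONFIG"; then
  echo "new sshd_config failed validation; restoring $SSHD_CONFIG.bak" >&2
  cp "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
  exit 2
fi
echo "Remember to allow tcp/$sshportconfig through any host or cloud firewall before the reboot."
echo "--------------------------------------------------------------------"
echo "DONE -- > disable root & password login "
echo "--------------------------------------------------------------------"
# ------------------


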
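# ------------------
# Restrictive mount options (nodev/nosuid/noexec) and shared memory
# ------------------
echo "--------------------------------------------------------------------"
echo "Secure shared memory. "
echo "--------------------------------------------------------------------"
cp /etc/fstab /etc/fstab.bak
FSTAB=/etc/fstab

# add_mount_opts MOUNTPOINT OPTS [FSTAB]
# Appends each comma-separated option in OPTS to the options field of the
# fstab line whose mount point is exactly MOUNTPOINT, skipping options that
# are already there. Comments, blank lines and other mount points are left
# alone, and a mount point with no fstab line (e.g. /sys on most installs)
# is a no-op, as before. Unlike the old grep/sed pairs this is idempotent,
# matches the mount point exactly (" /var" used to also match /var/log) and
# does not splice the current options into a regex.
add_mount_opts() {
  local mnt="$1" opts="$2" fstab="${3:-$FSTAB}" tmp rc
  tmp=$(mktemp) || return 1
  awk -v mnt="$mnt" -v opts="$opts" '
    $0 !~ /^[[:space:]]*#/ && NF >= 4 && $2 == mnt {
      n = split(opts, want, ",")
      cur = $4
      for (i = 1; i <= n; i++)
        if (index("," cur ",", "," want[i] ",") == 0) cur = cur "," want[i]
      $4 = cur
    }
    { print }
  ' "$fstab" > "$tmp" && cat "$tmp" > "$fstab"
  rc=$?
  rm -f -- "$tmp"
  return "$rc"
}

add_mount_opts /sys            nosuid
add_mount_opts /boot           nodev,nosuid
# nodev only on /usr: nosuid there would break every setuid binary in
# /usr/bin (sudo, su, passwd, ...) whenever /usr is its own filesystem.
add_mount_opts /usr            nodev
add_mount_opts /home           nodev,nosuid
add_mount_opts /export/home    nodev,nosuid
add_mount_opts /usr/local      nodev,nosuid
add_mount_opts /dev/shm        nodev,noexec,nosuid
# NOTE(review): noexec on /tmp is known to break package maintainer scripts
# that run helpers out of /tmp; remount exec for apt runs if that bites.
add_mount_opts /tmp            nodev,noexec,nosuid
add_mount_opts /var/tmp        nodev,noexec,nosuid
# The old version checked /var/log but then edited /var/tmp (copy-paste slip).
add_mount_opts /var/log        nodev,noexec,nosuid
add_mount_opts /var/log/audit  nodev,noexec,nosuid
add_mount_opts /var            nodev,nosuid

# Idempotent: a second run must not stack duplicate entries.
# NOTE(review): on current Ubuntu /run/shm is a symlink to the /dev/shm
# tmpfs that systemd mounts itself; confirm this line still has an effect.
if ! grep -qE '^[^#]*[[:space:]]/run/shm[[:space:]]' "$FSTAB"; then
  echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0" >> "$FSTAB"
fi

echo "--------------------------------------------------------------------"
echo "DONE -- > Secure shared memory. "
echo "--------------------------------------------------------------------"



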
  237. # ------------------
  238. # Hadening network
  239. # ------------------
  240. echo "--------------------------------------------------------------------"
  241. echo "Hadening network "
  242. echo "--------------------------------------------------------------------"
  243.  
  244. cp /etc/sysctl.conf /etc/sysctl.conf.bak
  245. cat > /etc/sysctl.conf << EOL
  246.  
  247.  
  248.  
  249.  
  250.  
  251. # Block SYN attacks
  252.  
  253. net.ipv4.tcp_max_syn_backlog = 2048
  254. net.ipv4.tcp_syn_retries = 5
  255.  
  256. # Log Martians
  257. net.ipv4.conf.all.log_martians = 1
  258. net.ipv4.icmp_ignore_bogus_error_responses = 1
  259.  
  260. # Ignore ICMP redirects
  261.  
  262. net.ipv6.conf.all.accept_redirects = 0
  263.  
  264. net.ipv6.conf.default.accept_redirects = 0
  265.  
  266. # Ignore Directed pings
  267. net.ipv4.icmp_echo_ignore_all = 1
  268.  
  269.  
  270. # Controls IP packet forwarding
  271. net.ipv4.ip_forward = 0
  272.  
  273. # Controls source route verification
  274. net.ipv4.conf.default.rp_filter = 1
  275.  
  276. # Do not accept source routing
  277. net.ipv4.conf.default.accept_source_route = 0
  278.  
  279. # Controls the System Request debugging functionality of the kernel
  280. kernel.sysrq = 0
  281.  
  282. # Controls whether core dumps will append the PID to the core filename
  283. # Useful for debugging multi-threaded applications
  284. kernel.core_uses_pid = 1
  285.  
  286. # Controls the use of TCP syncookies
  287. #net.ipv4.tcp_syncookies = 1
  288. net.ipv4.tcp_synack_retries = 2
  289.  
  290. ########## IPv4 networking start ##############
  291. # Send redirects, if router, but this is just server
  292. net.ipv4.conf.all.send_redirects = 0
  293. net.ipv4.conf.default.send_redirects = 0
  294.  
  295. # Accept packets with SRR option? No
  296. net.ipv4.conf.all.accept_source_route = 0
  297.  
  298. # Accept Redirects? No, this is not router
  299. net.ipv4.conf.all.accept_redirects = 0
  300. net.ipv4.conf.all.secure_redirects = 0
  301.  
  302. # Log packets with impossible addresses to kernel log? yes
  303. net.ipv4.conf.all.log_martians = 1
  304. net.ipv4.conf.default.accept_source_route = 0
  305. net.ipv4.conf.default.accept_redirects = 0
  306. net.ipv4.conf.default.secure_redirects = 0
  307.  
  308. # Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
  309. net.ipv4.icmp_echo_ignore_broadcasts = 1
  310.  
  311. # Prevent against the common 'syn flood attack'
  312. net.ipv4.tcp_syncookies = 1
  313.  
  314. # Enable source validation by reversed path, as specified in RFC1812
  315. net.ipv4.conf.all.rp_filter = 1
  316. net.ipv4.conf.default.rp_filter = 1
  317.  
  318. ########## IPv6 networking start ##############
  319. # Number of Router Solicitations to send until assuming no routers are present.
  320. # This is host and not router
  321. net.ipv6.conf.default.router_solicitations = 0
  322.  
  323. # Accept Router Preference in RA?
  324. net.ipv6.conf.default.accept_ra_rtr_pref = 0
  325.  
  326. # Learn Prefix Information in Router Advertisement
  327. net.ipv6.conf.default.accept_ra_pinfo = 0
  328.  
  329. # Setting controls whether the system will accept Hop Limit settings from a router advertisement
  330. net.ipv6.conf.default.accept_ra_defrtr = 0
  331.  
  332. #router advertisements can cause the system to assign a global unicast address to an interface
  333. net.ipv6.conf.default.autoconf = 0
  334.  
  335. #how many neighbor solicitations to send out per address?
  336. net.ipv6.conf.default.dad_transmits = 0
  337.  
  338. # How many global unicast IPv6 addresses can be assigned to each interface?
  339. net.ipv6.conf.default.max_addresses = 1
  340.  
  341. ########## IPv6 networking ends ##############
  342.  
  343. #Enable ExecShield protection
  344. kernel.exec-shield = 1
  345. kernel.randomize_va_space = 1
  346.  
  347. # TCP and memory optimization
  348. # increase TCP max buffer size setable using setsockopt()
  349. #net.ipv4.tcp_rmem = 4096 87380 8388608
  350. #net.ipv4.tcp_wmem = 4096 87380 8388608
  351.  
  352. # increase Linux auto tuning TCP buffer limits
  353. #net.core.rmem_max = 8388608
  354. #net.core.wmem_max = 8388608
  355. #net.core.netdev_max_backlog = 5000
  356. #net.ipv4.tcp_window_scaling = 1
  357.  
  358. # increase system file descriptor limit
  359. fs.file-max = 65535
  360.  
  361. #Allow for more PIDs
  362. kernel.pid_max = 65536
  363.  
  364. #Increase system IP port limits
  365. net.ipv4.ip_local_port_range = 2000 65000
  366. EOL
  367. echo "--------------------------------------------------------------------"
  368. echo "DONE -- > Hadening network "
  369. echo "--------------------------------------------------------------------"
  370.  
  371.  
  372.  
  373. # ------------------
  374. # Hadening network
  375. # ------------------
  376. echo "--------------------------------------------------------------------"
  377. echo "Prevent IP Spoofing. "
  378. echo "--------------------------------------------------------------------"
  379. cp /etc/host.conf /etc/host.conf.bak
  380. sed -i "s/order hosts,bind/order bind,hosts/g" /etc/host.conf
  381. echo "nospoof on" >> /etc/host.conf
  382. echo "--------------------------------------------------------------------"
  383. echo "DONE -- > Prevent IP Spoofing "
  384. echo "--------------------------------------------------------------------"
  385.  
  386.  
  387. # ------------------
  388. # MAKE SWAP FILE
  389. # ------------------
  390. echo "--------------------------------------------------------------------"
  391. echo "MAKE SWAP FILE. "
  392. echo "--------------------------------------------------------------------"
  393. sudo fallocate -l 1G /swapfile
  394. sudo chmod 600 /swapfile
  395. sudo mkswap /swapfile
  396. sudo swapon /swapfile
  397. echo "/swapfile none swap sw 0 0" | sudo tee -a /etc/fstab
  398. echo "vm.swappiness=10" >> /etc/sysctl.conf
  399. echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.conf
  400. echo "--------------------------------------------------------------------"
  401. echo "DONE -- > MAKE SWAP FILE "
  402. echo "--------------------------------------------------------------------"
  403.  
  404.  
  405. echo "--------------------------------------------------------------------"
  406. echo "DONE -- > INITIAL SETUP "
  407. echo "rebooting now"
  408. echo "get some coffee"
  409. echo "--------------------------------------------------------------------"
  410. reboot