Kordan

set

Jul 29th, 2025 (edited)
  1. #!/bin/bash
  2. #################################################
  3. # Debian 12
  4. #################################################
  5. # Обновляем систему
  6. apt update
  7. apt full-upgrade -y
  8.  
  9. #################################################
  10. # Устанавливаем софт
  11. apt purge ntp -y
  12. apt install -y xorg figlet sudo wget git cron curl systemd-timesyncd unattended-upgrades sudo
  13.  
  14. #################################################
  15. # Включаем автоматические обновления безопасности Debian
  16. dpkg-reconfigure --priority=low unattended-upgrades
  17.  
  18. #################################################
  19. # Меняем дизайн оболочки BASH
  20. echo 'VDSina-Holland' > /etc/hostname && hostname VDSina-Holland && echo 'PS1="\\n\[\e[0;36m\]\t\e[0m\]\e[0;91m\] \u @ \[\e[0m\]\[\e[0;33m\]\H: \[\e[0m\]\[\e[0;94m\][ \w ]\e[0;92m\] \\n\\$ >> \[\e[0m\]"' >> ~/.bashrc
  21.  
  22. #################################################
  23. # Создаем файл с содержанием:
  24. cat > /etc/banner <<\eof
  25.           ######################################################################
  26.              ##     Cервер предназначен только для авторизованных пользователей!   ##
  27.                 ###            Вся активность регистрируется и проверяется!            ###
  28.                  ##               Предлагаю прекратить попытку взлома!                 ##
  29.           ######################################################################
  30. eof
  31.  
  32. #################################################
  33. # Делаем скрипт salute.sh, содержащий вызов figlet с нужными параметрами и размещаем его в /etc/profile.d.
  34. # Вычищаем файл motd и с помощью редактора nano создаем скрипт в нужном месте:
  35. cat /dev/null > /etc/motd
  36. cat > /etc/profile.d/salute.sh << eof
  37. #!/bin/sh
  38. figlet -ctk -f slant VDSina - Holland
  39. eof
  40.  
  41.  
  42. #################################################
  43. # Изменяем часовой пояс и проверяем статус службы по обновлению времени через интернет
  44. timedatectl set-timezone Europe/Saratov
  45.  
  46. #################################################
  47. # Синхронизация времени
  48. apt purge ntp
  49. systemctl start systemd-timesyncd
  50.  
  51. #################################################
  52. # Проверка синхронизации времени
  53. systemctl status systemd-timesyncd
  54. timedatectl
  55.  
  56. #################################################
  57. # Меняем файл sshd_config
  58.  
  59. cat > /etc/ssh/sshd_config <<\eof
  60.  
  61. # This is the sshd server system-wide configuration file.  See
  62. # sshd_config(5) for more information.
  63.  
  64. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
  65.  
  66. # The strategy used for options in the default sshd_config shipped with
  67. # OpenSSH is to specify options with their default value where
  68. # possible, but leave them commented.  Uncommented options override the
  69. # default value.
  70.  
  71. Include /etc/ssh/sshd_config.d/*.conf
  72.  
  73. Port 32164
  74. AddressFamily inet
  75. #ListenAddress 0.0.0.0
  76. #ListenAddress ::
  77.  
  78. #HostKey /etc/ssh/ssh_host_rsa_key
  79. #HostKey /etc/ssh/ssh_host_ecdsa_key
  80. HostKey /etc/ssh/ssh_host_ed25519_key
  81.  
  82. # Ciphers and keying
  83. #RekeyLimit default none
  84.  
  85. # Logging
  86. #SyslogFacility AUTH
  87. LogLevel INFO
  88.  
  89. # Authentication:
  90.  
  91. LoginGraceTime 30
  92. PermitRootLogin yes
  93. StrictModes yes
  94. MaxAuthTries 6
  95. #MaxSessions 10
  96.  
  97. PubkeyAuthentication yes
  98.  
  99. # Expect .ssh/authorized_keys2 to be disregarded by default in future.
  100. AuthorizedKeysFile  .ssh/authorized_keys
  101.  
  102. #AuthorizedPrincipalsFile none
  103.  
  104. #AuthorizedKeysCommand none
  105. #AuthorizedKeysCommandUser nobody
  106.  
  107. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  108. #HostbasedAuthentication no
  109. # Change to yes if you don't trust ~/.ssh/known_hosts for
  110. # HostbasedAuthentication
  111. IgnoreUserKnownHosts yes
  112. # Don't read the user's ~/.rhosts and ~/.shosts files
  113. IgnoreRhosts yes
  114.  
  115. # To disable tunneled clear text passwords, change to no here!
  116. PasswordAuthentication no
  117. PermitEmptyPasswords no
  118.  
  119. # Change to yes to enable challenge-response passwords (beware issues with
  120. # some PAM modules and threads)
  121. KbdInteractiveAuthentication no
  122.  
  123. # Kerberos options
  124. #KerberosAuthentication no
  125. #KerberosOrLocalPasswd yes
  126. #KerberosTicketCleanup yes
  127. #KerberosGetAFSToken no
  128.  
  129. # GSSAPI options
  130. #GSSAPIAuthentication no
  131. #GSSAPICleanupCredentials yes
  132. #GSSAPIStrictAcceptorCheck yes
  133. #GSSAPIKeyExchange no
  134.  
  135. # Set this to 'yes' to enable PAM authentication, account processing,
  136. # and session processing. If this is enabled, PAM authentication will
  137. # be allowed through the KbdInteractiveAuthentication and
  138. # PasswordAuthentication.  Depending on your PAM configuration,
  139. # PAM authentication via KbdInteractiveAuthentication may bypass
  140. # the setting of "PermitRootLogin prohibit-password".
  141. # If you just want the PAM account and session checks to run without
  142. # PAM authentication, then enable this but set PasswordAuthentication
  143. # and KbdInteractiveAuthentication to 'no'.
  144. UsePAM yes
  145.  
  146. #AllowAgentForwarding yes
  147. #AllowTcpForwarding yes
  148. #GatewayPorts no
  149. X11Forwarding yes
  150. #X11DisplayOffset 10
  151. #X11UseLocalhost yes
  152. #PermitTTY yes
  153. PrintMotd no
  154. PrintLastLog yes
  155. TCPKeepAlive yes
  156. #PermitUserEnvironment no
  157. #Compression delayed
  158. ClientAliveInterval 60
  159. ClientAliveCountMax 60
  160. UseDNS no
  161. #PidFile /run/sshd.pid
  162. #MaxStartups 10:30:100
  163. #PermitTunnel no
  164. #ChrootDirectory none
  165. #VersionAddendum none
  166.  
  167. # no default banner path
  168. Banner /etc/banner
  169.  
  170. # Allow client to pass locale environment variables
  171. AcceptEnv LANG LC_*
  172.  
  173. # override default of no subsystems
  174. Subsystem   sftp    /usr/lib/openssh/sftp-server
  175.  
  176. # Example of overriding settings on a per-user basis
  177. #Match User anoncvs
  178. #   X11Forwarding no
  179. #   AllowTcpForwarding no
  180. #   PermitTTY no
  181. #   ForceCommand cvs server
  182. ClientAliveInterval 120
  183. eof
  184.  
  185. #################################################
  186. # Меняем файл sysctl.conf
  187. #################################################
  188. cat > /etc/sysctl.conf <<\eof
  189.  
  190. # /etc/sysctl.conf - Configuration file for setting system variables
  191. # See /etc/sysctl.d/ for additional system variables.
  192. # See sysctl.conf (5) for information.
  193.  
  194. #kernel.domainname = example.com
  195.  
  196. # Uncomment the following to stop low-level messages on console
  197. #kernel.printk = 3 4 1 3
  198.  
  199. ###################################################################
  200. # Functions previously found in netbase
  201.  
  202. # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
  203. # Turn on Source Address Verification in all interfaces to
  204. # prevent some spoofing attacks
  205. #net.ipv4.conf.default.rp_filter=1
  206. # Включить защиту от IP спуфинга
  207. net.ipv4.conf.all.rp_filter=1
  208.  
  209. # Uncomment the next line to enable TCP/IP SYN cookies
  210. # See http://lwn.net/Articles/277146/
  211. # Note: This may impact IPv6 TCP sessions too
  212. #net.ipv4.tcp_syncookies=1
  213.  
  214. # Uncomment the next line to enable packet forwarding for IPv4
  215. net.ipv4.ip_forward=1
  216.  
  217. # Uncomment the next line to enable packet forwarding for IPv6
  218. #  Enabling this option disables Stateless Address Autoconfiguration
  219. #  based on Router Advertisements for this host
  220. #net.ipv6.conf.all.forwarding=1
  221.  
  222. ###################################################################
  223. # Additional settings - these settings can improve the network
  224. # security of the host and prevent against some network attacks
  225. # including spoofing attacks and man in the middle attacks through
  226. # redirection. Some network environments, however, require that these
  227. # settings are disabled so review and enable them as needed.
  228. #
  229. # Do not accept ICMP redirects (prevent MITM attacks)
  230. #net.ipv4.conf.all.accept_redirects = 0
  231. #net.ipv6.conf.all.accept_redirects = 0
  232. # _or_
  233. # Accept ICMP redirects only for gateways listed in our default
  234. # gateway list (enabled by default)
  235. # net.ipv4.conf.all.secure_redirects = 1
  236. #
  237. # Do not send ICMP redirects (we are not a router)
  238. #net.ipv4.conf.all.send_redirects = 0
  239. #
  240. # Do not accept IP source route packets (we are not a router)
  241. # Отключить IP source роутинг
  242. net.ipv4.conf.all.accept_source_route = 0
  243. #net.ipv6.conf.all.accept_source_route = 0
  244. #
  245. # Log Martian Packets
  246. #net.ipv4.conf.all.log_martians = 1
  247. #
  248. ###################################################################
  249. # Magic system request Key
  250. # 0=disable, 1=enable all, >1 bitmask of sysrq functions
  251. # See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
  252. # for what other values do
  253. #kernel.sysrq=438
  254. ###################################################################
  255. # Added by Kordan
  256. # Игнорирование broadcast-запросов
  257. net.ipv4.icmp_echo_ignore_all = 1
  258. net.ipv4.icmp_echo_ignore_broadcasts=1
  259. net.ipv4.icmp_ignore_bogus_error_responses=1
  260.  
  261. # Включаем execshield
  262. kernel.exec-shield=1
  263. kernel.randomize_va_space=1
  264. eof
  265.  
  266. #################################################
  267. # Установка WireGuard
  268. #curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
  269. #chmod +x wireguard-install.sh && ./wireguard-install.sh
  270.  
  271. #################################################