diff --git a/install.sh b/install.sh
index f127a5d..0d30e70 100644
--- a/install.sh
+++ b/install.sh
@@ -17,24 +17,28 @@ fi
 AUTHORIZED_SSH_KEYS="https://change.my.host.tld/authorized_keys"
 SSH_PORT="2323"
+set -e
+
+echo
 echo "Install and configure new Debian 12.1 (bookworm) servers"
+echo
 echo "This script will perform the following actions:"
 echo " - Update all packages to latest"
 echo " - Harden the system"
 echo " - Install common packages"
 echo " - Configure SSH to listen on port ${SSH_PORT} and disable passwords if desired"
 echo " - Configure firewall"
+echo " - Install crowdsec + firewall bouncer"
 echo ""
 # Ask for confirmation
 echo -e "\e[1;32mPlease review the actions above and confirm to continue...\e[0m"
-echo -e "\e[1;31mWARNING: Make sure you understand the following prompt(s) before continuing!\e[0m"
+echo -e "\e[1;31mWARNING: Make sure you understand the prompt(s) before continuing!\e[0m"
 read -p "Continue? " -n 1 -r REPLY_CONTINUE
-case "$REPLY_CONTINUE" in
-  y|Y ) echo "yes";;
-  n|N ) echo "no";;
-  * ) echo "invalid";;
-esac
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+  exit 1
+fi
 read -p "Disable SSH passwords and load public keys from ${AUTHORIZED_SSH_KEYS}? " -n 1 -r REPLY_SSH_KEYS
 case "$REPLY_SSH_KEYS" in
@@ -43,9 +47,6 @@ case "$REPLY_SSH_KEYS" in
   * ) echo "invalid";;
 esac
-set -e
-
-
 # Make a sane environment
 echo -e "\e[1;32mSetting up environment...\e[0m"
 echo "deb https://deb.debian.org/debian/ bookworm main contrib non-free-firmware non-free" > /etc/apt/sources.list
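Review bot: The new confirmation gate tests `$REPLY`, but the prompt just above it is `read -p "Continue? " -n 1 -r REPLY_CONTINUE`, which stores the answer in `REPLY_CONTINUE`; `$REPLY` is never set by this prompt, so `exit 1` fires no matter what the operator types, and conversely a caller that exports `REPLY=y` into the environment would pass the gate without any interactive answer. Change the test to `if [[ ! $REPLY_CONTINUE =~ ^[Yy]$ ]]`. The `case` block it replaces only echoed the answer, so this revision is the first where the prompt actually controls execution, which turns the variable-name mismatch into an unconditional abort rather than a cosmetic slip. An `echo` after the single-character `read` would also keep the next prompt from starting on the same terminal line.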
@@ -102,6 +103,14 @@ echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf
 ## Kernel hardening
 echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.dmesg_restrict = 1" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.kexec_load_disabled = 1" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.yama.ptrace_scope = 1" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.core.bpf_jit_harden = 2" >> /etc/sysctl.d/99-custom.conf
+
 ## Kernel optimisation
 echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf
@@ -124,7 +133,7 @@ echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
 # Install common packages
 echo -e "\e[1;32mInstalling common packages...\e[0m"
-apt install -y debian-archive-keyring apt-transport-https vim git ufw openssh-server &> /dev/null
+apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server &> /dev/null
 # Configure SSH
 echo -e "\e[1;32mConfiguring SSH...\e[0m"
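Review bot: `kernel.unprivileged_userns_clone` is a Debian-carried kernel patch rather than a mainline sysctl, so it may simply not exist on the kernel the target boots (a backports or cloud kernel, or a release that has dropped the patch); if the file is later applied with `sysctl -p` or `sysctl --system` (that code is outside this hunk), an unknown key makes sysctl exit non-zero, and with `set -e` now enabled the whole install aborts. Confirm the key with `sysctl -n kernel.unprivileged_userns_clone` on the target kernel before relying on it, and either guard the reload with `sysctl -e` or express the intent with the mainline `user.max_user_namespaces = 0`, noting that the latter also applies to root. Disabling unprivileged user namespaces breaks rootless container runtimes and bubblewrap-style sandboxes, which deserves a comment such as `# Disables unprivileged user namespaces: rootless podman/flatpak sandboxes will stop working` next to the line. The remaining keys look sound, but `kernel.kexec_load_disabled = 1` and `kernel.unprivileged_bpf_disabled = 1` are one-way until reboot and should carry a `# one-way: cannot be re-enabled without a reboot` comment so nobody expects to toggle them back at runtime.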
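Review bot: The `apt install` line still sends both stdout and stderr to `/dev/null`, so when it fails (a package that cannot be resolved, a broken mirror, a held lock) `set -e`, now enabled at the top of the script, aborts the run with no diagnostic at all; keep stderr visible by changing `&> /dev/null` to `> /dev/null`. If `curl` is being added to fetch `${AUTHORIZED_SSH_KEYS}` further down (that code is outside this hunk), make sure the fetch uses `curl -fsSL` and that the result is checked for being non-empty and key-shaped before password authentication is disabled, because an empty response or an HTML error page written into `authorized_keys` locks the operator out of a host that no longer accepts passwords. The default URL is a placeholder host, so a fail-closed check on that path matters in practice.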