martijn/machineops
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update install.sh

Browse source
This commit is contained in:
Martijn de Boer 2023-08-05 17:37:03 +02:00
parent c2673fc951
commit 0401672e2e
1 changed files with 19 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
install.sh
View file

@ -17,24 +17,28 @@ fi
AUTHORIZED_SSH_KEYS="https://change.my.host.tld/authorized_keys" AUTHORIZED_SSH_KEYS="https://change.my.host.tld/authorized_keys"
SSH_PORT="2323" SSH_PORT="2323"
set -e
echo
echo "Install and configure new Debian 12.1 (bookworm) servers" echo "Install and configure new Debian 12.1 (bookworm) servers"
echo
echo "This script will perform the following actions:" echo "This script will perform the following actions:"
echo " - Update all packages to latest" echo " - Update all packages to latest"
echo " - Harden the system" echo " - Harden the system"
echo " - Install common packages" echo " - Install common packages"
echo " - Configure SSH to listen on port ${SSH_PORT} and disable passwords if desired" echo " - Configure SSH to listen on port ${SSH_PORT} and disable passwords if desired"
echo " - Configure firewall" echo " - Configure firewall"
echo " - Install crowdsec + firewall bouncer"
echo "" echo ""
# Ask for confirmation # Ask for confirmation
echo -e "\e[1;32mPlease review the actions above and confirm to continue...\e[0m" echo -e "\e[1;32mPlease review the actions above and confirm to continue...\e[0m"
echo -e "\e[1;31mWARNING: Make sure you understand the following prompt(s) before continuing!\e[0m" echo -e "\e[1;31mWARNING: Make sure you understand the prompt(s) before continuing!\e[0m"
read -p "Continue? " -n 1 -r REPLY_CONTINUE read -p "Continue? " -n 1 -r REPLY_CONTINUE
case "$REPLY_CONTINUE" in if [[ ! $REPLY =~ ^[Yy]$ ]]
y|Y ) echo "yes";; then
n|N ) echo "no";; exit 1
* ) echo "invalid";; fi
esac
read -p "Disable SSH passwords and load public keys from ${AUTHORIZED_SSH_KEYS}? " -n 1 -r REPLY_SSH_KEYS read -p "Disable SSH passwords and load public keys from ${AUTHORIZED_SSH_KEYS}? " -n 1 -r REPLY_SSH_KEYS
case "$REPLY_SSH_KEYS" in case "$REPLY_SSH_KEYS" in
@ -43,9 +47,6 @@ case "$REPLY_SSH_KEYS" in
* ) echo "invalid";; * ) echo "invalid";;
esac esac
set -e
# Make a sane environment # Make a sane environment
echo -e "\e[1;32mSetting up environment...\e[0m" echo -e "\e[1;32mSetting up environment...\e[0m"
echo "deb https://deb.debian.org/debian/ bookworm main contrib non-free-firmware non-free" > /etc/apt/sources.list echo "deb https://deb.debian.org/debian/ bookworm main contrib non-free-firmware non-free" > /etc/apt/sources.list
@ -102,6 +103,14 @@ echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf
## Kernel hardening ## Kernel hardening
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf
echo "kernel.kptr_restrict = 1" >> /etc/sysctl.d/99-custom.conf
echo "kernel.dmesg_restrict = 1" >> /etc/sysctl.d/99-custom.conf
echo "kernel.kexec_load_disabled = 1" >> /etc/sysctl.d/99-custom.conf
echo "kernel.yama.ptrace_scope = 1" >> /etc/sysctl.d/99-custom.conf
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-custom.conf
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.d/99-custom.conf
echo "net.core.bpf_jit_harden = 2" >> /etc/sysctl.d/99-custom.conf
## Kernel optimisation ## Kernel optimisation
echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf
@ -124,7 +133,7 @@ echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
# Install common packages # Install common packages
echo -e "\e[1;32mInstalling common packages...\e[0m" echo -e "\e[1;32mInstalling common packages...\e[0m"
apt install -y debian-archive-keyring apt-transport-https vim git ufw openssh-server &> /dev/null apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server &> /dev/null
# Configure SSH # Configure SSH
echo -e "\e[1;32mConfiguring SSH...\e[0m" echo -e "\e[1;32mConfiguring SSH...\e[0m"