diff --git a/install.sh b/install.sh
index 12fa5e7..f127a5d 100644
--- a/install.sh
+++ b/install.sh
@@ -15,8 +15,9 @@ fi
 # Configuration options
 AUTHORIZED_SSH_KEYS="https://change.my.host.tld/authorized_keys"
-SSH_PORT=$(shuf -i 2020-4020 -n 1)
+SSH_PORT="2323"
+echo "Install and configure new Debian 12.1 (bookworm) servers"
 echo "This script will perform the following actions:"
 echo " - Update all packages to latest"
 echo " - Harden the system"
@@ -25,6 +26,16 @@ echo " - Configure SSH to listen on port ${SSH_PORT} and disable passwords if de
 echo " - Configure firewall"
 echo ""
+# Ask for confirmation
+echo -e "\e[1;32mPlease review the actions above and confirm to continue...\e[0m"
+echo -e "\e[1;31mWARNING: Make sure you understand the following prompt(s) before continuing!\e[0m"
+read -p "Continue? " -n 1 -r REPLY_CONTINUE
+case "$REPLY_CONTINUE" in
+ y|Y ) echo "yes";;
+ n|N ) echo "no";;
+ * ) echo "invalid";;
+esac
 read -p "Disable SSH passwords and load public keys from ${AUTHORIZED_SSH_KEYS}? " -n 1 -r REPLY_SSH_KEYS
 case "$REPLY_SSH_KEYS" in
 y|Y ) echo "yes";;
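Review bot: The new `Continue?` prompt never acts on the answer — the `case` on `$REPLY_CONTINUE` only echoes yes/no/invalid and execution falls straight through to the SSH-keys prompt and then the `set -e` provisioning, so pressing `n` (or any stray key) does not stop a run that rewrites sshd_config, sysctl and the firewall. The `REPLY_REBOOT` check further down this same diff shows the intended pattern; add after the `esac`: `[[ $REPLY_CONTINUE =~ ^[Yy]$ ]] || { echo; echo "Aborted by user." >&2; exit 1; }`. The leading `echo` is there because `read -n 1` leaves the cursor on the prompt line.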
@@ -34,93 +45,106 @@ esac
 set -e
+
 # Make a sane environment
-echo "Setting up environment..."
+echo -e "\e[1;32mSetting up environment...\e[0m"
 echo "deb https://deb.debian.org/debian/ bookworm main contrib non-free-firmware non-free" > /etc/apt/sources.list
 # Update everything to latest
-echo "Updating packages..."
+echo -e "\e[1;32mUpdating packages...\e[0m"
 apt update
 apt -y upgrade
 # System hardening
-echo "Hardening system..."
+# echo in bold green text: hardening system
+echo -e "\e[1;32mHardening system...\e[0m"
 ## Disable info packets
-echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf
 ## Track bad attempts
-echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
 ## Harden ip options
-echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf
 ## Disable routing functionality
-echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf
 ## Network optimisation
-echo "Optimising network settings..."
-echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo -e "\e[1;32mOptimising network settings...\e[0m"
+echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf
 ## Kernel hardening
-echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf
 ## Kernel optimisation
-echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf
 ## Filesystem protected
-echo "Hardening filesystem..."
-echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
-echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
+echo -e "\e[1;32mHardening filesystem...\e[0m"
+echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf
+echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf
 # Write sysctl values
 sysctl -p /etc/sysctl.d/99-custom.conf
 # Set limits
-echo "Setting security limits..."
+echo -e "\e[1;32mSetting security limits...\e[0m"
 touch /etc/security/limits.d/99-custom.conf
-echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
-echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
-echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
-echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
+echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf
+echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf
+echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf
+echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
 # Install common packages
-echo "Installing common packages..."
-apt install -y debian-archive-keyring apt-transport-https vim git ufw &> /dev/null
+echo -e "\e[1;32mInstalling common packages...\e[0m"
+apt install -y debian-archive-keyring apt-transport-https vim git ufw openssh-server &> /dev/null
 # Configure SSH
-echo "Configuring SSH..."
+echo -e "\e[1;32mConfiguring SSH...\e[0m"
 sed -i 's/#Port 22/Port ${SSH_PORT}/g' /etc/ssh/sshd_config
 sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
+sed -i 's/#MaxAuthTries 6/MaxAuthTries 3/g' /etc/ssh/sshd_config
+sed -i 's/#MaxSessions 10/MaxSessions 3/g' /etc/ssh/sshd_config
+sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/g' /etc/ssh/sshd_config
+sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/g' /etc/ssh/sshd_config
+sed -i 's/#LoginGraceTime 2m/LoginGraceTime 30/g' /etc/ssh/sshd_config
+sed -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
+sed -i 's/#GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
+sed -i 's/#X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
+sed -i 's/#AllowAgentForwarding yes/AllowAgentForwarding no/g' /etc/ssh/sshd_config
+sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
+sed -i 's/#DebianBanner yes/DebianBanner no/g' /etc/ssh/sshd_config
 if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
 then
- echo "Configuring SSH keys..."
+ echo -e "\e[1;32mConfiguring SSH keys...\e[0m"
 sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
 sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
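Review bot: `sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/g'` disables idle-session termination instead of tightening it — sshd_config(5) states that a ClientAliveCountMax of 0 turns connection termination off — so the new `ClientAliveInterval 300` never drops an idle session; `ClientAliveCountMax 2` (a 10-minute cutoff) is the usual pairing. The pre-existing `sed -i 's/#Port 22/Port ${SSH_PORT}/g'` in this hunk is single-quoted, so sshd_config receives the literal text `Port ${SSH_PORT}`, which sshd will not parse; now that the firewall only admits port 2323 this leaves no reachable sshd after the reboot. Every one of these seds fires only if the commented default is present verbatim, and a no-match sed exits 0, so `set -e` gives no protection (bookworm's shipped file appears to carry `KbdInteractiveAuthentication` rather than a `#ChallengeResponseAuthentication` line, which would make that edit a silent no-op). Suggest anchored, double-quoted patterns that match either the commented or the active directive, e.g. `sed -i "s/^#\?Port .*/Port ${SSH_PORT}/" /etc/ssh/sshd_config`, and a validation gate before the firewall step: `sshd -t || { echo "sshd_config failed validation" >&2; exit 1; }`.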
@@ -131,20 +155,21 @@ then
 fi
 # Configure firewall
-echo "Configuring firewall..."
+echo -e "\e[1;32mConfiguring firewall...\e[0m"
 ufw default deny incoming
 ufw default allow outgoing
-ufw allow ${SSH_PORT}
+ufw allow ${SSH_PORT}/tcp
 ufw allow http
 ufw allow https
 ufw enable
 # Install crowdsec
-echo "Installing crowdsec..."
+echo -e "\e[1;32mInstalling crowdsec...\e[0m"
 curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
 apt install crowdsec crowdsec-firewall-bouncer crowdsec-firewall-bouncer-iptables -y &> /dev/null
-echo "Done configuring!"
+echo -e "\e[1;32mDone configuring!\e[0m"
+echo -e "\e[1;31mWARNING: Make sure to remember the SSH port is set to: ${SSH_PORT}\e[0m"
 # Reboot
 read -p "Reboot the system now? " -n 1 -r REPLY_REBOOT
@@ -154,7 +179,7 @@ case "$REPLY_REBOOT" in
 * ) echo "invalid";;
 esac
-if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
+if [[ $REPLY_REBOOT =~ ^[Yy]$ ]]
 then
 reboot
 fi
\ No newline at end of file
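Review bot: `ufw allow ${SSH_PORT}/tcp` followed by `ufw enable` commits the host to the new port before anything confirms sshd will actually start with the edited config, and the commit's own closing WARNING line shows the lockout risk is understood; gate the firewall on the daemon's own check, e.g. `sshd -t || { echo "sshd_config invalid; refusing to enable firewall" >&2; exit 1; }` placed just before `ufw enable`. `ufw enable` may also pause with `Proceed with operation (y|n)?` when it detects an active SSH session, which an unattended run will not answer; `ufw --force enable` is the non-interactive form. The `curl -s … | bash` line below is unchanged context, but it still executes an unpinned remote script as root — downloading it to a file and checking its hash before running it would be the minimum for a script that is otherwise about hardening.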