commit fc1d57ef86b663a1f60ca9b5bbdad353308d15c1
Author: Martijn de Boer
Date: Sat Aug 5 15:57:10 2023 +0200
Initial work in progress
diff --git a/install.sh b/install.sh
new file mode 100644
index 0000000..f29806f
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+# Debian 12.1 post install script for new servers
+# Author: Martijn de Boer
+
+if [[ $EUID -ne 0 ]]; then
+ echo "You must be a root user" 2>&1
+ exit 1
+fi
+
+# Check if we are running Debian
+if [[ ! -f /etc/debian_version ]]; then
+ echo "This script only works on Debian"
+ exit 1
+fi
+
+# Configuration options
+AUTHORIZED_SSH_KEYS="https://change.my.host.tld/authorized_keys"
+SSH_PORT=$(shuf -i 2020-4020 -n 1)
+
+echo "This script will perform the following actions:"
+echo " - Update all packages to latest"
+echo " - Harden the system"
+echo " - Install common packages"
+echo " - Configure SSH to listen on port ${SSH_PORT} and disable passwords if desired"
+echo " - Configure firewall"
+echo ""
+
+read -p "Disable SSH passwords and load public keys from ${AUTHORIZED_SSH_KEYS}? " -n 1 -r REPLY_SSH_KEYS
+case "$REPLY_SSH_KEYS" in
+ y|Y ) echo "yes";;
+ n|N ) echo "no";;
+ * ) echo "invalid";;
+esac
+
+set -e
+
+# Make a sane environment
+echo "Setting up environment..."
+echo "deb https://deb.debian.org/debian/ bookworm main contrib non-free-firmware non-free" > /etc/apt/sources.list
+
+# Update everything to latest
+echo "Updating packages..."
+apt update
+apt -y upgrade
+
+# System hardening
+echo "Hardening system..."
+
+## Disable info packets
+echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf
+
+## Track bad attempts
+echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
+
+## Harden ip options
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf
+
+## Disable routing functionality
+echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf
+
+## Network optimisation
+echo "Optimising network settings..."
+echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf
+echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf
+
+## Kernel hardening
+echo "kernel.exec-shield = 1" >> /etc/sysctl.d/99-custom.conf
+echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf
+
+## Kernel optimisation
+echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf
+
+## Filesystem protected
+echo "Hardening filesystem..."
+echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf
+echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf
+
+# Write sysctl values
+sysctl -p /etc/sysctl.d/99-custom.conf
+
+# Set limits
+echo "Setting security limits..."
+touch /etc/securitiy/limits.d/99-custom.conf
+echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf
+echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf
+echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf
+echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
+
+# Install common packages
+echo "Installing common packages..."
+apt install -y vim git ufw
+
+# Configure SSH
+echo "Configuring SSH..."
+sed -i 's/#Port 22/Port ${SSH_PORT}/g' /etc/ssh/sshd_config
+sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
+
+if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
+then
+ echo "Configuring SSH keys..."
+ sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
+ sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
+
+ mkdir -p /root/.ssh
+ curl -s ${AUTHORIZED_SSH_KEYS} > /root/.ssh/authorized_keys
+ chmod 700 /root/.ssh
+ chmod 600 /root/.ssh/authorized_keys
+fi
+
+# Configure firewall
+echo "Configuring firewall..."
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow ${SSH_PORT}
+ufw allow http
+ufw allow https
+ufw enable
+
+echo "Done configuring!"
+
+# Reboot
+read -p "Reboot the system now? " -n 1 -r REPLY_REBOOT
+case "$REPLY_REBOOT" in
+ y|Y ) echo "yes";;
+ n|N ) echo "no";;
+ * ) echo "invalid";;
+esac
+
+if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
+then
+ reboot
+fi
\ No newline at end of file
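Review bot: The `sed -i 's/#Port 22/Port ${SSH_PORT}/g' /etc/ssh/sshd_config` line in the "Configure SSH" section is single-quoted, so sshd_config receives the literal text `Port ${SSH_PORT}`; after the reboot sshd will reject that directive while ufw only admits the random `${SSH_PORT}`, which locks the operator out of the freshly installed server. The same section has two further lockout paths: `PermitRootLogin no` is set unconditionally although the fetched keys are installed only in `/root/.ssh/authorized_keys` and no other account is created, and `curl -s ${AUTHORIZED_SSH_KEYS} > ...` without `--fail` writes an HTTP error page into authorized_keys with exit status 0 when the placeholder URL is wrong, so password auth gets disabled with no usable key. Smaller defects that abort or misbehave under `set -e`: `touch /etc/securitiy/limits.d/99-custom.conf` misspells `security`, `kernel.exec-shield` is not a Linux sysctl so `sysctl -p` reports an error, the root-check message uses `2>&1` where `>&2` is meant, and the final reboot tests `$REPLY_SSH_KEYS` instead of `$REPLY_REBOOT`. I would double-quote the sed expression, fetch with `curl -fsS` into a temp file, refuse to disable passwords unless that file contains at least one key, and run `sshd -t` before reporting success so a config sshd cannot parse never reaches the reboot.
```shell
# … unchanged: package installation …
sed -i "s/^#\?Port 22$/Port ${SSH_PORT}/" /etc/ssh/sshd_config
# … unchanged: PermitRootLogin sed (keys below land only in /root/.ssh; keep root key login or create a user) …
if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]; then
  mkdir -p /root/.ssh && chmod 700 /root/.ssh
  # --fail turns an HTTP error into a non-zero exit (abort under set -e) instead of an error page in authorized_keys
  curl -fsS -- "${AUTHORIZED_SSH_KEYS}" -o /root/.ssh/authorized_keys.tmp
  grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-)' /root/.ssh/authorized_keys.tmp \
    || { echo "No usable public key fetched; refusing to disable password auth" >&2; exit 1; }
  mv /root/.ssh/authorized_keys.tmp /root/.ssh/authorized_keys
  chmod 600 /root/.ssh/authorized_keys
  sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
  sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
fi
sshd -t   # abort before the firewall/reboot if sshd cannot parse the new config
# … unchanged: firewall configuration …
```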