160 lines
No EOL
6.2 KiB
Bash
160 lines
No EOL
6.2 KiB
Bash
#!/bin/bash
|
|
# Debian 12.1 post install script for new servers
|
|
# Author: Martijn de Boer
|
|
|
|
if [[ $EUID -ne 0 ]]; then
|
|
echo "You must be a root user" 2>&1
|
|
exit 1
|
|
fi
|
|
|
|
# Check if we are running Debian
|
|
if [[ ! -f /etc/debian_version ]]; then
|
|
echo "This script only works on Debian"
|
|
exit 1
|
|
fi
|
|
|
|
# Configuration options
|
|
AUTHORIZED_SSH_KEYS="https://change.my.host.tld/authorized_keys"
|
|
SSH_PORT=$(shuf -i 2020-4020 -n 1)
|
|
|
|
echo "This script will perform the following actions:"
|
|
echo " - Update all packages to latest"
|
|
echo " - Harden the system"
|
|
echo " - Install common packages"
|
|
echo " - Configure SSH to listen on port ${SSH_PORT} and disable passwords if desired"
|
|
echo " - Configure firewall"
|
|
echo ""
|
|
|
|
read -p "Disable SSH passwords and load public keys from ${AUTHORIZED_SSH_KEYS}? " -n 1 -r REPLY_SSH_KEYS
|
|
case "$REPLY_SSH_KEYS" in
|
|
y|Y ) echo "yes";;
|
|
n|N ) echo "no";;
|
|
* ) echo "invalid";;
|
|
esac
|
|
|
|
set -e
|
|
|
|
# Make a sane environment
|
|
echo "Setting up environment..."
|
|
echo "deb https://deb.debian.org/debian/ bookworm main contrib non-free-firmware non-free" > /etc/apt/sources.list
|
|
|
|
# Update everything to latest
|
|
echo "Updating packages..."
|
|
apt update
|
|
apt -y upgrade
|
|
|
|
# System hardening
|
|
echo "Hardening system..."
|
|
|
|
## Disable info packets
|
|
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
## Track bad attempts
|
|
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
## Harden ip options
|
|
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
## Disable routing functionality
|
|
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
## Network optimisation
|
|
echo "Optimising network settings..."
|
|
echo "net.ipv4.ip_local_port_range = 2000 65000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.tcp_rmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.tcp_wmem = 4096 87380 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.core.rmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.core.wmem_max = 8388608" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.core.netdev_max_backlog = 5000" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
## Kernel hardening
|
|
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
## Kernel optimisation
|
|
echo "kernel.pid_max = 65536" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
## Filesystem protected
|
|
echo "Hardening filesystem..."
|
|
echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-custom.conf &> /dev/null
|
|
|
|
# Write sysctl values
|
|
sysctl -p /etc/sysctl.d/99-custom.conf
|
|
|
|
# Set limits
|
|
echo "Setting security limits..."
|
|
touch /etc/security/limits.d/99-custom.conf
|
|
echo "* hard nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
|
echo "* soft nofile 94000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
|
echo "* hard nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
|
echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf &> /dev/null
|
|
|
|
# Install common packages
|
|
echo "Installing common packages..."
|
|
apt install -y debian-archive-keyring apt-transport-https vim git ufw &> /dev/null
|
|
|
|
# Configure SSH
|
|
echo "Configuring SSH..."
|
|
sed -i 's/#Port 22/Port ${SSH_PORT}/g' /etc/ssh/sshd_config
|
|
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
|
|
|
|
if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
|
|
then
|
|
echo "Configuring SSH keys..."
|
|
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
|
|
sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
|
|
|
|
mkdir -p /root/.ssh
|
|
curl -s ${AUTHORIZED_SSH_KEYS} > /root/.ssh/authorized_keys
|
|
chmod 700 /root/.ssh
|
|
chmod 600 /root/.ssh/authorized_keys
|
|
fi
|
|
|
|
# Configure firewall
|
|
echo "Configuring firewall..."
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
ufw allow ${SSH_PORT}
|
|
ufw allow http
|
|
ufw allow https
|
|
ufw enable
|
|
|
|
# Install crowdsec
|
|
echo "Installing crowdsec..."
|
|
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
|
|
apt install crowdsec crowdsec-firewall-bouncer crowdsec-firewall-bouncer-iptables -y &> /dev/null
|
|
|
|
echo "Done configuring!"
|
|
|
|
# Reboot
|
|
read -p "Reboot the system now? " -n 1 -r REPLY_REBOOT
|
|
case "$REPLY_REBOOT" in
|
|
y|Y ) echo "yes";;
|
|
n|N ) echo "no";;
|
|
* ) echo "invalid";;
|
|
esac
|
|
|
|
if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
|
|
then
|
|
reboot
|
|
fi |