Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
223 lines (190 sloc) 7.8 KB
#!/bin/bash
echo "Starting the new server setup script"
cd ~
# Update the system
sudo apt-get update && sudo apt-get upgrade -y
echo ""
echo "Installing unattended-upgrades..."
# Install and setup unattended-upgrades
sudo apt-get install unattended-upgrades -y
# Edit the 50unattended-upgrade file
sudo sed -i 's|//\t"${distro_id}:${distro_codename}-security";|\t"${distro_id}:${distro_codename}-security";|g' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's|//\t"${distro_id}:${distro_codename}-updates";|\t"${distro_id}:${distro_codename}-updates";|g' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's|//Unattended-Upgrade::AutoFixInterruptedDpkg "false";|Unattended-Upgrade::AutoFixInterruptedDpkg "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's|//Unattended-Upgrade::Remove-Unused-Dependencies "false";|Unattended-Upgrade::Remove-Unused-Dependencies "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
# Edit the 10periodic file
sudo cat >/etc/apt/apt.conf.d/10periodic <<EOL
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOL
/etc/init.d/unattended-upgrades restart
echo ""
echo "Installing fail2ban for SSHD..."
# Install and setup fail2ban for SSHD
sudo apt-get install fail2ban -y
# Copy the default jail.conf file to a new file called jail.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Change the ban time from 600 seconds (10 min) to 86,400 seconds (1 day) :)
perl -pi -e 's/bantime = 10m/bantime = 1440m/g' /etc/fail2ban/jail.local
# Change the find time from 600 seconds (10 min) to 3,600 seconds (1 hour)
perl -pi -e 's/findtime = 10m/findtime = 60m/g' /etc/fail2ban/jail.local
sudo service fail2ban restart
echo ""
echo "Enabling ufw firewall, only allowing ssh (port 22)..."
# Enable and set the ufw firewall for ssh
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw --force enable
echo ""
echo "Installing Maldet..."
# Download and install Maldet (LMD)
cd /usr/local/src/
sudo wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
sudo tar -xzf maldetect-current.tar.gz
cd */
sudo sh ./install.sh
cd ..
# Delete original download zip files
sudo rm -rf maldetect-current.tar.gz
sudo rm -rf maldetect-*
cd ~
# Enable the LMD quarantine by replacing these 0's with 1's
perl -pi -e 's/quarantine_hits="0"/quarantine_hits="1"/g' /usr/local/maldetect/conf.maldet
perl -pi -e 's/quarantine_clean="0"/quarantine_clean="1"/g' /usr/local/maldetect/conf.maldet
echo ""
echo "Installing ClamAV..."
# Install ClamAV
sudo apt-get install clamtk clamav -y
echo ""
echo "Testing Maldet with ClamAV..."
sudo maldet -d
sudo maldet -u
echo ""
echo "Do you want to install Docker CE?"
select d_yn in "Yes" "No"
do
case $d_yn in
Yes )
echo "Installing Docker CE from the official Docker repository..."
sudo apt update
# Install the prerequisites
sudo apt install curl \
linux-image-extra-$(uname -r) \
linux-image-extra-virtual -y
# Setup the repository
sudo apt install \
apt-transport-https \
ca-certificates \
curl \
software-properties-common -y
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
apt-key fingerprint 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
sudo add-apt-repository "deb https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
# Install the Docker engine
sudo apt update
echo "Do you want to install the latest version of Docker?"
select dv_yn in "Yes" "No"
do
case $dv_yn in
Yes )
sudo apt install docker-ce -y
break
;;
No )
apt-cache madison docker-ce
read -e -p "Which Docker CE version should be installed?" docker_version
sudo apt install docker-ce=$docker_version -y
break
;;
esac
done
# Install Docker Compose
sudo curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Add the docker group and add this user to the group
sudo groupadd docker
sudo usermod -aG docker $USER
echo ""
echo "Finished installing Docker CE. You can test it by running:"
echo "sudo docker run hello-world"
echo ""
echo "Re-log into this computer to allow Docker commands to be run without sudo"
echo ""
break
;;
No )
break
;;
esac
done
# Create a new system user with sudo access
echo ""
echo "Do you want to create a new user with sudo access?"
select u_yn in "Yes" "No"
do
case $u_yn in
Yes )
read -e -p "Enter the username you want to use: " new_username
grep "^$new_username" /etc/passwd > /dev/null
if [ $? -eq 0 ]; then
echo "$new_username already exists"
echo "The user was not changed. Try another username..."
else
# Create the new user account
sudo adduser $new_username
# The user will be prompted to enter their password
# Enable the user to have sudo access
sudo usermod -aG sudo $new_username
echo "Successfully created $new_username as a sudo user"
break
fi
;;
No )
echo "No user will be created."
echo "Make sure you are not relying only on the root user, as that is a security issue!"
echo "It is a good idea to create a not root system user when administering this server."
echo "Run these commands to create a new user and to give them sudo access:"
echo "sudo adduser <new username>"
echo "sudo usermod -aG sudo <new username>"
break
;;
esac
done
echo ""
echo "Disabling root based login..."
# Before disabling root login, ensure a non root user exist
perl -pi -e 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sudo service ssh restart
echo ""
echo "Do you already have an SSH key pair linked to the main user account on this server?"
select k_yn in "Yes" "No"
do
case $k_yn in
Yes )
echo "Disabling password based login..."
perl -pi -e 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sudo service ssh restart
break
;;
No )
echo "Password based login MAY be enabled."
echo ""
echo "Add an ssh key pair for your user. View this link for help adding a ssh key:"
echo "ssh-copy-id -i ~/.ssh/id_ed25519.pub <user>@<ip address>"
echo "https://github.com/camisatx/Guides/blob/master/Ubuntu_Commands.md#ssh-key"
echo ""
echo "Once complete, disable password based login by running the following two lines:"
echo "perl -pi -e 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config"
echo "sudo service ssh restart"
echo ""
break
;;
esac
done
echo ""
echo "Finished setting up the server"
echo "Have fun!"