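#!/usr/bin/env bash
#
# new_server_setup — interactive first-boot hardening for an Ubuntu server.
#
# Steps, in order: system update, unattended-upgrades, fail2ban for sshd,
# ufw (ssh only), Linux Malware Detect (maldet) + ClamAV, optional Docker CE
# and docker-compose, optional sudo user, then sshd hardening (no root login
# and, if the admin confirms a key is in place, no password login).
#
# Requirements: run as a user with sudo rights; network access to the apt
# mirrors, rfxn.com, download.docker.com and github.com.
set -euo pipefail

readonly UNATTENDED_CONF=/etc/apt/apt.conf.d/50unattended-upgrades
readonly PERIODIC_CONF=/etc/apt/apt.conf.d/10periodic
readonly MALDET_URL=https://www.rfxn.com/downloads/maldetect-current.tar.gz
readonly MALDET_CONF=/usr/local/maldetect/conf.maldet
readonly DOCKER_KEY_URL=https://download.docker.com/linux/ubuntu/gpg
readonly DOCKER_KEYRING=/etc/apt/keyrings/docker.gpg
# Fingerprint of Docker's apt signing key (the value the original script
# printed with "apt-key fingerprint" but never compared against anything).
readonly DOCKER_KEY_FPR=9DC858229FC7DD38854AE2D88D81803C0EBFCD88
readonly COMPOSE_VERSION=1.25.4
readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Scratch directory for downloads; created in main, removed by the EXIT trap.
WORKDIR=

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a blank line followed by a section heading.
# Arguments: heading text
#######################################
section() {
  printf '\n%s\n' "$*"
}

#######################################
# Show a Yes/No menu and return the answer as an exit status.
# Arguments: $1 - question to print
# Returns:   0 for Yes, 1 for No (or end of input)
#######################################
ask_yes_no() {
  local question=$1 answer
  printf '%s\n' "$question"
  select answer in "Yes" "No"; do
    case "$answer" in
      Yes) return 0 ;;
      No) return 1 ;;
    esac
  done
  return 1
}

#######################################
# Set a directive in a root-owned config file: rewrite every line matching an
# extended regex, or append the directive if nothing matches. Callers must
# pass patterns/replacements that contain no '|'.
# Arguments: $1 - file, $2 - ERE pattern, $3 - replacement line
#######################################
set_config_line() {
  local file=$1 pattern=$2 replacement=$3
  if sudo grep -Eq -- "$pattern" "$file"; then
    sudo sed -i -E "s|${pattern}|${replacement}|" "$file"
  else
    printf '%s\n' "$replacement" | sudo tee -a "$file" >/dev/null
  fi
}

#######################################
# Validate sshd_config, then restart ssh. A syntax error would otherwise
# leave the daemon down and lock remote administrators out.
#######################################
restart_sshd() {
  sudo sshd -t || die "sshd_config failed validation; not restarting ssh"
  sudo systemctl restart ssh
}

update_system() {
  sudo apt-get update
  sudo apt-get upgrade -y
}

#######################################
# Install unattended-upgrades and enable security/updates origins, automatic
# dpkg repair, removal of unused dependencies and automatic reboots.
#######################################
setup_unattended_upgrades() {
  section "Installing unattended-upgrades..."
  sudo apt-get install -y unattended-upgrades
  # Uncomment the origins and flip the options. The whitespace after "//" is
  # matched loosely because it differs between Ubuntu releases.
  sudo sed -i \
    -e 's|^//[[:space:]]*"${distro_id}:${distro_codename}-security";|\t"${distro_id}:${distro_codename}-security";|' \
    -e 's|^//[[:space:]]*"${distro_id}:${distro_codename}-updates";|\t"${distro_id}:${distro_codename}-updates";|' \
    -e 's|^//Unattended-Upgrade::AutoFixInterruptedDpkg "false";|Unattended-Upgrade::AutoFixInterruptedDpkg "true";|' \
    -e 's|^//Unattended-Upgrade::Remove-Unused-Dependencies "false";|Unattended-Upgrade::Remove-Unused-Dependencies "true";|' \
    -e 's|^//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|' \
    "$UNATTENDED_CONF"
  # "sudo cat > file" redirects in the caller's unprivileged shell and fails
  # on a root-owned path; write the file through tee running under sudo.
  sudo tee "$PERIODIC_CONF" >/dev/null <<'EOL'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOL
  sudo systemctl restart unattended-upgrades
}

#######################################
# Install fail2ban and raise bantime (10m -> 1 day) and findtime (10m -> 1h)
# in jail.local, the override file that package upgrades leave alone.
#######################################
setup_fail2ban() {
  section "Installing fail2ban for SSHD..."
  sudo apt-get install -y fail2ban
  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  # " *= *" tolerates the column-aligned "bantime  = 10m" form of jail.conf,
  # which a literal "bantime = 10m" pattern never matched.
  sudo sed -i \
    -e 's/^bantime *= *10m/bantime = 1440m/' \
    -e 's/^findtime *= *10m/findtime = 60m/' \
    /etc/fail2ban/jail.local
  sudo systemctl restart fail2ban
}

#######################################
# Enable ufw with a default-deny inbound policy, allowing only ssh.
#######################################
setup_ufw() {
  section "Enabling ufw firewall, only allowing ssh (port 22)..."
  sudo apt-get install -y ufw
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  # Allow ssh before enabling so the current remote session is not cut off.
  sudo ufw allow ssh
  sudo ufw --force enable
}

#######################################
# Download and install Linux Malware Detect, then enable quarantine.
# Globals: WORKDIR (read), MALDET_URL, MALDET_CONF
#######################################
install_maldet() {
  section "Installing Maldet..."
  local archive="$WORKDIR/maldetect-current.tar.gz"
  wget -q -O "$archive" "$MALDET_URL"
  # NOTE(review): no signature or checksum is published for this tarball, so
  # TLS is the only integrity control; pin a checksum here if you mirror it.
  tar -xzf "$archive" -C "$WORKDIR"
  # The archive unpacks into a single versioned directory; locate it with a
  # glob instead of "cd */", which silently picks whatever is in /usr/local/src.
  local dirs=("$WORKDIR"/maldetect-*/)
  if (( ${#dirs[@]} != 1 )) || [[ ! -d "${dirs[0]}" ]]; then
    die "unexpected maldet archive layout in $WORKDIR"
  fi
  (cd "${dirs[0]}" && sudo sh ./install.sh)
  # Enable quarantine of hits and cleaning of quarantined files.
  sudo sed -i \
    -e 's/^quarantine_hits="0"/quarantine_hits="1"/' \
    -e 's/^quarantine_clean="0"/quarantine_clean="1"/' \
    "$MALDET_CONF"
}

install_clamav() {
  section "Installing ClamAV..."
  sudo apt-get install -y clamav clamtk
  section "Testing Maldet with ClamAV..."
  sudo maldet -d
  sudo maldet -u
}

#######################################
# Optionally install Docker CE from Docker's apt repository (key verified by
# fingerprint and scoped with signed-by) plus a pinned docker-compose whose
# checksum is verified before it is placed in PATH.
# Globals: WORKDIR (read), DOCKER_* and COMPOSE_VERSION
#######################################
install_docker() {
  printf '\n'
  ask_yes_no "Do you want to install Docker CE?" || return 0
  section "Installing Docker CE from the official Docker repository..."
  sudo apt-get update
  # linux-image-extra-* is intentionally not installed: it only provided aufs
  # support for old kernels and no longer exists on current Ubuntu releases.
  sudo apt-get install -y \
    apt-transport-https ca-certificates curl gnupg software-properties-common

  # Check the signing key's fingerprint before trusting it, then install it
  # as a dedicated keyring (apt-key is deprecated and would trust the key for
  # every configured repository).
  local key_asc="$WORKDIR/docker.asc" fprs
  curl -fsSL "$DOCKER_KEY_URL" -o "$key_asc"
  fprs=$(gpg --with-colons --with-fingerprint --show-keys "$key_asc")
  grep -q -- "^fpr:.*:${DOCKER_KEY_FPR}:" <<<"$fprs" \
    || die "Docker apt key fingerprint does not match $DOCKER_KEY_FPR"
  sudo install -m 0755 -d /etc/apt/keyrings
  gpg --dearmor <"$key_asc" | sudo tee "$DOCKER_KEYRING" >/dev/null
  sudo chmod a+r "$DOCKER_KEYRING"
  printf 'deb [arch=%s signed-by=%s] https://download.docker.com/linux/ubuntu %s stable\n' \
    "$(dpkg --print-architecture)" "$DOCKER_KEYRING" "$(lsb_release -cs)" \
    | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
  sudo apt-get update

  printf '\n'
  if ask_yes_no "Do you want to install the latest version of Docker?"; then
    sudo apt-get install -y docker-ce
  else
    apt-cache madison docker-ce
    local docker_version
    read -r -e -p "Which Docker CE version should be installed? " docker_version
    sudo apt-get install -y "docker-ce=${docker_version}"
  fi

  # docker-compose: verify the release against the .sha256 file published
  # next to it before the binary becomes executable in PATH.
  local asset base
  asset="docker-compose-$(uname -s)-$(uname -m)"
  base="https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}"
  curl -fsSL "${base}/${asset}" -o "$WORKDIR/$asset"
  curl -fsSL "${base}/${asset}.sha256" -o "$WORKDIR/$asset.sha256"
  (cd "$WORKDIR" && sha256sum -c --status "$asset.sha256") \
    || die "docker-compose checksum mismatch"
  sudo install -m 0755 "$WORKDIR/$asset" /usr/local/bin/docker-compose

  # groupadd fails if the group already exists, which would abort under -e.
  getent group docker >/dev/null || sudo groupadd docker
  # Membership of the docker group grants access to the daemon socket, which
  # is root-equivalent on this host; only the invoking user is added.
  sudo usermod -aG docker "${USER:-$(id -un)}"
  echo ""
  echo "Finished installing Docker CE. You can test it by running:"
  echo "sudo docker run hello-world"
  echo ""
  echo "Re-log into this computer to allow Docker commands to be run without sudo"
  echo ""
}

#######################################
# Optionally create a new user and add it to the sudo group. Re-prompts while
# the name is empty or already exists.
#######################################
create_sudo_user() {
  printf '\n'
  if ! ask_yes_no "Do you want to create a new user with sudo access?"; then
    echo "No user will be created."
    echo "Make sure you are not relying only on the root user, as that is a security issue!"
    echo "It is a good idea to create a not root system user when administering this server."
    echo "Run these commands to create a new user and to give them sudo access:"
    echo "sudo adduser <new username>"
    echo "sudo usermod -aG sudo <new username>"
    return 0
  fi
  local new_username
  while true; do
    read -r -e -p "Enter the username you want to use: " new_username
    if [[ -z "$new_username" ]]; then
      echo "The username must not be empty. Try another username..."
    # id(1) resolves through NSS and matches the whole name, unlike the old
    # prefix grep of /etc/passwd (which rejected "bob" when "bobby" existed).
    elif id -u "$new_username" >/dev/null 2>&1; then
      echo "$new_username already exists"
      echo "The user was not changed. Try another username..."
    else
      # adduser prompts interactively for the password.
      sudo adduser "$new_username"
      sudo usermod -aG sudo "$new_username"
      echo "Successfully created $new_username as a sudo user"
      return 0
    fi
  done
}

#######################################
# Disable root login over ssh and, if the admin confirms a key is installed,
# disable password authentication as well.
#######################################
harden_sshd() {
  section "Disabling root based login..."
  # Also rewrite the commented default ("#PermitRootLogin prohibit-password"),
  # which a plain "PermitRootLogin yes" substitution never touched.
  set_config_line "$SSHD_CONFIG" \
    '^#?[[:space:]]*PermitRootLogin[[:space:]].*' 'PermitRootLogin no'
  restart_sshd
  printf '\n'
  if ask_yes_no "Do you already have an SSH key pair linked to the main user account on this server?"; then
    echo "Disabling password based login..."
    set_config_line "$SSHD_CONFIG" \
      '^#?[[:space:]]*PasswordAuthentication[[:space:]].*' 'PasswordAuthentication no'
    restart_sshd
  else
    echo "Password based login MAY be enabled."
    echo ""
    echo "Add an ssh key pair for your user. View this link for help adding a ssh key:"
    echo "ssh-copy-id -i ~/.ssh/id_ed25519.pub <user>@<ip address>"
    echo "https://github.com/camisatx/Guides/blob/master/Ubuntu_Commands.md#ssh-key"
    echo ""
    echo "Once complete, disable password based login by running the following two lines:"
    echo "sudo sed -i -E 's|^#?[[:space:]]*PasswordAuthentication[[:space:]].*|PasswordAuthentication no|' /etc/ssh/sshd_config"
    echo "sudo systemctl restart ssh"
    echo ""
  fi
}

main() {
  echo "Starting the new server setup script"
  cd ~
  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${WORKDIR:?}"' EXIT
  update_system
  setup_unattended_upgrades
  setup_fail2ban
  setup_ufw
  install_maldet
  install_clamav
  install_docker
  create_sudo_user
  harden_sshd
  printf '\n%s\n%s\n' "Finished setting up the server" "Have fun!"
}

main "$@"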