I'm tired of manually typing these in, so I created a script.
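#!/usr/bin/env bash
# New-server bootstrap: optionally create an admin user, register the Docker
# and Cloudflare apt repositories, install a base package set, harden the
# OpenSSH server (after the sshaudit.com Ubuntu 20.04 guide linked below),
# install the admin user's SSH public key and set up oh-my-zsh for that user.
#
# Must run as root. Optional environment overrides:
#   NEW_USER            - admin account to create/configure (default: ricky)
#   AUTHORIZED_KEY      - public-key line appended to NEW_USER's authorized_keys
#   CLOUDFLARE_CODENAME - suite used for the Cloudflare apt repo (default: focal)
set -euo pipefail

readonly NEW_USER="${NEW_USER:-ricky}"
readonly CLOUDFLARE_CODENAME="${CLOUDFLARE_CODENAME:-focal}"
# Key installed for NEW_USER; the trailing field is the key comment as published.
readonly AUTHORIZED_KEY="${AUTHORIZED_KEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqJfkX2RMLenAm8fdihcXZv+E2foWsDmKfF+5EoRVmJ [email protected]}"
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSHD_HARDENING_CONF=/etc/ssh/sshd_config.d/ssh-audit_hardening.conf

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
log() { printf '%s\n' "$*"; }

#######################################
# Print the home directory of a user, or nothing if the account is unknown.
# Arguments: $1 - account name
#######################################
user_home() {
  getent passwd "$1" | cut -d: -f6
}

#######################################
# Abort unless running as root. Exits non-zero (the original exited 0, which
# made a non-root run look successful to a caller).
#######################################
require_root() {
  (( EUID == 0 )) || die "Gemme root!"
}

#######################################
# Offer to create NEW_USER and add it to the sudo group; loops until a
# recognisable yes/no answer is given. Whether created here or pre-existing,
# the account must exist before sshd is restricted to it.
#######################################
create_admin_user() {
  local answer
  while true; do
    read -r -p "Create user ${NEW_USER}? [y/n] " answer
    case "$answer" in
      [yY][eE][sS]|[yY])
        log "Creating user..."
        adduser "$NEW_USER"
        usermod -aG sudo "$NEW_USER"
        break
        ;;
      [nN][oO]|[nN])
        log "Skipping..."
        break
        ;;
      *)
        log "Invalid input..."
        ;;
    esac
  done
  # Every later step (AllowUsers, authorized_keys, chsh) targets NEW_USER; with
  # root login disabled, continuing without the account would lock the host
  # out of SSH entirely, so stop before anything is changed.
  id -u "$NEW_USER" >/dev/null 2>&1 || die "user ${NEW_USER} does not exist; refusing to continue"
}

#######################################
# Register the Docker and Cloudflare apt repositories with their signing keys.
#######################################
add_apt_repos() {
  log "Adding packages repos..."
  log " -> Adding docker..."
  mkdir -p /etc/apt/keyrings
  # --batch --yes lets gpg overwrite an existing keyring on re-runs instead of
  # stopping at an interactive prompt.
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    | gpg --batch --yes --dearmor -o /etc/apt/keyrings/docker.gpg
  printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu %s stable\n' \
    "$(dpkg --print-architecture)" "$(lsb_release -cs)" > /etc/apt/sources.list.d/docker.list
  log " -> Adding cloudflare..."
  # -f: an HTTP error response must not be written to disk as the keyring.
  curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg -o /usr/share/keyrings/cloudflare-main.gpg
  printf 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/ %s main\n' \
    "$CLOUDFLARE_CODENAME" > /etc/apt/sources.list.d/cloudflare-main.list
}

#######################################
# Refresh the package index, upgrade, and install the base package set.
#######################################
install_packages() {
  log "Updating APT..."
  apt-get update
  log "Upgrading APT..."
  apt-get full-upgrade -y
  log "Installing packages..."
  apt-get install -y zsh haveged rng-tools docker-ce docker-ce-cli containerd.io docker-compose-plugin cloudflared
}

#######################################
# Install AUTHORIZED_KEY for NEW_USER with the permissions sshd's StrictModes
# accepts (700 on ~/.ssh, 600 on authorized_keys). Idempotent on re-runs.
#######################################
install_authorized_key() {
  local home ssh_dir keys_file
  home="$(user_home "$NEW_USER")"
  [[ -n "$home" ]] || die "cannot determine home directory of ${NEW_USER}"
  ssh_dir="${home}/.ssh"
  keys_file="${ssh_dir}/authorized_keys"
  log "Adding ssh key to authorized_keys..."
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$keys_file"
  chmod 600 "$keys_file"
  grep -qxF -- "$AUTHORIZED_KEY" "$keys_file" || printf '%s\n' "$AUTHORIZED_KEY" >> "$keys_file"
  chown -R "${NEW_USER}:" "$ssh_dir"
}

#######################################
# Harden sshd per https://www.sshaudit.com/hardening_guides.html#ubuntu_20_04_lts:
# fresh host keys, small DH moduli removed, algorithm allow-lists, root login
# and X11 forwarding off, SSH access limited to NEW_USER. The configuration is
# validated before sshd is restarted.
#######################################
harden_sshd() {
  log "Hardening SSH (known_hosts will require a refresh)..."
  # Re-generate the RSA and ED25519 host keys (clients will see a changed key).
  rm -f /etc/ssh/ssh_host_*
  ssh-keygen -q -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
  ssh-keygen -q -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
  # Drop Diffie-Hellman moduli shorter than 3072 bits.
  awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
  mv /etc/ssh/moduli.safe /etc/ssh/moduli
  # Enable the RSA and ED25519 keys (GNU sed: \| alternation).
  sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' "$SSHD_CONFIG"
  # Restrict key exchange, cipher, MAC and host-key algorithms. NOTE(review):
  # this relies on sshd_config including sshd_config.d/*.conf (stock on the
  # Ubuntu release the guide targets) - confirm on other images.
  mkdir -p "$(dirname "$SSHD_HARDENING_CONF")"
  cat > "$SSHD_HARDENING_CONF" <<'EOF'
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
EOF
  # Match both the commented default and an explicit PermitRootLogin setting;
  # matching only "#PermitRootLogin prohibit-password" left an explicit
  # "PermitRootLogin yes" untouched.
  sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' "$SSHD_CONFIG"
  sed -i 's/X11Forwarding yes/X11Forwarding no/' "$SSHD_CONFIG"
  # Append AllowUsers once only, so re-runs do not accumulate duplicate lines.
  grep -qxF -- "AllowUsers ${NEW_USER}" "$SSHD_CONFIG" \
    || printf 'AllowUsers %s\n' "$NEW_USER" >> "$SSHD_CONFIG"
  # A config that sshd rejects would leave the daemon down after the restart
  # and the host unreachable; validate first.
  sshd -t || die "sshd configuration failed validation; not restarting"
  service ssh restart
}

#######################################
# Install oh-my-zsh for NEW_USER and make zsh its login shell.
#######################################
setup_zsh() {
  local home installer
  home="$(user_home "$NEW_USER")"
  [[ -n "$home" ]] || die "cannot determine home directory of ${NEW_USER}"
  log "Installing ohmyzsh as ${NEW_USER}..."
  # Unpredictable temp name; mktemp creates it 0600, so open it to the user
  # who runs it. The installer is fetched from the moving "master" ref and
  # executed unverified - pinning a commit would make this reproducible.
  installer="$(mktemp /tmp/zsh.XXXXXX)"
  chmod 755 "$installer"
  wget -q https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh -O "$installer"
  sudo -i -u "$NEW_USER" sh "$installer" --unattended
  rm -f -- "$installer"
  # Run chsh as root: invoked as the user it would stop at a password prompt.
  chsh -s "$(command -v zsh)" "$NEW_USER"
  sed -i 's/ZSH_THEME=\"robbyrussell\"/ZSH_THEME=\"agnoster\"/' "${home}/.zshrc"
}

main() {
  require_root
  create_admin_user
  add_apt_repos
  install_packages
  # Install the key before sshd is restarted with root login disabled and
  # access limited to NEW_USER, so there is no window with no usable login.
  install_authorized_key
  harden_sshd
  setup_zsh
  log "Done!"
}

main "$@"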

For future reference: bash <(curl -sL https://gist.githubusercontent.com/Rickardo987/125b9de77d40ef872fba4db94268df9a/raw/c93e3e7492f365e19d8258b14cc871b7865ebe47/new_server_deploy.sh)
