Sets up and hardens a Debian Linux server.
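#!/usr/bin/env bash
# Sets up and hardens a fresh Debian server.
#
# Steps: root password, hostname, fastest-mirror selection, full upgrade, an
# admin user with an SSH public key, a hardened sshd_config, a ufw firewall
# that only admits the chosen ssh port, unattended security upgrades with
# apt-listchanges mails to root, and timezone/NTP.
#
# Usage:  run as root on a fresh install. The script prompts for the new
#         hostname, the admin username, the admin's SSH public key and the
#         sshd port. Keep the current session open and verify a fresh login
#         on the new port before closing it.
# Env:    TIMEZONE        optional, default Europe/Berlin
#         MIRROR_COUNTRY  optional, default germany (passed to netselect-apt -c)
#
# Arch Linux Setup: https://gist.github.com/kevinkub/46ce7229ee4f17be710ddd7c5a80a3c3
set -euo pipefail

readonly TIMEZONE=${TIMEZONE:-Europe/Berlin}
readonly MIRROR_COUNTRY=${MIRROR_COUNTRY:-germany}
readonly SSHD_CONFIG=/etc/ssh/sshd_config

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section banner in the "# ..." form the original used.
# Arguments: banner text
#######################################
step() {
  printf '# %s\n' "$*"
}

#######################################
# Prompt for a non-empty value on stdin (prompt goes to stderr, so the value
# can be captured with $(...)).
# Arguments: $1 - prompt text
# Outputs:   the entered value on stdout
# Returns:   1 on EOF or empty input
#######################################
ask() {
  local value
  read -r -p "$1" value || return 1
  [[ -n "$value" ]] || return 1
  printf '%s\n' "$value"
}

#######################################
# Interactively set a new root password.
#######################################
change_root_password() {
  step "Change password of root user"
  passwd
}

#######################################
# Set the system hostname persistently via hostnamectl.
# The original ran `hostname $hostname` with $hostname never assigned, which
# only printed the current name and persisted nothing across reboots.
#######################################
change_hostname() {
  local new_hostname
  step "Change hostname"
  printf 'Current hostname: %s\n' "$(hostname)"
  new_hostname=$(ask "Please enter new hostname: ") || die "hostname must not be empty"
  hostnamectl set-hostname "$new_hostname"
}

#######################################
# Pick the fastest Debian mirror and install it as /etc/apt/sources.list.
# Globals: MIRROR_COUNTRY (read)
#######################################
setup_mirrors() {
  step "Finding fastest mirrors"
  aptitude -y install netselect netselect-apt
  # netselect-apt writes its result to ./sources.list unless -o is given, so
  # the original run never changed the mirror apt actually uses. Keep a backup
  # of the previous list so the change can be reverted.
  cp -a /etc/apt/sources.list /etc/apt/sources.list.bak
  netselect-apt -c "$MIRROR_COUNTRY" -t 15 -a amd64 -o /etc/apt/sources.list
}

#######################################
# Refresh package lists and apply a safe upgrade.
#######################################
upgrade_system() {
  step "Update system"
  aptitude -y update
  aptitude -y safe-upgrade
}

#######################################
# Create the admin user with a bash login shell and install their SSH key.
# Arguments: $1 - username (already validated by the caller)
#            $2 - SSH public key line for authorized_keys
#######################################
create_admin_user() {
  local username=$1 publickey=$2 home group ssh_dir
  step "Create new user"
  useradd -m -s /bin/bash "$username"
  passwd "$username"
  home=$(getent passwd "$username" | cut -d: -f6)
  group=$(id -gn "$username")
  ssh_dir="$home/.ssh"
  # Create ~/.ssh and authorized_keys owned by the user with the conventional
  # 700/600 modes; the original left both root-owned with default modes, so
  # the user could not manage their own keys.
  install -d -m 700 -o "$username" -g "$group" "$ssh_dir"
  printf '%s\n' "$publickey" > "$ssh_dir/authorized_keys"
  chown "$username:$group" "$ssh_dir/authorized_keys"
  chmod 600 "$ssh_dir/authorized_keys"
}

#######################################
# Replace /etc/ssh/sshd_config with a key-only, single-user configuration.
# A backup of the previous file is kept and the new one is syntax-checked
# with `sshd -t`; the restart happens in main, after ufw admits the port.
# Arguments: $1 - ssh port
#            $2 - username allowed to log in
# Globals:   SSHD_CONFIG (read)
#######################################
configure_sshd() {
  local sshport=$1 username=$2 backup
  step "Configure sshd"
  backup="$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
  cp -a "$SSHD_CONFIG" "$backup"
  cat > "$SSHD_CONFIG" <<EOF
# Custom sshd configurations
# Set the ssh port
Port $sshport
# Forbid root login
PermitRootLogin no
# End login-attempts after 30s
LoginGraceTime 30s
# Give only one try to auth. Every public key a client offers counts as one
# try, so clients with several keys loaded should connect with IdentitiesOnly=yes.
MaxAuthTries 1
# Use public key authentication only
PubkeyAuthentication yes
# Find the file in .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# Use the pam authentication module
UsePAM yes
# Disable password auth. With UsePAM yes, keyboard-interactive password
# prompts stay enabled unless ChallengeResponseAuthentication is also off.
PasswordAuthentication no
ChallengeResponseAuthentication no
# Limit the maximum number of not-logged-in connections to 2
MaxStartups 2
# Print no default message after login as this will be handled by pam
PrintMotd no
# Load sftp-subsystem (Debian path; the Arch path /usr/lib/ssh/sftp-server
# does not exist on Debian)
Subsystem sftp /usr/lib/openssh/sftp-server
# Add permissions for specific users
AllowUsers $username
EOF
  # A config sshd cannot parse would lock everyone out at the next restart.
  /usr/sbin/sshd -t || die "generated $SSHD_CONFIG is invalid; previous config saved as $backup"
}

#######################################
# Install and enable ufw: deny inbound by default, admit and rate-limit the
# ssh port. `ufw enable` still asks for confirmation, as in the original.
# Arguments: $1 - ssh port
#######################################
setup_firewall() {
  local sshport=$1
  step "Setup firewall with ufw."
  aptitude -y install ufw
  ufw default allow outgoing
  ufw default deny incoming
  ufw allow "$sshport/tcp"
  # ufw's built-in brute-force throttle on top of the allow rule
  ufw limit "$sshport/tcp"
  ufw enable
  systemctl enable --now ufw
}

#######################################
# Enable unattended security upgrades and apt-listchanges mails to root.
#######################################
setup_auto_updates() {
  step "Setup auto-update (unattended-upgrades)"
  aptitude -y install unattended-upgrades apt-listchanges
  # run "apt-get update" and "upgrade" daily. This file holds nothing else, so
  # write it rather than append: re-running the script must not duplicate it.
  cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # add whitelist for "Security" updates (appended; apt merges list options)
  cat >> /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
};
EOF
  # add mail service (send root info). The packaged file already carries an
  # [apt] section; appending a second one risks a duplicate-section error, so
  # replace the file instead.
  cat > /etc/apt/listchanges.conf <<'EOF'
[apt]
frontend=pager
confirm=false
email_address=root
save_seen=/var/lib/apt/listchanges.db
which=news
EOF
}

#######################################
# Set the timezone and enable NTP time sync.
# Globals: TIMEZONE (read)
#######################################
setup_time() {
  step "Setup timezone and ntp"
  timedatectl set-timezone "$TIMEZONE"
  timedatectl set-ntp true
}

#######################################
# Run all setup steps in order; prompts are collected here and validated
# before anything is written.
#######################################
main() {
  local username publickey sshport
  (( EUID == 0 )) || die "this script must be run as root"

  change_root_password
  change_hostname
  setup_mirrors
  upgrade_system

  username=$(ask "Please enter username: ") || die "username must not be empty"
  [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"
  publickey=$(ask "Please enter public key: ") || die "public key must not be empty"
  create_admin_user "$username" "$publickey"

  sshport=$(ask "Please enter a ssh port: ") || die "ssh port must not be empty"
  if ! [[ "$sshport" =~ ^[1-9][0-9]*$ ]] || (( sshport > 65535 )); then
    die "invalid ssh port: $sshport"
  fi
  configure_sshd "$sshport" "$username"
  setup_firewall "$sshport"
  # Only now, with the new port admitted by ufw, activate the new sshd config.
  # The running session survives the restart; test a new login on the new port
  # before closing it (the backup next to sshd_config is there to revert).
  systemctl restart ssh

  setup_auto_updates
  setup_time

  step "Done. Verify from a second terminal: ssh -p $sshport $username@$(hostname)"
}

# Good to know:
# nginx: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10
# php: https://www.itzgeek.com/how-tos/linux/debian/how-to-install-php-7-3-7-2-7-1-on-debian-10-debian-9-debian-8.html
# certbot https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10

main "$@"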
Author
chris-redbeed
commented
May 1, 2020
•
- Arch Linux Setup: https://gist.github.com/kevinkub/46ce7229ee4f17be710ddd7c5a80a3c3