Server initialization script for newly created Vultr VPS instances
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
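#!/bin/bash
# Print the header banner into the first-boot log.
#
# The heredoc delimiter is quoted ('EOF') so the banner is emitted literally.
# With an unquoted delimiter the backtick-wrapped paths in the text are command
# substitutions: while building the banner bash would try to execute
# /tmp/firstboot.exec (the saved copy of this script, per the banner itself),
# /tmp/firstboot.log, /bin/bash and /bin/sh, as root.
cat << 'EOF'
#=============================================================================#
# Startup Boot Script #
# --------------------------------------------------------------------------- #
# Platform : Vultr VPS (Debian 9) #
# Author : KaiserKatze <[email protected]> #
# --------------------------------------------------------------------------- #
# This startup script is saved to `/tmp/firstboot.exec` after execution. #
# Output produced can be found in `/tmp/firstboot.log`. #
# Scripts are executed using `/bin/bash` (Linux), `/bin/sh` (FreeBSD), etc. #
#=============================================================================#
EOF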
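#=============================================================================#
# Variables
#=============================================================================#
# Fill these in before use. Once filled in, this file carries the Shadowsocks
# password in clear text, and the script header says a copy of the script is
# kept at /tmp/firstboot.exec with its output in /tmp/firstboot.log: treat
# both as secret material and remove or restrict them after first boot.
NEW_USER_NAME=
NEW_SSH_PORT=
SHADOWSOCKS_PORT=
SHADOWSOCKS_PASSWORD=
SHADOWSOCKS_METHOD="xchacha20-ietf-poly1305"

# Fail closed on an unfilled template. With empty values the rest of the script
# would still lock root, rewrite sshd_config and enable the firewall, using an
# empty user name and an empty SSH port.
: "${NEW_USER_NAME:?set NEW_USER_NAME before running this script}"
: "${NEW_SSH_PORT:?set NEW_SSH_PORT before running this script}"
: "${SHADOWSOCKS_PORT:?set SHADOWSOCKS_PORT before running this script}"
: "${SHADOWSOCKS_PASSWORD:?set SHADOWSOCKS_PASSWORD before running this script}"

# Both ports end up in firewall rules, and SHADOWSOCKS_PORT is written unquoted
# into a JSON file, so accept digits only.
case "${NEW_SSH_PORT}${SHADOWSOCKS_PORT}" in
  *[!0-9]*)
    printf '%s\n' "NEW_SSH_PORT and SHADOWSOCKS_PORT must be numeric" >&2
    exit 1
    ;;
esac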
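#=============================================================================#
# Install apt packages
#=============================================================================#
# Nobody is at a terminal during first boot: keep package configuration
# dialogs from stalling or aborting the run.
export DEBIAN_FRONTEND=noninteractive

# shadowsocks-libev
# The backports mirror is plain HTTP. apt still checks the signed release
# metadata, so package integrity does not depend on the transport, but the
# list of packages being fetched is visible on the network.
printf '%s\n' "deb http://deb.debian.org/debian stretch-backports main" \
  > /etc/apt/sources.list.d/stretch-backports.list
apt-get update
# -y added: without it the install stops at the confirmation prompt, and an
# unattended boot ends up without shadowsocks-libev.
apt-get -t stretch-backports install -y shadowsocks-libev
# User permission management
apt-get install -y sudo
# Network analysis - nmap
# NOTE(review): nothing later in this script uses nmap; a scanner left on an
# internet-facing host is also available to anyone who gets a shell on it.
apt-get install -y nmap
# DNS analysis - dig
apt-get install -y dnsutils
# Firewall - ufw
apt-get install -y ufw
# Build essentials - gcc
apt-get install -y build-essential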
#=============================================================================#
# Routines
#=============================================================================#
# --- Administrative account -------------------------------------------------
PATH_ROOT_DIR="/root"
PATH_HOME_DIR="/home/$NEW_USER_NAME"

# Create the login account with its home directory and bash as login shell.
useradd --create-home --home-dir "$PATH_HOME_DIR" --shell /bin/bash "$NEW_USER_NAME"

# Add the account to the sudo group, keeping its other group memberships.
# NOTE(review): no password is set for this account anywhere in the script. If
# sudoers asks members of the sudo group for their password (presumably the
# Debian default, confirm), the account can log in with its key but cannot
# elevate, and the root password is locked further down.
usermod --append --groups sudo "$NEW_USER_NAME"

# Record the resulting group membership in the boot log.
groups "$NEW_USER_NAME"
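# Setup SSH authorization
PATH_SSH_DIR="$PATH_HOME_DIR/.ssh"
PATH_SSH_AKEYS="$PATH_SSH_DIR/authorized_keys"
mkdir -p "$PATH_SSH_DIR"
# A directory needs the execute bit to be entered: 700 for ~/.ssh. The
# original 600 made the directory unusable even for its owner.
chmod 700 "$PATH_SSH_DIR"
# !!! TODO: Please fill in your public key !!!
# Quoted delimiter: the key line is written verbatim, with no shell expansion.
cat > "$PATH_SSH_AKEYS" << 'EOF'
EOF
# The key list is data, not a program: 600, not 700.
chmod 600 "$PATH_SSH_AKEYS"
# The script is expected to run as root, which leaves ~/.ssh and the key file
# root-owned. sshd opens authorized_keys with the privileges of the user who is
# logging in, so hand the tree to that user or key login is refused.
# "user:" with nothing after the colon selects the user's login group.
chown -R "${NEW_USER_NAME}:" "$PATH_SSH_DIR"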
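PATH_ROOT_APP_DIR="$PATH_ROOT_DIR/App"
mkdir -p "$PATH_ROOT_APP_DIR"
# Setup DenyHosts
# @see https://github.com/denyhosts/denyhosts
# @see http://denyhosts.sourceforge.net/
FILE_DENYHOST_CONFIG="denyhosts.conf"
# The steps run in a subshell, and every step that later ones depend on stops
# the sequence when it fails. Previously a failed clone or `cd` let
# `python setup.py install` and the relative-path copies run from whatever
# directory the script happened to be in.
#
# NOTE(review): this builds and installs, as root, whatever the default branch
# holds at boot time. Check out a tag or commit you have reviewed (placeholder:
# <REVIEWED_COMMIT>) before running setup.py, or use a distribution package.
# NOTE(review): git and pip are not installed by this script; confirm the
# image provides them.
(
  cd "$PATH_ROOT_APP_DIR" || exit 1
  git clone https://github.com/denyhosts/denyhosts.git || exit 1
  cd denyhosts || exit 1
  # WARNING:
  # module `ipaddr` & `denyhosts` must be installed with root/sudo permission;
  # in addition, they must be installed under python 2.x environment.
  python -m pip install ipaddr || exit 1
  python setup.py install || exit 1
  cp -t /etc "$FILE_DENYHOST_CONFIG" || exit 1
  cp daemon-control-dist daemon-control || exit 1
  # On my VPS instance (Debian 9), `denyhosts.py` is found in `/usr/local/bin/`
  # -f: replace a link left over from an earlier run instead of failing.
  ln -sf "/usr/local/bin/denyhosts.py" "/usr/sbin/denyhosts"
  # The control script is run as root below; keep it root-owned and closed to
  # other accounts.
  chown root daemon-control
  chmod 700 daemon-control
  python daemon-control start
) || printf '%s\n' "DenyHosts setup did not complete; SSH brute-force blocking is NOT active" >&2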
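# Setup `~/.bashrc`
# !!! TODO: Please fill in your .bashrc script !!!
# Quoted delimiter: a .bashrc is full of $VARS, $(...) and backticks. With an
# unquoted delimiter this script would expand and execute them, as root, at
# boot, and store the results instead of the text you pasted.
# NOTE(review): left empty, this replaces the new user's existing .bashrc with
# an empty file.
cat > "$PATH_HOME_DIR/.bashrc" << 'EOF'
EOF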
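# Ban root user
# NOTE(review): this locks the root password before anything has confirmed
# that the new account can log in and elevate. Keep the provider's console or
# another recovery path available until that has been tested.
passwd -l root
# Configure sshd
PATH_SSHD_CONFIG="/etc/ssh/sshd_config"
# Stage the new config, let sshd check it, and only then replace the live
# file. Writing straight into /etc/ssh/sshd_config and reloading would apply an
# empty or broken file to the only remote way into the machine.
sshd_config_staged=$(mktemp) || exit 1
# !!! TODO: Please fill in your sshd config !!!
# Quoted delimiter: the config text is written verbatim.
cat > "$sshd_config_staged" << 'EOF'
EOF
if [ ! -s "$sshd_config_staged" ]; then
  # Template not filled in: an empty sshd_config means built-in defaults,
  # which need not match NEW_SSH_PORT used for the firewall rule.
  printf 'sshd config template is empty; keeping %s as shipped\n' \
    "$PATH_SSHD_CONFIG" >&2
elif /usr/sbin/sshd -t -f "$sshd_config_staged"; then
  install -m 644 -o root -g root "$sshd_config_staged" "$PATH_SSHD_CONFIG"
  # Reload sshd so it picks up the new config
  systemctl reload sshd
else
  printf 'sshd rejected the new config; keeping %s unchanged\n' \
    "$PATH_SSHD_CONFIG" >&2
fi
rm -f -- "$sshd_config_staged"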
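# Setup firewall
# The firewall is switched on only if the SSH rule was accepted. Enabling ufw
# after a failed `ufw limit` (for example an empty or invalid NEW_SSH_PORT)
# would block the only remote access path.
# NOTE(review): the rule must name the port sshd actually listens on; that
# port comes from the sshd_config filled in above.
if ufw limit "$NEW_SSH_PORT/tcp"; then
  ufw allow "WWW Secure"        # allows HTTPS, vital for nginx
  ufw allow "$SHADOWSOCKS_PORT" # allows both tcp and udp traffic
  # NOTE(review): with logging off there is no record of blocked or
  # rate-limited connections to look at after an incident; `ufw logging low`
  # keeps one at modest volume.
  ufw logging off
  # --force: `ufw enable` asks for confirmation, which an unattended boot
  # cannot answer.
  ufw --force enable
else
  printf '%s\n' "could not add the SSH firewall rule; ufw left disabled" >&2
fi
ufw status numbered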
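# Setup shadowsocks-libev service
PATH_SHADOWSOCKS_CONFIG="/etc/shadowsocks-libev/config.json"
# NOTE(review): this file holds the proxy password and is created with the
# default umask, so it is presumably readable by every local account. Restrict
# it to root plus the account the service runs as (check the unit file, which
# is not visible here) rather than leaving it world-readable.
# NOTE(review): the password is pasted into JSON unescaped; a `"` or `\` in it
# yields an invalid config or a different password than intended.
# The delimiter stays unquoted on purpose: the variables must be expanded.
cat > "$PATH_SHADOWSOCKS_CONFIG" << EOF
{
    "server":"0.0.0.0",
    "server_port":$SHADOWSOCKS_PORT,
    "local_port":1080,
    "password":"$SHADOWSOCKS_PASSWORD",
    "timeout":300,
    "method":"$SHADOWSOCKS_METHOD"
}
EOF
# restart, not start: if the package already started the daemon when it was
# installed (usual for Debian services), `start` is a no-op and the daemon
# keeps running with the packaged config instead of the file written above.
systemctl restart shadowsocks-libev
# --no-pager: print the status into the boot log instead of opening a pager.
systemctl --no-pager status shadowsocks-libev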
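# Web server
apt-get install -y nginx-full
# HTTPS certification
apt-get install -y certbot
# Setup Django server
# NOTE(review): these are unpinned, system-wide installs performed as root;
# a virtualenv with pinned versions keeps them out of the system Python.
python3 -m pip install django
python3 -m pip install uwsgi
# Setup Nodejs server
# The installer is downloaded to a file first and run only if the download
# succeeded. Piping curl straight into a root shell runs whatever arrives,
# including a truncated body or an HTTP error page; -f makes curl fail on HTTP
# errors, and the staged file can be logged or inspected.
# NOTE(review): setup_11.x selects the Node.js 11 release line, which is no
# longer maintained upstream; pick a supported line before using this.
nodesource_setup=$(mktemp) || exit 1
if curl -fsSL -o "$nodesource_setup" https://deb.nodesource.com/setup_11.x; then
  bash "$nodesource_setup"
  apt-get install -y nodejs
else
  printf '%s\n' "NodeSource setup script could not be downloaded; nodejs not installed" >&2
fi
rm -f -- "$nodesource_setup"
# FTP server
# NOTE(review): plain FTP sends credentials in clear text, and the firewall
# rules above open no FTP port; install it only if needed, and then with TLS.
apt-get install -y vsftpd
# DNS server
# NOTE(review): presumably started with the package defaults on install;
# confirm it is not answering recursive queries from the internet before
# opening port 53.
apt-get install -y bind9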