Created
February 18, 2014 19:01
Secure an Ubuntu server
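#!/bin/bash
# Baseline hardening for a freshly created Ubuntu server: creates an
# administrative account that logs in with the SSH key the server was built
# with, disables root and password logins over SSH, enables the ufw firewall
# with only SSH open, installs fail2ban and turns on unattended upgrades.
#
# Run as root. The server must have been created with a key pair: password
# logins are switched off below, so without a working authorized_keys file
# you will be locked out. Keep the current session open until a login as the
# new user has been confirmed from a second terminal.

set -euo pipefail

readonly ADMIN_USER=everett
readonly ADMIN_HOME="/home/${ADMIN_USER}"
readonly SUDOERS_DROPIN="/etc/sudoers.d/50_${ADMIN_USER}_sh"
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly APT_PERIODIC=/etc/apt/apt.conf.d/10periodic

rc=0

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Report a hardening step that did not take effect; the script continues but
# finishes with a non-zero status so the gap is not missed.
warn() {
  printf 'WARNING: %s\n' "$*" >&2
  rc=1
}

# Set "<key> <value>" in sshd_config whether the directive is currently
# commented out, set to another value, or absent.
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# Set APT::Periodic::<key> "<value>"; in the periodic config. Replaces an
# existing line instead of appending, so re-running the script is harmless.
set_apt_periodic() {
  local key=$1 value=$2 line
  line="APT::Periodic::${key} \"${value}\";"
  if grep -q "^APT::Periodic::${key}[[:space:]]" "$APT_PERIODIC" 2>/dev/null; then
    sed -i -E "s|^APT::Periodic::${key}[[:space:]].*|${line}|" "$APT_PERIODIC"
  else
    printf '%s\n' "$line" >> "$APT_PERIODIC"
  fi
}

(( EUID == 0 )) || die "must be run as root"

# Refuse to touch anything unless there is a non-empty key file to hand to the
# new user; otherwise disabling password logins would lock everyone out.
src_keys=.ssh/authorized_keys
[[ -s "$src_keys" ]] || src_keys="${HOME}/.ssh/authorized_keys"
[[ -s "$src_keys" ]] || die "no authorized_keys found; create the server with a key pair first"

# --- Administrative user -----------------------------------------------------
if ! id -u "$ADMIN_USER" >/dev/null 2>&1; then
  adduser --shell /bin/bash --gecos "User for managing feeds" \
    --disabled-password --home "$ADMIN_HOME" "$ADMIN_USER"
fi
adduser "$ADMIN_USER" sudo

# Newer sudo releases spell the directive "@includedir"; accept either form so
# a second include line is not appended.
grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' /etc/sudoers \
  || echo "#includedir /etc/sudoers.d" >> /etc/sudoers

# The account has no password (--disabled-password), so sudo cannot prompt for
# one and NOPASSWD is required. Consequence: whoever holds the SSH private key
# for this user holds root. Protect that key with a passphrase.
tmp_sudoers=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$tmp_sudoers"' EXIT
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ADMIN_USER" > "$tmp_sudoers"
# Validate before installing: a syntax error in sudoers.d disables sudo.
visudo -cf "$tmp_sudoers" >/dev/null || die "generated sudoers entry failed validation"
install -m 0440 -o root -g root "$tmp_sudoers" "$SUDOERS_DROPIN"
visudo -c >/dev/null || die "sudoers configuration is invalid; fix it before logging out"

# Owner-only permissions on the key material.
install -d -m 0700 -o "$ADMIN_USER" -g "$ADMIN_USER" "${ADMIN_HOME}/.ssh"
install -m 0600 -o "$ADMIN_USER" -g "$ADMIN_USER" \
  "$src_keys" "${ADMIN_HOME}/.ssh/authorized_keys"

# The original ran `su everett` here. Inside a script that opens an interactive
# shell and the remaining commands only run, still as root, once it exits.
# Everything below therefore runs directly as root, without sudo.

# --- Lock it down ------------------------------------------------------------
cp -p -- "$SSHD_CONFIG" "${SSHD_CONFIG}.orig"
set_sshd_option PermitRootLogin no
set_sshd_option PasswordAuthentication no
# Never restart sshd on a config it rejects; restore the backup instead.
if ! sshd -t; then
  cp -p -- "${SSHD_CONFIG}.orig" "$SSHD_CONFIG"
  die "sshd rejected the edited configuration; original restored"
fi
service ssh restart

# Another file (for example a drop-in under /etc/ssh/sshd_config.d/) may still
# override the settings above, so check the effective configuration.
effective=$(sshd -T 2>/dev/null) || effective=""
for want in 'permitrootlogin no' 'passwordauthentication no'; do
  grep -qx -- "$want" <<<"$effective" \
    || warn "effective sshd configuration does not contain '${want}'"
done

# Open SSH before enabling the firewall so the current session survives.
# Assumes sshd listens on port 22; adjust if the port was changed.
ufw allow 22/tcp
ufw --force enable

# --- Packages and unattended upgrades ---------------------------------------
export DEBIAN_FRONTEND=noninteractive
# Refresh the package lists before installing anything; stop if that fails.
apt-get -y update
apt-get -y upgrade
# fail2ban is installed with its packaged defaults; this script configures no
# jails of its own.
apt-get -y install fail2ban unattended-upgrades

# NOTE(review): apt.conf.d files with a higher number (such as a packaged
# 20auto-upgrades, if present) are read later and may override these values.
set_apt_periodic Download-Upgradeable-Packages 1
set_apt_periodic AutocleanInterval 7
set_apt_periodic Unattended-Upgrade 1

exit "$rc"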