Sets up and hardens an Arch Linux server.
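#!/usr/bin/env bash
# See https://gist.github.com/chris-redbeed/b3cee239532cee25b2357b4225e7f791 for a Debian version of this script.
#
# Sets up and hardens a fresh Arch Linux server: root password, hostname,
# mirrorlist, full upgrade, an unprivileged user with key-only SSH access,
# a locked-down sshd, ufw, an auto-update timer, timezone and NTP.
#
# Must run as root. Environment overrides:
#   TIMEZONE   timezone passed to timedatectl (default: Europe/Berlin)
#
# Run it from a session you keep open: sshd is reconfigured and restarted,
# so verify that a *new* login on the new port works before disconnecting.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly MIRRORLIST=/etc/pacman.d/mirrorlist
readonly TIMEZONE="${TIMEZONE:-Europe/Berlin}"

# Shared between steps: set by create_user / configure_sshd, read by the
# firewall and sshd restart steps.
username=
sshport=

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Prompt for one line of input and reject empty answers.
# Arguments: $1 - prompt text, $2 - name of the variable to fill
#######################################
ask() {
  local -n ask_target=$2
  printf '%s\n' "$1"
  IFS= read -r ask_target || die "no input received"
  [[ -n "$ask_target" ]] || die "input must not be empty"
}

change_root_password() {
  echo "# Change password of root user"
  passwd
}

set_hostname() {
  local new_hostname
  echo "# Change hostname"
  ask "Please enter hostname:" new_hostname
  # Validate against RFC 1123 label syntax; this also rejects a leading '-'
  # so the value can never be parsed as an option.
  [[ "$new_hostname" =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$ ]] \
    || die "invalid hostname: $new_hostname"
  # hostnamectl persists the name (/etc/hostname); a plain `hostname` call
  # only changes the running kernel value and is lost on reboot.
  hostnamectl set-hostname "$new_hostname"
}

setup_mirrorlist() {
  local ranked
  echo "# Finding fastest mirrors"
  command -v rankmirrors >/dev/null || die "rankmirrors not found (install pacman-contrib)"
  cp -- "$MIRRORLIST" "$MIRRORLIST.backup"
  sed -i 's/^#Server/Server/' -- "$MIRRORLIST.backup"
  # Rank into a temp file first so a failing rankmirrors cannot leave an
  # empty mirrorlist behind (the original redirect truncated it up front).
  ranked=$(mktemp) || die "mktemp failed"
  rankmirrors -n 10 "$MIRRORLIST.backup" > "$ranked"
  chmod 644 "$ranked"
  mv -- "$ranked" "$MIRRORLIST"
}

upgrade_system() {
  echo "# Update system with pacman"
  pacman -Syu
}

create_user() {
  local publickey home sshdir
  echo "# Create new user"
  ask "Please enter username:" username
  # Restrict to portable user-name characters (also forbids a leading '-').
  [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"
  useradd -m "$username"
  passwd "$username"
  echo "Please enter public key:"
  ask "Please enter public key:" publickey
  # Resolve the real home directory instead of assuming /home/<user>.
  home=$(getent passwd "$username" | cut -d: -f6)
  [[ -d "$home" ]] || die "home directory of $username not found"
  sshdir="$home/.ssh"
  # sshd's StrictModes rejects keys in group/world-writable locations; create
  # the directory and key file owned by the user with restrictive modes
  # rather than leaving root-owned, umask-dependent defaults.
  install -d -m 700 -o "$username" -g "$username" -- "$sshdir"
  printf '%s\n' "$publickey" > "$sshdir/authorized_keys"
  chown "$username:$username" "$sshdir/authorized_keys"
  chmod 600 "$sshdir/authorized_keys"
}

configure_sshd() {
  echo "# Configure sshd"
  ask "Please enter a ssh port:" sshport
  [[ "$sshport" =~ ^[0-9]+$ ]] && (( sshport >= 1 && sshport <= 65535 )) \
    || die "invalid ssh port: $sshport"
  # The generated config replaces the stock file wholesale; keep a copy.
  cp -- "$SSHD_CONFIG" "$SSHD_CONFIG.backup"
  # MaxAuthTries 1: every key an agent offers counts as one attempt, so a
  # client holding several keys must pin the right one (IdentitiesOnly).
  cat > "$SSHD_CONFIG" <<EOF
# Custom sshd configurations
# Set the ssh port
Port $sshport
# Forbid root login
PermitRootLogin no
# End login-attempts after 30s
LoginGraceTime 30s
# Give only one try to auth
MaxAuthTries 1
# Use public key authentication only
PubkeyAuthentication yes
# Find the file in .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# Do not use PAM; authentication is key-only (see below)
UsePAM no
# Disable password auth
PasswordAuthentication no
# Disable challenge response
ChallengeResponseAuthentication no
# Limit the maximum number of not-logged-in connections to 2
MaxStartups 2
# Print no default message after login
PrintMotd no
# Load sftp-subsystem (default arch linux)
Subsystem sftp /usr/lib/ssh/sftp-server
# Add permissions for specific users
AllowUsers $username
EOF
  # Refuse to continue with a config sshd cannot parse: restarting on it
  # would lock every future login out of the machine.
  sshd -t
}

setup_firewall() {
  echo "# Setup firewall with ufw."
  pacman -S --needed ufw
  ufw default allow outgoing
  ufw default deny incoming
  # `limit` both permits the port and rate-limits new connections. A plain
  # `allow` for the same port inserted before it would match first and turn
  # the limit rule into a no-op, so only the limit rule is added.
  ufw limit "$sshport/tcp"
  ufw enable
  systemctl enable --now ufw
}

restart_sshd() {
  # Done after the firewall permits the new port. Existing sessions survive
  # the restart; new logins use the new port and user restrictions.
  systemctl restart sshd
}

setup_autoupdate() {
  echo "# Setup auto-update"
  # NOTE: unattended `pacman -Syu --noconfirm` can stall on prompts that
  # need manual intervention; review the journal of this unit regularly.
  cat > /etc/systemd/system/autoupdate.service <<'EOF'
[Unit]
Description=Automatic Update
After=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/pacman -Syuq --noconfirm
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
EOF
  cat > /etc/systemd/system/autoupdate.timer <<'EOF'
[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes
[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=autoupdate.service
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable --now autoupdate.timer
}

setup_time() {
  # Setup timezone and ntp
  timedatectl set-timezone "$TIMEZONE"
  timedatectl set-ntp true
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  change_root_password
  set_hostname
  setup_mirrorlist
  upgrade_system
  create_user
  configure_sshd
  setup_firewall
  restart_sshd
  setup_autoupdate
  setup_time
  printf '\nDone. Test a new SSH login as %s on port %s before closing this session.\n' \
    "$username" "$sshport"
}

main "$@"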