lattejed · June 10, 2019 17:17
diff --git a/ubuntu_basic_setup_az.sh b/ubuntu_basic_setup_az.sh
 # Note: This is for the Ubunutu 18.04.2 x64 image available as an Azure VM
 # provisioned via the command line and may not work for other images / OS versions.

 # Warning: This script directy edits some configuration files that may
 # render your OS unusable if there is an error. Use at your own risk.

 apt-get update

 read -p "Set password for user 'deploy' (recommended) [yN] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
  
 	echo "Set password for user 'deploy'"
 	passwd deploy
  
 	echo "Set password for 'deploy'"
 	echo
 fi

 read -p "Add 'deploy' to sudoers (required for 'deploy' user) [yN] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
 	cat << EOF > /etc/sudoers
 Defaults        env_reset
 Defaults        mail_badpass
 Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 root    ALL=(ALL:ALL) ALL
 deploy  ALL=(ALL:ALL) ALL
 EOF

 	echo "Added user 'deploy' to sudoers"
 	echo
 fi

 read -p "Upgrade installed packages (recommended) [yN] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
 	apt-get upgrade -y
 	echo "Upgraded installed packages"
 	echo
 fi

 read -p "Install fail2ban (recommended) [yN] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
 	apt-get install fail2ban -y

 	echo "Installed fail2ban"
 	echo
 fi

 read -p "Enable unattended security upgrades (recommended) [yN] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
 	apt-get install unattended-upgrades -y

 	cat << EOF > /etc/apt/apt.conf.d/10periodic
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Download-Upgradeable-Packages "1";
 APT::Periodic::Unattended-Upgrade "1";
 EOF

 	cat << EOF > /etc/apt/apt.conf.d/50unattended-upgrades 
 Unattended-Upgrade::Allowed-Origins {
  "${distro_id}:${distro_codename}-security";
 };
 EOF

 	echo "Enabled unattended upgrades"
 	echo
 fi

 read -p "Make ssh config more secure (recommended) [yN] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then

 	cat << EOF > /etc/ssh/sshd_config
 Port 22
 Protocol 2
 PermitRootLogin no
 PubkeyAuthentication yes
 PasswordAuthentication no
 ChallengeResponseAuthentication no
 AllowAgentForwarding no
 AllowTcpForwarding no
 X11Forwarding no
 UsePAM yes
 EOF

 	service ssh restart

 fi
	# Note: This is for the Ubunutu 18.04.2 x64 image available as an Azure VM
	# provisioned via the command line and may not work for other images / OS versions.

	# Warning: This script directy edits some configuration files that may
	# render your OS unusable if there is an error. Use at your own risk.

	apt-get update

	read -p "Set password for user 'deploy' (recommended) [yN] " -n 1 -r
	echo
	if [[ $REPLY =~ ^[Yy]$ ]]
	then

	echo "Set password for user 'deploy'"
	passwd deploy

	echo "Set password for 'deploy'"
	echo
	fi

	read -p "Add 'deploy' to sudoers (required for 'deploy' user) [yN] " -n 1 -r
	echo
	if [[ $REPLY =~ ^[Yy]$ ]]
	then
	cat << EOF > /etc/sudoers
	Defaults env_reset
	Defaults mail_badpass
	Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
	root ALL=(ALL:ALL) ALL
	deploy ALL=(ALL:ALL) ALL
	EOF

	echo "Added user 'deploy' to sudoers"
	echo
	fi

	read -p "Upgrade installed packages (recommended) [yN] " -n 1 -r
	echo
	if [[ $REPLY =~ ^[Yy]$ ]]
	then
	apt-get upgrade -y
	echo "Upgraded installed packages"
	echo
	fi

	read -p "Install fail2ban (recommended) [yN] " -n 1 -r
	echo
	if [[ $REPLY =~ ^[Yy]$ ]]
	then
	apt-get install fail2ban -y

	echo "Installed fail2ban"
	echo
	fi

	read -p "Enable unattended security upgrades (recommended) [yN] " -n 1 -r
	echo
	if [[ $REPLY =~ ^[Yy]$ ]]
	then
	apt-get install unattended-upgrades -y

	cat << EOF > /etc/apt/apt.conf.d/10periodic
	APT::Periodic::Update-Package-Lists "1";
	APT::Periodic::Download-Upgradeable-Packages "1";
	APT::Periodic::Unattended-Upgrade "1";
	EOF

	cat << EOF > /etc/apt/apt.conf.d/50unattended-upgrades
	Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}-security";
	};
	EOF

	echo "Enabled unattended upgrades"
	echo
	fi

	read -p "Make ssh config more secure (recommended) [yN] " -n 1 -r
	echo
	if [[ $REPLY =~ ^[Yy]$ ]]
	then

	cat << EOF > /etc/ssh/sshd_config
	Port 22
	Protocol 2
	PermitRootLogin no
	PubkeyAuthentication yes
	PasswordAuthentication no
	ChallengeResponseAuthentication no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no
	UsePAM yes
	EOF

	service ssh restart

	fi