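#!/bin/sh
# Initial boot / provisioning script for a fresh Debian-style VM.
#
# Steps, in order:
#   1. harden sshd (no root login, no password authentication),
#   2. update the system and install a handful of admin packages,
#   3. create an admin user (default: matthew) with passwordless sudo and an
#      SSH public key, and force a password change at first login,
#   4. install an IPv4 iptables ruleset restored by ifupdown before any
#      interface comes up, and apply it immediately,
#   5. validate the sshd config and reboot.
#
# Usage: run as root; the username may be passed as the first argument.
#
# Assumptions: Debian/Ubuntu with apt, GNU sed, ifupdown and a PAM-based
# sshd.  IPv6 is NOT filtered here: ip6tables keeps its default
# accept-everything policy, so add an ip6tables ruleset if the host has a
# public IPv6 address.

set -eu

NEW_USER="${1:-matthew}"
SSHD_CONFIG=/etc/ssh/sshd_config
# Public key installed for $NEW_USER.  Replace with your own before use.
SSH_PUBKEY='ssh-rsa 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 [email protected]'

[ "$(id -u)" -eq 0 ] || { printf '%s: must be run as root\n' "$0" >&2; exit 1; }

# set_sshd_option KEY VALUE
# sshd uses the FIRST occurrence of a keyword, so every existing definition
# (active or commented) is dropped and the directive is placed at the top of
# the file.  The previous sed-in-place/append trick left password auth on
# when an uncommented "PasswordAuthentication yes" was already present, and
# a commented "#PermitRootLogin yes" was rewritten but stayed commented.
# NOTE: this also removes the keyword inside any Match block; fine for a
# stock config, review it if the file has been customised.
set_sshd_option() {
  key=$1
  value=$2
  tmp=$(mktemp)
  {
    printf '%s %s\n' "$key" "$value"
    sed -E "/^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=|$)/d" "$SSHD_CONFIG"
  } > "$tmp"
  # cat into the original keeps its owner and mode.
  cat "$tmp" > "$SSHD_CONFIG"
  rm -f -- "$tmp"
}

set_sshd_option PermitRootLogin no
set_sshd_option PasswordAuthentication no

# Update and install packages.  apt-get has a stable CLI for scripts (apt
# warns about this); the noninteractive frontend stops dpkg from blocking on
# prompts.  --with-new-pkgs mirrors what "apt upgrade" does.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get -y --with-new-pkgs upgrade
apt-get -y install \
  git \
  tcpdump \
  htop \
  vim \
  sudo \
  fail2ban \
  mtr \
  net-tools \
  screen \
  qemu-guest-agent

# Create the admin user.  Idempotent: a rerun must not abort on an account
# that already exists, but it must still end up in the sudo group.
if ! id "$NEW_USER" >/dev/null 2>&1; then
  useradd "$NEW_USER" -m -s /bin/bash
fi
usermod -a -G sudo "$NEW_USER"
HOME_DIR=$(getent passwd "$NEW_USER" | cut -d: -f6)
PRIMARY_GROUP=$(id -gn "$NEW_USER")

# Empty the password and expire it so the first login (SSH key + PAM) forces
# the user to set a new one.  CAVEAT: until that first login the account
# has an empty password; the default PAM stack may accept empty passwords on
# the local console (verify nullok in /etc/pam.d), so do not leave the VM
# with an exposed console in the meantime.
passwd -d "$NEW_USER"
chage -d 0 "$NEW_USER"

# Passwordless sudo for the sudo group, as a validated drop-in (relies on
# the stock "#includedir /etc/sudoers.d" line in /etc/sudoers).  Security
# note: possession of the SSH key alone then grants root; the forced
# password change above does not gate sudo.
SUDOERS_DROPIN=/etc/sudoers.d/90-sudo-nopasswd
printf '%%sudo ALL=NOPASSWD: ALL\n' > "$SUDOERS_DROPIN"
chmod 0440 "$SUDOERS_DROPIN"
if ! visudo -cf "$SUDOERS_DROPIN"; then
  rm -f -- "$SUDOERS_DROPIN"
  printf 'sudoers drop-in failed validation and was removed\n' >&2
  exit 1
fi

# Install the SSH key.  '>' deliberately replaces any existing key file.
printf 'Install SSH Key\n'
install -d -m 0700 -o "$NEW_USER" -g "$PRIMARY_GROUP" "$HOME_DIR/.ssh"
printf '%s\n' "$SSH_PUBKEY" > "$HOME_DIR/.ssh/authorized_keys"
chmod 0600 "$HOME_DIR/.ssh/authorized_keys"

# Disable vim's mouse capture so terminal text selection keeps working.
printf 'set mouse-=a\n' > /root/.vimrc
printf 'set mouse-=a\n' > "$HOME_DIR/.vimrc"
# Fix ownership last, after every file under the home has been written
# (the original chown'ed before creating .vimrc, leaving it root-owned).
chown -R "$NEW_USER:$PRIMARY_GROUP" "$HOME_DIR"

# IPv4 firewall: default-deny inbound; allow loopback, established/related,
# new SSH, ICMP echo-request and time-exceeded.  Written with '>' so a rerun
# replaces the file instead of appending a second ruleset.
# The fail2ban-ssh chain is only a placeholder: fail2ban creates and fills
# its own chain on start (check the jail's chain/name settings if you expect
# its rules to land here).  FORWARD stays ACCEPT as in the original; this is
# harmless while ip_forward is off but tighten it if the host ever routes.
cat > /etc/iptables.rules <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# ICMP echo-request and time-exceeded
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
COMMIT
EOF

# Restore the rules before any interface is brought up.  run-parts only
# executes files with the executable bit set; the original never chmod'ed
# this hook, so the firewall was never loaded at boot.  Only ifupdown runs
# this directory -- on systemd-networkd/netplan hosts use iptables-persistent
# or a systemd unit instead.
HOOK=/etc/network/if-pre-up.d/iptables
cat > "$HOOK" <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules
EOF
chmod 0755 "$HOOK"
# Apply now: proves the ruleset parses before we reboot, and protects the
# host immediately.  The ESTABLISHED rule keeps the current SSH session up.
"$HOOK"

# Never reboot into a lockout: the sshd config must parse and the key file
# must be non-empty, since password auth and root login are now off.
sshd -t
[ -s "$HOME_DIR/.ssh/authorized_keys" ]

reboot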