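#!/bin/bash
# Debian VPS hardening checklist.
#
# This is a step-by-step runbook, not an unattended installer: several steps
# open an editor (vim) or switch user (su), and the first steps run as root
# before sudo exists. Work through it top to bottom in an interactive shell;
# do not pipe the whole file into bash.
#
# Prerequisites: a fresh Debian box, a root shell, and your SSH public key at
# hand (it is needed before password authentication is switched off below).

#Getting started
# install sudo (we are still root here, so no sudo prefix yet)
apt-get install sudo
# create new user
adduser alice
# add to sudo group. The group name is a required argument of -G; without it
# usermod does not put alice into the sudo group.
usermod -aG sudo alice
# change accounts
su alice
# test sudo
sudo ls /root

#Disabling root
# lock root user. Locking (-l) prefixes the stored hash with "!" so that no
# password can match. There is no need to delete the password first; doing so
# with "passwd -d" leaves root with an EMPTY password until the lock is applied,
# which su/login may accept without prompting. Root is still reachable from the
# console via single-user mode if you ever need it.
sudo passwd -l root

#SSH Authentication
# We will ban password authentication because we'll be using keys.
# Copy your ssh public key to /home/alice/.ssh/authorized_keys before going on
# (for example with ssh-copy-id from your workstation).
# The user is the account your ssh command is connecting as.
# For example "ssh alice@SERVER" will look in /home/alice/.ssh/authorized_keys
# (SERVER is a placeholder for your host).
# sshd (StrictModes) refuses keys when these are group/world accessible:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
# Refuse to continue if no key is installed: disabling passwords without one
# locks you out of the box.
[[ -s ~/.ssh/authorized_keys ]] || { printf '%s\n' "no authorized_keys present; install your public key first" >&2; exit 1; }

#SSH Config
sudo vim /etc/ssh/sshd_config
# set PermitRootLogin no
# set AddressFamily to inet or inet6 to only listen on one address family
# set PasswordAuthentication no
# also consider ChallengeResponseAuthentication no so PAM cannot re-introduce a password prompt
# You can also change the default SSH port if you'd like but the next steps will help with leaving it default.
# Read the following for the pros and cons of having a custom SSH port
# https://security.stackexchange.com/questions/32308/should-i-change-the-default-ssh-port-on-linux-servers
# Check the file parses before reloading. A syntax error leaves sshd unable to
# restart, and a bad config can lock you out.
sudo sshd -t
# Lastly, let's reload ssh for changes to take effect. Keep THIS session open
# and confirm a new key-based login works in a second terminal before closing it.
# (On Debian the unit is "ssh"; "sshd" works as an alias.)
sudo systemctl reload sshd

#Port Knocking
#https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu

#System tools
# Get and install updates (both halves need sudo; the original only elevated the update)
sudo apt-get update && sudo apt-get upgrade -y
# Install unattended-upgrades to automatically install security updates
sudo apt-get install unattended-upgrades
# You can add an email to send alerts to when updates are performed and also include other packages to update.
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

#Setting up a firewall
sudo apt-get install ufw
# Default policies: everything out, nothing in
sudo ufw default allow outgoing
sudo ufw default deny incoming
# You can see what ports are open by checking it with
sudo ufw status
# Allow the services you want. Note that "ufw enable" takes no argument and
# only switches the firewall on; opening a port is "ufw allow". SSH must be
# allowed BEFORE the firewall is enabled, or the current session is the last
# one you get.
sudo ufw allow ssh
sudo ufw allow http
# Here's an example of allowing a port by number
sudo ufw allow 443
# "sudo ufw limit ssh" instead of "allow" additionally rate-limits new SSH
# connections per source address.
# If you run docker you can also block traffic to network interfaces so block all external communication to docker0.
# Later we will be installing PSAD which monitors logs and other parts of the server for intrusion detection. We'll edit the UFW config so they work well together.
# Add
# custom psad logging directives
#-A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
#-A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
# to the end of /etc/ufw/before.rules and /etc/ufw/before6.rules
# When you're all done enable ufw
sudo ufw enable

#Network Hardening
sudo vim /etc/sysctl.conf
# Add the following lines. Read the file's comments to understand what each variable is.
# IP Spoofing protection
#net.ipv4.conf.all.rp_filter = 1
#net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
#net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#net.ipv4.conf.default.accept_source_route = 0
#net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
#net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_max_syn_backlog = 2048
#net.ipv4.tcp_synack_retries = 2
#net.ipv4.tcp_syn_retries = 5
# Log Martians
#net.ipv4.conf.all.log_martians = 1
#net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0
#net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings (note: this also breaks ping-based uptime monitoring of the box)
#net.ipv4.icmp_echo_ignore_all = 1
# Editing the file alone changes nothing until reboot; apply it now.
sudo sysctl -p

#Prevent IP Spoofing
sudo vim /etc/host.conf
# Add the following lines (these are file contents, not shell commands, hence commented here)
#order bind,hosts
#nospoof on

#Install fail2ban
sudo apt-get install fail2ban
# fail2ban will automatically start with default config
# fail2ban can be set up to monitor any log such as apache access.log and you can ban IPs that try to access certain pages.

#Install rkhunter (finds root kits)
sudo apt-get install rkhunter
# After you can add your email for alerts
sudo vim /etc/rkhunter.conf
# Add email to MAIL-ON-WARNING
# Make sure to set MAIL_CMD

#Install psad (intrusion detector)
sudo apt-get install psad
# Edit config
sudo vim /etc/psad/psad.conf
# Add email to EMAIL_ADDRESSES and set HOSTNAME
# Set ENABLE_AUTO IDS Y and AUTO_IDS_DANGER_LEVEL to 1
# Now update signature database
sudo psad --sig-update
# Start psad
sudo psad start

#Testing configuration
# Install nmap to see open ports
sudo apt-get install nmap
# execute. Scanning localhost goes over the loopback interface, which ufw does
# not filter, so this lists every listening socket rather than what is reachable
# from outside; repeat the scan from another machine for the real picture.
# "sudo ss -tulpn" shows the same listening sockets without installing anything.
nmap -v -sT localhost

#Additional setup
# Once your server is set up exactly how you like it look into setting up tripwire
#https://opensource.com/article/18/1/securing-linux-filesystem-tripwire

#Disclaimer
# I am not a security expert or systems administrator. I'm just a developer that wanted to make a to do list I can follow when configuring new VPS boxes that are running on Debian.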