sixg0000d · February 3, 2021 23:34
diff --git a/init-server.sh b/init-server.sh
 #!/bin/bash

 EXTRA_PACKAGES=${EXTRA_PACKAGES:-"tar wget vim rpmconf sudo bind-utils fish sshguard jq"}
 NEW_SSH_PORT=${NEW_PORT:-"$(shuf -i 10000-65535 -n 1)"}

 function check_package_management() {
    if command -v dnf >/dev/null; then
        echo "package management: dnf"
        pm=dnf
        pm_install='dnf -y install'
    elif command -v yum >/dev/null; then
        echo "package management: yum"
        pm=yum
        pm_install='yum -y install'
    else
        echo "package management: not found"
        echo "skip packages installation"
        return 1
    fi
 }

 function upgrade() {
    $pm -y upgrade
 }

 function install_extra_packages() {
    if [ ! -e "/etc/fedora-release" ]; then
        $pm_install epel-release
        $pm makecache
    fi
    if selinuxenabled; then
        EXTRA_PACKAGES="${EXTRA_PACKAGES} policycoreutils-python-utils"
    fi
    $pm_install ${EXTRA_PACKAGES}
 }

 function packages_installation() {
    if check_package_management; then
        upgrade
        install_extra_packages
    fi
 }

 function change_ssh_port() {
    OLD_SSH_PORT=$(awk '/^Port / { print $2 }' /etc/ssh/sshd_config)
    if [ -z "$OLD_SSH_PORT" ]; then
        OLD_SSH_PORT=22
    fi
    sed -e "s|^#\?Port.*|Port ${NEW_SSH_PORT:-10022}|" -i /etc/ssh/sshd_config
    if selinuxenabled; then
        semanage port -d -t ssh_port_t -p tcp ${OLD_SSH_PORT} || :
        semanage port -a -t ssh_port_t -p tcp ${NEW_SSH_PORT:-10022}
    fi
    if (firewall-cmd --state &>/dev/null); then
        firewall-cmd --service ssh --add-port ${NEW_SSH_PORT:-10022}/tcp --permanent
        firewall-cmd --service ssh --remove-port ${OLD_SSH_PORT:-22}/tcp --permanent
    fi
 }

 function disable_password_login() {
    if (egrep '^#?PasswordAuthentication.*' /etc/ssh/sshd_config &>/dev/null); then
        sed -e 's|^#\?PasswordAuthentication.*|PasswordAuthentication no|g' -i /etc/ssh/sshd_config
    else
        echo 'PasswordAuthentication no' >>/etc/ssh/sshd_config
    fi
 }

 function sysctl_config() {
    if sysctl $1 &>/dev/null; then
        local current=$(sysctl -n $1)
        [ "${current}" == "$2" ] || echo "$1=$2" >>/etc/sysctl.conf
    fi
 }

 function enable_bbr() {
    kernel_version_major=$(uname -r | awk -F . '{print $1}')
    kernel_version_minor=$(uname -r | awk -F . '{print $2}')
    if [ "$kernel_version_major" -gt 4 ] || ([ "$kernel_version_major" -eq 4 ] && [ "$kernel_version_minor" -ge 9 ]); then
        sysctl_config net.core.default_qdisc fq
        sysctl_config net.ipv4.tcp_congestion_control bbr
        sysctl -p
    fi
 }

 function enable_sshguard() {
    systemctl enable sshguard.service
 }

 function print_info() {
    echo "Done"
    echo "New sshd port: $(awk '/^Port / { print $2 }' /etc/ssh/sshd_config)"
    echo "Please reboot"
 }

 function main() {
    packages_installation
    change_ssh_port
    disable_password_login
    enable_bbr
    enable_sshguard
    print_info
 }

 main "$@"
	#!/bin/bash

	EXTRA_PACKAGES=${EXTRA_PACKAGES:-"tar wget vim rpmconf sudo bind-utils fish sshguard jq"}
	NEW_SSH_PORT=${NEW_PORT:-"$(shuf -i 10000-65535 -n 1)"}

	function check_package_management() {
	if command -v dnf >/dev/null; then
	echo "package management: dnf"
	pm=dnf
	pm_install='dnf -y install'
	elif command -v yum >/dev/null; then
	echo "package management: yum"
	pm=yum
	pm_install='yum -y install'
	else
	echo "package management: not found"
	echo "skip packages installation"
	return 1
	fi
	}

	function upgrade() {
	$pm -y upgrade
	}

	function install_extra_packages() {
	if [ ! -e "/etc/fedora-release" ]; then
	$pm_install epel-release
	$pm makecache
	fi
	if selinuxenabled; then
	EXTRA_PACKAGES="${EXTRA_PACKAGES} policycoreutils-python-utils"
	fi
	$pm_install ${EXTRA_PACKAGES}
	}

	function packages_installation() {
	if check_package_management; then
	upgrade
	install_extra_packages
	fi
	}

	function change_ssh_port() {
	OLD_SSH_PORT=$(awk '/^Port / { print $2 }' /etc/ssh/sshd_config)
	if [ -z "$OLD_SSH_PORT" ]; then
	OLD_SSH_PORT=22
	fi
	sed -e "s\|^#\?Port.*\|Port ${NEW_SSH_PORT:-10022}\|" -i /etc/ssh/sshd_config
	if selinuxenabled; then
	semanage port -d -t ssh_port_t -p tcp ${OLD_SSH_PORT} \|\| :
	semanage port -a -t ssh_port_t -p tcp ${NEW_SSH_PORT:-10022}
	fi
	if (firewall-cmd --state &>/dev/null); then
	firewall-cmd --service ssh --add-port ${NEW_SSH_PORT:-10022}/tcp --permanent
	firewall-cmd --service ssh --remove-port ${OLD_SSH_PORT:-22}/tcp --permanent
	fi
	}

	function disable_password_login() {
	if (egrep '^#?PasswordAuthentication.*' /etc/ssh/sshd_config &>/dev/null); then
	sed -e 's\|^#\?PasswordAuthentication.*\|PasswordAuthentication no\|g' -i /etc/ssh/sshd_config
	else
	echo 'PasswordAuthentication no' >>/etc/ssh/sshd_config
	fi
	}

	function sysctl_config() {
	if sysctl $1 &>/dev/null; then
	local current=$(sysctl -n $1)
	[ "${current}" == "$2" ] \|\| echo "$1=$2" >>/etc/sysctl.conf
	fi
	}

	function enable_bbr() {
	kernel_version_major=$(uname -r \| awk -F . '{print $1}')
	kernel_version_minor=$(uname -r \| awk -F . '{print $2}')
	if [ "$kernel_version_major" -gt 4 ] \|\| ([ "$kernel_version_major" -eq 4 ] && [ "$kernel_version_minor" -ge 9 ]); then
	sysctl_config net.core.default_qdisc fq
	sysctl_config net.ipv4.tcp_congestion_control bbr
	sysctl -p
	fi
	}

	function enable_sshguard() {
	systemctl enable sshguard.service
	}

	function print_info() {
	echo "Done"
	echo "New sshd port: $(awk '/^Port / { print $2 }' /etc/ssh/sshd_config)"
	echo "Please reboot"
	}

	function main() {
	packages_installation
	change_ssh_port
	disable_password_login
	enable_bbr
	enable_sshguard
	print_info
	}

	main "$@"