#!/bin/bash
# Timezone and locale setup (Europe/Berlin, en_US + de_DE UTF-8, German default).
# Each step runs only if the previous one succeeded; the function's status is
# that of the last step reached, just like the original && chain.
configure_locale() {
  timedatectl set-timezone Europe/Berlin || return
  dpkg-reconfigure -f noninteractive tzdata || return
  # Uncomment the two locales in /etc/locale.gen so locale-gen builds them.
  sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen || return
  sed -i -e 's/# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen || return
  echo 'LANG="de_DE.UTF-8"'>/etc/default/locale || return
  dpkg-reconfigure --frontend=noninteractive locales || return
  update-locale LANG=de_DE.UTF-8
}
configure_locale
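# Seed the shell/editor dotfiles (.bashrc*, .vimrc) from the current working
# directory into /etc/skel, root's home and every existing regular user's home.
# NOTE: the sources are resolved relative to the working directory, so run the
# script from the directory that contains them.
cp .bashrc* .vimrc /etc/skel
# The original `chown root: /etc/skel/*` never matched the dotfiles (the glob
# skips leading-dot names); target them explicitly.
chown root: /etc/skel/.bashrc* /etc/skel/.vimrc
cp .bashrc* .vimrc /root
chown root: /root/.bashrc* /root/.vimrc
# Regular users: UID 1000..65529 (skips system accounts and nobody). The home
# directory comes from the passwd entry instead of assuming /home/$user.
while IFS=: read -r user home; do
  if [[ -z "$home" || ! -d "$home" ]]; then
    printf 'Skipping %s: home directory "%s" does not exist\n' "$user" "$home" >&2
    continue
  fi
  printf 'Copy files for user: %s\n' "$user"
  # chown the copied files as well as the directory: the original only chowned
  # the directory, which left root-owned dotfiles the user could not edit.
  cp .bashrc* .vimrc "$home" \
    && chown -- "$user:" "$home" "$home"/.bashrc* "$home"/.vimrc
done < <(getent passwd | awk -F: '($3 >= 1000) && ($3 < 65530) {print $1 ":" $6}')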
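# Bring the base system up to date before the apt sources are rewritten.
# apt-get replaces apt: apt(8) warns that its CLI is not stable for scripts,
# and DEBIAN_FRONTEND=noninteractive keeps dist-upgrade from blocking on
# debconf prompts when the script runs unattended.
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y
DEBIAN_FRONTEND=noninteractive apt-get install -y lsb-release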
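# Replace /etc/apt/sources.list with the official bookworm repositories.
# The previous file is backed up first and the heredoc delimiter is quoted so
# nothing inside it is subject to shell expansion. Mirrors stay on http here
# because ca-certificates/apt-transport-https are only installed afterwards;
# apt verifies Release signatures regardless of transport. Consider switching
# to https once those packages are present.
# NOTE(review): a stock bookworm install may already list these suites in
# /etc/apt/sources.list.d/debian.sources (deb822); apt then warns about
# duplicate entries — keep only one of the two.
if [[ -f /etc/apt/sources.list ]]; then
  cp -a -- /etc/apt/sources.list "/etc/apt/sources.list.bak.$(date +%Y%m%d%H%M%S)"
fi
cat <<'EOT' > /etc/apt/sources.list
#------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS                                                        #
#------------------------------------------------------------------------------#
deb http://deb.debian.org/debian/ bookworm contrib main non-free non-free-firmware
# deb-src http://deb.debian.org/debian/ bookworm contrib main non-free non-free-firmware
deb http://deb.debian.org/debian/ bookworm-updates contrib main non-free non-free-firmware
# deb-src http://deb.debian.org/debian/ bookworm-updates contrib main non-free non-free-firmware
# proposed-updates holds packages staged for the next point release that are
# not yet fully tested; comment the next line out on production hosts.
deb http://deb.debian.org/debian/ bookworm-proposed-updates contrib main non-free non-free-firmware
# deb-src http://deb.debian.org/debian/ bookworm-proposed-updates contrib main non-free non-free-firmware
deb http://deb.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
# deb-src http://deb.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
deb http://deb.debian.org/debian-security/ bookworm-security contrib main non-free non-free-firmware
# deb-src http://deb.debian.org/debian-security/ bookworm-security contrib main non-free non-free-firmware
#------------------------------------------------------------------------------#
# UNOFFICIAL REPOS                                                             #
#------------------------------------------------------------------------------#
EOT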
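# Refresh against the new sources, upgrade, and install the base toolset.
# apt-get instead of apt (apt's CLI is not script-stable) and a noninteractive
# debconf frontend so unattended runs never stop at a prompt.
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y
DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https ca-certificates curl dirmngr dnsutils dos2unix git gnupg htop lvm2 lsb-release man mc multitail nano ncdu net-tools pwgen python3-pip rsync screen sudo unzip ufw vim-nox wget whois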
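# Add Docker's apt repository (the engine itself is installed later, see the
# hint at the end of the script). The signing key is downloaded to a temp
# file, its fingerprint is compared with the one Docker publishes, and only
# then is it dearmored into the keyring. The original `curl | gpg --dearmor`
# pipeline had no pipefail, so a failed download silently produced an empty
# keyring, and nothing checked whose key was being trusted.
docker_key_url="https://download.docker.com/linux/debian/gpg"
docker_keyring="/etc/apt/keyrings/docker.gpg"
# Fingerprint of Docker's Debian repo key as published on
# https://docs.docker.com/engine/install/debian/ — re-confirm there if the
# check below ever starts failing (key rotation).
docker_key_fpr="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
install -m 0755 -d /etc/apt/keyrings
docker_key_tmp=$(mktemp) || exit 1
if ! curl -fsSL "$docker_key_url" -o "$docker_key_tmp"; then
  printf 'Failed to download the Docker signing key; Docker repo not added\n' >&2
else
  got_fpr=$(gpg --show-keys --with-colons --with-fingerprint "$docker_key_tmp" \
    | awk -F: '$1 == "fpr" { print $10; exit }')
  if [[ "$got_fpr" != "$docker_key_fpr" ]]; then
    printf 'Docker key fingerprint mismatch (got "%s"); Docker repo not added\n' "$got_fpr" >&2
  else
    gpg --batch --yes --dearmor -o "$docker_keyring" < "$docker_key_tmp"
    chmod a+r "$docker_keyring"
    arch=$(dpkg --print-architecture)
    codename=$(. /etc/os-release && echo "$VERSION_CODENAME")
    printf 'deb [arch=%s signed-by=%s] https://download.docker.com/linux/debian %s stable\n' \
      "$arch" "$docker_keyring" "$codename" > /etc/apt/sources.list.d/docker.list
    DEBIAN_FRONTEND=noninteractive apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y
  fi
fi
rm -f -- "$docker_key_tmp"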
#make-cadir /etc/openvpn/easy-rsa2
#cd /etc/ssl/certs
#time openssl dhparam -out dhparam.pem 4096
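# Re-generate the RSA and ED25519 host keys. The new keys are created in a
# temporary directory and swapped in only after both ssh-keygen calls succeed,
# so a failure cannot leave the host with no key at all (the original deleted
# the old keys first, which would lock you out of a remote box on the next
# restart). The ECDSA host key is removed and not regenerated, which matches
# the HostKeyAlgorithms restriction applied further down in this script.
newkeys=$(mktemp -d) || exit 1
if ssh-keygen -t rsa -b 4096 -f "$newkeys/ssh_host_rsa_key" -N "" \
   && ssh-keygen -t ed25519 -f "$newkeys/ssh_host_ed25519_key" -N ""; then
  rm -f -- /etc/ssh/ssh_host_*
  mv -- "$newkeys"/ssh_host_* /etc/ssh/
  chown root:root /etc/ssh/ssh_host_*
  chmod 0600 /etc/ssh/ssh_host_*_key
  chmod 0644 /etc/ssh/ssh_host_*_key.pub
else
  printf 'ssh-keygen failed; existing host keys left untouched\n' >&2
fi
rm -rf -- "${newkeys:?}"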
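# Only allow Diffie-Hellman group-exchange moduli of at least 3072 bits by
# filtering the distribution-provided /etc/ssh/moduli (field 5 is the modulus
# size in bits, stored one less than the nominal size, hence >= 3071). This
# replaces the previous download of moduli from a third-party website: that
# fetch ran without `curl -f` and appended unverified output straight into
# /etc/ssh/moduli, so an HTTP error page or a tampered response would have
# become part of the server's DH parameters. The system moduli arrive through
# apt's signed packages, which is the trust path the rest of this script uses.
if [[ -s /etc/ssh/moduli ]]; then
  awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe \
    && mv -- /etc/ssh/moduli.safe /etc/ssh/moduli
else
  printf '/etc/ssh/moduli is missing or empty; nothing to filter\n' >&2
fi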
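# Restrict key exchange, cipher, MAC and host-key algorithms to the set from
# the sshaudit.com hardening guide. The drop-in is written with a quoted
# heredoc (no shell expansion, no `echo -e` escape processing) and validated
# with `sshd -t` before the service is restarted: on a remote host, restarting
# sshd with a broken config removes the only way back in. Algorithm names that
# had been flattened into "[email protected]" placeholders are spelled out in
# full, as listed in the guide; `sshd -t` will catch any name this OpenSSH
# build does not know.
sshd_hardening_conf=/etc/ssh/sshd_config.d/ssh-audit_hardening.conf
install -m 0755 -d /etc/ssh/sshd_config.d
cat <<'EOF' > "$sshd_hardening_conf"

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
EOF
if sshd -t; then
  systemctl restart ssh
else
  printf 'sshd -t rejected the new configuration; ssh NOT restarted. Fix or remove %s before restarting.\n' "$sshd_hardening_conf" >&2
fi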
# Docker itself is not installed here; tell the operator how to do it.
printf '%s\n' "If you would like to install Docker, use"
printf '%s\n' "apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"