StackScript to make a more secure Ubuntu server install out of the box
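#!/bin/bash
# Setup script designed to get a Ubuntu 10.4 LTS server
# up and running with secure defaults.
#
# Runs unattended as root during first boot (Linode StackScript). Its inputs
# are the UDF fields declared below; Linode exports each one as an
# upper-case environment variable (USER_HOSTNAME, USER_USERNAME, ...).
#
# <UDF name="user_hostname" Label="Hostname for new Linode" />
# <UDF name="user_username" Label="Username for non-root account" />
# <UDF name="user_password" Label="Password for new user" />
# <UDF name="user_sshkey" Label="Public SSH key for the non-root account" />
#
# include basic commands and convenience utilities from
# http://www.linode.com/stackscripts/view/?StackScriptID=1
# (provides system_primary_ip, used below)
source <ssinclude StackScriptID="1">

USER_HOME="/home/$USER_USERNAME"
SSHD_CONFIG=/etc/ssh/sshd_config

# Abort loudly instead of continuing half-configured; stderr lands in the
# StackScript log.
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Set (or append) one "Key value" option in sshd_config, replacing any
# existing active or commented-out line for that key. Edits the file in
# place: the previous `sed ... file | tee file` pipeline let tee truncate
# the file before sed had read it, leaving an empty sshd_config.
# Arguments: $1 - option name (fixed literal), $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -q -E "^#?[[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i -e "s/^#\?[[:space:]]*${key}[[:space:]].*$/${key} ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

[[ -n "$USER_HOSTNAME" && -n "$USER_USERNAME" && -n "$USER_PASSWORD" ]] \
  || die "USER_HOSTNAME, USER_USERNAME and USER_PASSWORD must all be set"

# get system up to date; -y plus the noninteractive frontend stop apt from
# blocking on a prompt that nobody can answer during provisioning
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get -y upgrade

# change hostname from Linode default
printf '%s\n' "$USER_HOSTNAME" > /etc/hostname
hostname -F /etc/hostname

# add hostname to hosts file so sudo doesn't break: sudo resolves the local
# hostname, so the entry needs both the address and the name (the original
# line wrote only the address). The leading newline guards against a hosts
# file that lacks a trailing newline.
printf '\n%s\t%s\n' "$(system_primary_ip)" "$USER_HOSTNAME" >> /etc/hosts

# add a non-root user non-interactively, with bash as the login shell
# (useradd would otherwise default to /bin/sh)
useradd -d "$USER_HOME" -m -s /bin/bash "$USER_USERNAME" \
  || die "useradd $USER_USERNAME failed"

# set password non-interactively; chpasswd reads "user:password" on stdin,
# so the password never appears in a command line visible through ps
printf '%s:%s\n' "$USER_USERNAME" "$USER_PASSWORD" | chpasswd

# add user to correct Ubuntu groups for SSH and sudo
usermod -a -G sudo,ssh "$USER_USERNAME"

# remove requirement for password to sudo. NOPASSWD is the author's
# trade-off: with password SSH logins disabled below, the SSH key is the only
# credential, so a sudo password adds little. Validate before keeping the
# edit: one malformed sudoers line disables sudo for every user.
cp /etc/sudoers /etc/sudoers.bak
printf '\n%s ALL=(ALL) NOPASSWD: ALL\n' "$USER_USERNAME" >> /etc/sudoers
if ! visudo -c -f /etc/sudoers >/dev/null; then
  cp /etc/sudoers.bak /etc/sudoers
  die "sudoers edit failed validation; original restored"
fi
rm -f /etc/sudoers.bak

# install SSH key and fix permissions on user SSH keys. sshd ignores keys in
# a group- or world-accessible directory, so the directory must be 700 and
# the key file 600; chmod takes the mode before the path, and chown takes the
# owner before the path with an upper-case -R (the original had both reversed
# and used a lower-case -r, so none of these commands took effect).
mkdir -p "$USER_HOME/.ssh"
if [[ -n "$USER_SSHKEY" ]]; then
  printf '%s\n' "$USER_SSHKEY" > "$USER_HOME/.ssh/authorized_keys"
  chmod 600 "$USER_HOME/.ssh/authorized_keys"
fi
chmod 700 "$USER_HOME/.ssh"
chown -R "$USER_USERNAME:$USER_USERNAME" "$USER_HOME/.ssh"

# secure SSH from root login
set_sshd_option PermitRootLogin no

# disable password logins only once a key is actually installed; with root
# login off and no key, turning passwords off would lock out everyone except
# the Linode console
if [[ -n "$USER_SSHKEY" ]]; then
  set_sshd_option PasswordAuthentication no
else
  printf 'WARNING: no SSH key supplied; leaving PasswordAuthentication enabled\n' >&2
fi

# sshd only re-reads its config on restart; check it first so a bad edit
# cannot take the daemon down
/usr/sbin/sshd -t || die "sshd_config failed validation"
service ssh restart

# TODO: add iptables configuration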