Created
October 29, 2023 17:12
-
-
Save bomsn/32fdb7055426be64b64160c07256fdde to your computer and use it in GitHub Desktop.
A startup script for basic server hardening
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Note: make sure to replace `your-sudo-user` with your username across the script | |
| # Update system | |
| apt-get update -y | |
| apt-get upgrade -y | |
| # Create a new sudo user | |
| useradd -m -s /bin/bash your-sudo-user | |
| # Give the sudo user same password as root for initial login | |
| echo "your-sudo-user:$(grep root /etc/shadow | cut -d: -f2)" | chpasswd -e | |
| # Force password change on first login | |
| chage -d 0 your-sudo-user | |
| # Add the user to relevant groups | |
| usermod -aG sudo your-sudo-user | |
| usermod -aG www-data your-sudo-user | |
| # Change SSH port | |
| sed -i 's/#Port 22/Port 2233/' /etc/ssh/sshd_config | |
| # Disable root login via SSH | |
| sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config | |
| # Install and enable UFW firewall, also allow our new ssh port | |
| apt-get install ufw -y | |
| ufw allow 2233/tcp | |
| ufw enable | |
| # Install fail2ban | |
| apt-get install fail2ban -y | |
| service fail2ban start | |
| # Configure fail2ban | |
| sed -i 's/maxretry = 3/maxretry = 5/' /etc/fail2ban/jail.conf | |
| # Restart SSH service | |
| systemctl restart sshd |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment