Last active
February 17, 2020 15:38
-
-
Save droidzone/23a0615508c9bbfaf45a8197de0b1a46 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Generate a random password | |
| # = number of characters; defaults to 32 | |
| # = include special characters; 1 = yes, 0 = no; defaults to 1 | |
| function randpass() { | |
| [ "" == "0" ] && CHAR="[:alnum:]" || CHAR="[:graph:]" | |
| cat /dev/urandom | tr -cd "$CHAR" | head -c ${1:-32} | |
| echo | |
| } | |
| AUTH_KEY="http://droidzone.in/securessh/mysshkey.pub" | |
| AUTH_KEYNAME="mysshkey.pub" | |
| echo Removing bash history and mysql history | |
| if [ -e ~/.bash_history ]; then rm ~/.bash_history; fi | |
| if [ -e ~/.mysql_history ]; then rm ~/.mysql_history; fi | |
| echo Downloading new authorized public key... | |
| #wget $ -O mysshkey.pub --no-check-certificate | |
| if [ -e $AUTH_KEYNAME ]; then rm $AUTH_KEYNAME; fi | |
| wget $AUTH_KEY -O mysshkey.pub --no-check-certificate -nv | |
| echo Creating .ssh if it doesnt exist... | |
| if [ ! -d ~/.ssh ]; then mkdir ~/.ssh; fi | |
| echo Cleaning up .ssh/ | |
| chattr -i .ssh/* | |
| #chmod -R +w .ssh/* | |
| #rm ~/.ssh/* | |
| echo Installing new public key.. | |
| cat $AUTH_KEYNAME > ~/.ssh/authorized_keys | |
| echo Setting proper permissions on .ssh and its contents | |
| chmod -R go= ~/.ssh | |
| #echo Setting immuatable bit... | |
| #chattr +i ~/.ssh/authorized_keys | |
| echo Creating a new private key | |
| ssh-keygen -t rsa -f ~/.ssh/id_rsa_mypvtkey -N "" | |
| echo The genrated key may be copied to aother seever with: | |
| echo ssh-copy-id -i ~/.ssh/id_rsa_mypvtkey.pub root@host | |
| ssh-add ~/.ssh/id_rsa_mypvtkey | |
| echo Deleting downloaded key | |
| echo Run the following manually: | |
| echo ssh-add ~/.ssh/id_rsa_mypvtkey | |
| rm $AUTH_KEYNAME | |
| echo "Adding iptables rules for blocking ssh bruteforce" | |
| iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force " | |
| iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP | |
| echo | |
| echo "Here's a random password for your use:" | |
| randpass 32 1 | |
| echo "It's recommended to change your password now. " | |
| echo " Type: passwd" | |
| rm -rf ./securessh | |
| echo Changing default ssh port from 22 to 9992.. | |
| sed -i 's/Port 22/Port 9992/g' /etc/ssh/sshd_config | |
| service ssh restart | |
| echo Securing mysql | |
| if [ `which mysqld` ] | |
| then | |
| rm ~/.mysql_history | |
| ln -s /dev/null ~/.mysql_history | |
| else | |
| echo "mysql not running/installed" | |
| fi | |
| #Installing packages | |
| apt update | |
| apt install emacs ffmpeg | |
| echo 'alias l="ls -lah --color"' >> /root/.bashrc | |
| #This line needs to be last. Else script aborts | |
| exec ssh-agent bash |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment