@etoews
Created February 18, 2014 19:01
Secure an Ubuntu server
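#!/bin/bash
# This script assumes you've created this server with a key pair. If you haven't, you're not getting back in.
# Run it as root from root's home directory, where .ssh/authorized_keys holds that key.
# Create the everett user with passwordless sudo
adduser --shell /bin/bash --gecos "User for managing feeds" --disabled-password --home /home/everett everett
adduser everett sudo
grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers || echo "#includedir /etc/sudoers.d" >> /etc/sudoers
# umask 226 creates the sudoers drop-in with mode 0440
( umask 226 && echo "everett ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/50_everett_sh )
# Give everett root's authorized keys, with permissions tight enough for sshd to accept them
mkdir -p /home/everett/.ssh
cp .ssh/authorized_keys /home/everett/.ssh/
chmod 700 /home/everett/.ssh
chmod 600 /home/everett/.ssh/authorized_keys
chown -R everett:everett /home/everett/.ssh
# Stop before locking anything down if the key did not make it across
[ -s /home/everett/.ssh/authorized_keys ] || { echo "no authorized_keys for everett, aborting" >&2; exit 1; }
# The remaining commands use sudo, so they work as root or when pasted into everett's shell
# Lock it down. Match each directive whether or not it is commented out and whatever its
# current value, so a setting other than "yes" is not silently left in place.
sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Only restart sshd if the edited config parses
sudo sshd -t && sudo service ssh restart
sudo ufw allow 22
sudo ufw --force enable
# Refresh package lists first so the installs below resolve on a fresh image
sudo apt-get -y update
sudo apt-get -y install fail2ban
# Upgrade and set unattended upgrades
sudo apt-get -y upgrade
sudo apt-get -y install unattended-upgrades
sudo sed -i 's/Download-Upgradeable-Packages "0";/Download-Upgradeable-Packages "1";/g' /etc/apt/apt.conf.d/10periodic
sudo sed -i 's/AutocleanInterval "0";/AutocleanInterval "7";/g' /etc/apt/apt.conf.d/10periodic
# Append the setting only once so re-running the script does not duplicate it
grep -q 'APT::Periodic::Unattended-Upgrade' /etc/apt/apt.conf.d/10periodic || echo 'APT::Periodic::Unattended-Upgrade "1";' | sudo tee -a /etc/apt/apt.conf.d/10periodic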
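
An added check, not part of the original gist, that the SSH lockdown actually took effect: it reads the effective configuration in the format printed by `sshd -T` and fails if root login or password authentication is still permitted. The function name `check_sshd_lockdown` and the sample input are constructed for illustration.

```bash
#!/bin/bash
# Added example: audit the two sshd settings that the script above changes.
# check_sshd_lockdown reads `sshd -T` style text on stdin (lowercase
# "keyword value" lines, not a raw sshd_config), prints one line per finding
# and exits non-zero if either setting is weaker than "no".
# The body runs in a subshell, so its variables do not leak to the caller.
check_sshd_lockdown() (
    rc=0; seen_root=0; seen_pass=0
    while read -r key value || [ -n "$key" ]; do
        case "$key" in
            permitrootlogin)
                seen_root=1
                if [ "$value" != "no" ]; then
                    echo "FAIL permitrootlogin=$value (expected no)"; rc=1
                fi ;;
            passwordauthentication)
                seen_pass=1
                if [ "$value" != "no" ]; then
                    echo "FAIL passwordauthentication=$value (expected no)"; rc=1
                fi ;;
        esac
    done
    # A missing keyword means the input was not a full effective-config dump.
    [ "$seen_root" -eq 1 ] || { echo "FAIL permitrootlogin not reported"; rc=1; }
    [ "$seen_pass" -eq 1 ] || { echo "FAIL passwordauthentication not reported"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK root login and password authentication are disabled"
    exit "$rc"
)

# Constructed sample: a server where neither setting ended up as "no"
# (root login is key-only rather than disabled, passwords still accepted).
SAMPLE_UNCHANGED='port 22
permitrootlogin without-password
passwordauthentication yes'

printf '%s\n' "$SAMPLE_UNCHANGED" | check_sshd_lockdown || echo "lockdown incomplete"
```

On the server, feed it the live configuration with `sudo sshd -T | check_sshd_lockdown`.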