DigitalOcean Ubuntu 14.04 server configuration script.
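#!/usr/bin/env bash
#
# DigitalOcean Ubuntu 14.04 server bootstrap.
#
# Creates an unprivileged sudo user that can log in only with the SSH key in
# ssh_pub_key, installs mosh, applies a default-deny iptables firewall
# (ssh + mosh only), installs fail2ban, replaces sshd_config with a hardened
# one (no root login, no password login) and finally upgrades all packages.
#
# Required:  ssh_pub_key - the public key to authorize. Edit the assignment
#                          below or export it before running. The script
#                          refuses to start with an empty key because the
#                          sshd policy it installs disables password login,
#                          so an empty authorized_keys means a locked-out box.
# Optional:  username    - account to create (default: ubuntu).
#
# Run as root or as a user with sudo; adduser prompts interactively.

set -euo pipefail

username=${username:-ubuntu}
ssh_pub_key=${ssh_pub_key:-}

# Abort before any system change rather than discover the lockout later.
: "${ssh_pub_key:?ssh_pub_key must contain the public key to authorize}"

readonly home_dir="/home/${username}"
readonly ssh_dir="${home_dir}/.ssh"
readonly sshd_config_path=/etc/ssh/sshd_config

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create the login user, add it to sudo and install the authorized key.
# Globals:   username, ssh_pub_key, ssh_dir (read)
# Returns:   0 on success; aborts via set -e otherwise
#######################################
setup_user() {
  # adduser is interactive (password prompt); skip it on a re-run.
  if ! id -u "${username}" >/dev/null 2>&1; then
    sudo adduser "${username}"
  fi
  sudo usermod -a -G sudo "${username}"
  # install(1) creates the directory with mode and owner in one step.
  sudo install -d -m 700 -o "${username}" -g "${username}" "${ssh_dir}"
  # `sudo echo ... > file` opens the redirect as the caller, not as root;
  # tee runs under sudo so the write itself is privileged.
  printf '%s\n' "${ssh_pub_key}" | sudo tee "${ssh_dir}/authorized_keys" >/dev/null
  sudo chmod 600 "${ssh_dir}/authorized_keys"
  sudo chown -R "${username}:${username}" "${ssh_dir}"
}

#######################################
# Install mosh from the keithw PPA.
#######################################
install_mosh() {
  sudo apt-get update -y
  # python-software-properties provides add-apt-repository on 14.04
  sudo apt-get install -y python-software-properties
  sudo add-apt-repository -y ppa:keithw/mosh
  sudo apt-get update -y
  sudo apt-get install -y mosh
}

#######################################
# Append a rule to the INPUT chain unless an identical one already exists,
# so re-running the script does not pile up duplicates that
# iptables-persistent would then save.
# Arguments: $1 - iptables or ip6tables; $@ - the rule specification
#######################################
input_rule() {
  local tool=$1
  shift
  sudo "${tool}" -C INPUT "$@" 2>/dev/null || sudo "${tool}" -A INPUT "$@"
}

#######################################
# Default-deny inbound firewall: loopback, established flows, ssh (tcp/22)
# and mosh (udp/60000-61000). ssh and mosh are opened over IPv4 only.
#######################################
configure_firewall() {
  local tool
  for tool in iptables ip6tables; do
    # Loopback goes first so nothing local is ever caught by later rules.
    sudo "${tool}" -C INPUT -i lo -j ACCEPT 2>/dev/null \
      || sudo "${tool}" -I INPUT 1 -i lo -j ACCEPT
    input_rule "${tool}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  input_rule iptables -p udp --dport 60000:61000 -j ACCEPT  # mosh
  input_rule iptables -p tcp --dport 22 -j ACCEPT           # ssh
  # Without ICMPv6 (neighbour discovery, PMTU) an IPv6 DROP policy breaks
  # IPv6 connectivity altogether.
  input_rule ip6tables -p icmpv6 -j ACCEPT
  # Policy is switched last, after the allow rules are in place.
  sudo iptables -P INPUT DROP
  sudo ip6tables -P INPUT DROP
  # Pre-answer the debconf prompts so the package saves the live rule set
  # at install time without asking.
  echo 'iptables-persistent iptables-persistent/autosave_v4 boolean true' | sudo debconf-set-selections
  echo 'iptables-persistent iptables-persistent/autosave_v6 boolean true' | sudo debconf-set-selections
  sudo apt-get install -y iptables-persistent
}

#######################################
# Install fail2ban with the default jails (jail.local overrides jail.conf
# and survives package upgrades; an existing jail.local is left untouched).
#######################################
install_fail2ban() {
  sudo apt-get install -y fail2ban
  if ! sudo test -e /etc/fail2ban/jail.local; then
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  fi
}

#######################################
# Write the hardened sshd_config, validate it, back up the old one and
# restart sshd. A config that fails validation is never installed, because
# restarting sshd on a broken file is a remote lockout.
# Globals:   username, sshd_config_path (read)
#######################################
configure_sshd() {
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  # Unquoted delimiter: ${username} expands, everything else is literal.
  cat >"${tmp}" <<EOF
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
# LogLevel INFO
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
#PermitRootLogin yes
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# X11Forwarding yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# AllowUsers ${username}
AllowTcpForwarding no
EOF
  # sshd -t parses the candidate file and exits non-zero on any error.
  sudo sshd -t -f "${tmp}" || die "generated sshd_config fails validation; not installed"
  sudo cp -p -- "${sshd_config_path}" "${sshd_config_path}.bak"
  sudo install -m 644 -o root -g root "${tmp}" "${sshd_config_path}"
  rm -f -- "${tmp}"
  sudo service ssh restart
}

#######################################
# Upgrade every installed package.
#######################################
upgrade_system() {
  sudo apt-get upgrade -y
}

main() {
  setup_user
  install_mosh
  configure_firewall
  install_fail2ban
  configure_sshd
  upgrade_system
}

main "$@"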