/init.sh
forked from tmiller/init.sh
Created Jun 29, 2016
DigitalOcean ubuntu 14.04 server configuration script.
| #!/bin/bash | |
| username="ubuntu" | |
| ssh_pub_key="" | |
| # Setup user | |
| adduser $username | |
| usermod -a -G sudo $username | |
| sudo mkdir -p "/home/${username}/.ssh" | |
| sudo echo "${ssh_pub_key}" > "/home/${username}/.ssh/authorized_keys" | |
| sudo chmod 700 "/home/${username}/.ssh" | |
| sudo chmod 600 "/home/${username}/.ssh/authorized_keys" | |
| sudo chown -R "${username}:${username}" "/home/${username}/.ssh" | |
| # update software repository server | |
| sudo apt-get update -y | |
| sudo apt-get install -y python-software-properties | |
| sudo add-apt-repository -y ppa:keithw/mosh | |
| sudo apt-get update -y | |
| sudo apt-get install -y mosh | |
| # firewall via iptables | |
| sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| sudo iptables -A INPUT -p udp --dport 60000:61000 -j ACCEPT | |
| sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT | |
| sudo iptables -I INPUT 1 -i lo -j ACCEPT | |
| sudo iptables -P INPUT DROP | |
| sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| sudo ip6tables -I INPUT 1 -i lo -j ACCEPT | |
| sudo ip6tables -P INPUT DROP | |
| echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections | |
| echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections | |
| sudo apt-get install -y iptables-persistent | |
| # fail2ban | |
| sudo apt-get install -y fail2ban | |
| sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | |
| # configure sshd | |
| sshd_config="# Package generated configuration file | |
| # See the sshd_config(5) manpage for details | |
| # What ports, IPs and protocols we listen for | |
| Port 22 | |
| # Use these options to restrict which interfaces/protocols sshd will bind to | |
| #ListenAddress :: | |
| #ListenAddress 0.0.0.0 | |
| Protocol 2 | |
| # HostKeys for protocol version 2 | |
| HostKey /etc/ssh/ssh_host_rsa_key | |
| HostKey /etc/ssh/ssh_host_dsa_key | |
| HostKey /etc/ssh/ssh_host_ecdsa_key | |
| #Privilege Separation is turned on for security | |
| UsePrivilegeSeparation yes | |
| # Lifetime and size of ephemeral version 1 server key | |
| KeyRegenerationInterval 3600 | |
| ServerKeyBits 1024 | |
| # Logging | |
| SyslogFacility AUTH | |
| # LogLevel INFO | |
| LogLevel VERBOSE | |
| # Authentication: | |
| LoginGraceTime 120 | |
| #PermitRootLogin yes | |
| PermitRootLogin no | |
| StrictModes yes | |
| RSAAuthentication yes | |
| PubkeyAuthentication yes | |
| #AuthorizedKeysFile %h/.ssh/authorized_keys | |
| # Don't read the user's ~/.rhosts and ~/.shosts files | |
| IgnoreRhosts yes | |
| # For this to work you will also need host keys in /etc/ssh_known_hosts | |
| RhostsRSAAuthentication no | |
| # similar for protocol version 2 | |
| HostbasedAuthentication no | |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
| #IgnoreUserKnownHosts yes | |
| # To enable empty passwords, change to yes (NOT RECOMMENDED) | |
| PermitEmptyPasswords no | |
| # Change to yes to enable challenge-response passwords (beware issues with | |
| # some PAM modules and threads) | |
| ChallengeResponseAuthentication no | |
| # Change to no to disable tunnelled clear text passwords | |
| #PasswordAuthentication yes | |
| PasswordAuthentication no | |
| # Kerberos options | |
| #KerberosAuthentication no | |
| #KerberosGetAFSToken no | |
| #KerberosOrLocalPasswd yes | |
| #KerberosTicketCleanup yes | |
| # GSSAPI options | |
| #GSSAPIAuthentication no | |
| #GSSAPICleanupCredentials yes | |
| # X11Forwarding yes | |
| X11Forwarding no | |
| X11DisplayOffset 10 | |
| PrintMotd no | |
| PrintLastLog yes | |
| TCPKeepAlive yes | |
| #UseLogin no | |
| #MaxStartups 10:30:60 | |
| #Banner /etc/issue.net | |
| # Allow client to pass locale environment variables | |
| AcceptEnv LANG LC_* | |
| Subsystem sftp /usr/lib/openssh/sftp-server | |
| # Set this to 'yes' to enable PAM authentication, account processing, | |
| # and session processing. If this is enabled, PAM authentication will | |
| # be allowed through the ChallengeResponseAuthentication and | |
| # PasswordAuthentication. Depending on your PAM configuration, | |
| # PAM authentication via ChallengeResponseAuthentication may bypass | |
| # the setting of \"PermitRootLogin without-password\". | |
| # If you just want the PAM account and session checks to run without | |
| # PAM authentication, then enable this but set PasswordAuthentication | |
| # and ChallengeResponseAuthentication to 'no'. | |
| UsePAM yes | |
| # AllowUsers $username | |
| AllowTcpForwarding no | |
| " | |
| sudo echo "${sshd_config}" > /etc/ssh/sshd_config | |
| sudo service ssh restart | |
| # update server | |
| sudo apt-get upgrade -y |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment