Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Sets up and hardens an Arch Linux server.
# See for a Debian version of this script.
# Change root password
echo "# Change password of root user"
# Change hostname
echo "# Change hostname"
read hostname
hostname $hostname
# Setup mirror-list
echo "# Finding fastest mirrors"
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.backup
sed -i 's/^#Server/Server/' /etc/pacman.d/mirrorlist.backup
rankmirrors -n 10 /etc/pacman.d/mirrorlist.backup > /etc/pacman.d/mirrorlist
# Self-upgrade
echo "# Update system with pacman"
pacman -Syu
# Create user
echo "# Create new user"
echo "Please enter username:"
read username
useradd -m $username
passwd $username
echo "Please enter public key:"
read publickey
mkdir "/home/"$username"/.ssh/"
echo $publickey > "/home/"$username"/.ssh/authorized_keys"
# Configure sshd
echo "# Configure sshd"
echo "Please enter a ssh port:"
read sshport
echo "# Custom sshd configurations
# Set the ssh port
Port "$sshport"
# Forbid root login
PermitRootLogin no
# End login-attempts after 30s
LoginGraceTime 30s
# Give only one try to auth
MaxAuthTries 1
# Use public key authentication only
PubkeyAuthentication yes
# Find the file in .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# Use the pam authentication module
UsePAM no
# Disable password auth
PasswordAuthentication no
# Disable challenge response
ChallengeResponseAuthentication no
# Limit the maximum number of not-logged-in connections to 2
MaxStartups 2
# Print no default message after login as this will be handeled by pam
PrintMotd no
# Load sftp-subsystem (default arch linux)
Subsystem sftp /usr/lib/ssh/sftp-server
# Add permissions for specific users
AllowUsers "$username > /etc/ssh/sshd_config
# Setup firewall
echo "# Setup firewall with ufw."
pacman -S ufw
ufw default allow outgoing
ufw default deny incoming
ufw allow $sshport/tcp
ufw limit $sshport/tcp
ufw enable
systemctl start ufw
systemctl enable ufw
# Setup auto-update
echo "# Setup auto-update"
echo "[Unit]
Description=Automatic Update
ExecStart=/usr/bin/pacman -Syuq --noconfirm
[Install]" > /etc/systemd/system/autoupdate.service
echo "[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes
[Install]" > /etc/systemd/system/autoupdate.timer
systemctl enable /etc/systemd/system/autoupdate.timer
# Setup timezone and ntp
timedatectl set-timezone Europe/Berlin
timedatectl set-ntp true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment