Secure VPS
# Make the installer executable, then run it as root; it prompts for input.
chmod +x -- setup.sh
sudo -- ./setup.sh
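#!/bin/bash
# Secure VPS bootstrap.
#
# Creates a sudo user with a generated password and SSH key pair, hardens
# sshd (key + TOTP second factor via pam_google_authenticator, no root login,
# no password login), enables ufw and fail2ban, and installs Docker if absent.
#
# Usage:  sudo ./setup.sh          (prompts for the new username)
# Output: the generated password, the user's public key and the TOTP secret
#         file are printed to stdout at the end; run from a private terminal.
#
# Re-running is safe: config lines are appended only once and existing
# sshd options are rewritten in place rather than duplicated.

set -euo pipefail
trap 'printf "error: line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

readonly sshd_config=/etc/ssh/sshd_config
readonly pam_sshd=/etc/pam.d/sshd
readonly docker_keyring=/usr/share/keyrings/docker-archive-keyring.gpg

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Append a line to a root-owned file unless that exact line is already
# present, so repeated runs do not stack duplicate directives.
# Arguments: $1 - file, $2 - line
#######################################
append_once() {
  local file=$1 line=$2
  if ! sudo grep -qxF -- "$line" "$file"; then
    printf '%s\n' "$line" | sudo tee -a -- "$file" >/dev/null
  fi
}

#######################################
# Set an sshd_config option: rewrite an existing (possibly commented-out)
# line in place, otherwise append it. Appending matters because a missing
# PasswordAuthentication line means the default (yes), not "off".
# Globals:   sshd_config (read)
# Arguments: $1 - option name, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if sudo grep -Eq "^#?\s*${key}\s" "$sshd_config"; then
    sudo sed -r -i "s/^#?\s*${key}\s+.*/${key} ${value}/" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" | sudo tee -a -- "$sshd_config" >/dev/null
  fi
}

# Update and upgrade system
echo "Updating and upgrading the system..."
sudo apt update && sudo apt upgrade -y

# Install necessary packages
echo "Installing necessary packages..."
sudo apt install -y whois # For mkpasswd
sudo apt install -y libpam-google-authenticator fail2ban ufw
command -v openssl >/dev/null || die "openssl is required to generate the password"

# Create a new user with sudo access
read -r -p "Enter the new username: " username
[[ -n "$username" ]] || die "username must not be empty"
if id "$username" &>/dev/null; then
  echo "User $username already exists!"
  exit 1
fi
home_dir="/home/$username"

# Generate a random password
password=$(openssl rand -base64 12)

# Create the user and assign the password
sudo adduser --gecos "" "$username" --disabled-password
printf '%s:%s\n' "$username" "$password" | sudo chpasswd
sudo usermod -aG sudo "$username"
echo "User $username created with sudo access."
echo "Generated password for $username: $password"

# Generate SSH key for the new user. The private key stays on the server, so
# this pair serves the user's outbound connections, not logging in here.
sudo -u "$username" mkdir -p "$home_dir/.ssh"
sudo -u "$username" ssh-keygen -t rsa -b 4096 -f "$home_dir/.ssh/id_rsa" -q -N ""
echo "SSH key generated for $username."

# Copy the existing authorized_keys from root or initial user to the new user's .ssh directory
if [[ -f /root/.ssh/authorized_keys ]]; then
  sudo cp /root/.ssh/authorized_keys "$home_dir/.ssh/"
fi
sudo chown -R "$username":"$username" "$home_dir/.ssh"
sudo chmod 700 "$home_dir/.ssh"
if [[ -f "$home_dir/.ssh/authorized_keys" ]]; then
  sudo chmod 600 "$home_dir/.ssh/authorized_keys"
  echo "Authorized keys copied to new user's .ssh directory."
fi

# Outputs the public key
public_key=$(sudo cat "$home_dir/.ssh/id_rsa.pub")

# Lock-out guard: everything below turns off password and root logins, so the
# new user must already hold a key that can open a session.
[[ -s "$home_dir/.ssh/authorized_keys" ]] \
  || die "no authorized_keys for $username (nothing found in /root/.ssh); install the client's public key first"

# Set up SSH to use keys only (disable password login)
echo "Configuring SSH to use keys only..."
sudo cp "$sshd_config" "$sshd_config.bak"
set_sshd_option PasswordAuthentication no
set_sshd_option PermitRootLogin no

# Enables Google Authenticator
# NOTE(review): OpenSSH before 8.7 spells this ChallengeResponseAuthentication;
# confirm the installed sshd honours KbdInteractiveAuthentication.
set_sshd_option KbdInteractiveAuthentication yes
# Require a key plus a second factor. The publickey,password alternative can
# never succeed once PasswordAuthentication is off, so in effect a login needs
# publickey AND keyboard-interactive (the TOTP prompt configured below).
# NOTE(review): this appends at end of file; if sshd_config ends in a Match
# block the directive would be scoped to that block — verify placement.
append_once "$sshd_config" 'AuthenticationMethods publickey,password publickey,keyboard-interactive'
# NOTE(review): newer Ubuntu images ship drop-ins under /etc/ssh/sshd_config.d/
# that can re-enable PasswordAuthentication; check none override the above.

# Enable and configure the firewall
echo "Enabling and configuring the firewall..."
sudo ufw allow OpenSSH
# Ports for Caprover
# sudo ufw allow 80,443,3000,996,7946,4789,2377/tcp;
# sudo ufw allow 7946,4789,2377/udp;
sudo ufw enable

# Configure Google Authenticator
echo "Configuring Google Authenticator for the user..."
sudo cp "$pam_sshd" "$pam_sshd.bak"
append_once "$pam_sshd" 'auth required pam_google_authenticator.so'
# With common-auth disabled below, pam_permit keeps the auth stack from being
# empty, so the TOTP module is the only prompt at the keyboard-interactive step.
append_once "$pam_sshd" 'auth required pam_permit.so'
sudo sed -i '/^@include common-auth/s/^/#/' "$pam_sshd"
# -t time-based, -d disallow code reuse, -f write without prompting,
# -r 3 -R 30 rate limit, -W minimal window. The secret and scratch codes land
# in ~/.google_authenticator and are printed at the end of this script.
sudo runuser -l "$username" -c 'google-authenticator -t -d -f -r 3 -R 30 -W'

# Validate the config before restarting so a typo cannot leave sshd down.
sudo sshd -t
sudo systemctl restart sshd

# Configure Fail2Ban
echo "Configuring Fail2Ban..."
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check if Docker is installed
if ! command -v docker &>/dev/null; then
  echo "Docker is not installed. Installing Docker..."
  # Update the apt package index
  sudo apt-get update
  # Install required packages
  sudo apt-get install -y ca-certificates curl gnupg lsb-release
  # Add Docker’s official GPG key
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    | sudo gpg --dearmor -o "$docker_keyring"
  # Set up the stable repository
  printf 'deb [arch=%s signed-by=%s] https://download.docker.com/linux/ubuntu %s stable\n' \
    "$(dpkg --print-architecture)" "$docker_keyring" "$(lsb_release -cs)" \
    | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
  # Install Docker Engine
  sudo apt-get update
  sudo apt-get install -y docker-ce docker-ce-cli containerd.io
  # Add current user to the Docker group. Under sudo $USER is root, so use
  # SUDO_USER for the invoking account. Membership in the docker group is
  # root-equivalent on the host; grant it deliberately.
  docker_user=${SUDO_USER:-${USER:-}}
  if [[ -n "$docker_user" ]]; then
    sudo usermod -aG docker "$docker_user"
  fi
  sudo usermod -aG docker "$username"
  # Do not run `newgrp docker` here: it replaces the script's shell with an
  # interactive one and stalls the run until the operator exits. Group
  # membership applies at the next login.
  echo "Docker installed successfully."
  echo "Log out and back in for docker group membership to take effect."
else
  echo "Docker is already installed."
fi

echo "Server security enhancement is complete."
echo ""
echo "------------"
echo "Host: $(hostname)"
echo "Username: $username"
echo "Password: $password"
echo "------------"
echo "Public key: $public_key"
echo "------------"
echo "2FA: $(sudo cat "$home_dir/.google_authenticator")"
echo "------------"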