@lindesvard
Created June 9, 2024 10:13
Secure VPS
chmod +x setup.sh
sudo ./setup.sh
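#!/usr/bin/env bash
#
# Harden a fresh Ubuntu/Debian VPS:
#   - create a sudo user with a generated password and SSH keypair
#   - restrict sshd to key + TOTP (Google Authenticator) login, no root login
#   - enable ufw (OpenSSH only) and fail2ban
#   - install Docker if absent
#
# Usage:   sudo ./setup.sh   (prompts for the new username on stdin)
# Output:  a summary with the generated password, public key and TOTP secret is
#          printed to stdout at the end — capture it somewhere safe and clear
#          your terminal scrollback afterwards.
#
# Every step is idempotent where the original was not (sshd_config / pam.d
# lines are replaced instead of appended twice), and sshd_config is validated
# with `sshd -t` before each restart so a typo cannot lock you out of SSH.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly PAM_SSHD=/etc/pam.d/sshd

# Filled in by create_user, consumed by print_summary.
username=
password=
public_key=

# Print a message to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Refresh package lists and install everything the rest of the script needs.
# `whois` provides mkpasswd; the others are the 2FA PAM module, fail2ban, ufw.
install_packages() {
  echo "Updating and upgrading the system..."
  sudo apt update && sudo apt upgrade -y
  echo "Installing necessary packages..."
  sudo apt install -y whois libpam-google-authenticator fail2ban ufw
}

# Set `key value` in sshd_config: replace an existing (possibly commented-out)
# line, otherwise append. Replacing instead of `tee -a` keeps reruns idempotent.
# NOTE: like the original sed, this rewrites every matching line, including
# ones inside a trailing `Match` block, and an appended line lands inside such
# a block — check the file if you maintain Match sections.
# Arguments: $1 - option name, $2 - option value
set_sshd_option() {
  local key=$1 value=$2
  if sudo grep -Eq "^#?[[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG"; then
    sudo sed -ri "s|^#?[[:space:]]*${key}[[:space:]]+.*|${key} ${value}|" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" | sudo tee -a "$SSHD_CONFIG" >/dev/null
  fi
}

# Validate sshd_config and restart sshd only if it parses; a broken config
# would otherwise leave the box unreachable over SSH.
restart_sshd() {
  sudo sshd -t || die "sshd_config failed validation; sshd was NOT restarted"
  sudo systemctl restart sshd
}

# Create the sudo user, give it a random password, an RSA keypair, and a copy
# of root's authorized_keys. Sets the globals username, password, public_key.
create_user() {
  read -rp "Enter the new username: " username
  [[ -n "$username" ]] || die "username must not be empty"
  if id "$username" &>/dev/null; then
    die "User $username already exists!"
  fi

  local home="/home/$username"
  password=$(openssl rand -base64 12)
  sudo adduser --gecos "" "$username" --disabled-password
  printf '%s:%s\n' "$username" "$password" | sudo chpasswd
  sudo usermod -aG sudo "$username"
  echo "User $username created with sudo access."

  # Keypair for the new user; ssh-keygen already creates id_rsa mode 600.
  sudo -u "$username" mkdir -p "$home/.ssh"
  sudo -u "$username" ssh-keygen -t rsa -b 4096 -f "$home/.ssh/id_rsa" -q -N ""
  echo "SSH key generated for $username."

  # Carry over whatever key the provider installed for root so the new user
  # can log in with the key you already hold.
  if [[ -f /root/.ssh/authorized_keys ]]; then
    sudo cp /root/.ssh/authorized_keys "$home/.ssh/"
  fi
  sudo chown -R "$username:$username" "$home/.ssh"
  sudo chmod 700 "$home/.ssh"
  if [[ -f "$home/.ssh/authorized_keys" ]]; then
    sudo chmod 600 "$home/.ssh/authorized_keys"
  fi
  echo "Authorized keys copied to new user's .ssh directory."

  public_key=$(sudo cat "$home/.ssh/id_rsa.pub")
}

# Disable password and root login, require publickey + TOTP.
harden_sshd() {
  echo "Configuring SSH to use keys only..."
  sudo cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
  set_sshd_option PasswordAuthentication no
  set_sshd_option PermitRootLogin no
  # keyboard-interactive is the channel PAM uses for the TOTP prompt.
  # On OpenSSH < 8.7 the keyword is ChallengeResponseAuthentication; if
  # `sshd -t` rejects the line, adjust it there.
  set_sshd_option KbdInteractiveAuthentication yes
  # Kept verbatim from the original: with PasswordAuthentication=no the first
  # alternative (publickey,password) can never succeed, so effectively only
  # publickey + TOTP is accepted.
  set_sshd_option AuthenticationMethods "publickey,password publickey,keyboard-interactive"
  # NOTE(review): Ubuntu 22.04+ ships `Include /etc/ssh/sshd_config.d/*.conf`
  # at the top of sshd_config, and a drop-in there (e.g. cloud-init's) may
  # set PasswordAuthentication first; verify with `sudo sshd -T | grep -i passwordauth`.
  restart_sshd
}

# Allow SSH, then enable ufw non-interactively.
configure_firewall() {
  echo "Enabling and configuring the firewall..."
  sudo ufw allow OpenSSH
  # Ports for Caprover
  # sudo ufw allow 80,443,3000,996,7946,4789,2377/tcp;
  # sudo ufw allow 7946,4789,2377/udp;
  # --force skips the "may disrupt existing ssh connections" prompt.
  sudo ufw --force enable
}

# Append a PAM rule to /etc/pam.d/sshd unless it is already present.
# Arguments: $1 - the full rule line
add_pam_rule() {
  local rule=$1
  if ! sudo grep -Fxq -- "$rule" "$PAM_SSHD"; then
    printf '%s\n' "$rule" | sudo tee -a "$PAM_SSHD" >/dev/null
  fi
}

# Wire pam_google_authenticator into sshd and enrol the new user.
configure_2fa() {
  echo "Configuring Google Authenticator for the user..."
  sudo cp "$PAM_SSHD" "$PAM_SSHD.bak"
  add_pam_rule "auth required pam_google_authenticator.so"
  add_pam_rule "auth required pam_permit.so"
  # Disable the password check in the keyboard-interactive flow so only the
  # TOTP prompt remains (passwords are already off in sshd_config).
  sudo sed -i '/^@include common-auth/s/^/#/' "$PAM_SSHD"
  # -t time-based, -d disallow token reuse, -f non-interactive, -r/-R rate
  # limit (3 logins per 30 s), -W minimal window.
  sudo runuser -l "$username" -c 'google-authenticator -t -d -f -r 3 -R 30 -W'
  restart_sshd
}

configure_fail2ban() {
  echo "Configuring Fail2Ban..."
  sudo systemctl enable fail2ban
  sudo systemctl start fail2ban
}

# Install Docker Engine from Docker's apt repository if `docker` is missing.
install_docker() {
  if command -v docker &>/dev/null; then
    echo "Docker is already installed."
    return 0
  fi
  echo "Docker is not installed. Installing Docker..."
  sudo apt-get update
  sudo apt-get install -y ca-certificates curl gnupg lsb-release

  # Docker's official GPG key; --yes overwrites the keyring on rerun instead
  # of prompting.
  local keyring=/usr/share/keyrings/docker-archive-keyring.gpg
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    | sudo gpg --dearmor --yes -o "$keyring"

  local arch codename
  arch=$(dpkg --print-architecture)
  codename=$(lsb_release -cs)
  printf 'deb [arch=%s signed-by=%s] https://download.docker.com/linux/ubuntu %s stable\n' \
    "$arch" "$keyring" "$codename" \
    | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null

  sudo apt-get update
  sudo apt-get install -y docker-ce docker-ce-cli containerd.io

  # The script runs under sudo, so $USER is root; SUDO_USER is the admin who
  # invoked it. Group membership only applies to new login sessions —
  # `newgrp docker` would merely open an interactive subshell here, so it is
  # not used.
  sudo usermod -aG docker "${SUDO_USER:-$USER}"
  sudo usermod -aG docker "$username"
  echo "Docker installed successfully. Log out and back in for docker group membership to apply."
}

# Print the credentials the admin needs to log in. These are secrets.
print_summary() {
  echo "Server security enhancement is complete."
  echo ""
  echo "------------"
  echo "Host: $(hostname)"
  echo "Username: $username"
  echo "Password: $password"
  echo "------------"
  echo "Public key: $public_key"
  echo "------------"
  echo "2FA: $(sudo cat "/home/$username/.google_authenticator")"
  echo "------------"
}

main() {
  install_packages
  create_user
  harden_sshd
  configure_firewall
  configure_2fa
  configure_fail2ban
  install_docker
  print_summary
}

main "$@"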