Skip to content

Instantly share code, notes, and snippets.

@lrobert
Last active August 3, 2023 20:04
  • Star 5 You must be signed in to star a gist
  • Fork 4 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save lrobert/6816181 to your computer and use it in GitHub Desktop.
Ubuntu Base Server Configuration/Hardening Script
#!/bin/bash
#
# Lee Robert's Base Ubuntu Installation script for use on Digital Ocean (Or any other ubuntu install really.)
# Made and tested with Ubuntu 13.04 64bit
#
# Steps:
# 01. Secure Root User
# 02. Make .bashrc print out pretty colors (and root's prompt will be red)
# 03. Create a local user
# 04. Update sudoers file so only root + local user can use sudo
# 05. Harden ssh. If root has authorized_keys we'll make our local user use that and disable password auth for ssh
# 06. Upgrade the system
# 07. Install fail2ban
# 08. Enable unattended security updates
# 09. Configure logwatch (emails log summaries)
# 10. Setup time syncronization
# 11. Setup localtime (hard-coded Canada/Eastern)
# 12. Turn on firewall with SSH access allowed
# 13. Install New Relic daemon if we have an api key.
#
# TODO:
# - Better timezone selection
# - Better firewall rules (such as specifying an ip address to allow ssh from.
# - Investigate RBAC
# - Investigate Roles
# - Investigate what kernel parameters need to be set in /etc/sysctl.conf
# - Configure the OOM
# - Uninstall unneeded software
#
# Written by Lee Robert (https://github.com/lrobert)
#
# Detect if we are running as root (or using sudo)
if [ `id -u` != 0 ]; then
echo -e "\nScript must be run as root. Please use sudo to run this script or login as root.\n";
exit 1;
fi
TIMEZONE="/usr/share/zoneinfo/Canada/Eastern"
NEW_USER_NAME=""
SYS_ADMIN_EMAIL=""
echo -e "Timezone: $TIMEZONE"
echo -e "If you want a different timezone you must edit the script.\n"
while [ -z "$NEW_USER_NAME" ]; do
echo -e -n "Please enter the name of your new user: "
read NEW_USER_NAME
done
while [ -z "$SYS_ADMIN_EMAIL" ]; do
echo -e -n "Please enter the email of your system admin (for email logs):"
read SYS_ADMIN_EMAIL
done
# http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
# Update Root Password
# -----------------------
echo -e "Please change the password for ROOT."
passwd root
# Enable color prompt and change color code from 32 to 31 for root
# and just enable color prompt for all new users
# -----------------------
echo -e "\nUpdating .bashrc to enable fancy colors.\n"
sed -i -e 's/#force_color_prompt/force_color_prompt/g' /root/.bashrc
sed -i -e 's/32m/31m/g' /root/.bashrc
sed -i -e 's/#force_color_prompt/force_color_prompt/g' /etc/skel/.bashrc
# Create new user (voziv)
echo -e "Creating new user: $NEW_USER_NAME\n"
useradd -m -s /bin/bash $NEW_USER_NAME
echo -e "Please change the password for $NEW_USER_NAME\n"
passwd $NEW_USER_NAME
# Update sudoers file
sed -i -e "s/%admin/#%admin/g" /etc/sudoers
sed -i -e "s/%sudo/#%sudo/g" /etc/sudoers
sed -i -e "s/root\tALL=(ALL:ALL) ALL/root\tALL=(ALL:ALL) ALL\n$NEW_USER_NAME\tALL=(ALL:ALL) ALL/g" /etc/sudoers
# Disable Password Auth in ssh (MAKE SURE YOU HAVE authorized_keys SET UP BEFORE DOING THIS!!!!)
sed -i -e 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
echo -e "\nAllowUsers $NEW_USER_NAME\n" >> /etc/ssh/sshd_config
# If we have authorized_keys set up in root we'll copy them over
# to our new user and disable password auth
if [ -a "/root/.ssh/authorized_keys" ]; then
if [[ $(stat -c%s "/root/.ssh/authorized_keys") -gt 10 ]]; then
echo -e "Detected authorized_keys file. Copying to $NEW_USER_NAME and disabled password authentication via SSH.\n"
mkdir /home/$NEW_USER_NAME/.ssh
cp /root/.ssh/authorized_keys /home/$NEW_USER_NAME/.ssh/authorized_keys
chown -R $NEW_USER_NAME:$NEW_USER_NAME /home/$NEW_USER_NAME/
chmod 700 /home/$NEW_USER_NAME/.ssh
chmod 400 /home/$NEW_USER_NAME/.ssh/authorized_keys
sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
fi
fi
echo -e "\nRestarting SSH service.\n"
service ssh restart
# Update and Upgrade the system
echo -e "\nRunning Update and Upgrade on the system.\n"
echo -e "\n When prompted about grub's menu.lst please keep the original!\n"
echo -e "\n When prompted about grub's menu.lst please keep the original!\n"
echo -e "\n When prompted about grub's menu.lst please keep the original!\n"
apt-get update -qq
apt-get upgrade -y -qq
# NOTE: Don't update the grub menu.lst just to be safe.
# Install fail2ban
echo -e "\n Installing fail2ban.\n"
apt-get fail2ban -y -qq
sed -i -e "s/destemail = root@localhost/$SYS_ADMIN_EMAIL/g" /etc/fail2ban/jail.conf
sed -e "s/\[recidive\]\\n/lols/g" /etc/fail2ban/jail.conf
# Allow unattended updates
# -----------------------
echo -e "\n Setting up unattended upgrades!\n"
apt-get install unattended-upgrades -y -qq
echo -e "APT::Periodic::Update-Package-Lists \"1\";" >> /etc/apt/apt.conf.d/10periodic
echo -e "APT::Periodic::Download-Upgradeable-Packages \"1\";" >> /etc/apt/apt.conf.d/10periodic
echo -e "APT::Periodic::AutocleanInterval \"7\";" >> /etc/apt/apt.conf.d/10periodic
echo -e "APT::Periodic::Unattended-Upgrade \"1\";" >> /etc/apt/apt.conf.d/10periodic
# This already allows what we need
# nano /etc/apt/apt.conf.d/50unattended-upgrades
# Unattended-Upgrade::Allowed-Origins {
# "Ubuntu lucid-security";
# // "Ubuntu lucid-updates";
# };
# Install logwatch
echo -e "\n Setting up logwatch.\n"
apt-get install logwatch -y -qq
sed -i -e 's/\/usr\/sbin\/logwatch/#\/usr\/sbin\/logwatch/g' /etc/cron.daily/00logwatch
echo -e "\n/usr/sbin/logwatch --mailto $SYS_ADMIN_EMAIL --detail high --format html\n" >> /etc/cron.daily/00logwatch
# Install additional packages
echo -e "\n Installing htop, git, and sysstat.\n"
apt-get install htop git sysstat -y -qq
# Set up Daily Time Syncro
echo -e "\n Setting up ntpdate.\n"
echo -e "ntpdate us.pool.ntp.org ntp.ubuntu.com" > /etc/cron.daily/ntpdate && chmod +x /etc/cron.daily/ntpdate
# Set up localtime
echo -e "\n Setting Timezone to $TIMEZONE.\n"
cp $TIMEZONE /etc/localtime
echo -e "\n Firewalling Server [SSH is ALLOWED].\n"
ufw allow ssh && ufw enable
# Install New Relic
NEW_RELIC_KEY=""
echo -e -n "Enter New Relic license key (blank to skip): "
read NEW_RELIC_KEY
if [[ ! -z "$NEW_RELIC_KEY" ]]; then
echo -e "\n Installing New Relic.\n"
echo -e "deb http://apt.newrelic.com/debian/ newrelic non-free" > /etc/apt/sources.list.d/newrelic.list
wget -O- https://download.newrelic.com/548C16BF.gpg | apt-key add -
apt-get update -y -qq
apt-get install newrelic-sysmond -y -qq
nrsysmond-config --set license_key=$NEW_RELIC_KEY
/etc/init.d/newrelic-sysmond start
else
echo -e "\n Skipping New Relic.\n"
fi
# PHP Lets use onedrej's repository to get the latest version
# apt-get install software-properties-common python-software-properties python3-software-properties
# sudo apt-add-repository ppa:ondrej/php5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment