@marrold
Last active July 9, 2018 22:19
Initial Boot Script
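#!/bin/sh
# Disable root login and password logins over SSH.
#
# sshd keeps the first value it reads for each keyword, so both settings are
# inserted at the very top of the file, ahead of any Include or Match line.
# A setting appended at the end of the file would lose to an active line
# above it (for example an uncommented "PasswordAuthentication yes") or end
# up inside a trailing Match block.
# Active occurrences further down are commented out so the file shows a
# single effective value; note this also comments out occurrences inside
# Match blocks.
# Requires GNU sed (-i, -E and the one-line form of the `i` command).
sshd_config=/etc/ssh/sshd_config
sed -i -E \
  -e 's/^([[:space:]]*)((PermitRootLogin|PasswordAuthentication)[[:space:]])/\1#\2/' \
  -e '1i PermitRootLogin no' \
  -e '1i PasswordAuthentication no' \
  "$sshd_config"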
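# Update and install packages.
# apt-get is used because apt's command-line interface is not meant for
# scripts, and DEBIAN_FRONTEND=noninteractive keeps an unattended first boot
# from blocking on a configuration prompt.
# --with-new-pkgs matches what `apt upgrade` does (it may install new
# dependencies but never removes packages).
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --with-new-pkgs
# Each continuation needs a space before the backslash: a backslash-newline
# is removed entirely, so "-y\" directly followed by "git\" would be read
# as the single word "-ygit...".
DEBIAN_FRONTEND=noninteractive apt-get install -y \
  git \
  tcpdump \
  htop \
  vim \
  sudo \
  fail2ban \
  mtr \
  net-tools \
  screen \
  qemu-guest-agent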
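# Add the default user: home directory created, bash as login shell, member
# of the sudo group.
useradd -m -s /bin/bash -G sudo matthew
# Double check they belong to sudo group (covers an account that already
# existed, in which case useradd changes nothing).
usermod -a -G sudo matthew
# Force the user to change their password at first login.
# NOTE(review): `passwd -d` leaves the account with an EMPTY password until
# that first login. Together with the passwordless sudo rule below, anything
# that accepts an empty password for this account (console or serial login,
# su from another local account - depends on the PAM configuration, confirm)
# leads straight to root. Setting a random one-time password, or locking the
# password and relying on the SSH key only, closes that window.
passwd -d matthew
chage -d 0 matthew
# Allow members of the sudo group to run sudo without a password.
# The script already runs as root, so visudo is called directly; the grep
# guard keeps a re-run from appending the same rule twice. visudo still
# syntax-checks the result before installing it.
sudoers_rule='%sudo ALL=NOPASSWD: ALL'
grep -qxF -- "$sudoers_rule" /etc/sudoers ||
  echo "$sudoers_rule" | EDITOR='tee -a' visudo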
# Add ssh key
# The `>` redirect replaces any existing authorized_keys, so this public key
# becomes the only one accepted for matthew. The script turns SSH password
# logins off earlier, which makes this key the only remote way in: if this
# step fails, the host is unreachable over SSH after the reboot.
echo "Install SSH Key"
mkdir -p /home/matthew/.ssh
echo ssh-rsa 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 matthew.harrold@matthewharrolds-MacBook-Air.local > /home/matthew/.ssh/authorized_keys
# Fix permissions
# Everything above was created by root, so ownership of the whole home
# directory is handed to matthew. .ssh is then limited to the owner (700)
# and authorized_keys to owner read/write (600); sshd's StrictModes check
# rejects keys kept in files or directories that other users can write to.
chown -R matthew:matthew /home/matthew
chmod 700 /home/matthew/.ssh
chmod 600 /home/matthew/.ssh/authorized_keys
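# Fix vim: `set mouse-=a` removes the "a" (all modes) flag from vim's mouse
# option, so the terminal's own select/copy/paste keeps working.
echo 'set mouse-=a' > /root/.vimrc
echo 'set mouse-=a' > /home/matthew/.vimrc
# This file is written by root after the recursive chown of the home
# directory, so it would stay root-owned; hand it to matthew explicitly.
chown matthew:matthew /home/matthew/.vimrc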
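# Setup IPTables
# Writes an IPv4 ruleset that drops inbound traffic by default and accepts
# only established/related flows, loopback, new SSH connections on port 22
# and ICMP types 8 (echo request) and 11 (time exceeded).
# Both files are written with `>` rather than `>>` so that a re-run replaces
# them instead of stacking a second copy of the ruleset and of the hook.
#
# NOTE(review): only iptables (IPv4) is configured. No ip6tables rules are
# loaded, so inbound IPv6 is not filtered by this script.
# NOTE(review): the FORWARD policy is ACCEPT; it only matters if IP
# forwarding is enabled on the host, but DROP is the safer default for a
# machine that is not a router.
# NOTE(review): the ruleset pre-creates a chain named fail2ban-ssh. Newer
# fail2ban releases manage their own f2b-<jail> chains - confirm against the
# installed version whether this chain is still used.
# NOTE(review): iptables is not in the package list of this script;
# presumably it comes with the base image or as a fail2ban dependency -
# verify that /sbin/iptables-restore exists.
cat << 'EOF' > /etc/iptables.rules
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# ICMP
-A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
-A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
COMMIT
EOF
# Hook that loads the ruleset before an interface is brought up.
# This only takes effect when the interfaces are managed by ifupdown.
cat << 'EOF' > /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules
EOF
# ifupdown runs these hooks through run-parts, which skips files that are
# not executable. Without this chmod the ruleset is never loaded at boot.
chmod 755 /etc/network/if-pre-up.d/iptables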
# Reboot
# After the restart the upgraded packages are running and sshd starts with
# the edited sshd_config. Root and password SSH logins are meant to be off
# from this point, so the key installed for matthew is the way back in.
reboot