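#!/bin/bash
#
# fresh-ubuntu-docker.sh -- one-shot hardening of a fresh Ubuntu host, with an
# optional Docker install at the end.
#
# Steps, in order:
#   1. move sshd to port 2022 and forbid root login
#   2. add a matching fail2ban jail
#   3. first run only: default-deny IPv6 in netfilter and replace
#      /etc/sysctl.conf with a hardened one (the old file is kept as
#      /etc/sysctl.conf.bak, which is also the "already done" marker)
#   4. raise the open-file limit, enable unattended security upgrades
#   5. install a boot-time unit that disables transparent hugepages
#   6. offer to run Docker's convenience installer
#
# Must run as root. Re-running is safe: every append is guarded so lines are
# not duplicated, and step 3 is skipped once its marker file exists.
set -euo pipefail

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

if [ "$(id -u)" != "0" ]; then
  echo "This script must be run as root!" 1>&2
  exit 1
fi

export DEBIAN_FRONTEND=noninteractive

# add-apt-repository is shipped by software-properties-common, so that package
# has to be installed before the universe component can be enabled (minimal
# images do not have it preinstalled).
apt-get update
apt-get -y install software-properties-common
add-apt-repository -y universe
# Split rather than chained with &&: under set -e a failing first command in
# an && list does not abort the script.
apt-get update
apt-get upgrade -y
apt-get -y install ntpdate fail2ban apt-transport-https ca-certificates software-properties-common

echo "1. update sshd_config" 1>&2
# Anchored so only the stock commented-out line is rewritten (an unanchored
# "#Port 22" would also mangle e.g. "#Port 2222").
sed -i -e "s/^#Port 22$/Port 2022/" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config
sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
# Validate before restarting: a config that sshd refuses to load would leave
# no way back in once the current session drops.
sshd -t || die "sshd_config failed validation; not restarting sshd"
# NOTE(review): on releases where sshd is socket-activated the listening port
# is taken from ssh.socket rather than sshd_config -- confirm for the target
# release that port 2022 is actually bound after the restart.
systemctl restart ssh

echo "2. update fail2ban.conf" 1>&2
# jail.conf is overwritten on package upgrades; local jails belong in
# jail.local. Guard on the section header so re-runs do not duplicate it.
# Quoted heredoc: "%(sshd_log)s" is fail2ban interpolation, not shell.
if ! grep -q '^\[sshd2\]' /etc/fail2ban/jail.local 2>/dev/null; then
  cat <<'EOF' >>/etc/fail2ban/jail.local


[sshd2]

port = 2022
logpath = %(sshd_log)s
enabled = true
filter = sshd
maxretry = 6

EOF
fi
# Reload so the new jail is active now, not only after the next reboot.
systemctl restart fail2ban

if [ ! -f /etc/sysctl.conf.bak ]; then
  # Default-deny IPv6 at the netfilter level as well. These policies are not
  # persisted by this script; IPv6 is disabled outright in sysctl below, so
  # they only matter until the reboot.
  ip6tables -P INPUT DROP
  ip6tables -P OUTPUT DROP
  ip6tables -P FORWARD DROP
  mv /etc/sysctl.conf /etc/sysctl.conf.bak
  cat <<'EOF' >/etc/sysctl.conf
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Enable overcommit memory
vm.overcommit_memory = 1
# Tweaks for redis and elasticsearch
net.core.somaxconn = 524288
vm.max_map_count = 524288
fs.file-max = 524288
fs.inotify.max_user_watches = 524288
# swap
vm.swappiness = 10
EOF
  sysctl -p
fi

# Raise the open-file limit; guarded so re-runs do not stack duplicate lines.
if ! grep -q '^\* soft nofile 400000' /etc/security/limits.conf; then
  printf '%s\n' "* soft nofile 400000" >> /etc/security/limits.conf
  printf '%s\n' "* hard nofile 400000" >> /etc/security/limits.conf
fi

# Keep the distro's 10periodic next to its replacement instead of in /tmp
# (world-writable, cleared on boot). apt ignores *.bak in apt.conf.d, and the
# copy is only taken once so a re-run cannot overwrite the original backup.
if [ -f /etc/apt/apt.conf.d/10periodic ] && [ ! -f /etc/apt/apt.conf.d/10periodic.bak ]; then
  cp -a /etc/apt/apt.conf.d/10periodic /etc/apt/apt.conf.d/10periodic.bak
fi
cat <<'EOF' >/etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
# allow cleanup for auto security update
sed -i -e "s/\/\/Unattended-Upgrade::Remove-Unused-Dependencies \"false\"/Unattended-Upgrade::Remove-Unused-Dependencies \"true\"/g" /etc/apt/apt.conf.d/50unattended-upgrades

# disable transparent hugepage for redis and mongo
cat <<'EOF' >/etc/my-startup.sh
#!/bin/bash
# Disable Transparent Hugepage
#
echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo never > /sys/kernel/mm/transparent_hugepage/defrag
exit 0
EOF
# systemd execs this file directly, so it needs a valid shebang (the original
# wrote "##!/bin/bash", which the kernel does not recognise) and the
# executable bit, which was never set.
chmod 755 /etc/my-startup.sh

# enable my-startup
# ConditionPathExists takes a single path; the original value
# "/bin/bash /etc/my-startup.sh" never exists, so the unit was always skipped.
# Type=oneshot matches a script that runs to completion without forking.
cat <<'EOF' >/etc/systemd/system/my-startup.service
[Unit]
Description=My Startup Service
After=network.target
ConditionPathExists=/etc/my-startup.sh
[Service]
Type=oneshot
ExecStart=/etc/my-startup.sh
TimeoutSec=0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
chmod 644 /etc/systemd/system/my-startup.service
systemctl daemon-reload
systemctl enable my-startup
# status exits non-zero for a unit that is enabled but not yet active; it is
# informational only, so do not let it abort the script under set -e.
systemctl --no-pager status my-startup.service || true

read -p "Install docker? " -n 1 -r || true
echo
if [[ "${REPLY:-}" =~ ^[Yy]$ ]]; then
  # Fetch the installer into a private temp dir (not the cwd) over HTTPS only;
  # it runs as root, so keep the file around long enough to be inspected if
  # the install fails.
  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$tmpdir"' EXIT
  curl -fsSL --proto '=https' --tlsv1.2 https://get.docker.com -o "$tmpdir/get-docker.sh"
  sh "$tmpdir/get-docker.sh"
fi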