fresh-ubuntu-docker.sh
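#!/bin/bash
# fresh-ubuntu-docker.sh — first-boot hardening for a fresh Ubuntu host, with an
# optional Docker install at the end.
#
# Steps, in order:
#   1. install ntpdate, fail2ban, unattended-upgrades and the apt repo tooling
#   2. move sshd to SSH_PORT (default 2022) and set PermitRootLogin no
#   3. add a fail2ban jail watching the new sshd port
#   4. write a hardened /etc/sysctl.conf (first run only) and raise nofile limits
#   5. turn on periodic unattended security upgrades
#   6. install a boot-time unit that disables transparent hugepages
#   7. optionally run Docker's convenience installer
#
# Usage: sudo ./fresh-ubuntu-docker.sh
# Env:   SSH_PORT — sshd listening port to configure (default 2022)
#
# Everything here writes under /etc and restarts sshd. Run it from a console
# or a session you can afford to lose, and make sure a non-root sudo account
# exists BEFORE running it: step 2 forbids root logins over SSH.

set -euo pipefail

readonly SSH_PORT="${SSH_PORT:-2022}"
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly FAIL2BAN_JAIL=/etc/fail2ban/jail.d/sshd2.local
readonly LIMITS_CONF=/etc/security/limits.conf
readonly STARTUP_SCRIPT=/etc/my-startup.sh
readonly STARTUP_UNIT=/etc/systemd/system/my-startup.service

export DEBIAN_FRONTEND=noninteractive

#######################################
# Print a message to stderr and abort with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Progress message on stderr (stdout is left to the tools being run).
# Arguments: message words
#######################################
step() {
  printf '%s\n' "$*" >&2
}

#######################################
# Append a line to a file unless that exact line is already present, so
# re-running the script does not stack duplicate entries.
# Arguments: $1 - line, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >>"$file"
}

#######################################
# Abort unless running as uid 0; every later step writes to /etc.
#######################################
require_root() {
  [[ "$(id -u)" == "0" ]] || die "This script must be run as root!"
}

#######################################
# Base packages. software-properties-common is installed first because it
# provides add-apt-repository, which the original order invoked before
# installing it. unattended-upgrades is needed for the 50unattended-upgrades
# edit and the APT::Periodic setting below to have any effect.
#######################################
install_base_packages() {
  apt-get update
  apt-get -y install software-properties-common
  add-apt-repository -y universe
  apt-get update
  apt-get upgrade -y
  apt-get -y install ntpdate fail2ban unattended-upgrades apt-transport-https \
    ca-certificates software-properties-common
}

#######################################
# Move sshd to SSH_PORT and forbid root logins. The daemon is only restarted
# after its configuration validates and the effective settings are confirmed —
# restarting sshd with a broken config is how you lose the only way back in.
# Globals: SSH_PORT, SSHD_CONFIG
#######################################
harden_sshd() {
  step "1. update sshd_config"
  # Keep a pristine copy from the first run so the edits can be reverted.
  [[ -f "${SSHD_CONFIG}.orig" ]] || cp -a -- "$SSHD_CONFIG" "${SSHD_CONFIG}.orig"
  # SSH_PORT is validated as digits-only in main(), so it is safe inside sed.
  sed -i \
    -e "s/^#Port 22$/Port ${SSH_PORT}/" \
    -e "s/^#PermitRootLogin prohibit-password$/PermitRootLogin no/" \
    -e "s/^PermitRootLogin yes$/PermitRootLogin no/" \
    "$SSHD_CONFIG"

  # `sshd -T` both validates the file and prints the effective (post-Include)
  # settings in lowercase, so it catches a drop-in that overrides our edit.
  local effective
  effective=$(sshd -T) || die "sshd_config failed validation; sshd NOT restarted"
  grep -Eq '^port '"${SSH_PORT}"'$' <<<"$effective" \
    || die "effective sshd port is not ${SSH_PORT} (no '#Port 22' line to rewrite?)"
  grep -Eq '^permitrootlogin no$' <<<"$effective" \
    || die "effective PermitRootLogin is not 'no'; check ${SSHD_CONFIG} and sshd_config.d"

  # Ubuntu's unit is ssh.service (sshd is only an alias).
  systemctl restart ssh
  # NOTE(review): on releases where sshd is socket-activated (ssh.socket) the
  # listening port may come from the socket unit rather than sshd_config, and
  # any host firewall still needs the new port opened. Confirm with
  # `ss -tlnp` and a second SSH session before closing this one.
}

#######################################
# fail2ban jail for the new sshd port. jail.conf is owned by the package and
# overwritten on upgrade; jail.d/*.local is read last and survives upgrades.
# Globals: SSH_PORT, FAIL2BAN_JAIL
#######################################
configure_fail2ban() {
  step "2. update fail2ban.conf"
  if [[ ! -f "$FAIL2BAN_JAIL" ]]; then
    cat <<EOF >"$FAIL2BAN_JAIL"
[sshd2]

port = ${SSH_PORT}
logpath = %(sshd_log)s
enabled = true
filter = sshd
maxretry = 6
EOF
  fi
  # The service was started at install time with the old jail set; reload it
  # so the new jail is actually active.
  systemctl restart fail2ban
}

#######################################
# Replace /etc/sysctl.conf with the hardened set and default-deny ip6tables.
# Runs only once: /etc/sysctl.conf.bak marks that the stock file was saved.
#######################################
harden_kernel() {
  if [[ -f /etc/sysctl.conf.bak ]]; then
    return 0
  fi
  # IPv6 is disabled in the sysctl set below; drop every ip6tables chain as
  # well so nothing leaks through before the sysctls take effect.
  if command -v ip6tables >/dev/null; then
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT DROP
    ip6tables -P FORWARD DROP
  fi
  if [[ -f /etc/sysctl.conf ]]; then
    mv /etc/sysctl.conf /etc/sysctl.conf.bak
  else
    # No stock file to save; still create the marker so this block stays one-shot.
    : >/etc/sysctl.conf.bak
  fi
  cat <<'EOF' >/etc/sysctl.conf
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Enable overcommit memory
vm.overcommit_memory = 1
# Tweaks for redis and elasticsearch
net.core.somaxconn = 524288
vm.max_map_count = 524288
fs.file-max = 524288
fs.inotify.max_user_watches = 524288
# swap
vm.swappiness = 10
EOF
  # Some keys (e.g. net.ipv6.*) are absent on kernels/containers without that
  # feature; report but keep going, later steps do not depend on them.
  sysctl -p || printf 'warn: sysctl -p reported errors; review /etc/sysctl.conf\n' >&2
}

#######################################
# Raise the open-file limit for all users (idempotent).
# Globals: LIMITS_CONF
#######################################
raise_file_limits() {
  append_once "* soft nofile 400000" "$LIMITS_CONF"
  append_once "* hard nofile 400000" "$LIMITS_CONF"
}

#######################################
# Turn on periodic unattended upgrades. The previous 10periodic is kept in a
# fresh mktemp directory (root-only, unpredictable name) instead of a fixed
# path in /tmp.
#######################################
enable_unattended_upgrades() {
  local periodic=/etc/apt/apt.conf.d/10periodic
  if [[ -f "$periodic" ]]; then
    local backup_dir
    backup_dir=$(mktemp -d) || die "mktemp failed"
    mv -- "$periodic" "${backup_dir}/10periodic"
    printf 'previous %s saved to %s\n' "$periodic" "${backup_dir}/10periodic" >&2
  fi
  cat <<'EOF' >"$periodic"
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # allow cleanup for auto security update
  sed -i \
    -e 's|^//Unattended-Upgrade::Remove-Unused-Dependencies "false"|Unattended-Upgrade::Remove-Unused-Dependencies "true"|' \
    /etc/apt/apt.conf.d/50unattended-upgrades
}

#######################################
# Boot-time unit that disables transparent hugepages (redis/mongo guidance).
# Fixes vs. the earlier version: a real shebang (was '##!/bin/bash'), the
# script is made executable (systemd will not ExecStart a non-executable
# file), ConditionPathExists gets a path rather than a command line, and the
# unit is Type=oneshot — the script exits rather than forking a daemon.
# Globals: STARTUP_SCRIPT, STARTUP_UNIT
#######################################
install_thp_disable_service() {
  # disable transparent hugepage for redis and mongo
  cat <<'EOF' >"$STARTUP_SCRIPT"
#!/bin/bash
# Disable Transparent Hugepage
#
echo never | tee /sys/kernel/mm/transparent_hugepage/enabled
echo never | tee /sys/kernel/mm/transparent_hugepage/defrag
exit 0
EOF
  chmod 755 "$STARTUP_SCRIPT"
  # No network ordering: the script only touches /sys.
  cat <<EOF >"$STARTUP_UNIT"
[Unit]
Description=My Startup Service
ConditionPathExists=${STARTUP_SCRIPT}

[Service]
Type=oneshot
ExecStart=${STARTUP_SCRIPT}
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
  chmod 644 "$STARTUP_UNIT"
  systemctl daemon-reload
  # --now applies the THP setting immediately as well as on future boots.
  systemctl enable --now my-startup.service
  # status exits non-zero for anything but "active"; it is informational here.
  systemctl status --no-pager my-startup.service || true
}

#######################################
# Optionally run Docker's convenience installer after a y/N prompt.
# The installer is a remote script executed as root; the only thing pinning
# what runs is TLS to get.docker.com, so download and execution are kept
# separate to allow inspecting (or substituting a vetted copy of) the file.
#######################################
maybe_install_docker() {
  local REPLY=""
  # read fails on EOF (non-interactive run); treat that as "no" instead of aborting.
  read -r -n 1 -p "Install docker? " || true
  printf '\n'
  if [[ "${REPLY:-}" =~ ^[Yy]$ ]]; then
    local installer rc=0
    installer=$(mktemp) || die "mktemp failed"
    curl -fsSL https://get.docker.com -o "$installer"
    sh "$installer" || rc=$?
    rm -f -- "$installer"
    (( rc == 0 )) || die "docker installer exited with status ${rc}"
  fi
}

#######################################
# Entry point: validate inputs, then run the steps in the original order.
#######################################
main() {
  require_root
  # Digits only: SSH_PORT is interpolated into sed and the fail2ban jail.
  [[ "$SSH_PORT" =~ ^[0-9]+$ ]] || die "SSH_PORT must be numeric, got '${SSH_PORT}'"
  install_base_packages
  harden_sshd
  configure_fail2ban
  harden_kernel
  raise_file_limits
  enable_unattended_upgrades
  install_thp_disable_service
  maybe_install_docker
}

main "$@"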