[hardening ubuntu install if default user is root]hardening ubuntu install if default user is root #cloud #linux #hardening
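#!/bin/sh
# Harden a fresh Ubuntu install whose only account is root: set the
# hostname, create an unprivileged sudo user that logs in with an SSH key,
# then turn off root login and password authentication for sshd.
#
# you need to run
# export USER_USERNAME='unknown';
# export USER_PASSWORD='okpoksdsd';
# export USER_HOSTNAME='openvpn';
# export USER_SSHKEY="ssh-ed25519 0000000000000000000000000000000f000f00000000000/Dj4X2tI tunknown@hack-Pro.local";
## or you can copy paste this line
# ssh -f root@117118.10011.208.168 "export USER_USERNAME='tunknown' && export USER_PASSWORD='azda12' && export USER_HOSTNAME='openvpn' && export USER_SSHKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2qsZDq3JwMJldusBtRvWoRMNJ1TV3w7ng8/Dj4X2tI tsouhaieb@souhaiebs-MacBook-Pro.local' && curl -fLO https://gist.githubusercontent.com/souhaiebtar/46c7985637898e16e816dd613d9b6acb/raw/df8680adfa385c6609fe0145599c0921aa565cb3/Hardening_ubuntu_install.sh && chmod +x Hardening_ubuntu_install.sh && ./Hardening_ubuntu_install.sh"
#### just replace the ip address `117118.10011.208.168` (i know that is not a valid one) by the real ip address of the server you want to harden
#
# Exit status: 2 when not run as root; 1 when a required variable is
# missing/invalid or any step fails (set -e), so the box is never left
# half-configured without the script saying so.

set -eu

if [ "$(id -u)" -ne 0 ]; then
  echo "Only root may add a user to the system." >&2
  exit 2
fi

# Every input is required: with PasswordAuthentication turned off below,
# an empty USER_SSHKEY would lock the new user out of the machine.
: "${USER_USERNAME:?export USER_USERNAME first}"
: "${USER_PASSWORD:?export USER_PASSWORD first}"
: "${USER_HOSTNAME:?export USER_HOSTNAME first}"
: "${USER_SSHKEY:?export USER_SSHKEY first}"

# USER_HOSTNAME is spliced into a sed replacement below; restrict it to
# hostname characters so a '/' or '&' cannot alter the sed expression.
case "$USER_HOSTNAME" in
  *[!A-Za-z0-9.-]*)
    echo "USER_HOSTNAME may only contain letters, digits, '.' and '-'" >&2
    exit 1 ;;
esac

# get system up to date
# apt-get update && apt-get upgrade

# change hostname from Linode default
printf '%s\n' "$USER_HOSTNAME" > /etc/hostname
hostname -F /etc/hostname
# edit in place: 'sed ... /etc/hosts | tee /etc/hosts' truncates the file
# before sed has read it, which can empty /etc/hosts
sed -i -r "s/(^.*127\.0\.1\.1[\t ]+).*$/\1$USER_HOSTNAME/" /etc/hosts

# add a non-root user non-interactively, with bash as its login shell.
# The password goes to chpasswd on stdin so it is hashed with the system's
# configured crypt method and never shows up in argv (ps, shell history,
# audit logs) the way the previous perl crypt() call did; that call also
# used a fixed salt and the legacy DES scheme, which ignores everything
# past the 8th character of the password.
useradd -m -s "$(command -v bash)" "$USER_USERNAME"
printf '%s:%s\n' "$USER_USERNAME" "$USER_PASSWORD" | chpasswd

# add user to correct Ubuntu groups for SSH and sudo (the 'ssh' group only
# exists on images that restrict sshd access by group, so add it when present)
groups=sudo
if getent group ssh >/dev/null 2>&1; then
  groups="$groups,ssh"
fi
usermod -a -G "$groups" "$USER_USERNAME"

# remove requirement for password to sudo. A validated drop-in under
# /etc/sudoers.d replaces appending to /etc/sudoers: a malformed line there
# makes sudo refuse to run at all, which on a root-login-disabled host is
# unrecoverable over SSH.
sudoers_file="/etc/sudoers.d/90-$USER_USERNAME"
printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$USER_USERNAME" > "$sudoers_file"
chmod 0440 "$sudoers_file"
if ! visudo -cf "$sudoers_file" >/dev/null; then
  rm -f -- "$sudoers_file"
  echo "generated sudoers entry did not validate; removed it" >&2
  exit 1
fi

# install SSH key and fix permissions on user SSH keys
USER_HOME="/home/$USER_USERNAME"
mkdir -p "$USER_HOME/.ssh"
printf '%s\n' "$USER_SSHKEY" > "$USER_HOME/.ssh/authorized_keys"
chmod 700 "$USER_HOME/.ssh"
chmod 400 "$USER_HOME/.ssh/authorized_keys"
chown -R "$USER_USERNAME:$USER_USERNAME" "$USER_HOME/.ssh"

# default editor for the new user. printf instead of echo because echo does
# not portably expand '\n'; single quotes keep '$EDITOR' literal in .bashrc.
printf '%s\n' 'EDITOR=vi' 'VISUAL=$EDITOR' 'export EDITOR VISUAL' >> "$USER_HOME/.bashrc"

# secure SSH from root login and password guessing
sed -i 's/^.*PermitRootLogin.*$/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/^.*PasswordAuthentication.*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Newer Ubuntu images 'Include' /etc/ssh/sshd_config.d/*.conf at the top of
# sshd_config and the first value of an option wins, so cloud-init's
# 50-cloud-init.conf (PasswordAuthentication yes) would silently override
# the edits above; a 00- drop-in sorts before it.
if [ -d /etc/ssh/sshd_config.d ]; then
  printf 'PermitRootLogin no\nPasswordAuthentication no\n' > /etc/ssh/sshd_config.d/00-hardening.conf
fi
# refuse to restart on a broken config: a failed restart would drop the
# only session we have into the box
sshd -t
systemctl restart sshd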