@thetillhoff
Last active December 5, 2022 19:11
# Prerequisites
# - install debian netinst iso in non-graphical mode
# - deselect all packages that are advertised at the end of the installer - EXCEPT the SSH server and the standard system utilities
# - log in as non-root user, then `su root` and follow the `Usage`.
# Usage
# `wget -O - "https://gist.githubusercontent.com/thetillhoff/38b109abe1782708c0059f7f99e1426f/raw/setup-debian-server.sh" | sh`
# or
# `wget -O - "https://link.thetillhoff.de/debian-server" | sh`
# Result
# - minimal server, with hardened ssh enabled
# update packages
apt-get update && apt-get upgrade -y
# install sudo
apt-get install -y sudo
# add user to sudoers ($USER even works when `su`-ing to root)
/sbin/usermod -aG sudo "$USER"
# [optional] log out and in again to apply group settings
# install basic tools
apt-get install -y git wget curl coreutils ntp rsync
# - coreutils contains tools like cat, md5sum, head, tail, ...
# set timezone (optional - is taken over from initially set up timezone)
timedatectl set-timezone Europe/Berlin
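# Get ssh public key from github
# (wget -O creates the target file even when the download fails; an empty authorized_keys combined with
#  `PasswordAuthentication no` below leaves no way to log in over ssh, so check the file before logging out)
mkdir -p "/home/$USER/.ssh"
wget https://github.com/thetillhoff.keys -O "/home/$USER/.ssh/authorized_keys"
chmod 600 "/home/$USER/.ssh/authorized_keys"
chmod 700 "/home/$USER/.ssh"
chown -R "$USER:$USER" "/home/$USER/.ssh"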
# ssh hardening
sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
systemctl restart sshd
# install hyperv tooling
# wget https://raw.githubusercontent.com/Hinara/linux-vm-tools/ubuntu20-04/ubuntu/20.04/install.sh
# chmod +x ./install.sh
# ./install.sh # this script needs to be run twice - with a reboot in between
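
The sed lines in the ssh hardening step only rewrite directives that already exist in /etc/ssh/sshd_config, and sshd keeps the first value it reads for each keyword, so a file pulled in by an `Include` line can still win. The following check is an added example, not part of the gist: it compares the effective settings, as printed by `sshd -T`, with the values the script sets. The function name, variable names and sample dump are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not part of the gist): verify the *effective* sshd settings.
# Input on stdin: `sshd -T` style output, one "keyword value" pair per line,
# keywords in lower case.

# Values the sed lines of the script are meant to enforce.
EXPECTED='passwordauthentication no
maxauthtries 2
allowtcpforwarding no
allowagentforwarding no
authorizedkeysfile .ssh/authorized_keys'

# Constructed sample: a dump in which password logins are still enabled,
# e.g. because another config file set the keyword first.
SAMPLE_DUMP='port 22
passwordauthentication yes
maxauthtries 2
allowtcpforwarding no
allowagentforwarding no
authorizedkeysfile .ssh/authorized_keys'

# check_sshd_effective: print one line per deviation, return 0 only if
# every expected keyword is present with the expected value.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        # value of the first line whose keyword matches
        got=$(printf '%s\n' "$dump" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Demo on the constructed sample; reports the passwordauthentication deviation.
printf '%s\n' "$SAMPLE_DUMP" | check_sshd_effective || true
```

On the server, run `sshd -T | check_sshd_effective` as root after the restart and before closing the current session.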