@versvs
Last active January 26, 2019 19:18
Basic config and hardening of an Ubuntu server
##########################################################################################
# Basic configuration and some simple hardening for a Debian/Ubuntu server
##########################################################################################
# This guide assumes that a fresh server is being configured.
# It is assumed that the user has root privileges,
# and most of the commands are to be run as superuser (root)
# Root password:
# Set it to something complex; it won't be used (more on that later),
# it is needed just in case something happens during these steps
passwd
# Update the system
apt-get update
apt-get dist-upgrade
# If a new kernel was installed, reboot the system to start using it now
shutdown -r now 'Kernel upgraded, a reboot is required'
# Optional: clean up any old kernels that are no longer needed
# See the name of the kernel currently being used
uname -r
# Outputs something like:
# `4.15.0-43-generic`
# get the list of all installed kernels, filtering out the one currently in use, to avoid errors
dpkg --list 'linux-image*' | awk '{ if ($1=="ii") print $2 }' | grep -v "$(uname -r)"
# Outputs something like:
# ```
# linux-image-4.15.0-40-generic
# linux-image-4.15.0-41-generic
# linux-image-4.15.0-42-generic
# ```
# remove all the unneeded kernels
# adapt and repeat this command for each kernel present in your system that you'd like to purge
apt-get remove --purge linux-image-4.15.0-40-generic
# run autoremove, then update the grub list
apt-get autoremove
update-grub
# Now, let's get back to the mandatory steps
# Install fail2ban
apt-get install fail2ban
# create a user to log into the system and to handle any software deployed in it
useradd username
mkdir -p /home/username/.ssh
chmod 700 /home/username/.ssh
# set /bin/bash as shell for the new user
chsh -s /bin/bash username
# the login will be handled using SSH keys
# thus a public key needs to be added to the `authorized_keys` of the just-created user
# add the contents of any number of required public keys to that file
# example with `vi` (any editor is valid, I'm just a vi user)
vi /home/username/.ssh/authorized_keys
# set permissions for that file
chmod 400 /home/username/.ssh/authorized_keys
chown username:username /home/username -R
# set sudo password for the new user (won't be used to login, since a public key will be used for that)
passwd username
# add the new user to the sudoers
# comment all user/group grant lines and leave the two following:
# ```
# root ALL=(ALL) ALL
# username ALL=(ALL) ALL
# ```
visudo
# secure SSH by editing `sshd_config` and adding the following lines:
# disable root login, disable password login (public key only), and restrict which users may log in and from where
# ```
# PermitRootLogin no
# PasswordAuthentication no
# AllowUsers username@(your-ip) username@(another-ip-if-any)
# ```
vi /etc/ssh/sshd_config
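# Added example (not part of the original gist): sshd uses the first value it finds for each keyword,
# so hardening lines appended below an existing uncommented setting are silently ignored.
# The script checks a config file for the three settings above before ssh is restarted; the function names
# and the sample file (with a documentation IP address) are constructed, and Include files and Match blocks are not followed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original gist): audit sshd_config offline.

# Print the value sshd would use for keyword $1 in file $2: the first
# uncommented occurrence wins, keywords are case-insensitive, and the
# global section ends at the first Match block.
sshd_effective() {
    awk -v key="$1" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Return 0 only if the three settings from this guide are in effect.
audit_sshd() {
    cfg=$1 rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *} val=${want#* }
        got=$(sshd_effective "$key" "$cfg")
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: effective '${got:-unset}', want '$val'"
            rc=1
        fi
    done
    if [ -z "$(sshd_effective AllowUsers "$cfg")" ]; then
        echo "FAIL AllowUsers: not set in the global section"
        rc=1
    fi
    return $rc
}

# Constructed sample: the hardening lines were appended below a stock
# "PermitRootLogin yes", so the appended value is ignored.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AllowUsers username@203.0.113.5
EOF
audit_sshd "$demo" || echo "fix the lines above before restarting ssh"
rm -f "$demo"
```

# On the server itself, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration.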
# restart ssh to make the changes effective
service ssh restart
# add rules to the firewall and then enable it
# if you have a static IP, restrict the ssh login to your IP, otherwise just allow connections to port 22
ufw allow from {your-ip} to any port 22
ufw allow 80
ufw allow 443
ufw enable
# most probably, unattended-upgrades is already installed, but just in case...
apt-get install unattended-upgrades
# edit a couple of files to configure unattended upgrades
# make `/etc/apt/apt.conf.d/10periodic` look like the following lines
# ```
# APT::Periodic::Update-Package-Lists "1";
# APT::Periodic::Download-Upgradeable-Packages "1";
# APT::Periodic::AutocleanInterval "7";
# APT::Periodic::Unattended-Upgrade "1";
# ```
vi /etc/apt/apt.conf.d/10periodic
# restrict allowed origins so that only security updates are downloaded
# most probably any other source will already be commented out, but
# edit `/etc/apt/apt.conf.d/50unattended-upgrades` to confirm
#
# contents should look like this (`lucid` is the release codename in this example;
# the codename in your file must match the installed release):
# ```
# Unattended-Upgrade::Allowed-Origins {
# "Ubuntu lucid-security";
# // "Ubuntu lucid-updates";
# };
# ```
vi /etc/apt/apt.conf.d/50unattended-upgrades
# install logwatch, then edit its config file and add a line to receive email notifications
# add a line like the following one, don't forget to set the right email
# /usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high
apt-get install logwatch
vi /etc/cron.daily/00logwatch
# Several sources were consulted while writing this:
# * Mostly: https://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
# * Stack Overflow was used to confirm/change a few lines: https://stackoverflow.com/