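#!/bin/bash
# One-shot hardening bootstrap for a fresh Ubuntu cloud image. Run once, as root,
# after filling in the two placeholders below. The script ends with a reboot.
#
# Lockout hazards this script explicitly guards against:
#   - root becomes key-only and the default "ubuntu" user is deleted, so a root
#     authorized_keys must exist BEFORE /home/ubuntu is removed;
#   - sshd moves to a non-standard port, so sshd, ufw and fail2ban must all use
#     the same port value (one variable, not two placeholders);
#   - sshd_config edits only take effect at the reboot, so the config is checked
#     with `sshd -t` / `sshd -T` first and the backup restored if it is broken.
set -euo pipefail

SSH_PORT="[PORT]"   # non-standard SSH port, used for sshd, ufw and fail2ban
ADMIN_IP="[IP]"     # the only host allowed to reach SSH (e.g. a VPN server)

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'must be run as root\n' >&2
  exit 1
fi
if [[ "$SSH_PORT" == "[PORT]" || "$ADMIN_IP" == "[IP]" ]]; then
  printf 'fill in SSH_PORT and ADMIN_IP before running\n' >&2
  exit 1
fi

export DEBIAN_FRONTEND=noninteractive # never block on dpkg prompts, here or in cron

passwd # reset root user password (interactive; under set -e a failed reset aborts the run)

# Carry the image's SSH key over to root BEFORE the ubuntu home directory goes away:
# with password auth disabled and no root key there is no way back in.
if [[ ! -s /root/.ssh/authorized_keys && -s /home/ubuntu/.ssh/authorized_keys ]]; then
  install -d -m 0700 /root/.ssh
  install -m 0600 /home/ubuntu/.ssh/authorized_keys /root/.ssh/authorized_keys
fi
if [[ ! -s /root/.ssh/authorized_keys ]]; then
  printf 'no /root/.ssh/authorized_keys; add a root key first or you will be locked out\n' >&2
  exit 1
fi
deluser --remove-all-files ubuntu -q 2>/dev/null || true # remove default user account (absent on some images, hence || true)

sed -i 's/^# deb/deb/g' /etc/apt/sources.list # enable all default package sources
apt-get update && apt-get upgrade -y # apt-get has a stable CLI for scripts; apt warns that it does not
apt-get -y install fail2ban unattended-upgrades haveged htop apparmor-utils libpam-pwquality debsums apt-show-versions arpwatch git # git is needed for the lynis clone below

# Weekly update-and-reboot cron for root (uptime is not critical on this box).
# purge-old-kernels is not in the package list above, so it only runs if present;
# apt-get autoremove removes old kernels anyway.
cron_file="$(mktemp)"
cat > "$cron_file" <<'EOF'
# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of week (0 - 6) (Sunday to Saturday; 7 is also Sunday on some systems)
# │ │ │ │ │
# * * * * * command to execute
0 0 * * * /usr/bin/apt-get update
0 4 * * 6 DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'
30 5 * * 6 test -x /usr/bin/purge-old-kernels && /usr/bin/purge-old-kernels --keep 3 -qy
0 6 * * 6 /usr/bin/apt-get autoremove -y
30 6 * * 6 /sbin/reboot
EOF
crontab "$cron_file"
rm -f -- "$cron_file"

# sshd: set each option by deleting every existing line for it (commented or not)
# and appending ours. Plain `sed s/^Port 22/...` silently does nothing when the
# image ships the option commented out (`#Port 22`), which stock Ubuntu does.
# Assumes no active `Match` block at the end of sshd_config (stock Ubuntu has none);
# options appended after one would be scoped to it.
sshd_cfg=/etc/ssh/sshd_config
cp "$sshd_cfg" "${sshd_cfg}.bak"
set_sshd_opt() {
  local key=$1 value=$2
  sed -i -E '/^[#[:space:]]*'"$key"'([[:space:]]|$)/d' "$sshd_cfg"
  printf '%s %s\n' "$key" "$value" >> "$sshd_cfg"
}
set_sshd_opt Port "$SSH_PORT"                       # non-standard SSH port
set_sshd_opt PermitRootLogin prohibit-password      # root only with an SSH key ("without-password" is the older spelling)
set_sshd_opt PasswordAuthentication no              # disallow password auth
set_sshd_opt ChallengeResponseAuthentication no     # otherwise PAM keyboard-interactive could still offer a password prompt
# ServerKeyBits is an SSH protocol 1 option and modern OpenSSH has no protocol 1, so it is deliberately not set.
set_sshd_opt Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
set_sshd_opt KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
set_sshd_opt MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
set_sshd_opt PermitUserEnvironment no
set_sshd_opt ClientAliveCountMax 2
set_sshd_opt Compression no
set_sshd_opt MaxAuthTries 2
set_sshd_opt MaxSessions 2
set_sshd_opt AllowAgentForwarding no
set_sshd_opt LogLevel VERBOSE
set_sshd_opt TCPKeepAlive no
set_sshd_opt X11Forwarding no

# DH group exchange: drop moduli below ~2048 bits. Use mktemp and install so the
# replacement file gets sane permissions rather than whatever $HOME's umask gave it.
cp /etc/ssh/moduli /etc/ssh/moduli.bak
tmp_moduli="$(mktemp)"
awk '$5 > 2000' /etc/ssh/moduli > "$tmp_moduli"
install -m 0644 "$tmp_moduli" /etc/ssh/moduli
rm -f -- "$tmp_moduli"

# Replace the image's host keys (they may be shared across clones of the image).
rm -v /etc/ssh/ssh_host_*key*
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" < /dev/null

# unattended-upgrades applies the security pocket daily (its default origins);
# everything else is picked up by the weekly cron above. Overwrite rather than
# append, because the package already ships these two lines.
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

# fail2ban's stock sshd jail bans on the port named "ssh" (22); point it at the
# real port or bans would never block the listener actually in use.
cat > /etc/fail2ban/jail.local <<EOF
[sshd]
enabled = true
port = ${SSH_PORT}
EOF

# Password policy (matters for console / sudo passwords even though SSH is key-only).
sed -i 's/pam_pwquality.so retry=3/pam_pwquality.so try_first_pass retry=3/g' /etc/pam.d/common-password
cat >> /etc/security/pwquality.conf <<'EOF'
minlen=24
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
EOF
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 365/' /etc/login.defs # maximum password age of one year
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 2/' /etc/login.defs   # minimum age greater than zero

# Kernel module restrictions (CIS): no USB mass storage, no UDF filesystem.
printf 'blacklist uas\nblacklist usb_storage\n' > /etc/modprobe.d/blacklist_usbdrive.conf
printf 'install udf /bin/true\n' > /etc/modprobe.d/CIS.conf

# Login banners; /etc/issue.net is what sshd shows before authentication.
banner="Authorized uses only. All activity may be monitored and reported."
printf '%s\n' "$banner" > /etc/issue
printf '%s\n' "$banner" > /etc/issue.net
set_sshd_opt Banner /etc/issue.net

# Validate the sshd configuration now; a typo would otherwise only surface at the
# reboot, with the firewall already restricted to the new port. `sshd -T` prints
# the effective value, which also catches an Include'd drop-in (OpenSSH >= 8.2,
# /etc/ssh/sshd_config.d/) overriding our Port (first value seen wins).
if ! /usr/sbin/sshd -t; then
  printf 'sshd_config failed validation; restoring backup and aborting\n' >&2
  cp "${sshd_cfg}.bak" "$sshd_cfg"
  exit 1
fi
if [[ "$(/usr/sbin/sshd -T | awk '$1 == "port" { print $2 }')" != "$SSH_PORT" ]]; then
  printf 'effective sshd port is not %s (check /etc/ssh/sshd_config.d/); restoring backup and aborting\n' "$SSH_PORT" >&2
  cp "${sshd_cfg}.bak" "$sshd_cfg"
  exit 1
fi

# Network stack hardening; applied at the reboot (or by `sysctl -p`).
sed -i 's/#net.ipv4.conf.all.log_martians/net.ipv4.conf.all.log_martians/g' /etc/sysctl.conf
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF

echo "alias nano='nano -c'" >> ~/.bashrc

# Lynis audit tool. NOTE(review): a plain clone of HEAD has no integrity check
# beyond TLS; pin a release tag and verify it if supply chain is a concern here.
[[ -d /opt/lynis ]] || git clone https://github.com/CISOfy/lynis.git /opt/lynis

# Firewall: default deny inbound, allow outbound, SSH only from the admin host on
# the SAME port sshd was configured with above.
ufw default deny incoming
ufw default allow outgoing
ufw allow from "${ADMIN_IP}/32" to any port "$SSH_PORT" proto tcp
ufw --force enable

reboot # apply sshd, sysctl and module changes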