linux-setup/debian-setup.sh

#!/bin/bash

### configuration ###
admin_user="newnius"


#####################

# check environment
if [ "$EUID" -ne 0 ]; then
  echo "[ERROR] Please run as root"
  exit 1
fi

if ! hash apt 2>/dev/null; then
  echo "[ERROR] Only debian is supported"
  exit 1
fi


# install security updates
apt update

#uncomment as it may prompt update grub window
#apt upgrade -y

# install necessary tools
echo "[INFO] Installing necessary tools"
apt install -y curl vim git sudo ca-certificates apt-transport-https haveged

# install ssh service
if ! hash sshd 2>/dev/null; then
  echo "[INFO] Installing ssh service"
  apt install -y openssh-server openssh-client
fi

# Add admin user
echo "[INFO] Creating admin user"
ssh_pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)

useradd $admin_user -m -s /bin/bash
echo $admin_user:$ssh_pass | chpasswd


# Add to sudoers
sed -i "/$admin_user/d" /etc/sudoers
sed -i "/User privilege specification/a $admin_user\tALL=(ALL:ALL) ALL" /etc/sudoers


# update root password to random and forget it
echo "[INFO] Updating root password to random"
pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
echo root:$pass | chpasswd


# ssh, update port, decline root ligin
echo "[INFO] Updating ssh port"
ssh_port=$((RANDOM%65535+10000))
sed -i '/Port /d' /etc/ssh/sshd_config
echo "Port $ssh_port" >> /etc/ssh/sshd_config

sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config

systemctl restart ssh

# install ntpdate
echo "[INFO] Configuring time sync service"
apt install -y ntp ntpdate ntpstat

systemctl stop ntp
ntpdate pool.ntp.org
systemctl start ntp


# enable bbr, requires 4.9.0 or higher
if [ "$(uname -r)" = "`echo -e "$(uname -r)\n4.9.0" | sort -V | head -n1`" ]; then
  echo "[WARN] bbr is not supported on $(uname -r), skip"
else
  echo "[INFO] Enabling bbr"
  sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf
  echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf

  sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf
  echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf

  sysctl -p
fi

# Disable ipv6
#sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.conf
#echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
#sysctl -p


# output
echo "[INFO] Setup finished"

res="SSH user:\t$admin_user\n \
SSH port:\t$ssh_port\n \
SSH password:\t$ssh_pass\n"

echo -e $res | expand --tabs=16
Add 'debian-setup.sh' 2022-04-21 16:02:01 +00:00			`#!/bin/bash`

			`### configuration ###`
			`admin_user="newnius"`


			`#####################`

			`# check environment`
			`if [ "$EUID" -ne 0 ]; then`
			`echo "[ERROR] Please run as root"`
			`exit 1`
			`fi`

			`if ! hash apt 2>/dev/null; then`
			`echo "[ERROR] Only debian is supported"`
			`exit 1`
			`fi`


			`# install security updates`
			`apt update`

			`#uncomment as it may prompt update grub window`
			`#apt upgrade -y`

			`# install necessary tools`
			`echo "[INFO] Installing necessary tools"`
			`apt install -y curl vim git sudo ca-certificates apt-transport-https haveged`

			`# install ssh service`
			`if ! hash sshd 2>/dev/null; then`
			`echo "[INFO] Installing ssh service"`
			`apt install -y openssh-server openssh-client`
			`fi`

			`# Add admin user`
			`echo "[INFO] Creating admin user"`
			`ssh_pass=$(head /dev/urandom \| tr -dc A-Za-z0-9 \| head -c 32)`

			`useradd $admin_user -m -s /bin/bash`
			`echo $admin_user:$ssh_pass \| chpasswd`


			`# Add to sudoers`
			`sed -i "/$admin_user/d" /etc/sudoers`
			`sed -i "/User privilege specification/a $admin_user\tALL=(ALL:ALL) ALL" /etc/sudoers`


			`# update root password to random and forget it`
			`echo "[INFO] Updating root password to random"`
			`pass=$(head /dev/urandom \| tr -dc A-Za-z0-9 \| head -c 32)`
			`echo root:$pass \| chpasswd`


			`# ssh, update port, decline root ligin`
			`echo "[INFO] Updating ssh port"`
			`ssh_port=$((RANDOM%65535+10000))`
			`sed -i '/Port /d' /etc/ssh/sshd_config`
			`echo "Port $ssh_port" >> /etc/ssh/sshd_config`

			`sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config`
			`echo "PermitRootLogin no" >> /etc/ssh/sshd_config`

			`systemctl restart ssh`

			`# install ntpdate`
			`echo "[INFO] Configuring time sync service"`
			`apt install -y ntp ntpdate ntpstat`

			`systemctl stop ntp`
			`ntpdate pool.ntp.org`
			`systemctl start ntp`


			`# enable bbr, requires 4.9.0 or higher`
			if [ "$(uname -r)" = "`echo -e "$(uname -r)\n4.9.0" \| sort -V \| head -n1`" ]; then
			`echo "[WARN] bbr is not supported on $(uname -r), skip"`
			`else`
			`echo "[INFO] Enabling bbr"`
			`sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf`
			`echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf`

			`sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf`
			`echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf`

			`sysctl -p`
			`fi`

			`# Disable ipv6`
			`#sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.conf`
			`#echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf`
			`#sysctl -p`


			`# output`
			`echo "[INFO] Setup finished"`

			`res="SSH user:\t$admin_user\n \`
			`SSH port:\t$ssh_port\n \`
			`SSH password:\t$ssh_pass\n"`

			`echo -e $res \| expand --tabs=16`