2022-04-21 16:02:01 +00:00
|
|
|
#!/bin/bash
|
|
|
|
|
|
|
|
|
|
### configuration ###
|
|
|
|
|
admin_user="newnius"
|
|
|
|
|
|
|
|
|
|
#####################
|
|
|
|
|
|
2022-05-14 13:33:08 +00:00
|
|
|
# check permission
|
2022-04-21 16:02:01 +00:00
|
|
|
if [ "$EUID" -ne 0 ]; then
|
2022-05-14 13:33:08 +00:00
|
|
|
echo "[ERROR] Please run with user root"
|
2022-04-21 16:02:01 +00:00
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
2022-05-14 13:33:08 +00:00
|
|
|
# check OS
|
|
|
|
|
file=/etc/apt/sources.list
|
|
|
|
|
if ! test -f "${file}"; then
|
|
|
|
|
echo "[ERROR] Only Debian is supported"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q debian "${file}"; then
|
|
|
|
|
echo "[ERROR] Only Debian is supported"
|
2022-04-21 16:02:01 +00:00
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
2022-05-14 13:33:08 +00:00
|
|
|
# check do once
|
|
|
|
|
file=/etc/passwd
|
|
|
|
|
if grep -q ${admin_user} "${file}"; then
|
|
|
|
|
echo "[ERROR] OS is already setup"
|
|
|
|
|
exit 0
|
|
|
|
|
fi
|
|
|
|
|
|
2022-04-21 16:02:01 +00:00
|
|
|
|
|
|
|
|
# install security updates
|
|
|
|
|
apt update
|
|
|
|
|
|
|
|
|
|
#uncomment as it may prompt update grub window
|
|
|
|
|
#apt upgrade -y
|
|
|
|
|
|
2022-05-14 13:33:08 +00:00
|
|
|
|
2022-04-21 16:02:01 +00:00
|
|
|
# install necessary tools
|
|
|
|
|
echo "[INFO] Installing necessary tools"
|
2022-05-14 13:33:08 +00:00
|
|
|
apt install -y curl vim git sudo ca-certificates apt-transport-https haveged tree
|
2022-04-21 16:02:01 +00:00
|
|
|
|
|
|
|
|
# install ssh service
|
|
|
|
|
if ! hash sshd 2>/dev/null; then
|
|
|
|
|
echo "[INFO] Installing ssh service"
|
|
|
|
|
apt install -y openssh-server openssh-client
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Add admin user
|
|
|
|
|
echo "[INFO] Creating admin user"
|
|
|
|
|
ssh_pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
|
|
|
|
|
useradd $admin_user -m -s /bin/bash
|
|
|
|
|
echo $admin_user:$ssh_pass | chpasswd
|
|
|
|
|
|
|
|
|
|
# Add to sudoers
|
|
|
|
|
sed -i "/$admin_user/d" /etc/sudoers
|
|
|
|
|
sed -i "/User privilege specification/a $admin_user\tALL=(ALL:ALL) ALL" /etc/sudoers
|
|
|
|
|
|
|
|
|
|
# update root password to random and forget it
|
|
|
|
|
echo "[INFO] Updating root password to random"
|
|
|
|
|
pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
|
|
|
|
|
echo root:$pass | chpasswd
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# ssh, update port, decline root ligin
|
|
|
|
|
echo "[INFO] Updating ssh port"
|
|
|
|
|
ssh_port=$((RANDOM%65535+10000))
|
|
|
|
|
sed -i '/Port /d' /etc/ssh/sshd_config
|
|
|
|
|
echo "Port $ssh_port" >> /etc/ssh/sshd_config
|
|
|
|
|
|
|
|
|
|
sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config
|
|
|
|
|
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
|
|
|
|
|
|
|
|
|
|
systemctl restart ssh
|
|
|
|
|
|
|
|
|
|
# install ntpdate
|
|
|
|
|
echo "[INFO] Configuring time sync service"
|
|
|
|
|
apt install -y ntp ntpdate ntpstat
|
|
|
|
|
|
|
|
|
|
systemctl stop ntp
|
|
|
|
|
ntpdate pool.ntp.org
|
|
|
|
|
systemctl start ntp
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# enable bbr, requires 4.9.0 or higher
|
|
|
|
|
if [ "$(uname -r)" = "`echo -e "$(uname -r)\n4.9.0" | sort -V | head -n1`" ]; then
|
|
|
|
|
echo "[WARN] bbr is not supported on $(uname -r), skip"
|
|
|
|
|
else
|
|
|
|
|
echo "[INFO] Enabling bbr"
|
|
|
|
|
sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf
|
|
|
|
|
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
|
|
|
|
|
|
|
|
|
|
sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf
|
|
|
|
|
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
|
|
|
|
|
|
|
|
|
|
sysctl -p
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Disable ipv6
|
|
|
|
|
#sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.conf
|
|
|
|
|
#echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
|
|
|
|
|
#sysctl -p
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# output
|
|
|
|
|
echo "[INFO] Setup finished"
|
|
|
|
|
|
|
|
|
|
res="SSH user:\t$admin_user\n \
|
|
|
|
|
SSH port:\t$ssh_port\n \
|
|
|
|
|
SSH password:\t$ssh_pass\n"
|
|
|
|
|
|
|
|
|
|
echo -e $res | expand --tabs=16
|
|
|
|
|
|
