diff --git a/debian-setup.sh b/debian-setup.sh
new file mode 100644
index 0000000..5ae0c0d
--- /dev/null
+++ b/debian-setup.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+### configuration ###
+admin_user="newnius"
+
+
+#####################
+
+# check environment
+if [ "$EUID" -ne 0 ]; then
+ echo "[ERROR] Please run as root"
+ exit 1
+fi
+
+if ! hash apt 2>/dev/null; then
+ echo "[ERROR] Only debian is supported"
+ exit 1
+fi
+
+
+# install security updates
+apt update
+
+#uncomment as it may prompt update grub window
+#apt upgrade -y
+
+# install necessary tools
+echo "[INFO] Installing necessary tools"
+apt install -y curl vim git sudo ca-certificates apt-transport-https haveged
+
+# install ssh service
+if ! hash sshd 2>/dev/null; then
+ echo "[INFO] Installing ssh service"
+ apt install -y openssh-server openssh-client
+fi
+
+# Add admin user
+echo "[INFO] Creating admin user"
+ssh_pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+
+useradd $admin_user -m -s /bin/bash
+echo $admin_user:$ssh_pass | chpasswd
+
+
+# Add to sudoers
+sed -i "/$admin_user/d" /etc/sudoers
+sed -i "/User privilege specification/a $admin_user\tALL=(ALL:ALL) ALL" /etc/sudoers
+
+
+# update root password to random and forget it
+echo "[INFO] Updating root password to random"
+pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+echo root:$pass | chpasswd
+
+
+# ssh, update port, decline root ligin
+echo "[INFO] Updating ssh port"
+ssh_port=$((RANDOM%65535+10000))
+sed -i '/Port /d' /etc/ssh/sshd_config
+echo "Port $ssh_port" >> /etc/ssh/sshd_config
+
+sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config
+echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+
+systemctl restart ssh
+
+# install ntpdate
+echo "[INFO] Configuring time sync service"
+apt install -y ntp ntpdate ntpstat
+
+systemctl stop ntp
+ntpdate pool.ntp.org
+systemctl start ntp
+
+
+# enable bbr, requires 4.9.0 or higher
+if [ "$(uname -r)" = "`echo -e "$(uname -r)\n4.9.0" | sort -V | head -n1`" ]; then
+ echo "[WARN] bbr is not supported on $(uname -r), skip"
+else
+ echo "[INFO] Enabling bbr"
+ sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf
+ echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
+
+ sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf
+ echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
+
+ sysctl -p
+fi
+
+# Disable ipv6
+#sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.conf
+#echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
+#sysctl -p
+
+
+# output
+echo "[INFO] Setup finished"
+
+res="SSH user:\t$admin_user\n \
+SSH port:\t$ssh_port\n \
+SSH password:\t$ssh_pass\n"
+
+echo -e $res | expand --tabs=16
+
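Review bot: The "Add to sudoers" step rewrites /etc/sudoers in place with two `sed -i` calls and never validates the result, while the lines right after it randomize and discard the root password, so a malformed sudoers file (or a `/$admin_user/d` pattern that deletes unrelated lines containing the username as a substring, e.g. "root" or "admin") leaves the host with no privileged login at all. A safer form is a drop-in that is syntax-checked before the root password is replaced: `printf '%s ALL=(ALL:ALL) ALL\n' "$admin_user" > "/etc/sudoers.d/$admin_user"`, `chmod 0440 "/etc/sudoers.d/$admin_user"`, `visudo -cf "/etc/sudoers.d/$admin_user" || { echo "[ERROR] invalid sudoers entry"; exit 1; }`. The same lockout risk applies to the sshd edits: run `sshd -t` before `systemctl restart ssh` so a rejected config does not drop the only remote access path once root login is disabled. Separately, `echo $admin_user:$ssh_pass | chpasswd` and `echo -e $res` pass the credentials unquoted; `printf '%s:%s\n' "$admin_user" "$ssh_pass" | chpasswd` avoids word-splitting and the `echo -e` interpretation of any backslash in the generated value.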