Add 'debian-setup.sh'
parent
9003bf424d
commit
1e8984cc96
104
debian-setup.sh
Normal file
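--- /dev/null
+++ b/debian-setup.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+### configuration ###
+admin_user="newnius"
+
+
+#####################
+
+# check environment
+if [ "$EUID" -ne 0 ]; then
+echo "[ERROR] Please run as root"
+exit 1
+fi
+
+if ! hash apt 2>/dev/null; then
+echo "[ERROR] Only debian is supported"
+exit 1
+fi
+
+
+# install security updates
+apt update
+
+#uncomment as it may prompt update grub window
+#apt upgrade -y
+
+# install necessary tools
+echo "[INFO] Installing necessary tools"
+apt install -y curl vim git sudo ca-certificates apt-transport-https haveged
+
+# install ssh service
+if ! hash sshd 2>/dev/null; then
+echo "[INFO] Installing ssh service"
+apt install -y openssh-server openssh-client
+fi
+
+# Add admin user
+echo "[INFO] Creating admin user"
+ssh_pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+
+useradd $admin_user -m -s /bin/bash
+echo $admin_user:$ssh_pass | chpasswd
+
+
+# Add to sudoers
+sed -i "/$admin_user/d" /etc/sudoers
+sed -i "/User privilege specification/a $admin_user\tALL=(ALL:ALL) ALL" /etc/sudoers
+
+
+# update root password to random and forget it
+echo "[INFO] Updating root password to random"
+pass=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+echo root:$pass | chpasswd
+
+
+# ssh, update port, decline root ligin
+echo "[INFO] Updating ssh port"
+ssh_port=$((RANDOM%65535+10000))
+sed -i '/Port /d' /etc/ssh/sshd_config
+echo "Port $ssh_port" >> /etc/ssh/sshd_config
+
+sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config
+echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+
+systemctl restart ssh
+
+# install ntpdate
+echo "[INFO] Configuring time sync service"
+apt install -y ntp ntpdate ntpstat
+
+systemctl stop ntp
+ntpdate pool.ntp.org
+systemctl start ntp
+
+
+# enable bbr, requires 4.9.0 or higher
+if [ "$(uname -r)" = "`echo -e "$(uname -r)\n4.9.0" | sort -V | head -n1`" ]; then
+echo "[WARN] bbr is not supported on $(uname -r), skip"
+else
+echo "[INFO] Enabling bbr"
+sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf
+echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
+
+sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf
+echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
+
+sysctl -p
+fi
+
+# Disable ipv6
+#sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.conf
+#echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
+#sysctl -p
+
+
+# output
+echo "[INFO] Setup finished"
+
+res="SSH user:\t$admin_user\n \
+SSH port:\t$ssh_port\n \
+SSH password:\t$ssh_pass\n"
+
+echo -e $res | expand --tabs=16
+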
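Review bot: Nothing checks that the admin-account steps succeeded before the script discards the root password and writes `PermitRootLogin no`, so a failed `useradd`/`chpasswd` or a broken sudoers edit leaves the host without any usable privileged login. Add `set -eu` under the shebang (not `pipefail`, which would likely trip on the `tr | head -c 32` password pipeline), run `visudo -c || exit 1` after the two `sed -i` edits of /etc/sudoers, and run `sshd -t || exit 1` before `systemctl restart ssh`. The first sudoers `sed` also deletes every line that merely contains the user name, so writing a drop-in file under /etc/sudoers.d would be safer than editing /etc/sudoers in place. Separately, the generated SSH password is echoed to the terminal at the end and password login stays enabled on the new port; installing a public key for the admin user would avoid both.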