
  1. #!/bin/bash
  2. SSH_PORT="$1"
  3. SWAP_SIZE="$2"
  4. # install basic packages
  5. apt update
  6. apt install -y \
  7. ca-certificates \
  8. apt-transport-https \
  9. git \
  10. curl \
  11. wget \
  12. unzip \
  13. screen \
  14. net-tools \
  15. dnsutils \
  16. nano \
  17. gnupg2 \
  18. resolvconf
  19. # use DEB822 format
  20. rm -f /etc/apt/sources.list
  21. cat > /etc/apt/sources.list.d/debian.sources << EOF
  22. Types: deb
  23. URIs: https://deb.debian.org/debian
  24. Suites: trixie trixie-updates trixie-backports
  25. Components: main contrib non-free non-free-firmware
  26. Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp
  27. Types: deb
  28. URIs: https://security.debian.org/debian-security
  29. Suites: trixie-security
  30. Components: main contrib non-free non-free-firmware
  31. Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp
  32. EOF
  33. apt update
  34. apt upgrade -y
  35. # setup swap
  36. fallocate -l $SWAP_SIZE /swapfile
  37. chmod 600 /swapfile
  38. mkswap /swapfile
  39. swapon /swapfile
  40. cat <<EOF >> /etc/fstab
  41. /swapfile none swap sw 0 0
  42. EOF
  43. mount -a
  44. # setup ntp
  45. apt update
  46. apt install -y chrony
  47. systemctl enable chrony
  48. systemctl restart chrony
  49. # setup ssh
  50. sed -i 's/^#\?PermitRootLogin.*$/PermitRootLogin no/g' /etc/ssh/sshd_config
  51. sed -i 's/^#\?PubkeyAuthentication.*$/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
  52. sed -i 's/^#\?PasswordAuthentication.*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
  53. systemctl restart sshd
  54. # setup fail2ban
  55. apt update
  56. apt install -y fail2ban
  57. cat > /etc/fail2ban/jail.local << EOF
  58. [DEFAULT]
  59. ignoreip = 127.0.0.1/8 ::1
  60. bantime = 1h
  61. findtime = 10m
  62. maxretry = 3
  63. [sshd]
  64. enabled = true
  65. port = $SSH_PORT
  66. logpath = /var/log/auth.log
  67. EOF
  68. systemctl enable fail2ban
  69. systemctl restart fail2ban
  70. # setup ufw
  71. apt install -y ufw
  72. ufw default deny incoming
  73. ufw default allow outgoing
  74. sed -i 's/IPV6=no/IPV6=yes/' /etc/default/ufw
  75. ufw allow $SSH_PORT/tcp
  76. ufw enable