Debian First Boot Setup Script

A streamlined bash script for securing and setting up a fresh Debian 12 system with essential security practices and optional SSH key management.

Download and Run

Download the latest version of the script directly from the repository:

wget -O setup.sh "https://del-c.net/deb12"
chmod +x setup.sh
sudo ./setup.sh

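If you don't have sudo access, switch to root first with su - (with the dash). It starts a login shell in root's home directory, so download and run the script from there:

su -
wget -O setup.sh "https://del-c.net/deb12"
chmod +x setup.sh
./setup.sh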

Alternative direct download:

wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh"
chmod +x setup.sh
sudo ./setup.sh

Features

System Security

  • System Updates: Updates all packages to latest versions
  • Essential Package Installation: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
  • SSH Hardening: Disables root SSH login, enables key authentication, configures security timeouts
  • Root Account Locking: Locks the root password for enhanced security
  • Automatic Security Updates: Configures unattended-upgrades for security patches

User Management

  • Sysadmin User: Creates a default sysadmin user with sudo privileges
  • Additional Users: Option to create additional administrative users with sudo access
  • Smart SSH Key Setup: Prompts to add SSH public keys only for users created during setup
  • Special User Handling: Pre-configured SSH key option for user "sergio"
  • Automatic Key Generation: Generates ED25519 SSH key pairs for users with SSH setup
  • User Validation: Validates usernames and prevents duplicates

Firewall Configuration

  • UFW Firewall: Simple, optional firewall setup with SSH, HTTP, HTTPS access
  • Default Security: Deny incoming, allow outgoing traffic by default

Intrusion Prevention

  • Enhanced Fail2ban: Improved fail2ban configuration with better reliability
  • SSH Protection: Monitors and bans brute-force SSH attempts
  • Smart Configuration: Uses jail.d for better compatibility

Server Customization

  • Automatic Download: Downloads costumize.sh script to sysadmin home directory
  • Post-Setup Tools: Additional customization options after initial setup

What the Script Does

1. System Preparation

  • Verifies root privileges and Debian system
  • Updates package lists and upgrades all packages
  • Installs essential system packages

2. User Account Setup

  • Creates sysadmin user with home directory
  • Optionally creates additional administrative users
  • Adds all users to sudo group
  • Sets up password authentication for initial access

3. SSH Key Setup (Optional)

  • Prompts to add SSH public keys only for newly created users
  • Special handling for user "sergio" with pre-configured key option
  • Validates SSH key format (ssh-rsa, ssh-ed25519, etc.)
  • Creates .ssh directories with proper permissions
  • Adds keys to authorized_keys files safely
  • Automatically generates SSH key pairs for created users
  • No passphrase protection for generated keys
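
A sketch of the validation and key-installation steps in this list, as an added example that is not the setup script's own code. The function names `valid_pubkey`, `install_key` and `sample_key` are made up here, the allow-list of key types is an assumption, and the sample key is constructed from filler bytes.

```shell
#!/bin/sh
# Added example, not the code from setup.sh; function names are made up here.
# valid_pubkey "LINE": true only for one "type base64 [comment]" line whose
# type is allow-listed and whose decoded blob names the same type.
valid_pubkey() {
    # An embedded newline would smuggle a second authorized_keys entry.
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
    printf '%s\n' "$1" | (
        read -r type blob _comment
        case "$type" in
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) exit 1 ;;    # unknown type, or a line that starts with options
        esac
        printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || exit 1
        # Blob layout: 4-byte length, then the type name, which must match field 1.
        inner=$(printf '%s' "$blob" | base64 -d | tail -c +5 | head -c "${#type}" | tr -d '\000')
        [ "$inner" = "$type" ]
    )
}

# install_key HOME_DIR "LINE": validate, then append once with the modes sshd expects.
install_key() (
    valid_pubkey "$2" || { echo "rejected: not a single valid public key line" >&2; exit 1; }
    umask 077    # the function body is a subshell, so the caller's umask is untouched
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || exit 1
    keys="$1/.ssh/authorized_keys"
    touch "$keys" && chmod 600 "$keys" || exit 1
    grep -qxF -- "$2" "$keys" || printf '%s\n' "$2" >> "$keys"
    # As root for another account, follow with: chown -R USER:USER "$1/.ssh"
)

# Constructed sample: a well-formed ed25519 blob made of filler bytes, not a real key.
sample_key() {
    printf 'ssh-ed25519 %s constructed@example\n' \
        "$(printf '\000\000\000\013ssh-ed25519\000\000\000\040%032d' 0 | base64)"
}

# Demo in a throwaway directory.
demo=$(mktemp -d)
install_key "$demo" "$(sample_key)" && cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```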

4. Security Configuration

  • Disables root SSH login and locks root password
  • Configures SSH security settings (timeouts, max attempts)
  • Restricts SSH access to created users only
  • Optionally sets up UFW firewall with basic rules
  • Optionally configures enhanced fail2ban protection

5. System Finalization

  • Configures automatic security updates
  • Downloads customization script to sysadmin home
  • Restarts SSH service with new configuration
  • Displays concise setup summary

Interactive Configuration

The streamlined script prompts for just a few key options:

Additional User Creation

=== Additional User Creation ===
This script will create the 'sysadmin' user by default.
You can also create an additional user account if needed.

Would you like to create an additional user account? (y/N):

Firewall Configuration

=== Firewall Configuration ===
UFW (Uncomplicated Firewall) provides easy firewall management.

Install and configure UFW? (y/N):

Fail2ban Protection

=== Fail2ban Configuration ===
Fail2ban protects against brute-force attacks.

Install and configure fail2ban? (Y/n):

SSH Key Setup (Only for Created Users)

=== SSH Key Setup ===
Users created during setup: sysadmin username
You can add your SSH public key for easier login.

Add your SSH public key to created users? (Y/n):

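Special handling for user "sergio": the script offers a public key that is built into it. Accepting it authorizes whoever holds the matching private key to log in as sergio, so accept only if that key is yours.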

Detected user 'sergio' was created.
Use pre-configured SSH key for sergio? (Y/n)
Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1

Use this key? (Y/n):

Security Features

SSH Hardening

  • Root login disabled
  • Public key authentication enabled
  • Password authentication configurable (enabled by default for safety)
  • Empty passwords prohibited
  • X11 forwarding disabled
  • Maximum 3 authentication attempts
  • Client alive interval: 5 minutes
  • Restricted user access (AllowUsers directive)
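
One way to confirm that the settings listed above took effect, as an added example that is not part of the setup script: it reads `sshd -T` output and reports deviations. The expected values are this list written as sshd_config values, which is an assumption about how the script sets them; `audit_sshd` and `sample_sshd_T` are names made up here, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of setup.sh. Reads `sshd -T` output on stdin and
# reports settings that differ from the hardening list in this README.
audit_sshd() {
    awk '
    BEGIN {
        # Expected values: the README list written as sshd_config values (assumed).
        want["permitrootlogin"]      = "no"
        want["pubkeyauthentication"] = "yes"
        want["permitemptypasswords"] = "no"
        want["x11forwarding"]        = "no"
        want["maxauthtries"]         = "3"
        want["clientaliveinterval"]  = "300"    # 5 minutes, in seconds
    }
    {
        key = tolower($1)
        if (key in want) {
            seen[key] = 1
            if ($2 != want[key]) {
                printf "FAIL %s is %s, expected %s\n", key, $2, want[key]
                bad = 1
            }
        }
        # sshd -T prints one allowusers line per permitted account.
        if (key == "allowusers") allow = allow " " substr($0, length($1) + 2)
        if (key == "passwordauthentication" && $2 == "yes") {
            print "NOTE passwordauthentication is yes (the script default)"
        }
    }
    END {
        for (k in want) if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
        if (allow == "") { print "FAIL allowusers is not set"; bad = 1 }
        else print "INFO allowusers:" allow
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample of `sshd -T` output with one deviation (x11forwarding).
sample_sshd_T() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'permitemptypasswords no' 'x11forwarding yes' \
        'maxauthtries 3' 'clientaliveinterval 300' 'allowusers sysadmin' 'allowusers alice'
}

# On the server: sudo sshd -T | audit_sshd
sample_sshd_T | audit_sshd || echo "deviations found"
```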

UFW Firewall (Optional)

  • Default deny incoming, allow outgoing
  • Allow SSH (port 22)
  • Allow HTTP (port 80)
  • Allow HTTPS (port 443)
  • Simple management with ufw command

Enhanced Fail2ban (Optional)

  • Configuration stored in /etc/fail2ban/jail.d/custom.conf
  • Ban time: 1 hour
  • Find time: 10 minutes
  • Maximum retries: 3
  • SSH jail with improved reliability
  • Better error handling and service verification

Post-Installation

SSH Connection

After setup completion, connect using:

ssh sysadmin@YOUR_SERVER_IP

Or with additional user:

ssh USERNAME@YOUR_SERVER_IP

Server Customization

After initial setup, run the customization script:

./costumize.sh

This script provides:

  • Hostname Configuration: Set server hostname
  • Git Deploy Keys: Create SSH keys for Git repository access
  • SSH Config Setup: Automatic SSH configuration for Git servers
  • Repository Instructions: Ready-to-use Git clone commands

Generated SSH Keys

Created users will have SSH key pairs automatically generated:

# Private key (for outbound connections)
~/.ssh/id_ed25519

# Public key (share with other systems)
~/.ssh/id_ed25519.pub

Key Features:

  • ED25519 algorithm (modern and secure)
  • No passphrase (ready for automation)
  • Proper permissions (600 for private, 644 for public)
  • Hostname-based comments (username@hostname)

System Management

  • View UFW status: sudo ufw status verbose
  • Monitor fail2ban: sudo fail2ban-client status sshd
  • Check SSH config: sudo sshd -T
  • View system logs: sudo journalctl -u ssh

Advanced Configuration

Fail2ban Customization

Modify fail2ban settings in /etc/fail2ban/jail.d/custom.conf:

sudo nano /etc/fail2ban/jail.d/custom.conf
sudo systemctl restart fail2ban

SSH Configuration

Additional SSH hardening in /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd

UFW Rules

Add custom firewall rules:

sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw status numbered

Requirements

  • Operating System: Debian 12 (Bookworm)
  • Privileges: Must run as root
  • Network: Internet connection for package updates
  • Storage: Minimal disk space requirements

Important Notes

⚠️ Security Warnings:

  1. Root SSH login will be DISABLED
  2. Root password will be LOCKED
  3. SSH password authentication is ENABLED by default (can be disabled once SSH key login is working)
  4. Only created users (sysadmin + optional additional) can SSH to the server
  5. Set up SSH keys for passwordless authentication

🔄 Reboot Recommended: A system reboot is recommended after running the script to ensure all changes take effect.

📋 Backup Recommendation: Take a system snapshot before running the script if running on a virtual machine.

Troubleshooting

Cannot SSH After Setup

  1. Ensure SSH key is properly added to your SSH agent
  2. Verify the public key was added to the server
  3. Check SSH client configuration
  4. Use verbose mode: ssh -v sysadmin@server-ip

SSH Service Broken

If the setup script breaks SSH service, you can recover:

  1. Access the server via console (not SSH)
  2. Become root, then download and run the recovery script:
    su -
    wget -O fix-ssh.sh "https://del-c.net/deb12-fix"
    chmod +x fix-ssh.sh
    ./fix-ssh.sh
    
  3. The script will restore from backup or create a basic working configuration

Firewall Issues

  1. Check UFW status: sudo ufw status
  2. Verify port 22 is allowed: sudo ufw status numbered
  3. For iptables: sudo iptables -L -n | grep 22

Fail2ban Problems

  1. Check service status: sudo systemctl status fail2ban
  2. View logs: sudo journalctl -u fail2ban
  3. Check jail status: sudo fail2ban-client status

Contributing

Feel free to submit issues and enhancement requests to improve this script!

License

This project is open source and available under standard terms.
