diff --git a/README.md b/README.md index 3cc82fc..e315aef 100644 --- a/README.md +++ b/README.md 
@@ -1,153 +1,237 @@ -# GetGit - Git Repository Setup Tool +# Debian First Boot Setup Script -A simple bash script that helps users set up SSH keys and clone repositories from a private git server. +A comprehensive bash script for securing and setting up a fresh Debian 12 system with best security practices. + +## Download and Run + +Download the latest version of the script directly from the repository: + +```bash +wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh" +chmod +x setup.sh +sudo ./setup.sh +``` ## Features -- **SSH Key Generation**: Automatically generates SSH keys if they don't exist -- **Dynamic User Support**: Works with any username on the git server -- **Repository Discovery**: Automatically discovers available repositories for the user -- **Interactive Selection**: Allows users to choose which repository to clone -- **Dotfiles Support**: Special handling for dotfiles repositories with automatic setup execution +### System Security +- **System Updates**: Updates all packages to latest versions +- **Essential Package Installation**: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server +- **SSH Hardening**: Disables root SSH login, password authentication, and enables key-based authentication +- **Root Account Locking**: Locks the root password for enhanced security +- **Automatic Security Updates**: Configures unattended-upgrades for security patches -## Usage +### User Management +- **Sysadmin User**: Creates a default `sysadmin` user with sudo privileges +- **Additional Users**: Option to create additional administrative users +- **SSH Key Generation**: Generates SSH keys for all created users and root +- **User Validation**: Validates usernames and prevents duplicates -1. 
Make the script executable: - ```bash - chmod +x setup.sh - ``` +### Firewall Configuration +- **UFW Option**: Easy-to-use Uncomplicated Firewall with predefined rules +- **Manual iptables**: Basic iptables configuration for advanced users +- **Default Ports**: Allows SSH (22), HTTP (80), and HTTPS (443) -2. Run the script: - ```bash - ./setup.sh - ``` +### Intrusion Prevention +- **Fail2ban**: Optional protection against brute-force attacks +- **IP Banning**: Configurable ban times and retry limits +- **Log Monitoring**: Monitors SSH authentication logs -3. Follow the prompts: - - Enter your git username - - Generate SSH key (if needed) - - Add the SSH key to your git account - - Select which repository to clone +## What the Script Does -## How It Works +### 1. System Preparation +- Verifies root privileges and Debian system +- Updates package lists and upgrades all packages +- Installs essential system packages -### 1. Username Input -The script prompts for your git username, which is used to: -- Discover available repositories -- Construct repository URLs -- Set up proper directory structure +### 2. User Account Setup +- Creates `sysadmin` user with home directory +- Optionally creates additional administrative users +- Adds all users to sudo group +- Sets up password authentication for initial access -### 2. SSH Key Management -- Checks for existing SSH key (`~/.ssh/id_ed25519`) -- Generates a new key if none exists -- Displays the public key for copying to your git account +### 3. Security Configuration +- Disables root SSH login +- Configures SSH for key-based authentication only +- Locks root password +- Sets up firewall rules (UFW or iptables) +- Optionally configures fail2ban for intrusion prevention -### 3. Repository Discovery -The script discovers ALL accessible repositories through multiple methods: +### 4. 
SSH Key Generation +- Generates ED25519 SSH keys for each user +- Generates SSH key for root user +- Sets proper file permissions (600 for private, 644 for public keys) +- Displays all public keys for easy copying -**Primary Method - API Access:** -- Attempts to use GitLab/Gitea API to fetch all repositories you have access to -- Includes both owned and shared repositories -- Automatically detects read/write permissions +### 5. System Finalization +- Configures automatic security updates +- Restarts SSH service with new configuration +- Performs system cleanup +- Displays final system status and connection information -**Fallback Method - Pattern Scanning:** -- Scans your own repositories: `username/dotfiles`, `username/scripts`, etc. -- Checks common shared repositories from users like: `admin`, `shared`, `public`, `team`, `common`, `devops`, `infrastructure` -- Discovers additional project repositories: `website`, `api`, `frontend`, `backend`, `database`, `monitoring`, etc. -- Tests SSH access to determine if you have read access to each repository +## Interactive Configuration -**Repository Types Discovered:** -- **Your repositories**: All repos you own -- **Shared repositories**: Repos you have read/write access to -- **Public repositories**: Publicly accessible repos on the server -- **Team repositories**: Organization/team repos you're a member of +The script prompts for several configuration options: -### 4. Repository Selection -Users can: -- Select from numbered list of all discovered repositories (owned and shared) -- Press Enter to use `username/dotfiles` (if available) -- Type `custom` to enter a custom repository path -- See access type indicators: `(owner)`, `(shared)`, etc. +### Additional User Creation +``` +=== Additional User Creation === +This script will create the 'sysadmin' user by default. +You can also create an additional user account if needed. -### 5. 
Cloning and Setup -- Clones the selected repository to the appropriate directory -- For dotfiles repositories: runs `setup.sh` automatically -- For other repositories: simply clones to `~/repository-name` - -## Configuration - -The script can be configured by modifying the settings at the top: - -```bash -### === SETTINGS === ### -GIT_SERVER="git.del-c.net" # Change to your git server +Would you like to create an additional user account? (y/N): ``` -## Directory Structure +### Firewall Configuration +``` +=== Firewall Configuration === +This script can configure UFW (Uncomplicated Firewall) or you can manage iptables manually. -- **Dotfiles**: `~/.dotfiles/` -- **Other repos**: `~/repository-name/` +UFW vs iptables: +• UFW: Easy to use, good for basic setups +• Manual iptables: More control, better for complex setups (VPN servers, etc.) + +Would you like to install and configure UFW? (y/N): +``` + +### Fail2ban Configuration +``` +=== Fail2ban Configuration === +Fail2ban protects against brute-force attacks by monitoring logs and banning IPs. + +Consider skipping fail2ban if: +• You're running a VPN server (WireGuard, OpenVPN, etc.) +• You have complex iptables rules +• You prefer managing IP banning manually + +Would you like to install and configure fail2ban? 
(Y/n): +``` + +## Security Features + +### SSH Hardening +- Protocol 2 only +- Public key authentication required +- Password authentication disabled +- Empty passwords prohibited +- X11 forwarding disabled +- Maximum 3 authentication attempts +- Client alive interval: 5 minutes +- Restricted user access (AllowUsers directive) + +### Firewall Rules +**UFW Configuration:** +- Default deny incoming +- Default allow outgoing +- Allow SSH (port 22) +- Allow HTTP (port 80) +- Allow HTTPS (port 443) + +**iptables Configuration:** +- Drop all incoming by default +- Allow established and related connections +- Allow loopback traffic +- Allow SSH, HTTP, HTTPS +- Persistent rules saved to `/etc/iptables/rules.v4` + +### Fail2ban Settings +- Ban time: 1 hour +- Find time: 10 minutes +- Maximum retries: 3 +- SSH jail enabled +- Monitors `/var/log/auth.log` + +## Post-Installation + +### SSH Connection +After setup completion, connect using: +```bash +ssh sysadmin@YOUR_SERVER_IP +``` + +Or with additional user: +```bash +ssh USERNAME@YOUR_SERVER_IP +``` + +### SSH Key Management +1. Copy the displayed SSH public keys +2. Add them to your Git server and other systems +3. 
Use the keys for passwordless authentication + +### System Management +- **View UFW status**: `sudo ufw status verbose` +- **Check iptables rules**: `sudo iptables -L -n` +- **Monitor fail2ban**: `sudo fail2ban-client status sshd` +- **Check SSH config**: `sudo sshd -T` + +## Customization + +### Manual Firewall Rules +If you chose manual iptables, customize `/etc/iptables-basic.sh`: +```bash +sudo nano /etc/iptables-basic.sh +sudo /etc/iptables-basic.sh +``` + +### Fail2ban Configuration +Modify fail2ban settings in `/etc/fail2ban/jail.local`: +```bash +sudo nano /etc/fail2ban/jail.local +sudo systemctl restart fail2ban +``` + +### SSH Configuration +Additional SSH hardening in `/etc/ssh/sshd_config`: +```bash +sudo nano /etc/ssh/sshd_config +sudo systemctl restart sshd +``` ## Requirements -- Bash shell -- Git installed -- SSH client -- Access to the configured git server +- **Operating System**: Debian 12 (Bookworm) +- **Privileges**: Must run as root +- **Network**: Internet connection for package updates +- **Storage**: Minimal disk space requirements -## Example Flow +## Important Notes -``` -$ ./setup.sh -[?] Enter your git username: -Username: john +⚠️ **Security Warnings:** +1. Root SSH login will be **DISABLED** +2. Root password will be **LOCKED** +3. SSH password authentication will be **DISABLED** +4. Only SSH key authentication will be allowed +5. Only created users can SSH to the server -[+] No SSH key found. Need to generate a new SSH key... -[+] If you are using the correct user, please enter your email for the SSH key. -Enter your email for the SSH key: john@example.com +🔄 **Reboot Recommended:** +A system reboot is recommended after running the script to ensure all changes take effect. -[*] Add the following public key to your GitHub account: ----------------------------------------- -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx... john@example.com ----------------------------------------- -Press Enter after you've added the key... 
- -[+] Fetching all accessible git projects... -[*] Attempting to fetch repositories via API... -[*] Found repositories via API: -1. john/dotfiles (owner) -2. john/scripts (owner) -3. team/shared-configs (shared) -4. admin/common-tools (shared) -5. public/templates (shared) - -[?] Which project would you like to download? -Enter the number of the repository from the list above, or: -- Press Enter to use john/dotfiles (if available) -- Type 'custom' to enter a custom repository path - -Enter your choice: 3 -[*] Selected repository: git@git.del-c.net:team/shared-configs.git -[*] Download directory: /Users/john/shared-configs - -[+] Cloning selected repository... -[*] Repository cloned successfully to: /Users/john/shared-configs -``` +📋 **Backup Recommendation:** +Take a system snapshot before running the script if running on a virtual machine. ## Troubleshooting -### SSH Key Issues -- Ensure the SSH key is added to your git account -- Check SSH connection: `ssh -T git@git.del-c.net` +### Cannot SSH After Setup +1. Ensure SSH key is properly added to your SSH agent +2. Verify the public key was added to the server +3. Check SSH client configuration +4. Use verbose mode: `ssh -v sysadmin@server-ip` -### Repository Not Found -- Verify the repository exists on the server -- Check username spelling -- Ensure you have access to the repository +### Firewall Issues +1. Check UFW status: `sudo ufw status` +2. Verify port 22 is allowed: `sudo ufw status numbered` +3. For iptables: `sudo iptables -L -n | grep 22` -### Permission Denied -- Confirm SSH key is properly added to git account -- Verify you have read access to the repository +### Fail2ban Problems +1. Check service status: `sudo systemctl status fail2ban` +2. View logs: `sudo journalctl -u fail2ban` +3. Check jail status: `sudo fail2ban-client status` ## Contributing -Feel free to submit issues and enhancement requests! 
\ No newline at end of file +Feel free to submit issues and enhancement requests to improve this script! + +## License + +This project is open source and available under standard terms. \ No newline at end of file
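Review bot: the new README never says how the administrator's own client public key gets onto the server before the script disables password logins, so the "What the Script Does" and "Security Features" sections leave a lock-out path undocumented. Step 2 says "Sets up password authentication for initial access" while "SSH Hardening" lists "Password authentication disabled" and "Restricted user access (AllowUsers directive)", and the only keys the text mentions are ones generated on the server and displayed for copying to a Git server, which are not what `sshd` checks in `~/.ssh/authorized_keys`. Either document an `authorized_keys` prompt in "User Account Setup" or add an explicit step under "Post-Installation" to confirm a key-based login from a second session before the SSH restart in step 5, and add a recovery path (console access) under "Cannot SSH After Setup". Two smaller points: the "Download and Run" block fetches the script with `wget` and runs it with `sudo` straight away, so a checksum or signature to verify, or at least a line advising the reader to inspect `setup.sh` first, belongs next to it; and "Monitors `/var/log/auth.log`" under "Fail2ban Settings" is worth re-checking, since a fresh Debian 12 install does not ship rsyslog by default and that file may not exist, in which case the sshd jail needs the systemd journal backend or the `rsyslog` package. The "License" section should also name an actual license rather than "standard terms".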