Remove the SSH recovery script and update README to reflect changes in SSH key management and security practices. Enhance user prompts for SSH key setup during user creation, including special handling for the user "sergio". Streamline logging and error handling in the setup process.
README.md
@@ -1,6 +1,6 @@
# Debian First Boot Setup Script

A comprehensive bash script for securing and setting up a fresh Debian 12 system with best security practices.
A streamlined bash script for securing and setting up a fresh Debian 12 system with essential security practices and optional SSH key management.

## Download and Run

@@ -32,25 +32,30 @@ sudo ./setup.sh
### System Security
- **System Updates**: Updates all packages to latest versions
- **Essential Package Installation**: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
- **SSH Hardening**: Disables root SSH login, password authentication, and enables key-based authentication
- **SSH Hardening**: Disables root SSH login, enables key authentication, configures security timeouts
- **Root Account Locking**: Locks the root password for enhanced security
- **Automatic Security Updates**: Configures unattended-upgrades for security patches

### User Management
- **Sysadmin User**: Creates a default `sysadmin` user with sudo privileges
- **Additional Users**: Option to create additional administrative users
- **SSH Key Generation**: Generates SSH keys for all created users and root
- **Additional Users**: Option to create additional administrative users with sudo access
- **Smart SSH Key Setup**: Prompts to add SSH public keys only for users created during setup
- **Special User Handling**: Pre-configured SSH key option for user "sergio"
- **Automatic Key Generation**: Generates ED25519 SSH key pairs for users with SSH setup
- **User Validation**: Validates usernames and prevents duplicates

### Firewall Configuration
- **UFW Option**: Easy-to-use Uncomplicated Firewall with predefined rules
- **Manual iptables**: Basic iptables configuration for advanced users
- **Default Ports**: Allows SSH (22), HTTP (80), and HTTPS (443)
- **UFW Firewall**: Simple, optional firewall setup with SSH, HTTP, HTTPS access
- **Default Security**: Deny incoming, allow outgoing traffic by default

### Intrusion Prevention
- **Fail2ban**: Optional protection against brute-force attacks
- **IP Banning**: Configurable ban times and retry limits
- **Log Monitoring**: Monitors SSH authentication logs
- **Enhanced Fail2ban**: Improved fail2ban configuration with better reliability
- **SSH Protection**: Monitors and bans brute-force SSH attempts
- **Smart Configuration**: Uses jail.d for better compatibility

### Server Customization
- **Automatic Download**: Downloads `costumize.sh` script to sysadmin home directory
- **Post-Setup Tools**: Additional customization options after initial setup

## What the Script Does

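Review bot: the replacement `- **SSH Hardening**: Disables root SSH login, enables key authentication, configures security timeouts` silently drops the "password authentication" disablement the old bullet advertised, and nothing in the feature list says what the new default is; state it here (password authentication stays enabled unless the admin disables it) so the feature list matches the rest of the README. `- **Special User Handling**: Pre-configured SSH key option for user "sergio"` documents a public key embedded in the setup script; the README should say whose key it is and that accepting the prompt grants that key holder login on the host, because a reader adopting this script for their own servers needs to know to remove or replace it.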
@@ -65,28 +70,31 @@ sudo ./setup.sh
- Adds all users to sudo group
- Sets up password authentication for initial access

### 3. Security Configuration
- Disables root SSH login
- Configures SSH for key-based authentication only
- Locks root password
- Sets up firewall rules (UFW or iptables)
- Optionally configures fail2ban for intrusion prevention
### 3. SSH Key Setup (Optional)
- Prompts to add SSH public keys only for newly created users
- Special handling for user "sergio" with pre-configured key option
- Validates SSH key format (ssh-rsa, ssh-ed25519, etc.)
- Creates .ssh directories with proper permissions
- Adds keys to authorized_keys files safely
- **Automatically generates SSH key pairs for created users**
- **No passphrase protection for generated keys**

### 4. SSH Key Generation
- Generates ED25519 SSH keys for each user
- Generates SSH key for root user
- Sets proper file permissions (600 for private, 644 for public keys)
- Displays all public keys for easy copying
### 4. Security Configuration
- Disables root SSH login and locks root password
- Configures SSH security settings (timeouts, max attempts)
- Restricts SSH access to created users only
- Optionally sets up UFW firewall with basic rules
- Optionally configures enhanced fail2ban protection

### 5. System Finalization
- Configures automatic security updates
- Downloads customization script to sysadmin home
- Restarts SSH service with new configuration
- Performs system cleanup
- Displays final system status and connection information
- Displays concise setup summary

## Interactive Configuration

The script prompts for several configuration options:
The streamlined script prompts for just a few key options:

### Additional User Creation
```
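Review bot: `- **No passphrase protection for generated keys**` is listed as a feature without a reason; say that it is for unattended use and that the resulting private key is an unencrypted credential at rest, exposed by any compromise or backup of that home directory. `- Validates SSH key format (ssh-rsa, ssh-ed25519, etc.)` and `- Adds keys to authorized_keys files safely` are too vague to verify against the script: list the accepted key types exactly and spell out what "safely" covers (0700 on `.ssh`, 0600 on `authorized_keys`, rejecting duplicate entries).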
@@ -100,61 +108,63 @@ Would you like to create an additional user account? (y/N):
### Firewall Configuration
```
=== Firewall Configuration ===
This script can configure UFW (Uncomplicated Firewall) or you can manage iptables manually.
UFW (Uncomplicated Firewall) provides easy firewall management.

UFW vs iptables:
• UFW: Easy to use, good for basic setups
• Manual iptables: More control, better for complex setups (VPN servers, etc.)

Would you like to install and configure UFW? (y/N):
Install and configure UFW? (y/N):
```

### Fail2ban Configuration
### Fail2ban Protection
```
=== Fail2ban Configuration ===
Fail2ban protects against brute-force attacks by monitoring logs and banning IPs.
Fail2ban protects against brute-force attacks.

Consider skipping fail2ban if:
• You're running a VPN server (WireGuard, OpenVPN, etc.)
• You have complex iptables rules
• You prefer managing IP banning manually
Install and configure fail2ban? (Y/n):
```

Would you like to install and configure fail2ban? (Y/n):
### SSH Key Setup (Only for Created Users)
```
=== SSH Key Setup ===
Users created during setup: sysadmin username
You can add your SSH public key for easier login.

Add your SSH public key to created users? (Y/n):
```

**Special handling for user "sergio":**
```
Detected user 'sergio' was created.
Use pre-configured SSH key for sergio? (Y/n)
Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1

Use this key? (Y/n):
```

## Security Features

### SSH Hardening
- Protocol 2 only
- Public key authentication required
- Password authentication disabled
- Root login disabled
- Public key authentication enabled
- Password authentication configurable (enabled by default for safety)
- Empty passwords prohibited
- X11 forwarding disabled
- Maximum 3 authentication attempts
- Client alive interval: 5 minutes
- Restricted user access (AllowUsers directive)

### Firewall Rules
**UFW Configuration:**
- Default deny incoming
- Default allow outgoing
### UFW Firewall (Optional)
- Default deny incoming, allow outgoing
- Allow SSH (port 22)
- Allow HTTP (port 80)
- Allow HTTPS (port 443)
- Simple management with `ufw` command

**iptables Configuration:**
- Drop all incoming by default
- Allow established and related connections
- Allow loopback traffic
- Allow SSH, HTTP, HTTPS
- Persistent rules saved to `/etc/iptables/rules.v4`

### Fail2ban Settings
### Enhanced Fail2ban (Optional)
- Configuration stored in `/etc/fail2ban/jail.d/custom.conf`
- Ban time: 1 hour
- Find time: 10 minutes
- Maximum retries: 3
- SSH jail enabled
- Monitors `/var/log/auth.log`
- SSH jail with improved reliability
- Better error handling and service verification

## Post-Installation

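Review bot: the `Key: ssh-ed25519 AAAAC3...` line is a hard-coded public key shipped inside the setup script, and `Use pre-configured SSH key for sergio? (Y/n)` defaults to installing it, so on any host where a user `sergio` is created, whoever holds the matching private key gets login by pressing Enter twice. Make the default `n` or, better, have the script read the key from a file or argument so no credential lives in the script, and name the key's owner in the README. In the SSH Hardening list, `- Password authentication configurable (enabled by default for safety)` reverses the removed `- Password authentication disabled`; explain that "safety" means not locking the admin out before a key is in place, and say whether the script sets `PasswordAuthentication no` once a key is accepted, since with passwords on, the fail2ban limits listed below (3 retries, 1 hour ban) become the main brute-force control.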
@@ -169,30 +179,46 @@ Or with additional user:
ssh USERNAME@YOUR_SERVER_IP
```

### SSH Key Management
1. Copy the displayed SSH public keys
2. Add them to your Git server and other systems
3. Use the keys for passwordless authentication
### Server Customization
After initial setup, run the customization script:
```bash
./costumize.sh
```

This script provides:
- **Hostname Configuration**: Set server hostname
- **Git Deploy Keys**: Create SSH keys for Git repository access
- **SSH Config Setup**: Automatic SSH configuration for Git servers
- **Repository Instructions**: Ready-to-use Git clone commands

### Generated SSH Keys
Created users will have SSH key pairs automatically generated:
```bash
# Private key (for outbound connections)
~/.ssh/id_ed25519

# Public key (share with other systems)
~/.ssh/id_ed25519.pub
```

**Key Features:**
- **ED25519 algorithm** (modern and secure)
- **No passphrase** (ready for automation)
- **Proper permissions** (600 for private, 644 for public)
- **Hostname-based comments** (username@hostname)

### System Management
- **View UFW status**: `sudo ufw status verbose`
- **Check iptables rules**: `sudo iptables -L -n`
- **Monitor fail2ban**: `sudo fail2ban-client status sshd`
- **Check SSH config**: `sudo sshd -T`
- **View system logs**: `sudo journalctl -u ssh`

## Customization
## Advanced Configuration

### Manual Firewall Rules
If you chose manual iptables, customize `/etc/iptables-basic.sh`:
### Fail2ban Customization
Modify fail2ban settings in `/etc/fail2ban/jail.d/custom.conf`:
```bash
sudo nano /etc/iptables-basic.sh
sudo /etc/iptables-basic.sh
```

### Fail2ban Configuration
Modify fail2ban settings in `/etc/fail2ban/jail.local`:
```bash
sudo nano /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.d/custom.conf
sudo systemctl restart fail2ban
```

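Review bot: under Advanced Configuration the new `### Fail2ban Customization` heading and its `Modify fail2ban settings in /etc/fail2ban/jail.d/custom.conf:` intro sit directly above the old `sudo nano /etc/iptables-basic.sh` / `sudo /etc/iptables-basic.sh` block, so check the rendered README: if those two commands survived the edit they now appear under the fail2ban heading and refer to a file the streamlined script no longer creates. In Generated SSH Keys, `- **No passphrase** (ready for automation)` should tell the reader that this private key is only needed for outbound connections from the server and that `ssh-keygen -p -f ~/.ssh/id_ed25519` adds a passphrase afterwards when the key is not used unattended; the removed "Add them to your Git server" steps were the only guidance on what to do with the public key, so keep an equivalent sentence.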
@@ -203,6 +229,13 @@ sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd
```

### UFW Rules
Add custom firewall rules:
```bash
sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw status numbered
```

## Requirements

- **Operating System**: Debian 12 (Bookworm)
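Review bot: `sudo ufw allow from 192.168.1.0/24 to any port 3306` is not labelled as an illustration and a reader is likely to paste it unchanged; mark the subnet and port as placeholders, restrict the rule to the protocol actually needed (`proto tcp`), and note that opening 3306 only makes sense on a host that runs a database, since the README's stated default is deny incoming. `sudo ufw status numbered` is useful here because its numbered output is what `ufw delete` takes; say so.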
@@ -215,9 +248,9 @@ sudo systemctl restart sshd
⚠️ **Security Warnings:**
1. Root SSH login will be **DISABLED**
2. Root password will be **LOCKED**
3. SSH password authentication will be **DISABLED**
4. Only SSH key authentication will be allowed
5. Only created users can SSH to the server
3. SSH password authentication is **ENABLED** by default (can be disabled via SSH keys)
4. Only created users (sysadmin + optional additional) can SSH to the server
5. Set up SSH keys for passwordless authentication

🔄 **Reboot Recommended:**
A system reboot is recommended after running the script to ensure all changes take effect.
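Review bot: item `3. SSH password authentication is **ENABLED** by default (can be disabled via SSH keys)` is ambiguous: putting a key in `authorized_keys` does not turn password authentication off by itself. State whether the script sets `PasswordAuthentication no` after a key is accepted or whether the admin must change `sshd_config` by hand, and point to the README's own `sudo sshd -T` check for confirming the effective value. Item `5. Set up SSH keys for passwordless authentication` is an instruction rather than a warning and belongs under Post-Installation.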