# Debian First Boot Setup Script

A streamlined bash script for securing and setting up a fresh Debian 12 system with essential security practices and optional SSH key management.

## Download and Run

Download the latest version of the script directly from the repository:

```bash
wget -O setup.sh "https://del-c.net/deb12"
chmod +x setup.sh
sudo ./setup.sh
```

**If you don't have sudo access, use `su -` (with the dash):**
```bash
wget -O setup.sh "https://del-c.net/deb12"
chmod +x setup.sh
su -
./setup.sh
```

Alternative direct download:
```bash
wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh"
chmod +x setup.sh
sudo ./setup.sh
```

## Features

### System Security
- **System Updates**: Updates all packages to latest versions
- **Essential Package Installation**: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
- **SSH Hardening**: Disables root SSH login, enables key authentication, configures security timeouts
- **Root Account Locking**: Locks the root password for enhanced security
- **Automatic Security Updates**: Configures unattended-upgrades for security patches

### User Management
- **Sysadmin User**: Creates a default `sysadmin` user with sudo privileges
- **Additional Users**: Option to create additional administrative users with sudo access
- **Smart SSH Key Setup**: Prompts to add SSH public keys only for users created during setup
- **Special User Handling**: Pre-configured SSH key option for user "sergio"
- **Automatic Key Generation**: Generates ED25519 SSH key pairs for users with SSH setup
- **User Validation**: Validates usernames and prevents duplicates

### Firewall Configuration
- **UFW Firewall**: Simple, optional firewall setup with SSH, HTTP, HTTPS access
- **Default Security**: Deny incoming, allow outgoing traffic by default

### Intrusion Prevention
- **Enhanced Fail2ban**: Improved fail2ban configuration with better reliability
- **SSH Protection**: Monitors and bans brute-force SSH attempts
- **Smart Configuration**: Uses jail.d for better compatibility

### Server Customization
- **Automatic Download**: Downloads `costumize.sh` script to sysadmin home directory
- **Post-Setup Tools**: Additional customization options after initial setup

## What the Script Does

### 1. System Preparation
- Verifies root privileges and Debian system
- Updates package lists and upgrades all packages
- Installs essential system packages

### 2. User Account Setup
- Creates `sysadmin` user with home directory
- Optionally creates additional administrative users
- Adds all users to sudo group
- Sets up password authentication for initial access

### 3. SSH Key Setup (Optional)
- Prompts to add SSH public keys only for newly created users
- Special handling for user "sergio" with pre-configured key option
- Validates SSH key format (ssh-rsa, ssh-ed25519, etc.)
- Creates .ssh directories with proper permissions
- Adds keys to authorized_keys files safely
- **Automatically generates SSH key pairs for created users**
- **No passphrase protection for generated keys**

### 4. Security Configuration
- Disables root SSH login and locks root password
- Configures SSH security settings (timeouts, max attempts)
- Restricts SSH access to created users only
- Optionally sets up UFW firewall with basic rules
- Optionally configures enhanced fail2ban protection

### 5. System Finalization
- Configures automatic security updates
- Downloads customization script to sysadmin home
- Restarts SSH service with new configuration
- Displays concise setup summary

## Interactive Configuration

The streamlined script prompts for just a few key options:

### Additional User Creation
```
=== Additional User Creation ===
This script will create the 'sysadmin' user by default.
You can also create an additional user account if needed.

Would you like to create an additional user account? (y/N):
```

### Firewall Configuration
```
=== Firewall Configuration ===
UFW (Uncomplicated Firewall) provides easy firewall management.

Install and configure UFW? (y/N):
```

### Fail2ban Protection
```
=== Fail2ban Configuration ===
Fail2ban protects against brute-force attacks.

Install and configure fail2ban? (Y/n):
```

### SSH Key Setup (Only for Created Users)
```
=== SSH Key Setup ===
Users created during setup: sysadmin username
You can add your SSH public key for easier login.

Add your SSH public key to created users? (Y/n):
```

**Special handling for user "sergio":**
```
Detected user 'sergio' was created.
Use pre-configured SSH key for sergio? (Y/n)
Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1

Use this key? (Y/n):
```

## Security Features

### SSH Hardening
- Root login disabled
- Public key authentication enabled
- Password authentication configurable (enabled by default for safety)
- Empty passwords prohibited
- X11 forwarding disabled
- Maximum 3 authentication attempts
- Client alive interval: 5 minutes
- Restricted user access (AllowUsers directive)

### UFW Firewall (Optional)
- Default deny incoming, allow outgoing
- Allow SSH (port 22)
- Allow HTTP (port 80)
- Allow HTTPS (port 443)
- Simple management with `ufw` command

### Enhanced Fail2ban (Optional)
- Configuration stored in `/etc/fail2ban/jail.d/custom.conf`
- Ban time: 1 hour
- Find time: 10 minutes
- Maximum retries: 3
- SSH jail with improved reliability
- Better error handling and service verification

## Post-Installation

### SSH Connection
After setup completion, connect using:
```bash
ssh sysadmin@YOUR_SERVER_IP
```

Or with additional user:
```bash
ssh USERNAME@YOUR_SERVER_IP
```

### Server Customization
After initial setup, run the customization script:
```bash
./costumize.sh
```

This script provides:
- **Hostname Configuration**: Set server hostname
- **Git Deploy Keys**: Create SSH keys for Git repository access
- **SSH Config Setup**: Automatic SSH configuration for Git servers
- **Repository Instructions**: Ready-to-use Git clone commands

### Generated SSH Keys
Created users will have SSH key pairs automatically generated:
```bash
# Private key (for outbound connections)
~/.ssh/id_ed25519

# Public key (share with other systems)
~/.ssh/id_ed25519.pub
```

**Key Features:**
- **ED25519 algorithm** (modern and secure)
- **No passphrase** (ready for automation)
- **Proper permissions** (600 for private, 644 for public)
- **Hostname-based comments** (username@hostname)

### System Management
- **View UFW status**: `sudo ufw status verbose`
- **Monitor fail2ban**: `sudo fail2ban-client status sshd`
- **Check SSH config**: `sudo sshd -T`
- **View system logs**: `sudo journalctl -u ssh`

## Advanced Configuration

### Fail2ban Customization
Modify fail2ban settings in `/etc/fail2ban/jail.d/custom.conf`:
```bash
sudo nano /etc/fail2ban/jail.d/custom.conf
sudo systemctl restart fail2ban
```

### SSH Configuration
Additional SSH hardening in `/etc/ssh/sshd_config`:
```bash
sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd
```

### UFW Rules
Add custom firewall rules:
```bash
sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw status numbered
```

## Requirements

- **Operating System**: Debian 12 (Bookworm)
- **Privileges**: Must run as root
- **Network**: Internet connection for package updates
- **Storage**: Minimal disk space requirements

## Important Notes

⚠️ **Security Warnings:**
1. Root SSH login will be **DISABLED**
2. Root password will be **LOCKED**
3. SSH password authentication is **ENABLED** by default (can be disabled via SSH keys)
4. Only created users (sysadmin + optional additional) can SSH to the server
5. Set up SSH keys for passwordless authentication

🔄 **Reboot Recommended:**
A system reboot is recommended after running the script to ensure all changes take effect.

📋 **Backup Recommendation:**
Take a system snapshot before running the script if running on a virtual machine.

## Troubleshooting

### Cannot SSH After Setup
1. Ensure SSH key is properly added to your SSH agent
2. Verify the public key was added to the server
3. Check SSH client configuration
4. Use verbose mode: `ssh -v sysadmin@server-ip`

### SSH Service Broken
If the setup script breaks SSH service, you can recover:
1. Access the server via console (not SSH)
2. Download the recovery script:
   ```bash
   wget -O fix-ssh.sh "https://del-c.net/deb12-fix"
   chmod +x fix-ssh.sh
   su -
   ./fix-ssh.sh
   ```
3. The script will restore from backup or create a basic working configuration

### Firewall Issues
1. Check UFW status: `sudo ufw status`
2. Verify port 22 is allowed: `sudo ufw status numbered`
3. For iptables: `sudo iptables -L -n | grep 22`

### Fail2ban Problems
1. Check service status: `sudo systemctl status fail2ban`
2. View logs: `sudo journalctl -u fail2ban`
3. Check jail status: `sudo fail2ban-client status`

## Contributing

Feel free to submit issues and enhancement requests to improve this script!

## License

This project is open source and available under standard terms.