# Debian First Boot Setup Script

A comprehensive bash script for securing and setting up a fresh Debian 12 system with best security practices.

## Download and Run

Download the latest version of the script directly from the repository:

```bash
wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh"
chmod +x setup.sh
sudo ./setup.sh
```

## Features

### System Security
- **System Updates**: Updates all packages to latest versions
- **Essential Package Installation**: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
- **SSH Hardening**: Disables root SSH login, password authentication, and enables key-based authentication
- **Root Account Locking**: Locks the root password for enhanced security
- **Automatic Security Updates**: Configures unattended-upgrades for security patches

### User Management
- **Sysadmin User**: Creates a default `sysadmin` user with sudo privileges
- **Additional Users**: Option to create additional administrative users
- **SSH Key Generation**: Generates SSH keys for all created users and root
- **User Validation**: Validates usernames and prevents duplicates

### Firewall Configuration
- **UFW Option**: Easy-to-use Uncomplicated Firewall with predefined rules
- **Manual iptables**: Basic iptables configuration for advanced users
- **Default Ports**: Allows SSH (22), HTTP (80), and HTTPS (443)

### Intrusion Prevention
- **Fail2ban**: Optional protection against brute-force attacks
- **IP Banning**: Configurable ban times and retry limits
- **Log Monitoring**: Monitors SSH authentication logs

## What the Script Does

### 1. System Preparation
- Verifies root privileges and Debian system
- Updates package lists and upgrades all packages
- Installs essential system packages

### 2. User Account Setup
- Creates `sysadmin` user with home directory
- Optionally creates additional administrative users
- Adds all users to sudo group
- Sets up password authentication for initial access

### 3. Security Configuration
- Disables root SSH login
- Configures SSH for key-based authentication only
- Locks root password
- Sets up firewall rules (UFW or iptables)
- Optionally configures fail2ban for intrusion prevention

### 4. SSH Key Generation
- Generates ED25519 SSH keys for each user
- Generates SSH key for root user
- Sets proper file permissions (600 for private, 644 for public keys)
- Displays all public keys for easy copying

### 5. System Finalization
- Configures automatic security updates
- Restarts SSH service with new configuration
- Performs system cleanup
- Displays final system status and connection information

## Interactive Configuration

The script prompts for several configuration options:

### Additional User Creation
```
=== Additional User Creation ===
This script will create the 'sysadmin' user by default.
You can also create an additional user account if needed.

Would you like to create an additional user account? (y/N):
```

### Firewall Configuration
```
=== Firewall Configuration ===
This script can configure UFW (Uncomplicated Firewall) or you can manage iptables manually.

UFW vs iptables:
• UFW: Easy to use, good for basic setups
• Manual iptables: More control, better for complex setups (VPN servers, etc.)

Would you like to install and configure UFW? (y/N):
```

### Fail2ban Configuration
```
=== Fail2ban Configuration ===
Fail2ban protects against brute-force attacks by monitoring logs and banning IPs.

Consider skipping fail2ban if:
• You're running a VPN server (WireGuard, OpenVPN, etc.)
• You have complex iptables rules
• You prefer managing IP banning manually

Would you like to install and configure fail2ban? (Y/n):
```

## Security Features

### SSH Hardening
- Protocol 2 only
- Public key authentication required
- Password authentication disabled
- Empty passwords prohibited
- X11 forwarding disabled
- Maximum 3 authentication attempts
- Client alive interval: 5 minutes
- Restricted user access (AllowUsers directive)

### Firewall Rules
**UFW Configuration:**
- Default deny incoming
- Default allow outgoing
- Allow SSH (port 22)
- Allow HTTP (port 80)
- Allow HTTPS (port 443)

**iptables Configuration:**
- Drop all incoming by default
- Allow established and related connections
- Allow loopback traffic
- Allow SSH, HTTP, HTTPS
- Persistent rules saved to `/etc/iptables/rules.v4`

### Fail2ban Settings
- Ban time: 1 hour
- Find time: 10 minutes
- Maximum retries: 3
- SSH jail enabled
- Monitors `/var/log/auth.log`

## Post-Installation

### SSH Connection
After setup completion, connect using:
```bash
ssh sysadmin@YOUR_SERVER_IP
```

Or with additional user:
```bash
ssh USERNAME@YOUR_SERVER_IP
```

### SSH Key Management
1. Copy the displayed SSH public keys
2. Add them to your Git server and other systems
3. Use the keys for passwordless authentication

### System Management
- **View UFW status**: `sudo ufw status verbose`
- **Check iptables rules**: `sudo iptables -L -n`
- **Monitor fail2ban**: `sudo fail2ban-client status sshd`
- **Check SSH config**: `sudo sshd -T`

## Customization

### Manual Firewall Rules
If you chose manual iptables, customize `/etc/iptables-basic.sh`:
```bash
sudo nano /etc/iptables-basic.sh
sudo /etc/iptables-basic.sh
```

### Fail2ban Configuration
Modify fail2ban settings in `/etc/fail2ban/jail.local`:
```bash
sudo nano /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
```

### SSH Configuration
Additional SSH hardening in `/etc/ssh/sshd_config`:
```bash
sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd
```

## Requirements

- **Operating System**: Debian 12 (Bookworm)
- **Privileges**: Must run as root
- **Network**: Internet connection for package updates
- **Storage**: Minimal disk space requirements

## Important Notes

⚠️ **Security Warnings:**
1. Root SSH login will be **DISABLED**
2. Root password will be **LOCKED**
3. SSH password authentication will be **DISABLED**
4. Only SSH key authentication will be allowed
5. Only created users can SSH to the server

🔄 **Reboot Recommended:**
A system reboot is recommended after running the script to ensure all changes take effect.

📋 **Backup Recommendation:**
Take a system snapshot before running the script if running on a virtual machine.

## Troubleshooting

### Cannot SSH After Setup
1. Ensure SSH key is properly added to your SSH agent
2. Verify the public key was added to the server
3. Check SSH client configuration
4. Use verbose mode: `ssh -v sysadmin@server-ip`

### Firewall Issues
1. Check UFW status: `sudo ufw status`
2. Verify port 22 is allowed: `sudo ufw status numbered`
3. For iptables: `sudo iptables -L -n | grep 22`

### Fail2ban Problems
1. Check service status: `sudo systemctl status fail2ban`
2. View logs: `sudo journalctl -u fail2ban`
3. Check jail status: `sudo fail2ban-client status`

## Contributing

Feel free to submit issues and enhancement requests to improve this script!

## License

This project is open source and available under standard terms.