Del-c.net/debian-first-boot-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8 Commits 1 Branch 0 Tags
420d8deddf5da58834d1c6bf382d59b5ff29a3ce
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

Debian First Boot Setup Script

A comprehensive bash script for securing and setting up a fresh Debian 12 system with best security practices.

Download and Run

Download the latest version of the script directly from the repository:

wget -O setup.sh "https://del-c.net/deb12"
chmod +x setup.sh
sudo ./setup.sh

Alternative direct download:

wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh"
chmod +x setup.sh
sudo ./setup.sh

Features

System Security

  • System Updates: Updates all packages to latest versions
  • Essential Package Installation: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
  • SSH Hardening: Disables root SSH login, password authentication, and enables key-based authentication
  • Root Account Locking: Locks the root password for enhanced security
  • Automatic Security Updates: Configures unattended-upgrades for security patches

User Management

  • Sysadmin User: Creates a default sysadmin user with sudo privileges
  • Additional Users: Option to create additional administrative users
  • SSH Key Generation: Generates SSH keys for all created users and root
  • User Validation: Validates usernames and prevents duplicates

Firewall Configuration

  • UFW Option: Easy-to-use Uncomplicated Firewall with predefined rules
  • Manual iptables: Basic iptables configuration for advanced users
  • Default Ports: Allows SSH (22), HTTP (80), and HTTPS (443)

Intrusion Prevention

  • Fail2ban: Optional protection against brute-force attacks
  • IP Banning: Configurable ban times and retry limits
  • Log Monitoring: Monitors SSH authentication logs

What the Script Does

1. System Preparation

  • Verifies root privileges and Debian system
  • Updates package lists and upgrades all packages
  • Installs essential system packages

2. User Account Setup

  • Creates sysadmin user with home directory
  • Optionally creates additional administrative users
  • Adds all users to sudo group
  • Sets up password authentication for initial access

3. Security Configuration

  • Disables root SSH login
  • Configures SSH for key-based authentication only
  • Locks root password
  • Sets up firewall rules (UFW or iptables)
  • Optionally configures fail2ban for intrusion prevention

4. SSH Key Generation

  • Generates ED25519 SSH keys for each user
  • Generates SSH key for root user
  • Sets proper file permissions (600 for private, 644 for public keys)
  • Displays all public keys for easy copying

5. System Finalization

  • Configures automatic security updates
  • Restarts SSH service with new configuration
  • Performs system cleanup
  • Displays final system status and connection information

Interactive Configuration

The script prompts for several configuration options:

Additional User Creation

=== Additional User Creation ===
This script will create the 'sysadmin' user by default.
You can also create an additional user account if needed.

Would you like to create an additional user account? (y/N):

Firewall Configuration

=== Firewall Configuration ===
This script can configure UFW (Uncomplicated Firewall) or you can manage iptables manually.

UFW vs iptables:
• UFW: Easy to use, good for basic setups
• Manual iptables: More control, better for complex setups (VPN servers, etc.)

Would you like to install and configure UFW? (y/N):

Fail2ban Configuration

=== Fail2ban Configuration ===
Fail2ban protects against brute-force attacks by monitoring logs and banning IPs.

Consider skipping fail2ban if:
• You're running a VPN server (WireGuard, OpenVPN, etc.)
• You have complex iptables rules
• You prefer managing IP banning manually

Would you like to install and configure fail2ban? (Y/n):

Security Features

SSH Hardening

  • Protocol 2 only
  • Public key authentication required
  • Password authentication disabled
  • Empty passwords prohibited
  • X11 forwarding disabled
  • Maximum 3 authentication attempts
  • Client alive interval: 5 minutes
  • Restricted user access (AllowUsers directive)

Firewall Rules

UFW Configuration:

  • Default deny incoming
  • Default allow outgoing
  • Allow SSH (port 22)
  • Allow HTTP (port 80)
  • Allow HTTPS (port 443)

iptables Configuration:

  • Drop all incoming by default
  • Allow established and related connections
  • Allow loopback traffic
  • Allow SSH, HTTP, HTTPS
  • Persistent rules saved to /etc/iptables/rules.v4

Fail2ban Settings

  • Ban time: 1 hour
  • Find time: 10 minutes
  • Maximum retries: 3
  • SSH jail enabled
  • Monitors /var/log/auth.log

Post-Installation

SSH Connection

After setup completion, connect using:

ssh sysadmin@YOUR_SERVER_IP

Or with additional user:

ssh USERNAME@YOUR_SERVER_IP

SSH Key Management

  1. Copy the displayed SSH public keys
  2. Add them to your Git server and other systems
  3. Use the keys for passwordless authentication

System Management

  • View UFW status: sudo ufw status verbose
  • Check iptables rules: sudo iptables -L -n
  • Monitor fail2ban: sudo fail2ban-client status sshd
  • Check SSH config: sudo sshd -T

Customization

Manual Firewall Rules

If you chose manual iptables, customize /etc/iptables-basic.sh:

sudo nano /etc/iptables-basic.sh
sudo /etc/iptables-basic.sh

Fail2ban Configuration

Modify fail2ban settings in /etc/fail2ban/jail.local:

sudo nano /etc/fail2ban/jail.local
sudo systemctl restart fail2ban

SSH Configuration

Additional SSH hardening in /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd

Requirements

  • Operating System: Debian 12 (Bookworm)
  • Privileges: Must run as root
  • Network: Internet connection for package updates
  • Storage: Minimal disk space requirements

Important Notes

⚠️ Security Warnings:

  1. Root SSH login will be DISABLED
  2. Root password will be LOCKED
  3. SSH password authentication will be DISABLED
  4. Only SSH key authentication will be allowed
  5. Only created users can SSH to the server

🔄 Reboot Recommended: A system reboot is recommended after running the script to ensure all changes take effect.

📋 Backup Recommendation: Take a system snapshot before running the script if running on a virtual machine.

Troubleshooting

Cannot SSH After Setup

  1. Ensure SSH key is properly added to your SSH agent
  2. Verify the public key was added to the server
  3. Check SSH client configuration
  4. Use verbose mode: ssh -v sysadmin@server-ip

Firewall Issues

  1. Check UFW status: sudo ufw status
  2. Verify port 22 is allowed: sudo ufw status numbered
  3. For iptables: sudo iptables -L -n | grep 22

Fail2ban Problems

  1. Check service status: sudo systemctl status fail2ban
  2. View logs: sudo journalctl -u fail2ban
  3. Check jail status: sudo fail2ban-client status

Contributing

Feel free to submit issues and enhancement requests to improve this script!

License

This project is open source and available under standard terms.

Description
A simple bash script that helps users set up SSH keys and clone repositories from a private git server.
Readme 183 KiB
Languages
Shell 100%