Go to file

Sérgio Barbosa c1951eec11 Add SSH security configuration options to setup script. Implement user prompts for disabling SSH password authentication and setting up SSH keys. Enhance logging and user feedback during SSH key setup process, including checks for existing keys in authorized_keys.

2025-09-05 12:55:28 +01:00

README.md

Enhance README with sudo access instructions for setup script and improve command validation in setup.sh. Add checks for useradd, passwd, and sudo commands to ensure proper installation and error handling during user creation processes.

2025-09-05 12:40:42 +01:00

setup.sh

Add SSH security configuration options to setup script. Implement user prompts for disabling SSH password authentication and setting up SSH keys. Enhance logging and user feedback during SSH key setup process, including checks for existing keys in authorized_keys.

2025-09-05 12:55:28 +01:00

README.md

Debian First Boot Setup Script

A comprehensive bash script for securing and setting up a fresh Debian 12 system with best security practices.

Download and Run

Download the latest version of the script directly from the repository:

wget -O setup.sh "https://del-c.net/deb12"
chmod +x setup.sh
sudo ./setup.sh

If you don't have sudo access, use su - (with the dash):

wget -O setup.sh "https://del-c.net/deb12"
chmod +x setup.sh
su -
./setup.sh

Alternative direct download:

wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh"
chmod +x setup.sh
sudo ./setup.sh

Features

System Security

System Updates: Updates all packages to latest versions
Essential Package Installation: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
SSH Hardening: Disables root SSH login, password authentication, and enables key-based authentication
Root Account Locking: Locks the root password for enhanced security
Automatic Security Updates: Configures unattended-upgrades for security patches

User Management

Sysadmin User: Creates a default sysadmin user with sudo privileges
Additional Users: Option to create additional administrative users
SSH Key Generation: Generates SSH keys for all created users and root
User Validation: Validates usernames and prevents duplicates

Firewall Configuration

UFW Option: Easy-to-use Uncomplicated Firewall with predefined rules
Manual iptables: Basic iptables configuration for advanced users
Default Ports: Allows SSH (22), HTTP (80), and HTTPS (443)

Intrusion Prevention

Fail2ban: Optional protection against brute-force attacks
IP Banning: Configurable ban times and retry limits
Log Monitoring: Monitors SSH authentication logs

What the Script Does

1. System Preparation

Verifies root privileges and Debian system
Updates package lists and upgrades all packages
Installs essential system packages

2. User Account Setup

Creates sysadmin user with home directory
Optionally creates additional administrative users
Adds all users to sudo group
Sets up password authentication for initial access

3. Security Configuration

Disables root SSH login
Configures SSH for key-based authentication only
Locks root password
Sets up firewall rules (UFW or iptables)
Optionally configures fail2ban for intrusion prevention

4. SSH Key Generation

Generates ED25519 SSH keys for each user
Generates SSH key for root user
Sets proper file permissions (600 for private, 644 for public keys)
Displays all public keys for easy copying

5. System Finalization

Configures automatic security updates
Restarts SSH service with new configuration
Performs system cleanup
Displays final system status and connection information

Interactive Configuration

The script prompts for several configuration options:

Additional User Creation

=== Additional User Creation ===
This script will create the 'sysadmin' user by default.
You can also create an additional user account if needed.

Would you like to create an additional user account? (y/N):

Firewall Configuration

=== Firewall Configuration ===
This script can configure UFW (Uncomplicated Firewall) or you can manage iptables manually.

UFW vs iptables:
• UFW: Easy to use, good for basic setups
• Manual iptables: More control, better for complex setups (VPN servers, etc.)

Would you like to install and configure UFW? (y/N):

Fail2ban Configuration

=== Fail2ban Configuration ===
Fail2ban protects against brute-force attacks by monitoring logs and banning IPs.

Consider skipping fail2ban if:
• You're running a VPN server (WireGuard, OpenVPN, etc.)
• You have complex iptables rules
• You prefer managing IP banning manually

Would you like to install and configure fail2ban? (Y/n):

Security Features

SSH Hardening

Protocol 2 only
Public key authentication required
Password authentication disabled
Empty passwords prohibited
X11 forwarding disabled
Maximum 3 authentication attempts
Client alive interval: 5 minutes
Restricted user access (AllowUsers directive)

Firewall Rules

UFW Configuration:

Default deny incoming
Default allow outgoing
Allow SSH (port 22)
Allow HTTP (port 80)
Allow HTTPS (port 443)

iptables Configuration:

Drop all incoming by default
Allow established and related connections
Allow loopback traffic
Allow SSH, HTTP, HTTPS
Persistent rules saved to /etc/iptables/rules.v4

Fail2ban Settings

Ban time: 1 hour
Find time: 10 minutes
Maximum retries: 3
SSH jail enabled
Monitors /var/log/auth.log

Post-Installation

SSH Connection

After setup completion, connect using:

ssh sysadmin@YOUR_SERVER_IP

Or with additional user:

ssh USERNAME@YOUR_SERVER_IP

SSH Key Management

Copy the displayed SSH public keys
Add them to your Git server and other systems
Use the keys for passwordless authentication

System Management

View UFW status: sudo ufw status verbose
Check iptables rules: sudo iptables -L -n
Monitor fail2ban: sudo fail2ban-client status sshd
Check SSH config: sudo sshd -T

Customization

Manual Firewall Rules

If you chose manual iptables, customize /etc/iptables-basic.sh:

sudo nano /etc/iptables-basic.sh
sudo /etc/iptables-basic.sh

Fail2ban Configuration

Modify fail2ban settings in /etc/fail2ban/jail.local:

sudo nano /etc/fail2ban/jail.local
sudo systemctl restart fail2ban

SSH Configuration

Additional SSH hardening in /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd

Requirements

Operating System: Debian 12 (Bookworm)
Privileges: Must run as root
Network: Internet connection for package updates
Storage: Minimal disk space requirements

Important Notes

⚠️ Security Warnings:

Root SSH login will be DISABLED
Root password will be LOCKED
SSH password authentication will be DISABLED
Only SSH key authentication will be allowed
Only created users can SSH to the server

🔄 Reboot Recommended: A system reboot is recommended after running the script to ensure all changes take effect.

📋 Backup Recommendation: Take a system snapshot before running the script if running on a virtual machine.

Troubleshooting

Cannot SSH After Setup

Ensure SSH key is properly added to your SSH agent
Verify the public key was added to the server
Check SSH client configuration
Use verbose mode: ssh -v sysadmin@server-ip

Firewall Issues

Check UFW status: sudo ufw status
Verify port 22 is allowed: sudo ufw status numbered
For iptables: sudo iptables -L -n | grep 22

Fail2ban Problems

Check service status: sudo systemctl status fail2ban
View logs: sudo journalctl -u fail2ban
Check jail status: sudo fail2ban-client status

Contributing

Feel free to submit issues and enhancement requests to improve this script!

License

This project is open source and available under standard terms.