From 16541e279c0a7cc3f6ae1efea3c8d8a44a424cf1 Mon Sep 17 00:00:00 2001 From: Oxbian Date: Thu, 31 Aug 2023 14:58:35 +0200 Subject: Automatic secure server configuration script + readme --- secure.sh | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 secure.sh (limited to 'secure.sh')
diff --git a/secure.sh b/secure.sh
new file mode 100644
index 0000000..448b11b
--- /dev/null
+++ b/secure.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+# A script to secure a server
+
+TITLE='\033[0;36m'
+INFO='\033[0;32m'
+RESET='\033[0m'
+
+if [ "$UID" -eq "0" ]; then
+ clear
+ echo "This script MUST NOT be run as root."
+ echo "Exiting.."
+ sleep 3 && exit 1
+fi
+
+echo -e "${TITLE}- Updating system & adding automatic updates ${RESET}"
+# Update the server
+sudo apt update
+sudo apt upgrade
+
+# Automatic upgrades
+sudo apt install unattended-upgrades -y
+sed -i -e "s^//Unattended-Upgrade::Mail \"\";^Unattended-Upgrade::Mail \"root\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Remove-Unused-Kernel-Packages \"false\";^Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Remove-New-Unused-Dependencies \"true\";^Unattended-Upgrade::Remove-New-Unused-Dependencies \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Remove-Unused-Dependencies \"false\";^Unattended-Upgrade::Remove-Unused-Dependencies \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Automatic-Reboot \"true\";^Unattended-Upgrade::Automatic-Reboot \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sed -i -e "s^//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";^Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
+sudo tee -a /etc/apt/apt.conf.d/02periodic &>/dev/null << EOF
+APT::Periodic::Enable '1';
+APT::Periodic::Update-Package-Lists '1';
+APT::Periodic::Download-Upgradeable-Packages '1';
+APT::Periodic::Unattended-Upgrade '1';
+APT::Periodic::AutocleanInterval '1';
+APT::Periodic::Verbose '2';
+EOF
+
+
+echo -e "${TITLE}- Deleting useless services ${RESET}"
+# Stopping useless services
+sudo service --status-all
+echo -e "${INFO}Which services do you want to remove - q to stop the loop ${RESET}"
+while read -r service
+do
+ if [ "$service" = "q" ]; then
+ break
+ fi
+ sudo apt remove $service
+done
+
+echo -e "${TITLE}- Setup SSH securities ${RESET}"
+# SSH Security
+sudo apt install fail2ban
+sudo systemctl start fail2ban
+sudo systemctl enable fail2ban
+sudo tee -a /etc/motd &>/dev/null << EOF
+***************************************************************************
+ NOTICE TO USERS
+
+This computer system is the private property of its owner, whether
+individual, corporate or government. It is for authorized use only.
+Users (authorized or unauthorized) have no explicit or implicit
+expectation of privacy.
+
+Any or all uses of this system and all files on this system may be
+intercepted, monitored, recorded, copied, audited, inspected, and
+disclosed to your employer, to authorized site, government, and law
+enforcement personnel, as well as authorized officials of government
+agencies, both domestic and foreign.
+
+By using this system, the user consents to such interception, monitoring,
+recording, copying, auditing, inspection, and disclosure at the
+discretion of such personnel or officials. Unauthorized or improper use
+of this system may result in civil and criminal penalties and
+administrative or disciplinary action, as appropriate. By continuing to
+use this system you indicate your awareness of and consent to these terms
+and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
+conditions stated in this warning.
+
+****************************************************************************
+EOF
+sudo ln -sf "$(pwd)/custom.conf" /etc/ssh/sshd_config.d/custom.conf
+sudo tee -a /etc/ssh/sshd_config.d/custom.conf << EOF
+AllowUsers $USER
+EOF
+
+sudo service ssh restart
+sudo systemctl enable ssh
+
+echo -e "${TITLE}- Checking virus, rootkits, and logging with logwatch ${RESET}"
+# Installing root-kit checking
+sudo apt install rkhunter
+sudo rkhunter --propupd
+sudo rkhunter --check
+# Installing clamAV
+sudo apt install clamav clamav-daemon
+sudo systemctl enable clamav-freshclam
+sudo freshclam
+sudo systemctl start clamav-freshclam
+sudo clamscan -i -r --remove /
+# Installing logwatch
+sudo apt install logwatch
+
+
+echo -e "${INFO}[v] Configuration done ${RESET}"
+
-- cgit v1.2.3
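Review bot: The `sudo ln -sf "$(pwd)/custom.conf" /etc/ssh/sshd_config.d/custom.conf` line leaves the live sshd drop-in pointing at a file in the invoking user's working directory, which is presumably writable by that user, so anything running under that account can later change sshd's configuration; the following `tee -a` also writes `AllowUsers` through the link into that copy again on every run. Installing a root-owned copy and validating it before the restart would avoid both problems: `sudo install -o root -g root -m 0644 custom.conf /etc/ssh/sshd_config.d/custom.conf`, then `sudo sshd -t && sudo service ssh restart`. Separately, the six `sed -i` edits of `/etc/apt/apt.conf.d/50unattended-upgrades` run without `sudo` although the script refuses to run as root, so they presumably fail on permissions and the unattended-upgrades settings stay commented out with no visible error; prefixing them with `sudo` and adding `set -euo pipefail` near the top would surface that. `sudo clamscan -i -r --remove /` deletes every flagged file, false positives included, so a first run is safer as report-only (drop `--remove`) or with quarantine via `--move=DIR`.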