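#!/bin/bash
# A script to secure a server (Debian/Ubuntu, apt-based).
#
# Run it as an unprivileged user that can sudo; it refuses to run as root so
# that anything it creates in the working directory stays user-owned.
# Usage: ./secure.sh   (from the directory holding custom.conf, if you use one)
#
# Every file written under /etc is written idempotently, so the script can be
# re-run without duplicating config lines or the login banner.
set -euo pipefail

readonly TITLE=$'\033[0;36m'
readonly INFO=$'\033[0;32m'
readonly RESET=$'\033[0m'

# Locations this script writes to (drop-ins rather than appending to the
# distro-owned files, so re-runs are harmless).
readonly UU_CONF='/etc/apt/apt.conf.d/50unattended-upgrades'
readonly PERIODIC_CONF='/etc/apt/apt.conf.d/02periodic'
readonly SSHD_DROPIN='/etc/ssh/sshd_config.d/custom.conf'
readonly SYSCTL_DROPIN='/etc/sysctl.d/99-hardening.conf'
# Infected files are moved here instead of being deleted; override via env.
QUARANTINE_DIR=${QUARANTINE_DIR:-/var/lib/clamav-quarantine}
readonly QUARANTINE_DIR

#######################################
# Print a coloured section title / info line / fatal error.
# Arguments: $1 - message text
#######################################
title() { printf '%s- %s %s\n' "$TITLE" "$1" "$RESET"; }
info()  { printf '%s%s %s\n' "$INFO" "$1" "$RESET"; }
die()   { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Install packages non-interactively.
# Arguments: package names
#######################################
apt_install() {
  sudo apt-get install -y "$@"
}

#######################################
# Append stdin to a root-owned file unless a marker line is already present,
# so that re-running the script does not duplicate the block.
# Arguments: $1 - target file
#            $2 - fixed string whose presence means the block is already there
#######################################
append_once() {
  local target=$1 marker=$2
  # -s: a missing target is not an error, it just means "not present yet".
  if sudo grep -qsF -- "$marker" "$target"; then
    return 0
  fi
  sudo tee -a -- "$target" >/dev/null
}

if (( EUID == 0 )); then
  clear
  printf '%s\n' "This script MUST NOT be run as root." "Exiting.."
  sleep 3
  exit 1
fi

# Prime sudo once so later prompts do not interrupt long-running steps.
sudo -v || die "sudo privileges are required"

title "Updating system & adding automatic updates"
sudo apt-get update
sudo apt-get upgrade -y

# Automatic upgrades. The edits to the distro file are done with sudo (the
# script itself is unprivileged) and use '^' as the sed delimiter because the
# patterns contain '/'. Lines already uncommented are left untouched.
apt_install unattended-upgrades
sudo sed -i \
  -e 's^//Unattended-Upgrade::Mail "";^Unattended-Upgrade::Mail "root";^g' \
  -e 's^//Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";^Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";^g' \
  -e 's^//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";^Unattended-Upgrade::Remove-New-Unused-Dependencies "true";^g' \
  -e 's^//Unattended-Upgrade::Remove-Unused-Dependencies "false";^Unattended-Upgrade::Remove-Unused-Dependencies "true";^g' \
  -e 's^//Unattended-Upgrade::Automatic-Reboot "true";^Unattended-Upgrade::Automatic-Reboot "true";^g' \
  -e 's^//Unattended-Upgrade::Automatic-Reboot-Time "02:00";^Unattended-Upgrade::Automatic-Reboot-Time "02:00";^g' \
  "$UU_CONF"

append_once "$PERIODIC_CONF" 'APT::Periodic::Enable' <<'EOF'
APT::Periodic::Enable '1';
APT::Periodic::Update-Package-Lists '1';
APT::Periodic::Download-Upgradeable-Packages '1';
APT::Periodic::Unattended-Upgrade '1';
APT::Periodic::AutocleanInterval '1';
APT::Periodic::Verbose '2';
EOF

title "Deleting useless services"
# Listing only; the exit status of --status-all is not meaningful here.
sudo service --status-all || true
info "Which services do you want to remove - q to stop the loop"
while IFS= read -r -p '> ' service; do
  if [[ "$service" == "q" ]]; then
    break
  fi
  if [[ -z "$service" ]]; then
    continue
  fi
  sudo apt-get remove "$service"
done

title $'Setup SSH securities \n'
# SSH security
apt_install fail2ban
sudo systemctl enable --now fail2ban

append_once /etc/motd 'NOTICE TO USERS' <<'EOF'
***************************************************************************
                            NOTICE TO USERS

This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************
EOF

# Copy the drop-in instead of symlinking it: sshd must never read its
# configuration from a user-writable file in the working directory, or a
# compromised user account could rewrite the daemon's policy.
if [[ -f ./custom.conf ]]; then
  sudo install -m 0644 -o root -g root ./custom.conf "$SSHD_DROPIN"
fi
ssh_user=${USER:-$(id -un)}
append_once "$SSHD_DROPIN" "AllowUsers $ssh_user" <<EOF
AllowUsers $ssh_user
EOF
# Validate before restarting so a broken drop-in cannot lock us out.
sudo sshd -t || die "sshd configuration test failed; not restarting ssh"
sudo systemctl restart ssh
sudo systemctl enable ssh

title "Checking virus, rootkits, and logging with logwatch"
# Installing root-kit checking. rkhunter exits non-zero when it has warnings
# to report; that is information for the operator, not a script failure.
apt_install rkhunter
sudo rkhunter --propupd
sudo rkhunter --check || true

# Installing clamAV. The freshclam service is stopped around the manual
# update because a running daemon holds the log lock and the manual run
# would otherwise fail.
apt_install clamav clamav-daemon
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl enable --now clamav-freshclam

# Quarantine rather than delete: a false positive on a system file is not
# recoverable after --remove. /proc, /sys and /dev are pseudo-filesystems
# that only produce errors when scanned; the quarantine itself is skipped so
# moved files are not rescanned. Exit 1 = something was found, >1 = error.
sudo mkdir -p -- "$QUARANTINE_DIR"
sudo chmod 0700 -- "$QUARANTINE_DIR"
clam_rc=0
sudo clamscan -i -r --move="$QUARANTINE_DIR" \
  --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
  --exclude-dir="^$QUARANTINE_DIR" / || clam_rc=$?
if (( clam_rc == 1 )); then
  info "clamscan moved infected files to $QUARANTINE_DIR - review them"
elif (( clam_rc > 1 )); then
  die "clamscan failed (exit status $clam_rc)"
fi

# Installing logwatch
apt_install logwatch

title "Installing and configuring firewall"
apt_install ufw
# Policy and the SSH allowance are set *before* enabling so that turning the
# firewall on over an SSH session does not drop that session. --force skips
# the interactive confirmation.
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw --force enable

title "Sysctl config for security"
# Written as a drop-in (overwrite, not append) so re-runs stay idempotent.
sudo tee "$SYSCTL_DROPIN" >/dev/null <<'EOF'
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
vm.unprivileged_userfaultfd=0
kernel.kexec_load_disabled=1
kernel.sysrq=4
kernel.unprivileged_userns_clone=0
kernel.perf_event_paranoid=3
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2
vm.swappiness=1
EOF
# --system loads /etc/sysctl.d/* as well as /etc/sysctl.conf. Some keys in
# the list above are not present on every kernel (distro-patched or removed
# in newer releases); sysctl reports and skips those, which is acceptable.
sudo sysctl --system || true

info "[v] Configuration done"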