1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
#!/bin/bash
# A script to secure a server
TITLE='\033[0;36m'
INFO='\033[0;32m'
RESET='\033[0m'
if [ "$UID" -eq "0" ]; then
clear
echo "This script MUST NOT be run as root."
echo "Exiting.."
sleep 3 && exit 1
fi
echo -e "${TITLE}- Updating system & adding automatic updates ${RESET}"
# Update the server
sudo apt update
sudo apt upgrade
# Automatic upgrades
sudo apt install unattended-upgrades -y
sed -i -e "s^//Unattended-Upgrade::Mail \"\";^Unattended-Upgrade::Mail \"root\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
sed -i -e "s^//Unattended-Upgrade::Remove-Unused-Kernel-Packages \"false\";^Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
sed -i -e "s^//Unattended-Upgrade::Remove-New-Unused-Dependencies \"true\";^Unattended-Upgrade::Remove-New-Unused-Dependencies \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
sed -i -e "s^//Unattended-Upgrade::Remove-Unused-Dependencies \"false\";^Unattended-Upgrade::Remove-Unused-Dependencies \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
sed -i -e "s^//Unattended-Upgrade::Automatic-Reboot \"true\";^Unattended-Upgrade::Automatic-Reboot \"true\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
sed -i -e "s^//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";^Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";^g" /etc/apt/apt.conf.d/50unattended-upgrades
sudo tee -a /etc/apt/apt.conf.d/02periodic &>/dev/null << EOF
APT::Periodic::Enable '1';
APT::Periodic::Update-Package-Lists '1';
APT::Periodic::Download-Upgradeable-Packages '1';
APT::Periodic::Unattended-Upgrade '1';
APT::Periodic::AutocleanInterval '1';
APT::Periodic::Verbose '2';
EOF
echo -e "${TITLE}- Deleting useless services ${RESET}"
# Stopping useless services
sudo service --status-all
echo -e "${INFO}Which services do you want to remove - q to stop the loop ${RESET}"
while read -r service
do
if [ "$service" = "q" ]; then
break
fi
sudo apt remove $service
done
echo -e "${TITLE}- Setup SSH securities ${RESET}"
# SSH Security
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo tee -a /etc/motd &>/dev/null << EOF
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
EOF
sudo ln -sf "$(pwd)/custom.conf" /etc/ssh/sshd_config.d/custom.conf
sudo tee -a /etc/ssh/sshd_config.d/custom.conf << EOF
AllowUsers $USER
EOF
sudo service ssh restart
sudo systemctl enable ssh
echo -e "${TITLE}- Checking virus, rootkits, and logging with logwatch ${RESET}"
# Installing root-kit checking
sudo apt install rkhunter
sudo rkhunter --propupd
sudo rkhunter --check
# Installing clamAV
sudo apt install clamav clamav-daemon
sudo systemctl enable clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
sudo clamscan -i -r --remove /
# Installing logwatch
sudo apt install logwatch
echo -e "${INFO}[v] Configuration done ${RESET}"
|
