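#!/bin/bash
# ────────────────────────────────────────────────────────────
# Initial Settings
# ────────────────────────────────────────────────────────────
# Fresh-host bootstrap for a dnf-based system: update packages, create
# the admin accounts, harden sshd and install Fail2Ban. Every step
# writes under /etc or drives dnf/useradd/systemctl, so it has to run
# as root.
#
# Strict mode: stop at the first failed command, on any unset variable
# and on a failure anywhere in a pipeline. Without it a failed
# `adduser` or `dnf install` is silently followed by `passwd` /
# `systemctl` acting on something that does not exist.
set -euo pipefail

# Accounts to create and add to `wheel` (sudo on dnf-based systems).
# NOTE(review): this grants the automation account full interactive
# sudo as well — confirm that is intended rather than a scoped
# sudoers rule.
readonly USERS=("richard" "ansible")
readonly SSH_CONFIG="/etc/ssh/sshd_config"

# Coloured log helpers. All diagnostics go to stderr so stdout can be
# captured or piped without picking up ANSI colour codes. The message
# is printed verbatim via %s (no backslash interpretation).
log_info()    { printf '\033[1;34m[INFO] %s\033[0m\n'    "$*" >&2; }
log_success() { printf '\033[1;32m[SUCCESS] %s\033[0m\n' "$*" >&2; }
log_warn()    { printf '\033[1;33m[WARNING] %s\033[0m\n' "$*" >&2; }
log_error()   { printf '\033[1;31m[ERROR] %s\033[0m\n'   "$*" >&2; }

# Print a full-width line of '=' on stdout.
# Width comes from $COLUMNS, then `tput cols`, then 80: without a
# terminal (cron, CI, ssh without a pty) tput fails and the original
# fell through to an empty printf width, which is an error under -e.
separator() {
  local width
  width="${COLUMNS:-$(tput cols 2>/dev/null || echo 80)}"
  printf '%*s\n' "$width" '' | tr ' ' '='
}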
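# Everything below writes to /etc and drives dnf/useradd/systemctl.
# Refuse early with a clear message instead of failing half-way
# through with a trail of permission errors.
if [[ "$EUID" -ne 0 ]]; then
  log_error "This script must be run as root."
  exit 1
fi

log_info "Updating system..."
# A failed update (no network, broken repo) must not be silently
# followed by the rest of the setup.
dnf update -y || { log_error "System update failed."; exit 1; }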
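# ────────────────────────────────────────────────────────────
# User Creation
# ────────────────────────────────────────────────────────────
separator
# The loop variable is deliberately not called USER: that would
# overwrite the environment variable of the same name for every child
# process started in the loop (adduser, passwd, usermod).
for account in "${USERS[@]}"; do
  # An existing account is skipped entirely — it is NOT added to
  # wheel here (unchanged from the original behaviour).
  if id "$account" &>/dev/null; then
    log_warn "User '$account' already exists. Skipping..."
    continue
  fi

  log_info "Creating user: $account"
  # Stop on failure: running passwd/usermod against a missing account
  # would only produce confusing follow-up errors.
  adduser "$account" || { log_error "Failed to create user '$account'."; exit 1; }

  # Interactive prompt by design: the password never appears on a
  # command line, in this file, or in the process list.
  log_info "Setting password for: $account"
  passwd "$account"

  # wheel = sudo on dnf-based systems.
  usermod -aG wheel "$account"
done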
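# ────────────────────────────────────────────────────────────
# SSH Hardening
# ────────────────────────────────────────────────────────────
separator
log_info "Configuring SSH Security..."

# Set a top-level `Key value` directive in an sshd_config file.
# Rewrites a column-0 line for the key whether it is active or
# commented out (`#Key ...`), and appends the directive when the file
# does not mention it at all — the plain `sed s///` did nothing in
# that case, leaving sshd on its compiled-in default.
# Indented lines are left alone on purpose: those live inside `Match`
# blocks and must not be rewritten wholesale.
# Arguments: $1 directive name, $2 value, $3 path of the config file
set_sshd_option() {
  local key=$1 value=$2 file=$3
  if grep -Eq "^#?${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s~^#?${key}([[:space:]].*)?$~${key} ${value}~" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

set_sshd_option PermitRootLogin        no  "$SSH_CONFIG"
set_sshd_option PasswordAuthentication no  "$SSH_CONFIG"
set_sshd_option PubkeyAuthentication   yes "$SSH_CONFIG"

# sshd is intentionally NOT restarted here: with PasswordAuthentication
# off, restarting before a key is installed would lock the operator
# out. The edits take effect only after the operator's own restart.
#
# `sshd -T` dumps the *effective* configuration after every Include
# drop-in has been merged (first occurrence of a key wins). That is the
# only reliable way to notice a drop-in under /etc/ssh/sshd_config.d/
# overriding the values written above. It needs readable host keys,
# which a never-started sshd may not have yet, so a failure is
# reported rather than treated as fatal.
if effective_sshd=$(sshd -T 2>/dev/null); then
  for wanted in "permitrootlogin no" "passwordauthentication no" "pubkeyauthentication yes"; do
    if ! grep -qxF "$wanted" <<<"$effective_sshd"; then
      log_warn "Effective sshd setting is not '$wanted'; an Include drop-in probably overrides $SSH_CONFIG."
    fi
  done
else
  log_warn "Could not verify sshd configuration (sshd -T failed); run 'sshd -t' before restarting SSH."
fi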
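# ────────────────────────────────────────────────────────────
# Wall Against Bots
# ────────────────────────────────────────────────────────────
separator
log_info "Configuring Fail2Ban..."

# Both packages are prerequisites for everything below; without them
# the jail.local write and `systemctl enable` fail with unrelated
# errors.
dnf install epel-release -y || { log_error "Could not install epel-release."; exit 1; }
dnf install fail2ban -y     || { log_error "Could not install fail2ban."; exit 1; }

# Ban policy. Defaults are identical to the original (one failed login
# -> permanent ban) but can be overridden from the environment, e.g.
#   FAIL2BAN_BANTIME=1h FAIL2BAN_MAXRETRY=3 ./setup.sh
# NOTE(review): maxretry=1 with bantime=-1 means a single mistyped
# passphrase from the admin's own address is a permanent lock-out.
# Put the management network in FAIL2BAN_IGNOREIP or pick a finite
# bantime.
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME:--1}"
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME:-10m}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY:-1}"
# Extra addresses/CIDRs (space separated) that are never banned;
# loopback is always exempt.
FAIL2BAN_IGNOREIP="${FAIL2BAN_IGNOREIP:-}"

cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 ${FAIL2BAN_IGNOREIP}
bantime = ${FAIL2BAN_BANTIME}
findtime = ${FAIL2BAN_FINDTIME}
maxretry = ${FAIL2BAN_MAXRETRY}

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
EOF

systemctl enable --now fail2ban
# Restart (not just enable) so the new jail.local is picked up even
# when the service was already running before this script.
systemctl restart fail2ban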
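# ────────────────────────────────────────────────────────────
# Finishing
# ────────────────────────────────────────────────────────────
separator
# sshd was deliberately not restarted: PasswordAuthentication is now
# off in the config, so restarting before a key is in place would lock
# the operator out. The safe order is spelled out for the operator.
printf '\033[1;32m[SUCCESS] Initial setup complete.\033[0m\n'
cat <<'EOF'
Next steps:
  - Copy SSH keys for each new user (ssh-copy-id, or ~/.ssh/authorized_keys)
  - Run 'sshd -t' to validate the configuration
  - Restart SSH (systemctl restart sshd)
  - Keep this session open and confirm key-based login works from a
    second terminal: password logins are refused after the restart
EOF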