server-scripts/sshupdate.sh

#!/usr/bin/env bash

set -e

# ===============================
# CONFIG VALUES (EDIT HERE)
# ===============================
SSH_PORT="48291"

echo "==============================="
echo " Server Prep Script"
echo "==============================="

# -------------------------------
# Prompt for hostname
# -------------------------------
read -p "Enter new hostname (FQDN recommended): " NEW_HOSTNAME

if [ -z "$NEW_HOSTNAME" ]; then
  echo "Hostname cannot be empty"
  exit 1
fi

hostnamectl set-hostname "$NEW_HOSTNAME"

# -------------------------------
# Timezone
# -------------------------------
read -p "Enter timezone [default: America/Chicago]: " NEW_TZ
NEW_TZ=${NEW_TZ:-America/Chicago}

timedatectl set-timezone "$NEW_TZ"
timedatectl set-ntp true

# -------------------------------
# System update
# -------------------------------
apt update && apt upgrade -y

# -------------------------------
# Base packages
# -------------------------------
apt install -y \
  curl \
  ca-certificates \
  gnupg \
  lsb-release \
  apt-transport-https \
  software-properties-common \
  fail2ban \
  net-tools \
  unzip \
  jq

# -------------------------------
# SSH CONFIG (MODERN - socket)
# -------------------------------
echo "Configuring SSH socket on port ${SSH_PORT}..."

mkdir -p /etc/systemd/system/ssh.socket.d

cat > /etc/systemd/system/ssh.socket.d/override.conf <<EOF
[Socket]
ListenStream=
ListenStream=${SSH_PORT}
EOF

# Keep sshd_config aligned
sed -i "s/^#*Port .*/Port ${SSH_PORT}/" /etc/ssh/sshd_config

# SSH auth settings
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication yes/" /etc/ssh/sshd_config

if ! grep -q "^KbdInteractiveAuthentication" /etc/ssh/sshd_config; then
  echo "KbdInteractiveAuthentication yes" >> /etc/ssh/sshd_config
else
  sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" /etc/ssh/sshd_config
fi

if ! grep -q "^ChallengeResponseAuthentication" /etc/ssh/sshd_config; then
  echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
else
  sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
fi

systemctl daemon-reexec
systemctl daemon-reload
systemctl restart ssh.socket
systemctl restart ssh

# -------------------------------
# SSH KEY INSTALL
# -------------------------------
echo "Installing SSH key..."

SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDosb5jR9eu4Avc0HmMzR8HQDYOGRSxwRYgprpDuggDG eddsa-key-20260531"

mkdir -p ~/.ssh
chmod 700 ~/.ssh

grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

echo "✅ SSH key added"

# -------------------------------
# Firewall
# -------------------------------
read -p "Disable UFW? (Y/n): " DISABLE_UFW

if [[ ! "$DISABLE_UFW" =~ ^[Nn]$ ]]; then
  systemctl stop ufw || true
  systemctl disable ufw || true
else
  ufw allow ${SSH_PORT}/tcp
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable
fi

# -------------------------------
# Fail2Ban
# -------------------------------
systemctl enable fail2ban
systemctl start fail2ban

# -------------------------------
# Finish
# -------------------------------
IP_ADDR=$(hostname -I | awk '{print $1}')

echo ""
echo "==============================="
echo " ✅ SERVER READY"
echo "==============================="

echo "Hostname: $NEW_HOSTNAME"
echo "Timezone: $NEW_TZ"
echo "SSH Port: $SSH_PORT"
echo "IP: $IP_ADDR"

echo ""
echo "⚠️ TEST SSH NOW:"
echo "ssh -p $SSH_PORT root@$IP_ADDR"
``