From 25dcc9ce7ea0d9f2a5653bbb057cb1c5da45e3f8 Mon Sep 17 00:00:00 2001
From: Louis Gutenschwager
Date: Sun, 31 May 2026 13:09:54 -0500
Subject: [PATCH] scripts added
---
 serverprep.sh | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++
 sshupdate.sh | 91 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 207 insertions(+)
 create mode 100644 serverprep.sh
 create mode 100644 sshupdate.sh
diff --git a/serverprep.sh b/serverprep.sh
new file mode 100644
index 0000000..f5a1e17
--- /dev/null
+++ b/serverprep.sh
@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+
+set -e
+
+# ===============================
+# CONFIG VALUES (EDIT HERE)
+# ===============================
+SSH_PORT="48291"
+
+echo "==============================="
+echo " Server Prep Script"
+echo "==============================="
+
+# -------------------------------
+# Prompt for hostname
+# -------------------------------
+read -p "Enter new hostname (FQDN recommended): " NEW_HOSTNAME
+
+if [ -z "$NEW_HOSTNAME" ]; then
+ echo "Hostname cannot be empty"
+ exit 1
+fi
+
+hostnamectl set-hostname "$NEW_HOSTNAME"
+
+# -------------------------------
+# Timezone
+# -------------------------------
+read -p "Enter timezone [default: America/Chicago]: " NEW_TZ
+NEW_TZ=${NEW_TZ:-America/Chicago}
+
+timedatectl set-timezone "$NEW_TZ"
+timedatectl set-ntp true
+
+# -------------------------------
+# System update
+# -------------------------------
+apt update && apt upgrade -y
+
+# -------------------------------
+# Base packages
+# -------------------------------
+apt install -y \
+ curl \
+ ca-certificates \
+ gnupg \
+ lsb-release \
+ apt-transport-https \
+ software-properties-common \
+ fail2ban \
+ net-tools \
+ unzip \
+ jq
+
+# -------------------------------
+# SSH CONFIG (MODERN - socket)
+# -------------------------------
+echo "Configuring SSH socket on port ${SSH_PORT}..."
+
+mkdir -p /etc/systemd/system/ssh.socket.d
+
+cat > /etc/systemd/system/ssh.socket.d/override.conf <> /etc/ssh/sshd_config
+else
+ sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" /etc/ssh/sshd_config
+fi
+
+if ! grep -q "^ChallengeResponseAuthentication" /etc/ssh/sshd_config; then
+ echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
+else
+ sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
+fi
+
+systemctl daemon-reexec
+systemctl daemon-reload
+systemctl restart ssh.socket
+systemctl restart ssh
+
+# -------------------------------
+# SSH KEY INSTALL
+# -------------------------------
+echo "Installing SSH key..."
+
+SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDosb5jR9eu4Avc0HmMzR8HQDYOGRSxwRYgprpDuggDG eddsa-key-20260531"
+
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+
+grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys
+chmod 600 ~/.ssh/authorized_keys
+
+echo "✅ SSH key added"
+
+# -------------------------------
+# Firewall
+# -------------------------------
+read -p "Disable UFW? (Y/n): " DISABLE_UFW
+
+if [[ ! "$DISABLE_UFW" =~ ^[Nn]$ ]]; then
+ systemctl stop ufw || true
+ systemctl disable ufw || true
+else
+ ufw allow ${SSH_PORT}/tcp
+ ufw allow 80/tcp
diff --git a/sshupdate.sh b/sshupdate.sh
new file mode 100644
index 0000000..fdd94fb
--- /dev/null
+++ b/sshupdate.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "==============================="
+echo " SSH Configuration Script"
+echo "==============================="
+
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+# -------------------------------
+# Install SSH Key
+# -------------------------------
+echo "Installing SSH key..."
+
+SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDosb5jR9eu4Avc0HmMzR8HQDYOGRSxwRYgprpDuggDG eddsa-key-20260531"
+
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+
+grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys
+chmod 600 ~/.ssh/authorized_keys
+
+echo "✅ Key installed"
+
+# -------------------------------
+# Backup config
+# -------------------------------
+cp ${SSHD_CONFIG} ${SSHD_CONFIG}.bak.$(date +%s)
+
+# -------------------------------
+# SSH SETTINGS
+# -------------------------------
+echo "Updating SSH settings..."
+
+# Pubkey
+if grep -q "^PubkeyAuthentication" "$SSHD_CONFIG"; then
+ sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONFIG"
+else
+ echo "PubkeyAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+# Password (initially enabled for safety)
+if grep -q "^PasswordAuthentication" "$SSHD_CONFIG"; then
+ sed -i "s/^PasswordAuthentication.*/PasswordAuthentication yes/" "$SSHD_CONFIG"
+else
+ echo "PasswordAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+# KbdInteractive ✅
+if grep -q "^KbdInteractiveAuthentication" "$SSHD_CONFIG"; then
+ sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" "$SSHD_CONFIG"
+else
+ echo "KbdInteractiveAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+# ChallengeResponse
+if grep -q "^ChallengeResponseAuthentication" "$SSHD_CONFIG"; then
+ sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" "$SSHD_CONFIG"
+else
+ echo "ChallengeResponseAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+systemctl restart ssh
+
+echo "✅ SSH restarted"
+
+# -------------------------------
+# Optional Lockdown
+# -------------------------------
+read -p "Disable password login? (y/N): " DISABLE_PASS
+
+if [[ "$DISABLE_PASS" =~ ^[Yy]$ ]]; then
+ sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONFIG"
+ systemctl restart ssh
+ echo "✅ Password login disabled"
+fi
+
+read -p "Disable root login? (y/N): " DISABLE_ROOT
+
+if [[ "$DISABLE_ROOT" =~ ^[Yy]$ ]]; then
+ sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" "$SSHD_CONFIG"
+ systemctl restart ssh
+ echo "✅ Root login disabled"
+fi
+
+echo ""
+echo "==============================="
+echo " ✅ SSH CONFIG COMPLETE"
+echo "==============================="
+echo "⚠️ Test SSH access before closing your session"
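Review bot: The `DISABLE_PASS` branch near the end of sshupdate.sh sets only `PasswordAuthentication no`, while the settings block just above has forced `KbdInteractiveAuthentication yes` and `ChallengeResponseAuthentication yes`; on a Debian/Ubuntu sshd running with `UsePAM yes`, keyboard-interactive authentication still lets a client log in with the account password through PAM, so the "✅ Password login disabled" message overstates what was achieved. That branch should also apply `sed -i "s/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication no/" "$SSHD_CONFIG"` and `sed -i "s/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/" "$SSHD_CONFIG"` (the latter is only a deprecated alias on current OpenSSH, but older releases still read it separately). Each `systemctl restart ssh` would be safer preceded by `sshd -t`, which under `set -e` aborts on a malformed config instead of leaving the daemon stopped, and `sshd -T` is the reliable way to confirm the effective values, because if the distribution's sshd_config carries an `Include` of drop-ins under `/etc/ssh/sshd_config.d/` near the top, the first-obtained value there wins over the lines this script edits. Note too that the key is appended to `~/.ssh/authorized_keys` of whoever runs the script; if that is root (as the writes to `$SSHD_CONFIG` and `systemctl` calls imply), answering yes to "Disable root login" locks out exactly the account the key was just installed for, which deserves a comment or a check before the `PermitRootLogin no` edit. serverprep.sh (the first hunk) forces the same two `yes` settings on `/etc/ssh/sshd_config` and should get the same treatment.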