louis/server-scripts
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

remove root loin prompt

Browse Source
This commit is contained in:
Louis Gutenschwager
2026-05-31 14:19:47 -05:00
parent 5c757a9da8
commit dde3f269ec
1 changed files with 113 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

172
sshupdate.sh
View File

@@ -2,14 +2,94 @@
set -e set -e
echo "===============================" # ===============================
echo " SSH Configuration Script" # CONFIG VALUES (EDIT HERE)
echo "===============================" # ===============================
SSH_PORT="48291"
SSHD_CONFIG="/etc/ssh/sshd_config" echo "==============================="
echo " Server Prep Script"
echo "==============================="
# ------------------------------- # -------------------------------
# Install SSH Key # Prompt for hostname
# -------------------------------
read -p "Enter new hostname (FQDN recommended): " NEW_HOSTNAME
if [ -z "$NEW_HOSTNAME" ]; then
echo "Hostname cannot be empty"
exit 1
fi
hostnamectl set-hostname "$NEW_HOSTNAME"
# -------------------------------
# Timezone
# -------------------------------
read -p "Enter timezone [default: America/Chicago]: " NEW_TZ
NEW_TZ=${NEW_TZ:-America/Chicago}
timedatectl set-timezone "$NEW_TZ"
timedatectl set-ntp true
# -------------------------------
# System update
# -------------------------------
apt update && apt upgrade -y
# -------------------------------
# Base packages
# -------------------------------
apt install -y \
curl \
ca-certificates \
gnupg \
lsb-release \
apt-transport-https \
software-properties-common \
fail2ban \
net-tools \
unzip \
jq
# -------------------------------
# SSH CONFIG (MODERN - socket)
# -------------------------------
echo "Configuring SSH socket on port ${SSH_PORT}..."
mkdir -p /etc/systemd/system/ssh.socket.d
cat > /etc/systemd/system/ssh.socket.d/override.conf <<EOF
[Socket]
ListenStream=
ListenStream=${SSH_PORT}
EOF
# Keep sshd_config aligned
sed -i "s/^#*Port .*/Port ${SSH_PORT}/" /etc/ssh/sshd_config
# SSH auth settings
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication yes/" /etc/ssh/sshd_config
if ! grep -q "^KbdInteractiveAuthentication" /etc/ssh/sshd_config; then
echo "KbdInteractiveAuthentication yes" >> /etc/ssh/sshd_config
else
sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" /etc/ssh/sshd_config
fi
if ! grep -q "^ChallengeResponseAuthentication" /etc/ssh/sshd_config; then
echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
else
sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
fi
systemctl daemon-reexec
systemctl daemon-reload
systemctl restart ssh.socket
systemctl restart ssh
# -------------------------------
# SSH KEY INSTALL
# ------------------------------- # -------------------------------
echo "Installing SSH key..." echo "Installing SSH key..."
@@ -21,71 +101,45 @@ chmod 700 ~/.ssh
grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys
echo "✅ Key installed" echo "✅ SSH key added"
# ------------------------------- # -------------------------------
# Backup config # Firewall
# ------------------------------- # -------------------------------
cp ${SSHD_CONFIG} ${SSHD_CONFIG}.bak.$(date +%s) read -p "Disable UFW? (Y/n): " DISABLE_UFW
# ------------------------------- if [[ ! "$DISABLE_UFW" =~ ^[Nn]$ ]]; then
# SSH SETTINGS systemctl stop ufw || true
# ------------------------------- systemctl disable ufw || true
echo "Updating SSH settings..."
# Pubkey
if grep -q "^PubkeyAuthentication" "$SSHD_CONFIG"; then
sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONFIG"
else else
echo "PubkeyAuthentication yes" >> "$SSHD_CONFIG" ufw allow ${SSH_PORT}/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
fi fi
# Password (initially enabled for safety)
if grep -q "^PasswordAuthentication" "$SSHD_CONFIG"; then
sed -i "s/^PasswordAuthentication.*/PasswordAuthentication yes/" "$SSHD_CONFIG"
else
echo "PasswordAuthentication yes" >> "$SSHD_CONFIG"
fi
# KbdInteractive ✅
if grep -q "^KbdInteractiveAuthentication" "$SSHD_CONFIG"; then
sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" "$SSHD_CONFIG"
else
echo "KbdInteractiveAuthentication yes" >> "$SSHD_CONFIG"
fi
# ChallengeResponse
if grep -q "^ChallengeResponseAuthentication" "$SSHD_CONFIG"; then
sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" "$SSHD_CONFIG"
else
echo "ChallengeResponseAuthentication yes" >> "$SSHD_CONFIG"
fi
systemctl restart ssh
echo "✅ SSH restarted"
# ------------------------------- # -------------------------------
# Optional Lockdown # Fail2Ban
# ------------------------------- # -------------------------------
read -p "Disable password login? (y/N): " DISABLE_PASS systemctl enable fail2ban
systemctl start fail2ban
if [[ "$DISABLE_PASS" =~ ^[Yy]$ ]]; then # -------------------------------
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONFIG" # Finish
systemctl restart ssh # -------------------------------
echo "✅ Password login disabled" IP_ADDR=$(hostname -I | awk '{print $1}')
fi
read -p "Disable root login? (y/N): " DISABLE_ROOT
if [[ "$DISABLE_ROOT" =~ ^[Yy]$ ]]; then
sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" "$SSHD_CONFIG"
systemctl restart ssh
echo "✅ Root login disabled"
fi
echo "" echo ""
echo "===============================" echo "==============================="
echo " ✅ SSH CONFIG COMPLETE" echo " ✅ SERVER READY"
echo "===============================" echo "==============================="
echo "⚠️ Test SSH access before closing your session"
echo "Hostname: $NEW_HOSTNAME"
echo "Timezone: $NEW_TZ"
echo "SSH Port: $SSH_PORT"
echo "IP: $IP_ADDR"
echo ""
echo "⚠️ TEST SSH NOW:"
echo "ssh -p $SSH_PORT root@$IP_ADDR"
``