remove root loin prompt

2026-05-31 14:19:47 -05:00
parent 5c757a9da8
commit dde3f269ec
1 changed files with 113 additions and 59 deletions
--- a/sshupdate.sh
+++ b/sshupdate.sh
@@ -2,14 +2,94 @@

 set -e

-echo "==============================="
-echo " SSH Configuration Script"
-echo "==============================="
+# ===============================
+# CONFIG VALUES (EDIT HERE)
+# ===============================
+SSH_PORT="48291"

-SSHD_CONFIG="/etc/ssh/sshd_config"
+echo "==============================="
+echo " Server Prep Script"
+echo "==============================="

 # -------------------------------
-# Install SSH Key
+# Prompt for hostname
+# -------------------------------
+read -p "Enter new hostname (FQDN recommended): " NEW_HOSTNAME
+
+if [ -z "$NEW_HOSTNAME" ]; then
+  echo "Hostname cannot be empty"
+  exit 1
+fi
+
+hostnamectl set-hostname "$NEW_HOSTNAME"
+
+# -------------------------------
+# Timezone
+# -------------------------------
+read -p "Enter timezone [default: America/Chicago]: " NEW_TZ
+NEW_TZ=${NEW_TZ:-America/Chicago}
+
+timedatectl set-timezone "$NEW_TZ"
+timedatectl set-ntp true
+
+# -------------------------------
+# System update
+# -------------------------------
+apt update && apt upgrade -y
+
+# -------------------------------
+# Base packages
+# -------------------------------
+apt install -y \
+  curl \
+  ca-certificates \
+  gnupg \
+  lsb-release \
+  apt-transport-https \
+  software-properties-common \
+  fail2ban \
+  net-tools \
+  unzip \
+  jq
+
+# -------------------------------
+# SSH CONFIG (MODERN - socket)
+# -------------------------------
+echo "Configuring SSH socket on port ${SSH_PORT}..."
+
+mkdir -p /etc/systemd/system/ssh.socket.d
+
+cat > /etc/systemd/system/ssh.socket.d/override.conf <<EOF
+[Socket]
+ListenStream=
+ListenStream=${SSH_PORT}
+EOF
+
+# Keep sshd_config aligned
+sed -i "s/^#*Port .*/Port ${SSH_PORT}/" /etc/ssh/sshd_config
+
+# SSH auth settings
+sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication yes/" /etc/ssh/sshd_config
+
+if ! grep -q "^KbdInteractiveAuthentication" /etc/ssh/sshd_config; then
+  echo "KbdInteractiveAuthentication yes" >> /etc/ssh/sshd_config
+else
+  sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" /etc/ssh/sshd_config
+fi
+
+if ! grep -q "^ChallengeResponseAuthentication" /etc/ssh/sshd_config; then
+  echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
+else
+  sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
+fi
+
+systemctl daemon-reexec
+systemctl daemon-reload
+systemctl restart ssh.socket
+systemctl restart ssh
+
+# -------------------------------
+# SSH KEY INSTALL
 # -------------------------------
 echo "Installing SSH key..."

@@ -21,71 +101,45 @@ chmod 700 ~/.ssh
 grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys
 chmod 600 ~/.ssh/authorized_keys

-echo "✅ Key installed"
+echo "✅ SSH key added"

 # -------------------------------
-# Backup config
+# Firewall
 # -------------------------------
-cp ${SSHD_CONFIG} ${SSHD_CONFIG}.bak.$(date +%s)
+read -p "Disable UFW? (Y/n): " DISABLE_UFW

-# -------------------------------
-# SSH SETTINGS
-# -------------------------------
-echo "Updating SSH settings..."
-
-# Pubkey
-if grep -q "^PubkeyAuthentication" "$SSHD_CONFIG"; then
-  sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONFIG"
+if [[ ! "$DISABLE_UFW" =~ ^[Nn]$ ]]; then
+  systemctl stop ufw || true
+  systemctl disable ufw || true
 else
-  echo "PubkeyAuthentication yes" >> "$SSHD_CONFIG"
+  ufw allow ${SSH_PORT}/tcp
+  ufw allow 80/tcp
+  ufw allow 443/tcp
+  ufw --force enable
 fi

-# Password (initially enabled for safety)
-if grep -q "^PasswordAuthentication" "$SSHD_CONFIG"; then
-  sed -i "s/^PasswordAuthentication.*/PasswordAuthentication yes/" "$SSHD_CONFIG"
-else
-  echo "PasswordAuthentication yes" >> "$SSHD_CONFIG"
-fi
-
-# KbdInteractive ✅
-if grep -q "^KbdInteractiveAuthentication" "$SSHD_CONFIG"; then
-  sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" "$SSHD_CONFIG"
-else
-  echo "KbdInteractiveAuthentication yes" >> "$SSHD_CONFIG"
-fi
-
-# ChallengeResponse
-if grep -q "^ChallengeResponseAuthentication" "$SSHD_CONFIG"; then
-  sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" "$SSHD_CONFIG"
-else
-  echo "ChallengeResponseAuthentication yes" >> "$SSHD_CONFIG"
-fi
-
-systemctl restart ssh
-
-echo "✅ SSH restarted"
-
 # -------------------------------
-# Optional Lockdown
+# Fail2Ban
 # -------------------------------
-read -p "Disable password login? (y/N): " DISABLE_PASS
+systemctl enable fail2ban
+systemctl start fail2ban

-if [[ "$DISABLE_PASS" =~ ^[Yy]$ ]]; then
-  sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONFIG"
-  systemctl restart ssh
-  echo "✅ Password login disabled"
-fi
-
-read -p "Disable root login? (y/N): " DISABLE_ROOT
-
-if [[ "$DISABLE_ROOT" =~ ^[Yy]$ ]]; then
-  sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" "$SSHD_CONFIG"
-  systemctl restart ssh
-  echo "✅ Root login disabled"
-fi
+# -------------------------------
+# Finish
+# -------------------------------
+IP_ADDR=$(hostname -I | awk '{print $1}')

 echo ""
 echo "==============================="
-echo " ✅ SSH CONFIG COMPLETE"
+echo " ✅ SERVER READY"
 echo "==============================="
-echo "⚠️ Test SSH access before closing your session"
+
+echo "Hostname: $NEW_HOSTNAME"
+echo "Timezone: $NEW_TZ"
+echo "SSH Port: $SSH_PORT"
+echo "IP: $IP_ADDR"
+
+echo ""
+echo "⚠️ TEST SSH NOW:"
+echo "ssh -p $SSH_PORT root@$IP_ADDR"
+``