Merge pull request 'scripts added' (#1) from master into main

Reviewed-on: #1

serverprep.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+
+set -e
+
+# ===============================
+# CONFIG VALUES (EDIT HERE)
+# ===============================
+SSH_PORT="48291"
+
+echo "==============================="
+echo " Server Prep Script"
+echo "==============================="
+
+# -------------------------------
+# Prompt for hostname
+# -------------------------------
+read -p "Enter new hostname (FQDN recommended): " NEW_HOSTNAME
+
+if [ -z "$NEW_HOSTNAME" ]; then
+  echo "Hostname cannot be empty"
+  exit 1
+fi
+
+hostnamectl set-hostname "$NEW_HOSTNAME"
+
+# -------------------------------
+# Timezone
+# -------------------------------
+read -p "Enter timezone [default: America/Chicago]: " NEW_TZ
+NEW_TZ=${NEW_TZ:-America/Chicago}
+
+timedatectl set-timezone "$NEW_TZ"
+timedatectl set-ntp true
+
+# -------------------------------
+# System update
+# -------------------------------
+apt update && apt upgrade -y
+
+# -------------------------------
+# Base packages
+# -------------------------------
+apt install -y \
+  curl \
+  ca-certificates \
+  gnupg \
+  lsb-release \
+  apt-transport-https \
+  software-properties-common \
+  fail2ban \
+  net-tools \
+  unzip \
+  jq
+
+# -------------------------------
+# SSH CONFIG (MODERN - socket)
+# -------------------------------
+echo "Configuring SSH socket on port ${SSH_PORT}..."
+
+mkdir -p /etc/systemd/system/ssh.socket.d
+
+cat > /etc/systemd/system/ssh.socket.d/override.conf <<EOF
+[Socket]
+ListenStream=
+ListenStream=${SSH_PORT}
+EOF
+
+# Keep sshd_config aligned
+sed -i "s/^#*Port .*/Port ${SSH_PORT}/" /etc/ssh/sshd_config
+
+# SSH auth settings
+sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication yes/" /etc/ssh/sshd_config
+
+if ! grep -q "^KbdInteractiveAuthentication" /etc/ssh/sshd_config; then
+  echo "KbdInteractiveAuthentication yes" >> /etc/ssh/sshd_config
+else
+  sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" /etc/ssh/sshd_config
+fi
+
+if ! grep -q "^ChallengeResponseAuthentication" /etc/ssh/sshd_config; then
+  echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
+else
+  sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
+fi
+
+systemctl daemon-reexec
+systemctl daemon-reload
+systemctl restart ssh.socket
+systemctl restart ssh
+
+# -------------------------------
+# SSH KEY INSTALL
+# -------------------------------
+echo "Installing SSH key..."
+
+SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDosb5jR9eu4Avc0HmMzR8HQDYOGRSxwRYgprpDuggDG eddsa-key-20260531"
+
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+
+grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys
+chmod 600 ~/.ssh/authorized_keys
+
+echo "✅ SSH key added"
+
+# -------------------------------
+# Firewall
+# -------------------------------
+read -p "Disable UFW? (Y/n): " DISABLE_UFW
+
+if [[ ! "$DISABLE_UFW" =~ ^[Nn]$ ]]; then
+  systemctl stop ufw || true
+  systemctl disable ufw || true
+else
+  ufw allow ${SSH_PORT}/tcp
+  ufw allow 80/tcp

sshupdate.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "==============================="
+echo " SSH Configuration Script"
+echo "==============================="
+
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+# -------------------------------
+# Install SSH Key
+# -------------------------------
+echo "Installing SSH key..."
+
+SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDosb5jR9eu4Avc0HmMzR8HQDYOGRSxwRYgprpDuggDG eddsa-key-20260531"
+
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+
+grep -qxF "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null || echo "$SSH_KEY" >> ~/.ssh/authorized_keys
+chmod 600 ~/.ssh/authorized_keys
+
+echo "✅ Key installed"
+
+# -------------------------------
+# Backup config
+# -------------------------------
+cp ${SSHD_CONFIG} ${SSHD_CONFIG}.bak.$(date +%s)
+
+# -------------------------------
+# SSH SETTINGS
+# -------------------------------
+echo "Updating SSH settings..."
+
+# Pubkey
+if grep -q "^PubkeyAuthentication" "$SSHD_CONFIG"; then
+  sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONFIG"
+else
+  echo "PubkeyAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+# Password (initially enabled for safety)
+if grep -q "^PasswordAuthentication" "$SSHD_CONFIG"; then
+  sed -i "s/^PasswordAuthentication.*/PasswordAuthentication yes/" "$SSHD_CONFIG"
+else
+  echo "PasswordAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+# KbdInteractive ✅
+if grep -q "^KbdInteractiveAuthentication" "$SSHD_CONFIG"; then
+  sed -i "s/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" "$SSHD_CONFIG"
+else
+  echo "KbdInteractiveAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+# ChallengeResponse
+if grep -q "^ChallengeResponseAuthentication" "$SSHD_CONFIG"; then
+  sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" "$SSHD_CONFIG"
+else
+  echo "ChallengeResponseAuthentication yes" >> "$SSHD_CONFIG"
+fi
+
+systemctl restart ssh
+
+echo "✅ SSH restarted"
+
+# -------------------------------
+# Optional Lockdown
+# -------------------------------
+read -p "Disable password login? (y/N): " DISABLE_PASS
+
+if [[ "$DISABLE_PASS" =~ ^[Yy]$ ]]; then
+  sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONFIG"
+  systemctl restart ssh
+  echo "✅ Password login disabled"
+fi
+
+read -p "Disable root login? (y/N): " DISABLE_ROOT
+
+if [[ "$DISABLE_ROOT" =~ ^[Yy]$ ]]; then
+  sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" "$SSHD_CONFIG"
+  systemctl restart ssh
+  echo "✅ Root login disabled"
+fi
+
+echo ""
+echo "==============================="
+echo " ✅ SSH CONFIG COMPLETE"
+echo "==============================="
+echo "⚠️ Test SSH access before closing your session"