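#!/usr/bin/env bash
#
# Server Prep Script — interactive first-boot setup for a Debian/Ubuntu host.
# Sets hostname and timezone, updates packages, moves the socket-activated
# SSH daemon to ${SSH_PORT}, installs an authorized key, optionally keeps UFW,
# and enables fail2ban.
#
# Must be run as root (hostnamectl, apt, systemctl and the /etc/ssh edits all
# require it). Run it from a console or a session you can afford to lose:
# sshd is restarted on a new port part-way through.
set -euo pipefail

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "This script must be run as root"

# ===============================
# CONFIG VALUES (EDIT HERE)
# ===============================
SSH_PORT="48291"
readonly SSH_PORT
readonly SSHD_CONFIG="/etc/ssh/sshd_config"

#######################################
# Set (or append) one sshd_config directive, matching the original
# grep/sed behaviour: only an uncommented line at column 0 is rewritten,
# otherwise the directive is appended.
# Arguments: $1 - directive name, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -q "^${key}" "$SSHD_CONFIG"; then
    sed -i "s/^${key}.*/${key} ${value}/" "$SSHD_CONFIG"
  else
    echo "${key} ${value}" >> "$SSHD_CONFIG"
  fi
}

echo "==============================="
echo " Server Prep Script"
echo "==============================="

# -------------------------------
# Prompt for hostname
# -------------------------------
# -r keeps backslashes in the typed value literal.
read -rp "Enter new hostname (FQDN recommended): " NEW_HOSTNAME
[[ -n "$NEW_HOSTNAME" ]] || die "Hostname cannot be empty"
hostnamectl set-hostname "$NEW_HOSTNAME"

# -------------------------------
# Timezone
# -------------------------------
read -rp "Enter timezone [default: America/Chicago]: " NEW_TZ
NEW_TZ=${NEW_TZ:-America/Chicago}
timedatectl set-timezone "$NEW_TZ"
timedatectl set-ntp true

# -------------------------------
# System update
# -------------------------------
# Two statements rather than `a && b`: under set -e a failure of the first
# member of an && list is ignored, so a failed `apt update` would silently
# skip the upgrade and continue.
apt update
apt upgrade -y

# -------------------------------
# Base packages
# -------------------------------
apt install -y \
  curl \
  ca-certificates \
  gnupg \
  lsb-release \
  apt-transport-https \
  software-properties-common \
  fail2ban \
  net-tools \
  unzip \
  jq

# -------------------------------
# SSH CONFIG (MODERN - socket)
# -------------------------------
echo "Configuring SSH socket on port ${SSH_PORT}..."

# If UFW is already enforcing, open the new port before sshd moves to it;
# otherwise a run that aborts before the Firewall section leaves the host
# reachable only on the old port.
if command -v ufw >/dev/null && ufw status 2>/dev/null | grep -q '^Status: active'; then
  ufw allow "${SSH_PORT}/tcp"
fi

mkdir -p /etc/systemd/system/ssh.socket.d
# PLACEHOLDER(review): the body of this drop-in was lost when this page was
# extracted (everything between the heredoc operator and the first
# KbdInteractiveAuthentication edit is missing). Restore the original
# [Socket] stanza from the source script; as written the drop-in is empty and
# ssh.socket keeps its default port.
cat > /etc/systemd/system/ssh.socket.d/override.conf <<EOF
# PLACEHOLDER: restore the original override body here
EOF

# NOTE(review): the `if` head of the KbdInteractiveAuthentication edit was
# lost in extraction; it is reconstructed by analogy with the
# ChallengeResponseAuthentication edit that survived — confirm against the
# original script.
# Both directives enable keyboard-interactive (PAM) logins. On OpenSSH 8.7+
# ChallengeResponseAuthentication is a deprecated alias of
# KbdInteractiveAuthentication, so the second edit is redundant there.
# Nothing visible here sets PasswordAuthentication or PermitRootLogin;
# whether root remains reachable with a password depends on the distro
# defaults and on the lost section — verify before relying on key-only login.
set_sshd_option KbdInteractiveAuthentication yes
set_sshd_option ChallengeResponseAuthentication yes

# Validate the edited config before restarting; a broken sshd_config would
# otherwise take the daemon down with no way back in.
sshd -t || die "sshd_config failed validation; not restarting ssh"

systemctl daemon-reexec
systemctl daemon-reload
systemctl restart ssh.socket
systemctl restart ssh

# -------------------------------
# SSH KEY INSTALL
# -------------------------------
echo "Installing SSH key..."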
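# Public key to authorize. Can be overridden through an SSH_KEY environment
# variable; the default is the key baked into this script. A key embedded in
# a provisioning script is one credential shared by every host it builds, so
# rotating it means editing and re-running the script everywhere.
SSH_KEY="${SSH_KEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDosb5jR9eu4Avc0HmMzR8HQDYOGRSxwRYgprpDuggDG eddsa-key-20260531}"

# Refuse a key line sshd cannot parse: a malformed line is silently ignored
# by the daemon and only shows up as a lockout at the "TEST SSH NOW" step.
if ! ssh-keygen -lf <(printf '%s\n' "$SSH_KEY") >/dev/null 2>&1; then
  printf 'SSH_KEY is not a valid public key line\n' >&2
  exit 1
fi

# NOTE(review): ~ follows $HOME. Under some sudo configurations that is the
# invoking user's home rather than /root, while the closing hint logs in as
# root — confirm HOME=/root when this runs.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Append only when the exact line is absent, so re-runs stay idempotent.
grep -qxF -- "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null \
  || printf '%s\n' "$SSH_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
echo "✅ SSH key added"

# -------------------------------
# Firewall
# -------------------------------
# Enter or Y disables UFW entirely; only an explicit N keeps it and opens
# SSH, HTTP and HTTPS. The default is the less restrictive choice.
read -rp "Disable UFW? (Y/n): " DISABLE_UFW
if [[ ! "$DISABLE_UFW" =~ ^[Nn]$ ]]; then
  # Best effort: ufw may not be installed or may already be inactive.
  systemctl stop ufw || true
  systemctl disable ufw || true
else
  ufw allow "${SSH_PORT}/tcp"
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable
fi

# -------------------------------
# Fail2Ban
# -------------------------------
# NOTE(review): the stock sshd jail bans on the `ssh` service port (22);
# with sshd listening on ${SSH_PORT} the bans may not cover the new port
# unless a jail.local overrides `port` — verify after enabling.
systemctl enable --now fail2ban

# -------------------------------
# Finish
# -------------------------------
IP_ADDR=$(hostname -I | awk '{print $1}')
echo ""
echo "==============================="
echo " ✅ SERVER READY"
echo "==============================="
echo "Hostname: $NEW_HOSTNAME"
echo "Timezone: $NEW_TZ"
echo "SSH Port: $SSH_PORT"
echo "IP: $IP_ADDR"
echo ""
echo "⚠️ TEST SSH NOW:"
echo "ssh -p $SSH_PORT root@$IP_ADDR"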