#!/bin/bash
#
# Linux Auto Secure Script
# https://github.com/haiphamhoang/linux-auto-secure
# Copyright (c) 2023 by haiphamhoang
# Color definitions
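# Color definitions (ANSI escapes; print with printf '%b' or echo -e)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly ENDCOLOR='\033[0m'
# Global variables
# Port of the sshd this session came in through: third field of SSH_CLIENT
# ("client_ip client_port server_port"). When the script is run from a console
# SSH_CLIENT is unset and the old one-liner left ssh_current_port empty, which
# later produced a broken "Port " prompt and sed pattern. Fall back to the first
# Port directive in sshd_config if readable, and finally to the protocol default 22.
ssh_current_port=$(awk '{print $3}' <<<"${SSH_CLIENT:-}")
if [[ -z "$ssh_current_port" && -r /etc/ssh/sshd_config ]]; then
  ssh_current_port=$(awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ {print $2; exit}' /etc/ssh/sshd_config)
fi
: "${ssh_current_port:=22}"
DOCKERINSTALL=false        # set to true by configure_docker
HEXTRIXTOOL=false          # set to a monitor id by configure_hextrix; false = skip
SSHAUTHKEY=false           # set to true by configure_ssh_auth
SSHPORT=$ssh_current_port  # overwritten by configure_ssh_port; may stay equal to the current port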
#######################################
# Validation Functions
#######################################
#######################################
# Abort unless the script runs under bash, as root, on a supported distro.
# Globals:   EUID (read), RED / ENDCOLOR (read)
# Outputs:   diagnostic on stdout
# Returns:   exits 1 on any unmet requirement; otherwise falls through
#            to check_os_compatibility
#######################################
check_requirements() {
  # The script uses [[ ]], select, read -N and arrays: refuse dash.
  if readlink "/proc/$$/exe" | grep -q "dash"; then
    echo 'This installer needs to be run with "bash", not "sh".'
    exit 1
  fi
  # Everything that follows edits /etc and installs packages.
  if (( EUID != 0 )); then
    printf '%b\n' "${RED}Sorry, you need to run this as root${ENDCOLOR}"
    exit 1
  fi
  check_os_compatibility
}
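#######################################
# Detect the distribution and exit if it is not Ubuntu >= 18.04 or
# Debian >= 10 (stable).
# Globals:   os, os_version (written; used for convenience by the rest of the script)
# Outputs:   diagnostic on stdout
# Returns:   exits 1 on an unsupported host (the original exited 0 here, which
#            made a failed check look like success to a one-liner or CI caller)
#######################################
check_os_compatibility() {
  # Discard pending stdin. Needed when running from a one-liner which includes
  # a newline, which would otherwise be consumed as an answer to a prompt below.
  read -N 999999 -t 0.001
  # Detect OpenVZ 6: a 2.x kernel cannot run the tooling installed later.
  if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then
    echo "The system is running an old kernel, which is incompatible with this installer."
    exit 1
  fi
  # Detect OS.
  # NOTE(review): the unanchored grep also matches derivatives whose ID_LIKE
  # names ubuntu; their VERSION_ID may not follow Ubuntu's YYMM scheme.
  if grep -qs "ubuntu" /etc/os-release; then
    os="ubuntu"
    os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.')
  elif [[ -e /etc/debian_version ]]; then
    os="debian"
    os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1)
  # RHEL-family detection stays disabled: every install step is apt-based.
  # elif [[ -e /etc/almalinux-release || -e /etc/rocky-release || -e /etc/centos-release ]]; then
  #   os="centos"
  #   os_version=$(grep -shoE '[0-9]+' /etc/almalinux-release /etc/rocky-release /etc/centos-release | head -1)
  # elif [[ -e /etc/fedora-release ]]; then
  #   os="fedora"
  #   os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1)
  else
    echo "This installer seems to be running on an unsupported distribution.
Supported distros are Ubuntu, Debian."
    exit 1
  fi
  if [[ "$os" == "ubuntu" && "$os_version" -lt 1804 ]]; then
    echo "Ubuntu 18.04 or higher is required to use this installer.
This version of Ubuntu is too old and unsupported."
    exit 1
  fi
  if [[ "$os" == "debian" ]]; then
    if grep -q '/sid' /etc/debian_version; then
      echo "Debian Testing and Debian Unstable are unsupported by this installer."
      exit 1
    fi
    if [[ "$os_version" -lt 10 ]]; then
      echo "Debian 10 or higher is required to use this installer.
This version of Debian is too old and unsupported."
      exit 1
    fi
  fi
  # The CentOS version check that used to follow was unreachable ($os is never
  # "centos" while that branch is commented out), and the root check is already
  # done once in check_requirements before this function is called.
}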
#######################################
# Configuration Functions
#######################################
#######################################
# Run the interactive prompts in a fixed order; each one records its answer
# in a global (SSHPORT, SSHAUTHKEY, HEXTRIXTOOL, DOCKERINSTALL).
#######################################
get_user_preferences() {
  local prompt
  for prompt in configure_ssh_port configure_ssh_auth configure_hextrix configure_docker; do
    "$prompt"
  done
}
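#######################################
# Ask for the SSH port to configure; Enter keeps the current one.
# Globals:   ssh_current_port (read), SSHPORT (written)
# Outputs:   prompts and "invalid port" messages
# Returns:   0
# Note: the script does not open the chosen port in any firewall; the operator
# must do that before the session is closed.
#######################################
configure_ssh_port() {
  local answer
  read -r -p "Change SSH Port, press Enter to keep current ($ssh_current_port): " answer
  # Loop until the input is empty (keep current) or a usable TCP port.
  # The old check accepted 0 and choked on leading zeros such as "08".
  until [[ -z "$answer" ]] || _is_valid_port "$answer"; do
    echo "$answer: invalid port."
    read -r -p "SSH Port (current $ssh_current_port): " answer
  done
  SSHPORT=${answer:-$ssh_current_port}
}

# True when $1 is a decimal integer in 1..65535 (leading zeros tolerated).
_is_valid_port() {
  local re='^0*([0-9]{1,5})$' digits
  [[ "$1" =~ $re ]] || return 1
  digits=${BASH_REMATCH[1]}
  # 10# forces decimal so a stray leading zero is never read as octal
  (( 10#$digits >= 1 && 10#$digits <= 65535 ))
}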
#######################################
# Ask whether root's authorized_keys should be added to / updated.
# Globals:   SSHAUTHKEY (written: true on "Yes", otherwise untouched)
#######################################
configure_ssh_auth() {
  local reply
  echo "Add/update SSH authorized_keys?"
  select reply in "Yes" "No"; do
    # Any answer other than 1 ("Yes") — including an invalid number — leaves the default.
    [[ "$reply" == "Yes" ]] && SSHAUTHKEY=true
    break
  done
}
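#######################################
# Ask whether to install the HetrixTools monitor agent and for its monitor id.
# Globals:   HEXTRIXTOOL (written: the monitor id, or left as false to skip)
# Outputs:   prompts
# Returns:   0
#######################################
configure_hextrix() {
  local choice monitor_id
  echo "Install HEXTRIXTOOL monitor?"
  select choice in "Yes" "No"; do
    if [[ "$choice" == "Yes" ]]; then
      # -r keeps backslashes in the id literal
      read -r -p "Input your monitor id: " monitor_id
      # An empty id used to be stored as "", which install_hextrix does not treat
      # as "skip" and would pass to the installer; keep false instead.
      if [[ -n "$monitor_id" ]]; then
        HEXTRIXTOOL=$monitor_id
      else
        echo "No monitor id given; skipping HetrixTools install."
      fi
    fi
    break
  done
}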
#######################################
# Ask whether Docker should be installed or updated.
# Globals:   DOCKERINSTALL (written: true on "Yes", otherwise untouched)
#######################################
configure_docker() {
  local reply
  echo "Install or update Docker?"
  select reply in "Yes" "No"; do
    if [[ "$reply" == "Yes" ]]; then
      DOCKERINSTALL=true
    fi
    break
  done
}
#######################################
# Installation Functions
#######################################
#######################################
# Refresh and upgrade apt, then install the tools the later steps rely on
# (wget/curl for downloads, putty-tools for puttygen).
# Returns:   status of the final apt-get install
#######################################
install_base_packages() {
  local -a base_pkgs=(wget curl putty-tools)
  apt-get update -y && apt-get upgrade -y
  apt-get install -y "${base_pkgs[@]}"
}
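#######################################
# Download and run the HetrixTools agent installer for the configured monitor id.
# Globals:   HEXTRIXTOOL (read; false or empty means skip)
# Returns:   0 when skipped or the installer succeeded, 1 on download failure,
#            otherwise the installer's status
# Security note: the installer is fetched over HTTPS and executed as root without
# an integrity check (upstream publishes no checksum to pin here). It is now
# written to a fresh temp file and removed afterwards, so a failed download can
# no longer fall through to running a stale copy left in the working directory.
#######################################
install_hextrix() {
  [[ -z "$HEXTRIXTOOL" || "$HEXTRIXTOOL" == false ]] && return 0
  local installer rc
  installer=$(mktemp) || return 1
  if ! wget -q -O "$installer" https://raw.githubusercontent.com/hetrixtools/agent/master/hetrixtools_install.sh; then
    echo "Failed to download the HetrixTools installer; skipping." >&2
    rm -f -- "$installer"
    return 1
  fi
  # Trailing positional options are passed through unchanged from the original script.
  bash "$installer" "$HEXTRIXTOOL" 0 0 0 0 0 0
  rc=$?
  rm -f -- "$installer"
  return "$rc"
}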
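#######################################
# Install Docker CE from Docker's apt repository (Ubuntu/Debian only).
# Globals:   DOCKERINSTALL (read; anything but true means skip)
# Outputs:   progress messages, docker version strings
# Returns:   0 when skipped or installed; 1 when a required step fails
#            (previously a failed key download or repo setup was ignored and
#            the later apt-get update simply errored out)
#######################################
install_docker() {
  [[ "$DOCKERINSTALL" != true ]] && return 0
  echo "Installing Docker..."
  local distro codename arch pkg
  local -r keyring=/etc/apt/keyrings/docker.asc
  # Read os-release in a subshell so ID / VERSION_CODENAME do not leak into our scope.
  distro=$(. /etc/os-release && echo "$ID") || return 1
  codename=$(. /etc/os-release && echo "$VERSION_CODENAME") || return 1
  arch=$(dpkg --print-architecture) || return 1
  # Remove the distro packages that conflict with docker-ce. -y keeps an
  # unattended run from stalling on a confirmation prompt; a package that is
  # not installed is not an error here.
  for pkg in docker.io docker-doc docker-compose containerd runc; do
    apt-get remove -y "$pkg"
  done
  # Install prerequisites
  apt-get install -y ca-certificates curl gnupg lsb-release || return 1
  # Add Docker repository: -f makes curl fail on an HTTP error so an empty or
  # partial file is never installed as the trusted signing key.
  install -m 0755 -d /etc/apt/keyrings || return 1
  if ! curl -fsSL "https://download.docker.com/linux/${distro}/gpg" -o "$keyring"; then
    echo "Failed to download the Docker apt signing key" >&2
    return 1
  fi
  chmod a+r "$keyring"
  printf 'deb [arch=%s signed-by=%s] https://download.docker.com/linux/%s %s stable\n' \
    "$arch" "$keyring" "$distro" "$codename" > /etc/apt/sources.list.d/docker.list
  # Install Docker
  apt-get update -y || return 1
  apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin || return 1
  systemctl enable docker
  echo "Docker installed successfully"
  # Both version commands talk to the CLI only, so no wait for the daemon is needed.
  docker --version
  docker compose version
}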
#######################################
# SSH Configuration Functions
#######################################
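#######################################
# Add a public key to root's authorized_keys, either pasted by the operator or
# freshly generated.
# Globals:   SSHAUTHKEY (read; anything but true means skip)
# Outputs:   prompts and status messages
# Returns:   0 when skipped, quit or updated; 1 when the key was rejected or
#            generation failed (so the caller can avoid locking password auth
#            on a box with no working key)
#######################################
configure_ssh_security() {
  [[ "$SSHAUTHKEY" != true ]] && return 0
  local option pubkey
  echo "Updating SSH authentication keys..."
  # 700 on ~/.ssh is required by StrictModes, which update_ssh_config enables.
  mkdir -p /root/.ssh && chmod 700 /root/.ssh
  echo "Select SSH key option:"
  select option in "Use my own key" "Make one" "Quit"; do
    case $option in
      "Use my own key")
        read -r -p "Input your public key: " pubkey
        _add_authorized_key "$pubkey" || return 1
        break
        ;;
      "Make one")
        generate_ssh_keys || return 1
        break
        ;;
      "Quit")
        return 0
        ;;
    esac
  done
  echo "Successfully updated authorized_keys"
}

# Append one OpenSSH public-key line to /root/.ssh/authorized_keys.
# Arguments: $1 - "<type> <base64> [comment]" as pasted by the operator
# Returns:   1 if the line does not have that shape (the old code wrote whatever
#            was typed, replacing every existing key); 0 otherwise.
# Existing keys are kept and an identical line is not added twice.
_add_authorized_key() {
  local key=$1
  local -r akf=/root/.ssh/authorized_keys
  local -r key_re='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
  if [[ ! "$key" =~ $key_re ]]; then
    echo "That does not look like an OpenSSH public key (expected '<type> <base64> [comment]'); nothing written." >&2
    return 1
  fi
  { touch "$akf" && chmod 600 "$akf"; } || return 1
  if grep -qxF -- "$key" "$akf"; then
    echo "Key already present in $akf"
  else
    printf '%s\n' "$key" >> "$akf"
  fi
}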
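#######################################
# Generate an ed25519 key pair in ./gensshkey, export a PuTTY .ppk, and
# authorize the public half for root.
# Outputs:   ssh-keygen / puttygen output; the directory is reported by main
# Returns:   1 if puttygen is missing or any generation step fails (the old
#            code continued and copied a non-existent .pub on failure)
# Note: the private key and .ppk stay in the working directory; the directory
# is made 0700 so other local users cannot read them, but the operator should
# move them off the host and delete them once retrieved.
#######################################
generate_ssh_keys() {
  local -r outdir=./gensshkey
  local -r keyfile=$outdir/key_file
  local -r akf=/root/.ssh/authorized_keys
  echo "Generating SSH key files..."
  if ! command -v puttygen >/dev/null; then
    echo "puttygen not found (package putty-tools); cannot generate keys." >&2
    return 1
  fi
  { mkdir -p "$outdir" && chmod 700 "$outdir"; } || return 1
  # -o/-a 256: new-format private key with 256 KDF rounds. ssh-keygen itself
  # prompts before overwriting an existing key_file and for a passphrase.
  ssh-keygen -o -a 256 -t ed25519 -f "$keyfile" -C "root@$(hostname)-$(date +'%Y%m%d')" || return 1
  puttygen "$keyfile" -O private -o "$outdir/putty_private_key.ppk" || return 1
  mkdir -p /root/.ssh && chmod 700 /root/.ssh
  # Append rather than overwrite so keys that are already authorized keep working.
  cat "$keyfile.pub" >> "$akf" && chmod 600 "$akf"
}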
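#######################################
# Harden /etc/ssh/sshd_config: set the chosen port, StrictModes, MaxAuthTries 3,
# key auth on and — only when a key is actually authorized — password auth off.
# Globals:   SSHPORT (read), YELLOW / ENDCOLOR (read)
# Outputs:   warnings on stderr; effective sshd values on stdout after restart
# Returns:   1 if the edited config fails `sshd -t` (sshd is then NOT restarted,
#            because a restart on a broken config would leave no way back in);
#            otherwise the status of the service restart
#######################################
update_ssh_config() {
  local -r cfg=/etc/ssh/sshd_config
  local -r akf=/root/.ssh/authorized_keys
  local rc
  # Port: rewrite any existing (possibly commented) Port directive instead of
  # searching for the session's port. The old unanchored pattern turned
  # "Port 2222" into "Port 222222" when the old port was a prefix of the new
  # one, and left the file untouched when the directive did not match the
  # session port. If there is no directive at all, append one.
  if grep -qE '^#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -i -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $SSHPORT/" "$cfg"
  else
    printf 'Port %s\n' "$SSHPORT" >> "$cfg"
  fi
  sed -i 's/#\?StrictModes.*/StrictModes yes/' "$cfg"
  sed -i 's/#\?MaxAuthTries.*/MaxAuthTries 3/' "$cfg"
  sed -i 's/#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' "$cfg"
  # Lockout guard: password login is disabled only when root has at least one
  # key line authorized; the old code disabled it unconditionally, even when the
  # operator answered "No" or "Quit" to the key prompts.
  if [[ -s "$akf" ]] && grep -qE '^(ssh-|ecdsa-|sk-)' "$akf"; then
    sed -i 's/#\?PasswordAuthentication.*/PasswordAuthentication no/' "$cfg"
  else
    printf '%b\n' "${YELLOW}No key found in $akf; PasswordAuthentication left unchanged to avoid a lockout.${ENDCOLOR}" >&2
  fi
  # Validate before restarting: a syntax error would stop sshd from coming back.
  if ! sshd -t; then
    echo "sshd_config failed validation (sshd -t); sshd was NOT restarted." >&2
    return 1
  fi
  service ssh restart || service sshd restart
  rc=$?
  # Show the values sshd actually uses. NOTE(review): on releases whose
  # sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf" the first
  # occurrence wins, so a drop-in there (cloud-init ships one) overrides the
  # lines edited above; this output is how the operator notices that.
  sshd -T 2>/dev/null | grep -E '^(port|passwordauthentication|pubkeyauthentication|maxauthtries|strictmodes) '
  return "$rc"
}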
#######################################
# Main Function
#######################################
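#######################################
# Entry point: checks, prompts, installs, then SSH hardening and a summary.
# The script does not use set -e, so a failed install step is reported by its
# own output and the remaining steps still run; the SSH step is the one whose
# failure must not pass silently, since it decides how the next login works.
# Globals:   SSHPORT, ssh_current_port, RED / GREEN / ENDCOLOR (read)
#######################################
main() {
  check_requirements
  get_user_preferences
  # Installation process
  install_base_packages
  install_hextrix
  install_docker
  configure_ssh_security
  if ! update_ssh_config; then
    printf '%b\n' "${RED}SSH configuration was not applied cleanly; review /etc/ssh/sshd_config before closing this session.${ENDCOLOR}" >&2
  fi
  # Final messages
  echo "Installation completed."
  if [[ -d ./gensshkey ]]; then
    printf '%b\n' "SSH key files saved at: ${GREEN}${PWD}/gensshkey${ENDCOLOR}"
  fi
  # Nothing in this script touches a firewall, so a changed port needs a rule.
  if [[ "$SSHPORT" != "$ssh_current_port" ]]; then
    echo "sshd now listens on port $SSHPORT; allow it in your firewall and test a new login before closing this session."
  fi
  echo "Remember to reboot your system!"
}

main "$@"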