Secure Ubuntu
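#!/bin/bash
#
# Secure Ubuntu: a first-boot hardening pass for a fresh Ubuntu VM.
#
# Usage: secure-ubuntu.sh NON_ROOT_USER
#
# Disclaimer: This is not the most secure configuration possible. This script
# is only intended to be more secure than the default configuration. No
# promises are made about this script preventing your server from getting
# owned or your bike getting stolen. The bad guys are still out to get you.
# And running this script does not excuse you from writing secure application
# code!
#
# This script assumes you're running it as root and logged in using an SSH
# key pair. Password logins are disabled below, so if you are on a password
# session you'll be locked out of your VM.
set -euo pipefail

# apt must never stall on a prompt during an unattended run.
export DEBIAN_FRONTEND=noninteractive

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ $# -ne 1 ]]; then
  echo "Usage: $0 NON_ROOT_USER" >&2
  echo "Example: $0 foo" >&2
  exit 1
fi
NON_ROOT_USER=$1
readonly NON_ROOT_USER

# The username is untrusted input that ends up in paths, chown/adduser
# arguments and the firewall-less part of the system; restrict it to the
# shape adduser's default NAME_REGEX accepts.
[[ "$NON_ROOT_USER" =~ ^[a-z_][a-z0-9_-]*$ ]] \
  || die "Invalid username: '$NON_ROOT_USER'"
[[ $EUID -eq 0 ]] || die "This script must be run as root."

# The key copied to the new user is root's own authorized_keys. Use an
# absolute path: the relative '.ssh/authorized_keys' only worked when the
# script happened to be launched from /root. Refuse to continue without it,
# because disabling password login with no key would lock you out.
ROOT_AUTH_KEYS=/root/.ssh/authorized_keys
readonly ROOT_AUTH_KEYS
[[ -s "$ROOT_AUTH_KEYS" ]] \
  || die "$ROOT_AUTH_KEYS is missing or empty; refusing to lock you out."

# Upgrade
apt-get update
apt-get -y upgrade

# Create the non-root user BEFORE touching sshd, so a failure part-way through
# leaves root key login intact and the box reachable.
# adduser prompts for a password interactively; that password is only used
# by sudo, since SSH password authentication is disabled below.
adduser --shell /bin/bash --gecos "User" \
  --home "/home/$NON_ROOT_USER" "$NON_ROOT_USER"
adduser "$NON_ROOT_USER" sudo

# Copy root's public key(s) to the non-root user. Keep ~/.ssh 0700 and
# authorized_keys 0600: sshd's default StrictModes rejects keys in
# group/world-accessible locations, and the original mkdir/cp inherited
# whatever umask root had.
install -d -m 0700 -o "$NON_ROOT_USER" -g "$NON_ROOT_USER" \
  "/home/$NON_ROOT_USER/.ssh"
install -m 0600 -o "$NON_ROOT_USER" -g "$NON_ROOT_USER" \
  "$ROOT_AUTH_KEYS" "/home/$NON_ROOT_USER/.ssh/authorized_keys"

# Disable root and password login over SSH.
# Match the whole directive, commented or not, instead of the literal
# 'PermitRootLogin yes': Ubuntu ships 'PermitRootLogin prohibit-password'
# (older releases: 'without-password'), which the literal substitution
# never touched, leaving root key login enabled.
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
  /etc/ssh/sshd_config
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' \
  /etc/ssh/sshd_config
# If either directive was absent altogether, add it so the setting is explicit
# rather than relying on the compiled-in default.
grep -qE '^PermitRootLogin no$' /etc/ssh/sshd_config \
  || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
grep -qE '^PasswordAuthentication no$' /etc/ssh/sshd_config \
  || echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config
# Validate before restarting: a bad sshd_config plus a restart would take
# down the only way back into the machine.
/usr/sbin/sshd -t
service ssh restart

# Block all inbound traffic except ssh and http/s (plus the app port).
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
# The nat REDIRECT below rewrites :80 -> :3000 before ufw's filter rules see
# the packet, so 3000 must be open for the redirect to work. This also exposes
# 3000 directly; if you front the app with a reverse proxy instead, drop this
# rule and bind the app to localhost.
ufw allow 3000/tcp
ufw --force enable

# Defend against brute force login attempts
apt-get -y install fail2ban

# Set unattended security upgrades. Write the file instead of appending so a
# re-run does not stack duplicate directives.
apt-get -y install unattended-upgrades
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Redirect port 80 traffic to port 3000 so the app can run unprivileged.
# We are already root, so no sudo. Take the interface from the default route
# instead of assuming eth0 (newer Ubuntu uses names like ens3/enp0s3); fall
# back to eth0 if no default route is present.
# NOTE: this nat rule is not persisted and disappears on reboot; add it to
# /etc/ufw/before.rules (or iptables-persistent) if you need it to survive.
IFACE=$(ip -o route show default \
  | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }}')
IFACE=${IFACE:-eth0}
iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
  -j REDIRECT --to-port 3000

# Only the PUBLIC key (id_rsa.pub) ever goes into authorized_keys; the
# private key (id_rsa) must never leave the client machine.
echo "Bye bye. If your key differs from root's, append your PUBLIC key (id_rsa.pub, never id_rsa) to /home/$NON_ROOT_USER/.ssh/authorized_keys, then log out and log in again as $NON_ROOT_USER."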