Initial Setup

by jahidulhamid
19 deployments · 0 still active · last rev. 3 months ago

Initialize server with a default setup.

It can do the following:

1. update (only package list) or upgrade (full upgrade) system
2.1. set hostname
2.2. add host entry with hostname to address 127.0.1.1
3. set up colorful bash prompt
4. set up a standard user with sudo privilege using a user defined login shell
5.1. set up SSH public key for a specified user
5.2. disable password login for SSH (only after the public key from 5.1 has been installed successfully)
5.3. disable root login for SSH
5.4. restrict SSH access to only IPv4 or IPv6
6. set up some common packages (git, wget, tar, gzip, lzip, bc, inxi, build-essential)
7. set up fail2ban
8.1 set up ufw
8.2 ufw: allow ftp, ssh, http, https and mail server ports
8.3 ufw: deny all incoming
8.4 ufw: allow all outgoing
9. set up sendmail
10.1 set up apache2
10.2 apache2 tuning for low memory
11.1 set up mysql
11.2 mysql tuning for security
11.3 mysql tuning for low memory

All script output (stdout and stderr) is appended to the log file /var/cache/initserver.sh.log

Compatible with: Debian 8, Debian 9, Ubuntu 16.04 LTS, Ubuntu 17.04, Debian 7, Ubuntu 14.04 LTS
						#!/bin/bash
# <UDF name="update_mode" Label="Update mode" oneOf="update,upgrade" default="upgrade" />
# <UDF name="system_hostname" Label="System hostname" example="myhostname" default="" />
# <UDF name="user_name" Label="Standard username" example="user" default="" />
# <UDF name="user_password" Label="Password for standard user" default="" />
# <UDF name="user_shell" Label="Default SHELL for standard user" default="/bin/bash" example="/full/path/to/shell" />
# <UDF name="ssh_user" Label="SSH user" example="user" default="" />
# <UDF name="ssh_pubkey" Label="SSH public key" default="" />
# <UDF name="ssh_disable_password_login" Label="Disable password login for SSH" oneOf="yes,no" default="yes" />
# <UDF name="ssh_disable_root_login" Label="Disable root login for SSH" oneOf="yes,no" default="yes" />
# <UDF name="ssh_restrict_address_family" Label="Restrict SSH AddressFamily" oneOf="inet,inet6" default="inet" />
# <UDF name="fail2ban_install" Label="Install fail2ban" oneOf="yes,no" default="yes" />
# <UDF name="ufw_install" Label="Install UFW firewall" oneOf="yes,no" default="yes" />
# <UDF name="common_install" Label="Install common packages (git, wget, tar, bc, gzip, lzip, inxi)" oneOf="yes,no" default="yes" />
# <UDF name="colorful_bash_prompt_install" Label="Install a colorful bash prompt" oneOf="yes,no" default="yes" />
# <UDF name="sendmail_install" Label="Install sendmail" oneOf="yes,no" default="yes" />
# <UDF name="apache2_install" Label="Install apache2 webserver" oneOf="yes,no" default="yes" />
# <UDF name="mysql_install" Label="Install mysql" oneOf="yes,no" default="yes" />
# <UDF name="mysql_root_password" Label="Root password for mysql" default="" />

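# Provisioning log: from here on, stdout and stderr of every step are shown
# and also appended to /var/cache/initserver.sh.log via tee.
mkdir -p /var/cache
# This script handles USER_PASSWORD and MYSQL_ROOT_PASSWORD, and what the
# included helper functions print is not visible from this file. Create the
# log owner-only (and tighten an existing one) so that anything sensitive
# that ends up in it is not readable by other local accounts.
(umask 077 && : >>/var/cache/initserver.sh.log)
chmod 600 /var/cache/initserver.sh.log
exec &> >(tee -a /var/cache/initserver.sh.log)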

# StackScript include directive: the <ssinclude .../> tag is substituted by the
# platform before bash runs this file, so the line is not valid standalone bash.
# The helpers called below (system_update, user_add_with_sudo,
# ssh_disable_root_login, ufw_install, mysql_tune_security, wrn_out, ...) are
# not defined in this file and presumably come from the included script.
# NOTE(review): the include is referenced by ID only. Its code performs the
# actual system changes, so review it before deploying, and confirm whether a
# later revision of that script would be picked up automatically.
source <ssinclude StackScriptID="182722">

# Package refresh, selected by UPDATE_MODE. Any value other than "update" or
# "upgrade" (including empty) skips this step entirely.
case "$UPDATE_MODE" in
    update)
        system_update
        ;;
    upgrade)
        system_upgrade
        ;;
esac

# Hostname is optional: both helpers run only when a name was supplied.
if [[ "$SYSTEM_HOSTNAME" ]]; then
    system_set_hostname "$SYSTEM_HOSTNAME"
    # Add a hosts entry pointing the new hostname at 127.0.1.1.
    system_add_host_entry 127.0.1.1 "$SYSTEM_HOSTNAME"
fi

# Optional cosmetic step; only the exact value "yes" enables it.
case "$COLORFUL_BASH_PROMPT_INSTALL" in
    yes)
        colorful_bash_prompt_install
        ;;
esac

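# Create the standard sudo-capable user only when both a name and a password
# were supplied; with either one missing, no user is created.
if [[ -n "$USER_NAME" ]] && [[ -n "$USER_PASSWORD" ]]; then
    # USER_SHELL is quoted so a value containing whitespace or glob characters
    # reaches the helper as a single, literal argument. The ${VAR:+...} form
    # keeps the previous behaviour for an empty value: no third argument is
    # passed at all.
    # NOTE(review): the password is handed over as a function argument. Check
    # that the included helper does not put it on an external command line or
    # echo it into the provisioning log.
    user_add_with_sudo "$USER_NAME" "$USER_PASSWORD" ${USER_SHELL:+"$USER_SHELL"}
fi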

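# SSH hardening.
# Tracks whether any sshd setting was changed below, so the daemon is
# restarted once at the end. Previously the restart was tied to the
# address-family option alone; with that option empty, the password/root login
# changes would not take effect if the helpers only edit the configuration
# (their implementation is not visible in this file).
ssh_config_changed=no

# Password login is disabled only after a public key has been installed
# successfully, so the account is not left without any way to log in.
if [[ -n "$SSH_USER" ]] && [[ -n "$SSH_PUBKEY" ]]; then
    if ssh_user_add_pubkey "$SSH_USER" "$SSH_PUBKEY"; then
        if [[ "$SSH_DISABLE_PASSWORD_LOGIN" = yes ]]; then
            ssh_disable_password_login
            ssh_config_changed=yes
        fi
    elif [[ "$SSH_DISABLE_PASSWORD_LOGIN" = yes ]]; then
        wrn_out "Could not set SSH public key, thus password login will not be disabled"
    fi
elif [[ "$SSH_DISABLE_PASSWORD_LOGIN" = yes ]]; then
    wrn_out "Disabling password login without setting SSH public key is not allowed."
fi

# NOTE(review): root login is disabled regardless of whether a standard user
# or an SSH key was set up above. With the defaults (no USER_NAME, no SSH_USER)
# this leaves no account that can log in over SSH, and a key installed for
# SSH_USER=root becomes unusable. Confirm this is intended for the deployment.
if [[ "$SSH_DISABLE_ROOT_LOGIN" = yes ]]; then
    ssh_disable_root_login
    ssh_config_changed=yes
fi

if [[ -n "$SSH_RESTRICT_ADDRESS_FAMILY" ]]; then
    ssh_restrict_address_family "$SSH_RESTRICT_ADDRESS_FAMILY"
    ssh_config_changed=yes
fi

# Apply all sshd changes made above with a single restart.
if [[ "$ssh_config_changed" = yes ]]; then
    ssh_restart
fi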

# Optional package groups. Each one runs only when its switch is exactly "yes".

case "$COMMON_INSTALL" in
    yes)
        # COMMON_PACKS is not defined in this file (presumably the package
        # list read by common_install); build-essential is appended to it.
        COMMON_PACKS+=(build-essential)
        common_install
        ;;
esac

case "$FAIL2BAN_INSTALL" in
    yes)
        fail2ban_install
        ;;
esac

# NOTE(review): according to the page description, the firewall setup allows
# ftp, ssh, http, https and mail server ports and denies other incoming
# traffic. Those ports appear to be opened whether or not apache2/sendmail are
# installed below. Check the included helper and close what is not needed.
case "$UFW_INSTALL" in
    yes)
        ufw_install
        ;;
esac

case "$SENDMAIL_INSTALL" in
    yes)
        sendmail_install
        ;;
esac

# Web server: install, then tune, then restart. Each step runs only if the
# previous one succeeded, so a failed install is not followed by tuning or a
# restart.
case "$APACHE2_INSTALL" in
    yes)
        apache2_install && apache2_tune_with_defaults && apache2_restart
        ;;
esac

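# Database server: install, apply security tuning, apply the default tuning,
# then restart. The chain stops at the first step that fails.
if [[ "$MYSQL_INSTALL" = yes ]]; then
    # The root password defaults to empty. Say so in the provisioning output
    # instead of proceeding silently; the install itself is unchanged.
    if [[ -z "$MYSQL_ROOT_PASSWORD" ]]; then
        wrn_out "MYSQL_ROOT_PASSWORD is empty; the mysql root account may be left without a password."
    fi
    # NOTE(review): the password is passed as a function argument. Check that
    # the included helpers do not place it on an external command line or
    # print it, since all output is appended to the provisioning log.
    mysql_install "$MYSQL_ROOT_PASSWORD" &&
    mysql_tune_security "$MYSQL_ROOT_PASSWORD" &&
    mysql_tune_with_defaults &&
    mysql_restart
fi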