init.sh
| @@ -124,7 +124,7 @@ print_ok "Hardening SSH settings" | |||
| 124 | 124 | run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; \ | |
| 125 | 125 | s/PasswordAuthentication yes/PasswordAuthentication no/; \ | |
| 126 | 126 | s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \ | |
| 127 | - | sudo systemctl restart sshd" | |
| 127 | + | sudo systemctl restart sshd || sudo systemctl restart ssh" | |
| 128 | 128 | ||
| 129 | 129 | # 9) Remove other non-system users | |
| 130 | 130 | print_ok "Removing other users" | |
init.sh
| @@ -154,7 +154,8 @@ sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ | |||
| 154 | 154 | enabled = true | |
| 155 | 155 | port = ssh | |
| 156 | 156 | filter = sshd | |
| 157 | - | logpath = /var/log/auth.log | |
| 157 | + | backend = systemd | |
| 158 | + | logpath = journal | |
| 158 | 159 | maxretry = 3 | |
| 159 | 160 | findtime = 600 | |
| 160 | 161 | bantime = 3600 | |
| @@ -239,4 +240,4 @@ print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER" | |||
| 239 | 240 | # * Have the latest updates installed | |
| 240 | 241 | # * Have sysbench installed for performance testing | |
| 241 | 242 | # * Have a final benchmark run to verify CPU performance | |
| 242 | - | # * Have a final cleanup of unnecessary packages | |
| 243 | + | # * Have a final cleanup of unnecessary packages | |
init.sh
| @@ -91,13 +91,15 @@ run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NE | |||
| 91 | 91 | # 6) Generate & persist random password (once) | |
| 92 | 92 | if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then | |
| 93 | 93 | # In this case, the password is already set | |
| 94 | - | print_ok "Reusing existing password for $NEWUSER" | |
| 95 | - | PASS_NEW=$(<"/etc/$NEWUSER.pass") | |
| 94 | + | print_ok "Don't have to change password. Reusing existing password for $NEWUSER" | |
| 95 | + | PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass") | |
| 96 | 96 | else | |
| 97 | 97 | PASS_NEW=$(uuidgen) | |
| 98 | 98 | print_ok "Setting password for $NEWUSER" | |
| 99 | 99 | run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd" | |
| 100 | 100 | run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null" | |
| 101 | + | run_remote "sudo chmod 600 /etc/$NEWUSER.pass" | |
| 102 | + | run_remote "sudo chown root:root /etc/$NEWUSER.pass" | |
| 101 | 103 | print_ok "New password generated for $NEWUSER and persisted at /etc/$NEWUSER.pass. Please back it up! It can still be used to log in via serial console or rescue mode!" | |
| 102 | 104 | fi | |
| 103 | 105 | ||
init.sh
| @@ -15,7 +15,7 @@ Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033 | |||
| 15 | 15 | OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}" | |
| 16 | 16 | ||
| 17 | 17 | print_ok(){ echo -e "${OK} $1"; } | |
| 18 | - | print_error(){echo -e "${ERROR} $1"; } | |
| 18 | + | print_error(){ echo -e "${ERROR} $1"; } | |
| 19 | 19 | print_warn(){ echo -e "${WARN} $1"; } | |
| 20 | 20 | ||
| 21 | 21 | #----------------------------------- | |
| @@ -36,7 +36,7 @@ areYouSure(){ | |||
| 36 | 36 | run_local(){ print_ok "Local: $*"; "$@"; } | |
| 37 | 37 | run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; } | |
| 38 | 38 | wait_ssh(){ | |
| 39 | - | print_ok "Waiting for SSH on $SERVER..." | |
| 39 | + | print_ok "Waiting for SSH on $SERVER... (Running ssh $REMOTE_USER@$SERVER)" | |
| 40 | 40 | until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do | |
| 41 | 41 | print_warn "SSH not ready, retrying in 5s..." | |
| 42 | 42 | sleep 5 | |
| @@ -90,14 +90,15 @@ run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NE | |||
| 90 | 90 | ||
| 91 | 91 | # 6) Generate & persist random password (once) | |
| 92 | 92 | if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then | |
| 93 | - | PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass") | |
| 93 | + | # In this case, the password is already set | |
| 94 | 94 | print_ok "Reusing existing password for $NEWUSER" | |
| 95 | + | PASS_NEW=$(<"/etc/$NEWUSER.pass") | |
| 95 | 96 | else | |
| 96 | 97 | PASS_NEW=$(uuidgen) | |
| 97 | 98 | print_ok "Setting password for $NEWUSER" | |
| 98 | 99 | run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd" | |
| 99 | 100 | run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null" | |
| 100 | - | print_ok "New password generated for $NEWUSER" | |
| 101 | + | print_ok "New password generated for $NEWUSER and persisted at /etc/$NEWUSER.pass. Please back it up! It can still be used to log in via serial console or rescue mode!" | |
| 101 | 102 | fi | |
| 102 | 103 | ||
| 103 | 104 | # 7) Copy SSH key (only if absent) | |
| @@ -215,3 +216,25 @@ run_remote "sudo apt-get autoremove -y --purge && \ | |||
| 215 | 216 | sudo apt-get autoremove -y sysbench --purge" | |
| 216 | 217 | ||
| 217 | 218 | print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER" | |
| 219 | + | ||
| 220 | + | # After this script, server will: | |
| 221 | + | ||
| 222 | + | # * Only allow SSH key login | |
| 223 | + | # * Root login disabled, password authentication disabled | |
| 224 | + | # * Have a new hostname set | |
| 225 | + | # * Have a new user with sudo privileges and can log in via SSH | |
| 226 | + | # * Have a random password stored securely at /etc/<new_user>.pass | |
| 227 | + | # * Have SSH key copied to authorized_keys so you can log in without a password | |
| 228 | + | # * Be hardened with UFW, Fail2Ban and allowed SSH connections(only) | |
| 229 | + | # * Have BBR enabled for better network performance | |
| 230 | + | # * Have the latest HWE kernel installed | |
| 231 | + | # * Have the best mirror selected for package updates | |
| 232 | + | # * Have snap removed | |
| 233 | + | # * Have CPU performance tuned to 'performance' mode | |
| 234 | + | # * Have timezone set to GMT | |
| 235 | + | # * Have all unnecessary users removed (Check /etc/passwd for remaining users) | |
| 236 | + | # * Have all unnecessary packages removed | |
| 237 | + | # * Have the latest updates installed | |
| 238 | + | # * Have sysbench installed for performance testing | |
| 239 | + | # * Have a final benchmark run to verify CPU performance | |
| 240 | + | # * Have a final cleanup of unnecessary packages | |
init.sh
| @@ -1,6 +1,6 @@ | |||
| 1 | 1 | #!/usr/bin/env bash | |
| 2 | 2 | #=============================================================================== | |
| 3 | - | # Concise server preparation script with error confirmation | |
| 3 | + | # Concise server preparation script with error confirmation (idempotent) | |
| 4 | 4 | #=============================================================================== | |
| 5 | 5 | ||
| 6 | 6 | set -euo pipefail | |
| @@ -14,8 +14,8 @@ export DEBIAN_FRONTEND=noninteractive | |||
| 14 | 14 | Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033[0m" | |
| 15 | 15 | OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}" | |
| 16 | 16 | ||
| 17 | - | print_ok(){ echo -e "${OK} $1"; } | |
| 18 | - | print_error(){ echo -e "${ERROR} $1"; } | |
| 17 | + | print_ok(){ echo -e "${OK} $1"; } | |
| 18 | + | print_error(){echo -e "${ERROR} $1"; } | |
| 19 | 19 | print_warn(){ echo -e "${WARN} $1"; } | |
| 20 | 20 | ||
| 21 | 21 | #----------------------------------- | |
| @@ -33,10 +33,10 @@ areYouSure(){ | |||
| 33 | 33 | #----------------------------------- | |
| 34 | 34 | # Helpers | |
| 35 | 35 | #----------------------------------- | |
| 36 | - | run_local(){ print_ok "Local: $*"; "$@"; } | |
| 37 | - | run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; } | |
| 36 | + | run_local(){ print_ok "Local: $*"; "$@"; } | |
| 37 | + | run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; } | |
| 38 | 38 | wait_ssh(){ | |
| 39 | - | print_ok "Waiting for SSH on $SERVER...(Running ssh $REMOTE_USER@$SERVER)" | |
| 39 | + | print_ok "Waiting for SSH on $SERVER..." | |
| 40 | 40 | until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do | |
| 41 | 41 | print_warn "SSH not ready, retrying in 5s..." | |
| 42 | 42 | sleep 5 | |
| @@ -61,13 +61,18 @@ run_local sudo apt-get install -y sshpass | |||
| 61 | 61 | run_local ssh-keygen -R "$SERVER" -f ~/.ssh/known_hosts | |
| 62 | 62 | wait_ssh | |
| 63 | 63 | ||
| 64 | - | # 3) Hostname & reboot | |
| 65 | - | print_ok "Setting hostname to $HOSTNAME" | |
| 66 | - | run_remote "sudo hostnamectl set-hostname $HOSTNAME" | |
| 67 | - | run_remote "sudo reboot" || true | |
| 68 | - | print_ok "Server rebooting..." | |
| 69 | - | sleep 5 | |
| 70 | - | wait_ssh | |
| 64 | + | # 3) Hostname & reboot (only if changed) | |
| 65 | + | CURRENT_HOST=$(run_remote "hostname") | |
| 66 | + | if [[ "$CURRENT_HOST" != "$HOSTNAME" ]]; then | |
| 67 | + | print_ok "Setting hostname to $HOSTNAME" | |
| 68 | + | run_remote "sudo hostnamectl set-hostname $HOSTNAME" | |
| 69 | + | run_remote "sudo reboot" || true | |
| 70 | + | print_ok "Server rebooting..." | |
| 71 | + | sleep 5 | |
| 72 | + | wait_ssh | |
| 73 | + | else | |
| 74 | + | print_ok "Hostname already '$HOSTNAME', skipping" | |
| 75 | + | fi | |
| 71 | 76 | ||
| 72 | 77 | # 4) Create or verify new user | |
| 73 | 78 | if run_remote "id -u $NEWUSER" &>/dev/null; then | |
| @@ -80,36 +85,47 @@ fi | |||
| 80 | 85 | # 5) Grant sudo & set up passwordless | |
| 81 | 86 | print_ok "Granting sudo to $NEWUSER" | |
| 82 | 87 | run_remote "sudo usermod -aG sudo $NEWUSER" | |
| 83 | - | ||
| 84 | 88 | print_ok "Setting passwordless sudo for $NEWUSER" | |
| 85 | 89 | run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NEWUSER" | |
| 86 | 90 | ||
| 87 | - | # 6) Generate & set random password | |
| 88 | - | PASS_NEW=$(uuidgen) | |
| 89 | - | print_ok "Setting password for $NEWUSER" | |
| 90 | - | run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd" | |
| 91 | - | print_ok "New password for $NEWUSER: $PASS_NEW" | |
| 91 | + | # 6) Generate & persist random password (once) | |
| 92 | + | if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then | |
| 93 | + | PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass") | |
| 94 | + | print_ok "Reusing existing password for $NEWUSER" | |
| 95 | + | else | |
| 96 | + | PASS_NEW=$(uuidgen) | |
| 97 | + | print_ok "Setting password for $NEWUSER" | |
| 98 | + | run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd" | |
| 99 | + | run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null" | |
| 100 | + | print_ok "New password generated for $NEWUSER" | |
| 101 | + | fi | |
| 92 | 102 | ||
| 93 | - | # 7) Copy SSH key | |
| 103 | + | # 7) Copy SSH key (only if absent) | |
| 94 | 104 | [ ! -f ~/.ssh/id_rsa.pub ] && run_local ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa | |
| 95 | - | print_ok "Copying SSH key" | |
| 96 | - | sshpass -p "$PASS_NEW" ssh-copy-id -i ~/.ssh/id_rsa.pub "$NEWUSER@$SERVER" | |
| 105 | + | PUBKEY=$(<~/.ssh/id_rsa.pub) | |
| 106 | + | print_ok "Ensuring SSH key in authorized_keys" | |
| 107 | + | run_remote "mkdir -p /home/$NEWUSER/.ssh && \ | |
| 108 | + | sudo bash -c 'grep -qxF \"$PUBKEY\" /home/$NEWUSER/.ssh/authorized_keys 2>/dev/null || \ | |
| 109 | + | echo \"$PUBKEY\" >> /home/$NEWUSER/.ssh/authorized_keys' && \ | |
| 110 | + | sudo chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh && \ | |
| 111 | + | sudo chmod 700 /home/$NEWUSER/.ssh && \ | |
| 112 | + | sudo chmod 600 /home/$NEWUSER/.ssh/authorized_keys" | |
| 97 | 113 | ||
| 98 | 114 | # Switch to new user for subsequent operations | |
| 99 | - | print_ok "Switching to new user $NEWUSER instead of $REMOTE_USER" | |
| 115 | + | print_ok "Switching to new user $NEWUSER" | |
| 100 | 116 | REMOTE_USER="$NEWUSER"; REMOTE_PASS="$PASS_NEW" | |
| 101 | 117 | wait_ssh | |
| 102 | 118 | ||
| 103 | 119 | # 8) Harden SSH | |
| 104 | 120 | print_ok "Hardening SSH settings" | |
| 105 | - | run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; s/PasswordAuthentication yes/PasswordAuthentication no/; s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config" | |
| 106 | - | run_remote "sudo systemctl restart sshd" | |
| 121 | + | run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; \ | |
| 122 | + | s/PasswordAuthentication yes/PasswordAuthentication no/; \ | |
| 123 | + | s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \ | |
| 124 | + | sudo systemctl restart sshd" | |
| 107 | 125 | ||
| 108 | 126 | # 9) Remove other non-system users | |
| 109 | 127 | print_ok "Removing other users" | |
| 110 | - | others=$(run_remote \ | |
| 111 | - | "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd") | |
| 112 | - | ||
| 128 | + | others=$(run_remote "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd") | |
| 113 | 129 | for u in $others; do | |
| 114 | 130 | print_warn "Deleting user $u" | |
| 115 | 131 | run_remote "sudo pkill -u $u || true; sudo deluser --remove-home $u" | |
| @@ -117,18 +133,17 @@ done | |||
| 117 | 133 | ||
| 118 | 134 | # 10) Reset machine-id | |
| 119 | 135 | print_ok "Resetting machine-id" | |
| 120 | - | run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id" | |
| 121 | - | run_remote "sudo systemd-machine-id-setup; sudo cp /etc/machine-id /var/lib/dbus/machine-id" | |
| 136 | + | run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id && \ | |
| 137 | + | sudo systemd-machine-id-setup && \ | |
| 138 | + | sudo cp /etc/machine-id /var/lib/dbus/machine-id" | |
| 122 | 139 | ||
| 123 | 140 | # 11) Enable UFW & OpenSSH | |
| 124 | 141 | print_ok "Enabling UFW firewall" | |
| 125 | - | run_remote "sudo apt-get install -y ufw" | |
| 126 | - | run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable" | |
| 142 | + | run_remote "sudo apt-get install -y ufw && sudo ufw allow OpenSSH && echo y | sudo ufw enable" | |
| 127 | 143 | ||
| 128 | 144 | # 12) Install & configure Fail2Ban | |
| 129 | 145 | print_ok "Installing Fail2Ban" | |
| 130 | - | run_remote "sudo apt-get update" | |
| 131 | - | run_remote "sudo apt-get install -y fail2ban" | |
| 146 | + | run_remote "sudo apt-get update && sudo apt-get install -y fail2ban" | |
| 132 | 147 | print_ok "Configuring Fail2Ban" | |
| 133 | 148 | run_remote <<'EOF' | |
| 134 | 149 | sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ | |
| @@ -144,17 +159,17 @@ EOJ | |||
| 144 | 159 | sudo systemctl restart fail2ban | |
| 145 | 160 | EOF | |
| 146 | 161 | print_ok "Fail2Ban setup complete" | |
| 147 | - | run_remote "sudo fail2ban-client status sshd" | |
| 148 | 162 | ||
| 149 | - | # 13) Enable BBR | |
| 163 | + | # 13) Enable BBR (only once) | |
| 150 | 164 | print_ok "Enabling BBR congestion control" | |
| 151 | - | #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'" | |
| 152 | 165 | run_remote <<'EOF' | |
| 153 | - | sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL | |
| 166 | + | grep -q 'net.ipv4.tcp_congestion_control = bbr' /etc/sysctl.d/99-bbr.conf 2>/dev/null || { | |
| 167 | + | sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL | |
| 154 | 168 | net.core.default_qdisc = fq | |
| 155 | 169 | net.ipv4.tcp_congestion_control = bbr | |
| 156 | 170 | SYSCTL | |
| 157 | - | sudo sysctl --system | |
| 171 | + | sudo sysctl --system | |
| 172 | + | } | |
| 158 | 173 | EOF | |
| 159 | 174 | ||
| 160 | 175 | # 14) Select best mirror & update | |
| @@ -178,15 +193,16 @@ run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autor | |||
| 178 | 193 | ||
| 179 | 194 | # 18) Performance tuning | |
| 180 | 195 | print_ok "Tuning CPU performance & timezone" | |
| 181 | - | run_remote "sudo apt-get install -y linux-tools-$(uname -r)" | |
| 182 | - | run_remote "sudo apt-get install -y cpupower" || true | |
| 183 | - | run_remote "sudo cpupower frequency-set -g performance" || true | |
| 184 | - | run_remote "sudo timedatectl set-timezone GMT" | |
| 196 | + | run_remote "sudo apt-get install -y linux-tools-$(uname -r) cpupower && \ | |
| 197 | + | sudo cpupower frequency-set -g performance || true && \ | |
| 198 | + | sudo timedatectl set-timezone GMT" | |
| 185 | 199 | ||
| 186 | 200 | # 19) Remove snap | |
| 187 | 201 | print_ok "Removing snapd" | |
| 188 | - | run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd" | |
| 189 | - | run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF | |
| 202 | + | run_remote "sudo systemctl disable --now snapd && \ | |
| 203 | + | dpkg -l snapd &>/dev/null && sudo apt-get purge -y snapd && \ | |
| 204 | + | sudo rm -rf /snap /var/lib/snapd /var/cache/snapd && \ | |
| 205 | + | sudo tee /etc/apt/preferences.d/no-snap.pref > /dev/null <<EOF | |
| 190 | 206 | Package: snapd | |
| 191 | 207 | Pin: release a=* | |
| 192 | 208 | Pin-Priority: -10 | |
| @@ -194,8 +210,8 @@ EOF" | |||
| 194 | 210 | ||
| 195 | 211 | # 20) Final cleanup & benchmark | |
| 196 | 212 | print_ok "Final autoremove & benchmark" | |
| 197 | - | run_remote "sudo apt-get autoremove -y --purge" | |
| 198 | - | run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run" | |
| 199 | - | run_remote "sudo apt-get autoremove -y sysbench --purge" | |
| 200 | - | print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER" | |
| 213 | + | run_remote "sudo apt-get autoremove -y --purge && \ | |
| 214 | + | sudo apt-get install -y sysbench && sysbench cpu --threads=$(nproc) run && \ | |
| 215 | + | sudo apt-get autoremove -y sysbench --purge" | |
| 201 | 216 | ||
| 217 | + | print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER" | |
init.sh
| @@ -125,7 +125,28 @@ print_ok "Enabling UFW firewall" | |||
| 125 | 125 | run_remote "sudo apt-get install -y ufw" | |
| 126 | 126 | run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable" | |
| 127 | 127 | ||
| 128 | - | # 12) Enable BBR | |
| 128 | + | # 12) Install & configure Fail2Ban | |
| 129 | + | print_ok "Installing Fail2Ban" | |
| 130 | + | run_remote "sudo apt-get update" | |
| 131 | + | run_remote "sudo apt-get install -y fail2ban" | |
| 132 | + | print_ok "Configuring Fail2Ban" | |
| 133 | + | run_remote <<'EOF' | |
| 134 | + | sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ | |
| 135 | + | [sshd] | |
| 136 | + | enabled = true | |
| 137 | + | port = ssh | |
| 138 | + | filter = sshd | |
| 139 | + | logpath = /var/log/auth.log | |
| 140 | + | maxretry = 3 | |
| 141 | + | findtime = 600 | |
| 142 | + | bantime = 3600 | |
| 143 | + | EOJ | |
| 144 | + | sudo systemctl restart fail2ban | |
| 145 | + | EOF | |
| 146 | + | print_ok "Fail2Ban setup complete" | |
| 147 | + | run_remote "sudo fail2ban-client status sshd" | |
| 148 | + | ||
| 149 | + | # 13) Enable BBR | |
| 129 | 150 | print_ok "Enabling BBR congestion control" | |
| 130 | 151 | #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'" | |
| 131 | 152 | run_remote <<'EOF' | |
| @@ -136,33 +157,33 @@ SYSCTL | |||
| 136 | 157 | sudo sysctl --system | |
| 137 | 158 | EOF | |
| 138 | 159 | ||
| 139 | - | # 13) Select best mirror & update | |
| 160 | + | # 14) Select best mirror & update | |
| 140 | 161 | print_ok "Selecting best mirror & updating" | |
| 141 | 162 | run_remote "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash" | |
| 142 | 163 | run_remote "sudo apt-get update" | |
| 143 | 164 | ||
| 144 | - | # 14) Install latest HWE kernel | |
| 165 | + | # 15) Install latest HWE kernel | |
| 145 | 166 | print_ok "Installing latest HWE kernel" | |
| 146 | 167 | run_remote "sudo apt-get install -y \$(apt search linux-generic-hwe- | awk -F/ '/linux-generic-hwe-/{print \$1}' | head -1)" | |
| 147 | 168 | ||
| 148 | - | # 15) Reboot & wait | |
| 169 | + | # 16) Reboot & wait | |
| 149 | 170 | print_ok "Rebooting server" | |
| 150 | 171 | run_remote "sudo reboot" || true | |
| 151 | 172 | sleep 5 | |
| 152 | 173 | wait_ssh | |
| 153 | 174 | ||
| 154 | - | # 16) Final updates & cleanup | |
| 175 | + | # 17) Final updates & cleanup | |
| 155 | 176 | print_ok "Installing upgrades & cleanup" | |
| 156 | 177 | run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y" | |
| 157 | 178 | ||
| 158 | - | # 17) Performance tuning | |
| 179 | + | # 18) Performance tuning | |
| 159 | 180 | print_ok "Tuning CPU performance & timezone" | |
| 160 | 181 | run_remote "sudo apt-get install -y linux-tools-$(uname -r)" | |
| 161 | 182 | run_remote "sudo apt-get install -y cpupower" || true | |
| 162 | 183 | run_remote "sudo cpupower frequency-set -g performance" || true | |
| 163 | 184 | run_remote "sudo timedatectl set-timezone GMT" | |
| 164 | 185 | ||
| 165 | - | # 18) Remove snap | |
| 186 | + | # 19) Remove snap | |
| 166 | 187 | print_ok "Removing snapd" | |
| 167 | 188 | run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd" | |
| 168 | 189 | run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF | |
| @@ -171,7 +192,7 @@ Pin: release a=* | |||
| 171 | 192 | Pin-Priority: -10 | |
| 172 | 193 | EOF" | |
| 173 | 194 | ||
| 174 | - | # 19) Final cleanup & benchmark | |
| 195 | + | # 20) Final cleanup & benchmark | |
| 175 | 196 | print_ok "Final autoremove & benchmark" | |
| 176 | 197 | run_remote "sudo apt-get autoremove -y --purge" | |
| 177 | 198 | run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run" | |
install_fail2ban.sh(檔案已創建)
| @@ -0,0 +1,41 @@ | |||
| 1 | + | #!/usr/bin/env bash | |
| 2 | + | set -euo pipefail | |
| 3 | + | ||
| 4 | + | echo "[+] Updating package index and installing fail2ban..." | |
| 5 | + | sudo apt update | |
| 6 | + | sudo apt install -y fail2ban | |
| 7 | + | ||
| 8 | + | echo "[+] Writing /etc/fail2ban/jail.local..." | |
| 9 | + | sudo tee /etc/fail2ban/jail.local > /dev/null <<'EOF' | |
| 10 | + | [sshd] | |
| 11 | + | enabled = true | |
| 12 | + | port = ssh | |
| 13 | + | filter = sshd | |
| 14 | + | logpath = /var/log/auth.log | |
| 15 | + | maxretry = 3 | |
| 16 | + | findtime = 600 | |
| 17 | + | bantime = 3600 | |
| 18 | + | EOF | |
| 19 | + | sleep 1 | |
| 20 | + | ||
| 21 | + | echo "[+] Restarting fail2ban service..." | |
| 22 | + | sudo systemctl restart fail2ban | |
| 23 | + | ||
| 24 | + | echo "=== Fail2Ban global status ===" | |
| 25 | + | # Allow script to continue even if fail2ban-client status fails (e.g., socket not yet ready) | |
| 26 | + | sudo fail2ban-client status || true | |
| 27 | + | ||
| 28 | + | echo "=== SSHD jail status ===" | |
| 29 | + | sudo fail2ban-client status sshd || true | |
| 30 | + | ||
| 31 | + | echo "Tip: To view the currently banned IP list again, run:" | |
| 32 | + | echo "sudo fail2ban-client status sshd" | |
| 33 | + | ||
| 34 | + | echo "Tip: To unban an IP address, run:" | |
| 35 | + | echo "sudo fail2ban-client set sshd unbanip <IP_ADDRESS>" | |
| 36 | + | ||
| 37 | + | echo "Tip: To ban an IP address manually, run:" | |
| 38 | + | echo "sudo fail2ban-client set sshd banip <IP_ADDRESS>" | |
| 39 | + | ||
| 40 | + | echo "Tip: To view the fail2ban logs, run:" | |
| 41 | + | echo "sudo journalctl -u fail2ban" | |
init.sh
| @@ -175,6 +175,6 @@ EOF" | |||
| 175 | 175 | print_ok "Final autoremove & benchmark" | |
| 176 | 176 | run_remote "sudo apt-get autoremove -y --purge" | |
| 177 | 177 | run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run" | |
| 178 | - | run remote "sudo apt-get autoremove -y sysbench --purge" | |
| 178 | + | run_remote "sudo apt-get autoremove -y sysbench --purge" | |
| 179 | 179 | print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER" | |
| 180 | 180 | ||
init.sh
| @@ -158,7 +158,7 @@ run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autor | |||
| 158 | 158 | # 17) Performance tuning | |
| 159 | 159 | print_ok "Tuning CPU performance & timezone" | |
| 160 | 160 | run_remote "sudo apt-get install -y linux-tools-$(uname -r)" | |
| 161 | - | run_remote "sudo apt-get install -y cpupower" | |
| 161 | + | run_remote "sudo apt-get install -y cpupower" || true | |
| 162 | 162 | run_remote "sudo cpupower frequency-set -g performance" || true | |
| 163 | 163 | run_remote "sudo timedatectl set-timezone GMT" | |
| 164 | 164 | ||
init.sh
| @@ -1,287 +1,180 @@ | |||
| 1 | - | #!/bin/bash | |
| 1 | + | #!/usr/bin/env bash | |
| 2 | + | #=============================================================================== | |
| 3 | + | # Concise server preparation script with error confirmation | |
| 4 | + | #=============================================================================== | |
| 2 | 5 | ||
| 3 | - | #========================== | |
| 4 | - | # Set up the environment | |
| 5 | - | #========================== | |
| 6 | - | set -e # exit on error | |
| 7 | - | set -o pipefail # exit on pipeline error | |
| 8 | - | set -u # treat unset variable as error | |
| 9 | - | ||
| 10 | - | #========================== | |
| 11 | - | # Basic Information | |
| 12 | - | #========================== | |
| 6 | + | set -euo pipefail | |
| 13 | 7 | export LC_ALL=C | |
| 14 | 8 | export LANG=en_US.UTF-8 | |
| 15 | 9 | export DEBIAN_FRONTEND=noninteractive | |
| 16 | - | export SCRIPT_DIR="$(dirname "$(readlink -f "$0")")" | |
| 17 | - | ||
| 18 | - | #========================== | |
| 19 | - | # Color | |
| 20 | - | #========================== | |
| 21 | - | Green="\033[32m" | |
| 22 | - | Red="\033[31m" | |
| 23 | - | Yellow="\033[33m" | |
| 24 | - | Blue="\033[36m" | |
| 25 | - | Font="\033[0m" | |
| 26 | - | GreenBG="\033[42;37m" | |
| 27 | - | RedBG="\033[41;37m" | |
| 28 | - | OK="${Green}[ OK ]${Font}" | |
| 29 | - | ERROR="${Red}[FAILED]${Font}" | |
| 30 | - | WARNING="${Yellow}[ WARN ]${Font}" | |
| 31 | - | ||
| 32 | - | #========================== | |
| 33 | - | # Print Colorful Text | |
| 34 | - | #========================== | |
| 35 | - | function print_ok() { | |
| 36 | - | echo -e "${OK} ${Blue} $1 ${Font}" | |
| 37 | - | } | |
| 38 | - | ||
| 39 | - | function print_error() { | |
| 40 | - | echo -e "${ERROR} ${Red} $1 ${Font}" | |
| 41 | - | } | |
| 42 | - | ||
| 43 | - | function print_warn() { | |
| 44 | - | echo -e "${WARNING} ${Yellow} $1 ${Font}" | |
| 45 | - | } | |
| 46 | - | ||
| 47 | - | #========================== | |
| 48 | - | # Judge function | |
| 49 | - | #========================== | |
| 50 | - | function judge() { | |
| 51 | - | if [[ 0 -eq $? ]]; then | |
| 52 | - | print_ok "$1 succeeded" | |
| 53 | - | sleep 0.2 | |
| 54 | - | else | |
| 55 | - | print_error "$1 failed" | |
| 56 | - | exit 1 | |
| 57 | - | fi | |
| 58 | - | } | |
| 59 | - | ||
| 60 | - | prepare_host() | |
| 61 | - | { | |
| 62 | - | print_ok "Update apt-get" | |
| 63 | - | sudo apt-get update | |
| 64 | - | judge "Update apt-get" | |
| 65 | - | ||
| 66 | - | print_ok "Install sshpass" | |
| 67 | - | sudo apt-get install -y sshpass | |
| 68 | - | judge "Install sshpass" | |
| 69 | - | } | |
| 70 | 10 | ||
| 71 | - | wait_server_till_can_ssh() | |
| 72 | - | { | |
| 73 | - | userName=$1 | |
| 74 | - | password=$2 | |
| 75 | - | serverName=$3 | |
| 76 | - | ||
| 77 | - | print_ok "Waiting for server to be ready: ssh $userName@$serverName" | |
| 78 | - | while true; do | |
| 79 | - | set +e | |
| 80 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo 'Server is ready'" | |
| 81 | - | if [ $? -eq 0 ]; then | |
| 82 | - | break | |
| 83 | - | fi | |
| 84 | - | print_warn "Server is not ready yet. Retrying..." | |
| 85 | - | sleep 5 | |
| 86 | - | done | |
| 87 | - | ||
| 88 | - | print_ok "Server is ready to connect via ssh" | |
| 89 | - | set -e | |
| 11 | + | #----------------------------------- | |
| 12 | + | # Colors & Prompts | |
| 13 | + | #----------------------------------- | |
| 14 | + | Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033[0m" | |
| 15 | + | OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}" | |
| 16 | + | ||
| 17 | + | print_ok(){ echo -e "${OK} $1"; } | |
| 18 | + | print_error(){ echo -e "${ERROR} $1"; } | |
| 19 | + | print_warn(){ echo -e "${WARN} $1"; } | |
| 20 | + | ||
| 21 | + | #----------------------------------- | |
| 22 | + | # Error handling & confirmation | |
| 23 | + | #----------------------------------- | |
| 24 | + | on_error(){ print_error "Error at line $1."; areYouSure; } | |
| 25 | + | trap 'on_error $LINENO' ERR | |
| 26 | + | ||
| 27 | + | areYouSure(){ | |
| 28 | + | print_warn "Continue despite errors? [y/N]" | |
| 29 | + | read -r ans | |
| 30 | + | case $ans in [yY]*) print_ok "Continuing...";; *) print_error "Aborted."; exit 1;; esac | |
| 90 | 31 | } | |
| 91 | 32 | ||
| 92 | - | prepare_server() | |
| 93 | - | { | |
| 94 | - | userName=$1 | |
| 95 | - | if [ -z "$userName" ]; then | |
| 96 | - | print_error "Please provide username. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'" | |
| 97 | - | exit 1 | |
| 98 | - | fi | |
| 99 | - | ||
| 100 | - | password=$2 | |
| 101 | - | if [ -z "$password" ]; then | |
| 102 | - | print_error "Please provide password for user $userName. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'" | |
| 103 | - | exit 1 | |
| 104 | - | fi | |
| 105 | - | ||
| 106 | - | serverName=$3 | |
| 107 | - | if [ -z "$serverName" ]; then | |
| 108 | - | print_error "Please provide server name. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'" | |
| 109 | - | exit 1 | |
| 110 | - | fi | |
| 111 | - | ||
| 112 | - | desiredHostname=$4 | |
| 113 | - | if [ -z "$desiredHostname" ]; then | |
| 114 | - | echo "Please provide desired hostname. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'" | |
| 115 | - | exit 1 | |
| 116 | - | fi | |
| 117 | - | ||
| 118 | - | desiredUsername=$5 | |
| 119 | - | if [ -z "$desiredUsername" ]; then | |
| 120 | - | print_error "Please provide desired username. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'" | |
| 121 | - | exit 1 | |
| 122 | - | fi | |
| 123 | - | ||
| 124 | - | prepare_host | |
| 125 | - | ssh-keygen -f "/home/anduin/.ssh/known_hosts" -R $serverName | |
| 126 | - | ||
| 127 | - | wait_server_till_can_ssh $userName $password $serverName | |
| 128 | - | ||
| 129 | - | print_ok "Changing hostname for $serverName to $desiredHostname" | |
| 130 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo hostnamectl set-hostname $desiredHostname" | |
| 131 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sleep 3" | |
| 132 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo reboot" || true | |
| 33 | + | #----------------------------------- | |
| 34 | + | # Helpers | |
| 35 | + | #----------------------------------- | |
| 36 | + | run_local(){ print_ok "Local: $*"; "$@"; } | |
| 37 | + | run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; } | |
| 38 | + | wait_ssh(){ | |
| 39 | + | print_ok "Waiting for SSH on $SERVER...(Running ssh $REMOTE_USER@$SERVER)" | |
| 40 | + | until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do | |
| 41 | + | print_warn "SSH not ready, retrying in 5s..." | |
| 133 | 42 | sleep 5 | |
| 134 | - | print_ok "Hostname changed to $desiredHostname" | |
| 135 | - | print_warn "Server is rebooting..." | |
| 136 | - | ||
| 137 | - | wait_server_till_can_ssh $userName $password $serverName | |
| 138 | - | ||
| 139 | - | print_ok "Creating a new user..." | |
| 140 | - | alreadyExist=$(sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "cat /etc/passwd | grep -w $desiredUsername | wc -l") | |
| 141 | - | if [ $alreadyExist -gt 0 ]; then | |
| 142 | - | print_ok "User $desiredUsername already exists." | |
| 143 | - | else | |
| 144 | - | print_ok "Creating user $desiredUsername" | |
| 145 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo adduser $desiredUsername --gecos 'First Last,RoomNumber,WorkPhone,HomePhone' --disabled-password" | |
| 146 | - | judge "User $desiredUsername created" | |
| 147 | - | fi | |
| 148 | - | ||
| 149 | - | print_ok "Adding user $desiredUsername to sudo group" | |
| 150 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo usermod -aG sudo $desiredUsername" | |
| 151 | - | judge "User $desiredUsername created with password" | |
| 152 | - | ||
| 153 | - | print_ok "Allowing user $desiredUsername to run sudo without password" | |
| 154 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo mkdir -p /etc/sudoers.d" | |
| 155 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo touch /etc/sudoers.d/$desiredUsername" | |
| 156 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo '$desiredUsername ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers.d/$desiredUsername" | |
| 157 | - | judge "User $desiredUsername can run sudo without password" | |
| 158 | - | ||
| 159 | - | userPassword=$(uuidgen) | |
| 160 | - | print_ok "Setting password for user $desiredUsername to $userPassword" | |
| 161 | - | sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo $desiredUsername:$userPassword | sudo chpasswd" | |
| 162 | - | judge "Password set for user $desiredUsername as $userPassword" | |
| 163 | - | ||
| 164 | - | ||
| 165 | - | # If ~/ssh/id_rsa.pub does not exist, create it | |
| 166 | - | if [ ! -f ~/.ssh/id_rsa.pub ]; then | |
| 167 | - | print_warn "Creating ssh keys on local machine" | |
| 168 | - | ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa | |
| 169 | - | fi | |
| 170 | - | ||
| 171 | - | print_ok "Copying ssh keys with ssh-copy-id" | |
| 172 | - | sshpass -p $userPassword ssh-copy-id -i ~/.ssh/id_rsa.pub $desiredUsername@$serverName | |
| 173 | - | print_ok "SSH keys copied" | |
| 174 | - | ||
| 175 | - | wait_server_till_can_ssh $desiredUsername $userPassword $serverName | |
| 176 | - | ||
| 177 | - | print_ok "Disabling root login, password login and enabling ssh key login" | |
| 178 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" | |
| 179 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config" | |
| 180 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PubkeyAuthentication no/PubkeyAuthentication yes/g' /etc/ssh/sshd_config" | |
| 181 | - | # Uncomment those lines if they are commented | |
| 182 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config" | |
| 183 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PasswordAuthentication no/PasswordAuthentication no/g' /etc/ssh/sshd_config" | |
| 184 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config" | |
| 185 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemctl restart ssh*" | |
| 186 | - | judge "Disable root login, password login and enabled ssh key login" | |
| 187 | - | ||
| 188 | - | print_ok "Server is ready for $desiredUsername to login. Deleting other users..." | |
| 189 | - | otherUsers=$(ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "cat /etc/passwd | grep -v nologin | grep -v false | grep -v root | grep -v sync | grep -v $desiredUsername | cut -d: -f1") | |
| 190 | - | for otherUser in $otherUsers; do | |
| 191 | - | print_warn "Deleting user $otherUser..." | |
| 192 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo pkill -u $otherUser" || true | |
| 193 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo deluser --remove-home $otherUser" | |
| 194 | - | done | |
| 195 | - | ||
| 196 | - | print_ok "Resetting machine-id" | |
| 197 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm /etc/machine-id" | |
| 198 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm /var/lib/dbus/machine-id" | |
| 199 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemd-machine-id-setup" | |
| 200 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo cp /etc/machine-id /var/lib/dbus/machine-id" | |
| 201 | - | judge "Machine-id reset" | |
| 202 | - | ||
| 203 | - | print_ok "Enabling ufw firewall" | |
| 204 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt-get install -y ufw" | |
| 205 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo ufw allow OpenSSH" | |
| 206 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "echo 'y' | sudo ufw enable" | |
| 207 | - | judge "Ufw firewall enabled" | |
| 208 | - | ||
| 209 | - | print_ok "Enabling BBR if not enabled" | |
| 210 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr || echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf" | |
| 211 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr || echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf" | |
| 212 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl -p" | |
| 213 | - | judge "BBR enabled" | |
| 214 | - | ||
| 215 | - | print_ok "Selecting best mirror" | |
| 216 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash" | |
| 217 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt update" | |
| 218 | - | judge "Best mirror selected" | |
| 219 | - | ||
| 220 | - | print_ok "Installing latest kernel..." | |
| 221 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt search linux-generic-hwe-* | awk -F'/' '/linux-generic-hwe-/ {print $1}' | sort | head -n 1 | xargs -r sudo apt install -y" | |
| 222 | - | judge "Latest kernel installed" | |
| 223 | - | ||
| 224 | - | print_ok "Rebooting server..." | |
| 225 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sleep 3" | |
| 226 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo reboot" || true | |
| 227 | - | sleep 5 | |
| 228 | - | print_warn "Server is rebooting..." | |
| 229 | - | ||
| 230 | - | wait_server_till_can_ssh $desiredUsername $userPassword $serverName | |
| 231 | - | ||
| 232 | - | print_ok "Installing updates" | |
| 233 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt update" | |
| 234 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt upgrade -y" | |
| 235 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt autoremove -y" | |
| 236 | - | judge "Updates installed" | |
| 237 | - | ||
| 238 | - | print_ok "Rebooting server..." | |
| 239 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sleep 3" | |
| 240 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo reboot" || true | |
| 241 | - | sleep 5 | |
| 242 | - | print_warn "Server is rebooting..." | |
| 243 | - | ||
| 244 | - | wait_server_till_can_ssh $desiredUsername $userPassword $serverName | |
| 245 | - | ||
| 246 | - | print_ok "Set CPU to performance mode" | |
| 247 | - | ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo apt install -y linux-tools-common linux-tools-\$(uname -r)" | |
| 248 | - | ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo cpupower frequency-info" | |
| 249 | - | ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo cpupower frequency-set -g performance" || true | |
| 250 | - | judge "CPU set to performance mode" | |
| 251 | - | ||
| 252 | - | print_ok "Set timezone to GMT" | |
| 253 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo timedatectl set-timezone GMT" | |
| 254 | - | judge "Timezone set to GMT" | |
| 43 | + | done | |
| 44 | + | print_ok "SSH available." | |
| 45 | + | } | |
| 255 | 46 | ||
| 256 | - | print_ok "Removing snap..." | |
| 257 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemctl disable --now snapd" | |
| 258 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt purge -y snapd" | |
| 259 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm -rf /snap /var/snap /var/lib/snapd /var/cache/snapd /usr/lib/snapd ~/snap" | |
| 260 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "cat << EOF | sudo tee -a /etc/apt/preferences.d/no-snap.pref | |
| 47 | + | usage(){ echo "Usage: $0 <orig_user> <orig_pass> <server> <new_hostname> <new_user>"; exit 1; } | |
| 48 | + | ||
| 49 | + | #----------------------------------- | |
| 50 | + | # Main | |
| 51 | + | #----------------------------------- | |
| 52 | + | [ $# -ne 5 ] && usage | |
| 53 | + | USER="$1"; PASS="$2"; SERVER="$3"; HOSTNAME="$4"; NEWUSER="$5" | |
| 54 | + | REMOTE_USER="$USER"; REMOTE_PASS="$PASS" | |
| 55 | + | ||
| 56 | + | # 1) Install sshpass locally | |
| 57 | + | run_local sudo apt-get update -y | |
| 58 | + | run_local sudo apt-get install -y sshpass | |
| 59 | + | ||
| 60 | + | # 2) Clear known_hosts, wait for SSH | |
| 61 | + | run_local ssh-keygen -R "$SERVER" -f ~/.ssh/known_hosts | |
| 62 | + | wait_ssh | |
| 63 | + | ||
| 64 | + | # 3) Hostname & reboot | |
| 65 | + | print_ok "Setting hostname to $HOSTNAME" | |
| 66 | + | run_remote "sudo hostnamectl set-hostname $HOSTNAME" | |
| 67 | + | run_remote "sudo reboot" || true | |
| 68 | + | print_ok "Server rebooting..." | |
| 69 | + | sleep 5 | |
| 70 | + | wait_ssh | |
| 71 | + | ||
| 72 | + | # 4) Create or verify new user | |
| 73 | + | if run_remote "id -u $NEWUSER" &>/dev/null; then | |
| 74 | + | print_ok "User $NEWUSER exists" | |
| 75 | + | else | |
| 76 | + | print_ok "Creating user $NEWUSER" | |
| 77 | + | run_remote "sudo adduser --disabled-password --gecos '' $NEWUSER" | |
| 78 | + | fi | |
| 79 | + | ||
| 80 | + | # 5) Grant sudo & set up passwordless | |
| 81 | + | print_ok "Granting sudo to $NEWUSER" | |
| 82 | + | run_remote "sudo usermod -aG sudo $NEWUSER" | |
| 83 | + | ||
| 84 | + | print_ok "Setting passwordless sudo for $NEWUSER" | |
| 85 | + | run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NEWUSER" | |
| 86 | + | ||
| 87 | + | # 6) Generate & set random password | |
| 88 | + | PASS_NEW=$(uuidgen) | |
| 89 | + | print_ok "Setting password for $NEWUSER" | |
| 90 | + | run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd" | |
| 91 | + | print_ok "New password for $NEWUSER: $PASS_NEW" | |
| 92 | + | ||
| 93 | + | # 7) Copy SSH key | |
| 94 | + | [ ! -f ~/.ssh/id_rsa.pub ] && run_local ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa | |
| 95 | + | print_ok "Copying SSH key" | |
| 96 | + | sshpass -p "$PASS_NEW" ssh-copy-id -i ~/.ssh/id_rsa.pub "$NEWUSER@$SERVER" | |
| 97 | + | ||
| 98 | + | # Switch to new user for subsequent operations | |
| 99 | + | print_ok "Switching to new user $NEWUSER instead of $REMOTE_USER" | |
| 100 | + | REMOTE_USER="$NEWUSER"; REMOTE_PASS="$PASS_NEW" | |
| 101 | + | wait_ssh | |
| 102 | + | ||
| 103 | + | # 8) Harden SSH | |
| 104 | + | print_ok "Hardening SSH settings" | |
| 105 | + | run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; s/PasswordAuthentication yes/PasswordAuthentication no/; s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config" | |
| 106 | + | run_remote "sudo systemctl restart sshd" | |
| 107 | + | ||
| 108 | + | # 9) Remove other non-system users | |
| 109 | + | print_ok "Removing other users" | |
| 110 | + | others=$(run_remote \ | |
| 111 | + | "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd") | |
| 112 | + | ||
| 113 | + | for u in $others; do | |
| 114 | + | print_warn "Deleting user $u" | |
| 115 | + | run_remote "sudo pkill -u $u || true; sudo deluser --remove-home $u" | |
| 116 | + | done | |
| 117 | + | ||
| 118 | + | # 10) Reset machine-id | |
| 119 | + | print_ok "Resetting machine-id" | |
| 120 | + | run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id" | |
| 121 | + | run_remote "sudo systemd-machine-id-setup; sudo cp /etc/machine-id /var/lib/dbus/machine-id" | |
| 122 | + | ||
| 123 | + | # 11) Enable UFW & OpenSSH | |
| 124 | + | print_ok "Enabling UFW firewall" | |
| 125 | + | run_remote "sudo apt-get install -y ufw" | |
| 126 | + | run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable" | |
| 127 | + | ||
| 128 | + | # 12) Enable BBR | |
| 129 | + | print_ok "Enabling BBR congestion control" | |
| 130 | + | #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'" | |
| 131 | + | run_remote <<'EOF' | |
| 132 | + | sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL | |
| 133 | + | net.core.default_qdisc = fq | |
| 134 | + | net.ipv4.tcp_congestion_control = bbr | |
| 135 | + | SYSCTL | |
| 136 | + | sudo sysctl --system | |
| 137 | + | EOF | |
| 138 | + | ||
| 139 | + | # 13) Select best mirror & update | |
| 140 | + | print_ok "Selecting best mirror & updating" | |
| 141 | + | run_remote "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash" | |
| 142 | + | run_remote "sudo apt-get update" | |
| 143 | + | ||
| 144 | + | # 14) Install latest HWE kernel | |
| 145 | + | print_ok "Installing latest HWE kernel" | |
| 146 | + | run_remote "sudo apt-get install -y \$(apt search linux-generic-hwe- | awk -F/ '/linux-generic-hwe-/{print \$1}' | head -1)" | |
| 147 | + | ||
| 148 | + | # 15) Reboot & wait | |
| 149 | + | print_ok "Rebooting server" | |
| 150 | + | run_remote "sudo reboot" || true | |
| 151 | + | sleep 5 | |
| 152 | + | wait_ssh | |
| 153 | + | ||
| 154 | + | # 16) Final updates & cleanup | |
| 155 | + | print_ok "Installing upgrades & cleanup" | |
| 156 | + | run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y" | |
| 157 | + | ||
| 158 | + | # 17) Performance tuning | |
| 159 | + | print_ok "Tuning CPU performance & timezone" | |
| 160 | + | run_remote "sudo apt-get install -y linux-tools-$(uname -r)" | |
| 161 | + | run_remote "sudo apt-get install -y cpupower" | |
| 162 | + | run_remote "sudo cpupower frequency-set -g performance" || true | |
| 163 | + | run_remote "sudo timedatectl set-timezone GMT" | |
| 164 | + | ||
| 165 | + | # 18) Remove snap | |
| 166 | + | print_ok "Removing snapd" | |
| 167 | + | run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd" | |
| 168 | + | run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF | |
| 261 | 169 | Package: snapd | |
| 262 | 170 | Pin: release a=* | |
| 263 | 171 | Pin-Priority: -10 | |
| 264 | 172 | EOF" | |
| 265 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo chown root:root /etc/apt/preferences.d/no-snap.pref" | |
| 266 | - | judge "Snap removed" | |
| 267 | 173 | ||
| 268 | - | print_ok "Autoremoving apt packages" | |
| 269 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt autoremove -y --purge" | |
| 270 | - | judge "Apt packages autoremoved" | |
| 271 | - | ||
| 272 | - | print_ok "Benchmarking server..." | |
| 273 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt install -y sysbench" | |
| 274 | - | ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sysbench cpu --threads=\$(nproc) run" | |
| 275 | - | judge "Server benchmarked" | |
| 276 | - | ||
| 277 | - | print_ok "Server is ready for use" | |
| 278 | - | print_ok "ssh $desiredUsername@$serverName" | |
| 279 | - | } | |
| 174 | + | # 19) Final cleanup & benchmark | |
| 175 | + | print_ok "Final autoremove & benchmark" | |
| 176 | + | run_remote "sudo apt-get autoremove -y --purge" | |
| 177 | + | run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run" | |
| 178 | + | run remote "sudo apt-get autoremove -y sysbench --purge" | |
| 179 | + | print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER" | |
| 280 | 180 | ||
| 281 | - | # To use this function: | |
| 282 | - | # Arg1: username | |
| 283 | - | # Arg2: password | |
| 284 | - | # Arg3: servername | |
| 285 | - | # Arg4: Desired hostname | |
| 286 | - | # Arg5: Desired username | |
| 287 | - | prepare_server "$@" | |
mirror.sh
| @@ -42,7 +42,6 @@ function switchSource() { | |||
| 42 | 42 | "http://mirrors.163.com/ubuntu/" # 网易 | |
| 43 | 43 | "http://mirrors.cloud.tencent.com/ubuntu/" # 腾讯云 | |
| 44 | 44 | "http://mirror.aiursoft.cn/ubuntu/" # Aiursoft | |
| 45 | - | "http://mirrors.anduinos.com/ubuntu/" # AnduinOS | |
| 46 | 45 | "http://mirrors.huaweicloud.com/ubuntu/" # 华为云 | |
| 47 | 46 | "http://mirrors.zju.edu.cn/ubuntu/" # 浙江大学 | |
| 48 | 47 | "http://azure.archive.ubuntu.com/ubuntu/" # Azure | |