@luandro
Last active April 16, 2025 23:53
bash <(curl -fsSL "https://gist.githubusercontent.com/luandro/00177d5429c2416ad82440035ac3e6ed/raw/all-setup.sh") - Scripts for setting up servers. Includes scripts for migrating the Docker default folder to another location, hardening a server, and creating swap.
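#!/usr/bin/env bash
# all-setup.sh — orchestrator: fetches the three companion scripts
# (harden-ubuntu.sh, swap-setup.sh, migrate-docker.sh) from the gist and
# runs each one as root, in that order. The child scripts prompt on the
# terminal, so run this interactively.
set -euo pipefail

# Location of raw scripts.
# /raw with no revision component always fetches the latest revision of the
# gist; pin a revision here when repeatable runs matter.
RAW_URL="https://gist.githubusercontent.com/luandro/00177d5429c2416ad82440035ac3e6ed/raw"
readonly RAW_URL

# Download into a private, unpredictable directory instead of fixed names in
# /tmp: a fixed /tmp/<name>.sh could be pre-created or swapped by another
# local user before it is executed with sudo. Removed on any exit path.
WORKDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
readonly WORKDIR
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

#######################################
# Fetch one script from RAW_URL into WORKDIR and run it with sudo.
# Globals:   RAW_URL, WORKDIR (read)
# Arguments: $1 - script filename (e.g. harden-ubuntu.sh)
#            $2 - banner printed before the run
# Returns:   exit status of the script; a failed or empty download aborts
#######################################
fetch_and_run() {
  local name=$1 banner=$2
  local target="$WORKDIR/$name"
  echo "=== $banner ==="
  curl -fsSL "$RAW_URL/$name" -o "$target"
  # Refuse to execute an empty download (e.g. a wrong path that still returns a body).
  [[ -s "$target" ]] || { echo "Download of $name is empty, aborting." >&2; exit 1; }
  chmod 700 "$target"
  sudo "$target"
}

fetch_and_run harden-ubuntu.sh "RUNNING HARDENING SCRIPT"
fetch_and_run swap-setup.sh "RUNNING SWAP SETUP SCRIPT"
fetch_and_run migrate-docker.sh "RUNNING DOCKER MIGRATE SCRIPT"
echo "=== ALL SETUP TASKS COMPLETE ==="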
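#!/usr/bin/env bash
# harden-ubuntu.sh — baseline hardening for a fresh Ubuntu 22.04 server.
# Steps: create an admin user (optional SSH key), upgrade packages, install
# Docker CE from the official repository, enable unattended upgrades, UFW
# (SSH only), fail2ban, purge legacy network services, optional sshd
# tightening, sysctl network hardening, strict modes on key files.
# Must run as root; every question is answered interactively on the terminal.
# pipefail: the curl|gpg keyring pipeline below must fail loudly if curl fails
# instead of silently installing an empty keyring.
set -euo pipefail

if [[ $EUID -ne 0 ]]; then
  echo "This script must run as root (use sudo)." >&2
  exit 1
fi

echo "=== Ubuntu 22.04 Server Hardening ==="

# 1. Add Admin User Prompt and Creation
read -rp "Enter the NEW username to create for admin access: " NEWUSER
if [[ -z "$NEWUSER" ]]; then
  echo "A username is required." >&2
  exit 1
fi
if id "$NEWUSER" &>/dev/null; then
  echo "User $NEWUSER already exists."
else
  adduser "$NEWUSER"
fi
usermod -aG sudo "$NEWUSER"

# Resolve home and primary group from the passwd database rather than
# assuming /home/<user> and a same-named group.
USER_HOME=$(getent passwd "$NEWUSER" | cut -d: -f6)
USER_GROUP=$(id -gn "$NEWUSER")
SSH_DIR="$USER_HOME/.ssh"
AUTH_KEYS="$SSH_DIR/authorized_keys"

# SSH Key (optional)
read -rp "Paste PUBLIC SSH key for $NEWUSER (Enter for skip): " PUBKEY
if [[ -n "$PUBKEY" ]]; then
  mkdir -p "$SSH_DIR"
  printf '%s\n' "$PUBKEY" >> "$AUTH_KEYS"
  chown -R "$NEWUSER:$USER_GROUP" "$SSH_DIR"
  chmod 700 "$SSH_DIR"
  chmod 600 "$AUTH_KEYS"
fi

echo "=== System upgrades and security packages ==="
# apt-get throughout: apt's CLI is not stable for use in scripts, and two
# separate statements let set -e catch a failed update.
apt-get update
apt-get -y upgrade
# REMOVE any old Docker installations to avoid conflicts
apt-get remove -y docker docker-engine docker.io containerd runc || true
apt-get autoremove -y
# Clean up anything that might mess up official repo install
dpkg --purge docker docker-engine docker.io containerd runc || true

# 2. Install official Docker CE + dependencies (NO docker.io)
echo "=== Installing Docker from Official Repository ==="
apt-get update
apt-get install -y ca-certificates curl gnupg lsb-release
install -m 0755 -d /etc/apt/keyrings
# --batch --yes lets a re-run overwrite an existing keyring without a prompt.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | gpg --dearmor --batch --yes -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
. /etc/os-release
printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu %s stable\n' \
  "$(dpkg --print-architecture)" "$VERSION_CODENAME" \
  > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Add user to docker group for docker usage (and create group if needed).
# Membership in the docker group is equivalent to root on this host, so it
# is granted to the admin user only.
getent group docker >/dev/null || groupadd docker
usermod -aG docker "$NEWUSER"

echo "=== Enabling unattended upgrades ==="
apt-get install -y unattended-upgrades apt-listchanges
dpkg-reconfigure -plow unattended-upgrades

echo "=== UFW firewall setup (opens SSH only) ==="
ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw --force enable

echo "=== Fail2ban set for SSH ==="
apt-get install -y fail2ban
systemctl enable --now fail2ban

echo "=== Remove insecure services ==="
apt-get -y purge telnet rsh-server xinetd tftp tftpd-hpa vsftpd ftp || true

echo "=== SSH Server hardening ==="
readonly SSHD_CONFIG=/etc/ssh/sshd_config

#######################################
# Set one sshd_config directive: replace an existing (possibly commented-out)
# line, or append it when absent so the setting is applied either way.
# Globals:   SSHD_CONFIG (read; file is edited in place)
# Arguments: $1 - directive name, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -qE "^#?${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i -E "s/^#?${key}[[:space:]].*/${key} ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# One backup before any edit (an earlier run's backup is kept, not clobbered).
cp -n -- "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
read -rp "Disable SSH root login? (y/N): " disable_root
if [[ "${disable_root,,}" == "y" ]]; then
  set_sshd_option PermitRootLogin no
fi
# Never turn off password authentication when no key is installed for the
# admin user: that combination locks everyone out of the box.
if [[ -s "$AUTH_KEYS" ]]; then
  read -rp "Disable password authentication (key-based only)? (y/N): " disable_pwd
  if [[ "${disable_pwd,,}" == "y" ]]; then
    set_sshd_option PasswordAuthentication no
  fi
else
  echo "No authorized_keys for $NEWUSER; password authentication stays enabled." >&2
fi
# On 22.04 drop-ins in /etc/ssh/sshd_config.d/ are Include'd near the top of
# sshd_config and win over the lines edited above (sshd keeps the first value
# it sees) — look there if a setting does not take effect.
# Validate the config before reloading so a bad edit cannot take sshd down.
sshd -t
systemctl reload sshd

echo "=== sysctl network hardening ==="
cat <<'EOF' > /etc/sysctl.d/60-security-hardening.conf
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
EOF
sysctl -p /etc/sysctl.d/60-security-hardening.conf

echo "=== Setting secure file permissions ==="
chmod 600 /etc/ssh/ssh_host_*_key || true
# NOTE(review): Ubuntu ships /etc/shadow as 0640 root:shadow; 0600 also locks
# out the shadow group (used by the setgid unix_chkpwd helper) — confirm
# nothing on this host depends on that before keeping it.
chmod 600 /etc/shadow
chmod 644 /etc/passwd

echo "=== Final clean-up ==="
apt-get autoremove -y
echo "=== Hardened! Please verify that $NEWUSER can SSH and use sudo before closing root sessions. ==="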
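#!/usr/bin/env bash
# migrate-docker.sh — move Docker's data-root to another location.
# Stops Docker, copies /var/lib/docker (plus /var/lib/containerd if present)
# with rsync, points daemon.json at the new directory, restarts Docker and,
# only after Docker confirms it is using the new root, offers to delete the
# old copy. Must run as root; prompts interactively.
set -euo pipefail

if [[ $EUID -ne 0 ]]; then
  echo "This script must run as root (use sudo)." >&2
  exit 1
fi
command -v rsync >/dev/null || { echo "rsync is required but not installed." >&2; exit 1; }

readonly DEFAULT_DOCKER_DIR="/var/lib/docker"
readonly DEFAULT_CONTAINERD_DIR="/var/lib/containerd"
readonly DOCKER_DAEMON_DIR="/etc/docker"
readonly DOCKER_DAEMON_JSON="$DOCKER_DAEMON_DIR/daemon.json"

echo "Docker data will be migrated to a new location."
read -rp "Enter the absolute path for the NEW Docker data folder (e.g., /mnt/bigdisk/docker): " NEW_DOCKER_DIR
NEW_DOCKER_DIR=${NEW_DOCKER_DIR%/}   # canonical form: no trailing slash
if [[ -z "$NEW_DOCKER_DIR" || "$NEW_DOCKER_DIR" != /* ]]; then
  echo "You must provide an absolute path."
  exit 1
fi
# The path is written into daemon.json unescaped; keep JSON-unsafe characters out.
case "$NEW_DOCKER_DIR" in
  *\"*|*\\*) echo "Path must not contain '\"' or '\\'." >&2; exit 1 ;;
esac
# rsync-ing the tree into itself (or a subdirectory of itself) would loop,
# and the clean-up step would then delete the new copy along with the old.
if [[ "$NEW_DOCKER_DIR" == "$DEFAULT_DOCKER_DIR" || "$NEW_DOCKER_DIR" == "$DEFAULT_DOCKER_DIR"/* ]]; then
  echo "New location must not be $DEFAULT_DOCKER_DIR or a directory inside it." >&2
  exit 1
fi
NEW_CONTAINERD_DIR="${NEW_DOCKER_DIR}/containerd"

echo "Stopping Docker service..."
# docker.socket can re-activate docker.service on demand while we copy.
systemctl stop docker.socket || true
systemctl stop docker
systemctl stop containerd || true

echo "Migrating Docker data..."
mkdir -p "$NEW_DOCKER_DIR"
rsync -aHAX --info=progress2 "$DEFAULT_DOCKER_DIR/" "$NEW_DOCKER_DIR/"
if [[ -d "$DEFAULT_CONTAINERD_DIR" ]]; then
  # Safety copy only: nothing below reconfigures containerd's own root, so
  # containerd keeps using $DEFAULT_CONTAINERD_DIR — TODO confirm whether
  # /etc/containerd/config.toml should be pointed at the copy as well.
  mkdir -p "$NEW_CONTAINERD_DIR"
  rsync -aHAX --info=progress2 "$DEFAULT_CONTAINERD_DIR/" "$NEW_CONTAINERD_DIR/"
fi

#######################################
# Write a daemon.json containing only data-root (used when there is no
# existing file, or no jq available to merge into an existing one).
# Globals:   NEW_DOCKER_DIR, DOCKER_DAEMON_JSON (read)
#######################################
write_data_root_only() {
  printf '{\n  "data-root": "%s"\n}\n' "$NEW_DOCKER_DIR" > "$DOCKER_DAEMON_JSON"
}

echo "Updating Docker config at $DOCKER_DAEMON_JSON..."
mkdir -p "$DOCKER_DAEMON_DIR"
if [[ -f "$DOCKER_DAEMON_JSON" ]]; then
  BACKUP="$DOCKER_DAEMON_JSON.bak.$(date +%s)"
  cp -- "$DOCKER_DAEMON_JSON" "$BACKUP"
  if command -v jq >/dev/null; then
    # Merge so other daemon settings (log driver, registries, ...) survive;
    # write via a temp file so a jq failure leaves the original untouched.
    jq --arg root "$NEW_DOCKER_DIR" '. + {"data-root": $root}' "$BACKUP" > "$DOCKER_DAEMON_JSON.tmp"
    mv -- "$DOCKER_DAEMON_JSON.tmp" "$DOCKER_DAEMON_JSON"
  else
    echo "jq not installed: $DOCKER_DAEMON_JSON is replaced with data-root only; previous settings are in $BACKUP." >&2
    write_data_root_only
  fi
else
  write_data_root_only
fi

echo "Starting Docker with the new data-root..."
systemctl start docker
# Make sure Docker actually uses the new root before anything is deleted.
ACTIVE_ROOT=$(docker info --format '{{.DockerRootDir}}')
if [[ "$(readlink -f -- "$ACTIVE_ROOT")" != "$(readlink -f -- "$NEW_DOCKER_DIR")" ]]; then
  echo "Docker reports data root '$ACTIVE_ROOT', expected '$NEW_DOCKER_DIR'; old data left in place." >&2
  exit 1
fi

read -rp "Remove old $DEFAULT_DOCKER_DIR? (type YES): " CONFIRM
if [[ "$CONFIRM" == "YES" ]]; then
  rm -rf -- "${DEFAULT_DOCKER_DIR:?}"
  echo "Old data removed."
else
  echo "Skipping deletion."
fi
# $DEFAULT_CONTAINERD_DIR is deliberately left alone: containerd is running
# again and is still configured to use it.
if [[ -d "$NEW_CONTAINERD_DIR" ]]; then
  echo "Note: $DEFAULT_CONTAINERD_DIR was copied to $NEW_CONTAINERD_DIR but is still in use by containerd and was not removed."
fi
systemctl --no-pager status docker || true
echo "Docker migration complete."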
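#!/usr/bin/env bash
# swap-setup.sh — create a swap file at /swapfile, enable it, persist it in
# /etc/fstab and set vm.swappiness=10. Default size is twice RAM (min 1 GB).
# Safe to re-run: an already-active /swapfile is left as is.
# Must run as root; prompts interactively.
set -euo pipefail

if [[ $EUID -ne 0 ]]; then
  echo "This script must run as root (use sudo)." >&2
  exit 1
fi

readonly SWAPFILE="/swapfile"

# MemTotal in /proc/meminfo is in kB; round to whole GB and floor at 1 so a
# small VM gets a usable default instead of 0.
MEM_GB=$(awk '/MemTotal/ {printf "%.0f", $2/1024/1024}' /proc/meminfo)
(( MEM_GB >= 1 )) || MEM_GB=1
DEF_SWAP=$((MEM_GB * 2))

read -rp "How much swap (GB) do you want [default: ${DEF_SWAP}]: " SWAP_GB
SWAP_GB=${SWAP_GB:-$DEF_SWAP}
# Whole number with at least one non-zero digit: "0" would make fallocate/dd
# produce an empty file and mkswap fail later with a less helpful error.
if [[ ! "$SWAP_GB" =~ ^[0-9]*[1-9][0-9]*$ ]]; then
  echo "Invalid swap size. Exiting."
  exit 1
fi

# Do not touch a swap file that is already in use: fallocate/mkswap on a
# live swap file fails. The list is captured first so grep's early exit
# cannot turn into a pipefail false negative.
ACTIVE_SWAP=$(swapon --show=NAME --noheadings)
if grep -qxF -- "$SWAPFILE" <<<"$ACTIVE_SWAP"; then
  echo "$SWAPFILE is already active; skipping creation."
else
  echo "=== Setting up a ${SWAP_GB}G swap file ==="
  # Start from a clean file so a leftover partial file from an aborted run is
  # not reused; preallocate, falling back to dd where fallocate is unsupported.
  rm -f -- "$SWAPFILE"
  fallocate -l "${SWAP_GB}G" "$SWAPFILE" \
    || dd if=/dev/zero of="$SWAPFILE" bs=1G count="$SWAP_GB" status=progress
  chmod 600 "$SWAPFILE"
  mkswap "$SWAPFILE"
  swapon "$SWAPFILE"
fi

# Persist across reboots; append only once. SWAPFILE contains no regex
# metacharacters, so it is safe inside the pattern.
if ! grep -qE "^${SWAPFILE}[[:space:]]" /etc/fstab; then
  printf '%s none swap sw 0 0\n' "$SWAPFILE" >> /etc/fstab
fi
# Prefer reclaiming cache over swapping; swap only under real memory pressure.
sysctl vm.swappiness=10
echo "vm.swappiness=10" > /etc/sysctl.d/99-swappiness.conf
echo "=== Swap setup complete! ==="
swapon --show
free -h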