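#!/usr/bin/env bash
# Interactive post-install setup for a fresh Fedora/RHEL-style server:
#   1. optionally create a user (or promote an existing one) into the `wheel` group,
#   2. move sshd to a new unprivileged port (keeping 22 until the new one is verified),
#   3. open 80/443 and the new ssh port in firewalld (if it is running),
#   4. label the new port as ssh_port_t for SELinux (if semanage is available),
#   5. allow rootless services (e.g. podman) to bind ports >= 80 and to outlive logout.
# Every step is interactive; the script must be run as root.
set -euo pipefail

# Print a diagnostic to stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Return 0 when $1 is syntactically a valid account name (the pattern
# useradd accepts).  Rejecting anything else also keeps user input from
# being parsed as an option by useradd/usermod/loginctl.
valid_username() {
  [[ "$1" =~ ^[a-z_][a-z0-9_-]*[$]?$ ]]
}

# Return 0 when $1 is a decimal TCP port strictly between 1024 and 65535,
# i.e. the range the prompt promises.  10# forces base 10 so that leading
# zeros are not read as octal.
valid_port() {
  [[ "$1" =~ ^[0-9]+$ ]] && (( 10#$1 > 1024 && 10#$1 < 65535 ))
}

# Return 0 when some socket already listens on port $1 (TCP or UDP).
# The pattern is anchored on ":PORT<space>" so that 22 does not match 2222;
# grep is not given -q so that ss never sees an early SIGPIPE under pipefail.
port_in_use() {
  ss -tunl | grep -E ":$1[[:space:]]" >/dev/null
}

main() {
  local ready username password='' port ssh_port
  (( EUID == 0 )) || die "this script must be run as root"

  printf '%s\n' "Read carefully throughout this script and correct it for your needs." \
    "Then run it as root. Are you ready? (y/N)"
  read -r ready
  # default answer is "no": empty input or anything not starting with y/Y aborts
  [[ "${ready,,}" == y* ]] || exit 1

  ## Add user to system ##
  printf '%s\n' "Enter username if you want to create new user or" \
    "add existing user to 'wheel' group; enter nothing to skip"
  read -r username
  if [[ -n "$username" ]]; then
    valid_username "$username" || die "invalid username '${username}', aborting"
    if ! getent passwd "$username" >/dev/null; then # user doesn't exist yet
      useradd -m "$username"
      password=$(openssl rand -base64 9)
      # Feed the generated secret (not a literal) via stdin so it never
      # appears in argv; chpasswd reads "user:password" lines.
      printf '%s:%s\n' "$username" "$password" | chpasswd
    fi
    # if wheel group exists, add the user to it
    if getent group wheel >/dev/null; then
      usermod -aG wheel "$username"
    else
      printf 'warning: group "wheel" does not exist, %s was not granted admin rights\n' \
        "$username" >&2
    fi
  fi

  ## Configure ssh ##
  printf '%s\n' "Enter new ssh port (> 1024 and < 65535)"
  read -r port
  [[ -n "$port" ]] || die "sshPort not set, aborting"
  valid_port "$port" || die "port ${port} is not a number between 1025 and 65534, aborting"
  if port_in_use "$port"; then
    die "port ${port} is already in use, aborting"
  fi
  ssh_port=$port

  ## Configure SELinux ##
  # The port must be labelled ssh_port_t BEFORE sshd is restarted, otherwise
  # SELinux denies the bind.  `-a` fails if the port already carries a label,
  # so fall back to modifying it.
  if command -v semanage >/dev/null; then
    semanage port -a -t ssh_port_t -p tcp "$ssh_port" \
      || semanage port -m -t ssh_port_t -p tcp "$ssh_port"
  fi

  # sometimes port 22 is already commented in config,
  # but 22 port can be needed if new port is not available
  printf 'Port 22\nPort %s\n' "$ssh_port" | tee -a /etc/ssh/sshd_config
  # Never restart on a broken config: that would lock us out of the server.
  sshd -t || die "sshd_config failed validation after adding Port ${ssh_port}; sshd not restarted"
  systemctl restart sshd

  ## Configure firewall ##
  if command -v firewall-cmd >/dev/null \
    && [[ "$(firewall-cmd --state 2>/dev/null)" == "running" ]]; then
    firewall-cmd --list-all
    firewall-cmd --permanent --add-port=80/tcp
    firewall-cmd --permanent --add-port=443/tcp
    firewall-cmd --permanent --add-port="${ssh_port}/tcp"
    firewall-cmd --reload
  else
    printf 'warning: firewalld is not running, make sure port %s is reachable\n' \
      "$ssh_port" >&2
  fi

  ## for podman ##
  # allow user apps (including podman) use ports from 80 and above
  printf 'net.ipv4.ip_unprivileged_port_start=80\n' > /etc/sysctl.d/unprivileged-ports.conf
  sysctl --system

  if [[ -z "$username" ]]; then
    printf '%s\n' "Enter username for which to enable long-running services"
    read -r username
  fi
  # allow non-logged user to run long-running services, such as podman container
  [[ -n "$username" ]] || die "username not set, aborting"
  valid_username "$username" || die "invalid username '${username}', aborting"
  loginctl enable-linger "$username"

  ## Summary ##
  printf '\n---- Summary ----\n\n'
  if [[ -n "$password" ]]; then
    printf '%s\n' "New user ${username} is created with password:" \
      "${password}" \
      "don't forget to change it with" \
      "passwd ${username}" \
      ""
  fi

  printf '%s\n' "Check that ssh is available at port ${ssh_port} then close" \
    "port 22 commenting line(s)" \
    "Port 22" \
    "in /etc/ssh/sshd_config and running" \
    "systemctl restart sshd" \
    ""

  printf '%s\n' "Then you are ready to log out from the server, then log in as ${username}" \
    "with new ssh port ${ssh_port}." \
    ""

  printf '%s\n' "If you encouner problems, try to reboot server first, to restart services." \
    ""
}

main "$@"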