An automated, idempotent Bash script designed for the baseline initialization, optimization, and foundational hardening of newly deployed Linux servers (Debian/Ubuntu).
⚠️ Disclaimer: This script provides a basic, foundational configuration baseline. True production-grade hardening is a continuous process. Depending on your infrastructure architecture, there are always additional security layers to consider (see the Roadmap section below).
You can execute this script directly on your newly deployed server via the command line without downloading the file or cloning the repository.
Log into your clean server as root via SSH and run:
curl -sSL https://raw.githubusercontent.com/pniaps/linux-server-bootstrap/main/setup.sh | bash
Note: During execution, you will be asked for a custom SSH port. Press Enter to keep the default port 22 safe, or type a custom one (e.g., 4815).
Perfect for CI/CD or automation pipelines. Pass environment variables directly inline:
curl -sSL https://raw.githubusercontent.com/pniaps/linux-server-bootstrap/main/setup.sh | GITHUB_USER="pniaps" NEW_USER="pnia" SSH_PORT="4815" HOSTNAME="example.com" bash
This script adheres to the principle of idempotence (it can be run multiple times safely without ruining existing states or generating duplicate blocks).
- Timezone Alignment: Sets the system clock architecture to
Europe/Madrid. - Dedicated Admin Account: Requests a username (e.g.,
pnia), configures the user with administrativesudoprivileges, and bypasses password prompts for efficient terminal usage. - GitHub SSH Key Injection: Safely downloads your public cryptographic keys from GitHub and maps them to the new user's
authorized_keysfile (automatically bypassing preexisting duplicates). - SSH Service Hardening:
- Enforces exclusive public-key cryptographic authentication (disallows standard passwords).
- Rejects direct
rootaccount logins. - Optional Port Shifting: Modifies the port (e.g., to
4815) only if explicitly defined by the user. If left as22, the standard port is kept for safety. - Safety Guard: Applies these SSH adjustments only once by validating against a backup file state.
- Smart Hostname Setup: Prompts for a custom hostname (supports root domains like
example.comor subdomains likevps.example.com). If left blank, it preserves the current one. It automatically cleans and maps the name to127.0.1.1in/etc/hoststo preventsudocommand timeouts and internal resolution lag. 6Security Patches: Installs and hooksunattended-upgradesto automatically patch high-priority security vulnerabilities.
- Ensure you have uploaded at least one public SSH key to your GitHub account (
https://github.com/your_username.keys). - Critical: If you change the SSH port from default 22 to a custom one, you must explicitly allow inbound TCP traffic on that new port in your provider's external cloud firewall (AWS Security Groups, DigitalOcean Firewalls, etc.) before running this setup. Otherwise, you will be locked out immediately upon completion.
Because this script only builds a basic baseline, here are highly recommended additions you should implement manually or script based on your specific requirements:
- Network Perimeter Security: Install and configure
ufwornftablesto drop all inbound traffic except on designated application ports. - Intrusion Prevention: Deploy
Fail2Banto actively monitor authorization logs and block offending IPs abusing open ports. - Audit Trail Log Management: Centralize system events and setup log forwarding to an external SIEM tool.
- Kernel Hardening: Tune
/etc/sysctl.confparameters to mitigate network layer exploits (e.g., disabling IP forwarding, enabling source validation). - Process Monitoring: Set up resource triggers and lightweight monitoring agents (e.g., Prometheus Node Exporter, Datadog).
Distributed under the MIT License. Feel free to fork, adapt, and refine.