Skip to content

pniaps/linux-server-bootstrap

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Linux Server Bootstrap 🚀

An automated, idempotent Bash script designed for the baseline initialization, optimization, and foundational hardening of newly deployed Linux servers (Debian/Ubuntu).

⚠️ Disclaimer: This script provides a basic, foundational configuration baseline. True production-grade hardening is a continuous process. Depending on your infrastructure architecture, there are always additional security layers to consider (see the Roadmap section below).

⚡ Instant Execution (No Download Needed)

You can execute this script directly on your newly deployed server via the command line without downloading the file or cloning the repository.

Option 1: Interactive Mode (Prompts for Inputs)

Log into your clean server as root via SSH and run:

curl -sSL https://raw.githubusercontent.com/pniaps/linux-server-bootstrap/main/setup.sh | bash

Note: During execution, you will be asked for a custom SSH port. Press Enter to keep the default port 22 safe, or type a custom one (e.g., 4815).

Option 2: Automated Mode (Headless / Zero Prompts)

Perfect for CI/CD or automation pipelines. Pass environment variables directly inline:

curl -sSL https://raw.githubusercontent.com/pniaps/linux-server-bootstrap/main/setup.sh | GITHUB_USER="pniaps" NEW_USER="pnia" SSH_PORT="4815" HOSTNAME="example.com" bash


✨ Features & Baseline Actions

This script adheres to the principle of idempotence (it can be run multiple times safely without ruining existing states or generating duplicate blocks).

  1. Timezone Alignment: Sets the system clock architecture to Europe/Madrid.
  2. Dedicated Admin Account: Requests a username (e.g., pnia), configures the user with administrative sudo privileges, and bypasses password prompts for efficient terminal usage.
  3. GitHub SSH Key Injection: Safely downloads your public cryptographic keys from GitHub and maps them to the new user's authorized_keys file (automatically bypassing preexisting duplicates).
  4. SSH Service Hardening:
    • Enforces exclusive public-key cryptographic authentication (disallows standard passwords).
    • Rejects direct root account logins.
    • Optional Port Shifting: Modifies the port (e.g., to 4815) only if explicitly defined by the user. If left as 22, the standard port is kept for safety.
    • Safety Guard: Applies these SSH adjustments only once by validating against a backup file state.
  5. Smart Hostname Setup: Prompts for a custom hostname (supports root domains like example.com or subdomains like vps.example.com). If left blank, it preserves the current one. It automatically cleans and maps the name to 127.0.1.1 in /etc/hosts to prevent sudo command timeouts and internal resolution lag. 6Security Patches: Installs and hooks unattended-upgrades to automatically patch high-priority security vulnerabilities.

🛠️ Essential Prerequisites

  • Ensure you have uploaded at least one public SSH key to your GitHub account (https://github.com/your_username.keys).
  • Critical: If you change the SSH port from default 22 to a custom one, you must explicitly allow inbound TCP traffic on that new port in your provider's external cloud firewall (AWS Security Groups, DigitalOcean Firewalls, etc.) before running this setup. Otherwise, you will be locked out immediately upon completion.

🗺️ Next Steps & Security Roadmap

Because this script only builds a basic baseline, here are highly recommended additions you should implement manually or script based on your specific requirements:

  • Network Perimeter Security: Install and configure ufw or nftables to drop all inbound traffic except on designated application ports.
  • Intrusion Prevention: Deploy Fail2Ban to actively monitor authorization logs and block offending IPs abusing open ports.
  • Audit Trail Log Management: Centralize system events and setup log forwarding to an external SIEM tool.
  • Kernel Hardening: Tune /etc/sysctl.conf parameters to mitigate network layer exploits (e.g., disabling IP forwarding, enabling source validation).
  • Process Monitoring: Set up resource triggers and lightweight monitoring agents (e.g., Prometheus Node Exporter, Datadog).

Distributed under the MIT License. Feel free to fork, adapt, and refine.

About

Foundational bootstrap and initial hardening script for newly deployed Linux VPS servers.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Contributors

Languages