@SegHaxx
Last active November 2, 2025 03:33
Notes on remotely setting up a locked down AlmaLinux 9 VPS server
# AlmaLinux 9 Paranoid Server Setup
# starting from a fresh install this will:
# establish a trusted ssh key login
# create an admin user with sudo rights
# then disable direct root login as much as possible
# you should be comfortable with how ssh key authentication works before you do this
# on your local cyberdeck, generate an ssh key if you haven't already
# ssh-keygen -t ed25519
# copy ssh key to server
ssh-copy-id root@<serverip>
# login as root
ssh root@<serverip>
# create our admin user with sudo rights
# use your own username for convenience
adduser -G wheel <username>
passwd <username>
# copy the ssh key over to it
install -o <username> -g <username> -m 700 -d ~<username>/.ssh
install -o <username> -g <username> -m 600 ~/.ssh/authorized_keys ~<username>/.ssh/
exit
# login as admin
# make sure this works using an authorised key before you proceed because we're turning everything else off
ssh <serverip>
# lock down sshd, absolutely no root login or plain passwords
sudo rm -rfv /root/.ssh
# '#\?' makes the leading '#' optional, so this also overrides a VPS image that already sets these uncommented
sudo sed -i 's/^#\?PermitRootLogin .*$/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PasswordAuthentication .*$/PasswordAuthentication no/' /etc/ssh/sshd_config
# AlmaLinux 9 includes /etc/ssh/sshd_config.d/*.conf at the top of sshd_config and the first value wins,
# so check the effective config before restarting: sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '
sudo systemctl restart sshd
# disable root password
sudo passwd -d root
sudo passwd -l root
# remove some crap i don't need
# sudo dnf remove sssd\* iw\*-firmware
# don't install extra crap
echo 'install_weak_deps=False' | sudo tee -a /etc/dnf/dnf.conf
# make sure we're up to date
sudo dnf update
# enable selinux since racknerd doesn't by default
sudo sed -i 's/^\(SELINUX=\)\(.*\)$/\1enforcing/' /etc/selinux/config
# and reboot, relabel will take some time
sudo reboot
# you now have an absolutely locked down server that can only be accessed
# via the admin user and an authorized key
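A post-reboot check of the state this setup leaves behind, added here as an example and not part of the gist. It assumes `sshd -T`, `passwd -S` and `getenforce` are available as they are on AlmaLinux 9, and that `passwd -S` reports a locked account as LK (or L with shadow-utils); run it as `sh check.sh --live` on the server.

```sh
#!/bin/sh
# Verifies the lockdown above: root ssh login off, password auth off, root password
# locked, SELinux enforcing. Each parser reads the real command's output on stdin.

# Effective sshd settings this setup relies on, in the lowercase form `sshd -T` prints.
SSHD_REQUIRED="permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes"
# stdin: `sshd -T` output (the merged config, so sshd_config.d/ drop-ins are covered).
# Prints each wrong or absent setting; returns 1 if there is any.
check_sshd_config() {
  effective=$(tr '[:upper:]' '[:lower:]')
  bad=0
  for pair in $SSHD_REQUIRED; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      printf 'sshd: %s is "%s", expected "%s"\n' "$key" "${got:-unset}" "$want"
      bad=1
    fi
  done
  return $bad
}
# stdin: `passwd -S root` output. Field 2 is LK (AlmaLinux passwd) or L (shadow-utils)
# for a locked account; PS, NP or P mean root still has a usable or empty password.
check_root_locked() {
  read -r user status rest
  case "$status" in
    LK|L) return 0 ;;
    *) printf 'root password is not locked (status: %s)\n' "${status:-unknown}"; return 1 ;;
  esac
}
check_selinux() {  # $1: `getenforce` output
  [ "$1" = "Enforcing" ] || { printf 'SELinux is %s, expected Enforcing\n' "$1"; return 1; }
}
check_host() {  # run every check on the live system; 0 only if all of them passed
  rc=0
  sudo sshd -T | check_sshd_config || rc=1
  sudo passwd -S root | check_root_locked || rc=1
  check_selinux "$(getenforce)" || rc=1
  return $rc
}
# Constructed sample (not from a real host): an image that still allows root login
# and never set PasswordAuthentication at all.
SAMPLE_SSHD_BAD='permitrootlogin yes
pubkeyauthentication yes'
if [ "${1:-}" = "--live" ]; then
  check_host
else
  printf '%s\n' "$SAMPLE_SSHD_BAD" | check_sshd_config || echo '(the sample is expected to fail)'
fi
```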