Last active
November 11, 2025 07:40
-
-
Save rameerez/f92ada0c83c2ecf9654cbadbc6adbbca to your computer and use it in GitHub Desktop.
Revisions
-
rameerez revised this gist
Jul 29, 2024 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -42,6 +42,9 @@ if [[ $EUID -ne 0 ]]; then exit 1 fi # Fix for PS1 unbound variable echo 'if [ -z "${PS1-}" ]; then return; fi' | cat - /etc/bash.bashrc > temp && mv temp /etc/bash.bashrc # Update and upgrade system print_message "${YELLOW}" "Updating and upgrading system..." apt-get update -y && apt-get upgrade -y @@ -196,9 +199,6 @@ echo 'Unattended-Upgrade::Allowed-Origins { # alias top='btop' # EOF # Apply aliases to current session source /etc/bash.bashrc -
Jul 29, 2024 . 1 changed file with 9 additions and 9 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -140,8 +140,8 @@ print_message "${YELLOW}" "Setting up SSL certificate renewal..." echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null # Install additional useful tools # print_message "${YELLOW}" "Installing additional tools..." # apt-get install -y bat btop lsd # Basic monitoring print_message "${YELLOW}" "Setting up basic system monitoring..." @@ -188,16 +188,16 @@ echo 'Unattended-Upgrade::Allowed-Origins { };' > /etc/apt/apt.conf.d/50unattended-upgrades # Set up aliases # print_message "${YELLOW}" "Setting up aliases..." # cat <<EOF >> /etc/bash.bashrc # Aliases # alias ls='lsd -lah' # alias cat='batcat' # alias top='btop' # EOF # Fix for PS1 unbound variable # echo 'if [ -z "${PS1-}" ]; then return; fi' | cat - /etc/bash.bashrc > temp && mv temp /etc/bash.hashrc # Apply aliases to current session source /etc/bash.bashrc -
Jul 29, 2024 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -191,7 +191,7 @@ echo 'Unattended-Upgrade::Allowed-Origins { print_message "${YELLOW}" "Setting up aliases..." cat <<EOF >> /etc/bash.bashrc # Aliases alias ls='lsd -lah' alias cat='batcat' alias top='btop' EOF -
Jul 29, 2024 . 1 changed file with 7 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -190,11 +190,15 @@ echo 'Unattended-Upgrade::Allowed-Origins { # Set up aliases print_message "${YELLOW}" "Setting up aliases..." cat <<EOF >> /etc/bash.bashrc # Aliases alias ls='lsd' alias cat='batcat' alias top='btop' EOF # Fix for PS1 unbound variable echo 'if [ -z "${PS1-}" ]; then return; fi' | cat - /etc/bash.bashrc > temp && mv temp /etc/bash.hashrc # Apply aliases to current session source /etc/bash.bashrc @@ -203,4 +207,6 @@ print_message "${YELLOW}" "Cleaning up..." apt-get autoremove -y apt-get clean # Final message print_message "${GREEN}" "Setup complete! Please reboot the system to apply all changes." print_message "${YELLOW}" "Note: Some changes may require a logout/login to take effect." -
Jul 29, 2024 . 1 changed file with 5 additions and 5 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -143,11 +143,11 @@ echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(rando print_message "${YELLOW}" "Installing additional tools..." apt-get install -y bat btop lsd # Basic monitoring print_message "${YELLOW}" "Setting up basic system monitoring..." apt-get install -y sysstat systemctl enable sysstat systemctl start sysstat # Enable and configure auditd print_message "${YELLOW}" "Configuring auditd..." -
Jul 29, 2024 . 1 changed file with 25 additions and 9 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -27,6 +27,15 @@ print_message() { echo -e "${color}${ALIEN} ${message}${NC}" } # Function to handle errors handle_error() { print_message "${RED}" "An error occurred. Exiting..." exit 1 } # Set up error handling trap 'handle_error' ERR # Check if script is run as root if [[ $EUID -ne 0 ]]; then print_message "${RED}" "This script must be run as root" @@ -43,13 +52,14 @@ apt-get install -y ufw fail2ban curl wget gnupg lsb-release ca-certificates apt- # Set up firewall print_message "${YELLOW}" "Configuring firewall..." ufw --force reset ufw default deny incoming ufw default allow outgoing ufw allow ssh ufw allow http ufw allow https ufw allow 2376/tcp # Docker TLS port echo "y" | ufw enable # Configure fail2ban print_message "${YELLOW}" "Configuring fail2ban..." @@ -67,9 +77,19 @@ systemctl restart fail2ban # Harden SSH configuration print_message "${YELLOW}" "Hardening SSH configuration..." if [ -f /etc/ssh/sshd_config ]; then sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config if systemctl is-active --quiet ssh; then systemctl restart ssh elif systemctl is-active --quiet sshd; then systemctl restart sshd else print_message "${RED}" "SSH service not found. Please check your SSH configuration." fi else print_message "${RED}" "SSH configuration file not found. Please check your SSH installation." fi # Install and configure Docker print_message "${YELLOW}" "Installing Docker..." @@ -89,14 +109,10 @@ cat <<EOF > /etc/docker/daemon.json "icc": false, "live-restore": true, "userland-proxy": false, "no-new-privileges": true } EOF systemctl enable docker systemctl restart docker -
Jul 29, 2024 . 1 changed file with 47 additions and 23 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,29 +7,42 @@ set -euo pipefail # --- AESTHETICS --- # Define color codes for echo messages GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' # Define the escape sequence for the alien emoji (U+1F47D) ALIEN='\xF0\x9F\x91\xBD' # Define the variable for resetting the color back to the default NC='\033[0m' # Function to print colorized output with alien emoji print_message() { local color=$1 local message=$2 echo -e "${color}${ALIEN} ${message}${NC}" } # Check if script is run as root if [[ $EUID -ne 0 ]]; then print_message "${RED}" "This script must be run as root" exit 1 fi # Update and upgrade system print_message "${YELLOW}" "Updating and upgrading system..." apt-get update -y && apt-get upgrade -y # Install essential packages print_message "${YELLOW}" "Installing essential packages..." apt-get install -y ufw fail2ban curl wget gnupg lsb-release ca-certificates apt-transport-https software-properties-common # Set up firewall print_message "${YELLOW}" "Configuring firewall..." ufw default deny incoming ufw default allow outgoing ufw allow ssh @@ -39,7 +52,7 @@ ufw allow 2376/tcp # Docker TLS port ufw enable # Configure fail2ban print_message "${YELLOW}" "Configuring fail2ban..." cat <<EOF > /etc/fail2ban/jail.local [sshd] enabled = true @@ -53,18 +66,18 @@ systemctl enable fail2ban systemctl restart fail2ban # Harden SSH configuration print_message "${YELLOW}" "Hardening SSH configuration..." sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config systemctl restart sshd # Install and configure Docker print_message "${YELLOW}" "Installing Docker..." curl -fsSL https://get.docker.com -o get-docker.sh sh get-docker.sh # Configure Docker daemon print_message "${YELLOW}" "Configuring Docker daemon..." mkdir -p /etc/docker cat <<EOF > /etc/docker/daemon.json { @@ -88,47 +101,47 @@ systemctl enable docker systemctl restart docker # Install Docker Compose print_message "${YELLOW}" "Installing Docker Compose..." DOCKER_COMPOSE_VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4) curl -L "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose # Create docker user and group print_message "${YELLOW}" "Creating docker user and group..." adduser --system --group --shell /bin/bash docker usermod -aG docker docker # Set up Docker network print_message "${YELLOW}" "Setting up Docker network..." docker network create --driver bridge private # Install and configure Nginx print_message "${YELLOW}" "Installing and configuring Nginx..." apt-get install -y nginx certbot python3-certbot-nginx # Set up SSL certificate renewal print_message "${YELLOW}" "Setting up SSL certificate renewal..." echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null # Install additional useful tools print_message "${YELLOW}" "Installing additional tools..." apt-get install -y bat btop lsd # Set up system monitoring print_message "${YELLOW}" "Setting up system monitoring..." apt-get install -y prometheus node-exporter systemctl enable prometheus node-exporter systemctl start prometheus node-exporter # Enable and configure auditd print_message "${YELLOW}" "Configuring auditd..." apt-get install -y auditd audispd-plugins auditctl -e 1 systemctl enable auditd systemctl start auditd # Set up log rotation print_message "${YELLOW}" "Configuring log rotation..." cat <<EOF > /etc/logrotate.d/docker-logs /var/lib/docker/containers/*/*.log { rotate 7 @@ -141,7 +154,7 @@ cat <<EOF > /etc/logrotate.d/docker-logs EOF # Harden kernel parameters print_message "${YELLOW}" "Hardening kernel parameters..." cat <<EOF >> /etc/sysctl.conf net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 @@ -152,15 +165,26 @@ EOF sysctl -p # Set up automatic security updates print_message "${YELLOW}" "Setting up automatic security updates..." apt-get install -y unattended-upgrades echo 'Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };' > /etc/apt/apt.conf.d/50unattended-upgrades # Set up aliases print_message "${YELLOW}" "Setting up aliases..." cat <<EOF >> /etc/bash.bashrc alias ls='lsd' alias cat='batcat' alias top='btop' EOF # Apply aliases to current session source /etc/bash.bashrc # Clean up print_message "${YELLOW}" "Cleaning up..." apt-get autoremove -y apt-get clean print_message "${GREEN}" "Setup complete! Please reboot the system to apply all changes." -
Jul 29, 2024 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,166 @@ #!/bin/bash # Production Docker Host Setup Script # This script sets up a secure, production-ready Docker host on Ubuntu Server 22.04 LTS # It includes security hardening, performance optimizations, and best practices # CAUTION: This script makes significant system changes. Use at your own risk. set -euo pipefail # Function to print colorized output print_message() { local color=$1 local message=$2 echo -e "\e[${color}m${message}\e[0m" } # Check if script is run as root if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi # Update and upgrade system print_message "33" "Updating and upgrading system..." apt-get update -y && apt-get upgrade -y # Install essential packages print_message "33" "Installing essential packages..." apt-get install -y ufw fail2ban curl wget gnupg lsb-release ca-certificates apt-transport-https software-properties-common # Set up firewall print_message "33" "Configuring firewall..." ufw default deny incoming ufw default allow outgoing ufw allow ssh ufw allow http ufw allow https ufw allow 2376/tcp # Docker TLS port ufw enable # Configure fail2ban print_message "33" "Configuring fail2ban..." cat <<EOF > /etc/fail2ban/jail.local [sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 3600 EOF systemctl enable fail2ban systemctl restart fail2ban # Harden SSH configuration print_message "33" "Hardening SSH configuration..." sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config systemctl restart sshd # Install and configure Docker print_message "33" "Installing Docker..." curl -fsSL https://get.docker.com -o get-docker.sh sh get-docker.sh # Configure Docker daemon print_message "33" "Configuring Docker daemon..." mkdir -p /etc/docker cat <<EOF > /etc/docker/daemon.json { "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3" }, "icc": false, "live-restore": true, "userland-proxy": false, "no-new-privileges": true, "seccomp-profile": "/etc/docker/seccomp-profile.json" } EOF # Download Docker seccomp profile curl -o /etc/docker/seccomp-profile.json https://raw.githubusercontent.com/docker/engine/master/profiles/seccomp/default.json systemctl enable docker systemctl restart docker # Install Docker Compose print_message "33" "Installing Docker Compose..." DOCKER_COMPOSE_VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4) curl -L "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose # Create docker user and group print_message "33" "Creating docker user and group..." adduser --system --group --shell /bin/bash docker usermod -aG docker docker # Set up Docker network print_message "33" "Setting up Docker network..." docker network create --driver bridge private # Install and configure Nginx print_message "33" "Installing and configuring Nginx..." apt-get install -y nginx certbot python3-certbot-nginx # Set up SSL certificate renewal print_message "33" "Setting up SSL certificate renewal..." echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null # Install additional useful tools print_message "33" "Installing additional tools..." apt-get install -y bat btop lsd # Set up system monitoring print_message "33" "Setting up system monitoring..." apt-get install -y prometheus node-exporter systemctl enable prometheus node-exporter systemctl start prometheus node-exporter # Enable and configure auditd print_message "33" "Configuring auditd..." apt-get install -y auditd audispd-plugins auditctl -e 1 systemctl enable auditd systemctl start auditd # Set up log rotation print_message "33" "Configuring log rotation..." cat <<EOF > /etc/logrotate.d/docker-logs /var/lib/docker/containers/*/*.log { rotate 7 daily compress missingok delaycompress copytruncate } EOF # Harden kernel parameters print_message "33" "Hardening kernel parameters..." cat <<EOF >> /etc/sysctl.conf net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1 EOF sysctl -p # Set up automatic security updates print_message "33" "Setting up automatic security updates..." apt-get install -y unattended-upgrades echo 'Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };' > /etc/apt/apt.conf.d/50unattended-upgrades # Clean up print_message "33" "Cleaning up..." apt-get autoremove -y apt-get clean print_message "32" "Setup complete! Please reboot the system to apply all changes."