webserver-config/install/000-update-install.sh

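#!/bin/bash
# 000-update-install.sh — baseline provisioning for an Nginx/PHP web host:
# package update/upgrade, Nginx + PHP-FPM, a default-deny UFW firewall,
# fail2ban jails for sshd and nginx-http-auth, and SSH hardening (no root
# login, key-based auth only).
#
# Usage: run as root (or via sudo) on a Debian/Ubuntu system with apt.
# Safe to re-run: each step overwrites or re-applies its own state.
#
# Ordering matters for lock-out safety: the SSH firewall rule is added before
# ufw is enabled, and sshd is only restarted after its config passes `sshd -t`.
set -euo pipefail

die()  { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'WARNING: %s\n' "$*" >&2; }

# Package installation and the config writes below all need root.
[[ "$EUID" -eq 0 ]] || die "Please run as root or with sudo"

# apt-get has a stable CLI for scripts (apt itself warns about scripted use);
# a noninteractive frontend keeps debconf prompts from hanging an unattended run.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
# Web server, firewall, time sync and brute-force protection.
apt-get install -y nginx ufw ntp fail2ban
# PHP-FPM plus the extensions the site needs.
apt-get install -y php-fpm php-curl php-gd php-mbstring php-xml php-zip php-pdo php-mysql php-sqlite3

# UTC keeps log timestamps (and therefore fail2ban's ban windows) unambiguous.
# Non-fatal: inside some containers timedatectl cannot reach systemd.
timedatectl set-timezone UTC || warn "could not set timezone to UTC"

# UFW: default deny inbound, allow outbound. SSH MUST be allowed before
# `ufw enable`, otherwise a remote session is cut off. 'Nginx Full' (80/443)
# is the application profile shipped by the nginx package installed above.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 'Nginx Full'
ufw --force enable

# fail2ban jails. Both jails chain a second action, `nginx-banned-ips`, that
# this script does not define; fail2ban resolves an action name to
# /etc/fail2ban/action.d/<name>.conf, so warn early if it is absent rather
# than discovering it as a failed jail after the restart below.
if [[ ! -f /etc/fail2ban/action.d/nginx-banned-ips.conf ]]; then
  warn "fail2ban action 'nginx-banned-ips' not found in /etc/fail2ban/action.d/; the jails written below reference it"
fi
# maxretry = 20 is far looser than fail2ban's default of 5. It is kept as
# written here; lower it if brute-force noise against sshd is a concern.
# The second action is a continuation line and must be indented — fail2ban
# parses an unindented line as a new key and rejects the section.
cat > /etc/fail2ban/jail.d/server.conf <<'EOL'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 20
bantime = 86400
action = iptables-multiport[name=sshd]
         nginx-banned-ips

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 20
bantime = 3600
action = iptables-multiport[name=nginx-http-auth]
         nginx-banned-ips
EOL

# SSH hardening: no root login, key-based authentication only.
#
# Stock sshd_config ships the keywords commented out (`#PasswordAuthentication
# yes`), so a sed anchored on `^PasswordAuthentication` matched nothing and
# password logins silently stayed enabled; conversely an already-uncommented
# `PermitRootLogin yes` was missed by `^#PermitRootLogin`. `^#\?` covers both
# forms. sshd also honours the FIRST value it sees for a keyword, and on
# systems whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`
# (e.g. cloud-init's 50-cloud-init.conf, which re-enables passwords) those
# drop-ins win over the main file — so the same settings are also written to
# a low-sorting drop-in where that directory exists.
SSHD_CONFIG=/etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' "$SSHD_CONFIG"
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG"
if [[ -d /etc/ssh/sshd_config.d ]]; then
  printf 'PermitRootLogin no\nPasswordAuthentication no\n' > /etc/ssh/sshd_config.d/00-hardening.conf
fi

# Disabling password auth with no authorized key installed locks everyone out.
# Warn (do not abort) so unattended runs still complete, but make it visible.
if ! grep -qs . /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; then
  warn "no non-empty authorized_keys found under /root or /home; PasswordAuthentication=no may lock you out"
fi

# Validate before restarting: a config error would otherwise leave sshd down
# and the host unreachable.
sshd -t || die "sshd configuration test failed; not restarting ssh"
systemctl restart ssh

# fail2ban reads jail.conf, then jail.local, then jail.d/*.conf. jail.local is
# kept as a stable local override point; copy it only once so hand edits are
# never clobbered on re-run.
if [[ ! -f /etc/fail2ban/jail.local ]]; then
  cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
fi
# Dry-run the assembled configuration so a broken jail is reported here; the
# restart itself is still attempted, and under `set -e` a failed restart
# aborts before the completion message is printed.
fail2ban-client -t || warn "fail2ban configuration test reported errors; check the jails above"
systemctl restart fail2ban
echo "Server setup and fail2ban configuration completed."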