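#!/usr/bin/env bash
# Baseline hardening for a Debian/Ubuntu host: patch, audit, password and
# lockout policy, host firewall, sshd port move, unattended upgrades and a
# weekly Lynis run. Run as an unprivileged user with sudo rights; each
# privileged step is invoked with sudo explicitly.
set -euo pipefail

# New sshd listening port. Kept in one place so the firewall rule and the
# sshd directive cannot drift apart (the original allowed 22 and moved sshd
# to 2222 with default-deny incoming, i.e. a remote lockout).
readonly SSH_PORT=2222

sudo apt-get update
sudo apt-get upgrade -y
# libpam-pwquality is needed for pwquality.conf to have any effect; the
# package registers itself via pam-auth-update on install.
sudo apt-get install -y lynis ufw unattended-upgrades libpam-pwquality

# Baseline audit before any change, so the post-hardening run can be compared.
sudo lynis audit system > lynis-scan.txt

# Service account for the web application. No login shell (least privilege);
# guarded so the script can be re-run without useradd failing on "exists".
if ! id -u web-app >/dev/null 2>&1; then
  sudo useradd --shell /usr/sbin/nologin web-app
fi

# Password complexity (pam_pwquality). 'deny' and 'unlock_time' are NOT
# pwquality keys - they belong to pam_faillock and go in faillock.conf below.
# Written via sudo tee: a plain '>' redirect into /etc runs as the caller.
sudo tee /etc/security/pwquality.conf >/dev/null <<'EOF'
minlen = 12
dcredit = -1
ucredit = -1
EOF

# Lockout policy (pam_faillock): 5 failures, 15-minute lockout.
# NOTE(review): only honored if pam_faillock is present in the PAM stack
# (/etc/pam.d/common-auth); confirm on the target distribution.
sudo tee /etc/security/faillock.conf >/dev/null <<'EOF'
deny = 5
unlock_time = 900
EOF

# Host firewall: default deny inbound, allow outbound, open only the services
# this host serves. Port 22 stays open until a login over SSH_PORT has been
# verified; remove it afterwards with 'ufw delete allow ssh'.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow "${SSH_PORT}/tcp"
sudo ufw allow http
sudo ufw allow https
sudo ufw --force enable

# sshd: keep a pristine backup once (not overwritten on re-run), then append.
if [[ ! -e /etc/ssh/sshd_config.backup ]]; then
  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
fi
# sshd uses the first value it sees for a keyword, so an appended Port only
# wins because the stock file leaves 'Port' commented out. Anything after an
# active 'Match' block applies only to that Match; the stock file has none.
# PermitRootLogin/PasswordAuthentication are left commented on purpose:
# uncomment them only after a key-based login over SSH_PORT has been tested.
sudo tee -a /etc/ssh/sshd_config >/dev/null <<EOF
Port ${SSH_PORT}
#PermitRootLogin no
#PublickeyAuthentication yes
#PasswordAuthentication no
EOF
# Validate before restarting: restarting on a broken config locks us out.
sudo sshd -t
sudo systemctl restart ssh

# Unattended upgrades. The unit is 'unattended-upgrades' (plural); the
# singular name used originally is the CLI binary, so enable failed.
# 20auto-upgrades is what actually schedules the daily run via APT::Periodic;
# enabling the unit alone does not.
sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
sudo systemctl enable --now unattended-upgrades

# apt cleanup; -y so the script never blocks on a prompt.
sudo apt-get autoremove -y
sudo apt-get autoclean -y

# Weekly Lynis audit in root's crontab (a full audit needs root). The original
# read root's crontab but wrote the result into the caller's crontab.
# --cronjob runs non-interactively without colour codes; the absolute path
# is used because cron's PATH is minimal. '|| true' keeps an empty root
# crontab from aborting the pipeline under set -e; the grep keeps re-runs
# from adding duplicate entries.
readonly CRON_LINE="0 2 * * 0 /usr/sbin/lynis audit system --cronjob >> /var/log/lynis-weekly-audit.log 2>&1"
if ! sudo crontab -l 2>/dev/null | grep -qF -- "${CRON_LINE}"; then
  { sudo crontab -l 2>/dev/null || true; printf '%s\n' "${CRON_LINE}"; } | sudo crontab -
fi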