improve formatting

buildplan 2025-10-20 09:49:12 +01:00 committed by GitHub
parent d5160b4863
commit ce273650c6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -20,6 +20,8 @@
This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is **idempotent**, **safe**, and suitable for **production environments**, providing a secure baseline for further customization. The script runs interactively, guiding users through critical choices while automating essential security and setup tasks.
-----
## Features
* **Secure User Management**: Creates a new `sudo` user and disables root SSH access.
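Review bot: the `-----` added before `## Features` comes straight after the introductory paragraph, and in Markdown a line of dashes directly below paragraph text is a setext heading underline, which would render that whole paragraph as an H2 instead of drawing a horizontal rule. This view does not show whether a blank line separates the two, so confirm there is one both before and after the `-----`. The same check applies anywhere else in this commit where a `-----` follows a line of running text.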
@ -40,6 +42,8 @@ This script automates the initial setup and security hardening of a fresh Debian
* **Comprehensive Logging**: Logs all actions to `/var/log/du_setup_*.log`.
* **Automation-Friendly**: Supports `--quiet` mode for automated provisioning.
-----
## Installation & Usage
### Prerequisites
@ -117,6 +121,8 @@ sudo -E ./du_setup.sh --quiet
>
> Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections).
-----
## What It Does
| Task | Description |
@ -140,7 +146,9 @@ sudo -E ./du_setup.sh --quiet
| **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. |
| **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. |
## Provider Package Cleanup (Since v0.70)
-----
## Provider Package Cleanup
Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security.
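Review bot: replacing `## Provider Package Cleanup (Since v0.70)` with `## Provider Package Cleanup` is a content change in a commit whose message says formatting only. It drops the statement of which version introduced the cleanup feature, which matters to anyone running an older copy of the script, and it changes the heading text that the section's auto-generated anchor is derived from, so existing links to this section may stop resolving. Either keep the version in the heading or move it into the first sentence of the section (for example "Available since v0.70."), and mention the change in the commit message.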
@ -162,6 +170,8 @@ Cleanup is optional but recommended for commercial VPS environments to reduce at
* Default provisioning users (ubuntu, debian, admin, cloud-user)
* Unexpected SSH keys in `/root/.ssh/authorized_keys`
-----
## Post-Reboot Verification
After rebooting, verify the setup:
@ -192,6 +202,8 @@ After rebooting, verify the setup:
* Check results: `sudo less /var/log/setup_harden_security_audit_*.log`
* Review Lynis hardening index and debsecan vulnerabilities in the scripts summary output
-----
## Tested On
* Debian 12, 13
@ -200,6 +212,8 @@ After rebooting, verify the setup:
* Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers
* Tailscale: Standard network, custom self-hosted servers
-----
## Important Notes
* **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space.
@ -210,6 +224,8 @@ After rebooting, verify the setup:
* For Tailscale, generate a pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic.
* For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations.
-----
## Troubleshooting
### SSH Lockout Recovery
@ -302,6 +318,8 @@ If Tailscale fails to connect:
* Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641`
* Check VPS firewall for Tailscale traffic.
-----
## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE)
This script is open-source and provided "as is" without warranty. Use at your own risk.