improve formatting

buildplan 2025-10-20 09:49:12 +01:00 committed by GitHub
parent d5160b4863
commit ce273650c6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -20,6 +20,8 @@
This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is **idempotent**, **safe**, and suitable for **production environments**, providing a secure baseline for further customization. The script runs interactively, guiding users through critical choices while automating essential security and setup tasks. This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is **idempotent**, **safe**, and suitable for **production environments**, providing a secure baseline for further customization. The script runs interactively, guiding users through critical choices while automating essential security and setup tasks.
-----
## Features ## Features
* **Secure User Management**: Creates a new `sudo` user and disables root SSH access. * **Secure User Management**: Creates a new `sudo` user and disables root SSH access.
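Review bot: the `-----` added between the introductory paragraph and `## Features` must have a blank line above it. A row of dashes directly under a paragraph line is parsed by Markdown as a setext heading underline, which would turn the whole paragraph into an H2 instead of drawing a rule. This view does not show blank lines, and the hunk grows from 6 to 8 lines, so please confirm the two added lines are the rule plus a blank line and that the blank line that was already there separates the paragraph from the rule. The same check applies to the other `-----` separators added in this commit.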
@ -40,6 +42,8 @@ This script automates the initial setup and security hardening of a fresh Debian
* **Comprehensive Logging**: Logs all actions to `/var/log/du_setup_*.log`. * **Comprehensive Logging**: Logs all actions to `/var/log/du_setup_*.log`.
* **Automation-Friendly**: Supports `--quiet` mode for automated provisioning. * **Automation-Friendly**: Supports `--quiet` mode for automated provisioning.
-----
## Installation & Usage ## Installation & Usage
### Prerequisites ### Prerequisites
@ -117,6 +121,8 @@ sudo -E ./du_setup.sh --quiet
> >
> Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections). > Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections).
-----
## What It Does ## What It Does
| Task | Description | | Task | Description |
@ -140,7 +146,9 @@ sudo -E ./du_setup.sh --quiet
| **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. | | **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. |
| **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. | | **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. |
## Provider Package Cleanup (Since v0.70) -----
## Provider Package Cleanup
Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security. Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security.
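Review bot: the heading change from `## Provider Package Cleanup (Since v0.70)` to `## Provider Package Cleanup` drops the version in which the feature was introduced, which is a content change rather than formatting, and the commit message only says "improve formatting". If the version note is still useful to readers running older copies of the script, keep it in the section body, for example as a short "Available since v0.70" line under the heading. The heading anchor also changes with the heading text, so any existing links to the old section anchor should be checked.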
@ -162,6 +170,8 @@ Cleanup is optional but recommended for commercial VPS environments to reduce at
* Default provisioning users (ubuntu, debian, admin, cloud-user) * Default provisioning users (ubuntu, debian, admin, cloud-user)
* Unexpected SSH keys in `/root/.ssh/authorized_keys` * Unexpected SSH keys in `/root/.ssh/authorized_keys`
-----
## Post-Reboot Verification ## Post-Reboot Verification
After rebooting, verify the setup: After rebooting, verify the setup:
@ -192,6 +202,8 @@ After rebooting, verify the setup:
* Check results: `sudo less /var/log/setup_harden_security_audit_*.log` * Check results: `sudo less /var/log/setup_harden_security_audit_*.log`
* Review Lynis hardening index and debsecan vulnerabilities in the scripts summary output * Review Lynis hardening index and debsecan vulnerabilities in the scripts summary output
-----
## Tested On ## Tested On
* Debian 12, 13 * Debian 12, 13
@ -200,6 +212,8 @@ After rebooting, verify the setup:
* Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers * Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers
* Tailscale: Standard network, custom self-hosted servers * Tailscale: Standard network, custom self-hosted servers
-----
## Important Notes ## Important Notes
* **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space. * **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space.
@ -210,6 +224,8 @@ After rebooting, verify the setup:
* For Tailscale, generate a pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic. * For Tailscale, generate a pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic.
* For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations. * For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations.
-----
## Troubleshooting ## Troubleshooting
### SSH Lockout Recovery ### SSH Lockout Recovery
@ -302,6 +318,8 @@ If Tailscale fails to connect:
* Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641` * Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641`
* Check VPS firewall for Tailscale traffic. * Check VPS firewall for Tailscale traffic.
-----
## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE) ## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE)
This script is open-source and provided "as is" without warranty. Use at your own risk. This script is open-source and provided "as is" without warranty. Use at your own risk.