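#!/bin/bash
# Post-install bootstrap for a Debian-style host, run as root:
#   1. path/name variables           5. @reboot handler + crontab entry
#   2. shell aliases                 6. static route towards the VPN subnet
#   3. package update + essentials   7. sshd AllowUsers + root key pair
#   4. reboot/shutdown wrappers      8. first-login hook (key hand-over, key-only sshd)
#
# Every append is guarded so the script can be re-run without duplicating
# configuration, the original reboot binary is moved only once, and the
# root key is only minted if none has been issued yet.

### 1. VARIABLES
MOTD="/etc/update-motd.d/01-custom"
REBOOTBIN="/usr/sbin/reboot"
REBOOTBINOLD="/usr/sbin/reboot.old"
SHUTBIN="/usr/sbin/shut"
SCRIPTSDIR="/root/scripts"
REBOOTHANDLER="/root/scripts/reboot_handler.sh"
HOSTNAME=$(hostname)
KEYFILE="/root/.ssh/id_ed25519"
SSHD_CONFIG="/etc/ssh/sshd_config"
TIMEZONE="Europe/Paris"
# Unpredictable temp file instead of a fixed name under /tmp; removed on any exit.
CRONTABTMP=$(mktemp) || exit 1
trap 'rm -f -- "$CRONTABTMP"' EXIT

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - line to add, $2 - target file (created if missing)
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

## 2. ALIASES
append_once "alias ll='ls -l --color=auto'" ~/.bashrc
append_once "alias l='ls -lAh --color=auto'" ~/.bashrc
# No 'source ~/.bashrc' here: it would only affect this non-interactive shell
# (and most .bashrc files return early when the shell is not interactive).

## 3. UPDATE & ESSENTIALS
export DEBIAN_FRONTEND=noninteractive
apt update && apt -o Dpkg::Options::="--force-confold" upgrade -y
apt install -y vim inxi fastfetch htop ncdu net-tools
timedatectl set-timezone "$TIMEZONE"

# VIM CONFIG: stop vim from capturing the mouse in its shipped defaults
VIMDEF=$(find /usr/share/vim -type f -name defaults.vim | head -n1)
[ -f "$VIMDEF" ] && sed -i 's/set mouse=a/set mouse=/g' "$VIMDEF"

# MOTD CUSTOMIZATION: replace the distribution MOTD with a single script
rm -rf /etc/motd /etc/update-motd.d/*
cat << 'EOF' > "$MOTD"
#!/bin/bash
# Dynamic MOTD: system summary, disk usage, last reboot status, pending updates.
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

echo -e "${RED} GENERAL SYSTEM INFORMATION ${NC}"
echo
script -q -c '/usr/bin/fastfetch' /dev/null
echo
echo -e "${RED} SYSTEM DISK USAGE ${NC}"
export TERM=xterm; inxi -D
echo
echo -e "${RED} LAST REBOOT STATUS ${NC}"
tail -n 4 /var/log/reboot.log
echo
# Refreshes the package index at every login; needs root and network access.
apt update -qq > /dev/null 2>&1
updates=$(apt list --upgradable 2>/dev/null | grep -v "^Listing" | wc -l)
if [ "$updates" -gt 0 ]; then
  echo -e "${RED} APT UPDATE RESULT ${NC}"
  echo "$updates package updates available"
fi
EOF
chmod +x "$MOTD"

### 4. Hardening binaries
# REBOOT WRAPPER: drop a flag so the handler can tell an intended reboot from
# an unexpected one, then hand over to the original binary. Move the original
# only once: a second run would otherwise overwrite the backup with the wrapper
# itself and the wrapper would call itself forever.
# NOTE(review): assumes the original keeps acting as 'reboot' when invoked
# under the .old name, and that no package upgrade replaces $REBOOTBIN
# (dpkg-divert would survive that) — confirm on this distribution.
if [ ! -e "$REBOOTBINOLD" ]; then
  mv "$REBOOTBIN" "$REBOOTBINOLD"
fi
cat << 'EOF' > "$REBOOTBIN"
#!/bin/bash
# Mark this reboot as requested on purpose, then run the real reboot.
touch /var/log/restart-flag
sleep 1
/usr/sbin/reboot.old
EOF
chmod +x "$REBOOTBIN"

# SHUTDOWN WRAPPER: same flag, then a plain halt
cat << 'EOF' > "$SHUTBIN"
#!/bin/bash
touch /var/log/restart-flag
sleep 1
shutdown -h now
EOF
chmod +x "$SHUTBIN"

### 5. REBOOT HANDLER
# Runs at every boot (see crontab below) and logs whether the reboot was
# requested via the wrappers, scheduled via a second flag, or unexplained.
mkdir -p "$SCRIPTSDIR"
cat << 'EOF' > "$REBOOTHANDLER"
#!/bin/bash
FLAG='/var/log/restart-flag'      # set by the reboot/shut wrappers
FLAG2='/var/log/scheduled-flag'   # set by a scheduled (crontab) reboot
LOG='/var/log/reboot.log'

if [ -f "$FLAG" ]; then
  echo '--------------------------------' >> "$LOG"
  date >> "$LOG"
  echo '* REBOOT OK : command exec *' >> "$LOG"
  echo '--------------------------------' >> "$LOG"
  rm -f "$FLAG"
elif [ -f "$FLAG2" ]; then
  echo '---------------------------------' >> "$LOG"
  date >> "$LOG"
  echo '* REBOOT PLANNED : crontab *' >> "$LOG"
  echo '---------------------------------' >> "$LOG"
  rm -f "$FLAG2"
else
  # No flag: the host came back without any recorded intent to reboot.
  date >> "$LOG"
  echo '* REBOOT ERROR : not planned *' >> "$LOG"
  echo '---------------------------------' >> "$LOG"
fi
EOF
chmod +x "$REBOOTHANDLER"

# CRONTAB SETUP: run the handler at every boot; add the entry only once
CRON_LINE="@reboot $REBOOTHANDLER"
crontab -l 2>/dev/null > "$CRONTABTMP" || true
if ! grep -qxF -- "$CRON_LINE" "$CRONTABTMP"; then
  printf '%s\n' "$CRON_LINE" >> "$CRONTABTMP"
  crontab "$CRONTABTMP"
fi
rm -f "$CRONTABTMP"

# INIT LOG FILE so the MOTD's tail has something to read on first login
touch /var/log/reboot.log

### 6. VPN ROUTE
# NOTE(review): appending to /etc/network/interfaces attaches the 'up' line
# to whichever iface stanza is last in the file — confirm that is the intended
# interface. Restarting networking over SSH may drop the current session.
append_once "up ip route add 10.8.0.0/24 via 192.168.1.200" /etc/network/interfaces
systemctl restart networking

### 7. Hardening SSH
# Restrict root logins to the two management addresses. The labels go on
# their own comment lines: a trailing '#...' inside an AllowUsers line is not
# guaranteed to be ignored by every sshd version.
# NOTE(review): if sshd_config has 'Include /etc/ssh/sshd_config.d/*.conf',
# directives there take precedence over lines appended here — confirm.
append_once "# PC_Aurel" "$SSHD_CONFIG"
append_once "AllowUsers root@192.168.1.250" "$SSHD_CONFIG"
append_once "# asus_r409l via VPN" "$SSHD_CONFIG"
append_once "AllowUsers root@10.8.0.3" "$SSHD_CONFIG"
# Validate before restarting so a bad directive cannot lock us out of the host.
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config is invalid; sshd not restarted" >&2
fi

# Root SSH key pair: minted once, public half authorized locally.
# The private half is deleted by first-login.sh, so test the public half to
# decide whether a key has already been issued.
# NOTE(review): the private key is generated on the server and later shown on
# a terminal; generating the pair on the operator's machine and installing
# only the public key would keep it off this host entirely.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
if [ ! -f "${KEYFILE}.pub" ]; then
  ssh-keygen -t ed25519 -C "$HOSTNAME" -f "$KEYFILE" -N ""
fi
touch /root/.ssh/authorized_keys
append_once "$(cat "${KEYFILE}.pub")" /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

### 8. First-login script
# Runs once at the first interactive root login: prints the private key for
# the operator to copy, removes it from disk, then switches sshd to key-only
# authentication. Until it has run, password login stays enabled.
cat << 'EOF' > /root/first-login.sh
#!/bin/bash
KEYFILE="/root/.ssh/id_ed25519"
SSHD_CONFIG="/etc/ssh/sshd_config"

echo
echo "==============================="
echo " Clé privée SSH à conserver !"
echo "==============================="
echo
cat "${KEYFILE}"
echo
echo "==============================="

# Remove the private key: it must now live only on the operator's machine
rm -f "${KEYFILE}"

# SSH hardening: keys only, no passwords, root via key only
sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' "$SSHD_CONFIG"
sed -i 's/^#\?AuthorizedKeysFile.*/AuthorizedKeysFile .ssh\/authorized_keys/' "$SSHD_CONFIG"
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' "$SSHD_CONFIG"
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG"

# Only restart with a config sshd accepts; otherwise keep the running daemon
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config is invalid; sshd not restarted" >&2
fi

# Disarm the hook so this runs only once
rm -f /root/.bash_firstlogin
EOF
chmod +x /root/first-login.sh

# Hook: run first-login.sh from .bashrc at the first interactive root login
echo "/root/first-login.sh" > /root/.bash_firstlogin
if ! grep -q bash_firstlogin /root/.bashrc; then
  echo '[ -f /root/.bash_firstlogin ] && bash /root/.bash_firstlogin' >> /root/.bashrc
fi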