About a year ago I wrote this about hardening a fresh server using Ansible. This post has received about 10x as much traffic as anything else I've written. Oddly, admin is the area I'm probably least knowledgeable about when it comes to software.
Anyway, the Ansible script I wrote about in that post is out of date. I realized this recently after trying to use it on a fresh install. I went about updating it (Ansible has made some breaking changes since then) and came to the realization that it would be faster and easier to just write a shell script.
That's not to say Ansible (and tools like it) don't have their place. They obviously do. But for one-off installs or occasional use the learning curve is too steep. It's much easier to stay current with shell scripting than it is to stay current with a tool that is constantly being changed (improved) and meant for administering very large installations.
I've stripped this down a bit from the original version. Logwatch, in particular, seemed more annoying than useful. You may or may not want to install that yourself.
A couple of notes about using this:
- This script does two things that when combined can render your instance unusable: It creates a new user and password and disallows ssh from logging in as root. If something goes wrong with the creation of the new user you'll be locked out and / or won't be able to make any root-level changes.
- Also in the potentially unusable category: This script overwrites your /etc/sudoers file. If anything goes wrong here you'll probably have to start over from scratch.
- The script as a whole isn't idempotent. For all practical purposes the individual actions are, but you should be aware of that before running it a second time.
In other words, only run this on a fresh install and be prepared to have to start over from scratch if anything goes wrong.
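Added example, not the post's own script: one way to guard the two lockout cases above. The sshd_config and sudoers paths are parameters so the functions can be tried against copies before touching the live files; creating the user itself is left to the rest of the script.

```shell
#!/bin/sh
# Added example, not the post's own script: the two guards the post's
# caveats call for. Each function takes the file it edits as a parameter,
# so it can be run against constructed copies rather than the live system.

# 0 if the account exists, else non-zero. Checked before root SSH login is
# disabled, so a failed user creation cannot lock you out.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Set "PermitRootLogin no" idempotently: drop every existing PermitRootLogin
# line (commented or not), append exactly one, and rewrite in place so the
# file keeps its owner and mode.
disable_root_ssh() {
    cfg="$1"
    tmp="$(mktemp)"
    grep -v -E '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" > "$tmp" || true
    echo 'PermitRootLogin no' >> "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Install a sudoers file granting one user full sudo, but only after the
# candidate passes "visudo -c" where visudo exists; a syntax error in the
# live /etc/sudoers is the "start over from scratch" case from the post.
install_sudoers() {
    user="$1"; target="$2"
    tmp="$(mktemp)"
    printf 'Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%s ALL=(ALL:ALL) ALL\n' "$user" > "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$target"
}

# Order matters: sudoers first, then root login off, and neither unless the
# new user already exists.
harden() {
    user="$1"; sshd_cfg="$2"; sudoers="$3"
    user_exists "$user" || { echo "user $user missing; leaving sshd alone" >&2; return 1; }
    install_sudoers "$user" "$sudoers" || return 1
    disable_root_ssh "$sshd_cfg"
}
```

On a real host you would call `harden newuser /etc/ssh/sshd_config /etc/sudoers` as root after the user and its authorized key are in place, then reload sshd.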
The upside to using this is that it's easy to change with only basic shell scripting knowledge and it's faster than Ansible to run. Much faster, actually. Having said that, Ansible may have made improvements in speed since I used it last.
To actually run it, just run the following commands: