# Linux security
## Setup on a new Linux system
1. Change Root Password
2. Create a new user
3. Disable root login in ssh
4. Add user to sudo group
5. Enable Pubkey Authentication
## Install Applications
1. Caddy with forward_proxy
2. syncthing
3. cert
4. limit log file size
## System settings
1. Auto-restart Caddy via crontab
```shell
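#!/usr/bin/env bash
# Bootstrap a fresh Debian/Ubuntu host: root password, locale, a sudo user
# with an (empty) authorized_keys, SSH hardening, Caddy with the forward_proxy
# plugin, and a journald size cap.
# Must run as root. Everything is interactive (passwd and several prompts),
# so run it from a terminal, not from cron or a pipe.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Abort unless $2 is a single non-empty token that can be spliced into the
# Caddyfile as-is: no whitespace, double quotes or braces (braces delimit
# Caddyfile blocks). $1 names the field in the error message.
require_token() {
  local re='^[^[:space:]"{}]+$'
  [[ "$2" =~ $re ]] || die "$1 must be non-empty and contain no whitespace, quotes or braces"
}

[[ "$EUID" -eq 0 ]] || die "please run as root"

# change root password (passwd prompts interactively)
printf 'Please enter new root password: \n'
passwd

# set locale: append each export only once so re-runs do not duplicate the
# lines, and export into the current shell instead of sourcing ~/.bashrc
# (which would execute the whole file under set -u).
# NOTE(review): assumes en_US.UTF-8 is generated on this host — check `locale -a`.
for kv in 'LANG=en_US.UTF-8' 'LANGUAGE=en_US:en' 'LC_ALL=en_US.UTF-8' 'LC_TIME=en_US.UTF-8'; do
  grep -qxF -- "export $kv" ~/.bashrc 2>/dev/null || printf 'export %s\n' "$kv" >> ~/.bashrc
  export "$kv"
done

# packages: sudo for the new user, curl/jq for the Caddy download below
apt-get update
apt-get install -y sudo curl jq

# create a new user; an empty name skips user creation (same as the original
# loop, which broke out on an empty name)
username=
while :; do
  read -rp "Please enter new user name (blank to skip): " username
  if [[ -z "$username" ]]; then
    break
  elif [[ ! "$username" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
    # conservative subset of what useradd accepts; also keeps the name safe
    # as a path component below
    printf 'Invalid user name %s, please enter a new username\n' "$username" >&2
  elif id -u -- "$username" >/dev/null 2>&1; then
    printf 'User %s already exists, please enter a new username\n' "$username" >&2
  else
    break
  fi
done

if [[ -n "$username" ]]; then
  # -U creates a private group of the same name; the original "-g $username"
  # required that group to exist already and failed on a fresh host
  useradd -m -U -G sudo -s /bin/bash -- "$username"
  printf 'Please enter new user password: \n'
  passwd -- "$username"
  # take the home directory from the passwd database instead of assuming /home/<name>
  home=$(getent passwd -- "$username" | cut -d: -f6)
  mkdir -p -- "$home/.ssh"
  touch -- "$home/.ssh/authorized_keys"
  chown -R -- "$username:$username" "$home/.ssh"
  chmod 700 -- "$home/.ssh"
  chmod 600 -- "$home/.ssh/authorized_keys"
  # authorized_keys starts empty; this script does not touch
  # PasswordAuthentication, so the user can still log in with the password
  # set above and add a key afterwards
fi

# enable Pubkey Authentication and disable root login in ssh. "#\?" also
# matches the commented-out defaults; the original PermitRootLogin pattern
# matched only an uncommented "PermitRootLogin yes", so on a config that
# ships "#PermitRootLogin prohibit-password" it changed nothing. The original
# also never restarted sshd after the PermitRootLogin edit.
# NOTE(review): only /etc/ssh/sshd_config is edited; drop-ins under
# sshd_config.d, if any, are not considered.
sed -i 's/^#\?PubkeyAuthentication .*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
grep -q '^PubkeyAuthentication ' /etc/ssh/sshd_config || printf 'PubkeyAuthentication yes\n' >> /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin ' /etc/ssh/sshd_config || printf 'PermitRootLogin no\n' >> /etc/ssh/sshd_config
# validate before restarting so a bad edit cannot lock us out
sshd -t || die "sshd_config failed validation, not restarting sshd"
systemctl restart sshd

# install caddy with the forward_proxy plugin (klzgrad's build)
workdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$workdir"' EXIT
release=$(curl -fsS "https://api.github.com/repos/klzgrad/forwardproxy/releases/latest" | jq -r .tag_name)
[[ -n "$release" && "$release" != null ]] || die "could not determine the latest forwardproxy release"
# NOTE(review): the archive is fetched over HTTPS but not verified against a
# checksum or signature; pin a release and verify it before trusting this
# binary with port 443.
curl -fsSL "https://github.com/klzgrad/forwardproxy/releases/download/${release}/caddy-forwardproxy-naive.tar.xz" \
  | tar xJf - -C "$workdir"
install -m 755 -- "$workdir/caddy-forwardproxy-naive/caddy" /usr/bin/caddy

# caddy systemd unit. The original wrote "Unit]" without the opening bracket,
# so the settings before [Service] were outside any section and ignored.
# NOTE(review): runs as root, as in the original; a dedicated caddy user
# plus the AmbientCapabilities line already present would be the
# least-privilege option.
cat > /etc/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
User=root
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
# reload so systemd picks up the new/changed unit before enabling it
systemctl daemon-reload
systemctl enable caddy

# caddy config
mkdir -p /etc/caddy /var/www/html
# input your domain and email
read -rp "Enter your domain: " domain
require_token domain "$domain"
printf 'Your domain is %s\n' "$domain"
read -rp "Enter your email: " email
require_token email "$email"
printf 'Your email is %s\n' "$email"
# forward_proxy credentials are prompted for (or generated) instead of the
# hard-coded "user pass" the original shipped, which anyone who had read this
# note could use to relay traffic through the host
read -rp "Enter forward proxy user name: " proxy_user
require_token "proxy user name" "$proxy_user"
read -rsp "Enter forward proxy password (blank to generate one): " proxy_pass
printf '\n'
if [[ -z "$proxy_pass" ]]; then
  # 24 base64 characters from /dev/urandom; every stage consumes its whole
  # input, so nothing gets SIGPIPE under pipefail
  proxy_pass=$(head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24)
fi
require_token "proxy password" "$proxy_pass"

# create caddyfile (Caddyfile syntax is whitespace-insensitive, so the
# indentation is cosmetic); it holds the proxy password, so keep it root-only
cat > /etc/caddy/Caddyfile <<EOF
{
  order forward_proxy before file_server
}
:443, $domain {
  tls $email
  forward_proxy {
    basic_auth $proxy_user $proxy_pass
    hide_ip
    hide_via
    probe_resistance
  }
  file_server {
    root /var/www/html
  }
}
EOF
chmod 600 /etc/caddy/Caddyfile
systemctl restart caddy

# check if caddy is running; status exits non-zero when it is not, which
# must not abort the script under set -e, but should be said out loud
systemctl status caddy --no-pager || printf 'warning: caddy is not running, see: journalctl -u caddy\n' >&2
printf 'Your caddy forward user and password is %s:%s\n' "$proxy_user" "$proxy_pass"
read -r -s -n 1 -p "Press any key to continue"
printf '\n'

# limit log file size: match the commented default and any existing value
sed -i 's/^#\?SystemMaxUse=.*/SystemMaxUse=100M/' /etc/systemd/journald.conf
systemctl restart systemd-journald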
```