{"id":51240753,"url":"https://github.com/punkyard/firstb00t","last_synced_at":"2026-06-29T00:01:38.681Z","repository":{"id":356745659,"uuid":"1231293972","full_name":"punkyard/firstb00t","owner":"punkyard","description":"Hardening script for fresh Linux servers","archived":false,"fork":false,"pushed_at":"2026-05-09T14:20:38.000Z","size":13,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-09T15:45:36.162Z","etag":null,"topics":["bash","bash-script","debian","firstboot","linux","script","server"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/punkyard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-06T20:30:18.000Z","updated_at":"2026-05-09T14:20:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/punkyard/firstb00t","commit_stats":null,"previous_names":["punkyard/firstb00t"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/punkyard/firstb00t","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punkyard%2Ffirstb00t","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punkyard%2Ffirstb00t/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punkyard%2Ffirstb00t/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punkyard%2Ffirstb00t/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/punkyard","download_url":"https://codeload.github.com/punkyard/firstb00t/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punkyard%2Ffirstb00t/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34907985,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-28T02:00:05.809Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","bash-script","debian","firstboot","linux","script","server"],"created_at":"2026-06-29T00:01:36.539Z","updated_at":"2026-06-29T00:01:38.675Z","avatar_url":"https://github.com/punkyard.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# firstb00t\n\nHardening script for fresh Linux servers\nlinux, bash, debian, server, script, bash-script, firstboot\n\n# 🚧 Work in progress.\n\n## Purpose\n\nThese `*-firstb00t.sh` scripts harden Linux servers on their very first boot from a single ssh-command run by `root` or `sudo` user.\n\n## What it does\n\nAll major steps are prompted (confirm before action) in this order:\n\n0. check root + Debian compatibility (12/13), network check\n1. bootstrap apt: `apt-get update` + install `sudo` + `wget` (installs wget if missing)\n2. create/verify sudo admin user\n3. set hostname + timezone\n4. install `nala` (then use `nala` for remaining package installs)\n5. install baseline tools (`curl`, `btop`)\n6. firewall + SSH port prompt:\n\t- choose backend: UFW or nftables\n\t- choose SSH port\n\t- optional keep port `22` as honeypot when using custom port\n7. SSH hardening: `PermitRootLogin no`, optional `PasswordAuthentication no`, `AllowUsers`, SSH reload\n8. Fail2Ban setup:\n\t- auto-detect SSH client IP for whitelist\n\t- prompt for extra whitelist IP/CIDRs (local/public)\n\t- forever ban (`bantime=-1`) with whitelist safety net\n9. optional security services:\n\t- unattended-upgrades\n\t- AppArmor\n\t- rkhunter\n10. FTP policy prompt (skip or configure)\n11. optional container engine:\n\t- Docker CE (installs `ca-certificates` + `gnupg` only when needed for Docker repo)\n\t- or Podman\n\t- prompt volume root folder for bind-mounts/backup (default `/mnt/docker/volumes`; Docker images stay in `/var/lib/docker`)\n12. add admin SSH public key (idempotent; no duplicate key lines)\n13. print summary + suggested `btop` usage\n\n\n## Repository contents\n\n- `debian-firstb00t.sh` — main hardening script\n- `README.md` — project overview\n\n\n## Quick start\n\nRun the appropriate command on your server at first boot as root.\n\nFor Debian 10, 11, 12, 13:\n```sh\nwget -qO- https://raw.githubusercontent.com/punkyard/firstb00t/main/debian-firstb00t.sh | bash\n```\n\nRequirements:\n\n- Debian 12 or 13 server with network access\n- root shell or root SSH login\n- `bash` available (default on Debian)\n\n### Options\n\n1. run script and answer prompts step-by-step\n2. duplicate the .env.sample file and pre-fill your answers to these questions and let the script run automatically\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunkyard%2Ffirstb00t","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpunkyard%2Ffirstb00t","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunkyard%2Ffirstb00t/lists"}