

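#!/bin/bash
#
# Provisioning / hardening script for a Debian-family host (Astra, Ubuntu, ...):
#   1. login lockout after failed attempts (pam_faillock, pam_tally2 fallback)
#   2. password policy (pwquality.conf plus an extra pam_exec digit check)
#   3. two accounts: franzliszt (full sudo) and testuser (sudo journalctl only)
#   4. ufw rules: 9000:9100/udp, the "MyApp" profile, and a deny on port 2333
#
# Must be run as root. Every step is written to be safe to re-run.
#
# Fixes over the previous version:
#   - the pam_faillock lines were inserted in the wrong order/places (a second
#     "preauth" after pam_deny, "authsucc" directly after pam_unix, which the
#     stock "[success=1 default=ignore]" pam_unix line jumps over into
#     pam_deny) and no "authfail" call was present;
#   - check_extra.sh read the password from "$1", but pam_exec never passes the
#     token in argv, so the check always passed; it was also "optional", so
#     its result was ignored anyway;
#   - the sudoers entry let testuser run journalctl as root with its pager
#     (less), from which "!sh" gives a root shell;
#   - the "2333 DENY" grep never matched ufw's column-aligned output;
#   - sudoers drop-ins were written without visudo validation;
#   - PAM module lookup only worked on x86_64.
set -euo pipefail

# Lockout policy shared by every pam_faillock call; kept in one place so the
# preauth/authfail/authsucc options can never disagree.
readonly FAILLOCK_OPTS='deny=2 fail_interval=10 unlock_time=900'
readonly EXTRA_CHECK='/usr/local/bin/check_extra.sh'

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Locate a PAM module regardless of architecture.
# Arguments: $1 - module file name, e.g. pam_faillock.so
# Outputs:   the full path on stdout when found
# Returns:   0 if found, 1 otherwise
#######################################
find_pam_module() {
  local name=$1 dir
  for dir in /lib/security /lib/*/security /usr/lib/security /usr/lib/*/security; do
    if [[ -f "$dir/$name" ]]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

#######################################
# Install a sudoers drop-in only after visudo accepts it, so a typo can never
# leave sudo unusable for every account on the host.
# Arguments: $1 - file name under /etc/sudoers.d
#            $2 - full file content
#######################################
install_sudoers() {
  local name=$1 content=$2 tmp
  tmp=$(mktemp) || die "mktemp failed"
  printf '%s\n' "$content" > "$tmp"
  if ! visudo -cf "$tmp" >/dev/null; then
    rm -f -- "$tmp"
    die "refusing to install invalid sudoers file $name"
  fi
  install -o root -g root -m 0440 -- "$tmp" "/etc/sudoers.d/$name"
  rm -f -- "$tmp"
}

#######################################
# Test whether the current ufw rule table matches an extended regex.
# Arguments: $1 - ERE applied line by line to `ufw status`
# Returns:   0 on a match, 1 otherwise (also when ufw status fails)
#######################################
ufw_has() {
  local table
  table=$(ufw status) || return 1
  grep -qE -- "$1" <<<"$table"
}

[[ "$EUID" -eq 0 ]] || die "this script must be run as root"

# apt-get has a stable scripting interface; apt(8) warns when used from scripts.
DEBIAN_FRONTEND=noninteractive apt-get install -y \
  libpam-modules libpam-modules-bin libpam-pwquality ufw

### 1. Lockout after failed logins ###########################################
if find_pam_module pam_faillock.so >/dev/null; then
  # Layout from pam_faillock(8), applied to the stock Debian/Ubuntu common-auth
  # where pam_unix.so is "[success=1 default=ignore]":
  #   preauth  (before pam_unix)      - reject accounts that are already locked
  #   authfail (right after pam_unix) - the line success=1 jumps over
  #   authsucc (after authfail)       - resets the counter, ends the stack
  # Old faillock lines are dropped first so the result is the same on re-runs
  # and on hosts configured by the earlier, broken version of this script.
  # NOTE(review): if pam_unix.so carries a different success=N (extra modules
  # enabled via pam-auth-update) the jump lands elsewhere - verify the
  # resulting file with a second root session kept open.
  sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
  sed -i "/^auth[[:space:]].*pam_unix\.so/i auth required pam_faillock.so preauth silent ${FAILLOCK_OPTS}" /etc/pam.d/common-auth
  sed -i "/^auth[[:space:]].*pam_unix\.so/a auth sufficient pam_faillock.so authsucc ${FAILLOCK_OPTS}" /etc/pam.d/common-auth
  sed -i "/^auth[[:space:]].*pam_unix\.so/a auth [default=die] pam_faillock.so authfail ${FAILLOCK_OPTS}" /etc/pam.d/common-auth
  # The account phase is the other half of the module (see pam_faillock(8)).
  if ! grep -q 'pam_faillock\.so' /etc/pam.d/common-account 2>/dev/null; then
    sed -i '/^account[[:space:]].*pam_unix\.so/i account required pam_faillock.so' /etc/pam.d/common-account
  fi
elif find_pam_module pam_tally2.so >/dev/null \
    && ! grep -q 'pam_tally2\.so' /etc/pam.d/common-auth 2>/dev/null; then
  # Legacy fallback for releases that ship pam_tally2 instead of pam_faillock.
  # even_deny_root can lock the root console too; kept from the original policy.
  printf '%s\n' \
    'auth required pam_tally2.so deny=2 unlock_time=900 even_deny_root' \
    'account required pam_tally2.so' >> /etc/pam.d/common-auth
else
  printf 'warning: neither pam_faillock nor pam_tally2 found; no lockout configured\n' >&2
fi

### 2. Password quality ######################################################
if [[ ! -f /etc/security/pwquality.conf.bak && -f /etc/security/pwquality.conf ]]; then
  cp -- /etc/security/pwquality.conf /etc/security/pwquality.conf.bak
fi
# A negative credit is a minimum count for that class: 3 lower + 3 upper +
# 1 digit + 2 other = 9 = minlen.
cat > /etc/security/pwquality.conf <<'EOF'
minlen = 9
lcredit = -3
ucredit = -3
dcredit = -1
ocredit = -2
usercheck = 1
EOF

# Extra check run by pam_exec from the password stack. pam_exec never puts the
# token in argv: with expose_authtok it is written to the command's stdin and
# the account name is exported as PAM_USER (pam_exec(8)). Rewritten on every
# run so the old argv-based copy cannot linger.
cat > "$EXTRA_CHECK" <<'EOF'
#!/bin/bash
# Reject a new password that contains two or more consecutive digits (covers
# phone numbers, years and PINs; the previous 7-11 digit rule was a subset of
# this one). Invoked by pam_exec with expose_authtok: the candidate password
# is the first line on stdin, PAM_USER holds the account name. Exit 1 rejects.
password=''
# read returns non-zero at EOF even though it assigned the token, hence || true.
IFS= read -r password || true
# The password stack runs this twice (PAM_PRELIM_CHECK, PAM_UPDATE_AUTHTOK);
# with nothing on stdin there is nothing to check.
if [[ -z "$password" ]]; then
  exit 0
fi
if [[ "$password" =~ [0-9][0-9] ]]; then
  exit 1
fi
exit 0
EOF
chown root:root "$EXTRA_CHECK"
chmod 0755 "$EXTRA_CHECK"

# "requisite" so a rejection actually stops the change ("optional" ignored the
# exit status). expose_authtok for the password type needs a current Linux-PAM;
# check pam_exec(8) on older releases.
sed -i '/check_extra\.sh/d' /etc/pam.d/common-password
sed -i "/^password[[:space:]].*pam_pwquality\.so/a password requisite pam_exec.so expose_authtok seteuid quiet ${EXTRA_CHECK}" /etc/pam.d/common-password
if ! grep -q 'check_extra\.sh' /etc/pam.d/common-password; then
  printf 'warning: no pam_pwquality line in common-password; extra check not hooked\n' >&2
fi

### 3. Accounts and sudo #####################################################
if ! id franzliszt &>/dev/null; then
  useradd -m -s /bin/bash franzliszt
  passwd franzliszt   # interactive on purpose: the password is typed, not stored here
fi

if [[ ! -f /etc/sudoers.d/franzliszt ]]; then
  install_sudoers franzliszt 'franzliszt ALL=(ALL:ALL) ALL'
fi

if ! id testuser &>/dev/null; then
  useradd -m -s /bin/bash testuser
fi

getent group astra-admin >/dev/null || groupadd astra-admin
if ! id -nG testuser | grep -qw astra-admin; then
  usermod -aG astra-admin testuser
fi

# journalctl hands its output to $PAGER (less) as root, and "!sh" inside less
# is a root shell. noexec stops sudo from letting journalctl exec anything, so
# the pager escape is closed. Re-installed when the noexec line is missing so
# hosts set up by the earlier version get the fix too.
# NOTE(review): recent systemd falls back to an internal pager when the exec
# fails; on an older systemd have the user pass --no-pager instead.
if ! grep -q 'noexec' /etc/sudoers.d/testuser-journalctl 2>/dev/null; then
  install_sudoers testuser-journalctl \
'Defaults!/usr/bin/journalctl noexec
testuser ALL=(ALL) NOPASSWD: /usr/bin/journalctl'
fi

### 4. Firewall ##############################################################
if ! ufw_has '9000:9100/udp'; then
  ufw allow 9000:9100/udp
fi

if [[ ! -f /etc/ufw/applications.d/myapp ]]; then
  mkdir -p /etc/ufw/applications.d
  cat > /etc/ufw/applications.d/myapp <<'EOF'
[MyApp]
title=My Application
description=Килейкин Андрей
ports=8080/tcp|8080/udp|4799/tcp|4799/udp
EOF
  ufw app update MyApp
  ufw allow MyApp
fi

# ufw prints its table column-aligned ("2333   DENY   Anywhere"), so the match
# must allow any run of whitespace between the port and the action.
if ! ufw_has '^2333[[:space:]]+DENY'; then
  ufw deny 2333
fi

ufw reload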