I automate my Debian VPS setup with a custom shell script. As a subscriber to multiple VPS providers, I often find myself repeating the same setup steps whenever I provision or recreate a server. These steps include disk encryption, firewall configuration, installing essential utilities, and customizing the environment. To streamline this process, I initially created an automation script in early 2024.
Introduction
In mid-2025, I migrated content from my old site pages.amarvyas.in to this site. I updated this script recently and am sharing the improved version to help others automate their Debian VPS setups. This guide provides a script to automate the initial configuration of a Debian VPS, focusing on security and usability.
Summary
This guide provides a method to automate the initial setup of a Debian VPS with a shell script. It covers disk encryption with LUKS, installing essential utilities (curl, wget, rclone, neofetch, etc.), configuring a firewall (ufw) with IPv6 support, hardening SSH, setting up unattended upgrades, and installing fail2ban for intrusion prevention. The script is designed to save time and ensure a consistent, secure configuration across multiple VPS instances.
This guide provides a script to automate the initial setup of a Debian VPS. It covers disk encryption with LUKS, installation of essential utilities (curl, wget, rclone, neofetch, etc.), configuration of a firewall (ufw) with IPv6 support, hardening SSH, setting up unattended upgrades, and installing fail2ban for intrusion prevention. The script is designed to save time and ensure a consistent, secure configuration across multiple VPS instances.
Notes
- This script is designed for Debian-based VPS installations and assumes command-line access.
- It’s crucial to adapt the script to your specific needs. Pay close attention to the ‘user’ variable and SSH port configuration.
- Save the script as `debian-setup.sh`, make it executable (`chmod +x debian-setup.sh`), and run it with sudo privileges (`sudo ./debian-setup.sh`).
- Tested on Debian 12 Bookworm. Adaptations may be required for other distributions.
- The original script was generated using ChatGPT; the update was created with assistance from Google Gemini. The original script is retained on the second page of this post for archival purposes.
Debian VPS Setup with Shell Script
```bash
#!/bin/bash
# Run as root: sudo ./debian-setup.sh
set -euo pipefail
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root (use sudo)." >&2
    exit 1
fi

# Set variables
USER="yourusername" # Replace with your actual username
SSH_PORT="2222"     # Replace with your desired SSH port

# Step 1: Update .bashrc for user with aliases
# The quoted 'EOF' stops the shell from expanding anything inside the block.
cat << 'EOF' >> "/home/$USER/.bashrc"
alias dl='cd ~/Downloads'
alias doc='cd ~/Documents'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias myhome='cd ~'
alias grep='grep --color=auto'
alias apti='sudo apt-get -y install'
alias aptu='sudo apt-get update && sudo apt-get -y upgrade'
alias ll='ls -alFh'
alias ls='ls --color=auto'
alias ping='ping -c 6'
alias ping6='ping6 -c 6'
alias rsync='ionice -c2 -n7 rsync'
EOF
# The aliases take effect at the next interactive login. Aliases are not
# expanded inside a script, so the steps below call apt-get directly.

# Step 2: Update the Debian installation
apt-get update && apt-get -y upgrade

# Step 3: Install essential utilities
apt-get -y install curl wget rclone neofetch fortune ufw cryptsetup unattended-upgrades fail2ban

# Step 4: Configure ufw
ufw default deny incoming
ufw default allow outgoing
# ufw takes one rule per command; the SSH rule is added before the firewall is enabled.
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow "$SSH_PORT"/tcp
ufw allow 21      # FTP: remove if you do not run an FTP server
ufw allow 53/udp  # DNS: remove if you do not run a DNS server
ufw --force enable # --force skips the interactive confirmation prompt

# Step 5: Enable UFW for IPv6
sed -i 's/IPV6=no/IPV6=yes/g' /etc/default/ufw
ufw reload

# Step 6: Harden SSH configuration
# The patterns match the directive whether or not it is commented out.
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config # Disable root login
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config # Disable password authentication, rely on keys
echo "ClientAliveInterval 20" >> /etc/ssh/sshd_config
echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
sed -i 's/^#\?X11Forwarding .*/X11Forwarding no/' /etc/ssh/sshd_config
sed -i "s/^#\?Port .*/Port $SSH_PORT/" /etc/ssh/sshd_config # Change SSH port
sshd -t                # Abort (via set -e) if the edited configuration is invalid
systemctl restart ssh  # The unit is named ssh.service on Debian

# Step 7: Configure unattended upgrades
dpkg-reconfigure --priority=low unattended-upgrades
apt-get -y install apt-listchanges # Optional, but recommended

# Step 8: Configure Fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # Copy config to local
# jail.conf pads "port = ssh" with extra spaces, so match any amount of whitespace.
sed -i "s/^port[[:space:]]*=[[:space:]]*ssh$/port = $SSH_PORT/" /etc/fail2ban/jail.local # Update SSH port in fail2ban
systemctl restart fail2ban

echo "Debian VPS setup complete! Remember to log out and back in to apply .bashrc changes."
```
Detailed Explanation of Steps
- .bashrc Aliases: Adds convenient aliases to your user’s shell environment. Adapt these to your personal preferences.
- Update System: Ensures your system is running the latest packages.
- Install Utilities: Installs essential tools such as `curl`, `wget`, `rclone` (for cloud storage), `neofetch` (system information), `fortune` (for fun), `ufw` (firewall), `cryptsetup` (disk encryption), `unattended-upgrades` (automatic security updates) and `fail2ban` (intrusion prevention).
- Configure UFW: Sets up a basic firewall configuration, denying incoming connections and allowing outgoing connections. It opens ports for SSH (remember to change the default!), HTTP (80), HTTPS (443), FTP (21), and DNS (53).
- Enable IPv6 for UFW: Ensures the firewall protects both IPv4 and IPv6 traffic.
- Harden SSH:
  - Disables root login via SSH. Always use a regular user with `sudo`.
  - Disables password authentication. Use SSH keys for enhanced security. You should set up SSH keys *before* running this script and disabling password authentication.
  - Changes the default SSH port to a non-standard port to reduce automated attacks. **Important:** Make sure to update your SSH client configuration to use the new port.
  - Sets `ClientAliveInterval` and `ClientAliveCountMax` to prevent dropped SSH connections.
  - Disables X11 forwarding.
- Configure Unattended Upgrades: Sets up automatic security updates to keep your system protected.
- Configure Fail2ban: Installs and configures fail2ban to automatically block IP addresses that exhibit malicious behavior, such as repeated failed login attempts. The script updates the SSH port in the fail2ban configuration to match the custom SSH port.
Considerations for Debian VPS Setup with Shell Script
- Disk Encryption: While this script *installs* `cryptsetup`, it *doesn’t* automatically encrypt your existing disk. Disk encryption typically needs to be configured during OS installation (e.g., via netboot.xyz). Refer to the Debian installation guide for details on setting up LUKS encryption during installation.
- SSH Keys: Before disabling password authentication, ensure you have properly configured SSH key-based authentication. Otherwise, you risk locking yourself out of your server.
- Firewall Rules: Adjust the firewall rules to match your specific application requirements.
- Usernames: Replace `yourusername` with your actual username.
- Unattended Upgrades and Reboots: Be aware that unattended upgrades, by default, can trigger automatic reboots when kernel updates are installed. This can be disruptive for production servers. If you prefer to manage reboots manually, you can disable automatic reboots by configuring the `/etc/apt/apt.conf.d/50unattended-upgrades` file. See below for instructions.
- Testing: Always test your configuration after running the script. Verify that you can connect via SSH on the new port, that the firewall is active, and that unattended upgrades are configured correctly.
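The checks from the SSH Keys and Testing items above, as an added example that is not part of the original script: it compares the effective sshd settings reported by `sshd -T` (which also reflects drop-in files under `/etc/ssh/sshd_config.d/`) with the values the setup script intends, and confirms a public key exists before password logins are relied on being off. The file name `verify-setup.sh` and the `--live` flag are assumptions made for this example.

```bash
#!/bin/bash
# Added example: post-setup checks. File name and the --live flag are made up here.

# audit_sshd PORT: reads `sshd -T` output on stdin (lowercase "keyword value"
# lines) and reports every setting that differs from what the script intends.
audit_sshd() {
    local want_port="$1" input fails=0 key want got
    input="$(cat)"
    while read -r key want; do
        got="$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $2; exit }')"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected '$want', effective '${got:-unset}'"
            fails=1
        fi
    done <<EOF
port $want_port
permitrootlogin no
passwordauthentication no
x11forwarding no
clientaliveinterval 20
clientalivecountmax 3
EOF
    return "$fails"
}

# has_ssh_key FILE: true only if FILE has at least one non-comment public-key
# line, so password logins are not disabled for an account without a key.
has_ssh_key() {
    [ -r "$1" ] && grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '(^| )(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) '
}

# Live run on the VPS: sudo ./verify-setup.sh --live 2222 yourusername
if [ "${1:-}" = "--live" ]; then
    has_ssh_key "/home/$3/.ssh/authorized_keys" \
        || echo "WARNING: no public key found for $3"
    sshd -T | audit_sshd "$2"
    ufw status verbose | grep -q '^Status: active' \
        || echo "MISMATCH ufw: firewall is not active"
    apt-config dump | grep -q '^APT::Periodic::Unattended-Upgrade "1";' \
        || echo "MISMATCH unattended-upgrades: periodic run is not enabled"
fi
```

Run it from a second terminal while the original SSH session is still open, so a reported mismatch can be fixed before you disconnect.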
Disabling Automatic Reboots (Unattended Upgrades – Optional)
If you find that unattended upgrades are causing unwanted reboots, you can disable this behavior. Edit the /etc/apt/apt.conf.d/50unattended-upgrades file:
```bash
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
```
Find the line:
```
Unattended-Upgrade::Automatic-Reboot "true";
```
Change it to:
```
Unattended-Upgrade::Automatic-Reboot "false";
```
Save the file and exit. You will now need to reboot the server manually after kernel updates are installed.
Last updated: June 9, 2025. This post was created by Amar Vyas and updated with assistance from AI tools. For comments, suggestions, or feedback, please contact contact+av@amarvyas.in.