update INSTALL scripts
parent
4175b0786e
commit
5a73820959
|
@ -1,11 +1,64 @@
|
|||
#!/bin/bash
|
||||
# Run this as super user
|
||||
# This part is for installing go language and setting up a user account
|
||||
# Run this as root user
|
||||
# This part is for hardening the server and setting up a user account
|
||||
|
||||
if [ `whoami` != "root" ];
|
||||
then
|
||||
echo "You must run this script as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
USER="tmuser"
|
||||
ADMIN_EMAIL="ENTER_ADMIN_EMAIL"
|
||||
OPEN_PORTS=(46656 46657 46658 46659 46660 46661 46662 46663 46664 46665 46666 46667 46668 46669 46670 46671)
|
||||
WHITELIST=()
|
||||
|
||||
# update and upgrade
|
||||
apt-get update -y
|
||||
apt-get upgrade -y
|
||||
|
||||
# fail2ban for monitoring logins
|
||||
apt-get install -y fail2ban
|
||||
|
||||
# set up the network time daemon
|
||||
apt-get install -y ntp
|
||||
|
||||
# install dependencies
|
||||
apt-get install -y make screen gcc git mercurial libc6-dev pkg-config libgmp-dev
|
||||
useradd tmuser -d /home/tmuser
|
||||
usermod -aG sudo tmuser
|
||||
mkdir /home/tmuser
|
||||
chown -R tmuser:tmuser /home/tmuser
|
||||
su tmuser
|
||||
|
||||
# set up firewall
|
||||
echo "ENABLE FIREWALL ..."
|
||||
# copy in the ssh config with locked down settings
|
||||
source ssh_config.sh
|
||||
echo "$SSHCONFIG" > /etc/ssh/sshd_config
|
||||
service ssh restart
|
||||
# white list ssh access
|
||||
for ip in "${WHITELIST[@]}"; do
|
||||
ufw allow from $ip to any port $SSHPORT
|
||||
done
|
||||
if [ ${#WHITELIST[@]} -eq 0 ]; then
|
||||
ufw allow $SSHPORT
|
||||
fi
|
||||
# open ports
|
||||
for port in "${OPEN_PORTS[@]}"; do
|
||||
ufw allow $port
|
||||
done
|
||||
# apply
|
||||
ufw enable
|
||||
|
||||
# watch the logs and have them emailed to me
|
||||
apt-get install -y logwatch
|
||||
echo "/usr/sbin/logwatch --output mail --mailto $ADMIN_EMAIL --detail high" >> /etc/cron.daily/00logwatch
|
||||
|
||||
# set up user account
|
||||
echo "CREATE USER $USER ..."
|
||||
useradd $USER -d /home/$USER
|
||||
# This user should not have root access.
|
||||
# usermod -aG sudo $USER
|
||||
mkdir /home/$USER
|
||||
cp /etc/skel/.bashrc .
|
||||
cp /etc/skel/.profile .
|
||||
chown -R $USER:$USER /home/$USER
|
||||
|
||||
echo "Done setting env. Switching to $USER..."
|
||||
su $USER
|
||||
|
|
|
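Review bot: `ufw allow $SSHPORT` (and the whitelist loop above it) uses `SSHPORT`, which nothing in this script or in the sourced `ssh_config.sh` (third file section) defines, so the rule is never added and `ufw enable` with its default-deny inbound policy then blocks the port the new `sshd_config` moved SSH to — the operator is locked out of the node. Define it next to the other variables, `SSHPORT=20`, keep it in step with `Port` in `ssh_config.sh`, quote it in the rules (`ufw allow "$SSHPORT"/tcp`), and run `sshd -t` before `service ssh restart` so a rejected config cannot take the listener down. The `su tmuser` line in the middle of the script opens an interactive shell rather than running the following commands as that user; everything after it executes as root once that shell exits, and the `cp /etc/skel/.bashrc .` / `.profile` lines copy into whatever the current directory is, not `/home/$USER`. `useradd tmuser` also runs twice (once literally, once via `$USER`), so the second call and its `mkdir` fail.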
@ -2,21 +2,28 @@
|
|||
# Run this as tmuser user
|
||||
# This part is for installing go
|
||||
|
||||
if [ `whoami` != "root" ];
|
||||
if [ `whoami` == "root" ];
|
||||
then
|
||||
cd /home/tmuser
|
||||
mkdir gocode
|
||||
wget https://storage.googleapis.com/golang/go1.4.2.src.tar.gz
|
||||
tar -xzvf go*.tar.gz
|
||||
cd go/src
|
||||
./make.bash
|
||||
cd /home/tmuser
|
||||
cp /etc/skel/.bashrc .
|
||||
mkdir -p /home/tmuser/go/src
|
||||
echo 'export GOROOT=/home/tmuser/go' >> /home/tmuser/.bashrc
|
||||
echo 'export GOPATH=/home/tmuser/gocode' >> /home/tmuser/.bashrc
|
||||
echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> /home/tmuser/.bashrc
|
||||
source ~/.bashrc
|
||||
else
|
||||
echo "should not be root to run install_golang.sh"
|
||||
echo "You should not run this script as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
USER=`whoami`
|
||||
PWD=`pwd`
|
||||
|
||||
# get dependencies
|
||||
# sudo apt-get install -y make screen gcc git mercurial libc6-dev pkg-config libgmp-dev
|
||||
|
||||
# install golang
|
||||
cd /home/$USER
|
||||
mkdir gocode
|
||||
wget https://storage.googleapis.com/golang/go1.4.2.src.tar.gz
|
||||
tar -xzvf go*.tar.gz
|
||||
cd go/src
|
||||
./make.bash
|
||||
mkdir -p /home/$USER/go/src
|
||||
echo 'export GOROOT=/home/$USER/go' >> /home/$USER/.bashrc
|
||||
echo 'export GOPATH=/home/$USER/gocode' >> /home/$USER/.bashrc
|
||||
echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> /home/$USER/.bashrc
|
||||
source /home/$USER/.bashrc
|
||||
cd $PWD
|
||||
|
|
|
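Review bot: `PWD=`pwd`` at the top of the new side overwrites the shell's own `PWD`, which bash rewrites on every `cd`, so the final `cd $PWD` just re-enters `go/src` instead of returning to where the script was started; use a private name, `orig_dir=$(pwd)` and `cd -- "$orig_dir"`. The Go source tarball is fetched with `wget` and built by `./make.bash` with no integrity check; compare it against the digest published with the release before extracting, e.g. `echo "<EXPECTED_SHA256>  go1.4.2.src.tar.gz" | sha256sum -c -`, so a tampered or truncated download is not compiled into the toolchain. With no `set -e`, a failed download still lets the remaining steps run and append the `GOROOT`/`GOPATH` exports to `.bashrc` as if the install had succeeded. `USER=`whoami`` likewise clobbers the login `USER` variable; a lower-case local name avoids surprises for anything that reads `$USER` later.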
@ -0,0 +1,76 @@
|
|||
#!/bin/bash
|
||||
|
||||
SSHCONFIG="# Package generated configuration file
|
||||
# See the sshd_config(5) manpage for details
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
Port 20
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
#ListenAddress ::
|
||||
#ListenAddress 0.0.0.0
|
||||
Protocol 2
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_dsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
#Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
KeyRegenerationInterval 3600
|
||||
ServerKeyBits 1024
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
LoginGraceTime 120
|
||||
PermitRootLogin no
|
||||
StrictModes yes
|
||||
|
||||
RSAAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts yes
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
HostbasedAuthentication no
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
PermitEmptyPasswords no
|
||||
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
PasswordAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosGetAFSToken no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
X11Forwarding yes
|
||||
X11DisplayOffset 10
|
||||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
|
||||
#MaxStartups 10:30:60
|
||||
#Banner /etc/issue.net
|
||||
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
UsePAM yes
|
||||
"
|
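Review bot: `X11Forwarding yes` sits in a config the root install script describes as locked down and writes over `/etc/ssh/sshd_config` for a headless node; nothing here needs X11, so it should be `X11Forwarding no`, which removes a forwarding channel an attacker who obtains a shell could use (and pairs naturally with `AllowTcpForwarding no` if port forwarding is not needed either). The `HostKey /etc/ssh/ssh_host_dsa_key` line keeps a 1024-bit DSA host key that OpenSSH has deprecated; drop it and keep the RSA, ECDSA and Ed25519 keys. `Port 20` is the registered ftp-data port; if a non-standard port is wanted, pick an unregistered one and keep the firewall rule in the root install script in step with it. Since the whole file is a double-quoted string that the root script `source`s and then echoes into place, a comment on the first line, `# Sourced by the root install script; edit Port and the firewall rule together`, would help the next maintainer.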