From 5a73820959561e73fd9e82a9c32857c83b8c465f Mon Sep 17 00:00:00 2001
From: Jae Kwon
Date: Thu, 14 May 2015 14:44:23 -0700
Subject: [PATCH] update INSTALL scripts
---
 INSTALL/install_env.sh | 67 ++++++++++++++++++++++++++++++----
 INSTALL/install_golang.sh | 39 +++++++++++---------
 INSTALL/ssh_config.sh | 76 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 159 insertions(+), 23 deletions(-)
 create mode 100644 INSTALL/ssh_config.sh
diff --git a/INSTALL/install_env.sh b/INSTALL/install_env.sh
index d65441d1..cc917c1b 100755
--- a/INSTALL/install_env.sh
+++ b/INSTALL/install_env.sh
@@ -1,11 +1,64 @@
 #!/bin/bash
-# Run this as super user
-# This part is for installing go language and setting up a user account
+# Run this as root user
+# This part is for hardening the server and setting up a user account
+
+if [ `whoami` != "root" ];
+then
+ echo "You must run this script as root"
+ exit 1
+fi
+
+USER="tmuser"
+ADMIN_EMAIL="ENTER_ADMIN_EMAIL"
+OPEN_PORTS=(46656 46657 46658 46659 46660 46661 46662 46663 46664 46665 46666 46667 46668 46669 46670 46671)
+WHITELIST=()
+
+# update and upgrade
 apt-get update -y
 apt-get upgrade -y
+
+# fail2ban for monitoring logins
+apt-get install -y fail2ban
+
+# set up the network time daemon
+apt-get install -y ntp
+
+# install dependencies
 apt-get install -y make screen gcc git mercurial libc6-dev pkg-config libgmp-dev
-useradd tmuser -d /home/tmuser
-usermod -aG sudo tmuser
-mkdir /home/tmuser
-chown -R tmuser:tmuser /home/tmuser
-su tmuser
+
+# set up firewall
+echo "ENABLE FIREWALL ..."
+# copy in the ssh config with locked down settings
+source ssh_config.sh
+echo "$SSHCONFIG" > /etc/ssh/sshd_config
+service ssh restart
+# white list ssh access
+for ip in "${WHITELIST[@]}"; do
+ ufw allow from $ip to any port $SSHPORT
+done
+if [ ${#WHITELIST[@]} -eq 0 ]; then
+ ufw allow $SSHPORT
+fi
+# open ports
+for port in "${OPEN_PORTS[@]}"; do
+ ufw allow $port
+done
+# apply
+ufw enable
+
+# watch the logs and have them emailed to me
+apt-get install -y logwatch
+echo "/usr/sbin/logwatch --output mail --mailto $ADMIN_EMAIL --detail high" >> /etc/cron.daily/00logwatch
+
+# set up user account
+echo "CREATE USER $USER ..."
+useradd $USER -d /home/$USER
+# This user should not have root access.
+# usermod -aG sudo $USER
+mkdir /home/$USER
+cp /etc/skel/.bashrc .
+cp /etc/skel/.profile .
+chown -R $USER:$USER /home/$USER
+
+echo "Done setting env. Switching to $USER..."
+su $USER
diff --git a/INSTALL/install_golang.sh b/INSTALL/install_golang.sh
index 7939296f..2b69c08f 100755
--- a/INSTALL/install_golang.sh
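Review bot: `$SSHPORT` is never assigned in this script or in the sourced `ssh_config.sh` (which defines only `SSHCONFIG`, with the port hard-coded as `Port 20`), so `ufw allow from $ip to any port $SSHPORT` and `ufw allow $SSHPORT` expand to malformed commands and `ufw enable` then activates the firewall with no SSH rule at all, which locks the administrator out on the next session. Define it beside the other settings, `SSHPORT=20`, and keep it in sync with the `Port` line in `SSHCONFIG` (or derive both from one variable). The rewritten `sshd_config` is also installed and the daemon restarted with no syntax check, so a bad template leaves the host unreachable; a pre-check such as `tmp=$(mktemp); printf '%s\n' "$SSHCONFIG" > "$tmp"; sshd -t -f "$tmp" || exit 1` before the `echo "$SSHCONFIG" > /etc/ssh/sshd_config` line would catch that. Note too that `cp /etc/skel/.bashrc .` and `cp /etc/skel/.profile .` copy into the current working directory rather than `/home/$USER`, so the new account gets no shell profile.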
+++ b/INSTALL/install_golang.sh
@@ -2,21 +2,28 @@
 # Run this as tmuser user
 # This part is for installing go
-if [ `whoami` != "root" ];
+if [ `whoami` == "root" ];
 then
- cd /home/tmuser
- mkdir gocode
- wget https://storage.googleapis.com/golang/go1.4.2.src.tar.gz
- tar -xzvf go*.tar.gz
- cd go/src
- ./make.bash
- cd /home/tmuser
- cp /etc/skel/.bashrc .
- mkdir -p /home/tmuser/go/src
- echo 'export GOROOT=/home/tmuser/go' >> /home/tmuser/.bashrc
- echo 'export GOPATH=/home/tmuser/gocode' >> /home/tmuser/.bashrc
- echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> /home/tmuser/.bashrc
- source ~/.bashrc
-else
- echo "should not be root to run install_golang.sh"
+ echo "You should not run this script as root"
+ exit 1
 fi
+
+USER=`whoami`
+PWD=`pwd`
+
+# get dependencies
+# sudo apt-get install -y make screen gcc git mercurial libc6-dev pkg-config libgmp-dev
+
+# install golang
+cd /home/$USER
+mkdir gocode
+wget https://storage.googleapis.com/golang/go1.4.2.src.tar.gz
+tar -xzvf go*.tar.gz
+cd go/src
+./make.bash
+mkdir -p /home/$USER/go/src
+echo 'export GOROOT=/home/$USER/go' >> /home/$USER/.bashrc
+echo 'export GOPATH=/home/$USER/gocode' >> /home/$USER/.bashrc
+echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> /home/$USER/.bashrc
+source /home/$USER/.bashrc
+cd $PWD
diff --git a/INSTALL/ssh_config.sh b/INSTALL/ssh_config.sh
new file mode 100644
index 00000000..6181b14e
--- /dev/null
+++ b/INSTALL/ssh_config.sh
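Review bot: The ``PWD=`pwd` `` line assigns to the shell's own `PWD`, which `cd` rewrites on every directory change, so `cd $PWD` at the end returns to the directory the script is already in (`/home/$USER/go/src`) rather than the one it started from; use a private name, `orig_dir=$(pwd)` at the top and `cd "$orig_dir"` at the end. The Go source tarball fetched by `wget` is extracted and built with no integrity check, so a tampered or truncated download is compiled silently; verify it against the checksum published for that release before the `tar` line, e.g. `echo "<EXPECTED_SHA256>  go1.4.2.src.tar.gz" | sha256sum -c - || exit 1` with the placeholder filled from the official release page. `source /home/$USER/.bashrc` is also unlikely to export anything into this script, since a skel `.bashrc` typically returns early for non-interactive shells; exporting `GOROOT`, `GOPATH` and `PATH` directly here, in addition to appending them to `.bashrc`, would make the build environment explicit.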
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+SSHCONFIG="# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 20
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+#IgnoreUserKnownHosts yes
+
+PermitEmptyPasswords no
+
+ChallengeResponseAuthentication no
+
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+"
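Review bot: Applying this template locks out every account that does not already hold an SSH key, because it sets `PasswordAuthentication no`, `ChallengeResponseAuthentication no` and `PermitRootLogin no` while neither this file nor `install_env.sh` (which writes `SSHCONFIG` to `/etc/ssh/sshd_config` and restarts sshd before it even creates `$USER`) installs an `authorized_keys` entry for anyone; state that prerequisite at the top of the string, e.g. `# PREREQUISITE: the login account must already have an authorized_keys entry, since password and root login are disabled below`. `Port 20` is the registered FTP-data port and is not tied to the `$SSHPORT` that `install_env.sh` opens in ufw, so the two should come from a single variable rather than a literal here. For a hardened server `X11Forwarding yes` is unneeded attack surface and should be `X11Forwarding no`, and the `ssh_host_dsa_key` line can be dropped since DSA host keys are deprecated. The header `# Package generated configuration file` is now misleading for a hand-maintained template and is worth replacing with a line saying where the file is maintained.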