eth bootstrap notes

master
Jeff Moe 4 years ago
parent 65b1bcabc4
commit e867c9e163

@ -0,0 +1,200 @@
#!/bin/bash
set -x
exit
passwd # root
# copy over ssh key
chmod og-rwx ~debian
mkdir -p ~debian/.ssh
cp -p ~root/authorized_keys ~debian/.ssh/
chmod -R og-rwx ~debian/.ssh
chown -R debian:debian ~debian/.ssh
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
rm -f /etc/apt/sources.list.d/*.list
cat > /etc/apt/sources.list <<EOF
deb http://deb.debian.org/debian/ buster-backports main
deb http://deb.debian.org/debian/ buster main
deb http://deb.debian.org/debian/ buster-updates main
deb http://security.debian.org/ buster/updates main
EOF
echo "RESUME=none" > /etc/initramfs-tools/conf.d/resume
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
# XXX nameservers
echo "nameserver 208.67.222.222" > /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf
apt-get update
iptables -L -n || DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" install iptables
cat > /etc/network/if-pre-up.d/iptables <<EOF
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
cat > /etc/iptables.test.rules <<EOF
# iptables.test.rules
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# SSH Access Port
-A INPUT -p tcp --dport 42661 -j ACCEPT
# Ethereum
-A INPUT -p tcp --dport 30303 -j ACCEPT
-A INPUT -p udp --dport 30303 -j ACCEPT
# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules
iptables-restore < /etc/iptables.test.rules
iptables -L -n
iptables-save > /etc/iptables.up.rules
cat > /root/iptables-reload <<EOF
iptables-restore < /etc/iptables.test.rules
iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload
apt-get update
apt-get -y autoremove --purge
apt-get -y purge --autoremove \
apache2 \
chrony \
exim4-base \
exim4-config \
man-db \
manpages \
postfix \
reportbug \
rpcbind \
snmpd \
unscd \
xinetd
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
bzip2 \
ca-certificates \
debian-archive-keyring \
haveged \
host \
less \
locales \
lsb-release \
net-tools \
parted \
psmisc \
sudo \
traceroute \
vim \
wget
apt-get clean
adduser debian sudo
echo ":syntax on" > ~/.vimrc
# XXX turn off macros in clusterssh
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
cat /etc/sudoers
echo ":syntax on" > ~debian/.vimrc
# TEST XMR LOGIN BEFORE REBOOT!
# Port 42661
sed -i \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
-e 's/\#Port 22/Port 42661/g' \
-e 's/\PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication no/PasswordAuthentication no/g' \
-e 's/RSAAuthentication yes/RSAAuthentication no/g' \
-e 's/X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo "AllowUsers debian" >> /etc/ssh/sshd_config
for i in plymouth rpcbind rsync saslauthd unattended-upgrades
do echo $i
/usr/sbin/update-rc.d $i stop
/usr/sbin/update-rc.d $i disable
done
# keep quiet for now am6 console serial is slow ? rm quiet
#sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
#sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
# GRUB_CMDLINE_LINUX="console=tty0 console=ttyS1,115200n8 ipv6.disable=1"
grub-install /dev/sda
update-grub
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
cat >> /etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p
cat /etc/network/interfaces
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cat /etc/hosts
cat /etc/hostname
hostname > /etc/hostname
echo "127.0.1.1 `hostname`" >> /etc/hosts
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
systemctl restart sshd
# TEST SSH
# ssh xmr@foo
# sudo su -
# reboot
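Review bot: sshd_config is rewritten with sed at lines 123–131 and sshd is restarted at line 162 with no syntax check in between, so on a remote host a bad edit — the stray backslash in `s/\PermitRootLogin yes/PermitRootLogin no/g` at line 126 looks unintended, and any directive the patterns do not match is silently left as-is — can leave no way back in once the current session drops; add `sshd -t || exit 1` before `systemctl restart sshd`. The same applies to the in-place `sed -i ... /etc/sudoers` at line 118, which should be followed by `visudo -cf /etc/sudoers || exit 1` rather than only `cat /etc/sudoers`, since a malformed sudoers disables sudo for the `debian` user that line 131 makes the only permitted SSH login. Separately, line 146 writes `alias ivp6 off`, which reads as a typo for `ipv6` and does nothing as written, though the modprobe blacklist at line 144 and the sysctl entries at lines 147–152 already cover the intent.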