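#!/bin/bash
# Post-install setup for a fresh Debian buster host, run as root:
#   - set the root password, install an SSH key for the "debian" user
#   - locale/timezone, plain Debian apt sources, IPv4-only apt
#   - default-deny iptables ruleset (only SSH 42661 and Ethereum 30303 open)
#   - purge unwanted daemons, dist-upgrade, install a small tool set
#   - passwordless sudo for %sudo, sshd on port 42661 with root login off
#   - IPv6 disabled, fresh host keys, sshd restarted
# Commands are traced (set -x). There is deliberately no `set -e`: failures
# do not abort the run, so read the trace when something looks off.
set -x

# Safety guard: the script stops here. Remove or comment out this line to
# run the remainder.
exit

passwd  # root

# copy over ssh key
# Expects the public key to have been staged at /root/authorized_keys.
chmod og-rwx ~debian
mkdir -p ~debian/.ssh
cp -p ~root/authorized_keys ~debian/.ssh/
chmod -R og-rwx ~debian/.ssh
chown -R debian:debian ~debian/.ssh

# locale and timezone
# NOTE(review): locale-gen/update-locale come from the "locales" package,
# which this script only installs further down; on an image without it these
# two calls fail (non-fatal here) and the locale must be generated afterwards.
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
ln -sf /usr/share/zoneinfo/UTC /etc/localtime

# apt: drop any vendor/cloud sources and use plain buster mirrors
rm -f /etc/apt/sources.list.d/*.list

cat > /etc/apt/sources.list <<'EOF'
deb http://deb.debian.org/debian/ buster-backports main
deb http://deb.debian.org/debian/ buster main
deb http://deb.debian.org/debian/ buster-updates main
deb http://security.debian.org/ buster/updates main
EOF

# no swap resume device on this box
echo "RESUME=none" > /etc/initramfs-tools/conf.d/resume

# apt over IPv4 only (IPv6 is disabled below)
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4

# XXX nameservers
# NOTE(review): writes resolv.conf directly; if a resolver manager
# (resolvconf, systemd-resolved, dhclient) owns the file it may overwrite this.
echo "nameserver 208.67.222.222" >  /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf

apt-get update

# install iptables only if it is not already usable
iptables -L -n || DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" install iptables

# re-apply the saved ruleset before each interface comes up
cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF

# Default-deny inbound ruleset. The ESTABLISHED,RELATED rule keeps the
# current SSH session alive while the rules are loaded; the 42661 rule is in
# place before sshd is moved to that port further down.
cat > /etc/iptables.test.rules <<'EOF'
# iptables.test.rules
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# SSH Access Port
-A INPUT -p tcp --dport 42661 -j ACCEPT

# Ethereum
-A INPUT -p tcp --dport 30303 -j ACCEPT
-A INPUT -p udp --dport 30303 -j ACCEPT

# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

# rule files are root-only; the if-pre-up hook must be executable
touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules

# load the test rules, show them, and persist them as the boot ruleset
iptables-restore < /etc/iptables.test.rules
iptables -L -n
iptables-save > /etc/iptables.up.rules

# helper to re-apply and re-save the rules later
cat > /root/iptables-reload <<'EOF'
iptables-restore < /etc/iptables.test.rules
iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload

# purge daemons and documentation that are not wanted on this node
apt-get update
apt-get -y autoremove --purge
apt-get -y purge --autoremove \
  apache2 \
  chrony \
  exim4-base \
  exim4-config \
  man-db \
  manpages \
  postfix \
  reportbug \
  rpcbind \
  snmpd \
  unscd \
  xinetd

# fetch everything first, then upgrade non-interactively keeping new conffiles
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade

DEBIAN_FRONTEND=noninteractive apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confnew" \
  install \
  bzip2 \
  ca-certificates \
  debian-archive-keyring \
  haveged \
  host \
  less \
  locales \
  lsb-release \
  net-tools \
  parted \
  psmisc \
  sudo \
  traceroute \
  vim \
  wget

apt-get clean

adduser debian sudo

echo ":syntax on" > ~/.vimrc

# XXX turn off macros in clusterssh
# Passwordless sudo for the sudo group. visudo -c validates the edited file:
# a syntax error in sudoers makes sudo unusable, so check before moving on.
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
visudo -c
cat /etc/sudoers

echo ":syntax on" > ~debian/.vimrc

# TEST XMR LOGIN BEFORE REBOOT!
# Port 42661
# Harden sshd: key-only login for "debian" on port 42661, no root login,
# no X11 forwarding. The RSAAuthentication line is obsolete on current
# OpenSSH and is a no-op when the option is absent.
sed -i \
  -e 's/#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
  -e 's/#Port 22/Port 42661/g' \
  -e 's/PermitRootLogin yes/PermitRootLogin no/g' \
  -e 's/#PasswordAuthentication no/PasswordAuthentication no/g' \
  -e 's/RSAAuthentication yes/RSAAuthentication no/g' \
  -e 's/X11Forwarding yes/X11Forwarding no/g' \
  /etc/ssh/sshd_config

echo "AllowUsers debian" >> /etc/ssh/sshd_config

# stop and disable services that are not needed at boot
# NOTE(review): "update-rc.d NAME stop" is the legacy form; newer
# init-system-helpers may reject it (non-fatal here) — the disable call is
# what actually keeps the service from starting.
for i in plymouth rpcbind rsync saslauthd unattended-upgrades; do
  printf '%s\n' "$i"
  /usr/sbin/update-rc.d "$i" stop
  /usr/sbin/update-rc.d "$i" disable
done

# keep quiet for now am6 console serial is slow ? rm quiet
#sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
#sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
# GRUB_CMDLINE_LINUX="console=tty0 console=ttyS1,115200n8 ipv6.disable=1"

# NOTE(review): boot disk is hard-coded; verify it is /dev/sda on this box.
grub-install /dev/sda
update-grub

# disable IPv6: block the module, its alias, and the sysctl knobs
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >>  /etc/modprobe.d/aliases.conf
echo alias ipv6 off  >>  /etc/modprobe.d/aliases.conf   # was "ivp6" (typo), so the alias never applied
cat >> /etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p

# bring interfaces up unconditionally at boot instead of on hotplug
cat /etc/network/interfaces
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces

# persist the current hostname and give it a loopback entry
cat /etc/hosts
cat /etc/hostname
hostname > /etc/hostname
echo "127.0.1.1 $(hostname)" >> /etc/hosts

# discard image-provided host keys and generate fresh ones
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

# only restart when the edited config parses; restarting on a broken
# sshd_config would lock us out of the box
sshd -t && systemctl restart sshd
# TEST SSH
# ssh xmr@foo
# sudo su -
# reboot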