forksand
/
forksand-it-manual
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add some scripts to run on a fresh install for SharkFork VMs

Browse Source
master
Jeff Moe 7 years ago
parent 83a1eb1262
commit c410b58392
4 changed files with 1176 additions and 0 deletions
Show Stats Download Patch File Download Diff File

294
source/resources/apps/sharkfork-bootstrap/forksand-sf-admin-bootstrap
Unescape View File

@ -0,0 +1,294 @@
#!/bin/bash
# forksand-sf-admin-bootstrap
# GPLv3+
# This script does some initial setup and config
# Log script
exec > >(tee /root/bootstrap-sf-admin.log) 2>/root/bootstrap-sf-admin.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Use apt-cache
echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "jebba"
git config --global user.email moe@forksand.com
cd /etc ; git add . ; git commit -m 'Add apt cache' /etc/apt/apt.conf
cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch server.'
# Firewall
# Create iptables startup script (is this still needed? From squeeze era)
cat > /etc/network/if-pre-up.d/iptables <<EOF
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
cat > /etc/iptables.test.rules <<EOF
# iptables.test.rules
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# SSH Access Port
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 26101 -j ACCEPT
# Allow web port 80 for Letsencrypt
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SMTP
#-A INPUT -p tcp --dport 25 -j ACCEPT
# Allow SMTPS
#-A INPUT -p tcp --dport 465 -j ACCEPT
# Allow SMTP-MSA
#-A INPUT -p tcp --dport 587 -j ACCEPT
# Allow IMAP SSL
#-A INPUT -p tcp --dport 993 -j ACCEPT
# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules
iptables-restore < /etc/iptables.test.rules
iptables -L -n
iptables-save > /etc/iptables.up.rules
cd /etc ; git add . ; git commit -a -m 'Set up firewall.'
# scriptlet for root to reload firewall rules
cat > /root/iptables-reload <<EOF
iptables-restore < /etc/iptables.test.rules
iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# NTP SharkTech. They firewall outside ntp.
sed -i \
-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
/etc/ntp.conf
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
/etc/init.d/ntp restart
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Don't load IPv6 kernel modules.
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
# Disable IPv6 with sysctl.
cat >> /etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p
cd /etc ; git add . ; git commit -a -m 'Disable IPv6'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
cd /etc ; git add . ; git commit -a -m 'autoremove'
apt clean
exit 0
# Reboot

294
source/resources/apps/sharkfork-bootstrap/forksand-sf-dev-bootstrap
Unescape View File

@ -0,0 +1,294 @@
#!/bin/bash
# forksand-sf-dev-bootstrap
# GPLv3+
# This script does some initial setup and config
# Log script
exec > >(tee /root/bootstrap-sf-dev.log) 2>/root/bootstrap-sf-dev.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Use apt-cache
echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "jebba"
git config --global user.email moe@forksand.com
cd /etc ; git add . ; git commit -m 'Add apt cache' /etc/apt/apt.conf
cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch server.'
# Firewall
# Create iptables startup script (is this still needed? From squeeze era)
cat > /etc/network/if-pre-up.d/iptables <<EOF
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
cat > /etc/iptables.test.rules <<EOF
# iptables.test.rules
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# SSH Access Port
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 26101 -j ACCEPT
# Allow web port 80 for Letsencrypt
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SMTP
#-A INPUT -p tcp --dport 25 -j ACCEPT
# Allow SMTPS
#-A INPUT -p tcp --dport 465 -j ACCEPT
# Allow SMTP-MSA
#-A INPUT -p tcp --dport 587 -j ACCEPT
# Allow IMAP SSL
#-A INPUT -p tcp --dport 993 -j ACCEPT
# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules
iptables-restore < /etc/iptables.test.rules
iptables -L -n
iptables-save > /etc/iptables.up.rules
cd /etc ; git add . ; git commit -a -m 'Set up firewall.'
# scriptlet for root to reload firewall rules
cat > /root/iptables-reload <<EOF
iptables-restore < /etc/iptables.test.rules
iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# NTP SharkTech. They firewall outside ntp.
sed -i \
-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
/etc/ntp.conf
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
/etc/init.d/ntp restart
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Don't load IPv6 kernel modules.
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
# Disable IPv6 with sysctl.
cat >> /etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p
cd /etc ; git add . ; git commit -a -m 'Disable IPv6'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
cd /etc ; git add . ; git commit -a -m 'autoremove'
apt clean
exit 0
# Reboot

294
source/resources/apps/sharkfork-bootstrap/forksand-sf-internal-bootstrap
Unescape View File

@ -0,0 +1,294 @@
#!/bin/bash
# forksand-sf-internal-bootstrap
# GPLv3+
# This script does some initial setup and config
# Log script
exec > >(tee /root/bootstrap-sf-internal.log) 2>/root/bootstrap-sf-internal.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Use apt-cache
echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "jebba"
git config --global user.email moe@forksand.com
cd /etc ; git add . ; git commit -m 'Add apt cache' /etc/apt/apt.conf
cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch server.'
# Firewall
# Create iptables startup script (is this still needed? From squeeze era)
cat > /etc/network/if-pre-up.d/iptables <<EOF
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
cat > /etc/iptables.test.rules <<EOF
# iptables.test.rules
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# SSH Access Port
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 26101 -j ACCEPT
# Allow web port 80 for Letsencrypt
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SMTP
#-A INPUT -p tcp --dport 25 -j ACCEPT
# Allow SMTPS
#-A INPUT -p tcp --dport 465 -j ACCEPT
# Allow SMTP-MSA
#-A INPUT -p tcp --dport 587 -j ACCEPT
# Allow IMAP SSL
#-A INPUT -p tcp --dport 993 -j ACCEPT
# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules
iptables-restore < /etc/iptables.test.rules
iptables -L -n
iptables-save > /etc/iptables.up.rules
cd /etc ; git add . ; git commit -a -m 'Set up firewall.'
# scriptlet for root to reload firewall rules
cat > /root/iptables-reload <<EOF
iptables-restore < /etc/iptables.test.rules
iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# NTP SharkTech. They firewall outside ntp.
sed -i \
-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
/etc/ntp.conf
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
/etc/init.d/ntp restart
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Don't load IPv6 kernel modules.
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
# Disable IPv6 with sysctl.
cat >> /etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p
cd /etc ; git add . ; git commit -a -m 'Disable IPv6'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
cd /etc ; git add . ; git commit -a -m 'autoremove'
apt clean
exit 0
# Reboot

294
source/resources/apps/sharkfork-bootstrap/forksand-sf-production-bootstrap
Unescape View File

@ -0,0 +1,294 @@
#!/bin/bash
# forksand-sf-production-bootstrap
# GPLv3+
# This script does some initial setup and config
# Log script
exec > >(tee /root/bootstrap-sf-production.log) 2>/root/bootstrap-sf-production.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Use apt-cache
echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "jebba"
git config --global user.email moe@forksand.com
cd /etc ; git add . ; git commit -m 'Add apt cache' /etc/apt/apt.conf
cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch server.'
# Firewall
# Create iptables startup script (is this still needed? From squeeze era)
cat > /etc/network/if-pre-up.d/iptables <<EOF
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
cat > /etc/iptables.test.rules <<EOF
# iptables.test.rules
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# SSH Access Port
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 26101 -j ACCEPT
# Allow web port 80 for Letsencrypt
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SMTP
#-A INPUT -p tcp --dport 25 -j ACCEPT
# Allow SMTPS
#-A INPUT -p tcp --dport 465 -j ACCEPT
# Allow SMTP-MSA
#-A INPUT -p tcp --dport 587 -j ACCEPT
# Allow IMAP SSL
#-A INPUT -p tcp --dport 993 -j ACCEPT
# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules
iptables-restore < /etc/iptables.test.rules
iptables -L -n
iptables-save > /etc/iptables.up.rules
cd /etc ; git add . ; git commit -a -m 'Set up firewall.'
# scriptlet for root to reload firewall rules
cat > /root/iptables-reload <<EOF
iptables-restore < /etc/iptables.test.rules
iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
qemu-guest-agent \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# NTP SharkTech. They firewall outside ntp.
sed -i \
-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
/etc/ntp.conf
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
/etc/init.d/ntp restart
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Don't load IPv6 kernel modules.
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
# Disable IPv6 with sysctl.
cat >> /etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p
cd /etc ; git add . ; git commit -a -m 'Disable IPv6'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
cd /etc ; git add . ; git commit -a -m 'autoremove'
apt clean
exit 0
# Reboot
Write Preview
Loading…
Cancel
Save