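#!/bin/bash
# forksand-sf-internal-bootstrap
# GPLv3+
#
# This script does some initial setup and config on a fresh Debian stretch
# host: locale, timezone, apt proxy, /etc under git, and the iptables
# firewall. Run as root (it writes under /etc and /root).

# Log script: stdout is tee'd to the .log file, stderr (including the
# `set -x` trace below) goes to the .err file.
exec > >(tee /root/bootstrap-sf-internal.log) 2>/root/bootstrap-sf-internal.err
set -x

# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale

# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime

# Use apt-cache
# NOTE: this overwrites the whole of /etc/apt/apt.conf; the later drop-ins
# go under /etc/apt/apt.conf.d/ and are not affected.
echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf

# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
# The repo will hold a copy of everything under /etc, so keep it root-only.
chmod og-rwx /etc/.git
# Quoted delimiter: heredoc body is written literally, no expansion.
cat > /etc/.gitignore <<'EOF'
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "jebba"
git config --global user.email moe@forksand.com
cd /etc ; git add . ; git commit -m 'Add apt cache' /etc/apt/apt.conf
cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch server.'

# Firewall
# Create iptables startup script (is this still needed? From squeeze era)
cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF

cat > /etc/iptables.test.rules <<'EOF'
# iptables.test.rules
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
# (the rule for the second half of the comment above was missing)
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# SSH Access Port
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 26101 -j ACCEPT
# Allow web port 80 for Letsencrypt
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SMTP
#-A INPUT -p tcp --dport 25 -j ACCEPT
# Allow SMTPS
#-A INPUT -p tcp --dport 465 -j ACCEPT
# Allow SMTP-MSA
#-A INPUT -p tcp --dport 587 -j ACCEPT
# Allow IMAP SSL
#-A INPUT -p tcp --dport 993 -j ACCEPT
# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

# Rule files are root-only; the if-pre-up.d hook must be executable.
touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules
# Load the test ruleset and only persist it as the boot ruleset if the load
# succeeded; otherwise iptables-save would capture whatever (possibly empty)
# ruleset happens to be active and install that at boot.
iptables-restore < /etc/iptables.test.rules
restore_rc=$?
iptables -L -n
if [ "$restore_rc" -eq 0 ]; then
  iptables-save > /etc/iptables.up.rules
else
  echo "iptables-restore failed (rc=$restore_rc); /etc/iptables.up.rules left unchanged" >&2
fi
cd /etc ; git add . ; git commit -a -m 'Set up firewall.'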
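# scriptlet for root to reload firewall rules
# Only persists the ruleset when the restore succeeded, so a typo in the
# test rules cannot end up as the boot ruleset.
cat > /root/iptables-reload <<'EOF'
iptables-restore < /etc/iptables.test.rules && iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload

# SET UP APT
#
cat > /etc/apt/sources.list <<'EOF'
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF

# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
# git needs to run inside the /etc repo for the path-restricted commit.
cd /etc
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'

# UPGRADE SERVER
# Download first, then upgrade non-interactively keeping new conffiles.
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'

# Base packages. One list feeds both the download-only pass and the install
# so the two cannot drift apart.
base_packages=(
  apt-transport-https
  bzip2
  ca-certificates
  colordiff
  curl
  debian-archive-keyring
  exuberant-ctags
  git
  host
  less
  locales
  lsb-release
  man-db
  manpages
  molly-guard
  net-tools
  ntp
  openssh-server
  python3
  qemu-guest-agent
  rsync
  telnet
  traceroute
  vim
  vim-scripts
)
apt-get -y --download-only install \
  --no-install-recommends \
  "${base_packages[@]}"
DEBIAN_FRONTEND=noninteractive apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confnew" \
  install \
  --no-install-recommends \
  "${base_packages[@]}"
cd /etc ; git add . ; git commit -a -m 'Install base packages'

# NTP SharkTech. They firewall outside ntp.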
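# Comment out the Debian pools (blocked upstream) and point the last one at
# the provider's server.
sed -i \
  -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
  -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
  -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
  -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
  /etc/ntp.conf
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
/etc/init.d/ntp restart

# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc

# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
# A syntax error in sudoers locks everyone out of sudo; check that the
# edited file still parses before moving on.
visudo -cf /etc/sudoers || echo "WARNING: /etc/sudoers failed 'visudo -c' after edit" >&2
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'

# SSH config XXX sed cruft
# No root login, no password auth, no X11 forwarding.
sed -i \
  -e 's/PermitRootLogin yes/PermitRootLogin no/g' \
  -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
  -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
  -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
  /etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
# Validate the edited config before restarting: restarting sshd on a broken
# sshd_config would leave the host without remote access.
if /usr/sbin/sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config failed 'sshd -t'; not restarting sshd" >&2
fi

# Startup XXX disable unneeded.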
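# Don't start these services at boot.
for i in rsync exim4 saned
do
  echo "$i"
  /usr/sbin/update-rc.d "$i" disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'

# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'

# Don't load IPv6 kernel modules.
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
# Module name is "ipv6" (was written as "ivp6", a typo that aliased nothing).
echo alias ipv6 off >> /etc/modprobe.d/aliases.conf

# Disable IPv6 with sysctl.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p
cd /etc ; git add . ; git commit -a -m 'Disable IPv6'

# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'

# XXX not sure why this is getting installed:
apt-get -y autoremove
cd /etc ; git add . ; git commit -a -m 'autoremove'

apt clean

exit 0
# Reboot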