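--- /dev/null
+++ b/UNKNOWN-PATH
@@ -0,0 +1,403 @@
+#!/bin/bash
+
+DOMAIN_NAME=$1
+MY_USERNAME=$2
+
+# Directory where source code is downloaded and compiled
+INSTALL_DIR=/root/build
+
+function initial_setup {
+ apt-get -y update
+ apt-get -y dist-upgrade
+ apt-get -y install ca-certificates emacs24
+}
+
+function install_editor {
+ update-alternatives --set editor /usr/bin/emacs24
+}
+
+function enable_backports {
+ echo "deb http://ftp.us.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
+}
+
+function remove_proprietary_repos {
+ sed 's/ non-free//g' /etc/apt/sources.list > /tmp/sources.list
+ cp -f /tmp/sources.list /etc/apt/sources.list
+}
+
+function update_the_kernel {
+ cd /opt/scripts/tools
+ ./update_kernel.sh --kernel v3.15.10-bone7
+}
+
+function enable_zram {
+ echo "options zram num_devices=1" >> /etc/modprobe.d/zram.conf
+ echo "#!/bin/bash" > /etc/init.d/zram
+ echo "### BEGIN INIT INFO" >> /etc/init.d/zram
+ echo "# Provides: zram" >> /etc/init.d/zram
+ echo "# Required-Start:" >> /etc/init.d/zram
+ echo "# Required-Stop:" >> /etc/init.d/zram
+ echo "# Default-Start: 2 3 4 5" >> /etc/init.d/zram
+ echo "# Default-Stop: 0 1 6" >> /etc/init.d/zram
+ echo "# Short-Description: Increased Performance In Linux With zRam (Virtual Swap Compressed in RAM)" >> /etc/init.d/zram
+ echo "# Description: Adapted from systemd scripts at https://github.com/mystilleef/FedoraZram" >> /etc/init.d/zram
+ echo "### END INIT INFO" >> /etc/init.d/zram
+ echo "start() {" >> /etc/init.d/zram
+ echo " # get the number of CPUs" >> /etc/init.d/zram
+ echo " num_cpus=$(grep -c processor /proc/cpuinfo)" >> /etc/init.d/zram
+ echo " # if something goes wrong, assume we have 1" >> /etc/init.d/zram
+ echo " [ \"$num_cpus\" != 0 ] || num_cpus=1" >> /etc/init.d/zram
+ echo " # set decremented number of CPUs" >> /etc/init.d/zram
+ echo " decr_num_cpus=$((num_cpus - 1))" >> /etc/init.d/zram
+ echo " # get the amount of memory in the machine" >> /etc/init.d/zram
+ echo " mem_total_kb=$(grep MemTotal /proc/meminfo | grep -E --only-matching '[[:digit:]]+')" >> /etc/init.d/zram
+ echo " mem_total=$((mem_total_kb * 1024))" >> /etc/init.d/zram
+ echo " # load dependency modules" >> /etc/init.d/zram
+ echo " modprobe zram num_devices=$num_cpus" >> /etc/init.d/zram
+ echo " # initialize the devices" >> /etc/init.d/zram
+ echo " for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+ echo " echo $((mem_total / num_cpus)) > /sys/block/zram$i/disksize" >> /etc/init.d/zram
+ echo " done" >> /etc/init.d/zram
+ echo " # Creating swap filesystems" >> /etc/init.d/zram
+ echo " for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+ echo " mkswap /dev/zram$i" >> /etc/init.d/zram
+ echo " done" >> /etc/init.d/zram
+ echo " # Switch the swaps on" >> /etc/init.d/zram
+ echo " for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+ echo " swapon -p 100 /dev/zram$i" >> /etc/init.d/zram
+ echo " done" >> /etc/init.d/zram
+ echo "}" >> /etc/init.d/zram
+ echo "stop() {" >> /etc/init.d/zram
+ echo " # get the number of CPUs" >> /etc/init.d/zram
+ echo " num_cpus=$(grep -c processor /proc/cpuinfo)" >> /etc/init.d/zram
+ echo " # set decremented number of CPUs" >> /etc/init.d/zram
+ echo " decr_num_cpus=$((num_cpus - 1))" >> /etc/init.d/zram
+ echo " # Switching off swap" >> /etc/init.d/zram
+ echo " for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+ echo " if [ \"$(grep /dev/zram$i /proc/swaps)\" != \"\" ]; then" >> /etc/init.d/zram
+ echo " swapoff /dev/zram$i" >> /etc/init.d/zram
+ echo " sleep 1" >> /etc/init.d/zram
+ echo " fi" >> /etc/init.d/zram
+ echo " done" >> /etc/init.d/zram
+ echo " sleep 1" >> /etc/init.d/zram
+ echo " rmmod zram" >> /etc/init.d/zram
+ echo "}" >> /etc/init.d/zram
+ echo "case \"$1\" in" >> /etc/init.d/zram
+ echo " start)" >> /etc/init.d/zram
+ echo " start" >> /etc/init.d/zram
+ echo " ;;" >> /etc/init.d/zram
+ echo " stop)" >> /etc/init.d/zram
+ echo " stop" >> /etc/init.d/zram
+ echo " ;;" >> /etc/init.d/zram
+ echo " restart)" >> /etc/init.d/zram
+ echo " stop" >> /etc/init.d/zram
+ echo " sleep 3" >> /etc/init.d/zram
+ echo " start" >> /etc/init.d/zram
+ echo " ;;" >> /etc/init.d/zram
+ echo " *)" >> /etc/init.d/zram
+ echo " echo \"Usage: $0 {start|stop|restart}\"" >> /etc/init.d/zram
+ echo " RETVAL=1" >> /etc/init.d/zram
+ echo "esac" >> /etc/init.d/zram
+ echo "exit $RETVAL" >> /etc/init.d/zram
+ chmod +x /etc/init.d/zram
+ update-rc.d zram defaults
+}
+
+function hardware_random_number_generator
+ apt-get -y install rng-tools
+ sed 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools > /tmp/rng-tools
+ cp -f /tmp/rng-tools /etc/default/rng-tools
+ service rng-tools restart
+}
+
+function configure_ssh {
+ sed 's/PermitRootLogin without-password/PermitRootLogin no/g' /etc/ssh/sshd_config > /tmp/sshd_config
+ cp -f /tmp/sshd_config /etc/ssh/sshd_config
+ sed 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config > /tmp/sshd_config
+ cp -f /tmp/sshd_config /etc/ssh/sshd_config
+ sed 's/ServerKeyBits 1024/ServerKeyBits 4096/g' /etc/ssh/sshd_config > /tmp/sshd_config
+ cp -f /tmp/sshd_config /etc/ssh/sshd_config
+ sed 's/TCPKeepAlive yes/TCPKeepAlive no/g' /etc/ssh/sshd_config > /tmp/sshd_config
+ cp -f /tmp/sshd_config /etc/ssh/sshd_config
+ sed 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config > /tmp/sshd_config
+ cp -f /tmp/sshd_config /etc/ssh/sshd_config
+ sed 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config > /tmp/sshd_config
+ cp -f /tmp/sshd_config /etc/ssh/sshd_config
+ echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
+ echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
+ echo "Ciphers aes256-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+ echo "MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+ KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1" >> /etc/ssh/sshd_config
+ service ssh restart
+ apt-get -y install fail2ban
+}
+
+function regenerate_ssh_keys {
+ rm -f /etc/ssh/ssh_host_*
+ dpkg-reconfigure openssh-server
+ service ssh restart
+}
+
+function set_your_domain_name {
+ echo "$DOMAIN_NAME" > /etc/hostname
+ hostname $DOMAIN_NAME
+ echo "127.0.1.1 $DOMAIN_NAME" >> /etc/hosts
+}
+
+function time_synchronisation {
+ apt-get -y install build-essential automake git pkg-config autoconf libtool libssl-dev
+ apt-get -y remove ntpdate
+ mkdir $INSTALL_DIR
+ cd $INSTALL_DIR
+ git clone https://github.com/ioerror/tlsdate.git
+ cd $INSTALL_DIR/tlsdate
+ ./autogen.sh
+ ./configure
+ make
+ make install
+
+ echo "#!/bin/bash" > /usr/bin/updatedate
+ echo "TIMESOURCE=google.com" >> /usr/bin/updatedate
+ echo "TIMESOURCE2=www.ptb.de" >> /usr/bin/updatedate
+ echo "LOGFILE=/var/log/tlsdate.log" >> /usr/bin/updatedate
+ echo "TIMEOUT=5" >> /usr/bin/updatedate
+ echo "EMAIL=$MY_USERNAME@$DOMAIN_NAME" >> /usr/bin/updatedate
+ echo "# File which contains the previous date as a number" >> /usr/bin/updatedate
+ echo "BEFORE_DATE_FILE=/var/log/tlsdateprevious.txt" >> /usr/bin/updatedate
+ echo "# File which contains the previous date as a string" >> /usr/bin/updatedate
+ echo "BEFORE_FULLDATE_FILE=/var/log/tlsdate.txt" >> /usr/bin/updatedate
+ echo "DATE_BEFORE=$(date)" >> /usr/bin/updatedate
+ echo "BEFORE=$(date -d "$Y-$M-$D" '+%s')" >> /usr/bin/updatedate
+ echo "BACKWARDS_BETWEEN=0" >> /usr/bin/updatedate
+ echo "# If the date was previously set" >> /usr/bin/updatedate
+ echo "if [[ -f \"$BEFORE_DATE_FILE\" ]]; then" >> /usr/bin/updatedate
+ echo " BEFORE_FILE=$(cat $BEFORE_DATE_FILE)" >> /usr/bin/updatedate
+ echo " BEFORE_FULLDATE=$(cat $BEFORE_FULLDATE_FILE)" >> /usr/bin/updatedate
+ echo " # is the date going backwards?" >> /usr/bin/updatedate
+ echo " if (( BEFORE_FILE > BEFORE )); then" >> /usr/bin/updatedate
+ echo " echo -n \"Date went backwards between tlsdate updates. \" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo -n \"$BEFORE_FILE > $BEFORE, \" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo \"$BEFORE_FULLDATE > $DATE_BEFORE\" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " # Send a warning email" > /usr/bin/updatedate
+ echo " echo $(tail $LOGFILE -n 2) | mail -s \"tlsdate anomaly\" $EMAIL" >> /usr/bin/updatedate
+ echo " # Try another time source" >> /usr/bin/updatedate
+ echo " TIMESOURCE=$TIMESOURCE2" >> /usr/bin/updatedate
+ echo " # try running without any parameters" >> /usr/bin/updatedate
+ echo " tlsdate >> $LOGFILE" >> /usr/bin/updatedate
+ echo " BACKWARDS_BETWEEN=1" >> /usr/bin/updatedate
+ echo " fi" >> /usr/bin/updatedate
+ echo "fi" >> /usr/bin/updatedate
+ echo "# Set the date" >> /usr/bin/updatedate
+ echo "/usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE -p 443 >> $LOGFILE" >> /usr/bin/updatedate
+ echo "DATE_AFTER=$(date)" >> /usr/bin/updatedate
+ echo "AFTER=$(date -d "$Y-$M-$D" '+%s')" >> /usr/bin/updatedate
+ echo "# After setting the date did it go backwards?" >> /usr/bin/updatedate
+ echo "if (( AFTER < BEFORE )); then" >> /usr/bin/updatedate
+ echo " echo \"Incorrect date: $DATE_BEFORE -> $DATE_AFTER\" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " # Send a warning email" >> /usr/bin/updatedate
+ echo " echo $(tail $LOGFILE -n 2) | mail -s \"tlsdate anomaly\" $EMAIL" >> /usr/bin/updatedate
+ echo " # Try resetting the date from another time source" >> /usr/bin/updatedate
+ echo " /usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE2 -p 443 >> $LOGFILE" >> /usr/bin/updatedate
+ echo " DATE_AFTER=$(date)" >> /usr/bin/updatedate
+ echo " AFTER=$(date -d "$Y-$M-$D" '+%s')" >> /usr/bin/updatedate
+ echo "else" >> /usr/bin/updatedate
+ echo " echo -n $TIMESOURCE >> $LOGFILE" >> /usr/bin/updatedate
+ echo " if [[ -f \"$BEFORE_DATE_FILE\" ]]; then" >> /usr/bin/updatedate
+ echo " echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo -n $BEFORE_FILE >> $LOGFILE" >> /usr/bin/updatedate
+ echo " fi" >> /usr/bin/updatedate
+ echo " echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo -n $BEFORE >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo -n $AFTER >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+ echo " echo $DATE_AFTER >> $LOGFILE" >> /usr/bin/updatedate
+ echo "fi" >> /usr/bin/updatedate
+ echo "# Log the last date" >> /usr/bin/updatedate
+ echo "if [ BACKWARDS_BETWEEN == 0 ]; then" >> /usr/bin/updatedate
+ echo " echo \"$AFTER\" > $BEFORE_DATE_FILE" >> /usr/bin/updatedate
+ echo " echo \"$DATE_AFTER\" > $BEFORE_FULLDATE_FILE" >> /usr/bin/updatedate
+ echo " exit 0" >> /usr/bin/updatedate
+ echo "else" >> /usr/bin/updatedate
+ echo " exit 1" >> /usr/bin/updatedate
+ echo "fi" >> /usr/bin/updatedate
+ chmod +x /usr/bin/updatedate
+ echo "*/15 * * * * root /usr/bin/updatedate" >> /etc/crontab
+ service cron restart
+
+ echo "#!/bin/bash" > /etc/init.d/tlsdate
+ echo "# /etc/init.d/tlsdate" >> /etc/init.d/tlsdate
+ echo "### BEGIN INIT INFO" >> /etc/init.d/tlsdate
+ echo "# Provides: tlsdate" >> /etc/init.d/tlsdate
+ echo "# Required-Start: $remote_fs $syslog" >> /etc/init.d/tlsdate
+ echo "# Required-Stop: $remote_fs $syslog" >> /etc/init.d/tlsdate
+ echo "# Default-Start: 2 3 4 5" >> /etc/init.d/tlsdate
+ echo "# Default-Stop: 0 1 6" >> /etc/init.d/tlsdate
+ echo "# Short-Description: Initially calls tlsdate with the timewarp option" >> /etc/init.d/tlsdate
+ echo "# Description: Initially calls tlsdate with the timewarp option" >> /etc/init.d/tlsdate
+ echo "### END INIT INFO" >> /etc/init.d/tlsdate
+ echo "# Author: Bob Mottram <bob@robotics.uk.to>" >> /etc/init.d/tlsdate
+ echo "PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin'" >> /etc/init.d/tlsdate
+ echo "LOGFILE=\"/var/log/tlsdate.log\"" >> /etc/init.d/tlsdate
+ echo "TLSDATECOMMAND=\"tlsdate --timewarp -l -H www.ptb.de -p 443 >> $LOGFILE\"" >> /etc/init.d/tlsdate
+ echo "#Start-Stop here" >> /etc/init.d/tlsdate
+ echo "case "$1" in" >> /etc/init.d/tlsdate
+ echo " start)" >> /etc/init.d/tlsdate
+ echo " echo "tlsdate started"" >> /etc/init.d/tlsdate
+ echo " $TLSDATECOMMAND" >> /etc/init.d/tlsdate
+ echo " ;;" >> /etc/init.d/tlsdate
+ echo " stop)" >> /etc/init.d/tlsdate
+ echo " echo "tlsdate stopped"" >> /etc/init.d/tlsdate
+ echo " ;;" >> /etc/init.d/tlsdate
+ echo " restart)" >> /etc/init.d/tlsdate
+ echo " echo "tlsdate restarted"" >> /etc/init.d/tlsdate
+ echo " $TLSDATECOMMAND" >> /etc/init.d/tlsdate
+ echo " ;;" >> /etc/init.d/tlsdate
+ echo " *)" >> /etc/init.d/tlsdate
+ echo " echo "Usage: $0 {start|stop|restart}"" >> /etc/init.d/tlsdate
+ echo " exit 1" >> /etc/init.d/tlsdate
+ echo " ;;" >> /etc/init.d/tlsdate
+ echo "esac" >> /etc/init.d/tlsdate
+ echo "exit 0" >> /etc/init.d/tlsdate
+ chmod +x /etc/init.d/tlsdate
+ update-rc.d tlsdate defaults
+}
+
+function defend_against_port_scanning
+ apt-get -y install portsentry
+}
+
+function configure_firewall {
+ iptables -P INPUT ACCEPT
+ ip6tables -P INPUT ACCEPT
+ iptables -F
+ ip6tables -F
+ iptables -X
+ ip6tables -X
+ iptables -P INPUT DROP
+ ip6tables -P INPUT DROP
+}
+
+function configure_firewall_for_email {
+ iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
+ iptables -A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT
+ iptables -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT
+ iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
+}
+
+function save_firewall_settings {
+ # TODO
+}
+
+function configure_internet_protocol {
+ sed "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ sed "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+ cp -f /tmp/sysctl.conf /etc/sysctl.conf
+ echo "# ignore pings" >> /etc/sysctl.conf
+ echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
+ echo "net.ipv6.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
+ echo "# disable ipv6" >> /etc/sysctl.conf
+ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
+ echo "net.ipv4.tcp_synack_retries = 2" >> /etc/sysctl.conf
+ echo "net.ipv4.tcp_syn_retries = 1" >> /etc/sysctl.conf
+ echo "# keepalive" >> /etc/sysctl.conf
+ echo "net.ipv4.tcp_keepalive_probes = 9" >> /etc/sysctl.conf
+ echo "net.ipv4.tcp_keepalive_intvl = 75" >> /etc/sysctl.conf
+ echo "net.ipv4.tcp_keepalive_time = 7200" >> /etc/sysctl.conf
+}
+
+function script_to_make_self_signed_certificates {
+ echo "#!/bin/bash" > /usr/bin/makecert
+ echo "HOSTNAME=$1" >> /usr/bin/makecert
+ echo "COUNTRY_CODE=\"US\"" >> /usr/bin/makecert
+ echo "AREA=\"Free Speech Zone\"" >> /usr/bin/makecert
+ echo "LOCATION=\"Freedomville\"" >> /usr/bin/makecert
+ echo "ORGANISATION=\"Freedombone\"" >> /usr/bin/makecert
+ echo "UNIT=\"Freedombone Unit\"" >> /usr/bin/makecert
+ echo "if ! which openssl > /dev/null ;then" >> /usr/bin/makecert
+ echo " echo "$0: openssl is not installed, exiting" 1>&2" >> /usr/bin/makecert
+ echo " exit 1" >> /usr/bin/makecert
+ echo "fi" >> /usr/bin/makecert
+ echo "openssl req -x509 -nodes -days 3650 -sha256 -subj \"/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME\" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt" >> /usr/bin/makecert
+ echo "openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam" >> /usr/bin/makecert
+ echo "chmod 400 /etc/ssl/private/$HOSTNAME.key" >> /usr/bin/makecert
+ echo "chmod 640 /etc/ssl/certs/$HOSTNAME.crt" >> /usr/bin/makecert
+ echo "chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam" >> /usr/bin/makecert
+ echo "/etc/init.d/nginx reload" >> /usr/bin/makecert
+ echo "# add the public certificate to a separate directory" >> /usr/bin/makecert
+ echo "# so that we can redistribute it easily" >> /usr/bin/makecert
+ echo "if [ ! -d /etc/ssl/mycerts ]; then" >> /usr/bin/makecert
+ echo " mkdir /etc/ssl/mycerts" >> /usr/bin/makecert
+ echo "fi" >> /usr/bin/makecert
+ echo "cp /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/mycerts" >> /usr/bin/makecert
+ echo "# Create a bundle of your certificates" >> /usr/bin/makecert
+ echo "cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt" >> /usr/bin/makecert
+ echo "tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt" >> /usr/bin/makecert
+ chmod +x /usr/bin/makecert
+}
+
+function configure_email {
+ apt-get -y remove postfix
+ apt-get -y install exim4 sasl2-bin swaks libnet-ssleay-perl procmail
+ echo "dc_eximconfig_configtype='internet'" > /etc/exim4/update-exim4.conf.conf
+ echo "dc_other_hostnames='$DOMAIN_NAME'" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_relay_nets='192.168.1.0/24'" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf
+ echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf
+ echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf
+ update-exim4.conf
+ sed "s/START=no/START=yes/g" /etc/default/saslauthd > /tmp/saslauthd
+ cp -f /tmp/saslauthd /etc/default/saslauthd
+ /etc/init.d/saslauthd start
+ makecert exim
+ mv /etc/ssl/private/exim.key /etc/exim4
+ mv /etc/ssl/certs/exim.crt /etc/exim4
+ mv /etc/ssl/certs/exim.dhparam /etc/exim4
+ chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
+ chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
+#editor /etc/exim4/exim4.conf.template
+}
+
+initial_setup
+install_editor
+enable_backports
+remove_proprietary_repos
+update_the_kernel
+enable_zram
+hardware_random_number_generator
+configure_ssh
+regenerate_ssh_keys
+set_your_domain_name
+time_synchronisation
+defend_against_port_scanning
+configure_firewall
+configure_firewall_for_email
+save_firewall_settings
+configure_internet_protocol
+script_to_make_self_signed_certificates
+configure_email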
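Review bot: `function hardware_random_number_generator` (file line 106) and `function defend_against_port_scanning` (line 266) have no opening `{`, so bash rejects the whole file with a syntax error before any function runs; both need the brace, `function hardware_random_number_generator {` and `function defend_against_port_scanning {`. The helper scripts produced by enable_zram, time_synchronisation and script_to_make_self_signed_certificates are emitted with double-quoted `echo` lines, so `$(grep -c processor /proc/cpuinfo)`, `$1`, `$RETVAL`, `$remote_fs` and `$(date -d "$Y-$M-$D" '+%s')` are expanded on the installing host instead of inside the generated script, line 181 uses `>` rather than `>>` and truncates /usr/bin/updatedate part-way through, and line 217's `if [ BACKWARDS_BETWEEN == 0 ]` compares a literal word rather than `$BACKWARDS_BETWEEN`; writing each script with a quoted heredoc (`cat <<'EOF' > /etc/init.d/zram`) keeps that text literal and removes the escaping. configure_firewall sets `iptables -P INPUT DROP` before configure_firewall_for_email appends the port 22 rule, nothing accepts `lo` or ESTABLISHED,RELATED traffic, and save_firewall_settings is an empty TODO, so the rules do not survive a reboot; run over SSH, that ordering together with configure_ssh setting `PermitRootLogin no` while nothing in this file creates `$MY_USERNAME` as a login user risks locking the operator out, so the accept rules should precede the DROP policy and the user should exist before root login is disabled. The repeated `sed ... > /tmp/<name>; cp -f` edits run as root against fixed, predictable /tmp paths; `sed -i` or a `mktemp` file avoids that, and `openssl dhparam -check -text -5 1024` in makecert generates a 1024-bit group, which is below the 2048-bit minimum current TLS guidance expects.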