
Beginning of install script

Bob Mottram 10 年之前
父節點
當前提交
262295fc27
共有 1 個文件被更改,包括 403 次插入0 次删除
  1. 403
    0
      install-freedombone.sh

+ 403
- 0
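--- /dev/null
+++ b/install-freedombone.sh
@@ -0,0 +1,403 @@
+#!/bin/bash
+
+DOMAIN_NAME=$1
+MY_USERNAME=$2
+
+# Directory where source code is downloaded and compiled
+INSTALL_DIR=/root/build
+
+function initial_setup {
+  apt-get -y update
+  apt-get -y dist-upgrade
+  apt-get -y install ca-certificates emacs24
+}
+
+function install_editor {
+  update-alternatives --set editor /usr/bin/emacs24
+}
+
+function enable_backports {
+  echo "deb http://ftp.us.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
+}
+
+function remove_proprietary_repos {
+  sed 's/ non-free//g' /etc/apt/sources.list > /tmp/sources.list
+  cp -f /tmp/sources.list /etc/apt/sources.list
+}
+
+function update_the_kernel {
+  cd /opt/scripts/tools
+  ./update_kernel.sh --kernel v3.15.10-bone7
+}
+
+function enable_zram {
+  echo "options zram num_devices=1" >> /etc/modprobe.d/zram.conf
+  echo "#!/bin/bash" > /etc/init.d/zram
+  echo "### BEGIN INIT INFO" >> /etc/init.d/zram
+  echo "# Provides: zram" >> /etc/init.d/zram
+  echo "# Required-Start:" >> /etc/init.d/zram
+  echo "# Required-Stop:" >> /etc/init.d/zram
+  echo "# Default-Start: 2 3 4 5" >> /etc/init.d/zram
+  echo "# Default-Stop: 0 1 6" >> /etc/init.d/zram
+  echo "# Short-Description: Increased Performance In Linux With zRam (Virtual Swap Compressed in RAM)" >> /etc/init.d/zram
+  echo "# Description: Adapted from systemd scripts at https://github.com/mystilleef/FedoraZram" >> /etc/init.d/zram
+  echo "### END INIT INFO" >> /etc/init.d/zram
+  echo "start() {" >> /etc/init.d/zram
+  echo "    # get the number of CPUs" >> /etc/init.d/zram
+  echo "    num_cpus=$(grep -c processor /proc/cpuinfo)" >> /etc/init.d/zram
+  echo "    # if something goes wrong, assume we have 1" >> /etc/init.d/zram
+  echo "    [ \"$num_cpus\" != 0 ] || num_cpus=1" >> /etc/init.d/zram
+  echo "    # set decremented number of CPUs" >> /etc/init.d/zram
+  echo "    decr_num_cpus=$((num_cpus - 1))" >> /etc/init.d/zram
+  echo "    # get the amount of memory in the machine" >> /etc/init.d/zram
+  echo "    mem_total_kb=$(grep MemTotal /proc/meminfo | grep -E --only-matching '[[:digit:]]+')" >> /etc/init.d/zram
+  echo "    mem_total=$((mem_total_kb * 1024))" >> /etc/init.d/zram
+  echo "    # load dependency modules" >> /etc/init.d/zram
+  echo "    modprobe zram num_devices=$num_cpus" >> /etc/init.d/zram
+  echo "    # initialize the devices" >> /etc/init.d/zram
+  echo "    for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+  echo "    echo $((mem_total / num_cpus)) > /sys/block/zram$i/disksize" >> /etc/init.d/zram
+  echo "    done" >> /etc/init.d/zram
+  echo "    # Creating swap filesystems" >> /etc/init.d/zram
+  echo "    for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+  echo "    mkswap /dev/zram$i" >> /etc/init.d/zram
+  echo "    done" >> /etc/init.d/zram
+  echo "    # Switch the swaps on" >> /etc/init.d/zram
+  echo "    for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+  echo "    swapon -p 100 /dev/zram$i" >> /etc/init.d/zram
+  echo "    done" >> /etc/init.d/zram
+  echo "}" >> /etc/init.d/zram
+  echo "stop() {" >> /etc/init.d/zram
+  echo "    # get the number of CPUs" >> /etc/init.d/zram
+  echo "    num_cpus=$(grep -c processor /proc/cpuinfo)" >> /etc/init.d/zram
+  echo "    # set decremented number of CPUs" >> /etc/init.d/zram
+  echo "    decr_num_cpus=$((num_cpus - 1))" >> /etc/init.d/zram
+  echo "    # Switching off swap" >> /etc/init.d/zram
+  echo "    for i in $(seq 0 $decr_num_cpus); do" >> /etc/init.d/zram
+  echo "    if [ \"$(grep /dev/zram$i /proc/swaps)\" != \"\" ]; then" >> /etc/init.d/zram
+  echo "    swapoff /dev/zram$i" >> /etc/init.d/zram
+  echo "    sleep 1" >> /etc/init.d/zram
+  echo "    fi" >> /etc/init.d/zram
+  echo "    done" >> /etc/init.d/zram
+  echo "    sleep 1" >> /etc/init.d/zram
+  echo "    rmmod zram" >> /etc/init.d/zram
+  echo "}" >> /etc/init.d/zram
+  echo "case \"$1\" in" >> /etc/init.d/zram
+  echo "    start)" >> /etc/init.d/zram
+  echo "        start" >> /etc/init.d/zram
+  echo "        ;;" >> /etc/init.d/zram
+  echo "    stop)" >> /etc/init.d/zram
+  echo "        stop" >> /etc/init.d/zram
+  echo "        ;;" >> /etc/init.d/zram
+  echo "    restart)" >> /etc/init.d/zram
+  echo "        stop" >> /etc/init.d/zram
+  echo "        sleep 3" >> /etc/init.d/zram
+  echo "        start" >> /etc/init.d/zram
+  echo "        ;;" >> /etc/init.d/zram
+  echo "    *)" >> /etc/init.d/zram
+  echo "        echo \"Usage: $0 {start|stop|restart}\"" >> /etc/init.d/zram
+  echo "        RETVAL=1" >> /etc/init.d/zram
+  echo "esac" >> /etc/init.d/zram
+  echo "exit $RETVAL" >> /etc/init.d/zram
+  chmod +x /etc/init.d/zram
+  update-rc.d zram defaults
+}
+
+function hardware_random_number_generator
+  apt-get -y install rng-tools
+  sed 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools > /tmp/rng-tools
+  cp -f /tmp/rng-tools /etc/default/rng-tools
+  service rng-tools restart
+}
+
+function configure_ssh {
+  sed 's/PermitRootLogin without-password/PermitRootLogin no/g' /etc/ssh/sshd_config > /tmp/sshd_config
+  cp -f /tmp/sshd_config /etc/ssh/sshd_config
+  sed 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config > /tmp/sshd_config
+  cp -f /tmp/sshd_config /etc/ssh/sshd_config
+  sed 's/ServerKeyBits 1024/ServerKeyBits 4096/g' /etc/ssh/sshd_config > /tmp/sshd_config
+  cp -f /tmp/sshd_config /etc/ssh/sshd_config
+  sed 's/TCPKeepAlive yes/TCPKeepAlive no/g' /etc/ssh/sshd_config > /tmp/sshd_config
+  cp -f /tmp/sshd_config /etc/ssh/sshd_config
+  sed 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config > /tmp/sshd_config
+  cp -f /tmp/sshd_config /etc/ssh/sshd_config
+  sed 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config > /tmp/sshd_config
+  cp -f /tmp/sshd_config /etc/ssh/sshd_config
+  echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
+  echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
+  echo "Ciphers aes256-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+  echo "MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+  KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1" >> /etc/ssh/sshd_config
+  service ssh restart
+  apt-get -y install fail2ban
+}
+
+function regenerate_ssh_keys {
+  rm -f /etc/ssh/ssh_host_*
+  dpkg-reconfigure openssh-server
+  service ssh restart
+}
+
+function set_your_domain_name {
+  echo "$DOMAIN_NAME" > /etc/hostname
+  hostname $DOMAIN_NAME
+  echo "127.0.1.1  $DOMAIN_NAME" >> /etc/hosts
+}
+
+function time_synchronisation {
+  apt-get -y install build-essential automake git pkg-config autoconf libtool libssl-dev
+  apt-get -y remove ntpdate
+  mkdir $INSTALL_DIR
+  cd $INSTALL_DIR
+  git clone https://github.com/ioerror/tlsdate.git
+  cd $INSTALL_DIR/tlsdate
+  ./autogen.sh
+  ./configure
+  make
+  make install
+
+  echo "#!/bin/bash" > /usr/bin/updatedate
+  echo "TIMESOURCE=google.com" >> /usr/bin/updatedate
+  echo "TIMESOURCE2=www.ptb.de" >> /usr/bin/updatedate
+  echo "LOGFILE=/var/log/tlsdate.log" >> /usr/bin/updatedate
+  echo "TIMEOUT=5" >> /usr/bin/updatedate
+  echo "EMAIL=$MY_USERNAME@$DOMAIN_NAME" >> /usr/bin/updatedate
+  echo "# File which contains the previous date as a number" >> /usr/bin/updatedate
+  echo "BEFORE_DATE_FILE=/var/log/tlsdateprevious.txt" >> /usr/bin/updatedate
+  echo "# File which contains the previous date as a string" >> /usr/bin/updatedate
+  echo "BEFORE_FULLDATE_FILE=/var/log/tlsdate.txt" >> /usr/bin/updatedate
+  echo "DATE_BEFORE=$(date)" >> /usr/bin/updatedate
+  echo "BEFORE=$(date -d "$Y-$M-$D" '+%s')" >> /usr/bin/updatedate
+  echo "BACKWARDS_BETWEEN=0" >> /usr/bin/updatedate
+  echo "# If the date was previously set" >> /usr/bin/updatedate
+  echo "if [[ -f \"$BEFORE_DATE_FILE\" ]]; then" >> /usr/bin/updatedate
+  echo "    BEFORE_FILE=$(cat $BEFORE_DATE_FILE)" >> /usr/bin/updatedate
+  echo "    BEFORE_FULLDATE=$(cat $BEFORE_FULLDATE_FILE)" >> /usr/bin/updatedate
+  echo "    # is the date going backwards?" >> /usr/bin/updatedate
+  echo "    if (( BEFORE_FILE > BEFORE )); then" >> /usr/bin/updatedate
+  echo "        echo -n \"Date went backwards between tlsdate updates. \" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "        echo -n \"$BEFORE_FILE > $BEFORE, \" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "        echo \"$BEFORE_FULLDATE > $DATE_BEFORE\" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "        # Send a warning email" > /usr/bin/updatedate
+  echo "        echo $(tail $LOGFILE -n 2) | mail -s \"tlsdate anomaly\" $EMAIL" >> /usr/bin/updatedate
+  echo "        # Try another time source" >> /usr/bin/updatedate
+  echo "        TIMESOURCE=$TIMESOURCE2" >> /usr/bin/updatedate
+  echo "        # try running without any parameters" >> /usr/bin/updatedate
+  echo "        tlsdate >> $LOGFILE" >> /usr/bin/updatedate
+  echo "        BACKWARDS_BETWEEN=1" >> /usr/bin/updatedate
+  echo "    fi" >> /usr/bin/updatedate
+  echo "fi" >> /usr/bin/updatedate
+  echo "# Set the date" >> /usr/bin/updatedate
+  echo "/usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE -p 443 >> $LOGFILE" >> /usr/bin/updatedate
+  echo "DATE_AFTER=$(date)" >> /usr/bin/updatedate
+  echo "AFTER=$(date -d "$Y-$M-$D" '+%s')" >> /usr/bin/updatedate
+  echo "# After setting the date did it go backwards?" >> /usr/bin/updatedate
+  echo "if (( AFTER < BEFORE )); then" >> /usr/bin/updatedate
+  echo "    echo \"Incorrect date: $DATE_BEFORE -> $DATE_AFTER\" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    # Send a warning email" >> /usr/bin/updatedate
+  echo "    echo $(tail $LOGFILE -n 2) | mail -s \"tlsdate anomaly\" $EMAIL" >> /usr/bin/updatedate
+  echo "    # Try resetting the date from another time source" >> /usr/bin/updatedate
+  echo "    /usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE2 -p 443 >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    DATE_AFTER=$(date)" >> /usr/bin/updatedate
+  echo "    AFTER=$(date -d "$Y-$M-$D" '+%s')" >> /usr/bin/updatedate
+  echo "else" >> /usr/bin/updatedate
+  echo "    echo -n $TIMESOURCE >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    if [[ -f \"$BEFORE_DATE_FILE\" ]]; then" >> /usr/bin/updatedate
+  echo "        echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "        echo -n $BEFORE_FILE >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    fi" >> /usr/bin/updatedate
+  echo "    echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    echo -n $BEFORE >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    echo -n $AFTER >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    echo -n \" \" >> $LOGFILE" >> /usr/bin/updatedate
+  echo "    echo $DATE_AFTER >> $LOGFILE" >> /usr/bin/updatedate
+  echo "fi" >> /usr/bin/updatedate
+  echo "# Log the last date" >> /usr/bin/updatedate
+  echo "if [ BACKWARDS_BETWEEN == 0 ]; then" >> /usr/bin/updatedate
+  echo "    echo \"$AFTER\" > $BEFORE_DATE_FILE" >> /usr/bin/updatedate
+  echo "    echo \"$DATE_AFTER\" > $BEFORE_FULLDATE_FILE" >> /usr/bin/updatedate
+  echo "    exit 0" >> /usr/bin/updatedate
+  echo "else" >> /usr/bin/updatedate
+  echo "    exit 1" >> /usr/bin/updatedate
+  echo "fi" >> /usr/bin/updatedate
+  chmod +x /usr/bin/updatedate
+  echo "*/15           * *   *   *   root /usr/bin/updatedate" >> /etc/crontab
+  service cron restart
+
+  echo "#!/bin/bash" > /etc/init.d/tlsdate
+  echo "# /etc/init.d/tlsdate" >> /etc/init.d/tlsdate
+  echo "### BEGIN INIT INFO" >> /etc/init.d/tlsdate
+  echo "# Provides:          tlsdate" >> /etc/init.d/tlsdate
+  echo "# Required-Start:    $remote_fs $syslog" >> /etc/init.d/tlsdate
+  echo "# Required-Stop:     $remote_fs $syslog" >> /etc/init.d/tlsdate
+  echo "# Default-Start:     2 3 4 5" >> /etc/init.d/tlsdate
+  echo "# Default-Stop:      0 1 6" >> /etc/init.d/tlsdate
+  echo "# Short-Description: Initially calls tlsdate with the timewarp option" >> /etc/init.d/tlsdate
+  echo "# Description:       Initially calls tlsdate with the timewarp option" >> /etc/init.d/tlsdate
+  echo "### END INIT INFO" >> /etc/init.d/tlsdate
+  echo "# Author: Bob Mottram <bob@robotics.uk.to>" >> /etc/init.d/tlsdate
+  echo "PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin'" >> /etc/init.d/tlsdate
+  echo "LOGFILE=\"/var/log/tlsdate.log\"" >> /etc/init.d/tlsdate
+  echo "TLSDATECOMMAND=\"tlsdate --timewarp -l -H www.ptb.de -p 443 >> $LOGFILE\"" >> /etc/init.d/tlsdate
+  echo "#Start-Stop here" >> /etc/init.d/tlsdate
+  echo "case "$1" in" >> /etc/init.d/tlsdate
+  echo "  start)" >> /etc/init.d/tlsdate
+  echo "    echo "tlsdate started"" >> /etc/init.d/tlsdate
+  echo "    $TLSDATECOMMAND" >> /etc/init.d/tlsdate
+  echo "    ;;" >> /etc/init.d/tlsdate
+  echo "  stop)" >> /etc/init.d/tlsdate
+  echo "    echo "tlsdate stopped"" >> /etc/init.d/tlsdate
+  echo "    ;;" >> /etc/init.d/tlsdate
+  echo "  restart)" >> /etc/init.d/tlsdate
+  echo "    echo "tlsdate restarted"" >> /etc/init.d/tlsdate
+  echo "    $TLSDATECOMMAND" >> /etc/init.d/tlsdate
+  echo "    ;;" >> /etc/init.d/tlsdate
+  echo "    *)" >> /etc/init.d/tlsdate
+  echo "  echo "Usage: $0 {start|stop|restart}"" >> /etc/init.d/tlsdate
+  echo "  exit 1" >> /etc/init.d/tlsdate
+  echo "  ;;" >> /etc/init.d/tlsdate
+  echo "esac" >> /etc/init.d/tlsdate
+  echo "exit 0" >> /etc/init.d/tlsdate
+  chmod +x /etc/init.d/tlsdate
+  update-rc.d tlsdate defaults
+}
+
+function defend_against_port_scanning
+  apt-get -y install portsentry
+}
+
+function configure_firewall {
+  iptables -P INPUT ACCEPT
+  ip6tables -P INPUT ACCEPT
+  iptables -F
+  ip6tables -F
+  iptables -X
+  ip6tables -X
+  iptables -P INPUT DROP
+  ip6tables -P INPUT DROP
+}
+
+function configure_firewall_for_email {
+  iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+  iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
+  iptables -A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT
+  iptables -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT
+  iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
+}
+
+function save_firewall_settings {
+	# TODO
+}
+
+function configure_internet_protocol {
+  sed "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  sed "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf > /tmp/sysctl.conf
+  cp -f /tmp/sysctl.conf /etc/sysctl.conf
+  echo "# ignore pings" >> /etc/sysctl.conf
+  echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
+  echo "net.ipv6.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
+  echo "# disable ipv6" >> /etc/sysctl.conf
+  echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
+  echo "net.ipv4.tcp_synack_retries = 2" >> /etc/sysctl.conf
+  echo "net.ipv4.tcp_syn_retries = 1" >> /etc/sysctl.conf
+  echo "# keepalive" >> /etc/sysctl.conf
+  echo "net.ipv4.tcp_keepalive_probes = 9" >> /etc/sysctl.conf
+  echo "net.ipv4.tcp_keepalive_intvl = 75" >> /etc/sysctl.conf
+  echo "net.ipv4.tcp_keepalive_time = 7200" >> /etc/sysctl.conf
+}
+
+function script_to_make_self_signed_certificates {
+  echo "#!/bin/bash" > /usr/bin/makecert
+  echo "HOSTNAME=$1" >> /usr/bin/makecert
+  echo "COUNTRY_CODE=\"US\"" >> /usr/bin/makecert
+  echo "AREA=\"Free Speech Zone\"" >> /usr/bin/makecert
+  echo "LOCATION=\"Freedomville\"" >> /usr/bin/makecert
+  echo "ORGANISATION=\"Freedombone\"" >> /usr/bin/makecert
+  echo "UNIT=\"Freedombone Unit\"" >> /usr/bin/makecert
+  echo "if ! which openssl > /dev/null ;then" >> /usr/bin/makecert
+  echo "    echo "$0: openssl is not installed, exiting" 1>&2" >> /usr/bin/makecert
+  echo "    exit 1" >> /usr/bin/makecert
+  echo "fi" >> /usr/bin/makecert
+  echo "openssl req -x509 -nodes -days 3650 -sha256 -subj \"/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME\" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt" >> /usr/bin/makecert
+  echo "openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam" >> /usr/bin/makecert
+  echo "chmod 400 /etc/ssl/private/$HOSTNAME.key" >> /usr/bin/makecert
+  echo "chmod 640 /etc/ssl/certs/$HOSTNAME.crt" >> /usr/bin/makecert
+  echo "chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam" >> /usr/bin/makecert
+  echo "/etc/init.d/nginx reload" >> /usr/bin/makecert
+  echo "# add the public certificate to a separate directory" >> /usr/bin/makecert
+  echo "# so that we can redistribute it easily" >> /usr/bin/makecert
+  echo "if [ ! -d /etc/ssl/mycerts ]; then" >> /usr/bin/makecert
+  echo "  mkdir /etc/ssl/mycerts" >> /usr/bin/makecert
+  echo "fi" >> /usr/bin/makecert
+  echo "cp /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/mycerts" >> /usr/bin/makecert
+  echo "# Create a bundle of your certificates" >> /usr/bin/makecert
+  echo "cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt" >> /usr/bin/makecert
+  echo "tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt" >> /usr/bin/makecert
+  chmod +x /usr/bin/makecert
+}
+
+function configure_email {
+  apt-get -y remove postfix
+  apt-get -y install exim4 sasl2-bin swaks libnet-ssleay-perl procmail
+  echo "dc_eximconfig_configtype='internet'" > /etc/exim4/update-exim4.conf.conf
+  echo "dc_other_hostnames='$DOMAIN_NAME'" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_relay_nets='192.168.1.0/24'" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf
+  echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf
+  echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf
+  update-exim4.conf
+  sed "s/START=no/START=yes/g" /etc/default/saslauthd > /tmp/saslauthd
+  cp -f /tmp/saslauthd /etc/default/saslauthd
+  /etc/init.d/saslauthd start
+  makecert exim
+  mv /etc/ssl/private/exim.key /etc/exim4
+  mv /etc/ssl/certs/exim.crt /etc/exim4
+  mv /etc/ssl/certs/exim.dhparam /etc/exim4
+  chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
+  chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
+#editor /etc/exim4/exim4.conf.template
+}
+
+initial_setup
+install_editor
+enable_backports
+remove_proprietary_repos
+update_the_kernel
+enable_zram
+hardware_random_number_generator
+configure_ssh
+regenerate_ssh_keys
+set_your_domain_name
+time_synchronisation
+defend_against_port_scanning
+configure_firewall
+configure_firewall_for_email
+save_firewall_settings
+configure_internet_protocol
+script_to_make_self_signed_certificates
+configure_email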
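Review bot: The script does not parse as committed: `function hardware_random_number_generator` (hunk line 106) and `function defend_against_port_scanning` (line 266) lack the opening `{`, and `save_firewall_settings` (lines 289-291) has a comment-only body, which bash rejects as a syntax error; the fixes are `function hardware_random_number_generator {`, `function defend_against_port_scanning {` and a placeholder `:` before the `# TODO`. Every generated script (/etc/init.d/zram, /usr/bin/updatedate, /etc/init.d/tlsdate, /usr/bin/makecert) is emitted with double-quoted `echo` lines, so `$var`, `$1`, `$0` and `$(...)` are expanded on the installer at write time rather than on the target at run time — `num_cpus=$(grep -c processor /proc/cpuinfo)` lands in the file as the installer host's count, `HOSTNAME=$1` in makecert becomes the DOMAIN_NAME argument, line 181 uses `>` instead of `>>` and truncates updatedate mid-way, and `[ BACKWARDS_BETWEEN == 0 ]` on line 217 is missing the `$` so updatedate always exits 1; a quoted heredoc (`cat <<'EOF' > /etc/init.d/zram`) per generated file keeps the text literal and removes the escaping problems. `configure_firewall` sets the `INPUT DROP` policy with no accept for loopback or established traffic, so replies to the installer's own apt, git and tlsdate connections are dropped from that point on, and since `save_firewall_settings` is a TODO nothing survives a reboot; add `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (plus the ip6tables equivalents) before the DROP policy. The `sed ... > /tmp/<name>; cp -f` edits of sources.list, rng-tools, sshd_config, sysctl.conf and saslauthd write as root through fixed names in world-writable /tmp, so a pre-existing file or symlink at that path decides what gets copied back; `mktemp` (or `sed -i`) avoids that.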