Last active: May 11, 2016 10:54
Hardens DNET Masternodes Hosted at http://my.mp-hosting.co.uk/
```bash
#!/bin/bash
# dnet-hardener.sh: one-shot hardening for a freshly provisioned DNET
# masternode VPS. Run once as root. It creates an unprivileged sudo user
# that owns the masternode, removes apache2, disables root SSH login,
# moves SSH off port 22 and stops bash from writing history files.
#####################################################
# Change settings here!!!
#####################################################
username="changeme"
sshport="54814"      # <-- change to random high port!
keepdnetdata="no"    # <-- "yes" or "no": move /root/.darknet to the new user
#####################################################
## Nothing to edit below this line. ##
set -u   # treat an unset variable as an error

# sanity checks before anything is changed
[ "$(id -u)" -eq 0 ] || { echo "run this script as root" >&2; exit 1; }
[ "$username" != "changeme" ] || { echo "set username first" >&2; exit 1; }
case $sshport in ''|*[!0-9]*) echo "sshport must be a number" >&2; exit 1 ;; esac
[ "$sshport" -gt 1023 ] && [ "$sshport" -le 65535 ] || { echo "sshport out of range" >&2; exit 1; }
if id "$username" >/dev/null 2>&1; then echo "user $username already exists" >&2; exit 1; fi

# get the password from the command line (not masked; watch for shoulder surfers)
echo "Enter a password for $username (it will not be masked):"
printf "Password: "
read -r clearpass
[ -n "$clearpass" ] || { echo "empty password" >&2; exit 1; }

# set locale (non-interactive so the script does not stop at a dialog)
locale-gen en_US en_US.UTF-8 hu_HU hu_HU.UTF-8
dpkg-reconfigure -f noninteractive locales
update-locale

# hash the password as SHA-512 crypt ("$6$salt$hash") and add the user.
# The salt comes from /dev/urandom, and the password reaches perl through
# the environment rather than argv so it is not visible in `ps`.
pwsalt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
password=$(PW="$clearpass" SALT="$pwsalt" perl -e 'print crypt($ENV{PW}, "\$6\$$ENV{SALT}\$")')
useradd -m -p "$password" -s /bin/bash "$username"

# determine home folder from the passwd database
homefolder=$(getent passwd "$username" | cut -d: -f6)
[ -n "$homefolder" ] && [ -d "$homefolder" ] || { echo "no home dir for $username" >&2; exit 1; }

# stop the masternode in case it is running ("not running" is not an error)
[ -x /root/darknet-cli ] && { /root/darknet-cli stop || true; }

# move the dnet data dir to the new user (only if it exists and we want to keep it)
if [ -d /root/.darknet ] && [ "$keepdnetdata" = "yes" ]; then
    mv /root/.darknet "$homefolder"/
fi
# move the dnet executables to the user's home dir
mv /root/darknet* "$homefolder"/ || echo "warning: nothing matched /root/darknet*" >&2

# remove apache -- it's not needed
service apache2 stop 2>/dev/null || true
apt-get -y remove 'apache2*'

# add our user to sudoers through the sudo group (no hand-editing of /etc/group,
# which assumed GID 27 and an empty member list)
getent group sudo >/dev/null || apt-get -y install sudo
usermod -aG sudo "$username"

# disallow root login via ssh and change port. The patterns also catch the
# commented-out and "prohibit-password" defaults of newer OpenSSH; if a
# directive is missing entirely it is appended instead.
sed -i.bak -E 's/^#?PermitRootLogin[[:space:]]+[a-z-]+/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i -E "s/^#?Port[[:space:]]+[0-9]+/Port $sshport/" /etc/ssh/sshd_config
grep -qE '^PermitRootLogin[[:space:]]+no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
grep -qE "^Port[[:space:]]+$sshport" /etc/ssh/sshd_config || echo "Port $sshport" >> /etc/ssh/sshd_config
# if a host firewall (ufw/iptables) is active, allow $sshport before this restart
sshd -t || { echo "sshd_config is invalid; see sshd_config.bak" >&2; exit 1; }
service ssh restart

# don't keep a history file because it is a security problem (exported so
# subshells inherit it)
echo "export HISTFILE=/dev/null" >> "$homefolder/.profile"
echo "export HISTFILE=/dev/null" >> /root/.profile

# change all ownership to the new user and its login group
chown -R "$username:" "$homefolder"

# indicate success; the address is the token after "src" in `ip route get`
# output (the last field is "uid N" on newer iproute2, not the address)
addr=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }')
echo "Successful termination. Don't forget to test login remotely with:"
echo
echo "ssh -p $sshport $username@$addr"
```
Most Linux VPSes are poorly configured for security out of the box. For example, they have apache2 enabled, use the root account as the primary login, allow remote root login over SSH, run SSH on port 22, and even have bash history enabled. I created this script to fix these major issues.
This script by no means hardens for production, but it's good enough for masternodes like DNET, where the masternode output is kept on a remote server.
To use this script, edit the file and set the username and a new random high port number for SSH. It is recommended not to use the defaults.
Download the script like this:
wget https://gist.github.com/Grandpa-Jones/28d6588c980975931c84/raw/5b69f15f67ea90819ff844a7058da6e6ce612a21/dnet-hardener.sh
Then edit it at the top.
pico dnet-hardener.sh
Then run it:
bash dnet-hardener.sh
It will prompt for the new user's password (which will show when you type it, so make sure no one is looking over your shoulder). The final instructions give you a hint on how to access the machine as the new user.
Test the remote login for the new user before logging out as root, or you will need to reinstall your VM.
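A post-hardening check to run before that last root session is closed, added here as an example; it is not part of the gist. It parses sshd_config, /etc/group and `ip route get` output the way the script relies on them (first uncommented sshd directive wins, sudo group membership, the address after `src`), and ships with constructed sample data (the user name `mnode`, the port 54814 and the 203.0.113.0/24 addresses are made up, not captured from a real host) so the parsing runs offline; `live_checks` applies the same functions to the real host.

```bash
#!/bin/bash
# Post-hardening checks for a host that ran dnet-hardener.sh.
# Added example, not part of the gist. Each check reads its input from
# stdin and returns 0 (pass) or 1 (fail), so it can be fed either a real
# file or the constructed samples at the bottom.

# Effective value of an sshd_config keyword. sshd uses the first
# uncommented occurrence, so "#PermitRootLogin prohibit-password" left
# behind by a sed edit must not count. Keywords inside Match blocks are
# not distinguished here.
sshd_effective() {  # sshd_effective <keyword>   (sshd_config on stdin)
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

check_root_login_disabled() {   # sshd_config on stdin
    [ "$(sshd_effective PermitRootLogin)" = "no" ]
}

check_ssh_port() {              # check_ssh_port <port>   (sshd_config on stdin)
    [ "$(sshd_effective Port)" = "$1" ]
}

# Is <user> a member of <group>? Input is /etc/group format on stdin.
in_group() {                    # in_group <group> <user>
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# Address to use for the test login: the token after "src" in
# `ip route get` output. The last field is not reliable because newer
# iproute2 appends "uid N".
primary_src_addr() {            # `ip route get` output on stdin
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Run every check against the live host; prints one line per check.
live_checks() {                 # live_checks <username> <sshport>
    local user=$1 port=$2 rc=0
    check_root_login_disabled < /etc/ssh/sshd_config && echo "ok   PermitRootLogin no" \
        || { echo "FAIL PermitRootLogin is not 'no'"; rc=1; }
    check_ssh_port "$port" < /etc/ssh/sshd_config && echo "ok   Port $port" \
        || { echo "FAIL Port is not $port"; rc=1; }
    in_group sudo "$user" < /etc/group && echo "ok   $user in sudo group" \
        || { echo "FAIL $user not in sudo group"; rc=1; }
    if dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -q 'ok installed'; then
        echo "FAIL apache2 still installed"; rc=1
    else
        echo "ok   apache2 absent"
    fi
    grep -qE '^(export )?HISTFILE=/dev/null$' /root/.profile && echo "ok   root HISTFILE disabled" \
        || { echo "FAIL root HISTFILE not disabled"; rc=1; }
    echo "test login with: ssh -p $port $user@$(ip route get 8.8.8.8 | primary_src_addr)"
    return "$rc"
}

# Constructed samples (not captured from a real host) for offline testing.
SAMPLE_SSHD='#PermitRootLogin prohibit-password
PermitRootLogin no
#Port 22
Port 54814
PasswordAuthentication yes'
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,mnode
mnode:x:1000:'
SAMPLE_ROUTE='8.8.8.8 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 0
    cache'

# Self-test on the samples; returns non-zero on the first failure.
selftest() {
    printf '%s\n' "$SAMPLE_SSHD"  | check_root_login_disabled || return 1
    printf '%s\n' "$SAMPLE_SSHD"  | check_ssh_port 54814      || return 1
    if printf '%s\n' "$SAMPLE_SSHD" | check_ssh_port 22; then return 1; fi
    printf '%s\n' "$SAMPLE_GROUP" | in_group sudo mnode       || return 1
    if printf '%s\n' "$SAMPLE_GROUP" | in_group sudo bob; then return 1; fi
    [ "$(printf '%s\n' "$SAMPLE_ROUTE" | primary_src_addr)" = 203.0.113.10 ] || return 1
    echo "selftest ok"
}

# With no arguments run the self-test; with <username> <sshport> check the host.
if [ "$#" -eq 2 ]; then live_checks "$1" "$2"; else selftest; fi
```

Run it as root right after the hardener, e.g. `bash check-hardening.sh mnode 54814` (file name and values assumed): a `FAIL` line on `PermitRootLogin` or `Port` means the sed edit did not take on this distribution's sshd_config and should be fixed by hand before the root session is closed.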