installer

dinamical.sh

#!/bin/bash

while echo $1 | grep -q ^-; do
    eval $( echo $1 | sed 's/^-//' )=$2
    shift
    shift
done

msg(){
    
    echo -e "\033[0;32m $1\e[0m"

    # TAIL TELEGRAM
    if [[ $tailTelegram ]]; then
        curl -s -X POST https://api.telegram.org/${tailTelegram}/sendMessage -d text="$1" -d chat_id=-146803356
    fi

}

msg "Installing security server from *desarrolloactivo.com*. "

SSHPort=2222

rootpassword="testing"

URL="https://desarrolloactivo.com/scripts/"

# IMPORT CONFIG FILE
if [[ -f $CONFIG_FILE ]]; then
        . $CONFIG_FILE
fi

# SWAP SPACE
if [[ $swap == yes ]]; then
    msg "CREATING SWAP SPACE"
    sudo fallocate -l 6G /swapfile
    sudo chmod 600 /swapfile
    sudo mkswap /swapfile
    sudo swapon /swapfile
    sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
fi

# FIX LOCALES
msg "FIXING LOCALES"
echo LC_ALL=\'en_US.UTF-8\' >> /etc/environment
sudo locale-gen en_US.UTF-8
export LC_ALL=C
sudo dpkg-reconfigure locales

# FIX DIALOG
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y dialog

#comment #GRUB_HIDDEN_TIMEOUT=0
msg "SETTING GRUB_HIDDEN_TIMEOUT=0"
sed -i '/GRUB_HIDDEN_TIMEOUT/s/^/#/g' /etc/default/grub
sudo update-grub

# ADD SAFE USER
msg "ADDING SAFE USER"
useradd -s /bin/bash -m -d /home/ubuntu -c "ubuntu" ubuntu
gpasswd -a ubuntu sudo
echo ubuntu:$rootpassword | /usr/sbin/chpasswd

# COPY AUTHORIZED_KEYS TO UBUNTU .SSH USER
msg "COPING AUTHORIZED_KEYS TO UBUNTU .SSH USER"
sudo -u ubuntu ssh-keygen -q -b 4096 -t rsa -N "" -f ~ubuntu/.ssh/id_rsa
cat ~/.ssh/authorized_keys > ~ubuntu/.ssh/authorized_keys
chown ubuntu:ubuntu ~ubuntu/.ssh/authorized_keys

# UPDATE & UPGRADE SYSTEM
msg "UPDATING AND UPGRADING SYSTEM"
apt-get -y update;
apt-get -y upgrade;
apt-get -y dist-upgrade;
apt-get -y autoremove;

# ADD SOME LIBRARY
msg "ADDING SOME LIBRARY"
apt-get install -y curl openssl libssl-dev pkg-config;
apt-get install unzip

# NGINX
if [[ $nginx == yes ]]; then
    msg "INSTALLING NGINX"
    source <(curl ${URL}"nginx.sh")
    # SSL
    if [[ $ssl == yes ]]; then
        source <(curl ${URL}"ssl.sh")
    fi    
fi

# NODEJS + NPM UPDATE
if [[ $nodejs == yes ]]; then
    msg "INSTALLING NODEJS"
    curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
    apt-get install -y nodejs
    apt-get install -y build-essential
    npm update npm -g
    node -v

    sudo npm install -g npm-update-outdated
fi

# GIT
if [[ $gitinst ]]; then
    msg "INSTALLING GIT"
    source <(curl ${URL}"git-inst.sh")
fi

# ADD-GITHUB-RSA-PUB
if [[ $github ]]; then
    msg "ADDING GITHUB-RSA-PUB"
    source <(curl ${URL}"github.sh") ${github}
fi

# PM2
if [[ $pm2 == yes ]]; then
    msg "INSTALLING PM2"
    npm install pm2 -g
    sudo su -c "env PATH=$PATH:/usr/bin pm2 startup linux -u ubuntu --hp /home/ubuntu"
fi

# PM2-GUI
if [[ $pm2gui == yes ]]; then
    msg "INSTALLING PM2-GUI / authorization = AuTh"
    sudo ufw allow 8088/tcp

    sudo npm install pm2-gui -g
    cp ./usr/lib/node_modules/pm2-gui/pm2-gui.ini /etc/pm2-gui.ini

    su - ubuntu -c "pm2 start /usr/lib/node_modules/pm2-gui/pm2-gui.js --name pm2-gui"
    su - ubuntu -c "pm2 save"
    
    # sudo pm2 start /usr/lib/node_modules/pm2-gui/pm2-gui.js --name pm2-gui
    # sudo pm2 save
fi

# HTOP
if [[ $htop == yes ]]; then
    msg "INSTALLING HTOP"
    source <(curl ${URL}"htop.sh")
fi

# GULP
if [[ $gulp == yes ]]; then
    msg "INSTALLING GULP"
    npm install --global gulp
fi

# MONGODB
if [[ $mongodb == yes ]]; then
    msg "INSTALLING MONGODB"
    source <(curl ${URL}"mongodb.sh")
fi

# BANNER
if [[ $banner == yes ]]; then
    msg "CREATING BANNER SECURITY LOGIN"
    source <(curl ${URL}"banner.sh")
fi

# DACMS
if [[ $dacms == yes ]]; then
    msg "INSTALLING DACMS SERVER"
    source <(curl ${URL}"dacms.sh")
fi

# UFW
if [[ $ufw == yes ]]; then
    msg "INSTALLING UFW FIREWALL"
    source <(curl ${URL}"ufw.sh")
fi

# SECLOGIN
if [[ $secLogin == yes ]]; then
    msg "CONFIGURING SOME SECURE PARAMETERS"

    sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
    # sed -i 's/^\(PermitRootLogin\s\)[yY][eE][sS]/\1without-password/' /etc/ssh/sshd_config
    sed -i -e '/^UsePAM/s/^.*$/UsePAM no/' /etc/ssh/sshd_config
    sed -i -e '/^#PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
fi

# ChangeSSHPort
if [[ $SSHPort != 22 ]]; then
    msg "CHANGING DEFAULT SSH PORT 22 TO 2222"
    sed -i -e '/^Port/s/^.*$/Port '${SSHPort}'/' /etc/ssh/sshd_config
fi

# FAIL2BAN
if [[ $fail2ban == yes ]]; then
    msg "INSTALLING AND CONFIGURING FAIL2BAN"
    source <(curl ${URL}"fail2ban.sh")
fi

# NTP
if [[ $ntp == yes ]]; then
    msg "INSTALLING AND CONFIGURING NTP"
    source <(curl ${URL}"ntp.sh")
fi

# SECURITY CHECK
if [[ $securityCheck == yes ]]; then
    msg "INSTALLING SECURITY CHECK APPLICATION"
    sudo apt-get install -y lynis
fi

# UNATTEDED-UPGRADES
if [[ $unattended == yes ]]; then
    msg "INSTALLING AND CONFIGURING UNATTENDED SYSTEM"
    source <(curl ${URL}"unattended.sh")
fi

# ECOSYSTEM
if [[ $ecosystem == yes ]]; then
    msg "STARTING PM2 ecosystem.json"
    source <(curl ${URL}"ecosystem.sh") 
fi

msg "END INSTALATION / http://${host}:8088/auth"

service ssh restart

fail2ban.sh

#!/bin/bash

sudo apt-get update -y
sudo apt-get install fail2ban -y

#sudo apt-get -y install ufw fail2ban

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

cat > /etc/fail2ban/jail.local << "EOF"

#
# FAIL2BAN SETUP CONFIG
#

[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# Testing to 10 default 3600
findtime  = 10

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is choses as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@localhost

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

[sshd]
enabled = true
port = 2222
filter = sshd
banaction = ufw
logpath = /var/log/auth.log
maxretry = 3

[sshd-ddos]
enabled = true
banaction = ufw
port    = 2222
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3

[apache-badbots]
enabled  = true
banaction = ufw
port    = http,https
filter   = apache-badbots
logpath  = /var/log/auth.log
bantime  = 172800
maxretry = 2

[nginx-http-auth]
enabled = true
banaction = ufw
port = http,https
filter = nginx-http-auth
logpath = /var/log/auth.log
maxretry = 3

[nginx-botsearch]

port     = http,https
logpath  = /var/log/auth.log
maxretry = 2

#
# Mail servers
#

[sendmail-auth]

port    = submission,465,smtp
logpath = %(syslog_mail)s


[sendmail-reject]

port     = smtp,465,submission
logpath  = %(syslog_mail)s

EOF

# ------------------------------------------------------------------------------------------

# IGNORE IP + LOCAL IP
IGNORE_IP="127.0.0.1/8 $(curl ipinfo.io/ip)"

sudo service fail2ban restart