Server Bootstrap
# To use this script run:
#   curl -O https://raw.github.com/gist/1395181/d9147fd2aa0ca24ec609c188438d1eec60f8ffb4/bootstrap.sh; chmod +x bootstrap.sh; sudo ./bootstrap.sh
# The script also assumes a group with admin privileges
# called "admin" already exists. If it does not, you may want
# to check by running visudo:
#
# Create sudo group:
# (may not be necessary: LTS now has an admin group by default)
#   visudo
#   %admin ALL=(ALL) ALL
#   /usr/sbin/groupadd admin
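# Everything below (adduser, usermod, writing /etc/ssh and /etc/iptables.up.rules)
# needs root; the header says to run this via sudo. Fail here, before any
# prompt, instead of half-way through.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root (sudo ./bootstrap.sh)." >&2
  exit 1
fi
echo ""
echo ""
echo "Checking your linux release:"
echo ""
cat /etc/lsb-release
echo ""
echo ""
echo "BOOTSTRAP:"
echo "----------------------------------------"
echo "This will configure a default user, secure your SSH, and supply some utility scripts for further installation of system essentials, ruby, etc."
echo ""
# Ask before touching the system. `read -r` keeps backslashes literal, and
# exiting when read fails (EOF, or stdin not a terminal) avoids the original
# endless "Please answer yes or no." loop.
while true; do
  read -r -p "Do you wish to bootstrap this server? (yes or no):" yn || exit 1
  case "$yn" in
    [Yy]* ) break;;
    [Nn]* ) exit;;
    * ) echo "Please answer yes or no.";;
  esac
done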
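echo ""
echo "STEP ONE: SETUP YOUR USER ACCOUNT."
echo "----------------------------------------"
echo "We're going to disable root authentication and create a user account to access the server."
echo ""
echo -n "Enter your username for this server: "
read -r DEFAULT_USERNAME
# An empty name would turn every path below into /home//.ssh and the chown
# into ":" — refuse it. The pattern is the conservative adduser/useradd name
# rule (lowercase letter or '_' first, then letters, digits, '_' or '-').
if [ -z "$DEFAULT_USERNAME" ]; then
  echo "No username given; aborting." >&2
  exit 1
fi
if [[ ! "$DEFAULT_USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
  echo "Invalid username '$DEFAULT_USERNAME'; aborting." >&2
  exit 1
fi
# Setup my user account. adduser is interactive (asks for a password etc.);
# if it fails there is no account to configure, so stop.
if ! /usr/sbin/adduser "$DEFAULT_USERNAME"; then
  echo "adduser failed; aborting." >&2
  exit 1
fi
# The header assumes an 'admin' group with sudo rights exists; say so if it
# doesn't instead of failing silently.
if ! /usr/sbin/usermod -a -G admin "$DEFAULT_USERNAME"; then
  echo "WARNING: could not add $DEFAULT_USERNAME to group 'admin' (does the group exist? see visudo)." >&2
fi
# Setup SSH for my user. Use the home directory adduser actually assigned,
# falling back to the conventional /home/<user>. authorized_keys is left empty;
# the user adds keys later (see FINAL STEPS). 700/600 are the modes sshd's
# StrictModes requires.
home_dir=$(getent passwd "$DEFAULT_USERNAME" | cut -d: -f6)
home_dir=${home_dir:-/home/$DEFAULT_USERNAME}
ssh_dir="$home_dir/.ssh"
mkdir -p -- "$ssh_dir"
touch -- "$ssh_dir/authorized_keys"
chown -R "$DEFAULT_USERNAME:$DEFAULT_USERNAME" -- "$ssh_dir"
chmod 700 -- "$ssh_dir"
chmod 600 -- "$ssh_dir/authorized_keys"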
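# Update SSH config.
echo ""
echo ""
echo "STEP TWO: UPDATE YOUR SSH SETTINGS."
echo "----------------------------------------"
echo "Your SSH configuration will now be opened in nano with suggested modifications."
echo ""
while true; do
  read -r -p "Do you want to continue? (yes or no): " yn || exit 1
  case "$yn" in
    [Yy]* ) break;;
    [Nn]* ) exit;;
    * ) echo "Please answer yes or no.";;
  esac
done
# -f makes curl fail on an HTTP error instead of saving the error page; without
# it a 404 body would have become the top of sshd_config. -L follows redirects.
if ! curl -fLO https://raw.github.com/gist/1395181/51d243e28e66b5341057dc75bab72347fe8fc3af/sshmods; then
  echo "Could not download sshmods; leaving /etc/ssh/sshd_config untouched." >&2
  exit 1
fi
# AllowUsers with no argument is a config error that would lock everyone out
# on the next reload, so only write it when a username is known.
if [ -n "$DEFAULT_USERNAME" ]; then
  echo "AllowUsers $DEFAULT_USERNAME" >> sshmods
else
  echo "WARNING: DEFAULT_USERNAME is empty; not adding an AllowUsers line." >&2
fi
echo "# --------------------------------------------------" >> sshmods
cat /etc/ssh/sshd_config >> sshmods
# Backup first, then swap the assembled file in place.
cp /etc/ssh/sshd_config ./sshd_config.backup
mv sshmods /etc/ssh/sshd_config
nano /etc/ssh/sshd_config
# Validate the edited file now: a syntax error would otherwise surface only at
# the reload in FINAL STEPS, possibly with no way back in.
if ! /usr/sbin/sshd -t; then
  echo "WARNING: sshd rejected /etc/ssh/sshd_config; fix it before reloading ssh (backup: ./sshd_config.backup)." >&2
fi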
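# Setup default IPTables
echo ""
echo ""
echo "STEP THREE: IPTABLES"
echo "----------------------------------------"
echo "Some default IP rules will now be opened in nano. ENSURE THE PORT MATCHES THE PORT YOU SET IN YOUR SSH CONFIG! i.e. 30000"
echo ""
while true; do
  read -r -p "Do you want to continue? (yes or no): " yn || exit 1
  case "$yn" in
    [Yy]* ) break;;
    [Nn]* ) exit;;
    * ) echo "Please answer yes or no.";;
  esac
done
# Fetch both files before changing the firewall. The original ran
# `iptables -F` first, so a failed download left the host with empty chains
# until reboot. -f: HTTP errors are failures, not saved error pages.
if ! curl -fLO https://raw.github.com/gist/1395181/cee84792277eb77c6dd5b1afabc815622896324f/iptables.up.rules; then
  echo "Could not download iptables.up.rules; firewall left unchanged." >&2
  exit 1
fi
if ! curl -fLO https://raw.github.com/gist/1395181/c1a1ebe10fb9c9d4fe4c9f28c217b5d101b857f9/iptables; then
  echo "Could not download the if-pre-up iptables hook; firewall left unchanged." >&2
  rm -f -- iptables.up.rules
  exit 1
fi
mv iptables.up.rules /etc/iptables.up.rules
nano /etc/iptables.up.rules
# No separate flush: iptables-restore (without --noflush) replaces the tables
# named in the file, and on a parse error it applies nothing, so a typo made in
# nano leaves the previous rules in place rather than an empty ruleset.
if ! /sbin/iptables-restore < /etc/iptables.up.rules; then
  echo "WARNING: iptables-restore rejected /etc/iptables.up.rules; rules NOT applied. Fix the file and re-run: /sbin/iptables-restore < /etc/iptables.up.rules" >&2
fi
/sbin/iptables -L
# Install the hook that reloads the rules when an interface comes up.
mv iptables /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
echo ""
echo "iptables will automatically be reloaded via the script installed here: /etc/network/if-pre-up.d/iptables"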
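echo ""
echo "All done! Now just some final changes."
echo "--------------------------------------------"
echo "Grabbing utility scripts for further setup."
echo "--------------------------------------------"
echo ""
echo ""

#######################################
# Download one helper script into the current directory and make it
# executable. The URLs below are pinned to a specific gist revision.
# Arguments: $1 - URL to fetch
#            $2 - local file name to save it under
# Outputs:   "Installed:" banner on stdout; failures on stderr
# Returns:   0 if the file was fetched and chmod'ed, 1 otherwise
#            (the caller carries on; a missing helper is not fatal)
#######################################
fetch_script() {
  local url=$1 name=$2
  # -f: treat HTTP errors as failures instead of saving the error page;
  # -o: write straight to the final name, so no rename step is needed.
  if ! curl -fL -o "$name" "$url"; then
    echo "WARNING: could not download $name from $url" >&2
    rm -f -- "$name"
    return 1
  fi
  chmod +x -- "$name"
  echo "-----------------------------------------"
  echo "Installed: $name"
  echo ""
  echo ""
}

# Download various bootstrap script
fetch_script https://raw.github.com/gist/450334/3e439622391fb8d42063c1bce231c4e794d16cac/Ruby_1.9.3_on_Ubuntu_10.4 install_ruby_1.9.3.sh
fetch_script https://raw.github.com/gist/1395181/b10fc3f3fd91c391ed7836e9b373bc8e471b2584/update_bashrc.sh update_bashrc.sh
fetch_script https://raw.github.com/gist/1395181/ad20e58b0c8a4d0df41585bc30f03940db553be3/setup_locale.sh setup_locale.sh
fetch_script https://raw.github.com/gist/1395181/40ad21645817a29ef6d3408c2cd42fcb955d8ce3/safe_upgrade.sh safe_upgrade.sh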
# Final instructions. Nothing is reloaded here: the SSH reload is left to the
# user so it happens only after an authorized key is in place (the new config
# restricts logins to the new user via AllowUsers).
cat <<'EOF'
FINAL STEPS:
-----------------------------------------
All done! Now just install the safe upgrades:
./safe_upgrade.sh

Then, once you have added your SSH keys be sure to run:
/etc/init.d/ssh reload


EOF
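#!/bin/sh
# ifupdown pre-up hook: load the saved IPv4 filter rules before the interface
# comes up. The exit status of iptables-restore is passed through unchanged —
# ifupdown treats a failing pre-up hook as a failure to bring the interface up,
# and that fail-closed behaviour is kept on purpose. The logger call only makes
# the failure visible in syslog instead of silent.
/sbin/iptables-restore < /etc/iptables.up.rules
rc=$?
if [ "$rc" -ne 0 ]; then
  logger -t iptables -p daemon.err "iptables-restore failed (status $rc) for /etc/iptables.up.rules"
fi
exit "$rc"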
*filter
# IPv4 filter table, loaded with iptables-restore. Nothing here is applied to
# ip6tables, so if this host has IPv6 connectivity these rules do not cover it.
# No chain policy lines are set in this file; the explicit REJECT rules at the
# end are what enforce the default deny.
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
# (only this one port is opened; if sshd is still listening on 22 when these
# rules load, new connections to 22 fall through to the final REJECT)
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Allow ping (echo requests; not rate-limited)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
# (rate-limited to 5/min so a flood cannot fill the log; level 7 is "debug",
# so the kernel/syslog filter must admit debug messages for these to appear)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
# (REJECT answers with an ICMP error rather than silently dropping)
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# Custom Prompt: magenta user@host, yellow working directory, colour reset
# before the trailing ": ".
PS1='\[\033[0;35m\]\u@\h\[\033[0;33m\] \w\[\033[00m\]: '
# aptitude shortcuts. NOTE: 'install' and 'remove' shadow real commands
# (coreutils install(1) in particular) — in an interactive shell
# `install -d dir` becomes `sudo aptitude install -d dir`.
alias update='sudo aptitude update'
alias upgrade='sudo aptitude safe-upgrade'
alias install='sudo aptitude install'
alias remove='sudo aptitude remove'
# Report memory in megabytes by default.
alias free='free -m'
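#!/usr/bin/env bash
# Update System.
# Stop at the first failing step: with the original unchained commands a failed
# 'aptitude update' still went on to upgrade and install from stale lists.
set -e
sudo aptitude update
sudo aptitude safe-upgrade
sudo aptitude install build-essential
# I consider git mandatory.
sudo aptitude install git-core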
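#!/usr/bin/env bash
# Setup Locale
# Generates a locale and makes it the system default. The locale name may be
# given as the first argument; it defaults to en_US.UTF-8, the value the
# script previously hard-coded.
locale=${1:-en_US.UTF-8}
# Show the current settings first so the change is visible in the transcript.
/usr/bin/locale
# Don't point LANG at a locale that was never generated.
sudo /usr/sbin/locale-gen "$locale" || exit 1
sudo /usr/sbin/update-locale LANG="$locale"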
# Suggested changes to sshd_config (uncomment the lines you want to apply)
# --------------------------------------------------
# Port 30000
# Protocol 2
# PermitRootLogin no
# PasswordAuthentication no
# UseDNS no
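#!/usr/bin/env bash
# Add .bashrc mixins.
# Appends the prompt/alias snippet to the user's ~/.bashrc and opens the
# result in nano. Works on $HOME explicitly rather than whatever the current
# directory happens to be.
set -e
cd "$HOME"
# Keep a copy of the current file. 'cp', not the original 'mv': with 'mv' the
# live .bashrc ended up containing only the mixins, and the user's own settings
# survived only in the backup.
if [ -f .bashrc ]; then
  cp -- .bashrc .bashrc.backup
fi
# -f: fail on an HTTP error rather than appending the error page to .bashrc
# (set -e then stops before the cat). -L follows redirects.
curl -fLO https://raw.github.com/gist/1395181/215c0c41c78538196143a8566ab6ae5ce1e7e373/prompt_and_aliases
cat prompt_and_aliases >> .bashrc
rm -- prompt_and_aliases
nano .bashrc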