Base install over a Debian 9 x64 minimal server, with certbot, webmin, csf & lfd and fail2ban
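#!/bin/bash
## Base install over a Debian 9 (stretch) x64 minimal server: apt sources and
## signing keys, webmin, csf/lfd, tools, mail stack (postfix/dovecot/amavis),
## nginx, HHVM, pure-ftpd, fail2ban (banning through csf) and jailkit.
## Filesystem ext4
## Run as root. Several steps stay interactive on purpose (apt dist-upgrade,
## postfix setup, mysql_secure_installation, openssl req).
set -euo pipefail

# Check if user has root privileges
if [[ $EUID -ne 0 ]]; then
  echo "You must run the script as root or using sudo"
  exit 1
fi

# Scratch directory for downloaded keys, keyrings and tarballs; the original
# dropped them into whatever the current directory was. Removed on any exit.
workdir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT
cd "$workdir"

apt-get update && apt install lsb-release wget bash curl debhelper apt-transport-https -y

## Reconfigure Dash (make /bin/sh point at bash instead of dash)
echo "dash dash/sh boolean false" | debconf-set-selections
dpkg-reconfigure -f noninteractive dash > /dev/null 2>&1

## Replace the apt sources; the original list is kept with this run's PID as suffix
mv /etc/apt/sources.list "/etc/apt/sources.list_$$.bkp"
cat > /etc/apt/sources.list <<'EOF'
deb http://ftp.stw-bonn.de/debian/ stretch main contrib non-free
deb-src http://ftp.stw-bonn.de/debian/ stretch main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
deb http://ftp.stw-bonn.de/debian/ stretch-updates main contrib non-free
deb-src http://ftp.stw-bonn.de/debian/ stretch-updates main contrib non-free
# stretch-backports
deb http://httpredir.debian.org/debian/ stretch-backports main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch-backports main contrib non-free
# debian multimedia
deb [arch=i386,amd64] http://www.deb-multimedia.org stretch main non-free
EOF
cat > /etc/apt/sources.list.d/nginx.list <<'EOF'
# nginx pre built packages
deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx
EOF
#echo "# php7.1 repo debian 9
#deb https://packages.sury.org/php/ stretch main" > /etc/apt/sources.list.d/php7.list

## Repository signing keys.
# NOTE(review): the deb-multimedia keyring package and the webmin key are
# fetched over plain HTTP, so anyone on the path could hand us a different key;
# compare their fingerprints with the vendors' published values before trusting
# the repositories they unlock.
wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2016.8.1_all.deb
dpkg -i deb-multimedia-keyring_2016.8.1_all.deb
wget https://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key
#curl https://packages.sury.org/php/apt.gpg | apt-key add -
echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

# Each step on its own line so a failed upgrade stops the run instead of being
# silently skipped (dist-upgrade is left interactive, as in the original).
apt update
apt dist-upgrade
apt autoclean
apt autoremove -y

# installing webmin
apt-get -y install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libwww-perl
apt-get -y install unzip zoo unzip bzip2 arj nomarch lzop cabextract daemon zip binutils net-tools sudo webmin

# csf firewall (installed from the upstream tarball, fetched over HTTPS)
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
sh /usr/local/csf/bin/remove_apf_bfd.sh
cd "$workdir"

# tools etc.
apt-get -y install mc htop multitail rsync ssh openssh-server openssl dnsmasq resolvconf ntp ntpdate
apt-get -y install unattended-upgrades apt-listchanges ca-certificates
apt-get -y install git autoconf automake libtool build-essential flex bison software-properties-common dirmngr
apt-get -y install certbot -t stretch-backports

# fixing the "Last login:" for ssh;
touch /var/log/lastlog
chgrp utmp /var/log/lastlog
chmod 664 /var/log/lastlog

# mail with blazing fast dovecot CLucene text-search
# mariadb-server is installed HERE, before its config is edited below; the
# original edited /etc/mysql/mariadb.conf.d/50-server.cnf and ran
# mysql_secure_installation before the package existed.
apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server getmail4 rkhunter
# stretch-backports is signed by the Debian archive keys apt already trusts, so
# --allow-unauthenticated (which switched signature checking off) is dropped.
apt-get -y install -t stretch-backports dovecot-lucene dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd
apt-get -y install amavisd-new spamassassin clamav clamav-daemon clamav-docs
apt-get -y install libnet-ldap-perl libauthen-sasl-perl libio-string-perl libio-socket-ssl-perl libnet-ident-perl libnet-dns-perl postgrey

## To secure the MariaDB / MySQL installation and to disable the test database, run this command:
# NOTE(review): with bind-address commented out MariaDB no longer binds to
# localhost only; reaching it from outside then depends on csf keeping the
# MySQL port closed. Verify that rule exists before exposing the host.
sed -i 's|bind-address|#bind-address|' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's|# this is only for embedded server|sql_mode=NO_ENGINE_SUBSTITUTION|' /etc/mysql/mariadb.conf.d/50-server.cnf
mysql_secure_installation
service mysql restart

# Path to the PHP FastCGI binary: php-cgi7.1
# Path to the php.ini directory: /etc/php/7.1/cgi/php.ini
# Path to the PHP-FPM init script: php7.1-fpm
# Path to the php.ini directory: /etc/php/7.1/fpm/php.ini
# Path to the PHP-FPM pool directory: /etc/php/7.1/fpm/pool.d
# The cli version for e.g. cron jobs has the name php7.1.
#apt-get -y install php7.1 php7.1-cli php7.1-cgi php7.1-fpm php7.1-mysql php7.1-curl php7.1-gd php7.1-intl php7.1-imap php7.1-mcrypt php7.1-memcached php7.1-pspell php7.1-recode php7.1-sqlite3 php7.1-tidy php7.1-xmlrpc php7.1-xsl php7.1-mbstring
#apt-get -y install php-pear php-imagick php-bcmath php-zipphp-memcache php-gettext
#apt-get -y install mcrypt imagemagick ssl-cert

# nginx 1.13.x with ALPN and HTTP 2.0 etc. (backports is signed; no
# --allow-unauthenticated needed, see above)
apt-get -y install -t stretch-backports nginx

### Install HHVM
# NOTE(review): this trusts a 64-bit key id pulled from a keyserver rather than
# a full fingerprint; compare it with the fingerprint HHVM publishes before
# relying on the repository.
apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xB4112585D386EB94
add-apt-repository https://dl.hhvm.com/debian
apt-get update && apt-get -y install hhvm
update-rc.d -f hhvm remove
echo 'hhvm.mysql.socket = /var/run/mysqld/mysqld.sock' >> /etc/hhvm/php.ini

# Change ini do PHP. The php packages above are commented out, so the glob may
# match nothing; nullglob keeps sed from being handed the literal pattern.
shopt -s nullglob
php_inis=(/etc/ph*/*/php.ini)
shopt -u nullglob
for ini in "${php_inis[@]}"; do
  sed -i 's|;cgi.fix_pathinfo=1|cgi.fix_pathinfo=0|' "$ini"
  sed -i 's|upload_max_filesize = 2M|upload_max_filesize = 256M|' "$ini"
  sed -i 's|post_max_size = 8M|post_max_size = 256M|' "$ini"
  sed -i 's|error_reporting = E_ALL & ~E_DEPRECATED|error_reporting = E_ERROR|' "$ini"
  sed -i 's|short_open_tag = Off|short_open_tag = On|' "$ini"
  sed -i "s|;date.timezone =|date.timezone = 'Europe\/Ljubljana'|" "$ini"
done
# only restart php-fpm when it is actually installed
if command -v php-fpm7.1 >/dev/null 2>&1; then
  service php7.1-fpm restart
fi

apt-get -y install pure-ftpd-common pure-ftpd-mysql fcgiwrap fail2ban
sed -i 's|VIRTUALCHROOT=false|VIRTUALCHROOT=true|' /etc/default/pure-ftpd-common
## echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
# Self-signed cert+key for pure-ftpd; created under umask 077 so the private
# key is never world-readable, not even between creation and the chmod.
(
  umask 077
  openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
)
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart

# merging CSF blocks with fail2ban: every stock jail is disabled in jail.conf,
# the wanted ones are re-enabled in jail.local with the csf-ip-deny action.
sed -i "s|enabled = true|enabled = false|g" /etc/fail2ban/jail.conf
sed -i -e "s|banaction = |banaction = csf-ip-deny\n#banaction = |" /etc/fail2ban/jail.conf
cat > /etc/fail2ban/action.d/csf-ip-deny.conf <<'EOF'
# send fail2ban blocks to CSF
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = csf -d <ip> Added by Fail2Ban for <name>
actionunban = csf -dr <ip>
[Init]
name = default
EOF
cat > /etc/fail2ban/filter.d/fail2ban.conf <<'EOF'
[Definition]
# Count all bans in the logfile
failregex = fail2ban.actions: WARNING [(.*)] Ban
# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex = fail2ban.actions: WARNING [fail2ban] Ban
EOF
cat > /etc/fail2ban/jail.local <<'EOF'
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
action = csf-ip-deny[name=pure-ftpd]
logpath = /var/log/syslog
maxretry = 4
[dovecot]
enabled = true
filter = dovecot
action = csf-ip-deny[name=dovecot]
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
action = csf-ip-deny[name=postfix-sasl]
logpath = /var/log/mail.log
maxretry = 6
EOF
cat > /etc/fail2ban/filter.d/wordpress.conf <<'EOF'
# protecting WordPress in fail2ban
[INCLUDES]
before = common.conf
[Definition]
_daemon = wordpress
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
ignoreregex =
##########################################
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
# ^ ignore blog owner IP addresses!
EOF

# stuff I forgot:
apt-get -y install haveged dnsutils awstats geoip-database libclass-dbi-mysql-perl
rm -f /etc/cron.d/awstats

# for Jailkit (chroot ssh users)! https://olivier.sessink.nl/jailkit/faq.html
# NOTE(review): the tarball is fetched over plain HTTP and then built and
# installed as root; check it against the checksum/signature on the project
# page before running this unattended.
cd "$workdir"
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat
./debian/rules binary
cd ..
dpkg -i jailkit_2.19-1_*.deb
# the extracted tree and the .deb sit in $workdir and go with the EXIT trap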
jult commented Mar 9, 2018

Using fail2ban alongside LFD is up for discussion;
fail2ban doesn't offer very user-friendly white-list or black-list options, where CSF&LFD does.
Considering dropping fail2ban entirely; for now I'm watching how it goes running both.
