Base install over debian 9 x64 minimal server, with certbot, webmin, csf&lfd and fail2ban
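#!/bin/bash
## Base install over Debian 9 (stretch) x64 minimal server: apt sources,
## webmin, csf & lfd, mail stack (postfix/dovecot/amavis/spamassassin),
## nginx, HHVM, pure-ftpd, fail2ban wired into csf, and jailkit.
## Filesystem ext4
## Run as root
##
## Several steps are interactive (apt dist-upgrade, mysql_secure_installation,
## openssl req), so run this from a terminal, not from cron.
## No 'set -e' on purpose: some steps are expected to fail harmlessly on a
## minimal box (e.g. the php.ini edits while the PHP packages stay commented
## out); the steps whose failure would break later ones check explicitly.
##
## Trust note: repository keys and installers below are fetched by URL and
## used as-is; there is no checksum or signature check on the downloads
## themselves, so the remote hosts are trusted implicitly.

# Check if user has root privileges
if [[ $EUID -ne 0 ]]; then
  echo "You must run the script as root or using sudo" >&2
  exit 1
fi

apt-get update && apt install lsb-release wget bash curl debhelper apt-transport-https -y

## Reconfigure Dash: point /bin/sh at bash instead of dash
echo "dash dash/sh boolean false" | debconf-set-selections
dpkg-reconfigure -f noninteractive dash > /dev/null 2>&1

## Replace the apt sources; the original is kept next to it as a .bkp
mv /etc/apt/sources.list "/etc/apt/sources.list_$$.bkp"
cat <<'EOF' > /etc/apt/sources.list
deb http://ftp.stw-bonn.de/debian/ stretch main contrib non-free
deb-src http://ftp.stw-bonn.de/debian/ stretch main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
deb http://ftp.stw-bonn.de/debian/ stretch-updates main contrib non-free
deb-src http://ftp.stw-bonn.de/debian/ stretch-updates main contrib non-free
# stretch-backports
deb http://httpredir.debian.org/debian/ stretch-backports main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch-backports main contrib non-free
# debian multimedia
deb [arch=i386,amd64] http://www.deb-multimedia.org stretch main non-free
EOF

cat <<'EOF' > /etc/apt/sources.list.d/nginx.list
# nginx pre built packages
deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx
EOF

#echo "# php7.1 repo debian 9
#deb https://packages.sury.org/php/ stretch main" > /etc/apt/sources.list.d/php7.list

# Keep downloaded keys/packages in /tmp rather than whatever cwd we were
# started from.
cd /tmp || exit 1

# The deb-multimedia signing key ships as a .deb that is installed with dpkg
# without any verification and over plain http -- it is the trust root for
# that repository. TODO(review): verify the keyring package before dpkg -i.
wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2016.8.1_all.deb && dpkg -i deb-multimedia-keyring_2016.8.1_all.deb
wget https://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key
#curl https://packages.sury.org/php/apt.gpg | apt-key add -

echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
# Fetch the webmin key over TLS so the trust root is not taken from a
# plaintext download.
wget https://www.webmin.com/jcameron-key.asc && apt-key add jcameron-key.asc

# dist-upgrade is deliberately not -y here: it prompts before major changes.
apt update && apt dist-upgrade && apt autoclean && apt autoremove -y

# installing webmin
apt-get -y install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libwww-perl
apt-get -y install unzip zoo unzip bzip2 arj nomarch lzop cabextract daemon zip binutils net-tools sudo webmin

# csf firewall -- the installer runs straight out of the downloaded tarball,
# so every step up to it must have succeeded (otherwise 'sh install.sh'
# would run in the wrong directory).
cd /usr/src || exit 1
wget https://download.configserver.com/csf.tgz || exit 1
tar -xzf csf.tgz || exit 1
cd csf || exit 1
sh install.sh
sh /usr/local/csf/bin/remove_apf_bfd.sh

# tools etc.
apt-get -y install mc htop multitail rsync ssh openssh-server openssl dnsmasq resolvconf ntp ntpdate
apt-get -y install unattended-upgrades apt-listchanges ca-certificates
apt-get -y install git autoconf automake libtool build-essential flex bison software-properties-common dirmngr
apt-get -y install certbot -t stretch-backports

# fixing the "Last login:" for ssh;
touch /var/log/lastlog
chgrp utmp /var/log/lastlog
chmod 664 /var/log/lastlog

# mail with blazing fast dovecot CLucene text-search
# (mariadb-server is installed here, so the MariaDB hardening below must
# come after this line, not before it)
apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server getmail4 rkhunter
# backports is signed by Debian, so --allow-unauthenticated is not needed;
# let apt refuse an unsigned package instead of installing it silently.
apt-get -y install -t stretch-backports dovecot-lucene dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd
apt-get -y install amavisd-new spamassassin clamav clamav-daemon clamav-docs
apt-get -y install libnet-ldap-perl libauthen-sasl-perl libio-string-perl libio-socket-ssl-perl libnet-ident-perl libnet-dns-perl postgrey

## To secure the MariaDB / MySQL installation and to disable the test database, run this command:
# NOTE(review): commenting out bind-address makes MariaDB listen on all
# interfaces, not just localhost; csf must keep port 3306 closed from the
# outside -- confirm the csf config before relying on this.
sed -i 's|bind-address|#bind-address|' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's|# this is only for embedded server|sql_mode=NO_ENGINE_SUBSTITUTION|' /etc/mysql/mariadb.conf.d/50-server.cnf
mysql_secure_installation
service mysql restart

# Path to the PHP FastCGI binary: php-cgi7.1
# Path to the php.ini directory: /etc/php/7.1/cgi/php.ini
# Path to the PHP-FPM init script: php7.1-fpm
# Path to the php.ini directory: /etc/php/7.1/fpm/php.ini
# Path to the PHP-FPM pool directory: /etc/php/7.1/fpm/pool.d
# The cli version for e.g. cron jobs has the name php7.1.
#apt-get -y install php7.1 php7.1-cli php7.1-cgi php7.1-fpm php7.1-mysql php7.1-curl php7.1-gd php7.1-intl php7.1-imap php7.1-mcrypt php7.1-memcached php7.1-pspell php7.1-recode php7.1-sqlite3 php7.1-tidy php7.1-xmlrpc php7.1-xsl php7.1-mbstring
#apt-get -y install php-pear php-imagick php-bcmath php-zipphp-memcache php-gettext
#apt-get -y install mcrypt imagemagick ssl-cert

# nginx 1.13.x with ALPN and HTTP 2.0 etc.
# The nginx.org key was added above, so the package is authenticated;
# --allow-unauthenticated dropped for the same reason as for dovecot.
apt-get -y install -t stretch-backports nginx

### Install HHVM
apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xB4112585D386EB94
add-apt-repository https://dl.hhvm.com/debian
apt-get update && apt-get -y install hhvm
# hhvm is installed but not started at boot
update-rc.d -f hhvm remove
echo 'hhvm.mysql.socket = /var/run/mysqld/mysqld.sock' >> /etc/hhvm/php.ini

# Change PHP ini settings (no-op while the PHP packages above stay commented
# out: the glob then matches nothing and sed just reports the missing file)
sed -i 's|;cgi.fix_pathinfo=1|cgi.fix_pathinfo=0|' /etc/ph*/*/php.ini
sed -i 's|upload_max_filesize = 2M|upload_max_filesize = 256M|' /etc/ph*/*/php.ini
sed -i 's|post_max_size = 8M|post_max_size = 256M|' /etc/ph*/*/php.ini
sed -i 's|error_reporting = E_ALL & ~E_DEPRECATED|error_reporting = E_ERROR|' /etc/ph*/*/php.ini
sed -i 's|short_open_tag = Off|short_open_tag = On|' /etc/ph*/*/php.ini
sed -i "s|;date.timezone =|date.timezone = 'Europe\/Ljubljana'|" /etc/ph*/*/php.ini
# only restart php-fpm if it is actually installed
dpkg -s php7.1-fpm >/dev/null 2>&1 && service php7.1-fpm restart

apt-get -y install pure-ftpd-common pure-ftpd-mysql fcgiwrap fail2ban
sed -i 's|VIRTUALCHROOT=false|VIRTUALCHROOT=true|' /etc/default/pure-ftpd-common
## echo 1 > /etc/pure-ftpd/conf/TLS
# self-signed TLS key+cert for pure-ftpd, 20 years, in one file (interactive)
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem && service pure-ftpd-mysql restart

# merging CSF blocks with fail2ban:
# disable every stock jail in jail.conf and route bans through csf; only the
# jails listed in jail.local below are switched back on.
sed -i "s|enabled = true|enabled = false|g" /etc/fail2ban/jail.conf
sed -i -e "s|banaction = |banaction = csf-ip-deny\n#banaction = |" /etc/fail2ban/jail.conf
cat <<'EOF' > /etc/fail2ban/action.d/csf-ip-deny.conf
# send fail2ban blocks to CSF
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = csf -d <ip> Added by Fail2Ban for <name>
actionunban = csf -dr <ip>
[Init]
name = default
EOF
cat <<'EOF' > /etc/fail2ban/filter.d/fail2ban.conf
[Definition]
# Count all bans in the logfile
failregex = fail2ban.actions: WARNING [(.*)] Ban
# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex = fail2ban.actions: WARNING [fail2ban] Ban
EOF
cat <<'EOF' > /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
action = csf-ip-deny[name=pure-ftpd]
logpath = /var/log/syslog
maxretry = 4
[dovecot]
enabled = true
filter = dovecot
action = csf-ip-deny[name=dovecot]
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
action = csf-ip-deny[name=postfix-sasl]
logpath = /var/log/mail.log
maxretry = 6
EOF
cat <<'EOF' > /etc/fail2ban/filter.d/wordpress.conf
# protecting WordPress in fail2ban
[INCLUDES]
before = common.conf
[Definition]
_daemon = wordpress
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
ignoreregex =
##########################################
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
# ^ ignore blog owner IP addresses!
EOF

# stuff I forgot:
apt-get -y install haveged dnsutils awstats geoip-database libclass-dbi-mysql-perl
rm -f /etc/cron.d/awstats

# for Jailkit (chroot ssh users)! https://olivier.sessink.nl/jailkit/faq.html
# Built from source into a .deb; the tarball is fetched over TLS but is not
# otherwise verified. Each step depends on the previous one succeeding.
cd /tmp || exit 1
wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz || exit 1
tar xvfz jailkit-2.19.tar.gz || exit 1
cd jailkit-2.19 || exit 1
echo 5 > debian/compat
./debian/rules binary
cd .. || exit 1
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*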
Using fail2ban alongside LFD is up for discussion;
fail2ban doesn't offer very user-friendly white-list or black-list options, whereas CSF & LFD do.
Considering dropping fail2ban entirely; seeing how it goes using both.