Ubuntu 14.04 management Script
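#!/bin/sh
# Create a sudo-capable deploy user with an SSH key directory and turn off
# SSH password authentication.
#
# Run as root (e.g. `sudo ./this_script`).  The original wrapped the body in
# an interactive `sudo su` ... `su - deploy` ... `exit` sequence: each of those
# opens a shell, and the following lines only run after that shell is closed
# by hand, so the commands never executed as the intended user.  A root check
# and a plain end of script replace it.
#
# Environment:
#   DEPLOY_USER           account to create (default: deploy)
#   DEPLOY_USER_PASSWORD  optional password.  Unset -> the account keeps the
#                         locked password set by `adduser --disabled-password`
#                         (key-only login).  The original hard-coded "deploy",
#                         which on a sudo-group member is a known credential
#                         for local root.
#   DEPLOY_USER_PUBKEY    optional OpenSSH public key line appended to
#                         ~/.ssh/authorized_keys
set -eu

DEPLOY_USER=${DEPLOY_USER:-deploy}
DEPLOY_USER_PASSWORD=${DEPLOY_USER_PASSWORD:-}
DEPLOY_USER_PUBKEY=${DEPLOY_USER_PUBKEY:-}
HOME_DIR=/home/${DEPLOY_USER}
SSHD_CONFIG=/etc/ssh/sshd_config

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must run as root" >&2
  exit 1
fi

#============================
# create deploy user (skipped when the account already exists, so the
# script can be re-run)
#============================
if ! id "${DEPLOY_USER}" >/dev/null 2>&1; then
  adduser --disabled-password --gecos "" "${DEPLOY_USER}"
fi
adduser "${DEPLOY_USER}" sudo
if [ -n "${DEPLOY_USER_PASSWORD}" ]; then
  printf '%s:%s\n' "${DEPLOY_USER}" "${DEPLOY_USER_PASSWORD}" | chpasswd
else
  echo "DEPLOY_USER_PASSWORD not set; ${DEPLOY_USER} keeps a locked password (key-only login)" >&2
fi

# create .ssh folder and authorized_keys, readable by the user only
mkdir -p "${HOME_DIR}/.ssh"
chmod 700 "${HOME_DIR}/.ssh"
touch "${HOME_DIR}/.ssh/authorized_keys"
chmod 600 "${HOME_DIR}/.ssh/authorized_keys"
if [ -n "${DEPLOY_USER_PUBKEY}" ] \
   && ! grep -qF -- "${DEPLOY_USER_PUBKEY}" "${HOME_DIR}/.ssh/authorized_keys"; then
  printf '%s\n' "${DEPLOY_USER_PUBKEY}" >> "${HOME_DIR}/.ssh/authorized_keys"
fi
# home dir (and everything under it) owned by the deploy user
chown -R "${DEPLOY_USER}:${DEPLOY_USER}" "${HOME_DIR}"

# lockout warning: once PasswordAuthentication is off only key logins work
if [ ! -s "${HOME_DIR}/.ssh/authorized_keys" ]; then
  echo "warning: ${HOME_DIR}/.ssh/authorized_keys is empty; ${DEPLOY_USER} cannot log in over SSH until a key is added" >&2
fi

# turn off ssh password authentication.  Three cases: directive present,
# directive commented out, directive absent.  In the last case sshd falls
# back to its default (yes), so the original's "skipping" branch left
# password login enabled; the directive is appended instead.
if grep -q '^PasswordAuthentication.*$' "${SSHD_CONFIG}"; then
  echo "PasswordAuthentication is not commented, turning off explicitly..."
  sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication no/g' "${SSHD_CONFIG}"
elif grep -q '^#PasswordAuthentication' "${SSHD_CONFIG}"; then
  echo "PasswordAuthentication is commented , turning off explicitly..."
  sed -i 's/^#PasswordAuthentication.*$/PasswordAuthentication no/g' "${SSHD_CONFIG}"
else
  echo "PasswordAuthentication is absent (sshd defaults to yes), adding explicitly..."
  printf 'PasswordAuthentication no\n' >> "${SSHD_CONFIG}"
fi
# check the config before restarting so a broken file cannot take sshd down
/usr/sbin/sshd -t
service ssh restart

# to work as the new account afterwards:  su - "${DEPLOY_USER}"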
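#!/bin/sh
# Create and activate a swap file at /swapfile.
#
# Environment:
#   SWAP_MB  size of the swap file in MiB (default: 256, which is what the
#            original `bs=1024 count=256k` produced)
#
# Check existing swap and free disk space first:
#   sudo swapon -s
#   df
set -eu

SWAP_FILE=/swapfile
SWAP_MB=${SWAP_MB:-256}

# never overwrite an existing (possibly active) swap file
if [ -e "${SWAP_FILE}" ]; then
  echo "${SWAP_FILE} already exists, not overwriting" >&2
  exit 1
fi

# write zeros to the swap file (bs=1024 -> count is in KiB)
sudo dd if=/dev/zero of="${SWAP_FILE}" bs=1024 count=$((SWAP_MB * 1024))
# the file will hold memory pages, so it must not be world-readable; the
# original only mentioned this in a comment and left dd's default mode
sudo chown root:root "${SWAP_FILE}"
sudo chmod 0600 "${SWAP_FILE}"
# prepare the swap file by creating a linux swap area
sudo mkswap "${SWAP_FILE}"
# activate the swap file
sudo swapon "${SWAP_FILE}"

# The swap file is only active until the machine reboots.  To make it
# permanent add this line to /etc/fstab:
#   /swapfile none swap sw 0 0
# Swappiness should be set to 10 so swap acts as an emergency buffer against
# out-of-memory crashes instead of being used eagerly:
#   echo 10 | sudo tee /proc/sys/vm/swappiness
#   echo vm.swappiness = 10 | sudo tee -a /etc/sysctl.conf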
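#!/bin/sh
# Create a system account for running a service: no home directory and no
# interactive login.
#
# Usage: this_script [username]   (default: mysysusr)
set -eu

#============================
USERNAME=${1:-mysysusr}
#============================

if id "${USERNAME}" >/dev/null 2>&1; then
  echo "user ${USERNAME} already exists, nothing to do" >&2
  exit 0
fi
# -r : system account, no home directory is created
# -s : nologin shell.  `useradd -r` alone keeps the default login shell, so
#      the "no login" intent of the original was not actually enforced.
sudo useradd -r -s /usr/sbin/nologin "${USERNAME}"

# some applications need a home directory; create it only when required:
#   sudo mkdir "/home/${USERNAME}"
#   sudo chown "${USERNAME}:${USERNAME}" "/home/${USERNAME}"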
# Truncate the on-disk bash history file, then list what the shell still
# holds in memory.  Note that `history` without arguments only prints the
# in-memory list; it does not clear it.
: > "${HOME}/.bash_history" && history
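#!/bin/sh
# Apache (httpd) service accounts plus per-user web directories under
# /www/users, each owned by the service account and shared with its user
# through a dedicated setgid group.
#
# Run as root.  Edit httpd.conf by hand first (the original opened vim here,
# which blocks a script):
#   /etc/httpd/conf/httpd.conf:  User daemon  -> User www
#                                Group daemon -> Group wwwgroup
# References:
#   Q7  http://serverfault.com/questions/6895/whats-the-best-way-of-handling-permissions-for-apache2s-user-www-data-in-var
#   umask for multi-user setups (vim /etc/login.defs, change UMASK from 022 to 007):
#       http://askubuntu.com/questions/44542/what-is-umask-and-how-does-it-work
#   setgid on directories: http://www.toptip.ca/2010/03/linux-setgid-on-directory.html
set -eu

WWW_ROOT=/www

# Create account $1 unless it already exists (the original called
# `useradd www` twice, and the second call failed).
ensure_user() {
  id "$1" >/dev/null 2>&1 || useradd "$1"
}

# Create group $1 unless it already exists.
ensure_group() {
  getent group "$1" >/dev/null || groupadd "$1"
}

# Set up $WWW_ROOT/users/$1: owned by wwwserver, group www_$1 shared by the
# web user and the account, mode 2770 so new files inherit the group and
# nobody outside the group can read the tree.
# Arguments: $1 - account name
setup_user_dir() {
  _user=$1
  _dir="${WWW_ROOT}/users/${_user}"
  _group="www_${_user}"

  # -p: the original used plain mkdir, which fails while /www/users is missing
  mkdir -p "${_dir}"
  touch "${_dir}/url.html"
  ensure_group "${_group}"
  usermod -a -G "${_group}" www
  usermod -a -G "${_group}" "${_user}"
  chown -R "wwwserver:${_group}" "${_dir}"
  chmod 2770 "${_dir}"
}

# web server user and group, and the document root
ensure_user www
ensure_group wwwgroup
mkdir -p "${WWW_ROOT}"
chown -R www:wwwgroup "${WWW_ROOT}"
# file owner for the per-user trees, plus the example accounts
ensure_user wwwserver
ensure_user alice
ensure_user bob
ensure_user charlie

setup_user_dir bob
setup_user_dir alice

# restart webserver
/etc/httpd/bin/apachectl -k restart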
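#!/bin/sh
# Grant the deploy group sudo rights: make sure a %sudo rule exists in
# /etc/sudoers and add a passwordless rule for %DEPLOY_USER.
#
# Run as root.  (The original started with an interactive `sudo su`, which
# opens a shell and only runs the rest of the script after that shell exits,
# so the edits below did not run as root.)
#
# Every change is validated with `visudo -c` on a copy before it replaces
# /etc/sudoers: a syntax error in that file disables sudo for every account.
#
# Environment:
#   DEPLOY_USER  group name to grant NOPASSWD sudo to (default: deploy)
set -eu

DEPLOY_USER=${DEPLOY_USER:-deploy}
SUDOERS=/etc/sudoers

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must run as root" >&2
  exit 1
fi

# Append one line to /etc/sudoers through a validated temporary copy.
# Arguments: $1 - the sudoers line to append
# Exits non-zero (leaving /etc/sudoers untouched) if visudo rejects the result.
append_sudoers_line() {
  _tmp=$(mktemp) || exit 1
  cat "${SUDOERS}" > "${_tmp}"
  printf '%s\n' "$1" >> "${_tmp}"
  if ! visudo -c -f "${_tmp}" >/dev/null; then
    echo "refusing to install invalid sudoers line: $1" >&2
    rm -f -- "${_tmp}"
    exit 1
  fi
  # install keeps the required root:root 0440 ownership/mode, which is what
  # the original chmod u+w / chmod u-w dance was trying to preserve
  install -m 0440 -o root -g root "${_tmp}" "${SUDOERS}"
  rm -f -- "${_tmp}"
}

#add %sudo if sudoers does not exist
if grep -q '^%sudo' "${SUDOERS}"; then
  echo "%sudo exists in sudoers, skip adding..."
else
  echo "%sudo does not exists in sudoers, adding..."
  append_sudoers_line "%sudo ALL=(ALL:ALL) ALL"
fi

# add passwordless %DEPLOY_USER.  The original grep pattern was in single
# quotes, so ${DEPLOY_USER} was never expanded, the check never matched and
# the rule was appended again on every run.  The trailing [[:space:]] keeps
# "%deploy" from matching e.g. "%deployer".
# NOPASSWD gives every member of the group root without any prompt, so
# whoever holds the account's SSH key effectively holds root.
if grep -q "^%${DEPLOY_USER}[[:space:]]" "${SUDOERS}"; then
  echo "%${DEPLOY_USER} exists in sudoers, skip adding passwordless %{{DEPLOY_USER}} ..."
else
  echo "%${DEPLOY_USER} does not exists in sudoers, adding passwordless %{{DEPLOY_USER}} ..."
  append_sudoers_line "%${DEPLOY_USER} ALL = (ALL) NOPASSWD: ALL"
fi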
# Interactive transcript, not a script: detach a running program from the
# terminal so it keeps running after logout.  First suspend it with ctrl+z;
# the shell then prints a job line like the one below.  The leading "$ " is
# the shell prompt, not part of the command.
#[1]+ Stopped myprogram
#where 1 is the number displayed in ctrl+z
# disown -h marks job %1 so the shell does not send it SIGHUP on logout;
# with -h the job stays in the job table, so it can still be resumed with bg
$ disown -h %1
#bg: this resumes the running of the program in the background and a message is displayed confirming that.
$ bg 1
#[1]+ myprogram &
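#!/bin/sh
# Run ./server/remote_repo_create.sh on the staging server over ssh.
# {{DEPLOY_USER}}, {{STAGE}} and {{SERVER_IP}} are template placeholders that
# must be substituted before this script is executed.
set -eu

SCRIPT=./server/remote_repo_create.sh

# fail with a clear message instead of the shell's redirect error
if [ ! -r "${SCRIPT}" ]; then
  echo "cannot read ${SCRIPT}" >&2
  exit 1
fi

# use a bash login shell (bash -l) instead of bash stdin (bash -s) so that rvm is loaded
ssh '{{DEPLOY_USER}}@{{STAGE}}_{{SERVER_IP}}' 'bash -l' < "${SCRIPT}"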
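#!/bin/sh
# Set the system timezone and sync the clock with NTP (Ubuntu 14.04).
#
# Environment:
#   TIMEZONE     tz database name (default: Asia/Hong_Kong)
#   NTP_SERVERS  space-separated servers to sync from and add to ntp.conf
#                (default: stdtime.gov.hk plus tw/asia pool hosts)
# For more pool servers see http://www.pool.ntp.org/en/
#
# Interactive alternative for the timezone:  dpkg-reconfigure tzdata
set -eu

TIMEZONE=${TIMEZONE:-Asia/Hong_Kong}
NTP_SERVERS=${NTP_SERVERS:-"stdtime.gov.hk 3.tw.pool.ntp.org 1.asia.pool.ntp.org 2.asia.pool.ntp.org"}
NTP_CONF=/etc/ntp.conf

# install ntp (-y: the original prompted, which blocks an unattended run)
sudo apt-get install -y ntp

# set timezone
printf '%s\n' "${TIMEZONE}" | sudo tee /etc/timezone >/dev/null
sudo dpkg-reconfigure --frontend noninteractive tzdata

# update time from the ntp servers; ntpd is stopped while ntpdate runs.
# ntpdate needs root to set the clock -- the original ran it unprivileged.
sudo service ntp stop
# shellcheck disable=SC2086 -- NTP_SERVERS is intentionally word-split
sudo ntpdate ${NTP_SERVERS}
sudo service ntp start

# add the servers to ntp.conf.  The original appended with a plain `>>`,
# which runs in the unprivileged shell (permission denied) and would add
# duplicate lines on every run; use tee and skip lines already present.
for server in ${NTP_SERVERS}; do
  if ! grep -q "^server ${server}$" "${NTP_CONF}"; then
    printf 'server %s\n' "${server}" | sudo tee -a "${NTP_CONF}" >/dev/null
  fi
done
sudo service ntp restart

## set datetime manually
#sudo date --set "25 Sep 2013 15:00:00"
## write the system time to the hardware clock
#hwclock --systohc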
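# Load the server key into an ssh-agent.
#
# The original ran `ssh-add` before starting the agent and then finished with
# `ssh-add -D`, which removes every loaded identity again.  Here the agent is
# started first (only when none is reachable) and the key is added; the
# delete-all command is kept below as a reference.
#
# Source this file (`. ./this_file`) rather than executing it, otherwise the
# agent's SSH_AUTH_SOCK/SSH_AGENT_PID settings are lost when it exits.
#
# With Vagrant the root key can be copied in first (note: PuTTY keys must be
# exported to OpenSSH format):
#   SERVER_ROOT_PRIVATE_KEY_LOCATION=/vagrant/key/serverrootkey
#   cp "$SERVER_ROOT_PRIVATE_KEY_LOCATION" ~/.ssh/serverkey
#   chmod 600 ~/.ssh/serverkey

KEY_FILE=${KEY_FILE:-"${HOME}/.ssh/serverkey"}

# start key agent unless one is already available in this session
if [ -z "${SSH_AUTH_SOCK:-}" ]; then
  eval "$(ssh-agent -s)"
fi

# add the key (ssh-add itself refuses a missing or world-readable file)
ssh-add "${KEY_FILE}"

# to delete all loaded keys from the agent when done:
#   ssh-add -D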
# Key-based SSH login notes, from
# http://articles.slicehost.com/2010/4/30/ubuntu-lucid-setup-part-1
# generate a key pair on the client (interactive: asks for path and passphrase)
ssh-keygen
# copy the public key into ~/.ssh/authorized_keys of the account the key logs in as
# to turn off password login, open the sshd config (interactive editor) ...
sudo nano /etc/ssh/sshd_config
# ... and make sure the PasswordAuthentication directive is present,
# uncommented and set to "no".  Commenting it out does NOT turn it off: sshd
# then falls back to its default, which is yes.
#   PasswordAuthentication no
# Verify a key login works from a second session before doing this, or the
# host can no longer be reached.
# restart the service so the change takes effect
sudo service ssh restart
#!/bin/sh
# Redraw memory usage (in MiB) every second until interrupted.
exec watch -n 1 free -m
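#!/bin/sh
# Basic host firewall for a web server: allow loopback, established, SSH,
# HTTP/S and ping inbound, everything outbound, reject the rest, and restore
# the rules on boot through an /etc/network/if-up.d hook.
#
# Run as root.  (The original started with `sudo su - root`, which opens an
# interactive shell; the iptables commands only ran after that shell exited,
# as the calling user.)
#
# Environment:
#   WAN_IF  interface for the FORWARD state rule (default: eth0)
set -eu

RULES_FILE=/etc/iptables.rules
RESTORE_SCRIPT=/etc/network/if-up.d/iptables
WAN_IF=${WAN_IF:-eth0}

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must run as root" >&2
  exit 1
fi

# start from empty chains so a re-run does not append a second copy of every
# rule.  Chain policies are left at ACCEPT and the final REJECT rules are
# appended last, so the SSH session running this script is not cut off.
# NOTE: this also removes rules added by other tools on the host.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# allow all loopback (lo) traffic and reject traffic to 127/8 that does not use lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# accept all incoming connections from 127.0.0.1
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# accept established/related inbound connections early so already connected
# services (and this session) are never dropped
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "${WAN_IF}" -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow SSH and HTTP/S
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# allow ping (icmp echo-request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# allow all outbound traffic; tighten this if only certain traffic may leave.
# (The original appended a second OUTPUT rule for NEW,RELATED,ESTABLISHED
# after this unconditional ACCEPT; it could never match and is dropped.)
iptables -A OUTPUT -j ACCEPT
# reject everything else
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

# iptables forgets the rules on reboot: dump them now and restore them from
# an if-up.d hook, which runs whenever a network interface comes up.
# Alternative: a `pre-up iptables-restore < /etc/iptables.rules` line under
# the eth0 stanza of /etc/network/interfaces.
iptables-save > "${RULES_FILE}"
cat > "${RESTORE_SCRIPT}" <<EOF
#!/bin/sh
iptables-restore < ${RULES_FILE}
EOF
chmod +x "${RESTORE_SCRIPT}"

# reboot to verify that the rules are applied on boot; show the active set now
iptables -L -n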