Last active
November 10, 2020 19:18
-
-
Save mandreko/8468845 to your computer and use it in GitHub Desktop.
Ubuntu 13.10 Secure Script (In Progress)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Set Configuration values for postfix | |
| #debconf-set-selections <<< "postfix postfix/root_address string hostess" | |
| #debconf-set-selections <<< "postfix postfix/rfc1035_violation boolean false" | |
| #debconf-set-selections <<< "postfix postfix/relay_restrictions_warning boolean" | |
| #debconf-set-selections <<< "postfix postfix/mydomain_warning boolean" | |
| #debconf-set-selections <<< "postfix postfix/mynetworks string 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128" | |
| #debconf-set-selections <<< "postfix postfix/mailname string www.mattandreko.com" | |
| #debconf-set-selections <<< "postfix postfix/tlsmgr_upgrade_warning boolean" | |
| #debconf-set-selections <<< "postfix postfix/recipient_delim string +"" | |
| #debconf-set-selections <<< "postfix postfix/main_mailer_type select Satellite system" | |
| #debconf-set-selections <<< "postfix postfix/destinations string www.mattandreko.com, localhost.mattandreko.com, localhost" | |
| #debconf-set-selections <<< "postfix postfix/retry_upgrade_warning boolean" | |
| #debconf-set-selections <<< "postfix postfix/kernel_version_warning boolean" | |
| #debconf-set-selections <<< "postfix postfix/not_configured error" | |
| #debconf-set-selections <<< "postfix postfix/sqlite_warning boolean" | |
| #debconf-set-selections <<< "postfix postfix/mailbox_limit string 0" | |
| #debconf-set-selections <<< "postfix postfix/relayhost string smtp.gmail.com" | |
| #debconf-set-selections <<< "postfix postfix/procmail boolean false" | |
| #debconf-set-selections <<< "postfix postfix/bad_recipient_delimiter error" | |
| #debconf-set-selections <<< "postfix postfix/protocols select all" | |
| #debconf-set-selections <<< "postfix postfix/chattr boolean false" | |
| # Add and remove packages | |
| #echo "deb http://ppa.launchpad.net/mandreko/apache/ubuntu saucy main | |
| #deb-src http://ppa.launchpad.net/mandreko/apache/ubuntu saucy main" > /etc/apt/sources.list.d/mandreko-apache.list | |
| #apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4329BDDE5605B601 | |
| apt-get update | |
| DEBIAN_FRONTEND='noninteractive' apt-get -y install git apache2 iodine znc auditd ntp aide apt-show-versions libpam-cracklib libapache2-mod-evasive libapache2-mod-spamhaus libapache2-mod-security2 acct clamav-daemon logcheck syslog-summary rkhunter | |
| dpkg --purge landscape-common | |
| # Configure firewall rules | |
| ufw allow http | |
| ufw allow https | |
| ufw allow ssh | |
| yes | ufw enable | |
| # Secure shared memory | |
| echo -en "tmpfs\t/dev/shm\ttmpfs\tdefaults,noexec,nosuid\t0\t0" >> /etc/fstab | |
| # Secure SSH | |
| sed -i "s/^PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config | |
| sed -i "s/^#PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config | |
| echo "DebianBanner no" >> /etc/ssh/sshd_config | |
| echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour" >> /etc/ssh/sshd_config | |
| echo "MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config | |
| # Secure Apache | |
| sed -i "s/^ServerTokens .*/ServerTokens Prod/" /etc/apache2/conf-available/security.conf | |
| sed -i "s/^ServerSignature .*/ServerSignature Off/" /etc/apache2/conf-available/security.conf | |
| sed -i "s/^TraceEnable .*/TraceEnable Off/" /etc/apache2/conf-available/security.conf | |
| echo "Header unset ETag" >> /etc/apache2/conf-available/security.conf | |
| echo "FileETag None" >> /etc/apache2/conf-available/security.conf | |
| sed -i "s/^#Header set X-Content-Type-Options: \"nosniff\"/Header set X-Content-Type-Options: \"nosniff\"/" /etc/apache2/conf-available/security.conf | |
| sed -i "s/^#Header set X-Frame-Options: \"sameorigin\"/Header set X-Frame-Options: \"sameorigin\"/" /etc/apache2/conf-available/security.conf | |
| echo "Header set X-XSS-Protection \"1; mode=block\"" >> /etc/apache2/conf-available/security.conf | |
| echo "Header set X-Permitted-Cross-Domain-Policies: master-only" >> /etc/apache2/conf-available/security.conf | |
| a2enmod headers | |
| # Configure mod_evasive | |
| sed -i "s/#DOSHashTableSize .*/DOSHashTableSize 3097/" /etc/apache2/mods-enabled/evasive.conf | |
| sed -i "s/#DOSPageCount .*/DOSPageCount 2/" /etc/apache2/mods-enabled/evasive.conf | |
| sed -i "s/#DOSSiteCount .*/DOSSiteCount 50/" /etc/apache2/mods-enabled/evasive.conf | |
| sed -i "s/#DOSPageInterval .*/DOSPageInterval 1/" /etc/apache2/mods-enabled/evasive.conf | |
| sed -i "s/#DOSSiteInterval .*/DOSSiteInterval 1/" /etc/apache2/mods-enabled/evasive.conf | |
| sed -i "s/#DOSBlockingPeriod .*/DOSBlockingPeriod 10/" /etc/apache2/mods-enabled/evasive.conf | |
| # Configure mod_spamhaus | |
| touch /etc/spamhaus.wl | |
| sed -i "s/#MS_WhiteList .*/MS_WhiteList \/etc\/spamhaus.wl/" /etc/apache2/mods-enabled/spamhaus.conf | |
| sed -i "s/#MS_CacheSize .*/MS_CacheSize 256/" /etc/apache2/mods-enabled/spamhaus.conf | |
| # Configure mod-security | |
| mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf | |
| # Disable un-used modules | |
| a2dismod alias | |
| a2dismod authn_file | |
| a2dismod authz_host | |
| a2dismod authz_user | |
| a2dismod autoindex | |
| a2dismod status | |
| # Enable mods that commonly used | |
| a2enmod rewrite | |
| a2enmod alias | |
| a2enmod expires | |
| # Restart service | |
| service apache2 restart | |
| # Secure umask | |
| sed -i "s/^UMASK .*/UMASK 027/" /etc/login.defs | |
| sed -i "s/^PASS_MAX_DAYS .*/PASS_MAX_DAYS 60/" /etc/login.defs | |
| sed -i "s/^umask .*/umask 027/" /etc/init.d/rc | |
| # Disable firewire storage | |
| sed -i "s/^#blacklist firewire-ohci/blacklist firewire-ohci/" /etc/modprobe.d/blacklist-firewire.conf | |
| sed -i "s/^#blacklist firewire-sbp2/blacklist firewire-sbp2/" /etc/modprobe.d/blacklist-firewire.conf | |
| # Disable USB storage | |
| echo -en "blacklist usb-storage" >> /etc/modprobe.d/blacklist.conf | |
| # Secure PostFix banner | |
| sed -i "s/^smtpd_banner = .*/smtpd_banner = \$myhostname ESMTP/" /etc/postfix/main.cf | |
| # Add login banners | |
| echo "******************************************************************** | |
| * * | |
| * This system is for the use of authorized users only. Usage of * | |
| * this system may be monitored and recorded by system personnel. * | |
| * * | |
| * Anyone using this system expressly consents to such monitoring * | |
| * and is advised that if such monitoring reveals possible * | |
| * evidence of criminal activity, system personnel may provide the * | |
| * evidence from such monitoring to law enforcement officials. * | |
| * * | |
| ********************************************************************" > /etc/issue | |
| echo "******************************************************************** | |
| * * | |
| * This system is for the use of authorized users only. Usage of * | |
| * this system may be monitored and recorded by system personnel. * | |
| * * | |
| * Anyone using this system expressly consents to such monitoring * | |
| * and is advised that if such monitoring reveals possible * | |
| * evidence of criminal activity, system personnel may provide the * | |
| * evidence from such monitoring to law enforcement officials. * | |
| * * | |
| ********************************************************************" > /etc/issue.net | |
| # Disable core dumps | |
| echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile | |
| echo -en "*\thard\tcore\t0">>/etc/security/limits.conf | |
| echo -en "*\tsoft\tcore\t0">>/etc/security/limits.conf | |
| # Configure sysctl | |
| echo 'fs.suid_dumpable = 0' >> /etc/sysctl.d/60-kernel-hardening.conf | |
| echo "kernel.core_uses_pid=1" >> /etc/sysctl.d/60-kernel-hardening.conf | |
| echo "kernel.ctrl-alt-del=0" >> /etc/sysctl.d/60-kernel-hardening.conf | |
| echo "kernel.sysrq=0" >> /etc/sysctl.d/60-kernel-hardening.conf | |
| echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.bootp_relay=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.forwarding=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.log_martians=1" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.mc_forwarding=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.proxy_arp=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.conf.default.log_martians=1" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv6.conf.all.accept_source_route=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.d/60-network-security.conf | |
| echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/60-network-security.conf | |
| service procps start | |
| #initialize aide db | |
| aide.wrapper -i | |
| # Configure logcheck | |
| sed -i "s/#SYSLOGSUMMARY=.*/SYSLOGSUMMARY=1/" /etc/logcheck/logcheck.conf | |
| echo "/var/log/apache2/error.log | |
| /var/log/mail.err | |
| /var/log/clamav/clamav.log | |
| /var/log/clamav/freshclam.log | |
| /var/log/aide/aide.log | |
| /var/log/rkhunter.log" >> /etc/logcheck/logcheck.logfiles | |
| # Configure Clam daily scan | |
| echo '#!/bin/sh | |
| freshclam --quiet | |
| clamscan -r /' > /etc/cron.daily/clamav | |
| chmod 755 /etc/cron.daily/clamav | |
| # Configure rkhunter daily scan | |
| echo '#!/bin/sh | |
| rkhunter -c --cronjob' > /etc/cron.daily/rkhunter | |
| chmod 755 /etc/cron.daily/rkhunter | |
| ############################## | |
| # Custom personal deployment # | |
| ############################## | |
| # Add users | |
| adduser hostess --diabled-password --gecos "" --force-badname | |
| adduser mattandreko.com --disabled-password --gecos "" --home /srv/www/mattandreko.com/ --force-badname | |
| # Enforce password changing on next login | |
| passwd -e hostess | |
| passwd -e mattandreko.com | |
| # Add sudo privileges to user | |
| usermod -a -G sudo hostess | |
| # Deploy SSH configuration | |
| mkdir /home/hostess/.ssh | |
| ssh-keygen -t rsa -N "" -f /home/hostess/.ssh/id_rsa | |
| echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7lycUor/c861GeARol7mufaGiXdWEi1NdR2F1iNJKr/2SwbkpBnmsKr+2ko8wk+x2KQzPHkNNNoTO3BUsc1BvInyLlTqmi9L3EjVBxmeprKVIUX/2jLC4wh1V4UVSODU+DCzu1OiNfFos1Tto28p/ZA6mTPm4WrcH5rFTpnzUagS+4EpuPlBjOOCIjL2cphpFV+TvbbFrWyGtB9LIDXajx9Dw5wsyI7SyCIwpgG9zBzg2WuYf5OQcKcSB+OgEzXy2tWTT4og98EI4A26FZ9EdvvwJATQ3gvkmGKh913PvU3528gDt7R5DnkaCHt6hVCaa9JOR5b/W9DCCDGjcw31j mandreko@420-sc02j364hdkq5-man" > /home/hostess/.ssh/authorized_keys | |
| chmod 600 /home/hostess/.ssh/authorized_keys | |
| chown -R hostess.hostess /home/hostess/.ssh | |
| mkdir /srv/www/mattandreko.com/.ssh | |
| ssh-keygen -t rsa -N "" -f /srv/www/mattandreko.com/.ssh/id_rsa | |
| echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7lycUor/c861GeARol7mufaGiXdWEi1NdR2F1iNJKr/2SwbkpBnmsKr+2ko8wk+x2KQzPHkNNNoTO3BUsc1BvInyLlTqmi9L3EjVBxmeprKVIUX/2jLC4wh1V4UVSODU+DCzu1OiNfFos1Tto28p/ZA6mTPm4WrcH5rFTpnzUagS+4EpuPlBjOOCIjL2cphpFV+TvbbFrWyGtB9LIDXajx9Dw5wsyI7SyCIwpgG9zBzg2WuYf5OQcKcSB+OgEzXy2tWTT4og98EI4A26FZ9EdvvwJATQ3gvkmGKh913PvU3528gDt7R5DnkaCHt6hVCaa9JOR5b/W9DCCDGjcw31j mandreko@420-sc02j364hdkq5-man" > /srv/www/mattandreko.com/.ssh/authorized_keys | |
| chmod 600 /srv/www/mattandreko.com/.ssh/authorized_keys | |
| chown -R mattandreko.com:mattandreko.com /srv/www/mattandreko.com/.ssh | |
| # Create website folders | |
| mkdir -p /srv/www/mattandreko.com/{logs,public_html,src} | |
| chown mattandreko.com:mattandreko.com /srv/www/mattandreko.com/{logs,public_html,src} | |
| # Enable SSL module | |
| a2enmod ssl | |
| #install ssl private key - TODO | |
| # Configure logcheck email address | |
| sed -i "s/SENDMAILTO=\".*\"/SENDMAILTO=\"mandreko@gmail.com\"/" /etc/logcheck/logcheck.conf | |
| # Create certificate files (public only) | |
| echo '-----BEGIN CERTIFICATE----- | |
| MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW | |
| MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg | |
| Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh | |
| dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcxMDI0MjA1NDE3WjCB | |
| jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT | |
| IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0 | |
| YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB | |
| IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj0PREGBiE | |
| gFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo/OenJOJA | |
| pgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn66+6CPAVv | |
| kvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+vWjhwRRI/ | |
| ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxDKslIDlc5 | |
| xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21TLwb0pwID | |
| AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD | |
| VR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaAFE4L7xqkQFul | |
| F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov | |
| L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0 | |
| YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3 | |
| dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0 | |
| c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu | |
| BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0 | |
| BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl | |
| LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAIQlJPqWIbuALi0jaMU2P91ZXouHTYlfp | |
| tVbzhUV1O+VQHwSL5qBaPucAroXQ+/8gA2TLrQLhxpFy+KNN1t7ozD+hiqLjfDen | |
| xk+PNdb01m4Ge90h2c9W/8swIkn+iQTzheWq8ecf6HWQTd35RvdCNPdFWAwRDYSw | |
| xtpdPvkBnufh2lWVvnQce/xNFE+sflVHfXv0pQ1JHpXo9xLBzP92piVH0PN1Nb6X | |
| t1gW66pceG/sUzCv6gRNzKkC4/C2BBL2MLERPZBOVmTX3DxDX3M570uvh+v2/miI | |
| RHLq0gfGabDBoYvvF0nXYbFFSF87ICHpW7LM9NfpMfULFWE7epTj69m8f5SuauNi | |
| YpaoZHy4h/OZMn6SolK+u/hlz8nyMPyLwcKmltdfieFcNID1j0cHL7SRv7Gifl9L | |
| WtBbnySGBVFaaQNlQ0lxxeBvlDRr9hvYqbBMflPrj0jfyjO1SPo2ShpTpjMM0InN | |
| SRXNiTE8kMBy12VLUjWKRhFEuT2OKGWmPnmeXAhEKa2wNREuIU640ucQPl2Eg7PD | |
| wuTSxv0JS3QJ3fGz0xk+gA2iCxnwOOfFwq/iI9th4p1cbiCJSS4jarJiwUW0n6+L | |
| p/EiO/h94pDQehn7Skzj0n1fSoMD7SfWI55rjbRZotnvbIIp3XUZPD9MEI3vu3Un | |
| 0q6Dp6jOW6c= | |
| -----END CERTIFICATE-----' > /etc/apache2/ssl/sub.class1.server.ca.pem | |
| echo '-----BEGIN CERTIFICATE----- | |
| MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW | |
| MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg | |
| Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh | |
| dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM2WhcNMzYwOTE3MTk0NjM2WjB9 | |
| MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi | |
| U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh | |
| cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA | |
| A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk | |
| pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf | |
| OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C | |
| Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT | |
| Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi | |
| HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM | |
| Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w | |
| +2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+ | |
| Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3 | |
| Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B | |
| 26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID | |
| AQABo4ICUjCCAk4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAa4wHQYDVR0OBBYE | |
| FE4L7xqkQFulF2mHMMo0aEPQQa7yMGQGA1UdHwRdMFswLKAqoCiGJmh0dHA6Ly9j | |
| ZXJ0LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3Js | |
| LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFM | |
| BgsrBgEEAYG1NwEBATCCATswLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0 | |
| Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFy | |
| dGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYBBQUHAgIwgcMwJxYgU3Rh | |
| cnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xpbWl0ZWQgTGlh | |
| YmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2Yg | |
| dGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFp | |
| bGFibGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJ | |
| YIZIAYb4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNT | |
| TCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAgEAFmyZ | |
| 9GYMNPXQhV59CuzaEE44HF7fpiUFS5Eyweg78T3dRAlbB0mKKctmArexmvclmAk8 | |
| jhvh3TaHK0u7aNM5Zj2gJsfyOZEdUauCe37Vzlrk4gNXcGmXCPleWKYK34wGmkUW | |
| FjgKXlf2Ysd6AgXmvB618p70qSmD+LIU424oh0TDkBreOKk8rENNZEXO3SipXPJz | |
| ewT4F+irsfMuXGRuczE6Eri8sxHkfY+BUZo7jYn0TZNmezwD7dOaHZrzZVD1oNB1 | |
| ny+v8OqCQ5j4aZyJecRDjkZy42Q2Eq/3JR44iZB3fsNrarnDy0RLrHiQi+fHLB5L | |
| EUTINFInzQpdn4XBidUaePKVEFMy3YCEZnXZtWgo+2EuvoSoOMCZEoalHmdkrQYu | |
| L6lwhceWD3yJZfWOQ1QOq92lgDmUYMA0yZZwLKMS9R9Ie70cfmu3nZD0Ijuu+Pwq | |
| yvqCUqDvr0tVk+vBtfAii6w0TiYiBKGHLHVKt+V9E9e4DGTANtLJL4YSjCMJwRuC | |
| O3NJo2pXh5Tl1njFmUNj403gdy3hZZlyaQQaRwnmDwFWJPsfvw55qVguucQJAX6V | |
| um0ABj6y6koQOdjQK/W/7HW/lwLFCRsI3FU34oH7N4RDYiDK51ZLZer+bMEkkySh | |
| NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14= | |
| -----END CERTIFICATE-----' > /etc/apache2/ssl/ca.pem | |
| echo '-----BEGIN CERTIFICATE----- | |
| MIIHaDCCBlCgAwIBAgIDDaIIMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ | |
| TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 | |
| YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg | |
| MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTMxMjI5MTMyMzAy | |
| WhcNMTQxMjMwMTYzNTAwWjBzMQswCQYDVQQGEwJVUzEcMBoGA1UEAxMTd3d3Lm1h | |
| dHRhbmRyZWtvLmNvbTFGMEQGCSqGSIb3DQEJARY3NWYxOTRjZGIxZTk3NDk2MDg0 | |
| NDZkZWEyZjI2MjFkZTkucHJvdGVjdEB3aG9pc2d1YXJkLmNvbTCCAiIwDQYJKoZI | |
| hvcNAQEBBQADggIPADCCAgoCggIBAKXSXj/3Q3qv34Fm0uJQ3acdS8fIPCrFIoiH | |
| 4sJJ1+oDLd8y0pq/f81eDOUxk6mYpCKVtAzcXxybt3vp9Ec7bQHCz2ri533qffyq | |
| Jc83fbncQ32me7gD8BzOBIYrXZanoy0ClFjvUDkADzPStW3oYGn0zWQ+yMbNqcyf | |
| Uz7engWK7ftxGxmFLOFU6zN8vEZvlURuHDG5veM9cNi3b9wI+JF78hnnPBaz892j | |
| GL2a2c7ln8SAew6WsM/lTaX2DdQFMciFAJBQ82XMjJ49F5vW0/t4qS+TT9y/bCWR | |
| HuQNK9JSfDzxiyMcEqInuEJtVtFuNMth+1OK7SGAOv2Z2ZYma+Xl78VFoGNYoIlI | |
| y/aod3GC5OH204sbLhM2QDWEP3R/yeaNAVMC1qNhrTlyVk1HfEPKMiydG3j9wewg | |
| qBMGlyyGv0LM632h1WkjwrOURPztz5gD7DPkpHMvhCSOHArxHqvxZZ0IUtb6u8MX | |
| Po6lxnlUbGdnrseJZzCIyF0aXzrj8nBLEdkExhCjWko6+SL+0eXUnNocZGpojHxA | |
| I77WPoAIFTy49qH13gd2cndjgW2bj45a9fGJysgfzP4MNkOFdBcTYoBjU8jllDmW | |
| WOZtEbg2bEr8t1xbDYL39ODTIZP1xhtkPaUNu8HasX/Vs/c5RfLOcEL/TU6o0Od0 | |
| T1yDcC47AgMBAAGjggLpMIIC5TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDATBgNV | |
| HSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUMy9mrzjXOXnybd7QrmJV4tKNZVgw | |
| HwYDVR0jBBgwFoAU60I00Jiwq5/0G2sI98xkLu8OLEUwLwYDVR0RBCgwJoITd3d3 | |
| Lm1hdHRhbmRyZWtvLmNvbYIPbWF0dGFuZHJla28uY29tMIIBVgYDVR0gBIIBTTCC | |
| AUkwCAYGZ4EMAQIBMIIBOwYLKwYBBAGBtTcBAgMwggEqMC4GCCsGAQUFBwIBFiJo | |
| dHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMIH3BggrBgEFBQcCAjCB | |
| 6jAnFiBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTADAgEBGoG+VGhp | |
| cyBjZXJ0aWZpY2F0ZSB3YXMgaXNzdWVkIGFjY29yZGluZyB0byB0aGUgQ2xhc3Mg | |
| MSBWYWxpZGF0aW9uIHJlcXVpcmVtZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9s | |
| aWN5LCByZWxpYW5jZSBvbmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBj | |
| b21wbGlhbmNlIG9mIHRoZSByZWx5aW5nIHBhcnR5IG9ibGlnYXRpb25zLjA1BgNV | |
| HR8ELjAsMCqgKKAmhiRodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnQxLWNybC5j | |
| cmwwgY4GCCsGAQUFBwEBBIGBMH8wOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0 | |
| YXJ0c3NsLmNvbS9zdWIvY2xhc3MxL3NlcnZlci9jYTBCBggrBgEFBQcwAoY2aHR0 | |
| cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvc3ViLmNsYXNzMS5zZXJ2ZXIuY2Eu | |
| Y3J0MCMGA1UdEgQcMBqGGGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tLzANBgkqhkiG | |
| 9w0BAQsFAAOCAQEATwCaD8Of1aPXq1i+LkhHKACxhFx/5/Zazc6u1ES09e4ZGc/c | |
| g6M7EuR0xGG5aJIJkKWrlYHBCFEjiy27BbW8/gqCttobjOtgIkWXvQ1PIPFdOwDe | |
| Ehv77tkW4RM6rlGfRVFnNGwkWn8kCeZaskYlvDknmH6c0pV6tQekl3HqB/zCKm8x | |
| Od9G51TFk6lR/UMsGTVF4J1nfAkGZ+Sq7juhqwSwd6bqyhxOMpg/pGMoFFvwYhRO | |
| jjB3GWPmqRUIw2vYujh+QmUMzz98HxNVeqDt8NNvkd7E6iL38xYIh1hOfQ329wXB | |
| d0vXCl9QE2xkYrfzC0JgnWCbKuOkNgBLkQFw5w== | |
| -----END CERTIFICATE-----' > /etc/apache2/ssl/mattandreko.com.crt | |
| # Create site configuration file | |
| echo '<VirtualHost *:80> | |
| ServerAdmin mandreko@gmail.com | |
| ServerName mattandreko.com | |
| ServerAlias www.mattandreko.com | |
| ServerAlias andreko.info | |
| ServerAlias www.andreko.info | |
| DocumentRoot /srv/www/mattandreko.com/public_html/ | |
| ErrorLog /srv/www/mattandreko.com/logs/error.log | |
| CustomLog /srv/www/mattandreko.com/logs/access.log combined | |
| Options -Indexes | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteCond %{HTTPS} off | |
| RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} | |
| </IfModule> | |
| </VirtualHost> | |
| <IfModule mod_ssl.so> | |
| <VirtualHost *:443> | |
| DocumentRoot /srv/www/mattandreko.com/public_html/ | |
| ErrorLog /srv/www/mattandreko.com/logs/error.log | |
| CustomLog /srv/www/mattandreko.com/logs/access.log combined | |
| SSLEngine on | |
| SSLCertificateFile /etc/apache2/ssl/mattandreko.com.crt | |
| SSLCertificateKeyFile /etc/apache2/ssl/mattandreko.com.key | |
| SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem | |
| SSLCACertificateFile /etc/apache2/ssl/ca.pem | |
| CustomLog /srv/www/mattandreko.com/logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" | |
| Options -Indexes | |
| Header add Strict-Transport-Security \"max-age=15768000\" | |
| </VirtualHost> | |
| </IfModule>' >> /etc/apache2/sites-available/mattandreko.com.conf | |
| a2ensite mattandreko.com | |
| # Configure postfix as a GMail relay | |
| smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem | |
| smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key | |
| smtp_sasl_auth_enable = yes | |
| smtp_sasl_password_maps = hash:/etc/postfix/sasl_password | |
| smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt | |
| smtp_sasl_security_options = | |
| smtp_tls_policy_maps = hash:/etc/postfix/tls_policy | |
| myhostname = www.mattandreko.com | |
| mydestination = www.mattandreko.com, localhost.mattandreko.com, localhost | |
| relayhost = [smtp.gmail.com]:587 | |
| mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 | |
| echo 'www.mattandreko.com' > /etc/mailname | |
| echo '[smtp.gmail.com]:587 mandreko:<password_here>' > /etc/postfix/sasl_password | |
| postmap /etc/postfix/sasl_password | |
| chown postfix /etc/postfix/sasl_password* | |
| echo '[smtp.gmail.com]:587 encrypt' > /etc/postfix/tls_policy | |
| postmap /etc/postfix/tls_policy | |
| # Set logcheck to email me | |
| sed -i "s/SENDMAILTO=\".*/SENDMAILTO=\"mandreko@gmail.com\"/" /etc/logcheck/logcheck.conf | |
| # Reboot for all configuration changes, kernel updates, etc to load | |
| reboot | |
| # Manual remaining items: | |
| # 1. Deploy Apache SSL cert private key | |
| # 2. Change user password | |
| # 3. Set password for relaying in /etc/postfix/sasl_password and run postmap | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment