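#!/bin/sh
#
# Initial provisioning for a Sakura VPS running
# CentOS release 6.2 (Final).  Run once, as root, after filling in the
# "Global variables" section below.
#
# Steps (see main()):
#   - set the root password, create $USER in the wheel group
#   - restrict su to wheel (pam_wheel) and give wheel passwordless sudo
#   - replace sshd_config: key-only login on $PORT, no root login
#   - rewrite iptables: only 80/tcp and $PORT/tcp accepted inbound
#   - forward root's mail to $MAIL
#   - add the remi repo and install the service stack
#   - disable unneeded services and run yum update
#
# Written for /bin/sh; 'local' is used, which dash and bash both provide.

##
# Global variables -- edit these before running
##
CENT_OS_VERSION='CentOS release 6.2 (Final)'
USER='work user name'           # login name of the non-root work account
PORT='10022'                    # sshd listen port; also opened in iptables
MAIL='your email'               # address root's mail is forwarded to
PUB_KEY='your ssh public key'   # one authorized_keys line for $USER

##
# private
##

# _banner TEXT: print TEXT between two rows of asterisks.
_banner() {
  echo "***************"
  echo "$1"
  echo "***************"
}

# _abort CODE MESSAGE: print an error banner to stderr and exit with CODE.
_abort() {
  _banner " ERR(${1}):${2}" >&2
  exit $(($1))
}

# _warn MESSAGE: print a warning banner to stderr and keep going.
_warn() {
  _banner " WARN:${1}" >&2
}

# _echo_and_exec COMMAND: log COMMAND, then run it.  The argument is
# intentionally left unquoted so "id alice" is word-split into a
# command and its arguments.
_echo_and_exec() {
  echo "-- ${1}"
  # shellcheck disable=SC2086 -- word splitting is the point here
  $1
}

# _backup_file PATH: copy PATH to PATH_YYYYmmdd_HHMMSS (cp -p keeps
# mode, owner and timestamps) before it is rewritten; warn if missing.
_backup_file() {
  if [ -f "$1" ]; then
    cp -p -- "$1" "${1}_$(date +%Y%m%d_%H%M%S)"
  else
    _warn "$1 is not found."
  fi
}

# _yumi PACKAGES: log and run 'yum install -y' on a space-separated
# package list (callers may include extra yum options in it).
_yumi() {
  echo "-- yum install -y ${1}"
  # shellcheck disable=SC2086 -- $1 is a space-separated list by design
  yum install -y $1
}

# _check_var NAME VALUE SAMPLE: abort unless VALUE is non-empty and no
# longer equal to the placeholder SAMPLE shipped with this script.
_check_var() {
  if [ -z "$2" ] || [ "$2" = "$3" ]; then
    _abort 2 "Global variable ${1} is not specified. Check your script."
  fi
}

##
# procs
##

# Refuse to run on an unsupported release, as a non-root user, or with
# the placeholder configuration still in place; then clear the screen.
initialize() {
  local os_ver
  os_ver=$(cat /etc/redhat-release)
  if [ "$os_ver" != "$CENT_OS_VERSION" ]; then
    _abort 1 "${os_ver:-unknown OS} is not supported."
  fi

  # everything below edits /etc or calls yum/useradd/service
  if [ "$(id -u)" -ne 0 ]; then
    _abort 3 "This script must be run as root."
  fi

  # the shipped sample values are non-empty, so an emptiness check alone
  # would let a forgotten edit through
  _check_var USER "$USER" 'work user name'
  _check_var PORT "$PORT" ''   # 10022 is a usable default; only emptiness matters
  _check_var MAIL "$MAIL" 'your email'
  _check_var PUB_KEY "$PUB_KEY" 'your ssh public key'

  clear
}

# Set the root password interactively, then create $USER (added to
# wheel so the su/sudo rules below apply) and set its password.
# Re-running on an existing user keeps the account and only refreshes
# its password and group membership.
create_user() {
  echo '-- change root password'
  passwd
  echo
  echo "-- create user ${USER}"
  if id "$USER" >/dev/null 2>&1; then
    _warn "user ${USER} already exists; reusing it."
  else
    useradd "$USER" || _abort 4 "useradd ${USER} failed."
  fi
  passwd "$USER"
  # -a appends wheel instead of replacing existing supplementary groups
  usermod -a -G wheel "$USER"
  _echo_and_exec "id ${USER}"
}

# Restrict 'su' to members of wheel (pam_wheel.so use_uid); the rest of
# the file mirrors the stock CentOS 6 /etc/pam.d/su.
# http://www.usupi.org/sysad/105.html
change_pamd_su() {
  local file=/etc/pam.d/su
  _backup_file "$file"
  cat << EOS > "$file"
auth     sufficient   pam_rootok.so
auth     required     pam_wheel.so use_uid
auth     include      system-auth
account  sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account  include      system-auth
password include      system-auth
session  include      system-auth
session  optional     pam_xauth.so
EOS
  echo "-- modified ${file}"
}

# Give wheel members passwordless sudo.  NOPASSWD is the author's
# choice for a single-admin box; remove it to be prompted for a
# password.  The rule is appended only once, and the result is checked
# with 'visudo -c' so a malformed sudoers cannot lock root out.
change_sudores() {
  local file=/etc/sudoers
  local rule='%wheel ALL=(ALL) NOPASSWD: ALL'
  _backup_file "$file"
  if ! grep -qxF -- "$rule" "$file"; then
    printf '%s\n' "$rule" >> "$file"
  fi
  if ! visudo -c -f "$file" >/dev/null; then
    _abort 5 "${file} failed visudo -c; restore the backup before using sudo."
  fi
  echo "-- modified ${file}"
}

# Replace sshd_config: listen on $PORT, protocol 2 only, public-key
# authentication only (no passwords, no root, no PAM), then install
# $PUB_KEY for $USER.  The new config is validated with 'sshd -t'
# before the restart so a typo cannot cut off the current session.
change_sshd_config() {
  local file=/etc/ssh/sshd_config
  local ssh_home="/home/${USER}/.ssh"
  _backup_file "$file"
  cat << EOS > "$file"
# initial settings
Port $PORT
Protocol 2
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
GSSAPICleanupCredentials yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

# modify settings
PasswordAuthentication no
GSSAPIAuthentication no
UsePAM no

# add settings
PermitRootLogin no
PermitEmptyPasswords no
EOS
  echo "-- modified ${file}"

  # the key must be in place before the password-less sshd comes back up
  mkdir -p "$ssh_home"
  printf '%s\n' "$PUB_KEY" > "${ssh_home}/authorized_keys"
  chmod 600 "${ssh_home}/authorized_keys"
  chown -R "${USER}:${USER}" "$ssh_home"
  chmod 700 "$ssh_home"
  echo "-- created ${ssh_home}"

  if ! /usr/sbin/sshd -t; then
    _abort 6 "${file} is invalid; restore the backup before restarting sshd."
  fi
  service sshd restart
  echo "-- restart sshd"
}

# Rewrite the iptables ruleset: loopback, ICMP, IPsec (50/51),
# mDNS and CUPS (carried over from the stock CentOS ruleset; drop them
# if unused), established traffic, 80/tcp and $PORT/tcp are accepted,
# everything else is rejected.
change_iptables() {
  local file=/etc/sysconfig/iptables
  _backup_file "$file"
  cat << EOS > "$file"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $PORT -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOS
  echo "-- modified ${file}"
  service iptables restart
  echo "-- restart iptables"
}

# Forward root's mail to $MAIL.  Any existing 'root:' alias is replaced
# rather than duplicated so re-runs stay clean.
change_aliases() {
  local file=/etc/aliases
  _backup_file "$file"
  sed -i '/^root:/d' "$file"
  printf 'root: %s\n' "$MAIL" >> "$file"
  newaliases
  echo "-- modified ${file}"
}

# Add the remi repository (needed for mysql 5.5 in install_services).
# NOTE: the release package is fetched over plain http and 'rpm -Uvh'
# only warns when the signing key is not imported; import remi's GPG
# key first or fetch the rpm over https if that is a concern.
add_repos() {
  if rpm -q remi-release >/dev/null 2>&1; then
    _warn "remi-release is already installed."
    return 0
  fi
  rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm \
    || _abort 7 "could not install remi-release."
  echo "-- added remi repos"
}

# Install the service stack.  http/nginx are left commented out as in
# the original; mysql comes from remi (enabled per-command).
install_services() {
  # http
  #_yumi install httpd httpd-devel
  #/etc/init.d/mysqld httpd
  #chkconfig httpd on

  # nginx
  # when installing passenger
  #_yumi nginx
  #/etc/init.d/nginx start
  #chkconfig nginx on

  # git
  _yumi 'git nmap'

  # sqlite
  _yumi 'sqlite sqlite-devel'

  # ruby
  _yumi 'openssl-devel curl-devel readline-devel zlib-devel libxml2 libxml2-devel libxslt-devel libyaml-devel libffi-devel'

  # capistrano(nokogiri)
  _yumi 'libxml2 libxml2-devel libxslt libxslt-devel'

  # sphinx
  _yumi sphinx

  # python-setuptools(easy_install)
  _yumi 'python-devel python-setuptools'

  # monit
  _yumi monit
  chkconfig monit on

  # hg
  echo "-- easy_install Mercurial"
  easy_install Mercurial

  # mysql
  _yumi 'mysql mysql-server mysql-devel --enablerepo=remi,remi-test'
  /etc/init.d/mysqld start
  chkconfig mysqld on
}

# Turn off services a headless VPS does not need, then show the
# resulting chkconfig table.
disable_services() {
  local svc
  for svc in auditd haldaemon mdmonitor messagebus netfs restorecond smartd; do
    chkconfig "$svc" off
  done
  echo '-- disabled services'
  chkconfig --list
}

# Apply all pending package updates.
yum_update() {
  yum -y update
}

#setup_mysql() {
#  #mysql_install_db
#  #mysql_secure_installation
#  ## data load
#  #mysql_upgrade
#}

#setup_nginx() {
#
#}

# Final hint: the kernel/update may need a reboot.
finalize() {
  echo 'Done! You should restart.'
}

# Run every step in order; each aborts the script on a fatal problem.
main() {
  initialize

  # os settings
  create_user
  change_pamd_su
  change_sudores
  change_sshd_config
  change_iptables
  change_aliases

  # service
  add_repos
  install_services
  disable_services
  yum_update

  # setup
  #setup_mysql
  #setup_nginx

  finalize
}

##
# execute
##
main "$@"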