-
-
Save rufoa/f153e1fd5c13e1fc5a52 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| sed -i '/^#\?PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config | |
| service ssh reload | |
| aptitude update | |
| aptitude safe-upgrade -y | |
| aptitude -R install -y debconf-utils | |
| echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections | |
| echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections | |
| aptitude -R install -y iptables iptables-persistent openvpn fail2ban | |
| sed -i '/^#\?net.ipv4.ip_forward/c\net.ipv4.ip_forward=1' /etc/sysctl.conf | |
| sysctl -p | |
| cat <<EOF > /etc/iptables/rules.v4 | |
| *nat | |
| :PREROUTING ACCEPT | |
| :INPUT ACCEPT | |
| :OUTPUT ACCEPT | |
| :POSTROUTING ACCEPT | |
| -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE | |
| COMMIT | |
| *filter | |
| :INPUT DROP | |
| :FORWARD ACCEPT | |
| :OUTPUT ACCEPT | |
| :fail2ban-ssh - | |
| -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | |
| -A INPUT -p udp -m udp --dport 1194 -j ACCEPT | |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -m state --state INVALID -j DROP | |
| -A INPUT -p tcp --dport 22 -j fail2ban-ssh | |
| -A INPUT -p icmp -j ACCEPT | |
| -A INPUT -i tun+ -j ACCEPT | |
| -A INPUT -i lo -j ACCEPT | |
| -A fail2ban-ssh -j RETURN | |
| COMMIT | |
| EOF | |
| iptables-restore < /etc/iptables/rules.v4 | |
| cat <<EOF > /etc/iptables/rules.v6 | |
| *filter | |
| :INPUT DROP | |
| :FORWARD ACCEPT | |
| :OUTPUT ACCEPT | |
| -A INPUT -p ipv6-icmp -j ACCEPT | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -m state --state INVALID -j DROP | |
| COMMIT | |
| EOF | |
| ip6tables-restore < /etc/iptables/rules.v6 | |
| cat <<EOF > /etc/openvpn/server-udp.conf | |
| dev tun | |
| proto udp | |
| port 1194 | |
| ifconfig 10.9.0.1 10.9.0.2 | |
| secret server.key | |
| user nobody | |
| group nogroup | |
| persist-key | |
| persist-tun | |
| verb 0 | |
| EOF | |
| openvpn --genkey --secret /etc/openvpn/server.key | |
| chmod 600 /etc/openvpn/server.key | |
| service openvpn restart |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment