Ultimate Sysadmin Script, run on fresh install of Ubuntu
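#!/bin/bash
# Ultimate Sysadmin Script - run once on a fresh install of Ubuntu.
#
# Creates a sudo user, hardens sshd and the kernel network stack, installs
# and configures an iptables firewall, Fail2Ban and PSAD, applies a tuned
# profile and cleans up.  Must be run as root.
#
# `set -e` is deliberately not used: several steps are best-effort
# (optional repo, bleachbit, pip upgrades) and an abort half-way through
# would leave the box partly configured.  The two steps that can lock you
# out (sudoers, sshd) are validated explicitly before they take effect.
#
# TODO: add a menu for [1] Configure Basics [2] Configure Security
# [3] Configure VMware Tools [4] Configure All.
#set -x

if [[ $EUID -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi
# The script pre-seeds debconf answers, so never block on a package prompt.
export DEBIAN_FRONTEND=noninteractive

# LAN trusted by the firewall, Fail2Ban and PSAD.  Written as a network
# address (host bits zero): the original "192.168.1.1/24" is the same /24
# but not every parser normalises a host address with a prefix length.
readonly LAN_NET='192.168.1.0/24'

#######################################
# Set one key in /etc/ssh/sshd_config: replace any existing line that
# mentions the key (commented or not, same as the original sed), or append
# the key when the file does not mention it at all.
# Arguments: $1 - option name, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -q -- "$key" /etc/ssh/sshd_config; then
    sed -i "/${key}/ c\\${key} ${value}" /etc/ssh/sshd_config
  else
    printf '%s %s\n' "$key" "$value" >> /etc/ssh/sshd_config
  fi
}

#######################################
# Set one key in /etc/sysctl.conf: replace an existing (possibly commented)
# line, or append when absent.  A sed-only replace silently does nothing
# for keys Ubuntu's sysctl.conf does not ship (e.g. ip_no_pmtu_disc), so
# the append path is what makes every setting below actually land.
# Arguments: $1 - sysctl key, $2 - value
#######################################
set_sysctl_option() {
  local key=$1 value=$2
  if grep -q -- "$key" /etc/sysctl.conf; then
    sed -i "/${key}/ c\\${key} = ${value}" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
}

# --- Optional: static network configuration (disabled) ------------------
#read -p "Configure this server to be on 192.168.1.3/24?" yn
#while true; do
#case $yn in
# [Yy]* )
# echo "What IP address will be assigned to this server?"
# read ADDRESS
# cat <<EOF > /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#
# The loopback network interface
#auto lo
#iface lo inet loopback
#
# The primary network interface
#auto eth0
#iface eth0 inet static
#address $ADDRESS
#netmask 255.255.255.240
#gateway 192.168.1.1
#dns-nameservers 8.8.8.8 8.8.4.4
#EOF
# break;;
# [Nn]* ) break;;
# * ) echo "Please answer [y]es or [n]o." ;;
#esac
#done

# --- Users and sudo ------------------------------------------------------
adduser wibble
usermod -aG sudo wibble
# Policy lives in a sudoers.d drop-in that visudo validates before it is
# trusted.  Appending to /etc/sudoers directly means one bad line breaks
# sudo for everyone; a bad drop-in is simply removed again.
# NOTE: jenkins and wibble get passwordless root, exactly as before.
sudoers_dropin=/etc/sudoers.d/90-provision
cat <<'EOF' > "$sudoers_dropin"
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
jenkins ALL=(ALL) NOPASSWD: ALL
wibble ALL=(ALL) NOPASSWD: ALL
EOF
chmod 0440 "$sudoers_dropin"
if ! visudo -cf "$sudoers_dropin"; then
  printf 'sudoers drop-in failed validation, removing %s\n' "$sudoers_dropin" >&2
  rm -f -- "$sudoers_dropin"
fi

# --- Optional: XanMod kernel and some other things I use -----------------
# https://xanmod.org/
# The repo key is bound to this one repo with signed-by instead of apt-key,
# which is deprecated and would trust the key for every configured repo.
xanmod_keyring=/usr/share/keyrings/xanmod-archive-keyring.gpg
xanmod_key=$(wget -qO - https://dl.xanmod.org/gpg.key)
if [[ -n "$xanmod_key" ]] \
  && printf '%s\n' "$xanmod_key" | gpg --dearmor --yes -o "$xanmod_keyring"; then
  printf 'deb [signed-by=%s] http://deb.xanmod.org releases main\n' "$xanmod_keyring" \
    > /etc/apt/sources.list.d/xanmod-kernel.list
else
  printf 'warning: could not fetch the XanMod signing key; repo not added\n' >&2
fi
printf 'net.core.default_qdisc = cake\n' > /etc/sysctl.d/90-override.conf

# --- Packages ------------------------------------------------------------
apt-get update && apt-get -y dist-upgrade
# Pre-seed answers BEFORE the packages are installed: postfix (pulled in by
# fail2ban/psad) and iptables-persistent both ask at install time.
debconf-set-selections <<< "postfix postfix/main_mailer_type select No configuration"
debconf-set-selections <<< "iptables-persistent iptables-persistent/autosave_v4 boolean true"
debconf-set-selections <<< "iptables-persistent iptables-persistent/autosave_v6 boolean true"
# Install NTP, OpenSSH, Fail2Ban, PSAD and the tooling used below.
apt-get install -y ntp openssh-server fail2ban psad glances htop nmap bleachbit git python3-pip iperf3 easy-rsa iptables-persistent tuned
# The kernel is installed separately so a missing XanMod repo does not
# take the whole package set down with it.
apt-get install -y linux-xanmod || printf 'warning: linux-xanmod not installed\n' >&2

# OpenVPN Server - Optional
# https://github.com/angristan/openvpn-install
# curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
# chmod +x openvpn-install.sh

# --- SSH: disable root login, decrease grace time ------------------------
set_sshd_option LoginGraceTime 60
set_sshd_option PermitRootLogin no
set_sshd_option StrictModes yes
# Never restart sshd on an unvalidated config - a typo here is a lockout.
if sshd -t; then
  service ssh restart
else
  printf 'sshd_config failed validation; ssh NOT restarted\n' >&2
fi

# --- Kernel network hardening --------------------------------------------
# Disable IPv6
set_sysctl_option net.ipv6.conf.all.disable_ipv6 1
set_sysctl_option net.ipv6.conf.default.disable_ipv6 1
set_sysctl_option net.ipv6.conf.lo.disable_ipv6 1
# Log martians, deny ICMP routing
set_sysctl_option net.ipv4.conf.all.log_martians 1
set_sysctl_option net.ipv4.conf.all.accept_source_route 0
set_sysctl_option net.ipv4.conf.all.send_redirects 0
set_sysctl_option net.ipv4.conf.all.accept_redirects 0
set_sysctl_option net.ipv4.ip_no_pmtu_disc 1
# Apply now instead of only after the next reboot.  Failures are warnings:
# the cake qdisc only exists once the XanMod kernel is actually booted.
sysctl --system > /dev/null \
  || printf 'warning: some sysctl keys could not be applied yet\n' >&2

# --- Firewall ------------------------------------------------------------
iptables -F
# Rate-limit NEW ssh connections only (--syn).  Without --syn every packet
# of an established session drained the bucket, and the unconditional
# "--dport 22 -j ACCEPT" that used to follow made the limit a no-op: SYNs
# over the limit now fall through to the LAN accept or the DROP policy.
iptables -A INPUT -p tcp --syn --dport 22 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#################################################################
# Add your services here
#################################################################
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT #OpenVPN Server
iptables -A INPUT -p udp --dport 1194 -j ACCEPT #OpenVPN Server
iptables -A INPUT -p tcp --dport 53 -j ACCEPT #DNS Server
iptables -A INPUT -p udp --dport 53 -j ACCEPT #DNS Server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #http
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #http(s)
iptables -A INPUT -p tcp --dport 19999 -j ACCEPT #netdata
iptables -A INPUT -p tcp --dport 5201 -j ACCEPT #iperf3
iptables -A INPUT -p udp --dport 5201 -j ACCEPT #iperf3
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP #ICMP
iptables -A INPUT -s "$LAN_NET" -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -P INPUT DROP
# iptables -N LOGGING
# iptables -A INPUT -j LOGGING
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
# iptables -A LOGGING -j DROP
# iptables -A FORWARD -j LOG
iptables-save > /etc/iptables/rules.v4

# --- Fail2Ban ------------------------------------------------------------
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# [DEFAULT] overrides are matched by key (first occurrence only, which is
# the [DEFAULT] one) rather than by line number, because line numbers in
# jail.conf differ between fail2ban releases.
sed -i "0,/^ignoreip *=/ s|^ignoreip *=.*|ignoreip = 127.0.0.1/8 192.168.0.0/16 ${LAN_NET}|" /etc/fail2ban/jail.local
sed -i '0,/^bantime *=/ s/^bantime *=.*/bantime = 1800/' /etc/fail2ban/jail.local
sed -i '0,/^maxretry *=/ s/^maxretry *=.*/maxretry = 5/' /etc/fail2ban/jail.local
sed -i '0,/^findtime *=/ s/^findtime *=.*/findtime = 1200/' /etc/fail2ban/jail.local
# Still line-based: on the jail.conf this was written against, line 99 is
# presumably the [ssh] jail's "maxretry = 6".  TODO(review): confirm on the
# installed version and convert to a key-based edit like the ones above.
sed -i '99s/6/5/' /etc/fail2ban/jail.local
# Continuation lines of a multi-line value must be indented for fail2ban's
# INI parser to treat them as part of the value.
cat <<'FIN' >> /etc/fail2ban/jail.local
[ssh-repeater]
enabled = true
port = ssh
filter = sshd
action = iptables-repeater[name=ssh]
         sendmail-whois[name=SSH-repeater, dest=root, sender=root]
logpath = /var/log/auth.log
maxretry = 25
findtime = 31536000
bantime = 31536000
# This section is needed if wp-fail2ban is installed as a plugin on Wordpress
#[wordpress-auth-repeater]
#enabled = true
#port = http,https
#filter = wordpress
#action = iptables-repeater[name=wordpress]
#         sendmail-whois[name=wordpress-repeater, dest=root, sender=root]
#logpath = /var/log/auth.log
#maxretry = 35
#findtime = 31536000
#bantime = 31536000
FIN
cat <<"endOFfile" > /etc/fail2ban/action.d/iptables-repeater.conf
# Fail2ban configuration file
#
# Author: Phil Hagen <phil@identityvector.com>
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-REPEAT-<name>
              iptables -A fail2ban-REPEAT-<name> -j RETURN
              iptables -I INPUT -j fail2ban-REPEAT-<name>
              # set up from the static file
              cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-REPEAT-<name> 1 -s $IP -j DROP; done
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -j fail2ban-REPEAT-<name>
             iptables -F fail2ban-REPEAT-<name>
             iptables -X fail2ban-REPEAT-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-REPEAT-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-REPEAT-<name> 1 -s <ip> -j DROP
            # also put into the static file to re-populate after a restart
            ! grep -Fq <ip> /etc/fail2ban/ip.blocklist.<name> && echo "<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for repeat offender" >> /etc/fail2ban/ip.blocklist.<name>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = /bin/true
[Init]
# Defaut name of the chain
#
name = REPEAT
endOFfile
service fail2ban restart

# --- PSAD ----------------------------------------------------------------
cp /etc/psad/psad.conf /etc/psad/psad.conf.orig
sed -i "s/_CHANGEME_;/${HOSTNAME};/" /etc/psad/psad.conf
sed -i "s|HOME_NET any;|HOME_NET ${LAN_NET};|" /etc/psad/psad.conf
sed -i 's/var\/log\/messages/var\/log\/syslog/' /etc/psad/psad.conf
sed -i '/ENABLE_AUTO_IDS N;/ c\ENABLE_AUTO_IDS Y;' /etc/psad/psad.conf
sed -i '/AUTO_IDS_DANGER_LEVEL/ c\AUTO_IDS_DANGER_LEVEL 4;' /etc/psad/psad.conf
# Never auto-block loopback or the LAN; guarded so a re-run adds no duplicates.
for net in 127.0.0.0/8 "$LAN_NET"; do
  grep -qF -- "$net 0;" /etc/psad/auto_dl 2>/dev/null \
    || printf '%s 0;\n' "$net" >> /etc/psad/auto_dl
done
psad --sig-update
service psad restart
# Weekly signature update in root's crontab.  No temp file in /tmp, and a
# re-run does not add the entry twice.
psad_cron='00 06 * * 1 psad --sig-update'
if ! crontab -l 2>/dev/null | grep -qF -- "$psad_cron"; then
  { crontab -l 2>/dev/null; printf '%s\n' "$psad_cron"; } | crontab -
fi

# --- VMware Tools install, Optional if you are using a VM ----------------
# mkdir /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom
# VMWT=$(ls /mnt/cdrom/VMwareTools*)
# tar xzvf "$VMWT" -C /tmp/
# /tmp/vmware-tools-distrib/vmware-install.pl -d

# --- Optional: update Python 3 packages ----------------------------------
# NOTE: this upgrades apt-managed Python packages in place as root, which
# can break tools that depend on the distro versions; kept as the original
# optional step.  -r keeps xargs from running pip with no package names.
pip3 freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -rn1 pip3 install -U
# for RPi ONLY
# rpi-update

# --- tuned: see the Red Hat tuning guide ---------------------------------
service tuned start
tuned-adm list
tuned-adm profile throughput-performance
service tuned restart

# --- Clean up ------------------------------------------------------------
apt-get autoclean -y
apt-get autoremove -y
# Think of CCleaner Alternative
bleachbit --list | grep -E "[a-z0-9_\-]+\.[a-z0-9_\-]+" | grep -v system.free_disk_space | xargs bleachbit --clean
# Removes all but current Kernel: everything that sorts before the running
# version is purged; -r avoids a bare "apt-get purge" when nothing is older.
dpkg --list | grep linux-image | awk '{ print $2 }' | sort -V \
  | sed -n "/$(uname -r)/q;p" | xargs -r apt-get -y purge
exit 0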