Created
December 2, 2008 07:07
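#!/bin/bash
# Simple host firewall for a single-uplink server, driven by iptables.
# Usage: firewall start|stop|restart   (must run as root)
# very helpful is: https://help.ubuntu.com/community/IptablesHowTo -brendan
#
# type: sudo iptables -L to see the current rules
#
set -eu

# Interface facing the public internet. Everything arriving on any other
# interface is accepted unconditionally, so list only the untrusted one here.
UPLINK="eth0"
# Change this next line so it lists all your network interfaces, including lo.
# Reverse-path filtering (rp_filter) is switched on for each of these.
INTERFACES="lo eth0"
# Change this line so that it lists the assigned numbers or symbolic names (from
# /etc/services) of all the services that you'd like to provide to the general
# public. If you don't want any services enabled, set it to ""
SERVICES="http https ssh"
# Add IPs that you wish to give full access to here (space separated). ALLOW
# may also come from the environment; 127.0.0.1 is always appended.
#ALLOW="66.66.66.66"
# ${ALLOW:-} keeps `set -u` from aborting when ALLOW is unset (the previous
# bare $ALLOW made the script die on this line unless ALLOW was exported);
# ${ALLOW:+ } adds the separating space only when there is something to separate.
ALLOW="${ALLOW:-}${ALLOW:+ }127.0.0.1"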
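#######################################
# Install the INPUT policy and rules: default-deny on the uplink, anything
# from other interfaces allowed, replies to our own connections allowed, the
# ALLOW hosts allowed on every port, and SERVICES opened to the world.
# Globals:   UPLINK, INTERFACES, SERVICES, ALLOW (read)
# Outputs:   progress messages on stdout
#######################################
fw_start() {
  local x
  echo "Starting firewall..."
  echo "All ports for these hosts: ${ALLOW}"
  echo "Full internet for these services: ${SERVICES}"
  iptables -P INPUT DROP
  # Traffic that does not arrive on the uplink (lo, internal NICs) is trusted.
  # Newer iptables versions warn about this "-i !" form and prefer "! -i".
  iptables -A INPUT -i ! "${UPLINK}" -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # ALLOW and SERVICES are deliberately unquoted: they are space-separated lists.
  for x in ${ALLOW}; do
    iptables -A INPUT -s "${x}" -j ACCEPT
  done
  # Enable public access to certain services
  for x in ${SERVICES}; do
    iptables -A INPUT -p tcp --dport "${x}" -m state --state NEW -j ACCEPT
  done
  # Reject (rather than silently drop) the rest of the uplink traffic so
  # clients fail fast instead of waiting for a timeout.
  iptables -A INPUT -p tcp -i "${UPLINK}" -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p udp -i "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable
  # Explicitly disable ECN
  if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
  fi
  # Disable spoofing on all interfaces (reverse-path filter)
  for x in ${INTERFACES}; do
    echo 1 > "/proc/sys/net/ipv4/conf/${x}/rp_filter"
  done
}

#######################################
# Open the firewall again. The policy is switched to ACCEPT before the flush
# so there is no window in which the chain is empty but still defaults to
# DROP (the previous order flushed first, dropping in-flight packets).
# Outputs:   progress message on stdout
#######################################
fw_stop() {
  echo "Stopping firewall..."
  iptables -P INPUT ACCEPT
  iptables -F INPUT
  # Turn off NAT/masquerading, if any
  iptables -t nat -F POSTROUTING
}

# ${1:-} rather than $1: under `set -u` a bare $1 aborts with "unbound
# variable" before the usage error below could ever be reached.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    fw_start
    ;;
  "")
    echo "ERROR didn't specify start, stop, or restart." >&2
    exit 1
    ;;
  *)
    # An unknown word used to fall through the if/elif chain and exit 0.
    echo "ERROR unknown action '$1'; expected start, stop, or restart." >&2
    exit 1
    ;;
esac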
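# Bootstrap a fresh Ubuntu box: users, ssh, firewall, paths, packages, services.
# Run as root from the directory holding the payload files (firewall, god.init,
# postfix_main.cf.erb). Requires INITIAL_PASSWORD in the environment.
set -eu
# The initial account password comes from the environment instead of being
# hard-coded in a script that lives in version control. Checked before
# xtrace is enabled so the value is never written to the trace.
: "${INITIAL_PASSWORD:?set INITIAL_PASSWORD to the initial password for the new accounts}"
set -x
echo welcome to my awesome machine yo! > /etc/motd
###### USERS ######
groupadd wheel
# best dotfiles evar
# -f turns an HTTP error into a failed command (and so an aborted script)
# instead of saving the error page as the dotfile. The URL carries no scheme,
# so curl uses plain http; prefer https if the host offers it.
for f in .inputrc .vimrc .zshrc; do
  curl -fsSL -o "/etc/skel/$f" "dotfiles.org/~brendano/$f"
done
echo "alias ll='ls -l'" >> /etc/skel/.bashrc
# sudo gem install will pick up this, makes things go way faster
echo 'gem: --no-ri --no-rdoc' > /etc/skel/.gemrc
for f in .inputrc .vimrc .zshrc .gemrc; do
  cp -- "/etc/skel/$f" /root
done
USERS="yourself deployer"
# USERS is a space-separated list, so it is deliberately left unquoted.
for u in $USERS; do
  useradd -m -G users,wheel -s /bin/bash "$u"
  # Suspend xtrace while the password is on a command line; with `set -x`
  # it would otherwise be echoed to stderr and into any provisioning log.
  set +x
  printf '%s:%s\n' "$u" "$INITIAL_PASSWORD" | chpasswd
  set -x
  # mkdir as root leaves ~/.ssh root-owned, so the user could never add
  # keys or known_hosts; hand it over with the usual private mode.
  mkdir -p "/home/$u/.ssh"
  chown "$u:" "/home/$u/.ssh"
  chmod 700 "/home/$u/.ssh"
done
# Let the wheel group use sudo. Root can write /etc/sudoers whatever its
# mode, so no chmod dance is needed; the grep keeps a re-run from adding the
# line twice, and visudo -c stops the script on a syntax error that would
# otherwise lock everyone out of sudo.
grep -qxF '%wheel ALL=(ALL) ALL' /etc/sudoers \
  || echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
visudo -c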
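###### SSH ######
#######################################
# Set a single `Keyword value` directive in an ssh config file, replacing the
# existing line or appending one. The previous bare in-place perl edit only
# replaced an existing line, so a keyword missing from the file was silently
# never set.
# Arguments: $1 - config file, $2 - keyword, $3 - value (script constants only;
#            they are interpolated into the perl expression)
#######################################
set_ssh_option() {
  local file=$1 key=$2 value=$3
  if grep -q "^${key}[[:space:]]" "$file"; then
    perl -pi -e "s/^${key}\\s.*/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

set_ssh_option /etc/ssh/sshd_config PermitRootLogin no
# set_ssh_option /etc/ssh/sshd_config UsePAM no
## host-based auth ... outgoing works but not incoming.
# Every host in /root/dl.hosts becomes trusted for password-less logins, and
# ssh-keyscan records whatever key each host presents right now (trust on
# first use), so keep that list tight and review it when hosts change.
[ -s /root/dl.hosts ] || { echo "missing or empty /root/dl.hosts" >&2; exit 1; }
cp -- /root/dl.hosts /etc/ssh/shosts.equiv
set_ssh_option /etc/ssh/sshd_config HostbasedAuthentication yes
# shellcheck disable=SC2046 -- dl.hosts is a whitespace-separated host list
ssh-keyscan -t rsa $(cat /root/dl.hosts) > /etc/ssh/ssh_known_hosts
# added this to sshd_config, incoming still doesnt work --> RhostsRSAAuthentication yes
cat >> /etc/ssh/ssh_config <<'EOF'
## for outgoing ssh'ing
EnableSSHKeysign yes
HostbasedAuthentication yes
EOF
# Validate the edited sshd_config before reloading; a bad config would take
# down the only remote way into the box.
/usr/sbin/sshd -t
/etc/init.d/ssh reload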
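######### FIREWALL #############
# `install` sets an explicit mode instead of inheriting whatever the checked-
# out payload file happens to have.
[ -f firewall ] || { echo "missing firewall script in $PWD" >&2; exit 1; }
install -m 0755 -- firewall /etc/init.d/firewall
update-rc.d firewall defaults
/etc/init.d/firewall start
###### PATHS ######
DEPLOYER_PATHS="/var/conf /var/www"
# shellcheck disable=SC2086 -- deliberately a space-separated list
mkdir -p $DEPLOYER_PATHS
# user:group form; the user.group spelling is deprecated in coreutils.
chown -R deployer:deployer $DEPLOYER_PATHS
# deployer-run processes need to write here. The sticky bit (t) keeps a
# world-writable /var/log from letting one user delete or rename another
# user's log files, the same protection /tmp relies on.
chmod a+wt /var/log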
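###### PACKAGES ######
# faster than the default mirror
# Quoted heredoc delimiter: nothing here needs expansion. apt checks the
# repository signatures, so a plain-http mirror does not weaken integrity.
cat > /etc/apt/sources.list.d/osuosl.list <<'EOF'
deb http://ubuntu.osuosl.org/ubuntu/ intrepid main restricted universe
deb http://ubuntu.osuosl.org/ubuntu/ intrepid-updates main restricted universe
EOF
apt-get update
# One transaction instead of three: a single dependency resolution and no
# half-provisioned box if a later group fails.
apt-get install -y \
  ruby-full libsqlite3-ruby libpgsql-ruby rubygems \
  build-essential git-core rsync lsof \
  vim zsh nano
# otherwise nano is default in many places, egads! crontab -e then keeps
# pulling it up, which is very sad.
update-alternatives --set editor /usr/bin/vim.basic
#Might need to do this...
#wget http://rubyforge.org/frs/download.php/38646/rubygems-1.2.0.tgz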
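###### GOD ######
mkdir -p /var/conf/god
echo "God.load('/var/conf/god/*.conf')" > /var/conf/god.conf
gem install god
# Explicit check so a missing payload file is reported by name rather than
# as a bare mv/install failure.
[ -f god.init ] || { echo "missing god.init in $PWD" >&2; exit 1; }
install -m 0755 -- god.init /etc/init.d/god
update-rc.d god defaults
/etc/init.d/god start
###### MEMCACHED ######
apt-get install -y memcached
gem install memcache-client
# need to adjust /etc/memcached.conf
# should already be signed up for startup
###### MAIL ######
# ok this really should be via cap since so much config...
# please just press "enter" through all the postfix menus: "Internet Host".
apt-get install -y postfix mailx
[ -f postfix_main.cf.erb ] || { echo "missing postfix_main.cf.erb in $PWD" >&2; exit 1; }
ruby -r erb -e 'puts ERB.new(File.read("postfix_main.cf.erb")).result' > /etc/postfix/main.cf
/etc/init.d/postfix restart
# $(...) instead of backticks; options before the recipient so the command
# line reads unambiguously.
echo "messages are great" | mail -s "hello i'm up! love, $(hostname)" info@doloreslabs.com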
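###### LOGROTATE ######
apt-get install -y logrotate
# Daily rotation, two weeks kept. copytruncate rotates without asking the
# writing process to reopen its log file. Quoted delimiter: the glob must
# reach logrotate unexpanded.
cat > /etc/logrotate.d/facestat <<'EOF'
/var/www/facestat/shared/log/*.log {
  daily
  missingok
  rotate 14
  compress
  delaycompress
  notifempty
  copytruncate
}
EOF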