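#!/usr/bin/env bash
#######################################
# Provisioning / hardening runbook for a fresh Ubuntu VPS.
# PROLOGUE: all this should be run as root, otherwise stated.
#
# Steps, in order: apt update/upgrade, admin user + sudo, etckeeper,
# sshd hardening, apt unattended security upgrades, iptables firewall,
# no-ip dynamic DNS client, shared-memory / su / sysctl / host.conf
# hardening, fail2ban, ntp, admin tools, final reboot.
#
# The user name and the ssh port were hard-coded in several places;
# they are now constants so every step agrees. The sshd listen port and
# the firewall ACCEPT rule MUST use the same value, otherwise the next
# login after reboot is locked out.
#
# Most "append to config" steps are guarded so the runbook can be
# re-run without duplicating lines.
#######################################
set -euo pipefail

readonly new_user='user_x'
readonly ssh_port=122
readonly sshd_config='/etc/ssh/sshd_config'

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ ${EUID} -eq 0 ]] || die "this runbook must be run as root"

#update && upgrade (two statements so set -e sees each status):
apt-get update
apt-get upgrade -y

#create a new user (skipped when it already exists)
id "${new_user}" >/dev/null 2>&1 || adduser "${new_user}"

#create group admin (funny enough, it does not exist, although its accounted in the /etc/sudoers file):
getent group admin >/dev/null || addgroup --system admin
#add user root and the new user into group admin:
adduser root admin
adduser "${new_user}" admin

#personal-style: let user sudo without password
# Written as a drop-in under /etc/sudoers.d (mode 0440) and syntax-checked
# with visudo instead of appending blindly to /etc/sudoers: one malformed
# line in /etc/sudoers disables sudo for every account. NOPASSWD is the
# author's stated preference.
sudoers_dropin="/etc/sudoers.d/90-${new_user}"
printf '%s ALL=(ALL) NOPASSWD: ALL\n' "${new_user}" > "${sudoers_dropin}"
chmod 0440 "${sudoers_dropin}"
visudo -cf "${sudoers_dropin}" || die "invalid sudoers drop-in ${sudoers_dropin}"

#setup etckeeper
# - it controls /etc changes with a .git repo, on APT install/upgrade/remove, and with daily CRON job
# - see http://evilrouters.net/2011/02/18/using-etckeeper-with-git-on-ubuntu/
apt-get -y install git   # 'git-core' is only a transitional name for this package
git config --global user.name "root"
git config --global user.email "root@vps4"
apt-get -y install etckeeper
# select git as the VCS: uncomment VCS="git", comment out VCS="bzr"
sed -i '/#VCS="git"/ s/^#//; /VCS="bzr"/ s/^/#/' /etc/etckeeper/etckeeper.conf
[[ -d /etc/.git ]] || etckeeper init
# "nothing to commit" on a re-run is not an error for this runbook
etckeeper commit "Initial commit." || true
# - basic usage is:
# # Everyday a cron job wil commit changes in /etc into /etc/.git
# # After editing some /etc file, you can commit manually with:
# cd /etc
# sudo etckeeper commit "apache2 security hardened"
# # You can see the changes of previous commits
# sudo git status
# sudo git log
# sudo git log --oneline
# sudo git log --summary
# sudo git log -1 -p
# # Use this as a *read-only* tool to see changes, but dont change the working directory (like go back and forth between commit changing /etc) or it will mess up your system! be read-only !

#sshd hardening
# .change port
#  The pattern also matches a commented-out '#Port 22' (how a stock
#  sshd_config ships); the original 's/^Port 22$/' silently did nothing
#  in that case and sshd kept listening on 22.
sed -i "s/^#\?Port [0-9]*$/Port ${ssh_port}/" "${sshd_config}"
# .disable root login (this avoids a LOT of brute-force attempts...)
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' "${sshd_config}"
# .only allow users which belong to group ssh_allow
getent group ssh_allow >/dev/null || addgroup ssh_allow
adduser "${new_user}" ssh_allow
if ! grep -q '^AllowGroups ' "${sshd_config}"; then
  printf '%s\n' '# :) Only allow login to users belonging to group ssh_allow' \
    'AllowGroups ssh_allow' >> "${sshd_config}"
fi
# validate before restarting: a config sshd refuses to load leaves no way back in
sshd -t || die "sshd_config failed validation; not restarting ssh"
# 'service' works under both upstart and systemd (the original 'restart ssh' is upstart-only)
service ssh restart

#install public key for user "pete" from remote-host into server "vpsserver", for passwordless ssh connection
#to be run in the remote-host (NOT part of this script):
#   remote-host$ ssh-copy-id -p 122 pete@vpsserver

#apt: assume "yes" to all questions
printf '%s\n' 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/99apt_get_assume_yes
chmod 644 /etc/apt/apt.conf.d/99apt_get_assume_yes

#apt: setup automatic install of security updates every day
## POS-NOTE:
## - this will install only security updates, it will not do normal updates (it could)
## - if needed, it will reboot after upgrading (like on kernel upgrades)
## - check logs of automatic updates in /var/log/unattended-upgrades
apt-get install -y unattended-upgrades
cat > /etc/apt/apt.conf.d/10periodic <<'EOT'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOT
# enable the two commented-out options: remove unused deps, reboot when an upgrade requires it
sed -i '
s_//\(Unattended-Upgrade::Remove-Unused-Dependencies\) "false";_\1 "true";_g
s_//\(Unattended-Upgrade::Automatic-Reboot\) "false";_\1 "true";_g' \
  /etc/apt/apt.conf.d/50unattended-upgrades

#firewall: leave ssh access and close all other ports
## a) for XEN/KVM virtualized machines:
# ufw limit ssh/tcp
# ufw enable
## b) for OpenVz (and possibly docker) virtualized containers
## see https://help.ubuntu.com/community/IptablesHowTo
iptables -L -v -n # List existing rules - there should be none, or else think before continuing...
iptables -F # Flush or remove existing rules
iptables -A INPUT -i lo -j ACCEPT # lo
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # maintain existing connections (like an active ssh session)
iptables -A INPUT -p tcp --dport "${ssh_port}" -j ACCEPT # ssh - the port sshd was configured to listen on above (the original opened 22 while sshd moved to 122)
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT # http
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT # https
#iptables -A INPUT -p tcp --dport 1234 -j ACCEPT # add new ports here as needed. Order matters
### Transmission ###
#iptables -A INPUT -p udp --dport 51413 -j ACCEPT # transmission peers UDP - to public internet
#iptables -A INPUT -p tcp --dport 51413 -j ACCEPT # transmission peers TCP - to public internet
#iptables -A INPUT -p tcp --dport 9091 -s 192.168.0.0/24 -j ACCEPT # transmission rpc - only local network
### Ipfs ###
#iptables -A INPUT -p tcp --dport 4001 -j ACCEPT # IPFS swarm - to public internet
#iptables -A INPUT -p tcp --dport 5001 -s 192.168.0.0/24 -j ACCEPT # IPFS API - only local network
#iptables -A INPUT -p tcp --dport 8080 -s 192.168.0.0/24 -j ACCEPT # IPFS gateway - only local network
### Iperf3 ###
#iptables -A INPUT -p tcp --dport 5200:5209 -j ACCEPT # iperf3 TCP
#iptables -A INPUT -p udp --dport 5200:5209 -j ACCEPT # iperf3 UDP
iptables -A INPUT -j DROP # drop all other
iptables -L -v -n
### Now is the moment to check if new connections like ssh will work ok... if not then do iptables -F to start over
### At last, lets save the iptables rules permanently, so they work after reboots
iptables-save > /etc/iptables.rules
cat > /etc/network/if-pre-up.d/iptablesload <<'EOT'
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOT
cat > /etc/network/if-post-down.d/iptablessave <<'EOT'
#!/bin/sh
iptables-save > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
EOT
chmod +x /etc/network/if-post-down.d/iptablessave
chmod +x /etc/network/if-pre-up.d/iptablesload

#dynamic dns: no-ip.com
# The client is fetched, built from source and then run as root, so fetch
# it over TLS (the original used plain http) and compare the archive against
# a checksum published by the vendor before building; none is recorded here.
readonly noip_url='https://www.no-ip.com/client/linux/noip-duc-linux.tar.gz'
wget -- "${noip_url}"
# TODO: verify noip-duc-linux.tar.gz against the vendor checksum before unpacking
tar -xzvf noip-duc-linux.tar.gz
cd noip-2.1.9-1/ || die "noip source directory not found"
apt-get install -y build-essential gcc   # the package is 'build-essential' (singular); 'build-essentials' does not exist
# separate lines so a failing 'make' aborts under set -e instead of being masked by '&&'
make
make install
#fill in username, password, etc, and then
# init runs this as root already, so the 'sudo' from the original is unnecessary
cat > /etc/init.d/noip2 <<'EOT'
#!/bin/sh
/usr/local/bin/noip2
EOT
chmod +x /etc/init.d/noip2
update-rc.d noip2 defaults
/etc/init.d/noip2

#secure shared memory
# see http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
# Needs reboot to become effective
if ! grep -qE '^tmpfs[[:space:]]+/dev/shm[[:space:]]' /etc/fstab; then
  printf '%s\n' 'tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0' >> /etc/fstab
fi

#secure /bin/su to be used only by group admin
# --list exits non-zero when no override exists yet; --add fails if one already does
dpkg-statoverride --list /bin/su >/dev/null \
  || dpkg-statoverride --update --add root admin 4750 /bin/su

#Harden network with sysctl settings
#see http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
# Appended once (marker line is the guard); applied by the final reboot.
grep -qF '## :) harden network with sysctl settings' /etc/sysctl.conf \
  || cat >> /etc/sysctl.conf <<'EOT'

## :) harden network with sysctl settings
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
EOT

#Prevent IP Spoofing
grep -q '^nospoof on' /etc/host.conf || printf '%s\n' 'nospoof on' >> /etc/host.conf

#Setup fail2ban
apt-get install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# raise the default ban from 600s to 1800s; only matches when the shipped default is literally 600
sed -i 's/^\(bantime =\) 600/\1 1800/g' /etc/fail2ban/jail.local
service fail2ban restart

#NTP
apt-get install -y ntp

#admin tools: htop, nethogs
apt-get install -y htop nethogs

##TODO:
# make "continuous integration" deployments directly from master branch...

#final reboot
# read -r so stdin is taken literally; at EOF (non-interactive run) read fails
# and set -e stops the script before the reboot rather than rebooting blindly.
printf '\033[1;31m---- Press ENTER to **reboot**, or CTRL-C to skip ----\033[0m\n'
read -r _
reboot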