
ssh secure, knockd, email (alpha)

Bachir Soussi Chiadmi 5 years ago
parent
commit
914f72e500
11 changed files with 166 additions and 8 deletions
  1. 12 0
      assets/knockd.conf
  2. 68 0
      bin/email.sh
  3. 1 1
      bin/fail2ban.sh
  4. 55 0
      bin/knockd.sh
  5. 2 1
      bin/misc.sh
  6. 17 0
      bin/ssh.sh
  7. 1 1
      bin/ufw.sh
  8. 1 1
      bin/upgrade.sh
  9. 1 1
      bin/user.sh
  10. 3 2
      install.sh
  11. 5 1
      readme.md

+ 12 - 0
assets/knockd.conf

@@ -0,0 +1,12 @@
+[options]
+      logfile = /var/log/knockd.log
+
+[SSH]
+      sequence    = 7000,8000,9000
+      seq_timeout = 5
+      # start_command = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+      start_command = ufw allow ssh
+      tcpflags    = syn
+      cmd_timeout   = 600
+      # stop_command = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
+      stop_command = ufw delete allow ssh
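Review bot: `start_command = ufw allow ssh` in the [SSH] stanza opens port 22 to every source for the whole `cmd_timeout`, not only to the host that completed the knock, which gives up most of what the knock sequence is meant to buy. knockd substitutes the knocking client's address for `%IP%` in its commands, so the pair can be scoped: `start_command = ufw allow from %IP% to any port 22 proto tcp` and `stop_command = ufw delete allow from %IP% to any port 22 proto tcp`. The `7000,8000,9000` sequence is a widely published example value; bin/knockd.sh in this commit replaces it from a prompt, and a comment such as `# placeholder, rewritten by bin/knockd.sh` next to it would make that dependency visible to anyone editing the file by hand.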

+ 68 - 0
bin/email.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+echo '\033[35m
+    __  ______    ______
+   /  |/  /   |  /  _/ /
+  / /|_/ / /| |  / // /
+ / /  / / ___ |_/ // /___
+/_/  /_/_/  |_/___/_____/
+\033[0m'
+echo "\033[35;1mEnable mail sending for php \033[0m"
+
+. bin/checkroot.sh
+
+# get the current position
+_cwd="$(pwd)"
+# check for assets forlder
+_assets="$_cwd/assets"
+if [ ! -d "$_assets" ]; then
+  _assets="$_cwd/../assets"
+  if [ ! -d "$_assets" ]; then
+    echo "!! can't find assets directory !!"
+    exit
+  fi
+fi
+
+# http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
+sleep 2
+
+apk add mailx postfix
+
+rc-update add postfix
+/etc/init.d/postfix start
+
+
+
+
+# dkim spf
+# echo "\033[35;1mConfiguring DKIM \033[0m"
+# while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
+# do
+#   echo -n "Should we install dkim for exim4 ? [y|n] "
+#   read installdkim
+# done
+# if [ "$installdkim" = "y" ]; then
+#   echo -n "Choose a domain for dkim (same domain as you chose before for exim4): "
+#   read domain
+#   selector=$(date +%Y%m%d)
+#
+#   mkdir /etc/exim4/dkim
+#   openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
+#   openssl rsa -in /etc/exim4/dkim/"$domain"-private.pem -out /etc/exim4/dkim/"$domain".pem -pubout -outform PEM
+#   chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.pem
+#   chmod 440 /etc/exim4/dkim/"$domain"-private.pem
+#
+#   cp "$_assets"/exim4_dkim.conf /etc/exim4/conf.d/main/00_local_macros
+#   sed -i -r "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros
+#   sed -i -r "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros
+#
+#   update-exim4.conf
+#   systemctl restart exim4
+#   echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
+#   echo "your public key is : \n"
+#   cat /etc/exim4/dkim/"$domain".pem
+#   echo "press any key to continue."
+#   read continu
+# else
+#   echo 'dkim not installed'
+# fi
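Review bot: The assets lookup after `. bin/checkroot.sh` guards nothing in this file — `_assets` is never read, since the only consumer (the DKIM block) is entirely commented out — so its sole effect is a bare `exit` that ends the sourcing installer with status 0 when the directory is missing. If the check is kept for the future DKIM work it should be `exit 1`, and the install step that does matter is unchecked: `apk add mailx postfix || exit 1` before `rc-update add postfix`, otherwise a failed package install is followed by enabling and starting a service that is not there. A short header comment stating that postfix is started with its packaged default configuration (nothing here writes main.cf) would also save the next reader from looking for the mail setup the banner promises.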

+ 1 - 1
bin/fail2ban.sh

@@ -9,7 +9,7 @@ echo -e '\033[35m
 \033[0m'
 echo -e "\033[35;1mInstalling fall2ban \033[0m"
 
-. checkroot.sh
+. bin/checkroot.sh
 
 sleep 2
 

+ 55 - 0
bin/knockd.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# TODO check if root
+
+echo -e '\033[35m
+    __                    __       __
+   / /______  ____  _____/ /______/ /
+  / //_/ __ \/ __ \/ ___/ //_/ __  /
+ / ,< / / / / /_/ / /__/ ,< / /_/ /
+/_/|_/_/ /_/\____/\___/_/|_|\__,_/
+\033[0m'
+echo -e "\033[35;1mInstalling knockd to control ssh port opening\033[0m"
+
+. bin/checkroot.sh
+
+# get the current position
+_cwd="$(pwd)"
+
+# check for assets forlder
+_assets="$_cwd/assets"
+if [ ! -d "$_assets" ]; then
+  _assets="$_cwd/../assets"
+  if [ ! -d "$_assets" ]; then
+    echo "!! can't find assets directory !!"
+    exit
+  fi
+fi
+
+sleep 2
+apk add knock
+
+
+echo -n "checking if ufw is installed"
+ufw_installed=$(apk list -I | grep "ufw")
+if ! $ufw_installed; then
+  echo -n "ufw installed"
+else
+  . bin/ufw.sh
+fi
+
+mv /etc/knockd.conf /etc/knockd.conf.ori
+cp "$_assets"/knockd.conf /etc/knockd.conf
+echo -n "define a sequence number for opening ssh (as 7000,8000,9000) : "
+read sq
+sed -i "s/7000,8000,9000/$sq/g" /etc/knockd.conf
+
+rc-update add knockd
+/etc/init.d/knockd start
+
+ufw delete allow ssh
+
+echo -e "\033[92;1mknockd installed and configured\033[Om"
+echo -e "\033[92;1mplease note this sequence for future ssh knocking\033[Om"
+echo "$sq"
+sleep 3
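Review bot: `ufw delete allow ssh` near the end runs regardless of whether `/etc/init.d/knockd start` succeeded or whether the value typed at `read sq` is a usable sequence, so a failed service start or a mistyped answer leaves the host with no permanent ssh rule and a knock daemon that cannot open one — the current session becomes the last way in. The ufw detection above it is also broken: `if ! $ufw_installed` executes the captured `apk list` output as a command rather than testing it, and the two branches only come out right by accident; `apk info -e ufw` gives the exit status directly. `read sq` is unvalidated and interpolated into a `sed` expression, so a stray `/` or `&` corrupts /etc/knockd.conf, and the `# TODO check if root` at the top is stale now that `. bin/checkroot.sh` follows it. The rewrite below validates the sequence, fixes the ufw test, and only removes the standing ssh rule once knockd is confirmed running.
```shell
# … unchanged: banner, checkroot, assets lookup, apk add knock …
if apk info -e ufw >/dev/null 2>&1; then
  echo "ufw installed"
else
  . bin/ufw.sh
fi

mv /etc/knockd.conf /etc/knockd.conf.ori
cp "$_assets"/knockd.conf /etc/knockd.conf
# accept only "port,port[,port...]" so the sed below cannot corrupt the config
sq=
while ! printf '%s' "$sq" | grep -Eq '^[0-9]+(,[0-9]+)+$'; do
  echo -n "define a sequence number for opening ssh (as 7000,8000,9000) : "
  read -r sq
done
sed -i "s/7000,8000,9000/$sq/g" /etc/knockd.conf

rc-update add knockd
# drop the permanent ssh rule only once knockd is actually running;
# otherwise this session is the last one that can reach the host
if /etc/init.d/knockd start && /etc/init.d/knockd status >/dev/null 2>&1; then
  ufw delete allow ssh
else
  echo "!! knockd failed to start, keeping the ufw ssh rule !!" >&2
  exit 1
fi
# … unchanged: final messages and sleep …
```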

+ 2 - 1
bin/misc.sh

@@ -9,7 +9,7 @@ echo -e '\033[35m
 
 \033[0m'
 
-. checkroot.sh
+. bin/checkroot.sh
 
 sleep 2
 
@@ -24,4 +24,5 @@ apk add vim curl
 # dpkg-reconfigure tzdata
 apk add tmux etckeeper htop lynx unzip # needrestart
 
+
 echo -e "\033[92;1mMisc done \033[Om"

+ 17 - 0
bin/ssh.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+echo '\033[35m
+   __________ __  __
+  / ___/ ___// / / /
+  \__ \\__ \/ /_/ /
+ ___/ /__/ / __  /
+/____/____/_/ /_/
+\033[0m'
+
+. bin/ssh.sh
+
+sed -i 's/#PermitRootLogin\ prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
+sed -i 's/#PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+
+/etc/init.d/sshd restart
+echo "\033[92;1mSSH secured\033[Om"
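Review bot: `. bin/ssh.sh` after the banner sources this script itself, which recurses until the shell gives up, and never performs the root check the sibling scripts do; it should read `. bin/checkroot.sh`. The two `sed` patterns only rewrite the commented-out packaged defaults (`#PermitRootLogin prohibit-password`, `#PermitEmptyPasswords yes`), so a config where the directive is already uncommented with another value is left untouched while "SSH secured" is still printed. Restarting sshd on an unvalidated config is the other lockout path here; `sshd -t` exists for exactly this check. The final echo uses `\033[Om` (letter O) instead of `\033[0m`, so the colour is never reset — the same typo is in the last two echo lines of bin/knockd.sh in this commit.
```shell
. bin/checkroot.sh

# match the directive whether it is still commented out or already set to
# another value; the previous patterns only rewrote the packaged defaults
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#*PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
grep -q '^PermitEmptyPasswords no' /etc/ssh/sshd_config || echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config

# refuse to restart on a broken config; a bad sshd_config leaves no way back in
if /usr/sbin/sshd -t; then
  /etc/init.d/sshd restart
else
  echo "!! sshd_config invalid, not restarting sshd !!" >&2
  exit 1
fi
# … unchanged: final message …
```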

+ 1 - 1
bin/firewall.sh → bin/ufw.sh

@@ -9,7 +9,7 @@ echo -e '\033[35m
 \033[0m'
 echo -e "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
 
-. checkroot.sh
+. bin/checkroot.sh
 sleep 2
 
 # TODO use awall instead of ufw ?

+ 1 - 1
bin/upgrade.sh

@@ -10,7 +10,7 @@ echo '\033[35m
 \____/_/    \____/_/ |_/_/  |_/_____/_____/
 \033[0m'
 
-. checkroot.sh
+. bin/checkroot.sh
 
 apk update
 apk upgrade

+ 1 - 1
bin/user.sh

@@ -9,7 +9,7 @@ echo -e '\033[35m
 \033[0m'
 echo -e "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
 
-. checkroot.sh
+. bin/checkroot.sh
 
 sleep 3
 

+ 3 - 2
install.sh

@@ -25,8 +25,9 @@ _cwd="$(pwd)"
 . bin/upgrade
 . bin/user.sh
 . bin/misc.sh
-. bin/firewall.sh
+. bin/ufw.sh
 . bin/fail2ban.sh
+. bin/knockd.sh
 
 
-. bin/lemp.sh
+# . bin/lemp.sh
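Review bot: A default run of install.sh now ends with ssh reachable only through port knocking, because the newly sourced `bin/knockd.sh` removes the permanent ufw ssh rule as its last step and install.sh gives no way to skip it. Since every step is sourced with `.`, a bare `exit` inside any of them also terminates the installer mid-way, so a failure in knockd.sh after ufw.sh has already restricted inbound traffic is the state the operator is left in. Consider gating the line as `[ "$SKIP_KNOCKD" = 1 ] || . bin/knockd.sh` and saying in the readme that the printed sequence must be recorded before the session is closed. Note that `. bin/upgrade` above is context from before this commit, not part of the change.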

+ 5 - 1
readme.md

@@ -37,8 +37,12 @@ git clone https://figureslibres.io/gogs/bachir/alpine-web-server.git
 su
 cd alpine-web-server
 chmod a+x install.sh
-./install.sh
+. install.sh
 
+```
+4 all script in bin/ can be ran seperatly, but from the repos source exclusively
+```
+. bin/misc.sh
 ```
 
 ## ref