
upgrade, misc, user, ufw, fail2ban

Bachir Soussi Chiadmi 5 years ago
parent
commit
fe09070a3a
9 changed files with 188 additions and 5 deletions
  1. 6 0
      bin/checkroot.sh
  2. 24 0
      bin/fail2ban.sh
  3. 26 0
      bin/firewall.sh
  4. 1 0
      bin/lemp.sh
  5. 27 0
      bin/misc.sh
  6. 16 0
      bin/upgrade.sh
  7. 46 0
      bin/user.sh
  8. 32 0
      install.sh
  9. 10 5
      readme.md

+ 6 - 0
bin/checkroot.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ "$EUID" -ne 0 ]; then
+  echo -e "Please run as root"
+  exit
+fi
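Review bot: `$EUID` is a bash/zsh variable and is not set by the `#!/bin/sh` interpreter this file declares, so under a POSIX shell (busybox ash on Alpine, which the readme targets) the test becomes `[ "" -ne 0 ]`, which is rejected as a non-number and evaluates false — the root check is silently skipped for a non-root caller. Use the portable `id -u` and exit non-zero so a caller can tell the guard fired: `if [ "$(id -u)" -ne 0 ]; then`, `printf '%s\n' "Please run as root" >&2`, `exit 1`. This file is sourced with `.` by every other script in the commit, so `exit` ends the sourcing script; that appears to be the intent and deserves a one-line comment at the top so nobody later replaces it with `return`.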

+ 24 - 0
bin/fail2ban.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo -e '\033[35m
+    ______      _ _____   __
+   / ____/___ _(_) /__ \ / /_  ____ _____
+  / /_  / __ `/ / /__/ // __ \/ __ `/ __ \
+ / __/ / /_/ / / // __// /_/ / /_/ / / / /
+/_/    \__,_/_/_//____/_.___/\__,_/_/ /_/
+\033[0m'
+echo -e "\033[35;1mInstalling fall2ban \033[0m"
+
+. checkroot.sh
+
+sleep 2
+
+apk add fail2ban
+# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+# ToDo ask for email and configure jail.local with it
+rc-update add fail2ban
+# rc-update start fail2ban
+# service fail2ban start
+/etc/init.d/fail2ban start
+
+echo -e "\033[92;1mfail2ban installed and configured\033[Om"
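Review bot: `. checkroot.sh` on line 55 has no slash in its path, so a POSIX `.` resolves it through `PATH` rather than the script's own directory; unless `bin/` is on `PATH` the source fails with "not found" and, with no `set -e`, the script carries on without the root check (the same form appears in firewall.sh, misc.sh, upgrade.sh and user.sh). An explicit path that aborts on failure, `. ./checkroot.sh || exit 1`, makes the miss loud; callers then need to run from `bin/` or rely on their own guard, as install.sh already does. `apk add fail2ban` is unchecked, so `rc-update add fail2ban` and the init-script start run even when the package never installed; `apk add fail2ban || exit 1` would stop there. The closing banner on line 67 writes `\033[Om` with a capital O instead of a zero, so the colour attribute is never reset — the same typo is on firewall.sh line 98 and misc.sh line 136.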

+ 26 - 0
bin/firewall.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+echo -e '\033[35m
+    ______________  _______       _____    __    __
+   / ____/  _/ __ \/ ____/ |     / /   |  / /   / /
+  / /_   / // /_/ / __/  | | /| / / /| | / /   / /
+ / __/ _/ // _, _/ /___  | |/ |/ / ___ |/ /___/ /___
+/_/   /___/_/ |_/_____/  |__/|__/_/  |_/_____/_____/
+\033[0m'
+echo -e "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
+
+. checkroot.sh
+sleep 2
+
+# TODO use awall instead of ufw ?
+
+# ufw
+apk add ufw
+ufw allow ssh # knockd will open the ssh port
+ufw allow http
+ufw allow https
+# TODO ask for allowing ssh for some ip
+
+ufw enable
+ufw status verbose
+echo -e "\033[92;1mufw installed and firwall configured\033[Om"
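Review bot: `ufw enable` loads the rules into the running kernel and flags ufw as enabled in its own config, but on Alpine the rules are reapplied at boot by ufw's OpenRC service, and this hunk never registers it, so after a reboot the host may come up with no firewall; fail2ban.sh does the equivalent `rc-update add fail2ban`, so the omission looks accidental — confirm against the ufw package's init script. Adding `rc-update add ufw` after `ufw enable` closes that gap. `apk add ufw` is unchecked, so on a failed install each `ufw` line fails on its own and the success banner still prints; `apk add ufw || exit 1` would stop first. The comment `# knockd will open the ssh port` describes a component the readme still lists as not done, so the allow-ssh rule is the actual state until knockd exists and the comment should say so.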

+ 1 - 0
bin/lemp.sh

@@ -0,0 +1 @@
+#!/bin/sh

+ 27 - 0
bin/misc.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+echo -e '\033[35m
+    __  ____
+   /  |/  (_)_________
+  / /|_/ / / ___/ ___/
+ / /  / / (__  ) /__
+/_/  /_/_/____/\___/
+
+\033[0m'
+
+. checkroot.sh
+
+sleep 2
+
+echo '@edge http://dl-cdn.alpinelinux.org/alpine/edge/main
+@edgecommunity http://dl-cdn.alpinelinux.org/alpine/edge/community
+@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories
+
+apk add vim curl
+# sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
+# locale-gen
+# apt-get --yes --force-yes install ntp
+# dpkg-reconfigure tzdata
+apk add tmux etckeeper htop lynx unzip # needrestart
+
+echo -e "\033[92;1mMisc done \033[Om"
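Review bot: The `>> /etc/apk/repositories` append on lines 125-127 is not idempotent: every run of the installer adds another copy of the three edge lines, and nothing checks whether they are already present. A guard such as `grep -q '^@testing ' /etc/apk/repositories || echo '…' >> /etc/apk/repositories` keeps repeated runs from growing the file. Because the entries are tagged (`@edge`, `@edgecommunity`, `@testing`), apk should only draw on them for packages explicitly requested with that tag, which is worth a comment so a later reader does not assume the server now tracks edge — confirm against apk's repository-tag semantics. Both `apk add` calls are unchecked, so the "Misc done" banner prints even when a package failed to install.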

+ 16 - 0
bin/upgrade.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# TODO check if root
+
+echo '\033[35m
+   __  ______  __________  ___    ____  ______
+  / / / / __ \/ ____/ __ \/   |  / __ \/ ____/
+ / / / / /_/ / / __/ /_/ / /| | / / / / __/
+/ /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___
+\____/_/    \____/_/ |_/_/  |_/_____/_____/
+\033[0m'
+
+. checkroot.sh
+
+apk update
+apk upgrade
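Review bot: `apk update` and `apk upgrade` on lines 156-157 are unchecked, so a failed index refresh (no network, bad repository line) still falls through to `apk upgrade`, and install.sh then continues with the rest of the setup on a stale package set; `apk update && apk upgrade || exit 1` would stop there. The `# TODO check if root` on line 144 is already satisfied by `. checkroot.sh` on line 154 and can be dropped. This is also the only script in the commit that prints its banner with plain `echo` rather than `echo -e`, so whether the escape sequences render or appear literally depends on the shell's echo; using the same form as the other scripts avoids the inconsistency.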

+ 46 - 0
bin/user.sh

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+echo -e '\033[35m
+   __  _______ __________
+  / / / / ___// ____/ __ \
+ / / / /\__ \/ __/ / /_/ /
+/ /_/ /___/ / /___/ _, _/
+\____//____/_____/_/ |_|
+\033[0m'
+echo -e "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
+
+. checkroot.sh
+
+sleep 3
+
+echo -n "Enter user name: "
+read user
+while [ "$user" = "" ]
+do
+  read -p "enter a user name ? " user
+  if [ "$user" != "" ]; then
+    # check if user already exists
+    if id "$user" >/dev/null 2>&1; then
+      echo "user $user alreday exists, you must provide a non existing user name."
+      user=""
+    else
+      read -p "is user name $user correcte [y|n] " validated
+      if [ "$validated" = "y" ]; then
+        break
+      else
+        user=""
+      fi
+    fi
+  fi
+done
+
+
+# read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
+adduser "$user"
+# TODO limiting su to the admin group
+# echo "adding $user to admin group and limiting su to the admin group"
+# groupadd admin
+# usermod -a -G admin "$user"
+# allow admin group to su
+# dpkg-statoverride --update --add root admin 4750 /bin/su
+# echo -e "\033[92;1muser $user configured\033[Om"
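Review bot: The existence check on lines 184-187 is only reached from inside the `while` loop, but the first name is read on line 179 before the loop; a non-empty first answer makes the loop condition false at once, so an existing user name typed at the first prompt is neither rejected nor confirmed and goes straight to `adduser "$user"` on line 201, where adduser fails and the script ends without a message. Dropping lines 178-179 and starting with `user=""` routes every answer through the same validation. `read user` and `read -p … user` should be `read -r` so a backslash in the input is not interpreted, and `adduser "$user"` is unchecked, so a failure there is silent; `adduser "$user" || exit 1` makes it visible. `read -p` is not POSIX, which matters under `#!/bin/sh`, though busybox ash accepts it.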

+ 32 - 0
install.sh

@@ -0,0 +1,32 @@
+#! /bin/sh
+
+echo -e '\033[35m
+    _   _      _            _    ___ __  __ ___
+   /_\ | |_ __(_)_ _  ___  | |  | __|  \/  | _ \
+  / _ \| | '_ \ | ' \/ -_) | |__| _|| |\/| |  _/
+ /_/ \_\_| .__/_|_||_\___| |____|___|_|  |_|_|
+         |_|
+\033[0m'
+echo -e "\033[35;1mThis script has been tested only on Alpine Linux \033[0m"
+
+. bin/checkroot.sh
+
+echo -n "Should we start? [Y|n] "
+read yn
+yn=${yn:-y}
+if [ "$yn" != "y" ]; then
+  echo -e "aborting script!"
+  exit
+fi
+
+# get the current position
+_cwd="$(pwd)"
+
+. bin/upgrade
+. bin/user.sh
+. bin/misc.sh
+. bin/firewall.sh
+. bin/fail2ban.sh
+
+
+. bin/lemp.sh
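Review bot: `. bin/upgrade` on line 238 does not match the file this commit adds, `bin/upgrade.sh`, so the source fails with "not found" and, with no `set -e`, the installer proceeds to user creation and the rest of the setup on an un-upgraded system; the line should read `. bin/upgrade.sh`. Every step is sourced rather than executed, so an `exit` anywhere under bin/ ends the whole installer and each script's own `. checkroot.sh` is resolved via `PATH` rather than `bin/` — worth a comment at the top of this file so the structure is understood before more steps are added. `_cwd="$(pwd)"` on line 236 is assigned but never read in this hunk, and `read yn` on line 228 should be `read -r yn`.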

+ 10 - 5
readme.md

@@ -1,16 +1,21 @@
 # Install web server and secure it on alpine linux
 
-- [ ] Fail2ban
-- [ ] Ufw
+- [x] upgrade
+- [x] adduser
+- [x] misc
+- [x] Ufw (to be replaced by awall)
+- [x] Fail2ban
 - [ ] Proftpd
 - [ ] Knockd
-- [ ] Nginx
 - [ ] Mariadb
-- [ ] php7.0-fpm
-- [ ] redis
+- [ ] php7-fpm
+- [ ] Nginx
+- [ ] letsencrypt
 - [ ] vhosts
+- [ ] redis
 - [ ] git barre repos
 - [ ] zabbix-agent
+- [ ] urbackup-client
 - [ ] dotfiles and more
 
 ## how to use it