#!/bin/sh # bachir soussi chiadmi # # http://www.debian.org/doc/manuals/securing-debian-howto/ # https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics # https://www.linode.com/docs/websites/lamp/lamp-server-on-debian-7-wheezy/ # http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/ # echo '\033[35m ____ __ _ _____ / __ \___ / /_ (_)___ _____ / ___/___ ______ _____ _____ / / / / _ \/ __ \/ / __ `/ __ \ \__ \/ _ \/ ___/ | / / _ \/ ___/ / /_/ / __/ /_/ / / /_/ / / / / ___/ / __/ / | |/ / __/ / /_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/ \033[0m' echo "\033[35;1mThis script has been tested only on Linux Debian 7 \033[0m" echo "Please run this script as root" echo -n "Should we start? [Y|n] " read yn yn=${yn:-y} if [ "$yn" != "y" ]; then echo "aborting script!" exit fi # get the current position _cwd="$(pwd)" echo '\033[35m __ ______ __________ ___ ____ ______ / / / / __ \/ ____/ __ \/ | / __ \/ ____/ / / / / /_/ / / __/ /_/ / /| | / / / / __/ / /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___ \____/_/ \____/_/ |_/_/ |_/_____/_____/ \033[0m' apt-get update apt-get upgrade echo '\033[35m __ ____ / |/ (_)_________ / /|_/ / / ___/ ___/ / / / / (__ ) /__ /_/ /_/_/____/\___/ \033[0m' apt-get install vim echo '\033[35m __ _____ ____ ____ _______ __ / / / / | / __ \/ __ \/ ____/ | / / / /_/ / /| | / /_/ / / / / __/ / |/ / / __ / ___ |/ _, _/ /_/ / /___/ /| / /_/ /_/_/ |_/_/ |_/_____/_____/_/ |_/ \033[0m' echo "\033[35;1mInstalling harden \033[0m" sleep 3 apt-get install harden echo "\033[92;1mHarden instaled\033[Om" echo '\033[35m ______________ _______ _____ __ __ / ____/ _/ __ \/ ____/ | / / | / / / / / /_ / // /_/ / __/ | | /| / / /| | / / / / / __/ _/ // _, _/ /___ | |/ |/ / ___ |/ /___/ /___ /_/ /___/_/ |_/_____/ |__/|__/_/ |_/_____/_____/ \033[0m' echo "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m" sleep 3 apt-get install ufw ufw allow ssh ufw allow http ufw enable ufw status verbose echo "\033[92;1mufw installed and firwall configured\033[Om" echo '\033[35m ______ _ _____ __ / ____/___ _(_) /__ \ / /_ ____ _____ / /_ / __ `/ / /__/ // __ \/ __ `/ __ \ / __/ / /_/ / / // __// /_/ / /_/ / / / / /_/ \__,_/_/_//____/_.___/\__,_/_/ /_/ \033[0m' echo "\033[35;1mInstalling fall2ban \033[0m" apt-get install fail2ban cat "$_cwd"/assets/fail2ban.jail.conf > /etc/fail2ban/jail.conf service fail2ban restart echo "\033[92;1mfail2ban installed and configured\033[Om" echo '\033[35m __ __ __ / /______ ____ _____/ /______/ / / //_/ __ \/ __ \/ ___/ //_/ __ / / ,< / / / / /_/ / /__/ ,< / /_/ / /_/|_/_/ /_/\____/\___/_/|_|\__,_/ \033[0m' echo "\033[35;1mInstalling knockd \033[0m" sleep 3 apt-get install knockd echo -n "define a sequence number for opening (as 7000,8000,9000) : " read sq1 echo -n "define a sequence number for closing (as 9000,8000,7000) : " read sq2 sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd echo "\033[92;1mknockd installed and configured\033[Om" echo "\033[92;1mplease note these sequences for future knocking\033[Om" echo "opening : $sq1 ; closing : $sq2" echo '\033[35m __ _______ __________ / / / / ___// ____/ __ \ / / / /\__ \/ __/ / /_/ / / /_/ /___/ / /___/ _, _/ \____//____/_____/_/ |_| \033[0m' echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m" sleep 3 echo -n "Enter user name: " read user # read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1 adduser "$user" echo "adding $user to admin group and limiting su to the admin group" groupadd admin usermod -a -G admin "$user" dpkg-statoverride --update --add root admin 4750 /bin/su echo "\033[92;1muser $user configured\033[Om" echo '\033[35m __ ______ ______ / |/ / | / _/ / / /|_/ / /| | / // / / / / / ___ |_/ // /___ /_/ /_/_/ |_/___/_____/ \033[0m' echo "\033[35;1mEnable mail sending for php \033[0m" # http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13 sleep 3 dpkg-reconfigure exim4-config service exim4 restart # dkim spf # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 echo "\033[35;1mConfiguring DKIM \033[0m" while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ] do echo -n "Should we install dkim for exim4 ? [y|n] " read installdkim done if [ "$installdkim" = "y" ]; then echo -n "Choose a domain for dkim: " read domain selector=$(date +%Y%m%d) mkdir /etc/exim4/dkim openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM openssl rsa -in /etc/exim4/dkim/"$domain"-private.pem -out /etc/exim4/dkim/"$domain".pem -pubout -outform PEM chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.pem chmod 440 /etc/exim4/dkim/"$domain"-private.pem cp "$_cwd"/assets/exima4_dkim.conf /etc/exim4/conf.d/main/00_local_macros sed -ir "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros sed -ir "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros update-exim4.conf service exim4 restart echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n" echo "your public key is : \n" cat /etc/exim4/dkim/"$domain".pem echo "press any key to continue." read continu else echo 'dkim not installed' fi echo '\033[35m __________ __ __ / ___/ ___// / / / \__ \\__ \/ /_/ / ___/ /__/ / __ / /____/____/_/ /_/ \033[0m' while [ "$securssh" != "y" ] && [ "$securssh" != "n" ] do echo -n "Securing ssh (disabling root login)? [y|n] " read securssh # securssh=${securssh:-y} done if [ "$securssh" = "y" ]; then sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config service ssh reload echo "\033[92;1mSSH secured\033[Om" else echo 'root user can still conect through ssh' fi echo '\033[35m ______ _______ _____ | ____|__ __| __ \ | |__ | | | |__) | | __| | | | ___/ | | | | | | |_| |_| |_| \033[0m' echo -n "Should we install ftp server? [Y|n] " read yn yn=${yn:-y} if [ "$yn" != "y" ]; then echo "installing proftpd" apt-get install proftpd while [ "$_server_name" = "" ] do read -p "enter a server name ? " _server_name if [ "$_server_name" != "" ]; then read -p "is server name $_server_name correcte [y|n] " validated if [ "$validated" = "y" ]; then break else _server_name="" fi fi done echo "Configuring proftpd" cp "$_cwd"/assets/proftpd.conf /etc/proftpd/conf.d/"$_server_name".conf sed -ir "s/example/$_server_name/g" /etc/proftpd/conf.d/"$_server_name".conf ufw allow ftp addgroup ftpuser echo "ftp installtion done" echo "to permit to a user to connect through ftp, add him to the ftpuser group" echo "FTP users are jailed on their home by default" fi # TODO : allow ssh/ftp connection only from given ips echo "\033[35;1mInstalling AMP web server \033[0m" echo '\033[35m ___ __ ___ / | ____ ____ ______/ /_ ___ |__ \ / /| | / __ \/ __ `/ ___/ __ \/ _ \__/ / / ___ |/ /_/ / /_/ / /__/ / / / __/ __/ /_/ |_/ .___/\__,_/\___/_/ /_/\___/____/ /_/ \033[0m' echo "\033[35;1mInstalling Apache2 \033[0m" sleep 3 apt-get install apache2 a2enmod rewrite cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf # Change logrotate for Apache2 log files to keep 10 days worth of logs sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2 sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2 # Remove Apache server information from headers. sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf.d/security sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf.d/security service apache2 restart echo "\033[92;1mApache2 installed\033[Om" echo '\033[35m __ ___ __ / |/ /_ ___________ _/ / / /|_/ / / / / ___/ __ `/ / / / / / /_/ (__ ) /_/ / / /_/ /_/\__, /____/\__, /_/ /____/ /_/ \033[0m' echo "\033[35;1minstalling Mysql \033[0m" sleep 3 apt-get install mysql-server mysql_secure_installation echo "\033[92;1mmysql installed\033[Om" echo '\033[35m ____ __ ______ / __ \/ / / / __ \ / /_/ / /_/ / /_/ / / ____/ __ / ____/ /_/ /_/ /_/_/ \033[0m' echo "\033[35;1mInstalling PHP \033[0m" sleep 3 apt-get install php5 php-pear php5-gd echo "Configuring PHP" cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.back sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" /etc/php5/apache2/php.ini sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" /etc/php5/apache2/php.ini sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" /etc/php5/apache2/php.ini sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" /etc/php5/apache2/php.ini sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" /etc/php5/apache2/php.ini sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" /etc/php5/apache2/php.ini # following command doesn't work, make teh change manualy #sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini echo "register_globals = Off" >> /etc/php5/apache2/php.ini mkdir /var/log/php chown www-data /var/log/php apt-get install php5-mysql echo "\033[92;1mphp installed\033[Om" echo '\033[35m __ __ ___ ___ __ _ ____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___ / __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \ / /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / / / .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/ /_/ /_/ /____/ \033[0m' echo "\033[35;1mInstalling phpMyAdmin \033[0m" apt-get install phpmyadmin # echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin.conf echo "\033[35;1msecuring phpMyAdmin \033[0m" sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/" cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess echo -n "define a user name for phpmyadmin : " read un htpasswd -c /etc/phpmyadmin/.htpasswd $un service apache2 restart echo "\033[92;1mphpMyAdmin installed\033[Om" echo "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om" echo '\033[35m __ __ _ __/ /_ ____ _____/ /_ | | / / __ \/ __ \/ ___/ __/ | |/ / / / / /_/ (__ ) /_ |___/_/ /_/\____/____/\__/ \033[0m' echo "\033[35;1mVHOST install \033[0m" while [ "$vh" != "y" ] && [ "$vh" != "n" ] do echo -n "Should we install a vhost? [y|n] " read vh # vh=${vh:-y} done if [ "$vh" = "y" ]; then while [ "$_host_name" = "" ] do read -p "enter a hostname ? " _host_name if [ "$_host_name" != "" ]; then read -p "is hostname $_host_name correcte [y|n] " validated if [ "$validated" = "y" ]; then break else _host_name="" fi fi done cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf mkdir -p /srv/www/"$_host_name"/public_html mkdir /srv/www/"$_host_name"/logs #set proper right to user will handle the app chown -R root:admin /srv/www/"$_host_name"/ chmod -R g+w /srv/www/"$_host_name"/ chmod -R g+r /srv/www/"$_host_name"/ # create a shortcut to the site mkdir /home/"$user"/www/ chown "$user":admin /home/"$user"/www/ ln -s /srv/www/"$_host_name" /home/"$user"/www/"$_host_name" #activate the vhost a2ensite "$_host_name".conf #restart apache service apache2 restart echo "\033[92;1mvhost $_host_name configured\033[Om" else echo "Vhost installation aborted" fi echo '\033[35m __ ___ _ __ __ __ ___ _ / |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__ / /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \ /_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/ \033[0m' echo "\033[35;1mInstalling Munin \033[0m" sleep 3 # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/ apt-get install munin munin-node munin-plugins-extra # Configure Munin # enable plugins ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_ ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_ ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/ ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/ ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/ # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/ # dbdir, htmldir, logdir, rundir, and tmpldir sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf htpasswd -c /etc/munin/munin-htpasswd admin sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf service apache2 restart service munin-node restart echo "\033[92;1mMunin installed\033[Om" echo "\033[35;1mInstalling Monit \033[0m" sleep 3 # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/ apt-get install monit # TODO setup monit rc cat "$_cwd"/assets/monitrc > /etc/monit/monitrc # TODO setup webaccess passok=0 while [ "$passok" = "0" ] do echo -n "Write web access password to monit" read passwda echo -n "ReWrite web access password to monit" read passwdb if [ "$passwda" = "$passwdb" ]; then sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc passok=1 else echo "pass words don't match, please try again" fi done # TODO setup mail settings sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc mkdir /var/www/html/monit echo "hello" > /var/www/html/monit/token service monit start echo "\033[92;1mMonit installed\033[Om" echo '\033[35m ___ __ __ / |_ _______/ /_____ _/ /_ / /| | | /| / / ___/ __/ __ `/ __/ / ___ | |/ |/ (__ ) /_/ /_/ / /_ /_/ |_|__/|__/____/\__/\__,_/\__/ \033[0m' echo "\033[35;1mInstalling Awstat \033[0m" sleep 3 apt-get install awstats # Configure AWStats temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l` if [ $temp -lt 1 ]; then echo SiteDomain="$_host_name" >> /etc/awstats/awstats.conf.local fi # Disable Awstats from executing every 10 minutes. Put a hash in front of any line. sed -i 's/^[^#]/#&/' /etc/cron.d/awstats echo "\033[92;1mAwstat installed\033[Om" # echo '\033[35m # ______________ _______ # /_ __/ ____/ |/ / __ \ # / / / __/ / /|_/ / /_/ / # / / / /___/ / / / ____/ # /_/ /_____/_/ /_/_/ # \033[0m' # function check_tmp_secured { # temp1=`grep -w "/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0" /etc/fstab | wc -l` # temp2=`grep -w "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" /etc/fstab | wc -l` # if [ $temp1 -gt 0 ] || [ $temp2 -gt 0 ]; then # return 1 # else # return 0 # fi # } # End function check_tmp_secured # function secure_tmp_tmpfs { # cp /etc/fstab /etc/fstab.bak # # Backup /tmp # cp -Rpf /tmp /tmpbackup # rm -rf /tmp # mkdir /tmp # mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp # chmod 1777 /tmp # echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab # # Restore /tmp # cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1 # #Remove old tmp dir # rm -rf /tmpbackup # # Backup /var/tmp and link it to /tmp # mv /var/tmp /var/tmpbackup # ln -s /tmp /var/tmp # # Copy the old data back # cp -Rpf /var/tmpold/* /tmp/ >/dev/null 2>&1 # # Remove old tmp dir # rm -rf /var/tmpbackup # echo -e "\033[35;1m /tmp and /var/tmp secured using tmpfs. \033[0m" # } # End function secure_tmp_tmpfs # check_tmp_secured # if [ $? = 0 ]; then # secure_tmp_tmpfs # else # echo -e "\033[35;1mFunction canceled. /tmp already secured. \033[0m" # fi echo '\033[35m ____ __ _______ __ / __ \____ / /_ / ____(_) /__ _____ / / / / __ \/ __/ / /_ / / / _ \/ ___/ / /_/ / /_/ / /_ / __/ / / / __(__ ) /_____/\____/\__/ /_/ /_/_/\___/____/ \033[0m' #installing better prompt and some goodies for root echo "\033[35;1mInstalling shell prompt for root \033[0m" sleep 3 echo "cloning github.com/bachy/dotfiles-server" git clone git://github.com/bachy/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh && cd ~ source ~/.bashrc echo "\033[92;1mDot files installed for root, you should installed them manually for $USER\033[0m" # TODO add warning message on ssh connection if system needs updates # TODO install and configure tmux echo '\033[35m ___ __ __ __ __ __ / | __ __/ /_____ / / / /___ ____/ /___ _/ /____ / /| |/ / / / __/ __ \ / / / / __ \/ __ / __ `/ __/ _ \ / ___ / /_/ / /_/ /_/ / / /_/ / /_/ / /_/ / /_/ / /_/ __/ /_/ |_\__,_/\__/\____/ \____/ .___/\__,_/\__,_/\__/\___/ /_/ \033[0m' # https://www.howtoforge.com/how-to-configure-automatic-updates-on-debian-wheezy # https://www.bisolweb.com/tutoriels/serveur-vps-ovh-partie-5-installation-apticron/ echo "\033[35;1mInstalling apticron \033[0m" apt-get install apticron sleep 3 echo -n "Enter an email: " read email sed -ir "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf # sed -ir "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf sed -ir "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf echo "\033[92;1mApticron installed and configured\033[0m" echo '\033[35m __ ___ ____ ____/ / / _ \/ __ \/ __ / / __/ / / / /_/ / \___/_/ /_/\__,_/ \033[0m' echo "\033[35;1m* * script done * * \033[0m"