install-debian-server.sh 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412
  1. #!/bin/sh
  2. # bachir soussi chiadmi
  3. #
  4. # http://www.debian.org/doc/manuals/securing-debian-howto/
  5. # https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
  6. # https://www.linode.com/docs/websites/lamp/lamp-server-on-debian-7-wheezy/
  7. # http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/
  8. #
  9. echo '
  10. ____ __ _ _____
  11. / __ \___ / /_ (_)___ _____ / ___/___ ______ _____ _____
  12. / / / / _ \/ __ \/ / __ `/ __ \ \__ \/ _ \/ ___/ | / / _ \/ ___/
  13. / /_/ / __/ /_/ / / /_/ / / / / ___/ / __/ / | |/ / __/ /
  14. /_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/
  15. '
  16. echo "\033[35;1mThis script has been tested only on Linux Debian 7 \033[0m"
  17. echo "Please run this script as root"
  18. echo -n "Should we start? [Y|n] "
  19. read yn
  20. yn=${yn:-y}
  21. if [ "$yn" != "y" ]; then
  22. echo "aborting script!"
  23. exit
  24. fi
  25. # get the current position
  26. _cwd="$(pwd)"
  27. echo '
  28. __ ______ __________ ___ ____ ______
  29. / / / / __ \/ ____/ __ \/ | / __ \/ ____/
  30. / / / / /_/ / / __/ /_/ / /| | / / / / __/
  31. / /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___
  32. \____/_/ \____/_/ |_/_/ |_/_____/_____/
  33. '
  34. apt-get update
  35. apt-get upgrade
  36. echo '
  37. __ ____
  38. / |/ (_)_________
  39. / /|_/ / / ___/ ___/
  40. / / / / (__ ) /__
  41. /_/ /_/_/____/\___/
  42. '
  43. apt-get install vim
  44. # TODO colorize vim
  45. cat "syntax on" >> ~/.vimrc
  46. # TODO colorize ls
  47. cat "$_cwd"/assets/.bashrc > ~/.bashrc
  48. echo '
  49. __ _____ ____ ____ _______ __
  50. / / / / | / __ \/ __ \/ ____/ | / /
  51. / /_/ / /| | / /_/ / / / / __/ / |/ /
  52. / __ / ___ |/ _, _/ /_/ / /___/ /| /
  53. /_/ /_/_/ |_/_/ |_/_____/_____/_/ |_/
  54. '
  55. echo "\033[35;1mInstalling harden \033[0m"
  56. sleep 3
  57. apt-get install harden
  58. echo "Harden instaled"
  59. echo "033[92;1m* * *033[Om"
  60. echo '
  61. ______________ _______ _____ __ __
  62. / ____/ _/ __ \/ ____/ | / / | / / / /
  63. / /_ / // /_/ / __/ | | /| / / /| | / / / /
  64. / __/ _/ // _, _/ /___ | |/ |/ / ___ |/ /___/ /___
  65. /_/ /___/_/ |_/_____/ |__/|__/_/ |_/_____/_____/
  66. '
  67. echo "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
  68. sleep 3
  69. apt-get install ufw
  70. ufw allow ssh
  71. ufw allow http
  72. ufw enable
  73. ufw status verbose
  74. echo "ufw installed and firwall configured"
  75. echo "033[92;1m* * *033[Om"
  76. echo '
  77. ______ _ _____ __
  78. / ____/___ _(_) /__ \ / /_ ____ _____
  79. / /_ / __ `/ / /__/ // __ \/ __ `/ __ \
  80. / __/ / /_/ / / // __// /_/ / /_/ / / / /
  81. /_/ \__,_/_/_//____/_.___/\__,_/_/ /_/
  82. '
  83. echo "\033[35;1mInstalling fall2ban \033[0m"
  84. apt-get install fail2ban
  85. cat "$_cwd"/assets/fail2ban.jail.conf > /etc/fail2ban/jail.conf
  86. echo "fail2ban installed and configured"
  87. echo "033[92;1m* * *033[Om"
  88. echo '
  89. __ __ __
  90. / /______ ____ _____/ /______/ /
  91. / //_/ __ \/ __ \/ ___/ //_/ __ /
  92. / ,< / / / / /_/ / /__/ ,< / /_/ /
  93. /_/|_/_/ /_/\____/\___/_/|_|\__,_/
  94. '
  95. echo "\033[35;1mInstalling knockd \033[0m"
  96. echo "031[92;1m!! Experimental !!033[Om"
  97. sleep 3
  98. apt-get install knockd
  99. echo -n "define a sequence number for opening (as 7000,8000,9000) : "
  100. read sq1
  101. echo -n "define a sequence number for closing (as 9000,8000,7000) : "
  102. read sq2
  103. sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf
  104. sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf
  105. sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
  106. echo "knockd installed and configured"
  107. echo "please note these sequences then hit enter to continue"
  108. echo -n "opening : $sq1 ; closing : $sq2"
  109. echo "031[92;1m!! PLEASE CHECK THESE VALUES on /etc/knockd.conf !!033[Om"
  110. echo "033[92;1m* * *033[Om"
  111. echo '
  112. __ _______ __________
  113. / / / / ___// ____/ __ \
  114. / / / /\__ \/ __/ / /_/ /
  115. / /_/ /___/ / /___/ _, _/
  116. \____//____/_____/_/ |_|
  117. '
  118. echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
  119. sleep 3
  120. echo -n "Enter user name: "
  121. read user
  122. # read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
  123. adduser "$user"
  124. echo "adding $user to admin group and limiting su to the admin group"
  125. groupadd admin
  126. usermod -a -G admin "$user"
  127. dpkg-statoverride --update --add root admin 4750 /bin/su
  128. echo "user $user configured"
  129. echo "033[92;1m* * *033[Om"
  130. echo '
  131. __________ __ __
  132. / ___/ ___// / / /
  133. \__ \\__ \/ /_/ /
  134. ___/ /__/ / __ /
  135. /____/____/_/ /_/
  136. '
  137. while [ "$securssh" != "y" ] && [ "$securssh" != "n" ]
  138. do
  139. echo -n "Securing ssh (disabling root login)? [y|n] "
  140. read securssh
  141. # securssh=${securssh:-y}
  142. done
  143. if [ "$securssh" = "y" ]; then
  144. sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
  145. sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
  146. sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
  147. service ssh reload
  148. echo "SSH secured"
  149. else
  150. echo 'root user can still conect through ssh'
  151. fi
  152. echo "033[92;1m* * *033[Om"
  153. # TODO : allow ssh/ftp connection only from given ips
  154. echo "\033[35;1mInstalling AMP web server \033[0m"
  155. echo '
  156. ___ __ ___
  157. / | ____ ____ ______/ /_ ___ |__ \
  158. / /| | / __ \/ __ `/ ___/ __ \/ _ \__/ /
  159. / ___ |/ /_/ / /_/ / /__/ / / / __/ __/
  160. /_/ |_/ .___/\__,_/\___/_/ /_/\___/____/
  161. /_/
  162. '
  163. echo "\033[35;1mInstalling Apache2 \033[0m"
  164. sleep 3
  165. apt-get install apache2
  166. a2enmod rewrite
  167. cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf
  168. # Change logrotate for Apache2 log files to keep 10 days worth of logs
  169. sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2
  170. sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2
  171. # Remove Apache server information from headers.
  172. sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf.d/security
  173. sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf.d/security
  174. service apache2 restart
  175. echo "Apache2 installed"
  176. echo "033[92;1m* * *033[Om"
  177. echo '
  178. __ ___ __
  179. / |/ /_ ___________ _/ /
  180. / /|_/ / / / / ___/ __ `/ /
  181. / / / / /_/ (__ ) /_/ / /
  182. /_/ /_/\__, /____/\__, /_/
  183. /____/ /_/
  184. '
  185. echo "\033[35;1minstalling Mysql \033[0m"
  186. sleep 3
  187. apt-get install mysql-server
  188. mysql_secure_installation
  189. echo "mysql installed"
  190. echo "033[92;1m* * *033[Om"
  191. echo '
  192. ____ __ ______
  193. / __ \/ / / / __ \
  194. / /_/ / /_/ / /_/ /
  195. / ____/ __ / ____/
  196. /_/ /_/ /_/_/
  197. '
  198. echo "\033[35;1mInstalling PHP \033[0m"
  199. sleep 3
  200. apt-get install php5 php-pear php5-gd
  201. echo "Configuring PHP"
  202. cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.back
  203. sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" /etc/php5/apache2/php.ini
  204. sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" /etc/php5/apache2/php.ini
  205. sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" /etc/php5/apache2/php.ini
  206. sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" /etc/php5/apache2/php.ini
  207. sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" /etc/php5/apache2/php.ini
  208. sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" /etc/php5/apache2/php.ini
  209. # following command doesn't work, make teh change manualy
  210. #sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini
  211. echo "register_globals = Off" >> /etc/php5/apache2/php.ini
  212. mkdir /var/log/php
  213. chown www-data /var/log/php
  214. apt-get install php5-mysql
  215. echo "php installed"
  216. echo "033[92;1m* * *033[Om"
  217. echo '
  218. __ __ ___ ___ __ _
  219. ____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
  220. / __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
  221. / /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
  222. / .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
  223. /_/ /_/ /____/
  224. '
  225. echo "\033[35;1mInstalling phpMyAdmin \033[0m"
  226. apt-get install phpmyadmin
  227. echo "phpMyAdmin installed"
  228. echo "033[92;1m* * *033[Om"
  229. echo '
  230. __ __
  231. _ __/ /_ ____ _____/ /_
  232. | | / / __ \/ __ \/ ___/ __/
  233. | |/ / / / / /_/ (__ ) /_
  234. |___/_/ /_/\____/____/\__/
  235. '
  236. echo "\033[35;1mVHOST install \033[0m"
  237. while [ "$vh" != "y" ] && [ "$vh" != "n" ]
  238. do
  239. echo -n "Should we install a vhost? [y|n] "
  240. read vh
  241. # vh=${vh:-y}
  242. done
  243. if [ "$vh" = "y" ]; then
  244. while [ "$_host_name" = "" ]
  245. do
  246. read -p "enter a hostname ? " _host_name
  247. if [ "$_host_name" != "" ]; then
  248. read -p "is hostname $_host_name correcte [y|n] " validated
  249. if [ "$validated" = "y" ]; then
  250. break
  251. else
  252. _host_name=""
  253. fi
  254. fi
  255. done
  256. cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
  257. sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
  258. mkdir -p /srv/www/"$_host_name"/public_html
  259. mkdir /srv/www/"$_host_name"/logs
  260. #set proper right to user will handle the app
  261. chown -R root:admin /srv/www/"$_host_name"/
  262. chmod -R g+w /srv/www/"$_host_name"/
  263. chmod -R g+r /srv/www/"$_host_name"/
  264. # create a shortcut to the site
  265. mkdir /home/"$user"/www/
  266. chown "$user":admin /home/"$user"/www/
  267. ln -s /srv/www/"$_host_name" /home/"$user"/www/"$_host_name"
  268. #activate the vhost
  269. a2ensite "$_host_name".conf
  270. #restart apache
  271. service apache2 restart
  272. echo "vhost $_host_name configured"
  273. else
  274. echo "Vhost installation aborted"
  275. fi
  276. echo "033[92;1m* * *033[Om"
  277. echo '
  278. ___ __ __
  279. / |_ _______/ /_____ _/ /_
  280. / /| | | /| / / ___/ __/ __ `/ __/
  281. / ___ | |/ |/ (__ ) /_/ /_/ / /_
  282. /_/ |_|__/|__/____/\__/\__,_/\__/
  283. '
  284. echo "\033[35;1mInstalling Awstat \033[0m"
  285. sleep 3
  286. apt-get install awstats
  287. # Configure AWStats
  288. temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
  289. if [ $temp -lt 1 ]; then
  290. echo SiteDomain="$_host_name" >> /etc/awstats/awstats.conf.local
  291. fi
  292. # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
  293. sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
  294. echo "Awstat installed"
  295. echo "033[92;1m* * *033[Om"
  296. # echo '
  297. # ______________ _______
  298. # /_ __/ ____/ |/ / __ \
  299. # / / / __/ / /|_/ / /_/ /
  300. # / / / /___/ / / / ____/
  301. # /_/ /_____/_/ /_/_/
  302. # '
  303. # function check_tmp_secured {
  304. # temp1=`grep -w "/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0" /etc/fstab | wc -l`
  305. # temp2=`grep -w "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" /etc/fstab | wc -l`
  306. # if [ $temp1 -gt 0 ] || [ $temp2 -gt 0 ]; then
  307. # return 1
  308. # else
  309. # return 0
  310. # fi
  311. # } # End function check_tmp_secured
  312. # function secure_tmp_tmpfs {
  313. # cp /etc/fstab /etc/fstab.bak
  314. # # Backup /tmp
  315. # cp -Rpf /tmp /tmpbackup
  316. # rm -rf /tmp
  317. # mkdir /tmp
  318. # mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
  319. # chmod 1777 /tmp
  320. # echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
  321. # # Restore /tmp
  322. # cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1
  323. # #Remove old tmp dir
  324. # rm -rf /tmpbackup
  325. # # Backup /var/tmp and link it to /tmp
  326. # mv /var/tmp /var/tmpbackup
  327. # ln -s /tmp /var/tmp
  328. # # Copy the old data back
  329. # cp -Rpf /var/tmpold/* /tmp/ >/dev/null 2>&1
  330. # # Remove old tmp dir
  331. # rm -rf /var/tmpbackup
  332. # echo -e "\033[35;1m /tmp and /var/tmp secured using tmpfs. \033[0m"
  333. # } # End function secure_tmp_tmpfs
  334. # check_tmp_secured
  335. # if [ $? = 0 ]; then
  336. # secure_tmp_tmpfs
  337. # else
  338. # echo -e "\033[35;1mFunction canceled. /tmp already secured. \033[0m"
  339. # fi
  340. echo '
  341. ____ __
  342. / __ \_________ ____ ___ ____ / /_
  343. / /_/ / ___/ __ \/ __ `__ \/ __ \/ __/
  344. / ____/ / / /_/ / / / / / / /_/ / /_
  345. /_/ /_/ \____/_/ /_/ /_/ .___/\__/
  346. /_/
  347. '
  348. #installing better prompt and some goodies for root
  349. echo "\033[35;1mInstalling shell prompt for root \033[0m"
  350. sleep 3
  351. git clone git://github.com/bachy/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh && cd ~
  352. source ~/.bashrc
  353. echo "done"
  354. echo "033[92;1m* * *033[Om"
  355. echo '
  356. __
  357. ___ ____ ____/ /
  358. / _ \/ __ \/ __ /
  359. / __/ / / / /_/ /
  360. \___/_/ /_/\__,_/
  361. '
  362. echo "\033[35;1m* * script done * * \033[0m"