123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524 |
- #!/bin/sh
- # bachir soussi chiadmi
- #
- # http://www.debian.org/doc/manuals/securing-debian-howto/
- # https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
- # https://www.linode.com/docs/websites/lamp/lamp-server-on-debian-7-wheezy/
- # http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/
- #
- echo '\033[35m
- ____ __ _ _____
- / __ \___ / /_ (_)___ _____ / ___/___ ______ _____ _____
- / / / / _ \/ __ \/ / __ `/ __ \ \__ \/ _ \/ ___/ | / / _ \/ ___/
- / /_/ / __/ /_/ / / /_/ / / / / ___/ / __/ / | |/ / __/ /
- /_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/
- \033[0m'
- echo "\033[35;1mThis script has been tested only on Linux Debian 7 \033[0m"
- echo "Please run this script as root"
- echo -n "Should we start? [Y|n] "
- read yn
- yn=${yn:-y}
- if [ "$yn" != "y" ]; then
- echo "aborting script!"
- exit
- fi
- # get the current position
- _cwd="$(pwd)"
- echo '\033[35m
- __ ______ __________ ___ ____ ______
- / / / / __ \/ ____/ __ \/ | / __ \/ ____/
- / / / / /_/ / / __/ /_/ / /| | / / / / __/
- / /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___
- \____/_/ \____/_/ |_/_/ |_/_____/_____/
- \033[0m'
- apt-get update
- apt-get upgrade
- echo '\033[35m
- __ ____
- / |/ (_)_________
- / /|_/ / / ___/ ___/
- / / / / (__ ) /__
- /_/ /_/_/____/\___/
- \033[0m'
- apt-get install vim
- echo '\033[35m
- __ _____ ____ ____ _______ __
- / / / / | / __ \/ __ \/ ____/ | / /
- / /_/ / /| | / /_/ / / / / __/ / |/ /
- / __ / ___ |/ _, _/ /_/ / /___/ /| /
- /_/ /_/_/ |_/_/ |_/_____/_____/_/ |_/
- \033[0m'
- echo "\033[35;1mInstalling harden \033[0m"
- sleep 3
- apt-get install harden
- echo "\033[92;1mHarden instaled\033[Om"
- echo '\033[35m
- ______________ _______ _____ __ __
- / ____/ _/ __ \/ ____/ | / / | / / / /
- / /_ / // /_/ / __/ | | /| / / /| | / / / /
- / __/ _/ // _, _/ /___ | |/ |/ / ___ |/ /___/ /___
- /_/ /___/_/ |_/_____/ |__/|__/_/ |_/_____/_____/
- \033[0m'
- echo "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
- sleep 3
- apt-get install ufw
- ufw allow ssh
- ufw allow http
- ufw enable
- ufw status verbose
- echo "\033[92;1mufw installed and firwall configured\033[Om"
- echo '\033[35m
- ______ _ _____ __
- / ____/___ _(_) /__ \ / /_ ____ _____
- / /_ / __ `/ / /__/ // __ \/ __ `/ __ \
- / __/ / /_/ / / // __// /_/ / /_/ / / / /
- /_/ \__,_/_/_//____/_.___/\__,_/_/ /_/
- \033[0m'
- echo "\033[35;1mInstalling fall2ban \033[0m"
- apt-get install fail2ban
- cat "$_cwd"/assets/fail2ban.jail.conf > /etc/fail2ban/jail.conf
- echo "\033[92;1mfail2ban installed and configured\033[Om"
- echo '\033[35m
- __ __ __
- / /______ ____ _____/ /______/ /
- / //_/ __ \/ __ \/ ___/ //_/ __ /
- / ,< / / / / /_/ / /__/ ,< / /_/ /
- /_/|_/_/ /_/\____/\___/_/|_|\__,_/
- \033[0m'
- echo "\033[35;1mInstalling knockd \033[0m"
- sleep 3
- apt-get install knockd
- echo -n "define a sequence number for opening (as 7000,8000,9000) : "
- read sq1
- echo -n "define a sequence number for closing (as 9000,8000,7000) : "
- read sq2
- sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf
- sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf
- sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
- echo "\033[92;1mknockd installed and configured\033[Om"
- echo "\033[92;1mplease note these sequences for future knocking\033[Om"
- echo "opening : $sq1 ; closing : $sq2"
- echo '\033[35m
- __ _______ __________
- / / / / ___// ____/ __ \
- / / / /\__ \/ __/ / /_/ /
- / /_/ /___/ / /___/ _, _/
- \____//____/_____/_/ |_|
- \033[0m'
- echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
- sleep 3
- echo -n "Enter user name: "
- read user
- # read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
- adduser "$user"
- echo "adding $user to admin group and limiting su to the admin group"
- groupadd admin
- usermod -a -G admin "$user"
- dpkg-statoverride --update --add root admin 4750 /bin/su
- echo "\033[92;1muser $user configured\033[Om"
- echo '\033[35m
- __________ __ __
- / ___/ ___// / / /
- \__ \\__ \/ /_/ /
- ___/ /__/ / __ /
- /____/____/_/ /_/
- \033[0m'
- while [ "$securssh" != "y" ] && [ "$securssh" != "n" ]
- do
- echo -n "Securing ssh (disabling root login)? [y|n] "
- read securssh
- # securssh=${securssh:-y}
- done
- if [ "$securssh" = "y" ]; then
- sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
- sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
- sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
- service ssh reload
- echo "\033[92;1mSSH secured\033[Om"
- else
- echo 'root user can still conect through ssh'
- fi
- echo '\033[35m
- ______ _______ _____
- | ____|__ __| __ \
- | |__ | | | |__) |
- | __| | | | ___/
- | | | | | |
- |_| |_| |_|
- \033[0m'
- echo -n "Should we install ftp server? [Y|n] "
- read yn
- yn=${yn:-y}
- if [ "$yn" != "y" ]; then
- echo "installing proftpd"
- apt-get install proftpd
- while [ "$_server_name" = "" ]
- do
- read -p "enter a server name ? " _server_name
- if [ "$_server_name" != "" ]; then
- read -p "is server name $_server_name correcte [y|n] " validated
- if [ "$validated" = "y" ]; then
- break
- else
- _server_name=""
- fi
- fi
- done
- echo "Configuring proftpd"
- cp "$_cwd"/assets/proftpd.conf /etc/proftpd/conf.d/"$_server_name".conf
- sed -ir "s/example/$_server_name/g" /etc/proftpd/conf.d/"$_server_name".conf
- ufw allow ftp
- addgroup ftpuser
- echo "ftp installtion done"
- echo "to permit to a user to connect through ftp, add him to the ftpuser group"
- echo "FTP users are jailed on their home by default"
- fi
- # TODO : allow ssh/ftp connection only from given ips
- echo "\033[35;1mInstalling AMP web server \033[0m"
- echo '\033[35m
- ___ __ ___
- / | ____ ____ ______/ /_ ___ |__ \
- / /| | / __ \/ __ `/ ___/ __ \/ _ \__/ /
- / ___ |/ /_/ / /_/ / /__/ / / / __/ __/
- /_/ |_/ .___/\__,_/\___/_/ /_/\___/____/
- /_/
- \033[0m'
- echo "\033[35;1mInstalling Apache2 \033[0m"
- sleep 3
- apt-get install apache2
- a2enmod rewrite
- cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf
- # Change logrotate for Apache2 log files to keep 10 days worth of logs
- sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2
- sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2
- # Remove Apache server information from headers.
- sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf.d/security
- sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf.d/security
- service apache2 restart
- echo "\033[92;1mApache2 installed\033[Om"
- echo '\033[35m
- __ ___ __
- / |/ /_ ___________ _/ /
- / /|_/ / / / / ___/ __ `/ /
- / / / / /_/ (__ ) /_/ / /
- /_/ /_/\__, /____/\__, /_/
- /____/ /_/
- \033[0m'
- echo "\033[35;1minstalling Mysql \033[0m"
- sleep 3
- apt-get install mysql-server
- mysql_secure_installation
- echo "\033[92;1mmysql installed\033[Om"
- echo '\033[35m
- ____ __ ______
- / __ \/ / / / __ \
- / /_/ / /_/ / /_/ /
- / ____/ __ / ____/
- /_/ /_/ /_/_/
- \033[0m'
- echo "\033[35;1mInstalling PHP \033[0m"
- sleep 3
- apt-get install php5 php-pear php5-gd
- echo "Configuring PHP"
- cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.back
- sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" /etc/php5/apache2/php.ini
- sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" /etc/php5/apache2/php.ini
- sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" /etc/php5/apache2/php.ini
- sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" /etc/php5/apache2/php.ini
- sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" /etc/php5/apache2/php.ini
- sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" /etc/php5/apache2/php.ini
- # following command doesn't work, make teh change manualy
- #sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini
- echo "register_globals = Off" >> /etc/php5/apache2/php.ini
- mkdir /var/log/php
- chown www-data /var/log/php
- apt-get install php5-mysql
- echo "\033[92;1mphp installed\033[Om"
- echo '\033[35m
- __ __ ___ ___ __ _
- ____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
- / __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
- / /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
- / .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
- /_/ /_/ /____/
- \033[0m'
- echo "\033[35;1mInstalling phpMyAdmin \033[0m"
- apt-get install phpmyadmin
- # echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
- ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin.conf
- echo "\033[35;1msecuring phpMyAdmin \033[0m"
- sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
- cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
- echo -n "define a user name for phpmyadmin : "
- read un
- htpasswd -c /etc/phpmyadmin/.htpasswd $un
- service apache2 restart
- echo "\033[92;1mphpMyAdmin installed\033[Om"
- echo "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
- echo '\033[35m
- __ __
- _ __/ /_ ____ _____/ /_
- | | / / __ \/ __ \/ ___/ __/
- | |/ / / / / /_/ (__ ) /_
- |___/_/ /_/\____/____/\__/
- \033[0m'
- echo "\033[35;1mVHOST install \033[0m"
- while [ "$vh" != "y" ] && [ "$vh" != "n" ]
- do
- echo -n "Should we install a vhost? [y|n] "
- read vh
- # vh=${vh:-y}
- done
- if [ "$vh" = "y" ]; then
- while [ "$_host_name" = "" ]
- do
- read -p "enter a hostname ? " _host_name
- if [ "$_host_name" != "" ]; then
- read -p "is hostname $_host_name correcte [y|n] " validated
- if [ "$validated" = "y" ]; then
- break
- else
- _host_name=""
- fi
- fi
- done
- cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
- sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
- mkdir -p /srv/www/"$_host_name"/public_html
- mkdir /srv/www/"$_host_name"/logs
- #set proper right to user will handle the app
- chown -R root:admin /srv/www/"$_host_name"/
- chmod -R g+w /srv/www/"$_host_name"/
- chmod -R g+r /srv/www/"$_host_name"/
- # create a shortcut to the site
- mkdir /home/"$user"/www/
- chown "$user":admin /home/"$user"/www/
- ln -s /srv/www/"$_host_name" /home/"$user"/www/"$_host_name"
- #activate the vhost
- a2ensite "$_host_name".conf
- #restart apache
- service apache2 restart
- echo "\033[92;1mvhost $_host_name configured\033[Om"
- else
- echo "Vhost installation aborted"
- fi
- echo '\033[35m
- __ ___ _ __ __ __ ___ _
- / |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__
- / /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \
- /_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/
- \033[0m'
- echo "\033[35;1mInstalling Munin \033[0m"
- sleep 3
- # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
- apt-get install munin munin-node munin-plugins-extra
- # Configure Munin
- # enable plugins
- ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
- ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
- ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
- ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
- ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
- ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
- ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
- ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
- ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
- ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
- # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/
- # dbdir, htmldir, logdir, rundir, and tmpldir
- sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf
- sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf
- sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf
- sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf
- sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf
- sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf
- # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf
- sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf
- htpasswd -c /etc/munin/munin-htpasswd admin
- sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf
- service apache2 restart
- service munin-node restart
- echo "\033[92;1mMunin installed\033[Om"
- echo "\033[35;1mInstalling Monit \033[0m"
- sleep 3
- # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/
- apt-get install monit
- # TODO setup monit rc
- cat "$_cwd"/assets/monitrc > /etc/monit/monitrc
- # TODO setup webaccess
- passok=0
- while [ "$passok" = "0" ]
- do
- echo -n "Write web access password to monit"
- read passwda
- echo -n "ReWrite web access password to monit"
- read passwdb
- if [ "$passwda" = "$passwdb" ]; then
- sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
- passok=1
- else
- echo "pass words don't match, please try again"
- fi
- done
- # TODO setup mail settings
- sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
- mkdir /var/www/html/monit
- echo "hello" > /var/www/html/monit/token
- service monit start
- echo "\033[92;1mMonit installed\033[Om"
- echo '\033[35m
- ___ __ __
- / |_ _______/ /_____ _/ /_
- / /| | | /| / / ___/ __/ __ `/ __/
- / ___ | |/ |/ (__ ) /_/ /_/ / /_
- /_/ |_|__/|__/____/\__/\__,_/\__/
- \033[0m'
- echo "\033[35;1mInstalling Awstat \033[0m"
- sleep 3
- apt-get install awstats
- # Configure AWStats
- temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
- if [ $temp -lt 1 ]; then
- echo SiteDomain="$_host_name" >> /etc/awstats/awstats.conf.local
- fi
- # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
- sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
- echo "\033[92;1mAwstat installed\033[Om"
- # echo '\033[35m
- # ______________ _______
- # /_ __/ ____/ |/ / __ \
- # / / / __/ / /|_/ / /_/ /
- # / / / /___/ / / / ____/
- # /_/ /_____/_/ /_/_/
- # \033[0m'
- # function check_tmp_secured {
- # temp1=`grep -w "/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0" /etc/fstab | wc -l`
- # temp2=`grep -w "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" /etc/fstab | wc -l`
- # if [ $temp1 -gt 0 ] || [ $temp2 -gt 0 ]; then
- # return 1
- # else
- # return 0
- # fi
- # } # End function check_tmp_secured
- # function secure_tmp_tmpfs {
- # cp /etc/fstab /etc/fstab.bak
- # # Backup /tmp
- # cp -Rpf /tmp /tmpbackup
- # rm -rf /tmp
- # mkdir /tmp
- # mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
- # chmod 1777 /tmp
- # echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
- # # Restore /tmp
- # cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1
- # #Remove old tmp dir
- # rm -rf /tmpbackup
- # # Backup /var/tmp and link it to /tmp
- # mv /var/tmp /var/tmpbackup
- # ln -s /tmp /var/tmp
- # # Copy the old data back
- # cp -Rpf /var/tmpold/* /tmp/ >/dev/null 2>&1
- # # Remove old tmp dir
- # rm -rf /var/tmpbackup
- # echo -e "\033[35;1m /tmp and /var/tmp secured using tmpfs. \033[0m"
- # } # End function secure_tmp_tmpfs
- # check_tmp_secured
- # if [ $? = 0 ]; then
- # secure_tmp_tmpfs
- # else
- # echo -e "\033[35;1mFunction canceled. /tmp already secured. \033[0m"
- # fi
- echo '\033[35m
- ____ __ _______ __
- / __ \____ / /_ / ____(_) /__ _____
- / / / / __ \/ __/ / /_ / / / _ \/ ___/
- / /_/ / /_/ / /_ / __/ / / / __(__ )
- /_____/\____/\__/ /_/ /_/_/\___/____/
- \033[0m'
- #installing better prompt and some goodies for root
- echo "\033[35;1mInstalling shell prompt for root \033[0m"
- sleep 3
- echo "cloning github.com/bachy/dotfiles-server"
- git clone git://github.com/bachy/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh && cd ~
- source ~/.bashrc
- echo "\033[92;1mDot files installed for root, you should installed them manually for $USER\033[0m"
- # TODO add warning message on ssh connection if system needs updates
- # TODO install and configure tmux
- echo '\033[35m
- __
- ___ ____ ____/ /
- / _ \/ __ \/ __ /
- / __/ / / / /_/ /
- \___/_/ /_/\__,_/
- \033[0m'
- echo "\033[35;1m* * script done * * \033[0m"
|