Starting to put together a script to be converted into Puppet or Chef for setting up a server using the Bonsaiframework approach.
If you don't know what you're doing yet, make sure to follow the expanded instructions.
```bash
#!/bin/bash
# This is not yet ready to use as an automatic script.
#
# MINIMAL SOFTWARE SECURITY ON HOST
#
sudo apt-get install fail2ban
#
# MINIMAL SOFTWARE AND UPDATES to copy and paste from this script
#
sudo apt-get --assume-yes install ntp
sudo apt-get update
sudo apt-get --assume-yes dist-upgrade
sudo apt-get --assume-yes install wget man htop
# on a super secure system (ie your host container) you might NOT install telnet
sudo apt-get --assume-yes install wget telnet
#
# allow staff to use sudo
#
# allow staff users to have root access through sudo
sudo su - root
cd /etc/sudoers.d/
sudo wget www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo chmod o-r /etc/sudoers.d/01_enable_sudo_for_staff
# the fragment is fetched over plain HTTP, so review it and check that it parses
# before relying on it: sudo visudo -cf /etc/sudoers.d/01_enable_sudo_for_staff
exit
#
# SSH for HOST and CONTAINER
#
# install ssh
sudo apt-get --assume-yes install ssh
# disable ssh user password authentication
# NOTE: the SECURE SSH section below repeats this step once key login has been
# confirmed; disabling passwords before your key works will lock you out.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.2011-02-12.v0.0.tinpham_about_to_disable_password_auth.bck
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# If you have slow ssh connection issues this can mean DNS on the server's hosting system is not working properly.
# In cases where you cannot fix this (ie work environment) then disable it.
# UseDNS is only needed if you use the from= option in an authorized_keys file and want to filter by host names and not just IPs.
# echo '# Disable reverse DNS lookup to prevent slow login' | sudo tee -a /etc/ssh/sshd_config
# echo 'UseDNS no' | sudo tee -a /etc/ssh/sshd_config
#
# MINIMAL SOFTWARE ON CONTAINER
#
# Software below is required to run the other scripts, ie download keys
sudo apt-get --assume-yes install mlocate wget
#
# ACCOUNTS
#
# I should add a step in here to verify that sudo works with the staff accounts
# Create Staff Users
sudo useradd -d /home/tin.pham -m -g staff -u 2000 -c "Support Tin Pham" -s /bin/bash tin.pham
sudo usermod -a -G adm tin.pham
sudo passwd tin.pham
sudo su - tin.pham
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cd ~/.ssh
wget www.bonsaiframework.com/tscripts/publicKey.tin.pham
cat publicKey.tin.pham >> authorized_keys
rm publicKey.tin.pham
exit # make sure to leave the user

sudo useradd -d /home/roderick.fongyee -m -g staff -u 2505 -c "Support Roderick Fongyee" -s /bin/bash roderick.fongyee
sudo usermod -a -G adm roderick.fongyee
sudo passwd roderick.fongyee
sudo su - roderick.fongyee
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cd ~/.ssh
wget www.bonsaiframework.com/tscripts/publicKey.roderick.fongyee
cat publicKey.roderick.fongyee >> authorized_keys
rm publicKey.roderick.fongyee
exit # make sure to leave the user

sudo addgroup --gid 3000 serveradmin
sudo useradd -d /home/serveradmin -m -g serveradmin -u 3000 -c "Admin catch-all" -s /bin/bash serveradmin
sudo usermod -a -G adm serveradmin
sudo passwd serveradmin
# add public key here if the intention is to allow remote login
sudo su - serveradmin
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cd ~/.ssh
wget www.bonsaiframework.com/tscripts/publicKey.serveradmin
cat publicKey.serveradmin >> authorized_keys
rm publicKey.serveradmin
exit # make sure to leave the user
#
# SECURE SSH
#
# Currently SSH can use keys, but falls back to passwords if keys fail.
# Once you confirm you can log in successfully with keys AND use sudo with your account,
# only then disable passwords to protect from brute force.
# Disable ssh user password authentication.
# Note: not necessary for LXD created images as this is already set to no
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.2011-02-12.v0.0.tinpham_about_to_disable_password_auth.bck
# We'll edit quickly with sed
cd /etc/ssh/
sudo sed -i.sedautobck 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Confirm your change worked. If you get nothing back you are good.
cmp -s /etc/ssh/sshd_config /etc/ssh/sshd_config.sedautobck && echo "sed did not work, your files are identical."
# restart ssh for the change to take effect
sudo service ssh restart
# Make sure to try starting a new terminal and connecting with an account that does not have an ssh key.
# You will see the error "Permission denied (publickey)."
# Your system is now safer.
################ Leave the default account and log into your main account
#
# CLEANUP
#
# Logout and delete default ubuntu account for containers
# Interesting, in a lxc setup, once my main account was created, left and logged back in, it appeared to automatically delete the default ubuntu user.
# Test this scenario again.
sudo userdel -r ubuntu
sudo userdel -r setupadmin
# Make sure to reboot for any kernel updates to take effect
sudo reboot
# Clean Up
sudo apt-get autoclean  # use this if you only want to clear out cached packages that can no longer be downloaded
sudo apt-get clean      # clean out all downloaded packages - I usually use this one
sudo apt-get autoremove # cleans out unused packages
# Setup firewall
# .... whoever is following this next, add the instructions here
```
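The script above uses two different sed patterns for `PasswordAuthentication` depending on whether the directive is commented out, and then compares the file against its backup to see whether sed actually did anything. The function below is an added example (not part of the original page or the Bonsaiframework scripts) that folds those steps into one idempotent edit, generalised to any global sshd_config directive such as `UseDNS no`: it handles the commented, uncommented and missing cases, leaves `Match` blocks alone, and reports whether a restart is needed. The function name, return-code convention and sample config are my own.

```bash
#!/bin/bash
# set_sshd_option FILE KEY VALUE
# Sets a global sshd_config directive idempotently. Handles the two cases the
# page covers with separate sed patterns ("#PasswordAuthentication yes" and
# "PasswordAuthentication yes") plus a directive that is absent altogether,
# and never touches lines inside a "Match" block (those apply only to the
# matched users/hosts, so editing them would not harden global logins).
# Returns 0 if the file was changed (restart sshd), 1 if it already had the
# value, 2 on error. Function name and exit-code convention are my own.
set_sshd_option() {
    local file="$1" key="$2" value="$3" desired="$2 $3" global backup
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Everything before the first Match line is the global section.
    global=$(sed -n '/^[[:space:]]*Match[[:space:]]/q;p' "$file")
    # Already set exactly as wanted (and not commented out): nothing to do.
    if printf '%s\n' "$global" | grep -Eq "^[[:space:]]*${key}[[:space:]]+${value}[[:space:]]*$"; then
        return 1
    fi
    backup="${file}.$(date +%Y%m%d%H%M%S).bck"
    cp -p "$file" "$backup"
    if printf '%s\n' "$global" | grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)"; then
        # Present (possibly commented out): rewrite it in the global section only.
        sed -i -E "/^[[:space:]]*Match[[:space:]]/,\$!s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$/${desired}/" "$file"
    elif grep -Eq '^[[:space:]]*Match[[:space:]]' "$file"; then
        # Absent and the file has Match blocks: insert before the first one.
        sed -i -E "0,/^[[:space:]]*Match[[:space:]]/s//${desired}\n&/" "$file"
    else
        # Absent and no Match blocks: append.
        printf '%s\n' "$desired" >> "$file"
    fi
    # Same check as the page's cmp: identical files mean the edit did nothing.
    if cmp -s "$file" "$backup"; then
        echo "warning: $file unchanged after edit" >&2
        return 2
    fi
    return 0
}

# Usage on a real host (requires root): apply both settings from the page,
# validate the config, and restart only if something changed.
# for kv in "PasswordAuthentication no" "UseDNS no"; do
#     set_sshd_option /etc/ssh/sshd_config $kv && changed=1
# done
# [ -n "$changed" ] && sshd -t && service ssh restart
```

Keep a second session open while restarting sshd, as the page advises, so a bad edit caught by `sshd -t` or a missing key does not lock you out.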