-
Notifications
You must be signed in to change notification settings - Fork 1
/
server.sh
327 lines (277 loc) · 14.8 KB
/
server.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
#!/bin/bash
#
# --------------------------------------------------------------------
# This is a free shell script under GNU GPL version 3.0 or above
# -------------------------------------------------------------------------
#
# This script automatically set up a new *Debian* server (IMPORTANT : Debian!), by doing these actions :
#
# * Modification of the root password
# * Adding .email & .forward with the official root email
# * Sending an email to check sendmail
# * Adds French accents to shell
# * Define an hostname for the server
# * Creating users
# * Securing SSH
# * Update the system
# * Install unattended-upgrades
# * Install Fail2Ban
# * Install and set some security for :
# ** Apache
# *** Disable modules : userdir suexec cgi cgid dav include autoindex authn_file status env headers proxy proxy_balancer proxy_http headers
# *** Enable modules : expires rewrite setenvif ssl
# ** Mysql
# *** Execute mysql_secure_installation script
# ** PHP
# *** With modules : cli mysql curl gd mcrypt memcache memcached suhosin
# ** PHPMyAdmin
# ** ProFTPd with MySQL support
#
# @see http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
# For install NGinx & PHP, see :
# @see https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-debian-7
# First of all, we check if the user is root
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
# Changing the password of the root user
read -e -p "Do you want to change the root password? [Y/n] : " change_password
if [[ ("$change_password" == "y" || "$change_password" == "Y" || "$change_password" == "") ]]; then
passwd
fi
# Installing Postfix
read -e -p "Do you want to install PostFix? [Y/n] : " install_postfix
if [[ ("$install_postfix" == "y" || "$install_postfix" == "Y" || "$install_postfix" == "") ]]; then
apt-get remove exim4-base exim4-config exim4-daemon-light
apt-get --yes install postfix
# We only want to send emails
sed -i "s/inet_interfaces = all/inet_interfaces = loopback-only/" /etc/postfix/main.cf
fi
read -e -p "Admin contact email : " root_email
if [[ "$root_email" != "" ]]; then
echo $root_email > ~/.email
echo $root_email > ~/.forward
read -e -p "Send an mail to test the smtp service? [Y/n] : " send_email
if [[ ("$send_email" == "y" || "$send_email" == "Y" || "$send_email" == "") ]]; then
echo "This is a mail test for the SMTP Service." > /tmp/email.message
echo "You should receive this !" >> /tmp/email.message
echo "" >> /tmp/email.message
echo "Cheers" >> /tmp/email.message
mail -s "SMTP Testing" $root_email < /tmp/email.message
rm -f /tmp/email.message
echo "Mail sent"
fi
fi
# Adding French accents to bash
grep -q 'export LANG=fr_FR.UTF-8' ~/.bashrc || echo "export LANG=fr_FR.UTF-8" >> ~/.bashrc
# And adding it for all the newly created users :
grep -q 'export LANG=fr_FR.UTF-8' /etc/skel/.bashrc || echo "export LANG=fr_FR.UTF-8" >> /etc/skel/.bashrc
echo "Updating Server name"
read -e -p "New server name (like srv.company.tld) : " server_name
if [[ "$server_name" != "" ]]; then
echo $server_name > /etc/hostname
IP=$(ip addr show | grep eth0 | grep inet | tr -s " " | cut -f3 -d " " | cut -f1 -d "/")
hosts_ip=$(grep -q $IP /etc/hosts)
if [[ "$hosts_ip" != "" ]]; then
sed -i "s/$IP.*/$IP $server_name/" /etc/hosts
else
echo "$IP $server_name" >> /etc/hosts
fi
hostname $server_name
/etc/init.d/hostname.sh
fi
# Creating multiple users
create_user=true
while $create_user; do
read -e -p "Create a new user? [y/N] : " new_user
if [[ ("$new_user" == "y" || "$new_user" == "Y") ]]; then
read -e -p "Username : " user_name
adduser $user_name
else
create_user=false
fi
done
# SSH Server
echo "Improving security on SSH"
echo " * Allow AuthorizedKeyFiles"
sed -i "s/#AuthorizedKeysFile/AuthorizedKeysFile/" /etc/ssh/sshd_config
echo " * Disallow X11Forwarding"
sed -i "s/X11Forwarding yes/X11Forwarding no/" /etc/ssh/sshd_config
echo " * Removing Root Login"
sed -i "s/PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
read -e -p "SSH Allowed users (space separated) : " ssh_users
if [[ $ssh_users ]]; then
echo "AllowUsers $ssh_users" >> /etc/ssh/sshd_config
fi
/etc/init.d/ssh restart
read -e -p "Force update the server? [Y/n] : " force_update
if [[ ("$force_update" == "y" || "$force_update" == "Y" || "$force_update" == "") ]]; then
apt-get --yes update && apt-get --yes upgrade && apt-get dist-upgrade
fi
read -e -p "Automate installation of new upgrades? [Y/n] : " install_unattended
if [[ ("$install_unattended" == "y" || "$install_unattended" == "Y" || "$install_unattended" == "") ]]; then
apt-get --yes install unattended-upgrades
fi
read -e -p "Install Fail2ban? [Y/n] : " install_fail2ban
if [[ ("$install_fail2ban" == "y" || "$install_fail2ban" == "Y" || "$install_fail2ban" == "") ]]; then
apt-get --yes install fail2ban
fi
read -e -p "Install Apache? [Y/n] : " install_apache
if [[ ("$install_apache" == "y" || "$install_apache" == "Y" || "$install_apache" == "") ]]; then
apt-get --yes install apache2
a2dismod userdir suexec cgi cgid dav include autoindex authn_file status env headers proxy proxy_balancer proxy_http headers
a2enmod expires rewrite setenvif ssl
sed -i "s/ServerTokens.*/ServerTokens Prod/g" /etc/apache2/conf.d/security
sed -i "s/ServerSignature On/ServerSignature Off/" /etc/apache2/conf.d/security
/etc/init.d/apache2 restart
fi
read -e -p "Install MySQL? [Y/n] : " install_mysql
if [[ ("$install_mysql" == "y" || "$install_mysql" == "Y" || "$install_mysql" == "") ]]; then
apt-get --yes install mysql-server
read -e -p "Execute mysql_secure_installation ? [Y/n] : " mysql_secure
if [[ ("$mysql_secure" == "y" || "$mysql_secure" == "Y" || "$mysql_secure" == "") ]]; then
mysql_secure_installation
fi
fi
read -e -p "Install PHP? [Y/n] : " install_php
if [[ ("$install_php" == "y" || "$install_php" == "Y" || "$install_php" == "") ]]; then
apt-get --yes install php5 libapache2-mod-php5 php5-cli php5-mysql php5-curl php5-gd php5-mcrypt php5-memcache php5-memcached
# General settings
sed -i "s/expose_php.*/expose_php = Off/" /etc/php5/apache2/php.ini
sed -i "s/disable_functions.*/disable_functions = exec,system,shell_exec,passthru/" /etc/php5/apache2/php.ini
sed -i "s/register_globals.*/register_globals = Off/" /etc/php5/apache2/php.ini
# Session specific
sed -i "s/session.use_only_cookies.*/session.use_only_cookies = 1/" /etc/php5/apache2/php.ini
sed -i "s/session.cookie_httponly.*/session.cookie_httponly = 1/" /etc/php5/apache2/php.ini
sed -i "s/session.use_trans_sid.*/session.use_trans_sid = 0/" /etc/php5/apache2/php.ini
# For CLI :
sed -i "s/disable_functions.*/disable_functions = exec,system,shell_exec,passthru/" /etc/php5/cli/php.ini
sed -i "s/register_globals.*/register_globals = Off/" /etc/php5/cli/php.ini
read -e -p "Install PHPMyAdmin? [Y/n] : " install_pma
if [[ ("$install_pma" == "y" || "$install_pma" == "Y" || "$install_pma" == "") ]]; then
apt-get --yes install phpmyadmin
fi
/etc/init.d/apache2 restart
fi
read -e -p "Install ProFTPd (With MySQL support)? [Y/n] : " install_proftpd
if [[ ("$install_proftpd" == "y" || "$install_proftpd" == "Y" || "$install_proftpd" == "") ]]; then
apt-get --yes install proftpd-mod-mysql
sed -i "s/#LoadModule mod_sql.c/LoadModule mod_sql.c/" /etc/proftpd/modules.conf
sed -i "s/#LoadModule mod_sql_mysql.c/LoadModule mod_sql_mysql.c/" /etc/proftpd/modules.conf
sed -i "s/#Include \/etc\/proftpd\/sql.conf/Include \/etc\/proftpd\/sql.conf/" /etc/proftpd/proftpd.conf
# Creating proftpd.sql file
read -e -p "ProFTPd DataBase name? [proftpd] : " proftpd_database
if [[ "$proftpd_database" == "" ]]; then
proftpd_database="proftpd"
fi
read -e -p "ProFTPd Username? [proftpd] : " proftpd_user
if [[ "$proftpd_user" == "" ]]; then
proftpd_user="proftpd"
fi
while true; do
read -e -p "ProFTPd User password for $proftpd_user ? : " -s proftpd_passwd
if [[ "$proftpd_passwd" != "" ]]; then
break
fi
done
echo "CREATE DATABASE $proftpd_database;" > /tmp/proftpd.create.sql
echo "" >> /tmp/proftpd.create.sql
read -e -p "Create a specific ProFTPd user? [Y/n] : " proftpd_new_user
if [[ ("$proftpd_new_user" == "y" || "$proftpd_new_user" == "Y" || "$proftpd_new_user" == "") ]]; then
echo "GRANT SELECT, INSERT, UPDATE, DELETE ON $proftpd_database.* TO '$proftpd_user'@'localhost' IDENTIFIED BY '$proftpd_passwd';" >> /tmp/proftpd.create.sql
echo "FLUSH PRIVILEGES;" >> /tmp/proftpd.create.sql
echo "" >> /tmp/proftpd.create.sql
fi
proftpd_default_user=$(id -u www-data)
proftpd_default_group=$(id -g www-data)
echo "USE $proftpd_database;" >> /tmp/proftpd.create.sql
echo "" >> /tmp/proftpd.create.sql
echo "CREATE TABLE ftpgroup (" >> /tmp/proftpd.create.sql
echo " groupname varchar(16) NOT NULL default ''," >> /tmp/proftpd.create.sql
echo " gid smallint(6) NOT NULL default '$proftpd_default_group'," >> /tmp/proftpd.create.sql
echo " members varchar(16) NOT NULL default ''," >> /tmp/proftpd.create.sql
echo " KEY groupname (groupname)" >> /tmp/proftpd.create.sql
echo ") ENGINE=MyISAM COMMENT='ProFTP group table';" >> /tmp/proftpd.create.sql
echo "" >> /tmp/proftpd.create.sql
echo "CREATE TABLE ftpuser (" >> /tmp/proftpd.create.sql
echo " id int(10) unsigned NOT NULL auto_increment," >> /tmp/proftpd.create.sql
echo " userid varchar(32) NOT NULL default ''," >> /tmp/proftpd.create.sql
echo " passwd varchar(32) NOT NULL default ''," >> /tmp/proftpd.create.sql
echo " uid smallint(6) NOT NULL default '$proftpd_default_user'," >> /tmp/proftpd.create.sql
echo " gid smallint(6) NOT NULL default '$proftpd_default_group'," >> /tmp/proftpd.create.sql
echo " homedir varchar(255) NOT NULL default ''," >> /tmp/proftpd.create.sql
echo " shell varchar(16) NOT NULL default '/sbin/nologin'," >> /tmp/proftpd.create.sql
echo " count int(11) NOT NULL default '0'," >> /tmp/proftpd.create.sql
echo " accessed datetime NOT NULL default '0000-00-00 00:00:00'," >> /tmp/proftpd.create.sql
echo " modified datetime NOT NULL default '0000-00-00 00:00:00'," >> /tmp/proftpd.create.sql
echo " PRIMARY KEY (id)," >> /tmp/proftpd.create.sql
echo " UNIQUE KEY userid (userid)" >> /tmp/proftpd.create.sql
echo ") ENGINE=MyISAM COMMENT='ProFTP user table';" >> /tmp/proftpd.create.sql
echo "" >> /tmp/proftpd.create.sql
echo "INSERT INTO ftpgroup (groupname, gid, members) VALUES ('www-data', $proftpd_default_group, 'www-data');" >> /tmp/proftpd.create.sql
# Creating sql.conf file
echo "#" > /etc/proftpd/sql.conf
echo "# Proftpd sample configuration for SQL-based authentication." >> /etc/proftpd/sql.conf
echo "#" >> /etc/proftpd/sql.conf
echo "# (This is not to be used if you prefer a PAM-based SQL authentication)" >> /etc/proftpd/sql.conf
echo "#" >> /etc/proftpd/sql.conf
echo "<IfModule mod_sql.c>" >> /etc/proftpd/sql.conf
echo " DefaultRoot ~" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " #" >> /etc/proftpd/sql.conf
echo " # Choose a SQL backend among MySQL or PostgreSQL." >> /etc/proftpd/sql.conf
echo " # Both modules are loaded in default configuration, so you have to specify the backend" >> /etc/proftpd/sql.conf
echo " # or comment out the unused module in /etc/proftpd/modules.conf." >> /etc/proftpd/sql.conf
echo " # Use 'mysql' or 'postgres' as possible values." >> /etc/proftpd/sql.conf
echo " #" >> /etc/proftpd/sql.conf
echo " SQLBackend mysql" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " #" >> /etc/proftpd/sql.conf
echo " #SQLEngine on" >> /etc/proftpd/sql.conf
echo " #SQLAuthenticate on" >> /etc/proftpd/sql.conf
echo " #" >> /etc/proftpd/sql.conf
echo " # Use both a crypted or plaintext password" >> /etc/proftpd/sql.conf
echo " SQLAuthTypes Plaintext Crypt" >> /etc/proftpd/sql.conf
echo " SQLAuthenticate users groups" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " #" >> /etc/proftpd/sql.conf
echo " # Connection" >> /etc/proftpd/sql.conf
echo " SQLConnectInfo $proftpd_database@localhost $proftpd_user $proftpd_passwd" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " #" >> /etc/proftpd/sql.conf
echo " # Describes both users/groups tables" >> /etc/proftpd/sql.conf
echo " #" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " # Here we tell ProFTPd the names of the database columns in the 'usertable'" >> /etc/proftpd/sql.conf
echo " # we want it to interact with. Match the names with those in the db" >> /etc/proftpd/sql.conf
echo " SQLUserInfo ftpuser userid passwd uid gid homedir shell" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " # Here we tell ProFTPd the names of the database columns in the 'grouptable'" >> /etc/proftpd/sql.conf
echo " # we want it to interact with. Again the names match with those in the db" >> /etc/proftpd/sql.conf
echo " SQLGroupInfo ftpgroup groupname gid members" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " # set min UID and GID - otherwise these are 999 each" >> /etc/proftpd/sql.conf
echo " SQLMinID $proftpd_default_user" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " # create a user's home directory on demand if it doesn't exist" >> /etc/proftpd/sql.conf
echo " CreateHome on" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " # Update count every time user logs in" >> /etc/proftpd/sql.conf
echo " SQLLog PASS updatecount" >> /etc/proftpd/sql.conf
echo " SQLNamedQuery updatecount UPDATE \"count=count+1, accessed=now() WHERE userid='%u'\" ftpuser" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " # Update modified everytime user uploads or deletes a file" >> /etc/proftpd/sql.conf
echo " SQLLog STOR,DELE modified" >> /etc/proftpd/sql.conf
echo " SQLNamedQuery modified UPDATE \"modified=now() WHERE userid='%u'\" ftpuser" >> /etc/proftpd/sql.conf
echo "" >> /etc/proftpd/sql.conf
echo " RootLogin off" >> /etc/proftpd/sql.conf
echo " RequireValidShell off" >> /etc/proftpd/sql.conf
echo "</IfModule>" >> /etc/proftpd/sql.conf
# now execute sql as root in database!
echo "Please indicate your MySQL root password"
mysql -u root -p < /tmp/proftpd.create.sql
rm -f /tmp/proftpd.create.sql
/etc/init.d/proftpd restart
fi
exit 0;