th3joker

setup

May 4th, 2018
  1. #!/bin/bash
  2.  
  3. # Set Variables
  4. # My IP
  5. myip=$(echo $SSH_CLIENT | awk '{ print $1}')
  6.  
  7. # Get username and set as variable
  8. echo "Please enter username:"
  9. read -p 'Username: ' username
  10. # Get fullname and set as variable
  11. echo "Please enter your Full Name:"
  12. read -p 'Fullname: ' fullname
  13.  
  14. # Set SSH port number
  15. # Get username and set as variable
  16. echo "Please enter SSH port number, we recommend above 50000 "
  17. read -p 'Port Number: ' sshport
  18.  
  19.  
  20. # set locale
  21. export LANGUAGE=en_US.UTF-8;
  22. export LC_ALL=en_US.UTF-8;
  23. export LANG=en_US.UTF-8;
  24. export LC_TYPE=en_US.UTF-8;
  25.  
  26. apt-get update;
  27. apt-get upgrade -y;
  28.  
  29. # Install Unzip
  30. apt-get install unzip -y;
  31.  
  32. # Set timezone Europe/London #
  33. echo "Europe/London" | sudo tee /etc/timezone;
  34. sudo dpkg-reconfigure --frontend noninteractive tzdata;
  35.  
  36. ## Add User $username ##
  37. echo "Adding user $username"
  38. useradd $username -G sudo -d /home/$username -s /bin/bash -m -c "$fullname";
  39.  
  40. ## Add to sudoers ##
  41. echo "Assign $username to sudoers"
  42. echo "$username ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers;
  43. echo " adding ssh keys for $username"
  44.  
  45. ## Add ssh keys ##
  46. mkdir /home/$username/.ssh && ssh-keygen -t rsa -N "" -f /home/$username/.ssh/id_rsa
  47. cp /root/.ssh/authorized_keys /home/$username/.ssh/;
  48. chown -R $username:$username /home/$username/.ssh;
  49.  
  50. ## add group admin ##
  51. addgroup admin;
  52. adduser $username admin;
  53.  
  54. ## restrict su ##
  55. sudo dpkg-statoverride --update --add root admin 4750 /bin/su;
  56.  
  57. ## secure /run/shm ##
  58. echo "tmpfs /run/shm tmpfs defaults,noatime,size=20%,mode=1777 0 0" >> /etc/fstab;
  59.  
  60. ## Add .profile ##
  61. echo -e 'PS1="`if [ $? = 0 ]; then echo "\[\e[32m\] ✔ "; else echo "\[\e[31m\] ✘ "; fi`\[$(tput bold)\]\[$(tput setaf 6)\]\t \[$(tput setaf 2)\][\[$(tput setaf 5)\]\u\[$(tput setaf 2)\]@\[$(tput setaf 5)\]\H \[$(tput setaf 6)\]\W\[$(tput setaf 2)\]]\[$(tput setaf 6)\] ;-)\n\\$ \[$(tput sgr0)\]"' >> /home/$username/.profile;
  62. echo -e 'PS1="`if [ $? = 0 ]; then echo "\[\e[32m\] ✔ "; else echo "\[\e[31m\] ✘ "; fi`\[$(tput bold)\]\[$(tput setaf 6)\]\t \[$(tput setaf 2)\][\[$(tput setaf 5)\]\u\[$(tput setaf 2)\]@\[$(tput setaf 5)\]\H \[$(tput setaf 6)\]\W\[$(tput setaf 2)\]]\[$(tput setaf 6)\] ;-)\n\\$ \[$(tput sgr0)\]"' >> /root/.profile;
  63.  
  64. ## bashrc aliases ##
  65. echo "alias sudos='sudo su --login'
  66. alias apti='sudo apt-get install'
  67. alias aptr='sudo apt-get remove'" >> /home/$username/.bashrc;
  68.  
  69. ## change ssh options, port 55022, no root logins and ssh key only ##
  70. echo "Changing sshd service options to port $sshport, no root logins and ssh key only"
  71. sed -i "s/#Port 22/Port $sshport/g" /etc/ssh/sshd_config;
  72. sed -i "s/PermitRootLogin yes/PermitRootLogin without-password/g"  /etc/ssh/sshd_config;
  73. sed -i "s/#\PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config;
  74. service ssh restart;
  75.  
  76. # Hosts allow file
  77. # input IP for hosts.allow
  78. echo "ALL : $myip  : allow" | tee /etc/hosts.allow;
  79.  
  80. # Add hosts deny info
  81. echo "#DENY LIST
  82. sshd : ALL : deny
  83. whostmgrd : ALL : deny
  84. ftpd : ALL : deny
  85. mysqld : ALL : deny" >> /etc/hosts.allow;
  86.  
  87.  
  88. # Install CSF
  89. cd /usr/local/src;
  90. wget http://download.configserver.com/csf.tgz;
  91. ufw disable;
  92. tar zxvf csf.tgz;
  93. cd csf;
  94. ./install.sh;
  95.  
  96. #Insert ip into ignore and allow
  97. echo "$myip # $username" | tee /etc/csf/csf.allow /etc/csf/csf.ignore;
  98. sed -i 's/TESTING = "1"/TESTING = "0"/g' /etc/csf/csf.conf;
  99. sed -i 's/#SPAMDROP/SPAMDROP/g' /etc/csf/csf.blocklists;
  100. sed -i 's/#SPAMEDROP/SPAMEDROP/g' /etc/csf/csf.blocklists;
  101. sed -i 's/#DSHIELD/DSHIELD/g' /etc/csf/csf.blocklists;
  102. sed -i 's/#TOR/TOR/g' /etc/csf/csf.blocklists;
  103. sed -i 's/#ALTTOR/ALTTOR/g' /etc/csf/csf.blocklists;
  104. sed -i 's/#BOGON/BOGON/g' /etc/csf/csf.blocklists;
  105. sed -i 's/#HONEYPOT/HONEYPOT/g' /etc/csf/csf.blocklists;
  106. sed -i 's/#CIARMY/CIARMY/g' /etc/csf/csf.blocklists;
  107. sed -i 's/#BFB/BFB/g' /etc/csf/csf.blocklists;
  108. sed -i 's/#MAXMIND/MAXMIND/g' /etc/csf/csf.blocklists;
  109. sed -i 's/#BDE/BDE/g' /etc/csf/csf.blocklists;
  110. sed -i 's/#BDEALL/BDEALL/g' /etc/csf/csf.blocklists;
  111. sed -i 's/#STOPFORUMSPAM/STOPFORUMSPAM/g' /etc/csf/csf.blocklists;
  112. sed -i 's/#STOPFORUMSPAMV6/STOPFORUMSPAMV6/g' /etc/csf/csf.blocklists;
  113. sed -i 's/#GREENSNOW/GREENSNOW/g' /etc/csf/csf.blocklists;
  114.  
  115. # Restart CSF
  116. csf -r;
  117.  
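#creating of swap
# GREEN/RED/NC are used in the messages below but never defined in this
# script; give them defaults so the colours render (values from the
# environment still win).
GREEN=${GREEN:-$'\e[32m'}
RED=${RED:-$'\e[31m'}
NC=${NC:-$'\e[0m'}

echo -e "On next step we going to create SWAP (it should be your RAM x2)..."

read -r -p "Do you need SWAP? [y/N] " response
case "$response" in
  [yY][eE][sS] | [yY])

    # Total memory in MiB, taken from the "Mem" row of free -m.
    RAM=$(free -m | awk '/Mem/ { print $2; exit }')
    if [[ ! "$RAM" =~ ^[0-9]+$ ]]; then
      echo "Could not read the amount of RAM from free; no swap created." >&2
    elif [[ -e /var/swap.img ]]; then
      # Re-sizing a file that may be active swap is not safe; leave it alone.
      echo "/var/swap.img already exists; no swap created." >&2
    else
      swap_allowed=$((RAM * 2))
      swap="${swap_allowed}M"
      # Each step must succeed before the next runs, and success is reported
      # only when the swap area is really active.
      # NOTE(review): some filesystems reject fallocate-created swap files;
      # the swap is also not added to /etc/fstab, so it will not come back
      # after a reboot - confirm whether that is intended.
      if fallocate -l "$swap" /var/swap.img &&
        chmod 600 /var/swap.img &&
        mkswap /var/swap.img &&
        swapon /var/swap.img; then
        echo -e "${GREEN}RAM detected: $RAM
 Swap was created: $swap${NC}"
        sleep 5
      else
        echo "Creating swap failed; removing /var/swap.img." >&2
        rm -f -- /var/swap.img
      fi
    fi

    ;;
  *)

    echo -e "${RED}You didn't create any swap for faster system working. You can do this manually or re run this script.${NC}"

    ;;
esac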
  144.  
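# Password stuff
echo "Adding password for $username"
## add user password ##
# IFS= and -r keep the password exactly as typed (leading/trailing spaces and
# backslashes included); -s keeps it off the terminal.
echo "Please enter the new password:"
IFS= read -r -s password1
echo "Please repeat the new password:"
IFS= read -r -s password2

# An empty password would only make passwd fail later; reject it up front.
if [[ -z "$password1" ]]; then
  echo "Password must not be empty" >&2
  exit 1
fi

# Check both passwords match
# Quoted operands: the original unquoted test broke on passwords containing
# spaces or glob characters. Exit non-zero so callers can see the failure;
# the account is left without a password in that case.
if [[ "$password1" != "$password2" ]]; then
  echo "Passwords do not match"
  exit 1
fi

# Change password
# printf '%s' passes the password through untouched. The original `echo -e`
# interpreted backslash sequences, so a password containing "\n" or "\t"
# would have been set to something other than what was typed. printf is a
# shell builtin, so the password does not appear in the process list.
printf '%s\n%s\n' "$password1" "$password1" | passwd "$username"

# Do not keep the secret in shell variables longer than needed.
unset password1 password2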
  160.  
  161. # Check Script
  162. echo "Hosts Allow Check"
  163. cat /etc/hosts.allow;
  164.  
  165. echo "csf.ignore Check"
  166. cat /etc/csf/csf.ignore;
  167.  
  168. echo "csf.allow Check"
  169. cat /etc/csf/csf.allow;
  170.  
  171. echo "Check SSH port allowed in csf.conf"
  172. grep -R "$sshport" /etc/csf/csf.conf;