  1. #assumes server already hardened
  2.  
  3. SERVERIP=192.168.23.23
  4.  
  5. INTERFACENAME=eth0
  6.  
  7. EASYRSA_REQ_COUNTRY=Japan
  8. EASYRSA_REQ_PROVINCE=Tokyo
  9. EASYRSA_REQ_CITY=Tokyo
  10. EASYRSA_REQ_ORG=AnOrg
  11. EASYRSA_REQ_EMAIL=anemail@exampleemail.net
  12. EASYRSA_REQ_OU=AnOU
  13.  
  14. apt update && apt upgrade -y
  15. apt install openvpn -y
  16. wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
  17. cd
  18. tar xvf EasyRSA-unix-v3.0.6.tgz
  19. cp -r EasyRSA-v3.0.6/ EasyRSA-ca
  20. cd EasyRSA-ca/
  21. cp vars.example vars
  22. sed -i "s/^#\(set_var EASYRSA_REQ_COUNTRY[ \t]*\)\"US\"/\1\"$EASYRSA_REQ_COUNTRY\"/" /root/EasyRSA-ca/vars
  23. sed -i "s/^#\(set_var EASYRSA_REQ_PROVINCE[ \t]*\)\"California\"/\1\"$EASYRSA_REQ_PROVINCE\"/" /root/EasyRSA-ca/vars
  24. sed -i "s/^#\(set_var EASYRSA_REQ_CITY[ \t]*\)\"San Francisco\"/\1\"$EASYRSA_REQ_CITY\"/" /root/EasyRSA-ca/vars
  25. sed -i "s/^#\(set_var EASYRSA_REQ_ORG[ \t]*\)\"Copyleft Certificate Co\"/\1\"$EASYRSA_REQ_ORG\"/" /root/EasyRSA-ca/vars
  26. sed -i "s/^#\(set_var EASYRSA_REQ_EMAIL[ \t]*\)\"me@example.net\"/\1\"$EASYRSA_REQ_EMAIL\"/" /root/EasyRSA-ca/vars
  27. sed -i "s/^#\(set_var EASYRSA_REQ_OU[ \t]*\)\"My Organizational Unit\"/\1\"$EASYRSA_REQ_OU\"/" /root/EasyRSA-ca/vars
  28.  
  29. ./easyrsa init-pki
  30. ./easyrsa build-ca nopass
  31. cd ../EasyRSA-v3.0.6/
  32. ./easyrsa init-pki
  33. ./easyrsa gen-req server nopass
  34. cp pki/private/server.key /etc/openvpn/
  35. cp pki/reqs/server.req /tmp
  36. cd ../EasyRSA-ca/
  37. ./easyrsa import-req /tmp/server.req server
  38. ./easyrsa sign-req server server
  39. cp pki/issued/server.crt /tmp
  40. cp pki/ca.crt /tmp
  41. cd ../EasyRSA-v3.0.6/
  42. cp /tmp/{server.crt,ca.crt} /etc/openvpn/
  43. ./easyrsa gen-dh
  44. openvpn --genkey --secret ta.key
  45. cp ta.key /etc/openvpn/
  46. cp pki/dh.pem /etc/openvpn/
  47. mkdir -p ~/client-configs/keys
  48. chmod -R 700 ~/client-configs
  49. ./easyrsa gen-req client1 nopass
  50. cp pki/private/client1.key ~/client-configs/keys/
  51. cp pki/reqs/client1.req /tmp
  52. cd ../EasyRSA-ca/
  53. ./easyrsa import-req /tmp/client1.req client1
  54. ./easyrsa sign-req client client1
  55. cp pki/issued/client1.crt /tmp
  56. cd ../EasyRSA-v3.0.6/
  57. cp /tmp/client1.crt ~/client-configs/keys/
  58. cp ta.key ~/client-configs/keys/
  59. cp /etc/openvpn/ca.crt ~/client-configs/keys/
  60. cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
  61. gzip -d /etc/openvpn/server.conf.gz
  62. sed -i '/^tls-auth ta.key 0/a key-direction 0' /etc/openvpn/server.conf
  63. sed -i '/^cipher AES-256-CBC/a auth SHA256' /etc/openvpn/server.conf
  64. sed -i 's/^dh dh2048.pem/dh dh.pem/' /etc/openvpn/server.conf
  65. sed -i 's/^;user nobody/user nobody/' /etc/openvpn/server.conf
  66. sed -i 's/^;group nogroup/group nogroup/' /etc/openvpn/server.conf
  67. sed -i 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' /etc/openvpn/server.conf
  68. sed -i 's/^;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 8.8.8.8"/' /etc/openvpn/server.conf
  69. sed -i 's/^;push "dhcp-option DNS 8.8.4.4"/push "dhcp-option DNS 8.8.8.8"/' /etc/openvpn/server.conf
  70. sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
  71. sysctl -p
  72. iptables -A INPUT -i $INTERFACENAME -m state --state NEW -p udp --dport 1194 -j ACCEPT
  73. iptables -A INPUT -i tun+ -j ACCEPT
  74. iptables -A FORWARD -i tun+ -j ACCEPT
  75. iptables -A FORWARD -i tun+ -o $INTERFACENAME -m state --state RELATED,ESTABLISHED -j ACCEPT
  76. iptables -A FORWARD -i $INTERFACENAME -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  77. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $INTERFACENAME -j MASQUERADE
  78. iptables -D INPUT -j DROP
  79. iptables -A INPUT -j DROP
  80. iptables-save > /etc/iptables/rules.v4
  81. ip6tables-save > /etc/iptables/rules.v6
  82. systemctl start openvpn@server
  83. #systemctl status openvpn@server
  84. #ip addr show tun0
  85. systemctl enable openvpn@server
  86. mkdir -p ~/client-configs/files
  87. cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
  88. sed -i "s/^remote your_server_ip 1194/remote $SERVERIP 1194/" ~/client-configs/base.conf
  89. sed -i 's/^;user nobody/user nobody/' ~/client-configs/base.conf
  90. sed -i 's/^;group nogroup/group nogroup/' ~/client-configs/base.conf
  91. sed -i 's/^ca ca.crt/#ca ca.crt/' ~/client-configs/base.conf
  92. sed -i 's/^cert client.crt/#cert client.crt/' ~/client-configs/base.conf
  93. sed -i 's/^key client.key/#key client.key/' ~/client-configs/base.conf
  94. sed -i 's/^tls-auth ta.key 1/#tls-auth ta.key 1/' ~/client-configs/base.conf
  95. sed -i '/^cipher AES-256-CBC/a auth SHA256\nkey direction 1\n# script-security 2\n# up /etc/openvpn/update-resolv-conf\n# down /etc/openvpn/update-resolv-conf' ~/client-configs/base.conf
  96.  
  97. cp ~/client-configs/base.conf ~/client-configs/files/client1.ovpn
  98. sed -i '$ a <ca>' ~/client-configs/files/client1.ovpn
  99. cat ~/client-configs/keys/ca.crt >> ~/client-configs/files/client1.ovpn
  100. echo -e "</ca>" >> ~/client-configs/files/client1.ovpn
  101. sed -i '$ a <cert>' ~/client-configs/files/client1.ovpn
  102. cat ~/client-configs/keys/client1.crt >> ~/client-configs/files/client1.ovpn
  103. echo -e "</cert>" >> ~/client-configs/files/client1.ovpn
  104. sed -i '$ a <key>' ~/client-configs/files/client1.ovpn
  105. cat ~/client-configs/keys/client1.key >> ~/client-configs/files/client1.ovpn
  106. echo -e "</key>" >> ~/client-configs/files/client1.ovpn
  107. sed -i '$ a <tls-auth>' ~/client-configs/files/client1.ovpn
  108. cat ~/client-configs/keys/ta.key >> ~/client-configs/files/client1.ovpn
  109. echo -e "</tls-auth>" >> ~/client-configs/files/client1.ovpn
  110. -------
  111. NEWUSER=user
  112. PASSWORD=password
  113. SSHPORT=777
  114.  
  115. apt-get update
  116. apt-get upgrade -y
  117. #timedatectl set-timezone Asia/Japan
  118.  
  119. adduser $NEWUSER --gecos "First Last,RoomNumber,WorkPhone,HomePhone" --disabled-password
  120. echo "$NEWUSER:$PASSWORD" | sudo chpasswd
  121. adduser $NEWUSER sudo
  122.  
  123. sed -i 's/^PermitRootLogin yes/PermitRootLogin no'/ /etc/ssh/sshd_config
  124. sed -i '/^#TCPKeepAlive yes/a AllowTcpForwarding no' /etc/ssh/sshd_config
  125. sed -i 's/^X11Forwarding yes/X11Forwarding no'/ /etc/ssh/sshd_config
  126. sed -i 's/^UsePAM yes/UsePAM no'/ /etc/ssh/sshd_config
  127. sed -i '$ a AddressFamily inet' /etc/ssh/sshd_config
  128. sed -i "$ a AllowUsers $NEWUSER" /etc/ssh/sshd_config
  129. sed -i "s/^#Port 22/Port $SSHPORT"/ /etc/ssh/sshd_config
  130.  
  131. service ssh restart
  132.  
  133. apt-get install fail2ban -y
  134. cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  135.  
  136. sed -i '/^\[sshd\]/a enabled = true\nfilter = sshd\nbantime = 1800\nfindtime = 1800\nmaxretry = 3' /etc/fail2ban/jail.local
  137. sed -i "s/^\(port[ ]*=\) ssh/\1 $SSHPORT"/ /etc/fail2ban/jail.local
  138.  
  139. service fail2ban restart
  140.  
  141. iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  142. iptables -A INPUT -p tcp --dport $SSHPORT -j ACCEPT
  143. iptables -I INPUT 1 -i lo -j ACCEPT
  144. iptables -A INPUT -j DROP
  145. DEBIAN_FRONTEND=noninteractive apt-get install iptables-persistent -y
  146. iptables-save > /etc/iptables/rules.v4
  147. iptables-save > /etc/iptables/rules.v6
  148.  
  149. sed -i '$ a net.ipv6.conf.all.disable_ipv6 = 1' /etc/sysctl.conf
  150. sed -i '$ a net.ipv6.conf.default.disable_ipv6 = 1' /etc/sysctl.conf
  151. sed -i '$ a net.ipv6.conf.lo.disable_ipv6 = 1' /etc/sysctl.conf
  152. sysctl -p
  153.  
  154. apt-get update
  155. apt-get upgrade -y
  156.  
  157. DEBIAN_FRONTEND=noninteractive dpkg-reconfigure unattended-upgrades
  158.  
  159. sed -i '/-updates/s/^\/\///g' /etc/apt/apt.conf.d/50unattended-upgrades
  160. sed -i 's/\/\/Unattended-Upgrade::Automatic-Reboot "false";/Unattended-Upgrade::Automatic-Reboot "true";'/ /etc/apt/apt.conf.d/50unattended-upgrades
  161. sed -i 's/\/\/Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";/Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'/ /etc/apt/apt.conf.d/50unattended-upgrades
  162. sed -i 's/\/\/Unattended-Upgrade::Remove-Unused-Dependencies "false";/Unattended-Upgrade::Remove-Unused-Dependencies "true";'/ /etc/apt/apt.conf.d/50unattended-upgrades
  163. sed -i '/^APT::Periodic::Update-Package-Lists "1";/a APT::Periodic::Download-Upgradeable-Packages "1";\nAPT::Periodic::AutocleanInterval "7";' /etc/apt/apt.conf.d/20auto-upgrades
  164.  
  165. #setup key-based authentication