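#!/usr/bin/env bash
# OpenVPN server bootstrap for Debian/Ubuntu.
#
# Builds a separate EasyRSA CA, issues a server certificate and one client
# certificate (client1), installs /etc/openvpn/server.conf from the packaged
# sample, opens the firewall for UDP/1194 with NAT, enables the service and
# writes an all-in-one client profile to ~/client-configs/files/client1.ovpn.
#
# Assumes the host was already hardened (iptables-persistent installed, with a
# trailing "INPUT -j DROP" rule) and that it runs as root (HOME=/root).
#
# Tunables (environment; defaults match the original script unless noted):
#   SERVERIP, INTERFACENAME, EASYRSA_RELEASE, EASYRSA_SHA256, VPN_DNS1, VPN_DNS2,
#   EASYRSA_REQ_COUNTRY / _PROVINCE / _CITY / _ORG / _EMAIL / _OU
set -euo pipefail

SERVERIP=${SERVERIP:-192.168.23.23}
INTERFACENAME=${INTERFACENAME:-eth0}
# Release to download. The "EasyRSA-unix-vX.tgz" tarball and "EasyRSA-vX"
# directory names used below match the 3.0.6 release; check the asset name
# before pointing this at another version.
EASYRSA_RELEASE=${EASYRSA_RELEASE:-3.0.6}
# SHA-256 of the tarball as published with the release. Empty skips the check
# (with a warning); set it so a tampered download cannot become your CA.
EASYRSA_SHA256=${EASYRSA_SHA256:-}
# Resolvers pushed to clients. The original replaced both sample entries with
# 8.8.8.8, i.e. pushed the same resolver twice.
VPN_DNS1=${VPN_DNS1:-8.8.8.8}
VPN_DNS2=${VPN_DNS2:-8.8.4.4}
# Certificate subject fields. countryName must be a two-letter ISO code; the
# original's "Japan" is rejected by OpenSSL once the field is actually used.
# NOTE: v3.0.6's vars.example defaults EASYRSA_DN to "cn_only", in which mode
# these fields are ignored; export EASYRSA_DN=org to put them in the subject.
EASYRSA_REQ_COUNTRY=${EASYRSA_REQ_COUNTRY:-JP}
EASYRSA_REQ_PROVINCE=${EASYRSA_REQ_PROVINCE:-Tokyo}
EASYRSA_REQ_CITY=${EASYRSA_REQ_CITY:-Tokyo}
EASYRSA_REQ_ORG=${EASYRSA_REQ_ORG:-AnOrg}
EASYRSA_REQ_EMAIL=${EASYRSA_REQ_EMAIL:-anemail@exampleemail.net}
EASYRSA_REQ_OU=${EASYRSA_REQ_OU:-AnOU}

readonly OVPN_DIR=/etc/openvpn
readonly CA_DIR="$HOME/EasyRSA-ca"
readonly SRV_DIR="$HOME/EasyRSA-v${EASYRSA_RELEASE}"
readonly CLIENT_DIR="$HOME/client-configs"
# Scratch directory for requests/certificates handed between the two PKIs
# (the original used fixed names in /tmp); created in main, removed on exit.
tmpdir=

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

require_root() {
  (( EUID == 0 )) || die "run as root"
}

install_packages() {
  apt-get update && apt-get upgrade -y
  apt-get install -y openvpn
}

#######################################
# Download EasyRSA, verify it when a checksum is configured, and unpack two
# copies: $SRV_DIR (server-side PKI holding keys and requests) and $CA_DIR.
#######################################
fetch_easyrsa() {
  local tarball="EasyRSA-unix-v${EASYRSA_RELEASE}.tgz"
  local url="https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_RELEASE}/${tarball}"
  cd "$HOME" || die "cannot cd to $HOME"
  wget -O "$tarball" -- "$url"
  if [[ -n "$EASYRSA_SHA256" ]]; then
    printf '%s  %s\n' "$EASYRSA_SHA256" "$tarball" | sha256sum -c - \
      || die "checksum mismatch for $tarball"
  else
    warn "EASYRSA_SHA256 is unset; $tarball was not verified"
  fi
  tar xf "$tarball"
  # cp -r would nest the tree inside an existing $CA_DIR instead of failing.
  [[ -e "$CA_DIR" ]] && die "$CA_DIR already exists; remove it or pick another CA dir"
  cp -r "$SRV_DIR/" "$CA_DIR"
}

#######################################
# Populate $CA_DIR/vars with the request fields. Appending set_var lines avoids
# sed-escaping user-supplied values and the original's hard-coded
# /root/EasyRSA-ca/vars path. Values must not contain double quotes.
#######################################
write_ca_vars() {
  cd "$CA_DIR" || die "cannot cd to $CA_DIR"
  cp vars.example vars
  {
    printf 'set_var EASYRSA_REQ_COUNTRY  "%s"\n' "$EASYRSA_REQ_COUNTRY"
    printf 'set_var EASYRSA_REQ_PROVINCE "%s"\n' "$EASYRSA_REQ_PROVINCE"
    printf 'set_var EASYRSA_REQ_CITY     "%s"\n' "$EASYRSA_REQ_CITY"
    printf 'set_var EASYRSA_REQ_ORG      "%s"\n' "$EASYRSA_REQ_ORG"
    printf 'set_var EASYRSA_REQ_EMAIL    "%s"\n' "$EASYRSA_REQ_EMAIL"
    printf 'set_var EASYRSA_REQ_OU       "%s"\n' "$EASYRSA_REQ_OU"
  } >> vars
}

build_ca() {
  cd "$CA_DIR" || die "cannot cd to $CA_DIR"
  ./easyrsa init-pki
  # --batch accepts the default CA common name instead of prompting. "nopass"
  # keeps the run unattended, so the CA key sits unencrypted in
  # $CA_DIR/pki/private: restrict access to it, or move the CA offline.
  ./easyrsa --batch build-ca nopass
}

init_server_pki() {
  cd "$SRV_DIR" || die "cannot cd to $SRV_DIR"
  ./easyrsa init-pki
}

#######################################
# Generate a key + request in the server PKI and have the CA sign it.
# Arguments: $1 name (server, client1, ...); $2 certificate type: server|client
# Outputs:   $SRV_DIR/pki/private/NAME.key and $tmpdir/NAME.crt
#######################################
issue_cert() {
  local name=$1 kind=$2
  cd "$SRV_DIR" || die "cannot cd to $SRV_DIR"
  ./easyrsa --batch gen-req "$name" nopass
  cp -- "pki/reqs/$name.req" "$tmpdir/"
  cd "$CA_DIR" || die "cannot cd to $CA_DIR"
  ./easyrsa import-req "$tmpdir/$name.req" "$name"
  # --batch skips the "confirm request details" prompt.
  ./easyrsa --batch sign-req "$kind" "$name"
  cp -- "pki/issued/$name.crt" "$tmpdir/"
}

#######################################
# DH parameters, tls-auth key and the server's key/cert/CA into $OVPN_DIR.
# Private material is installed 0600 explicitly rather than relying on cp
# preserving the source mode.
#######################################
install_server_material() {
  cd "$SRV_DIR" || die "cannot cd to $SRV_DIR"
  ./easyrsa gen-dh
  # "--genkey --secret" is the 2.4 spelling; newer releases accept it with a
  # deprecation notice.
  openvpn --genkey --secret ta.key
  install -m 600 -- pki/private/server.key ta.key "$OVPN_DIR/"
  install -m 644 -- "$tmpdir/server.crt" "$CA_DIR/pki/ca.crt" pki/dh.pem "$OVPN_DIR/"
}

#######################################
# Copy one client's key, cert, the CA cert and ta.key into $CLIENT_DIR/keys.
# Arguments: $1 client name
#######################################
collect_client_material() {
  local name=$1 keys="$CLIENT_DIR/keys"
  mkdir -p "$keys"
  chmod 700 "$CLIENT_DIR" "$keys"
  install -m 600 -- "$SRV_DIR/pki/private/$name.key" "$SRV_DIR/ta.key" "$keys/"
  install -m 644 -- "$tmpdir/$name.crt" "$CA_DIR/pki/ca.crt" "$keys/"
}

#######################################
# Derive server.conf from the packaged sample (OpenVPN 2.4 layout). sed -i is
# a silent no-op when a pattern does not match, so the result is checked.
#######################################
configure_server() {
  local conf="$OVPN_DIR/server.conf" directive
  cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz "$OVPN_DIR/"
  gzip -d "$conf.gz"
  sed -i '/^tls-auth ta.key 0/a key-direction 0' "$conf"
  sed -i '/^cipher AES-256-CBC/a auth SHA256' "$conf"
  sed -i 's/^dh dh2048.pem/dh dh.pem/' "$conf"
  sed -i 's/^;user nobody/user nobody/' "$conf"
  sed -i 's/^;group nogroup/group nogroup/' "$conf"
  sed -i 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' "$conf"
  # VPN_DNS* land inside a sed replacement: IP literals only, no "/" or "&".
  sed -i "s/^;push \"dhcp-option DNS 208.67.222.222\"/push \"dhcp-option DNS $VPN_DNS1\"/" "$conf"
  sed -i "s/^;push \"dhcp-option DNS 8.8.4.4\"/push \"dhcp-option DNS $VPN_DNS2\"/" "$conf"
  for directive in 'key-direction 0' 'auth SHA256' 'dh dh.pem' 'user nobody' 'group nogroup'; do
    grep -qxF -- "$directive" "$conf" \
      || warn "server.conf: '$directive' not set (sample config layout differs?)"
  done
}

#######################################
# Enable forwarding, allow UDP/1194 on $INTERFACENAME, forward + NAT the tunnel
# subnet, keep the hardening script's final INPUT DROP last, and persist.
#######################################
configure_firewall() {
  sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
  sysctl -p
  iptables -A INPUT -i "$INTERFACENAME" -m conntrack --ctstate NEW -p udp --dport 1194 -j ACCEPT
  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -o "$INTERFACENAME" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i "$INTERFACENAME" -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$INTERFACENAME" -j MASQUERADE
  # The hardening step left "INPUT -j DROP" as the last rule; re-append it so
  # the rules above are reached. -D fails if it is absent (unhardened host),
  # which would otherwise abort under set -e.
  iptables -D INPUT -j DROP || warn "no existing INPUT DROP rule to move"
  iptables -A INPUT -j DROP
  [[ -d /etc/iptables ]] || die "/etc/iptables missing: install iptables-persistent first"
  iptables-save > /etc/iptables/rules.v4
  ip6tables-save > /etc/iptables/rules.v6
}

enable_service() {
  # Start and enable in one step. If the tunnel does not come up, check
  # "systemctl status openvpn@server" and "ip addr show tun0".
  systemctl enable --now openvpn@server
}

#######################################
# Build $CLIENT_DIR/base.conf from the packaged client sample; credentials are
# embedded inline per profile, so the file references are commented out.
#######################################
write_client_base() {
  local base="$CLIENT_DIR/base.conf"
  mkdir -p "$CLIENT_DIR/files"
  cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "$base"
  # SERVERIP is used inside a sed replacement: an address or hostname only.
  sed -i "s/^remote your_server_ip 1194/remote $SERVERIP 1194/" "$base"
  sed -i 's/^;user nobody/user nobody/' "$base"
  sed -i 's/^;group nogroup/group nogroup/' "$base"
  sed -i 's/^ca ca.crt/#ca ca.crt/' "$base"
  sed -i 's/^cert client.crt/#cert client.crt/' "$base"
  sed -i 's/^key client.key/#key client.key/' "$base"
  sed -i 's/^tls-auth ta.key 1/#tls-auth ta.key 1/' "$base"
  # The option is "key-direction" (hyphenated); the original appended
  # "key direction 1", which the client rejects as an unknown option.
  sed -i '/^cipher AES-256-CBC/a auth SHA256\nkey-direction 1\n# script-security 2\n# up /etc/openvpn/update-resolv-conf\n# down /etc/openvpn/update-resolv-conf' "$base"
}

#######################################
# Assemble an inline client profile from base.conf plus the client's material.
# Arguments: $1 client name (matches the certificate name)
# Outputs:   $CLIENT_DIR/files/NAME.ovpn, created 0600 (it holds a private key)
#######################################
build_client_profile() {
  local name=$1 keys="$CLIENT_DIR/keys"
  local out="$CLIENT_DIR/files/$name.ovpn"
  (
    umask 077
    {
      cat -- "$CLIENT_DIR/base.conf"
      printf '<ca>\n';       cat -- "$keys/ca.crt";    printf '</ca>\n'
      printf '<cert>\n';     cat -- "$keys/$name.crt"; printf '</cert>\n'
      printf '<key>\n';      cat -- "$keys/$name.key"; printf '</key>\n'
      printf '<tls-auth>\n'; cat -- "$keys/ta.key";    printf '</tls-auth>\n'
    } > "$out"
  )
}

main() {
  require_root
  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$tmpdir"' EXIT
  install_packages
  fetch_easyrsa
  write_ca_vars
  build_ca
  init_server_pki
  issue_cert server server
  install_server_material
  issue_cert client1 client
  collect_client_material client1
  configure_server
  configure_firewall
  enable_service
  write_client_base
  build_client_profile client1
}

main "$@"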
- -------
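#!/usr/bin/env bash
# Baseline hardening for a fresh Debian/Ubuntu host, run as root: a sudo user,
# sshd lockdown on a custom port, fail2ban, a default-deny IPv4 firewall
# (persisted), IPv6 disabled, unattended upgrades with automatic reboot.
#
# Environment:
#   PASSWORD  required. Password for the new user. The original hard-coded
#             "password" in this file; supply it via the environment instead
#             (e.g. "read -rs PASSWORD" at a terminal, then export it).
#   NEWUSER   default "user"        SSHPORT   default 777
#
# After the run, deploy an SSH key for $NEWUSER and then set
# "PasswordAuthentication no" in sshd_config (see the TODO in main).
set -euo pipefail

NEWUSER=${NEWUSER:-user}
SSHPORT=${SSHPORT:-777}
: "${PASSWORD:?PASSWORD must be set in the environment}"
readonly SSHD_CONF=/etc/ssh/sshd_config

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

require_root() {
  (( EUID == 0 )) || die "run as root"
}

update_system() {
  apt-get update
  apt-get upgrade -y
  # Optional: timedatectl set-timezone Asia/Tokyo
  # (the original's "Asia/Japan" is not a valid zone name).
}

create_admin_user() {
  adduser "$NEWUSER" --gecos "First Last,RoomNumber,WorkPhone,HomePhone" --disabled-password
  # chpasswd reads "user:password" on stdin, so the secret never appears in
  # argv (visible in ps). The original's "sudo" was redundant: we are root.
  printf '%s:%s\n' "$NEWUSER" "$PASSWORD" | chpasswd
  adduser "$NEWUSER" sudo
}

#######################################
# Set KEY to VALUE in sshd_config: replace an existing line for KEY, commented
# or not, else append. Debian ships e.g. "#PermitRootLogin prohibit-password",
# which the original's "^PermitRootLogin yes" pattern never matched, so that
# edit (and "UsePAM"/"X11Forwarding" on some images) was a silent no-op.
# Arguments: $1 directive name (letters only); $2 value (no sed metacharacters)
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^#?${key}[[:space:]]" "$SSHD_CONF"; then
    sed -i -E "s/^#?${key}[[:space:]].*/${key} ${value}/" "$SSHD_CONF"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONF"
  fi
}

harden_sshd() {
  set_sshd_option PermitRootLogin no
  set_sshd_option AllowTcpForwarding no
  set_sshd_option X11Forwarding no
  # Kept from the original. Note it also disables PAM account/session checks;
  # sshd then authenticates against /etc/shadow directly.
  set_sshd_option UsePAM no
  set_sshd_option AddressFamily inet
  set_sshd_option AllowUsers "$NEWUSER"
  set_sshd_option Port "$SSHPORT"
  # Never restart with a broken config: that is how remote access is lost.
  sshd -t || die "sshd_config failed validation; sshd not restarted"
  # On Ubuntu releases that socket-activate sshd (ssh.socket) the port change
  # may also need "systemctl daemon-reload"; confirm the listener with ss -ltn.
  service ssh restart
}

setup_fail2ban() {
  apt-get install -y fail2ban
  # Copying the whole jail.conf mirrors the original; a jail.local containing
  # only the [sshd] overrides would be the lighter alternative.
  cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  sed -i '/^\[sshd\]/a enabled = true\nfilter = sshd\nbantime = 1800\nfindtime = 1800\nmaxretry = 3' /etc/fail2ban/jail.local
  # "port = ssh" occurs in several jails; repointing all of them is harmless.
  sed -i "s/^\(port[ ]*=\) ssh/\1 $SSHPORT/" /etc/fail2ban/jail.local
  service fail2ban restart
}

configure_firewall() {
  iptables -I INPUT 1 -i lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --dport "$SSHPORT" -j ACCEPT
  iptables -A INPUT -j DROP
  DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
  iptables-save > /etc/iptables/rules.v4
  # The original saved the IPv4 ruleset into rules.v6. No IPv6 rules are
  # defined here: IPv6 is switched off via sysctl in disable_ipv6 instead.
  ip6tables-save > /etc/iptables/rules.v6
}

disable_ipv6() {
  local scope line
  # Append only when absent so re-running the script does not duplicate them.
  for scope in all default lo; do
    line="net.ipv6.conf.${scope}.disable_ipv6 = 1"
    grep -qxF -- "$line" /etc/sysctl.conf || printf '%s\n' "$line" >> /etc/sysctl.conf
  done
  sysctl -p
}

setup_unattended_upgrades() {
  local conf=/etc/apt/apt.conf.d/50unattended-upgrades
  apt-get update
  apt-get upgrade -y
  # dpkg-reconfigure fails if the package is absent (Debian minimal images).
  apt-get install -y unattended-upgrades
  DEBIAN_FRONTEND=noninteractive dpkg-reconfigure unattended-upgrades
  # Uncomment the "-updates" origin line (prefixed with // in the stock file).
  sed -i '/-updates/s|^//||' "$conf"
  sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|' "$conf"
  sed -i 's|//Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";|Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";|' "$conf"
  sed -i 's|//Unattended-Upgrade::Remove-Unused-Dependencies "false";|Unattended-Upgrade::Remove-Unused-Dependencies "true";|' "$conf"
  sed -i '/^APT::Periodic::Update-Package-Lists "1";/a APT::Periodic::Download-Upgradeable-Packages "1";\nAPT::Periodic::AutocleanInterval "7";' /etc/apt/apt.conf.d/20auto-upgrades
}

main() {
  require_root
  update_system
  create_admin_user
  harden_sshd
  setup_fail2ban
  configure_firewall
  disable_ipv6
  setup_unattended_upgrades
  # TODO: set up key-based authentication for $NEWUSER, then disable
  # PasswordAuthentication in sshd_config and restart sshd.
}

main "$@"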