d

#!/bin/bash

#$1 - Find
#$2 - Replace
#$3 - File
copyReplaceB()
{
	_r1="$1"
	_r2="$2"

	_r1="${_r1//\//\\/}"
	_r2="${_r2//\//\\/}"

	sed -e "s/${_r1}/${_r2}/g" $3 > /tmp/temp
	cat /tmp/temp > $3
	rm /tmp/temp
}

#$1 - Find
#$2 - Replace
#$3 - File
copyReplace()
{
	sed -e "s/$1/$2/g" $3 > /tmp/temp
	cat /tmp/temp > $3
	rm /tmp/temp
}

if [ $(lsb_release -a 2>&1 | grep Release | awk {'print $2'}) != "16.04" ]
then
	echo "This script is only intended to be used on Ubuntu 16.04."
	exit 1
fi

if [ -w /etc/passwd ]
then
	dpkg-reconfigure tzdata

	webip='sonic.evolution-host.com' #For the downloads user (Should be Sonic at the moment - Not SBG)
	downloadsPassword='57ZVYkQ85pKMvBXD'

	mkdir /vps
	mkdir /var/include
	mkdir /var/weblogs
	mkdir /usr/template
	mkdir /root/mailspam

	chmod 700 /var/include
	chmod 700 /var/weblogs

	chown www-data: /var/weblogs

	apt-get update
	apt-get install -y php-cli mysql-client sshpass php-pear libnetfilter-queue1 iotop fail2ban nload unattended-upgrades htop iotop

	pear install --alldeps mail
	pear install --alldeps Net_SMTP
	pear install --alldeps Auth_SASL
	pear install --alldeps mail_mime

	sshpass -p $downloadsPassword scp -oStrictHostKeyChecking=no downloads@$webip:blcheck.php /var/include/
	sshpass -p $downloadsPassword scp -oStrictHostKeyChecking=no downloads@$webip:blacklistCheck.php /var/include/
	sshpass -p $downloadsPassword scp -oStrictHostKeyChecking=no downloads@$webip:autoupdate.sh /root/autoupdate.sh
	sshpass -p $downloadsPassword scp -oStrictHostKeyChecking=no downloads@$webip:restartmail.sh /root/mailspam/restartmail.sh
	sshpass -p $downloadsPassword scp -oStrictHostKeyChecking=no downloads@$webip:mailmonitor /root/mailspam/mailmonitor
	sshpass -p $downloadsPassword scp -oStrictHostKeyChecking=no downloads@$webip:Net.tar.gz /usr/share/php

	cd /usr/share/php
	tar -xf Net.tar.gz
	cd ~

	chmod 700 /root/autoupdate.sh
	chmod 700 /root/mailspam/restartmail.sh
	chmod 700 /root/mailspam/mailmonitor

	#Enable automatic updates
	copyReplaceB '//	"${distro_id}:${distro_codename}-updates";' '	"${distro_id}:${distro_codename}-updates";' '/etc/apt/apt.conf.d/50unattended-upgrades'

	if ! [[ -e /etc/apt/apt.conf.d/20auto-upgrades ]]
	then
		echo 'APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";' > /etc/apt/apt.conf.d/20auto-upgrades
	fi

	crontab -l | { cat; echo "0 * * * * /root/autoupdate.sh"; } | crontab -
	crontab -l | { cat; echo "0 */4 * * * php -q /var/include/blacklistCheck.php"; } | crontab -
	crontab -l | { cat; echo "0 3 * * * /usr/sbin/ntpdate ntp.ovh.net > /dev/null"; } | crontab -

	crontab -l | { cat; echo "@reboot /sbin/iptables -I INPUT -p tcp --dport 4085 -j DROP"; } | crontab -
	crontab -l | { cat; echo "@reboot /sbin/iptables -I INPUT -s 94.175.42.138 -j ACCEPT"; } | crontab -
	crontab -l | { cat; echo "@reboot /sbin/iptables -I INPUT -s 46.7.250.103 -j ACCEPT"; } | crontab -
	crontab -l | { cat; echo "@reboot /sbin/iptables -I INPUT -s main.evolution-host.com -j ACCEPT"; } | crontab -

	crontab -l | { cat; echo "@reboot /sbin/iptables -A FORWARD -m physdev --physdev-in viifv+ -p tcp --match multiport --dports 25,2525,587,465,2526 -j NFQUEUE --queue-num 0"; } | crontab -
	crontab -l | { cat; echo "@reboot /sbin/iptables -A FORWARD -m physdev --physdev-in viifv+ -p tcp --match multiport --sports 25,2525,587,465,2526 -j NFQUEUE --queue-num 0"; } | crontab -
	crontab -l | { cat; echo '@reboot /sbin/iptables -A FORWARD -p udp -m string --algo bm --string "TSource" -m limit --limit 30/second -j ACCEPT'; } | crontab -
	crontab -l | { cat; echo '@reboot /sbin/iptables -A FORWARD -p udp -m string --algo bm --string "TSource" -j DROP'; } | crontab -
	crontab -l | { cat; echo '@reboot /sbin/iptables -A FORWARD -p udp -m string --algo bm --string "TS3INIT" -m limit --limit 30/second -j ACCEPT'; } | crontab -
	crontab -l | { cat; echo '@reboot /sbin/iptables -A FORWARD -p udp -m string --algo bm --string "TS3INIT" -j DROP'; } | crontab -

	#Makes the iptables FORWARD chain apply to VPS/viifbr0
	modprobe br_netfilter
	crontab -l | { cat; echo '@reboot /sbin/ebtables -t broute -A BROUTING -p ipv4 -i br0 -j DROP'; } | crontab -

	crontab -l | { cat; echo "@reboot /root/mailspam/restartmail.sh"; } | crontab -

	useradd vpsremoteuser
	mkdir /home/vpsremoteuser
	chown vpsremoteuser: /home/vpsremoteuser
	chmod 700 /home/vpsremoteuser
	echo -e "8apv6GZYTX9jBRZY\n8apv6GZYTX9jBRZY\n" | passwd vpsremoteuser

	allowips="94.175.42.138 46.7.250.103 5.196.162.99 173.234.25.98 198.50.246.48 188.166.190.1"
	allowips=$(echo $allowips | sort | uniq)
	for ip in $allowips
	do
		if [ $(grep $ip /etc/ssh/sshd_config | wc -l) -eq 0 ]
		then
			sed -i "/^AllowUsers/ s/\$/ *@$ip/" /etc/ssh/sshd_config
		fi
	done

	echo "vpsremoteuser ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
	service ssh restart

	sshpass -p $downloadsPassword scp -oStrictHostKeyChecking=no downloads@sonic.evolution-host.com:f2b_phpmyadmin_mysql_16.04.sh /tmp/f2b_phpmyadmin_mysql_16.04.sh
	chmod 700 /tmp/f2b_phpmyadmin_mysql_16.04.sh
	/tmp/f2b_phpmyadmin_mysql_16.04.sh
	rm /tmp/f2b_phpmyadmin_mysql_16.04.sh

	echo ''
	echo ''
	echo 'Remember to set a DNS and rDNS record for this system IP. Turn on permanant mitigation.'
	echo 'Transfer all Virtualizor templates.'
	echo 'Setup automatic backups'
	echo 'Grant SQL access for this system to login to main.evolution-host.com as createdb (blacklist checking).'
else
	echo 'This script must be ran as root. (use sudo)'
	exit 0
fi