
Starting to put together a script, to be converted later into Puppet or Chef, for setting up a server using the Bonsaiframework approach.

If you are not yet comfortable with these steps, follow the expanded instructions rather than pasting this script blindly: several steps are interactive and some (sudoers, ssh) can lock you out if done wrong.

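#!/bin/bash
# Bonsaiframework host/container bootstrap.
# This is not yet ready to use as an automatic script: several steps below are
# interactive (passwd, su) and the sections are meant to be pasted one at a time.


#
# MINIMAL SECURITY ON HOST
#

# Refresh the package index before the first install: on a fresh image it can be
# empty or stale, and the installs below would then fail or pull old versions.
sudo apt-get update
# fail2ban bans source addresses that repeatedly fail authentication (commonly used
# to slow down ssh password brute force). --assume-yes for consistency with the rest.
sudo apt-get --assume-yes install fail2ban

#
# MINIMAL SOFTWARE AND UPDATES to copy and paste from this script
#

sudo apt-get --assume-yes install ntp
sudo apt-get --assume-yes dist-upgrade
sudo apt-get --assume-yes install man htop

# on super secure system (ie your host container) you might NOT install these:
# fewer download tools means fewer ways for an intruder to pull in further code,
# and telnet sends everything, credentials included, in clear text.
sudo apt-get --assume-yes install wget telnet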

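#
# allow staff to use sudo
#

# allow staff users to have root access through sudo.
# The fragment is downloaded to a temporary file first, syntax-checked, and only
# then installed into /etc/sudoers.d with the ownership and mode sudo expects
# (root:root, 0440). The original steps fetched it over plain http straight into
# /etc/sudoers.d and left it group-readable; a broken or tampered fragment there
# either silently grants nothing or grants the wrong thing.
# NOTE(review): https proves which server sent the file, not that its contents are
# what you expect — read it before installing it.
tmp_sudoers="$(mktemp)"
wget -O "$tmp_sudoers" https://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
# visudo -c refuses a fragment with a syntax error instead of letting sudo ignore it
if sudo visudo -cf "$tmp_sudoers"; then
  sudo install -o root -g root -m 0440 "$tmp_sudoers" /etc/sudoers.d/01_enable_sudo_for_staff
else
  echo "sudoers fragment failed validation, not installed" >&2
fi
rm -f "$tmp_sudoers"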
#
# SSH for HOST and CONTAINER
#
# install the ssh metapackage (pulls in the server as well as the client)
sudo apt-get install --assume-yes ssh

# Slow ssh logins are often the reverse-DNS lookup sshd performs on the client
# address timing out because the hosting environment's DNS is broken.
# Where that cannot be fixed (ie work environment) the lookup can be disabled.
# Leave it enabled only if you use the from="..." option in an authorized_keys file
# and want to match on hostnames rather than IPs alone.
# printf '%s\n' '# Disable reverse DNS lookup to prevent slow login' 'UseDNS no' | sudo tee -a /etc/ssh/sshd_config

#
# MINIMAL SOFTWARE ON CONTAINER
# Software below is required to run the other scripts ie download keys
# (wget may already be present from the host section; apt-get simply skips it then)
#

sudo apt-get install --assume-yes mlocate wget

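#
# ACCOUNTS
#

# Create one interactive staff account and install its ssh public key.
#   $1 login name    $2 uid    $3 primary group (assumed to already exist)    $4 GECOS comment
# The key is fetched from www.bonsaiframework.com over https and must parse as a
# public key (ssh-keygen -lf prints its fingerprint) before it is appended, so an
# error page or truncated download can never end up in authorized_keys. ~/.ssh is
# created with the ownership and modes sshd insists on (700 dir, 600 authorized_keys,
# owned by the user) without switching shells with su.
# Compare the printed fingerprint with one obtained out of band: TLS only proves
# which server sent the key, not that it is the intended key.
# passwd is interactive, so this cannot run unattended yet.
add_staff_user() {
  local login="$1" uid="$2" group="$3" gecos="$4"
  local home="/home/${login}"
  local keyfile

  sudo useradd -d "$home" -m -g "$group" -u "$uid" -c "$gecos" -s /bin/bash "$login"
  # adm gives read access to most of /var/log without needing sudo
  sudo usermod -a -G adm "$login"
  sudo passwd "$login"

  # verify the sudoers fragment installed earlier actually applies to this account
  sudo -l -U "$login"

  sudo install -d -o "$login" -g "$group" -m 700 "${home}/.ssh"
  keyfile="$(mktemp)" || return 1
  if ! wget -q -O "$keyfile" "https://www.bonsaiframework.com/tscripts/publicKey.${login}"; then
    echo "download of public key for ${login} failed" >&2
    rm -f "$keyfile"
    return 1
  fi
  # refuse anything that is not a public key
  if ! ssh-keygen -lf "$keyfile"; then
    echo "downloaded file for ${login} is not a valid ssh public key" >&2
    rm -f "$keyfile"
    return 1
  fi
  # append, never overwrite, so keys already present are kept
  sudo tee -a "${home}/.ssh/authorized_keys" < "$keyfile" > /dev/null
  sudo chown "${login}:${group}" "${home}/.ssh/authorized_keys"
  sudo chmod 600 "${home}/.ssh/authorized_keys"
  rm -f "$keyfile"
}

# Create Staff Users
add_staff_user tin.pham 2000 staff "Support Tin Pham"
add_staff_user roderick.fongyee 2505 staff "Support Roderick Fongyee"

# Admin catch-all account with its own primary group.
sudo addgroup --gid 3000 serveradmin
# add public key here if intention is to allow remote login
add_staff_user serveradmin 3000 serveradmin "Admin catch-all"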

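#
# SECURE SSH
#

# Currently SSH can use keys, but falls back to passwords if keys fail.
# Once you confirm you can log in successfully with keys AND use sudo with your account
# Only then, disable passwords to protect from brute force. Keep the session you are
# in open until a second, key-based session has been verified.

# Disable ssh user password authentication.
# Note: not necessary for LXD created images as this is already set to be no
sshd_cfg=/etc/ssh/sshd_config
sudo cp "$sshd_cfg" "${sshd_cfg}.$(date +%F).about_to_disable_password_auth.bck"
# We'll edit quickly with sed; -i.sedautobck keeps a second copy next to the file.
# Matches the directive whether it is still commented out or already set to yes.
sudo sed -i.sedautobck 's/^#*PasswordAuthentication yes/PasswordAuthentication no/' "$sshd_cfg"
# Confirm your change worked. If you get nothing back you are good.
sudo cmp -s "$sshd_cfg" "${sshd_cfg}.sedautobck" && echo "sed did not work, your files are identical."

# The directive may also be set in a drop-in (e.g. /etc/ssh/sshd_config.d/*.conf on
# newer Ubuntu), in which case the edit above is not what sshd uses. Ask sshd for the
# effective values; anything other than "no" for the three lines below still allows
# password-style logins and needs fixing before moving on.
sudo sshd -T | grep -i -E '^(passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication)'

# Syntax-check before restarting so a typo cannot leave you locked out,
# then restart ssh for the change to take effect.
sudo sshd -t && sudo service ssh restart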


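# Make sure to try starting a new terminal and connecting with a non-ssh enabled account.
# You will see the error "Permission denied (publickey)".
# Your system is now safer.

################ Leave the default account and log into your main account

#
# CLEANUP
#

# Logout and delete default ubuntu account for containers
# Interesting, in a lxc setup, once my main account was created, left and logged back in, it appeared to automatically delete default ubuntu user.
# Test this scenario again.
# Guard: never delete the account you are currently logged in as, and skip accounts
# that are already gone.
for stale in ubuntu setupadmin; do
  if [[ "$(id -un)" == "$stale" ]]; then
    echo "refusing to delete ${stale}: you are logged in as it" >&2
  elif id "$stale" > /dev/null 2>&1; then
    sudo userdel -r "$stale"
  fi
done

# Clean Up the package cache
sudo apt-get autoclean # use this if you only want to clean out nolonger used packages
sudo apt-get clean # clean out all downloaded packages - I usually use this one
sudo apt-get --assume-yes autoremove # cleans out unused packages

# Setup firewall
# .... however is following this next add the instructions here

# Make sure to reboot for any kernel updates to take effect.
# Kept last on purpose: nothing after a reboot runs in the same session, so in the
# original order the apt clean-up above would never have executed.
sudo reboot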
