
This page is a first draft of a script, intended to be converted into Puppet or Chef, for setting up a server using the Bonsaiframework approach. It is a sequence of commands to run by hand rather than an automated script: several steps are interactive (password prompts, `sudo su -`, a reboot) and each should be confirmed before moving on to the next.

If you are not yet familiar with these steps, follow the expanded instructions instead of copying this script blindly; in particular, do not disable SSH password logins until you have confirmed key-based login and sudo work from a second terminal.

#!/bin/bash 
# This is not yet ready to use as an automatic script.


#
# MINIMAL SECURITY ON HOST
#


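# Refresh the package index before installing anything, otherwise the installs
# below may fail on a moved package or pull an already-superseded version.
sudo apt-get update
sudo apt-get --assume-yes dist-upgrade

# fail2ban is installed before ssh (further down). That is harmless, but once
# ssh is in place confirm the sshd jail is actually running, e.g.
#   sudo fail2ban-client status sshd
sudo apt-get --assume-yes install fail2ban

#
# MINIMAL SOFTWARE AND UPDATES to copy and paste from this script
#
# ntp: accurate clocks matter for log correlation and for anything using TLS.
sudo apt-get --assume-yes install ntp
sudo apt-get --assume-yes install man htop

# Convenience tools only. telnet speaks a cleartext protocol and wget is a
# ready-made download tool for anyone who lands a shell, so on a super secure
# system (ie your host container) you might NOT install these.
sudo apt-get --assume-yes install wget telnet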

#
# allow staff to use sudo 
#

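# Allow staff users to have root access through sudo by dropping a sudoers
# fragment into /etc/sudoers.d/.
#
# The fragment is fetched over plain HTTP and is not authenticated: anything
# able to tamper with that connection can hand out root to arbitrary users.
# Read the file before sudo honours it, and prefer a copy you already trust.
# (No root shell is opened here; sudo is used per command so nothing lingers.)
SUDOERS_FRAGMENT=/etc/sudoers.d/01_enable_sudo_for_staff
sudo wget -O "$SUDOERS_FRAGMENT" www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cat "$SUDOERS_FRAGMENT"   # eyeball it: it should only grant %staff, nothing else

# sudoers(5) wants fragments root-owned and mode 0440; chmod o-r alone leaves
# 0640, which some sudo versions reject ("should be 0440") and then ignore.
sudo chown root:root "$SUDOERS_FRAGMENT"
sudo chmod 0440 "$SUDOERS_FRAGMENT"

# A syntax error in any fragment can break sudo for everyone; check it now,
# while the account you are using can still reach root.
sudo visudo -cf "$SUDOERS_FRAGMENT"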
#
# SSH for HOST and CONTAINER
#
# The "ssh" metapackage brings in both the client and openssh-server.
sudo apt-get install --assume-yes ssh

# Slow logins are frequently sshd doing a reverse DNS lookup of the client
# that never gets an answer. If that cannot be fixed (ie a work environment),
# turn the lookup off.
# Caveat: with UseDNS no, sshd matches clients by address only, so a
# from="some.host.name" restriction in an authorized_keys file stops matching;
# from="1.2.3.4" style entries keep working.
# echo '# Disable reverse DNS lookup to prevent slow login' | sudo tee -a /etc/ssh/sshd_config
# echo 'UseDNS no' | sudo tee -a /etc/ssh/sshd_config

#
# MINIMAL SOFTWARE ON CONTAINER
# The account steps below fetch public keys with wget, and mlocate is needed
# by the other scripts; install both before running them.
#
sudo apt-get install -y mlocate wget

#
# ACCOUNTS
#


#
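# TODO(review): add a step that verifies sudo works for each staff account
# before password logins are disabled further down.
#
# The three account blocks that used to live here differed only in name, uid
# and comment, so they are now one helper called three times. Paste the whole
# helper into the shell before calling it.

#######################################
# Cheap sanity check that a downloaded file holds at least one line shaped
# like an OpenSSH public key (rejects empty bodies and HTML error pages).
# This is NOT authentication of the key; see the fingerprint step below.
# Arguments: $1 - path to an authorized_keys-style file
# Returns:   0 if a key-looking line is present, 1 otherwise
#######################################
looks_like_pubkey() {
  grep -Eq -- '^(ssh-|ecdsa-sha2-|sk-)' "$1"
}

#######################################
# Create one support/staff account and install its SSH public key, which is
# fetched from the Bonsaiframework site.
# Arguments: $1 - login name (also the home dir name and key file suffix)
#            $2 - numeric uid
#            $3 - GECOS comment
#            $4 - primary group (default: staff)
# Outputs:   passwd prompts on the terminal; key fingerprints on stdout
# Returns:   0 on success, 1 if the account could not be created
#######################################
add_support_user() {
  local user=$1 uid=$2 comment=$3 group=${4:-staff}
  local home="/home/${user}"
  local key_url="www.bonsaiframework.com/tscripts/publicKey.${user}"
  local tmp

  sudo useradd -d "$home" -m -g "$group" -u "$uid" -c "$comment" -s /bin/bash "$user" || return 1
  # adm: read access to system logs
  sudo usermod -a -G adm "$user"
  # Interactive: this password is what sudo will ask for (ssh password
  # logins are disabled later in this script).
  sudo passwd "$user"

  # Everything under ~/.ssh is created as the user so ownership is right and
  # sshd's StrictModes check passes (700 on the dir, 600 on authorized_keys).
  sudo -u "$user" -H mkdir -p "$home/.ssh"
  sudo -u "$user" -H chmod 700 "$home/.ssh"
  sudo -u "$user" -H touch "$home/.ssh/authorized_keys"
  sudo -u "$user" -H chmod 600 "$home/.ssh/authorized_keys"

  # The key is fetched over plain HTTP and is not authenticated: whoever can
  # tamper with that download gets a login as this user (and, via sudo, root).
  # The fingerprint printed below is what must be compared against a value
  # obtained out-of-band before trusting the account.
  tmp=$(mktemp) || return 1
  if wget -q -O "$tmp" "$key_url" && looks_like_pubkey "$tmp"; then
    echo "Fingerprint(s) of the key being installed for ${user}:"
    ssh-keygen -lf "$tmp"
    sudo -u "$user" -H tee -a "$home/.ssh/authorized_keys" < "$tmp" > /dev/null
  else
    echo "WARNING: no usable public key fetched for ${user}; add one to ${home}/.ssh/authorized_keys by hand" >&2
  fi
  rm -f -- "$tmp"
}

# Create Staff Users (primary group staff, plus adm for reading logs)
add_support_user tin.pham 2000 "Support Tin Pham"
add_support_user roderick.fongyee 2505 "Support Roderick Fongyee"

# Admin catch-all account with its own group.
# Only keep the key step for serveradmin if the intention is to allow remote
# login as it; otherwise delete the key from its authorized_keys afterwards.
sudo addgroup --gid 3000 serveradmin
add_support_user serveradmin 3000 "Admin catch-all" serveradmin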

#
# SECURE SSH
#


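# Currently SSH can use keys, but falls back to passwords if keys fail.
# Once you confirm you can log in successfully with keys AND use sudo with your
# account (do this from a SECOND terminal and keep this one open), and only
# then, disable passwords to protect from brute force.

# Disable ssh user password authentication.
# Note: not necessary for LXD created images as this is already set to be no
SSHD_CONFIG=/etc/ssh/sshd_config
sudo cp "$SSHD_CONFIG" "${SSHD_CONFIG}.$(date +%F).about_to_disable_password_auth.bck"

# Flip the directive whether it is still the commented-out default or an
# explicit "yes". The previous pattern only matched "#PasswordAuthentication yes"
# and silently did nothing on a file that had already been edited.
sudo sed -i.sedautobck -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]]+(yes|no)/PasswordAuthentication no/' "$SSHD_CONFIG"
# Confirm the edit changed something. If you get nothing back you are good.
sudo cmp -s "$SSHD_CONFIG" "${SSHD_CONFIG}.sedautobck" && echo "sed did not work, your files are identical."

# What the file says is not necessarily what sshd enforces: a drop-in under
# /etc/ssh/sshd_config.d/ (if your release has that directory) or a Match block
# can override this line, and keyboard-interactive/PAM is a second path that
# can still accept passwords. Ask sshd for the effective values; all of these
# should read "no". If the last two say yes, also set
# KbdInteractiveAuthentication no (older releases: ChallengeResponseAuthentication no).
sudo sshd -T | grep -iE '^(passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication) '

# Validate the config before restarting: a broken file leaves sshd down and
# the console as your only way back in.
sudo sshd -t && sudo service ssh restart


# Make sure to try starting a new terminal and connecting with an account that
# has no key installed. You should see "Permission denied (publickey)".
# Your system is now safer.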

################ Leave the default account and log into your main account

#
# CLEANUP
#

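# Log out of the default account and back in as your own (now sudo-capable)
# account before deleting it: userdel may refuse to remove a user with a live
# session, and you do not want to delete the account you are logged in with.
# Interesting, in a lxc setup, once my main account was created, left and
# logged back in, it appeared to automatically delete the default ubuntu user.
# Test this scenario again.
for leftover in ubuntu setupadmin; do
  if [ "$(id -un)" = "$leftover" ]; then
    echo "refusing to delete ${leftover}: you are logged in as it" >&2
  elif id "$leftover" > /dev/null 2>&1; then
    sudo userdel -r "$leftover"
  fi
done

# Clean Up. This has to come BEFORE the reboot; anything after "sudo reboot"
# never runs once the session is gone.
sudo apt-get --assume-yes autoremove   # removes packages that are no longer needed
sudo apt-get clean                     # drops every downloaded .deb (a superset of autoclean)

# Make sure to reboot for any kernel updates to take effect
sudo reboot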

# Setup firewall -- TODO: not written yet. Until it is, nothing on this page restricts inbound traffic, so ssh is reachable on every interface the host has.
