From fcf42cc46b4b65bbe826f5a542764bcc8695ab21 Mon Sep 17 00:00:00 2001
From: ageissler
Date: Tue, 29 Oct 2024 09:49:23 +0100
Subject: [PATCH] Dateien nach "setup" hochladen
---
 setup/add2ansible.sh | 75 +++++++++++++++++++
 setup/initialsetup.sh | 163 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 238 insertions(+)
 create mode 100644 setup/add2ansible.sh
 create mode 100644 setup/initialsetup.sh
diff --git a/setup/add2ansible.sh b/setup/add2ansible.sh
new file mode 100644
index 0000000..27ee561
--- /dev/null
+++ b/setup/add2ansible.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# Ver 1.2
+# 5. Sep 2024
+#
+
+if [ "$USER" == "root" ]
+then
+ echo "you're 'root'. fine"
+else
+ echo "need to run as 'root'"
+ exit
+fi
+
+echo "add user 'ansible'"
+adduser --disabled-password --shell /bin/bash --gecos "" ansible
+echo ""
+
+echo "check 'python'"
+PY=`which python || echo nix`
+PY=`which python3 || echo nix`
+if [ "$PY" == "nix" ]
+then
+ echo "python not installed. try to install."
+ apt-get install -y python > /dev/null
+else
+ echo "'$PY' found"
+fi
+echo ""
+
+echo "check 'sudo'"
+SU=`which sudo || echo nix`
+if [ "$SU" == "nix" ]
+then
+ echo "sudo not installed. try to install."
+ apt-get install -y sudo > /dev/null
+else
+ echo "'sudo' found"
+fi
+echo ""
+
+PY=`which python || echo nix`
+PY=`which python3 || echo nix`
+if [ "$PY" == "nix" ]
+then
+ echo "still no 'python'"
+ echo "ansible won't work without python"
+fi
+
+SU=`which sudo || echo nix`
+if [ "$SU" == "nix" ]
+then
+ echo "still no 'sudo'"
+ echo "ansible won't work without sudo"
+ echo ""
+ echo "if you still want to use user 'ansible' run:"
+ echo "su - ansible"
+ echo "mkdir -p /home/ansible/.ssh/"
+ echo "echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/gz8mIcQmAxOVbajBb0nO7jWI09TXfHn6kNg6E/43bSzu10qq3hatTPuuXgaU6Y/KMkGF0nt6nsufP3P9u1FrCtq5j175z3GCQjk6Mb5QOO9iKLO9fQV08d6j3C7YGc1+6SZlTKdReyfBy7lQAfeUMuvFT4KevMExzyzvAtgQ8ZtLHwEUWBW5F/0YIGZyr6cMNe09RT2WTYJIbQCTzfVuWbOPw2SFzvd4ls7TnLK3EU4kjujnzBsTOAJLkbaWFVm6i+W6M3N+TutrtoDcW12Q9CK5eQtVwQrMWS1JbAAIGke1TKeizgDt5EuWk4k5YovXv6wrcWT9SahgeKDVtCLx ansible\" >> /home/ansible/.ssh/authorized_keys"
+else
+ echo "configure 'sudoers' for 'ansible'"
+ echo "
+### added by script add2ansible.sh
+ansible ALL=(ALL) NOPASSWD:ALL
+
+" >> /etc/sudoers
+ echo "add key"
+ sudo -u ansible mkdir -p /home/ansible/.ssh/
+ sudo -u ansible echo "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC/gz8mIcQmAxOVbajBb0nO7jWI09TXfHn6kNg6E/43bSzu10qq3hatTPuuXgaU6Y/KMkGF0nt6nsufP3P9u1FrCtq5j175z3GCQjk6Mb5QOO9iKLO9fQV08d6j3C7YGc1+6SZlTKdReyfBy7lQAfeUMuvFT4KevMExzyzvAtgQ8ZtLHwEUWBW5F/0YIGZyr6cMNe09RT2WTYJIbQCTzfVuWbOPw2SFzvd4ls7TnLK3EU4kjujnzBsTOAJLkbaWFVm6i+W6M3N+TutrtoDcW12Q9CK5eQtVwQrMWS1JbAAIGke1TKeizgDt5EuWk4k5YovXv6wrcWT9SahgeKDVtCLx ansible" >> /home/ansible/.ssh/authorized_keys
+fi
+echo ""
+
+echo "we're done"
+
diff --git a/setup/initialsetup.sh b/setup/initialsetup.sh
new file mode 100644
index 0000000..abb5db0
--- /dev/null
+++ b/setup/initialsetup.sh
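Review bot: In the `else` branch at the end of the hunk, `sudo -u ansible echo "ssh-rsa …" >> /home/ansible/.ssh/authorized_keys` drops privileges only for the `echo`; the redirection is opened by the root shell, so `authorized_keys` is created root-owned under the default umask, and neither `.ssh` nor the file gets `700`/`600`, which sshd with `StrictModes` may refuse. The sudoers change just above appends to `/etc/sudoers` with `echo` and no syntax check, so one malformed line disables sudo for every user; a drop-in under `/etc/sudoers.d/` validated with `visudo -cf` is the safer form. Baking a single public key into the script also means every host provisioned with it trusts the same key, so consider reading the key from a file or argument so it can be rotated per environment. Separately, the two `PY=` assignments in the python check overwrite each other, so the `which python` result is never consulted, and `apt-get install -y python` likely needs `python3` on current Debian releases.
```shell
# … unchanged: root, python and sudo checks …
else
 echo "configure 'sudoers' for 'ansible'"
 printf '%s\n' 'ansible ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ansible
 chmod 440 /etc/sudoers.d/ansible
 visudo -cf /etc/sudoers.d/ansible || { rm -f /etc/sudoers.d/ansible; echo "invalid sudoers entry, removed" >&2; exit 1; }
 echo "add key"
 install -d -m 700 -o ansible -g ansible /home/ansible/.ssh
 printf '%s\n' "ssh-rsa <PUBLIC-KEY-PLACEHOLDER> ansible" >> /home/ansible/.ssh/authorized_keys
 chown ansible:ansible /home/ansible/.ssh/authorized_keys
 chmod 600 /home/ansible/.ssh/authorized_keys
fi
```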
@@ -0,0 +1,163 @@
+###############################################################
+###
+### iptables konfig
+###
+###############################################################
+apt -y install iptables iptables-persistent
+touch /etc/iptables/rules.v4
+ln -s /etc/iptables/rules.v4 /etc/network/iptables.up.rules
+echo '# Generated by install script
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "existing connections"
+-A INPUT -d 127.0.0.0/8 -j ACCEPT -m comment --comment "connects to myself"
+-A INPUT -p icmp -j ACCEPT -m comment --comment "allow ping"
+-A INPUT -s 10.0.0.0/8 -j ACCEPT -m comment --comment "private sources"
+-A INPUT -s 192.168.0.0/16 -j ACCEPT -m comment --comment "private sources"
+-A INPUT -s 172.16.0.0/12 -j ACCEPT -m comment --comment "private sources"
+-A INPUT -s 195.20.133.0/24 -j ACCEPT -m comment --comment "CONET sources"
+-A INPUT -s 149.13.94.0/24 -j ACCEPT -m comment --comment "CONET sources"
+-A INPUT -s 92.50.110.208/29 -j ACCEPT -m comment --comment "CONET sources"
+-A INPUT -p tcp -m tcp --dport 22 -j DROP -m comment --comment "drop unknown ssh"
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7 -m comment --comment "log other traffic ..."
+-A INPUT -j ACCEPT -m comment --comment "... 
and drop nothing, config not finished"
+COMMIT
+# Completed
+' > /etc/iptables/rules.v4
+iptables-apply
+
+
+###############################################################
+###
+### blocklist konfig
+###
+###############################################################
+
+echo '#!/bin/bash
+iptables -D INPUT -j blocklist.de
+iptables -F blocklist.de
+iptables -X blocklist.de
+iptables -N blocklist.de
+
+for IP in `curl -s -k http://blocklist.de/downloads/export-ips_all.txt | grep -v ":"`;
+do
+ iptables -A blocklist.de -s $IP/32 -j DROP
+done
+iptables -A blocklist.de -j RETURN
+iptables -I INPUT -j blocklist.de
+' > /usr/local/bin/iptables_blocklist
+chmod +x /usr/local/bin/iptables_blocklist
+ln -s /usr/local/bin/iptables_blocklist /etc/cron.daily/iptables_blocklist
+
+
+
+###############################################################
+###
+### fail2ban konfig
+###
+###############################################################
+
+apt -y install fail2ban python3-systemd
+
+echo "[sshd]
+backend=systemd
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+" > /etc/fail2ban/jail.local
+
+systemctl restart fail2ban
+
+
+
+###############################################################
+###
+### ssh server konfig
+###
+###############################################################
+
+START='### unique ssh config start ###'
+
+END='### unique ssh config end ###'
+
+CFG='Match User conetadm
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+ AllowUsers conetadm@10.0.0.0/8 conetadm@192.168.0.0/16 conetadm@172.16.0.0/12 conetadm@195.20.133.0/24 conetadm@149.13.94.0/24
+
+Match User ansible
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ AllowUsers ansible@10.0.0.0/8 ansible@192.168.0.0/16 ansible@172.16.0.0/12'
+
+UNIQ="$START
+$CFG
+$END"
+
+grep "$START" /etc/ssh/sshd_config
+if [ "$?" 
== "1" ]
+then
+ echo uniq Eintrag nicht vorhanden, wird angehÃĪngt
+else
+ echo uniq Eintrag gefunden, wird ersetzt
+ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bu
+ sed -i "/$START/,/$END/d" /etc/ssh/sshd_config
+fi
+echo "$UNIQ" >> /etc/ssh/sshd_config
+
+sed -i "s/^[# ]*PermitRootLogin.*$/PermitRootLogin no/g" /etc/ssh/sshd_config
+sed -i "s/^[# ]*AllowTcpForwarding.*$/AllowTcpForwarding no/g" /etc/ssh/sshd_config
+
+systemctl restart sshd
+
+
+###############################################################
+###
+### snmp konfig
+###
+###############################################################
+apt -y install snmpd
+
+echo "sysLocation VMWare, Frankfurt am Main, Hessen
+sysContact help@conet.de
+
+sysServices 72
+
+master agentx
+
+agentaddress udp::161
+
+view systemonly included .1.3.6.1
+rocommunity con default -V systemonly
+rocommunity6 con default -V systemonly
+
+rouser authPrivUser authpriv -V systemonly
+
+includeDir /etc/snmp/snmpd.conf.d
+
+" > /etc/snmp/snmpd.conf
+
+systemctl restart snmpd
+
+###############################################################
+###
+### sudoers konfig
+###
+###############################################################
+echo "
+### added by script initialsetup.sh
+conetadm ALL=(ALL) ALL
+
+" >> /etc/sudoers
+
+###############################################################
+###
+### timezone konfig
+###
+###############################################################
+rm -rf /etc/localtime
+ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
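Review bot: `systemctl restart sshd` at the end of the ssh section runs without validating the rewritten `/etc/ssh/sshd_config`, so a bad `Match` block or an unexpected `sed` result takes the daemon down and locks out remote access; add `sshd -t || { echo "sshd_config invalid, not restarting" >&2; exit 1; }` before the restart, and take the `.bu` backup unconditionally before editing rather than only in the replace branch. The sudoers section has the same shape: `echo >> /etc/sudoers` with no syntax check breaks every sudo invocation if the text is malformed, so write `conetadm ALL=(ALL) ALL` to `/etc/sudoers.d/conetadm` with mode 440 and check it with `visudo -cf /etc/sudoers.d/conetadm`. The final `-A INPUT -j ACCEPT` rule in the iptables block makes `:INPUT DROP` ineffective, which means snmpd, bound on all addresses via `agentaddress udp::161` with the v1/v2c community `con` on `default`, is reachable from any source; at minimum restrict `rocommunity con` to the monitoring network. `iptables-apply` is interactive and rolls the rules back if its confirmation prompt is not answered, which matters if this script is meant to run unattended. The file also has no shebang and no `set -e`, so every later step runs regardless of whether the earlier ones succeeded.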