Linux Server ansible konfig und initial setup

2024-10-14 11:09:32 +02:00
parent a5b7607d12
commit 8448e16c7f
2 changed files with 228 additions and 0 deletions
--- a/Minitools/ansible.sh
+++ b/Minitools/ansible.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# Ver 1.2
+# 5. Sep 2024
+#
+
+if [ "$USER" == "root" ]
+then
+   echo "you're 'root'. fine"
+else
+   echo "need to run as 'root'"
+   exit
+fi
+
+echo "add user 'ansible'"
+adduser --disabled-password --shell /bin/bash --gecos "" ansible
+echo ""
+
+echo "check 'python'"
+PY=`which python || echo nix`
+PY=`which python3 || echo nix`
+if [ "$PY" == "nix" ]
+then
+   echo "python not installed. try to install."
+   apt-get install -y python > /dev/null
+else
+   echo "'$PY' found"
+fi
+echo ""
+
+echo "check 'sudo'"
+SU=`which sudo || echo nix`
+if [ "$SU" == "nix" ]
+then
+   echo "sudo not installed. try to install."
+   apt-get install -y sudo > /dev/null
+else
+   echo "'sudo' found"
+fi
+echo ""
+
+PY=`which python || echo nix`
+PY=`which python3 || echo nix`
+if [ "$PY" == "nix" ]
+then
+   echo "still no 'python'"
+   echo "ansible won't work without python"
+fi
+
+SU=`which sudo || echo nix`
+if [ "$SU" == "nix" ]
+then
+   echo "still no 'sudo'"
+   echo "ansible won't work without sudo"
+   echo ""
+   echo "if you still want to use user 'ansible' run:"
+   echo "su - ansible"
+   echo "mkdir -p /home/ansible/.ssh/"
+   echo "echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/gz8mIcQmAxOVbajBb0nO7jWI09TXfHn6kNg6E/43bSzu10qq3hatTPuuXgaU6Y/KMkGF0nt6nsufP3P9u1FrCtq5j175z3GCQjk6Mb5QOO9iKLO9fQV08d6j3C7YGc1+6SZlTKdReyfBy7lQAfeUMuvFT4KevMExzyzvAtgQ8ZtLHwEUWBW5F/0YIGZyr6cMNe09RT2WTYJIbQCTzfVuWbOPw2SFzvd4ls7TnLK3EU4kjujnzBsTOAJLkbaWFVm6i+W6M3N+TutrtoDcW12Q9CK5eQtVwQrMWS1JbAAIGke1TKeizgDt5EuWk4k5YovXv6wrcWT9SahgeKDVtCLx ansible\" >> /home/ansible/.ssh/authorized_keys"
+else
+   echo "configure 'sudoers' for 'ansible'"
+   echo "
+### added by script add2ansible.sh
+ansible ALL=(ALL) NOPASSWD:ALL
+
+" >> /etc/sudoers
+   echo "add key"
+   sudo -u ansible mkdir -p /home/ansible/.ssh/
+   sudo -u ansible echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/gz8mIcQmAxOVbajBb0nO7jWI09TXfHn6kNg6E/43bSzu10qq3hatTPuuXgaU6Y/KMkGF0nt6nsufP3P9u1FrCtq5j175z3GCQjk6Mb5QOO9iKLO9fQV08d6j3C7YGc1+6SZlTKdReyfBy7lQAfeUMuvFT4KevMExzyzvAtgQ8ZtLHwEUWBW5F/0YIGZyr6cMNe09RT2WTYJIbQCTzfVuWbOPw2SFzvd4ls7TnLK3EU4kjujnzBsTOAJLkbaWFVm6i+W6M3N+TutrtoDcW12Q9CK5eQtVwQrMWS1JbAAIGke1TKeizgDt5EuWk4k5YovXv6wrcWT9SahgeKDVtCLx ansible" >> /home/ansible/.ssh/authorized_keys
+fi
+echo ""
+
+echo "we're done"
+
--- a/Minitools/initialsetup.sh
+++ b/Minitools/initialsetup.sh
@@ -0,0 +1,153 @@
+###############################################################
+###
+### iptables konfig
+###
+###############################################################
+apt -y install iptables iptables-persistent
+touch /etc/iptables/rules.v4
+ln -s /etc/iptables/rules.v4 /etc/network/iptables.up.rules
+echo '# Generated by install script
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    -m comment --comment "existing connections"
+-A INPUT -d 127.0.0.0/8 -j ACCEPT                          -m comment --comment "connects to myself"
+-A INPUT -p icmp -j ACCEPT                                 -m comment --comment "allow ping"
+-A INPUT -s 10.0.0.0/8 -j ACCEPT                           -m comment --comment "private sources"
+-A INPUT -s 192.168.0.0/16 -j ACCEPT                       -m comment --comment "private sources"
+-A INPUT -s 172.16.0.0/12 -j ACCEPT                        -m comment --comment "private sources"
+-A INPUT -s 195.20.133.0/24 -j ACCEPT                      -m comment --comment "CONET sources"
+-A INPUT -s 149.13.94.0/24 -j ACCEPT                       -m comment --comment "CONET sources"
+-A INPUT -s 92.50.110.208/29 -j ACCEPT                     -m comment --comment "CONET sources"
+-A INPUT -p tcp -m tcp --dport 22 -j DROP                   -m comment --comment "drop unknown ssh"
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7 -m comment --comment "log other traffic ..."
+-A INPUT -j ACCEPT                                         -m comment --comment "... and drop nothing, config not finished"
+COMMIT
+# Completed
+' > /etc/iptables/rules.v4
+iptables-apply
+
+
+###############################################################
+###
+### blocklist konfig
+###
+###############################################################
+
+echo '#!/bin/bash
+iptables -D INPUT -j blocklist.de
+iptables -F blocklist.de
+iptables -X blocklist.de
+iptables -N blocklist.de
+
+for IP in `curl -s -k http://blocklist.de/downloads/export-ips_all.txt | grep -v ":"`;
+do
+  iptables -A blocklist.de -s $IP/32 -j DROP
+done
+iptables -A blocklist.de -j RETURN
+iptables -I INPUT -j blocklist.de
+' > /usr/local/bin/iptables_blocklist
+chmod +x /usr/local/bin/iptables_blocklist
+ln -s /usr/local/bin/iptables_blocklist /etc/cron.daily/iptables_blocklist
+
+
+
+###############################################################
+###
+### fail2ban konfig
+###
+###############################################################
+
+apt -y install fail2ban python3-systemd
+
+echo "[sshd]
+backend=systemd
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+" > /etc/fail2ban/jail.local
+
+systemctl restart fail2ban
+
+
+
+###############################################################
+###
+### ssh server konfig
+###
+###############################################################
+
+START='### unique ssh config start ###'
+
+END='### unique ssh config end ###'
+
+CFG='Match User conetadm
+    PasswordAuthentication yes
+    PubkeyAuthentication yes
+    AllowUsers conetadm@10.0.0.0/8 conetadm@192.168.0.0/16 conetadm@172.16.0.0/12 conetadm@195.20.133.0/24 conetadm@149.13.94.0/24
+
+Match User ansible
+    PasswordAuthentication no
+    PubkeyAuthentication yes
+    AllowUsers ansible@10.0.0.0/8 ansible@192.168.0.0/16 ansible@172.16.0.0/12'
+
+UNIQ="$START
+$CFG
+$END"
+
+grep "$START" /etc/ssh/sshd_config
+if [ "$?" == "1" ]
+then
+   echo uniq Eintrag nicht vorhanden, wird angehängt
+else
+   echo uniq Eintrag gefunden, wird ersetzt
+   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bu
+   sed -i "/$START/,/$END/d" /etc/ssh/sshd_config
+fi
+echo "$UNIQ" >> /etc/ssh/sshd_config
+
+sed -i "s/^[# ]*PermitRootLogin.*$/PermitRootLogin no/g" /etc/ssh/sshd_config
+sed -i "s/^[# ]*AllowTcpForwarding.*$/AllowTcpForwarding no/g" /etc/ssh/sshd_config
+
+systemctl restart sshd
+
+
+###############################################################
+###
+### snmp konfig
+###
+###############################################################
+apt -y install snmpd
+
+echo "sysLocation    VMWare, Frankfurt am Main, Hessen
+sysContact     help@conet.de
+
+sysServices    72
+
+master  agentx
+
+agentaddress  udp::161
+
+view   systemonly  included   .1.3.6.1
+rocommunity  con default -V systemonly
+rocommunity6 con default -V systemonly
+
+rouser authPrivUser authpriv -V systemonly
+
+includeDir /etc/snmp/snmpd.conf.d
+
+" > /etc/snmp/snmpd.conf
+
+systemctl restart snmpd
+
+
+###############################################################
+###
+### timezone konfig
+###
+###############################################################
+rm -rf /etc/localtime
+ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime