Linux Server ansible konfig und initial setup
153
1 Minitools/initialsetup.sh
Normal file
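--- a/Minitools/initialsetup.sh
+++ b/Minitools/initialsetup.sh
@@ -0,0 +1,153 @@
+###############################################################
+###
+### iptables konfig
+###
+###############################################################
+apt -y install iptables iptables-persistent
+touch /etc/iptables/rules.v4
+ln -s /etc/iptables/rules.v4 /etc/network/iptables.up.rules
+echo '# Generated by install script
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "existing connections"
+-A INPUT -d 127.0.0.0/8 -j ACCEPT -m comment --comment "connects to myself"
+-A INPUT -p icmp -j ACCEPT -m comment --comment "allow ping"
+-A INPUT -s 10.0.0.0/8 -j ACCEPT -m comment --comment "private sources"
+-A INPUT -s 192.168.0.0/16 -j ACCEPT -m comment --comment "private sources"
+-A INPUT -s 172.16.0.0/12 -j ACCEPT -m comment --comment "private sources"
+-A INPUT -s 195.20.133.0/24 -j ACCEPT -m comment --comment "CONET sources"
+-A INPUT -s 149.13.94.0/24 -j ACCEPT -m comment --comment "CONET sources"
+-A INPUT -s 92.50.110.208/29 -j ACCEPT -m comment --comment "CONET sources"
+-A INPUT -p tcp -m tcp --dport 22 -j DROP -m comment --comment "drop unknown ssh"
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7 -m comment --comment "log other traffic ..."
+-A INPUT -j ACCEPT -m comment --comment "... and drop nothing, config not finished"
+COMMIT
+# Completed
+' > /etc/iptables/rules.v4
+iptables-apply
+
+
+###############################################################
+###
+### blocklist konfig
+###
+###############################################################
+
+echo '#!/bin/bash
+iptables -D INPUT -j blocklist.de
+iptables -F blocklist.de
+iptables -X blocklist.de
+iptables -N blocklist.de
+
+for IP in `curl -s -k http://blocklist.de/downloads/export-ips_all.txt | grep -v ":"`;
+do
+iptables -A blocklist.de -s $IP/32 -j DROP
+done
+iptables -A blocklist.de -j RETURN
+iptables -I INPUT -j blocklist.de
+' > /usr/local/bin/iptables_blocklist
+chmod +x /usr/local/bin/iptables_blocklist
+ln -s /usr/local/bin/iptables_blocklist /etc/cron.daily/iptables_blocklist
+
+
+
+###############################################################
+###
+### fail2ban konfig
+###
+###############################################################
+
+apt -y install fail2ban python3-systemd
+
+echo "[sshd]
+backend=systemd
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+" > /etc/fail2ban/jail.local
+
+systemctl restart fail2ban
+
+
+
+###############################################################
+###
+### ssh server konfig
+###
+###############################################################
+
+START='### unique ssh config start ###'
+
+END='### unique ssh config end ###'
+
+CFG='Match User conetadm
+PasswordAuthentication yes
+PubkeyAuthentication yes
+AllowUsers conetadm@10.0.0.0/8 conetadm@192.168.0.0/16 conetadm@172.16.0.0/12 conetadm@195.20.133.0/24 conetadm@149.13.94.0/24
+
+Match User ansible
+PasswordAuthentication no
+PubkeyAuthentication yes
+AllowUsers ansible@10.0.0.0/8 ansible@192.168.0.0/16 ansible@172.16.0.0/12'
+
+UNIQ="$START
+$CFG
+$END"
+
+grep "$START" /etc/ssh/sshd_config
+if [ "$?" == "1" ]
+then
+echo uniq Eintrag nicht vorhanden, wird angehängt
+else
+echo uniq Eintrag gefunden, wird ersetzt
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bu
+sed -i "/$START/,/$END/d" /etc/ssh/sshd_config
+fi
+echo "$UNIQ" >> /etc/ssh/sshd_config
+
+sed -i "s/^[# ]*PermitRootLogin.*$/PermitRootLogin no/g" /etc/ssh/sshd_config
+sed -i "s/^[# ]*AllowTcpForwarding.*$/AllowTcpForwarding no/g" /etc/ssh/sshd_config
+
+systemctl restart sshd
+
+
+###############################################################
+###
+### snmp konfig
+###
+###############################################################
+apt -y install snmpd
+
+echo "sysLocation VMWare, Frankfurt am Main, Hessen
+sysContact help@conet.de
+
+sysServices 72
+
+master agentx
+
+agentaddress udp::161
+
+view systemonly included .1.3.6.1
+rocommunity con default -V systemonly
+rocommunity6 con default -V systemonly
+
+rouser authPrivUser authpriv -V systemonly
+
+includeDir /etc/snmp/snmpd.conf.d
+
+" > /etc/snmp/snmpd.conf
+
+systemctl restart snmpd
+
+
+###############################################################
+###
+### timezone konfig
+###
+###############################################################
+rm -rf /etc/localtime
+ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime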
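Review bot: The closing `-A INPUT -j ACCEPT` ("drop nothing, config not finished") turns the `:INPUT DROP` policy into allow-all, so the only thing this ruleset blocks is SSH from unlisted sources, and the snmp section then binds `agentaddress udp::161` on every interface with the v2c community `con` and a "systemonly" view that actually covers the whole `.1.3.6.1` tree — that short community string is all that stands between the internet and a full read of the MIB. Either finish the ruleset with `-A INPUT -j DROP` once the needed ports are listed, or at least scope SNMP to the poller, e.g. `rocommunity con <monitoring-net> -V systemonly` and `agentaddress udp:127.0.0.1:161,udp:<mgmt-ip>:161`. The blocklist script downloads `http://blocklist.de/downloads/export-ips_all.txt` over plain HTTP (and `-k` would disable certificate checks even on HTTPS), so anyone able to tamper with that transfer decides which sources this host DROPs — including the admin and CONET networks, since `-I INPUT -j blocklist.de` puts the chain ahead of the allow rules — and an empty or failed download silently rebuilds the chain with no entries; fetch it with `https://` and no `-k`, and only replace the chain when the download is non-empty. `iptables-apply` is called with no argument, so it prompts and reverts after its timeout when run unattended, and `systemctl restart sshd` follows the `sed -i` edits without an `sshd -t` check; on an Ansible-driven initial setup both can leave the host with the old ruleset or a non-starting sshd.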