						#!/bin/bash
# 9I Global.

# <UDF name="host_name" label="The hostname for the new Linode.">
# <UDF name="fqdn" label="The new Linode's Fully Qualified Domain Name">

# <udf name="publicip" label="Linode Public IP" example="178.79.134.167"/>
# <udf name="publicnetmask" label="Netmask" default="255.255.255.0" example="255.255.255.0 "/>
# <udf name="publicgateway" label="Gateway" example="178.79.134.1"/>
# <udf name="dnsresolver1" label="DNS Resolver 1" default="8.8.8.8" example="8.8.8.8 Google DNS"/>
# <udf name="dnsresolver2" label="DNS Resolver 2" default="209.244.0.3" example="209.244.0.3 Level3 DNS"/>
# <udf name="dnsresolver3" label="DNS Resolver 3" default="74.82.42.42" example="74.82.42.42 Hurricane Electric DNS"/>
# <udf name="privateip" label="Linode Private IP" example="192.168.154.122"/>
# <udf name="privatenetmask" label="Private Netmask" default="255.255.128.0" example="255.255.128.0"/>

# Security StackScript
# By Toan Tran <toan@9ient.com>
#
# <udf name="user_name" label="Unprivileged User Account" default="toan" />
# <udf name="user_password" label="Unprivileged User Password" />
# <udf name="user_sshkey" label="Public Key for User" default=""/>
#
# <udf name="sshd_port" label="SSH Port" default="44445" />
# <udf name="sshd_protocol" label="SSH Protocol" oneOf="1,2,1 and 2" default="2" />
# <udf name="sshd_permitroot" label="SSH Permit Root Login" oneof="No,Yes" default="No" />
# <udf name="sshd_passwordauth" label="SSH Password Authentication" oneOf="No,Yes" default="No" />
# <udf name="sshd_group" label="SSH Allowed Groups" default="sshusers" example="List of groups separated by spaces" />
#
# <udf name="sudo_usergroup" label="Usergroup to use for Admin Accounts" default="wheel" />
# <udf name="sudo_passwordless" label="Passwordless Sudo" oneof="Require Password,Do Not Require Password" default="Require Password" />

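# Everything from here on is logged to /root/stackscript.log. UDF values
# (including the admin password) are expanded into the commands below, so
# treat the log as sensitive and keep it under the root-only /root.
exec &> /root/stackscript.log

###########################################################
# System
###########################################################

    source <ssinclude StackScriptID="16496">        #StackScript Bash Library for Centos 7

    # Normalise both group names to lower case once, here. The sudoers entry
    # and the sshd AllowGroups line are written lower-cased, so a mixed-case
    # UDF value such as "Wheel" used to create one group while granting sudo
    # and SSH access to a different (non-existent) one. Every later use
    # (groupadd, user_add_sudo, usermod) now sees the same spelling.
    SSHD_GROUP=$(echo "${SSHD_GROUP}" | tr '[:upper:]' '[:lower:]')
    SUDO_USERGROUP=$(echo "${SUDO_USERGROUP}" | tr '[:upper:]' '[:lower:]')

    # Set Time Zone
    timedatectl set-timezone 'Asia/Ho_Chi_Minh'

    # Create Groups. A group may already exist (wheel typically does on
    # CentOS 7), in which case groupadd would just fail noisily - skip it.
    for grp in "${SSHD_GROUP}" "${SUDO_USERGROUP}"; do
        getent group "${grp}" >/dev/null || groupadd "${grp}"
    done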



###########################################################
# Configure Sudo
###########################################################

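    # Grant the admin group sudo. The new file is built in a private temp copy
    # (mktemp, not a predictable /etc/sudoers.tmp) and only swapped in after
    # visudo accepts it: a single syntax error in /etc/sudoers disables sudo
    # for everyone, and root login over SSH is off by default on this host.
    SUDOERS_TMP=$(mktemp /etc/sudoers.XXXXXX)
    cp /etc/sudoers "${SUDOERS_TMP}"
    chmod 0640 "${SUDOERS_TMP}"
    SUDO_GROUP_LOWER=$(echo "${SUDO_USERGROUP}" | tr '[:upper:]' '[:lower:]')
    case "${SUDO_PASSWORDLESS}" in
        "Do Not Require Password")
            # NOPASSWD for ALL commands: anyone holding this user's SSH key, or
            # any process running as this user, is root with no further check.
            echo "%${SUDO_GROUP_LOWER} ALL = NOPASSWD: ALL" >> "${SUDOERS_TMP}"
            ;;
        "Require Password")
            echo "%${SUDO_GROUP_LOWER} ALL = (ALL) ALL" >> "${SUDOERS_TMP}"
            ;;
    esac
    # visudo -c also checks owner/mode, so set the final mode before checking.
    chmod 0440 "${SUDOERS_TMP}"
    if visudo -cf "${SUDOERS_TMP}" >/dev/null; then
        mv "${SUDOERS_TMP}" /etc/sudoers
    else
        echo "ERROR: generated sudoers rejected by 'visudo -c'; /etc/sudoers left unchanged" >&2
        rm -f "${SUDOERS_TMP}"
    fi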

###########################################################
# Configure SSHD
###########################################################

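    # Rebuild sshd_config rather than patch it: explicit hardening directives
    # first, then whichever of a fixed list of stock directives the shipped
    # file contains, copied verbatim (commented lines included, exactly as the
    # old per-keyword sed copies did). The result is validated with `sshd -t`
    # before it replaces the live file - a config sshd rejects would leave the
    # host unreachable over SSH once restart_services runs.
    SSHD_CFG=/etc/ssh/sshd_config
    SSHD_CFG_TMP=${SSHD_CFG}.tmp

    # Append every line of the stock file containing "<Keyword> " (unanchored,
    # so "#Keyword ..." comments are carried over as comments).
    _copy_sshd_directive() {
        grep -F -- "$1 " "${SSHD_CFG}" >> "${SSHD_CFG_TMP}"
    }

    # The UDF offers "1 and 2", which is not sshd syntax; sshd spells it "2,1".
    case "${SSHD_PROTOCOL}" in
        "1 and 2") SSHD_PROTOCOL_LINE="2,1" ;;
        *)         SSHD_PROTOCOL_LINE="${SSHD_PROTOCOL}" ;;
    esac

    # A non-default port only cuts scanner noise; the actual access control is
    # the PermitRootLogin / PasswordAuthentication / AllowGroups lines below.
    {
        echo "Port ${SSHD_PORT}"
        echo "Protocol ${SSHD_PROTOCOL_LINE}"
    } > "${SSHD_CFG_TMP}"

    for kw in HostKey UsePrivilegeSeparation KeyRegenerationInterval ServerKeyBits \
              SyslogFacility LogLevel LoginGraceTime; do
        _copy_sshd_directive "${kw}"
    done

    echo "PermitRootLogin $(echo "${SSHD_PERMITROOT}" | tr '[:upper:]' '[:lower:]')" >> "${SSHD_CFG_TMP}"

    for kw in StrictModes RSAAuthentication PubkeyAuthentication IgnoreRhosts \
              RhostsRSAAuthentication HostbasedAuthentication PermitEmptyPasswords \
              ChallengeResponseAuthentication; do
        _copy_sshd_directive "${kw}"
    done

    echo "PasswordAuthentication $(echo "${SSHD_PASSWORDAUTH}" | tr '[:upper:]' '[:lower:]')" >> "${SSHD_CFG_TMP}"

    # "Subsystem" is deliberately not in this list: it is set explicitly below,
    # and OpenSSH rejects a config that defines the same subsystem twice, which
    # happened whenever the stock file already had an uncommented "Subsystem sftp".
    for kw in X11Forwarding X11DisplayOffset PrintMotd PrintLastLog TCPKeepAlive \
              MaxStartups AcceptEnv UsePAM; do
        _copy_sshd_directive "${kw}"
    done

    # Only members of SSHD_GROUP may log in at all; the admin user is added to
    # it in the user section. Lower-cased to match the group that gets created.
    echo "AllowGroups $(echo "${SSHD_GROUP}" | tr '[:upper:]' '[:lower:]')" >> "${SSHD_CFG_TMP}"
    echo "Subsystem sftp internal-sftp" >> "${SSHD_CFG_TMP}"
    chmod 0600 "${SSHD_CFG_TMP}"

    # Host keys are normally generated on first sshd start; make sure they
    # exist so the syntax check below cannot fail on "no hostkeys available".
    ssh-keygen -A >/dev/null 2>&1
    if sshd -t -f "${SSHD_CFG_TMP}"; then
        mv "${SSHD_CFG_TMP}" "${SSHD_CFG}"
        touch /tmp/restart-sshd
    else
        echo "ERROR: generated sshd_config rejected by 'sshd -t'; stock ${SSHD_CFG} left in place" >&2
        rm -f "${SSHD_CFG_TMP}"
    fi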

###########################################################
# Create User & Add SSH Key
###########################################################

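     # Create the admin account, install its SSH key and allow it through sshd.
    USER_NAME_LOWER=$(echo "${USER_NAME}" | tr '[:upper:]' '[:lower:]')

    # Arguments are quoted: unquoted, an empty password vanished and the group
    # name slid into the password slot of user_add_sudo.
    user_add_sudo "${USER_NAME_LOWER}" "${USER_PASSWORD}" "${SUDO_USERGROUP}"

    if [ -n "${USER_SSHKEY}" ]; then
        user_add_pubkey "${USER_NAME_LOWER}" "${USER_SSHKEY}"
    else
        # Never fall back to a built-in key. The previous revision installed a
        # hard-coded public key (comment "empty@toan") whenever this field was
        # left blank, giving whoever holds that private key SSH access to every
        # such deployment. Log the omission instead.
        echo "WARNING: no SSH public key supplied for ${USER_NAME_LOWER}; none installed" >&2
        if [ "${SSHD_PASSWORDAUTH}" != "Yes" ]; then
            echo "WARNING: SSH password authentication is '${SSHD_PASSWORDAUTH}'; this host will only be reachable through the console (Lish) until a key is added" >&2
        fi
    fi

    # Membership in SSHD_GROUP is what AllowGroups in sshd_config checks.
    usermod -aG "${SSHD_GROUP}" "${USER_NAME_LOWER}"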

###########################################################
# Wall up - Firewalld
###########################################################

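    # This section sets up the basic firewall and enables it. The ssh service
    # definition is copied and repointed at SSHD_PORT so only that port is open.
    # SSHD_PORT is spliced into XML and a sed expression, so accept digits only.
    case "${SSHD_PORT}" in
        ''|*[!0-9]*)
            echo "ERROR: SSHD_PORT '${SSHD_PORT}' is not numeric; keeping the stock ssh service definition (port 22)" >&2
            ;;
        *)
            cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh.xml
            sed -i "s#<port protocol=\"tcp\" port=\"22\"/>#<port protocol=\"tcp\" port=\"${SSHD_PORT}\"/>#" /etc/firewalld/services/ssh.xml
            # With SELinux enforcing, sshd is not allowed to bind a non-standard
            # port until it is labelled ssh_port_t. Best effort: semanage comes
            # from policycoreutils-python and may not be installed.
            if command -v semanage >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
                semanage port -a -t ssh_port_t -p tcp "${SSHD_PORT}" 2>/dev/null \
                    || semanage port -m -t ssh_port_t -p tcp "${SSHD_PORT}"
            fi
            ;;
    esac
    systemctl start firewalld
    systemctl enable firewalld
    firewall-cmd --zone=public --add-interface=eth0 --permanent
    firewall-cmd --zone=public --add-service=ssh --permanent
    firewall-cmd --reload

    # Library helper: restarts whatever earlier sections flagged (e.g. sshd).
    restart_services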

###########################################################
# Aliases for the admin user
###########################################################

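    # Convenience aliases for the admin account created above (not root). Only
    # yum and firewall-cmd need privilege; df is readable by any user, so it no
    # longer goes through sudo.
    ADMIN_HOME="/home/${USER_NAME_LOWER}"
    if [ -d "${ADMIN_HOME}" ]; then
        cat >> "${ADMIN_HOME}/.bashrc" <<'EOF'
alias update='sudo yum update'
alias install='sudo yum install'
alias free='free -m'
alias firewall-cmd='sudo firewall-cmd'
alias df='df -h'
EOF
        # The append may have created .bashrc as root; hand it to the user.
        chown --reference="${ADMIN_HOME}" "${ADMIN_HOME}/.bashrc"
    else
        echo "WARNING: ${ADMIN_HOME} does not exist; aliases not installed" >&2
    fi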

###########################################################
# Final Init Services
###########################################################


    # Drop services this image does not need. chrony goes because install_ntp
    # (run at the end of the script) installs ntpd instead; postfix because
    # nothing here sends mail. Each pair is "unit:package".
    for svc in chronyd:chrony postfix:postfix; do
        systemctl stop "${svc%%:*}"
        yum -y -q remove "${svc##*:}"
    done

    # avahi (mDNS) stays installed but is stopped and disabled at boot.
    systemctl stop avahi-daemon.socket avahi-daemon.service
    systemctl disable avahi-daemon.socket avahi-daemon.service


###########################################################
# Host Name Control
###########################################################

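# Resolve eth0's IPv4 address for /etc/hosts. Prefer iproute2 and fall back to
# net-tools ifconfig (not guaranteed to be installed on CentOS 7), then to the
# PUBLICIP the operator supplied, so an empty address never reaches /etc/hosts.
IPADDR=$(ip -4 -o addr show dev eth0 2>/dev/null | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }')
if [ -z "${IPADDR}" ] && command -v ifconfig >/dev/null 2>&1; then
    IPADDR=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')
fi
IPADDR=${IPADDR:-${PUBLICIP}}

# Set the system hostname to the FQDN from the UDF.
if [ -n "${FQDN}" ]; then
    hostnamectl set-hostname "${FQDN}"
fi

# Map the address to both names in /etc/hosts; skip rather than write a line
# whose address or name field is empty.
if [ -n "${IPADDR}" ] && [ -n "${FQDN}" ]; then
    printf '%s %s%s\n' "${IPADDR}" "${FQDN}" "${HOST_NAME:+ ${HOST_NAME}}" >> /etc/hosts
else
    echo "WARNING: eth0 address or FQDN unknown; /etc/hosts not updated" >&2
fi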



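# Configure networking: static public/private addresses and resolvers from the
# UDFs, via the library helpers from StackScript 16496, then restart networking.

# PUBLICIP and PUBLICGATEWAY have no UDF default. Unquoted, a blank value used
# to shift the remaining arguments one slot left; now they are quoted, and the
# static configuration is skipped outright (and logged) when either is blank.
# NOTE(review): PRIVATEIP may be empty and is passed as an empty third argument
# - confirm set_static_linode_ip treats that the same as an omitted argument.
if [ -n "${PUBLICIP}" ] && [ -n "${PUBLICGATEWAY}" ]; then
    set_static_linode_ip "${PUBLICIP}" "${PUBLICGATEWAY}" "${PRIVATEIP}"
else
    echo "WARNING: PUBLICIP or PUBLICGATEWAY not set; interface configuration left unchanged" >&2
fi

set_dns_resolver "${DNSRESOLVER1}" "${DNSRESOLVER2}" "${DNSRESOLVER3}"

restart_networking

# Update the System, then install ntpd (chrony was removed above) and the
# library's basic package set.
system_update

install_ntp
install_basics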