CentOS Development template

by hoangnm-ibl
336 deployments · 333 still active · last rev. 2 months ago

Creates a development environment for CentOS 7

Compatible with: CentOS 7
						#!/bin/bash
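#<UDF name="hostname" label="The hostname for the new Linode.">
# HOSTNAME=
#<UDF name="Timezone" label="Choose timezone on list: America/Los_Angeles, Asia/Singapore, Europe/London">
# TIMEZONE=
#<UDF name="slack_webhook" label="Slack incoming-webhook URL for the deployment notice (leave empty to skip)" default="">
# SLACK_WEBHOOK=
#
# CentOS 7 development-box provisioning (Linode StackScript).
#
# Runs once as root on a fresh instance and, in order: appends kernel and
# ulimit hardening, restricts sshd to a fixed set of admin source addresses
# via firewalld, disables SELinux, disables root SSH login, grants NOPASSWD
# sudo to the dev/iblsystem LDAP groups, installs the toolchain and Oracle
# JDK, configures LDAP login, the Zabbix agent, remote syslog shipping,
# fail2ban and ntpd, posts a notice to Slack and reboots.
#
# Environment (injected from the UDFs above):
#   HOSTNAME       system hostname to set
#   TIMEZONE       zone name handed to timedatectl
#   SLACK_WEBHOOK  optional incoming-webhook URL; it is a credential, so it is
#                  supplied per deployment instead of being written into the
#                  template
#
# No "set -e": several steps return non-zero as part of normal operation
# (yum check-update exits 100 when updates exist); the steps whose failure
# matters are checked explicitly instead.

# Admin source addresses allowed to reach sshd. Once the zone-wide ssh
# service is removed below, nothing else can connect to port 22.
readonly ADMIN_SSH_SOURCES=(
  113.161.84.59
  115.78.5.32
  115.75.191.183
  113.161.84.237
  112.109.95.186
  115.79.4.45
  172.104.184.58
  139.162.56.60
)
readonly ZABBIX_SERVER=139.162.213.120
readonly SYSLOG_SERVER=172.104.57.132
readonly LDAP_SERVER=185.3.95.232
# Hosts fail2ban never bans, kept exactly as the original listed them. Note
# this is a subset of ADMIN_SSH_SOURCES: 115.75.191.183, 172.104.184.58 and
# 139.162.56.60 can still be banned after repeated failures.
readonly FAIL2BAN_IGNOREIP='127.0.0.1/8 113.161.84.59/32 115.78.5.32/32 113.161.84.237/32 112.109.95.186/32 115.79.4.45/32'

#######################################
# Print a diagnostic to stderr (Linode captures it in the StackScript log).
# Arguments: message words
#######################################
warn() {
  printf 'stackscript: %s\n' "$*" >&2
}

#######################################
# Append the kernel tuning/hardening block to /etc/sysctl.conf and apply it.
# Note icmp_echo_ignore_all=1 also hides the host from the monitoring
# server's ping checks — TODO confirm that is intended.
#######################################
configure_kernel() {
  cat <<'EOT' >> /etc/sysctl.conf
# Minimizing the amount of swapping
vm.swappiness = 0
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5

# Increases the size of file handles and inode cache & restricts core dumps
fs.file-max = 2097152
fs.suid_dumpable = 0

# Change the amount of incoming connections and incoming connections backlog
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144

# Increase the maximum amount of memory buffers
net.core.optmem_max = 25165824

# Increase the default and maximum send/receive buffers
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.core.wmem_max = 67108864

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter = 1

# Enable ignoring to ICMP requests and broadcasts request
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable logging of spoofed packets, source routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0

# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
EOT
  sysctl -p
}

#######################################
# Raise per-user resource limits. The stock 20-nproc.conf caps non-root
# processes at 4096 and is read after limits.conf, so its line is commented
# out and a raised value inserted right after it.
#######################################
configure_limits() {
  cat <<'EOT' >> /etc/security/limits.conf
*    soft    nofile        614400
*    hard    nofile        614400
*    soft    nproc        614400
*    hard    nproc        614400
*    soft    memlock        614400
*    hard    memlock        614400
*    soft    stack        614400
*    hard    stack        614400
EOT
  sed -i \
    -e '/*          soft    nproc     4096/s/^/#/' \
    -e '/#*          soft    nproc     4096/ a *          soft    nproc     204800' \
    /etc/security/limits.d/20-nproc.conf
}

#######################################
# Allow port 22 only from ADMIN_SSH_SOURCES and 10050 from the Zabbix
# server, then drop the zone-wide ssh service so the rich rules are the
# only path to sshd. All rules are added --permanent and applied by one
# reload.
#######################################
configure_firewall() {
  local src
  systemctl enable firewalld
  systemctl start firewalld
  for src in "${ADMIN_SSH_SOURCES[@]}"; do
    firewall-cmd --permanent \
      --add-rich-rule="rule family=ipv4 source address=\"${src}\" port port=22 protocol=tcp accept"
  done
  firewall-cmd --permanent \
    --add-rich-rule="rule family=ipv4 source address=\"${ZABBIX_SERVER}\" port port=10050 protocol=tcp accept"
  firewall-cmd --permanent --remove-service=ssh
  firewall-cmd --reload
}

#######################################
# Switch SELinux off (effective at the final reboot). This is the original
# template's choice for a dev box; "permissive" would keep the audit trail
# and is the less drastic option if this is ever revisited.
#######################################
configure_selinux() {
  sed -i \
    -e '/SELINUX=enforcing/s/^/#/' \
    -e '/#SELINUX=enforcing/ a SELINUX=disabled' \
    /etc/selinux/config
}

#######################################
# Harden sshd: no root login, keepalives, public keys looked up via the
# LDAP helper. Stock sshd_config carries these directives commented out;
# the sed inserts an active line right after each commented one.
# ClientAliveInterval 120 x ClientAliveCountMax 720 tolerates a dead peer
# for 24h — presumably deliberate for long dev sessions; confirm.
#######################################
configure_sshd() {
  sed -i \
    -e '/PermitRootLogin yes/s/^/#/' \
    -e '/#PermitRootLogin yes/ a PermitRootLogin no' \
    -e '/#ClientAliveInterval 0/ a ClientAliveInterval 120' \
    -e '/#ClientAliveCountMax 3/ a ClientAliveCountMax 720' \
    /etc/ssh/sshd_config
  # The template never installs this helper; without it sshd logs an error
  # per login and only file-based authorized_keys work.
  [[ -x /etc/openssh-ldap-publickey ]] \
    || warn '/etc/openssh-ldap-publickey is missing or not executable'
  printf '%s\n' \
    'AuthorizedKeysCommand /etc/openssh-ldap-publickey' \
    'AuthorizedKeysCommandUser nobody' >> /etc/ssh/sshd_config
  # A config sshd cannot parse would make the final restart fail and leave
  # the old daemon running with the old settings; surface that now.
  sshd -t || warn 'sshd -t rejected /etc/ssh/sshd_config; review before the final restart'
}

#######################################
# Grant passwordless sudo to the dev and iblsystem groups through a
# sudoers.d drop-in (included by the stock /etc/sudoers) instead of
# appending to /etc/sudoers, so the grant is validated with visudo and can
# be removed on its own. NOPASSWD:ALL for whole LDAP groups is the
# template's decision; the scope of those groups lives in the directory.
#######################################
configure_sudo() {
  local -r dropin=/etc/sudoers.d/90-ldap-groups
  printf '%s\n' \
    '%dev  ALL=(ALL)       NOPASSWD:ALL' \
    '%iblsystem  ALL=(ALL)       NOPASSWD:ALL' > "$dropin"
  chmod 0440 "$dropin"
  if ! visudo -cf "$dropin"; then
    rm -f -- "$dropin"
    warn 'sudoers drop-in failed validation and was removed'
  fi
}

#######################################
# Install the build toolchain, Node.js 8 from NodeSource, utilities and pm2.
# The NodeSource installer is executed straight from the network: TLS
# verification (curl's default) is the only integrity control available
# for it, and -f stops an HTTP error page from being fed to bash.
# The yum updateinfo/check-update lines are advisory queries only; nothing
# here applies security updates.
#######################################
install_packages() {
  yum group install -y "Development Tools"
  yum install -y epel-release
  curl -fsSL https://rpm.nodesource.com/setup_8.x | bash -
  yum install -y openssl nodejs git vim wget net-tools telnet screen zeromq zeromq-devel yum-plugin-security
  yum updateinfo info --cve CVE-2014-0224
  yum --security --sec-severity=Critical check-update
  # The original spelled this flag with an en-dash, which yum does not
  # recognise, so the query never ran.
  yum --sec-severity=Critical updateinfo list
  npm install -g pm2 yarn
  pm2 install pm2-logrotate
}

#######################################
# Download and install the Oracle JDK 8u201 RPM, keeping a copy under
# /data/backup/sources. TLS verification stays on (the original passed
# --no-check-certificate, which accepts any certificate for the download);
# the cookie header is the license acceptance the Oracle archive expects.
#######################################
install_jdk() {
  local -r rpm_url='https://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.rpm'
  local -r dest=/data/backup/sources
  mkdir -p "$dest"
  if wget --no-cookies --header 'Cookie: oraclelicense=accept-securebackup-cookie' \
      -P "$dest" "$rpm_url"; then
    rpm -ivh "${dest}/jdk-8u201-linux-x64.rpm"
  else
    warn 'JDK download failed; skipping rpm install'
  fi
}

#######################################
# System-wide shell additions. /opt/geth is not created by this template —
# presumably populated by a later step.
#######################################
configure_bashrc() {
  cat <<'EOT' >> /etc/bashrc
PATH=$PATH:/opt/geth/
export PATH
alias vi='vim'
EOT
  source /etc/bashrc
}

#######################################
# LDAP users via nslcd/nscd. NOTE(review): the bind is plain ldap:// (no
# --enableldaptls) and --usemd5 keeps MD5 for local password hashes; both
# are weak choices inherited from the original template — confirm whether
# the directory offers TLS, and prefer --passalgo=sha512.
#######################################
configure_ldap() {
  # The glob is a yum wildcard, not a shell glob.
  yum install -y perl-LDAP nss-pam-ldapd nscd 'authconfig-gtk*'
  systemctl enable nslcd
  systemctl enable nscd
  authconfig --enableldap --enableldapauth --enablelocauthorize \
    --ldapserver="$LDAP_SERVER" --ldapbasedn="dc=blockchainlab,dc=dev" \
    --enablemkhomedir --usemd5 --enablecache --update
  systemctl start nslcd
  systemctl start nscd
}

#######################################
# Zabbix 3.4 agent reporting to ZABBIX_SERVER. The repo key and release
# package are fetched over https so the key that later verifies packages is
# not itself taken on trust from plain http. The unit is zabbix-agent
# (the name the original's final restart used); the original enabled and
# started "zabbix_agent", so after the reboot the agent would not have come
# back. The agent config carries no TLS* directives, so agent traffic is in
# the clear.
#######################################
configure_zabbix() {
  rpm --import https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX
  rpm -ivh https://repo.zabbix.com/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-1.el7.centos.noarch.rpm
  yum install -y zabbix-agent
  systemctl enable zabbix-agent
  # Overwrites the packaged config.
  cat <<EOT > /etc/zabbix/zabbix_agentd.conf
PidFile=/var/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=0
Server=${ZABBIX_SERVER}
ServerActive=${ZABBIX_SERVER}
Hostname=$(hostname)
EOT
  systemctl start zabbix-agent
}

#######################################
# Local UDP syslog listener plus forwarding to SYSLOG_SERVER, and a
# PROMPT_COMMAND hook that logs every interactive command to local6.
# Legacy imudp directives are positional: $UDPServerAddress is documented as
# having to precede $UDPServerRun, otherwise the listener binds to 0.0.0.0
# (the original had them the other way round). The @@ forwards are plain
# TCP; nothing authenticates or encrypts the stream. Any user can unset
# PROMPT_COMMAND, so the command log is an audit aid, not a control.
#######################################
configure_rsyslog() {
  systemctl enable rsyslog
  cat <<EOT >> /etc/rsyslog.conf
\$ModLoad imudp
\$UDPServerAddress 127.0.0.1
\$UDPServerRun 514
local2.*                                                /var/log/haproxy.log
local6.* /var/log/cmdlog.log
local6.* @@${SYSLOG_SERVER}:514
daemon.* /var/log/daemon.log
daemon.* @@${SYSLOG_SERVER}:514
authpriv.* @@${SYSLOG_SERVER}:514
*.info;mail.none;authpriv.none;cron.none @@${SYSLOG_SERVER}:514
EOT
  # Written string kept byte-identical to the original template.
  echo "export PROMPT_COMMAND='RETRN_VAL=\$?;logger -p local6.debug \"\$(whoami) [\$\$]: \$(history 1 | sed \"s/^[ ]*[0-9]\+[ ]*//\" ) [\$RETRN_VAL]\"'" >> /etc/bashrc
  source /etc/bashrc
}

#######################################
# fail2ban with the sshd jail: 30-day ban after failures within 60 s, logs
# to syslog. Settings go in *.local overrides, which fail2ban reads after
# the shipped *.conf files and which survive package upgrades, instead of
# sed edits of the shipped files.
#######################################
configure_fail2ban() {
  yum install -y fail2ban fail2ban-systemd
  systemctl enable fail2ban
  printf '%s\n' '[Definition]' 'logtarget = SYSLOG' > /etc/fail2ban/fail2ban.local
  cat <<EOT > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = ${FAIL2BAN_IGNOREIP}
bantime  = 2592000
findtime  = 60

[sshd]
enabled = true
EOT
  systemctl start fail2ban
}

#######################################
# ntpd plus the requested timezone (the original installed ntp twice).
# NOTE(review): CentOS 7 ships chronyd enabled and its unit conflicts with
# ntpd; the template never disables chronyd — confirm which daemon is meant
# to own time sync after the reboot.
#######################################
configure_time() {
  yum install -y ntp
  systemctl enable ntpd
  timedatectl set-timezone "$TIMEZONE"
  systemctl start ntpd
}

#######################################
# Post hostname and non-loopback IPv4 addresses to Slack. The webhook URL is
# a bearer credential and comes from the SLACK_WEBHOOK UDF; the notice is
# skipped when none is supplied. Message text is the same as the original
# (hostname line, Network line, ip output in a code block).
#######################################
notify_slack() {
  if [[ -z "${SLACK_WEBHOOK:-}" ]]; then
    warn 'SLACK_WEBHOOK not set; skipping Slack notice'
    return 0
  fi
  local details payload
  printf -v details '+ hostname: %s\n+ Network: \n%s' \
    "$(hostname)" \
    "$(ip a | grep inet | grep -v '127.0.0.1' | grep -v inet6)"
  # Escape for a JSON string literal: backslashes, quotes, newlines.
  details=${details//\\/\\\\}
  details=${details//\"/\\\"}
  details=${details//$'\n'/\\n}
  payload="{\"channel\": \"#system-security\", \"username\": \"Robocop\", \"text\": \"New server: \`\`\`${details}\`\`\`\", \"icon_emoji\": \":ghost:\"}"
  curl -fsS -X POST --data-urlencode "payload=${payload}" "$SLACK_WEBHOOK" \
    || warn 'Slack notice failed'
}

#######################################
# Restart everything whose config was touched so the reboot is not the
# first time the new settings are exercised.
#######################################
restart_services() {
  local svc
  for svc in fail2ban zabbix-agent ntpd nslcd nscd sshd rsyslog; do
    systemctl restart "$svc"
  done
}

main() {
  hostnamectl set-hostname "$HOSTNAME"
  configure_kernel
  configure_limits
  configure_firewall
  configure_selinux
  configure_sshd
  configure_sudo
  install_packages
  install_jdk
  configure_bashrc
  configure_ldap
  configure_zabbix
  configure_rsyslog
  configure_fail2ban
  configure_time
  notify_slack
  restart_services
  # The SELinux change only takes effect on reboot.
  init 6
}

main "$@"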