Hardened LinuxGSM

by scrane

This is a StackScript that installs LinuxGSM on the Linode while hardening SSH to close off some common attack vectors.

The following fields are used:
Limited User Name - Creating a limited user to access the Linode with
Limited User Password - A password for the limited user on the Linode
SSH Pubkey - the public key to use when accessing the Linode via SSH
Hostname - local host name for your Linode
Fully qualified domain name - domain you'd like to use for your Linode
Game server - select the game server you'd like to deploy
Game server name - the outward facing name for your game server (i.e. what folks would see when logging in to Minecraft). Also functions as a limited user that cannot be directly accessed via SSH due to hardening.

Compatible with: Ubuntu 18.04 LTS
Includes: LinuxGSM Library
#<UDF name="ssuser" Label="Sudo user username?" example="username" />
#<UDF name="sspassword" Label="Sudo user password?" example="strongPassword" />
#<UDF name="steamuser" Label="Steam username (required for some game installations. If not required just fill 'null'." example="username" />
#<UDF name="steampassword" Label="Steam user password (required for some game installations. If not required just fill 'null'." example="strongPassword" />
#<UDF name="sspubkey" Label="SSH pubkey (installed for root and sudo user)?" example="ssh-rsa ..." />
#<UDF name="hostname" label="Hostname" example="Local hostname">
#<UDF name="fqdn" label="Fully Qualified Domain Name" example="Provide the domain name you'd like to use for your server">
#<udf name="gameserver" label="Game Server" oneOf="arkserver,arma3server,bb2server,bbserver,bdserver,bf1942server,bmdmserver,boserver,bsserver,bt1944server,ccserver,cod2server,cod4server,codserver,coduoserver,codwawserver,csczserver,csgoserver,csserver,cssserver,dabserver,dmcserver,dodserver,dodsserver,doiserver,dstserver,ecoserver,emserver,etlserver,fctrserver,fofserver,gesserver,gmodserver,hl2dmserver,hldmserver,hldmsserver,hwserver,insserver,jc2server,jc3server,kf2server,kfserver,l4d2server,l4dserver,mcserver,mtaserver,mumbleserver,nmrihserver,ns2cserver,ns2server,nsserver,opforserver,pcserver,pvkiiserver,pzserver,q2server,q3server,qlserver,qwserver,ricochetserver,roserver,rustserver,rwserver,sampserver,sbserver,sdtdserver,squadserver,ss3server,stserver,svenserver,terrariaserver,tf2server,tfcserver,ts3server,tuserver,twserver,ut2k4server,ut3server,ut99server,vsserver,wetserver,zpsserver" example="Select your game for your game server">
#<UDF name="gamename" label="Game Server Name" example="Name of the game server within your game">

# Pull in the shared library StackScript. The <ssinclude ...> tag is expanded
# by Linode before the script runs, so this line is not valid bash on its own.
# Nothing below visibly calls into the library (presumably the "LinuxGSM
# Library" named in the page header) -- confirm before relying on it.
source <ssinclude StackScriptID="333596">

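# Log everything this script prints to /root/stackscript.log for debugging.
# Create the file first with owner-only permissions: it holds the complete
# transcript of the deployment, so do not leave it at the default umask.
# Do not add `set -x` to this script -- it would copy $SSPASSWORD (expanded on
# the chpasswd command line below) into the log.
readonly STACKSCRIPT_LOG=/root/stackscript.log
touch "$STACKSCRIPT_LOG" && chmod 600 "$STACKSCRIPT_LOG"
exec >  >(tee -a "$STACKSCRIPT_LOG")
exec 2> >(tee -a "$STACKSCRIPT_LOG" >&2)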

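# Stop the SSH service while it is being reconfigured so nobody gets in on the
# image's default settings (root login, password auth) before hardening is done.
# On Ubuntu the unit is `ssh`; `sshd` only resolves through an alias that exists
# while the unit is enabled, and the script brings the service back as `ssh`
# further down, so use the one name consistently.
systemctl stop ssh

# Refresh the package index and apply pending upgrades. ForceIPv4 is presumably
# a workaround for IPv6 mirror problems; noninteractive keeps console-setup
# (and any other package) from prompting during the unattended run.
apt-get -o Acquire::ForceIPv4=true update
DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::ForceIPv4=true -y upgrade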

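# ---- sudo user --------------------------------------------------------------
# Create the administrative user up front. The sshd hardening below assumes this
# user exists and can log in with the supplied key (AllowUsers, PermitRootLogin
# no, PasswordAuthentication no), so fail here rather than lock everyone out
# later. Linode's console (Lish) still works if this script aborts.
: "${SSUSER:?Sudo user username (SSUSER) must be set}"
: "${SSPASSWORD:?Sudo user password (SSPASSWORD) must be set}"
: "${SSPUBKEY:?SSH public key (SSPUBKEY) must be set; ssh password login is disabled below}"

adduser "$SSUSER" --disabled-password --gecos "" || { echo "adduser $SSUSER failed" >&2; exit 1; }
# The password is only used for sudo (ssh password auth is switched off below);
# chpasswd reads it from stdin so it never appears in a process argument list.
echo "$SSUSER:$SSPASSWORD" | chpasswd
adduser "$SSUSER" sudo

# ---- ssh public key for root and the sudo user ------------------------------
# The same key is installed for root (console/recovery use) and the sudo user.
# Directory 700, key file 600: the original `chmod -R 700` also marked the key
# file executable, which sshd does not need.
echo "Setting up ssh pubkeys..."
install -d -m 700 -- /root/.ssh
install -d -m 700 -o "$SSUSER" -g "$SSUSER" -- "/home/$SSUSER/.ssh"
printf '%s\n' "$SSPUBKEY" > /root/.ssh/authorized_keys
printf '%s\n' "$SSPUBKEY" > "/home/$SSUSER/.ssh/authorized_keys"
chmod 600 -- /root/.ssh/authorized_keys "/home/$SSUSER/.ssh/authorized_keys"
chown -- "$SSUSER:$SSUSER" "/home/$SSUSER/.ssh/authorized_keys"
echo "...done"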

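# ---- sshd hardening ---------------------------------------------------------
echo "Disabling passwords and root login over ssh..."
readonly SSHD_CONFIG=/etc/ssh/sshd_config
cp -a -- "$SSHD_CONFIG" "$SSHD_CONFIG.stackscript.bak"

# sshd honours the FIRST occurrence of a keyword, so appending "PermitRootLogin
# no" would not override an earlier "PermitRootLogin yes". Rewrite any existing
# (possibly commented-out) line in place instead -- the original fixed-string
# substitutions missed the stock Ubuntu "#PermitRootLogin prohibit-password" --
# and only append a directive when the keyword is absent altogether.
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$SSHD_CONFIG"
grep -qE '^PermitRootLogin[[:space:]]' "$SSHD_CONFIG" || echo "PermitRootLogin no" >> "$SSHD_CONFIG"
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$SSHD_CONFIG"
grep -qE '^PasswordAuthentication[[:space:]]' "$SSHD_CONFIG" || echo "PasswordAuthentication no" >> "$SSHD_CONFIG"
# Keyboard-interactive ("challenge-response") auth is a second password path.
sed -i -E 's/^#?[[:space:]]*ChallengeResponseAuthentication[[:space:]].*/ChallengeResponseAuthentication no/' "$SSHD_CONFIG"
grep -qE '^ChallengeResponseAuthentication[[:space:]]' "$SSHD_CONFIG" || echo "ChallengeResponseAuthentication no" >> "$SSHD_CONFIG"
# Only the sudo user may log in over ssh; the game-server account is deliberately
# left out so it is reachable via su/sudo only.
echo "AllowUsers $SSUSER" >> "$SSHD_CONFIG"

# Validate before restarting: a broken config would leave sshd down and the box
# reachable only through the console. On failure put the known-good file back,
# bring sshd up on it and stop, so the deployer can fix things by hand.
if /usr/sbin/sshd -t; then
  echo "Restarting sshd..."
  systemctl restart ssh
else
  echo "sshd_config failed validation; restoring the backup and aborting" >&2
  cp -a -- "$SSHD_CONFIG.stackscript.bak" "$SSHD_CONFIG"
  systemctl restart ssh
  exit 1
fi
echo "...done"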

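# ---- fail2ban ---------------------------------------------------------------
echo "Setting up fail2ban..."
apt-get -o Acquire::ForceIPv4=true install -y fail2ban
# Keep local overrides in a small jail.local instead of a full copy of
# jail.conf/fail2ban.conf: a copy shadows every default, so later package
# updates to those files would no longer take effect. Only the sshd jail is
# needed here -- ssh is the only service the firewall below lets through.
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
EOF
systemctl enable fail2ban
# `restart`, not `start`: the package postinst already starts the daemon, so a
# plain `start` is a no-op and config written after the install is never read.
systemctl restart fail2ban
echo "...done"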

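# ---- primary IPv4 address ---------------------------------------------------
# IPADDR is used below for the game server bind address and the /etc/hosts
# entry. `ip` (iproute2) is present on stock Ubuntu 18.04, whereas `ifconfig`
# comes from net-tools, which is not installed by default -- so prefer `ip` and
# keep the original ifconfig pipeline only as a fallback.
echo "Configuring IP address"
if command -v ip >/dev/null 2>&1; then
  IPADDR=$(ip -4 -o addr show dev eth0 | awk '{ print $4 }' | cut -d/ -f1 | head -n 1)
else
  IPADDR=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')
fi
if [[ -z "$IPADDR" ]]; then
  # Not fatal: the remaining hardening steps do not need the address, but the
  # server.properties and /etc/hosts edits below will be incomplete.
  echo "warning: could not determine the IPv4 address of eth0" >&2
fi

# Keep apt quiet for the rest of the run. Note that `su -` below starts a fresh
# login environment, so this export is not inherited by the LinuxGSM steps.
echo "Setting up Dependencies"
export DEBIAN_FRONTEND=noninteractive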

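# ---- game server account ----------------------------------------------------
echo "Setting up a user"
: "${GAMESERVER:?Game server (GAMESERVER) must be selected}"
adduser --disabled-password --gecos "" "$GAMESERVER" || { echo "adduser $GAMESERVER failed" >&2; exit 1; }

# LinuxGSM needs root only to install the game's package dependencies during
# auto-install. Grant that through a separate sudoers.d fragment -- validated
# with visudo, so a bad line cannot break sudo for the whole box, unlike the
# original blind append to /etc/sudoers -- and revoke it once installation has
# finished: the game process downloads and runs third-party code and should
# not keep a passwordless path to root. If a later LinuxGSM update reports
# missing dependencies, install them as root instead of re-granting sudo.
readonly GAME_SUDOERS="/etc/sudoers.d/90-$GAMESERVER-install"
printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$GAMESERVER" > "$GAME_SUDOERS"
chmod 0440 "$GAME_SUDOERS"
if ! visudo -cf "$GAME_SUDOERS"; then
  echo "generated sudoers fragment is invalid; aborting" >&2
  rm -f -- "$GAME_SUDOERS"
  exit 1
fi

# Download LinuxGSM. The STEAMUSER/STEAMPASSWORD fields declared at the top are
# not consumed anywhere in this script; games that need a Steam login must still
# be configured by hand after deployment.
echo "Downloading LinuxGSM"
wget https://linuxgsm.com/dl/linuxgsm.sh -P "/home/$GAMESERVER/" || { echo "download of linuxgsm.sh failed" >&2; exit 1; }
chmod +x "/home/$GAMESERVER/linuxgsm.sh"
chown -- "$GAMESERVER:$GAMESERVER" "/home/$GAMESERVER/linuxgsm.sh"

# Generate the per-game script, then install the server, both as the game user.
echo "running LinuxGSM script"
su - "$GAMESERVER" -c "/home/$GAMESERVER/linuxgsm.sh $GAMESERVER"
echo "Installing the Server"
su - "$GAMESERVER" -c "/home/$GAMESERVER/$GAMESERVER auto-install"

# Installation is done: drop the temporary root access again.
rm -f -- "$GAME_SUDOERS"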

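# ---- bind address and MOTD --------------------------------------------------
# server.properties is a Minecraft (mcserver) file; skip for other games instead
# of letting sed fail on a missing path. Edit as root (GNU sed -i keeps the
# file's ownership) rather than through `su -c`, so the deployer-supplied name
# is not re-parsed by a second shell. `&`, `\` and the delimiter are escaped so
# a name containing them cannot alter the sed replacement.
echo "Updating the server IP and name"
PROPERTIES="/home/$GAMESERVER/serverfiles/server.properties"
if [[ -f "$PROPERTIES" ]]; then
  safe_name=$(printf '%s' "$GAMENAME" | sed -e 's/[\\&|]/\\&/g')
  sed -i -e "s|^server-ip=|server-ip=$IPADDR|" "$PROPERTIES"
  sed -i -e "s|^motd=.*|motd=$safe_name|" "$PROPERTIES"
else
  echo "no server.properties for $GAMESERVER; skipping IP/name update"
fi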

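# ---- scheduled updates ------------------------------------------------------
# Install the jobs in the game user's own crontab rather than root's: they run
# as that user anyway, and it removes root cron invoking `su`. Feeding crontab
# through a pipe also drops the original scratch file, which was written to
# whatever the current directory happened to be (/etc/fail2ban after the cd
# in the fail2ban section).
echo "Adding game update cron jobs"
{
  crontab -u "$GAMESERVER" -l 2>/dev/null
  echo "0 23 * * * /home/$GAMESERVER/$GAMESERVER update > /dev/null 2>&1"
  echo "30 23 * * * /home/$GAMESERVER/$GAMESERVER update-functions > /dev/null 2>&1"
} | crontab -u "$GAMESERVER" -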

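# ---- hostname / FQDN --------------------------------------------------------
# HOSTNAME is both the UDF field and a variable bash normally sets itself; bash
# only fills it in when it is unset, so the field value from the environment
# should win here -- verify if the resulting hostname looks wrong.
echo "Configuring hostname and FQDN"
printf '%s\n' "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname
if [[ -n "$IPADDR" ]]; then
  printf '%s %s %s\n' "$IPADDR" "$FQDN" "$HOSTNAME" >> /etc/hosts
else
  # An empty address would produce a malformed " fqdn host" line.
  echo "IPADDR is empty; not adding an /etc/hosts entry" >&2
fi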

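# ---- bring ssh back ---------------------------------------------------------
# sshd was already restarted on the hardened config above; `start` here is a
# no-op when it is running and a safety net if that restart did not happen.
systemctl start ssh

# ---- firewall ---------------------------------------------------------------
# Only ssh is opened. The game listens on game-specific ports that this script
# does not know, and nothing here opens them, so the server is unreachable from
# outside until the deployer adds the matching `ufw allow` rules (LinuxGSM's
# `details` command lists the ports a game uses).
echo "firewall rules incoming"
ufw default deny incoming
ufw allow ssh
systemctl enable ufw
systemctl start ufw
# --force skips the "may disrupt existing ssh connections" confirmation, which
# has no one to answer it in this non-interactive run.
ufw --force enable

# ---- start the game server --------------------------------------------------
# The original printed this message but issued no start command; whether
# auto-install leaves the server running is not visible here, so start it
# explicitly (LinuxGSM just reports "already running" if it is).
echo "Starting up the gameserver!"
su - "$GAMESERVER" -c "/home/$GAMESERVER/$GAMESERVER start"

# ---- cleanup ----------------------------------------------------------------
echo "Removing StackScript traces"
rm -- "$0"
# Quoted: the apostrophe in the original unquoted `echo Job's done!` opened a
# string that never closed, so bash hit EOF with a syntax error on the last
# line and the script exited non-zero.
echo "Job's done!"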