debian9-security-postgresql

by katox

Compatible with: Debian 9
						#!/bin/bash
# <UDF name="notify_email" Label="Send email notification to" example="Email address to send notification and system alerts. Check Spam folder if you don't receive a notification within 6 minutes." />

# <UDF name="user1_name" label="User 1 account name" example="This is the account that you will be using to log in." />
# <UDF name="user1_password" label="User 1 password" />
# <UDF name="user1_sshkey" label="Public Key for user 1" default="" example="Recommended method of authentication. It is more secure than password log in." />
# <UDF name="user1_shell" label="Shell" oneof="/bin/zsh,/bin/bash" default="/bin/bash" />
# <UDF name="user2_name" default="" label="User 2 account name" example="This is the account that you will be using to log in." />
# <UDF name="user2_password" default="" label="User 2 password" />
# <UDF name="user2_sshkey" label="Public Key for user 2" default="" example="Recommended method of authentication. It is more secure than password log in." />
# <UDF name="user2_shell" label="Shell" oneof="/bin/zsh,/bin/bash" default="/bin/bash" />
# <UDF name="sshd_passwordauth" label="Allow SSH password authentication" oneof="Yes,No" default="No" example="Turn off password authentication if you have added a Public Key." />
# <UDF name="sshd_permitrootlogin" label="Allow SSH root login" oneof="No,Yes" default="No" example="Root account should not be exposed." />
# <UDF name="sys_hostname" label="System hostname" default="myvps" example="Name of your server, i.e. linode1." />
# <UDF name="sys_private_ip_cidr" Label="Private IP in CIDR format" default="" example="Configure network card to listen on this Private IP and PostgreSQL to accept connections from this private network range. See http://library.linode.com/networking/configuring-static-ip-interfaces" />
# <UDF name="relay_email" label="Gmail email including domain as relay" example="Email used to login into Gmail/GApps" />
# <UDF name="relay_password" label="Gmail account app-specific password" example="Email account password (app specific with 2factor auth)" />
# <UDF name="teamcity_password" label="Teamcity specific password" example="PostgreSQL teamcity user password" />

# Abort on the first failing command and on any unset variable. The UDF
# values declared above are expected in the environment as upper-case
# variables (SYS_HOSTNAME, USER1_PASSWORD, ...), so a missing one stops the
# run here instead of half-way through provisioning.
set -eu
# Tracing is left off on purpose: with -x every expanded argument, including
# the UDF passwords handed to the library functions, would land in the log.
#set -x

# Secondary group granted to every login account created below.
USER_GROUPS='sudo'

# From here on all stdout and stderr goes to a log file under /root.
exec >/root/stackscript.log 2>&1

# StackScript includes; the commented-out paths are presumably the local
# copies used when the script is run outside the Linode deployer.
source <ssinclude StackScriptID="1"> # StackScript Bash Library
#source ./linode-ss1.sh

source <ssinclude StackScriptID="10444"> # Common utilities
#source ./utils.sh

source <ssinclude StackScriptID="10456"> # Postgresql fns
#source ./postgresql.sh

source <ssinclude StackScriptID="10446"> # Common utilities
#source ./lib-system-ubuntu.sh


# --- Base system -----------------------------------------------------------
# Package refresh, locale generation and timezone first, so every later step
# runs on an up-to-date box.
system_update
system_install_locales
system_set_timezone

# Keep /etc under git so each provisioning step below leaves a commit.
system_install_git
system_start_etc_dir_versioning

# Hostname from the SYS_HOSTNAME UDF, followed by the first /etc commit.
system_update_hostname "${SYS_HOSTNAME}"
system_record_etc_dir_changes "Updated hostname"

# Setup firewall

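#######################################
# Write an IPv4 iptables ruleset, load it, and persist it across reboots.
# Inbound policy is reject-all; only loopback, established flows, ICMP echo,
# SSH on port 22 and PostgreSQL (5432) from one source host are accepted.
# Arguments:
#   $1 - source address allowed to reach 5432 (optional; defaults to
#        192.168.157.233, the TeamCity host this script has always used)
# Globals:   none read
# Outputs:   writes /etc/iptables/rules.v4
# Returns:   non-zero if iptables-restore or apt-get fails (set -e aborts)
#######################################
system_setup_iptables_pg() {
    local pg_source="${1:-192.168.157.233}"
    local rules_tmp=/etc/iptables.firewall.rules

    cat > "$rules_tmp" << EOF
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow PostgreSQL only from one trusted source host (internal IP of
#  teamcity.leafclick.com by default). Note this is a single host, not the
#  SYS_PRIVATE_IP_CIDR range passed to postgresql_install.
-A INPUT -p tcp --dport 5432 --source ${pg_source} -j ACCEPT

#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
EOF

    # Load the rules now, before the package install below reaches out to
    # the network, so the host is already filtered while apt runs.
    /sbin/iptables-restore < "$rules_tmp"
    DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent
    # Only an IPv4 ruleset is persisted: nothing writes rules.v6, so inbound
    # IPv6 keeps whatever policy ip6tables has on this image.
    mv "$rules_tmp" /etc/iptables/rules.v4
}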


# Activate the ruleset defined above and commit the result to /etc history.
system_setup_iptables_pg
system_record_etc_dir_changes "Enabled firewall"

# Create one login account from its UDF values and install the public key
# when one was supplied.
# Arguments: $1 - account name, $2 - password, $3 - shell, $4 - ssh key ("" = none)
add_login_account() {
    local name=$1 password=$2 shell=$3 sshkey=$4
    system_add_user "$name" "$password" "$USER_GROUPS" "$shell"
    if [ -n "$sshkey" ]; then
        system_user_add_ssh_key "$name" "$sshkey"
    fi
}

# User 1 is mandatory; user 2 only exists when a name was given (UDF default "").
add_login_account "$USER1_NAME" "$USER1_PASSWORD" "$USER1_SHELL" "$USER1_SSHKEY"
if [ -n "$USER2_NAME" ]; then
    add_login_account "$USER2_NAME" "$USER2_PASSWORD" "$USER2_SHELL" "$USER2_SSHKEY"
fi
system_record_etc_dir_changes "Added user accounts"

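# Apply the two sshd UDF switches, then flag the daemon for restart.
# /tmp/restart-ssh is a marker file; presumably restart_services (called near
# the end of the script) acts on it -- confirm in the sourced library.
system_sshd_permitrootlogin "$SSHD_PERMITROOTLOGIN"
system_sshd_passwordauthentication "$SSHD_PASSWORDAUTH"
touch /tmp/restart-ssh
system_record_etc_dir_changes "Configured sshd" # SS124

# Lock the root account whenever root may not log in over SSH. The test must
# expand the UDF variable: comparing the bare name "SSHD_PERMITROOTLOGIN" to
# "No" can never match, which silently left root unlocked.
if [ "$SSHD_PERMITROOTLOGIN" == "No" ]; then
    system_lock_user "root"
    system_record_etc_dir_changes "Locked root account" # SS124
fi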

# --- Mail, brute-force protection, tooling, kernel and journal -------------

# Outbound mail relays through Gmail; the RELAY_EMAIL / RELAY_PASSWORD UDFs
# are not referenced in this file, so presumably the library reads them.
postfix_install_gmail_relay
system_record_etc_dir_changes "Installed postfix gmail relay"

# fail2ban, as configured by the library function.
system_security_fail2ban
system_record_etc_dir_changes "Installed fail2ban"

# Everyday tooling plus emacs, recorded as a single /etc commit.
system_install_utils
system_install_emacs
system_record_etc_dir_changes "Installed common utils"

# Kernel OOM behaviour; per the commit message: panic on OOM, then reboot.
system_setup_oom_policy
system_record_etc_dir_changes "Set panic on OOM + reboot"

# Keep the systemd journal on disk so logs survive the reboot.
system_configure_persistent_journal
system_record_etc_dir_changes "Configure persistent journal"

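# Install PostgreSQL. SYS_PRIVATE_IP_CIDR may be empty (UDF default ""); per
# the UDF description the library uses it for the listen address and the
# accepted client range -- the details live in the sourced library.
postgresql_install "$SYS_PRIVATE_IP_CIDR"
system_record_etc_dir_changes "Installed PostgreSQL"

# Admin role group plus one admin role per login account. User 2 is optional
# (UDF default ""), so skip it instead of creating a role with an empty name,
# mirroring the guard used when the OS account was created. The TeamCity role
# gets its own TEAMCITY_PASSWORD UDF.
postgresql_create_admin_group
postgresql_create_admin_user "$USER1_NAME" "$USER1_PASSWORD"
if [ -n "$USER2_NAME" ]; then
    postgresql_create_admin_user "$USER2_NAME" "$USER2_PASSWORD"
fi
postgresql_create_admin_user "teamcity" "$TEAMCITY_PASSWORD"
system_record_etc_dir_changes "Configured PostgreSQL"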

# --- Final upgrade, service restarts and notification ----------------------

# Pull in everything released since the base image was built; package
# upgrades may restart services on their own.
aptitude update
aptitude -y upgrade

# Restart whatever earlier steps flagged (e.g. via the /tmp/restart-ssh
# marker); presumably the library decides what to restart -- confirm there.
restart_services

# Short completion notice, sent through the relay configured above.
message_file=~/setup_message
cat > "$message_file" <<EOD
Hi,

Your Linode VPS configuration is completed.

EOD

mail -s "Your Linode VPS $(hostname) is ready" "$NOTIFY_EMAIL" < "$message_file"