
Configure a CentOS Deployment:
- Create a non-root user for administration
- Disallow root logins via ssh
- Enable the firewall, with only the supplied whitelist IPv4 address (plus HTTP/HTTPS) allowed in, so administration still works
- Update system

Compatible with: CentOS 7
# <UDF name="ss_hostname" Label="Server hostname" example="" />
# <UDF name="ss_whitelistip" Label="Firewall Whitelist IP" example="Your IPv4 address (or IPv4/prefix) so you can still reach the host, including ssh, through the firewall" />
# <UDF name="ss_localusername" Label="Non-root Username" example="steamuser" />
# <UDF name="ss_localuserpassword" Label="Non-root Password" />
# <UDF name="ss_pubkey" Label="SSH Key for Non-root User" />

# Update, configure and secure a centos image
#   then install and configure a l4d dedicated server
#   (the l4d server install itself is not in this script; per the hostname
#   note at the bottom this script is called from other StackScripts)

# Update system
# Apply every pending package update without prompting, then discard the
# yum package/metadata caches so they do not linger in the image.
yum --assumeyes update
yum clean all

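# Configure the firewall
# - Block all incoming connections, even ssh
# - Allow all incoming from our specified IP (for admin login)
# - Allow incoming connections on web ports
# - No game-server port is opened here; whichever StackScript calls this one
#   has to add that rule itself
systemctl enable firewalld
systemctl start firewalld

# Apply one firewall-cmd change to the running config and then to the
# permanent config so it survives a reload/reboot. Fails if either call fails.
fw_rule() {
  firewall-cmd --zone=public "$@" && firewall-cmd --zone=public --permanent "$@"
}

fw_rule --add-service=http
fw_rule --add-service=https

# The whitelist value is spliced into a rich-rule string, so accept only a
# dotted-quad IPv4 address or IPv4/prefix (the rule is family=ipv4 anyway).
# A typo, an IPv6 address or trailing rule text would otherwise either be
# rejected by firewalld or become part of the rule.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
if [[ "$SS_WHITELISTIP" =~ $ipv4_re ]] \
   && fw_rule --add-rich-rule="rule family=\"ipv4\" source address=\"$SS_WHITELISTIP\" accept"; then
  # Close ssh only once the admin whitelist is confirmed in place; removing
  # the service regardless (as the original did) locks every administrator
  # out when the whitelist rule failed to apply.
  fw_rule --remove-service=ssh
else
  echo "WARNING: admin whitelist rule for '$SS_WHITELISTIP' was not applied; leaving ssh open in firewalld" >&2
fi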

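# Disable root login to ssh
# Rewrite (or append) the PermitRootLogin directive in the given sshd_config
# so that it reads exactly "PermitRootLogin no". The original only matched the
# commented-out CentOS default "#PermitRootLogin yes", so an image where the
# directive was already uncommented, or set to another value, kept root login
# enabled. Note: a PermitRootLogin inside a Match block is rewritten as well.
harden_sshd_config() {
  local cfg=$1
  sed -i 's/^#\{0,1\}[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg"
  # Directive absent altogether: add it instead of silently doing nothing.
  grep -qE '^PermitRootLogin[[:space:]]+no[[:space:]]*$' "$cfg" \
    || printf 'PermitRootLogin no\n' >> "$cfg"
}

harden_sshd_config /etc/ssh/sshd_config
# Validate before reloading so a broken config is reported here rather than
# surfacing later as a failed reload/restart of sshd.
if sshd -t; then
  systemctl reload sshd
else
  echo "WARNING: /etc/ssh/sshd_config failed 'sshd -t'; not reloading sshd" >&2
fi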

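# Configure the local user account
# The description promises a non-root admin user, but the original only ran
# usermod, which fails when the user does not exist yet. Create it (with a
# home directory) if needed, then add it to wheel; -a keeps any supplementary
# groups it already had instead of replacing them.
if ! id "$SS_LOCALUSERNAME" >/dev/null 2>&1; then
  useradd -m "$SS_LOCALUSERNAME"
fi
usermod -aG wheel "$SS_LOCALUSERNAME"

# The UDF above is ss_localuserpassword, so the variable is
# SS_LOCALUSERPASSWORD; the original read the undefined SS_LOCALPASSWORD and
# wrapped it in literal double quotes, so as written the account got the
# two-character password '""'. The password stays on stdin (never argv, which
# ps would expose). A blank value leaves the account as useradd made it -
# password locked - rather than setting an empty password.
if [[ -n "$SS_LOCALUSERPASSWORD" ]]; then
  printf '%s\n' "$SS_LOCALUSERPASSWORD" | passwd --stdin "$SS_LOCALUSERNAME"
else
  echo "WARNING: no password supplied for $SS_LOCALUSERNAME; leaving it locked" >&2
fi

# Install the admin's public key. The original heredoc had no terminating EOF
# line, so it swallowed the rest of the script into authorized_keys and the
# key (and the chmod lines) never took effect.
ssh_dir=/home/$SS_LOCALUSERNAME/.ssh
mkdir -p "$ssh_dir"
if [[ -n "$SS_PUBKEY" ]]; then
  printf '%s\n' "$SS_PUBKEY" > "$ssh_dir/authorized_keys"
else
  echo "WARNING: no SSH public key supplied for $SS_LOCALUSERNAME" >&2
fi
# Everything above was created by root: keep the key material private to the
# user and hand ownership over ("user:" = the user's login group).
chmod 700 "$ssh_dir"
[[ -f "$ssh_dir/authorized_keys" ]] && chmod 600 "$ssh_dir/authorized_keys"
chown -R "$SS_LOCALUSERNAME:" "$ssh_dir"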

# Set the hostname
# breaks networking until reboot
# not acceptable, as this script will be called by other stackscripts
#hostnamectl set-hostname "\"$SS_HOSTNAME"\"