BasicCentOSDeployment


Configure a CentOS Deployment:
- Create a non-root user for administration
- Disallow root logins via ssh
- Enable firewall, with a hole punched through for administration
- Update system

Compatible with: CentOS 7
						#!/bin/bash
# <UDF name="ss_hostname" Label="Server hostname" example="mygames.example.net" />
# <UDF name="ss_whitelistip" Label="Firewall Whitelist IP" example="Your IP so you can bypass the firewall" />
# <UDF name="ss_localusername" Label="Non-root Username" example="steamuser" />
# <UDF name="ss_localuserpassword" Label="Non-root Password" />
# <UDF name="ss_pubkey" Label="SSH Key for Non-root User" />

# Update, configure and secure a centos image
#   then install and configure a l4d dedicated server

# Update system
yum -y update
yum clean all

# Install dependencies specified at https://gameservermanagers.com/lgsm/l4d2server/
yum -y install \
    mailx \
    postfix \
    curl \
    wget \
    gzip \
    bzip2 \
    python \
    tmux \
    glibc.i686 \
    libstdc++ \
    libstdc++.i686

# Configure the firewall
# - Block all incoming connections, even ssh
# - Allow all incoming from our specified IP (for admin login)
# - Allow incoming connections on web ports
# - Allow incoming connections to game server
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --zone=public  \
             --add-rich-rule="rule family=\"ipv4\" source address=\"$SS_WHITELISTIP\" accept"
firewall-cmd --zone=public --permanent \
             --add-rich-rule="rule family=\"ipv4\" source address=\"$SS_WHITELISTIP\" accept"
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=ssh --permanent
# {TODO} OPEN STEAM SERVER PORTS

# Disable root login to ssh
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl reload sshd

# Configure the local user account
useradd "$SS_LOCALUSERNAME"
usermod -G wheel "$SS_LOCALUSERNAME"
echo "\"$SS_LOCALPASSWORD\"" | passwd $SS_LOCALUSERNAME --stdin
mkdir -p /home/$SS_LOCALUSERNAME/.ssh
cat << EOF > /home/$SS_LOCALUSERNAME/.ssh/authorized_keys
$SS_PUBKEY
EOF
chown $SS_LOCALUSERNAME:$SS_LOCALUSERNAME -R /home/$SS_LOCALUSERNAME/.ssh
chmod go-rx /home/$SS_LOCALUSERNAME/.ssh
chmod go-rx /home/$SS_LOCALUSERNAME/.ssh/authorized_keys

# Set the hostname
# breaks networking until reboot
# not acceptible, as this script will be called by other stackscripts
#hostnamectl set-hostname "\"$SS_HOSTNAME"\"