Alpine Linux Basic Configuration

by mihiariipearls

Basic configuration for Alpine Linux:
- Set the hostname and the hosts file
- Set the timezone
- Install and set up a firewall (shorewall)
- Add automatic updates (-- Very basic! To be tested --)
- Add a sudo user and install an SSH key for it
- Harden the SSH server a little

Compatible with: Alpine 3.9
						#!/bin/sh
#
#<UDF name="fqdn" Label="FQDN" example="web.example.com" />
#<UDF name="timezone" Label="Your timezone" example="Pacific/Tahiti (see a list at  https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)" />
#<UDF name="user" Label="Create sudo user" example="username" />
#<UDF name="password" Label="Sudo user password?" example="strongPassword" />
#<UDF name="pubkey" Label="SSH pubkey (installed for root and sudo user)?" example="ssh-rsa ..." />
#<UDF name="sshport" Label="SSH port" example="999" />
###############################
# Works for Alpine Linux      #
# Tested on Alpine Linux 3.9  #
###############################

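# Update the package list and upgrade what is already installed
apk update && apk upgrade

# Get IP address and public interface.
# `ip route get 1` prints the route used to reach 1.0.0.0; its "src <addr>" and
# "dev <iface>" words identify the address and interface facing the outside.
IP=$(ip route get 1 | awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }')
# Prefer the statically configured interface from /etc/network/interfaces, as
# before; fall back to the route's outgoing device when the interface is
# configured via DHCP, so the shorewall "net" zone never ends up without one.
INTERFACE=$(awk '/iface .* static/ { print $2; exit }' /etc/network/interfaces)
if [ -z "$INTERFACE" ]; then
  INTERFACE=$(ip route get 1 | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
fi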

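# Set hostname and FQDN - Source : https://wiki.alpinelinux.org/wiki/Configure_Networking
# Only act on a non-empty FQDN: the old "${FQDN+set}" test also fired for a
# set-but-empty value and then wrote an empty /etc/hostname.
if [ -n "$FQDN" ]; then
  HOSTNAME=${FQDN%%.*}   # short host name: everything before the first dot
  printf '%s\n' "$HOSTNAME" > /etc/hostname
  hostname -F /etc/hostname
  # Map the detected address to both names. Without an address the line would
  # start with the FQDN and be read as "address fqdn alias", so skip it instead.
  if [ -n "$IP" ]; then
    printf '%s %s %s\n' "$IP" "$FQDN" "$HOSTNAME" | tee -a /etc/hosts
  else
    printf 'warning: no IP address detected, /etc/hosts left unchanged\n' >&2
  fi
fi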

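#Set timezone - Source : https://wiki.alpinelinux.org/wiki/Setting_the_timezone
# tzdata is only needed long enough to copy the zone file out of it.
apk add tzdata
ZONEFILE="/usr/share/zoneinfo/$TIMEZONE"
# Refuse an empty or unknown zone instead of failing the copy and still
# recording a bogus name in /etc/timezone; the current setting is kept.
if [ -n "$TIMEZONE" ] && [ -f "$ZONEFILE" ]; then
  cp "$ZONEFILE" /etc/localtime
  printf '%s\n' "$TIMEZONE" > /etc/timezone
else
  printf 'warning: unknown timezone "%s", system timezone left unchanged\n' "$TIMEZONE" >&2
fi
apk del tzdata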

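#Setup firewall
apk add shorewall

# The rule below must open the port sshd will listen on. Normalise the value
# first: an empty or non-numeric SSHPORT would emit "tcp " with no port, and
# shorewall would then accept *all* TCP from the net zone.
case "$SSHPORT" in
  ''|*[!0-9]*) SSHPORT=22 ;;
esac
if [ -z "$INTERFACE" ]; then
  printf 'warning: no public interface detected; check /etc/shorewall/interfaces by hand\n' >&2
fi

# Add firewall and net (public) zone
printf 'net\t\tipv4\n' >> /etc/shorewall/zones
# Link net zone to public interface
printf 'net\t\t%s\n' "$INTERFACE" >> /etc/shorewall/interfaces
# Add policies
# First authorize outbound traffic ($FW is shorewall's own zone, written literally)
printf '$FW\t\tnet\t\tACCEPT\n' >> /etc/shorewall/policy
# DROP all traffic coming from outside
printf 'net\t\tall\t\tDROP\tinfo\n' >> /etc/shorewall/policy
# REJECT anything else
printf 'all\t\tall\t\tREJECT\tinfo\n' >> /etc/shorewall/policy
# Authorize connection to ssh port
printf 'ACCEPT\tnet\t\t$FW\t\ttcp %s\n' "$SSHPORT" >> /etc/shorewall/rules
# Enable at boot and flip STARTUP_ENABLED so the service is allowed to start
rc-update add shorewall default
sed -i -e "s/STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/" /etc/shorewall/shorewall.conf
rc-service shorewall start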

#Automatic update
# Anything executable in /etc/periodic/daily is run by the periodic cron job.
AUTO_UPDATE=/etc/periodic/daily/auto_update
printf '%s\n' '#!/bin/sh' 'apk update -q && apk upgrade -q' > "$AUTO_UPDATE"
chmod a+x "$AUTO_UPDATE"

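# Add sudo user
apk add sudo
addgroup sudo
# NOTE(review): USER is also the login-name environment variable; if the UDF is
# not supplied it may resolve to the invoking account rather than be empty.
if [ -n "$USER" ]; then
  adduser -D "$USER"
  adduser "$USER" sudo
  printf '%s:%s\n' "$USER" "$PASSWORD" | chpasswd
else
  printf 'warning: USER is empty, no sudo user created\n' >&2
fi
# Uncomment every "%sudo" line of sudoers (they ship prefixed with "# "), then
# check that the file still parses before anyone has to rely on it.
sed -i '/%sudo/s/^# //' /etc/sudoers
visudo -c >/dev/null || printf 'warning: /etc/sudoers failed validation\n' >&2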

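# Harden SSH access
SSHD_CONFIG=/etc/ssh/sshd_config
# Install the deployer's public key for the sudo user.
# NOTE(review): the UDF label says the key is installed for root as well, but
# only the sudo user's authorized_keys is written here.
if [ -n "$USER" ] && [ -n "$PUBKEY" ]; then
  mkdir -p "/home/$USER/.ssh"
  printf '%s\n' "$PUBKEY" >> "/home/$USER/.ssh/authorized_keys"
  # sshd wants the directory private; the key file needs no execute bit.
  chmod 700 "/home/$USER/.ssh"
  chmod 600 "/home/$USER/.ssh/authorized_keys"
  chown -R "$USER:$USER" "/home/$USER/.ssh"
fi
# Same default as the firewall section: never write an empty "Port" directive,
# which sshd rejects and which would leave the daemon unable to come back up.
case "$SSHPORT" in
  ''|*[!0-9]*) SSHPORT=22 ;;
esac
# Match each directive whether or not the shipped file has it commented out;
# the previous patterns only hit a few exact spellings (e.g. "PermitRootLogin yes")
# and otherwise silently left the defaults in place.
sed -i.orig "s/^#*Port .*/Port $SSHPORT/" "$SSHD_CONFIG"
# NOTE(review): with root login and password auth disabled, the sudo user's key
# is the only SSH way in; the console remains the fallback.
sed -i -e 's/^#*PermitRootLogin .*/PermitRootLogin no/' "$SSHD_CONFIG"
sed -i -e 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' "$SSHD_CONFIG"
#sed -i 's/#*GSSAPIAuthentication [no]*[yes]*/GSSAPIAuthentication no/' "$SSHD_CONFIG"
# Appended at the end of the file: fine for the stock config, but on a customised
# file anything after a "Match" block belongs to that block.
printf 'AddressFamily inet\n' | tee -a "$SSHD_CONFIG"
sed -i 's|^#*Banner .*|Banner /etc/ssh/banner|' "$SSHD_CONFIG"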

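# Banner (unquoted delimiter on purpose: $FQDN must expand)
cat << EOT > /etc/ssh/banner
#################################################################
#               Welcome to $FQDN                                #
#       All connections are monitored and recorded              #
#  Disconnect IMMEDIATELY if you are not an authorized user!    #
#################################################################
EOT
printf '\n' > /etc/motd
# Validate the edited sshd_config before restarting: a restart with a broken
# config stops the running daemon and the new one never starts, locking us out.
if sshd -t; then
  rc-service sshd restart
else
  printf 'error: sshd_config failed validation, sshd NOT restarted\n' >&2
fi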