
#!/bin/bash
#Roy Cohen :roy@wondercohen.nl
#Wonder Cohen :The Hague The Netherlands
#objective :Post install script for master node/ansible node
#First line of code :07/Mar/2020
#last update :15/Nov/2021
#version :1.0
#synatx example :./<script.sh>
# VARS
#hostnamectl set-hostname lx-ubt-rtm0-101.wondercohen.org
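# Marker files that select the Debian/Ubuntu or the RHEL-family code path.
readonly DEB_OS="/etc/lsb-release"
readonly RHEL_OS="/etc/redhat-release"
# Management address that is always allowed through the firewall. Left empty
# in the repository on purpose: fill it in before running, otherwise
# firewall_rules() has no fixed source to allow-list.
MY_IP=""
# Address the person running this script is connecting from; firewall_rules()
# allow-lists it so the installing session is not cut off. Inside an SSH
# session SSH_CONNECTION holds "client_ip client_port server_ip server_port",
# which is more reliable than parsing w(1): the old `cut -d " " -f8` depends on
# the exact column spacing of w and takes whichever session is listed last.
if [[ -n "${SSH_CONNECTION:-}" ]]; then
  SOURCE_CONNECTION=${SSH_CONNECTION%% *}
else
  SOURCE_CONNECTION=$(w -i | tail -n1 | cut -d " " -f8)
fi
#SOURCE_IP=$(last -a | grep "logged in"|awk '{print $10}')
# Scratch directory for the helper scripts written by tooling().
mkdir -p /root/tools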
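#######################################
# Install the base tool set and bring the system up to date.
# Globals:   DEB_OS (read) - marker file that selects the Debian/Ubuntu branch
# Outputs:   progress line on stdout, package-manager output
# Returns:   status of the last package-manager command
#######################################
function install_software(){
  echo "*** Starting install software function ***"
  if test -f "$DEB_OS"; then
    # Refresh the package lists first; the former order (install, then
    # update) resolved packages against stale metadata. apt-get has a stable
    # command-line interface for scripts, plain apt is meant for interactive use.
    apt-get -y update
    apt-get -y install net-tools git bash-completion fail2ban
    apt-get -y upgrade
  else
    # epel-release is installed in the first step so that fail2ban, which
    # comes from EPEL, can be resolved in the second one.
    yum install -y vim wget curl net-tools lsof bind-utils epel-release bash-completion git
    yum install -y fail2ban
    yum install -y aide
    yum -y update
  fi
}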
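#######################################
# Write the pre-login warning banner to /etc/issue and mirror it to
# /etc/issue.net, the file sshd_config() points its Banner directive at.
# Outputs:   progress line on stdout
# Returns:   status of the final copy
#######################################
function issue_motd(){
  echo "*** Starting /etc/issue ***"
  # Quoted heredoc: the banner is static text, nothing is expanded here.
  # The former trailing line "You Are Logedin from: $(w -i ...)" was dropped:
  # it was evaluated once, while this installer ran, so every later visitor was
  # shown the installer's source address in a banner that sshd sends before
  # authentication.
  cat > /etc/issue <<'EOF'

------------------------------------------------------------------------
| *** NOTICE TO USERS *** |
| This computer system is the private property of Wonder Cohen |
| It is for authorized use only. |
| |
| Users (authorized or unauthorized) have no explicit or implicit |
| expectation of privacy. |
| |
| Any or all uses of this system and all files on this system may be |
| intercepted, monitored, recorded, copied, audited, inspected, and |
| disclosed to your employer, to authorized site, government, and law |
| enforcement personnel, as well as authorized officials of government |
| agencies, both domestic and foreign. |
| |
| By using this system, the user consents to such interception, |
| monitoring, recording, copying, auditing, inspection, and disclosure |
| at the discretion of such personnel or officials. Unauthorized or |
| improper use of this system may result in civil and criminal penalties |
| and administrative or disciplinary action, as appropriate. By |
| continuing to use this system you indicate your awareness of and |
| consent to these terms and conditions of use. LOG OFF IMMEDIATELY if |
| you do not agree to the conditions stated in this warning. |
------------------------------------------------------------------------
EOF
  # issue.net is the copy presented to remote (ssh) clients.
  cp -- /etc/issue /etc/issue.net
}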
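#######################################
# Drop a helper script under /root/tools that blocks the 20 most frequent
# source addresses found in the firewall log (ufw log on Debian/Ubuntu, the
# rsyslog-collected firewalld log on RHEL). It is not scheduled by default;
# see the commented crontab lines.
# Globals:   DEB_OS (read)
# Outputs:   progress line on stdout
# Returns:   status of the final chmod
#######################################
function tooling(){
  echo "*** Starting Tooling function ***"
  # Quoted heredocs: the generated script's own $(...) and $ip_to_block must
  # reach the file literally. The RHEL variant used an unescaped $ip_to_block
  # inside the rich rule, which expanded (to nothing) while this installer ran,
  # so the generated rule carried an empty source address. The shebang was also
  # moved to line 1, where the kernel looks for it; on line 2 it was a comment.
  # NOTE(review): both generated scripts truncate the log they just read, which
  # discards the evidence the blocks were derived from and races with the
  # logger; log rotation is the usual way to bound that file.
  if test -f "$DEB_OS"; then
    cat > /root/tools/block_ip.sh <<'EOF'
#!/bin/bash
#script to block malicious IP sources for Wonder Cohen 23-jun-2021
for ip_to_block in $(cat /var/log/ufw.log |grep -E -oh "SRC=(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|grep -v "SRC=0.0.0.0"|cut -d "=" -f2|sort|uniq -c|sort -n| tail -n 20 | awk '{print $2}')
do
ufw reject proto tcp from $ip_to_block
echo >/var/log/ufw.log
done
EOF
    chmod 700 /root/tools/block_ip.sh
    # echo "0 23 * * * root /root/tools/block_ip.sh" >> /etc/crontab
  else
    cat > /root/tools/block_ip.sh <<'EOF'
#!/bin/bash
#script to block malicious IP sources for Wonder Cohen 23-jun-2021
for ip_to_block in $(cat /var/log/firewall-droppd.log |grep -E -oh "SRC=(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|grep -v "SRC=0.0.0.0"|cut -d "=" -f2|sort|uniq -c|sort -n| tail -n 20 | awk '{print $2}')
do
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$ip_to_block' drop"
firewall-cmd --reload
echo > /var/log/firewall-droppd.log
done
EOF
    chmod 700 /root/tools/block_ip.sh
    # echo "0 23 * * * root /root/tools/block_ip.sh" >> /etc/crontab
  fi
}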
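#######################################
# Install the per-login shell auditing profile: every interactive bash session
# writes an append-only history file under /var/log/history, also after sudo.
# Outputs:   progress line on stdout
# Returns:   status of the final chmod
#######################################
function shell_sh(){
  echo "*** Starting shell_sh function ***"
  # 1723: sticky bit, owner rwx, group w, others wx - users can create their
  # own log file but cannot list the directory or remove other users' files.
  mkdir -p /var/log/history/
  chmod 1723 /var/log/history
  # Users need root to set the append-only attribute on their own log. The
  # former rule was "chattr +a /var/log/history/*"; per sudoers(5) a wildcard
  # in the argument part also matches '/' and spaces, so that rule accepted
  # paths outside the history directory. A small root-owned wrapper now
  # validates the path and is the only command sudoers permits.
  cat > /usr/local/sbin/lock_history <<'EOF'
#!/bin/bash
# Installed by post_install.sh: mark one shell-history log append-only.
# Only a single, existing *.log directly inside /var/log/history/ is accepted;
# the path is canonicalised first so symlinks and ".." cannot redirect it.
set -eu
if [[ $# -ne 1 ]]; then
  printf 'usage: %s /var/log/history/<file>.log\n' "${0##*/}" >&2
  exit 2
fi
target=$(realpath -e -- "$1")
case "$target" in
  /var/log/history/*/*) printf 'refusing to lock %s\n' "$1" >&2; exit 1 ;;
  /var/log/history/*.log) exec /usr/bin/chattr +a "$target" ;;
  *) printf 'refusing to lock %s\n' "$1" >&2; exit 1 ;;
esac
EOF
  chmod 755 /usr/local/sbin/lock_history
  # Same fragment name as before, so a re-run replaces the old wildcard rule.
  echo "ALL ALL= NOPASSWD: /usr/local/sbin/lock_history" > /etc/sudoers.d/chattr
  chmod 440 /etc/sudoers.d/chattr
  # A syntax error in a sudoers.d fragment disables sudo for everyone; check
  # the fragment before leaving it in place.
  if ! visudo -cf /etc/sudoers.d/chattr; then
    echo "invalid sudoers fragment, removing /etc/sudoers.d/chattr" >&2
    rm -f /etc/sudoers.d/chattr
  fi
  # Quoted heredoc: nothing is expanded now, the profile expands its own
  # variables at login time. Fixes against the former echo -e version:
  # LOG_LOCATION used "$\(whoami\)", which is a literal "$\(whoami\)" in the
  # resulting path (ACTIVE_USER was computed but never used), and
  # "export $SOURCE_USER" exported a variable named after the user instead of
  # SOURCE_USER itself. The lock line now quotes the path and calls the wrapper.
  # NOTE(review): the profile relies on bash features ([[, shopt); confirm
  # /etc/profile.d is only sourced by bash on the target hosts.
  cat > /etc/profile.d/shell.sh <<'EOF'

#Roy Cohen :roy@wondercohen.nl
#Wonder Cohen :The Hague The Netherlands
#objective :create a historyfile of all user activites also after sudo command
#location :/etc/profile.d/shell.sh
#First line of code :02/Nov/2020
#last update :15/Nov/2021
#version :1.0
#Aditinal info :inspired by a similar script by E. de Wolf version 151119
#Instructions for installation :cp the contant to /etc/profile.d/shell.sh
# :mkdir /var/log/history/
# :chmod 1723 /var/log/history
# :install /usr/local/sbin/lock_history and add to sudoers file: ALL ALL= NOPASSWD: /usr/local/sbin/lock_history
#Vars
DATE=$(date +%Y%m%d%H%M)
#Users
ACTIVE_USER=$(whoami)
SOURCE_USER=$(who -m | awk '{ print $1 }')
#Path
LOG_LOCATION="/var/log/history/${ACTIVE_USER}_${SOURCE_USER}.log"
#timeout logoff
TMOUT=900
export TMOUT
readonly TMOUT
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
#unlimited
export HISTFILESIZE=
export HISTSIZE=
export SOURCE_USER
export HISTFILE=$LOG_LOCATION
export HISTIGNORE=''
export HISTCONTROL='ignoreboth'
export HISTTIMEFORMAT=${HISTTIMEFORMAT:-%F %H:%M:%S }
shopt -s histappend
export PROMPT_COMMAND="history -a; $PROMPT_COMMAND"
readonly HISTFILE
readonly HISTIGNORE
#lock hisroty files Files
[[ ! -f "$LOG_LOCATION" ]] && touch "$LOG_LOCATION" && chmod 0600 "$LOG_LOCATION" && sudo /usr/local/sbin/lock_history "$LOG_LOCATION"
EOF
  chmod +x /etc/profile.d/shell.sh
}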
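#######################################
# Replace /etc/ssh/sshd_config with the site policy and restart sshd.
# Outputs:   progress line on stdout
# Returns:   0 after a successful restart, 1 when the new config fails sshd -t
#            (sshd is then left running on its previous configuration)
#######################################
function sshd_config(){
  echo "*** Starting Ssh function ***"
  local cfg=/etc/ssh/sshd_config
  # Keep the distribution file once: the replacement below contains only the
  # directives listed here, so anything the distribution shipped (e.g. a
  # Subsystem or Include line) is gone after this step.
  if [[ -f "$cfg" && ! -f "$cfg.orig" ]]; then
    cp -p -- "$cfg" "$cfg.orig"
  fi
  # NOTE(review): with PermitRootLogin no and PasswordAuthentication no, a
  # key-based non-root login must already work before this runs, or the next
  # session cannot be opened. ClientAliveCountMax 0 disables the idle
  # disconnect on OpenSSH 8.2 and later rather than enforcing it - confirm the
  # intended behaviour against the installed version.
  cat > "$cfg" <<'EOF'
 #ssh config for Wonder Cohen 23-jun-2021
SyslogFacility AUTHPRIV
PermitRootLogin no
MaxAuthTries 6
MaxSessions 5
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
LogLevel INFO
Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitUserEnvironment no
ClientAliveInterval 15m
ClientAliveCountMax 0
LoginGraceTime 60
MaxStartups 10:30:60
AllowTcpForwarding no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Banner /etc/issue.net
EOF
  # Restart only when the new file parses; restarting on a broken config
  # stops sshd and can cut off remote access to the host.
  if /usr/sbin/sshd -t -f "$cfg"; then
    systemctl restart sshd
  else
    echo "sshd_config validation failed, sshd not restarted; previous file kept as $cfg.orig" >&2
    return 1
  fi
  #mkdir -p /home/rcohen/.ssh/
  #chown rcohen:rcohen /home/rcohen/.ssh/
  #chmod 700 /home/rcohen/.ssh/
  #chmod 600 /home/rcohen/.ssh/authorized_keys
  #chown rcohen:rcohen /home/rcohen/.ssh/authorized_keys
}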
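#######################################
# Enable the host firewall: ufw on Debian/Ubuntu; firewalld plus a rsyslog
# rule that collects dropped/rejected packets on RHEL-family hosts.
# Globals:   DEB_OS (read)
# Outputs:   progress line on stdout
# Returns:   status of the last command in the taken branch
#######################################
function firewall(){
  echo "*** Starting firewalld function ***"
  if test -f "$DEB_OS"; then
    systemctl enable ufw
    ufw --force enable
  else
    # Was "systemctl enable firewall": no such unit exists, so firewalld was
    # started for this boot but never enabled.
    systemctl enable firewalld
    systemctl start firewalld
    cat > /etc/firewalld/firewalld.conf <<'EOF'
#firewalld.conf config for Wonder Cohen 23-jun-2021
DefaultZone=public
MinimalMark=100
CleanupOnExit=yes
Lockdown=no
IPv6_rpfilter=yes
IndividualCalls=no
LogDenied=all
AutomaticHelpers=system
AllowZoneDrifting=yes
EOF
    # NOTE(review): AllowZoneDrifting=yes lets a packet match rules from more
    # than one zone; firewalld deprecated the option and newer releases default
    # to "no". Confirm it is still wanted.
    firewall-cmd --reload
    # Quoted heredoc so the "_DROP"/"_REJECT" quotes reach the file. Inside the
    # former echo -e "..." they closed the shell string and were stripped,
    # leaving the rsyslog property filters without the quoted value the
    # :property,compare,"value" syntax expects.
    cat > /etc/rsyslog.d/firewalld-droppd.conf <<'EOF'
#rsyslog_firewal logging config for Wonder Cohen 23-jun-2021
:msg,contains,"_DROP" /var/log/firewall-droppd.log
:msg,contains,"_REJECT" /var/log/firewall-droppd.log
& stop
EOF
    systemctl restart rsyslog.service
  fi
}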
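#######################################
# Restrict inbound traffic to the management sources: allow MY_IP and the
# installer's SOURCE_CONNECTION, then default-deny (ufw) or move the common
# services out of the public zone and trust only those sources (firewalld).
# Globals:   DEB_OS, MY_IP, SOURCE_CONNECTION (read)
# Outputs:   progress line on stdout, a warning on stderr when no source is set
# Returns:   status of the final reload
#######################################
function firewall_rules(){
  echo "*** Starting firewall_rules function ***"
  # An empty source is skipped instead of being handed to the firewall as an
  # empty argument, which made the former unquoted $MY_IP/$SOURCE_CONNECTION
  # commands fail with a usage error.
  local -a sources=("$MY_IP" "$SOURCE_CONNECTION")
  local src
  if [[ -z "$MY_IP" && -z "$SOURCE_CONNECTION" ]]; then
    echo "warning: MY_IP and SOURCE_CONNECTION are both empty; the deny policy below may cut off remote access" >&2
  fi
  if test -f "$DEB_OS"; then
    for src in "${sources[@]}"; do
      [[ -n "$src" ]] && ufw allow proto tcp from "$src"
    done
    # NOTE(review): "1/24" is not a valid network as it appears in this copy of
    # the script; confirm the intended management CIDR before relying on it.
    ufw allow proto tcp from 1/24
    ufw default deny incoming
    ufw reload
  else
    firewall-cmd --set-log-denied=all
    firewall-cmd --get-log-denied
    firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public
    firewall-cmd --permanent --remove-service=cockpit --zone=public
    firewall-cmd --permanent --remove-service=ssh --zone=public
    # NOTE(review): services added to the drop zone only matter for interfaces
    # or sources bound to that zone; verify the zone assignment on the host.
    firewall-cmd --zone=drop --permanent --add-service=http
    firewall-cmd --zone=drop --permanent --add-service=https
    firewall-cmd --zone=drop --permanent --add-service=samba-client
    firewall-cmd --zone=drop --permanent --add-service=dhcpv6-client
    firewall-cmd --zone=drop --permanent --add-service=cockpit
    firewall-cmd --zone=drop --permanent --add-service=ssh
    for src in "${sources[@]}"; do
      [[ -n "$src" ]] && firewall-cmd --zone=trusted --permanent --add-source="$src"
    done
    firewall-cmd --reload
  fi
}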
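#######################################
# Enable fail2ban with an sshd jail: 24 h ban after 5 failures in 10 minutes.
# Outputs:   progress line on stdout
# Returns:   status of the fail2ban restart
#######################################
function fail2ban(){
  echo "*** Starting Fail2ban function ***"
  # The rest of this script writes under /root and /etc without sudo, so the
  # stray "sudo" on the start command was dropped for consistency.
  systemctl enable fail2ban && systemctl start fail2ban
  # Quoted heredoc keeps the double quotes in the comment lines; inside the
  # former echo -e "..." they terminated the shell string and were stripped.
  cat > /etc/fail2ban/jail.local <<'EOF'

[DEFAULT]
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
bantime = 86400
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 5
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
# Call iptables to ban IP address
banaction = iptables-multiport
# Enable sshd protection
[sshd]
enabled = true
EOF
  systemctl restart fail2ban
}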
#######################################
# Configure the second NIC with a static address derived from the last octet
# of the primary interface (ens3 on Debian/Ubuntu via netplan, eth0 on RHEL
# via ifcfg-eth1). Which template is written depends on whether the numeric
# hostname suffix lies in 99..200.
# NOTE(review): this copy of the function is damaged and must not be run as
# is. The `echo -e "` on both netplan branches is never closed before the
# matching `else`/`fi`, the "addresses:" lists end in a bare "-", and the
# IPADDR values are incomplete; consult the original file before editing.
# Globals:   DEB_OS (read); assigns SET_IP and HOSTNAME (not local - HOSTNAME
#            shadows the shell's own variable for the rest of the run)
# Outputs:   progress line on stdout
#######################################
function network_setting(){
echo "*** Starting Network function ***"
if test -f "$DEB_OS"; then
# Last octet of the ens3 IPv4 address: fourth dot-separated field, up to the "/".
SET_IP=$(ip -4 a show ens3|grep inet|cut -d "." -f4|cut -d "/" -f1)
# Fourth dash-separated field of the short hostname (the node index).
HOSTNAME=$(hostname -f|cut -d "." -f1|cut -d "-" -f4)
if [ "$HOSTNAME" -ge 99 ] && [ "$HOSTNAME" -le 200 ];
then
# NOTE(review): the string opened on the next line is not terminated before
# "else" in this copy; the closing quote and the redirect to the netplan file
# are missing.
echo -e "
network:
version: 2
renderer: networkd
ethernets:
ens8:
dhcp4: yes
optional: true
dhcp6: no
addresses:
-
else
echo -e "
network:
version: 2
renderer: networkd
ethernets:
ens8:
dhcp4: yes
optional: true
dhcp6: no
addresses:
-
fi
netplan apply
else
# Same derivation as the Debian branch, read from eth0.
SET_IP=$(ip -4 a show eth0 |grep inet|cut -d "." -f4|cut -d "/" -f1)
HOSTNAME=$(hostname -f|cut -d "." -f1|cut -d "-" -f4)
if [ "$HOSTNAME" -ge 99 ] && [ "$HOSTNAME" -le 200 ];
then
# NOTE(review): "ONBOOT=yesn" is not a valid value, the literal \n escapes add
# a blank line after each key under echo -e, and IPADDR is incomplete here.
echo -e "
DEVICE=eth1\n
ONBOOT=yesn\n
NETBOOT=yes\n
BOOTPROTO=static\n
IPADDR=1\n
NETMASK=255.255.255.0\n
ZONE=public\n
" >/etc/sysconfig/network-scripts/ifcfg-eth1
else
# NOTE(review): "IPADDR=1....$SET_IP" is incomplete in this copy; only the
# last octet ($SET_IP) is recoverable from the code above.
echo -e "
DEVICE=eth1
ONBOOT=yes
NETBOOT=yes
BOOTPROTO=static
IPADDR=1....$SET_IP
NETMASK=255.255.255.0
ZONE=public\n
" >/etc/sysconfig/network-scripts/ifcfg-eth1
fi
systemctl restart network.service
fi
}
#https://kifarunix.com/install-and-configure-aide-on-ubuntu-20-04/
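#######################################
# Initialise AIDE (Debian/Ubuntu layout: aideinit, /etc/aide/aide.conf) and
# schedule a nightly integrity check. Currently commented out in main().
# Outputs:   progress line on stdout
# Returns:   status of the last command
#######################################
function aide(){
  echo "*** Starting aide function ***"
  # Uses apt and the Debian paths; on RHEL-family hosts aide is installed by
  # install_software() and typically uses a different config location, so this
  # function is Debian-only as written.
  apt-get -y install aide
  aideinit
  # aideinit writes aide.db.new; the check below reads aide.db.
  cp /var/lib/aide/aide.db{.new,}
  cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
  aide -c /etc/aide/aide.conf -C
  # Append the cron entry only once; the former unconditional append added a
  # duplicate on every run.
  local cron_line="0 0 * * * root /usr/sbin/aide -c /etc/aide/aide.conf -C"
  grep -qxF -- "$cron_line" /etc/crontab || echo "$cron_line" >> /etc/crontab
}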
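#######################################
# Entry point: run the hardening steps when the host name carries a numeric
# node index of at least 99, otherwise ask for a proper hostname.
# Globals:   none directly (the steps read DEB_OS, MY_IP, SOURCE_CONNECTION)
# Outputs:   progress of each step on stdout
# Returns:   status of the last step, or 0 after the hostname message
#######################################
function main(){
  # Fourth dash-separated field of the short hostname, e.g. "101" for
  # lx-ubt-rtm0-101 (see the hostnamectl example in the file header).
  local node_index
  node_index=$(hostname -f | cut -d "." -f1 | cut -d "-" -f4)
  # A non-numeric field made the former `[ ... -ge 99 ]` print an "integer
  # expression expected" error and fall through; test the shape explicitly.
  # 10# forces decimal so an index such as 0101 is not read as octal.
  if [[ "$node_index" =~ ^[0-9]+$ ]] && (( 10#$node_index >= 99 )); then
    install_software
    issue_motd
    sshd_config
    shell_sh
    firewall
    firewall_rules
    fail2ban
    network_setting
    tooling
    #aide
  else
    echo "Please set a valid hostname"
  fi
}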
# Run everything, mirroring stdout and stderr into a timestamped log under /root.
main 2>&1 | tee "/root/$(hostname)_$(date +%Y%m%d%H%M).log"