118 lines
6.3 KiB
Bash
118 lines
6.3 KiB
Bash
#!/bin/bash
|
|
#
|
|
# base-stack
|
|
# https://git.stack-source.com/msb/base-stack
|
|
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
#
|
|
# this installer expects a clean Ubuntu 20.04 install
|
|
|
|
# require root
|
|
if [ "${EUID}" -ne 0 ]; then
|
|
echo "This script must be run as root"
|
|
exit 1
|
|
fi
|
|
|
|
# do some basic pre-install checks - these are *not* exhaustive
|
|
os_id=`lsb_release -is`
|
|
os_release=`lsb_release -rs`
|
|
if [ $os_id != Ubuntu ] || [ $os_release != 22.04 ]; then
|
|
echo "this installer only runs on Ubuntu 22.04, bailing out"
|
|
exit 1
|
|
fi
|
|
|
|
# set webmaster email address, used below
|
|
WEBMASTER=webmaster@`hostname -d`
|
|
|
|
# have packages automatically start/restart/stop after install/upgrade/uninstall
|
|
if [[ -f /etc/needrestart/needrestart.conf ]]; then
|
|
sed -i "s|^#\$nrconf{restart} = 'i';|\$nrconf{restart} = 'a';|g" /etc/needrestart/needrestart.conf
|
|
fi
|
|
if [[ -f /usr/sbin/policy-rc.d ]]; then
|
|
sed -i "s|exit 101|exit 0|g" /usr/sbin/policy-rc.d
|
|
fi
|
|
|
|
# update system
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y update
|
|
# update grub first, by itself, as it requires special overrides to run unattended
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install grub-common grub2-common grub-pc grub-pc-bin
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y autoremove
|
|
|
|
# remove unwanted packages
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y purge snapd cryptsetup ufw iptables landscape-common popularity-contest
|
|
## used to disable apparmor, going to try leaving it in now
|
|
# aa-teardown
|
|
# systemctl stop apparmor
|
|
# systemctl disable apparmor
|
|
|
|
# disable motd
|
|
sed -i 's|ENABLED=1|ENABLED=0|g' /etc/default/motd-news
|
|
chmod 644 /etc/update-motd.d/10-help-text
|
|
|
|
# configure unattended upgrades with automatic reboots
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y install unattended-upgrades
|
|
sed -i 's|^APT::Periodic::Update-Package-Lists.*|APT::Periodic::Update-Package-Lists "1";|g' /etc/apt/apt.conf.d/10periodic
|
|
sed -i 's|^APT::Periodic::Download-Upgradeable-Packages.*|APT::Periodic::Download-Upgradeable-Packages "1";|g' /etc/apt/apt.conf.d/10periodic
|
|
sed -i 's|^APT::Periodic::AutocleanInterval.*|APT::Periodic::AutocleanInterval "7";|g' /etc/apt/apt.conf.d/10periodic
|
|
sed -i 's|^APT::Periodic::Update-Package-Lists.*|APT::Periodic::Update-Package-Lists "1";|g' /etc/apt/apt.conf.d/20auto-upgrades
|
|
sed -i 's|^APT::Periodic::Unattended-Upgrade.*|APT::Periodic::Unattended-Upgrade "1";|g' /etc/apt/apt.conf.d/20auto-upgrades
|
|
sed -i 's|// "${distro_id}:${distro_codename}-updates";| "${distro_id}:${distro_codename}-updates";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
|
sed -i 's|//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";|Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
|
sed -i 's|//Unattended-Upgrade::Remove-Unused-Dependencies "false";|Unattended-Upgrade::Remove-Unused-Dependencies "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
|
sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
|
# between 1:00 and 1:55am
|
|
REBOOT_TIME=01:$(printf "%02d" $((0 + RANDOM % 55)))
|
|
sed -i "s|//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";|Unattended-Upgrade::Automatic-Reboot-Time \"$REBOOT_TIME\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
|
sed -i "s|//Unattended-Upgrade::Mail \"\";|Unattended-Upgrade::Mail \"$WEBMASTER\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
|
|
|
# firewalld
|
|
# without "--no-install-recommends" ipset and ipables are pulled in, and we don't need or want those
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y install firewalld --no-install-recommends
|
|
firewall-cmd --set-default-zone=public
|
|
# get public interface (e.g. eth0, enp0s10, etc.) then add it to the default (public) zone
|
|
INTERFACE=$(/usr/bin/ip route get 1.1.1.1 | sed -n 's/.*dev \([^\ ]*\).*/\1/p')
|
|
firewall-cmd --permanent --zone=public --add-interface=$INTERFACE
|
|
# ssh should already be enabled by default, just making sure
|
|
firewall-cmd --permanent --zone=public --add-service=ssh
|
|
# default firewalld public zone enables dhcpv6-client, we don't want that
|
|
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
|
|
# blacklist - for local blacklisting
|
|
firewall-cmd --permanent --new-ipset=blacklist --type=hash:net
|
|
firewall-cmd --permanent --ipset=blacklist --set-short=Blacklist
|
|
firewall-cmd --permanent --ipset=blacklist --set-description="Blacklist IP set for creating blacklists local to this server. Use fbl.sh & fwl.sh to add/remove IPs to the blacklist."
|
|
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
|
|
# fail2ban - fail2ban blocking
|
|
firewall-cmd --permanent --new-ipset=fail2ban --type=hash:ip --option=timeout=90000
|
|
# 90000 timeout is 25 hours. Assumption is that 24 hours is the longest ban that fail2ban will implement, timeout is in place as a backup to remove out of date IPs
|
|
firewall-cmd --permanent --ipset=fail2ban --set-short=Fail2Ban
|
|
firewall-cmd --permanent --ipset=fail2ban --set-description="IP set for use by fail2ban. IPs in this set get added to the Drop zone."
|
|
firewall-cmd --permanent --zone=drop --add-source=ipset:fail2ban
|
|
systemctl restart firewalld
|
|
|
|
# fail2ban
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y install fail2ban
|
|
chmod 644 fail2ban/*/*
|
|
cp -a fail2ban/* /etc/fail2ban/
|
|
systemctl enable fail2ban
|
|
systemctl start fail2ban
|
|
|
|
# adjust journald config to prevent /var/log/journal/... from using excessive disk space
|
|
sed -i 's|.*SystemMaxUse=.*|SystemMaxUse=1G|g' /etc/systemd/journald.conf
|
|
sed -i 's|.*RuntimeMaxUse=.*|RuntimeMaxUse=1G|g' /etc/systemd/journald.conf
|
|
sed -i 's|.*SystemMaxFiles=.*|SystemMaxFiles=10|g' /etc/systemd/journald.conf
|
|
sed -i 's|.*RuntimeMaxFiles=.*|RuntimeMaxFiles=10|g' /etc/systemd/journald.conf
|
|
sed -i 's|.*MaxRetentionSec=.*|MaxRetentionSec=1week|g' /etc/systemd/journald.conf
|
|
systemctl restart systemd-journald.service
|
|
|
|
# install some handy extra packages
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y install gdu exa pwgen
|
|
|
|
# install
|
|
chmod 750 sbin/*
|
|
cp sbin/* /usr/local/sbin/
|
|
|
|
echo ""
|
|
echo "Unattended upgrades are configured to send notifications to $WEBMASTER."
|
|
echo "Update Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades to suit your needs."
|