Debian 9 Generic Linode Stackscript
#!/bin/bash
# This block defines the variables the user of the script needs to input
# when deploying using this script.
# <UDF name="hostname" label="Short Hostname" example="Example: bitcoincore-testnet-pruned" />
# HOSTNAME=
# <UDF name="fqdn" label="Fully Qualified Hostname" example="Example: bitcoincore-testnet-pruned.local or bitcoincore-testnet-pruned.domain.com"/>
# FQDN=
# <UDF name="user1name" label="User1 Name" example="Name for the user1 non-privileged account." />
# USER1NAME=
# <UDF name="userpassword" label="User1 Password" example="Password for the user1 non-privileged account." />
# USERPASSWORD=
# <UDF name="ssh_key" label="SSH Key" default="" example="Key for automated logins to user1 non-privileged account." optional="true" />
# SSH_KEY=
# <UDF name="sys_ssh_ip" label="SSH-Allowed IPs" default="" example="Comma separated list of IPs that can use SSH" optional="true" />
# SYS_SSH_IP=
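####
# 0. Set Initial Variables
####
# IPADDR: the IPv4 address eth0 received. Prefer iproute2 (`ip`), which is
# part of every Debian 9 install; net-tools (`ifconfig`) is no longer
# installed by default on stretch, so it is only a fallback.
if command -v ip >/dev/null 2>&1; then
  IPADDR=$(ip -4 -o addr show dev eth0 | awk '{ print $4 }' | head -n 1)
  IPADDR=${IPADDR%%/*}   # strip the /prefix-length
else
  IPADDR=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')
fi
# Log stdout to ~root/stackscript.log and stderr to both the log and
# ~root/stackscript.err, while still passing output through to the
# original descriptors so the Linode console shows progress.
exec > >(tee -a /root/stackscript.log) 2> >(tee -a /root/stackscript.log /root/stackscript.err >&2)
echo "$0 - BEGINNING NEW MACHINE SETUP STACKSCRIPT"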
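####
# 1. Update Hostname
####
# NOTE: $HOSTNAME is also a variable bash maintains itself; the Linode UDF
# export overrides it with the short name the user supplied. Quote it so a
# value with spaces or an empty value cannot mangle the command line.
printf '%s\n' "$HOSTNAME" > /etc/hostname
# /etc/init.d/hostname.sh start
/bin/hostname "$HOSTNAME"
echo "$0 - Set hostname as $FQDN ($IPADDR)"
echo "$0 - TODO: Put $FQDN with IP $IPADDR in your main DNS file."
# Rewrite /etc/hosts with the localhost aliases. 127.0.1.1 is Debian's
# convention for the machine's own name. The IPv6 loopback/multicast
# entries are Debian's standard ones; the original overwrite dropped them,
# which left "localhost" unresolvable over IPv6.
{
  printf '127.0.0.1 localhost\n'
  printf '127.0.1.1 %s %s\n' "$FQDN" "$HOSTNAME"
  printf '\n'
  printf '::1 localhost ip6-localhost ip6-loopback\n'
  printf 'ff02::1 ip6-allnodes\n'
  printf 'ff02::2 ip6-allrouters\n'
} > /etc/hosts
echo "$0 - Set localhost"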
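####
# 2. Update Timezone
####
# Default is America/Los_Angeles; export TIMEZONE before running to override.
TIMEZONE="${TIMEZONE:-America/Los_Angeles}"
if [ -f "/usr/share/zoneinfo/${TIMEZONE}" ]; then
  printf '%s\n' "$TIMEZONE" > /etc/timezone
  # Debian 9 (systemd) expects /etc/localtime to be a symlink into zoneinfo,
  # which also keeps it current when tzdata is upgraded.
  ln -sf "/usr/share/zoneinfo/${TIMEZONE}" /etc/localtime
  echo "$0 - Set Time Zone to $TIMEZONE"
else
  echo "$0 - WARNING: unknown timezone '$TIMEZONE'; leaving the system default" >&2
fi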
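####
# 3. Protect the Server
####
# Add firewall rules to block everything that's not Ping, or SSH.
# The heredoc delimiter is quoted so nothing inside is shell-expanded.
cat > /etc/iptables.firewall.rules <<'EOF'
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# If you want HTTP and HTTPS, uncomment these
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Allow Bitcoin & Lightning connections
#-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp --dport 8333 -j ACCEPT
#-A INPUT -p tcp --dport 18333 -j ACCEPT
#-A INPUT -p tcp --dport 9735 -j ACCEPT #Lightning
#-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
# Derive the IPv6 rules from the IPv4 ones: the loopback network becomes
# ::1/128, and the ping rule must name the ICMPv6 protocol. In ip6tables
# "-p icmp" does not match ICMPv6, so a verbatim copy would drop neighbour
# discovery and router advertisements and break IPv6 connectivity.
sed -e 's#127\.0\.0\.0/8#::1/128#' \
    -e 's/-p icmp /-p ipv6-icmp /' \
    /etc/iptables.firewall.rules > /etc/ip6tables.firewall.rules
# Make a startup file that loads the IPv4 and IPv6 rules before the
# interface comes up, so the host is never reachable unfiltered.
cat > /etc/network/if-pre-up.d/firewall <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
/sbin/ip6tables-restore < /etc/ip6tables.firewall.rules
EOF
chmod a+x /etc/network/if-pre-up.d/firewall
# Apply the rules now. A restore failure leaves the host unfiltered, so
# report it instead of letting it pass silently into the error log.
if /etc/network/if-pre-up.d/firewall; then
  echo "$0 - Created iptables. NOTE! This will prevent everything but Ping, and SSH from working!!"
else
  echo "$0 - WARNING: loading the firewall rules failed; inbound traffic is NOT filtered" >&2
fi
# Put your Login IPs into the hosts.allow file to allow access.
# NOTE: this only takes effect if sshd honours TCP wrappers (libwrap); the
# firewall above still accepts port 22 from anywhere, so fail2ban (installed
# in step 5) remains the backstop against password guessing. The UDF value
# is comma-separated, which hosts.allow accepts as-is.
if [ -n "$SYS_SSH_IP" ]; then
  printf 'sshd: %s\n' "$SYS_SSH_IP" >> /etc/hosts.allow
  printf 'sshd: ALL\n' >> /etc/hosts.deny
  echo "$0 - Limited SSH access."
else
  echo "$0 - WARNING: Your SSH access is not limited; this is a major security hole!"
fi
# Block SSH access from everywhere else.
# Yes, this means that if your address is not in the allowed list, you can
# only log in from Linode's Lish Console.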
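####
# 4. Set Up User
####
# Create "user1" with the supplied password and give them sudo capability.
# The account keeps its own private primary group (Debian default) and gets
# sudo as a supplementary group; the original "-g sudo" made sudo the
# primary group, so every file the user created was group-owned by sudo.
/usr/sbin/useradd -m -s /bin/bash -G sudo "$USER1NAME"
# Set the password through chpasswd on stdin: it applies the system's
# configured hash (SHA-512 by default on Debian) instead of legacy DES crypt
# with a fixed salt, and the password never appears on a command line where
# `ps` or the stackscript log could expose it.
printf '%s:%s\n' "$USER1NAME" "$USERPASSWORD" | /usr/sbin/chpasswd
echo "$0 - Setup user1 with sudo access."
# Resolve the home directory from the passwd database: "~$USER1NAME" is NOT
# tilde-expanded by bash (tilde expansion runs before parameter expansion),
# so the original created a literal "~name" directory in the current
# directory and the key never reached the user's account.
USER1HOME=$(getent passwd "$USER1NAME" | cut -d: -f6)
# Set up SSH Key with the permissions sshd's StrictModes expects.
if [ -n "$SSH_KEY" ] && [ -n "$USER1HOME" ]; then
  install -d -m 700 "$USER1HOME/.ssh"
  printf '%s\n' "$SSH_KEY" >> "$USER1HOME/.ssh/authorized_keys"
  chmod 600 "$USER1HOME/.ssh/authorized_keys"
  chown -R "$USER1NAME:" "$USER1HOME/.ssh"
  echo "$0 - Added .ssh key to $USER1NAME."
  # TODO: once key login is verified, consider setting PasswordAuthentication
  # no in /etc/ssh/sshd_config so the password is not exposed to guessing.
elif [ -n "$SSH_KEY" ]; then
  echo "$0 - WARNING: no home directory found for $USER1NAME; SSH key not installed" >&2
fi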
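####
# 5. Bring Debian Up To Date
####
echo "$0 - Starting Debian updates; this will take a while!"
# Add contrib/non-free repositories. The script already runs as root, so
# write directly: the original piped through sudo, which is only guaranteed
# to exist after the install step below. Export DEBIAN_MIRROR to use a
# closer mirror than the Italian default.
DEBIAN_MIRROR="${DEBIAN_MIRROR:-http://ftp.it.debian.org/debian/}"
cat >> /etc/apt/sources.list <<EOF
deb ${DEBIAN_MIRROR} stretch main contrib non-free
deb-src ${DEBIAN_MIRROR} stretch main contrib non-free
deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free
deb ${DEBIAN_MIRROR} stretch-updates main contrib non-free
deb-src ${DEBIAN_MIRROR} stretch-updates main contrib non-free
EOF
# Make sure all packages are up-to-date; noninteractive so debconf prompts
# cannot stall an unattended deploy.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
apt-get dist-upgrade -y
# Install key tools one at a time so a single unavailable package does not
# block the others (best-effort, as before), but make each failure visible.
#   sudo, git, wget - usually available by default
#   emacs           - alternative good editor
#   haveged         - improves the random number generator, in particular on VMs
#   fail2ban        - denies access for 10 minutes after 5 failed login attempts
#   stow            - installation tool
#   tmux            - terminal multiplexer
for pkg in sudo git wget emacs haveged fail2ban stow tmux; do
  apt-get install -y "$pkg" || echo "$0 - WARNING: failed to install $pkg" >&2
done
# Set system to automatically update
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | debconf-set-selections
apt-get -y install unattended-upgrades
echo "$0 - Updated Debian Packages"
# Alert User! Resolve the home directory via getent: "~$USER1NAME" is not
# tilde-expanded by bash, so the original touched a literal "~name" path.
USER1HOME=$(getent passwd "$USER1NAME" | cut -d: -f6)
if [ -n "$USER1HOME" ]; then
  sudo -u "$USER1NAME" touch "$USER1HOME/LINODE-IS-READY"
else
  echo "$0 - WARNING: no home directory found for $USER1NAME; ready marker not created" >&2
fi
echo "$0 - ENDING NEW MACHINE SETUP STACKSCRIPT"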