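#!/usr/bin/env bash
# Quickly setup iptables, ntp, the backup service and snmpd:
# wget http://gist.github.com/raw/282727/1ec21c6628b3cb9a9f6525b4929f7b8675568b4f/first-boot.sh && bash first-boot.sh
#
# Must run as root on a Debian/Ubuntu host. Each step is guarded so the
# script can be re-run without duplicating config lines, firewall hooks or
# ssh ports, and it aborts on the first failing command instead of carrying
# on with a half-configured box.
#
# Optional environment overrides:
#   GATEWAY         the "gateway" line in /etc/network/interfaces that the
#                   iptables pre-up/post-down hooks are attached to
#                   (default: 193.219.108.1)
#   SNMP_COMMUNITY  read-only SNMP community string (default: public, the
#                   well-known value; override it on real hosts)
set -euo pipefail

readonly GATEWAY="${GATEWAY:-193.219.108.1}"
readonly SNMP_COMMUNITY="${SNMP_COMMUNITY:-public}"
readonly RULES_FILE=/etc/iptables.rules
readonly AGENTS_DIR=/usr/lib/xeriom-nagios-snmp-agents

#######################################
# Print a message to stderr and abort.
# Arguments: message words
#######################################
die() {
  printf 'first-boot: %s\n' "$*" >&2
  exit 1
}

#######################################
# Persist the live ruleset (with counters) so the pre-up hook can restore it.
# Globals:   RULES_FILE (read)
#######################################
save_firewall_rules() {
  iptables-save -c > "$RULES_FILE"
}

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - line, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

(( EUID == 0 )) || die "must be run as root"

# Firewall
apt-get install --yes iptables
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -s 193.219.108.245 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP
save_firewall_rules
# Hook restore/save into ifup/ifdown, once. The gateway line is matched
# anchored and with literal dots so "gateway 193.219.108.100" is not edited;
# abort if it is absent, otherwise the ruleset would silently not survive a
# reboot. The existing indentation of the gateway line is reused (\1).
gateway_re="gateway ${GATEWAY//./\\.}"
if ! grep -qF "iptables-restore < $RULES_FILE" /etc/network/interfaces; then
  grep -q "^[[:space:]]*${gateway_re}[[:space:]]*\$" /etc/network/interfaces \
    || die "no 'gateway $GATEWAY' line in /etc/network/interfaces"
  sed -i "s|^\([[:space:]]*\)${gateway_re}[[:space:]]*\$|\1gateway ${GATEWAY}\n\1pre-up iptables-restore < ${RULES_FILE}\n\1post-down iptables-save -c > ${RULES_FILE}|" /etc/network/interfaces
fi

# Time
apt-get install --yes ntp
# Only a Xen guest has this knob (it lets the guest keep its own wallclock
# so ntpd can steer it); on other hosts the write would fail and the sysctl
# line would error at every boot, so both are skipped.
if [[ -w /proc/sys/xen/independent_wallclock ]]; then
  echo 1 > /proc/sys/xen/independent_wallclock
  append_once 'xen.independent_wallclock = 1' /etc/sysctl.conf
fi
cat > /etc/ntp.conf <<'EOF'
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server time.xeriom.net prefer
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
/etc/init.d/ntp restart

# Backups
apt-get install --yes rsync nfs-common
mkdir -p /root/.ssh
# NOTE: this replaces any existing root authorized_keys with just the two
# restricted backup keys (forced command, single source host, no forwarding).
cat > /root/.ssh/authorized_keys <<'EOF'
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="193.219.108.249",command="cat /etc/backup.conf" ssh-rsa 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 Backup Configuration
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="193.219.108.249",command="/usr/local/bin/backup_only" ssh-rsa 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 Backup Agent
EOF
chmod -R go-wrx /root/.ssh
# Also listen on 22344. Anchored so a re-run does not turn an existing
# "Port 22344" into "Port 22344344", and verified afterwards: if sshd_config
# only has a commented-out "#Port 22" the sed is a no-op and the backup host
# could never connect.
grep -q '^Port 22344$' /etc/ssh/sshd_config \
  || sed -i 's/^Port 22$/Port 22\nPort 22344/' /etc/ssh/sshd_config
grep -q '^Port 22344$' /etc/ssh/sshd_config \
  || die "could not add 'Port 22344' to /etc/ssh/sshd_config (no active 'Port 22' line)"
# Forced command for the backup key. Only a read-only rsync sender with the
# exact flags the backup host uses is allowed; anything else is refused with
# a non-zero status and logged to syslog so refusals show up in monitoring.
# The command is word-split (not eval'd), and globbing is disabled first so
# no argument can expand against the local filesystem.
cat > /usr/local/bin/backup_only <<'EOF'
#!/bin/sh
set -f
reject() {
  logger -t backup_only -- "rejected command from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
  echo "Rejected" >&2
  exit 1
}
case "$SSH_ORIGINAL_COMMAND" in
  *\&*|*\(*|*\{*|*\;*|*\<*|*\`*)
    reject
    ;;
  rsync\ --server\ --sender\ -logDtprR\ --numeric-ids\ .\ /*)
    exec $SSH_ORIGINAL_COMMAND
    ;;
  *)
    reject
    ;;
esac
EOF
chmod +x /usr/local/bin/backup_only
cat > /etc/backup.conf <<'EOF'
/etc
/var/backups
EOF
# Validate sshd_config before restarting so a bad edit cannot lock us out.
/usr/sbin/sshd -t || die "sshd_config failed validation; not restarting ssh"
/etc/init.d/ssh restart
iptables -I INPUT 4 -p tcp --dport 22344 -s backup.xeriom.net -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 22344 -s monitor.xeriom.net -j ACCEPT
save_firewall_rules

# SNMP
apt-get install ruby rubygems git-core snmpd --yes
# Clone over https rather than git:// so the transport is authenticated and
# integrity-checked; this code runs as root under snmpd's pass_persist, so
# it should be pinned to a reviewed revision before first use.
# TODO: git checkout <REVIEWED_COMMIT> after cloning.
if [[ ! -d "$AGENTS_DIR/.git" ]]; then
  git clone https://github.com/craigw/xeriom-nagios-snmp-agents.git "$AGENTS_DIR"
fi
( cd "$AGENTS_DIR" && git submodule init && git submodule update )
# The community is additionally restricted to the two monitoring hosts the
# firewall already allows, so snmpd itself refuses other sources even if the
# ruleset is not active (e.g. the interfaces hook never ran after a reboot).
cat > /etc/snmp/snmpd.conf <<EOF
rocommunity ${SNMP_COMMUNITY} 193.219.108.60
rocommunity ${SNMP_COMMUNITY} 193.219.108.245
syslocation London Rack 1
syscontact [email protected]
pass_persist .1.3.6.1.4.1.32919.4.1.1.1.1 ${AGENTS_DIR}/bin/mount_agent
EOF
# Debian's default binds snmpd to loopback only; the monitoring hosts are
# remote, so bind to all addresses (access is limited above and by iptables).
sed -i 's/127.0.0.1/0.0.0.0/g' /etc/default/snmpd
/etc/init.d/snmpd restart
iptables -I INPUT 4 -s 193.219.108.60 -p udp -m udp --dport 161 -j ACCEPT
iptables -I INPUT 4 -s 193.219.108.245 -p udp -m udp --dport 161 -j ACCEPT
save_firewall_rules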