Server Bootstrap

a_starting_point

# To use this script run: 
curl -O https://raw.github.com/gist/1395181/d9147fd2aa0ca24ec609c188438d1eec60f8ffb4/bootstrap.sh; chmod +x bootstrap.sh; sudo ./bootstrap.sh  

# Also the script assumes a group with admin privileges 
# called admin already exists. If it does not you may want 
# to check by running visudo:
#
# Create sudo group: 
# (may not be necessary LTS now has admin group by default) 
visudo 
%admin  ALL=(ALL)       
ALL # /usr/sbin/groupadd admin

bootstrap.sh

echo ""
echo ""
echo "Checking your linux release:"
echo ""
cat /etc/lsb-release
echo ""
echo ""
echo "BOOTSTRAP:"
echo "----------------------------------------"
echo "This will configure a default user, secure your SSH, and supply some utility scripts for further installation of system essentials, ruby, etc."
echo ""
while true; do
    read -p "Do you wish to bootstrap this server? (yes or no):" yn
    case $yn in
        [Yy]* ) break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done
echo ""
echo "STEP ONE: SETUP YOUR USER ACCOUNT."
echo "----------------------------------------"
echo "We're going to disable root authentication and create a user account to access the server."
echo ""
echo -n "Enter your username for this server: "
read DEFAULT_USERNAME

# Setup my user account.
/usr/sbin/adduser $DEFAULT_USERNAME
/usr/sbin/usermod -a -G admin $DEFAULT_USERNAME

# Setup SSH for my user.
mkdir /home/$DEFAULT_USERNAME/.ssh
touch /home/$DEFAULT_USERNAME/.ssh/authorized_keys
chown -R $DEFAULT_USERNAME:$DEFAULT_USERNAME /home/$DEFAULT_USERNAME/.ssh
chmod 700 /home/$DEFAULT_USERNAME/.ssh
chmod 600 /home/$DEFAULT_USERNAME/.ssh/authorized_keys

# Update SSH config.
echo ""
echo ""
echo "STEP TWO: UPDATE YOUR SSH SETTINGS."
echo "----------------------------------------"
echo "Your SSH configuration will now be opened in nano with suggested modifications."
echo ""
while true; do
    read -p "Do you want to continue? (yes or no): " yn
    case $yn in
        [Yy]* ) break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done
curl -O https://raw.github.com/gist/1395181/51d243e28e66b5341057dc75bab72347fe8fc3af/sshmods
echo AllowUsers $DEFAULT_USERNAME >> sshmods
echo "# --------------------------------------------------" >> sshmods
cat /etc/ssh/sshd_config >> sshmods
cp /etc/ssh/sshd_config ./sshd_config.backup
mv sshmods /etc/ssh/sshd_config
nano /etc/ssh/sshd_config

# Setup default IPTables
echo ""
echo ""
echo "STEP THREE: IPTABLES"
echo "----------------------------------------"
echo "Some default IP rules will now be opened in nano. ENSURE THE PORT MATCHES THE PORT YOU SET IN YOUR SSH CONFIG! i.e. 30000"
echo ""
while true; do
    read -p "Do you want to continue? (yes or no): " yn
    case $yn in
        [Yy]* ) break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done

/sbin/iptables -F
curl -O https://raw.github.com/gist/1395181/cee84792277eb77c6dd5b1afabc815622896324f/iptables.up.rules
mv iptables.up.rules /etc/iptables.up.rules
nano /etc/iptables.up.rules
/sbin/iptables-restore < /etc/iptables.up.rules
/sbin/iptables -L
curl -O https://raw.github.com/gist/1395181/c1a1ebe10fb9c9d4fe4c9f28c217b5d101b857f9/iptables
mv iptables /etc/network/if-pre-up.d/iptables
echo ""
echo "iptables will automatically be reloaded via the script installed here: /etc/network/if-pre-up.d/iptables"
chmod +x /etc/network/if-pre-up.d/iptables

echo ""
echo "All done! Now just some final changes."

echo "--------------------------------------------"
echo "Grabbing utility scripts for further setup."
echo "--------------------------------------------"
echo ""
echo ""

# Download various bootstrap script
curl -O https://raw.github.com/gist/450334/3e439622391fb8d42063c1bce231c4e794d16cac/Ruby_1.9.3_on_Ubuntu_10.4
mv Ruby_1.9.3_on_Ubuntu_10.4 install_ruby_1.9.3.sh
chmod +x install_ruby_1.9.3.sh
echo "-----------------------------------------"
echo "Installed: install_ruby_1.9.3.sh"
echo ""
echo ""

curl -O https://raw.github.com/gist/1395181/b10fc3f3fd91c391ed7836e9b373bc8e471b2584/update_bashrc.sh
chmod +x update_bashrc.sh
echo "-----------------------------------------"
echo "Installed: update_bashrc.sh"
echo ""
echo ""

curl -O https://raw.github.com/gist/1395181/ad20e58b0c8a4d0df41585bc30f03940db553be3/setup_locale.sh
chmod +x setup_locale.sh
echo "-----------------------------------------"
echo "Installed: setup_locale.sh"
echo ""
echo ""

curl -O https://raw.github.com/gist/1395181/40ad21645817a29ef6d3408c2cd42fcb955d8ce3/safe_upgrade.sh
chmod +x safe_upgrade.sh
echo "-----------------------------------------"
echo "Installed: safe_upgrade.sh"
echo ""
echo ""

# Reload SSH
echo "FINAL STEPS:"
echo "-----------------------------------------"
echo "All done! Now just install the safe upgrades:"
echo "./safe_upgrade.sh"
echo ""
echo "Then, once you have added your SSH keys be sure to run:"
echo "/etc/init.d/ssh reload"
echo ""
echo ""

iptables

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

iptables.up.rules

*filter


#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT


# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT


#  Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT


# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

prompt_and_aliases

# Custom Prompt
PS1='\[\033[0;35m\]\u@\h\[\033[0;33m\] \w\[\033[00m\]: '

alias free="free -m"
alias update="sudo aptitude update"
alias install="sudo aptitude install"
alias upgrade="sudo aptitude safe-upgrade"
alias remove="sudo aptitude remove"

safe_upgrade.sh

# Update System
sudo aptitude update
sudo aptitude safe-upgrade
sudo aptitude install build-essential
# I consider git mandatory.
sudo aptitude install git-core

setup_locale.sh

# Setup Locale
/usr/bin/locale
sudo /usr/sbin/locale-gen en_US.UTF-8
sudo /usr/sbin/update-locale LANG=en_US.UTF-8

sshmods

# Suggested Changes to config
# --------------------------------------------------
# Port 30000
# Protocol 2
# PermitRootLogin no
# PasswordAuthentication no
# UseDNS no

update_bashrc.sh

# Add .bashrc mixins.
mv .bashrc .bashrc.backup
curl -O
https://raw.github.com/gist/1395181/215c0c41c78538196143a8566ab6ae5ce1e7e373/prompt_and_aliases
cat prompt_and_aliases >> .bashrc
rm prompt_and_aliases
nano .bashrc