lucasrenan · January 3, 2016 09:39
diff --git a/10periodic b/10periodic
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Download-Upgradeable-Packages "1";
 APT::Periodic::AutocleanInterval "7";
 APT::Periodic::Unattended-Upgrade "1";
diff --git a/config.sh b/config.sh
 # updating

 sudo apt-get update
 sudo apt-get upgrade
 sudo apt-get dist-upgrade

 # precompilers
 sudo apt-get install build-essential
 sudo apt-get install vim

 # ssh config
 sudo addgroup sshlogin
 sudo useradd -s /bin/bash -g www-data -m ubuntu
 sudo passwd ubuntu
 sudo adduser ubuntu sshlogin
 sudo adduser ubuntu sudo

 # configure /etc/ssh/sshd_config
 # check for errors /usr/sbin/sshd –t

 # adds your public ssh key (~/.ssh/id_rsa.pub) to
 # /home/ubuntu/.ssh/authorized_keys

 su ubuntu
 cd
 mkdir .ssh
 chmod 700 .ssh
 vim .ssh/authorized_keys
 # add your public ssh key
 chmod 600 .ssh/authorized_keys

 # add environment variables
 vim /home/ubuntu/.ssh/environment
 # add env vars
 # RAILS_ENV=production
 # RACK_ENV=production
 chmod 600 .ssh/environment

 # ruby with rvm
 \curl -sSL https://get.rvm.io | bash -s stable
 source /etc/profile.d/rvm.sh
 rvm install 2.1.0

 # firewall config
 sudo apt-get install ufw

 sudo ufw default deny
 sudo ufw enable
 sudo ufw logging on
 sudo ufw logging low
 sudo ufw allow ssh
 sudo ufw allow www
 sudo ufw allow https
 sudo ufw limit ssh
 sudo ufw reload

 sudo apt-get install denyhosts

 # automatic updates
 sudo apt-get install unattended-upgrades

 # edit /etc/apt/apt.conf.d/10periodic

 # clock config
 sudo apt-get install ntp
 sudo dpkg-reconfigure tzdata

 # install nginx
 sudo apt-get install software-properties-common
 sudo apt-get install python-software-properties
 sudo add-apt-repository ppa:nginx/stable
 sudo apt-get update
 sudo apt-get install nginx
 sudo service nginx start

 # install imagemagick
 sudo apt-get install imagemagick --fix-missing

 # nodejs
 sudo add-apt-repository ppa:chris-lea/node.js
 sudo apt-get update
 sudo apt-get install nodejs
diff --git a/sshd_config b/sshd_config
 # Package generated configuration file
 # See the sshd_config(5) manpage for details

 # What ports, IPs and protocols we listen for
 Port 22
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes

 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
 ServerKeyBits 768

 # Logging
 SyslogFacility AUTH
 LogLevel INFO

 # Authentication:
 LoginGraceTime 120
 PermitRootLogin no
 StrictModes yes

 RSAAuthentication yes
 PubkeyAuthentication yes
 #AuthorizedKeysFile     %h/.ssh/authorized_keys

 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
 # similar for protocol version 2
 HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes

 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no

 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no

 # Change to no to disable tunnelled clear text passwords
 #PasswordAuthentication yes

 # Kerberos options
 #KerberosAuthentication no
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes

 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes

 X11Forwarding yes
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
 #UseLogin no

 #MaxStartups 10:30:60
 #Banner /etc/issue.net

 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*

 Subsystem sftp /usr/lib/openssh/sftp-server

 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes

 UseDNS no
 AllowGroups sshlogin
 PermitUserEnvironment yes
	APT::Periodic::Update-Package-Lists "1";
	APT::Periodic::Download-Upgradeable-Packages "1";
	APT::Periodic::AutocleanInterval "7";
	APT::Periodic::Unattended-Upgrade "1";
	# updating

	sudo apt-get update
	sudo apt-get upgrade
	sudo apt-get dist-upgrade

	# precompilers
	sudo apt-get install build-essential
	sudo apt-get install vim

	# ssh config
	sudo addgroup sshlogin
	sudo useradd -s /bin/bash -g www-data -m ubuntu
	sudo passwd ubuntu
	sudo adduser ubuntu sshlogin
	sudo adduser ubuntu sudo

	# configure /etc/ssh/sshd_config
	# check for errors /usr/sbin/sshd –t

	# adds your public ssh key (~/.ssh/id_rsa.pub) to
	# /home/ubuntu/.ssh/authorized_keys

	su ubuntu
	cd
	mkdir .ssh
	chmod 700 .ssh
	vim .ssh/authorized_keys
	# add your public ssh key
	chmod 600 .ssh/authorized_keys

	# add environment variables
	vim /home/ubuntu/.ssh/environment
	# add env vars
	# RAILS_ENV=production
	# RACK_ENV=production
	chmod 600 .ssh/environment

	# ruby with rvm
	\curl -sSL https://get.rvm.io \| bash -s stable
	source /etc/profile.d/rvm.sh
	rvm install 2.1.0

	# firewall config
	sudo apt-get install ufw

	sudo ufw default deny
	sudo ufw enable
	sudo ufw logging on
	sudo ufw logging low
	sudo ufw allow ssh
	sudo ufw allow www
	sudo ufw allow https
	sudo ufw limit ssh
	sudo ufw reload

	sudo apt-get install denyhosts

	# automatic updates
	sudo apt-get install unattended-upgrades

	# edit /etc/apt/apt.conf.d/10periodic

	# clock config
	sudo apt-get install ntp
	sudo dpkg-reconfigure tzdata

	# install nginx
	sudo apt-get install software-properties-common
	sudo apt-get install python-software-properties
	sudo add-apt-repository ppa:nginx/stable
	sudo apt-get update
	sudo apt-get install nginx
	sudo service nginx start

	# install imagemagick
	sudo apt-get install imagemagick --fix-missing

	# nodejs
	sudo add-apt-repository ppa:chris-lea/node.js
	sudo apt-get update
	sudo apt-get install nodejs
	# Package generated configuration file
	# See the sshd_config(5) manpage for details

	# What ports, IPs and protocols we listen for
	Port 22
	# Use these options to restrict which interfaces/protocols sshd will bind to
	#ListenAddress ::
	#ListenAddress 0.0.0.0
	Protocol 2
	# HostKeys for protocol version 2
	HostKey /etc/ssh/ssh_host_rsa_key
	HostKey /etc/ssh/ssh_host_dsa_key
	HostKey /etc/ssh/ssh_host_ecdsa_key
	#Privilege Separation is turned on for security
	UsePrivilegeSeparation yes

	# Lifetime and size of ephemeral version 1 server key
	KeyRegenerationInterval 3600
	ServerKeyBits 768

	# Logging
	SyslogFacility AUTH
	LogLevel INFO

	# Authentication:
	LoginGraceTime 120
	PermitRootLogin no
	StrictModes yes

	RSAAuthentication yes
	PubkeyAuthentication yes
	#AuthorizedKeysFile %h/.ssh/authorized_keys

	# Don't read the user's ~/.rhosts and ~/.shosts files
	IgnoreRhosts yes
	# For this to work you will also need host keys in /etc/ssh_known_hosts
	RhostsRSAAuthentication no
	# similar for protocol version 2
	HostbasedAuthentication no
	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	#IgnoreUserKnownHosts yes

	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	PermitEmptyPasswords no

	# Change to yes to enable challenge-response passwords (beware issues with
	# some PAM modules and threads)
	ChallengeResponseAuthentication no

	# Change to no to disable tunnelled clear text passwords
	#PasswordAuthentication yes

	# Kerberos options
	#KerberosAuthentication no
	#KerberosGetAFSToken no
	#KerberosOrLocalPasswd yes
	#KerberosTicketCleanup yes

	# GSSAPI options
	#GSSAPIAuthentication no
	#GSSAPICleanupCredentials yes

	X11Forwarding yes
	X11DisplayOffset 10
	PrintMotd no
	PrintLastLog yes
	TCPKeepAlive yes
	#UseLogin no

	#MaxStartups 10:30:60
	#Banner /etc/issue.net

	# Allow client to pass locale environment variables
	AcceptEnv LANG LC_*

	Subsystem sftp /usr/lib/openssh/sftp-server

	# Set this to 'yes' to enable PAM authentication, account processing,
	# and session processing. If this is enabled, PAM authentication will
	# be allowed through the ChallengeResponseAuthentication and
	# PasswordAuthentication. Depending on your PAM configuration,
	# PAM authentication via ChallengeResponseAuthentication may bypass
	# the setting of "PermitRootLogin without-password".
	# If you just want the PAM account and session checks to run without
	# PAM authentication, then enable this but set PasswordAuthentication
	# and ChallengeResponseAuthentication to 'no'.
	UsePAM yes

	UseDNS no
	AllowGroups sshlogin
	PermitUserEnvironment yes