Auth and SSH configuration
0) Setting up and configuring the system
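# Section 0: base system setup on a freshly provisioned host — UTC clock,
# /home/backup + /sandbox, nano syntax colouring, a header for root's crontab,
# SSH login banner, MOTD, root shell aliases, yum-cron auto-updates, a PAM
# login-notify hook, nofile limits and a local resolver entry.
# Every step is guarded on the current state so the section can be re-run
# without duplicating lines.  It edits files under /etc and must run as root.

# die MSG...: print MSG to stderr and abort the run.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# separator: the rule that precedes each step's log output.
separator() {
  echo "=================================================================================="
}

# append_once FILE LINE: append LINE to FILE unless FILE already holds it as a
# whole line (fixed-string match), so re-runs never duplicate config entries.
# A missing FILE is treated as "not present" and created by the append.
append_once() {
  grep -Fqx -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

[ "$(id -u)" -eq 0 ] || die "this section edits /etc and must run as root"

if [ "$(readlink /etc/localtime)" != "/usr/share/zoneinfo/UTC" ]; then
  separator
  echo "Setting local time to UTC .."
  # -sfn replaces whatever /etc/localtime currently is (file or link).
  ln -sfn /usr/share/zoneinfo/UTC /etc/localtime
  echo ".. done"
fi

if [ ! -d /home/backup ]; then
  separator
  echo "Creating /home/backup directory .."
  mkdir -p /home/backup
  echo "Creating a symlink /backup to /home/backup .."
  [ -e /backup ] || ln -s /home/backup /backup
  echo ".. done"
fi

if [ ! -d /sandbox ]; then
  separator
  echo "Creating /sandbox directory .."
  mkdir -p /sandbox
  echo ".. done"
fi

# Uncomment the bundled syntax includes in /etc/nanorc.  Keyed on the last
# include (nanorc.nanorc) still being commented out.
if grep -Fq '# include "/usr/share/nano/nanorc.nanorc"' /etc/nanorc 2>/dev/null; then
  separator
  echo "Colorifying the Nano editor .."
  # 'sed -i' (not '-ie'): GNU sed reads '-ie' as "-i with backup suffix e" and
  # would leave a stray /etc/nanorce behind on every run.
  for syntax in sh java python patch php c css html man perl ruby xml nanorc; do
    sed -i "s|# include \"/usr/share/nano/${syntax}.nanorc\"|include \"/usr/share/nano/${syntax}.nanorc\"|" /etc/nanorc
  done
  echo ".. done"
fi

# Root crontab: prepend the AltaGrade example header once, before other
# scripts start adding their own entries.
if ! grep -Fq "Example of cron job definition on AltaGrade servers" /var/spool/cron/root 2>/dev/null; then
  separator
  echo "Setting up cron definitions .."
  cron_tmp=$(mktemp) || die "mktemp failed"
  cat > "$cron_tmp" << 'EOF'
# Example of cron job definition on AltaGrade servers:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
#
# 1. Entry: Minute when the process will be started [0-60]
# 2. Entry: Hour when the process will be started [0-23]
# 3. Entry: Day of the month when the process will be started [1-28/29/30/31]
# 4. Entry: Month of the year when the process will be started [1-12]
# 5. Entry: Weekday when the process will be started [0-6] [0 is Sunday]
#
# every x min = */x
# So according to this your 5 8 * * 6 would run 8:05 every Saturday.
# Ex: 39 * * * * wget -O - -q -t 1 http://YourDrupalSite.com/cron.php?key=YourDrupalSiteCronKeyHere
EOF
  # Keep any existing entries below the header.  The previous
  # 'cat root temp > root' truncated root before cat could read it, so the
  # header was lost and a stray 'temp' crontab stayed in /var/spool/cron.
  # Going through crontab(1) also keeps the spool file's mode and ownership.
  crontab -l -u root 2>/dev/null >> "$cron_tmp"
  crontab -u root "$cron_tmp" || die "installing root crontab failed"
  rm -f -- "$cron_tmp"
  echo "..done"
fi

# Same condition as the original 'grep -Fq "" /etc/banner': create the banner
# when the file is missing or empty.
if [ ! -s /etc/banner ]; then
  separator
  echo "Creating /etc/banner .."
  # NOTE(review): the multi-line ASCII-art layout of this banner was lost when
  # the script was captured; restore the line breaks from the original template.
  cat <<'EOT' >> /etc/banner
** ** ** ******** ** **** /** /** **//////** /** **//** /** ****** ****** ** // ****** ****** /** ***** ** //** /**///**/ //////** /** //**//* //////** ****** **///** ********** /** /** ******* /** ***** /** / ******* **///**/******* /**//////** /** /** **////** //** ////** /** **////** /** /**/**//// /** /** *** //** //******** //******** /*** //********//******//****** // // /// // //////// //////// /// //////// ////// //////
EOT
  echo ".. done"
fi

# Point sshd at the banner: replace the stock commented default in place,
# otherwise append the directive (once).
if grep -Fq "#Banner none" /etc/ssh/sshd_config; then
  sed -i '/#Banner none/c\Banner /etc/banner' /etc/ssh/sshd_config
else
  append_once /etc/ssh/sshd_config 'Banner /etc/banner'
fi

if ! grep -Fq "Welcome" /etc/motd 2>/dev/null; then
  separator
  echo "Creating /etc/motd .."
  cat <<'EOT' >> /etc/motd
*****************************************************************************
* Welcome to AltaGrade Optimized Operating System!                          *
*                                                                           *
* If you encounter any issues with the server, then please browse our Help  *
* section on https://www.altagrade.com/docs first. And if you couldn't find *
* any solution, then submit a support request at https://my.altagrade.com.  *
*                                                                           *
*****************************************************************************
EOT
  echo ".. done"
fi

if ! grep -Fq "update-webmin" /root/.bashrc 2>/dev/null; then
  separator
  echo "Creating root aliases .."
  # Quoted delimiter: nothing below is expanded by this script; it is written
  # verbatim and interpreted by root's interactive shell.
  cat >> /root/.bashrc << 'EOF'
alias update-webmin='yes | /usr/libexec/webmin/update-from-repo.sh'
alias update-theme='yes | /usr/libexec/webmin/authentic-theme/theme-update.sh'
alias webminpass='/usr/libexec/webmin/changepass.pl /etc/webmin root'
alias ps10='ps -auxf | sort -nr -k 4 | head -10'
alias cpu10='ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10'
alias qchwr='drush pml --no-core --type=module --status=enabled --pipe | xargs drush -y dis'
alias repo='sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n'
alias psx="ps -eo pcpu,pid -o comm= | sort -k1 -n -r | head -12"
# Aliases get their arguments appended at use time; the former "$1" in a
# double-quoted alias expanded to nothing when .bashrc was sourced.
alias psg='ps fuxa | grep'
alias psm="ps -eo pmem,pcpu,rss,vsize,args | sort -k 1 -r | less"
alias eba='nano /etc/profile.d/globaliases.sh'
alias lba='source /etc/profile.d/globaliases.sh'
alias net1='rm -rf /etc/udev/rules.d/70-persistent-net.rules'
alias net2='nano /etc/resolv.conf'
alias net3='nano /etc/sysconfig/network-scripts/ifcfg*'
# add-vpn NAME: register a new WireGuard client on the VPN host.  NAME is
# interpolated into a remote shell command run under sudo, so it is
# shell-quoted first instead of being pasted in raw.
add-vpn() {
  ssh -t altagrade@vpn.altagrade.net -p 19759 "sudo /./etc/wireguard/add-client.sh $(printf '%q' "$1") && exit"
}
# snd PATH: push PATH to the server's root filesystem.  'IP' is a placeholder
# to replace with the target host.  The former '--rsh -av' consumed '-av' as
# the rsh command, so archive mode and verbosity were silently dropped.
snd() {
  rsync -av -e 'ssh -p 19759' --progress --partial "$1" root@IP:/
}
# sync two directories
# rsync -azP -e 'ssh -p 19759' local_dir root@IP:/remote_dir
EOF
  echo "..done"
fi

# NOTE(review): on dnf-based releases yum-cron is replaced by dnf-automatic and
# these files do not exist, so both steps below are no-ops there — confirm.
if grep -Fq 'update_messages = no' /etc/yum/yum-cron.conf 2>/dev/null; then
  separator
  echo "Enabling automatic OS updates .."
  for conf in /etc/yum/yum-cron.conf /etc/yum/yum-cron-hourly.conf; do
    sed -i -e 's/update_messages = no/update_messages = yes/' \
      -e 's/download_updates = no/download_updates = yes/' \
      -e 's/apply_updates = no/apply_updates = yes/' "$conf"
  done
  echo ".. done"
fi

if grep -Fq 'installonly_limit=5' /etc/yum.conf 2>/dev/null; then
  echo "Setting amount of installed kernels to 2 .."
  sed -i 's/installonly_limit=5/installonly_limit=2/' /etc/yum.conf
  systemctl enable yum-cron.service && systemctl start yum-cron.service
  echo ".. done"
fi

# Hook the login notifier into sshd's PAM stack.  pam_exec runs this script on
# every SSH session open, so it must stay root-owned and not group/world
# writable; only the mode is set here.
if [ -f /etc/ag/scripts/login-notify.sh ]; then
  chmod 755 /etc/ag/scripts/login-notify.sh
  append_once /etc/pam.d/sshd 'session optional pam_exec.so seteuid /etc/ag/scripts/login-notify.sh'
fi

# Previously appended unconditionally, which stacked duplicates on each run.
append_once /etc/security/limits.conf '* soft nofile 65535'
append_once /etc/security/limits.conf '* hard nofile 65535'

# NOTE(review): resolv.conf is rewritten by NetworkManager/dhclient on many
# hosts; this entry may not survive a network restart — confirm.
if ! grep -Fq 127.0.0.1 /etc/resolv.conf 2>/dev/null; then
  echo "nameserver 127.0.0.1" >> /etc/resolv.conf
fi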
1) Creating an 'altagrade' admin user
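# Section 1: create the 'altagrade' admin account (key-only SSH login,
# passwordless sudo via wheel) and harden sshd: custom port, no root login,
# no password authentication.  Runs once, keyed on the account not existing.
if ! id "altagrade" >/dev/null 2>&1; then
  [ "$(id -u)" -eq 0 ] || { echo "user creation must run as root" >&2; exit 1; }
  ssh_port=19759
  echo "=================================================================================="
  echo "Creating altagrade user .."

  # Lock the root password instead of deleting it: 'passwd -d' leaves an empty
  # password field, which a PAM stack with nullok accepts at the console.
  passwd -l root

  useradd -m -G wheel altagrade || { echo "useradd altagrade failed" >&2; exit 1; }
  # Unused random password: login is by SSH key and sudo is passwordless, but
  # the account must not be left with an empty password field.
  openssl rand -base64 12 | passwd --stdin altagrade

  echo "Setting %wheel group members passwordless sudoers .."
  # A visudo-checked drop-in instead of sed on /etc/sudoers: an edit that
  # breaks sudoers syntax locks every admin out of sudo.  Relies on the stock
  # '#includedir /etc/sudoers.d' line; the last matching rule wins, so this
  # overrides the default password-requiring %wheel entry.
  printf '%%wheel\tALL=(ALL)\tNOPASSWD: ALL\n' > /etc/sudoers.d/wheel-nopasswd
  chmod 440 /etc/sudoers.d/wheel-nopasswd
  if ! visudo -cf /etc/sudoers.d/wheel-nopasswd; then
    rm -f /etc/sudoers.d/wheel-nopasswd
    echo "sudoers drop-in failed validation" >&2
    exit 1
  fi

  # Key directory owned by the user with sshd's expected modes (700/600) so
  # StrictModes accepts it and the user can manage their own keys.
  install -d -m 700 -o altagrade -g altagrade /home/altagrade/.ssh
  # Baked-in admin keys: whoever holds a matching private key gets root via
  # passwordless sudo on every host provisioned with this script.  Keep the
  # list under review and rotate it when an operator leaves.
  cat >> /home/altagrade/.ssh/authorized_keys <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC753VZbicoElj5moS0XZ70ERwse483Cuqc6Jf3YXJvn4+ZGzdjUsUI4+0GHK0aufeFh4YNZQ9QoQnM/3HUKZIGm3/2lYvzY1Z2YtyWz57LSX6o+oskq01Pe+3g+sxbt1yOW/KhClVhTSNzFPtMV5h4//JLxdO1Z6pctXSgq2COZ9fnEAm/AzmYFpuNvg0JmNdWuFkvnSKZrkt9hmw72TTjTE+p9DviTmoq4GCr6l2Pg4y6oTlyQ595yi6wDZe0JK7cdkKMsA4U6kAyHqci7zXOu7HjLdYcKZCohCp/iddHZbERmlZuS1eGbiARYtBZb9FNdUmnUB3nggb4DU3FPeDl
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGfQcSb8ATF0+1LZTEFEXvTz9tl67VDr+Zklu5YJhWajezq6hom4RZ3wWZd01P6qIsqy+wbcY+9NGo/sjU5dRg70lRMYzOU0fX5qz8mz/I3EiXBjSu2Pv2gAKj6ajX0ifMXwNcZkxNX2BLIbHgjSsw9ci5L610gFGjR65q66jjwAIDZP+Ohih7oerfK1LWRcNIsrkUTVSbVWJQytiiyH9Up9Q5wzIceq7H2Kc4GUS0FYKM52oNhpGSD9hPR449w528/hEBeHr1rAT294qZYR59jrZYTtlwOcXU/JlOef0n+G4++dd75zQZ+/NZCh8S+kuYY+Lzip2W6EzMpUvmPVih nurlan bayaman@BNx230
EOF
  chmod 600 /home/altagrade/.ssh/authorized_keys
  chown altagrade:altagrade /home/altagrade/.ssh/authorized_keys
  restorecon -R -v /home/altagrade/.ssh

  # Match the directive whether it is the commented stock default or already
  # active; the former patterns only matched the commented form, so on a
  # release shipping 'PermitRootLogin yes' uncommented root login stayed open.
  sed -i -E "s/^#?Port .*/Port ${ssh_port}/" /etc/ssh/sshd_config
  sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
  sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config

  # Label the new port before sshd tries to bind it; '-m' covers a re-run
  # where the port is already defined.
  dnf -y install policycoreutils-python-utils
  semanage port -a -t ssh_port_t -p tcp "$ssh_port" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$ssh_port"

  # NOTE(review): disabling SELinux is a deliberate choice of the original
  # script and removes a whole mitigation layer; it also makes the port
  # labelling above moot after the next reboot.
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

  # Validate before restarting: a bad sshd_config would otherwise leave the
  # host unreachable.  Firewall rules for the new port are not handled here.
  sshd -t || { echo "sshd_config failed validation; sshd not restarted" >&2; exit 1; }
  systemctl restart sshd
  echo ".. done"
fi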
2) Creating global aliases for user SSH sessions