
Set up the altagrade user and SSH configuration

Submitted by Nurlan Bayaman on Wed, 07/01/2020 - 16:43

Auth and SSH configuration


0) Setting up and configuring the system

# Keep the system time zone at UTC; the symlink target is the source of truth,
# so a real file or a link to any other zone gets replaced.
if [ "$(readlink /etc/localtime)" != "/usr/share/zoneinfo/UTC" ]; then
  printf '%s\n' "==================================================================================" "Setting local time to UTC .."
  # -sfn replaces whatever is there (file or link) in one step.
  ln -sfn /usr/share/zoneinfo/UTC /etc/localtime
  printf '%s\n' ".. done"
fi
 
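# Backup area: /home/backup on the data volume, exposed as /backup.
if [ ! -d /home/backup ]; then
  echo "=================================================================================="
  echo "Creating /home/backup directory .."
  mkdir /home/backup
  # NOTE(review): created with root's umask (usually 0755).  If the backups
  # hold database dumps or site files, 0700 would keep them from other local
  # users — confirm who needs to read this directory before tightening it.
  echo "Creating a symlink /backup to /home/backup .."
  # Only link when /backup is not already there: "ln -s" into an existing
  # directory would silently create /backup/backup instead of the intended link.
  if [ -e /backup ] || [ -L /backup ]; then
    echo "/backup already exists, leaving it untouched" >&2
  else
    ln -s /home/backup /backup
  fi
  echo ".. done"
fi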
 
# Scratch area for site sandboxes; created on the first run only.
if ! [ -d /sandbox ]; then
  printf '%s\n' "==================================================================================" "Creating /sandbox directory .."
  mkdir /sandbox
  printf '%s\n' ".. done"
fi
 
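# Enable nano's stock syntax-highlighting includes.  The nanorc.nanorc include
# is checked because it is the last one edited, so a partially-applied run is
# still detected and completed.
if grep -Fq '# include "/usr/share/nano/nanorc.nanorc"' /etc/nanorc
then
  echo "=================================================================================="
  echo "Colorifying the Nano editor .."
  # "-i" and "-e" are passed separately: "sed -ie" is parsed as -i with backup
  # suffix "e" and left a stray /etc/nanorce file behind on every run.
  # NOTE(review): an include of a file that is not installed makes nano print an
  # error at startup — confirm each syntax file exists on the target image.
  for syntax in sh java python patch php c css html man perl ruby xml nanorc; do
    sed -i -e "s|# include \"/usr/share/nano/${syntax}.nanorc\"|include \"/usr/share/nano/${syntax}.nanorc\"|" /etc/nanorc
  done
  echo ".. done"
fi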
 
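# Seed root's crontab with the AltaGrade usage header before other scripts start
# appending their own jobs.  The header line doubles as the idempotence marker.
if ! grep -Fq "Example of cron job definition on AltaGrade servers" /var/spool/cron/root 2>/dev/null
then
  echo "=================================================================================="
  echo "Setting up cron definitions .."
  # Assemble the new crontab in a temp file inside the spool directory so the
  # final mv is atomic and crond never reads a half-written file.  The previous
  # "cat root temp > root" truncated root before cat read it, so the header was
  # lost and only the old entries survived (and the guard above never matched).
  cron_tmp=$(mktemp /var/spool/cron/.root.XXXXXX) || { echo "mktemp failed" >&2; exit 1; }
cat > "${cron_tmp}" << 'EOF'
# Example of cron job definition on AltaGrade servers:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
#
# 1. Entry: Minute when the process will be started [0-60]
# 2. Entry: Hour when the process will be started [0-23]
# 3. Entry: Day of the month when the process will be started [1-28/29/30/31]
# 4. Entry: Month of the year when the process will be started [1-12]
# 5. Entry: Weekday when the process will be started [0-6] [0 is Sunday]
#
# every x min = */x
# So according to this your 5 8 * * 6 would run 8:05 every Saturday.
# Ex: 39 * * * * wget -O - -q -t 1 http://YourDrupalSite.com/cron.php?key=YourDrupalSiteCronKeyHere
EOF
  # Keep any jobs that already exist; root may not have a crontab yet.
  if [ -f /var/spool/cron/root ]; then
    cat /var/spool/cron/root >> "${cron_tmp}"
  fi
  # Crontabs can embed secrets (e.g. the cron key in URLs); keep them root-only.
  chmod 0600 "${cron_tmp}"
  mv -f "${cron_tmp}" /var/spool/cron/root
  echo "..done"
fi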
 
# Pre-login SSH banner (ASCII-art logo).  Written only when /etc/banner is
# missing or empty; the delimiter is quoted so the art is copied literally.
if [ ! -s /etc/banner ]
then
  echo "=================================================================================="
  echo "Creating /etc/banner .."
cat <<'EOT' >> /etc/banner
 
 
     **      **   **               ********                        **        
    ****    /**  /**              **//////**                      /**        
   **//**   /** ******  ******   **      //  ******  ******       /**  ***** 
  **  //**  /**///**/  //////** /**         //**//* //////**   ****** **///**
 ********** /**  /**    ******* /**    ***** /** /   *******  **///**/*******
/**//////** /**  /**   **////** //**  ////** /**    **////** /**  /**/**//// 
/**     /** ***  //** //******** //******** /***   //********//******//******
//      // ///    //   ////////   ////////  ///     ////////  //////  //////                                                                               
 
 
EOT
  echo ".. done"
fi
 
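# Point sshd at the pre-login banner.  Three cases: already configured (nothing
# to do), the stock commented-out directive (rewrite it in place), or no Banner
# line at all (append one).  The first case was missing before, so every re-run
# appended another "Banner /etc/banner" to sshd_config.
if ! grep -Eq '^Banner[[:space:]]+/etc/banner[[:space:]]*$' /etc/ssh/sshd_config
then
  if grep -Fq "#Banner none" /etc/ssh/sshd_config
  then
    # "-i" and "-e" are separate flags: "sed -ie" would be read as -i with
    # backup suffix "e" and leave a stray /etc/ssh/sshd_confige behind.
    sed -i -e '/#Banner none/c\Banner /etc/banner' /etc/ssh/sshd_config
  else
    echo 'Banner /etc/banner' >> /etc/ssh/sshd_config
  fi
fi
# NOTE(review): sshd is only restarted by the first-run user setup further down;
# a later run that changes this line needs a reload to take effect.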
 
# Post-login message of the day, appended once (the "Welcome" line is the marker).
if ! grep -Fq "Welcome" /etc/motd
then
  printf '%s\n' "==================================================================================" "Creating /etc/motd .."
cat <<'EOT' >> /etc/motd
*****************************************************************************
*             Welcome to AltaGrade Optimized Operating System!              *
*                                                                           *
* If you encounter any issues with the server, then please browse our Help  *
* section on https://www.altagrade.com/docs first. And if you couldn't find *
* any solution, then submit a support request at https://my.altagrade.com.  *
*                                                                           *
*****************************************************************************
EOT
  printf '%s\n' ".. done"
fi
 
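# Root-only shell helpers, appended once to /root/.bashrc.  The heredoc
# delimiter is quoted so nothing inside is expanded at install time.
if ! grep -Fq "update-webmin" /root/.bashrc; then
  echo "=================================================================================="
  echo "Creating root aliases .."
  cat >> /root/.bashrc << 'EOF'
# NOTE: "yes |" auto-accepts every prompt of the Webmin updaters; review what
# they pull in before running them unattended.
alias update-webmin='yes | /usr/libexec/webmin/update-from-repo.sh'
alias update-theme='yes | /usr/libexec/webmin/authentic-theme/theme-update.sh'
alias webminpass='/usr/libexec/webmin/changepass.pl /etc/webmin root'
alias ps10='ps -auxf | sort -nr -k 4 | head -10'
alias cpu10='ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10'
alias qchwr='drush pml --no-core --type=module --status=enabled --pipe | xargs drush -y dis'
alias repo='sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n'
alias psx="ps -eo pcpu,pid -o comm= | sort -k1 -n -r | head -12"
# Aliases cannot take arguments: the old alias psg="ps fuxa |grep $1" expanded
# $1 (empty) when .bashrc was sourced, leaving a bare "grep" with no pattern.
psg() { ps fuxa | grep -- "$1"; }
alias psm="ps -eo pmem,pcpu,rss,vsize,args | sort -k 1 -r | less"
alias eba='nano /etc/profile.d/globaliases.sh'
alias lba='source /etc/profile.d/globaliases.sh'
 
alias net1='rm -rf /etc/udev/rules.d/70-persistent-net.rules'
alias net2='nano /etc/resolv.conf'
alias net3='nano /etc/sysconfig/network-scripts/ifcfg*'
 
# Ask the VPN host to create a WireGuard client.
# The client name is shell-quoted with printf %q before it is embedded in the
# remote command string; previously a bare ${1} let a name containing spaces,
# ';' or '$(...)' inject extra commands into the remote sudo invocation.
# The "/./etc" path is kept as found (presumably what the VPN host's sudoers
# rule matches — verify before changing it).
add-vpn() {
  local client
  client=$(printf '%q' "$1")
  ssh -t altagrade@vpn.altagrade.net -p 19759 "sudo /./etc/wireguard/add-client.sh ${client} && exit"
}
 
# Push a local path to the root of a remote host over the non-standard SSH port.
# Usage: snd <local_path> [user@host]   (the default "root@IP" is a placeholder)
# The old form "rsync --rsh -av ..." handed "-av" to --rsh as its argument, so
# archive mode and verbosity were silently dropped.
snd() {
  rsync -av -e 'ssh -p 19759' --progress --partial "$1" "${2:-root@IP}:/"
}
 
# sync two directories
# rsync -azP -e 'ssh -p 19759' local_dir root@IP:/remote_dir
 
EOF
echo "..done"
fi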
 
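# Turn on unattended yum-cron updates (download + apply) in both the daily and
# the hourly profile.  The daily profile gates the block; a missing hourly
# profile is skipped instead of aborting the sed run.
# NOTE(review): the user-setup step below installs packages with dnf, which
# suggests a dnf-based release where yum-cron is replaced by dnf-automatic —
# confirm which updater package this image actually ships.
if grep -Fq 'update_messages = no' /etc/yum/yum-cron.conf
then
  echo "=================================================================================="
  echo "Enabling automatic OS updates .."
  for conf in /etc/yum/yum-cron.conf /etc/yum/yum-cron-hourly.conf; do
    [ -f "${conf}" ] || continue
    # "-i" and "-e" given separately: "sed -ie" meant -i with backup suffix "e"
    # and left yum-cron.confe / yum-cron-hourly.confe behind.
    sed -i \
      -e 's/update_messages = no/update_messages = yes/' \
      -e 's/download_updates = no/download_updates = yes/' \
      -e 's/apply_updates = no/apply_updates = yes/' \
      "${conf}"
  done
  echo ".. done"
fi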
 
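# Keep only two installed kernels, then make sure the updater service is enabled
# and running.  The systemctl calls used to sit inside the installonly_limit
# branch, so they were skipped on every run after the first (or whenever the
# limit was already 2); enable/start are idempotent and now run every time.
if grep -Fq 'installonly_limit=5' /etc/yum.conf
then
  echo "Setting amount of installed kernels to 2 .."
  # "-i" and "-e" given separately; "sed -ie" left a stray /etc/yum.confe.
  sed -i -e 's/installonly_limit=5/installonly_limit=2/' /etc/yum.conf
  echo ".. done"
fi
systemctl enable yum-cron.service && systemctl start yum-cron.service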
 
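# Hook the login notifier into sshd's PAM session stack.  pam_exec runs the
# script with root privileges at every SSH login, so it must be root-owned and
# not writable by anyone else.  The grep guard stops re-runs from stacking
# duplicate "session" lines in /etc/pam.d/sshd.
if [ -f /etc/ag/scripts/login-notify.sh ]; then
  chown root:root /etc/ag/scripts/login-notify.sh
  chmod 0755 /etc/ag/scripts/login-notify.sh
  if ! grep -Fq '/etc/ag/scripts/login-notify.sh' /etc/pam.d/sshd; then
    echo 'session optional pam_exec.so seteuid /etc/ag/scripts/login-notify.sh' >> /etc/pam.d/sshd
  fi
fi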
 
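# Raise the per-process open-file limit for all users.  Guarded so a re-run
# does not append another identical pair of lines to limits.conf.
if ! grep -Eq '^\*[[:space:]]+hard[[:space:]]+nofile[[:space:]]+65535' /etc/security/limits.conf; then
  echo '*               soft    nofile            65535' >> /etc/security/limits.conf
  echo '*               hard    nofile            65535' >> /etc/security/limits.conf
fi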
 
# Make sure a local resolver is listed.  The entry is appended, so it is only
# consulted after the nameservers already present.
# NOTE(review): where NetworkManager or a DHCP client owns /etc/resolv.conf this
# edit is overwritten at the next lease renewal — verify on the target image.
grep -q 127.0.0.1 "/etc/resolv.conf" || echo "nameserver 127.0.0.1" >> /etc/resolv.conf

1) Creating an 'altagrade' admin user

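# Create the 'altagrade' admin account: key-only SSH on a non-standard port,
# passwordless sudo through wheel, root SSH login disabled.  Runs once per host.
if ! id "altagrade" >/dev/null 2>&1; then
  echo "=================================================================================="
  echo "Creating altagrade user .."
  # Lock root's password instead of deleting it.  "passwd -d" leaves an empty
  # password field, and with pam_unix's usual "nullok" that lets anyone su or
  # log in as root with a blank password.  "-l" disables password logins for
  # root while keeping sudo/key access intact.  (If an out-of-band console
  # login as root is required, set a real root password instead.)
  passwd -l root
  useradd -G wheel altagrade
  # The account is reached with keys only; the random password merely unlocks
  # it (useradd creates it locked) and is deliberately not recorded anywhere.
  openssl rand -base64 12 | passwd altagrade --stdin

  echo "Setting %wheel group members passwordless sudoers .."
  # Rewrite sudoers into a temp copy and let visudo validate it before it is
  # installed: a syntax error in /etc/sudoers disables sudo entirely, and with
  # root's password locked that would lock the operator out of the host.
  # The two substitutions comment out "%wheel ALL=(ALL) ALL" and uncomment the
  # stock "# %wheel ALL=(ALL) NOPASSWD: ALL" line, as the original sed pair did.
  sudoers_tmp=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
  sed -e 's/%wheel/#%wheel/' -e 's/# #%wheel/%wheel/' /etc/sudoers > "${sudoers_tmp}"
  if visudo -cf "${sudoers_tmp}" >/dev/null; then
    install -o root -g root -m 0440 "${sudoers_tmp}" /etc/sudoers
  else
    echo "Refusing to install /etc/sudoers: visudo -c failed on the edited copy" >&2
  fi
  rm -f "${sudoers_tmp}"

  # Operator public keys.  Ownership and modes are set explicitly: sshd's
  # StrictModes rejects a key file that is group/world writable, and a
  # root-owned ~/.ssh leaves the user unable to manage its own keys.
  # NOTE(review): these keys grant root-equivalent (NOPASSWD sudo) access to
  # every host built with this script; keep the list reviewed and current.
  install -d -o altagrade -g "$(id -gn altagrade)" -m 0700 /home/altagrade/.ssh
  cat >> /home/altagrade/.ssh/authorized_keys << 'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC753VZbicoElj5moS0XZ70ERwse483Cuqc6Jf3YXJvn4+ZGzdjUsUI4+0GHK0aufeFh4YNZQ9QoQnM/3HUKZIGm3/2lYvzY1Z2YtyWz57LSX6o+oskq01Pe+3g+sxbt1yOW/KhClVhTSNzFPtMV5h4//JLxdO1Z6pctXSgq2COZ9fnEAm/AzmYFpuNvg0JmNdWuFkvnSKZrkt9hmw72TTjTE+p9DviTmoq4GCr6l2Pg4y6oTlyQ595yi6wDZe0JK7cdkKMsA4U6kAyHqci7zXOu7HjLdYcKZCohCp/iddHZbERmlZuS1eGbiARYtBZb9FNdUmnUB3nggb4DU3FPeDl
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGfQcSb8ATF0+1LZTEFEXvTz9tl67VDr+Zklu5YJhWajezq6hom4RZ3wWZd01P6qIsqy+wbcY+9NGo/sjU5dRg70lRMYzOU0fX5qz8mz/I3EiXBjSu2Pv2gAKj6ajX0ifMXwNcZkxNX2BLIbHgjSsw9ci5L610gFGjR65q66jjwAIDZP+Ohih7oerfK1LWRcNIsrkUTVSbVWJQytiiyH9Up9Q5wzIceq7H2Kc4GUS0FYKM52oNhpGSD9hPR449w528/hEBeHr1rAT294qZYR59jrZYTtlwOcXU/JlOef0n+G4++dd75zQZ+/NZCh8S+kuYY+Lzip2W6EzMpUvmPVih nurlan bayaman@BNx230
EOF
  chown altagrade:"$(id -gn altagrade)" /home/altagrade/.ssh/authorized_keys
  chmod 0600 /home/altagrade/.ssh/authorized_keys
  restorecon -R -v /home/altagrade/.ssh

  # Harden sshd.  The patterns accept both the commented-out stock defaults and
  # already-active directives: the old "s/#PermitRootLogin yes/.../" form did
  # nothing on a config where the line was uncommented (and the
  # "s/PasswordAuthentication yes/.../" form did nothing where it was commented),
  # leaving root login or password auth enabled while the script reported success.
  sed -i -E \
    -e 's/^#?Port[[:space:]]+22[[:space:]]*$/Port 19759/' \
    -e 's/^#?PermitRootLogin[[:space:]]+.*/PermitRootLogin no/' \
    -e 's/^#?PasswordAuthentication[[:space:]]+.*/PasswordAuthentication no/' \
    /etc/ssh/sshd_config
  dnf -y install policycoreutils-python-utils
  # Label the new port for SELinux; "-a" fails if the port already has a record,
  # so fall back to modifying it.
  semanage port -a -t ssh_port_t -p tcp 19759 || semanage port -m -t ssh_port_t -p tcp 19759
  # NOTE(review): kept as found.  Disabling SELinux at the next boot makes the
  # port labelling above moot and removes a whole confinement layer;
  # "permissive" would at least keep audit logging.  Confirm this is intended.
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  # Validate the config before restarting: a broken sshd_config would leave the
  # daemon down, and SSH is the only remote path into the host.
  # NOTE(review): nothing here opens tcp/19759 in firewalld/iptables — confirm
  # any host firewall allows the new port before closing the current session.
  if sshd -t; then
    service sshd restart
  else
    echo "sshd_config failed validation (sshd -t); sshd NOT restarted" >&2
  fi
  echo ".. done"
fi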

2) Creating global aliases for user SSH sessions
