#!/bin/bash
|
|
# Run this as root user
|
|
# This part is for hardening the server and setting up a user account
|
|
|
|
if [ `whoami` != "root" ];
|
|
then
|
|
echo "You must run this script as root"
|
|
exit 1
|
|
fi
|
|
|
|
USER="tmuser"
|
|
OPEN_PORTS=(46656 46657 46658 46659 46660 46661 46662 46663 46664 46665 46666 46667 46668 46669 46670 46671)
|
|
SSH_PORT=20
|
|
WHITELIST=()
|
|
|
|
# update and upgrade
|
|
apt-get update -y
|
|
apt-get upgrade -y
|
|
|
|
# fail2ban for monitoring logins
|
|
apt-get install -y fail2ban
|
|
|
|
# set up the network time daemon
|
|
apt-get install -y ntp
|
|
|
|
# install dependencies
|
|
apt-get install -y make screen gcc git mercurial libc6-dev pkg-config libgmp-dev
|
|
|
|
# set up firewall
|
|
echo "ENABLE FIREWALL ..."
|
|
# white list ssh access
|
|
for ip in "${WHITELIST[@]}"; do
|
|
ufw allow from $ip to any port $SSH_PORT
|
|
done
|
|
if [ ${#WHITELIST[@]} -eq 0 ]; then
|
|
ufw allow $SSH_PORT
|
|
fi
|
|
# open ports
|
|
for port in "${OPEN_PORTS[@]}"; do
|
|
ufw allow $port
|
|
done
|
|
# apply
|
|
ufw enable
|
|
|
|
# watch the logs and have them emailed to me
|
|
# apt-get install -y logwatch
|
|
# echo "/usr/sbin/logwatch --output mail --mailto $ADMIN_EMAIL --detail high" >> /etc/cron.daily/00logwatch
|
|
|
|
# set up user account
|
|
echo "CREATE USER $USER ..."
|
|
useradd $USER -d /home/$USER
|
|
# This user should not have root access.
|
|
# usermod -aG sudo $USER
|
|
mkdir /home/$USER
|
|
cp /etc/skel/.bashrc .
|
|
cp /etc/skel/.profile .
|
|
chown -R $USER:$USER /home/$USER
|
|
|
|
echo "Done setting env. Switching to $USER..."
|
|
su $USER
|