installBase.sh

#!/bin/bash - 
#
# Copyright (C) 2017  Tetras Libre <admin@tetras-libre.fr>
# Author: Curt, Sebastien <sebastien.curt@tetras-libre.fr>
#
# This program is free software: you can redistribute it and/or modify # it
# under the terms of the GNU General Public License as published by # the Free
# Software Foundation, either version 3 of the License, or # (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful, # but WITHOUT
# ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the # GNU General Public License for
# more details.
#
# You should have received a copy of the GNU General Public License # along
# with this program.  If not, see <http://www.gnu.org/licenses/>.

set -o nounset                              # Treat unset variables as an error

apt-get clean

# Add stable backports to source.list and set preferences
if  ! $(grep -Rq "jessie-backports" /etc/apt/sources.list /etc/apt/sources.list.d)
then
    (
    echo -n "deb http://httpredir.debian.org/debian jessie-backports "
    echo  "main contrib non-free"
    ) > /etc/apt/sources.list.d/backports.list
fi

if ! $(grep -Rq "jessie-backports" /etc/apt/preferences /etc/apt/preferences.d)
then
    (
    echo "Package: python*"
    echo "Pin: release a=jessie-backports"
    echo "Pin-Priority: 900"
    ) > /etc/apt/preferences.d/backports
fi

if [ "${WEB_SERVER}" == "apache2" ]
then
    export WEB_SERVER_PACKAGES="apache2 libapache2-mod-php"
else
    export WEB_SERVER_PACKAGES="nginx-extras php-fpm"
fi

apt-get update

DEBIAN_FRONTEND='noninteractive' apt-get -qq install \
    apt-transport-https \
    aptitude \
    clamav \
    clamav-daemon \
    cpufrequtils \
    dbus \
    debian-goodies \
    fail2ban \
    git \
    lm-sensors \
    make \
    ntp \
    pandoc \
    php \
    php-apcu \
    php-curl \
    php-gd \
    php-intl \
    php-mcrypt \
    php-mysql \
    postfix \
    rkhunter \
    openssh-server \
    tar \
    tmux \
    ufw \
    unattended-upgrades \
    vim-nox \
    ${WEB_SERVER_PACKAGES} \
    wget

# Configure UFW
ufw allow ssh
ufw allow http
ufw allow https
ufw enable

# Clamav entry for weekly analysis
systemctl enable clamav-daemon
systemctl start clamav-daemon
line="0 1 * * 1 $PWD/clamav-weekly.sh > /dev/null 2>&1"
(crontab -l; echo "${line}") | crontab -

# Rkhunter config
echo "PKGMGR=DPKG" >> /etc/rkhunter.conf
sed -ie 's/#ALLOW_SSH_ROOT_USER=no/ALLOW_SSH_ROOT_USER=yes/' /etc/rkhunter.conf
if [ `grep -c Protocol /etc/ssh/sshd_config` -eq 0 ]
then
    echo "Protocol 2" >> /etc/ssh/sshd_config
    systemctl restart ssh
    echo "Please retest ssh connexion before exiting this session"
fi
echo "ALLOWHIDDENDIR=/etc/.java" >> /etc/rkhunter.conf
sed -ie 's@^\s*\(WEB_CMD="/bin/false"\)@# \1@' /etc/rkhunter.conf
rkhunter --update > /dev/null
rkhunter --propupdate
rkhunter --sk -c

# Health report
# line="0 7 * * 1 $PWD/healthReport.sh -m 'Rapport de santé hebdomadaire' > /dev/null 2>&1"
# (crontab -l; echo "${line}") | crontab -

# Allow maintenance operations:
mkdir -p /root/.ssh
cat id_rsa.pub >> /root/.ssh/authorized_keys
chmod 600  /root/.ssh/authorized_keys

#Fail 2 ban
cp ./etc/fail2ban/* /etc/fail2ban
systemctl restart fail2ban

#Ssh
cp ./etc/ssh/* /etc/ssh
systemctl restart ssh

#eth0
echo -e "auto eth0\nallow-hotplug eth0\niface eth0 inet dhcp" \
    >> /etc/network/interface