Compare commits
4 Commits
3e5fef7215
...
prod
| Author | SHA1 | Date | |
|---|---|---|---|
| 2347d0227a | |||
|
|
c0c155b322 | ||
|
|
f7e727d2fd | ||
|
|
22a31c200e |
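--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -0,0 +1,176 @@
+#!/bin/bash
+
+### 1. VARIABLES
+MOTD="/etc/update-motd.d/01-custom"
+REBOOTBIN="/usr/sbin/reboot"
+REBOOTBINOLD="/usr/sbin/reboot.old"
+SHUTBIN="/usr/sbin/shut"
+SCRIPTSDIR="/root/scripts"
+REBOOTHANDLER="/root/scripts/reboot_handler.sh"
+CRONTABTMP="/tmp/crontab.root.tmp"
+HOSTNAME=$(hostname)
+KEYFILE="/root/.ssh/id_ed25519"
+
+
+## 2. ALIASES
+echo "alias ll='ls -l --color=auto'" >> ~/.bashrc
+echo "alias l='ls -lAh --color=auto'" >> ~/.bashrc
+source ~/.bashrc
+
+
+## 3. UPDATE & ESSENTIALS
+apt update && apt -o Dpkg::Options::="--force-confold" upgrade -y
+apt install -y vim inxi fastfetch htop ncdu net-tools
+
+timedatectl set-timezone Europe/Paris
+
+# VIM CONFIG
+VIMDEF=$(find /usr/share/vim -type f -name defaults.vim | head -n1)
+[ -f "$VIMDEF" ] && sed -i 's/set mouse=a/set mouse=/g' "$VIMDEF"
+
+# MOTD CUSTOMIZATION
+rm -rf /etc/motd /etc/update-motd.d/*
+cat << 'EOF' > $MOTD
+#!/bin/bash
+RED='\033[0;31m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+echo -e "${RED} GENERAL SYSTEM INFORMATION ${NC}"
+echo
+script -q -c '/usr/bin/fastfetch' /dev/null
+echo
+echo -e "${RED} SYSTEM DISK USAGE ${NC}"
+export TERM=xterm; inxi -D
+echo
+echo -e "${RED} LAST REBOOT STATUS ${NC}"
+tail -n 4 /var/log/reboot.log
+echo
+apt update -qq > /dev/null 2>&1
+updates=$(apt list --upgradable 2>/dev/null | grep -v "^Listing" | wc -l)
+if [ "$updates" -gt 0 ]; then
+echo -e "${RED} APT UPDATE RESULT ${NC}"
+echo "$updates package updates available"
+fi
+EOF
+chmod +x $MOTD
+
+
+### 4. Hardening binaries
+# REBOOT WRAPPER
+mv $REBOOTBIN $REBOOTBINOLD
+cat << 'EOF' > $REBOOTBIN
+#!/bin/bash
+touch /var/log/restart-flag
+sleep 1
+/usr/sbin/reboot.old
+EOF
+chmod +x $REBOOTBIN
+
+# SHUTDOWN WRAPPER
+cat << 'EOF' > $SHUTBIN
+#!/bin/bash
+touch /var/log/restart-flag
+sleep 1
+shutdown -h now
+EOF
+chmod +x $SHUTBIN
+
+
+### 5. REBOOT HANDLER
+mkdir -p $SCRIPTSDIR
+cat << 'EOF' > $REBOOTHANDLER
+#!/bin/bash
+FLAG='/var/log/restart-flag'
+FLAG2='/var/log/scheduled-flag'
+LOG='/var/log/reboot.log'
+
+if [ -f "$FLAG" ]; then
+echo '--------------------------------' >> "$LOG"
+date >> "$LOG"
+echo '* REBOOT OK : command exec *' >> "$LOG"
+echo '--------------------------------' >> "$LOG"
+rm -f "$FLAG"
+elif [ -f "$FLAG2" ]; then
+echo '---------------------------------' >> "$LOG"
+date >> "$LOG"
+echo '* REBOOT PLANNED : crontab *' >> "$LOG"
+echo '---------------------------------' >> "$LOG"
+rm -f "$FLAG2"
+else
+date >> "$LOG"
+echo '* REBOOT ERROR : not planned *' >> "$LOG"
+echo '---------------------------------' >> "$LOG"
+fi
+EOF
+chmod +x $REBOOTHANDLER
+
+# CRONTAB SETUP
+crontab -l 2>/dev/null > $CRONTABTMP || true
+echo "@reboot /root/scripts/reboot_handler.sh" >> $CRONTABTMP
+crontab $CRONTABTMP
+rm -f $CRONTABTMP
+
+# INIT LOG FILE
+touch /var/log/reboot.log
+
+
+### 6. Ajout route VPN
+echo "up ip route add 10.8.0.0/24 via 192.168.1.200" >> /etc/network/interfaces
+systemctl restart networking
+
+
+### 7. Hardening SSH
+echo "AllowUsers root@192.168.1.250 #(PC_Aurel)" >> /etc/ssh/sshd_config
+echo "AllowUsers root@10.8.0.3 #(asus_r409l via VPN)" >> /etc/ssh/sshd_config
+systemctl restart sshd
+
+# Préparation clé SSH root
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
+ssh-keygen -t ed25519 -C "$HOSTNAME" -f "$KEYFILE" -N ""
+
+# Ajouter la clé publique dans authorized_keys
+cat "${KEYFILE}.pub" >> /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+
+
+### 8. Création du script first-login
+cat << 'EOF' > /root/first-login.sh
+#!/bin/bash
+
+KEYFILE="/root/.ssh/id_ed25519"
+
+echo
+echo "==============================="
+echo " Clé privée SSH à conserver !"
+echo "==============================="
+echo
+cat "${KEYFILE}"
+echo
+echo "==============================="
+
+# Suppression de la clé privée
+rm -f "${KEYFILE}"
+
+# Durcissement SSH
+sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/^#\?AuthorizedKeysFile.*/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+
+systemctl restart sshd
+
+# Désactivation du hook
+rm -f /root/.bash_firstlogin
+EOF
+
+chmod +x /root/first-login.sh
+
+# Hook pour exécuter first-login au premier login root
+echo "/root/first-login.sh" > /root/.bash_firstlogin
+
+# Ajout dans .bashrc
+if ! grep -q bash_firstlogin /root/.bashrc; then
+echo '[ -f /root/.bash_firstlogin ] && bash /root/.bash_firstlogin' >> /root/.bashrc
+fi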
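Review bot: `mv $REBOOTBIN $REBOOTBINOLD` in section 4 is unguarded, so a second run of the script moves the wrapper itself onto `/usr/sbin/reboot.old` and the freshly written wrapper then calls itself in a loop; guard it with `[ -e "$REBOOTBINOLD" ] || mv -- "$REBOOTBIN" "$REBOOTBINOLD"` and, since the script runs without `set -e`, only write the wrapper when the move succeeded. The crontab step writes through the fixed path `/tmp/crontab.root.tmp`, which any local user can pre-create or point elsewhere before the script runs; use `CRONTABTMP=$(mktemp) || exit 1`, or pipe `crontab -l` straight into `crontab -` and drop the temp file entirely. In first-login.sh the root private key, generated with `-N ""`, is printed with `cat "${KEYFILE}"` so it lands in terminal scrollback and any session recording before it is `rm -f`'d; generating the key pair on the administrator's workstation and installing only the public key would keep the private key off the server altogether. Note also that `PasswordAuthentication no` and `PermitRootLogin prohibit-password` are applied only by first-login.sh, so password root login remains enabled between bootstrap and the first interactive root shell, and if the distribution's sshd_config starts with an `Include` of drop-in files those may still take precedence over the `sed -i` edits — worth verifying with `sshd -T` after the run. Expansions such as `$MOTD`, `$REBOOTBIN` and `$CRONTABTMP` should be double-quoted throughout.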