#!/bin/bash
#
# for installation of OS centos5, fedora7, freebsd, ubuntu
#
#   songbird
#
# linux partitioning:
# swap - 2G (twice memory)
# /boot - 120MB
# / - 4G
# /tmp - 4G
# /usr/local - 4G
# /home - 24G
# /var - all the rest
#
#   (bsd -- use default partitioning)
#
# turn off pxe boot
# record mac addrs for dhcp
# eth0: public address dhcp
# eth1: private address dhcp
#
# get these by wget http://songbird.com/sysfiles/sys-init
# get these by wget http://songbird.com/sysfiles/si
# 
#1) install /bin/me
#2) add users zero and kent
#3) copy keys for zero and kent and root
#4) set up some environment stuff
#5) run ntsysv to turn off unnecessary stuff (could script via chkconfig)
#6) set up ntp service

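# Pick the package-manager and init-script paths for the detected distro.
#   INSTALL      - command prefix used later to install missing packages
#   RC_LOCAL     - boot-time script that gets the keymap line appended
#   NTPD_RESTART - command used to restart ntpd after editing ntp.conf
# The variables are initialised empty first: on a box with neither marker
# file they used to stay unset, so later `$INSTALL ntp` ran the bare word
# "ntp" as a command and `>>$RC_LOCAL` became an ambiguous redirect.
INSTALL=""
RC_LOCAL=""
NTPD_RESTART=""

if [[ -e /etc/redhat-release ]] ; then
    INSTALL="/usr/bin/yum install"
    RC_LOCAL="/etc/rc.d/rc.local"
    NTPD_RESTART="/etc/init.d/ntpd restart"
fi

# Checked second, so a box carrying both markers is treated as Debian-like.
if [[ -e /etc/debian_version ]] ; then
    INSTALL="/usr/bin/apt-get install"
    RC_LOCAL="/etc/rc.local"
    NTPD_RESTART="/etc/init.d/ntp restart"
fi

if [[ -z "$INSTALL" ]] ; then
    echo "warning: neither /etc/redhat-release nor /etc/debian_version found;" \
         "steps that need INSTALL, RC_LOCAL or NTPD_RESTART may fail" >&2
fi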

# Make sure /root/etc exists (nothing else in this script refers to it).
if ! [[ -e /root/etc ]] ; then
    mkdir /root/etc
fi

#if /sbin/route -n |grep  '^0.0.0.0 '|grep eth0 >/dev/null ; then
##   default route is set to eth0; shut down other interface
#    /sbin/ifdown eth1
#fi
#if /sbin/route -n |grep  '^0.0.0.0 '|grep eth1 >/dev/null ; then
##   default route is set to eth1; shut down other interface
#    /sbin/ifdown eth0
#fi
## 
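# SONGBIRD is later used as a command (`if $SONGBIRD ; then`), so it must
# always hold a runnable path: /bin/true on songbird hosts, /bin/false
# elsewhere.  Previously it was left unset on non-songbird hosts; an unset
# variable expands to an empty command, which succeeds, so the
# songbird-only section ran on every machine.
SONGBIRD=/bin/false
if /bin/hostname | grep -q songbird ; then
# (disabled) earlier default-route and resolv.conf setup, kept for reference:
#    /sbin/route -n |grep '^0.0.0.0 ' >/dev/null || route add default gw 192.168.1.17
#    # set up resolv.conf
#    mv -f /etc/resolv.conf /etc/resolv.conf.dist
#    cat <<EOF >/etc/resolv.conf
#search songbird.com
#nameserver 72.52.113.2
#nameserver 72.52.113.3
#nameserver 67.114.146.49
#EOF
    SONGBIRD=/bin/true
fi

echo "songbird is $SONGBIRD"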

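# Install the site editor /bin/me if it is missing.
# The download is fetched over plain http from a hard-coded address and so
# cannot be authenticated by the transport; it is fetched into a temp file
# and only moved into /bin after wget reports success, so a failed or
# partial download no longer leaves a truncated /bin/me behind.
if [[ ! -e /bin/me ]] ; then
    me_tmp=""
    if me_tmp=$(mktemp /tmp/me.XXXXXX) \
       && wget -O "$me_tmp" http://208.184.79.7/sysfiles/me ; then
        # TODO: compare "$me_tmp" with the checksum published for `me`
        # (expected value not recorded here) before installing it.
        install -m 755 -- "$me_tmp" /bin/me
    else
        echo "warning: could not download /bin/me; skipping" >&2
    fi
    [[ -n "$me_tmp" ]] && rm -f -- "$me_tmp"
fi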


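# Comment out an active `clear` in the skeleton .bash_logout so new users
# keep their terminal scrollback on logout.  The guard now looks for an
# uncommented line containing "clear"; the original test was inverted and
# only ran the edit when no "clear" existed at all, i.e. it never changed
# anything.  Missing file: grep fails quietly and the edit is skipped.
if grep -q '^[^#].*clear' /etc/skel/.bash_logout 2>/dev/null ; then
    perl -pi.bak -e 's/^([^#].*clear)/#$1/;' /etc/skel/.bash_logout
fi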

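# Create "zero", a second UID 0 account with its own home directory.
# The account used to be created by appending raw lines to /etc/passwd and
# /etc/shadow, bypassing the locking and validation that useradd does;
# useradd -o permits the duplicate UID and leaves the password locked, so
# the only way in is the ssh key installed further down (as before).
# NOTE(review): a UID 0 alias is root for every purpose and shows up as
# such in audit trails; hardening checks commonly flag it.
if [[ ! -e /home/zero ]] ; then
    echo "creating zero's home directory"
    /bin/mkdir /home/zero
    /bin/cp /etc/skel/.??* /home/zero
    useradd -o -u 0 -g 0 -d /home/zero -s /bin/bash -M zero
    pwck
fi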

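# Public key that is granted login to zero, kent and root below.
# NOTE(review): the encoded modulus length (AAAAIEA after the exponent)
# looks like a 1024-bit RSA key, which is below current recommendations;
# worth rotating to a longer key or ed25519.
SONGBIRD_ADMIN_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzngktm1oLfBK+B6jzaoBdtZ4Ndpx/aFfvDmsQcfrUtypElmR9cPbP3GqDdcivQwjnePs/DXDTeiqbnLMzkx4+yCqBg0HvkzP/aJTSJEAc+ftAMvnyYAUqP2pIxvBloOwCY7ksOkuxeI8CaGdMSaiH3JcEigeuv8mdtpYc4IQ32M= kent@raven.songbird.com'

#######################################
# Create <home>/.ssh holding the admin key, unless the directory exists.
# Globals:   SONGBIRD_ADMIN_KEY (read)
# Arguments: $1 - home directory
#            $2 - owner for chown of the new directory (empty: leave as is)
# Outputs:   <home>/.ssh (mode 700) and authorized_keys (mode 600)
#######################################
install_admin_key() {
    local home=$1 owner=${2:-}
    local sshdir="$home/.ssh"
    [[ -e "$sshdir" ]] && return 0
    echo "setting up ssh in $sshdir"
    /bin/mkdir "$sshdir"
    /bin/chmod 700 "$sshdir"
    printf '%s\n' "$SONGBIRD_ADMIN_KEY" >>"$sshdir/authorized_keys"
    /bin/chmod 600 "$sshdir/authorized_keys"
    if [[ -n "$owner" ]] ; then
        /bin/chown -R "$owner:$owner" "$sshdir"
    fi
}

# zero is UID 0, so its files may stay root-owned.
install_admin_key /home/zero

# -m creates the home directory: on Debian/Ubuntu useradd does not do so by
# default, and the .ssh setup below needs /home/kent to exist.
if [[ ! -e /home/kent ]] ; then
    echo "adding 'kent'"
    useradd -m kent
fi

install_admin_key /home/kent kent
install_admin_key /root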

#
#   set up some environment stuff
#

# /etc/profile

printf '%s\n' 'setting up environment stuff'

# Append the site-wide shell defaults once; the RSYNC_RSH line marks a
# profile this script already touched.  TMOUT is set but not exported, so
# the idle timeout applies to the login shell itself only.
if ! grep -q RSYNC_RSH /etc/profile ; then
    printf '%s\n' 'setting up global /etc/profile'
    cat >>/etc/profile <<'EOF'
LESS='-iwX';export LESS
RSYNC_RSH=/usr/bin/ssh;export RSYNC_RSH
TMOUT=3600
EOF
fi


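# Per-user shell defaults for zero and kent.  Both profiles received the
# same block from two copies of the here-doc; the kent copy had lost its
# `echo` (the bare words "setting up kents profile" were executed as a
# command).  One helper now serves both.

#######################################
# Append the shell defaults to a .bash_profile unless already present.
# Arguments: $1 - path to the .bash_profile
#            $2 - label used in the progress message ("zeros", "kents")
# Outputs:   progress line on stdout; appends to $1
#######################################
append_user_profile() {
    local profile=$1 label=$2
    # RSYNC_RSH marks a profile that was already set up; a missing file
    # simply counts as "not set up" (grep's error is suppressed).
    if grep -q RSYNC_RSH "$profile" 2>/dev/null ; then
        return 0
    fi
    echo "setting up ${label} profile"
    # Quoted delimiter: $PATH must land in the file literally.
    cat >>"$profile" <<'EOF'
LESS='-iwX';export LESS
RSYNC_RSH=/usr/bin/ssh;export RSYNC_RSH
EDITOR=/bin/me; export EDITOR
TMOUT=3600
PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH
export PATH
EOF
}

append_user_profile /home/zero/.bash_profile zeros
append_user_profile /home/kent/.bash_profile kents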

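# Give root's crontab a field legend, once.  The original tested for the
# legend and then appended it in both branches, so every run added another
# copy.  Appending to the spool file directly rather than via `crontab`
# relies on cron noticing the changed mtime — presumably fine for vixie
# cron on these hosts, verify if the legend does not show up.
if [[ -e /var/spool/cron/root ]] ; then
    echo setting up cron
    if ! grep -q "#min hour day-of-month month day-of-week" /var/spool/cron/root ; then
        cat >>/var/spool/cron/root <<'EOF'
#min hour day-of-month month day-of-week
EOF
    fi
fi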
        

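#
#   make sure that control key works.  for this case we just map capslock to
#   control, since it's not that important to have a capslock
#
# keymap.local is a data file (despite living in /etc/init.d) loaded once now
# and again from rc.local at boot.  Two fixes: the redirect used to create
# the file even when dumpkeys failed, so the `! -e` guard then stopped every
# later run from retrying and an empty map was loaded at boot; and RC_LOCAL
# may be empty on an unknown distro, which made the append an error.
echo setting up key mapping
if [[ ! -e /etc/init.d/keymap.local ]] ; then
    echo 'defining keymap for console'
    if dumpkeys >/etc/init.d/keymap.local ; then
        perl -pi.bak -e 's/keycode  58 = Caps_Lock/keycode  58 = Control/' /etc/init.d/keymap.local
        loadkeys /etc/init.d/keymap.local
        if [[ -n "${RC_LOCAL:-}" ]] ; then
            printf '%s\n' '/bin/loadkeys /etc/init.d/keymap.local' >>"$RC_LOCAL"
        else
            echo "warning: RC_LOCAL is not set; keymap will not be reloaded at boot" >&2
        fi
    else
        # dumpkeys failed (no console keymap available): drop the empty file
        # so the next run tries again instead of loading an empty map.
        rm -f /etc/init.d/keymap.local
        echo "warning: dumpkeys failed; console keymap not changed" >&2
    fi
fi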


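#
#   be sure certain basic commands are installed
#
# Each entry is "binary to look for:package that provides it".  INSTALL is
# the distro's package-manager prefix from the top of the script; when it is
# empty (unknown distro) the original executed the bare package name as a
# command, so the step is skipped with a warning instead.
# NOTE(review): nmap is a network scanner; installing it on every server is
# a tooling choice worth revisiting for hosts that do not need it.
if [[ -n "${INSTALL:-}" ]] ; then
    for spec in /usr/sbin/ntpd:ntp /usr/bin/nmap:nmap /usr/bin/lynx:lynx ; do
        binary=${spec%%:*}
        package=${spec#*:}
        if [[ ! -e "$binary" ]] ; then
            # shellcheck disable=SC2086 -- INSTALL is "manager subcommand"; splitting is intended
            $INSTALL "$package"
        fi
    done
else
    echo "warning: INSTALL is not set; skipping package installation" >&2
fi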


#
#   Only for songbird hosts
#

printf '%s\n' 'Songbird specific setup'
if $SONGBIRD ; then

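echo "Doing songbird specific setup"
# Point ntpd at the site time server only (existing server/fudge lines are
# commented out).  Guarded on the server line: without it, a re-run
# commented out the line added last time and appended a fresh copy, so
# ntp.conf grew on every run.  Only a `server` line is written — no `keys`
# directive — so the site server is trusted for time without authentication.
if ! grep -q '^server 72.52.113.2' /etc/ntp.conf ; then
    perl -pi.bak -e 's/^server/#server/' /etc/ntp.conf
    perl -pi.bak -e 's/^fudge/#fudge/' /etc/ntp.conf
    printf '%s\n' 'server 72.52.113.2' >>/etc/ntp.conf
fi
# Step the clock once before the daemon takes over.
ntpdate 72.52.113.2
# NTPD_RESTART is "script action"; word splitting is intended.  It is empty
# on an unknown distro, in which case there is nothing to restart.
if [[ -n "${NTPD_RESTART:-}" ]] ; then
    # shellcheck disable=SC2086
    $NTPD_RESTART
fi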


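# Enable ssh agent forwarding in the client config.  The guard was inverted:
# it inserted the line only when "ForwardAgent yes" was already present, so
# the setting never got added.
# NOTE(review): the line lands outside any Host stanza, i.e. forwarding is
# on for every destination; any host an admin logs into can then use the
# agent for as long as the session lasts.  Restricting it to a
# `Host *.songbird.com` stanza would limit that exposure to the site's own
# machines.
if ! grep -q -s "ForwardAgent yes" /etc/ssh/ssh_config ; then
    perl -pi.bak -e 's/#   ForwardAgent no/#   ForwardAgent no\nForwardAgent yes/' /etc/ssh/ssh_config
fi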

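cd /etc/ssh
echo setting up ssh for songbird

# Client-side stanzas so that `ssh <host>` reaches the site's sshd on port 922.
# The original guard grep'd for a pattern containing literal double quotes
# (\"Host bywater.songbird.com\"), which never matches, and was inverted as
# well, so the stanzas were never appended.  The ~220-line here-doc is now
# generated from a host list; ssh_config keywords are case-insensitive, so
# the mixed "Host"/"host" spelling collapses to one form.  wrenp and sb6p
# gain an FQDN alias they lacked before; sbh16 is absent, as it was.
SONGBIRD_SSH_HOSTS=(joy bywater jay clyde sbc sbcp wren wrenp sb6 sb6p)
for n in 2 3 4 5 6 7 8 9 10 11 12 13 14 15 17 18 19 20 ; do
    SONGBIRD_SSH_HOSTS+=("sbh${n}" "sbh${n}p")
done

#######################################
# Print a Host/Port stanza for every name in SONGBIRD_SSH_HOSTS to stdout.
# Globals:   SONGBIRD_SSH_HOSTS (read)
#######################################
songbird_ssh_host_stanzas() {
    local h
    for h in "${SONGBIRD_SSH_HOSTS[@]}" ; do
        printf 'Host %s %s.songbird.com\n    Port 922\n\n' "$h" "$h"
    done
}

# bywater.songbird.com appears in exactly one generated stanza, so it marks
# a config this script already extended.
if ! grep -s -q 'bywater\.songbird\.com' /etc/ssh/ssh_config ; then
    songbird_ssh_host_stanzas >>/etc/ssh/ssh_config
fi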

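#
#   set up ssh
#
# Prepare an sshd_config copy that listens on port 922 and a firewall that
# admits port 922 from anywhere while rate-limiting port 22 to the listed
# networks.  Both steps run once, keyed on the existence of sshd_config.922.
# NOTE(review): nothing in this script activates sshd_config.922 (sshd is
# neither pointed at it nor restarted), so the port-922 rule below is only
# useful once that is done by hand or by another tool.
# NOTE(review): the RedHat boilerplate also admits mDNS (udp 5353) and IPP
# (tcp/udp 631) from anywhere; harmless only if no avahi/cups is listening.
if [[ ! -e /etc/ssh/sshd_config.922 ]] ; then
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.922
    perl -pi.bak -e 's/#Port 22/#Port 22\nPort 922/' /etc/ssh/sshd_config.922
    if [[ -e /etc/sysconfig/iptables ]] ; then
        cat >/etc/sysconfig/iptables.new <<'EOF'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
#
#   redhat boilerplate
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept ssh always from known hosts
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/255.255.0.0 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.0.32.0/255.255.240.0 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 67.114.146.0/255.255.255.240 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 72.52.113.0/255.255.255.0 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 208.184.79.0/255.255.255.0 --dport 22 -j ACCEPT

# accept ssh on alternate port
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT

# rate limit ssh connections to 1/minute
-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -m limit --limit 1/minute -j ACCEPT
# DROP will make it hang a *long* time
-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -j DROP
# REJECT will return immediately
#-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -j REJECT --reject-with icmp-host-prohibited

#
# default http,dns,ntp rules
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53  -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53  -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 123  -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 123  -j ACCEPT

#
#
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
        # Keep the previous rules as .old and swap the fully written file in.
        # The rules file is root-only data read by the init script, never
        # executed, so 600 replaces the original's 700.
        mv /etc/sysconfig/iptables /etc/sysconfig/iptables.old
        mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
        chmod 600 /etc/sysconfig/iptables
        /etc/init.d/iptables restart
    fi
fi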

fi 
# fi SONGBIRD
