Refactored to new approach of two scripts, local and remote with conf…

…iguration system
FusionAuth · May 3, 2016 · fd5eab5 · fd5eab5
1 parent 556e781
commit fd5eab5
Show file tree

Hide file tree

Showing 8 changed files with 150 additions and 12 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 .idea/workspace.xml
+output
diff --git a/2016-security-scripts.iml b/2016-security-scripts.iml
@@ -10,7 +10,7 @@
   <component name="NewModuleRootManager" inherit-compiler-output="true">
     <exclude-output />
     <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
+      <excludeFolder url="file://$MODULE_DIR$/output" />
     </content>
     <orderEntry type="inheritedJdk" />
     <orderEntry type="sourceFolder" forTests="false" />

diff --git a/configure.sh b/configure.sh
@@ -9,6 +9,8 @@ function ask_yes_no {
   done
 }
 
+rm -rf output
+mkdir output
 
 echo "Enter the IP address of the Application Server"
 read application_server_ip
@@ -30,6 +32,8 @@ while [[ ${monit_smtp_encryption} != "ssl" && ${monit_smtp_encryption} != "tlsv1
 done
 if [[ ${monit_smtp_encryption} == "none" ]]; then
   monit_smtp_encryption=""
+else
+  monit_smtp_encryption="using ${monit_smtp_encryption}"
 fi
 
 ask_yes_no "Install Ruby and Monit Slack/Pushover integration? (y/n)"
@@ -54,16 +58,22 @@ if [[ ${answer} == "y" ]]; then
     read monit_pushover_user
     monit_pushover_enabled="true"
   fi
+
+  cp template/ubuntu-16.04/monit-ssh-logins-exec.cfg output/monit-ssh-logins.cfg
+  sed "s/@MONIT_SLACK_WEBHOOK_URL@/${monit_slack_webhook_url//\//\\/}/g;s/@MONIT_SLACK_ENABLED@/${monit_slack_enabled}/g;s/@MONIT_PUSHOVER_APPLICATION@/${monit_pushover_application}/g;s/@MONIT_PUSHOVER_USER@/${monit_pushover_user}/g;s/@MONIT_PUSHOVER_ENABLED@/${monit_pushover_enabled}/g" < template/ubuntu-16.04/monit-slack-pushover.rb > output/monit-slack-pushover.rb
+  chmod +x output/monit-slack-pushover.rb
+else
+  cp template/ubuntu-16.04/monit-ssh-logins-alert.cfg output/monit-ssh-logins.cfg
 fi
 
-cp template/ubuntu-16.04/backup.sh .
-cp template/ubuntu-16.04/common-password .
-cp template/ubuntu-16.04/iptables-application-server.cfg .
-cp template/ubuntu-16.04/monit-ssh-logins-alert.cfg .
-cp template/ubuntu-16.04/monit-ssh-logins-exec.cfg .
-chmod +x backup.sh
+cp template/ubuntu-16.04/backup.sh output
+cp template/ubuntu-16.04/common-password output
+cp template/ubuntu-16.04/iptables-application-server.cfg output
+cp template/ubuntu-16.04/setup-server.sh output
+cp template/ubuntu-16.04/sshd output
+cp template/ubuntu-16.04/sshd_config output
+chmod +x output/backup.sh
+chmod +x output/setup-server.sh
 
-sed "s/@APPLICATION_SERVER_IP@/${application_server_ip}/g" < template/ubuntu-16.04/iptables-database-server.cfg > iptables-database-server.cfg
-sed "s/@MONIT_SLACK_WEBHOOK_URL@/${monit_slack_webhook_url/\//\\\/}/g;s/@MONIT_SLACK_ENABLED@/${monit_slack_enabled}/g;s/@MONIT_PUSHOVER_APPLICATION@/${monit_pushover_application}/g;s/@MONIT_PUSHOVER_USER@/${monit_pushover_user}/g;s/@MONIT_PUSHOVER_ENABLED@/${monit_pushover_enabled}/g" < template/ubuntu-16.04/monit-slack-pushover.rb > monit-slack-pushover.rb
-sed "s/@MONIT_EMAIL_SERVER@/${monit_smtp_host}/g;s/@MONIT_EMAIL_PORT@/${monit_smtp_port}/g;s/@MONIT_EMAIL_USERNAME@/${monit_smtp_username}/g;s/@MONIT_EMAIL_PASSWORD@/${monit_smtp_password}/g;s/@MONIT_EMAIL_ENCRYPTION@/${monit_smtp_encryption}/g" < template/ubuntu-16.04/monitrc > monitrc
-chmod +x /etc/monit/monit-slack-pushover.rb
+sed "s/@APPLICATION_SERVER_IP@/${application_server_ip}/g" < template/ubuntu-16.04/iptables-database-server.cfg > output/iptables-database-server.cfg
+sed "s/@MONIT_EMAIL_SERVER@/${monit_smtp_host}/g;s/@MONIT_EMAIL_PORT@/${monit_smtp_port}/g;s/@MONIT_EMAIL_USERNAME@/${monit_smtp_username}/g;s/@MONIT_EMAIL_PASSWORD@/${monit_smtp_password}/g;s/@MONIT_EMAIL_ENCRYPTION@/${monit_smtp_encryption}/g" < template/ubuntu-16.04/monitrc > output/monitrc
diff --git a/setup-server.sh → setup-existing-server.sh b/setup-server.sh → setup-existing-server.sh
@@ -54,6 +54,9 @@ function ask_yes_no {
 }
 
 
+echo "This script doesn't work yet"
+exit 1
+
 if [[ $# != 3 ]]; then
   echo "Usage: setup-server.sh <ordinary-username> <ssh-public-key-file> <iptable-config-file>"
   exit 1
@@ -233,4 +236,4 @@ fi
 if ! usermod -p '*' root; then
   bail "Unable to lock root user's account for direct login"
 fi
-####### End Lock Root Account #######
+####### End Lock Root Account #######
diff --git a/setup-new-server.sh b/setup-new-server.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+if [[ ${#} != 4 && ${#} != 5 ]]; then
+  echo "Usage: setup-new-server.sh <root@host> <ssh-public-key-file> <iptable-config-file> <ordinary-username> [ordinary-user-password]"
+  echo ""
+  echo "    for example: setup-new-server.sh root@192.168.1.1 ~/.ssh/id_rsa.pub output/iptables-application-server.cfg myuser password"
+  echo ""
+  echo " If the password is not specified, it will be input by the user interactively"
+  exit 1
+fi
+
+
+root_at_host=$1
+ssh_key_file=$2
+iptable_cfg_file=$3
+ordinary_user=$4
+
+ordinary_user_password=""
+ordinary_user_password_confirm=""
+if [[ ${#} == 5 ]]; then
+  ordinary_user_password=$5
+else
+  while [[ ${ordinary_user_password} != ${ordinary_user_password_confirm} ]]; do
+    echo -n "Password: "
+    read -s ordinary_user_password
+    echo -n "Password (again): "
+    read -s ordinary_user_password_confirm
+    if [[ ${ordinary_user_password} != ${ordinary_user_password_confirm} ]]; then
+      echo "Passwords don't match"
+    fi
+  done
+fi
+
+if ! [ -f ${ssh_key_file} ]; then
+  bail "Invalid SSH public key file"
+fi
+
+if ! [ -f ${iptable_cfg_file} ]; then
+  bail "Invalid IPTables configuration file"
+fi
+
+scp output/* ${ssh_key_file} ${root_at_host}:/root
+ssh -t ${root_at_host} "/root/setup-new-server.sh ${ssh_key_file} ${iptable_cfg_file} ${ordinary_user} ${ordinary_user_password}"
diff --git a/template/ubuntu-16.04/setup-server.sh b/template/ubuntu-16.04/setup-server.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+if [[ ${#} != 4 ]]; then
+  echo "Usage: setup-server.sh <ssh-public-key-file> <iptable-config-file> <ordinary-username> <ordinar-user-password>"
+  echo ""
+  echo "    for example: setup-server.sh id_rsa.pub iptables-application-server.cfg myuser password"
+  exit 1
+fi
+
+ssh_key_file=$1
+iptable_cfg_file=$2
+ordinary_user=$3
+ordinary_user_password=$4
+
+if ! [ -f ${ssh_key_file} ]; then
+  bail "Invalid SSH public key file"
+fi
+
+if ! [ -f ${iptable_cfg_file} ]; then
+  bail "Invalid IPTables configuration file"
+fi
+
+apt-get -qq -y install libpam-cracklib > /dev/null 2>&1
+apt-get -qq -y install libpam-google-authenticator > /dev/null 2>&1
+apt-get -qq -y install ntp > /dev/null 2>&1
+debconf-set-selections <<< 'iptables-persistent iptables-persistent/autosave_v4 boolean true'
+debconf-set-selections <<< 'iptables-persistent iptables-persistent/autosave_v6 boolean true'
+apt-get -qq -y install iptables-persistent > /dev/null 2>&1
+apt-get -qq -y install monit > /dev/null 2>&1
+apt-get -qq -y install ruby > /dev/null 2>&1
+
+ordinary_user_password_encrypted=$(mkpasswd -m sha-512 ${ordinary_user_password})
+useradd -m -G sudo -s /bin/bash -p "${ordinary_user_password_encrypted}" ${ordinary_user}
+mkdir -p /home/${ordinary_user}/.ssh
+cp ${ssh_key_file} /home/${ordinary_user}/.ssh/authorized_keys
+chown -R ${ordinary_user}:${ordinary_user} /home/${ordinary_user}/.ssh
+chmod 700 /home/${ordinary_user}/.ssh
+chmod 600 /home/${ordinary_user}/.ssh/authorized_keys
+
+# Backup all the configuration files
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
+cp /etc/pam.d/sshd /etc/pam.d/sshd.orig
+cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.orig
+cp /etc/monit/monitrc /etc/monit/monitrc.orig
+
+# SCP over all the files
+cp common-password /etc/pam.d/common-password
+cp ${iptable_cfg_file} /etc/iptables/rules.v4
+cp monit-ssh-logins.cfg /etc/monit/conf.d/ssh-logins
+cp monitrc /etc/monit/monitrc
+cp sshd_config /etc/ssh/sshd_config
+cp sshd /etc/pam.d/sshd
+if [ -f monit-slack-pushover.rb ]; then
+  cp monit-slack-pushover.rb /etc/monit/monit-slack-pushover.rb
+fi
+
+service ssh restart
+service netfilter-persistent reload
+service monit restart
+usermod -p '*' root
diff --git a/test-answers b/test-answers
@@ -0,0 +1,13 @@
+10.10.10.10
+monit-alerts@test.com
+smtp.test.com
+587
+smtp-username@test.com
+smtp-password
+tlsv12
+y
+y
+https://hooks.slack.com/services/A0411FLaa/B004CKBBB/E7eeeea2a7a1U6EUhnIAus6z
+y
+pushover-app
+pushover-user
diff --git a/test-answers-no-slack-pushover b/test-answers-no-slack-pushover
@@ -0,0 +1,8 @@
+10.10.10.10
+monit-alerts@test.com
+smtp.test.com
+587
+smtp-username@test.com
+smtp-password
+tlsv12
+n