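#!/bin/bash
#####################################################################
# Set up a web slave Tomcat server for codefaces.org on Ubuntu 10.
#
# The firewall rules installed here only open an AJP port for the load
# balancer, an SSH port and ICMP ping.
#
# Steps, in order:
# 1. perform dist-upgrade
# 2. install sun-java
# 3. install and config tomcat
# 4. perform time sync
# 5. secure kernel using sysctl
# 6. create a non-root sudoer
# 7. secure SSH
# 8. secure iptables
#
# Must be run as root from a checkout that has the templates/ directory
# next to this script. Every step aborts the run on failure (set -e) so
# a half-applied configuration is never left behind silently, and the
# sudoers and sshd_config templates are syntax-checked before they
# replace the live files so the admin cannot be locked out.
#
# KK Lo, August 14, 2010
#
set -euo pipefail

readonly MACHINE_HOST_NAME=spica
readonly MACHINE_DOMAIN_NAME=codefaces.org
readonly MACHINE_IP=173.203.92.105
readonly ADMIN_USER=admin
readonly LOAD_BALANCER_IP=173.203.92.105
readonly SSH_PORT=42597
readonly TOMCAT_HOME=/var/lib/tomcat6
readonly AJP_PORT=47330
readonly JVMROUTE=tomcat2
# Templates are resolved relative to the script, not the caller's cwd.
readonly TEMPLATE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/templates"

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'setup.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a progress line to stdout.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# Render a template: every literal "$NAME" placeholder is replaced with
# the value of the shell variable NAME.
# Arguments: $1 - template path
#            $2 - destination path (overwritten)
#            $3.. - names of the variables to substitute
# Outputs:   writes the rendered file to $2
# Returns:   sed's exit status; aborts under -u if a name is unset
#######################################
render_template() {
  local src=$1 dst=$2
  shift 2
  local -a exprs=()
  local name value
  for name in "$@"; do
    value=${!name}
    # Escape what is special on the right-hand side of s/// (backslash,
    # '&') and the '/' delimiter, so a value can never alter the
    # expression instead of being inserted verbatim.
    value=${value//\\/\\\\}
    value=${value//&/\\&}
    value=${value//\//\\/}
    exprs+=(-e "s/\\\$${name}/${value}/g")
  done
  sed "${exprs[@]}" -- "$src" > "$dst"
}

#######################################
# Configure hostname and domain name in /etc/hosts.
# Globals: MACHINE_IP, MACHINE_HOST_NAME, MACHINE_DOMAIN_NAME (read)
#######################################
configure_hostname() {
  local entry="$MACHINE_IP $MACHINE_HOST_NAME.$MACHINE_DOMAIN_NAME $MACHINE_HOST_NAME"
  # Append only once so a re-run does not pile up duplicate entries.
  grep -qxF -- "$entry" /etc/hosts || printf '%s\n' "$entry" >> /etc/hosts
  /etc/init.d/networking restart
}

#######################################
# Override root's bashrc and source it so the environment variables it
# sets apply to the rest of this script.
#######################################
install_bashrc() {
  log "Replacing .bashrc"
  cp -f -- "$TEMPLATE_DIR/bashrc" /root/.bashrc
  # A bashrc commonly tests interactive-only variables (e.g. PS1), which
  # would trip -u; relax it just while the file is sourced.
  set +u
  # shellcheck disable=SC1091
  source /root/.bashrc
  set -u
}

#######################################
# Override the apt-get source list.
#######################################
install_apt_sources() {
  log "Replacing apt/sources.list"
  cp -f -- "$TEMPLATE_DIR/sources.list" /etc/apt/sources.list
}

#######################################
# Perform a full system update.
#######################################
system_update() {
  log "Perform system update"
  apt-get update
  apt-get -y dist-upgrade
}

#######################################
# Install sun-java.
#######################################
install_java() {
  log "Install sun-java"
  # NOTE(review): sun-java6-jdk may additionally prompt for licence
  # acceptance through debconf; preseed that answer if this step must
  # run unattended.
  apt-get -y install sun-java6-jdk
}

#######################################
# Install tomcat and stop it so it can be configured.
#######################################
install_tomcat() {
  log "Install Tomcat"
  apt-get -y install tomcat6
  /etc/init.d/tomcat6 stop
}

#######################################
# Render server.xml, clear the default webapps and install web.xml.
# Globals: TOMCAT_HOME, AJP_PORT, JVMROUTE (read)
#######################################
configure_tomcat() {
  log "Configure Tomcat"
  render_template "$TEMPLATE_DIR/server.xml" "$TOMCAT_HOME/conf/server.xml" \
    AJP_PORT JVMROUTE
  # ${TOMCAT_HOME:?} aborts instead of expanding to "/webapps/*" should
  # the variable ever be empty.
  rm -rf -- "${TOMCAT_HOME:?}/webapps/"*
  mkdir -p -- "$TOMCAT_HOME/backup"
  cp -f -- "$TEMPLATE_DIR/web.xml" "$TOMCAT_HOME/conf/web.xml"
}

#######################################
# Sync the clock now and install the daily ntpdate cron job.
#######################################
sync_time() {
  log "Perform time sync"
  ntpdate ntp.ubuntu.com
  install -m 0755 -- "$TEMPLATE_DIR/ntpdate" /etc/cron.daily/ntpdate
}

#######################################
# Harden the kernel via sysctl.conf.
#######################################
secure_kernel() {
  log "Replacing sysctl.conf"
  cp -f -- "$TEMPLATE_DIR/sysctl.conf" /etc/sysctl.conf
  sysctl -p
}

#######################################
# Install sudoers and create the non-root admin account.
# Globals: ADMIN_USER (read)
#######################################
create_admin() {
  log "Create Non-root admin"
  # A syntactically broken /etc/sudoers disables sudo for everyone,
  # including the account created right below, so check the template
  # before it replaces the live file.
  visudo -c -f "$TEMPLATE_DIR/sudoers"
  install -m 0440 -o root -g root -- "$TEMPLATE_DIR/sudoers" /etc/sudoers
  # adduser is interactive (it asks for a password); skip it when the
  # account already exists so a re-run does not abort here.
  id -u "$ADMIN_USER" >/dev/null 2>&1 || adduser "$ADMIN_USER"
  adduser "$ADMIN_USER" sudo
}

#######################################
# Render sshd_config with the custom port; the candidate file is
# validated with `sshd -t` before it replaces the live config.
# Globals: SSH_PORT (read)
#######################################
secure_ssh() {
  log "Securing SSH"
  local candidate
  candidate=$(mktemp /etc/ssh/sshd_config.XXXXXX)
  render_template "$TEMPLATE_DIR/sshd_config" "$candidate" SSH_PORT
  # Without this check a typo in the template would leave the box
  # unreachable after the restart that follows.
  if ! sshd -t -f "$candidate"; then
    rm -f -- "$candidate"
    die "rendered sshd_config failed validation; live config untouched"
  fi
  install -m 0644 -o root -g root -- "$candidate" /etc/ssh/sshd_config
  rm -f -- "$candidate"
}

#######################################
# Restart SSH and tell the operator how to reach the box afterwards.
# Globals: SSH_PORT, ADMIN_USER (read)
#######################################
restart_ssh() {
  log "Restart SSH"
  printf 'The new SSH PORT is %s with user %s\n' "$SSH_PORT" "$ADMIN_USER"
  log "and login to run iptables-restore < /etc/network/iptables/iptables.rule"
  /etc/init.d/ssh restart
}

#######################################
# Render and apply the iptables rule set, and install the pre-up hook
# that reloads it at boot.
# Globals: SSH_PORT, AJP_PORT, LOAD_BALANCER_IP (read)
#######################################
configure_iptables() {
  log "Setting iptables"
  mkdir -p -- /etc/network/iptables
  render_template "$TEMPLATE_DIR/iptables.rule" /etc/network/iptables/iptables.rule \
    SSH_PORT AJP_PORT LOAD_BALANCER_IP
  chmod 640 /etc/network/iptables/iptables.rule
  cp -f -- "$TEMPLATE_DIR/iptables_load" /etc/network/if-pre-up.d/iptables_load
  iptables-restore < /etc/network/iptables/iptables.rule
}

#######################################
# Run every step in the original order.
#######################################
main() {
  (( EUID == 0 )) || die "must be run as root"
  [[ -d "$TEMPLATE_DIR" ]] || die "template directory not found: $TEMPLATE_DIR"
  configure_hostname
  install_bashrc
  install_apt_sources
  system_update
  install_java
  install_tomcat
  configure_tomcat
  sync_time
  secure_kernel
  create_admin
  secure_ssh
  restart_ssh
  configure_iptables
}

main "$@"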