-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathinit_linux
More file actions
230 lines (200 loc) · 8.25 KB
/
init_linux
File metadata and controls
230 lines (200 loc) · 8.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
#!/bin/bash
#Exit this script if return a non-zero status.
set -e
#Get os distribution
get_os_distribution() {
os_dist_name=""
#read os-release info
if [ -r /etc/os-release ]; then
os_dist_name="$(. /etc/os-release && echo "$ID")"
fi
echo "Current OS dist Name: $os_dist_name"
}
#Command verification in Linux
command_exists() {
command -v "$@" > /dev/null 2>&1
}
#Check Root privileges, if not, operation with sudo or su prefix.
verify_root_priv() {
cmd_ops="sh -c"
if [ ! $EUID -eq 0 ]; then
if command_exists sudo; then
cmd_ops='sudo -E sh -c'
elif command_exists su; then
cmd_ops='su -c'
else
echo "Please run this script by root privileges."
exit 1
fi
fi
}
installing_error_detection() {
local command=$1
local dependence=`echo "${command}" | awk '{print $NF}'`
${cmd_ops} "${command}"
if [ $? != 0 ]; then
echo "Failed to install: ${dependence}"
exit 1
fi
}
disable_selinux() {
if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
fi
if [ -s /etc/selinux/config ] && grep 'SELINUX=permissive' /etc/selinux/config; then
sed -i 's/SELINUX=permissive/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
fi
}
disable_firewall() {
case "$os_dist_name" in
centos)
systemctl stop firewalld
systemctl disable firewalld
;;
ubuntu)
systemctl stop ufw -l
systemctl disable ufw -l
;;
*)
echo "default"
;;
esac
}
bbr_verification() {
MAIN_VER=$(uname -r | awk -F '.' '{print$1}')
SUB_VER=$(uname -r | awk -F '.' '{print$2}')
SYSCTL_CONGESTION=$(sysctl net.ipv4.tcp_congestion_control | awk -F'=' '{print $2}')
SYSCTL_QDISC=$(sysctl net.core.default_qdisc | awk -F '=' '{print $2}')
LSMOD_RET=$(lsmod | grep bbr | awk '{print $1}')
if (( $MAIN_VER >= 4 )) && (( $SUB_VER >= 9 )) && [ ${SYSCTL_CONGESTION} == "bbr" ] && [ ${SYSCTL_QDISC} == "fq" ] && [ ${LSMOD_RET} == "tcp_bbr" ] ; then
echo "BBR have been verified."
else
case "$os_dist_name" in
centos)
centos_bbr_installation
;;
ubuntu)
ubuntu_bbr_installation
;;
*)
echo "Unsupported OS version."
;;
esac
fi
}
ubuntu_bbr_installation() {
${cmd_ops} "modprobe tcp_bbr"
${cmd_ops} 'echo "tcp_bbr" | sudo tee --append /etc/modules-load.d/modules.conf'
${cmd_ops} 'echo "net.core.default_qdisc=fq" | sudo tee --append /etc/sysctl.conf'
${cmd_ops} 'echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee --append /etc/sysctl.conf'
${cmd_ops} "sysctl -p"
${cmd_ops} "sysctl net.ipv4.tcp_available_congestion_control"
${cmd_ops} "sysctl net.ipv4.tcp_congestion_control"
}
centos_bbr_installation() {
#Get centos version number
if [ -r /etc/os-release ]; then
version_id="$(. /etc/os-release && echo "$VERSION_ID")"
if [ "$version_id" = "7" ]; then
if [ ! -f /etc/yum.repos.d/elrepo.repo ]; then
${cmd_ops} "rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org"
${cmd_ops} "yum -y install http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm"
${cmd_ops} "yum --enablerepo=elrepo-kernel -y install kernel-ml kernel-ml-devel"
fi
if [ ! -f "/boot/grub2/grub.cfg" ]; then
echo "Cannot find /boot/grub2/grub.cfg, please check it."
exit 1
fi
${cmd_ops} 'grub2-set-default 0'
${cmd_ops} "sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf"
${cmd_ops} "sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf"
${cmd_ops} 'echo "net.core.default_qdisc = fq" >> /etc/sysctl.conf'
${cmd_ops} 'echo "net.ipv4.tcp_congestion_control = bbr" >> /etc/sysctl.conf'
${cmd_ops} 'sysctl -p >/dev/null 2>&1'
else
echo "Currently it only support CentOS 7, but this one is: $version_id"
fi
else
echo "Can not identify current version: $VERSION_ID"
fi
}
packages_installation_configuration() {
case "$os_dist_name" in
ubuntu)
ubuntu_dep=(build-essential libpcre3 cmake net-tools)
for dep in ${ubuntu_dep[@]}; do
installing_error_detection "apt -y install ${dep}"
done
apt update -y -qq > /dev/null
bbr_verification
;;
debian)
debian_dep=(build-essential libpcre3 cmake bison libboost-all-dev net-tools)
for dep in ${debian_dep[@]}; do
installing_error_detection "apt -y install ${dep}"
done
apt update -y -qq > /dev/null
;;
centos)
#Packages dependences
centos_dep=(epel-release grub2 kernel.x86_64 openssl openssl-devel gettext gcc autoconf libtool automake make asciidoc xmlto udns-devel libev-devel pcre pcre-devel links elinks git net-tools gnutls-devel libev-devel tcp_wrappers-devel pam-devel lz4-devel libseccomp-devel readline-devel libnl3-devel krb5-devel liboath-devel radcli-devel protobuf-c-devel libtalloc-devel pcllib-devel autogen-libopts-devel autogen protobuf-c gperf lockfile-progs nuttcp lcov uid_wrapper pam_wrapper nss_wrapper socket_wrapper gssntlmssp pam_oath screen vim iperf htop zip unzip wget c-ares c-ares-devel bind-utils lsof nc telnet sysstat tree httpd tor fail2ban)
for dep in ${centos_dep[@]}; do
installing_error_detection "yum -y install ${dep}"
done
${cmd_ops} 'yum -y update'
${cmd_ops} 'yum -y groupinstall Development Tools'
disable_selinux
bbr_verification
# echo "Unknown OS dist: $os_dist_name"
;;
esac
}
disable_history() {
${cmd_ops} 'rm -rf ~/.bash_history && unset HISTFILE && HISTSIZE=0 && >/var/log/wtmp && >/var/log/btmp'
${cmd_ops} 'echo "unset HISTFILE" >> ~/.bashrc '
${cmd_ops} 'echo "HISTSIZE=0" >> ~/.bashrc'
${cmd_ops} 'echo "set +o history" >> ~/.bashrc'
${cmd_ops} 'echo ">/var/log/wtmp" >> ~/.bashrc'
${cmd_ops} 'echo ">/var/log/btmp" >> ~/.bashrc'
}
verify_root_priv_for_new_user() {
if [ ! $EUID -eq 0 ]; then
echo "Please run this script by root privileges."
exit 1
fi
}
secure_sshd() {
sed -i 's/^#Port.*/Port 54321/g' /etc/ssh/sshd_config
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/^#PubkeyAuthentication.*/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords.*/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords.*/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/^#TCPKeepAlive.*/TCPKeepAlive yes/g' /etc/ssh/sshd_config
sed -i 's/^#ClientAliveInterval.*/ClientAliveInterval 10/g' /etc/ssh/sshd_config
sed -i 's/^#ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
systemctl restart sshd
}
add_new_user() {
useradd $os_dist_name
mkdir /home/$os_dist_name/.ssh -p
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj3sFcfqI0ybPHSsdyFbV7+yKmWr562meCPqbisIUGy8qYDkrtjZ6e+uREAyww824HLTMhAp6qMzqekUqVelgUgtTJa/PH59ggsXVDuF3/h8pYvNMCtOo+RCHFcXLmvXUKmuUJ1xJx6qaFDH5IGA3uJakoyXQgZNCU3o6aXCKuZ3E8zATrmOJ7MMd5pyJRYSfwd3VdCL3p4MTf4zWXcJZc00i+SC34ME04qG8owqIoJ//UkMJZs7eHamV3gi+TwqU0pWH4kTNVrljncANcSnWKbsAcIkHPy4BfglzQJGJZQSeENQU5xD+MgPvxSBARhLvUsNwlz5wBpGLCk6yd2R8H" >> /home/$os_dist_name/.ssh/authorized_keys
chmod 755 /home/$os_dist_name/.ssh
chown $os_dist_name:$os_dist_name /home/$os_dist_name/.ssh
chown $os_dist_name:$os_dist_name /home/$os_dist_name/.ssh/authorized_keys
chmod 600 /home/$os_dist_name/.ssh/authorized_keys
echo "%$os_dist_name ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
}
main() {
get_os_distribution
verify_root_priv
packages_installation_configuration
disable_firewall
# disable_history
verify_root_priv_for_new_user
secure_sshd
add_new_user
${cmd_ops} 'init 6'
}
main