PHP / MySQL Server (Ubuntu 12.04)
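#!/usr/bin/env bash
###
# Run this script as root
#
# Provisions a fresh Ubuntu 12.04 host: hostname, locale and timezone, an
# admin user with SSH public-key access, fail2ban, a default-deny iptables
# firewall, sudo mail notifications, nginx, MySQL and PHP-FPM.
# Edit the variables in the "Setup variables" section before running.
#
# Strict mode: any failing step aborts the run instead of leaving the host
# half-configured (e.g. a sudoers edit that did not validate).
###
set -euo pipefail

# Everything below writes under /etc or installs packages; refuse otherwise.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'This script must be run as root\n' >&2
  exit 1
fi

# Setup variables for this script
USER_NAME=vlucas
USER_EMAIL="[email protected]"   # address is shown redacted on the gist page; set your own
SSH_PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxoQkUlUr+GcEpY1Its3mXFq/xi6yUgknxcSfGx0Yl25zo9nLl5UpeA+r0SmTfnu5oj674i+Ccx7NgwIkhGONXyKZaWyQf7jQZRa6sAMyETQ8QFbkprLCcF6LXJ9B1Khj16ZgXgcuSjMQKmbi8FA3iCcP5jGeT/02x5QhC5hXNPZafODwR5Xty559mLqsZ3LwzQZ4YaQDi4fnEDz7z4iA5+2Xo44de4ypmAmRBsOJZ0mgiRyClDEa0TVCctIXLeOt5OU76DE/IXuKHmtpwWiAI+c6ZNLmXeidrMQzhS6XfDwtTS0YMNnXn4aSSSJNhuvRAhCj9qjAXT1lV1QPb2P84Q== [email protected]"
GITHUB_USER=$USER_NAME
HOSTNAME=genesis.churchmint.com
# locale-gen expects a full locale name (e.g. en_US.UTF-8); with strict mode
# an invalid value aborts the run at the locale-gen step below.
LOCALE=en
TIMEZONE=US/Central

# Set a hostname
printf '%s\n' "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname

# Set the locale
locale-gen "$LOCALE"

# Set the timezone
printf '%s\n' "$TIMEZONE" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata

# Create an admin group (skip if the image already ships one, so reruns work)
getent group admin >/dev/null || /usr/sbin/groupadd admin

# Add the admin group to the sudoers list (with no password).
# NOPASSWD makes a compromise of any admin-group account equivalent to root;
# the edited file is validated with visudo before it replaces /etc/sudoers so a
# syntax error cannot lock sudo out entirely.
sudoers_new=$(mktemp)
sed 's/admin ALL=(ALL) ALL/admin ALL=(ALL) NOPASSWD:ALL/g' /etc/sudoers > "$sudoers_new"
visudo -c -f "$sudoers_new"
install -m 440 -o root -g root "$sudoers_new" /etc/sudoers
rm -f -- "$sudoers_new"

# Create my admin user (skip if it already exists)
if ! id -u "$USER_NAME" >/dev/null 2>&1; then
  /usr/sbin/useradd -m -G admin -s /bin/bash -d "/home/$USER_NAME" "$USER_NAME"
fi

# Setup $USER_NAME for ssh access.
# The key is written with printf directly instead of being interpolated into a
# second shell via `su -c "echo $SSH_PUBLIC_KEY ..."`, so its contents are
# never re-parsed as a command line and the file never has to be re-chmodded
# from a world-readable default.
user_home=/home/$USER_NAME
install -d -m 700 "$user_home/.ssh"
printf '%s\n' "$SSH_PUBLIC_KEY" >> "$user_home/.ssh/authorized_keys"
chmod 600 "$user_home/.ssh/authorized_keys"
chown -R "$USER_NAME:" "$user_home/.ssh"   # "user:" = the user's login group (GNU chown)

# Disable root login via SSH (now would be a good time to test your new user if running this script interactively)
#sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
#service ssh restart

# Update package cache and upgrade packages.
# DEBIAN_FRONTEND must be exported, otherwise apt-get/dpkg never see it and
# can block on a debconf prompt.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y -q -o Dpkg::Options::="--force-confold"

# Install fail2ban (prevent repeated logins)
apt-get install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Enable the [ssh-ddos] jail: the ",+2" address range is a GNU sed extension.
sed -i '/\[ssh-ddos\]/,+2 s/enabled = false/enabled = true/g' /etc/fail2ban/jail.local
service fail2ban restart

# Setup firewall
cat << 'EOF' > /etc/iptables.firewall.rules
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ports for MOSH (mobile shell)
-A INPUT -p udp --dport 60000:61000 -j ACCEPT

# Allow SSH connections
# The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
EOF
iptables-restore < /etc/iptables.firewall.rules

# Reload the rules on every interface bring-up so they survive a reboot
cat << 'EOF' > /etc/network/if-pre-up.d/firewall
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
EOF
chmod +x /etc/network/if-pre-up.d/firewall

# Email me on sudo.
# Written to a temp file and validated first, for the same reason as the
# /etc/sudoers edit above; sudoers string values use double quotes.
sudoers_mail=$(mktemp)
printf 'Defaults mail_always\nDefaults mailto="%s"\n' "$USER_EMAIL" > "$sudoers_mail"
visudo -c -f "$sudoers_mail"
install -m 440 -o root -g root "$sudoers_mail" /etc/sudoers.d/my_sudoers
rm -f -- "$sudoers_mail"

# Reboot server when out of memory (append once, so reruns do not duplicate it)
if ! grep -q '^vm.panic_on_oom=' /etc/sysctl.conf; then
  printf 'vm.panic_on_oom=1\nkernel.panic=10\n' >> /etc/sysctl.conf
fi

# Install essentials
apt-get install -y build-essential python-software-properties zsh curl netcat git htop ack-grep tmux vim-nox exuberant-ctags

# Install nginx
apt-get install -y nginx
/etc/init.d/nginx start

# Install databases.
# No debconf preseed is supplied, so the non-interactive install leaves the
# MySQL root password empty; set one (e.g. mysql_secure_installation) afterwards.
apt-get install -y mysql-client mysql-server libmysqlclient15-dev

# Install PHP + PHP-FPM
add-apt-repository -y ppa:ondrej/php5 && apt-get update
apt-get install -y php5-fpm php5-cli php5-common php5-mcrypt php5-mysql php5-memcache php-apc php-pear php5-curl php5-intl php5-gd

# Divert ack to ack-grep
dpkg-divert --local --divert /usr/bin/ack --rename --add /usr/bin/ack-grep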