Annexe

1. Administration RHEL 7 / Centos 7

Centos 7 / RHEL 7 : activation de la console série en modifiant grub

Contexte : accéder à une appliance GNS3 en console série texte

https://gist.githubusercontent.com/goffinet/ea0df57d760293a5b861e63253dfeea4/raw/f5831b7ce002d58b590c95b09e53505163f4b3e5/centos7-grub-console.sh

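#!/bin/bash
# Switch a CentOS 7 / RHEL 7 guest to a text serial console (ttyS0, 115200 8N1):
# rewrite /etc/default/grub, regenerate grub.cfg, then reboot.
# Must run as root. The previous /etc/default/grub is kept as a timestamped
# copy so the change can be reverted from a rescue shell if the guest no
# longer shows a console.
set -u

if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

grub_defaults=/etc/default/grub
[ -f "$grub_defaults" ] && cp -a -- "$grub_defaults" "$grub_defaults.$(date +%s).bak"

# Quoted delimiter: the $(sed ...) in GRUB_DISTRIBUTOR is written literally,
# exactly as in the distribution's stock file, and evaluated by grub2-mkconfig
# when it sources this file (the unquoted heredoc expanded it at write time,
# which works but freezes the release string).
# NOTE(review): rd.lvm.lv=centos/root and centos/swap assume the default
# CentOS LVM layout — confirm against the current kernel command line.
cat << 'EOF' > "$grub_defaults"
# grub-mkconfig -o /boot/grub/grub.cfg
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=false
GRUB_TERMINAL="serial console"
GRUB_SERIAL_COMMAND="serial --speed=115200"
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap console=ttyS0,115200n8"
GRUB_DISABLE_RECOVERY="false"
EOF

# NOTE(review): this is the BIOS grub.cfg location; a UEFI install keeps it
# under /boot/efi/EFI/<distro>/grub.cfg — confirm before use.
# Reboot only when the new configuration was generated; rebooting after a
# failed grub2-mkconfig (the original did) can leave the guest without a console.
grub2-mkconfig -o /boot/grub2/grub.cfg || { echo "grub2-mkconfig failed, not rebooting" 1>&2; exit 1; }
reboot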

Centos 7 / RHEL 7 : compilation et installation de stress-ng

Contexte : exercice sur cpulimit, cgroups, nice/renice

https://gist.githubusercontent.com/goffinet/4e9622dee0dc1d4a2a7692ef7ece8224/raw/8659074d31e057465500bd051e436525604cf230/stress-ng.sh

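#!/bin/bash
# Build stress-ng from its git repository and install the binary in /usr/bin.
# Works on yum-based (CentOS 7 / RHEL 7) systems, falling back to apt.
# Must run as root (package installation, copy into /usr/bin).
set -u

# Every step depends on the previous one; stop instead of carrying on
# (the original ran 'make' even when the clone or a 'cd' had failed, and
# 'apt-get install git' without -y would have prompted).
yum -y install git || apt-get -y install git || exit 1
yum -y groupinstall 'Development Tools' || apt-get -y install build-essential git || exit 1

# Build in a private temporary directory rather than a predictable /tmp path;
# the trap removes it on any exit (replaces the original 'rm -rf /tmp/stress-*').
build_dir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$build_dir"' EXIT
cd "$build_dir" || exit 1

# NOTE(review): git:// is an unauthenticated transport and the clone is not
# pinned to a tag or commit, yet the result is installed system-wide. Prefer
# an https remote and a pinned release outside a lab.
git clone git://kernel.ubuntu.com/cking/stress-ng.git || exit 1
cd stress-ng || exit 1
make || exit 1
install -m 0755 stress-ng /usr/bin/stress-ng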

Centos 7 / RHEL 7 : compilation et installation de John the Ripper 1.8.0*

Contexte : Tester la robustesse des mots de passe

https://gist.githubusercontent.com/goffinet/83565ebec963fed0c74d/raw/81d3b6e4cd6c54ad8fc3c1b83514b38a05926c12/jtrinstall.sh

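#!/bin/bash
# Centos 7 John the Ripper Installation
# Fetches john 1.8.0, checks its detached OpenPGP signature, builds the
# linux-x86-64 target, runs the self-test and downloads the openwall wordlist.
# Must run as root for the package installs; the build happens in $HOME.
set -u
set -o pipefail

yum -y install wget gpgme
yum -y group install "Development Tools"
cd || exit 1

# NOTE(review): tarball, signature and signing keys are all fetched over plain
# http from the same site, so a passing --verify only proves the tarball matches
# the key just downloaded. Compare the key fingerprint with one obtained out of
# band; gpg also returns 0 for a valid signature from an untrusted key.
wget http://www.openwall.com/john/j/john-1.8.0.tar.xz || exit 1
wget http://www.openwall.com/john/j/john-1.8.0.tar.xz.sign || exit 1
wget http://www.openwall.com/signatures/openwall-signatures.asc || exit 1
gpg --import openwall-signatures.asc
# The original ignored the verification result; a bad signature must stop the build.
gpg --verify john-1.8.0.tar.xz.sign john-1.8.0.tar.xz || { echo "signature check failed" 1>&2; exit 1; }
tar xvfJ john-1.8.0.tar.xz || exit 1
cd john-1.8.0/src || exit 1
make clean linux-x86-64 || exit 1
cd ../run/ || exit 1
./john --test
# password dictionary download
wget -O - http://mirrors.kernel.org/openwall/wordlists/all.gz | gunzip -c > openwall.dico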

Centos 7 / RHEL 7 : routeur avec eth0=internal DHCP/DNS et eth1=public masquerading

Contexte : Créer un routeur nat IPv4

https://gist.githubusercontent.com/goffinet/0d2604d09e333d1842b7323d4cb536d8/raw/dd4cebffd7712debbaa83704e61f44e4c2fff83b/net.sh

#!/bin/bash
1_interfaces-ipv4 () {
  # Name the box "router" and give eth0 (the LAN side) a static address in
  # 192.168.168.0/24, assigned to the firewalld "internal" zone; then bring
  # the connection up so the change applies immediately.
  local lan_if=eth0
  local lan_addr=192.168.168.1/24
  hostnamectl set-hostname router
  nmcli c mod "$lan_if" ipv4.addresses "$lan_addr"
  nmcli c mod "$lan_if" ipv4.method manual
  nmcli c mod "$lan_if" connection.zone internal
  nmcli c up "$lan_if"
}
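2_routing () {
  # Enable IPv4 forwarding now and keep it across reboots.
  # 'sysctl -w' alone is lost at reboot, and 'sysctl -p' only re-reads
  # /etc/sysctl.conf, which does not contain the setting — so the original
  # router stopped forwarding after its first reboot. A drop-in under
  # /etc/sysctl.d (file name chosen here, any name works) fixes that.
  local dropin=/etc/sysctl.d/90-ip_forward.conf
  sysctl -w net.ipv4.ip_forward=1
  printf 'net.ipv4.ip_forward = 1\n' > "$dropin"
  sysctl --system
}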
3_firewall () {
  # Internal zone (LAN): accept DNS and DHCP from 192.168.168.0/24.
  # Public zone (eth1): masquerade outgoing traffic. Rules are stored as
  # permanent and then loaded into the running configuration.
  local zone_lan=internal
  local zone_wan=public
  local lan_net=192.168.168.0/24
  systemctl enable firewalld
  systemctl start firewalld
  firewall-cmd --permanent --zone="$zone_lan" --add-service=dns
  firewall-cmd --permanent --zone="$zone_lan" --add-service=dhcp
  firewall-cmd --permanent --zone="$zone_lan" --add-source="$lan_net"
  firewall-cmd --permanent --zone="$zone_wan" --add-masquerade
  firewall-cmd --reload
}
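4_dhcp-dns () {
  # dnsmasq as DHCP + DNS for the LAN: lease pool .50-.150 for 12h, with
  # option 3 (default gateway) pointing at this router.
  # NOTE(review): no 'interface=' line, so dnsmasq also listens on the public
  # side; only the firewalld public zone (which carries no dns service) keeps
  # it from acting as an open resolver. Add interface=eth0 and
  # bind-interfaces if that zone is ever relaxed.
  local conf=/etc/dnsmasq.d/eth0.conf
  # Quoted so the shell cannot expand the glob against files in the cwd
  # before yum sees it.
  yum -y install 'dnsmasq*'
  cat > "$conf" <<'EOF'
dhcp-range=192.168.168.50,192.168.168.150,255.255.255.0,12h
dhcp-option=3,192.168.168.1
EOF
  systemctl enable dnsmasq
  systemctl start dnsmasq
}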

# Run the four stages in order: addressing, forwarding, firewall, DHCP/DNS.
for step in 1_interfaces-ipv4 2_routing 3_firewall 4_dhcp-dns; do
  "$step"
done

2. Administration Debian 8 (Jessie) / Kali Linux 2

Compilation d'un noyau 4.9.8 dans une Debian 8 pour une Debian 8

Contexte : Compilation du noyau Debian

https://gist.githubusercontent.com/goffinet/559f5e176fc60e14841e6ae033e1ad93/raw/bbd3b0b0d28389e0c83ab18a51e9e3f471f9b27f/kernel.deb.sh

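#!/bin/bash
# Build Debian kernel packages (image + headers) for Linux 4.9.8 on Debian 8
# with make-kpkg. Runs as a regular user and uses sudo for the apt steps;
# 'make menuconfig' is interactive.
set -u

# The original ran only the first apt call through sudo; the following ones
# failed for a non-root user. (Its second call repeated 'update'; dist-upgrade
# covers the intended upgrade.)
sudo apt update && sudo apt dist-upgrade -yqq
sudo apt install git fakeroot build-essential ncurses-dev xz-utils libssl-dev bc -yqq
sudo apt install kernel-package -yqq

kver=4.9.8
wget "https://www.kernel.org/pub/linux/kernel/v4.x/linux-${kver}.tar.xz" || exit 1
# The signature covers the uncompressed tar, hence the unxz first.
unxz "linux-${kver}.tar.xz" || exit 1
wget "https://www.kernel.org/pub/linux/kernel/v4.x/linux-${kver}.tar.sign" || exit 1
# NOTE(review): hkp://keys.gnupg.net may no longer answer. A successful
# --verify proves the tarball matches the signature made with the key just
# received, not that the key is the expected one — compare its fingerprint
# with the one kernel.org publishes. The original ignored the verify result.
gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E
gpg2 --verify "linux-${kver}.tar.sign" "linux-${kver}.tar" || { echo "signature check failed" 1>&2; exit 1; }
tar xvf "linux-${kver}.tar" || exit 1
cd "linux-${kver}/" || exit 1
# Start from the running kernel's configuration, then tune it interactively.
cp "/boot/config-$(uname -r)" .config || exit 1
make menuconfig
make-kpkg clean
# Build width follows the host instead of a fixed -j 4.
fakeroot make-kpkg --initrd --revision=1.0.spec kernel_image kernel_headers -j "$(nproc)"
ls ../*.deb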

3. Apache sous Debian 8

3.1. Automatisation de la compilation d'Apache 2.4

#!/bin/bash
# Build tree root, install prefix root, and the directory the script was
# launched from (downloaded tarballs are cached there between runs).
srcd="/opt/src"
prodd="/opt/prod"
wdir="$PWD"

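compilation(){
  # Build Apache 2.4.18 from source with the bundled APR / APR-util and
  # install it under ${prodd}/apache; create the apache24 system account.
  # Reads globals srcd, prodd, wdir. Tarballs are cached in $wdir. Root only.
  # Returns 1 as soon as a download, extraction, cd or build step fails
  # (the original carried on and ran 'make' in whatever directory it was in).
  local httpd_tgz="httpd-2.4.18.tar.gz"
  local apu_tgz="apr-util-1.5.4.tar.gz"
  local apr_tgz="apr-1.5.2.tar.gz"

  echo "----> Création des répertoires $srcd $prodd"
  [ -d "$srcd" ] || mkdir -p "$srcd"
  [ -d "$prodd" ] || mkdir -p "$prodd"

  echo "----> Mise a jour"
  apt-get update && apt-get -y upgrade
  clear

  echo "----> Installation des prérequis"
  apt-get -y install build-essential make gcc libpcre3-dev lynx curl unzip dnsutils tree
  clear

  echo "----> Création groupe et utilisateur apache24"
  # System account with no shell and no password.
  # NOTE(review): nothing below sets User/Group in httpd.conf to apache24, so
  # the compiled default (User/Group daemon) is presumably what httpd drops
  # to — confirm and adjust httpd.conf if the dedicated account is intended.
  addgroup --system --gid 50000 apache24
  adduser --quiet --gecos "" --home "${prodd}/apache/" --shell /bin/false --uid 50000 --gid 50000 --disabled-password --disabled-login apache24

  echo "----> Installation Apache 2.4.18"
  # NOTE(review): downloads rely on https only; the .sha256/.asc files that
  # archive.apache.org publishes next to each tarball are not checked.
  # A failed wget -O leaves an empty file behind, which the -f test would then
  # accept on the next run — hence the rm on failure.
  [ -f "${wdir}/${httpd_tgz}" ] || wget -O "${wdir}/${httpd_tgz}" "https://archive.apache.org/dist/httpd/${httpd_tgz}" || { rm -f -- "${wdir}/${httpd_tgz}"; return 1; }
  [ -f "${wdir}/${apu_tgz}" ] || wget -O "${wdir}/${apu_tgz}" "https://archive.apache.org/dist/apr/${apu_tgz}" || { rm -f -- "${wdir}/${apu_tgz}"; return 1; }
  [ -f "${wdir}/${apr_tgz}" ] || wget -O "${wdir}/${apr_tgz}" "https://archive.apache.org/dist/apr/${apr_tgz}" || { rm -f -- "${wdir}/${apr_tgz}"; return 1; }

  cp "${wdir}/${httpd_tgz}" "${srcd}/" || return 1
  cd "$srcd" || return 1
  tar xvzf "$httpd_tgz" && cd httpd-2.4.18/srclib || return 1
  cp "${wdir}/${apu_tgz}" . && tar xvzf "$apu_tgz" && mv apr-util-1.5.4 apr-util || return 1
  cp "${wdir}/${apr_tgz}" . && tar xvzf "$apr_tgz" && mv apr-1.5.2 apr || return 1
  cd .. || return 1
  ./configure --prefix="${prodd}/apache" --enable-nonportable-atomics=yes --with-included-apr || return 1
  make || return 1
  make install || return 1
  echo ""
}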

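service(){
  # Register Apache as the systemd unit apache24, enable it, and add the
  # PATH entry, the envvars export and a ServerName directive.
  # Reads global prodd. The three appends are guarded so a second run does
  # not duplicate them (the original appended to /etc/bash.bashrc,
  # envvars and httpd.conf every time).
  local unit=/etc/systemd/system/apache24.service
  local bindir="${prodd}/apache/bin"
  local httpd_conf="${prodd}/apache/conf/httpd.conf"
  echo "----> Création du service"
  cat << EOF > "$unit"
[Unit]
Description=Apache Web Server
After=network.target

[Service]
ExecStart=${prodd}/apache/bin/httpd -DFOREGROUND
ExecReload=${prodd}/apache/bin/httpd -k graceful
ExecStop=${prodd}/apache/bin/httpd -k graceful-stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
  systemctl enable apache24
  echo ""
  echo "----> PATH et environnement"
  grep -qF "PATH=\$PATH:${bindir}" /etc/bash.bashrc || echo "PATH=\$PATH:${bindir}" >> /etc/bash.bashrc
  grep -qF 'export HOSTNAME=$(hostname)' "${bindir}/envvars" || echo 'export HOSTNAME=$(hostname)' >> "${bindir}/envvars"
  grep -q '^ServerName ' "$httpd_conf" || echo "ServerName $HOSTNAME" >> "$httpd_conf"
  clear
}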

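activation(){
  # Start the unit, give it a few seconds, then show its status, an HTTP
  # probe on localhost and the effective lines of httpd.conf.
  # Reads global prodd.
  local httpd_conf="${prodd}/apache/conf/httpd.conf"
  systemctl start apache24
  sleep 10
  echo "----> Installation Apache 2.4.18 terminée"
  echo "----> Statut du service"
  systemctl status apache24
  echo "----> Test de connexion HTTP"
  curl -i 127.0.0.1
  echo "----> Fichier de configuration par défaut"
  # The original "^[^#|^$|^ *$]" was one bracket expression: it dropped every
  # line starting with '#', '|', '^', '$', ' ' or '*' and kept blank lines.
  # This keeps exactly the non-comment, non-blank lines.
  grep -Ev '^[[:space:]]*(#|$)' "$httpd_conf"
}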

# Build, register the unit, then start and check it.
for stage in compilation service activation; do
  "$stage"
done

3.2. Automatisation des hôtes virtuels

  1. Création d'un fichier Macro /etc/apache2/macro.conf
  2. Include macro.conf
  3. Création des dossiers
  4. Création des fichiers index.html
  5. Activation de la macro
  6. Configuration DNS local
  7. Activation du module macro
  8. Redémarrage
  9. Tests de connexion
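#!/bin/bash
# Create four name-based Apache virtual hosts (monsite01..04.xyz) on Debian 8
# from a mod_macro template: install apache2, write macro.conf, include and
# instantiate the macro, create each document root with a test page, add
# local /etc/hosts entries, then probe each site with curl. Root only.
# The Include/Use lines and the hosts entries are only added when missing,
# so a second run no longer duplicates them (the original appended every time).
set -u

# Literal "$id" for the macro body: the heredoc below is left unquoted so
# $conf expands, while "\$id" keeps the macro parameter as text for Apache.
id="\$id"
conf=/etc/apache2
sites=(01 02 03 04)
echo "---> Initialisation des variables"

echo "---> Installation d'Apache2"
apt-get -y install curl apache2 apache2-doc apache2-utils

echo "--->  Création du répertoire de logs"
mkdir -p /opt/prod/log/www

echo "---> Création automatique du fichier macro.conf"
cat << EOF > "$conf/macro.conf"
<Macro monsite $id>
<VirtualHost *:80>
    ServerName monsite$id.xyz
    ServerAlias *.monsite$id.xyz
    ServerAdmin webmaster@monsite$id.xyz
    DocumentRoot /opt/prod/monsite$id/www
    ErrorLog /opt/prod/log/www/monsite$id.xyz_error.log
    CustomLog /opt/prod/log/www/monsite$id.xyz_access.log combined
        <Directory /opt/prod/monsite$id/www>
        Require all granted
    </Directory>
</VirtualHost>
</Macro>
EOF

echo "--->  Intégration dans /etc/apache2/apache2.conf et Entrée DNS local"
# Keep a timestamped copy of the configuration before touching it.
cp "$conf/apache2.conf" "$conf/apache2.conf.$(date +%s)" || exit 1
grep -qx 'Include macro.conf' "$conf/apache2.conf" || echo "Include macro.conf" >> "$conf/apache2.conf"
for id in "${sites[@]}"; do
   mkdir -p "/opt/prod/monsite$id/www"
   echo "<html><header></header><body><h1>It Works ! on $id</h1></body></html>" > "/opt/prod/monsite$id/www/index.html"
   grep -qx "Use monsite $id" "$conf/apache2.conf" || echo "Use monsite $id" >> "$conf/apache2.conf"
   grep -qF "monsite$id.xyz" /etc/hosts || echo "127.0.0.1 monsite$id.xyz www.monsite$id.xyz" >> /etc/hosts
done

echo "---> Activation du module macro et redémarrage"
a2enmod macro
systemctl reload apache2

echo "---> tests de connexion sur chaque site"
for id in "${sites[@]}"; do
   curl "http://www.monsite$id.xyz"
done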

3.3. Script create_vhost_httpd.sh

https://gist.github.com/goffinet/33205a18152fe3a87a5cf2d46e65dc3f

bash -x create_vhost_httpd.sh host1.example.com
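#!/bin/bash
#create_vhost_httpd.sh in Centos7
# Usage: create_vhost_httpd.sh <fqdn>
# Creates a plain-HTTP name-based virtual host for <fqdn>: /etc/hosts entry,
# document root with a test page, SELinux context, log files, the conf.d
# vhost file; then enables and (re)starts httpd and shows the result. Root only.
set -u

#Variables
host=${1:?usage: ${0##*/} <fqdn>}
# The name is pasted into /etc/hosts, file paths and Apache directives written
# as root: accept only host-name characters so a stray argument cannot inject
# configuration or reach outside the intended directories.
host_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$host" =~ $host_re ]]; then
  echo "invalid host name: ${host}" 1>&2
  exit 1
fi
port="80"
location="/var/www/html"
error_log="/var/log/httpd/${host}-error_log"
# "common" here is the CustomLog format name, not part of the file name.
access_log="/var/log/httpd/${host}-access_log common"
#Résolution de nom locale (once: re-runs no longer stack identical entries)
grep -qF "127.0.0.1 ${host}" /etc/hosts || echo "127.0.0.1 ${host}" >> /etc/hosts
#Création du dossier et des pages Web
mkdir -p "${location}/${host}"
echo "${host} test page" > "${location}/${host}/index.html"
#Restauration de la policy Selinux sur le dossier créé
restorecon -Rv "${location}/${host}"
#Création du dossier et des fichiers pour les logs
# The original 'touch ... -access_log common' also created a stray file
# named "common" in the current directory.
mkdir -p /var/log/httpd
touch "${error_log}" "/var/log/httpd/${host}-access_log"
#Configuration du vhost
cat << EOF > "/etc/httpd/conf.d/${host}.conf"
<VirtualHost *:${port}>
ServerAdmin webmaster@${host}
DocumentRoot ${location}/${host}
ServerName ${host}
ErrorLog ${error_log}
CustomLog ${access_log}
</VirtualHost>
EOF
#Activation et lancement du service
systemctl enable httpd
# restart covers both "not running yet" and "running with the old config"
# (the original did start followed by restart).
systemctl restart httpd
#Diagnostic
curl "${host}"
httpd -D DUMP_VHOSTS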

3.4. Script create_vhost_httpds.sh

https://gist.github.com/goffinet/935c79afaffb6860386880e8bbfb7287

bash -x create_vhost_httpds.sh host1.example.com
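#!/bin/bash
#create_vhost_httpds.sh in Centos7
# Usage: create_vhost_httpds.sh <fqdn>
# Adds an HTTPS virtual host for <fqdn> with a self-signed certificate:
# /etc/hosts entry, document root with a test page, SELinux context, log
# files, certificate + key, the conf.d vhost (appended, so it can sit next to
# the HTTP one); then enables and (re)starts httpd. Root only.
set -u

#Variables
host=${1:?usage: ${0##*/} <fqdn>}
# The name is pasted into /etc/hosts, file paths and Apache directives written
# as root: accept only host-name characters.
host_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$host" =~ $host_re ]]; then
  echo "invalid host name: ${host}" 1>&2
  exit 1
fi
port="443"
location="/var/www/html"
error_log="/var/log/httpd/${host}-error_log"
# "common" here is the CustomLog format name, not part of the file name.
access_log="/var/log/httpd/${host}-access_log common"
# The original hard-coded host1.example.com for both files, so any other
# host name got a vhost pointing at someone else's certificate.
cert="/etc/pki/tls/certs/${host}.crt"
key="/etc/pki/tls/private/${host}.key"
#Résolution de nom locale (once: re-runs no longer stack identical entries)
grep -qF "127.0.0.1 ${host}" /etc/hosts || echo "127.0.0.1 ${host}" >> /etc/hosts
#Création du dossier et des pages Web
mkdir -p "${location}/${host}"
echo "${host} test page" > "${location}/${host}/index.html"
#Restauration de la policy Selinux sur le dossier créé
restorecon -Rv "${location}/${host}"
#Création du dossier et des fichiers pour les logs
# The original 'touch ... -access_log common' also created a stray file
# named "common" in the current directory.
mkdir -p /var/log/httpd
touch "${error_log}" "/var/log/httpd/${host}-access_log"
#Génération du certificat auto-signé
# Generated only when missing, so a re-run cannot silently overwrite a
# certificate that has since been replaced by a real one. The key is
# unencrypted (-nodes) as httpd must read it unattended, hence root-only mode.
if [ ! -f "${key}" ] || [ ! -f "${cert}" ]; then
openssl req -nodes -x509 -newkey rsa:4096 \
-out "${cert}" \
-keyout "${key}" \
-days 365 \
-subj "/C=BE/ST=Brussels/L=Brussels/O=webteam/CN=${host}" || exit 1
chmod 0600 "${key}"
fi
#Configuration du vhost HTTPS
# NOTE(review): 'SSLProtocol all -SSLv2 -SSLv3' still allows TLS 1.0/1.1 and
# the cipher string includes 3DES; kept as in the original, tighten per policy.
cat << EOF >> "/etc/httpd/conf.d/${host}.conf"
<VirtualHost *:${port}>
ServerAdmin webmaster@${host}
DocumentRoot ${location}/${host}
ServerName ${host}
ErrorLog ${error_log}
CustomLog ${access_log}
    SSLEngine on
    SSLCipherSuite !EDH:!ADH:!DSS:!RC4:HIGH:+3DES
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
</VirtualHost>
EOF
#Activation et lancement du service
systemctl enable httpd
# restart covers both "not running yet" and "running with the old config"
systemctl restart httpd
#Diagnostic
# Probe the vhost that was just created (port 443); -k because the
# certificate is self-signed. The original 'curl host' only tried port 80.
curl -k "https://${host}"
httpd -D DUMP_VHOSTS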

3.5. Script vhost-creator

Pour la curiosité.

Script https://github.com/mattmezza/vhost-creator.

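#!/bin/bash
# This script is used for create virtual hosts on CentOs.
# Created by alexnogard from http://alexnogard.com
# Improved by mattmezza from http://matteomerola.me
# Feel free to modify it
#   PARAMETERS
#
# $usr          - User
# $dir          - directory of web files
# $servn        - webserver address without www.
# $cname        - cname of webserver
# EXAMPLE
# Web directory = /var/www/
# ServerName    = domain.com
# cname            = devel
#
#
# Check if you execute the script as root user
#
# This will check if directory already exist then create it with path : /directory/you/choose/domain.com
# Set the ownership, permissions and create a test index.php file
# Create a vhost file domain in your /etc/httpd/conf.d/ directory.
# And add the new vhost to the hosts.
#
# Fixes in this revision:
# - "$cname_$servn" was read by bash as the (empty) variable "cname_" followed
#   by $servn, so every path and file name silently lost the cname; it is now
#   "${cname}_${servn}" (site_name below).
# - "if ! echo -e <path>" never fails, so the "wasn't created" branches were
#   unreachable; the checks now test the file on disk.
# - "mkdir -p" succeeds on an existing directory, so "already Exist" was never
#   printed; the directory is tested first.
# - Answers are read with -r and quoted wherever they reach a command, and the
#   server name, cname, port and user are validated because they are written
#   into the Apache configuration and /etc/hosts as root.
# - On Ubuntu the plain vhost is enabled right after it is written (before, it
#   was only enabled when an SSL vhost was requested as well).
# - The script already requires root, so the sudo prefixes are gone.
#
if [ "$(whoami)" != 'root' ]; then
echo "Dude, you should execute this script as root user..."
exit 1;
fi
echo "First of all, is this server an Ubuntu or is it a CentOS?"
read -r -p "ubuntu or centos (lowercase, please) : " osname

SERVICE_="apache2"
VHOST_PATH="/etc/apache2/sites-available"
# Configuration syntax check, kept as an array so it runs without relying
# on word-splitting of an unquoted string.
CFG_TEST=(apachectl -t)
if [ "$osname" == "centos" ]; then
  SERVICE_="httpd"
  VHOST_PATH="/etc/httpd/conf.d"
  CFG_TEST=(service httpd configtest)
elif [ "$osname" != "ubuntu" ]; then
  echo "Sorry mate but I only support ubuntu or centos"
  echo " "
  echo "By the way, are you sure you have entered 'centos' or 'ubuntu' all lowercase???"
  exit 1;
fi

echo "Enter the server name you want"
read -r -p "e.g. mydomain.tld (without www) : " servn
echo "Enter a CNAME"
read -r -p "e.g. www or dev for dev.website.com : " cname
echo "Enter the path of directory you wanna use"
read -r -p "e.g. /var/www/, dont forget the / : " dir
echo "Enter the name of the document root folder"
read -r -p "e.g. htdocs : " docroot
echo "Enter the user you wanna use"
read -r -p "e.g. apache/www-data : " usr
echo "Enter the listened IP for the web server"
read -r -p "e.g. * : " listen
echo "Enter the port on which the web server should respond"
read -r -p "e.g. 80 : " port

# Input checks: these values end up in paths, /etc/hosts and Apache
# directives, so refuse anything that is not a plain host-name label, a
# numeric port, a non-empty folder name or an existing account.
host_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$servn" =~ $host_re ]]; then
  echo "Invalid server name: $servn" 1>&2
  exit 1
fi
if [[ -n "$cname" && ! "$cname" =~ $host_re ]]; then
  echo "Invalid CNAME: $cname" 1>&2
  exit 1
fi
if [[ ! "$port" =~ ^[0-9]+$ ]]; then
  echo "Invalid port: $port" 1>&2
  exit 1
fi
if [ -z "$docroot" ]; then
  echo "Document root folder name must not be empty" 1>&2
  exit 1
fi
if ! id "$usr" >/dev/null 2>&1; then
  echo "Unknown user: $usr" 1>&2
  exit 1
fi

site_name="${cname}_${servn}"
site_dir="${dir}${site_name}/${docroot}"

if [ -d "$site_dir" ]; then
echo "Web directory already Exist !"
else
mkdir -p "$site_dir" && echo "Web directory created with success !"
fi
echo "<h1>$cname $servn</h1>" > "$site_dir/index.html"
chown -R "$usr:$usr" "$site_dir"
chmod -R '775' "$site_dir"
mkdir -p "/var/log/$site_name"

alias="$cname.$servn"
if [[ "${cname}" == "" ]]; then
alias="$servn"
fi

cat > "$VHOST_PATH/$site_name.conf" <<EOF
#### $cname $servn
<VirtualHost $listen:$port>
ServerName $servn
ServerAlias $alias
DocumentRoot $site_dir
<Directory $site_dir>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
EOF
if [ ! -f "$VHOST_PATH/$site_name.conf" ]; then
echo "Virtual host wasn't created !"
else
echo "Virtual host created !"
if [ "$osname" == "ubuntu" ]; then
  echo "Enabling Virtual host..."
  a2ensite "$site_name.conf"
fi
fi
echo "Would you like me to create ssl virtual host [y/n]? "
read -r q
if [[ "${q}" == "yes" ]] || [[ "${q}" == "y" ]]; then
# NOTE(review): the private key is written next to the vhost files rather than
# into the system TLS directory; it is made root-only below.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$VHOST_PATH/$site_name.key" -out "$VHOST_PATH/$site_name.crt"
if [ ! -f "$VHOST_PATH/$site_name.key" ]; then
echo "Certificate key wasn't created !"
else
chmod 600 "$VHOST_PATH/$site_name.key"
echo "Certificate key created !"
fi
if [ ! -f "$VHOST_PATH/$site_name.crt" ]; then
echo "Certificate wasn't created !"
else
echo "Certificate created !"
fi

cat > "$VHOST_PATH/ssl.$site_name.conf" <<EOF
#### ssl $cname $servn
<VirtualHost $listen:443>
SSLEngine on
SSLCertificateFile $VHOST_PATH/$site_name.crt
SSLCertificateKeyFile $VHOST_PATH/$site_name.key
ServerName $servn
ServerAlias $alias
DocumentRoot $site_dir
<Directory $site_dir>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Satisfy Any
</Directory>
</VirtualHost>
EOF
if [ ! -f "$VHOST_PATH/ssl.$site_name.conf" ]; then
echo "SSL Virtual host wasn't created !"
else
echo "SSL Virtual host created !"
if [ "$osname" == "ubuntu" ]; then
  echo "Enabling SSL Virtual host..."
  a2ensite "ssl.$site_name.conf"
fi
fi
fi

# One entry per name: a re-run no longer stacks duplicates in /etc/hosts.
grep -qF "127.0.0.1 $servn" /etc/hosts || echo "127.0.0.1 $servn" >> /etc/hosts
if [ "$alias" != "$servn" ]; then
grep -qF "127.0.0.1 $alias" /etc/hosts || echo "127.0.0.1 $alias" >> /etc/hosts
fi
echo "Testing configuration"
"${CFG_TEST[@]}"
echo "Would you like me to restart the server [y/n]? "
read -r q
if [[ "${q}" == "yes" ]] || [[ "${q}" == "y" ]]; then
service "$SERVICE_" restart
fi
echo "======================================"
echo "All works done! You should be able to see your website at http://$servn"
echo ""
echo "Share the love! <3"
echo "======================================"
echo ""
echo "Wanna contribute to improve this script? Found a bug? https://github.com/mattmezza/vhost-creator"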

4. Proxy Nginx

4.1. Script d'installation Ghost - Nginx - Letsencrypt

Source : https://gist.github.com/goffinet/f998fd20b0b79e06deb398ede19943cb

Ce script vise à automatiser l'installation d'un blog Ghost lancé sur un port TCP aléatoire (tcp_port=$(shuf -i 8184-65000 -n 1)) avec Nginx en frontal en HTTPS à partir de n'importe quelle instance Ubuntu 16.04 Xenial connectée à l'Internet (ip_wan=$(curl -s ipinfo.io/ip)). Le proxy Web est configuré pour rediriger les requêtes HTTP en HTTPS. Le certificat TLS est automatiquement généré avec Let's Encrypt. Une adresse DNS type A est créée ou mise à jour chez Cloudflare via leur API (CF_API_URL="https://api.cloudflare.com/client/v4"). On envisage une sécurité minimale avec le pare-feu Netfilter et le logiciel Fail2ban.

Le script respecte les différentes étapes manuelles décrites plus haut :

  1. Vérification du contexte d'exécution du script
  2. Mise à jour du système
  3. Création ou mise à jour d'une entrée DNS (via l'API Cloudflare)
  4. Installation de la version pré-requise du framework Node.js
  5. Installation de Nginx
  6. Configuration de Nginx comme Reverse Proxy
  7. Installation et configuration de Let's Encrypt, obtention des certificats et configuration du Proxy
  8. Installation et configuration du pare-feu et de Fail2ban
  9. Installation de quelques thèmes du blog
#!/bin/bash

## 1. Set variables
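SITE="blog1"
ZONE="example.com"
MAIL="root@example.com"
# Cloudflare API key. Taken from the environment when set so the secret does
# not have to live in the script; the placeholder below is kept as fallback.
CF_TOKEN="${CF_TOKEN:-your_api}"
## Do not touch any others
CF_EMAIL=$MAIL
CF_ZONE=$ZONE
CF_NAME=$SITE
CF_API_URL="https://api.cloudflare.com/client/v4"
curl_command='curl'
# Public address as seen from outside. It comes from a third-party service
# over plain HTTP and is later pasted into the Cloudflare API payload, so
# accept only a dotted quad and stop otherwise (the original would have sent
# an empty or arbitrary string as the A record).
ip_wan=$(curl -s ipinfo.io/ip)
if [[ ! "$ip_wan" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "could not determine the public IPv4 address (got '${ip_wan}')" 1>&2
  exit 1
fi
# Random high port for the Ghost process; nginx proxies to it on localhost.
tcp_port=$(shuf -i 8184-65000 -n 1)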

## 2. Check root and distro
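check_env () {
  # Refuse to run unless root on Ubuntu 16.04: every later step installs
  # packages and writes under /etc. Exits (not returns) on failure, as before.
  local release
  if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
  fi
  # The original compared an unquoted $(lsb_release -rs); when lsb_release
  # is missing that produced a test error instead of a clean refusal.
  release=$(lsb_release -rs 2>/dev/null)
  if [[ "$release" != "16.04" ]]; then
    echo "This script must be run on Ubuntu 16.04 Xenial" 1>&2
    exit 1
  fi
}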

## 3. Update and upgrade the system
system_update () {
  # Refresh the package index, then upgrade and dist-upgrade unattended;
  # a later step runs only if the previous one succeeded, and the status of
  # the first failing step is returned.
  apt-get update || return $?
  apt-get -y upgrade || return $?
  apt-get -y dist-upgrade
}

## 4. Create an DNS entry to Cloudflare

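set_dns () {
  # Point ${CF_NAME}.${CF_ZONE} at this host's public address through the
  # Cloudflare v4 API: look up the zone id, then the existing A record, and
  # update it (PUT) or create it (POST).
  # Reads globals curl_command, CF_API_URL, CF_ZONE, CF_NAME, CF_EMAIL,
  # CF_TOKEN, ip_wan. Returns 1 when the zone cannot be found.
  # NOTE(review): the API key travels on the curl command line, so it is
  # visible in 'ps' and in 'bash -x' output for the duration of each call;
  # the JSON replies are scraped with grep rather than parsed (no jq here).
  local -a auth=(-H "X-Auth-Email: ${CF_EMAIL}" -H "X-Auth-Key: ${CF_TOKEN}" -H "Content-Type: application/json")
  local zones zone records records_id ip payload
  apt-get -y install curl
  ## 2. Get Zone ID
  zones=$("${curl_command}" -s -X GET "${CF_API_URL}/zones?name=${CF_ZONE}" "${auth[@]}")
  zone=$(echo "${zones}" | grep -Po '(?<="id":")[^"]*' | head -1)
  if [ -z "$zone" ]; then
    echo "zone ${CF_ZONE} not found (check CF_TOKEN / CF_EMAIL)" 1>&2
    return 1
  fi
  ## 3. Get Record ID and IP Address of hostname
  records=$("${curl_command}" -s -X GET "${CF_API_URL}/zones/${zone}/dns_records?type=A&name=${CF_NAME}.${CF_ZONE}&page=1&per_page=20&order=type&direction=desc&match=all" "${auth[@]}")
  # First match only: with several A records the original fed a multi-line
  # id list into the PUT URL.
  records_id=$(echo "${records}" | grep -Po '(?<="id":")[^"]*' | head -1)
  ip=$(echo "${records}" | grep -Po '(?<="content":")[^"]*' | head -1)
  payload="{\"id\":\"${zone}\",\"type\":\"A\",\"name\":\"${CF_NAME}.${CF_ZONE}\",\"content\":\"${ip_wan}\"}"
  ## Check if Record exists
  # Ordered so that a missing record is created, not first PUT to an empty id
  # (the original ran both the PUT and the POST when no record existed).
  if [ -z "$records_id" ]; then
    echo "Please create the record ${CF_NAME}.${CF_ZONE}"
    "${curl_command}" -s -X POST "${CF_API_URL}/zones/${zone}/dns_records" "${auth[@]}" --data "$payload"
  elif [ "${ip}" == "${ip_wan}" ]; then
    echo "Nothing to do"
  else
    echo "do update"
    "${curl_command}" -s -X PUT "${CF_API_URL}/zones/${zone}/dns_records/${records_id}" "${auth[@]}" --data "$payload"
  fi
}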

## 5. Get and install Node.js
set_nodejs () {
  # Add the NodeSource repository for Node.js 4.x and install nodejs.
  # NOTE(review): this pipes a remote script straight into a root shell; the
  # only protection is TLS to deb.nodesource.com. Download it, read it, then
  # run it if that is not acceptable in your environment.
  local setup_url="https://deb.nodesource.com/setup_4.x"
  curl -sL "$setup_url" | sudo bash -
  apt-get install -y nodejs
}

## 6. Get and Install Ghost Software
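set_ghost () {
  # Download the latest Ghost release, unpack it under /var/www/$SITE, point
  # it at ${SITE}.${ZONE} on $tcp_port, create the 'ghost' account and a
  # systemd unit, then start it. Reads globals SITE, ZONE, tcp_port.
  # Returns 1 when a cd, the download or the extraction fails (the original
  # went on regardless).
  # NOTE(review): ghost-latest.zip is neither pinned to a version nor checked
  # against a published hash; what gets installed depends on download time.
  local site_root="/var/www/$SITE"
  local unit="/etc/systemd/system/$SITE.service"
  cd ~ || return 1
  wget https://ghost.org/zip/ghost-latest.zip || return 1
  # -p: the plain mkdir in the original failed when /var/www already existed.
  mkdir -p /var/www
  # -y: the original prompted here and stalled an unattended run.
  apt-get install -y unzip
  unzip -d "$site_root" ghost-latest.zip || return 1
  cd "$site_root" || return 1
  npm install --production
  cp config.example.js config.js
  sed -i "s/my-ghost-blog.com/${SITE}.${ZONE}/" config.js
  sed -i "s/2368/${tcp_port}/" config.js
  # NOTE(review): the unit does not need a login shell for this account;
  # /usr/sbin/nologin would do. Kept as in the original.
  adduser --shell /bin/bash --gecos 'Ghost application' ghost --disabled-password
  chown -R ghost:ghost "$site_root"
  cat << EOF > "$unit"
[Unit]
Description="Ghost $SITE"
After=network.target

[Service]
Type=simple

WorkingDirectory=/var/www/$SITE
User=ghost
Group=ghost

ExecStart=/usr/bin/npm start --production
ExecStop=/usr/bin/npm stop --production
Restart=always
SyslogIdentifier=Ghost

[Install]
WantedBy=multi-user.target
EOF
  systemctl enable "$SITE.service"
  systemctl start "$SITE.service"
  rm ~/ghost-latest.zip
}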

## 7. Get and install Nginx
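set_nginx () {
  # Install nginx, generate DH parameters once, replace nginx.conf with the
  # hardened global configuration below and publish an http-only site for
  # ${SITE}.${ZONE} that serves /.well-known (ACME challenge) and redirects
  # everything else to https. Reads globals SITE, ZONE. set_letsencrypt
  # rewrites the site file afterwards.
  # NOTE(review): 'openssl dhparam -dsaparam' produces DSA-style (non
  # safe-prime) parameters — fast to generate but not what hardening guides
  # mean by a 2048-bit dhparam; drop -dsaparam if the generation time is
  # acceptable. ssl_protocols still lists TLSv1 and TLSv1.1 (deprecated);
  # restricting to TLSv1.2 is an operator decision, left as in the original.
  local site_avail="/etc/nginx/sites-available/$SITE"
  local site_enabled="/etc/nginx/sites-enabled/$SITE"
  apt-get install -y nginx
  systemctl enable nginx
  # -f: an already-removed default site (re-run) is not an error.
  rm -f /etc/nginx/sites-enabled/default
  if [ ! -f /etc/ssl/certs/dhparam.pem ]; then
    openssl dhparam  -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
  fi
  cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
  cat << EOF > /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

  # from https://cipherli.st/
  # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

  # Only the TLS protocol family
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  # This will block IE6, Android 2.3 and older Java version from accessing your site, but these are the safest settings.
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  # ECDH key exchange prevents all known feasible cryptanalytic attacks
  ssl_ecdh_curve secp384r1;
  # 20MB of cache will host about 80000 sessions
  ssl_session_cache shared:SSL:20m;
  # Session expires every 3 hours
  ssl_session_timeout 180m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  # OCSP stapling using Google public DNS servers
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}
EOF
  cat << EOF > "$site_avail"
server {
    listen 80;
    server_name ${SITE}.${ZONE};

    location ~ ^/.well-known {
        root /var/www/$SITE;
    }

    location / {
        return 301 https://\$server_name\$request_uri;
    }
}
EOF
  # -sfn: replace a stale link on re-run instead of failing on it.
  ln -sfn "$site_avail" "$site_enabled"
  systemctl restart nginx
}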

## 8. Get and install Letsencrypt
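set_letsencrypt () {
  # Obtain a Let's Encrypt certificate for ${SITE}.${ZONE} via the webroot
  # challenge, switch the nginx site to https with a reverse proxy to the
  # Ghost port, schedule weekly renewal, and flip Ghost's own URL to https.
  # Reads globals SITE, ZONE, MAIL, tcp_port. Returns 1 when issuance or a
  # cd fails.
  # NOTE(review): TLSv1/TLSv1.1 and the 3DES / plain-RSA suites are kept in
  # the server block as in the original; tightening them is an operator
  # decision. 'ssl on;' is the pre-1.15 spelling, fine for Xenial's nginx.
  local fqdn="${SITE}.${ZONE}"
  local site_avail="/etc/nginx/sites-available/$SITE"
  local site_root="/var/www/$SITE"
  apt-get -y install letsencrypt
  # Stop here on failure: writing the https site below with no certificate
  # on disk leaves nginx unable to start (the original carried on).
  letsencrypt certonly -a webroot --webroot-path="${site_root}/" -d "$fqdn" -m "$MAIL" --agree-tos \
    || { echo "certificate issuance for ${fqdn} failed" 1>&2; return 1; }
  cat << EOF > "$site_avail"
server {
        listen 80;

        server_name ${SITE}.${ZONE};

        location ~ ^/.well-known {
            root /var/www/$SITE;
        }

        location / {
            return 301 https://\$server_name\$request_uri;
        }
}

server {
        listen 443 ssl;

        server_name ${SITE}.${ZONE};

        location / {
                proxy_pass http://localhost:${tcp_port};
                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
                proxy_set_header Host \$http_host;
                proxy_set_header X-Forwarded-Proto \$scheme;
                proxy_buffering off;
                proxy_redirect off;
        }

        ssl on;
        ssl_certificate /etc/letsencrypt/live/${SITE}.${ZONE}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/${SITE}.${ZONE}/privkey.pem;

        ssl_prefer_server_ciphers On;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

}
EOF
  # /etc/cron.d entries need a user field between the schedule and the
  # command; without it cron rejects the line, so the original never renewed.
  cat << EOF > /etc/cron.d/le-renew
30 2 * * 1 root /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 root /bin/systemctl reload nginx
EOF
  systemctl restart nginx
  cd "$site_root" || return 1
  # Only the blog's own URL (the host name set_ghost substituted into
  # config.js) changes scheme; the original 's/http/https/' rewrote the first
  # "http" on every line of the file.
  sed -i "s#http://${fqdn}#https://${fqdn}#" config.js
  chown -R ghost:ghost "$site_root"
  systemctl restart "$SITE.service"
}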

## 9. Set Firewalld and Fail2ban
set_firewall () {
  # Minimal host firewall: firewalld public zone on eth0 allowing http and
  # https, plus fail2ban with its stock jails; both units enabled at boot.
  # NOTE(review): 'eth0' is assumed to be the Internet-facing interface name —
  # confirm on the instance (predictable names such as ens3 are common).
  local svc
  local zone=public
  local wan_if=eth0
  apt-get install -y firewalld
  systemctl enable firewalld
  for svc in https http; do
    firewall-cmd --permanent --zone="$zone" --add-service="$svc"
  done
  firewall-cmd --permanent --zone="$zone" --add-interface="$wan_if"
  firewall-cmd --reload
  firewall-cmd --permanent --zone="$zone" --list-all
  apt-get install -y fail2ban
  systemctl enable fail2ban
}

## 10. Upload some themes

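upload_themes () {
  # Clone a set of community themes into the blog's content/themes directory,
  # hand them to the ghost user, then restart the service. Reads global SITE.
  # The original 'cd content/themes' was relative and only worked because
  # set_letsencrypt had left the cwd in /var/www/$SITE; the path is now
  # absolute and checked. Returns 1 when the directory is missing.
  # NOTE(review): these are unpinned third-party repositories cloned straight
  # into a served directory; review or pin them before use outside a lab.
  local themes_dir="/var/www/$SITE/content/themes"
  local entry repo name
  local -a themes=(
    "https://github.com/boh717/beautiful-ghost.git beautifulghost"
    "https://github.com/Dennis-Mayk/Practice.git Practice"
    "https://github.com/andreborud/penguin-theme-dark.git penguin-theme-dark"
    "https://github.com/daanbeverdam/buster.git buster"
    "https://github.com/godofredoninja/Mapache.git Mapache"
    "https://github.com/haydenbleasel/ghost-themes.git Phantom"
    "https://github.com/kagaim/Chopstick.git Chopstick"
    "https://github.com/GavickPro/Perfetta-Free-Ghost-Theme.git Perfetta"
  )
  apt-get install -y git
  cd "$themes_dir" || return 1
  for entry in "${themes[@]}"; do
    repo=${entry%% *}
    name=${entry##* }
    git clone "$repo" "$name"
    chown -R ghost:ghost "$name"
  done
  systemctl restart "$SITE.service"
}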

# Run the installation stages in order; check_env exits on its own when the
# environment is wrong.
for stage in check_env system_update set_dns set_nodejs set_ghost \
             set_nginx set_letsencrypt set_firewall upload_themes; do
  "$stage"
done

5. OpenVPN

Installation d'OpenVPN et configuration de clients

https://gist.githubusercontent.com/goffinet/aec2c7d85891e6078c5138c9f38de100/raw/7761dc2372604133e458091e19312cf6c5b71123/openvpn-install.sh

6. Scripts de virtualisation KVM/libvirt

https://github.com/goffinet/virt-scripts/

Cet ensemble de scripts pour Libvirt/Qemu/KVM vise à la fois, d'une part, à fournir rapidement des solutions de déploiement et de gestion de systèmes Linux, et d'autre part, à démontrer l'usage des scripts Bash à des fins pédagogiques.

On y trouve entre autres de quoi fabriquer automatiquement à partir de sources HTTP et un fichier de configuration (kickstart ou preseed) une distribution Debian 8, Ubuntu 16.04 ou Centos 7 à optimiser et à cloner.

On y trouve aussi un script d'installation d'images déjà préparées (Quickbuilder).

Native installation and post-installation

Purpose : gold image auto-creation

  1. autoprep.sh : prepare your system as virtualization host
  2. get-iso.sh : get iso distributions
  3. auto-install.sh : build a fresh Centos, Debian or Ubuntu system with http repos and kickstart files
  4. auto-install-tui.sh : auto-install.sh text user interface demo
  5. sparsify.sh : optimize space disk on the designated guest
  6. clone.sh : clone, sysprep and optimize built guests
  7. hosts-file : print the running guests and their ipv4 address
  8. nested-physical.sh : nested installation

Devices creation

Purpose : disks and network creation

  1. add-isolated-bridge.sh : add an isolated libvirt bridge
  2. add-net-live.sh : attach a bridged network interface to a live guest
  3. add-storage.sh : attach an empty bit disk by Gb size

Quickbuilder

Purpose : deploy quickly centos7 debian7 debian8 ubuntu1604 kali metasploitable openwrt15.05 guests based on pre-built and downloaded minimal images.

  • quickbuilder-install.sh : install quickbuilder procedure
  • define-guest-image.sh : Install pre-built images (quickbuilder)
  • get_and_install_openwrt.sh : get and start openwrt with two interfaces

Start stop and remove guests

  1. start_all.sh : start all the defined guests
  2. destroy_and_undefine_all.sh : destroy, undefine all the guests with storage removing

Native installation and post-installation

Step 1 : Verify your installation

Script : autoprep.sh

Description : Setup KVM/Libvirtd/LibguestFS on RHEL7/Centos 7/Debian Jessie.

Usage :

# ./autoprep.sh

Step 2 : Get iso images (optional)

Script : get-iso.sh

Description : Get latest iso of Centos 7, Debian Jessie and Ubuntu Xenial.

Usage :

# ./get-iso.sh unknow
Erreur dans le script : ./get-iso.sh [ centos | debian | ubuntu ]

Step 3 : Build a guest automatically

Script : auto-install.sh

Description : Centos 7, Debian Jessie or Ubuntu Xenial fully automatic installation by HTTP Repo and response file via local HTTP.

Usage :

./auto-install.sh [ centos | debian | ubuntu ] guest_name

Note : Escape character is ^]

Step 4 : Sparse your native image

Script : sparsify.sh

Description : Sparse a disk. Great gain on disk space !

Usage :

./sparsify.sh guest_name

Check the disk usage : 2,0G

# du -h /var/lib/libvirt/images/ubuntu-gold-31122016.qcow2
2,0G    /var/lib/libvirt/images/ubuntu-gold-31122016.qcow2

Sparsify operation

# ./sparsify.sh ubuntu-gold-31122016

Sparse disk optimization
[   0,1] Create overlay file in /tmp to protect source disk
[   0,1] Examine source disk
[   4,3] Fill free space in /dev/sda1 with zero
 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ --:--
[   6,9] Fill free space in /dev/u1-vg/root with zero
 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
[  70,6] Clearing Linux swap on /dev/u1-vg/swap_1
[  71,9] Copy to destination and make sparse
[ 191,4] Sparsify operation completed with no errors.
virt-sparsify: Before deleting the old disk, carefully check that the
target disk boots and works correctly.

Check the disk usage : 432M

# du -h /var/lib/libvirt/images/ubuntu-gold-31122016.qcow2
432M    /var/lib/libvirt/images/ubuntu-gold-31122016.qcow2

Step 5 : Clone your guest

Script : clone.sh

Description : Cloning a domain disk with sparsifying and Linux sysprep.

Usage :

./clone.sh original_guest_name clone_guest_name

Step 6 : Add the guest hostname resolution

Script :

Description : Print a new /etc/resolv.conf with the ip address and the hostname of running guests.

Usage :

./hosts-file.sh

For example :

# ./hosts-file.sh
192.168.122.152 d1
192.168.122.236 d2
192.168.122.190 d3
192.168.122.155 c1
192.168.122.100 c2
192.168.122.40 c3

To update your /etc/hosts :

./hosts-file.sh >> /etc/hosts

Manage network and storage

Script : add-isolated-bridge.sh

Description : add an isolated libvirt bridge named "lan" on "virbr3"

Usage :

./add-isolated-bridge.sh

Script : add-net-live.sh

Description : attach a bridged network interface to a live guest

Usage :

./add-net-live.sh guest_name

Script : add-storage.sh

Description : attach an empty bit disk by GB size

Usage :

./add-storage.sh guest_name disk_name size_in_GB

Next steps ...

  • Install ansible, add ssh hosts keys, create an ansible inventory and test your managed nodes.
  • Exploit snapshots and virtual storage
  • Exploit Freeipa, Pacemaker, Ovirt

Todo

  • auto-install.sh
    • Fedora
  • create_repo.sh : create local repo

7. Scripts de Manipulation

7.1. Evaluation d'expressions rationnelles

Regexp.sh

Contexte : Évaluation d'expressions rationnelles.

#! /bin/sh
# Christophe Blaess, Scripts Shell Linux et Unix, p. 180.
# regexp.sh
EXPRESSION="$1"
# Eliminons l'expression des arguments de ligne de commande :
shift
# Puis comparons-la avec les chaines :
for chaine in "$@"
do
echo "$chaine" | grep "$EXPRESSION" > /dev/null
if [ $? -eq 0 ]
then
echo "$chaine : OUI"
else
echo "$chaine : NON"
fi
done

7.2. Script rm_secure.sh

Auteur : Christophe Blaess, Scripts Shell Linux et Unix, http://www.blaess.fr/christophe/articles/secure-your-rm-command.

Contexte : Ce script est utilisé comme point de départ du livre de Christophe Blaess.

rm_secure.sh

# http://www.blaess.fr/christophe/articles/secure-your-rm-command

    # Directory the wrapped 'rm' moves files into instead of deleting them
    # (trailing slash kept as in the original).
    sauvegarde_rm="$HOME/.rm_saved/"

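#######################################
# Shadow of rm(1): moves the named files into $sauvegarde_rm instead of
# unlinking them, so they can be listed (-l) or restored (-s) later.
# Globals:   sauvegarde_rm (read) - trash directory, created on first use
#            with mode 700 since it holds files the user wanted gone
# Arguments: rm-style options, then the files to "remove"
#            -d, --directory       accepted and ignored
#            -f, --force           no confirmation prompt
#            -i, --interactive     confirm each file (y/Y/o/O)
#            -r, -R, --recursive   required to move a directory
#            -v, --verbose         print each file moved
#            -e, --empty           delete the trash directory
#            -l, --list            list the trash directory
#            -s, --restore         move the named files back into the cwd
#            --help, --version     delegate to /bin/rm, then print our own
#            Options must precede the file names (getopts stops at the
#            first non-option), unlike GNU rm.
# Outputs:   help/version/list/verbose text on stdout, prompts and
#            diagnostics on stderr
# Returns:   0 on success; 1 on an unknown option, on a directory given
#            without -r, or when a move fails
# Caveat:    the trash is flat — a second file with the same name as an
#            already saved one overwrites it (mv -f).
#######################################
function rm
{
    local opt_force=0
    local opt_interactive=0
    local opt_recursive=0
    local opt_verbose=0
    local opt_empty=0
    local opt_list=0
    local opt_restore=0
    local opt reponse
    local status=0

    # getopts keeps its position in OPTIND; reset it because this function
    # is invoked many times in the same shell.
    OPTIND=1
    while getopts ":dfirRvels-:" opt ; do
        case $opt in
            d ) ;; # ignored
            f ) opt_force=1 ;;
            i ) opt_interactive=1 ;;
            r | R ) opt_recursive=1 ;;
            e ) opt_empty=1 ;;
            l ) opt_list=1 ;;
            s ) opt_restore=1 ;;
            v ) opt_verbose=1 ;;
            - ) # a long option "--name" reaches getopts as "-" with OPTARG=name
                case $OPTARG in
                directory )   ;;
                force )       opt_force=1 ;;
                interactive ) opt_interactive=1 ;;
                recursive )   opt_recursive=1 ;;
                verbose )     opt_verbose=1 ;;
                help ) /bin/rm --help
                    printf '%s\n' "rm_secure:"
                    printf '%s\n' "  -e  --empty     vider la corbeille"
                    printf '%s\n' "  -l  --list      voir les fichiers sauvés"
                    printf '%s\n' "  -s, --restore   récupérer des fichiers"
                    return 0 ;;
                version ) /bin/rm --version
                    printf '%s\n' "(rm_secure 1.2)"
                    return 0 ;;
                empty )       opt_empty=1 ;;
                list )        opt_list=1 ;;
                restore )     opt_restore=1 ;;
                * )  printf 'option illégale --%s\n' "$OPTARG" >&2
                     return 1 ;;
            esac ;;
            * )  printf 'option illégale -%s\n' "$OPTARG" >&2
                 return 1 ;;
        esac
    done
    shift $((OPTIND - 1))

    # Create the trash directory if needed (private: mode 700).
    if [ ! -d "$sauvegarde_rm" ] ; then
        mkdir -p -m 700 -- "$sauvegarde_rm" || return 1
    fi

    # Empty the trash. ":?" refuses to run "rm -rf" on an empty path.
    if [ "$opt_empty" -ne 0 ] ; then
        /bin/rm -rf -- "${sauvegarde_rm:?}"
        return $?
    fi

    # List the saved files. Subshell so the cd does not leak; "&&" so a
    # failed cd does not list the current directory instead.
    if [ "$opt_list" -ne 0 ] ; then
        ( cd "$sauvegarde_rm" && ls -lRa -- * )
    fi

    # Restore files: move them from the trash back into the cwd.
    if [ "$opt_restore" -ne 0 ] ; then
        while [ $# -gt 0 ] ; do
            mv -- "${sauvegarde_rm}/$1" . || status=1
            shift
        done
        return "$status"
    fi

    # "Remove" files: move them into the trash.
    while [ $# -gt 0 ] ; do
        # Interactive removal: ask the user (y/Y/o/O confirm, anything else skips)
        if [ "$opt_force" -ne 1 ] && [ "$opt_interactive" -ne 0 ] ; then
            printf 'Détruire %s ? ' "$1" >&2
            read -r reponse
            case $reponse in
                y | Y | o | O ) ;;
                * ) shift
                    continue ;;
            esac
        fi
        # Directories require the recursive option, as with rm(1)
        if [ -d "$1" ] && [ "$opt_recursive" -eq 0 ] ; then
            printf "rm_secure: %s est un répertoire (option -r requise)\n" "$1" >&2
            status=1
            shift
            continue
        fi
        if [ "$opt_verbose" -ne 0 ] ; then
            printf 'Suppression %s\n' "$1"
        fi
        # "--" so a name starting with "-" is not read as an mv option
        mv -f -- "$1" "${sauvegarde_rm}/" || status=1
        shift
    done
    return "$status"
}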

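    # Session-scoped trash: everything saved by the rm function above is
    # deleted for good when this shell exits. Single quotes defer the
    # expansion to exit time, the path is quoted against word-splitting, and
    # ":?" refuses to run "rm -rf" on an empty path.
    trap '/bin/rm -rf -- "${sauvegarde_rm:?}"' EXIT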
