#!/usr/bin/env bash
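# The installer expects to be run from the repository checkout: the
# site-specific settings are read from ./config (copied from config.dist).
if [ ! -f ./config ]; then
  printf '%s\n' "] Create a config file based on config.dist" >&2
  exit 1
fi

# Explicit ./ so bash does not consult PATH for a file named "config"
# before looking in the current directory.
# shellcheck source=/dev/null
source ./config

# Fail early on the settings the rest of the script interpolates
# unconditionally (wg0.conf address/port, PostUp rules, firewall rule).
: "${net_prefix:?net_prefix must be set in config}"
: "${public_ifname:?public_ifname must be set in config}"
: "${monitor_host:?monitor_host must be set in config}"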
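#######################################
# Abort unless the script is running as root.
# Globals:   EUID (read)
# Outputs:   error message to stderr
# Returns:   0 when root; exits the script with 1 otherwise
#######################################
check_root() {
  if [ "$EUID" -ne 0 ]; then
    printf '%s\n' "] Please run the script as root." >&2
    exit 1
  fi
}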
# Welcome banner: show the project README (resolved relative to the current
# directory, like the config file above), then insist on root.
printf '\n'
cat README.md
printf '\n'

check_root
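# enable IPv4 forwarding persistently: uncomment the stock sysctl.conf entry,
# and append one when the distribution's file does not carry it at all
# (the sed alone is a no-op in that case)
sed -i 's/\#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
if ! grep -Eq '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf; then
  printf '%s\n' 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi

# negate the need to reboot after the above change
sysctl -p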
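# update/upgrade server and refresh repo
apt update -y && apt upgrade -y && apt autoremove -y

# remove the default firewall; the rules further down are managed with
# iptables and persisted through netfilter-persistent instead
ufw disable
apt remove --purge ufw -y

# stop a previously installed WireGuard interface before (re)installing so the
# package upgrade does not race a running tunnel
systemctl stop wg-quick@wg0.service
systemctl disable wg-quick@wg0.service

# install everything the rest of the script needs in one transaction:
#   iptables netfilter-persistent        - firewall and rule persistence
#   fail2ban                             - brute-force protection
#   python3-dev python3-pip python3-ldap - presumably for the LDAP sync service
#   wireguard qrencode                   - VPN (qrencode presumably for client QR codes)
#   jq curl                              - helpers used by this and the sibling scripts
#   mutt zip                             - mail reports
apt install -y \
  iptables netfilter-persistent \
  fail2ban \
  python3-dev python3-pip python3-ldap \
  wireguard qrencode \
  jq curl \
  mutt zip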
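# net_prefix is spliced into an IP address and a UDP port below, so only a
# plain number is acceptable; anything else would produce a broken wg0.conf
if [[ ! "$net_prefix" =~ ^[0-9]+$ ]]; then
  printf '%s\n' "] net_prefix must be numeric (got '${net_prefix}')" >&2
  exit 1
fi

# generate the server key pair once; umask 077 keeps both key files 0600
(
  cd /etc/wireguard/ || exit 1
  umask 077
  if [ ! -f server_private.key ]; then
    wg genkey | tee server_private.key | wg pubkey > server_public.key
  fi
)

# create the WireGuard interface config. The private key is embedded, so the
# file is created under umask 077 (0600 from the first byte) instead of being
# written with the default umask and tightened afterwards. Variables are
# expanded here directly, so no sed pass over the file is needed.
(
  umask 077
  cat > /etc/wireguard/wg0.conf << ENDOFFILE
[Interface]
PrivateKey = $(cat /etc/wireguard/server_private.key)
Address = 10.${net_prefix}.0.1/20
ListenPort = 550${net_prefix}

PostUp = iptables -A FORWARD -i ${public_ifname} -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -o ${public_ifname} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o ${public_ifname} -j MASQUERADE
PostDown = iptables -D FORWARD -i ${public_ifname} -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -o ${public_ifname} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o ${public_ifname} -j MASQUERADE
SaveConfig = true
ENDOFFILE
)

# make root owner of the WireGuard config file (the umask above already
# produced 0600; chmod keeps re-runs against an existing file tight too)
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf

# make WireGuard interface start at boot
systemctl enable wg-quick@wg0.service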
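# flush all chains, starting from permissive policies so the flush itself
# cannot lock out the session running this installer
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
# delete all user-defined chains
iptables -X

# configure the firewall and make it persistent
DEBIAN_FRONTEND=noninteractive apt install iptables-persistent -y
systemctl enable netfilter-persistent

# INPUT allow list. The rules are appended first and the DROP policy is set
# last, so established sessions are never dropped in between.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# loopback matched by interface rather than by source address: a 127.0.0.1
# source arriving on the public interface is spoofed and must not match
iptables -A INPUT -i lo -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# 655/tcp+udp: purpose is not documented in this script -- TODO confirm it is
# still needed before keeping it exposed
iptables -A INPUT -p tcp --dport 655 -j ACCEPT
iptables -A INPUT -p udp --dport 655 -j ACCEPT
# agent port 10050, reachable only from the host configured as monitor_host
iptables -A INPUT -p tcp -s "${monitor_host}" --dport 10050 -j ACCEPT
# WireGuard listen port (matches ListenPort in wg0.conf)
iptables -A INPUT -p udp --dport "550${net_prefix}" -j ACCEPT
# anything arriving over the tunnel (e.g. DNS from clients)
iptables -A INPUT -i wg0 -j ACCEPT
iptables -P INPUT DROP

# FORWARD: refuse client-to-client traffic through wg0.
# NOTE(review): with policy ACCEPT the PostUp ACCEPT rules in wg0.conf are
# redundant and the host forwards between any pair of interfaces; a DROP
# policy relying on those PostUp rules would be the tighter choice. Left
# as-is here to avoid changing routing behaviour silently.
iptables -P FORWARD ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -j REJECT

iptables -P OUTPUT ACCEPT
netfilter-persistent save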
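# install Unbound DNS (stop a previous instance first so the package upgrade
# and the config rewrite below do not race a running daemon)
systemctl stop unbound.service
systemctl disable unbound.service
apt install unbound unbound-host -y

# download list of DNS root servers. -f makes HTTP errors fail the command
# instead of saving an error page as root.hints; unbound.conf below points
# at this file, so a failed download should be fixed before relying on the
# resolver.
if ! curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache; then
  printf '%s\n' "] WARN: could not download /var/lib/unbound/root.hints" >&2
fi

# create unbound log file
mkdir -p /var/log/unbound
chown unbound:unbound /var/log/unbound/
touch /var/log/unbound/unbound.log
chown unbound:unbound /var/log/unbound/unbound.log

# allow the AppArmor profile to write the log file; the profile is absent
# when AppArmor is not installed, so only reload it when it exists
mkdir -p /etc/apparmor.d/local
echo "/var/log/unbound/unbound.log rw," > /etc/apparmor.d/local/usr.sbin.unbound
if [ -f /etc/apparmor.d/usr.sbin.unbound ]; then
  apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
fi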
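# create custom conf (site-specific additions, included at the end of
# unbound.conf)
touch /etc/unbound/custom.conf
chown unbound:unbound /etc/unbound/custom.conf

# create Unbound config file; ${net_prefix} is expanded directly so no
# post-hoc sed pass over the file is needed
cat > /etc/unbound/unbound.conf << ENDOFFILE
server:
    num-threads: 4

    # enable logs
    verbosity: 1
    logfile: /var/log/unbound/unbound.log
    chroot: ""
    log-queries: no

    # list of root DNS servers
    root-hints: "/var/lib/unbound/root.hints"

    # use the root server's key for DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # listen on all IPv4 interfaces; the access-control list below and the
    # INPUT chain (no port 53 rule on the public interface) keep the resolver
    # reachable from localhost and the VPN subnet only
    interface: 0.0.0.0
    max-udp-size: 3072

    # IPs authorised to access the DNS Server
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1 allow
    access-control: 10.${net_prefix}.0.0/20 allow

    # not allowed to be returned for public Internet names
    private-address: 10.${net_prefix}.0.0/20

    # hide DNS Server info
    hide-identity: yes
    hide-version: yes

    # limit DNS fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes

    # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
    unwanted-reply-threshold: 10000000

    # have the validator print validation failures to the log
    val-log-level: 1

    # minimum lifetime of cache entries in seconds
    cache-min-ttl: 1800

    # maximum lifetime of cached entries in seconds
    cache-max-ttl: 14400
    prefetch: yes
    prefetch-key: yes

    # additional entries
    include: /etc/unbound/custom.conf
ENDOFFILE

# /var/lib/unbound must be writable by the unbound user: it holds root.hints
# and the DNSSEC trust anchor (root.key) referenced above
chown -R unbound:unbound /var/lib/unbound

# enable Unbound in place of systemd-resolved
systemctl enable unbound-resolvconf
systemctl enable unbound
systemctl start unbound

# disable systemd-resolved and point the host at the local resolver
systemctl stop systemd-resolved
systemctl disable systemd-resolved
unlink /etc/resolv.conf
printf '%s\n' 'nameserver 127.0.0.1' > /etc/resolv.conf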
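# directory holding this script and its sibling scripts
__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Initial database generation (resolved against the script directory rather
# than the current working directory)
"${__dir}/gen-ip-database.sh"

# provide scripts in /usr/local/bin
cp -v "${__dir}/wgstats.sh" /usr/local/bin/
cp -v "${__dir}/wgldap.sh" /usr/local/bin/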
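# install Postfix mailserver (skipped while the config still carries the
# placeholder origin from config.dist)
if [[ "$email_origin" == "wire.example.com" ]]; then
  echo "] WARN: Mailing is disabled!"
else
  printf '%s\n' "] Setting up mail server $email_origin ..."
  if [ ! -f /etc/postfix/main.cf ]; then
    echo "] Mail server config does not exist. Installing..."

    # install postfix, pre-seeding the debconf questions
    printf '%s\n' "postfix postfix/mailname string ${email_origin}" | debconf-set-selections
    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
    apt install -y postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

    # setup mail server for email reports: authenticated, TLS-only relay
    /usr/sbin/postconf -e "relayhost = [${email_host}]:587" \
      "smtp_sasl_auth_enable = yes" \
      "smtp_sasl_security_options = noanonymous" \
      "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
      "smtp_use_tls = yes" \
      "smtp_tls_security_level = encrypt" \
      "smtp_tls_note_starttls_offer = yes"

    # relay credentials: create the map and its .db under umask 077 so the
    # password is never on disk world-readable, not even between the write
    # and the chmod below
    (
      umask 077
      printf '%s\n' "[${email_host}]:587 ${email_user}:${email_pass}" > /etc/postfix/sasl_passwd
      /usr/sbin/postmap hash:/etc/postfix/sasl_passwd
    )
    chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

    /usr/sbin/postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
    /usr/sbin/postconf -e "myorigin = ${email_origin}"
    sleep 2
    service postfix restart
  fi
fi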
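# Setup LDAP sync service (skipped while the config still carries the
# placeholder server from config.dist)
if [[ "$ldap_server" == "ldap://idm.example.com" ]]; then
  echo "] WARN: LDAP disabled!"
else
  printf '%s\n' "] Setting up LDAP server $ldap_server"
  cp -v "${__dir}/wgldapsync.service" /etc/systemd/system/wgldapsync.service
  cp -v "${__dir}/wgldapsync.timer" /etc/systemd/system/wgldapsync.timer
  systemctl daemon-reload
  systemctl enable wgldapsync.timer
  # --no-pager so the status output cannot block on a pager when the installer
  # runs from a terminal
  systemctl status --no-pager wgldapsync.service
  systemctl status --no-pager wgldapsync.timer
fi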
# reboot to make changes effective
printf '%s\n' "] System reboot after 30 seconds..."
sleep 30
reboot