Update something

This commit is contained in:
tiff 2024-07-17 14:47:42 -04:00
parent e2770b318f
commit 5f5e43f781
4 changed files with 364 additions and 0 deletions

135
jupyter-notebook.sh Normal file
View file

@ -0,0 +1,135 @@
#!/bin/bash
################################################################################
# Script: jupyter-notebook.sh
# Author: Eric Ruzanski
# Description: This script installs and configures the classic Jupyter Notebook,
# serves it securely via an Nginx reverse proxy, and makes it
# accessible through a web browser via the provided domain or
# default reverse DNS (rDNS) of the Linode. If the Linode is ever
# rebooted, or Jupyter Notebook stops running, simply start
# Jupyter Notebook from the command line using 'jupyter notebook &'.
#
# GitHub Repository:
# https://github.com/ericruzanski/StackScripts/blob/main/jupyter-notebook.sh
#
# Jupyter Notebook Docs:
# https://jupyter-notebook.readthedocs.io/en/latest/
#
# Disclaimer: This script is provided as-is without any warranties.
################################################################################
## Jupyter Notebook Settings
#<UDF name="notebook_password" label="Jupyter Notebook Password" example="s3cure_p4ssw0rd">
#<UDF name="soa_email_address" label="Email address (for the Let's Encrypt SSL certificate)" example="user@domain.tld">
## Linode/SSH Security Settings
#<UDF name="username" label="The limited sudo user to be created for the Linode" default="">
#<UDF name="password" label="The password for the limited sudo user" example="an0th3r_s3cure_p4ssw0rd" default="">
#<UDF name="pubkey" label="The SSH Public Key that will be used to access the Linode" default="">
#<UDF name="disable_root" label="Disable root access over SSH?" oneOf="Yes,No" default="No">
## Domain Settings
#<UDF name="token_password" label="Your Linode API token. This is needed to create your server's DNS records" default="">
#<UDF name="subdomain" label="Subdomain" example="The subdomain for the DNS record: www (Requires Domain)" default="">
#<UDF name="domain" label="Domain" example="The domain for the DNS record: example.com (Requires API token)" default="">
## Enable logging
set -x
exec > >(tee /dev/ttyS0 /var/log/stackscript.log) 2>&1
## Import the Bash StackScript Library
source <ssinclude StackScriptID=1>
## Import the DNS/API Functions Library
source <ssinclude StackScriptID=632759>
## Import the OCA Helper Functions
source <ssinclude StackScriptID=401712>
## Run initial configuration tasks (DNS/SSH stuff, etc...)
source <ssinclude StackScriptID=666912>
## Register default rDNS
export DEFAULT_RDNS=$(dnsdomainname -A | awk '{print $1}')
## Set absolute domain if any, otherwise use DEFAULT_RDNS
if [[ $DOMAIN = "" ]]; then
readonly ABS_DOMAIN="$DEFAULT_RDNS"
elif [[ $SUBDOMAIN = "" ]]; then
readonly ABS_DOMAIN="$DOMAIN"
else
readonly ABS_DOMAIN="$SUBDOMAIN.$DOMAIN"
fi
create_a_record $SUBDOMAIN $IP $DOMAIN
## Update system, set hostname & install basic security
set_hostname
apt_setup_update
ufw_install
fail2ban_install
## Add UFW rules
ufw allow http
ufw allow https
ufw allow 8888
## Prepare the Python venv
apt-get install python3-venv python3-pip -y
mkdir /root/jupyter-notebook
mkdir /opt/notebooks
python3 -m venv /root/jupyter-notebook
source /root/jupyter-notebook/bin/activate
python3 -m pip install notebook
# Configure Jupyter Notebook
jupyter notebook --generate-config
CONFIG_FILE="/root/.jupyter/jupyter_notebook_config.py"
HASHED_PASSWORD=$(python3 -c "from jupyter_server.auth import passwd; print(passwd('$NOTEBOOK_PASSWORD'))")
sudo tee -a $CONFIG_FILE <<EOF
c.NotebookApp.notebook_dir = '/opt/notebooks'
c.NotebookApp.open_browser = False
c.NotebookApp.password = u'$HASHED_PASSWORD'
c.NotebookApp.allow_origin = '*'
c.NotebookApp.allow_root = True
c.NotebookApp.trust_xheaders = True
EOF
deactivate
## Install NGINX reverse-proxy
apt-get install nginx -y
# Configure NGINX reverse proxy
rm /etc/nginx/sites-enabled/default
touch /etc/nginx/sites-available/reverse-proxy.conf
cat <<END > /etc/nginx/sites-available/reverse-proxy.conf
server {
listen 80;
server_name ${ABS_DOMAIN};
access_log /var/log/nginx/reverse-access.log;
error_log /var/log/nginx/reverse-error.log;
location /wss/ {
proxy_pass http://127.0.0.1:8888;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location /api/kernels/ {
proxy_pass http://127.0.0.1:8888;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location /terminals/ {
proxy_pass http://127.0.0.1:8888;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location / {
proxy_pass http://127.0.0.1:8888;
}
}
END
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
# Enable and start NGINX
systemctl enable nginx
systemctl restart nginx
sleep 90
## Configure SSL
apt-get install python3-certbot-nginx -y
certbot run --non-interactive --nginx --agree-tos --redirect -d ${ABS_DOMAIN} -m ${SOA_EMAIL_ADDRESS} -w /var/www/html/
## Cleanup
stackscript_cleanup
## Start Jupyter Notebook
source /root/jupyter-notebook/bin/activate
jupyter notebook

34
kali-gui-linode.sh Normal file
View file

@ -0,0 +1,34 @@
#!/bin/bash
# Install Xfce desktop environment and related packages
apt-get update -y
apt-get install -y xfce4 xfce4-goodies xorg dbus-x11 x11-xserver-utils
# Install and configure Xrdp
apt-get install -y xrdp
sed -i 's/3389/3390/g' /etc/xrdp/xrdp.ini
systemctl enable xrdp
systemctl restart xrdp
# Open firewall ports
ufw allow 3390/tcp
# Create user with password
useradd -m -s /bin/bash username
echo "username:password" | chpasswd
# Set up VNC server
apt-get install -y tightvncserver
su -c "echo 'password' | vncpasswd -f > ~/.vnc/passwd" username
chmod 0600 /home/username/.vnc/passwd
echo "#!/bin/sh" > /etc/init.d/vncserver
echo "" >> /etc/init.d/vncserver
echo "export USER='username'" >> /etc/init.d/vncserver
echo "eval cd ~\$USER" >> /etc/init.d/vncserver
echo "" >> /etc/init.d/vncserver
echo "/usr/bin/vncserver :1 -geometry 1280x720 -depth 16 -localhost" >> /etc/init.d/vncserver
echo "" >> /etc/init.d/vncserver
chmod +x /etc/init.d/vncserver
update-rc.d vncserver defaults
# Clean up
apt-get clean
rm -rf /var/lib/apt/lists/*
# Reboot the system
shutdown -r now

40
shadowsocks-server.sh Normal file
View file

@ -0,0 +1,40 @@
#!/bin/bash
# <UDF name="SERVER_PORT" Label="Shadowsocks Server Port" default="8388" />
# <UDF name="LOCAL_ADDRESS" Label="Local Address" default="127.0.0.1" />
# <UDF name="LOCAL_PORT" Label="Local Port" default="1080" />
# <UDF name="PASSWORD" Label="Password" />
# <UDF name="METHOD" Label="Method" default="rc4-md5" />
# <UDF name="L2TP_USERNAME" Label="L2TP Username" default="" />
# <UDF name="L2TP_PASSWORD" Label="L2TP Password" default="" />
# <UDF name="L2TP_PSK" Label="L2TP PSK" default="" />
cat >>/etc/gai.conf<<EOF
precedence ::ffff:0:0/96 100
EOF
sudo apt-get update
sudo apt-get install -y python-pip
pip install --upgrade pip
sudo pip install shadowsocks
sudo apt-get install -y python-m2crypto
cat >>/etc/shadowsocks.json<<EOF
{
"server":"0.0.0.0",
"server_port":$SERVER_PORT,
"password":"$PASSWORD",
"local_address":"$LOCAL_ADDRESS",
"local_port":$LOCAL_PORT,
"method":"$METHOD",
"timeout":300
}
EOF
sudo chmod 755 /etc/shadowsocks.json
cat >>/etc/rc.local<<EOF
/usr/local/bin/ssserver c /etc/shadowsocks.json
EOF
sudo ssserver -c /etc/shadowsocks.json -d start
wget https://git.io/vpnsetup -O vpnsetup.sh
sudo VPN_IPSEC_PSK=$L2TP_PSK VPN_USER=$L2TP_USERNAME VPN_PASSWORD=$L2TP_PASSWORD sh vpnsetup.sh
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
reboot

155
wazuh.sh Normal file
View file

@ -0,0 +1,155 @@
#!/usr/bin/env bash
# #<UDF name="soa_email_address" label="Email address (for the Let's Encrypt SSL certificate)" example="user@domain.tld">
## Linode/SSH Security Settings
#<UDF name="username" label="The limited sudo user to be created for the Linode" default="">
#<UDF name="password" label="The password for the limited sudo user" example="an0th3r_s3cure_p4ssw0rd" default="">
#<UDF name="pubkey" label="The SSH Public Key that will be used to access the Linode" default="">
#<UDF name="disable_root" label="Disable root access over SSH?" oneOf="Yes,No" default="No">
## Domain Settings
#<UDF name="token_password" label="Your Linode API token. This is needed to create your WordPress server's DNS records" default="">
#<UDF name="subdomain" label="Subdomain" example="The subdomain for the DNS record: www (Requires Domain)" default="">
#<UDF name="domain" label="Domain" example="The domain for the DNS record: example.com (Requires API token)" default="">
## Enable logging
set -xo pipefail
exec > >(tee /dev/ttyS0 /var/log/stackscript.log) 2>&1
## Import the Bash StackScript Library
source <ssinclude StackScriptID=1>
## Import the DNS/API Functions Library
source <ssinclude StackScriptID=632759>
## Import the OCA Helper Functions
source <ssinclude StackScriptID=401712>
## Run initial configuration tasks (DNS/SSH stuff, etc...)
source <ssinclude StackScriptID=666912>
# UFW https://documentation.wazuh.com/current/getting-started/architecture.html
ufw allow 1514
ufw allow 1515
ufw allow 1516
ufw allow 514
ufw allow 55000
ufw allow 443
ufw allow 80
ufw allow 9200
ufw allow 9300
# Prereqs & Wazuh Install
apt install -y curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2 default-jre
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
apt_setup_update
apt install -y wazuh-manager
systemctl daemon-reload
systemctl enable --now wazuh-manager
# Elastic
apt install -y elasticsearch-oss opendistroforelasticsearch
curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
bash ~/wazuh-cert-tool.sh
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
# FOR TESTING
curl -XGET https://localhost:9200 -u admin:admin -k
# Filebeat
apt install -y filebeat
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
# TESTING
filebeat test output
# Kibana
apt install -y opendistroforelasticsearch-kibana
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
# Get Passwords
cd && curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/wazuh-passwords-tool.sh
#bash wazuh-passwords-tool.sh -a > .wazuh_creds.txt
# NGINX
apt install git nginx certbot python3-certbot-nginx -y
mkdir -p /var/www/certs/.well-known
chown -R www-data:www-data /var/www/certs/
cat <<EOF > /etc/nginx/sites-available/$FQDN
server {
listen 80;
listen [::]:80;
server_name $FQDN;
root /var/www/certs;
location / {
try_files \$uri \$uri/ =404;
}
# allow .well-known
location ^~ /.well-known {
allow all;
auth_basic off;
alias /var/www/certs/.well-known;
}
}
EOF
ln -s /etc/nginx/sites-available/$FQDN /etc/nginx/sites-enabled/$FQDN
unlink /etc/nginx/sites-enabled/default
systemctl restart nginx
# SSL Certbot
certbot certonly --agree-tos --webroot --webroot-path=/var/www/certs -d $FQDN -m $SOA_EMAIL_ADDRESS
# Set Variables
export KIBANA_FULL=/etc/kibana/certs/fullchain.pem
export KIBANA_PRIVKEY=/etc/kibana/certs/privkey.pem
export FULLCHAIN=/etc/letsencrypt/live/$FQDN/fullchain.pem
export PRIVKEY=/etc/letsencrypt/live/$FQDN/privkey.pem
# Place certificates in /etc/kibana/kibana.yml
cat $FULLCHAIN > $KIBANA_FULL
cat $PRIVKEY > $KIBANA_PRIVKEY
# Update kibana config to point to letsencrypt certs
sed -i -e "s/kibana-key.pem/privkey.pem/" /etc/kibana/kibana.yml
sed -i -e "s/kibana.pem/fullchain.pem/" /etc/kibana/kibana.yml
# Restart Kibana
service kibana restart
# Create Cert renewal cron script
cat <<END >/root/certbot-kibana-renewal.sh
#!/bin/bash
#
# Script to handle Certbot renewal & Kibana
# Debug
# set -xo pipefail
export KIBANA_FULL=/etc/kibana/certs/fullchain.pem
export KIBANA_PRIVKEY=/etc/kibana/certs/privkey.pem
export FULLCHAIN=/etc/letsencrypt/live/$FQDN/fullchain.pem
export PRIVKEY=/etc/letsencrypt/live/$FQDN/privkey.pem
certbot renew
cat \$FULLCHAIN > \$KIBANA_FULL
cat \$PRIVKEY > \$KIBANA_PRIVKEY
service kibana restart
END
chmod +x /root/certbot-kibana-renewal.sh
# Setup Cron
crontab -l > cron
echo "* 1 * * 1 bash /root/certbot-kibana-renewal.sh" >> cron
crontab cron
rm cron
# Cleanup
stackscript_cleanup