Update something

jupyter-notebook.sh

@@ -0,0 +1,135 @@
+#!/bin/bash
+################################################################################
+# Script: jupyter-notebook.sh
+# Author: Eric Ruzanski
+# Description: This script installs and configures the classic Jupyter Notebook,
+#              serves it securely via an Nginx reverse proxy, and makes it 
+#              accessible through a web browser via the provided domain or 
+#              default reverse DNS (rDNS) of the Linode. If the Linode is ever 
+#              rebooted, or Jupyter Notebook stops running, simply start 
+#              Jupyter Notebook from the command line using 'jupyter notebook &'.
+#
+# GitHub Repository:
+# https://github.com/ericruzanski/StackScripts/blob/main/jupyter-notebook.sh
+#
+# Jupyter Notebook Docs: 
+# https://jupyter-notebook.readthedocs.io/en/latest/
+# 
+# Disclaimer: This script is provided as-is without any warranties.
+################################################################################
+## Jupyter Notebook Settings
+#<UDF name="notebook_password" label="Jupyter Notebook Password" example="s3cure_p4ssw0rd">
+#<UDF name="soa_email_address" label="Email address (for the Let's Encrypt SSL certificate)" example="user@domain.tld">
+## Linode/SSH Security Settings
+#<UDF name="username" label="The limited sudo user to be created for the Linode" default="">
+#<UDF name="password" label="The password for the limited sudo user" example="an0th3r_s3cure_p4ssw0rd" default="">
+#<UDF name="pubkey" label="The SSH Public Key that will be used to access the Linode" default="">
+#<UDF name="disable_root" label="Disable root access over SSH?" oneOf="Yes,No" default="No">
+## Domain Settings
+#<UDF name="token_password" label="Your Linode API token. This is needed to create your server's DNS records" default="">
+#<UDF name="subdomain" label="Subdomain" example="The subdomain for the DNS record: www (Requires Domain)" default="">
+#<UDF name="domain" label="Domain" example="The domain for the DNS record: example.com (Requires API token)" default="">
+## Enable logging
+set -x
+exec > >(tee /dev/ttyS0 /var/log/stackscript.log) 2>&1
+## Import the Bash StackScript Library
+source <ssinclude StackScriptID=1>
+## Import the DNS/API Functions Library
+source <ssinclude StackScriptID=632759>
+## Import the OCA Helper Functions
+source <ssinclude StackScriptID=401712>
+## Run initial configuration tasks (DNS/SSH stuff, etc...)
+source <ssinclude StackScriptID=666912>
+## Register default rDNS 
+export DEFAULT_RDNS=$(dnsdomainname -A | awk '{print $1}')
+## Set absolute domain if any, otherwise use DEFAULT_RDNS
+if [[ $DOMAIN = "" ]]; then
+  readonly ABS_DOMAIN="$DEFAULT_RDNS"
+elif [[ $SUBDOMAIN = "" ]]; then
+  readonly ABS_DOMAIN="$DOMAIN"
+else
+  readonly ABS_DOMAIN="$SUBDOMAIN.$DOMAIN"
+fi
+create_a_record $SUBDOMAIN $IP $DOMAIN
+## Update system, set hostname & install basic security
+set_hostname
+apt_setup_update
+ufw_install
+fail2ban_install
+## Add UFW rules 
+ufw allow http
+ufw allow https
+ufw allow 8888
+## Prepare the Python venv
+apt-get install python3-venv python3-pip -y
+mkdir /root/jupyter-notebook
+mkdir /opt/notebooks
+python3 -m venv /root/jupyter-notebook
+source /root/jupyter-notebook/bin/activate
+python3 -m pip install notebook
+# Configure Jupyter Notebook
+jupyter notebook --generate-config
+CONFIG_FILE="/root/.jupyter/jupyter_notebook_config.py"
+HASHED_PASSWORD=$(python3 -c "from jupyter_server.auth import passwd; print(passwd('$NOTEBOOK_PASSWORD'))")
+sudo tee -a $CONFIG_FILE <<EOF
+c.NotebookApp.notebook_dir = '/opt/notebooks'
+c.NotebookApp.open_browser = False
+c.NotebookApp.password = u'$HASHED_PASSWORD'
+c.NotebookApp.allow_origin = '*'
+c.NotebookApp.allow_root = True
+c.NotebookApp.trust_xheaders = True
+EOF
+deactivate
+## Install NGINX reverse-proxy 
+apt-get install nginx -y 
+# Configure NGINX reverse proxy
+rm /etc/nginx/sites-enabled/default
+touch /etc/nginx/sites-available/reverse-proxy.conf
+cat <<END > /etc/nginx/sites-available/reverse-proxy.conf
+server {
+        listen 80;
+        server_name ${ABS_DOMAIN};
+        access_log /var/log/nginx/reverse-access.log;
+        error_log /var/log/nginx/reverse-error.log;
+        location /wss/ {
+                proxy_pass http://127.0.0.1:8888;
+                proxy_http_version 1.1;
+                proxy_buffering off;
+                proxy_set_header Upgrade \$http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                proxy_read_timeout 86400;
+  }
+        location /api/kernels/ {
+                proxy_pass http://127.0.0.1:8888;
+                proxy_http_version 1.1;
+                proxy_buffering off;
+                proxy_set_header Upgrade \$http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                proxy_read_timeout 86400;
+  }
+        location /terminals/ {
+                proxy_pass http://127.0.0.1:8888;
+                proxy_http_version 1.1;
+                proxy_buffering off;
+                proxy_set_header Upgrade \$http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                proxy_read_timeout 86400;
+  }
+        location / {
+                proxy_pass http://127.0.0.1:8888;
+  }
+}
+END
+ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
+# Enable and start NGINX
+systemctl enable nginx
+systemctl restart nginx
+sleep 90
+## Configure SSL
+apt-get install python3-certbot-nginx -y 
+certbot run --non-interactive --nginx --agree-tos --redirect -d ${ABS_DOMAIN} -m ${SOA_EMAIL_ADDRESS} -w /var/www/html/
+## Cleanup
+stackscript_cleanup
+## Start Jupyter Notebook
+source /root/jupyter-notebook/bin/activate
+jupyter notebook

kali-gui-linode.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+
+# Install Xfce desktop environment and related packages
+apt-get update -y
+apt-get install -y xfce4 xfce4-goodies xorg dbus-x11 x11-xserver-utils
+# Install and configure Xrdp
+apt-get install -y xrdp
+sed -i 's/3389/3390/g' /etc/xrdp/xrdp.ini
+systemctl enable xrdp
+systemctl restart xrdp
+# Open firewall ports
+ufw allow 3390/tcp
+# Create user with password
+useradd -m -s /bin/bash username
+echo "username:password" | chpasswd
+# Set up VNC server
+apt-get install -y tightvncserver
+su -c "echo 'password' | vncpasswd -f > ~/.vnc/passwd" username
+chmod 0600 /home/username/.vnc/passwd
+echo "#!/bin/sh" > /etc/init.d/vncserver
+echo "" >> /etc/init.d/vncserver
+echo "export USER='username'" >> /etc/init.d/vncserver
+echo "eval cd ~\$USER" >> /etc/init.d/vncserver
+echo "" >> /etc/init.d/vncserver
+echo "/usr/bin/vncserver :1 -geometry 1280x720 -depth 16 -localhost" >> /etc/init.d/vncserver
+echo "" >> /etc/init.d/vncserver
+chmod +x /etc/init.d/vncserver
+update-rc.d vncserver defaults
+# Clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/*
+# Reboot the system
+shutdown -r now

shadowsocks-server.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# <UDF name="SERVER_PORT" Label="Shadowsocks Server Port" default="8388" />
+# <UDF name="LOCAL_ADDRESS" Label="Local Address" default="127.0.0.1" />
+# <UDF name="LOCAL_PORT" Label="Local Port" default="1080" />
+# <UDF name="PASSWORD" Label="Password" />
+# <UDF name="METHOD" Label="Method" default="rc4-md5" />
+# <UDF name="L2TP_USERNAME" Label="L2TP Username" default="" />
+# <UDF name="L2TP_PASSWORD" Label="L2TP Password" default="" />
+# <UDF name="L2TP_PSK" Label="L2TP PSK" default="" />
+cat >>/etc/gai.conf<<EOF
+precedence ::ffff:0:0/96  100
+EOF
+sudo apt-get update
+sudo apt-get install -y python-pip
+pip install --upgrade pip
+sudo pip install shadowsocks
+sudo apt-get install -y python-m2crypto
+cat >>/etc/shadowsocks.json<<EOF
+{
+  "server":"0.0.0.0",
+  "server_port":$SERVER_PORT,
+  "password":"$PASSWORD",
+  "local_address":"$LOCAL_ADDRESS",
+  "local_port":$LOCAL_PORT,
+  "method":"$METHOD",
+  "timeout":300
+}
+EOF
+sudo chmod 755 /etc/shadowsocks.json
+cat >>/etc/rc.local<<EOF
+/usr/local/bin/ssserver –c /etc/shadowsocks.json
+EOF
+sudo ssserver -c /etc/shadowsocks.json -d start
+wget https://git.io/vpnsetup -O vpnsetup.sh
+sudo VPN_IPSEC_PSK=$L2TP_PSK VPN_USER=$L2TP_USERNAME VPN_PASSWORD=$L2TP_PASSWORD sh vpnsetup.sh
+echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
+echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
+sysctl -p
+reboot

wazuh.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+# #<UDF name="soa_email_address" label="Email address (for the Let's Encrypt SSL certificate)" example="user@domain.tld">
+## Linode/SSH Security Settings
+#<UDF name="username" label="The limited sudo user to be created for the Linode" default="">
+#<UDF name="password" label="The password for the limited sudo user" example="an0th3r_s3cure_p4ssw0rd" default="">
+#<UDF name="pubkey" label="The SSH Public Key that will be used to access the Linode" default="">
+#<UDF name="disable_root" label="Disable root access over SSH?" oneOf="Yes,No" default="No">
+## Domain Settings 
+#<UDF name="token_password" label="Your Linode API token. This is needed to create your WordPress server's DNS records" default="">
+#<UDF name="subdomain" label="Subdomain" example="The subdomain for the DNS record: www (Requires Domain)" default="">
+#<UDF name="domain" label="Domain" example="The domain for the DNS record: example.com (Requires API token)" default="">
+## Enable logging
+set -xo pipefail
+exec > >(tee /dev/ttyS0 /var/log/stackscript.log) 2>&1
+## Import the Bash StackScript Library
+source <ssinclude StackScriptID=1>
+## Import the DNS/API Functions Library
+source <ssinclude StackScriptID=632759>
+## Import the OCA Helper Functions
+source <ssinclude StackScriptID=401712>
+## Run initial configuration tasks (DNS/SSH stuff, etc...)
+source <ssinclude StackScriptID=666912>
+# UFW https://documentation.wazuh.com/current/getting-started/architecture.html
+ufw allow 1514
+ufw allow 1515
+ufw allow 1516
+ufw allow 514
+ufw allow 55000
+ufw allow 443
+ufw allow 80
+ufw allow 9200
+ufw allow 9300
+# Prereqs & Wazuh Install
+apt install -y curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2 default-jre
+curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
+echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
+apt_setup_update
+apt install -y wazuh-manager
+systemctl daemon-reload
+systemctl enable --now wazuh-manager
+# Elastic
+apt install -y elasticsearch-oss opendistroforelasticsearch
+curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
+curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
+curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
+curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
+rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}
+curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
+curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
+bash ~/wazuh-cert-tool.sh
+mkdir /etc/elasticsearch/certs/
+mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
+mv ~/certs/admin* /etc/elasticsearch/certs/
+cp ~/certs/root-ca* /etc/elasticsearch/certs/
+systemctl daemon-reload
+systemctl enable elasticsearch
+systemctl start elasticsearch
+export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
+# FOR TESTING
+curl -XGET https://localhost:9200 -u admin:admin -k
+# Filebeat
+apt install -y filebeat
+curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
+curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
+chmod go+r /etc/filebeat/wazuh-template.json
+curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
+mkdir /etc/filebeat/certs
+cp ~/certs/root-ca.pem /etc/filebeat/certs/
+mv ~/certs/filebeat* /etc/filebeat/certs/
+systemctl daemon-reload
+systemctl enable filebeat
+systemctl start filebeat
+# TESTING
+filebeat test output
+# Kibana
+apt install -y opendistroforelasticsearch-kibana
+curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
+mkdir /usr/share/kibana/data
+chown -R kibana:kibana /usr/share/kibana/data
+cd /usr/share/kibana
+sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.2_7.10.2-1.zip
+mkdir /etc/kibana/certs
+cp ~/certs/root-ca.pem /etc/kibana/certs/
+mv ~/certs/kibana* /etc/kibana/certs/
+chown kibana:kibana /etc/kibana/certs/*
+setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
+systemctl daemon-reload
+systemctl enable kibana
+systemctl start kibana
+# Get Passwords
+cd && curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/wazuh-passwords-tool.sh
+#bash wazuh-passwords-tool.sh -a > .wazuh_creds.txt
+# NGINX
+apt install git nginx certbot python3-certbot-nginx -y
+mkdir -p /var/www/certs/.well-known
+chown -R www-data:www-data /var/www/certs/
+cat <<EOF > /etc/nginx/sites-available/$FQDN
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $FQDN;
+    root /var/www/certs;
+    location / {
+        try_files \$uri \$uri/ =404;
+    }
+# allow .well-known
+    location ^~ /.well-known {
+      allow all;
+      auth_basic off;
+      alias /var/www/certs/.well-known;
+    }
+}
+EOF
+ln -s /etc/nginx/sites-available/$FQDN /etc/nginx/sites-enabled/$FQDN
+unlink /etc/nginx/sites-enabled/default
+systemctl restart nginx
+# SSL Certbot
+certbot certonly --agree-tos --webroot --webroot-path=/var/www/certs -d $FQDN -m $SOA_EMAIL_ADDRESS
+# Set Variables
+export KIBANA_FULL=/etc/kibana/certs/fullchain.pem
+export KIBANA_PRIVKEY=/etc/kibana/certs/privkey.pem
+export FULLCHAIN=/etc/letsencrypt/live/$FQDN/fullchain.pem
+export PRIVKEY=/etc/letsencrypt/live/$FQDN/privkey.pem
+# Place certificates in /etc/kibana/kibana.yml
+cat $FULLCHAIN > $KIBANA_FULL
+cat $PRIVKEY > $KIBANA_PRIVKEY
+# Update kibana config to point to letsencrypt certs
+sed -i -e "s/kibana-key.pem/privkey.pem/" /etc/kibana/kibana.yml
+sed -i -e "s/kibana.pem/fullchain.pem/" /etc/kibana/kibana.yml
+# Restart Kibana
+service kibana restart
+# Create Cert renewal cron script
+cat <<END >/root/certbot-kibana-renewal.sh
+#!/bin/bash
+#
+# Script to handle Certbot renewal & Kibana
+# Debug
+# set -xo pipefail
+export KIBANA_FULL=/etc/kibana/certs/fullchain.pem
+export KIBANA_PRIVKEY=/etc/kibana/certs/privkey.pem
+export FULLCHAIN=/etc/letsencrypt/live/$FQDN/fullchain.pem
+export PRIVKEY=/etc/letsencrypt/live/$FQDN/privkey.pem
+certbot renew
+cat \$FULLCHAIN > \$KIBANA_FULL
+cat \$PRIVKEY > \$KIBANA_PRIVKEY
+service kibana restart
+END
+chmod +x /root/certbot-kibana-renewal.sh
+# Setup Cron
+crontab -l > cron
+echo "* 1 * * 1 bash /root/certbot-kibana-renewal.sh" >> cron
+crontab cron
+rm cron
+# Cleanup
+stackscript_cleanup