6. AutoInstall Cut Discr
Type script: bash
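#!/bin/bash
# Command tracing (set -x / -xv) echoes every expanded command to stderr,
# including the password strings this script pipes into mkpasswd, chpasswd and
# smbpasswd, and therefore into any console log or terminal capture.  Keep it
# opt-in: run with DEBUG=1 when a trace is actually needed.
[[ -n ${DEBUG:-} ]] && set -x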
# Stop early (status 3) when the caller has not set STATE.
[[ -n $STATE ]] || exit 3
user add
# scratch: mkpasswd -H MD5 produces the obsolete MD5 crypt ($1$) hash; use
# "mkpasswd -m sha-512" and feed the secret on stdin.  Do not pass a hash on
# the usermod command line either - argv is visible in ps and in set -x output.
# Note the second line hashes an EMPTY string: an account with that hash is
# opened by pressing Enter.
# echo '****' | mkpasswd -s -H MD5
# sudo usermod -p "$(echo '' | mkpasswd -s -H MD5)" test1
# sudo usermod -p "$S" test1
# su -p test1
6.1. 01 AUTO POSTINSTALL
Предупреждение
do postinstall copy wufu & wpa_supplicant.conf + SAMBA
6.1.1. 01.01 PRE-INSTALL EMV AND SETTINGS
# debian-installer late_command: stages /install into the target system and
# overlays /install/lib onto the target's /lib, i.e. onto system libraries.
# Whatever is in that tree is trusted as much as the OS image itself.
d-i preseed/late_command string mkdir -p /target/install/; cp -R /install/* /target/install/; cp -Rf /install/lib/ /target/lib/;
# scratch: wpa_supplicant 0.7.3 is a 2010 release that predates years of
# security fixes; the tarball is unpacked and built with no checksum or
# signature check, and "./install" is not a build target of this tree.
# Prefer the distribution package (apt-get install wpasupplicant), which the
# utilities step later in this script installs anyway.
cd /install/
tar -xvf wpa_supplicant-0.7.3.tar.gz
cd ./wpa_supplicant-0.7.3/
./configure
./install
include this boilerplate
| GOTO for bash, based upon https://stackoverflow.com/a/31269848/5353461
rm /install/pii2.sh /etc/init.d/
update-rc.d -f pii2.sh remove
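# GOTO for bash, based upon https://stackoverflow.com/a/31269848/5353461
# jumpto LABEL re-executes this script from the line after "LABEL:" to the end
# and then exits with the status of that code.  It slices $0 with sed and
# hands the slice to eval, so LABEL is used as a sed regex (keep it to plain
# word characters) and every line ending in ":" is treated as a label and
# dropped (grep -v ':$').  Everything after the label is eval'ed with this
# script's (root) privileges - never pass a caller-controlled LABEL.
function jumpto
{
  local label=$1 cmd
  cmd=$(sed -n "/$label:/{
:a
n
p
ba
}" "$0" | grep -v ':$')
  eval "$cmd"
  exit
}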
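# Rewrite the interfaces file from the stock Debian template.
# $1 (optional): directory holding the file, default /etc/network (the shell
# stays in that directory afterwards, as the original did).
# The template keeps "en" as a placeholder in the allow-hotplug/iface lines;
# later steps substitute the detected interface names.
# The old version expanded $BUF unquoted through echo -e, which word-split the
# text and let the shell glob "interfaces.d/*"; a quoted here-doc writes the
# template verbatim.
reinterfaces() {
  local dir=${1:-/etc/network}
  cd -- "$dir" || return 1
  cat > interfaces <<'EOF'
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The Primary
allow-hotplug en
iface en inet dhcp
EOF
}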
17
# Label names used with jumpto; each can be overridden positionally.
start=${1:-start}
interface_sh=${2:-interface_sh}
step_one=${3:-step_one}
step_two=${4:-step_two}
step_three=${5:-step_three}

# install wpa_supplicant-0.7.3.tar.gz
export LC_ALL=ru_RU.UTF-8
FILES=steps.txt        # completed-step markers, one per line
BUF=
TMPS=
COUNT=0
DEB_VER=               # Debian release codename, detected later
NET_EN=                # wired interface name
NET_WI=                # Wi-Fi interface name
STATE=0                # 0 = wired + Wi-Fi, 1 = wired only
PORT_SSH=4103          # sshd port written into sshd_config
NET_ARR=()             # interface names indexed by ifindex
6.1.2. 01.02 CHECK ROOT PRIVILEGE
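# Refuse to run unprivileged.  The message follows LANG; this is a string
# comparison - the old "-eq" evaluated both sides as integers (0 -eq 0), so
# the Russian message was printed whatever LANG was.
if [[ $EUID -ne 0 ]]; then
  if [[ ${LANG:0:5} == 'ru_RU' ]]; then
    echo "Ошибка скрипта перезапустите скрипт на root" 1>&2
  else
    echo "This script must be run as root" 1>&2
  fi
  exit 1
fi

# Step markers accumulate in $FILES (steps.txt in the current directory).
[[ -f "$FILES" ]] || touch -- "$FILES"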
options=(«Option 1» «Option 2» «Option 3» «Quit»)
select opt in «${options[@]}»
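# Mode menu.  Only "Auto" is implemented; the other two print "in
# development".  The old case arm was spelled "Polstart", which never matched
# the "PoluAuto" entry, so that choice fell through to the invalid-option
# message.
select opt in Auto PoluAuto Hands Exit; do
  case $opt in
    Auto)
      echo -n "Сейчас будет произведена автоматическая настройка "
      sleep 3
      jumpto start
      ;;
    PoluAuto)
      echo -n "В разработке..."
      ;;
    Hands)
      echo -n "В разработке..."
      ;;
    Exit)
      exit 1
      ;;
    *)
      echo "Недопустимая опция $REPLY"
      ;;
  esac
done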
jumpto "$start"

start:
# Abort when one of these is unset (": ${VAR?}"); the messages below and
# later steps rely on them.
: "${HOSTNAME?}" "${USER?}" "${HOME?}" "${MAIL?}"
printf '\n'
printf '%s\n' "Имя машины: $HOSTNAME." "Ваше имя: $USER." "Ваш домашний каталог: $HOME." "Ваш почтовый ящик: $MAIL."
printf '\n'
printf '%s\n' "Если перед Вами появилось это сообщение," "то это значит, что все критические переменные окружения установлены."
printf '\n'
printf '%s\n' "Сейчас будет установлена postinstall настройка"
printf '\n'

# Keep a copy of the apt sources before they are rewritten.
cd /etc/apt/
cp sources.list sources.tmp
&VERSION_DEBIAN -e mojno off
lsb_release -d | sed -n -e „s/.*(([^)]+))/1/p“
egrep „^[a-z]“ sources.list
sed -i „s/| deb-src http/deb-src http/g“ sources.list
sed -i „s/| deb http/deb http/g“ sources.list
algoritm:
a.0 search deb, deb-src
??? bash buffer
lsb_release -d | sed -n „s/.*([^)])//p“
6.1.3. 01.03 SETTINGS /ETC/NETWORK -> INTERFACES [interface_sh]
1TMPS="0";
2interface_sh:
3
4cd /install/
5if [[ -z $(sed -n -e "s/^\(1_settings_interface_with_wifi\).*/\1/p" steps.txt) ]]; then
6.1.3.1. 01.03.01 SETTINGS NETWORK/INTERFACES
1cd /etc/network/
6.1.3.2. 01.03.02 SEARCH INTERFACES
| 2: number
# Make sure the file exists (cwd is /etc/network) and keep a backup.
[[ -f /etc/network/interfaces ]] || touch interfaces
cp interfaces interfaces.back
t.k while 1 step s.b. str !0
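COUNT=1
NET_EN=""
# Fill NET_ARR[ifindex]=name from one "ip -o link" pass ("N: name: <FLAGS>..."
# per line).  The old loop ran "ip addr" twice per index with an unanchored
# pattern, so index 1 also matched "11: ...", and it stopped at the first gap
# in the numbering.
while IFS= read -r _ifline; do
  _ifidx=${_ifline%%:*}
  _ifname=${_ifline#*: }
  _ifname=${_ifname%%:*}
  NET_ARR[_ifidx]=$_ifname
  echo Counter: "$_ifidx" ${NET_EN:+"$NET_EN"}
done < <(ip -o link 2>/dev/null)

COUNT=0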
search index arr for WIFI[COUNT] and NETEN[COUNT]
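# Pick the wired (en*) and Wi-Fi (wl*) names out of NET_ARR; with several
# candidates the last one wins, as before.  The old loop iterated over the
# values and then indexed the array with them - it only worked through an
# unquoted-expansion accident.  Matching the predictable-name prefix is the
# intended test.
NET_EN=""
NET_WI=""
for _ifname in "${NET_ARR[@]}"; do
  case $_ifname in
    en*) NET_EN=$_ifname ;;
    wl*) NET_WI=$_ifname ;;
  esac
done

COUNT="0"

if [[ -n $NET_EN && -n $NET_WI ]]; then
  STATE="0"   # wired + Wi-Fi
elif [[ -n $NET_EN ]]; then
  STATE="1"   # wired only
else
  echo "Error: not search lan interfaces"
  sleep 1
  exit 2
fi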
state => «1» add interfaces only en_*!!!
state => «0» all ok
interfaces.back - zamenit bez .back
proverka interfaces
Jump to label interface_sh
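# An empty or missing interfaces file is regenerated from the template.  The
# old pattern '^[a-z] || ^#' has an empty alternative that matches every line,
# so it was only a non-empty-file test in disguise.
if [[ ! -s interfaces && $TMPS -eq "0" ]]; then
  reinterfaces
fi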
cat interfaces.back
analys set en wifi to two branch
create interfaces.tmp c orig
empty? yes - add svoi, else search „source“ „allow“ „iface“ +append_wpa
search source and return number line $begin
BEGIN=»0»
END=»0»;
mojet nay4itca kak udalit ostalnye stroki?
sed -r -e „/[a-z]/+{1,}*/=“ < interfaces.back
sed -r -e „/.*/+{1,}/ { =; q; }“ < interfaces.back
echo -e «abcnrtan123456789» | sed -r -e „/.*[0-9]/{1,/}/“
sed -r -e „/[a-z]/+{1,}*/{=;q;}“ interfaces.back
-1
str /sources/
COUNT=$(($( sed -r -e „/[a-z]/+{1,}*/{=;q;}“ interfaces.back | sed -n „$=“)-1));
if [[ $(($( sed -r -e „/[a-z]/+{1,}*/{=;q;}“ interfaces | sed -n „$=“)-1)) == «0» ]]; then
1
if [[ $(sed -n -e «$=;» interfaces) == «0» ]]; then
TMPS=»1»;
jumpto interface_sh;
fi
1TMPS="1";
sed -n -e «s/rsa_cert_file=.*$|| rsa_cert_file=.*$/rsa_cert_file=/ssl/certs/vsftpd.crt/p» vsftpd.conf
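# Generate /etc/network/interfaces (cwd) for the detected NICs.
#   STATE 0 - wired ($NET_EN) on "auto", Wi-Fi ($NET_WI) on allow-hotplug
#             with a wpa-conf line.
#   STATE 1 - wired only.
# The previous sed chain rewrote "iface lo", then re-matched every "iface"
# line with the Wi-Fi name, and ran "sed '$a ...' interfaces >> interfaces",
# which appended a copy of the whole file to itself.  The result had no
# loopback stanza and duplicated content.  Writing the file in one go is
# idempotent and leaves nothing to patch.
_write_interfaces() {
  # $1 wired interface; $2 Wi-Fi interface (empty omits the stanza).
  local wired=$1 wifi=$2
  {
    printf '# This file describes the network interfaces available on your system\n'
    printf '# and how to activate them. For more information, see interfaces(5).\n\n'
    printf 'source /etc/network/interfaces.d/*\n\n'
    printf '# The loopback network interface\nauto lo\niface lo inet loopback\n\n'
    printf '# The primary (wired) interface\nauto %s\niface %s inet dhcp\n' "$wired" "$wired"
    if [[ -n $wifi ]]; then
      printf '\n# Wi-Fi, brought up on hotplug\nallow-hotplug %s\niface %s inet dhcp\n' "$wifi" "$wifi"
      # NOTE(review): wpa_supplicant.conf holds the PSK in clear text.  Keep it
      # root-owned, mode 0600, and preferably under /etc/wpa_supplicant/ rather
      # than in a user's home directory.
      printf '    wpa-conf /home/rootsu/wpa_supplicant.conf\n'
    fi
  } > interfaces
}

if [[ $STATE -eq "0" ]]; then
  TMPS="1"
  _write_interfaces "$NET_EN" "$NET_WI"
  systemctl restart wpa_supplicant
else
  TMPS="1"
  _write_interfaces "$NET_EN" ""
fi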
6.1.3.3. 01.03.02 restart service
# Apply the new interfaces file and record the step.
systemctl restart networking

cd /install/
printf '%s\n' "1_settings_interface_with_wifi" >> steps.txt
5fi
6.1.4. 01.04 Update distribution
1step_one:
2
3cd /install/
4if [[ -z $(sed -n -e "s/^\(1_src_list\).*/\1/p" steps.txt) ]]; then
5
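cd /etc/apt/
# Release codename for sources.list.  VERSION_CODENAME from /etc/os-release is
# always present on Debian; lsb_release is optional.  The old fallback's last
# sed deleted the codename instead of extracting it, which left DEB_VER empty
# and produced a sources.list with no suite, so an empty result now aborts.
DEB_VER=$( . /etc/os-release 2>/dev/null && printf '%s' "${VERSION_CODENAME:-}" )
if [[ -z $DEB_VER ]] && command -v lsb_release >/dev/null 2>&1; then
  DEB_VER=$( lsb_release -d | sed -n -e 's/.*(\([^)]\+\))/\1/p' )
fi
if [[ -z $DEB_VER ]]; then
  echo "Error: not defined version DebianOS" >&2
  exit 1
fi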
cd /etc/apt/;
rm sources.tmp;
touch sources.tmp
main, contrib, non-free
main — здесь находятся пакеты соответствующие DFSG-compliant (Debian Free Software Guidelines) не требуют дополнительное ПО из других источников. Это часть дистрибутива Debian. Полностью свободны для любого использования.
contrib — смешанные пакеты которые содержат не только свободные пакеты DFSG-compliant но и пакеты из других веток например non-free.
non-free — не свободное программное обеспечение. Не соответствует DFSG.
check null string ???? dob add usloviya proverki ft http
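# Rebuild or patch sources.list (cwd is /etc/apt).  A file with no active
# "deb " line is regenerated from the template; otherwise only the component
# list of the existing $DEB_VER entries is widened to "main contrib non-free".
# The old test grepped for the literal text "^[a-z] && ^#", which never
# matches, so the regeneration branch was dead, and it expanded the template
# through an unquoted "echo -e $BUF", letting the shell glob the "*" in the
# cdrom line.
# NOTE(review): the "$DEB_VER-security" suite exists from bullseye on; buster
# and older used "$DEB_VER/updates".  apt verifies Release signatures, so the
# plain-http mirrors are authenticated but not private; https works with the
# same URLs once ca-certificates is installed.
if ! grep -q '^deb ' sources.list 2>/dev/null; then
  STATE="1"
  cat > sources.list <<EOF
#deb cdrom:[Debian GNU/Linux _*_ - Official amd64 NETINST 20210814-10:07]/ * main
deb http://ftp.debian.org/debian/ $DEB_VER main non-free contrib
deb-src http://ftp.debian.org/debian/ $DEB_VER main non-free contrib

deb http://security.debian.org/debian-security/ $DEB_VER-security main contrib non-free
deb-src http://security.debian.org/debian-security/ $DEB_VER-security main contrib non-free

# *-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ $DEB_VER-updates main contrib non-free
deb-src http://deb.debian.org/debian/ $DEB_VER-updates main contrib non-free

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
EOF
  echo "Info: sources.list is null"
  sleep 1
else
  # sed notes kept from the original - an address before the command limits
  # it to matching lines, "!" negates the address; "[a-z]*" also matches the
  # empty string, use "[a-z]\+" (or -E and "[a-z]+") for "at least one".
  sed -i -e "s/$DEB_VER\s.*$/$DEB_VER main contrib non-free/g" sources.list
  sed -i -e "s/\(\/\s$DEB_VER\-[a-z]*\).*/\1 main contrib non-free/g" sources.list
fi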
4
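# Refresh and upgrade.  apt-get -y with a non-interactive debconf frontend
# replaces piping "y" into apt-get, which does not answer every prompt apt
# can raise.  A failed update used to be ignored and the upgrade then ran on
# stale lists.
if ! apt-get update; then
  echo "Error: apt-get update failed!!!" >&2
  exit 1
fi
if ! DEBIAN_FRONTEND=noninteractive apt-get -y full-upgrade; then
  echo "Error: full upgrade error!!!"
  exit 1
fi
DEBIAN_FRONTEND=noninteractive apt-get install -y console-setup
cd /install/
echo -e "1_src_list" >> steps.txt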
14
15fi
6.1.5. 01.05 Install drivers
1step_two:
2
3cd /install/
4if [[ -z $(sed -n -e "s/^\(2_install_driver\).*/\1/p" steps.txt) ]]; then
5
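# GPU driver by vendor string from lspci.  The old else-branch installed the
# proprietary NVIDIA stack on every non-AMD machine, Intel included; now each
# vendor gets its own packages and anything else is left to the in-tree
# drivers.
_vga=$(lspci | grep VGA)
case $_vga in
  *"[AMD/ATI]"*)
    apt-get install -y libdrm-amdgpu1
    apt-get install -y xserver-xorg-video-amdgpu
    ;;
  *NVIDIA*)
    apt-get install -y nvidia-driver firmware-misc-nonfree nvidia-settings
    ;;
  *)
    ;;
esac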
apt-get install firmware-linux | apt-get install firmware-linux-nonfree | apt-get install firmware-linux | apt-get install firmware-realtek | apt-get install libdrm-amdgpu1 | apt-get install xserver-xorg-video-amdgpu | apt-get install man
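apt-get install -y firmware-linux

# Realtek NICs need blobs from non-free.  The old test compared against
# "Realtek" but the sed capture kept a trailing space, so it never matched.
case $(lspci | grep Ethernet) in
  *Realtek*) apt-get install -y firmware-realtek ;;
esac
apt-get install -y firmware-linux-nonfree
apt-get install -y firmware-iwlwifi
apt-get install -y man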
6.1.5.1. 01.05.01 Install SElinux utils & acl
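# SELinux userland, ACL tools and auditd.  Both the default and the MLS
# policy packages are requested, as in the original; only one can be the
# active policy - confirm which one selinux-activate picks.
apt-get install -y acl
apt-get install -y setools policycoreutils selinux-basics selinux-utils selinux-policy-default selinux-policy-mls auditd policycoreutils-python-utils semanage-utils audispd-plugins
apt-get install -y mcstrans

systemctl enable auditd
systemctl start auditd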
policycoreutils-gui
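# Request a full relabel on next boot and switch SELinux on.  The status check
# belongs to selinux-activate (the old message blamed the driver install).
touch /.autorelabel
if ! selinux-activate; then
  echo "Error: selinux-activate failed!!!"
  exit 1
fi

echo -e "2_install_driver" >> steps.txt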
6.1.5.2. 01.05.02 Reboot
# The relabel requested via /.autorelabel happens on this boot.  The later
# steps are guarded by steps.txt markers, so the script is meant to be re-run
# afterwards (presumably through the pii2.sh init hook noted further down -
# verify, it is not wired up in the visible code).
reboot
2fi
6.1.6. 01.06 Install git && nanorc [step_three]
1if [[ -z $(sed -n -e "s/^\(3_nanorc\).*/\1/p" steps.txt) ]]; then
nano /etc/rc.local
setupcon
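# nano from source.  The old status test read "[ ? -ne 0 ]" (missing "$"),
# so a failed git install never stopped the script.
if ! apt-get install -y git; then
  echo "Error: error install git!!!"
  exit 1
fi
cd /install || exit 1
# https instead of git://, which is unauthenticated and unencrypted - anything
# on the path could substitute the tree that is built and installed as root
# below.  Building the development head is also unpinned and unreviewed;
# checking out a release tag (or using Debian's nano package) is the
# repeatable choice.
git clone https://git.savannah.gnu.org/git/nano.git && cd nano && ./autogen.sh && ./configure && make install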
rm -Rf /nano/
rmdir /nano/
git clone https://github.com/nanorc/nanorc.git
cd nanorc
make install
exit 1;
make list all autogen
cat ~/.nano/syntax/ALL.nanorc
rm ~/.nanorc
touch ~/.nanorc
echo -e „include ~/.nano/syntax/ALL.nanorc“ >> ~/.nanorc
| TeX
echo -e „include «/usr/share/nano/patch.nanorc' >> ~/.nanorc
| POV-Ray
echo -e „include «/usr/share/nano/pov.nanorc' >> ~/.nanorc
| Perl
echo -e „include «/usr/share/nano/perl.nanorc' >> ~/.nanorc
| Nanorc files
echo -e „include «/usr/share/nano/nanorc.nanorc' >> ~/.nanorc
| Python
echo -e „include «/usr/share/nano/python.nanorc' >> ~/.nanorc
| C/C++
echo -e „include «/usr/share/nano/c.nanorc' >> ~/.nanorc
| Groff
echo -e „include «/usr/share/nano/groff.nanorc“ >> ~/.nanorc
| Assembler
echo -e „include «/usr/share/nano/asm.nanorc“ >> ~/.nanorc
| Ruby
echo -e „include «/usr/share/nano/ruby.nanorc“ >> ~/.nanorc
| Manpages
echo -e „include «/usr/share/nano/man.nanorc“ >> ~/.nanorc
| HTML
echo -e „include «/usr/share/nano/html.nanorc“ >> ~/.nanorc
| Bourne shell scripts
echo -e „include «/usr/share/nano/sh.nanorc“ >> ~/.nanorc
| Sun Java
echo -e „include «/usr/share/nano/java.nanorc“ >> ~/.nanorc
| Sun php
echo -e „include «/usr/share/nano/php.nanorc“ >> ~/.nanorc
| Sun perl
echo -e „include «/usr/share/nano/perl.nanorc“ >> ~/.nanorc
| sql
echo -e „include «/usr/share/nano/sql.nanorc“ >> ~/.nanorc
| asm
echo -e „include «/usr/share/nano/asm.nanorc“ >> ~/.nanorc
include «/usr/share/nano/*.nanorc»
# Pull every syntax file shipped with nano into ~/.nanorc; this one line
# replaces the per-language include list above.
find /usr/share/nano -name '*.nanorc' -printf "include %p\n" > ~/.nanorc
for i in ls /usr/share/nano
do
echo «include /usr/share/nano/$i» >> ~/.nanorc
done
rm -Rf /nanorc/
rmdir /nanorc/
1fi
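# Marker for step 3, written to /install/steps.txt by absolute path: the step
# above ends inside /install/nano, so a relative path put the marker in the
# wrong directory and the step re-ran on every pass.  The line sits outside
# the step's if/fi, hence the duplicate guard.
grep -qx "3_nanorc" /install/steps.txt 2>/dev/null || echo -e "3_nanorc" >> /install/steps.txt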
6.1.7. 01.07 Copy dir
1if [[ -z $(sed -n -e "s/^\(4_copy_sh\).*/\1/p" steps.txt) ]]; then
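cd /install/
# NOTE(review): this copies into /home before the accounts exist (they are
# created in the users step), so the files end up root-owned and useradd -m
# later finds the home already present.  Behaviour kept; worth re-ordering.
cp -Rf /install/home/* /home/
cp -Rf /install/home/rootsu/.bashrc ~root
cp -Rf /install/home/rootsu/.profile ~root
cp -Rf /install/home/rootsu/.cmd_shell.sh ~root

cp -Rf /install/home/rootsu/* ~root
# root's home stays private.  The old "chmod ug+rwx -R ~root" made everything
# under /root group-writable; any account placed in group root could then edit
# ~root/.bashrc and get a root shell on the next login, and sshd's StrictModes
# would reject ~root/.ssh/authorized_keys.
chmod -R u+rwX,go-rwx ~root
# cp -Rf /install/home/admin/.bashrc /root/
# cp /etc/nanorc ~/.nanorc
echo -e "4_copy_sh" >> steps.txt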
2fi
exit 1;
cp -Rf /install/home/ /home/ | -> rootsu, admin
6.1.8. 01.08 Install utils [step_five]
1if [[ -z $(sed -n -e "s/^\(5_install_util_wd\).*/\1/p" steps.txt) ]]; then
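# The old line piped a literal "y\n" (no -e) into apt-get; -y is the supported
# way to pre-answer.
if ! apt-get install -y build-essential; then
  echo "Error: error install gcc-utils!!!"
  exit 1
fi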
6
# scratch: "ppa:ubuntu-toolchain-r/test" is an Ubuntu Launchpad PPA built for
# Ubuntu releases, not Debian suites, and it makes a third party's signing key
# a root of trust for this host; the "-get" suffix is a typo and the dashes in
# the update-alternatives line are en-dashes, not "--".  Take gcc from Debian's
# own archive instead.
# add-apt-repository ppa:ubuntu-toolchain-r/test && apt update
# apt-get install gcc-snapshot && apt-get install gcc-11 g++-11
# update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 60 --slave /usr/bin/g++ g++ /usr/bin/g++-9
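# Utilities.  apt-get's own -y replaces the "echo y | apt-get" pattern, which
# does not answer every prompt apt can raise.  One package per call on
# purpose, so a missing name fails that call only, as before.
_apt_install() { DEBIAN_FRONTEND=noninteractive apt-get install -y "$@"; }
_apt_install python        # absent on Debian 11+ (see python-is-python3)
_apt_install python3
_apt_install tmux
_apt_install net-tools
_apt_install manpages-dev
# Debian's package is "wpasupplicant"; "wpa_supplicant" is the upstream name
# and does not resolve.
_apt_install wpasupplicant
_apt_install mc
_apt_install ncdu
# _apt_install monitorix
_apt_install netdata
_apt_install sysstat       # was "systat", which is not a Debian package
_apt_install iftop
_apt_install htop
_apt_install sudo
_apt_install iptraf
_apt_install ntp
systemctl enable ntp
# ("systemctl enable start" named no unit and was dropped.)
systemctl unmask samba
# /etc/sudoers is replaced wholesale.  A syntax error in it locks every
# administrator out of sudo, so check it with visudo before going on, and
# keep the mode sudo insists on.
cp /install/etc/sudoers /etc/sudoers
if ! visudo -c -f /etc/sudoers >/dev/null; then
  echo "Error: /etc/sudoers failed visudo -c" >&2
  exit 1
fi
chmod 0440 /etc/sudoers
_apt_install nmon
_apt_install nmap
_apt_install safe-rm
_apt_install aptitude
_apt_install btrfs-progs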
echo -e «yn» | apt-get install iptables
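# "iptables -F" stood here.  With the default ACCEPT policies it only removes
# whatever rules exist and adds none - no rule set is defined anywhere in this
# script (the "Install and settings firewall" section is empty) - so the host
# ends up with no packet filter at all.  Put a real rule set (nftables/ufw)
# in its place before re-enabling it.
# _apt_install iptables
# iptables -F
_apt_install() { DEBIAN_FRONTEND=noninteractive apt-get install -y "$@"; }
_apt_install cifs-utils
_apt_install samba
_apt_install smbfs         # gone from current Debian; cifs-utils replaced it
_apt_install whois         # provides mkpasswd
_apt_install lsof
# _apt_install mkpasswd    # not a package; the binary comes with whois above
_apt_install wget
_apt_install tree
_apt_install autofs
_apt_install gpg
_apt_install rsync
_apt_install ca-certificates
_apt_install shared-mime-info
_apt_install wget genisoimage xorriso isolinux hwinfo
_apt_install hddtemp lm-sensors
_apt_install at
_apt_install python3-pip   # was "pip", which is not a Debian package name
_apt_install xz-utils
_apt_install curl
# _apt_install sphinx      # no such package; python3-sphinx is installed below
_apt_install smartmontools
_apt_install python3-sphinx
_apt_install nfs-common
_apt_install build-essential libssl-dev libffi-dev python3-dev
_apt_install python3-venv
_apt_install mdadm
_apt_install hdparm
_apt_install hddtemp lm-sensors psensor
_apt_install stress
systemctl enable mdadm
update-initramfs -u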
33
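python3 -m venv env
# Install into the venv just created rather than the system site-packages the
# bare "pip" used as root.  These are unpinned PyPI packages pulled at install
# time; pin versions (ideally with hashes) in a requirements file before
# depending on them.
_venv_pip() { ./env/bin/pip install "$@"; }
# _venv_pip mkdocs
# _venv_pip -U mkdocs
# _venv_pip mkdocs-rtd-dropdown
_venv_pip --upgrade myst-parser
_venv_pip sphinx-autodocgen
_venv_pip Pygments
_venv_pip sphinx-intl
_venv_pip lumache
_venv_pip django
_venv_pip django-docs
_venv_pip sphinxnotes-strike
_venv_pip sphinx_rtd_theme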
Install Sphinx
# NOTE(review): runs as root with the system pip (the venv created above is
# never activated), and "python" may not exist on Debian 11+ without
# python-is-python3 - confirm which interpreter is intended.
pip install -U sphinx
python -m venv .venv
echo -e «yn» | apt-get install anacron
1systemctl enable cron
systemctl enable anacron
echo -e «yn» | apt-get install postfix
Nmap Ngrep VnStat Iptraf-ng NetHogs Iotop dd dh netcat
# Enable autofs for future boots and start it now.
systemctl enable --now autofs
echo -e «yn» | apt-get install selinux-basics selinux-policy-default auditd
echo -e «yn» | apt-get install setools policycoreutils selinux-basics selinux-utils selinux-policy-default selinux-policy-mls auditd policycoreutils-python-utils semanage-utils
setroubleshoot selinux-policy-targeted
# sshd is required by the ssh settings step; stop here if it cannot be installed.
apt-get install -y openssh-server || { echo "Error: error install setup-utils!!!"; exit 1; }
exit 1;
Update settings LOCALE
locale -a
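# System locale.  Setting LC_ALL in /etc/default/locale overrides every other
# LC_* value for every user and service, which is rarely intended - LANG
# alone is the usual knob; kept as in the original, flagged for review.  The
# locale must also be generated (locales package / locale-gen) or glibc falls
# back to C silently.
update-locale LC_TIME=ru_RU.UTF-8
update-locale LC_ALL=ru_RU.UTF-8
update-locale LANG=ru_RU.UTF-8
# (a print-only sed over /etc/default/locale stood here; it changed nothing)
update-locale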
6
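# Overlay the prepared /etc tree.  This replaces live configuration wholesale
# (sshd, samba, sudoers, ...), so validate the one file whose syntax error
# locks administrators out before continuing.
if ! cp -Rf /install/etc/* /etc; then
  echo "Error: copy install to etc"
  exit 1
fi
if [[ -f /install/etc/sudoers ]]; then
  if ! visudo -c -f /etc/sudoers >/dev/null; then
    echo "Error: /etc/sudoers failed visudo -c after copy" >&2
    exit 1
  fi
  chmod 0440 /etc/sudoers
fi
cd /install/
echo -e "5_install_util_wd" >> steps.txt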
exit 1;
echo «Press ESC key to quit and reboot»
read a single character
while read -r -n1 key
do
if input == ESC key
if [[ $key == $“e“ ]];
then
reboot;
fi
done
1fi
dpkg -i xz-utils_5.2.4-1_amd64.deb
tar -xvf wpa_supplicant-0.7.3.tar.gz
cd ./wpa_supplicant-0.7.3/
mv /install/.config /install/wpa_supplicant-0.7.3/wpa_supplicant/
bash make
exit 1;
tar -xvf console-setup_1.205.tar.xz
cd ./console-setup-1.205.tar.xz/
./configure
./install
cp -Rf /install/etc/default/console-setup /etc/default/
if [ -f /etc/resolv.conf ]; then
jumpto STEP_TWO_AFTER;
fi
1step_three:
Search
# scratch: "ppa:un-brice/ppa" is an individual's Ubuntu Launchpad archive.
# It is built for Ubuntu releases, not Debian suites, and adding it makes that
# person's signing key a root of trust for every later apt-get on this host.
# Package "shake-fs" from a source you can verify, or leave it out.
# add-apt-repository ppa:un-brice/ppa
# apt-get update
# apt-get install shake-fs
6.1.9. 01.09 Install driver opt and acc [step_six]
1step_four:
2cd /install/
3if [[ -z $(sed -n -e "s/^\(7_driver_opt\).*/\1/p" steps.txt) ]]; then
6.1.9.1. 01.09.01 create disk /opt/
6.1.9.2. 01.09.02 search /dev/s**
# scratch - do not run as-is.  STATE becomes the first /dev/s* device fdisk
# lists, which on most machines is the system disk, and the scripted answers
# piped into fdisk (their "\n" escapes were lost in this copy) repartition it
# with --wipe.  Name the target disk explicitly and check it is not mounted
# before anything like this is executed.
# touch fdiskhdd.txt
# fdisk -l > fdiskhdd.txt
# STATE=$(sed -n -e 's/.*\(\/dev\/s[a-z]*[0-9]\).*/\1/p' fdiskhdd.txt)
# if [[ -z $(sed -n -e 's/.*\(\/dev\/s[a-z]*\).*/\1/p' fdiskhdd.txt) ]]; then
#   STATE=$(sed -n -e 's/.*\(\/dev\/s[a-z]*\).*/\1/p' fdiskhdd.txt)
# fi
# OPTIONS: g , w
# echo -e "ngnnn1n2048nnw" | fdisk "$STATE" --wipe auto
1
Create fs
mkfs.ext4 $STATE /opt
6.1.9.3. 01.09.03 mount /dev/s**
mount -t ext4 $(sudo fdisk -l | sed -n -e «s/.*(/dev/s[a-z]*[0-9]).*/1/p») /opt
1
shd=$(sudo fdisk -l | sed -n -e «s/.*(/dev/s[a-z]*[0-9]).*/1/p» | sed „s///\//g“)
1
S1=$(sudo blkid | sed -n -e «s/$shd:s(.*).*/1/p» | sed -n -e «s/$shd:s([=a-zA-Z_]*)/1/p;s/UUID=(.*)sB.*/1/p» | sed „s/"/\»/g“)
1
S1=$(sudo blkid | sed -n -e «s/$shd:s(.*).*/1/p» | sed -n -e «s/UUID=(.*)sB.*/1/p» | sed „s/"/\»/g“)
1
sed -i -e «$ a UUID=$S1 /opt/ ext4 defaults 0 2» /etc/fstab
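cd /install/
# Data partitions - every unmounted ext4 partition on a /dev/sd* disk is
# mounted under /mnt/<name>, recorded in fstab and opened to the share
# accounts.  Differences from the previous loop, which took every partition
# fdisk listed -
#   the root, boot and swap partitions are skipped (mounted, or not ext4), so
#   fstab no longer gets an ext4 line for a swap device or a second mount of /;
#   "nofail" keeps a missing disk from dropping boot into emergency mode;
#   ownership, ACLs and labels are applied after mount -a, i.e. to the
#   filesystem, not to the empty mount point the old code touched first;
#   the recursive chmod 777 is gone - the ACLs grant the accounts that need
#   write access, nothing else needs it;
#   the UUID is written plain (the old quoting left literal \" in fstab).
: > fdisk.txt
while IFS= read -r dev; do
  [[ $dev =~ ^/dev/s[a-z]+[0-9]+$ ]] || continue
  [[ $(blkid -s TYPE -o value "$dev") == ext4 ]] || continue
  findmnt -rn --source "$dev" >/dev/null 2>&1 && continue
  uuid=$(blkid -s UUID -o value "$dev")
  [[ -n $uuid ]] || continue
  printf '%s\n' "$dev" >> fdisk.txt
  TMPS=${dev#/dev/}
  mkdir -p -- "/mnt/$TMPS"
  grep -q -- "^UUID=$uuid[[:space:]]" /etc/fstab \
    || printf 'UUID=%s /mnt/%s ext4 defaults,nofail 0 2\n' "$uuid" "$TMPS" >> /etc/fstab
done < <(blkid -o device)
mount -a

while IFS= read -r dev; do
  TMPS=${dev#/dev/}
  chown -R admin_share:technics "/mnt/$TMPS"
  chmod -R u=rwX,g=rwX,o=rX "/mnt/$TMPS"
  setfacl -R -m u:admin_share:rwx,u:admin:rwx,u:pub_share:rwx,g:admins:rw,g:technics:rw "/mnt/$TMPS"
  semanage fcontext -a -t public_content_rw_t "/mnt/$TMPS(/.*)?"
  restorecon -R "/mnt/$TMPS"
done < fdisk.txt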
2sudo mount -a
# STATE must still be set here; otherwise stop with status 3 before marking
# the step done.
[[ -n $STATE ]] || exit 3
printf '%s\n' "7_driver_opt" >> steps.txt
2fi
1cd /install/
| in-target mkfs.ext4 /dev/sdb1 ;
in-target echo «/dev/sdb1 /srv ext4 nodiratime 0 2» >> /etc/fstab
???
fdisk
mkfs
1_1_4 editor /etc/apt/sources.list
add info ro «contrib non-free|
copy sources.list -> sources.tmp
1
cp /install/pii2.sh /etc/init.d/
chkconfig –add pii2.sh
update-rc.d pii2.sh defaults
touch /install/step_two.txt
1
Jump to label interface_sh
6.1.10. 01.10 Create users and groups
1if [[ -z $(sed -n -e "s/^\(9_user_settings\).*/\1/p" steps.txt) ]]; then
2
3STEP_TWO_AFTER:
cp sources.tmp sources.list;
6.1.10.1. 01.10.01 Create users and groups
cp -Rf /install/home/rootsu/.cmd_shell.sh ~/.cmd_shell.sh
cp -Rf /install/home/rootsu/.bashrc ~/.bashrc
cp -Rf /install/home/rootsu/.bashrc /home/admin/
cp -Rf /install/home/rootsu/.cmd_shell.sh /home/admin/
В
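# Groups and accounts.  Passwords are set through chpasswd on stdin, so
# neither the clear text nor the hash appears on a command line (argv shows
# up in ps and in any set -x trace), and chpasswd hashes with the method from
# /etc/login.defs (SHA-512 on Debian) instead of the obsolete MD5 crypt that
# "mkpasswd -H MD5" produced.  The ******** values are placeholders - load real
# ones from a root-only file or the environment, never inline.
# A scratch "test" account with an empty password field (-p "") was removed
# here - an empty field means login without any password.
_set_pw() { printf '%s:%s\n' "$1" "$2" | chpasswd; }

groupadd -g 1000 admins
groupadd -g 2000 exp_users
groupadd -g 3000 pro_users
groupadd -g 4000 moderators
groupadd -g 5000 technics
groupadd -g 6000 ps_users
groupadd -g 7000 others
useradd -u 1100 -g admins -c "admin" -s /bin/bash -m admin
_set_pw admin "********"

useradd -u 1200 -g admins -c "admin" -s /bin/bash -m admin_tech
_set_pw admin_tech "********"
# Membership in "sudo" already grants full root.  Adding these accounts to
# group "root" as well only widens what they can read and, wherever files are
# group-writable, write without going through sudo's logging - left out.
usermod -aG sudo,technics admin
usermod -aG sudo,technics admin_tech

cp /install/home/rootsu/.bashrc /home/admin/
cp /install/home/rootsu/.profile /home/admin/
cp /install/home/rootsu/.cmd_shell.sh /home/admin/

useradd -u 2100 -g exp_users -s /bin/bash -c "far_exp" -m far_exp
_set_pw far_exp "********"
useradd -u 3100 -g pro_users -s /bin/bash -c "far_pro" -m far_pro
_set_pw far_pro "********"
useradd -u 4100 -g moderators -s /bin/bash -c "far_moderator" -m far_mod
_set_pw far_mod "********"
# Share accounts have no shell; they exist for samba only.
useradd -u 5100 -g technics -d /opt/SAMBA_SHARE/ -s /bin/false -c "technical admin_share" admin_share
_set_pw admin_share "********"
useradd -u 5200 -g technics -d /opt/SAMBA_SHARE/ -s /bin/false -c "technical pub_share" pub_share
_set_pw pub_share "********"
useradd -u 6100 -g ps_users -s /bin/bash -c "far_user" -m far_user
_set_pw far_user "********"
useradd -g ps_users -c "tom" -s /bin/bash -m tom
_set_pw tom "********"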
smbpasswd -a -w «» admin_share
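# Samba passwords.  smbpasswd reads from stdin only with -s; without it the
# prompts go to /dev/tty and the piped text is ignored.  ******** are
# placeholders - supply real values from a root-only file, not inline.
printf '%s\n%s\n' "********" "********" | smbpasswd -s -a admin_share
printf '%s\n%s\n' "********" "********" | smbpasswd -s -a pub_share
smbpasswd -e admin_share
smbpasswd -e pub_share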
smbpasswd -a -w «» pub_share
if [ $? -ne 0 ]; then********
fi
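# Share directories.  Only the share trees change owner - the old "chown -R
# ... /opt/" handed every file under /opt (third-party software lives there
# too) to the samba account, which could then replace binaries other users
# run.  mkdir -p makes a re-run harmless.
mkdir -p /opt/SAMBA_SHARE /mnt/SMB /mnt/SMB/SOFT_2TBSEAGREEN /mnt/SMB/SOFT_3TBSEASYAN /media/admin
chown admin:admins /media/admin
chown -R admin_share:technics /opt/SAMBA_SHARE /mnt/SMB
chmod -R ug+rwX /opt/SAMBA_SHARE /mnt/SMB
setfacl -R -m u:pub_share:rwx,u:admin_share:rwx /mnt/SMB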
chown -R admin_share:technics,pub_share:technics /mnt/SMB
1
6.1.10.2. 01.10.02 Create ssh_ssl
6.1.10.3. 01.10.03 Install ssh settings
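cd /etc/ssh/

cp sshd_config sshd_config.tmp

# Set one sshd_config keyword - replace an existing live or commented line,
# else append.  Debian's stock file has no Match block; if one is ever added,
# appended keywords must land before it.
_sshd_set() {
  local key=$1 val=$2
  if grep -Eq "^#?${key}[[:space:]]" sshd_config; then
    sed -i -E "s|^#?${key}[[:space:]].*$|${key} ${val}|" sshd_config
  else
    printf '%s %s\n' "$key" "$val" >> sshd_config
  fi
}

_sshd_set Port "$PORT_SSH"
sed -i -e "s/#HostKey/HostKey/g" sshd_config
_sshd_set PubkeyAuthentication yes
# The keyword is SyslogFacility; the old pattern "SysLogFacility" matched
# nothing, so the facility never changed.
_sshd_set SyslogFacility AUTHPRIV
# VERBOSE records the fingerprint of every key that authenticates (the old
# line commented LogLevel out instead).
_sshd_set LogLevel VERBOSE
_sshd_set LoginGraceTime 2m
# Changes against the previous values, largest first.
#  AuthorizedKeysFile listed /home/rootsu/.ssh/authorized_keys for every user
#  (%u), so any key in that one file could log in as any account, root
#  included; each account now has only its own ~/.ssh/authorized_keys.
#  PermitRootLogin yes -> prohibit-password, root only with a key.
#  StrictModes no -> yes, so sshd again refuses keys in group/world-writable
#  homes or .ssh directories; those modes have to be right (the recursive
#  "chmod ug+rwx" on ~root earlier in this script is not).
#  ChallengeResponseAuthentication yes together with UsePAM yes let PAM ask
#  for a password over keyboard-interactive, which made
#  "PasswordAuthentication no" ineffective; it is now off.  Confirm every
#  administrator has a working key before applying this on a remote host.
_sshd_set PermitRootLogin prohibit-password
_sshd_set StrictModes yes
_sshd_set MaxAuthTries 3
_sshd_set MaxSessions 3
_sshd_set AuthorizedKeysFile .ssh/authorized_keys
_sshd_set PasswordAuthentication no
_sshd_set PermitEmptyPasswords no
_sshd_set ChallengeResponseAuthentication no
_sshd_set UsePAM yes
# Forwarding stays on as configured; both widen what a stolen client key can
# reach, so restrict them per user (Match block) if the host is exposed.
_sshd_set AllowTcpForwarding yes
_sshd_set X11Forwarding yes
_sshd_set X11DisplayOffset 10
_sshd_set PrintMotd yes
# Kept from the original - the sftp subsystem is disabled.
sed -i -e "s/^Subsystem\s/#&/" sshd_config
# Validate before restarting so a bad file cannot take sshd down; on failure
# put the copy taken above back.
if sshd -t; then
  systemctl restart ssh
else
  echo "Error: sshd_config failed validation, previous file restored" >&2
  cp sshd_config.tmp sshd_config
  exit 1
fi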
6.1.10.4. 01.10.04 Create users ssh
# SSH key setup for the two accounts via the helper copied from /install.
# NOTE(review): --pwd "debian" places a password on the command line, where it
# is visible in ps, in shell history and in any set -x trace; what the helper
# does with it (key passphrase or account password) is not visible here.
# The "sudo" prefix is redundant - the script already requires root.
sudo bash ~/.cmd_shell.sh --mode "ssh_keygen" --uadd "tom" --gadd "ps_users" --pwd "debian"
bash ~/.cmd_shell.sh --mode "ssh_keygen" --uadd "admin" --gadd "admins" --pwd "debian"
6.1.10.5. 01.10.05 Create SAMBA
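# CIFS mounts for the two NAS shares.  The credentials file holds a clear-text
# password, so it must be root-owned and mode 0600 - checked here rather than
# assumed.  (The old commands had no space between the UNC path and the mount
# point, so mount received one bogus argument.)
_creds=/home/rootsu/.smbusers
if [[ -f $_creds && $(stat -c '%u %a' "$_creds") != "0 600" ]]; then
  echo "Warning: $_creds should be root-owned, mode 0600" >&2
fi
mount -v -t cifs //192.168.1.1/SOFT_2TBSEAGREEN /mnt/SMB/SOFT_2TBSEAGREEN -o "credentials=$_creds,defcontext=system_u:object_r:samba_share_t:s0"
mount -v -t cifs //192.168.1.1/SOFT_3TBSEASYAN /mnt/SMB/SOFT_3TBSEASYAN -o "credentials=$_creds,defcontext=system_u:object_r:samba_share_t:s0"

cp -Rf /install/etc/autofs /etc/
cp -Rf /install/etc/autofs.conf /etc/
cp -Rf /install/etc/samba /etc/
# NOTE(review): this drops a prepared tree over /lib, i.e. over system
# libraries; whatever is in /install/lib is trusted as much as the OS itself.
cp -Rf /install/lib/ /lib/
# "chmod 644 -R" on a directory strips its execute bit and autofs can no
# longer open the maps inside; files 0644, directories 0755.
find /etc/autofs -type d -exec chmod 755 {} +
find /etc/autofs -type f -exec chmod 644 {} +

systemctl restart autofs
systemctl restart smbd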
6.1.10.6. 01.10.06 Install and settings firewall
6.1.10.7. 01.10.07 Install other soft
6.1.10.8. 01.10.08 Extended nano
6.1.10.9. 01.10.09 cp ers
1echo -e "y" | apt-get install ntfs-3g;
exit 1;
6.1.10.10. 01.10.10 Install vsftp
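apt-get install -y vsftpd

cd /etc/
# Keep a pristine copy before the settings below touch the live file.  The old
# command lacked the space between source and destination and copied nothing.
cp /etc/vsftpd.conf /etc/vsftpd.conf_default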
Listen=YES
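# vsftpd settings (cwd is /etc).  Every value goes through one helper so a
# re-run does not append duplicates the way the old "$ a ..." lines did.
_vsftpd_set() {
  # $1 key, $2 value - replace a live or commented "key=" line, else append.
  local key=$1 val=$2
  if grep -Eq "^#?${key}=" vsftpd.conf; then
    sed -i -E "s|^#?${key}=.*$|${key}=${val}|" vsftpd.conf
  else
    printf '%s=%s\n' "$key" "$val" >> vsftpd.conf
  fi
}

_vsftpd_set listen YES
_vsftpd_set listen_ipv6 NO
_vsftpd_set anonymous_enable NO
_vsftpd_set anon_upload_enable NO
_vsftpd_set anon_mkdir_write_enable NO
_vsftpd_set write_enable YES
_vsftpd_set local_umask 022
_vsftpd_set connect_from_port_20 NO
# vsftpd.conf(5) warns that ASCII-mode transfers and "ls -R" can be used as a
# denial-of-service technique; the old file switched all three on.
_vsftpd_set ascii_upload_enable NO
_vsftpd_set ascii_download_enable NO
_vsftpd_set ls_recurse_enable NO
_vsftpd_set ftpd_banner "Welcome to $HOSTNAME!!!"
# chroot_local_user=YES with write_enable=YES - vsftpd refuses a login whose
# chroot root is writable ("500 OOPS ... refusing to run with writable root
# inside chroot()").  Give FTP users a non-writable home with a writable
# subdirectory rather than reaching for allow_writeable_chroot.
_vsftpd_set chroot_local_user YES
# The list file belongs in /etc (root-owned), not in a user's home; it is
# inert anyway until chroot_list_enable=YES is set.
_vsftpd_set chroot_list_file /etc/vsftpd.chroot_list
_vsftpd_set utf8_filesystem YES
# Kept from the original - pam_service_name commented out.  vsftpd's built-in
# default is the same "vsftpd" service, so authentication still goes via PAM.
sed -i -e "s/^pam_service_name=.*$/#pam_service_name=vsftpd/" vsftpd.conf
# TLS.  Nothing in this script creates the certificate and key named here;
# vsftpd will not start until they exist.
_vsftpd_set rsa_cert_file /etc/ssl/certs/vsftpd.crt
_vsftpd_set rsa_private_key_file /etc/ssl/private/vsftpd.key
_vsftpd_set ssl_enable YES
_vsftpd_set force_dot_files YES
_vsftpd_set pasv_min_port 49000
_vsftpd_set pasv_max_port 55000
_vsftpd_set allow_anon_ssl NO
# Logins and data both go over TLS.  The old file forced only the logins,
# so file contents travelled in the clear.
_vsftpd_set force_local_data_ssl YES
_vsftpd_set force_local_logins_ssl YES
# Protocol versions.  The old line enabled SSLv3 (ssl_sslv3=YES) under a
# comment that said TLS 1.2.  ssl_tlsv1_1 / ssl_tlsv1_2 need vsftpd 3.0.3 or
# later (Debian 11 ships 3.0.3); on an older build drop those two lines, as an
# unknown key stops vsftpd from starting.
_vsftpd_set ssl_sslv2 NO
_vsftpd_set ssl_sslv3 NO
_vsftpd_set ssl_tlsv1 NO
_vsftpd_set ssl_tlsv1_1 NO
_vsftpd_set ssl_tlsv1_2 YES
# require_ssl_reuse=YES is stricter, but several clients (FileZilla among
# them) do not reuse the session and fail data transfers; set NO if that bites.
_vsftpd_set require_ssl_reuse YES
_vsftpd_set ssl_ciphers HIGH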
| | | Problems have been reported with EPSV. The only way to disable EPSV mode in vsftpd appears to be to disallow the EPSV and EPRT commands, so that a client will recieve a «550 Permission Denied» response to any EPSV command and hopefully drop back to regular PASV. Unfortunately the «cmds_denied» blacklisting option was only introduced in vsftpd 2.1. We therefore have to take a whitelisting approach using the «cmds_allowed» option. The list below basicly includes everything except the commands needed for EPSV.
1sed -i -e "$ a cmds_allowed=ABOR,CWD,RMW,DELE,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RETR,RMD,RNFR,RNTO,SITE,SIZE,STOR,TYPE,USER,CDUP,HELP,MODE,NOOP,STAT,STOU,STRU" vsftpd.conf
USERLIST
1sed -i -e "$ a userlist_enable=YES" vsftpd.conf
userlist_deny
1sed -i -e "$ a userlist_deny=NO" vsftpd.conf
userlist_enable
1sed -i -e "$ a userlist_enable=YES" vsftpd.conf
userlist_file=/home/rootsu/vsftpd-virtual_user/vsftpd_user
1sed -i -e "$ a userlist_file=/home/rootsu/vsftpd-virtual_user/vsftpd_user" vsftpd.conf
user_config_dir=/
1sed -i -e "$ a user_config_dir=/home/rootsu/vsftpd-virtual_user/" vsftpd.conf
chown_uploads=YES
1sed -i -e "$ a chown_uploads=YES" vsftpd.conf
chown_username=nobody
1sed -i -e "$ a chown_username=nobody" vsftpd.conf
Запретить /etc/vsftpd.userlist вход в список пользователей
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.user_list
set it to YES to turn on TCP wappers
1sed -i -e "$ a tcp_wrappers=YES" vsftpd.conf
set maximum allowed connections per single IP address (0 = no limits)
1sed -i -e "$ a max_per_ip=10" vsftpd.conf
Enable the userlist
1sed -i -e "$ a userlist_enable=YES" vsftpd.conf
Allow the local users to login to the FTP (if they’re in the userlist)
1sed -i -e "$ a local_enable=YES" vsftpd.conf
Allow virtual users to use the same privileges as local users
1sed -i -e "$ a virtual_use_local_privs=YES" vsftpd.conf
Allow virtual users to use the same privileges as local users
sed -i -e «$ a pam_service_name=vsftpd» vsftpd.conf
FTP port 21
1sed -i -e "$ a listen_port=21" vsftpd.conf
PAM SHell off
1cd /etc/pam.d/
2sed -i -e "s/auth required pam_shells.so.*$\|#auth required pam_shells.so.*$/#auth required pam_shells.so/g" vsftpd
echo -e «RUnRussianSaratovn$HOSTNAME Ltd.nnadminnn» | openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt
bag 500 OOPS: priv_sock_get_int.
echo „seccomp_sandbox=NO“ >> /etc/vsftpd/vsftpd.conf
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:4095 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
1echo -e "RU\nRussia\nSaratov\n$HOSTNAME Ltd.\nWSB-IOT-Embedded\nadmin\nfar1803@ya.ru\n" | openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt
2
3chmod 770 /home/rootsu/vsftpd-virtual_user
4chmod 770 /home/rootsu/vsftpd.chroot_list
5chmod 750 -R /home/rootsu
List of FTP commands
ABOR - Abort an active file transfer.
ACCT - Account information.
ADAT - Authentication/Security Data (RFC 2228)
ALLO - Allocate sufficient disk space to receive a file.
APPE - Append.
AUTH - Authentication/Security Mechanism (RFC 2228)
CCC - Clear Command Channel (RFC 2228)
CDUP - Change to Parent Directory.
CONF - Confidentiality Protection Command (RFC 697)
CWD - Change working directory.
DELE - Delete file.
ENC - Privacy Protected Channel (RFC 2228)
EPRT - Specifies an extended address and port to which the server should connect. (RFC 2428)
EPSV - Enter extended passive mode. (RFC 2428)
FEAT - Get the feature list implemented by the server. (RFC 2389)
HELP - Returns usage documentation on a command if specified, else a general help document is returned.
LANG - Language Negotiation (RFC 2640)
LIST - Returns information of a file or directory if specified, else information of the current working directory is returned.
LPRT - Specifies a long address and port to which the server should connect. (RFC 1639)
LPSV - Enter long passive mode. (RFC 1639)
MDTM - Return the last-modified time of a specified file. (RFC 3659)
MIC - Integrity Protected Command (RFC 2228)
MKD - Make directory.
MLST - Lists the contents of a directory if a directory is named. (RFC 3659)
MODE - Sets the transfer mode (Stream, Block, or Compressed).
NLST - Returns a list of file names in a specified directory.
NOOP - No operation (dummy packet; used mostly on keepalives).
OPTS - Select options for a feature. (RFC 2389)
PASS - Authentication password.
PASV - Enter passive mode.
PBSZ - Protection Buffer Size (RFC 2228)
PORT - Specifies an address and port to which the server should connect.
PWD - Print working directory. Returns the current directory of the host.
QUIT - Disconnect.
REIN - Reinitializes the connection.
REST - Restart transfer from the specified point.
RETR - Retrieve (download) a remote file.
RMD - Remove a directory.
RNFR - Rename from.
RNTO - Rename to.
SITE - Sends site specific commands to remote server.
SIZE - Return the size of a file. (RFC 3659)
SMNT - Mount file structure.
STAT - Returns the current status.
STOR - Store (upload) a file.
STOU - Store file uniquely.
STRU - Set file transfer structure.
SYST - Return system type.
TYPE - Sets the transfer mode (ASCII/Binary).
USER - Authentication username.
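# Open the FTP control/data ports instead of flushing every iptables rule:
# the original ran `iptables -F` twice (the second time with a typographic
# dash, `–F`, which iptables rejects), and a flush also drops whatever
# rules protect the other services set up by this script.
if command -v ufw >/dev/null 2>&1; then
  ufw allow 20/tcp
  ufw allow 21/tcp
else
  iptables -I INPUT -p tcp --dport 21 -j ACCEPT
  iptables -I INPUT -p tcp --dport 20 -j ACCEPT
fi
systemctl restart vsftpd
systemctl enable vsftpd

# Copies of two accounts' ssh key material. NOTE(review): /media/admin is
# later granted to other users via ACLs in the SELinux section, so the
# copied private keys become readable to them; the copies are made
# owner-only here, but keeping them out of a shared tree is the safer option.
cp -Rf /home/admin/.ssh/ /media/admin/ssh
cp -Rf /home/tom/.ssh/ /media/admin/ssh2
chmod -R go-rwx /media/admin/ssh /media/admin/ssh2
chown -Rf admin:admins /media/admin/ /home/admin/

# Step marker. NOTE(review): steps.txt is resolved relative to the current
# directory, which the `cd` calls earlier in this section changed, so the
# marker may not land where the step checks read it from.
printf '%s\n' "9_user_settings" >> steps.txt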
7fi
rm /install/steps.txt
1
6.1.11. 01.11 Settings permissive SELinux
seinfo -t
1if [[ -z $(sed -n -e "s/^\(10_SELinux_settings\).*/\1/p" steps.txt) ]]; then
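# --- file contexts for the FTP/Samba user tree ---
semanage fcontext -a -s system_u "/home/rootsu(/.*)?"
semanage fcontext -a -t user_home_dir_t "/home/rootsu(/.*)?"
chcon -Rv -u system_u -t user_home_dir_t "/home/rootsu/"

semanage fcontext -a -t ftpd_etc_t "/home/rootsu/vsftpd-virtual_user"
chcon -Rv -t ftpd_etc_t "/home/rootsu/vsftpd-virtual_user"
semanage fcontext -a -t ftpd_etc_t "/home/rootsu/vsftpd.chroot_list(/.*)?"
chcon -Rv -t ftpd_etc_t "/home/rootsu/vsftpd.chroot_list"
semanage fcontext -a -t samba_etc_t "/home/rootsu/smbuser.conf"
chcon -Rv -t samba_etc_t "/home/rootsu/smbuser.conf"
semanage fcontext -a -t samba_etc_t "/home/rootsu/.smbusers"
chcon -Rv -t samba_etc_t "/home/rootsu/.smbusers"
semanage fcontext -a -u system_u "/home(/.*)?"
chcon -Rv -u system_u "/home/"
# (author's note, not applied: user_home_dir_t for /home/admin)

# --- shared media tree: label first, then ACLs; world access removed ---
chcon -Rv -t public_content_rw_t "/media/admin"
semanage fcontext -a -t public_content_rw_t "/media/admin(/.*)?"
setfacl -m u:admin:rwx,u:admin_share:rwx -R "/media/admin"
setfacl -m g:admins:rw -R "/media/admin"
chmod go-rwx -R "/media/admin"

semanage fcontext -a -t public_content_rw_t "/opt(/.*)?"
chcon -Rv -t public_content_rw_t "/opt/"
chmod o-rwx -R "/opt/SAMBA_SHARE/"
setfacl -m g:technics:rwx -R "/opt/SAMBA_SHARE/"
setfacl -m u:pub_share:rwx,u:admin_share:rwx -R "/opt/SAMBA_SHARE/"

# --- booleans (-P makes each persistent) ---
setsebool -P ssh_sysadm_login on
# (author's notes, not applied: allow_use_cifs, allow_use_nfs)
setsebool -P httpd_use_cifs on
setsebool -P allow_ftpd_use_nfs 1
setsebool -P allow_ftpd_use_cifs 1
setsebool -P ftpd_connect_db 1
setsebool -P ftp_home_dir on
# allow_ftpd_full_access lets the FTP daemon read and write the whole
# filesystem, which undoes most of the confinement the labels above add.
setsebool -P allow_ftpd_full_access on
setsebool -P ftpd_use_passive_mode on

# --- ports: non-default ssh port, smb, ftp ---
semanage port -a -t ssh_port_t -p tcp 4103
semanage port -a -t smbd_port_t -p tcp 445
semanage port -a -t ftp_port_t -p tcp 21

# local policy module expected in root's home directory
cd ~
semodule -i mountlocv1v2.pp

# Label every interface `ip addr` lists. The original re-ran `ip addr | sed`
# three times per interface and stopped at the first gap in the index
# sequence; the debug print of the first interface name is dropped.
COUNT=1
while IFS= read -r ifname; do
  semanage interface -a -t netif_t -r s0-s0:c0.c1023 "$ifname"
  ((COUNT++))
done < <(ip addr | sed -n -e 's/^[0-9]\+: \([^:]*\):.*<.*/\1/p')

# Marked "dangerous" in the author's notes: boot_t is made permissive so
# the Debian boot is not blocked by the policy. The `sshd_t` permissive
# line from the notes is NOT applied.
semanage permissive -a boot_t
# (author's notes, not applied: allow_execmem, allow_execheap,
#  allow_user_mysql_connect, samba_run_unconfined, use_samba_nfs_dirs,
#  nscd_use_shm — the first two weaken the W^X memory protection and
#  should only be enabled for a named reason.)

# --- cron / fcron ---
setsebool -P cron_can_relabel 1
setsebool -P fcron_crond 1
setsebool -P cron_userdomain_transition 1
setsebool -P cron_manage_all_user_content 1
setsebool -P cron_read_all_user_content 1
setsebool -P cron_read_generic_user_content 1
setsebool -P allow_mount_anyfile 1
setsebool -P webadm_manage_user_files 1
setsebool -P webadm_read_user_files 1

# --- samba / nfs / virt ---
setsebool -P samba_export_all_ro 1
setsebool -P samba_export_all_rw 1
setsebool -P dhcpc_manage_samba 1
setsebool -P samba_create_home_dirs 1
setsebool -P samba_enable_home_dirs 1
setsebool -P samba_share_fusefs 1
setsebool -P samba_share_nfs 1
setsebool -P use_samba_home_dirs 1
setsebool -P virt_use_samba 1
setsebool -P virt_use_nfs 1
setsebool -P samba_portmapper 1
setsebool -P systemd_tmpfiles_manage_all 1
setsebool -P cron_manage_generic_user_content 1
setsebool -P use_nfs_home_dirs 1

# --- sudo / git ---
setsebool -P sudo_all_tcp_connect_http_port 1
setsebool -P git_cgi_enable_homedirs 1
setsebool -P git_cgi_use_cifs 1
setsebool -P git_cgi_use_nfs 1
setsebool -P git_session_bind_all_unreserved_ports 1
setsebool -P git_session_send_syslog_msg 1
setsebool -P git_session_users 1
setsebool -P git_system_enable_homedirs 1
setsebool -P git_system_use_cifs 1
setsebool -P git_system_use_nfs 1

systemctl enable mcstrans
systemctl start mcstrans
# listed twice in the original; once is enough
systemctl reenable fstrim.timer
systemctl start fstrim.service
systemctl start fstrim.timer
# (author's note at this point: setenforce 0 — not applied by the script)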
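cd /etc/selinux
# (author's note: systemctl disable auditd — not applied)
# Enforcing mode from the next boot; only real SELINUX= lines are rewritten
# (the original pattern was unanchored and also matched commented examples).
sed -i -e "s/^SELINUX=permissive\|^SELINUX=default/SELINUX=enforcing/g" /etc/selinux/config

#######################################
# Rewrite /etc/sudoers through a validated temporary copy: a syntax error
# in sudoers disables sudo entirely, so the edit is only installed after
# `visudo -c` accepts it. Patterns are anchored to the start of the line —
# the original `s/admin.*$/…/` also rewrote the `%admins` line and any
# comment that mentioned "admin". Note that all three entries grant
# NOPASSWD:ALL, i.e. unrestricted root without re-authentication.
#######################################
sudoers_tmp=$(mktemp) || exit 1
cp /etc/sudoers "$sudoers_tmp"
sed -i \
  -e 's/^%sudo[[:space:]].*$/%sudo ALL=(root) ROLE=sysadm_r NOPASSWD:ALL/' \
  -e 's/^%admins[[:space:]].*$/%admins ALL=(root) NOPASSWD:ALL/' \
  -e 's/^admin[[:space:]].*$/admin ALL=(root) NOPASSWD:ALL/' \
  "$sudoers_tmp"
if visudo -c -f "$sudoers_tmp" >/dev/null; then
  install -m 0440 -o root -g root "$sudoers_tmp" /etc/sudoers
else
  printf 'sudoers edit failed validation; /etc/sudoers left unchanged\n' >&2
fi
rm -f -- "$sudoers_tmp"

# PAM for sshd: `1 a` inserts after the first line, as in the original; the
# appends are guarded so a re-run does not add the lines again. The
# original's trailing `>> /etc/pam.d/sshd` redirects were no-ops (sed -i
# prints nothing) and are dropped.
sed -i -e '1 a session required pam_selinux.so close' /etc/pam.d/sshd
grep -qF 'pam_selinux.so multiple open' /etc/pam.d/sshd \
  || sed -i -e '$a session required pam_selinux.so multiple open' /etc/pam.d/sshd
grep -qF 'session required pam_access.so' /etc/pam.d/sshd \
  || sed -i -e '$a session required pam_access.so' /etc/pam.d/sshd

# Audits every open() syscall of every logged-in user — very high volume;
# scope it (e.g. to a path or a key) if the log becomes unmanageable.
grep -qF -- '-a exit,always -S open -F auid>=0' /etc/audit/audit.rules \
  || sed -i -e '$a -a exit,always -S open -F auid>=0' /etc/audit/audit.rules

chmod o-x "/etc/systemd/system.conf"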
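# (author's notes, not applied: rm /install/pii2.sh /etc/init.d/ and
#  update-rc.d -f pii2.sh remove; chmod o-rw -R /etc, o-rwx /var /sys
#  /proc, o-rw /dev and the o+r re-grants for /etc/passwd etc. — stripping
#  world access from /etc or /dev breaks ordinary user sessions.)

# --- remove "other" access from system trees ---
chmod o-rwx -R "/boot/"
chmod o-rwx -R "/srv/"
chmod o-rwx -R "/mnt/"
semanage fcontext -a -t tmp_t "/tmp(/.*)?"
chcon -t tmp_t -R "/tmp"
# The original ran `chmod o-rwx -R /tmp/`, which turns /tmp (normally 1777)
# into 1770 and leaves unprivileged processes unable to create temporary
# files; per-user privacy there is already provided by the sticky bit, so
# that chmod is dropped.
chmod o-rwx "/media/"
semanage fcontext -a -t system_cron_spool_t "/var/spool/cron(/.*)?"
chcon -t system_cron_spool_t -Rv /var/spool/cron/

chmod o-r -R "/home/"
chmod o-x -R "/home/rootsu" "/home/admin/"

# Webmin apt source. The original echo wrote backslashes into the URL
# ("https:\\download.webmin.com\download\repository"), which apt reports
# as a malformed entry. The entry is bound to the keyring the Webmin
# section imports (/usr/share/keyrings/jcameron-key.gpg) so apt verifies
# the repository signature; run apt-get update only after that import.
# Guarded so a re-run does not duplicate the line.
webmin_src='deb [signed-by=/usr/share/keyrings/jcameron-key.gpg] https://download.webmin.com/download/repository sarge contrib'
grep -qF -- "$webmin_src" /etc/apt/sources.list \
  || printf '%s\n' "$webmin_src" >> /etc/apt/sources.list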
nvidia-uninstall
# Local policy packages (.pp) are expected in root's home directory; they
# are built with audit2allow/checkmodule/semodule_package as shown in the
# notes around this block.
cd ~
for policy_pkg in \
    loaderlocalv1 loaderlocalv2 loaderlocalv3 loaderlocalv4 \
    sudotev1 sudotev2 sudotev3 sudotev4 sudotev5 sudotevb1 sudotevb2 \
    sudotev70522v21 sudotevcrondv1 sphinxtev1 nodegcc_app1; do
  semodule -i "${policy_pkg}.pp"
done

# Domains put into permissive mode. boot_t was already made permissive
# earlier in this section, so this second `-a` may be reported as already
# defined; the generated permissive_boot_t module is then disabled again.
for permissive_dom in boot_t crond_t crontab_t system_crontab_t; do
  semanage permissive -a "$permissive_dom"
done
semanage module -d permissive_boot_t

# SELinux user/login mappings: admin accounts and the admins group get
# sysadm_u with the full MCS range, %sudo is unconfined, tom is a plain user.
semanage user -m -R "system_r sysadm_r staff_r" -r "s0-s0:c0.c1023" sysadm_u
for admin_login in admin admin_tech %admins; do
  semanage login -a -s sysadm_u -r "s0-s0:c0.c1023" "$admin_login"
done
semanage login -a -s unconfined_u -r "s0-s0:c0.c1023" %sudo
semanage login -a -s user_u tom
touch log.log
journalctl -xe >> log.log
grep AVC log.log | audit2allow -m sudotev1 > sudotev1.te
checkmodule -M -m -o sudotev1.mod sudotev1.te
semodule_package -o sudotev1.pp -m sudotev1.mod
1
semodule -i sudotev1.pp
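update-initramfs -k all -u
update-grub

apt-get install -y apt-transport-https
apt-get install -y perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python unzip

# Webmin signing key, dearmored into a dedicated keyring.
cd /root
wget https://download.webmin.com/jcameron-key.asc
gpg --dearmor < jcameron-key.asc > /usr/share/keyrings/jcameron-key.gpg

cd /install/
# The .deb is fetched over HTTPS (the original used plain HTTP) and, when
# WEBMIN_DEB_SHA256 is set, checked before dpkg installs it. Nothing on
# this path verifies a signature, so a digest mismatch skips the install.
# WEBMIN_DEB_SHA256=<expected sha256 of the .deb, from the upstream release>
webmin_deb=webmin_1.991_all.deb
wget "https://prdownloads.sourceforge.net/webadmin/${webmin_deb}"
webmin_ok=1
if [[ -n ${WEBMIN_DEB_SHA256:-} ]]; then
  printf '%s  %s\n' "$WEBMIN_DEB_SHA256" "$webmin_deb" | sha256sum -c - || webmin_ok=0
else
  printf 'warning: WEBMIN_DEB_SHA256 not set; %s is installed unverified\n' "$webmin_deb" >&2
fi
if (( webmin_ok )); then
  dpkg --install "$webmin_deb"
else
  printf 'checksum mismatch for %s; not installed\n' "$webmin_deb" >&2
fi

mkdir -p /var/webmin/.webmin
chmod 755 /var/webmin/.webmin
semanage fcontext -a -t tmp_t "/var/webmin/.webmin"
chcon -Rv -t tmp_t "/var/webmin/.webmin"
# (author's notes, not applied: apt-get update / apt-get install webmin —
#  installing from the signed repository would let apt verify the package.)
semanage port -a -t http_port_t -p tcp 10000
semanage port -a -t http_port_t -p tcp 20000

systemctl enable webmin
# The original `cp -Rf /install/etc/webmin/etc/` had no destination
# operand (missing space), so the prepared config was never copied.
cp -Rf /install/etc/webmin /etc/
systemctl start webmin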
6.1.12. 01.12 Optional soft
sudo chmod o-rwx -R «/etc/»;
sudo chmod o-rwx -R «/boot/»;
sudo chmod o-rwx -R «/var/»;
sudo chmod o+rwx «/sys/»;
sudo chmod o+rwx -R «/srv/»;
sudo chmod o+rwx -R «/mnt/»;
sudo chmod o+rwx «/proc/»;
sudo chmod o+rwx -R «/tmp/»;
sudo chmod o+rwx «/media/»;
sudo chmod o+rwx «/dev/»;
chmod o+rx «/etc/profile»;
chmod o+rx «/etc/bash.bashrc»;
chmod o+rx «/etc/nanorc»;
chmod o+rx «/etc/passwd»;
apt-get update
Install transmission &amp; transmission GUI
Is it necessary to install this?
https://github.com/transmission/transmission/blob/main/docs/Building-Transmission.md| building-from-a-tarball
sudo nano /etc/init.d/transmission-daemon
sudo nano /etc/init/transmission-daemon.conf
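# ---- transmission (daemon + cli) ----
apt-get install -y transmission
apt-get install -y transmission-cli transmission-common transmission-daemon
systemctl enable transmission-daemon.service

# Download / upload / watch directories under the Samba share. The original
# created them with mode 777; world access is not needed because the ACLs
# below grant the intended users and groups explicitly, and the SELinux
# section already strips "other" access from /opt/SAMBA_SHARE.
for share_dir in bittorrent_download_store bittorrent_upload bittorrent_watch; do
  mkdir -p -m 770 "/opt/SAMBA_SHARE/${share_dir}"
  chown debian-transmission:debian-transmission "/opt/SAMBA_SHARE/${share_dir}"
done
chown debian-transmission:debian-transmission /opt/SAMBA_SHARE/torrents
setfacl -m u:admin_share:rwx,u:admin:rwx,u:pub_share:rwx,g:admins:rw,g:technics:rw -R "/opt/"
# (author's notes, not applied: gpasswd –add pub_share/admin_share debian-transmission)
# NOTE(review): usermod -aG takes a user name; "admins" is used as a group
# elsewhere in this script, so this line only works if a user of that
# name exists — verify.
usermod -aG debian-transmission admins
usermod -aG debian-transmission admin_share

# Separate config directory for the daemon.
config_dir=/opt/.transmission_config
cp -R /etc/transmission-daemon/ "$config_dir"
chown admin_share:technics -R "$config_dir"
chmod -R 775 "$config_dir"
# CONFIG_DIR is a directory (the daemon's --config-dir); the original wrote
# the settings.json path here. NOTE(review): /etc/default/transmission-daemon
# appears to be read only by the SysV init script, not by the systemd unit
# — verify that the value takes effect.
sed -i -e "s|^CONFIG_DIR=.*\$|CONFIG_DIR=\"${config_dir}\"|" /etc/default/transmission-daemon
semanage port -a -t http_port_t -p tcp 9091

# The daemon rewrites settings.json on shutdown, so stop it before editing.
service transmission-daemon stop
settings=/var/lib/transmission-daemon/info/settings.json

#######################################
# Rewrite one "key": value line in settings.json (leading whitespace kept).
# One helper replaces the five near-identical sed lines of the original.
# Arguments: $1 - JSON key, $2 - string value
#######################################
transmission_set() {
  local key=$1 value=$2
  # escape what is special in a sed replacement: \, & and the | delimiter
  value=${value//\\/\\\\}
  value=${value//&/\\&}
  value=${value//\|/\\|}
  sed -i -e "s|^\([[:space:]]*\"${key}\"\):.*\$|\1: \"${value}\",|" "$settings"
}

# 192.168.*.* admits every host on any 192.168/16 network; narrow it to
# the actual management subnet where possible.
transmission_set rpc-whitelist '127.0.0.1,192.168.*.*'
transmission_set rpc-username pub_share
# The published script wrote a redacted literal ("********") as the RPC
# password. Take the real value from the environment; with `set -x`
# active the value is echoed to the trace, so run this with tracing off.
if [[ -n ${TRANSMISSION_RPC_PASSWORD:-} ]]; then
  transmission_set rpc-password "$TRANSMISSION_RPC_PASSWORD"
else
  printf 'TRANSMISSION_RPC_PASSWORD not set; rpc-password left unchanged\n' >&2
fi
transmission_set download-dir /opt/SAMBA_SHARE/torrents
transmission_set incomplete-dir /opt/SAMBA_SHARE/bittorrent_download_store
transmission_set watch-dir /opt/SAMBA_SHARE/bittorrent_watch
# (author's notes, not applied: "watch-dir-enabled": true, usermod -a -G
#  debian-transmission technics, service transmission-daemon reload)
service transmission-daemon start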
# Persist the detected RAID arrays into mdadm.conf (tee keeps the scan
# output visible on stdout) and rebuild the initramfs so they assemble at boot.
mdadm --detail --scan | tee -a /etc/mdadm/mdadm.conf
update-initramfs -u
echo „/dev/md0 /mnt/sde1 ext4 defaults,nofail,discard 1 0“ | tee -a /etc/fstab
1
dpkg –configure -a
apt-get dist-upgrade
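# The original piped `echo -e "\y\n"` into apt-get: `\y` is not an escape,
# so apt-get received "\y" rather than "y".
apt-get install -y libpcap-dev
apt-get install -y sendmail

#######################################
# Build and install fcron 3.2.1 from the upstream tarball, which comes
# over plain HTTP and is compiled and installed as root. When FCRON_SHA256
# is set (FCRON_SHA256=<expected sha256 from the upstream release>) the
# tarball is verified first; otherwise the fact that it was not is logged.
# Returns: 0 on success, 1 when a step fails (later steps are skipped
# instead of running against a half-extracted tree).
#######################################
install_fcron() {
  local tarball=fcron-3.2.1.src.tar.gz
  cd ~ || return 1
  wget "http://fcron.free.fr/archives/${tarball}" || return 1
  if [[ -n ${FCRON_SHA256:-} ]]; then
    printf '%s  %s\n' "$FCRON_SHA256" "$tarball" | sha256sum -c - || return 1
  else
    printf 'warning: FCRON_SHA256 not set; %s is installed unverified\n' "$tarball" >&2
  fi
  tar -xvf "$tarball" || return 1
  # subshell keeps the working directory at ~, like the original's `cd ..`
  ( cd fcron-3.2.1 && ./configure && make install ) || return 1
  rm -Rf fcron-3.2.1
  cp -Rf /install/spool/ /usr/local/var/spool/
  cp -Rf /install/usr/local/ /usr/local/

  systemctl enable fcron
  systemctl start fcron
}
install_fcron || printf 'fcron installation failed\n' >&2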
echo -e «yn» | apt-get search gccgo-go
echo -e «yn» | apt-get install gccgo-go
echo -e «yn» | apt-get install golang-go
git clone https://github.com/dshearer/jobber.git
cd jobber
git checkout v1.4.4
make install
cd ..
rm -Rf jobber
echo -e «yn» | apt-get -f install
1echo -e "y\n" | apt-get autoremove
Display manager: gdm3 sddm
GDM KDM LightDM LXDM МДМ SLIM XDM
sudo systemctl disable mdm.service
sudo systemctl enable sddm.service
kde-full
sudo tasksel install kde-desktop
1setenforce 1
2echo -e "10_SELinux_settings" >> steps.txt
3fi
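printf 'Press ESC key to quit\n'
# Wait for ESC only when a terminal is attached: in an automated run stdin
# is not a tty and there is nobody to press a key. `-s` keeps the typed
# character off the screen.
if [[ -t 0 ]]; then
  while IFS= read -r -s -n1 key; do
    [[ $key == $'\e' ]] && break
  done
fi
set +x
ls -la
exit 0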