#!/usr/bin/bash
#######################################################################
#Script Name: pdns_master_deb.sh
#Version: 1.6
#Description: Install for PowerDNS on Debian
#Last Modify Date: 09242021
#Author:Brent Dacus
#Email:brent[at]thedacus[dot]net
#######################################################################
# Menu-driven provisioning script for a PowerDNS master on Debian 11/12.
# It must run as root: every menu entry mutates the host (apt-get,
# /etc/hosts, sshd_config, /etc/fstab, MariaDB config) and several
# entries download scripts or config files from remote hosts and use
# them as-is.
#
# NOTE(review): this copy was recovered from a whitespace-mangled page.
# The line structure below is reconstructed (tokens unchanged) and the
# text is truncated in two places, marked "extraction gap". No strict
# mode (set -e / pipefail) is in effect, so a failed download or apt-get
# run does not stop the steps that follow it.
#######################################################################
# Banner #
#######################################################################
export COLUMNS=100
# Prints the ASCII-art banner. The art's line breaks were lost in
# extraction, so the first heredoc body is kept as one line. Nothing in
# the visible text calls this function.
nssetupdeb_banner() {
  cat <<"eot"
ad8888ba d8" "8b ,aiiiiia, ,d nnd8888bn Y8, 6' " 88 ns 'we `Y8aaaaa, `8aaaa, ,adPPYba, MM88MMM 88 88 8b,dPPYba, ns we `"""""8b, `"8b, a8P_____88 88 88 88 88P' "8a ns we `8b `8b 8PP""""""" 88 88 88 88 d8 ns we '8a a8P Y8a a8P "8b, ,aa 88, "8a, ,a88 88b, ,a8" ns we "Y88888P" `"YbbdP' `"Ybbd8"' "Y888 `"YbbdP'Y8 88`YbbdP"' 88 88
eot
  cat <<"eot"
MASTER DNS SERVER
eot
  cat <<"eot"
Author: Brent Dacus
eot
}
#######################################################################
# Variables #
#######################################################################
# Host identity captured once at start-up. creathostname() reassigns
# serverip/serverip6/servername and addhosts() unsets serverip and
# servername, so later menu entries see whatever ran before them.
cur_hostname="$(hostname)"
serverip="$(hostname -I | awk '{print $1}')"
# NOTE(review): `hostname -I` prints every configured address; field 2
# is just the second one, not necessarily an IPv6 address — confirm.
serverip6="$(hostname -I | awk '{print $2}')"
servername="$(hostname -s)"
svrdomainname="$(hostname -d)"
hstdomainname=delainhosting.com
cpu_cores=1
# ---- extraction gap --------------------------------------------------
# The page is cut off inside the next assignment; everything from there
# to the tail of the do_setting() helper is missing. mem_total, builddir,
# aptargs, bshrc, myconf, limitsconf, sysctlconf and db_root_user are
# used below but defined nowhere in the visible text. Kept verbatim.
cpu_cores="$(grep >"${2}" fi if grep -q \\"${1}" "${2}"; then
    printf '%s exists.\n Skipping.\n' "${1}"
  else
    printf '%s does not exist\n' "$1"
    # Appends the setting ($1) to the file ($2) only when the grep above
    # found no match. The pattern is "\" + the raw setting text: that
    # makes a leading "[" literal for section headers, but for other
    # settings it is a stray backslash whose effect depends on the grep
    # version — confirm against the missing head of this function.
    echo "${1}" >>"${2}"
  fi
}
# Asks whether to reboot now. Default answer is "n".
doreboot() {
  printf "Need to reboot? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case $yn in
  [Yy]*) reboot ;;
  [Nn]*) ;;
  esac
}
# Turns all swap off and back on. Not reachable from the menu in the
# visible text.
cycleswap() {
  printf "Cycling Swapfile.\n"
  swapoff -a
  sleep 10
  swapon -a
}
#######################################################################
# Add Admin User #
#######################################################################
# Installs a few tools, appends shell aliases to $bshrc, and seeds
# /root/.bashrc once (the word "doserver" is the already-done marker).
# Despite the name, no user account is created in the visible text.
addadminuser() {
  printf "Installing Standard packages.\n"
  printf "Please Wait.\n"
  # ${aptargs} is left unquoted on purpose so it can carry several flags.
  apt-get install ${aptargs} git wget curl nano htop neovim bat >/dev/null
  bshrvals=("alias fbc='fail2ban-client status '" "export EDITOR='nano'")
  printf 'Adding values in to %s.\n Please wait.\n' "$bshrc"
  for bshrval in "${bshrvals[@]}"; do
    # The alias text is used as a grep regex, so this is a loose
    # "already present" check.
    if grep -q "$bshrval" ${bshrc}; then
      printf '%s exists.\n Skipping.\n' "$bshrval"
    else
      printf '%s does not exist\n' "$bshrval"
      printf '#added by DH.\n' >>${bshrc}
      printf '%s\n' "$bshrval" >>${bshrc}
    fi
  done
  if ! grep -q doserver /root/.bashrc; then
    printf 'Bash shell profile not set up. adding...\n'
    # Quoted delimiter: the body is written literally. The "doserver"
    # alias re-downloads this script and runs it with no integrity check
    # (no pinned checksum or signature), so whoever controls that URL, or
    # the path to it, controls what root executes on the next run.
    cat <<"eol" >>/root/.bashrc
export EDITOR='nano'
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias lh='history |grep '
alias search='find / -name '
alias doserver='curl -o pdns_master_deb.sh -L https://files.delaintech.com/dns/pdns_master_deb.sh && bash pdns_master_deb.sh'
alias fbc='fail2ban-client status '
alias cycle='systemctl restart '
alias status='systemctl is-active '
eol
    printf "Print Profile File.\n"
    cat /root/.bashrc
    printf "Done.\n"
  else
    printf "Profile already setup. See Below.\n"
    cat /root/.bashrc
  fi
}
#######################################################################
# Turn on IPV6 #
#######################################################################
# Drops the disable_ipv6 line from sysctl.conf, re-enables IPv6 on the
# running kernel and offers a reboot. Default answer is "n".
setipv6() {
  printf "Do we need to turn on IPV6? REBOOT REQUIRED (y/n)? "
  read -r yn
  yn=${yn:-n}
  case $yn in
  [Yy]*)
    sed -i "/net.ipv6.conf.all.disable_ipv6.*/d" /etc/sysctl.conf
    sysctl -q -p
    echo 0 >/proc/sys/net/ipv6/conf/all/disable_ipv6
    doreboot
    ;;
  [Nn]*) ;;
  esac
}
#######################################################################
# Set Timezone #
#######################################################################
# Prompts for a timezone (default America/Chicago) and applies it.
settimezone() {
  printf "What TimeZone are you in? [America/Chicago]: "
  read -r tmzone
  tmzone=${tmzone:-America/Chicago}
  # NOTE(review): the check looks for the literal default, not "$tmzone",
  # so a host already on America/Chicago skips the change even when the
  # user typed a different zone — looks like a bug, confirm.
  if timedatectl | grep -q "America/Chicago"; then
    printf "%s found\n" "$tmzone"
  else
    timedatectl set-timezone "$tmzone"
    timedatectl set-local-rtc 0
    printf "We set timezone as:\n"
    timedatectl
    printf "Done.\n"
  fi
}
#######################################################################
# Add Hosts file #
#######################################################################
# Appends the fixed delainhosting.com entries to /etc/hosts unless the
# domain already appears there.
creathostfile() {
  # does the Host already exist?
  # ${hstdomainname} is unquoted and used as a regex ("." matches any
  # character), so this is a loose presence check.
  if ! grep -q ${hstdomainname} /etc/hosts; then
    printf 'Hostfile not found. adding...\n'
    cat <<"eol" >>/etc/hosts
209.126.81.64 apollo.delainhosting.com apollo
209.145.52.110 athena.delainhosting.com athena
144.91.108.77 thor.delainhosting.com thor
154.12.224.183 saturn.delainhosting.com saturn
eol
    printf "Print Host File.\n"
    cat /etc/hosts
    printf "Done.\n"
  else
    printf "Hostfile exsits.\nSee Below.\n"
    cat /etc/hosts
  fi
}
#######################################################################
# Set Server Hostname #
#######################################################################
# Optionally enables IPv6, then renames the host and appends its
# addresses to /etc/hosts.
creathostname() {
  setipv6
  # does the Host already exist?
  unset new_hostname
  printf "Please enter a Hostname to add: "
  read -r new_hostname
  # User input is used directly as a grep regex; an empty answer matches
  # every line and takes the "exists" branch.
  if ! grep -q "$new_hostname" /etc/hosts; then
    printf 'Hostname not found. adding...\n'
    printf "Changing hostname %s from to %s...\n" "$cur_hostname" "$new_hostname"
    hostnamectl set-hostname "$new_hostname"
    # Refresh the globals that later menu entries read.
    serverip="$(hostname -I | awk '{print $1}')"
    serverip6="$(hostname -I | awk '{print $2}')"
    servername="$(hostname -s)"
    echo "${serverip} ${new_hostname} ${servername}" >>/etc/hosts
    # Written unconditionally: on a host with a single address this
    # appends a line whose IP field is empty.
    echo "${serverip6} ${new_hostname} ${servername}" >>/etc/hosts
    printf "Print Host File.\n"
    cat /etc/hosts
    printf "\nDone.\n"
  else
    printf "Hostname exsits.\nAll good.\n"
  fi
}
#######################################################################
# Remove Hostnames #
#######################################################################
# Deletes every /etc/hosts line matching the user's input, keeping a
# .bkp copy, then offers to repeat by calling itself.
removehosts() {
  printf "Here is the Host file.\n"
  cat /etc/hosts
  printf "\nWhat is the server name or ip to remove? "
  # The variable shares its name with this function; bash keeps the two
  # namespaces apart, but it reads confusingly.
  read -r removehosts
  # NOTE(review): the answer is spliced unquoted into the sed script as a
  # regex: "." matches any character (so "10.0.0.1" also removes
  # 10.0.0.10 and 110.0.0.1), and a "/" or whitespace in the answer
  # changes how sed parses the command. Quote and escape it, or filter
  # with grep -F -x -v into a temp file instead.
  sed -i.bkp '/'$removehosts'/d ' /etc/hosts
  printf "Print Host.\n"
  cat /etc/hosts
  printf "\nDone.\n"
  while true; do
    printf "Continue removing? (y/n)?"
    read -r yn
    yn=${yn:-n}
    case $yn in
    [Yy]*)
      removehosts
      break
      ;;
    [Nn]*) break ;;
    esac
  done
}
#######################################################################
# Add External Hosts #
#######################################################################
# Reads "IP FQDN hostname" and appends it to /etc/hosts.
# Not reachable from the menu in the visible text: menu option 5 and the
# "continue" branch below both call creathostentry, which is not defined
# anywhere in the visible text.
addhosts() {
  # does the Host already exist?
  # Clobbers the script-wide serverip/servername globals that installf2b
  # and confmysql read later.
  unset serverip add_hostname servername
  printf "Enter Hostname to add:[ IP FDQN Hostname ]: "
  read -r serverip add_hostname servername
  # Input used as a grep regex (same caveat as in creathostname).
  if ! grep -q "$add_hostname" /etc/hosts; then
    printf 'Hostname not found. adding...\n'
    echo "${serverip} ${add_hostname} ${servername}" | tee -a /etc/hosts
    printf "Print Host File.\n"
    cat /etc/hosts
    printf "Done.\n"
  else
    printf "Hostname exsits.\nAll good.\n"
  fi
  while true; do
    printf "Continue adding? (y/n)?"
    read -r yn
    yn=${yn:-n}
    case $yn in
    [Yy]*)
      creathostentry
      break
      ;;
    [Nn]*) break ;;
    esac
  done
}
#######################################################################
# Add Swapfile #
#######################################################################
# Creates /swapfile of the requested size (default 2 GB) and registers
# it in /etc/fstab, unless fstab already mentions "swap".
creatswapfile() {
  printf 'Enter Swapfile size in GB: '
  read -r swapsize
  swapsize=${swapsize:-2}
  printf "You choose %s GB for swap.\n" "$swapsize"
  # does the swap file already exist?
  cp /etc/fstab /etc/fstab.bak
  # if not then create it
  # Any line containing "swap" (a comment, a swap partition) counts as
  # "found", so this is a loose check.
  if ! grep -q "swap" /etc/fstab; then
    printf 'Swap file not found.\nCreating Swap file.\n'
    fallocate -l "${swapsize}"G /swapfile
    # Restrict the file before it can hold swapped-out memory.
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    # No trailing newline: the next thing appended to fstab lands on the
    # same line as this entry.
    printf "/swapfile none swap defaults 0 0" | tee -a /etc/fstab
    printf "\nDone\nSwap should be active.\nIf not reboot.\n"
  else
    printf 'Swap file found.\nNo changes made.\n'
  fi
}
#######################################################################
# Update OS on Server #
#######################################################################
# Full apt cycle: autoremove, autoclean, update, upgrade, dist-upgrade.
serverupdate() {
  printf "Debian Cleaning and Updating.\n"
  apt-get ${aptargs} autoremove
  apt-get autoclean
  apt-get ${aptargs} update
  apt-get ${aptargs} upgrade
  apt-get ${aptargs} dist-upgrade
  printf "Done.\n"
}
#######################################################################
# Harden Server #
#######################################################################
# Optionally rewrites sshd_config (port, key-only auth, no root password
# login), stops rpcbind and firewalld if active, and offers to install
# CSF and Fail2Ban. Default answer to every prompt is "n".
hardenserver() {
  printf "Do we need to Secure sshd? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case $yn in
  [Yy]*)
    # First line matching "Port .*" — typically the commented "#Port 22"
    # line, which the first sed below replaces wholesale. The captured
    # text is reused unescaped as a sed pattern.
    cursshport="$(grep -m1 -E "Port .*" /etc/ssh/sshd_config)"
    printf "Enter SSH port to change to: "
    read -r sshport
    # Default port 14 is unusual — presumably a site convention, confirm.
    sshport=${sshport:-14}
    printf "Set to Port: %s\n" "$sshport"
    printf "Securing the server, please wait...\n"
    sed -i -e "s/$cursshport/Port ${sshport}/g" /etc/ssh/sshd_config
    sed -i -e 's/.*UseDNS .*/UseDNS no/g' /etc/ssh/sshd_config
    sed -i -e 's/#AddressFamily any/AddressFamily inet/g' /etc/ssh/sshd_config
    sed -i -e 's/#LoginGraceTime 2m/LoginGraceTime 2m/g' /etc/ssh/sshd_config
    sed -i -e 's/#MaxAuthTries 6/MaxAuthTries 5/g' /etc/ssh/sshd_config
    sed -i -e 's/#MaxStartups 10:30:100/MaxStartups 10:30:100/g' /etc/ssh/sshd_config
    sed -i -e 's/.*PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
    # Key-only authentication from here on. Nothing in the visible text
    # installs an authorized key first, so confirm a key-based session
    # works (and that the new port is open in the firewall) before the
    # restart below, or the operator is locked out.
    sed -i -e 's/.*PasswordAuthentication .*/PasswordAuthentication no/g' /etc/ssh/sshd_config
    sed -i -e 's/#ClientAliveInterval .*/ClientAliveInterval 120/g' /etc/ssh/sshd_config
    sed -i -e 's/#ClientAliveCountMax .*/ClientAliveCountMax 15/g' /etc/ssh/sshd_config
    sed -i -e 's/.*UseBlacklist no/UseBlacklist yes/g' /etc/ssh/sshd_config
    # No `sshd -t` before the restart: a bad edit leaves sshd down.
    systemctl restart sshd
    ;;
  [Nn]*) ;;
  esac
  if [[ $(systemctl is-active rpcbind) = active ]]; then
    printf "rpcbind found.\nRemoving.\n"
    systemctl stop rpcbind
    systemctl disable rpcbind
    printf "Removal complete.\n"
  else
    printf "RPCbind not found.\nNo changes made.\n"
  fi
  if [[ $(systemctl is-active firewalld) = active ]]; then
    printf "Firewalld found.\nRemoving.\n"
    # NOTE(review): `unmask --now` starts the unit; "mask --now" (stop it
    # and prevent starts) looks like the intent here — confirm.
    systemctl unmask --now firewalld
    systemctl disable firewalld
    apt-get ${aptargs} remove firewalld
    printf "Removal complete.\n"
  else
    printf "Firewalld not found.\nNo changes made.\n"
  fi
  printf "Do we need to install CSF? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case $yn in
  [Yy]*) installfirewall ;;
  [Nn]*) ;;
  esac
  printf "Do we need to install Fail2Ban? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case $yn in
  [Yy]*) installf2b ;;
  [Nn]*) ;;
  esac
}
#######################################################################
# Install Firewall #
#######################################################################
# Installs CSF prerequisites, then downloads and runs the vendor's CSF
# install script.
installfirewall() {
  apt-get install ${aptargs} iptables inotify-tools ipset jq libwww-perl libcrypt-ssleay-perl libnet-http-perl libio-socket-ssl-perl ca-certificates
  printf "Securing the server, please wait...\n"
  # Remote script executed as root with no integrity check (no pinned
  # checksum or signature) and left in the current directory afterwards.
  # Verify a known digest of the download before running it.
  curl -o vm-csf-install.sh -L https://files.delaintech.com/vm-csf-install.sh && bash vm-csf-install.sh
}
#######################################################################
# Install Fail2Ban #
#######################################################################
# Installs Fail2Ban if it is not already active, then (in both cases)
# pulls jail/filter/action files from files.delaintech.com into
# /etc/fail2ban and restarts the service.
# NOTE(review): the two branches are near-duplicates; the install branch
# fetches neither the logrotate file nor proftpd-anon.conf that the
# update branch fetches — confirm whether that is intended.
installf2b() {
  if [[ $(systemctl is-active fail2ban) = active ]]; then
    printf "Fail2Ban already Installed.\nUpdating configuration.\n"
    # 1296000 s = 15 days of ban history kept in the fail2ban database.
    sed -i -e "s|dbpurgeage = .*|dbpurgeage = 1296000|g" /etc/fail2ban/fail2ban.conf
    # Config fetched over HTTPS but not checksum-verified; these files
    # decide what gets banned and which action scripts fail2ban runs.
    wget -rnH --cut-dirs=3 https://files.delaintech.com/f2b/vm/dns/jail.local -P /etc/fail2ban/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/fail2ban -P /etc/logrotate.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/paths-overrides.local -P /etc/fail2ban/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/abuseipdb.conf -P /etc/fail2ban/action.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/csf-ip-deny.conf -P /etc/fail2ban/action.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/wordpress.conf -P /etc/fail2ban/filter.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/wordpress-xmlrpc.conf -P /etc/fail2ban/filter.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/proftpd-anon.conf -P /etc/fail2ban/filter.d/
    sed -i -e "s|comment=Fail2ban Reports Abuse.|comment=Fail2ban at $servername Reports Abuse.|g" /etc/fail2ban/action.d/abuseipdb.conf
    rm -f /etc/fail2ban/jail.d/00-firewalld.conf
    systemctl restart fail2ban
    systemctl is-active fail2ban
  else
    printf "Fail2Ban Installing.\n"
    apt-get install ${aptargs} fail2ban iptables geoip-bin geoip-database python3-pyinotify
    systemctl enable fail2ban
    systemctl start fail2ban
    sed -i -e "s|dbpurgeage = .*|dbpurgeage = 1296000|g" /etc/fail2ban/fail2ban.conf
    wget -rnH --cut-dirs=3 https://files.delaintech.com/f2b/vm/dns/jail.local -P /etc/fail2ban/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/paths-overrides.local -P /etc/fail2ban/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/abuseipdb.conf -P /etc/fail2ban/action.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/csf-ip-deny.conf -P /etc/fail2ban/action.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/wordpress.conf -P /etc/fail2ban/filter.d/
    wget -rnH --cut-dirs=2 https://files.delaintech.com/f2b/vm/wordpress-xmlrpc.conf -P /etc/fail2ban/filter.d/
    sed -i -e "s|comment=Fail2ban Reports Abuse.|comment=Fail2ban at $servername Reports Abuse.|g" /etc/fail2ban/action.d/abuseipdb.conf
    rm -f /etc/fail2ban/jail.d/00-firewalld.conf
    systemctl restart fail2ban
  fi
  # Same alias-append loop as in addadminuser, for the fbc alias only.
  bshrvals=("alias fbc='fail2ban-client status '")
  printf 'Adding values in to %s.\n Please wait.\n' "$bshrc"
  for bshrval in "${bshrvals[@]}"; do
    if grep -q "$bshrval" ${bshrc}; then
      printf '%s exists.\n Skipping.\n' "$bshrval"
    else
      printf '%s does not exist\n' "$bshrval"
      printf '#added by DH.\n' >>${bshrc}
      printf '%s\n' "$bshrval" >>${bshrc}
    fi
  done
}
#######################################################################
# Install Standard Packages #
#######################################################################
# Baseline tool set (rsync is listed twice; harmless).
installpreq() {
  apt-get install ${aptargs} wget sudo openssl screen nano curl zip unzip htop mysqltuner rsync pigz tuned pcregrep rsync doas
}
#######################################################################
# Install Maldetect #
#######################################################################
# Downloads and installs Linux Malware Detect from $builddir, then
# replaces its config with one from files.delaintech.com.
# Not reachable from the menu in the visible text.
installmaldetect() {
  cd $builddir || return
  wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
  tar -xzf maldetect-*.tar.gz
  rm -rf maldetect-*.tar.gz
  cd maldetect* || return
  # Vendor installer executed as root; the tarball is neither checksum-
  # nor signature-verified.
  sh install.sh
  wget https://files.delaintech.com/conf.maldet -O conf.maldet
  # Leading backslash bypasses any cp alias (.bashrc above sets cp='cp -i').
  \cp -f conf.maldet /usr/local/maldetect/
  maldet -u
}
#######################################################################
# Install Webmin #
#######################################################################
# Adds the Webmin apt repo via the upstream helper script, then installs
# and enables webmin.
installwebmin() {
  echo "Installing Webmin."
  if [ -f /usr/bin/webmin ]; then
    echo "Webmin is installed Skipping."
  else
    # Fetches the script at the head of "master" (unpinned) and runs it
    # as root without verifying a checksum; pin a release and verify.
    curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
    sh setup-repos.sh
    apt-get install ${aptargs} webmin libdbd-mysql-perl
    systemctl enable webmin
    systemctl start webmin
  fi
}
#######################################################################
# Install Mysqltuner #
#######################################################################
# Drops mysqltuner and its data files straight into /usr/bin.
# Not reachable from the menu in the visible text.
installmysqltuner() {
  cd /usr/bin || exit
  # NOTE(review): plain http:// download of a script that is then made
  # executable in /usr/bin — an on-path attacker can substitute it.
  # Use https and verify a known checksum.
  wget http://mysqltuner.pl/ -O mysqltuner
  wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/basic_passwords.txt -O basic_passwords.txt
  wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/vulnerabilities.csv -O vulnerabilities.csv
  chmod +x mysqltuner
}
#######################################################################
# Configure MariaDB #
#######################################################################
# Installs mariadb-server unless /etc/my.cnf exists, runs the interactive
# mysql_secure_installation, then always calls confmysql.
installmariadb() {
  echo "Installing MariaDB 10.6 server."
  # NOTE(review): confmysql edits /etc/mysql/my.cnf, a different path from
  # the one tested here, so this check may never detect an existing
  # install — confirm.
  if [ -f /etc/my.cnf ]; then
    echo "Mysql is installed Skipping."
  else
    apt-get install ${aptargs} mariadb-server
    systemctl enable mariadb
    systemctl start mariadb
    mysql_secure_installation
    # Copies a credential file; whether it exists depends on the install
    # — presumably written by the package, confirm. Keep it root-only.
    cp /root/.mysql_secret /root/.mysql_secret.bkp
    echo "Done."
  fi
  confmysql
}
#######################################################################
# Configure MariaDB #
#######################################################################
# Rebuilds $myconf from scratch with sizing derived from $mem_total, sets
# ulimits and swappiness, then downloads and imports the PowerDNS schema.
# Default answer is "n".
confmysql() {
  printf "Do we need to config Mariadb? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case $yn in
  [Yy]*)
    # Buffer pool = half of $mem_total, log file = a quarter of that;
    # both are suffixed with "G" below, so $mem_total is presumably in
    # GB — confirm (it is not defined in the visible text).
    bpsize=$(echo "$mem_total" | awk '{print $1 * .50}')
    bplsize=$(echo "$bpsize" | awk '{print $1 * .25}')
    mkdir -p /var/log/mysql/ || return
    chown mysql:mysql "/var/log/mysql"
    # NOTE(review): the file created here ends in ".com.err" while the
    # log_error setting below points at "...${svrdomainname}.err" — the
    # two paths differ, confirm which is intended.
    touch "/var/log/mysql/${servername}.${svrdomainname}.com.err"
    chown mysql:mysql "/var/log/mysql/${servername}.${svrdomainname}.com.err"
    # Unused in the visible text.
    dir="/etc"
    # Back up, then truncate $myconf and rebuild it line by line.
    cp "$myconf" "$myconf".bak
    >"$myconf"
    do_setting "[mysqld]" "$myconf"
    # local-infile=0 disables LOAD DATA LOCAL; bind-address keeps the
    # listener on loopback only.
    do_setting "local-infile=0" "$myconf"
    do_setting "log_error=/var/log/mysql/${servername}.${svrdomainname}.err" "$myconf"
    do_setting "performance_schema=ON" "$myconf"
    do_setting "bind-address = 127.0.0.1" "$myconf"
    do_setting "skip-name-resolve=1" "$myconf"
    do_setting "max_allowed_packet=64M" "$myconf"
    # "MB" suffix: MariaDB documents single-letter suffixes (K, M, G) —
    # confirm this value parses.
    do_setting "key_buffer_size=10MB" "$myconf"
    do_setting "innodb_file_per_table" "$myconf"
    do_setting "innodb_buffer_pool_size=${bpsize}G" "$myconf"
    do_setting "innodb_log_file_size=${bplsize}G" "$myconf"
    # Duplicate of the max_allowed_packet line above.
    do_setting "max_allowed_packet=64M" "$myconf"
    echo ' ' >> "$myconf"
    do_setting "[client]" "$myconf"
    do_setting "socket=/run/mysqld/mysqld.sock" "$myconf"
    # Comments out the socket line in the main my.cnf in favour of the
    # [client] entry just written.
    sed -i -e "s|socket = /run/mysqld/mysqld.sock.*|#socket = /run/mysqld/mysqld.sock|g" /etc/mysql/my.cnf
    do_setting "mysql soft nofile 65535" "$limitsconf"
    do_setting "mysql hard nofile 65535" "$limitsconf"
    do_setting "mysql soft core unlimited" "$limitsconf"
    do_setting "mysql hard core unlimited" "$limitsconf"
    do_setting "vm.swappiness = 1" "$sysctlconf"
    echo "Downloading and importing PDNS Database schema..."
    # Schema fetched without a checksum and fed to the database as root.
    wget https://files.delaintech.com/dns/mariadb_pdns.sql -O mariadb_pdns.sql
    # ---- extraction gap --------------------------------------------------
    # The page is cut off inside the mysql command: the schema import, the
    # rest of this function (its ";;", esac and closing brace), and the
    # installpowerdns, perfmserver, serverstatus and linebreak functions
    # the menu calls are all missing. "-p" appears to carry no attached
    # value (mysql then prompts for the password instead of taking it
    # from argv) — confirm. The fragment is kept verbatim; the text
    # resumes in the top-level OS check below.
    mysql -u$db_root_user -p /etc/powerdns/pdns.conf <&1
#######################################################################
# Main #
#######################################################################
# Refuses to run on anything but Debian 11 or 12 (major version taken
# from /etc/debian_version).
OS_VER=$(sed 's/\..*//' /etc/debian_version)
if [ "$OS_VER" = 11 ]; then
  printf "This appears to be Debian version %s which is Good!!\n" "$OS_VER"
elif [ "$OS_VER" = 12 ]; then
  printf "This appears to be Debian version %s which is Better!!\n" "$OS_VER"
else
  # The test below has no effect (its result is never used), and the
  # bare "exit" returns status 0, so a caller cannot tell this refusal
  # from a normal run.
  [ "$OS_VER" != 11 ]
  printf "System runs on unsupported Linux. Exiting...\n"
  exit
fi
#Menus Starts here
# linebreak is not defined in the visible text (presumably in the gap).
linebreak
printf "Hostname: %s Server IP: %s Server IPV6: %s \n" "$cur_hostname" "$serverip" "$serverip6"
linebreak
cat <<"eot"
MASTER DNS SETUP MENU
eot
linebreak
# Menu loop: each entry runs one function and returns here; 16 leaves the
# outer loop. Dispatch is on the typed number ($REPLY), not on $opt.
while true; do
  options=("Add Admin User" "Timezone" "Host file" "Hostname" "Add hosts" "Remove hosts" "Swap file" "Update server" "Install Required Packages" "Harden Server" "Install Webmin" "Install Mysql" "Install PowerDNS" "Performance Tweaks" "Check Server Status" "Quit")
  printf "Choose an option: \n"
  select opt in "${options[@]}"; do
    case $REPLY in
    1)
      addadminuser
      break
      ;;
    2)
      settimezone
      break
      ;;
    3)
      creathostfile
      break
      ;;
    4)
      creathostname
      break
      ;;
    5)
      # creathostentry is not defined in the visible text; addhosts() is
      # the function that does this job — confirm which name is right.
      creathostentry
      break
      ;;
    6)
      removehosts
      break
      ;;
    7)
      creatswapfile
      break
      ;;
    8)
      serverupdate
      break
      ;;
    9)
      installpreq
      break
      ;;
    10)
      hardenserver
      break
      ;;
    11)
      installwebmin
      break
      ;;
    12)
      installmariadb
      break
      ;;
    13)
      installpowerdns
      break
      ;;
    14)
      perfmserver
      break
      ;;
    15)
      serverstatus
      break
      ;;
    16) break 2 ;;
    *) echo "Invalid option. Try again." >&2 ;;
    esac
  done
done
# Post-menu cleanup. $builddir and $run are not defined in the visible
# text; `${run}` executes whatever that variable holds as a command, so
# if it can be set from the environment it is an arbitrary-command hook.
if [ -d "$builddir" ]; then
  rm -rf $builddir
fi
mkdir $builddir
if [ "$run" ]; then
  ${run}
  exit
fi
printf "Cleaning up build files, please wait...\n"
cd ~ || exit
# Unquoted and unguarded against an empty value: prefer
# rm -rf -- "${builddir:?}".
rm -rf $builddir