From 526148fc6d39bd05df6723af4840e9ebfaccb21e Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:14:56 -0600 Subject: [PATCH 01/27] Remove multiple commands for PasswordAuthentication ssh config In the latest config file there isn't a duplicate anymore, so we can streamline this. --- scripts/cloud-init.sh.txt | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index fc78bd3..0ccd9b6 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -49,10 +49,8 @@ runcmd: - cp /etc/ssh/sshd_config /etc/ssh/_sshd_config.original ## Change the default SSH port to something else: # - sed -i -e '/^Port/s/^.*$/Port 4444/' /etc/ssh/sshd_config -## If there's a duplicate PasswordAuthentication line, get rid of it: (?) - - sed -i -e '/^PasswordAuthentication/s/^.*$//' /etc/ssh/sshd_config -## If there's a commented-out PasswordAuthentication line, disable password authentication: - - sed -i -e '/^#PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config +## Disable password authentication: + - sed -i -e '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config ## Prevent root login via SSH: - sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config ## Disable X11Forwarding: From 3b082c029666abfcb11b528e8e946ad0e64eb6c4 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:15:50 -0600 Subject: [PATCH 02/27] Comment out UsePrivilegeSeparation Maybe we will eventually add it back, but I can't remember where the line came from, and maybe it's not necessary. --- scripts/cloud-init.sh.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 0ccd9b6..80f8bd8 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt 
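Review bot: The consolidated `sed -i -e '/^PasswordAuthentication/...'` matches only an uncommented directive, so on an sshd_config that carries the stock `#PasswordAuthentication yes` it silently does nothing and password logins stay enabled — and this is the one setting in the block whose failure matters most. The removed pair at least handled the commented form; cover both shapes with one anchored address, `sed -i -e '/^#\?PasswordAuthentication\b/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config`. Whether this base image ships the directive active or commented is not visible here, so verify the effective value rather than the file text after the restart: `sshd -T | grep -qi '^passwordauthentication no' || echo 'WARNING: password authentication still enabled' >&2`.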
@@ -56,7 +56,7 @@ runcmd: ## Disable X11Forwarding: - sed -i -e '/^X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config ## Whatever is currently set for UsePrivilegeSeparation, set it to sandbox: - - sed -i -e '/^UsePrivilegeSeparation/s/^.*$/UsePrivilegeSeparation sandbox/' /etc/ssh/sshd_config +# - sed -i -e '/^UsePrivilegeSeparation/s/^.*$/UsePrivilegeSeparation sandbox/' /etc/ssh/sshd_config ## Disable TCPKeepAlive: - sed -i -e '/^TCPKeepAlive/s/^.*$/TCPKeepAlive no/' /etc/ssh/sshd_config ## Set logging level to verbose: (I think some log analysis tools count on this) From 4057094324e1d52414b768cbb546c9bb85488964 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:16:35 -0600 Subject: [PATCH 03/27] Uncomment commented TCPKeepAlive It's commented in the config now, so we need to update our replacement script accordingly. --- scripts/cloud-init.sh.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 80f8bd8..ed79ef6 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -58,7 +58,7 @@ runcmd: ## Whatever is currently set for UsePrivilegeSeparation, set it to sandbox: # - sed -i -e '/^UsePrivilegeSeparation/s/^.*$/UsePrivilegeSeparation sandbox/' /etc/ssh/sshd_config ## Disable TCPKeepAlive: - - sed -i -e '/^TCPKeepAlive/s/^.*$/TCPKeepAlive no/' /etc/ssh/sshd_config + - sed -i -e '/^#TCPKeepAlive/s/^.*$/TCPKeepAlive no/' /etc/ssh/sshd_config ## Set logging level to verbose: (I think some log analysis tools count on this) - sed -i -e '/^LogLevel/s/^.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config ## Add a comment that we're gonna add some things below: From 67d60c32fc60979864c916fd2a8711f6e1d0f43b Mon Sep 17 00:00:00 2001 
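Review bot: Commenting out the `UsePrivilegeSeparation sandbox` edit is the right call, but the commit message records the reason as a guess and the surviving comment `## Whatever is currently set for UsePrivilegeSeparation, set it to sandbox:` now describes a command that never runs. As far as I recall, OpenSSH 7.5 deprecated the directive because privilege separation with sandboxing became unconditional, and bionic ships 7.6, so there is genuinely nothing to set. I would replace the stale comment with `## UsePrivilegeSeparation is deprecated since OpenSSH 7.5 (sandbox is always on); bionic ships 7.6, so no edit is needed.` and drop the commented-out sed instead of carrying it forward.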
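Review bot: Changing the address from `/^TCPKeepAlive/` to `/^#TCPKeepAlive/` means an image whose sshd_config already has an active `TCPKeepAlive yes` line is no longer touched, and `sed` gives no indication that nothing matched, so the hardening quietly depends on the exact shape of the vendor file. Anchoring on an optional comment marker handles both: `sed -i -e '/^#\?TCPKeepAlive\b/s/^.*$/TCPKeepAlive no/' /etc/ssh/sshd_config`. The same fragility applies to every `^#Keyword` substitution introduced in this series; a final `sshd -T` dump of the directives you care about is the only dependable check that the edits took effect.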
From: Dane Petersen Date: Fri, 28 Dec 2018 13:17:13 -0600 Subject: [PATCH 04/27] Uncomment commented-out LogLevel config Again, it's in the config now, so we need to update our replacement script. --- scripts/cloud-init.sh.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index ed79ef6..95a8f4c 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -60,11 +60,11 @@ runcmd: ## Disable TCPKeepAlive: - sed -i -e '/^#TCPKeepAlive/s/^.*$/TCPKeepAlive no/' /etc/ssh/sshd_config ## Set logging level to verbose: (I think some log analysis tools count on this) - - sed -i -e '/^LogLevel/s/^.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config ## Add a comment that we're gonna add some things below: - sed -i -e '$a# Added by cloud-config init process' /etc/ssh/sshd_config ## Restrict SSH access to only our one allowed user: - sed -i -e '$aAllowUsers __username__' /etc/ssh/sshd_config + - sed -i -e '/^#LogLevel/s/^.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config ## Disable AllowTcpForwarding: - sed -i -e '$aAllowTcpForwarding no' /etc/ssh/sshd_config ## Disable compression: From b25809e3fd976f09660a499ce3f82f71fc12cc7d Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:18:14 -0600 Subject: [PATCH 05/27] Uncomment TCP forwarding, agent forwarding instead of adding new lines --- scripts/cloud-init.sh.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 95a8f4c..7d8a091 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt 
@@ -66,13 +66,13 @@ runcmd: - sed -i -e '$aAllowUsers __username__' /etc/ssh/sshd_config - sed -i -e '/^#LogLevel/s/^.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config ## Disable AllowTcpForwarding: - - sed -i -e '$aAllowTcpForwarding no' /etc/ssh/sshd_config ## Disable compression: - sed -i -e '$aCompression no' /etc/ssh/sshd_config + - sed -i -e '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config ## Disable AllowAgentForwarding: - - sed -i -e '$aAllowAgentForwarding no' /etc/ssh/sshd_config ## Set UsePrivilegeSeparation to sandbox: (you already do this above, though) # - sed -i -e '$aUsePrivilegeSeparation sandbox' /etc/ssh/sshd_config + - sed -i -e '/^#AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config ## Set the maximum sessions to 2: - sed -i -e '$aMaxSessions 2' /etc/ssh/sshd_config ## Now that we're done securing SSH, restart it: (this might disrupt SSH access, but so far that doesn't seem to be happening) From d4dbed6966ab613c9329c08b2134307ac539539b Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:18:45 -0600 Subject: [PATCH 06/27] Uncomment max sessions and add client alive count and max auth tries --- scripts/cloud-init.sh.txt | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 7d8a091..04bee67 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt 
@@ -74,7 +74,11 @@ runcmd: # - sed -i -e '$aUsePrivilegeSeparation sandbox' /etc/ssh/sshd_config - sed -i -e '/^#AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config ## Set the maximum sessions to 2: - - sed -i -e '$aMaxSessions 2' /etc/ssh/sshd_config + - sed -i -e '/^#MaxSessions/s/^.*$/MaxSessions 2/' /etc/ssh/sshd_config +## Set the maximum auth tries to 2: + - sed -i -e '/^#MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config +## Set client alive count max to 2: + - sed -i -e '/^#ClientAliveCountMax/s/^.*$/ClientAliveCountMax 2/' /etc/ssh/sshd_config ## Now that we're done securing SSH, restart it: (this might disrupt SSH access, but so far that doesn't seem to be happening) - /etc/init.d/ssh restart From 55614739cf1adee1080bbbceb83f7cc04607b1dd Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:19:02 -0600 Subject: [PATCH 07/27] Uncomment compression config line --- scripts/cloud-init.sh.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 04bee67..47c520e 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -66,8 +66,6 @@ runcmd: - sed -i -e '$aAllowUsers __username__' /etc/ssh/sshd_config - sed -i -e '/^#LogLevel/s/^.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config ## Disable AllowTcpForwarding: -## Disable compression: - - sed -i -e '$aCompression no' /etc/ssh/sshd_config - sed -i -e '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config ## Disable AllowAgentForwarding: ## Set UsePrivilegeSeparation to sandbox: (you already do this above, though) 
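Review bot: `ClientAliveCountMax 2` has no effect by itself, because `ClientAliveInterval` defaults to 0 and that disables the keep-alive probes whose misses the count limits; if the goal is to drop dead sessions, pair it with `sed -i -e '/^#\?ClientAliveInterval\b/s/^.*$/ClientAliveInterval 300/' /etc/ssh/sshd_config`. Separately, `MaxAuthTries 2` counts every public key the client offers, so an operator with three or more keys loaded in ssh-agent is disconnected with "Too many authentication failures" before the right key is tried, and with `AllowUsers` restricting logins to a single account that is an easy self-lockout. Either raise the value to 3 or 4, or document that clients must use `IdentitiesOnly yes` for this host.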
@@ -79,6 +77,8 @@ runcmd: - sed -i -e '/^#MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config ## Set client alive count max to 2: - sed -i -e '/^#ClientAliveCountMax/s/^.*$/ClientAliveCountMax 2/' /etc/ssh/sshd_config +## Disable compression: + - sed -i -e '/^#Compression/s/^.*$/Compression no/' /etc/ssh/sshd_config ## Now that we're done securing SSH, restart it: (this might disrupt SSH access, but so far that doesn't seem to be happening) - /etc/init.d/ssh restart From 3cbd29db1bd085d2f5fae3eb9f8a3fc60cb90b5c Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:19:55 -0600 Subject: [PATCH 08/27] Re-organize new lines that we need to add to ssh config --- scripts/cloud-init.sh.txt | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 47c520e..e51be0a 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -60,10 +60,6 @@ runcmd: ## Disable TCPKeepAlive: - sed -i -e '/^#TCPKeepAlive/s/^.*$/TCPKeepAlive no/' /etc/ssh/sshd_config ## Set logging level to verbose: (I think some log analysis tools count on this) -## Add a comment that we're gonna add some things below: - - sed -i -e '$a# Added by cloud-config init process' /etc/ssh/sshd_config -## Restrict SSH access to only our one allowed user: - - sed -i -e '$aAllowUsers __username__' /etc/ssh/sshd_config - sed -i -e '/^#LogLevel/s/^.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config ## Disable AllowTcpForwarding: - sed -i -e '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config 
@@ -79,6 +75,11 @@ runcmd: - sed -i -e '/^#ClientAliveCountMax/s/^.*$/ClientAliveCountMax 2/' /etc/ssh/sshd_config ## Disable compression: - sed -i -e '/^#Compression/s/^.*$/Compression no/' /etc/ssh/sshd_config +## Add a comment that we're adding new config things below + - sed -i -e '$a# Added by cloud-config init process' /etc/ssh/sshd_config +## Restrict SSH access to only our one allowed user: + - sed -i -e '$aAllowUsers __username__' /etc/ssh/sshd_config + ## Now that we're done securing SSH, restart it: (this might disrupt SSH access, but so far that doesn't seem to be happening) - /etc/init.d/ssh restart From 84cb9ef10928926ac6a6f7b6c2c4cc4c4b0b541a Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:20:07 -0600 Subject: [PATCH 09/27] Remove duplicate privilege separation line --- scripts/cloud-init.sh.txt | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index e51be0a..f160fa7 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -64,8 +64,6 @@ runcmd: ## Disable AllowTcpForwarding: - sed -i -e '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config ## Disable AllowAgentForwarding: -## Set UsePrivilegeSeparation to sandbox: (you already do this above, though) -# - sed -i -e '$aUsePrivilegeSeparation sandbox' /etc/ssh/sshd_config - sed -i -e '/^#AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config ## Set the maximum sessions to 2: - sed -i -e '/^#MaxSessions/s/^.*$/MaxSessions 2/' /etc/ssh/sshd_config From 5771a4a15ce6c73826928414a5103802879a0ded Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:21:36 -0600 Subject: [PATCH 10/27] Bump Lynis, Nginx, MariaDB from xenial to bionic --- scripts/cloud-init.sh.txt | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index f160fa7..a1f80e0 100755 --- a/scripts/cloud-init.sh.txt 
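Review bot: The appended `AllowUsers __username__` is the one edit in this block that can lock every account out of the host, and it goes straight into `/etc/init.d/ssh restart` with no validation; with `PasswordAuthentication no` and `PermitRootLogin no` already applied there is no fallback except the console. Check the config and fall back to the backup the block already made before restarting: `sshd -t || cp /etc/ssh/_sshd_config.original /etc/ssh/sshd_config`, bearing in mind that `sshd -t` will not notice an unsubstituted `__username__` placeholder, so a `grep -q '__username__' /etc/ssh/sshd_config && echo 'placeholder not replaced' >&2` is worth adding too. Note also that `$a` appends to the very end of the file and any directive after a `Match` block is scoped to that block; the stock bionic file only has a commented `#Match User anoncvs`, so this works today, but an image with a live `Match` section would silently turn the global `AllowUsers` into a per-match one.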
+++ b/scripts/cloud-init.sh.txt @@ -150,8 +150,8 @@ runcmd: - printf '=======\n\n' - wget http://nginx.org/keys/nginx_signing.key -P /home/__username__/ - apt-key add /home/__username__/nginx_signing.key - - echo 'deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx' >> /etc/apt/sources.list - - echo 'deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx' >> /etc/apt/sources.list + - echo 'deb http://nginx.org/packages/mainline/ubuntu/ bionic nginx' >> /etc/apt/sources.list + - echo 'deb-src http://nginx.org/packages/mainline/ubuntu/ bionic nginx' >> /etc/apt/sources.list - apt update -yq - DEBIAN_FRONTEND=noninteractive apt install -yq nginx @@ -176,7 +176,7 @@ runcmd: - echo 'ADDING APT FOR MARIADB' - printf '=======\n\n' - apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 - - add-apt-repository -y 'deb [arch=amd64,i386,ppc64el] http://sfo1.mirrors.digitalocean.com/mariadb/repo/10.3/ubuntu xenial main' + - add-apt-repository -y 'deb [arch=amd64,i386,ppc64el] http://sfo1.mirrors.digitalocean.com/mariadb/repo/10.3/ubuntu bionic main' - apt update -y ############## @@ -287,7 +287,8 @@ runcmd: ## Add a keyserver for grabbing the latest version of lynis off their own package server: - apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F ## Add the URL for lynis' package server: - - echo 'deb https://packages.cisofy.com/community/lynis/deb/ xenial main' >> /etc/apt/sources.list.d/cisofy-lynis.list + - echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list + ## Grab latest apt updates now that we can query lynis' package server, and install the latest available version of lynis: - apt update -yq - DEBIAN_FRONTEND=noninteractive apt install -yq lynis From 17b5fde6b1f26c8809df4239cb3ca17eccd1939a Mon Sep 17 00:00:00 2001 
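Review bot: The new nginx repository lines are appended to `/etc/apt/sources.list` over plain `http://`; apt's signature check protects the packages, but the signing key that anchors that check is fetched two lines above with `wget http://nginx.org/keys/nginx_signing.key`, so the whole trust chain rests on an unauthenticated download and an on-path attacker at provisioning time can substitute key and repository together. Use `https://` for the key and for both repo lines (nginx.org serves them over TLS), and write them to `/etc/apt/sources.list.d/nginx.list` with `tee` the way the lynis hunk does, so a re-run does not keep appending duplicates. The `deb-src` entry is only needed for building from source and is one more line to keep in sync.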
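Review bot: The MariaDB repository line moves to bionic but still points at a plain `http://` mirror, and the key that validates it is retrieved on the line above by 64-bit key ID `0xF1656F24C74CD1D8` over `hkp://keyserver.ubuntu.com:80`; a long ID is much better than a short one, but it is not a fingerprint and keyserver lookups by ID have been abused with colliding keys. Import by the full 40-hex fingerprint MariaDB publishes for that key (`--recv-keys <fingerprint>`), or download the key over HTTPS from mariadb.org and `apt-key add` it, and prefer an `https://` mirror so the repository metadata is not trivially observable or tamperable in transit.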
From: Dane Petersen Date: Fri, 28 Dec 2018 13:22:06 -0600 Subject: [PATCH 11/27] Bump PHP to 7.3 --- scripts/cloud-init.sh.txt | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index a1f80e0..6257015 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -300,7 +300,7 @@ runcmd: - echo 'CONFIGURING MORE PHP AND NGINX' - printf '=======\n\n' ## Stop PHP because we're gonna make index.php a legit default route file: - - service php7.2-fpm stop + - service php7.3-fpm stop ## Stop nginx because we're going to configure some PHP stuff and a whole lotta server blocks: - service nginx stop 
@@ -356,16 +356,16 @@ runcmd: ## Test our nginx config - nginx -t ## Change php user and group to new user - - sed -i -e 's/user = www-data/user = __username__/' /etc/php/7.2/fpm/pool.d/www.conf - - sed -i -e 's/group = www-data/group = __username__/' /etc/php/7.2/fpm/pool.d/www.conf - - sed -i -e 's/listen.owner = www-data/listen.owner = __username__/' /etc/php/7.2/fpm/pool.d/www.conf - - sed -i -e 's/listen.group = www-data/listen.group = __username__/' /etc/php/7.2/fpm/pool.d/www.conf - - sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 64M/' /etc/php/7.2/fpm/pool.d/www.conf - - sed -i -e 's/post_max_size = 8M/post_max_size = 64M/' /etc/php/7.2/fpm/pool.d/www.conf + - sed -i -e 's/user = www-data/user = __username__/' /etc/php/7.3/fpm/pool.d/www.conf + - sed -i -e 's/group = www-data/group = __username__/' /etc/php/7.3/fpm/pool.d/www.conf + - sed -i -e 's/listen.owner = www-data/listen.owner = __username__/' /etc/php/7.3/fpm/pool.d/www.conf + - sed -i -e 's/listen.group = www-data/listen.group = __username__/' /etc/php/7.3/fpm/pool.d/www.conf + - sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 64M/' /etc/php/7.3/fpm/pool.d/www.conf + - sed -i -e 's/post_max_size = 8M/post_max_size = 64M/' /etc/php/7.3/fpm/pool.d/www.conf ## Test our php config - - php-fpm7.2 -t + - php-fpm7.3 -t ## Start PHP: - - service php7.2-fpm start + - service php7.3-fpm start ## Start nginx: - service nginx start From a1bc6caf15a1f991128d2165caf076a7b30861f0 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:22:40 -0600 Subject: [PATCH 12/27] Skip downloading language translations from apt --- scripts/cloud-init.sh.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 6257015..8272e67 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt 
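Review bot: The pool keeps running as `__username__` — the account that owns the web root (see the chown later in the script) and the only login `AllowUsers` permits, apparently sudo-capable judging by manual-commands.sh — so any PHP code-execution bug gives the attacker write access to the site's own source files and to that user's home, SSH keys and sudo context, which is precisely the separation `www-data` exists to provide. The 7.2→7.3 path update itself is fine, but I would keep `user = www-data` / `group = www-data`, make the web root `__username__:www-data` with group read and write only on the specific upload directories, and set `listen.owner`/`listen.group` to whatever nginx's workers run as (the nginx.conf template substitutes `__username__` there as well, which has the same problem).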
@@ -286,6 +286,8 @@ runcmd: - printf '=======\n\n' ## Add a keyserver for grabbing the latest version of lynis off their own package server: - apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F +## Skip translations + - echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations ## Add the URL for lynis' package server: - echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list From 12d1927315220537974c995d95c58dbfd221f0a3 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:23:28 -0600 Subject: [PATCH 13/27] Update rkhunter and remove comment about fix (as it's fixed and we're using bionic now) --- scripts/cloud-init.sh.txt | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 8272e67..cc6944a 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -271,10 +271,7 @@ runcmd: - printf '\n\n=======\n' - echo 'CONFIGURING RKHUNTER' - printf '=======\n\n' -## Don't update rkhunter, as updating has been disabled due to an attack vector -## This has been fixed in rkhunter 1.4.6, but xenial only installs 1.4.2, so I don't think the attack vector is patched -## https://askubuntu.com/questions/989492/rkhunter-doesnt-update-in-ubuntu-17-10 - # - rkhunter --update + - rkhunter --update ## Update rookit hunter properties definition list: - rkhunter --propupd From b5eb1a57c9c7f88971aa34e0a20946580c256e09 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:24:01 -0600 Subject: [PATCH 14/27] Keep updating PHP to 7.3 --- scripts/cloud-init.sh.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index cc6944a..2b492a7 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt 
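Review bot: Re-enabling `rkhunter --update` is reasonable on bionic's 1.4.6, but as far as I recall the Debian/Ubuntu packaging answered the original insecure-downloader issue by shipping `/etc/rkhunter.conf` with `WEB_CMD="/bin/false"`, which makes `--update` fail with an invalid-WEB_CMD error regardless of the rkhunter version; nothing in this script changes that setting, and since runcmd does not stop on a failing command the error would only show up in the cloud-init log. If updates are wanted, set `WEB_CMD=""` (and confirm `UPDATE_MIRRORS=1` and `MIRRORS_MODE=0`) in `/etc/rkhunter.conf` before this line, and check the result while remembering that exit status 2 means "updates applied", e.g. `rkhunter --update; [ $? -ne 1 ] || echo 'rkhunter --update failed' >&2`. Keeping `--propupd` immediately after, as it is, is right so the baseline reflects the updated definitions.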
@@ -163,11 +163,11 @@ runcmd: - printf '=======\n\n' - LC_ALL=en_US.UTF-8 add-apt-repository -y ppa:ondrej/php - apt update -y - - DEBIAN_FRONTEND=noninteractive apt install -y php7.2-fpm php7.2-common php7.2-mbstring php7.2-xmlrpc php7.2-gd php7.2-xml php7.2-mysql php7.2-cli php7.2-zip php7.2-curl + - DEBIAN_FRONTEND=noninteractive apt install -y php7.3-fpm php7.3-common php7.3-mbstring php7.3-xmlrpc php7.3-gd php7.3-xml php7.3-mysql php7.3-cli php7.3-zip php7.3-curl ## Back up our php.ini configuration file: - - cp /etc/php/7.2/fpm/php.ini /etc/php/7.2/fpm/_php.ini.original + - cp /etc/php/7.3/fpm/php.ini /etc/php/7.3/fpm/_php.ini.original ## Set cgi fix_pathinfo to true (we're protected in other ways, and I absolutely could not get PHP to work without enabling this): - - sed -i -e 's/fix_pathinfo=.*$/cgi.fix_pathinfo=1/' /etc/php/7.2/fpm/php.ini + - sed -i -e 's/fix_pathinfo=.*$/cgi.fix_pathinfo=1/' /etc/php/7.3/fpm/php.ini ############################ ## ADDING APT FOR MARIADB ## From 0a51600a5ea1939df46efdfc8db10b45bce2f496 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:24:11 -0600 Subject: [PATCH 15/27] Enable secure shared memory --- scripts/cloud-init.sh.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 2b492a7..c156d10 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -230,6 +230,16 @@ runcmd: ## Show the rules that are active: - ufw status verbose +########### +## FSTAB ## +########### + - printf '\n\n=======\n' + - echo 'CONFIGURING FSTAB' + - printf '=======\n\n' +# https://hostadvice.com/how-to/how-to-harden-your-ubuntu-18-04-server/ +# Enable secure shared memory: + - sed -i -e '$anone /run/shm tmpfs defaults,ro 0 0' /etc/fstab + ############## ## LOGWATCH ## ############## From e2ecad0b260ee114348a3169faaa712323d267a0 Mon Sep 17 00:00:00 2001 
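Review bot: The `cgi.fix_pathinfo` sed keeps its old pattern and the pattern looks broken: the stock `php.ini-production` carries the directive as `;cgi.fix_pathinfo=1`, and `s/fix_pathinfo=.*$/cgi.fix_pathinfo=1/` rewrites only the tail, yielding `;cgi.cgi.fix_pathinfo=1` — still a comment. PHP's built-in default for the option is 1, which is probably why things work anyway, but the file then says nothing about the choice. Because fix_pathinfo=1 enables the classic "upload an image, execute it as PHP" path-info attack and the nginx template's `try_files $uri =404` is what neutralises it, either set the directive explicitly with `sed -i -e 's/^;\?cgi\.fix_pathinfo=.*$/cgi.fix_pathinfo=1/' /etc/php/7.3/fpm/php.ini` and name `try_files $uri =404` as the compensating control in the comment, or set it to 0 and test whether the sites really need PATH_INFO.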
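Review bot: `none /run/shm tmpfs defaults,ro 0 0` is the old "secure shared memory" recipe and it is stricter than intended: a read-only tmpfs means no process can create POSIX shared memory at all, which breaks anything using `shm_open` or `/dev/shm` (I cannot tell from here whether this LEMP stack does, but it is a common surprise). On bionic `/run/shm` is a symlink to `/dev/shm`, which systemd mounts itself, so the effect of this entry also depends on mount ordering. The usual hardening is `tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0`, which blocks executing setuid or any binaries from shared memory while keeping it writable; and since the line is appended with `$a`, prefix it with `grep -q ' /dev/shm ' /etc/fstab ||` so a re-run does not add it twice.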
From: Dane Petersen Date: Fri, 28 Dec 2018 13:24:39 -0600 Subject: [PATCH 16/27] Autoremove apt things we don't need anymore --- scripts/cloud-init.sh.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index c156d10..baf7133 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -386,6 +386,7 @@ runcmd: - printf '=======\n\n' - apt update -yq - apt upgrade -yq + - apt autoremove -yq ################ ## END RUNCMD ## From 5d8742d0773f715b499de58de1b755474c42cc54 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:24:58 -0600 Subject: [PATCH 17/27] Add apt-transport-https in case it's not installed by default --- scripts/cloud-init.sh.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index baf7133..1f1726a 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -4,6 +4,7 @@ package_upgrade: true packages: - apt-listchanges - apt-show-versions + - apt-transport-https - chkrootkit - debsecan - debsums From 7fd3ce4f75c08df6e617637abf5ded9f19eaa1dc Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 13:57:55 -0600 Subject: [PATCH 18/27] Update templates for PHP 7.3 --- templates/etc/nginx/fastcgi_params.txt | 2 +- templates/etc/nginx/sites-available/domain.tld.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/etc/nginx/fastcgi_params.txt b/templates/etc/nginx/fastcgi_params.txt index 31f2266..1f98483 100755 --- a/templates/etc/nginx/fastcgi_params.txt +++ b/templates/etc/nginx/fastcgi_params.txt @@ -11,7 +11,7 @@ fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param HTTPS $https if_not_empty; -# Added for php7.2-fpm +# Added for php7.3-fpm fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; 
diff --git a/templates/etc/nginx/sites-available/domain.tld.txt b/templates/etc/nginx/sites-available/domain.tld.txt index 2d038f2..3a8419b 100755 --- a/templates/etc/nginx/sites-available/domain.tld.txt +++ b/templates/etc/nginx/sites-available/domain.tld.txt @@ -52,7 +52,7 @@ server { location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php/php7.2-fpm.sock; + fastcgi_pass unix:/run/php/php7.3-fpm.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param PATH_INFO $fastcgi_path_info; From 1a895874392c72f0fe778fb5ead2c84c2fd86350 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 14:02:49 -0600 Subject: [PATCH 19/27] Comment out PHP config lines that don't exist in 7.3 anymore --- scripts/cloud-init.sh.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 1f1726a..b4acaf7 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -370,8 +370,10 @@ runcmd: - sed -i -e 's/group = www-data/group = __username__/' /etc/php/7.3/fpm/pool.d/www.conf - sed -i -e 's/listen.owner = www-data/listen.owner = __username__/' /etc/php/7.3/fpm/pool.d/www.conf - sed -i -e 's/listen.group = www-data/listen.group = __username__/' /etc/php/7.3/fpm/pool.d/www.conf - - sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 64M/' /etc/php/7.3/fpm/pool.d/www.conf - - sed -i -e 's/post_max_size = 8M/post_max_size = 64M/' /etc/php/7.3/fpm/pool.d/www.conf +## This line doesn't exist anymore in PHP 7.3: +# - sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 64M/' /etc/php/7.3/fpm/pool.d/www.conf +## This line doesn't exist anymore in PHP 7.3: +# - sed -i -e 's/post_max_size = 8M/post_max_size = 64M/' /etc/php/7.3/fpm/pool.d/www.conf ## Test our php config - php-fpm7.3 -t ## Start PHP: From cfce10dbb1f609cc3cb6523c622980efd72c3327 Mon Sep 17 00:00:00 2001 
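Review bot: The two disabled seds were never going to match: `upload_max_filesize` and `post_max_size` are php.ini directives that live in `/etc/php/7.3/fpm/php.ini`, not in the pool file `www.conf`, so the new explanation `## This line doesn't exist anymore in PHP 7.3:` is misleading — they were absent from `www.conf` under 7.2 as well. If the 64M limits are wanted, apply them where they exist, `sed -i -e 's/^upload_max_filesize = .*/upload_max_filesize = 64M/' -e 's/^post_max_size = .*/post_max_size = 64M/' /etc/php/7.3/fpm/php.ini`, or scope them to the pool with `php_admin_value[upload_max_filesize] = 64M` and `php_admin_value[post_max_size] = 64M` in `www.conf`. Otherwise delete the dead lines rather than keep them commented with a wrong reason.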
From: Dane Petersen Date: Fri, 28 Dec 2018 14:03:29 -0600 Subject: [PATCH 20/27] Use single-quotes --- scripts/cloud-init.sh.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index b4acaf7..3d428a4 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -140,8 +140,8 @@ runcmd: - printf '\n\n=======\n' - echo 'CHANGING PASSWDS' - printf '=======\n\n' - - echo "root:__temporary_password_change_me_immediately__"|chpasswd - - echo "__username__:__temporary_password_change_me_immediately__"|chpasswd + - echo 'root:__temporary_password_change_me_immediately__' | chpasswd + - echo '__username__:__temporary_password_change_me_immediately__' | chpasswd ########### ## NGINX ## @@ -265,7 +265,7 @@ runcmd: ## Back up our blacklist.conf configuration file: - cp /etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.original ## Blacklist USB storage: - - echo "blacklist usb-storage" | tee -a /etc/modprobe.d/blacklist.conf + - echo 'blacklist usb-storage' | tee -a /etc/modprobe.d/blacklist.conf ############### ## INITRAMFS ## From 8f47405870e3318a9b942b9339ef57294dbaf157 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 14:03:54 -0600 Subject: [PATCH 21/27] Reference the tip of the 18.04 feature branch for templates --- scripts/cloud-init.sh.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 3d428a4..77b9239 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt 
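Review bot: `echo 'root:__temporary_password_change_me_immediately__' | chpasswd` (and the matching line for the user) sets a password that is written into the user-data itself, and cloud-init user-data is typically readable by any local process through the instance metadata endpoint and from `/var/lib/cloud/instance/user-data.txt`, so the "temporary" root and user passwords are effectively public on the box until someone remembers to change them. With `PasswordAuthentication no` and `PermitRootLogin no` they are not reachable over SSH, but they remain valid on the console and for `su`. Prefer a pre-hashed value via `chpasswd -e`, or cloud-init's own `chpasswd:` module with `expire: true` so the first login forces a change, and consider `passwd -l root` since root SSH is disabled anyway. The quoting change itself is harmless: the placeholder contains no `$`, so nothing expanded before either.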
@@ -357,12 +357,12 @@ runcmd: ## Back up our original nginx configuration file: - mv /etc/nginx/nginx.conf /etc/nginx/nginx.original ## Grab our new nginx configuration file: - - curl https://raw.githubusercontent.com/thegreatsunra/lemp-cloud-init/0.6.1/templates/etc/nginx/nginx.conf.txt -o /etc/nginx/nginx.conf + - curl https://raw.githubusercontent.com/thegreatsunra/lemp-cloud-init/feature/use-ubuntu-1804/templates/etc/nginx/nginx.conf.txt -o /etc/nginx/nginx.conf ## Replace the placeholder username in our nginx config with - sed -i -e 's/user[ ]*__placeholder_username__/user __username__/' /etc/nginx/nginx.conf ## Update fastcgi_params for PHP - mv /etc/nginx/fastcgi_params /etc/nginx/fastcgi_params.original - - curl https://raw.githubusercontent.com/thegreatsunra/lemp-cloud-init/0.6.1/templates/etc/nginx/fastcgi_params.txt -o /etc/nginx/fastcgi_params + - curl https://raw.githubusercontent.com/thegreatsunra/lemp-cloud-init/feature/use-ubuntu-1804/templates/etc/nginx/fastcgi_params.txt -o /etc/nginx/fastcgi_params ## Test our nginx config - nginx -t ## Change php user and group to new user From 20850518a2929b99487c6350581b5ec4e403dbbd Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 14:05:56 -0600 Subject: [PATCH 22/27] Keep updating PHP to 7.3 --- scripts/manual-commands.sh.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/manual-commands.sh.txt b/scripts/manual-commands.sh.txt index 9b54d31..bd9712d 100644 --- a/scripts/manual-commands.sh.txt +++ b/scripts/manual-commands.sh.txt @@ -43,7 +43,7 @@ sudo nginx -t ## Start nginx sudo service nginx start ## Start PHP (in case it hasn't started yet) -sudo service php7.2-fpm start +sudo service php7.3-fpm start ## Install and configure sendmail ## This command will take a long time and appear to freeze From c89d9e108c7f0d0ea1ffb70202ad2b1451d7e41e Mon Sep 17 00:00:00 2001 
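Review bot: Fetching `nginx.conf` and `fastcgi_params` from `feature/use-ubuntu-1804` swaps a tag for a moving branch, so whoever can push to that branch (or a compromised GitHub account) rewrites the web server configuration of every host provisioned from this script, and a later branch deletion turns the URL into a 404. Bare `curl` also writes that 404 body into `/etc/nginx/nginx.conf` and exits 0, leaving the `nginx -t` a few lines down as the only thing that notices. Pin the ref to a commit SHA (`.../lemp-cloud-init/<sha>/templates/...`) and use `curl -fsSL <url> -o <dest>` so a failed fetch fails loudly; for a real integrity guarantee, compare the download against a known `sha256sum` before installing it.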
From: Dane Petersen Date: Fri, 28 Dec 2018 16:47:12 -0600 Subject: [PATCH 23/27] Reference feature branch for template --- scripts/cloud-init.sh.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index 77b9239..e48c99c 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt @@ -334,7 +334,7 @@ runcmd: ## Add the sites-available and sites-enabled folders because the nginx mainline doesn't have them - mkdir /etc/nginx/sites-available /etc/nginx/sites-enabled ## Grab our nginx sites-available config files off GitHub Gist and make 'em - - curl https://raw.githubusercontent.com/thegreatsunra/lemp-cloud-init/0.6.1/templates/etc/nginx/sites-available/domain.tld.txt -o /etc/nginx/sites-available/__domain.tld__ + - curl https://raw.githubusercontent.com/thegreatsunra/lemp-cloud-init/feature/use-ubuntu-1804/templates/etc/nginx/sites-available/domain.tld.txt -o /etc/nginx/sites-available/__domain.tld__ ## Symlink all server block sites-available definition files in the sites-enabled folder: - ln -s /etc/nginx/sites-available/__domain.tld__ /etc/nginx/sites-enabled/ ## Change owner of public web server files to default user: From f33cce06630a6cb8943ddab9d6dde7955be9afbc Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 16:47:28 -0600 Subject: [PATCH 24/27] Update based on latest example from Nginx site Hello, ARM. --- scripts/cloud-init.sh.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/cloud-init.sh.txt b/scripts/cloud-init.sh.txt index e48c99c..86a0261 100755 --- a/scripts/cloud-init.sh.txt +++ b/scripts/cloud-init.sh.txt 
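Review bot: The server-block template is now pulled from the mutable `feature/use-ubuntu-1804` branch with a bare `curl`, so a push to that branch changes the vhost of every new server and a 404 response becomes the content of `/etc/nginx/sites-available/__domain.tld__` with exit status 0. Use `curl -fsSL` so an HTTP error aborts instead of being written to disk, and pin the ref to a commit SHA or an immutable release tag rather than a branch name.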
@@ -177,7 +177,7 @@ runcmd: - echo 'ADDING APT FOR MARIADB' - printf '=======\n\n' - apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 - - add-apt-repository -y 'deb [arch=amd64,i386,ppc64el] http://sfo1.mirrors.digitalocean.com/mariadb/repo/10.3/ubuntu bionic main' + - add-apt-repository -y 'deb [arch=amd64,arm64,ppc64el] http://sfo1.mirrors.digitalocean.com/mariadb/repo/10.3/ubuntu bionic main' - apt update -y ############## From dc27c1365b4a11a3e5751edc0c68c6a9e3f102f3 Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 16:48:06 -0600 Subject: [PATCH 25/27] Make sure to install php-mysql 7.3 --- scripts/manual-commands.sh.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/manual-commands.sh.txt b/scripts/manual-commands.sh.txt index bd9712d..2a695df 100644 --- a/scripts/manual-commands.sh.txt +++ b/scripts/manual-commands.sh.txt @@ -16,7 +16,7 @@ sudo passwd root sudo passwd __REPLACE_THIS_TEXT_WITH_YOUR_ACTUAL_USERNAME__ ## Don't enter a password because we'll enter one later, even though it asks three times -sudo apt install -y mariadb-server php-mysql +sudo apt install -y mariadb-server php7.3-mysql ## Secure the mysql installation ## Steps for the following task From 21722c2fc9a42c89872a91bffd6d208622d62ddb Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 16:48:48 -0600 Subject: [PATCH 26/27] MariaDB fails to finish installing, so run mysql_install_db to clean up after it --- scripts/manual-commands.sh.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/manual-commands.sh.txt b/scripts/manual-commands.sh.txt index 2a695df..4820385 100644 --- a/scripts/manual-commands.sh.txt +++ b/scripts/manual-commands.sh.txt 
@@ -17,6 +17,7 @@ sudo passwd __REPLACE_THIS_TEXT_WITH_YOUR_ACTUAL_USERNAME__ ## Don't enter a password because we'll enter one later, even though it asks three times sudo apt install -y mariadb-server php7.3-mysql +sudo mysql_install_db ## Secure the mysql installation ## Steps for the following task From 9e1495643ead85750d918e9b5e4cfdf5802f805b Mon Sep 17 00:00:00 2001 From: Dane Petersen Date: Fri, 28 Dec 2018 16:49:54 -0600 Subject: [PATCH 27/27] Bump version to 1.0.0 If it's in production it's 1.0 whether you like it or not, and this stuff has been running in production for years now. --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index ee6cdce..3eefcb9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.6.1 +1.0.0
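Review bot: `sudo mysql_install_db` run bare as root populates the data directory with root-owned files, and mysqld, which runs as `mysql`, then fails to start or to write to them; the documented invocation is `sudo mysql_install_db --user=mysql --datadir=/var/lib/mysql`. More importantly, "MariaDB fails to finish installing" is a symptom of something else — usually the service not starting during postinst, for a reason not visible here — and re-initialising the datadir papers over it rather than fixing it. After the install, `sudo dpkg --configure -a` and `journalctl -u mariadb` will tell you whether the package is actually configured and why it was not.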