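# Django 2020-06-12 - kickstart file for unattended provisioning of DMZ machines (64-bit)
# Version=CentOS 8 (RHEL 8)
#
# Layout: installer directives first, then a %pre script that derives the
# network configuration from the kernel command line (consumed via %include),
# then a %post script that hardens sshd and points the package repositories
# at the local mirror.
#
# NOTE(review): several values were lost in this copy of the file (the
# installer URL, repo base URLs, gateway/netmask/nameserver in the network
# lines, the mirror host in the .repo files). They are kept as found and
# marked below; restore them from the original before using this file.
#
# NOTE(review): this file carries crypted password hashes for root and for
# the `django` account. A kickstart served from a PXE/HTTP share is readable
# by every host on that network, and $6$ hashes are crackable offline, so keep
# the share access-restricted and rotate these passwords after install.

# Keyboard layout
keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'

# System language
lang en_US.UTF-8

# Network settings (address and hostname) are generated by the %pre script
# below from the SERVERNAME= argument passed in at PXE boot.
%include /tmp/networks.cfg

# Time zone and time sync
timezone Europe/Berlin --isUtc --ntpservers=vml000027.dmz.nausch.org
services --enabled="chronyd"

# Network install from the local mirror with current packages.
# NOTE(review): both URLs are empty in this copy - fill in the mirror URLs.
url --url=""
repo --name="AppStream" --baseurl=

# Root password, pre-hashed.
# NOTE(review): sshd below sets `PermitRootLogin no`, so root is console/su
# only; consider `rootpw --lock` plus sudo for `django` if a root password is
# not actually needed.
rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01

# Default user account (the only account allowed to log in over SSH, see
# AllowUsers in the sshd_config written by %post).
user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell"

# Wipe existing partitions on the single installation disk.
ignoredisk --only-use=vda
clearpart --all --initlabel --drives=vda
# NOTE(review): autopart is commented out, so no partitioning scheme is
# defined here; with `graphical` below the installer will ask for one
# interactively - presumably intended, confirm.
# autopart --type=lvm

# Use the graphical installer
graphical

# Do not configure X - it is not installed
skipx

# Reboot once the installation is finished
reboot

# Package selection: minimal environment plus a few admin tools
%packages
@^minimal-environment
-iwl*firmware
vim
bash-completion
bind-utils
wget
telnet
net-tools
lsof
%end

%addon com_redhat_kdump --disable --reserve-mb='auto'
%end

%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end

# Pre-install: derive the network address and hostname from the kernel
# command line and write them to the file that %include above pulls in.
%pre
#!/bin/bash
# Naming scheme (see the hostnames used elsewhere in this file): vml000NNN,
# where the trailing digits are the last IPv4 octet in 10.0.0.0/24. A name
# with one more leading zero (vml0000NN) yields a two-digit octet.
#
# Default when no SERVERNAME= argument is present: DHCP with a placeholder
# hostname. NOTE(review): the original wrote this fallback to
# /tmp/network.ks, which nothing includes (%include reads /tmp/networks.cfg),
# so a boot without SERVERNAME= would have failed on the missing include.
# NOTE(review): --gateway/--nameserver/--netmask values are empty in this
# copy of the file; restore them.
echo "network --device eth0 --bootproto dhcp --hostname vml000XXX.dmz.nausch.org" > /tmp/networks.cfg

# Split the command line on whitespace into individual key=value tokens.
read -r -a cmdline_args < /proc/cmdline
for arg in "${cmdline_args[@]}"; do
  case "$arg" in
    SERVERNAME=*)
      # Take the value by parameter expansion. The original ran `eval` on
      # the raw token, which executes whatever is placed after SERVERNAME
      # on the boot line; the PXE server controls that line, but there is
      # no reason to interpret it as code.
      SERVERNAME=${arg#SERVERNAME=}
      if [ -z "$SERVERNAME" ]; then
        # SERVERNAME= given but empty: fixed fallback host .250
        echo "network --bootproto=static --device=eth0 --gateway= --ip --nameserver= --netmask --ipv6=auto --activate --hostname vml000250.dmz.nausch.org" > /tmp/networks.cfg
      else
        # Character 6 is '0' only for the two-digit form vml0000NN.
        if [ "${SERVERNAME:6:1}" = "0" ]; then
          OCTET=${SERVERNAME:7:2}
        else
          OCTET=${SERVERNAME:6:3}
        fi
        echo "network --bootproto=static --device=eth0 --gateway= --ip 10.0.0.${OCTET} --nameserver= --netmask --ipv6=auto --activate --hostname ${SERVERNAME}.dmz.nausch.org" > /tmp/networks.cfg
      fi
      ;;
  esac
done
%end

# Post-install: runs inside the freshly installed system.
%post --log=/root/anaconda-postinstall.log
#!/bin/bash
# No `set -e` here on purpose: a failing step (e.g. the mirror being down
# for `dnf update`) must not abort the rest of the script, and the sshd
# hardening below should always be written.

#######################################
# Write stdin to a root-owned file with the given mode.
# Arguments: $1 - file mode (octal), $2 - destination path
#######################################
write_root_file() {
  local mode=$1 path=$2
  cat > "$path"
  chown root:root "$path"
  chmod "$mode" "$path"
}

# Pick up SERVERNAME= from the kernel command line, as %pre does.
# NOTE(review): in the original the whole of %post sat inside the case arm
# that matched SERVERNAME, so a boot without it would have silently skipped
# the sshd hardening and the repository setup. It now runs unconditionally;
# only the MOTD line depends on SERVERNAME.
SERVERNAME=
read -r -a cmdline_args < /proc/cmdline
for arg in "${cmdline_args[@]}"; do
  case "$arg" in
    SERVERNAME=*) SERVERNAME=${arg#SERVERNAME=} ;;
  esac
done

############ Boot loader: drop rhgb from the kernel options ###################
sed -i 's/rhgb//g' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

###################### Customise issue.net and motd ##########################
# Pre-authentication banner, referenced by `Banner` in sshd_config below.
# Quoted delimiter: nothing in the banner is meant to expand.
write_root_file 644 /etc/issue.net <<'ISSUE_NET'
##############################################################################
#                                                                            #
# This is a private home server.                                             #
#                                                                            #
# Unauthorized access to this system is prohibited !                         #
#                                                                            #
# This system is actively monitored and all connections may be logged.       #
# By accessing this system, you consent to this monitoring.                  #
#                                                                            #
##############################################################################
ISSUE_NET

# Post-login message; the delimiter is unquoted so $SERVERNAME expands.
write_root_file 644 /etc/motd <<MOTD
##############################################################################
#                                                                            #
# This is the home server of Michael Nausch.                                 #
#                                                                            #
# $SERVERNAME.nausch.org                                                     #
#                                                                            #
# Unauthorized access to this system is prohibited !                         #
#                                                                            #
# This system is actively monitored and all connections may be logged.       #
# By accessing this system, you consent to this monitoring.                  #
#                                                                            #
##############################################################################
MOTD

########################### Configure the ssh daemon ##########################
# Key-only login for the single admin user, ed25519 host key, verbose logging.
# NOTE(review): as the config's own "System-wide Crypto policy" block says,
# the Ciphers/MACs lines are overridden by the RHEL 8 crypto policy unless
# CRYPTO_POLICY= is set in /etc/sysconfig/sshd - they have no effect as is.
# NOTE(review): `LoginGraceTime 0` disables the timeout for unauthenticated
# connections, so half-open sessions can hold MaxStartups slots indefinitely;
# a finite value (the upstream default is 120) is the safer choice.
# NOTE(review): `X11Forwarding yes` on a host installed with `skipx` is
# unnecessary exposure; `no` would match the rest of the hardening.
# Quoted delimiter: the file is literal (keeps $OpenBSD and ${HOME} intact).
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
write_root_file 600 /etc/ssh/sshd_config <<'SSHD_CONFIG'
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# Specifies which address family should be used by sshd(8). Valid arguments
# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
#AddressFamily any

# Specifies the local addresses sshd(8) should listen on. The following
# forms may be used:
#   ListenAddress host|IPv4_addr|IPv6_addr
#   ListenAddress host|IPv4_addr:port
#   ListenAddress [host|IPv6_addr]:port
# If port is not specified, sshd will listen on the address and all prior
# Port options specified. The default is to listen on all local addresses.
# Multiple ListenAddress options are permitted. Additionally, any Port
# options must precede this option for non-port qualified addresses.
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::

# Specifies a file containing a private host key used by SSH. The default
# is /etc/ssh/ssh_host_key for protocol version 1, and
# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol
# version 2. Note that sshd(8) will refuse to use a file if it is
# group/world-accessible. It is possible to have multiple host key files.
# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for
# version 2 of the SSH protocol.
HostKey /etc/ssh/ssh_host_ed25519_key

# Specifies the ciphers allowed for protocol version 2. Multiple ciphers
# must be comma-separated. The supported ciphers are ''3des-cbc'',
# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',
# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',
# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

# MACs' Specifies the available MAC (message authentication code)
# algorithms. The MAC algorithm is used in protocol version 2 for data
# integrity protection. Multiple algorithms must be comma-separated.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Specifies the available KEX (Key Exchange) algorithms. Multiple
# algorithms must be comma-separated. For ineroperability with Eclipse
# and WinSCP):
# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# If needed, open /etc/ssh/moduli if exists, and delete lines where the
# 5th column is less than 2000.
# awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
# wc -l "${HOME}/moduli" # make sure there is something left
# mv "${HOME}/moduli" /etc/ssh/moduli
# KexAlgorithms curve25519-sha256@libssh.org

# Ciphers and keying
#RekeyLimit default none

# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).

# Logging
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,
# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
SyslogFacility AUTHPRIV

# Gives the verbosity level that is used when logging messages from sshd(8).
# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are
# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging
# output. Logging with a DEBUG level violates the privacy of users and is
# not recommended.
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
# clear audit track of which key was using to log in.
LogLevel VERBOSE

# Authentication:

# The server disconnects after this time if the user has not successfully
# logged in. If the value is 0, there is no time limit.
LoginGraceTime 0

# Specifies whether root can log in using ssh(1). The argument must be
# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.
# The default is ''yes''. If this option is set to ''without-password'',
# password authentication is disabled for root. If this option is set to
# ''forced-commands-only'', root login with public key authentication will
# be allowed, but only if the command option has been specified (which
# may be useful for taking remote backups even if root login is normally
# not allowed). All other authentication methods are disabled for root.
# If this option is set to ''no'', root is not allowed to log in.
PermitRootLogin no

# This keyword can be followed by a list of user name patterns, separated
# by spaces. If specified, login is allowed only for user names that match
# one of the patterns. Only user names are valid; a numerical user ID is
# not recognized. By default, login is allowed for all users. If the pattern
# takes the form USER@HOST then USER and HOST are separately checked,
# restricting logins to particular users from particular hosts. The
# allow/deny directives are processed in the following order:
# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
AllowUsers django

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory
# or files world-writable.
StrictModes yes

# Specifies the maximum number of authentication attempts permitted per
# connection. Once the number of failures reaches half this value,
# additional failures are logged.
MaxAuthTries 10

# Specifies the maximum number of open sessions permitted per network
# connection.
MaxSessions 10

# Specifies the file that contains the public keys that can be used for
# user authentication. AuthorizedKeysFile may contain tokens of the form
# %T which are substituted during connection setup. The following tokens
# are defined: %% is replaced by a literal '%', %h is replaced by the
# home directory of the user being authenticated, and %u is replaced by
# the username of that user. After expansion, AuthorizedKeysFile is
# taken to be an absolute path or one relative to the user's home directory.
AuthorizedKeysFile .ssh/authorized_keys

# Specifies whether public key authentication is allowed. The default is
# ''yes''. Note that this option applies to protocol version 2 only.
PubkeyAuthentication yes

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Specifies whether password authentication is allowed. To disable tunneled
# clear text passwords, change to no here!
PasswordAuthentication no

# Specifies whether challenge-response authentication is allowed
# (e.g. via PAM or though authentication styles supported in login.conf(5))
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# Specifies whether user authentication based on GSSAPI is allowed.
GSSAPIAuthentication yes
# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
# exchange doesn't rely on ssh keys to verify host identity.
#GSSAPIKeyExchange no
# Specifies whether to automatically destroy the user's credentials cache
# on logout.
GSSAPICleanupCredentials no
# Determines whether to be strict about the identity of the GSSAPI acceptor
# a client authenticates against. If ''yes'' then the client must authenticate
# against the host service on the current hostname. If ''no'' then the client
# may authenticate against any service key stored in the machine's default
# store. This facility is provided to assist with operation on multi homed
# machines. The default is ''yes''. Note that this option applies only to
# protocol version 2 GSSAPI connections, and setting it to ''no'' may only
# work with recent Kerberos GSSAPI libraries.
#GSSAPIStrictAcceptorCheck yes
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

# Specifies whether X11 forwarding is permitted. The argument must be
# ''yes'' or ''no''. The default is ''no''.
# When X11 forwarding is enabled, there may be additional exposure to the
# server and to client displays if the sshd(8) proxy display is configured
# to listen on the wildcard address (see X11UseLocalhost below), though this
# is not the default. Additionally, the authentication spoofing and
# authentication data verification and substitution occur on the client side.
# The security risk of using X11 forwarding is that the client's X11 display
# server may be exposed to attack when the SSH client requests forwarding
# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
# may have a stance in which they want to protect clients that may expose
# themselves to attack by unwittingly requesting X11 forwarding, which can
# warrant a ''no'' setting. Note that disabling X11 forwarding does not
# prevent users from forwarding X11 traffic, as users can always install
# their own forwarders. X11 forwarding is automatically disabled if UseLogin
# is enabled.
X11Forwarding yes

# Specifies the first display number available for sshd(8)'s X11 forwarding.
# This prevents sshd from interfering with real X11 servers.
# The default is 10.
#X11DisplayOffset 10

# Specifies whether sshd(8) should bind the X11 forwarding server to the
# loopback address or to the wildcard address. By default, sshd binds the
# forwarding server to the loopback address and sets the hostname part of
# the DISPLAY environment variable to ''localhost''. This prevents remote
# hosts from connecting to the proxy display. However, some older X11 clients
# may not function with this configuration. X11UseLocalhost may be set to
# ''no'' to specify that the forwarding server should be bound to the
# wildcard address. The argument must be ''yes'' or ''no''. The default is
# ''yes''.
#X11UseLocalhost yes

# Specifies whether ssh-agent(1) forwarding is permitted. The default is
# ''yes''. Note that disabling agent forwarding does not improve security
# unless users are also denied shell access, as they can always install
# their own forwarders.
#AllowAgentForwarding yes

# Specifies whether TCP forwarding is permitted. The default is ''yes''.
# Note that disabling TCP forwarding does not improve security unless users
# are also denied shell access, as they can always install their own
# forwarders.
#AllowTcpForwarding yes

# Specifies whether remote hosts are allowed to connect to ports forwarded
# for the client. By default, sshd(8) binds remote port forwardings to the
# loopback address. This prevents other remote hosts from connecting to
# forwarded ports. GatewayPorts can be used to specify that sshd should
# allow remote port forwardings to bind to non-loopback addresses, thus
# allowing other hosts to connect. The argument may be ''no'' to force
# remote port forwardings to be available to the local host only, ''yes''
# to force remote port forwardings to bind to the wildcard address, or
# ''clientspecified'' to allow the client to select the address to which
# the forwarding is bound. The default is ''no''.
#GatewayPorts no

#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# The contents of the specified file are sent to the remote user before
# authentication is allowed.
Banner /etc/issue.net

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Configures an external subsystem (e.g. file transfer daemon). Arguments
# should be a subsystem name and a command (with optional arguments) to
# execute upon subsystem request. Log sftp level file access
# (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
SSHD_CONFIG

####################### Install django's SSH public key #######################
# StrictModes requires ~/.ssh to be owner-only and authorized_keys not
# group/world-writable, which these modes satisfy.
# NOTE(review): the key blob below does not look like a well-formed
# ssh-ed25519 public key (the fixed `...NTE5AAAAI` length prefix is missing
# after the key type); check it against the real key before deploying.
install -d -m 700 -o django -g django /home/django/.ssh
cat <<'AUTHORIZED_KEYS' > /home/django/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AA/F1CKDicH1n5Kn13+YjpbHqHOkhsMagrrD5dIbkU6ddoBSp django@nausch.org
AUTHORIZED_KEYS
chmod 644 /home/django/.ssh/authorized_keys
chown django:django /home/django/.ssh/authorized_keys

################ Use the locally mirrored CentOS repositories ################
# The .repo files are written with quoted heredocs, so $releasever/$basearch
# stay literal for dnf to expand (the original escaped them as \$ instead).
# NOTE(review): every baseurl= below lost its scheme and mirror host in this
# copy; it must read e.g. `http://<local-mirror>/centos/$releasever/...`.
# Keep gpgcheck=1 with the locally installed key so packages from the mirror
# are still signature-verified.
# NOTE(review): the original wrote the AppStream content to
# /etc/yum.repos.d/epel-modular.repo (later overwritten by the EPEL section),
# leaving CentOS-AppStream.repo at the public mirrors; target fixed here.
cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig
write_root_file 644 /etc/yum.repos.d/CentOS-AppStream.repo <<'CENTOS_APPSTREAM'
# CentOS-AppStream.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[AppStream]
name=CentOS-$releasever - AppStream
baseurl=$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
CENTOS_APPSTREAM

# NOTE(review): the original chown/chmod after this block named
# CentOS-AppStream.repo again instead of CentOS-Base.repo; fixed here.
cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
write_root_file 644 /etc/yum.repos.d/CentOS-Base.repo <<'CENTOS_BASE'
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[BaseOS]
name=CentOS-$releasever - Base
baseurl=$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
CENTOS_BASE

cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig
write_root_file 644 /etc/yum.repos.d/CentOS-Extras.repo <<'CENTOS_EXTRAS'
# CentOS-Extras.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=$releasever/extras/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
CENTOS_EXTRAS

########## Install EPEL and use the locally mirrored EPEL repositories ##########
# epel-release (from the extras repo above) ships the signing key at the
# path the .repo files below reference. The original fetched the key from
# dl.fedoraproject.org over the network (URL truncated in this copy); the
# copy installed by the signed package is the trust anchor, so import that.
dnf install epel-release -y
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig
write_root_file 644 /etc/yum.repos.d/epel-modular.repo <<'EPEL_MODULAR'
[epel-modular]
name=Extra Packages for Enterprise Linux Modular $releasever - $basearch
baseurl=$releasever/Modular/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

[epel-modular-debuginfo]
name=Extra Packages for Enterprise Linux Modular $releasever - $basearch - Debug
baseurl=$releasever/Modular/$basearch/debug
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1

[epel-modular-source]
name=Extra Packages for Enterprise Linux Modular $releasever - $basearch - Source
baseurl=$releasever/Modular/$basearch/SRPMS
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1
EPEL_MODULAR

cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
write_root_file 644 /etc/yum.repos.d/epel.repo <<'EPEL'
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
baseurl=$releasever/Everything/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

[epel-debuginfo]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug
baseurl=$releasever/Everything/$basearch/debug
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Source
baseurl=$releasever/Everything/SRPMS
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1
EPEL

############################## Update the system ##############################
dnf update -y
%end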