sh: A shell script for building a secure MySQL server on Ubuntu. (Must be run as root; be prepared to use a lot of passwords.)


#!/bin/bash
# build a hardened mysql server

your_email="kochmanncody@gmail.com"

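# these rules are only staged: nothing is filtered until `ufw enable` is run
ufw default deny outgoing
ufw default deny incoming
# ufw has no "deny ipv6" rule; IPv6 handling is set by IPV6= in /etc/default/ufw
sed -i 's/^IPV6=.*/IPV6=no/' /etc/default/ufw
# "ufw allow <port>" opens the port for incoming traffic only;
# with "default deny outgoing", outbound traffic needs "ufw allow out <port>"
ufw allow 22/tcp
ufw allow 53
ufw allow 80/tcp
ufw allow 443
ufw allow 25 # security emails
ufw allow 3306 # mysql port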

apt-get update -y -q
apt-get install -y -q fail2ban
apt-get upgrade -y -q
apt-get autoclean -y
apt-get autoremove -y


# create a db1 user for mysql
# useradd --password expects an already-hashed value, so the password is set with chpasswd
echo "Generating db1's password" \
&& db1_pass=$(openssl rand -base64 4096 | openssl dgst -sha256 | sed 's/^.*= //') \
&& useradd -m -d /home/db1 -s /bin/bash -U db1 \
&& echo "db1:${db1_pass}" | chpasswd \
&& echo "db1's current password - ${db1_pass}" \
&& db1_pass="" \
&& usermod -a -G sudo db1
read -p "Press [Enter] once you've saved that..."

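function db1cmd
{
  echo "running as user db1 ${*}"
  # su -c takes one string; re-quote each argument so the whole command reaches db1's shell
  su db1 -c "$(printf '%q ' "$@")"
}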

db1cmd sudo apt-get install -y -q mysql-server
db1cmd sudo mysql_install_db
db1cmd sudo /usr/bin/mysql_secure_installation
db1cmd sudo service mysql restart


# create a tripwire user for tripwire
# useradd --password expects an already-hashed value, so the password is set with chpasswd
echo "Generating tw's password" \
&& tw_pass=$(openssl rand -base64 4096 | openssl dgst -sha256 | sed 's/^.*= //') \
&& useradd -m -d /home/tw -s /bin/bash -U tw \
&& echo "tw:${tw_pass}" | chpasswd \
&& echo "tw's current password - ${tw_pass}" \
&& tw_pass="" \
&& usermod -a -G sudo tw
read -p "Press [Enter] once you've saved that..."

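function twcmd
{
  # log to stderr so the banner does not end up in output piped to mail
  echo "running as user tw ${*}" >&2
  # su -c takes one string; re-quote each argument so the whole command reaches tw's shell
  su tw -c "$(printf '%q ' "$@")"
}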

twcmd sudo apt-get install -y -q tripwire mailutils
twcmd sudo twadmin --create-polfile /etc/tripwire/twpol.txt
twcmd sudo tripwire --init
# write the results where the later rm expects to find them
twcmd sudo sh -c 'tripwire --check | grep Filename > /etc/tripwire/test_results'
twcmd sudo nano /etc/tripwire/twpol.txt
twcmd sudo twadmin -m P /etc/tripwire/twpol.txt
twcmd sudo tripwire --init
twcmd sudo tripwire --check
twcmd sudo rm /etc/tripwire/test_results
twcmd sudo tripwire --check | mail -s "Tripwire report for `uname -n`" $your_email


# set up a few security emails to run every day.
# entries in /etc/cron.d need a user field (root here) between the schedule and the command
echo "30 7 * * * root /usr/sbin/tripwire --check | mail -s \"Tripwire report for `uname -n`\" ${your_email}" > /etc/cron.d/daily_security_email
echo "30 12 * * * root /usr/sbin/tripwire --check | mail -s \"Tripwire report for `uname -n`\" ${your_email}" > /etc/cron.d/noon_security_email
echo "30 19 * * * root /usr/sbin/tripwire --check | mail -s \"Tripwire report for `uname -n`\" ${your_email}" > /etc/cron.d/nightly_security_email
