First, generate a key without password:
root@example:~# ssh-keygen -f ~/.ssh/id_rsa -q -P ""
You will see id_rsa and id_rsa.pub
root@example:~# ls -la .ssh total 20 drwx------ 2 root root 4096 Nov 18 15:19 . drwx------ 7 root root 4096 Apr 14 2018 .. -rw------- 1 root root 1679 Nov 18 15:19 id_rsa -rw-r--r-- 1 root root 401 Nov 18 15:19 id_rsa.pub -rw-r--r-- 1 root root 444 Sep 22 2017 known_hosts
https://github.com/xdth/misc/blob/master/acgrep.sh
#!/bin/bash
######################### acgrep.sh v0.1 ###############################
# This script will grep a given set of strings from a text file (syslog)
# and output the result, excluding lines containing another set of
# strings, to a specified location, with a dated file name.
#
# The script will then delete all files in the destination folder older
# than X days and change the ownership of the resulting files to the
# web server.
#
# It can be used, for example, to generate logs from AssaultCube or
# UrbanTerror servers, one log per server.
#
# author: dth@dthlabs.com
#
# To run daily, add to your cron:
# 0 */1 * * * /root/aclogs/acgrep.sh
# #######################################################################
# ## Parameters
# The file to grep
acgrep_filePath="/var/log/syslog"
# Location where the files will be generated. Keep the trailing slash.
acgrep_destinationPath="/root/aclogs/"
# grep this string
acgrep_string="AssaultCube"
# The AC servers' ports
acgrep_substrings="28763 8000 9000 10000 16000"
# Delete generate files after this amount of days
acgrep_keep_days=7
# Regex to skip lines containing these strings
acgrep_skipline="/xskip\|pwd/d"
# #######################################################################
# ## Functions
function acgrep_init {
# feed $YESTERDAY with the syslog format "Jan 31"
YESTERDAY=$(date -d "yesterday 06:00" '+%b %d')
# feed $YESTERDAY2 with yesterday's date in the format 2018-01-31
YESTERDAY2=$(date -d "yesterday 06:00" '+%Y-%m-%d')
}
function acgrep_finish {
# Make destination folder readable to the web server
chown www-data:www-data -R "$acgrep_destinationPath"
# Delete file older than x days
/usr/bin/find "$acgrep_destinationPath" -mtime +$acgrep_keep_days -type f -delete
}
function acgrep_main {
# initialize date variables
acgrep_init
# main loop
for i in $acgrep_substrings
do
# cat /var/log/syslog | grep "AssaultCube" | grep "$YESTERDAY" | grep 8000 > /home/dth/8000_2018-01-31.txt
sed $acgrep_skipline $acgrep_filePath | grep $acgrep_string | grep "$YESTERDAY" | grep $i > "$acgrep_destinationPath"$i"_"$YESTERDAY2.txt
done
# clean up and finish
acgrep_finish
}
# Execute
acgrep_main
This is my new basic firewall script. For updates, check my github: https://github.com/xdth
#! /bin/bash
# ######################### qFirewall (qfw) 0.1 ########################
#
# This is a basic iptables firewall script.
#
# Usage:
# ./qfw {start|stop}
#
# Notes:
# 1. Comment or uncomment the firewall rules below according to your
# needs.
# 2. For convenience, add this script to your /usr/bin or alike with
# chmod +x permissions.
# 2. License: MIT
# 3. Author: dth at dthlabs dot com
# Site: https://dthlabs.com
# github: https://github.com/xdth
#
# Brussels, Jan 23, 2018
# note: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# #######################################################################
# #######################################################################
# ## Rules function -- edit this according to your needs
function qfw_rules {
# Block everything
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo " > Block everything"
# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo " > Don't break established connections"
# Authorize loopback (127.0.0.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo " > Authorize Loopback"
# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo " > Authorize ICMP (ping)"
# SSH in/out
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 9000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 9000 -j ACCEPT
echo " > Authorize SSH"
# DNS in/out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo " > Authorize DNS"
# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo " > Authorize NTP outbound"
# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
echo " > Authorize http and https"
# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
# FTP In
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " > Authorize FTP"
# Mail SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
echo " > Authorize mail"
# OpenVZ Web Pannel
# iptables -t filter -A OUTPUT -p tcp --dport 3000 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
# echo " > Authorize OpenVZ panel"
# Allow WMs
# iptables -P FORWARD ACCEPT
# iptables -F FORWARD
# echo "WMs ok"
# echo " > Authorize WMs"
# Saltstack
# iptables -t filter -A OUTPUT -p tcp --dport 4505 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 4505 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 4506 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 4506 -j ACCEPT
# echo " > Authorize Saltstack"
# Block UDP attack
# iptables -A INPUT -m state --state INVALID -j DROP
# echo " > Block UDP attack"
}
# #######################################################################
# ## Other functions
function qfw_help {
echo "qFirewall usage: ./qfw {start|stop}"
exit 1
}
function qfw_seeya {
echo " > Thanks for using qFirewall (qfw) v1. Have a good day."
echo ""
echo ""
}
function qfw_separator {
echo ""
echo ""
echo "===================== qFirewall (qfw) v0.1 ====================="
echo ""
}
function qfw_reset {
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
}
function qfw_start {
qfw_separator
echo " > Starting qFirewall..."
qfw_clean
echo " > Loading the rules..."
qfw_rules
echo " > Rules loaded"
echo " > qFirewall started"
}
function qfw_clean {
echo " > Cleaning rules..."
qfw_reset
echo " > Rules cleaned"
}
function qfw_stop {
qfw_separator
echo " > Stopping qFirewall..."
qfw_clean
echo " > qFirewall stopped"
}
# #######################################################################
# ## Main
case "$1" in
start)
qfw_start
;;
stop)
qfw_stop
;;
*)
qfw_help
exit 1
;;
esac
qfw_seeya
exit 0