
Server Setup

Decided to make shell scripts to allow simple setup of my server and to ensure they were all uniform. Some are commented out due to the fact these tools were already installed by default.

Special Note: Some are full scripts, some are guidance on how to and not expected to be executed.
RHEL Server Setup Using Shell Scripts
Setup and Testing
I was able to develop everything on a test server and then copy the files to new servers as they were spun up using WinSCP. I have a single test server where all script development is performed so when I am done I just shut it off. This allows me to make mistakes and roll back as needed without worrying about other changes/settings on the server or breaking something on my production systems.
bashinstallscript.sh

##############################################################################
# Default Installed nano, net-tools, NetworkManager, firewalld, sshd #
# *** require editing like IP, Hostname, banner, Interface Name, Splunk IP #
##############################################################################
############################################
# Enable Cockpit #
# System Web Management over Port 9090 #
############################################
systemctl enable --now cockpit.socket
#################################################
# *** Create SSH Banner File #
#################################################
sudo touch /etc/banner
echo "###########################" | sudo tee -a /etc/banner
echo "### HOSTNAME RHEL9200 ###" | sudo tee -a /etc/banner
echo "### Server Function NFS ###" | sudo tee -a /etc/banner
echo "###########################" | sudo tee -a /etc/banner
########################################
# Update the sshd_config banner path #
########################################
sudo sed -i 's/#Banner none/Banner \/etc\/banner/g' /etc/ssh/sshd_config
sudo service sshd restart
####################################################
# *** Setup Rsyslog to send to Splunk #
####################################################
echo "*.* @@192.168.254.34:514" | sudo tee -a /etc/rsyslog.conf
sudo systemctl restart rsyslog
###################################################
# Set Firewall Default Zone to Home #
###################################################
firewall-cmd --set-default-zone=home
#######################################################
# Check Firewall Default Zone #
#######################################################
firewall-cmd --get-default-zone
##############################################
# Install nmap network scanning tools #
#############################################
dnf install nmap -y
######################################################
# *** Set Network to Static IP #
######################################################
nmcli connection modify ens160 ipv4.address 192.168.254.210/24 ipv4.gateway 192.168.254.254 ipv4.dns 192.168.254.254 ipv4.dns-search rhel9210T.local ipv4.method manual
################################
# *** Stop & Start Interface #
################################
nmcli connection down ens160
nmcli connection up ens160
##################################################
# *** Set System Hostname #
##################################################
hostnamectl set-hostname "rhel9210T"
hostnamectl set-hostname --static "rhel9210T"
####################################################
# Install NFS Server and Update Firewalls #
####################################################
# Required for NFS Server and Client
dnf install nfs-utils -y
##############################
# Server Side Only Commands #
##############################
#systemctl enable --now nfs-server
#systemctl enable --now rpcbind
#firewall-cmd --add-service nfs --permanent
#firewall-cmd --reload
#systemctl restart rpc-statd nfs-server
######################################################################
# Create Default Group with Specific Group ID #
# Helps to have matching group ID for NFS permissions on share #
# I found group ID persists when mounting and groupID must match #
######################################################################
# Create Group and Specify GID
groupadd -g 1010 mynfs
# Add User to the Group
usermod --append --groups mynfs shead
# View Membership
id shead
###############################################################################
# Containers allow for having access to a multitude of packages and services #
# that can ran and allow for simple setup and access to applications #
###############################################################################
# Install Container Tools
dnf install container-tools -y
# Command to login to registry for access to container images
#podman login registry.redhat.io
mynfs.sh
#--------------------------------------------------------------------------------------------------------------
# Purpose of this script is to install NFS host server and update firewall
#--------------------------------------------------------------------------------------------------------------
dnf install nfs-utils -y
# ----Server Side Setup------
systemctl enable --now nfs-server
systemctl enable --now rpcbind
firewall-cmd --add-service nfs --permanent
firewall-cmd --reload
systemctl restart rpc-statd nfs-server
# Server Folder Creation
mkdir /mnt/myshare
# Server Folder Access Permissions add group
chown root:mynfs /mnt/myshare
# Server Folder Rights for Group Setup
chmod g+rwx /mnt/myshare
# Server Set so Rights Replicate to All New Files and Folders
chmod g+s /mnt/myshare
# View Folder Setup
ls -ls /mnt
# -- MANUAL ADD -- Line to file /etc/exports
#/mnt/myshare 192.168.254.0/24(rw)
#Set ACL for User and Group Permissions Inheritance from Parent DIR
setfacl -d -m u::rwX,g::rwX,o::- /mnt/myshare
# Make Directories Available as Share
exportfs -r
# View Mounts Readily Available on Server
showmount -e 192.168.254.200
mynfs_client.sh
#--------------------------------------------------------------------------------------------------------------
# Purpose of this script is to install NFS client
#--------------------------------------------------------------------------------------------------------------
# Create DIR to mount path to from NFS server
mkdir /mnt/myshare
# Change ownership | will be overwritten by NFS host server permissions
chown root:mynfs /mnt/myshare
# Set rights on directory
chmod g+rwx /mnt/myshare
# Install NFS utility tools
dnf install nfs-utils -y

# Temporary mount of the share | does not persist through reboots
mount 192.168.254.200:/mnt/myshare /mnt/myshare

# Append to /etc/fstab to make persistent after reboots
#192.168.254.200:/mnt/myshare /mnt/myshare nfs defaults 0 0

# Executes the fstab
#sudo mount -a
User Guidance : Setup a New Drive
#---------------------------------------------------------------------------------------------------------------------------
# Purpose of this file is to show commands on how to install and mount a new drive
# Not a script to be run.
#---------------------------------------------------------------------------------------------------------------------------
# Power off VM and add new disk
# Identify new disk ( Lower Case L )
sudo fdisk -l
# Interactive fdisk to create partition
# Follow the prompts:
# n for new | p for primary | 1 default partition id | w to write the table and exit
sudo fdisk /dev/sdb
# Format the new partition (created by fdisk above) with ext4
sudo mkfs.ext4 /dev/sdb1
# Create directory to mount it to
sudo mkdir /mnt/container
# Mount the new partition to the directory
sudo mount /dev/sdb1 /mnt/container
# Review Drives
df -h

#---Make Persistent ---#
# Get partition UUID
sudo blkid /dev/sdb1
# Open fstab
sudo nano /etc/fstab
# Add this line to fstab but replace with your UUID
UUID=95b61ccf-6437-4d93-81f0-84137814244e /mnt/container ext4 defaults 0 0

# Can test by unmounting the drive or rebooting
sudo umount /mnt/container
# Mount all drives again
sudo mount -a

User Guidance : Account Lockout Setup
#####################################################
# User Guidance - Account Lockout (PAM)
# This is not a script to be run
#####################################################

#==================================================
# Open the Config File for Editing
#==================================================
sudo nano /etc/security/faillock.conf

#========================================================================
# Uncomment These Items (Remove the Leading #)
# Note: I don't lockout root because root is not enabled on my systems
#========================================================================
dir = /var/run/faillock
audit
deny = 3
fail_interval = 900
unlock_time = 600

#=================================
# Open the PAM Config Module
#=================================
sudo nano /etc/pam.d/system-auth

#=============================================================
# Update the Config File
#=============================================================
auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
#==================================
# Reset Profile Default Profile
#==================================
sudo authselect select minimal with-faillock --force

#============================
# Apply Settings
#============================
sudo authselect apply-changes
#=============================
# Bonus Note: Splunk Query
#=============================
index="linux_logging" process=login sourcetype=linux_messages_syslog locked
| fields host, _time, _raw
| table host, _time, _raw
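
The lockout values in the guidance above can be checked on every server after the edit, so a line left commented out is caught early. This is an added example, not part of the original page: the function names are hypothetical, the expected values are the ones listed above, and the sample file is constructed.

```bash
#!/bin/bash
# Added example (not from the original page): drift check for faillock.conf.
# Function names are hypothetical; expected values are the ones on this page.

# Print the last uncommented value assigned to KEY in FILE (empty if unset).
faillock_get() {   # usage: faillock_get FILE KEY
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Report every setting that is missing or differs; return the drift count.
faillock_audit() {   # usage: faillock_audit FILE
    file=$1; drift=0
    for want in deny=3 fail_interval=900 unlock_time=600; do
        key=${want%%=*}; have=$(faillock_get "$file" "$key")
        if [ "$have" != "${want#*=}" ]; then
            echo "DRIFT $key: want ${want#*=}, found ${have:-unset}"
            drift=$((drift + 1))
        fi
    done
    # "audit" is a bare flag, so match the keyword alone on an uncommented line.
    if ! grep -Eq '^[[:space:]]*audit[[:space:]]*(#.*)?$' "$file"; then
        echo "DRIFT audit: flag not enabled"; drift=$((drift + 1))
    fi
    return "$drift"
}

# Constructed sample: a file where only some of the lines were uncommented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# dir = /var/run/faillock
# audit
# deny = 3
fail_interval = 900
unlock_time = 600
EOF
faillock_audit "$sample" || echo "drift count: $?"
rm -f "$sample"
```

On a real server, point `faillock_audit` at `/etc/security/faillock.conf`; a return value of 0 means all four settings match.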
​
System Setup | Menu Driven
Note: If you are going to reset your IP, you might want to be in a console session.

#!/bin/bash
clear
echo ""
echo " ---------Do NOT Run From NFS Share, Copy to Home----------"
echo ""
PS3="Please select an option: "
options=("Update IP Address" "Set Hostname" "Configure Rsyslog" "Exit")
select opt in "${options[@]}"; do
    case $opt in
        "Update IP Address")
            echo "-----------------------------------------------------------"
            echo "You Selected Option to Update IP Address: Run From Console"
            echo "-----------------------------------------------------------"
            read -r -e -p "Enter IP Address CIDR Format: " ipaddress
            read -r -e -p "Enter Default Gateway IP: " gateway
            read -r -e -p "Enter Interface Name: " interface
            read -r -e -p "Enter DNS IP Address: " dns
            read -r -e -p "Enter DNS Name[Server.Local]: " dnssearch
            # Quote every value so it reaches nmcli as exactly one argument
            sudo nmcli connection modify "$interface" ipv4.address "$ipaddress" ipv4.gateway "$gateway" ipv4.dns "$dns" ipv4.dns-search "$dnssearch" ipv4.method manual
            sudo nmcli connection down "$interface"
            sudo nmcli connection up "$interface"
            echo "IP Address Updated"
            echo "------------------"
            ;;
        "Set Hostname")
            echo "------------------------------"
            echo "You Selected Set Hostname"
            echo "------------------------------"
            read -r -e -p "Enter New Hostname: " hostname
            sudo hostnamectl set-hostname --pretty "$hostname"
            sudo hostnamectl set-hostname --static "$hostname"
            echo "Hostname has Been Set"
            echo "---------------------"
            ;;
        "Configure Rsyslog")
            echo "-------------------------"
            echo "You Selected Set Rsyslog"
            echo "-------------------------"
            echo "*.* @@192.168.254.34:514" | sudo tee -a /etc/rsyslog.conf
            sudo systemctl restart rsyslog
            echo "Rsyslog Settings Updated /etc/rsyslog.conf"
            echo "------------------------------------------"
            ;;
        "Exit")
            echo "Exiting..."
            break
            ;;
        *)
            echo "Invalid option. Please try again."
            ;;
    esac
done
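
The menu above hands whatever is typed to `sudo nmcli` and `sudo hostnamectl`, so a mistyped or pasted value ends up in the network configuration of a machine you may only reach over that network. The checks below are an added example, not part of the original scripts; the function names are hypothetical, the demo values are constructed, and the interface-name rule is an assumption that is stricter than what NetworkManager accepts.

```bash
#!/bin/bash
# Added example, not from the original page: checks for menu input before it
# reaches "sudo nmcli" or "sudo hostnamectl". Function names are hypothetical.

# Dotted-quad IPv4: four decimal octets 0-255, no leading zeros.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1.; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Address in CIDR form as the menu asks for it, e.g. 192.168.254.210/24.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    prefix=${1##*/}
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] && valid_ipv4 "${1%/*}"
}

# Hostname or DNS search domain: labels of 1-63 letters, digits or hyphens.
valid_hostname() {
    [ -n "$1" ] && [ ${#1} -le 253 ] || return 1
    case $1 in *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;; esac
    rest=$1.
    while [ -n "$rest" ]; do
        label=${rest%%.*}; rest=${rest#*.}
        [ ${#label} -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# Assumption: connection names look like ens160 (no spaces, no leading "-").
valid_ifname() {
    [ ${#1} -le 15 ] || return 1
    case $1 in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Constructed demo: the page's address, then the same value with trailing words.
for candidate in "192.168.254.210/24" "192.168.254.210/24 ipv4.method auto"; do
    if valid_cidr "$candidate"; then echo "accept: $candidate"
    else echo "reject: $candidate"; fi
done
```

In the menu, call the matching function after each `read` and re-prompt on failure, before any `sudo` command runs.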
