49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ServerSetup
2 | __ __ _
3 | / _\ ___ _ ____ _____ _ __/ _\ ___| |_ _ _ _ __
4 | \ \ / _ \ '__\ \ / / _ \ '__\ \ / _ \ __| | | | '_ \
5 | _\ \ __/ | \ V / __/ | _\ \ __/ |_| |_| | |_) |
6 | \__/\___|_| \_/ \___|_| \__/\___|\__|\__,_| .__/
7 | |_|
8 |
9 | ## Features
10 | * EZ setup 4
11 |     * mail server (Dovecot/Postfix/OpenDKIM/OpenDMARC)
12 |     * mail sender accounts
13 |     * SSL certs
14 |     * setting up SMB share
15 |     * setting up WebDAV server (NOT secure)
16 |     * installing webmail
17 |     * rolling a domain
18 |     * setting up VPN server (wireguard)
19 |
20 | # Installation
21 | ## commands
22 | ```
23 | git clone https://github.com/noahpowers/ServerSetup
24 | cd ServerSetup && chmod +x serversetup.sh
25 | ./serversetup.sh
26 | ```
27 |
28 | ## what you'll see
29 | ```
30 | 1) Debian Prep           7) Get DNS Entries     13) Setup WebDAV Share
31 | 2) Account Setup         8) Create HTA File     14) Install WebMail
32 | 3) Install SSL           9) Check DKIM          15) Roll da Domain
33 | 4) Install Mail Server  10) Check A Records     16) Install VPN
34 | 5) Setup HTTPS Website  11) UFW allow hosts     17) Quit
35 | 6) HTTPS C2 Done Right  12) Setup SMB Share
36 | Server Setup Script - Pick an option:
37 | ```
38 |
39 | ## next steps...
40 | Start with Option-1 and progress through as many options as you want! Minimal mail server consists of options 1-4, & 7. This script is not designed to be run without thinking, so please know **what you are running** and **why you are running it**.
41 |
42 | # Common Problems...
43 | ### Initial Updates are stuck on `...keep waiting...`
44 | If you have a relatively fast internet connection and it's hanging for 10+ minutes, go ahead and press `ENTER` once. The script silences output, and chances are good that one of the updates wants you to accept a default option before progressing. This has only been observed in cloud-based images (i.e. Digital Ocean).
45 |
46 | ### Why is it asking for the external internet address/range?
47 | The script stands up a UFW firewall instance and adds your external address/range to the `always allow` list. This way your system isn't blocked from connecting to your server.
48 |
49 | ### Where do I obtain a Domain Name from?
50 | You need to purchase your own domain names.
51 |
52 | ### I ran `4) Setup HTTPS Website` and `13) Install WebMail` and now I cannot access my secure website.
53 | Yes. This goes back to the idea that this script has many options and not all are designed to be run together. This isn't to say it cannot be done, just that you'll have some manual leg work to do. Here's the reason this occurs. `Setup HTTPS Website` uses the standard web ports (80/TCP and 443/TCP) to do what it does, since this is standard internet stuff. `Install WebMail` changes the port configuration so that only our host range can connect to it (for security purposes), and deactivates any webpages that are not our webmail. Don't worry though, all the information is there and just needs to be turned on again. See the commands below to do just that.
54 | ```
55 | service apache2 stop
56 | nano /etc/apache2/ports.conf
57 | ```
58 | * add port 80 and port 443 in their applicable areas, but DO NOT delete ports 81 and 8443.
59 | ```
60 | cd /etc/apache2/sites-available
61 | a2ensite 000-default.conf
62 | a2ensite default-ssl.conf
63 | service apache2 start
64 | ```
65 |
66 | ### I configured my mail server, but DKIM fails and my messages go to JUNK...
67 | This is an expert question and one you'll get better at with your own research. All I can do is direct you to resources I find to be helpful.
68 | * Debugging Mode
69 |     * Edit /etc/opendkim.conf
70 |     * add the following, save the file, and restart opendkim service:
71 | ```
72 | KeepTemporaryFiles Yes
73 | TemporaryDirectory /etc/opendkim/debug/
74 | ```
75 |     * You can now see detailed failures and diagnose them
76 | * MXToolBox (https://mxtoolbox.com/)
77 |     * checks everything mail server related, and more!
78 | * Mail Tester (https://www.mail-tester.com/)
79 |     * you send an email and it rates the Spamminess of your email for delivery
80 |     * require score of 7.0+ to have a chance of being delivered
81 |     * able to dive-in to the results and receive great feedback for fixing stuff
82 |     * limited to 5 emails per day
83 | * AppMailDev (http://www.appmaildev.com/en/dkim)
84 |     * similar to Mail Tester, but without the nice scoring
85 |     * unlimited email tests
86 |     * great for large configuration problems with DKIM
87 |
88 | ### What's a Use-Case for rolling a domain?
89 | Uh... you guess...
90 |
91 | ### After rolling my domain, I'm having DKIM problems.
92 | Not sure why, but sometimes the server has troubles with what appears to be name records and entries lingering. The only thing I've found that helps thus far is the following.
93 | 1. Make sure you've generated SSL certs for your new domain, which means you need basic records already setup for your new domain before running `3) Install SSL`.
94 | 2. Make sure you're using the most recent DKIM key by running `7) Get DNS Entries` and inputting the right DKIM key to your Domain Name Provider.
95 | 3. Prior to inputting the DKIM key for your new domain, **delete** the MX Record and DKIM Record on your old domain.
96 | 4. After the MX and DKIM records are cleared from your Domain Name Servers, *then* input your new MX and DKIM records.
97 |
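One way to confirm step 2 above, i.e. that the key DNS is serving is the key OpenDKIM is signing with. This is an added example, not part of the ServerSetup script; the function names, sample records, selector, domain and key path are assumptions or constructed placeholders.

```sh
#!/bin/sh
# Added example: compare the DKIM public key on disk with what DNS serves.

# Print the p= value of every TXT record in $1 (one record per line, as
# "dig +short TXT" prints them). Long keys arrive as several quoted
# strings per record and must be concatenated before parsing.
dkim_p_values() {
    printf '%s\n' "$1" | awk '{
        rec = ""
        while (match($0, /"[^"]*"/)) {
            rec = rec substr($0, RSTART + 1, RLENGTH - 2)
            $0 = substr($0, RSTART + RLENGTH)
        }
        gsub(/[ \t]/, "", rec)
        n = split(rec, tags, ";")
        for (i = 1; i <= n; i++)
            if (tags[i] ~ /^p=/) print substr(tags[i], 3)
    }'
}

# $1 = contents of the opendkim-genkey .txt file, $2 = dig +short output.
# Prints one status word; non-zero exit status means action is needed.
dkim_compare() {
    want=$(dkim_p_values "$(printf '%s' "$1" | tr '\n' ' ')")
    got=$(dkim_p_values "$2")
    [ -n "$want" ] || { echo "no-local-key"; return 2; }
    [ -n "$got" ] || { echo "not-published"; return 2; }
    count=$(printf '%s\n' "$got" | wc -l | tr -d ' ')
    # an old record lingering next to the new one makes verification unreliable
    [ "$count" -eq 1 ] || { echo "multiple-records"; return 1; }
    [ "$got" = "$want" ] || { echo "stale-key"; return 1; }
    echo "match"
}

# Constructed sample data (not real keys).
SAMPLE_LOCAL='default._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
   "p=MIIBconstructedNEW"
   "keyPART2AQAB" )  ; ----- DKIM key default for example.com'
SAMPLE_DNS_OK='"v=DKIM1; h=sha256; k=rsa; p=MIIBconstructedNEW" "keyPART2AQAB"'
SAMPLE_DNS_STALE='"v=DKIM1; k=rsa; p=MIIBconstructedOLDkeyAQAB"'
SAMPLE_DNS_BOTH="$SAMPLE_DNS_STALE
$SAMPLE_DNS_OK"

# Real use (selector, domain and key path are placeholders):
#   dkim_compare "$(cat /path/to/<selector>.txt)" \
#                "$(dig +short TXT <selector>._domainkey.example.com)"
```

`stale-key` and `multiple-records` both correspond to the lingering-record symptom: remove the old DKIM record at the DNS provider and wait for its TTL to expire before re-testing.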
98 | ### My VPN won't work!..!
99 | First... use OS versions at/above Ubuntu 20 or Debian 10. The preference for ease of setup should be Ubuntu 20 for the VPN. If using a cloud-based image of Debian 10, here's what you'll need to do *prior* to installing the VPN:
100 | 1. update linux-headers: `apt install linux-headers-$(uname -r)`
101 | 2. reboot server
102 | 3. run option `16) Install VPN`
103 |
--------------------------------------------------------------------------------
/profiles/blank.profile:
--------------------------------------------------------------------------------
1 | https-certificate {
2 | set keystore "";
3 | set password "";
4 | }
5 |
6 | https-certificate {
7 | set CN "";
8 | set O "";
9 | set C "";
10 | set L "";
11 | set OU "";
12 | set ST "";
13 | set validity "";
14 | }
15 |
16 | # sleeptime given in milliseconds
17 | set sleeptime "48000";
18 | set jitter "65";
19 | # User-Agent String is for Chrome 60 on Windows 10
20 | set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36";
21 | # Change DNS to non-Google; preferably something client uses...
22 | set dns_idle "8.8.4.4";
23 | # default value for CS is 255, but many sec tools flag on '255'
24 | set maxdns "238";
25 |
26 | # REFERENCE: https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/
27 |
28 | http-get {
29 |
30 | # if your request contains a '?' prior to query, don't put it... CS automatically inserts it
31 | set uri "/search/";
32 |
33 | # byte size of client section must be under 252 bytes; count of this blank section is ~166 bytes
34 | client {
35 |
36 | header "Host" "";
37 | header "Accept" "";
38 | header "Cookie" "";
39 |
40 | metadata {
41 | base64url;
42 | parameter "";
43 | }
44 |
45 | parameter "go" "Search";
46 | parameter "qs" "bs";
47 | # this value needs to be in the output prepend...
48 | # the 'QBRE' value is what will get replaced by CS beacon info...
49 | parameter "form" "QBRE";
50 |
51 |
52 | }
53 |
54 | server {
55 |
56 | header "Cache-Control" "";
57 | header "Content-Type" "";
58 | header "Vary" "";
59 | header "Server" "";
60 | header "Connection" "";
61 |
62 |
63 | output {
64 | netbios;
65 | # make sure to escape all double-quotes...
66 | # replace any '\b' characters, or other stuff that might be interpreted as REGEX...
67 | prepend "Bing