pratik/server_init_harden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added "-q" option for quiet opertion

Browse Source
This commit is contained in:
Pratik
2019-01-21 20:42:45 +05:30
parent 94d2e2b253
commit 2383b2b073
1 changed files with 104 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

162
init-linux-harden.sh
View File

@@ -1,18 +1,5 @@
#!/etc/bin/env bash
# Something important fails
# Revert everything back to how it was
# Ask the user to NOT logout yet and login as normal user
# If he can - great
# Remove the SSH-only login and ask the user to login using password
# Report
# Root password
# User Password
# User SSH-Private Key
# User SSH-Public key
# If not
# Ask him to report back if he can login using the new user -with the ssh-private key
# - tell him to talk to the server provider's support to get help regarding SSH-only access
# What to do if making .bkp file fails?
# Add timestamp` to all backup files filename.071218_171731_bak
#Test
@@ -100,6 +87,7 @@ fi
AUTO_GEN_USERNAME="y"
RESET_ROOT_PWD="n"
DEFAULT_SOURCE_LIST="n"
QUIET="n"
while [[ "$#" -gt 0 ]]; do
case $1 in
@@ -128,6 +116,10 @@ while [[ "$#" -gt 0 ]]; do
DEFAULT_SOURCE_LIST="y"
shift
;;
-q|--quiet|--nowait|--noprompt)
QUIET="y"
shift
;;
-h|--help)
usage
shift
@@ -147,16 +139,29 @@ done
##############################################################
clear
cat <<INFORM1 | more
cat <<INFORM | more
!!! READ BELOW & PRESS ENTER/RETURN TO CONTINUE !!!
##################################################################
INFORM1
- Before editing any file, script creates a back up of that file in
the same directory. If script detects any error, then it restores the
original files.
- If any operation which involves credentials generation, succeeds -
then those credentials will be displayed at the end of all operations.
- If script reports any error or something does not work as expected,
please take a look at the log file at (${LOGFILE}).
All backup files have extension (${BACKUP_EXTENSION})
Script logs all operation into (${LOGFILE}) file.
INFORM
echo "Installation options selected - " | tee -a "$LOGFILE"
if [[ "$AUTO_GEN_USERNAME" == "y" ]]; then
printf "%3s Non-root Username will be auto generated by script\\n" " -" | tee -a "$LOGFILE"
printf "%3s Username will be auto generated by script\\n" " -" | tee -a "$LOGFILE"
else
printf "%3s Non-root Username = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE"
printf "%3s Username you opted = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE"
fi
if [[ "$DEFAULT_SOURCE_LIST" == "y" ]]; then
printf "%3s Use debian.org in /etc/apt/source.list file\\n" " -" | tee -a "$LOGFILE"
@@ -164,29 +169,17 @@ fi
if [[ "$RESET_ROOT_PWD" == "y" ]]; then
printf "%3s Reset root password\\n" " -" | tee -a "$LOGFILE"
fi
if [[ "$QUIET" == "y" ]]; then
printf "%3s No prompt installtion selected\\n\\n" " -" | tee -a "$LOGFILE"
fi
cat <<INFORM2 | more
echo "TO CONTINUE (press enter/return)..."
echo "TO EXIT (ctrl + c)..."
echo
All backup files have extension (${BACKUP_EXTENSION})
Script logs all operation into (${LOGFILE}) file.
- Before editing any file, script creates a back up of that file in
the same directory. If script detects any error, then it restores the
original files.
- Script assumes you are running this on a brand new VPS and that
DATALOSS OR LOSS OF ACCESS TO THE SERVER IS NOT A MAJOR CONCERN. If
you do however lose access to the server most VPS provider allow to
create a new one easily.
- If any operation which involves credentials generation, succeeds -
then those credentials will be displayed at the end of all operations.
- If script reports any error or something does not work as expected,
please take a look at the log file at (${LOGFILE}).
TO CONTINUE (press enter/return)...
TO EXIT (ctrl + c)...
INFORM2
read -r
if [[ $QUIET == "n" ]]; then
read -r
fi
##############################################################
@@ -280,6 +273,17 @@ function revert_changes(){
file_log "Revert operation completed"
}
function error_restoring(){
op_log "$1" "FAILED"
file_log "$1 - Failed"
echo
center_err_text "!!! Error restoring changes !!!"
center_err_text "!!! You may have to manually fix this !!!"
center_err_text "!!! Check the log file for details !!!"
center_reg_text "Log file at ${LOGFILE}"
echo
}
function revert_create_user(){
local success;
file_log "Reverting New User Creation..."
@@ -294,8 +298,7 @@ function revert_create_user(){
op_log "Reverting - New User Creation" "SUCCESSFUL"
file_log "Reverting New User Creation - Completed"
else
op_log "Reverting - New User Creation" "FAILED"
file_log "Reverting New User Creation - Failed"
error_restoring "Reverting - New User Creation"
fi
}
@@ -319,8 +322,7 @@ function revert_create_ssh_key(){
op_log "Reverting - SSH Key Generation" "SUCCESSFUL"
file_log "Reverting SSH Key Generation - Completed"
else
op_log "Reverting - SSH Key Generation" "FAILED"
file_log "Reverting SSH Key Generation - Failed"
error_restoring "Reverting - SSH Key Generation"
fi
}
@@ -328,7 +330,7 @@ function revert_secure_authorized_key(){
local success;
revert_create_ssh_key
file_log "Reverting SSH Key Authorizations..."
file_log "Reverting SSH Key Authorization..."
if [[ -f "$SSH_DIR"/authorized_keys"$BACKUP_EXTENSION" ]]; then
unalias cp &>/dev/null
@@ -343,11 +345,10 @@ function revert_secure_authorized_key(){
fi
if [[ $success -eq 0 ]]; then
op_log "Reverting - SSH Key Authorizations" "SUCCESSFUL"
file_log "Reverting SSH Key Authorizations - Completed"
op_log "Reverting - SSH Key Authorization" "SUCCESSFUL"
file_log "Reverting SSH Key Authorization - Completed"
else
op_log "Reverting - SSH Key Authorizations" "FAILED"
file_log "Reverting SSH Key Authorizations - Failed"
error_restoring "Reverting - SSH Key Authorization"
fi
}
@@ -367,8 +368,7 @@ function revert_ssh_only_login(){
op_log "Reverting - SSH-only Login" "SUCCESSFUL"
file_log "Reverting SSH-only Login - Completed"
else
op_log "Reverting - SSH-only Login" "FAILED"
file_log "Reverting SSH-only Login - Failed"
error_restoring "Reverting - SSH-only Login"
fi
}
@@ -395,8 +395,7 @@ function revert_source_list_changes(){
op_log "Reverting - Source_list Changes" "SUCCESSFUL"
file_log "Reverting Source_list Changes - Completed"
else
op_log "Reverting - Source_list Changes" "FAILED"
file_log "Reverting Source_list Changesn - Failed"
error_restoring "Reverting - Source_list Changes"
fi
}
@@ -406,7 +405,25 @@ function revert_root_pass_change(){
center_err_text "Your earlier root password remains VALID"
}
revert_software_installs(){
echo
center_err_text "Installing software failed..."
center_err_text "This is NOT a catastrophic error"
}
function finally(){
if [[ $CreateNonRootUser -eq 2 ]] &&
[[ $CreateSSHKey -eq 2 ]] &&
[[ $SecureAuthkeysfile -eq 2 ]] &&
[[ $EnableSSHOnly -eq 2 ]] &&
[[ $ChangeSourceList -eq 2 ]] &&
[[ $InstallReqSoftwares -eq 2 ]]; then
echo
line_fill "$CHORIZONTAL" "$CLINESIZE"
line_fill "$CHORIZONTAL" "$CLINESIZE"
center_reg_text "ALL OPERATIONS COMPLETED SUCCESSFULLY"
fi
# If something failed - try to revert things back
if [[ "$#" -gt 0 ]]; then
echo
@@ -426,7 +443,7 @@ function finally(){
[[ $EnableSSHOnly -eq 3 ]]; then
return 1
else
line_fill "$CHORIZONTAL" $CLINESIZE
line_fill "$CHORIZONTAL" "$CLINESIZE"
recap "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
recap "User's Password" "$CreateNonRootUser" "$USER_PASS"
recap "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
@@ -435,7 +452,19 @@ function finally(){
if [[ "$RESET_ROOT_PWD" == "y" ]]; then
recap "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
fi
line_fill "$CHORIZONTAL" $CLINESIZE
line_fill "$CHORIZONTAL" "$CLINESIZE"
recap_file_content "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
recap_file_content "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
line_fill "$CHORIZONTAL" "$CLINESIZE"
center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
center_reg_text "Use another window to test out the above credentials"
center_reg_text "If you face issue logging in look at the log file to see what went wrong"
center_reg_text "Log file at ${LOGFILE}"
line_fill "$CHORIZONTAL" "$CLINESIZE"
echo
fi
if [[ $ChangeSourceList -eq 3 ]] ||
@@ -458,7 +487,7 @@ function finally(){
CVERTICAL="|"
CHORIZONTAL="_"
CLINESIZE=64
CLINESIZE=72
function center_text(){
textsize=${#1}
@@ -469,7 +498,7 @@ function center_text(){
function center_err_text(){
printf "${CRED}"
center_text "$1" $CLINESIZE
center_text "$1" "$CLINESIZE"
printf "${CEND}\\n"
}
@@ -520,18 +549,35 @@ function recap (){
local value=$3
if [[ $status -eq 0 ]]; then
file_log "${purpose}: Did not start this operation. See log above."
value="[${CGREEN}--NO_OP--${CEND}]"
elif [[ $status -eq 2 ]]; then
file_log "${purpose}: ${value}"
value="[${CGREEN}${value}${CEND}]"
elif [[ $status -eq 1 ]] || [[ $status -eq 3 ]]; then
file_log "${purpose}: ERROR. See log above."
value="${CRED}--ERROR--${CEND}"
fi
horizontal_fill "$CVERTICAL" 1
printf "%20s:%3s%-49s" "$purpose" " " "$(echo -e "$value")"
printf "%23s:%3s%-54s" "$purpose" " " "$(echo -e "$value")"
line_fill "$CVERTICAL" 1
}
function recap_file_content(){
local file_type=$1
local file_location=$2
echo
center_reg_text "$file_type"
file_log "$file_type"
echo
printf "${CGREEN}"
cat "$file_location"
cat "$file_location" 2>> "$LOGFILE" >&2
printf "${CEND}"
}
##############################################################
# Create non-root user
@@ -867,6 +913,7 @@ if [[ $OP_CODE -eq 0 ]]; then
else
update_event_status "Installing required softwares" 3
op_log "Installing required softwares" "FAILED"
revert_software_installs
fi
@@ -887,8 +934,7 @@ if [[ $RESET_ROOT_PWD == 'y' ]]; then
file_log "Generated Root Password - ${PASS_ROOT}"
# Change root's password
false
#echo -e "${PASS_ROOT}\\n${PASS_ROOT}" | passwd
echo -e "${PASS_ROOT}\\n${PASS_ROOT}" | passwd
set_op_code $?
} 2>> "$LOGFILE" >&2