pratik/server_init_harden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added "-q" option for quiet opertion

Browse Source
This commit is contained in:
Pratik
2019-01-21 20:42:45 +05:30
parent 94d2e2b253
commit 2383b2b073
1 changed files with 104 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

162
init-linux-harden.sh
View File

@@ -1,18 +1,5 @@
#!/etc/bin/env bash #!/etc/bin/env bash
# Something important fails
# Revert everything back to how it was
# Ask the user to NOT logout yet and login as normal user
# If he can - great
# Remove the SSH-only login and ask the user to login using password
# Report
# Root password
# User Password
# User SSH-Private Key
# User SSH-Public key
# If not
# Ask him to report back if he can login using the new user -with the ssh-private key
# - tell him to talk to the server provider's support to get help regarding SSH-only access
# What to do if making .bkp file fails? # What to do if making .bkp file fails?
# Add timestamp` to all backup files filename.071218_171731_bak # Add timestamp` to all backup files filename.071218_171731_bak
#Test #Test
@@ -100,6 +87,7 @@ fi
AUTO_GEN_USERNAME="y" AUTO_GEN_USERNAME="y"
RESET_ROOT_PWD="n" RESET_ROOT_PWD="n"
DEFAULT_SOURCE_LIST="n" DEFAULT_SOURCE_LIST="n"
QUIET="n"
while [[ "$#" -gt 0 ]]; do while [[ "$#" -gt 0 ]]; do
case $1 in case $1 in
@@ -128,6 +116,10 @@ while [[ "$#" -gt 0 ]]; do
DEFAULT_SOURCE_LIST="y" DEFAULT_SOURCE_LIST="y"
shift shift
;; ;;
-q|--quiet|--nowait|--noprompt)
QUIET="y"
shift
;;
-h|--help) -h|--help)
usage usage
shift shift
@@ -147,16 +139,29 @@ done
############################################################## ##############################################################
clear clear
cat <<INFORM1 | more
cat <<INFORM | more
!!! READ BELOW & PRESS ENTER/RETURN TO CONTINUE !!! !!! READ BELOW & PRESS ENTER/RETURN TO CONTINUE !!!
################################################################## ##################################################################
INFORM1
- Before editing any file, script creates a back up of that file in
the same directory. If script detects any error, then it restores the
original files.
- If any operation which involves credentials generation, succeeds -
then those credentials will be displayed at the end of all operations.
- If script reports any error or something does not work as expected,
please take a look at the log file at (${LOGFILE}).
All backup files have extension (${BACKUP_EXTENSION})
Script logs all operation into (${LOGFILE}) file.
INFORM
echo "Installation options selected - " | tee -a "$LOGFILE" echo "Installation options selected - " | tee -a "$LOGFILE"
if [[ "$AUTO_GEN_USERNAME" == "y" ]]; then if [[ "$AUTO_GEN_USERNAME" == "y" ]]; then
printf "%3s Non-root Username will be auto generated by script\\n" " -" | tee -a "$LOGFILE" printf "%3s Username will be auto generated by script\\n" " -" | tee -a "$LOGFILE"
else else
printf "%3s Non-root Username = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE" printf "%3s Username you opted = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE"
fi fi
if [[ "$DEFAULT_SOURCE_LIST" == "y" ]]; then if [[ "$DEFAULT_SOURCE_LIST" == "y" ]]; then
printf "%3s Use debian.org in /etc/apt/source.list file\\n" " -" | tee -a "$LOGFILE" printf "%3s Use debian.org in /etc/apt/source.list file\\n" " -" | tee -a "$LOGFILE"
@@ -164,29 +169,17 @@ fi
if [[ "$RESET_ROOT_PWD" == "y" ]]; then if [[ "$RESET_ROOT_PWD" == "y" ]]; then
printf "%3s Reset root password\\n" " -" | tee -a "$LOGFILE" printf "%3s Reset root password\\n" " -" | tee -a "$LOGFILE"
fi fi
if [[ "$QUIET" == "y" ]]; then
printf "%3s No prompt installtion selected\\n\\n" " -" | tee -a "$LOGFILE"
fi
cat <<INFORM2 | more echo "TO CONTINUE (press enter/return)..."
echo "TO EXIT (ctrl + c)..."
echo
All backup files have extension (${BACKUP_EXTENSION}) if [[ $QUIET == "n" ]]; then
Script logs all operation into (${LOGFILE}) file. read -r
fi
- Before editing any file, script creates a back up of that file in
the same directory. If script detects any error, then it restores the
original files.
- Script assumes you are running this on a brand new VPS and that
DATALOSS OR LOSS OF ACCESS TO THE SERVER IS NOT A MAJOR CONCERN. If
you do however lose access to the server most VPS provider allow to
create a new one easily.
- If any operation which involves credentials generation, succeeds -
then those credentials will be displayed at the end of all operations.
- If script reports any error or something does not work as expected,
please take a look at the log file at (${LOGFILE}).
TO CONTINUE (press enter/return)...
TO EXIT (ctrl + c)...
INFORM2
read -r
############################################################## ##############################################################
@@ -280,6 +273,17 @@ function revert_changes(){
file_log "Revert operation completed" file_log "Revert operation completed"
} }
function error_restoring(){
op_log "$1" "FAILED"
file_log "$1 - Failed"
echo
center_err_text "!!! Error restoring changes !!!"
center_err_text "!!! You may have to manually fix this !!!"
center_err_text "!!! Check the log file for details !!!"
center_reg_text "Log file at ${LOGFILE}"
echo
}
function revert_create_user(){ function revert_create_user(){
local success; local success;
file_log "Reverting New User Creation..." file_log "Reverting New User Creation..."
@@ -294,8 +298,7 @@ function revert_create_user(){
op_log "Reverting - New User Creation" "SUCCESSFUL" op_log "Reverting - New User Creation" "SUCCESSFUL"
file_log "Reverting New User Creation - Completed" file_log "Reverting New User Creation - Completed"
else else
op_log "Reverting - New User Creation" "FAILED" error_restoring "Reverting - New User Creation"
file_log "Reverting New User Creation - Failed"
fi fi
} }
@@ -319,8 +322,7 @@ function revert_create_ssh_key(){
op_log "Reverting - SSH Key Generation" "SUCCESSFUL" op_log "Reverting - SSH Key Generation" "SUCCESSFUL"
file_log "Reverting SSH Key Generation - Completed" file_log "Reverting SSH Key Generation - Completed"
else else
op_log "Reverting - SSH Key Generation" "FAILED" error_restoring "Reverting - SSH Key Generation"
file_log "Reverting SSH Key Generation - Failed"
fi fi
} }
@@ -328,7 +330,7 @@ function revert_secure_authorized_key(){
local success; local success;
revert_create_ssh_key revert_create_ssh_key
file_log "Reverting SSH Key Authorizations..." file_log "Reverting SSH Key Authorization..."
if [[ -f "$SSH_DIR"/authorized_keys"$BACKUP_EXTENSION" ]]; then if [[ -f "$SSH_DIR"/authorized_keys"$BACKUP_EXTENSION" ]]; then
unalias cp &>/dev/null unalias cp &>/dev/null
@@ -343,11 +345,10 @@ function revert_secure_authorized_key(){
fi fi
if [[ $success -eq 0 ]]; then if [[ $success -eq 0 ]]; then
op_log "Reverting - SSH Key Authorizations" "SUCCESSFUL" op_log "Reverting - SSH Key Authorization" "SUCCESSFUL"
file_log "Reverting SSH Key Authorizations - Completed" file_log "Reverting SSH Key Authorization - Completed"
else else
op_log "Reverting - SSH Key Authorizations" "FAILED" error_restoring "Reverting - SSH Key Authorization"
file_log "Reverting SSH Key Authorizations - Failed"
fi fi
} }
@@ -367,8 +368,7 @@ function revert_ssh_only_login(){
op_log "Reverting - SSH-only Login" "SUCCESSFUL" op_log "Reverting - SSH-only Login" "SUCCESSFUL"
file_log "Reverting SSH-only Login - Completed" file_log "Reverting SSH-only Login - Completed"
else else
op_log "Reverting - SSH-only Login" "FAILED" error_restoring "Reverting - SSH-only Login"
file_log "Reverting SSH-only Login - Failed"
fi fi
} }
@@ -395,8 +395,7 @@ function revert_source_list_changes(){
op_log "Reverting - Source_list Changes" "SUCCESSFUL" op_log "Reverting - Source_list Changes" "SUCCESSFUL"
file_log "Reverting Source_list Changes - Completed" file_log "Reverting Source_list Changes - Completed"
else else
op_log "Reverting - Source_list Changes" "FAILED" error_restoring "Reverting - Source_list Changes"
file_log "Reverting Source_list Changesn - Failed"
fi fi
} }
@@ -406,7 +405,25 @@ function revert_root_pass_change(){
center_err_text "Your earlier root password remains VALID" center_err_text "Your earlier root password remains VALID"
} }
revert_software_installs(){
echo
center_err_text "Installing software failed..."
center_err_text "This is NOT a catastrophic error"
}
function finally(){ function finally(){
if [[ $CreateNonRootUser -eq 2 ]] &&
[[ $CreateSSHKey -eq 2 ]] &&
[[ $SecureAuthkeysfile -eq 2 ]] &&
[[ $EnableSSHOnly -eq 2 ]] &&
[[ $ChangeSourceList -eq 2 ]] &&
[[ $InstallReqSoftwares -eq 2 ]]; then
echo
line_fill "$CHORIZONTAL" "$CLINESIZE"
line_fill "$CHORIZONTAL" "$CLINESIZE"
center_reg_text "ALL OPERATIONS COMPLETED SUCCESSFULLY"
fi
# If something failed - try to revert things back # If something failed - try to revert things back
if [[ "$#" -gt 0 ]]; then if [[ "$#" -gt 0 ]]; then
echo echo
@@ -426,7 +443,7 @@ function finally(){
[[ $EnableSSHOnly -eq 3 ]]; then [[ $EnableSSHOnly -eq 3 ]]; then
return 1 return 1
else else
line_fill "$CHORIZONTAL" $CLINESIZE line_fill "$CHORIZONTAL" "$CLINESIZE"
recap "User Name" "$CreateNonRootUser" "$NORM_USER_NAME" recap "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
recap "User's Password" "$CreateNonRootUser" "$USER_PASS" recap "User's Password" "$CreateNonRootUser" "$USER_PASS"
recap "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem recap "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
@@ -435,7 +452,19 @@ function finally(){
if [[ "$RESET_ROOT_PWD" == "y" ]]; then if [[ "$RESET_ROOT_PWD" == "y" ]]; then
recap "New root Password" "$ChangeRootPwd" "$PASS_ROOT" recap "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
fi fi
line_fill "$CHORIZONTAL" $CLINESIZE line_fill "$CHORIZONTAL" "$CLINESIZE"
recap_file_content "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
recap_file_content "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
line_fill "$CHORIZONTAL" "$CLINESIZE"
center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
center_reg_text "Use another window to test out the above credentials"
center_reg_text "If you face issue logging in look at the log file to see what went wrong"
center_reg_text "Log file at ${LOGFILE}"
line_fill "$CHORIZONTAL" "$CLINESIZE"
echo
fi fi
if [[ $ChangeSourceList -eq 3 ]] || if [[ $ChangeSourceList -eq 3 ]] ||
@@ -458,7 +487,7 @@ function finally(){
CVERTICAL="|" CVERTICAL="|"
CHORIZONTAL="_" CHORIZONTAL="_"
CLINESIZE=64 CLINESIZE=72
function center_text(){ function center_text(){
textsize=${#1} textsize=${#1}
@@ -469,7 +498,7 @@ function center_text(){
function center_err_text(){ function center_err_text(){
printf "${CRED}" printf "${CRED}"
center_text "$1" $CLINESIZE center_text "$1" "$CLINESIZE"
printf "${CEND}\\n" printf "${CEND}\\n"
} }
@@ -520,18 +549,35 @@ function recap (){
local value=$3 local value=$3
if [[ $status -eq 0 ]]; then if [[ $status -eq 0 ]]; then
file_log "${purpose}: Did not start this operation. See log above."
value="[${CGREEN}--NO_OP--${CEND}]" value="[${CGREEN}--NO_OP--${CEND}]"
elif [[ $status -eq 2 ]]; then elif [[ $status -eq 2 ]]; then
file_log "${purpose}: ${value}"
value="[${CGREEN}${value}${CEND}]" value="[${CGREEN}${value}${CEND}]"
elif [[ $status -eq 1 ]] || [[ $status -eq 3 ]]; then elif [[ $status -eq 1 ]] || [[ $status -eq 3 ]]; then
file_log "${purpose}: ERROR. See log above."
value="${CRED}--ERROR--${CEND}" value="${CRED}--ERROR--${CEND}"
fi fi
horizontal_fill "$CVERTICAL" 1 horizontal_fill "$CVERTICAL" 1
printf "%20s:%3s%-49s" "$purpose" " " "$(echo -e "$value")" printf "%23s:%3s%-54s" "$purpose" " " "$(echo -e "$value")"
line_fill "$CVERTICAL" 1 line_fill "$CVERTICAL" 1
} }
function recap_file_content(){
local file_type=$1
local file_location=$2
echo
center_reg_text "$file_type"
file_log "$file_type"
echo
printf "${CGREEN}"
cat "$file_location"
cat "$file_location" 2>> "$LOGFILE" >&2
printf "${CEND}"
}
############################################################## ##############################################################
# Create non-root user # Create non-root user
@@ -867,6 +913,7 @@ if [[ $OP_CODE -eq 0 ]]; then
else else
update_event_status "Installing required softwares" 3 update_event_status "Installing required softwares" 3
op_log "Installing required softwares" "FAILED" op_log "Installing required softwares" "FAILED"
revert_software_installs
fi fi
@@ -887,8 +934,7 @@ if [[ $RESET_ROOT_PWD == 'y' ]]; then
file_log "Generated Root Password - ${PASS_ROOT}" file_log "Generated Root Password - ${PASS_ROOT}"
# Change root's password # Change root's password
false echo -e "${PASS_ROOT}\\n${PASS_ROOT}" | passwd
#echo -e "${PASS_ROOT}\\n${PASS_ROOT}" | passwd
set_op_code $? set_op_code $?
} 2>> "$LOGFILE" >&2 } 2>> "$LOGFILE" >&2