pratik/server_init_harden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(docs): refine project description for clarity and accuracy & remove old files

Browse Source
This commit is contained in:
Pratik Tripathy
2024-12-21 19:53:41 +05:30
parent 534b2f50a6
commit 2f2d4142d4
2 changed files with 80 additions and 284 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
Failure-test
View File

@@ -1,206 +0,0 @@
Step 1 Failure > expectation
- Delete user + delete home directory
- Exit
- Ubuntu 14
- Works as expected.
- Shows error & Revert status
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
- Works as expected
- Debian 9
- Works as expected
Step 2 Failure > expectation
- Delete user + delete home directory
- Exit
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 3 Failure > expectation
- Reset the attributes of "authorized_keys"
- Delete user + delete home directory
- Exit
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 4 Failure > expectation
- Restore backup files in /etc/apt folder and sub-folders
- Differs for each provider (Hetzner specially)
- Script continues
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 5 Failure > expectation
- Continue to Step 8
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 6 Failure > expectation
- Disable UFW
- Continue to next Step
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 7 Failure > expectation
- For 1st run of the script Restore /etc/fail2ban/jail.conf
- For 2nd run of the script restore /etc/fail2ban/jail.local
- Restore /etc/fail2ban/jail.d/defaults-debian.conf file if present
- Continue to next step
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 8 Failure > expectation
- Display that something did not complete successfully
- Continue to next step
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 9 Failure > expectation
- Reset the attributes of "authorized_keys"
- Delete user + delete home directory
- [If opted] Restore backup files in /etc/apt folder and sub-folders
- Disable UFW
- For 1st run of the script Restore /etc/fail2ban/jail.conf
- For 2nd run of the script restore /etc/fail2ban/jail.local
- Restore /etc/fail2ban/jail.d/defaults-debian.conf file if present
- Restore the /etc/ssh/sshd_config file
- Exit
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
## Testing
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Debian 9.6
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Debian 8.10
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 14.04.5
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 16.04.5
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 18.04.5
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 18.10
- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Debian 9
- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Ubuntu 16.04.5
- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Ubuntu 18.04.1
- [x] Test - ([OVH](https://www.ovh.com)) - Debian 9
- [x] Test - ([OVH](https://www.ovh.com)) - Debian 8
- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 14.04
- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 16.04
- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 18.04
- [x] Test failures - Debian 9 - Step 1
- [x] Test failures - Debian 9 - Step 2
- [x] Test failures - Debian 9 - Step 3
- [x] Test failures - Debian 9 - Step 4
- [x] Test failures - Debian 9 - Step 5
- [x] Test failures - Debian 9 - Step 6
- [x] Test failures - Debian 9 - Step 7
- [x] Test failures - Debian 9 - Step 8
- [x] Test failures - Debian 9 - Step 9
- [x] Test failures - Debian 8 - Step 1
- [x] Test failures - Debian 8 - Step 2
- [x] Test failures - Debian 8 - Step 3
- [x] Test failures - Debian 8 - Step 4
- [x] Test failures - Debian 8 - Step 5
- [x] Test failures - Debian 8 - Step 6
- [x] Test failures - Debian 8 - Step 7
- [x] Test failures - Debian 8 - Step 8
- [x] Test failures - Debian 8 - Step 9
- [x] Test failures - Ubuntu 14.04 - Step 1
- [x] Test failures - Ubuntu 14.04 - Step 2
- [x] Test failures - Ubuntu 14.04 - Step 3
- [x] Test failures - Ubuntu 14.04 - Step 4
- [x] Test failures - Ubuntu 14.04 - Step 5
- [x] Test failures - Ubuntu 14.04 - Step 6
- [x] Test failures - Ubuntu 14.04 - Step 7
- [x] Test failures - Ubuntu 14.04 - Step 8
- [x] Test failures - Ubuntu 14.04 - Step 9
- [x] Test failures - Ubuntu 16.04 - Step 1
- [x] Test failures - Ubuntu 16.04 - Step 2
- [x] Test failures - Ubuntu 16.04 - Step 3
- [x] Test failures - Ubuntu 16.04 - Step 4
- [x] Test failures - Ubuntu 16.04 - Step 5
- [x] Test failures - Ubuntu 16.04 - Step 6
- [x] Test failures - Ubuntu 16.04 - Step 7
- [x] Test failures - Ubuntu 16.04 - Step 8
- [x] Test failures - Ubuntu 16.04 - Step 9
- [x] Test failures - Ubuntu 18.04 - Step 1
- [x] Test failures - Ubuntu 18.04 - Step 2
- [x] Test failures - Ubuntu 18.04 - Step 3
- [x] Test failures - Ubuntu 18.04 - Step 4
- [x] Test failures - Ubuntu 18.04 - Step 5
- [x] Test failures - Ubuntu 18.04 - Step 6
- [x] Test failures - Ubuntu 18.04 - Step 7
- [x] Test failures - Ubuntu 18.04 - Step 8
- [x] Test failures - Ubuntu 18.04 - Step 9
- [x] Test - How it behaves on repeat execution

158
README.md
View File

@@ -1,37 +1,39 @@
# Linux Server Hardener
Bash script that automates server security hardening on a new Linux server.
A robust POSIX-compliant shell script that automates security hardening for Linux systems through SSH hardening, intrusion detection, firewall configuration, and granular access controls. This production-grade solution ensures consistent security baselines while maintaining compatibility across major Linux distributions.
## **WARNING**
This script can potentially make your server inaccessible if not used properly. Make sure you:
- Have a backup access method
- Review the script before running
- Keep the terminal session open until completion
- Save all credentials shown/logged during execution
- Have a backup access method
- Review the script before running
- Keep the terminal session open until completion
- Save all credentials shown/logged during execution
### IMPORTANT: SSH Key Management
After running the script, you MUST:
1. **Save the SSH Private Key**
- Copy the entire private key content (starts with `-----BEGIN OPENSSH PRIVATE KEY-----`)
- Store it securely on your local machine as `id_ed25519` or similar
- Keep it strictly private and NEVER share it with anyone
- Without this key, you cannot access your server
- Copy the entire private key content (starts with `-----BEGIN OPENSSH PRIVATE KEY-----`)
- Store it securely on your local machine as `id_ed25519` or similar
- Keep it strictly private and NEVER share it with anyone
- Without this key, you cannot access your server
2. **Save the Key Passphrase**
- Store the generated passphrase securely
- Required every time you use the private key
- Keep it secret like a password
- Cannot be recovered if lost
- Store the generated passphrase securely
- Required every time you use the private key
- Keep it secret like a password
- Cannot be recovered if lost
3. **Public Key (Optional Save)**
- The part ending in `.pub` (starts with `ssh-ed25519`)
- Already configured on the server
- Can be shared safely with others
- Used for adding access to other servers
- The part ending in `.pub` (starts with `ssh-ed25519`)
- Already configured on the server
- Can be shared safely with others
- Used for adding access to other servers
Without the private key and passphrase, you will permanently lose access to your server!
@@ -39,55 +41,55 @@ Without the private key and passphrase, you will permanently lose access to your
Tested and working on:
- Debian 11, 12
- Ubuntu 22.04, 24.04, 24.10
- Debian 11, 12
- Ubuntu 22.04, 24.04, 24.10
## What's New in v2.0 🚀
### Improved Logging 🎯
- **Sensitive Data Control**: New `-s` flag to control credential display
- Separate console/file logging levels
- Better organized log file structure
- More detailed operation logging
- **Sensitive Data Control**: New `-s` flag to control credential display
- Separate console/file logging levels
- Better organized log file structure
- More detailed operation logging
### Documentation 📚
- **Better Examples**: More usage examples and scenarios
- **Clear Warnings**: Improved warning messages and precautions
- **Better Examples**: More usage examples and scenarios
- **Clear Warnings**: Improved warning messages and precautions
### OS Support 🐧
- Removed unnecessary OS Restrictions
- Removed unnecessary OS Restrictions
- Tested on the following distributions:
- Ubuntu 22.04, 24.04, 24.10
- Debian 11, 12
- Fedora 40, 41 (in testing)
- FreeBSD (in future)
- Tested on the following distributions:
- Ubuntu 22.04, 24.04, 24.10
- Debian 11, 12
- Fedora 40, 41 (in testing)
- FreeBSD (in future)
### Test with Docker 🐳
- **Test Commands**: Added various test scenarios
- **Multi-distro**: Support for testing across distributions
- **Quick Testing**: Faster feedback loop for testing changes
- **Test Commands**: Added various test scenarios
- **Multi-distro**: Support for testing across distributions
- **Quick Testing**: Faster feedback loop for testing changes
## Usage
### Requirements
- Root/sudo privileges
- One of the supported Linux distributions:
- Debian 11/12
- Ubuntu 20.04/22.04/24.04
- Fedora 40/41
- Root/sudo privileges
- One of the supported Linux distributions:
- Debian 11/12
- Ubuntu 20.04/22.04/24.04
- Fedora 40/41
### Options
- `-u USERNAME`: Create a new sudo user
- `-r`: Reset root password to secure random value
- `-s`: Show sensitive information in console output
- `-h`: Display help message
- `-u USERNAME`: Create a new sudo user
- `-r`: Reset root password to secure random value
- `-s`: Show sensitive information in console output
- `-h`: Display help message
```bash
# Basic hardening (SSH, Fail2ban, UFW, create & secure SSH key for logged in user)
@@ -108,7 +110,7 @@ Tested and working on:
### Post Installation
- Check if the services are working properly
- Check if the services are working properly
```bash
sudo ufw status
@@ -122,58 +124,58 @@ The script performs comprehensive security hardening:
### SSH Hardening
- Uses Ed25519 SSH keys (stronger than RSA)
- Disables root login
- Disables password authentication
- Enforces public key authentication
- Creates backup of original config
- Secures authorized_keys file with proper permissions
- Uses Ed25519 SSH keys (stronger than RSA)
- Disables root login
- Disables password authentication
- Enforces public key authentication
- Creates backup of original config
- Secures authorized_keys file with proper permissions
### Fail2ban Protection
- Protects against brute force attempts
- Configures SSH jail (1 day ban time)
- Configures recidive jail (30 days for repeat offenders)
- Configures nginx-http-auth jail
- Auto-excludes server's public IP
- TIP: Unban using `fail2ban-client set sshd unbanip <IP>`
- Protects against brute force attempts
- Configures SSH jail (1 day ban time)
- Configures recidive jail (30 days for repeat offenders)
- Configures nginx-http-auth jail
- Auto-excludes server's public IP
- TIP: Unban using `fail2ban-client set sshd unbanip <IP>`
### UFW Firewall
- Enables and configures UFW
- Allows SSH (22), HTTP (80), HTTPS (443)
- Blocks all other incoming traffic
- Allows all outgoing traffic
- TIP: Add new rules with `ufw allow <service>`
- Enables and configures UFW
- Allows SSH (22), HTTP (80), HTTPS (443)
- Blocks all other incoming traffic
- Allows all outgoing traffic
- TIP: Add new rules with `ufw allow <service>`
### User Management
- Option to reset root password
- Creates new sudo user (optional)
- Generates secure random password
- Creates Ed25519 SSH key pair with 1000 KDF rounds
- Configures authorized_keys securely
- TIP: Copy the user credentials from the log file after the script completes
- Option to reset root password
- Creates new sudo user (optional)
- Generates secure random password
- Creates Ed25519 SSH key pair with 1000 KDF rounds
- Configures authorized_keys securely
- TIP: Copy the user credentials from the log file after the script completes
### Backup and Recovery
- Creates backups of all modified configuration files
- Automatic recovery if operations fail
- Restarts affected services as needed
- Detailed logging for troubleshooting
- Creates backups of all modified configuration files
- Automatic recovery if operations fail
- Restarts affected services as needed
- Detailed logging for troubleshooting
### Logging
- All operations logged to `./${SCRIPT_NAME}_TIMESTAMP.log`
- Sensitive information only logged to file by default
- Optional console display with `-s` flag
- Execution time tracking
- Separate console/file logging levels
- All operations logged to `./${SCRIPT_NAME}_TIMESTAMP.log`
- Sensitive information only logged to file by default
- Optional console display with `-s` flag
- Execution time tracking
- Separate console/file logging levels
## To-do
- [ ] Test on Fedora 40, 41 on VPS and not on Docker (it fails on Docker right now)
- [ ] Test on FreeBSD
- [ ] Test on Fedora 40, 41 on VPS and not on Docker (it fails on Docker right now)
- [ ] Test on FreeBSD
## License