From 2f2d4142d432864dac9ebb45980a20b7e9a2fc07 Mon Sep 17 00:00:00 2001 From: Pratik Tripathy <> Date: Sat, 21 Dec 2024 19:53:41 +0530 Subject: [PATCH] chore(docs): refine project description for clarity and accuracy & remove old files --- Failure-test | 206 --------------------------------------------------- README.md | 158 ++++++++++++++++++++------------------- 2 files changed, 80 insertions(+), 284 deletions(-) delete mode 100644 Failure-test diff --git a/Failure-test b/Failure-test deleted file mode 100644 index 8c9342b..0000000 --- a/Failure-test +++ /dev/null 
@@ -1,206 +0,0 @@ -Step 1 Failure > expectation - - Delete user + delete home directory - - Exit - - Ubuntu 14 - - Works as expected. - - Shows error & Revert status - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. - - Debian 8 - - Works as expected - - Debian 9 - - Works as expected - -Step 2 Failure > expectation - - Delete user + delete home directory - - Exit - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. - - Debian 8 - Works as expected - - Debian 9 - - Works as expected - -Step 3 Failure > expectation - - Reset the attributes of "authorized_keys" - - Delete user + delete home directory - - Exit - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. - - Debian 8 - Works as expected - - Debian 9 - - Works as expected - -Step 4 Failure > expectation - - Restore backup files in /etc/apt folder and sub-folders - - Differs for each provider (Hetzner specially) - - Script continues - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. - - Debian 8 - Works as expected - - Debian 9 - - Works as expected - -Step 5 Failure > expectation - - Continue to Step 8 - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. - - Debian 8 - Works as expected - - Debian 9 - - Works as expected - -Step 6 Failure > expectation - - Disable UFW - - Continue to next Step - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. 
- - Debian 8 - Works as expected - - Debian 9 - - Works as expected - -Step 7 Failure > expectation - - For 1st run of the script Restore /etc/fail2ban/jail.conf - - For 2nd run of the script restore /etc/fail2ban/jail.local - - Restore /etc/fail2ban/jail.d/defaults-debian.conf file if present - - Continue to next step - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. - - Debian 8 - Works as expected - - Debian 9 - - Works as expected - -Step 8 Failure > expectation - - Display that something did not complete successfully - - Continue to next step - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. - - Debian 8 - Works as expected - - Debian 9 - - Works as expected - - -Step 9 Failure > expectation - - Reset the attributes of "authorized_keys" - - Delete user + delete home directory - - [If opted] Restore backup files in /etc/apt folder and sub-folders - - Disable UFW - - For 1st run of the script Restore /etc/fail2ban/jail.conf - - For 2nd run of the script restore /etc/fail2ban/jail.local - - Restore /etc/fail2ban/jail.d/defaults-debian.conf file if present - - Restore the /etc/ssh/sshd_config file - - Exit - - Ubuntu 14 - - Works as expected - - Ubuntu 16 - - Works as expected. - - Ubuntu 18 - - Works as expected. 
- - Debian 8 - Works as expected - - Debian 9 - - Works as expected - - -## Testing -- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Debian 9.6 -- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Debian 8.10 -- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 14.04.5 -- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 16.04.5 -- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 18.04.5 -- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 18.10 -- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Debian 9 -- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Ubuntu 16.04.5 -- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Ubuntu 18.04.1 -- [x] Test - ([OVH](https://www.ovh.com)) - Debian 9 -- [x] Test - ([OVH](https://www.ovh.com)) - Debian 8 -- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 14.04 -- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 16.04 -- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 18.04 - -- [x] Test failures - Debian 9 - Step 1 -- [x] Test failures - Debian 9 - Step 2 -- [x] Test failures - Debian 9 - Step 3 -- [x] Test failures - Debian 9 - Step 4 -- [x] Test failures - Debian 9 - Step 5 -- [x] Test failures - Debian 9 - Step 6 -- [x] Test failures - Debian 9 - Step 7 -- [x] Test failures - Debian 9 - Step 8 -- [x] Test failures - Debian 9 - Step 9 - -- [x] Test failures - Debian 8 - Step 1 -- [x] Test failures - Debian 8 - Step 2 -- [x] Test failures - Debian 8 - Step 3 -- [x] Test failures - Debian 8 - Step 4 -- [x] Test failures - Debian 8 - Step 5 -- [x] Test failures - Debian 8 - Step 6 -- [x] Test failures - Debian 8 - Step 7 -- [x] Test failures - Debian 8 - Step 8 -- [x] Test failures - Debian 8 - Step 9 - -- [x] Test failures - Ubuntu 14.04 - Step 1 -- [x] Test failures - 
Ubuntu 14.04 - Step 2 -- [x] Test failures - Ubuntu 14.04 - Step 3 -- [x] Test failures - Ubuntu 14.04 - Step 4 -- [x] Test failures - Ubuntu 14.04 - Step 5 -- [x] Test failures - Ubuntu 14.04 - Step 6 -- [x] Test failures - Ubuntu 14.04 - Step 7 -- [x] Test failures - Ubuntu 14.04 - Step 8 -- [x] Test failures - Ubuntu 14.04 - Step 9 - -- [x] Test failures - Ubuntu 16.04 - Step 1 -- [x] Test failures - Ubuntu 16.04 - Step 2 -- [x] Test failures - Ubuntu 16.04 - Step 3 -- [x] Test failures - Ubuntu 16.04 - Step 4 -- [x] Test failures - Ubuntu 16.04 - Step 5 -- [x] Test failures - Ubuntu 16.04 - Step 6 -- [x] Test failures - Ubuntu 16.04 - Step 7 -- [x] Test failures - Ubuntu 16.04 - Step 8 -- [x] Test failures - Ubuntu 16.04 - Step 9 - -- [x] Test failures - Ubuntu 18.04 - Step 1 -- [x] Test failures - Ubuntu 18.04 - Step 2 -- [x] Test failures - Ubuntu 18.04 - Step 3 -- [x] Test failures - Ubuntu 18.04 - Step 4 -- [x] Test failures - Ubuntu 18.04 - Step 5 -- [x] Test failures - Ubuntu 18.04 - Step 6 -- [x] Test failures - Ubuntu 18.04 - Step 7 -- [x] Test failures - Ubuntu 18.04 - Step 8 -- [x] Test failures - Ubuntu 18.04 - Step 9 - -- [x] Test - How it behaves on repeat execution \ No newline at end of file diff --git a/README.md b/README.md index b17541a..a3928eb 100644 --- a/README.md +++ b/README.md 
@@ -1,37 +1,39 @@ # Linux Server Hardener -Bash script that automates server security hardening on a new Linux server. +A robust POSIX-compliant shell script that automates security hardening for Linux systems through SSH hardening, intrusion detection, firewall configuration, and granular access controls. This production-grade solution ensures consistent security baselines while maintaining compatibility across major Linux distributions. ## **WARNING** This script can potentially make your server inaccessible if not used properly. Make sure you: -- Have a backup access method -- Review the script before running -- Keep the terminal session open until completion -- Save all credentials shown/logged during execution +- Have a backup access method +- Review the script before running +- Keep the terminal session open until completion +- Save all credentials shown/logged during execution ### IMPORTANT: SSH Key Management After running the script, you MUST: 1. **Save the SSH Private Key** - - Copy the entire private key content (starts with `-----BEGIN OPENSSH PRIVATE KEY-----`) - - Store it securely on your local machine as `id_ed25519` or similar - - Keep it strictly private and NEVER share it with anyone - - Without this key, you cannot access your server + + - Copy the entire private key content (starts with `-----BEGIN OPENSSH PRIVATE KEY-----`) + - Store it securely on your local machine as `id_ed25519` or similar + - Keep it strictly private and NEVER share it with anyone + - Without this key, you cannot access your server 2. **Save the Key Passphrase** - - Store the generated passphrase securely - - Required every time you use the private key - - Keep it secret like a password - - Cannot be recovered if lost + + - Store the generated passphrase securely + - Required every time you use the private key + - Keep it secret like a password + - Cannot be recovered if lost 3. 
**Public Key (Optional Save)** - - The part ending in `.pub` (starts with `ssh-ed25519`) - - Already configured on the server - - Can be shared safely with others - - Used for adding access to other servers + - The part ending in `.pub` (starts with `ssh-ed25519`) + - Already configured on the server + - Can be shared safely with others + - Used for adding access to other servers Without the private key and passphrase, you will permanently lose access to your server! 
@@ -39,55 +41,55 @@ Without the private key and passphrase, you will permanently lose access to your Tested and working on: -- Debian 11, 12 -- Ubuntu 22.04, 24.04, 24.10 +- Debian 11, 12 +- Ubuntu 22.04, 24.04, 24.10 ## What's New in v2.0 🚀 ### Improved Logging 🎯 -- **Sensitive Data Control**: New `-s` flag to control credential display -- Separate console/file logging levels -- Better organized log file structure -- More detailed operation logging +- **Sensitive Data Control**: New `-s` flag to control credential display +- Separate console/file logging levels +- Better organized log file structure +- More detailed operation logging ### Documentation 📚 -- **Better Examples**: More usage examples and scenarios -- **Clear Warnings**: Improved warning messages and precautions +- **Better Examples**: More usage examples and scenarios +- **Clear Warnings**: Improved warning messages and precautions ### OS Support 🐧 -- Removed unnecessary OS Restrictions +- Removed unnecessary OS Restrictions -- Tested on the following distributions: - - Ubuntu 22.04, 24.04, 24.10 - - Debian 11, 12 - - Fedora 40, 41 (in testing) - - FreeBSD (in future) +- Tested on the following distributions: + - Ubuntu 22.04, 24.04, 24.10 + - Debian 11, 12 + - Fedora 40, 41 (in testing) + - FreeBSD (in future) ### Test with Docker 🐳 -- **Test Commands**: Added various test scenarios -- **Multi-distro**: Support for testing across distributions -- **Quick Testing**: Faster feedback loop for testing changes +- **Test Commands**: Added various test scenarios +- **Multi-distro**: Support for testing across distributions +- **Quick Testing**: Faster feedback loop for testing changes ## Usage ### Requirements -- Root/sudo privileges -- One of the supported Linux distributions: - - Debian 11/12 - - Ubuntu 20.04/22.04/24.04 - - Fedora 40/41 +- Root/sudo privileges +- One of the supported Linux distributions: + - Debian 11/12 + - Ubuntu 20.04/22.04/24.04 + - Fedora 40/41 ### Options -- `-u USERNAME`: Create a 
new sudo user -- `-r`: Reset root password to secure random value -- `-s`: Show sensitive information in console output -- `-h`: Display help message +- `-u USERNAME`: Create a new sudo user +- `-r`: Reset root password to secure random value +- `-s`: Show sensitive information in console output +- `-h`: Display help message ```bash # Basic hardening (SSH, Fail2ban, UFW, create & secure SSH key for logged in user) @@ -108,7 +110,7 @@ Tested and working on: ### Post Installation -- Check if the services are working properly +- Check if the services are working properly ```bash sudo ufw status 
@@ -122,58 +124,58 @@ The script performs comprehensive security hardening: ### SSH Hardening -- Uses Ed25519 SSH keys (stronger than RSA) -- Disables root login -- Disables password authentication -- Enforces public key authentication -- Creates backup of original config -- Secures authorized_keys file with proper permissions +- Uses Ed25519 SSH keys (stronger than RSA) +- Disables root login +- Disables password authentication +- Enforces public key authentication +- Creates backup of original config +- Secures authorized_keys file with proper permissions ### Fail2ban Protection -- Protects against brute force attempts -- Configures SSH jail (1 day ban time) -- Configures recidive jail (30 days for repeat offenders) -- Configures nginx-http-auth jail -- Auto-excludes server's public IP -- TIP: Unban using `fail2ban-client set sshd unbanip ` +- Protects against brute force attempts +- Configures SSH jail (1 day ban time) +- Configures recidive jail (30 days for repeat offenders) +- Configures nginx-http-auth jail +- Auto-excludes server's public IP +- TIP: Unban using `fail2ban-client set sshd unbanip ` ### UFW Firewall -- Enables and configures UFW -- Allows SSH (22), HTTP (80), HTTPS (443) -- Blocks all other incoming traffic -- Allows all outgoing traffic -- TIP: Add new rules with `ufw allow ` +- Enables and configures UFW +- Allows SSH (22), HTTP (80), HTTPS (443) +- Blocks all other incoming traffic +- Allows all outgoing traffic +- TIP: Add new rules with `ufw allow ` ### User Management -- Option to reset root password -- Creates new sudo user (optional) -- Generates secure random password -- Creates Ed25519 SSH key pair with 1000 KDF rounds -- Configures authorized_keys securely -- TIP: Copy the user credentials from the log file after the script completes +- Option to reset root password +- Creates new sudo user (optional) +- Generates secure random password +- Creates Ed25519 SSH key pair with 1000 KDF rounds +- Configures authorized_keys securely +- 
TIP: Copy the user credentials from the log file after the script completes ### Backup and Recovery -- Creates backups of all modified configuration files -- Automatic recovery if operations fail -- Restarts affected services as needed -- Detailed logging for troubleshooting +- Creates backups of all modified configuration files +- Automatic recovery if operations fail +- Restarts affected services as needed +- Detailed logging for troubleshooting ### Logging -- All operations logged to `./${SCRIPT_NAME}_TIMESTAMP.log` -- Sensitive information only logged to file by default -- Optional console display with `-s` flag -- Execution time tracking -- Separate console/file logging levels +- All operations logged to `./${SCRIPT_NAME}_TIMESTAMP.log` +- Sensitive information only logged to file by default +- Optional console display with `-s` flag +- Execution time tracking +- Separate console/file logging levels ## To-do -- [ ] Test on Fedora 40, 41 on VPS and not on Docker (it fails on Docker right now) -- [ ] Test on FreeBSD +- [ ] Test on Fedora 40, 41 on VPS and not on Docker (it fails on Docker right now) +- [ ] Test on FreeBSD ## License
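Review bot: deleting `Failure-test` removes the only written record of the script's per-step recovery expectations (Step 9 alone lists restoring `authorized_keys` attributes, the `/etc/apt` backups, `/etc/fail2ban/jail.conf` on a first run versus `jail.local` on a second run, `jail.d/defaults-debian.conf`, and `/etc/ssh/sshd_config`, then disabling UFW and deleting the created user) while the README hunk below still advertises "Automatic recovery if operations fail". The Ubuntu 14/16/18 and Debian 8/9 rows are clearly stale, so removing the old matrix is fine, but the "Failure > expectation" list and the "How it behaves on repeat execution" check should be carried over into a docs or tests file (or the Docker test section the README now mentions) before this file disappears, so that the rollback behaviour stays reviewable against the current supported distributions.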
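Review bot: the new project description in the first README hunk calls this "A robust POSIX-compliant shell script", but the line it replaces said "Bash script" and the usage blocks in the same file are still fenced as `bash`; since the commit message promises accuracy, either confirm the script runs under `/bin/sh` and drop the bash-specific wording, or keep "Bash script". "production-grade solution ensures consistent security baselines" is marketing rather than documentation and says nothing a user can verify; suggest replacing it with the concrete list that follows it ("SSH hardening, intrusion detection, firewall configuration, and granular access controls"). Separately, most of the `-`/`+` pairs in this hunk are byte-identical apart from whitespace (the WARNING bullets, the nested key-management lists); mixing whitespace churn with a wording change makes the real edit hard to spot, so consider splitting the formatting pass into its own commit.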
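Review bot: the second README hunk leaves the supported-platform lists contradicting each other, which the "accuracy" goal of this commit should fix: "Tested and working on" lists Debian 11, 12 and Ubuntu 22.04, 24.04, 24.10; "Requirements" lists Ubuntu 20.04/22.04/24.04 (no 24.10, but 20.04 which is not in the tested list) and Fedora 40/41 as supported; the "OS Support" section marks Fedora 40, 41 as "(in testing)" and FreeBSD as "(in future)"; and the To-do still says Fedora "fails on Docker right now". Suggest one authoritative list: tested distributions as supported, Fedora and FreeBSD as experimental. The "Removed unnecessary OS Restrictions" bullet also deserves a sentence on what happens on an unlisted distribution (for example one without `apt` or `ufw`), since a partially applied hardening run is exactly the situation the WARNING block is about.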
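Review bot: in the last README hunk the two TIP lines are missing their argument placeholders: `fail2ban-client set sshd unbanip ` and `ufw allow ` end after the subcommand on both the `-` and `+` sides, almost certainly because an angle-bracket placeholder such as `<IP>` was swallowed as an HTML tag by the renderer. Write them as `fail2ban-client set sshd unbanip IP_ADDRESS` and `ufw allow PORT` (or escape the brackets) so the commands are usable as printed. Also, the Logging section says sensitive information is written to `./${SCRIPT_NAME}_TIMESTAMP.log` by default and the User Management section tells the user to copy credentials from that file; the README should state what file mode the log is created with and advise deleting it once the private key and passphrase are stored elsewhere, since a world-readable log in the working directory would undo the SSH hardening the script performs.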