chore(docs): refine project description for clarity and accuracy & remove old files

Pratik Tripathy
2024-12-21 19:53:41 +05:30
parent 534b2f50a6
commit 2f2d4142d4
2 changed files with 80 additions and 284 deletions


@@ -1,206 +0,0 @@
Step 1 Failure > expectation
- Delete user + delete home directory
- Exit
- Ubuntu 14
- Works as expected.
- Shows error & Revert status
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
- Works as expected
- Debian 9
- Works as expected
Step 2 Failure > expectation
- Delete user + delete home directory
- Exit
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 3 Failure > expectation
- Reset the attributes of "authorized_keys"
- Delete user + delete home directory
- Exit
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 4 Failure > expectation
- Restore backup files in /etc/apt folder and sub-folders
- Differs for each provider (Hetzner specially)
- Script continues
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 5 Failure > expectation
- Continue to Step 8
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 6 Failure > expectation
- Disable UFW
- Continue to next Step
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 7 Failure > expectation
- For 1st run of the script Restore /etc/fail2ban/jail.conf
- For 2nd run of the script restore /etc/fail2ban/jail.local
- Restore /etc/fail2ban/jail.d/defaults-debian.conf file if present
- Continue to next step
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 8 Failure > expectation
- Display that something did not complete successfully
- Continue to next step
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
Step 9 Failure > expectation
- Reset the attributes of "authorized_keys"
- Delete user + delete home directory
- [If opted] Restore backup files in /etc/apt folder and sub-folders
- Disable UFW
- For 1st run of the script Restore /etc/fail2ban/jail.conf
- For 2nd run of the script restore /etc/fail2ban/jail.local
- Restore /etc/fail2ban/jail.d/defaults-debian.conf file if present
- Restore the /etc/ssh/sshd_config file
- Exit
- Ubuntu 14
- Works as expected
- Ubuntu 16
- Works as expected.
- Ubuntu 18
- Works as expected.
- Debian 8
Works as expected
- Debian 9
- Works as expected
## Testing
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Debian 9.6
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Debian 8.10
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 14.04.5
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 16.04.5
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 18.04.5
- [x] Test - ([Digital Ocean](https://m.do.co/c/90b426e9b307 "Get $100 free credit")) - Ubuntu 18.10
- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Debian 9
- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Ubuntu 16.04.5
- [x] Test - ([Hetzner](https://www.hetzner.com/)) - Ubuntu 18.04.1
- [x] Test - ([OVH](https://www.ovh.com)) - Debian 9
- [x] Test - ([OVH](https://www.ovh.com)) - Debian 8
- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 14.04
- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 16.04
- [x] Test - ([OVH](https://www.ovh.com)) - Ubuntu 18.04
- [x] Test failures - Debian 9 - Step 1
- [x] Test failures - Debian 9 - Step 2
- [x] Test failures - Debian 9 - Step 3
- [x] Test failures - Debian 9 - Step 4
- [x] Test failures - Debian 9 - Step 5
- [x] Test failures - Debian 9 - Step 6
- [x] Test failures - Debian 9 - Step 7
- [x] Test failures - Debian 9 - Step 8
- [x] Test failures - Debian 9 - Step 9
- [x] Test failures - Debian 8 - Step 1
- [x] Test failures - Debian 8 - Step 2
- [x] Test failures - Debian 8 - Step 3
- [x] Test failures - Debian 8 - Step 4
- [x] Test failures - Debian 8 - Step 5
- [x] Test failures - Debian 8 - Step 6
- [x] Test failures - Debian 8 - Step 7
- [x] Test failures - Debian 8 - Step 8
- [x] Test failures - Debian 8 - Step 9
- [x] Test failures - Ubuntu 14.04 - Step 1
- [x] Test failures - Ubuntu 14.04 - Step 2
- [x] Test failures - Ubuntu 14.04 - Step 3
- [x] Test failures - Ubuntu 14.04 - Step 4
- [x] Test failures - Ubuntu 14.04 - Step 5
- [x] Test failures - Ubuntu 14.04 - Step 6
- [x] Test failures - Ubuntu 14.04 - Step 7
- [x] Test failures - Ubuntu 14.04 - Step 8
- [x] Test failures - Ubuntu 14.04 - Step 9
- [x] Test failures - Ubuntu 16.04 - Step 1
- [x] Test failures - Ubuntu 16.04 - Step 2
- [x] Test failures - Ubuntu 16.04 - Step 3
- [x] Test failures - Ubuntu 16.04 - Step 4
- [x] Test failures - Ubuntu 16.04 - Step 5
- [x] Test failures - Ubuntu 16.04 - Step 6
- [x] Test failures - Ubuntu 16.04 - Step 7
- [x] Test failures - Ubuntu 16.04 - Step 8
- [x] Test failures - Ubuntu 16.04 - Step 9
- [x] Test failures - Ubuntu 18.04 - Step 1
- [x] Test failures - Ubuntu 18.04 - Step 2
- [x] Test failures - Ubuntu 18.04 - Step 3
- [x] Test failures - Ubuntu 18.04 - Step 4
- [x] Test failures - Ubuntu 18.04 - Step 5
- [x] Test failures - Ubuntu 18.04 - Step 6
- [x] Test failures - Ubuntu 18.04 - Step 7
- [x] Test failures - Ubuntu 18.04 - Step 8
- [x] Test failures - Ubuntu 18.04 - Step 9
- [x] Test - How it behaves on repeat execution
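Review bot: this deleted checklist is the only written specification of the per-step rollback behaviour (reset the attributes of authorized_keys, delete the user and home directory, restore the /etc/apt backups, disable UFW, restore jail.conf / jail.local / jail.d/defaults-debian.conf, restore /etc/ssh/sshd_config), and the README in this same commit still promises "Automatic recovery if operations fail" without saying what that recovery does. Rather than dropping the file outright, keep the step-by-step expected-rollback part as a testing document or as the scenario list for the new Docker tests, trimming only the per-distro results (Ubuntu 14/16/18 and Debian 8/9 are no longer listed as supported); the Step 4 caveat that the /etc/apt layout differs per provider (Hetzner in particular) is worth preserving.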

README.md

@@ -1,37 +1,39 @@
# Linux Server Hardener # Linux Server Hardener
Bash script that automates server security hardening on a new Linux server. A robust POSIX-compliant shell script that automates security hardening for Linux systems through SSH hardening, intrusion detection, firewall configuration, and granular access controls. This production-grade solution ensures consistent security baselines while maintaining compatibility across major Linux distributions.
## **WARNING** ## **WARNING**
This script can potentially make your server inaccessible if not used properly. Make sure you: This script can potentially make your server inaccessible if not used properly. Make sure you:
- Have a backup access method - Have a backup access method
- Review the script before running - Review the script before running
- Keep the terminal session open until completion - Keep the terminal session open until completion
- Save all credentials shown/logged during execution - Save all credentials shown/logged during execution
### IMPORTANT: SSH Key Management ### IMPORTANT: SSH Key Management
After running the script, you MUST: After running the script, you MUST:
1. **Save the SSH Private Key** 1. **Save the SSH Private Key**
- Copy the entire private key content (starts with `-----BEGIN OPENSSH PRIVATE KEY-----`)
- Store it securely on your local machine as `id_ed25519` or similar - Copy the entire private key content (starts with `-----BEGIN OPENSSH PRIVATE KEY-----`)
- Keep it strictly private and NEVER share it with anyone - Store it securely on your local machine as `id_ed25519` or similar
- Without this key, you cannot access your server - Keep it strictly private and NEVER share it with anyone
- Without this key, you cannot access your server
2. **Save the Key Passphrase** 2. **Save the Key Passphrase**
- Store the generated passphrase securely
- Required every time you use the private key - Store the generated passphrase securely
- Keep it secret like a password - Required every time you use the private key
- Cannot be recovered if lost - Keep it secret like a password
- Cannot be recovered if lost
3. **Public Key (Optional Save)** 3. **Public Key (Optional Save)**
- The part ending in `.pub` (starts with `ssh-ed25519`) - The part ending in `.pub` (starts with `ssh-ed25519`)
- Already configured on the server - Already configured on the server
- Can be shared safely with others - Can be shared safely with others
- Used for adding access to other servers - Used for adding access to other servers
Without the private key and passphrase, you will permanently lose access to your server! Without the private key and passphrase, you will permanently lose access to your server!
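Review bot: the new description's accuracy claims do not match the rest of the page. It calls the script "POSIX-compliant" while the removed wording called it a Bash script and every usage example below is fenced as bash, and it calls Fail2ban "intrusion detection" while the feature list further down describes it as brute-force protection. Either verify the POSIX claim against the script (for example by running it under dash or linting with `shellcheck -s sh`) or keep "Bash script", and write "brute-force protection (Fail2ban)" instead of "intrusion detection"; "production-grade solution ensures consistent security baselines" gives the reader nothing to check and should go.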
@@ -39,55 +41,55 @@ Without the private key and passphrase, you will permanently lose access to your
Tested and working on: Tested and working on:
- Debian 11, 12 - Debian 11, 12
- Ubuntu 22.04, 24.04, 24.10 - Ubuntu 22.04, 24.04, 24.10
## What's New in v2.0 🚀 ## What's New in v2.0 🚀
### Improved Logging 🎯 ### Improved Logging 🎯
- **Sensitive Data Control**: New `-s` flag to control credential display - **Sensitive Data Control**: New `-s` flag to control credential display
- Separate console/file logging levels - Separate console/file logging levels
- Better organized log file structure - Better organized log file structure
- More detailed operation logging - More detailed operation logging
### Documentation 📚 ### Documentation 📚
- **Better Examples**: More usage examples and scenarios - **Better Examples**: More usage examples and scenarios
- **Clear Warnings**: Improved warning messages and precautions - **Clear Warnings**: Improved warning messages and precautions
### OS Support 🐧 ### OS Support 🐧
- Removed unnecessary OS Restrictions - Removed unnecessary OS Restrictions
- Tested on the following distributions: - Tested on the following distributions:
- Ubuntu 22.04, 24.04, 24.10 - Ubuntu 22.04, 24.04, 24.10
- Debian 11, 12 - Debian 11, 12
- Fedora 40, 41 (in testing) - Fedora 40, 41 (in testing)
- FreeBSD (in future) - FreeBSD (in future)
### Test with Docker 🐳 ### Test with Docker 🐳
- **Test Commands**: Added various test scenarios - **Test Commands**: Added various test scenarios
- **Multi-distro**: Support for testing across distributions - **Multi-distro**: Support for testing across distributions
- **Quick Testing**: Faster feedback loop for testing changes - **Quick Testing**: Faster feedback loop for testing changes
## Usage ## Usage
### Requirements ### Requirements
- Root/sudo privileges - Root/sudo privileges
- One of the supported Linux distributions: - One of the supported Linux distributions:
- Debian 11/12 - Debian 11/12
- Ubuntu 20.04/22.04/24.04 - Ubuntu 20.04/22.04/24.04
- Fedora 40/41 - Fedora 40/41
### Options ### Options
- `-u USERNAME`: Create a new sudo user - `-u USERNAME`: Create a new sudo user
- `-r`: Reset root password to secure random value - `-r`: Reset root password to secure random value
- `-s`: Show sensitive information in console output - `-s`: Show sensitive information in console output
- `-h`: Display help message - `-h`: Display help message
```bash ```bash
# Basic hardening (SSH, Fail2ban, UFW, create & secure SSH key for logged in user) # Basic hardening (SSH, Fail2ban, UFW, create & secure SSH key for logged in user)
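Review bot: the supported-distribution lists in this hunk disagree with each other and none was reconciled. "Tested and working on" lists Ubuntu 22.04/24.04/24.10 and Debian 11/12, the Requirements list adds Ubuntu 20.04 (not tested anywhere on the page) and drops 24.10, and it lists Fedora 40/41 as supported while the OS Support section marks Fedora "(in testing)" and the To-do says it currently fails on Docker. Suggest a single list sourced from what was actually tested, with Fedora marked experimental in Requirements; "Removed unnecessary OS Restrictions" also sits oddly next to a requirement to be on "one of the supported Linux distributions", so state what the script does on an unlisted distro (warn and continue, or abort).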
@@ -108,7 +110,7 @@ Tested and working on:
### Post Installation ### Post Installation
- Check if the services are working properly - Check if the services are working properly
```bash ```bash
sudo ufw status sudo ufw status
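Review bot: since the hardening disables password authentication and root login (see the SSH Hardening list below), the Post Installation check should begin with verifying the new key-based login from a second terminal while the original session is still open, not with `sudo ufw status`; suggest adding that as the first step, then `sudo sshd -t` to confirm the rewritten sshd_config parses, and only then the ufw and `fail2ban-client status sshd` checks.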
@@ -122,58 +124,58 @@ The script performs comprehensive security hardening:
### SSH Hardening ### SSH Hardening
- Uses Ed25519 SSH keys (stronger than RSA) - Uses Ed25519 SSH keys (stronger than RSA)
- Disables root login - Disables root login
- Disables password authentication - Disables password authentication
- Enforces public key authentication - Enforces public key authentication
- Creates backup of original config - Creates backup of original config
- Secures authorized_keys file with proper permissions - Secures authorized_keys file with proper permissions
### Fail2ban Protection ### Fail2ban Protection
- Protects against brute force attempts - Protects against brute force attempts
- Configures SSH jail (1 day ban time) - Configures SSH jail (1 day ban time)
- Configures recidive jail (30 days for repeat offenders) - Configures recidive jail (30 days for repeat offenders)
- Configures nginx-http-auth jail - Configures nginx-http-auth jail
- Auto-excludes server's public IP - Auto-excludes server's public IP
- TIP: Unban using `fail2ban-client set sshd unbanip <IP>` - TIP: Unban using `fail2ban-client set sshd unbanip <IP>`
### UFW Firewall ### UFW Firewall
- Enables and configures UFW - Enables and configures UFW
- Allows SSH (22), HTTP (80), HTTPS (443) - Allows SSH (22), HTTP (80), HTTPS (443)
- Blocks all other incoming traffic - Blocks all other incoming traffic
- Allows all outgoing traffic - Allows all outgoing traffic
- TIP: Add new rules with `ufw allow <service>` - TIP: Add new rules with `ufw allow <service>`
### User Management ### User Management
- Option to reset root password - Option to reset root password
- Creates new sudo user (optional) - Creates new sudo user (optional)
- Generates secure random password - Generates secure random password
- Creates Ed25519 SSH key pair with 1000 KDF rounds - Creates Ed25519 SSH key pair with 1000 KDF rounds
- Configures authorized_keys securely - Configures authorized_keys securely
- TIP: Copy the user credentials from the log file after the script completes - TIP: Copy the user credentials from the log file after the script completes
### Backup and Recovery ### Backup and Recovery
- Creates backups of all modified configuration files - Creates backups of all modified configuration files
- Automatic recovery if operations fail - Automatic recovery if operations fail
- Restarts affected services as needed - Restarts affected services as needed
- Detailed logging for troubleshooting - Detailed logging for troubleshooting
### Logging ### Logging
- All operations logged to `./${SCRIPT_NAME}_TIMESTAMP.log` - All operations logged to `./${SCRIPT_NAME}_TIMESTAMP.log`
- Sensitive information only logged to file by default - Sensitive information only logged to file by default
- Optional console display with `-s` flag - Optional console display with `-s` flag
- Execution time tracking - Execution time tracking
- Separate console/file logging levels - Separate console/file logging levels
## To-do ## To-do
- [ ] Test on Fedora 40, 41 on VPS and not on Docker (it fails on Docker right now) - [ ] Test on Fedora 40, 41 on VPS and not on Docker (it fails on Docker right now)
- [ ] Test on FreeBSD - [ ] Test on FreeBSD
## License ## License
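Review bot: the Logging and User Management sections send the credentials and key material the script generates (the root password when `-r` is used, the new user's password, the private key and its passphrase) to a plaintext log in the current directory ("Sensitive information only logged to file by default", "Copy the user credentials from the log file"), but nothing here says what permissions that file gets or that it should be removed once the credentials are saved; document the file mode (0600, root-owned) and add a TIP to delete or shred the log after the key and passphrase are stored. Second, "Configures nginx-http-auth jail" is unconditional: on a host without nginx the jail has no log file to watch, which makes fail2ban report a configuration error for that jail and typically refuse to start at all, so enable it only when the nginx log path exists.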