From 31809f35ee8741b3ac5f2d5d41758ca862f79159 Mon Sep 17 00:00:00 2001
From: Pratik
Date: Mon, 11 Feb 2019 21:18:25 +0530
Subject: [PATCH] Added new "Step 9" - Scheduling daily update download

---
 README.md | 61 +++++++++++++++++++-----------
 init-linux-harden.sh | 88 ++++++++++++++++++++++++++++++++++++++------
 2 files changed, 117 insertions(+), 32 deletions(-)

diff --git a/README.md b/README.md
index 30bada6..6007a1c 100644
--- a/README.md
+++ b/README.md
@@ -68,12 +68,13 @@ Script performs the following operations:- 5. [Update + Upgrade + Install softwares (sudo curl screen ufw fail2ban)](https://github.com/pratiktri/init-li-harden#5-updates--upgrades--installs-required-softwares-sudo--screen-ufw-fail2ban "Goto details of the step") 6. [Configure UFW](https://github.com/pratiktri/init-li-harden#6-configure-ufw "Goto details of the step") 7. [Configure Fail2Ban](https://github.com/pratiktri/init-li-harden#7-configure-fail2ban "Goto details of the step") -8. [Alter SSH options(/etc/ssh/sshd_config) to do the following:-](https://github.com/pratiktri/init-li-harden#8-alter-ssh-options "Goto details of the step") +8. [Schedule cron for daily system update](https://github.com/pratiktri/init-li-harden#8-schedule-cron-for-daily-system-update "Goto details of the step") +9. [[Optionally] Reset *root* password](https://github.com/pratiktri/init-li-harden#9-optionally-reset-root-password "Goto details of the step") +10. [Alter SSH options(/etc/ssh/sshd_config) to do the following:-](https://github.com/pratiktri/init-li-harden#10-alter-ssh-options "Goto details of the step") * Disable SSH login for *root* (PermitRootLogin no) * Disable SSH login through password for all users (PasswordAuthentication no) * Updates path for *authoried_keys* file -9. [[Optionally] Reset *root* password](https://github.com/pratiktri/init-li-harden#9-optionally-reset-root-password "Goto details of the step") -10. [On successfully completing above operations, display the following on screen:-](https://github.com/pratiktri/init-li-harden#10-display-summary "Goto details of the step") +11. [On successfully completing above operations, display the following on screen:-](https://github.com/pratiktri/init-li-harden#11-display-summary "Goto details of the step") * Username * User Password * SSH Private Key's path on the server 
@@ -259,26 +260,24 @@ This script sets up Fail2ban as following:- > __After Error__ - Continue to next step after restoration. - -### 8. Alter SSH options -This step contines from step 3 to harden our ssh login. Here, we edit */etc/ssh/sshd_config* file to achieve the following:- -* Disable *root* login (**PermitRootLogin no**). No one needs to work on *root*. The new user created already has *root* privileges anyways. -* Disable password login (**PasswordAuthentication no**). This ensures we can ONLY login though SSH Keys. -* Specify where to find authorized public keys which are granted login (\\.ssh\authorized_keys %h\\.ssh\authorized_keys) +### 8. Schedule cron for daily system update +While it is a bad idea to schedule automatic installation of updates ([read more here](https://debian-administration.org/article/162/A_short_introduction_to_cron-apt)), sizable amount of server administration time can be saved by *downloading* updates when no one is looking. + +In this step we schedule a daily crontab (/etc/cron.daily/linux_init_harden_apt_update.sh) to download updates. You would want to manually do the installation running the below command. + +```bash +sudo apt-get dist-upgrade +``` #### Error Handling -> __Failure Impact__ - Potentially __CATASTROPHIC__. +> __Failure Impact__ - Minimal. No auto download of software updates > -> __Restoration__ - Delete user and its home directory; Disable UFW: If back up of /etc/fail2ban/jail.local file found, then that is restored; else back up of /etc/fail2ban/jail.conf is restored. Also, back up of /etc/fail2ban/jail.d/defaults-debian.conf file restored if available. Restore the /etc/ssh/sshd_config file from backup file created before the operation. +> __Restoration__ - Remove the script file (/etc/cron.daily/linux_init_harden_apt_update.sh). > -> __Impact of Restoration Failure__ - Fatal. DO NOT logout of the session. If you do then, you may not be able to log back in. Check the log file to see what went wrong. 
Issue the following command and see what is the out put. Search the error message on internet for solution. -> ```bash -> # service sshd restart -> ``` -> __After Error__ - Script will be terminated. - - +> __Impact of Restoration Failure__ - The cron job might execute once a day and *fail*. You might have to manually delete the file (/etc/cron.daily/linux_init_harden_apt_update.sh) manually. +> +> __After Error__ - Continue to next step. ### 9. [Optionally] Reset root password Since, VPS providers sends you the password of your VPS's *root* user in email in plain text. So, password needs to be changed immediately. **But, since we have disabled *root* login AND password login in the above step, changing *root* password might be an overkill**. But, still... 
@@ -298,6 +297,26 @@ To change your *root* password provide option --resetrootpw. *root* password the > __After Error__ - Continue to next step. + +### 10. Alter SSH options +This step contines from step 3 to harden our ssh login. Here, we edit */etc/ssh/sshd_config* file to achieve the following:- +* Disable *root* login (**PermitRootLogin no**). No one needs to work on *root*. The new user created already has *root* privileges anyways. +* Disable password login (**PasswordAuthentication no**). This ensures we can ONLY login though SSH Keys. +* Specify where to find authorized public keys which are granted login (\\.ssh\authorized_keys %h\\.ssh\authorized_keys) + +#### Error Handling + +> __Failure Impact__ - Potentially __CATASTROPHIC__. +> +> __Restoration__ - Delete user and its home directory; Disable UFW: If back up of /etc/fail2ban/jail.local file found, then that is restored; else back up of /etc/fail2ban/jail.conf is restored. Also, back up of /etc/fail2ban/jail.d/defaults-debian.conf file restored if available. Restore the /etc/ssh/sshd_config file from backup file created before the operation. +> +> __Impact of Restoration Failure__ - Fatal. DO NOT logout of the session. If you do then, you may not be able to log back in. Check the log file to see what went wrong. Issue the following command and see what is the out put. Search the error message on internet for solution. +> ```bash +> # service sshd restart +> ``` +> __After Error__ - Script will be terminated. + + ### 10. Display Summary All the generated username, passwords, SSH Key location & SSH Keys themselves are displayed on the screen. 
@@ -311,9 +330,9 @@ The logfile is located in /tmp/ directory - thus will be removed when server reb
 # Todo
 ## Bug fixes
-- [x] ~~On successful restoration - delete the bkp files~~ Could be counter productive
+- [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter productive)
 - [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
-- [x] What to do if creating .bkp file creation fails? Ans - fail that entire step
+- [x] What to do if creating .bkp file fails? Ans - fail that entire step
 - [ ] fail2ban does not work on Ubuntu 14.04 => does NOT have the defaults-debian.conf file.
 - [ ] Exception handle - when curl https://ipinfo.io/ip fails
 - [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not
@@ -325,7 +344,7 @@ The logfile is located in /tmp/ directory - thus will be removed when server reb
 - [ ] Update README - Detail all the locations where backup files would be created
 - [ ] Update README - Note that we never uninstall any software during restore operations
 - [ ] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
-- [ ] New - Schedule daily system update
+- [x] New - Schedule daily system update downloads
 - [ ] New - Enable LUKS (is it even worth it???)
 - [ ] New - DNSCrypt
 - [ ] New - Display time taken to complete all operations
diff --git a/init-linux-harden.sh b/init-linux-harden.sh
index 31c40ec..f51fc58 100644
--- a/init-linux-harden.sh
+++ b/init-linux-harden.sh
@@ -228,12 +228,13 @@ OP_CODE=0
 CreateNonRootUser=0
 CreateSSHKey=0
 SecureAuthkeysfile=0
-EnableSSHOnly=0
 ChangeSourceList=0
 InstallReqSoftwares=0
 ConfigureUFW=0
 ConfigureFail2Ban=0
 ChangeRootPwd=0
+ScheduleUpdate=0
+EnableSSHOnly=0
 
 function set_op_code() {
     if [[ $OP_CODE -eq 0 ]] && [[ $1 -gt 0 ]]; then
@@ -284,6 +285,9 @@ function get_event_var_from_event() {
         "${OP_TEXT[8]}")
             echo "ChangeRootPwd"
             ;;
+        "${OP_TEXT[9]}")
+            echo "ScheduleUpdate"
+            ;;
         *)
             false
             ;;
@@ -491,7 +495,7 @@ function revert_config_fail2ban(){
     reset_op_code
 }
 
-revert_software_installs(){
+function revert_software_installs(){
     echo
     center_err_text "Error while installing softwares"
     center_err_text "This may be a false-alarm"
@@ -500,6 +504,21 @@ revert_software_installs(){
     file_log "This is NOT a catastrophic error"
 }
 
+function revert_schedule_updates() {
+    file_log "Reverting Daily Update Download..."
+
+    rm $dailycron_filename
+    set_op_code $?
+
+    if [[ $OP_CODE -eq 0 ]]; then
+        op_rev_log "Reverting - Daily Update Download" "SUCCESSFUL"
+    else
+        error_restoring "Reverting - Daily Update Download"
+    fi
+
+    reset_op_code
+}
+
 function revert_ssh_only_login(){
     revert_secure_authorized_key
     if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then
@@ -507,7 +526,7 @@ function revert_ssh_only_login(){
     fi
     revert_config_UFW
     revert_config_fail2ban
-
+    revert_schedule_updates
 
     file_log "Reverting SSH-only Login..."
 
@@ -539,12 +558,15 @@ function revert_ssh_only_login(){
 }
 
 function finally(){
-    if [[ $CreateNonRootUser -eq 2 ]] &&
-        [[ $CreateSSHKey -eq 2 ]] &&
-        [[ $SecureAuthkeysfile -eq 2 ]] &&
-        [[ $EnableSSHOnly -eq 2 ]] &&
+    if [[ $CreateNonRootUser -eq 2 ]] &&
+        [[ $CreateSSHKey -eq 2 ]] &&
+        [[ $SecureAuthkeysfile -eq 2 ]] &&
         [[ $ChangeSourceList -eq 2 ]] &&
-        [[ $InstallReqSoftwares -eq 2 ]]; then
+        [[ $InstallReqSoftwares -eq 2 ]] &&
+        [[ $ConfigureUFW -le 2 ]] && # Since 0 (NO-OP) is still success
+        [[ $ConfigureFail2Ban -le 2 ]] && # Since 0 (NO-OP) is still success
+        [[ $ScheduleUpdate -eq 2 ]] &&
+        [[ $EnableSSHOnly -eq 2 ]]; then
         echo
         line_fill "$CHORIZONTAL" "$CLINESIZE"
         line_fill "$CHORIZONTAL" "$CLINESIZE"
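Review bot: `rm $dailycron_filename` in revert_schedule_updates has no `-f`, so it exits non-zero and error_restoring is logged whenever the cron file is absent, and if the variable is still empty — it is only assigned inside Step 8's brace group — `rm` runs with no operand and fails the same way, reporting a broken revert for a file that was never created. The absent-file case is reachable from this very function's failure path in Step 8 (an `echo` redirection that fails before the file exists) and from revert_ssh_only_login, which now chains into this revert. Suggest `[[ -z "$dailycron_filename" ]] || rm -f -- "$dailycron_filename"` so a missing file counts as already reverted and the path is quoted like the other expansions in the script. Whether any revert path can run before Step 8 has executed depends on finally()/revert_changes, which I cannot see from this hunk.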
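Review bot: `[[ $ConfigureUFW -le 2 ]]` and `[[ $ConfigureFail2Ban -le 2 ]]` in finally() also accept status 1, which the script writes at the start of a step (`update_event_status "${OP_TEXT[9]}" 1` in Step 8) and only replaces with 2 or 3 once the step finishes, so a step that started but never completed would be counted toward the all-green summary. The inline comment says the intent is that 0 (NO-OP) is success, so the precise test is `[[ $ConfigureUFW -eq 0 || $ConfigureUFW -eq 2 ]] &&` (and the same for ConfigureFail2Ban). Whether finally() can actually be reached while a step is still at 1 depends on how it is invoked, which is outside this hunk; the function body also continues past the hunk.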
@@ -596,10 +618,13 @@ function finally(){
     if [[ $ChangeSourceList -eq 3 ]] ||
         [[ $InstallReqSoftwares -eq 3 ]] ||
+        [[ $ConfigureUFW -eq 3 ]] ||
+        [[ $ConfigureFail2Ban -eq 3 ]]
+        [[ $ScheduleUpdate -eq 3 ]] &&
         [[ $ChangeRootPwd -eq 3 ]]; then
         center_err_text "Some operations failed..."
         center_err_text "These may NOT be catastrophic"
-        center_err_text "Please look at $LOGFILE for details"
+        center_err_text "Please check $LOGFILE file for details"
         revert_changes "$1"
         echo
     fi
@@ -719,6 +744,7 @@ OP_TEXT=(
     "Configure UFW" #6
     "Configure Fail2Ban" #7
     "Changing root password" #8
+    "Scheduling daily update download" #9
 )
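Review bot: The added `[[ $ConfigureFail2Ban -eq 3 ]]` line has no trailing `||`, so the `if` list is split at that newline: the `ChangeSourceList || InstallReqSoftwares || ConfigureUFW || ConfigureFail2Ban` chain is evaluated and its result discarded, and the branch is taken only when the last command, `[[ $ScheduleUpdate -eq 3 ]] && [[ $ChangeRootPwd -eq 3 ]]`, succeeds — i.e. when both of those steps failed. An isolated UFW, Fail2Ban, source-list or update-schedule failure therefore never prints "Some operations failed..." and never calls revert_changes, even though each of those steps sets status 3 on failure. Given the message text, every step in the list should be joined with `||`: `[[ $ConfigureFail2Ban -eq 3 ]] ||`, `[[ $ScheduleUpdate -eq 3 ]] ||`, `[[ $ChangeRootPwd -eq 3 ]]; then`. finally() starts outside this hunk, so I cannot see whether an earlier branch already covers those cases.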
@@ -1093,7 +1119,47 @@ fi
 ##############################################################
-# Step 8 - Change root's password
+# Step 8 - Schedule cron for daily system update
+##############################################################
+
+reset_op_code
+update_event_status "${OP_TEXT[9]}" 1
+
+op_log "${OP_TEXT[9]}"
+{
+    dailycron_filename=/etc/cron.daily/linux_init_harden_apt_update.sh
+
+    # Check if we created a schedule already
+    if [[ -f $dailycron_filename ]] ; then
+        true
+    else
+        # If not created already - create one into the file
+        file_log "Adding our schedule to the script file ${dailycron_filename}"
+        echo "#!/bin/sh" >> $dailycron_filename
+        echo 'apt-get update && apt-get -y -d upgrade' >> $dailycron_filename
+        set_op_code $?
+
+        file_log "Granting execute permission on ${dailycron_filename} file"
+        chmod +x $dailycron_filename
+        set_op_code $?
+    fi
+} 2>> "$LOGFILE" >&2
+
+if [[ $OP_CODE -eq 0 ]]; then
+    update_event_status "${OP_TEXT[9]}" 2
+    op_log "${OP_TEXT[9]}" "SUCCESSFUL"
+    file_log "NOTE - we only DOWNLOAD the updates"
+    file_log "\\t - to install use \"apt-get dist-upgrade\""
+else
+    reset_op_code
+    update_event_status "${OP_TEXT[9]}" 3
+    op_log "${OP_TEXT[9]}" "FAILED"
+    revert_schedule_updates
+fi
+
+
+##############################################################
+# Step 9 - Change root's password
 ##############################################################
 
 if [[ $RESET_ROOT_PWD == 'y' ]]; then
@@ -1128,7 +1194,7 @@ fi
 ##############################################################
-# Step 9 - Enable SSH-only login
+# Step 10 - Enable SSH-only login
 ##############################################################
 
 # TODO - Make this cleaner
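Review bot: The cron script is written to `/etc/cron.daily/linux_init_harden_apt_update.sh`, but cron.daily on Debian/Ubuntu is driven by run-parts, whose default filename rule accepts only letters, digits, `_` and `-`; a name containing `.sh` is silently skipped, so the daily download this step advertises would never run while the step is still logged SUCCESSFUL. Drop the extension: `dailycron_filename=/etc/cron.daily/linux_init_harden_apt_update` (and update the README paths that mention it). While on that line, the expansions in the `-f` test, both `>>` redirections and `chmod` should be quoted as `"$dailycron_filename"` like `"$LOGFILE"` is elsewhere, and only the second `echo` has its status checked — a failure writing the `#!/bin/sh` line would go unnoticed. The bare `true` branch can be avoided by testing `! -f` and dropping the else.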