Added new "Step 9" - Scheduling daily update download

This commit is contained in:
Pratik
2019-02-11 21:18:25 +05:30
parent 6a6f466123
commit 31809f35ee
2 changed files with 117 additions and 32 deletions


@@ -68,12 +68,13 @@ Script performs the following operations:-
5. [Update + Upgrade + Install softwares (sudo curl screen ufw fail2ban)](https://github.com/pratiktri/init-li-harden#5-updates--upgrades--installs-required-softwares-sudo--screen-ufw-fail2ban "Goto details of the step") 5. [Update + Upgrade + Install softwares (sudo curl screen ufw fail2ban)](https://github.com/pratiktri/init-li-harden#5-updates--upgrades--installs-required-softwares-sudo--screen-ufw-fail2ban "Goto details of the step")
6. [Configure UFW](https://github.com/pratiktri/init-li-harden#6-configure-ufw "Goto details of the step") 6. [Configure UFW](https://github.com/pratiktri/init-li-harden#6-configure-ufw "Goto details of the step")
7. [Configure Fail2Ban](https://github.com/pratiktri/init-li-harden#7-configure-fail2ban "Goto details of the step") 7. [Configure Fail2Ban](https://github.com/pratiktri/init-li-harden#7-configure-fail2ban "Goto details of the step")
8. [Alter SSH options(/etc/ssh/sshd_config) to do the following:-](https://github.com/pratiktri/init-li-harden#8-alter-ssh-options "Goto details of the step") 8. [Schedule cron for daily system update](https://github.com/pratiktri/init-li-harden#8-schedule-cron-for-daily-system-update "Goto details of the step")
9. [[Optionally] Reset *root* password](https://github.com/pratiktri/init-li-harden#9-optionally-reset-root-password "Goto details of the step")
10. [Alter SSH options(/etc/ssh/sshd_config) to do the following:-](https://github.com/pratiktri/init-li-harden#10-alter-ssh-options "Goto details of the step")
* Disable SSH login for *root* (PermitRootLogin no) * Disable SSH login for *root* (PermitRootLogin no)
* Disable SSH login through password for all users (PasswordAuthentication no) * Disable SSH login through password for all users (PasswordAuthentication no)
* Updates path for *authoried_keys* file * Updates path for *authoried_keys* file
9. [[Optionally] Reset *root* password](https://github.com/pratiktri/init-li-harden#9-optionally-reset-root-password "Goto details of the step") 11. [On successfully completing above operations, display the following on screen:-](https://github.com/pratiktri/init-li-harden#11-display-summary "Goto details of the step")
10. [On successfully completing above operations, display the following on screen:-](https://github.com/pratiktri/init-li-harden#10-display-summary "Goto details of the step")
* Username * Username
* User Password * User Password
* SSH Private Key's path on the server * SSH Private Key's path on the server
@@ -259,26 +260,24 @@ This script sets up Fail2ban as following:-
> __After Error__ - Continue to next step after restoration. > __After Error__ - Continue to next step after restoration.
### 8. Alter SSH options
This step contines from step 3 to harden our ssh login. Here, we edit */etc/ssh/sshd_config* file to achieve the following:-
* Disable *root* login (**PermitRootLogin no**). No one needs to work on *root*. The new user created already has *root* privileges anyways.
* Disable password login (**PasswordAuthentication no**). This ensures we can ONLY login though SSH Keys.
* Specify where to find authorized public keys which are granted login (\\.ssh\authorized_keys %h\\.ssh\authorized_keys)
### 8. Schedule cron for daily system update
While it is a bad idea to schedule automatic installation of updates ([read more here](https://debian-administration.org/article/162/A_short_introduction_to_cron-apt)), sizable amount of server administration time can be saved by *downloading* updates when no one is looking.
In this step we schedule a daily crontab (/etc/cron.daily/linux_init_harden_apt_update.sh) to download updates. You would want to manually do the installation running the below command.
```bash
sudo apt-get dist-upgrade
```
#### Error Handling #### Error Handling
> __Failure Impact__ - Potentially __CATASTROPHIC__. > __Failure Impact__ - Minimal. No auto download of software updates
> >
> __Restoration__ - Delete user and its home directory; Disable UFW: If back up of /etc/fail2ban/jail.local file found, then that is restored; else back up of /etc/fail2ban/jail.conf is restored. Also, back up of /etc/fail2ban/jail.d/defaults-debian.conf file restored if available. Restore the /etc/ssh/sshd_config file from backup file created before the operation. > __Restoration__ - Remove the script file (/etc/cron.daily/linux_init_harden_apt_update.sh).
> >
> __Impact of Restoration Failure__ - Fatal. DO NOT logout of the session. If you do then, you may not be able to log back in. Check the log file to see what went wrong. Issue the following command and see what is the out put. Search the error message on internet for solution. > __Impact of Restoration Failure__ - The cron job might execute once a day and *fail*. You might have to manually delete the file (/etc/cron.daily/linux_init_harden_apt_update.sh) manually.
> ```bash >
> # service sshd restart > __After Error__ - Continue to next step.
> ```
> __After Error__ - Script will be terminated.
### 9. [Optionally] Reset root password ### 9. [Optionally] Reset root password
Since, VPS providers sends you the password of your VPS's *root* user in email in plain text. So, password needs to be changed immediately. **But, since we have disabled *root* login AND password login in the above step, changing *root* password might be an overkill**. But, still... Since, VPS providers sends you the password of your VPS's *root* user in email in plain text. So, password needs to be changed immediately. **But, since we have disabled *root* login AND password login in the above step, changing *root* password might be an overkill**. But, still...
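Review bot: The new "Impact of Restoration Failure" line for step 8 says "You might have to manually delete the file (...) manually", repeating the adverb; drop one of them. While touching this paragraph, "sizable amount of server administration time" in the step intro wants an article ("a sizable amount"), and "This step contines" should read "continues".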
@@ -298,6 +297,26 @@ To change your *root* password provide option --resetrootpw. *root* password the
> __After Error__ - Continue to next step. > __After Error__ - Continue to next step.
### 10. Alter SSH options
This step contines from step 3 to harden our ssh login. Here, we edit */etc/ssh/sshd_config* file to achieve the following:-
* Disable *root* login (**PermitRootLogin no**). No one needs to work on *root*. The new user created already has *root* privileges anyways.
* Disable password login (**PasswordAuthentication no**). This ensures we can ONLY login though SSH Keys.
* Specify where to find authorized public keys which are granted login (\\.ssh\authorized_keys %h\\.ssh\authorized_keys)
#### Error Handling
> __Failure Impact__ - Potentially __CATASTROPHIC__.
>
> __Restoration__ - Delete user and its home directory; Disable UFW: If back up of /etc/fail2ban/jail.local file found, then that is restored; else back up of /etc/fail2ban/jail.conf is restored. Also, back up of /etc/fail2ban/jail.d/defaults-debian.conf file restored if available. Restore the /etc/ssh/sshd_config file from backup file created before the operation.
>
> __Impact of Restoration Failure__ - Fatal. DO NOT logout of the session. If you do then, you may not be able to log back in. Check the log file to see what went wrong. Issue the following command and see what is the out put. Search the error message on internet for solution.
> ```bash
> # service sshd restart
> ```
> __After Error__ - Script will be terminated.
### 10. Display Summary ### 10. Display Summary
All the generated username, passwords, SSH Key location & SSH Keys themselves are displayed on the screen. All the generated username, passwords, SSH Key location & SSH Keys themselves are displayed on the screen.
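Review bot: The SSH section moved here as step 10 carries its old typos along: "contines" should be "continues" and "ONLY login though SSH Keys" should be "through". Since the whole block is being re-added anyway, this is the cheapest moment to fix both.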
@@ -311,9 +330,9 @@ The logfile is located in /tmp/ directory - thus will be removed when server reb
# Todo # Todo
## Bug fixes ## Bug fixes
- [x] ~~On successful restoration - delete the bkp files~~ Could be counter productive - [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter productive)
- [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension - [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
- [x] What to do if creating .bkp file creation fails? Ans - fail that entire step - [x] What to do if creating .bkp file fails? Ans - fail that entire step
- [ ] fail2ban does not work on Ubuntu 14.04 => does NOT have the defaults-debian.conf file. - [ ] fail2ban does not work on Ubuntu 14.04 => does NOT have the defaults-debian.conf file.
- [ ] Exception handle - when curl https://ipinfo.io/ip fails - [ ] Exception handle - when curl https://ipinfo.io/ip fails
- [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not - [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not
@@ -325,7 +344,7 @@ The logfile is located in /tmp/ directory - thus will be removed when server reb
- [ ] Update README - Detail all the locations where backup files would be created - [ ] Update README - Detail all the locations where backup files would be created
- [ ] Update README - Note that we never uninstall any software during restore operations - [ ] Update README - Note that we never uninstall any software during restore operations
- [ ] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours) - [ ] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
- [ ] New - Schedule daily system update - [x] New - Schedule daily system update downloads
- [ ] New - Enable LUKS (is it even worth it???) - [ ] New - Enable LUKS (is it even worth it???)
- [ ] New - DNSCrypt - [ ] New - DNSCrypt
- [ ] New - Display time taken to complete all operations - [ ] New - Display time taken to complete all operations


@@ -228,12 +228,13 @@ OP_CODE=0
CreateNonRootUser=0 CreateNonRootUser=0
CreateSSHKey=0 CreateSSHKey=0
SecureAuthkeysfile=0 SecureAuthkeysfile=0
EnableSSHOnly=0
ChangeSourceList=0 ChangeSourceList=0
InstallReqSoftwares=0 InstallReqSoftwares=0
ConfigureUFW=0 ConfigureUFW=0
ConfigureFail2Ban=0 ConfigureFail2Ban=0
ChangeRootPwd=0 ChangeRootPwd=0
ScheduleUpdate=0
EnableSSHOnly=0
function set_op_code() { function set_op_code() {
if [[ $OP_CODE -eq 0 ]] && [[ $1 -gt 0 ]]; then if [[ $OP_CODE -eq 0 ]] && [[ $1 -gt 0 ]]; then
@@ -284,6 +285,9 @@ function get_event_var_from_event() {
"${OP_TEXT[8]}") "${OP_TEXT[8]}")
echo "ChangeRootPwd" echo "ChangeRootPwd"
;; ;;
"${OP_TEXT[9]}")
echo "ScheduleUpdate"
;;
*) *)
false false
;; ;;
@@ -491,7 +495,7 @@ function revert_config_fail2ban(){
reset_op_code reset_op_code
} }
revert_software_installs(){ function revert_software_installs(){
echo echo
center_err_text "Error while installing softwares" center_err_text "Error while installing softwares"
center_err_text "This may be a false-alarm" center_err_text "This may be a false-alarm"
@@ -500,6 +504,21 @@ revert_software_installs(){
file_log "This is NOT a catastrophic error" file_log "This is NOT a catastrophic error"
} }
function revert_schedule_updates() {
file_log "Reverting Daily Update Download..."
rm $dailycron_filename
set_op_code $?
if [[ $OP_CODE -eq 0 ]]; then
op_rev_log "Reverting - Daily Update Download" "SUCCESSFUL"
else
error_restoring "Reverting - Daily Update Download"
fi
reset_op_code
}
function revert_ssh_only_login(){ function revert_ssh_only_login(){
revert_secure_authorized_key revert_secure_authorized_key
if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then
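Review bot: `rm $dailycron_filename` in `revert_schedule_updates` depends on a variable that is only assigned inside the Step 8 block (`dailycron_filename=/etc/cron.daily/linux_init_harden_apt_update.sh`), so if the revert path runs before that assignment `rm` is invoked with no operand, `set_op_code $?` records a failure, and `error_restoring` reports a problem that is really a missing variable. It also deletes the file unconditionally, although the step's `if [[ -f $dailycron_filename ]] ; then true` branch deliberately leaves a pre-existing file untouched, so a revert can remove a cron script the user had installed themselves. Suggest defining `dailycron_filename` with the other globals next to the status variables, quoting it (`rm -f "$dailycron_filename"`), and only removing the file when the step actually created it.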
@@ -507,7 +526,7 @@ function revert_ssh_only_login(){
fi fi
revert_config_UFW revert_config_UFW
revert_config_fail2ban revert_config_fail2ban
revert_schedule_updates
file_log "Reverting SSH-only Login..." file_log "Reverting SSH-only Login..."
@@ -539,12 +558,15 @@ function revert_ssh_only_login(){
} }
function finally(){ function finally(){
if [[ $CreateNonRootUser -eq 2 ]] && if [[ $CreateNonRootUser -eq 2 ]] &&
[[ $CreateSSHKey -eq 2 ]] && [[ $CreateSSHKey -eq 2 ]] &&
[[ $SecureAuthkeysfile -eq 2 ]] && [[ $SecureAuthkeysfile -eq 2 ]] &&
[[ $EnableSSHOnly -eq 2 ]] &&
[[ $ChangeSourceList -eq 2 ]] && [[ $ChangeSourceList -eq 2 ]] &&
[[ $InstallReqSoftwares -eq 2 ]]; then [[ $InstallReqSoftwares -eq 2 ]] &&
[[ $ConfigureUFW -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $ConfigureFail2Ban -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $ScheduleUpdate -eq 2 ]] &&
[[ $EnableSSHOnly -eq 2 ]]; then
echo echo
line_fill "$CHORIZONTAL" "$CLINESIZE" line_fill "$CHORIZONTAL" "$CLINESIZE"
line_fill "$CHORIZONTAL" "$CLINESIZE" line_fill "$CHORIZONTAL" "$CLINESIZE"
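Review bot: `[[ $ConfigureUFW -le 2 ]]` and `[[ $ConfigureFail2Ban -le 2 ]]` in the success condition of `finally` also accept status 1, which elsewhere in this patch marks a step as started but not finished (`update_event_status "${OP_TEXT[9]}" 1` at the top of a step, 2 on success, 3 on failure). If the comment's intent is "0 (NO-OP) is still success", spell that out as `[[ $ConfigureUFW -eq 0 || $ConfigureUFW -eq 2 ]]` so an interrupted step cannot be reported as an all-green run.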
@@ -596,10 +618,13 @@ function finally(){
if [[ $ChangeSourceList -eq 3 ]] || if [[ $ChangeSourceList -eq 3 ]] ||
[[ $InstallReqSoftwares -eq 3 ]] || [[ $InstallReqSoftwares -eq 3 ]] ||
[[ $ConfigureUFW -eq 3 ]] ||
[[ $ConfigureFail2Ban -eq 3 ]]
[[ $ScheduleUpdate -eq 3 ]] &&
[[ $ChangeRootPwd -eq 3 ]]; then [[ $ChangeRootPwd -eq 3 ]]; then
center_err_text "Some operations failed..." center_err_text "Some operations failed..."
center_err_text "These may NOT be catastrophic" center_err_text "These may NOT be catastrophic"
center_err_text "Please look at $LOGFILE for details" center_err_text "Please check $LOGFILE file for details"
revert_changes "$1" revert_changes "$1"
echo echo
fi fi
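Review bot: The failure condition in `finally` is broken by a missing operator: `[[ $ConfigureFail2Ban -eq 3 ]]` ends its line with no `||`, which terminates the command list, and the next line `[[ $ScheduleUpdate -eq 3 ]] &&` joins the last two tests with `&&`. Bash then takes the exit status of the final list only, so the `if` reduces to "ScheduleUpdate failed AND ChangeRootPwd failed", and the source-list, software-install, UFW and Fail2Ban failures above it never trigger the "Some operations failed..." message or `revert_changes`. Add `||` after the Fail2Ban test and change the `&&` to `||`.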
@@ -719,6 +744,7 @@ OP_TEXT=(
"Configure UFW" #6 "Configure UFW" #6
"Configure Fail2Ban" #7 "Configure Fail2Ban" #7
"Changing root password" #8 "Changing root password" #8
"Scheduling daily update download" #9
) )
@@ -1093,7 +1119,47 @@ fi
############################################################## ##############################################################
# Step 8 - Change root's password # Step 8 - Schedule cron for daily system update
##############################################################
reset_op_code
update_event_status "${OP_TEXT[9]}" 1
op_log "${OP_TEXT[9]}"
{
dailycron_filename=/etc/cron.daily/linux_init_harden_apt_update.sh
# Check if we created a schedule already
if [[ -f $dailycron_filename ]] ; then
true
else
# If not created already - create one into the file
file_log "Adding our schedule to the script file ${dailycron_filename}"
echo "#!/bin/sh" >> $dailycron_filename
echo 'apt-get update && apt-get -y -d upgrade' >> $dailycron_filename
set_op_code $?
file_log "Granting execute permission on ${dailycron_filename} file"
chmod +x $dailycron_filename
set_op_code $?
fi
} 2>> "$LOGFILE" >&2
if [[ $OP_CODE -eq 0 ]]; then
update_event_status "${OP_TEXT[9]}" 2
op_log "${OP_TEXT[9]}" "SUCCESSFUL"
file_log "NOTE - we only DOWNLOAD the updates"
file_log "\\t - to install use \"apt-get dist-upgrade\""
else
reset_op_code
update_event_status "${OP_TEXT[9]}" 3
op_log "${OP_TEXT[9]}" "FAILED"
revert_schedule_updates
fi
##############################################################
# Step 9 - Change root's password
############################################################## ##############################################################
if [[ $RESET_ROOT_PWD == 'y' ]]; then if [[ $RESET_ROOT_PWD == 'y' ]]; then
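Review bot: The cron script is created as `/etc/cron.daily/linux_init_harden_apt_update.sh`, but on Debian and Ubuntu `/etc/cron.daily` is executed through `run-parts`, which (without `--lsbsysinit` or `--regex`) only runs files whose names consist of letters, digits, underscores and hyphens; the `.sh` suffix means this file is silently skipped every day and the step achieves nothing, while the README now tells users that updates are being downloaded. Name the file `linux_init_harden_apt_update` (no extension) and update `dailycron_filename` and the README path accordingly. Two smaller points in the same block: the scheduled command is `apt-get update && apt-get -y -d upgrade`, yet both the README and `file_log "\\t - to install use \"apt-get dist-upgrade\""` tell the user to run `dist-upgrade`, which can pull packages `upgrade` would not have downloaded, so either download with `-d dist-upgrade` or document `upgrade`; and `set_op_code $?` only checks the second `echo`, so a failure writing the `#!/bin/sh` line is not recorded (and `if [[ -f ... ]]; then true; else` reads more naturally as `if [[ ! -f ... ]]; then`).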
@@ -1128,7 +1194,7 @@ fi
############################################################## ##############################################################
# Step 9 - Enable SSH-only login # Step 10 - Enable SSH-only login
############################################################## ##############################################################
# TODO - Make this cleaner # TODO - Make this cleaner