pratik/server_init_harden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Completed Fail2ban & UFW

Browse Source
This commit is contained in:
Pratik
2019-01-22 17:43:07 +05:30
parent b9c482336e
commit 524423e3bb
1 changed files with 42 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
init-linux-harden.sh
View File

@@ -1,7 +1,6 @@
#!/etc/bin/env bash #!/etc/bin/env bash
# What to do if making .bkp file fails? # What to do if making .bkp file fails?
# Add timestamp` to all backup files filename.071218_171731_bak
#Test #Test
# 1 - Deb 9.x # 1 - Deb 9.x
# 2 - Deb 8.x # 2 - Deb 8.x
@@ -12,7 +11,7 @@
# OVH # OVH
# Hetzner # Hetzner
# TODO - Deal with multiple backup files during restoration
SCRIPT_NAME=server_harden SCRIPT_NAME=server_harden
SCRIPT_VERSION=0.2 SCRIPT_VERSION=0.2
@@ -33,8 +32,9 @@ CGREEN="${CSI}1;32m"
# Usage # Usage
############################################################## ##############################################################
# Script takes arguments as follows # Script takes arguments as follows
# init-linux-harden -username=pratik --resetrootpwd # init-linux-harden -username pratik --resetrootpwd
# init-linux-harden -u pratik --resetrootpwd # init-linux-harden -u pratik --resetrootpwd
# init-linux-harden -username pratik --resetrootpwd -q
function usage() { function usage() {
if [ -n "$1" ]; then if [ -n "$1" ]; then
@@ -436,6 +436,12 @@ function revert_config_fail2ban(){
success=$? success=$?
fi fi
if [[ -f /etc/fail2ban/jail.conf"$BACKUP_EXTENSION" ]]; then
#Because we created this file when no .local file exists
rm /etc/fail2ban/jail.conf"$BACKUP_EXTENSION"
success=$?
fi
if [[ -f /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION" ]]; then if [[ -f /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION" ]]; then
unalias cp &>/dev/null unalias cp &>/dev/null
cp -rf /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION" /etc/fail2ban/jail.d/defaults-debian.conf 2>> "$LOGFILE" >&2 cp -rf /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION" /etc/fail2ban/jail.d/defaults-debian.conf 2>> "$LOGFILE" >&2
@@ -778,6 +784,7 @@ fi
# Enable SSH-only login # Enable SSH-only login
############################################################## ##############################################################
# TODO - Replace this horror with sed
function config_search_regex(){ function config_search_regex(){
local search_key=$1 local search_key=$1
declare -i isCommented=$2 declare -i isCommented=$2
@@ -818,7 +825,7 @@ function set_config_key(){
fi fi
# If Config file already has active keys # If Config file already has active keys
# Keep only the LAST correct one and comment out the rest # Keep only the LAST correct one and comment out the rest
if [[ $(grep -Pnc "$ACTIVE_KEYS_REGEX" "$file_location") -gt 0 ]]; if [[ $(grep -Pnc "$ACTIVE_KEYS_REGEX" "$file_location") -gt 0 ]];
then then
# Last correct active entry's line number # Last correct active entry's line number
@@ -954,21 +961,21 @@ fi
############################################################## ##############################################################
reset_op_code reset_op_code
update_event_status "Installing required softwares" 1 update_event_status "${OP_TEXT[5]}" 1
op_log "Installing required softwares" op_log "${OP_TEXT[5]}"
{ {
apt-get update apt-get update
apt-get upgrade -y apt-get upgrade -y
apt-get install -y sudo curl screen apt-get install -y sudo curl screen ufw fail2ban
set_op_code $? set_op_code $?
} 2>> "$LOGFILE" >&2 } 2>> "$LOGFILE" >&2
if [[ $OP_CODE -eq 0 ]]; then if [[ $OP_CODE -eq 0 ]]; then
update_event_status "Installing required softwares" 2 update_event_status "${OP_TEXT[5]}" 2
op_log "Installing required softwares" "SUCCESSFUL" op_log "${OP_TEXT[5]}" "SUCCESSFUL"
else else
update_event_status "Installing required softwares" 3 update_event_status "${OP_TEXT[5]}" 3
op_log "Installing required softwares" "FAILED" op_log "${OP_TEXT[5]}" "FAILED"
revert_software_installs revert_software_installs
fi fi
@@ -994,7 +1001,6 @@ if [[ $InstallReqSoftwares -eq 2 ]]; then
update_event_status "${OP_TEXT[6]}" 3 update_event_status "${OP_TEXT[6]}" 3
op_log "${OP_TEXT[6]}" "FAILED" op_log "${OP_TEXT[6]}" "FAILED"
revert_config_UFW revert_config_UFW
# TODO - Revert Configure UFW
fi fi
fi fi
@@ -1011,16 +1017,25 @@ if [[ $InstallReqSoftwares -eq 2 ]]; then
{ {
if [[ -f /etc/fail2ban/jail.local ]]; then if [[ -f /etc/fail2ban/jail.local ]]; then
cp /etc/fail2ban/jail.local /etc/fail2ban/jail.local"$BACKUP_EXTENSION" cp /etc/fail2ban/jail.local /etc/fail2ban/jail.local"$BACKUP_EXTENSION"
else
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
set_op_code $?
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf"$BACKUP_EXTENSION"
fi fi
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # startline & endline - restrict the search to [DEFAULT] section
set_op_code $? startline=$(grep -Pnxm 1 "(^ *)\[DEFAULT\]" /etc/fail2ban/jail.local | cut -d: -f 1)
# TODO - 1st instance - that appear below [DEFAULT] endline=$(grep -Pnxm 1 "(^ *)\[sshd\]" /etc/fail2ban/jail.local | cut -d: -f 1)
# Delete all commented lines until 1st uncommented line is encountered pub_ip=$(curl https://ipinfo.io/ip 2>> /dev/null)
# ignoreip = 127.0.0.1/8 ::1 <ServersPublicIP>
# bantime = 10800 # TODO - Exception handle
# backend = polling # - No [DEFAULT] section present
# # - no "bantime" or "backend" or "ignoreip" - options present
# But that is NOT very important - cause fail2ban defaults are sane anyways
sed -ri "$startline,$endline s/^bantime = .*/bantime = 18000/" /etc/fail2ban/jail.local
sed -ri "$startline,$endline s/^backend[[:blank:]]*=.*/backend = polling/" /etc/fail2ban/jail.local
sed -ri "$startline,$endline s/^ignoreip[[:blank:]]*=.*/ignoreip = 127.0.0.1\/8 ::1 ${pub_ip}/" /etc/fail2ban/jail.local
# TODO - Below - make it usable for Ubuntu as well # TODO - Below - make it usable for Ubuntu as well
cp /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION" cp /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION"
@@ -1054,7 +1069,7 @@ FAIL2BAN
else else
update_event_status "${OP_TEXT[7]}" 3 update_event_status "${OP_TEXT[7]}" 3
op_log "${OP_TEXT[7]}" "FAILED" op_log "${OP_TEXT[7]}" "FAILED"
# TODO - Revert Configure Fail2Ban revert_config_fail2ban
fi fi
fi fi
@@ -1066,8 +1081,8 @@ fi
if [[ $RESET_ROOT_PWD == 'y' ]]; then if [[ $RESET_ROOT_PWD == 'y' ]]; then
reset_op_code reset_op_code
update_event_status "Changing root password" 1 update_event_status "${OP_TEXT[8]}" 1
op_log "Changing root password" op_log "${OP_TEXT[8]}"
{ {
# Generate a 15 character random password # Generate a 15 character random password
PASS_ROOT="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)" PASS_ROOT="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)"
@@ -1081,12 +1096,12 @@ if [[ $RESET_ROOT_PWD == 'y' ]]; then
} 2>> "$LOGFILE" >&2 } 2>> "$LOGFILE" >&2
if [[ $OP_CODE -eq 0 ]]; then if [[ $OP_CODE -eq 0 ]]; then
update_event_status "Changing root password" 2 update_event_status "${OP_TEXT[8]}" 2
op_log "Changing root password" "SUCCESSFUL" op_log "${OP_TEXT[8]}" "SUCCESSFUL"
else else
# Low priority - since we are disabling root login anyways # Low priority - since we are disabling root login anyways
update_event_status "Changing root password" 3 update_event_status "${OP_TEXT[8]}" 3
op_log "Changing root password" "FAILED" op_log "${OP_TEXT[8]}" "FAILED"
revert_root_pass_change revert_root_pass_change
fi fi
fi fi