pratik/server_init_harden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: FreeBSD support for "SSH hardening" operation

Browse Source 
- POSIX compliant usage of `sed` with `-i.tmp` for FreeBSD
- Reverting on error, moved to its own method
- refactor: Better variable names
- chore: Better logging; begin, success, failure
This commit is contained in:
Pratik Tripathy
2025-09-08 16:49:43 +05:30
parent 9590130d06
commit 8fbed3d811
1 changed files with 50 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
init-linux-harden.sh
View File

@@ -441,21 +441,51 @@ generate_ssh_key() {
log_credentials "$(cat "$key_path.pub")" log_credentials "$(cat "$key_path.pub")"
} }
return 0 revert_ssh_config_changes() {
# Revert to backup and try restarting again
console_log "INFO" "Reverting to backup configuration..."
file_log "INFO" "Reverting to backup configuration from: $SSH_CONFIG_BACKUP_FILE"
if ! cp "$SSH_CONFIG_BACKUP_FILE" "$SSHD_CONFIG_FILE"; then
console_log "ERROR" "Failed to restore SSH config backup"
file_log "ERROR" "Failed to restore SSH config backup"
exit 1
fi
# Try restarting SSH with original config
if manage_service sshd restart || manage_service ssh restart; then
console_log "SUCCESS" "SSH service restarted with original configuration"
file_log "SUCCESS" "SSH service restarted with original configuration"
exit 1
fi
console_log "ERROR" "Failed to restart SSH service even with original configuration"
file_log "ERROR" "Failed to restart SSH service even with original configuration"
exit 1
} }
update_ssh_setting() { update_ssh_setting() {
setting="$1" setting="$1"
value="$2" value="$2"
# Comment out existing setting if found file_log "INFO" "Updating $SSHD_CONFIG_FILE [ $setting $value ]"
output=$(sed -i "s/^${setting}/#${setting}/" "$SSHD_CONFIG" 2>&1)
if [ -n "$output" ]; then # Comment out existing setting if enabled
file_log "INFO" "sed command output: $output" # New settings are always appended to the end of file
output=$(sed -i.tmp "s/^${setting}/#${setting}/" "$SSHD_CONFIG_FILE" 2>&1)
command_status=$?
rm -f "$SSHD_CONFIG_FILE.tmp" >/dev/null 2>&1
if [ $command_status -ne 0 ]; then
console_log "ERROR" "Updating SSH configuration [ $setting $value ] failed"
file_log "ERROR" "Updating SSH configuration [ $setting $value ] failed: $output"
revert_ssh_config_changes
fi fi
file_log "INFO" "$output"
# Add new setting at the end of file # Add new setting at the end of file
echo "${setting} ${value}" >>"$SSHD_CONFIG" echo "${setting} ${value}" >>"$SSHD_CONFIG_FILE"
file_log "INFO" "Updated SSH setting: ${setting} ${value}" file_log "INFO" "Updated SSH setting: ${setting} ${value}"
} }
@@ -463,21 +493,21 @@ harden_ssh_config() {
console_log "INFO" "Configuring SSH hardening settings..." console_log "INFO" "Configuring SSH hardening settings..."
file_log "INFO" "Starting SSH configuration hardening..." file_log "INFO" "Starting SSH configuration hardening..."
SSHD_CONFIG="/etc/ssh/sshd_config" SSHD_CONFIG_FILE="/etc/ssh/sshd_config"
if [ ! -f "$SSHD_CONFIG" ]; then if [ ! -f "$SSHD_CONFIG_FILE" ]; then
console_log "ERROR" "SSH config file not found at $SSHD_CONFIG" console_log "ERROR" "SSH config file not found at $SSHD_CONFIG_FILE"
file_log "ERROR" "SSH config file not found at $SSHD_CONFIG" file_log "ERROR" "SSH config file not found at $SSHD_CONFIG_FILE"
return 1 return 1
fi fi
# Create backup with timestamps # Create backup with timestamps
BACKUP_FILE="${SSHD_CONFIG}.bak.${TIMESTAMP}" SSH_CONFIG_BACKUP_FILE="${SSHD_CONFIG_FILE}.bak.${TIMESTAMP}"
output=$(cp "$SSHD_CONFIG" "$BACKUP_FILE" 2>&1) output=$(cp "$SSHD_CONFIG_FILE" "$SSH_CONFIG_BACKUP_FILE" 2>&1)
if [ -n "$output" ]; then if [ -n "$output" ]; then
file_log "INFO" "cp command output: $output" file_log "INFO" "cp command output: $output"
fi fi
file_log "INFO" "Created backup of sshd_config at: $BACKUP_FILE" file_log "INFO" "Created backup of sshd_config at: $SSH_CONFIG_BACKUP_FILE"
# Update SSH settings # Update SSH settings
update_ssh_setting "PermitRootLogin" "no" update_ssh_setting "PermitRootLogin" "no"
@@ -490,34 +520,14 @@ harden_ssh_config() {
# Restart SSH service # Restart SSH service
if manage_service sshd restart || manage_service ssh restart; then if manage_service sshd restart || manage_service ssh restart; then
console_log "SUCCESS" "SSH service restarted successfully" console_log "SUCCESS" "SSH service restarted"
file_log "SUCCESS" "SSH service restarted successfully" file_log "SUCCESS" "SSH service restarted"
return 0 return 0
else
console_log "ERROR" "Failed to restart SSH service"
file_log "ERROR" "Failed to restart SSH service"
revert_ssh_config_changes
fi fi
console_log "ERROR" "Failed to restart SSH service"
file_log "ERROR" "Failed to restart SSH service"
# Revert to backup and try restarting again
console_log "INFO" "Reverting to backup configuration..."
file_log "INFO" "Reverting to backup configuration from: $BACKUP_FILE"
if ! cp "$BACKUP_FILE" "$SSHD_CONFIG"; then
console_log "ERROR" "Failed to restore SSH config backup"
file_log "ERROR" "Failed to restore SSH config backup"
exit 1
fi
# Try restarting SSH with original config
if manage_service sshd restart || manage_service ssh restart; then
console_log "SUCCESS" "SSH service restarted successfully with original configuration"
file_log "SUCCESS" "SSH service restarted successfully with original configuration"
exit 1
fi
console_log "ERROR" "Failed to restart SSH service even with original configuration"
file_log "ERROR" "Failed to restart SSH service even with original configuration"
exit 1
} }
install_package() { install_package() {
@@ -796,7 +806,7 @@ main() {
# Step 4: Configure SSH # Step 4: Configure SSH
if ! harden_ssh_config; then if ! harden_ssh_config; then
print_logfile_details console_log "ERROR" "Failed to update ssh configuration to harden it"
return 1 # Abort on error return 1 # Abort on error
fi fi