pratik/server_init_harden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Read me Changes

Browse Source 
- Display all available options
- Some Typos rectified
- Updated the "Roadmap"

Script Changes
- Reliable method of determining if a service command was completed successfully
- More (and reliable) logs to the logfile
- Bugfix - SSH Reverting
- Revert source list - check success on sub-folder file restores
- Logfile - removed multiple revert success notifications
- Revert Fail2ban - Stopped deleting the jail.conf*_bkp files
- Step 4 - Default source-list - check success flag on commenting out existing source.list & on appending new CNS to sources.list (check the same 2 for *.list in sub-folders)
- Step 7 - fail2ban - check operation success on backing up jail.local, jail.conf & defaults-debian.conf files
This commit is contained in:
Pratik
2019-02-11 00:52:34 +05:30
parent 349cde603d
commit 979e1b0657
2 changed files with 141 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
README.md
View File

@@ -1,6 +1,6 @@
__Linux Server Hardener__ is a bash script that automates few of the tasks that you need to perform on a new Linux server to give it basic amount security.
I wanted to change my VPS(Virtual Private Server) provider and was testing out many providers and many Linux flavours on those VPS. But before doing anything those servers needed to be given basic amount security and this involved a set of repetitive commands on terminal. Depending on network speed and number of mis-types, these took between 30-90 minutes to perform.
I wanted to change my VPS(Virtual Private Server) provider and was testing out many providers and many Linux flavours on those VPSes. But before doing anything those servers needed to be given basic amount security and this involved a set of repetitive commands on terminal. Depending on network speed and number of mis-types, these took between 30-90 minutes to perform.
This script is meant to save that time.
@@ -12,7 +12,7 @@ This script can potentially make your server inaccessible. Proceed with caution.
Alpha testing. NOT production ready.
# Getting Started
# Usage
## Prerequisites
@@ -22,16 +22,14 @@ Alpha testing. NOT production ready.
- Ubuntu 14.x
- Ubuntu 16.x
- Ubuntu 18.x
* *wget* should be installed
* *wget* should be installed (comes preinstalled on the above OSes anyways)
* *root* access to the server
## Usage
## Examples
The script is intended to be executed immediately after you have access to a *__new__* Linux server (most likely a VPS) as *__root__*.
```bash
bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O -) --help
bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O -) --username someusername --resetrootpwd --defaultsourcelist
bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O -) --quiet
@@ -39,8 +37,29 @@ bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/ma
> There are inherent risks involved with running scripts directly (without reviewing it first) from web - as done above. Everyone does it anyways, but you have been warned.
## Available Options
Run the script with below option to see all available options:-
```bash
bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O -) --help
Usage: sudo bash /dev/fd/63 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]
-u, --username Username for your server (If omitted script will choose an username for you)
-r, --resetrootpwd Reset current root password
-d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org.
NOTE - If you fail to update system after using it, you need to manually reset it. This script keeps a backup in the same folder.
Example: bash ./server_init_harden.sh --username myuseraccount --resetrootpwd
Below restrictions apply to username this script accepts -
- [a-zA-Z0-9] [-] [_] are allowed
- NO special characters.
- NO spaces.
```
# What does it do ?
Script performed the following operations:-
Script performs the following operations:-
1. [Create non-root user and give it "sudo" privilege](https://github.com/pratiktri/init-li-harden#1-create-non-root-user-and-give-it-sudo-privilege "Goto details of the step")
2. [Generate passphrage protected *ed25519* SSH Keys](https://github.com/pratiktri/init-li-harden#2-generate-passphrage-protected-ed25519-ssh-keys-private--public "Goto details of the step")
@@ -92,6 +111,8 @@ Script *tries* to recover from an error if it can determine that an error has oc
### 1. Create non-root user and give it "sudo" privilege
You can specify your own username with "--username" or "-u" flag.
If the username provided already exists, then the script will terminate without doing any operation.
When accepting username through "--username", __*script actively rejects special characters in the name*__ because bash does not act well with special characters. The values accepted by the script [a-zA-Z0-9_-] i.e., alphanumeric and [_] and [-]
If "--username" is not provided, __*script will randomly generate an username for you*__. Script generated usernames are 9 character long and are alphanumeric (i.e., numbers & English characters).
@@ -118,7 +139,7 @@ You need the following 3 to be able to access the server after the script is don
* Private Key
* Passphrase for the Key
These 3 will be diplayed on screen at the end of the script. Copy them and __keep them safe. Without these won't be able to access the server.__
These 3 will be diplayed on screen at the end of the script. Copy them and __keep them safe. Without these you won't be able to access the server.__
We use OpenSSH keyformat and ed25519 algorithm to generate ours. You can read the reason for that [here](https://security.stackexchange.com/questions/143442/what-are-ssh-keygen-best-practices#answer-144044) and [here](https://stribika.github.io/2015/01/04/secure-secure-shell.html). For additional security the key is secured by a passphrase. This passphrase is randomly generated. Passphrase are 15 character long and are alphanumeric. Algorithm used for user's password and SSH Private Key's passphrase are the same.
@@ -162,11 +183,11 @@ Following are the file access restrictions that the script applies:-
### 4. [Optionally] Reset the url for apt repo from VPS provided CDN to OS provided ones
Most VPS provider change the location from which operating system downloads software from (i.e. *apt* repository); usually to CDNs that are maintained by them. While, this greatly improves application installations, it does come with its security implications (what if they insert tracker in application?).
Most VPS provider change the location from which operating system downloads software from (i.e. *apt* repository); usually to CDNs that are maintained by them. While, this greatly improves time taken to install applications, it does come with its security implications (what if they insert tracker/sniffer in application?).
However, one can also argue that if the OS (i.e. Linux) itself is installed by the providers, then OS itself is a more likely place where they might want to insert something dirty.
However, one can also argue that if the OS (i.e. Linux) is installed by the providers, then OS itself is a more likely place where they might want to insert something dirty.
Depending on which argument you find valid, __you can use this option in the script to ensure the default OS provided CDNs are used__. This is done by updating the [/etc/apt/sources.list](https://linoxide.com/debian/configure-sources-list-debian-9/) file.
Depending on which argument you find valid, __you can use this option in the script to ensure the default OS-provided CDNs are used__. This is done by updating the [/etc/apt/sources.list](https://linoxide.com/debian/configure-sources-list-debian-9/) file.
If the script is started with --defaultsourcelist option, then for Debian http://deb.debian.org/debian is used and for Ubuntu http://archive.ubuntu.com/ubuntu/ is used.
@@ -217,14 +238,14 @@ This script sets up UFW so that only __ssh__(required for user login), __http__(
### 7. Configure Fail2Ban
While UFW restrict access to ports, the ports that are required (and are allowed by UFW in above step) for our purpose can be exploited by nefarious actors.
While UFW restricts access to ports, the ports that are required (and are allowed by UFW in above step) for our purpose can be exploited by nefarious actors.
Fail2ban watches traffic coming through the allowed ports to determine if it is indeed a legitimate one. This determination is usually done by analyzing various *log files* being generated by Linux and other applications running on the server. If anything suspicious is found then after a certain number of illegitimate attempts the intruder(IP) is banned. Ban is then lifted after a desired amount of time.
This script sets up Fail2ban as following:-
* default ban time is 5 hours,
* Whitelists your server's IP from detection (uses https://ipinfo.io/ip to determine the IP),
* sets (backend = polling). *polling* is an algoritm used to check if the *log files* are updated. This algorithm does not required any additional software and if no additional software are installed then is faster option to choose.
* sets (backend = polling). *polling* is an algoritm used to check if the *log files* are updated. This algorithm does not require any additional software and is faster option to choose for our configuration.
* Explicitly enables protection for *ssh* with (maxretry = 3) & (bantime = 2592000)
#### Error Handling
@@ -240,7 +261,7 @@ This script sets up Fail2ban as following:-
### 8. Alter SSH options
This step contines from step 3 to harden our ssh login. Here, we do edit */etc/ssh/sshd_config* file to achieve the following:-
This step contines from step 3 to harden our ssh login. Here, we edit */etc/ssh/sshd_config* file to achieve the following:-
* Disable *root* login (**PermitRootLogin no**). No one needs to work on *root*. The new user created already has *root* privileges anyways.
* Disable password login (**PasswordAuthentication no**). This ensures we can ONLY login though SSH Keys.
* Specify where to find authorized public keys which are granted login (\\.ssh\authorized_keys %h\\.ssh\authorized_keys)
@@ -260,7 +281,7 @@ This step contines from step 3 to harden our ssh login. Here, we do edit */etc/s
### 9. [Optionally] Reset root password
Since, VPS providers sends you the password of your VPS's *root* user in email in plain text. So, password needs to be changed immediately. **Since we have disabled *root* login AND password login in the above step, changing *root* password might be an overkill**. But, still...
Since, VPS providers sends you the password of your VPS's *root* user in email in plain text. So, password needs to be changed immediately. **But, since we have disabled *root* login AND password login in the above step, changing *root* password might be an overkill**. But, still...
Also most VPS providers these days, allow you to provide SSH Public Key in their website. If you have done that you can skip this step. **It is disabled by default anyways**.
@@ -281,9 +302,11 @@ To change your *root* password provide option --resetrootpw. *root* password the
### 10. Display Summary
All the generated username, passwords, SSH Key location & SSH Keys themselves are displayed on the screen.
This might not be desired, on future version you might find option to NOT show the details and find them from the log file.
This might not be desired (nosy neighbours), on future versions you might find option to NOT show the details on screen and find them from the log file.
The logfile is located in /tmp/ directory - thus will be removed server reboots. All the details shown on the screen and a lot more can be found in the log. Exact logfile location will be shown on the screen as well.
NOTE - while we login through SSH Keys, you will still be asked for your password (after logging in) while installing softwares and other operations. So, you NEED ALL of the information displayed on the screen.
The logfile is located in /tmp/ directory - thus will be removed when server reboots. All the details shown on the screen and a lot more can be found in the log. Exact logfile location will be shown on the screen as well.
# Todo
## Testing
@@ -351,19 +374,22 @@ The logfile is located in /tmp/ directory - thus will be removed server reboots.
- [ ] Test failures - Ubuntu 18.04 - Step 7
- [ ] Test failures - Ubuntu 18.04 - Step 8
- [ ] Test failures - Ubuntu 18.04 - Step 9
- [ ] Test - How it behaves on repeat execution
## Bug fixes
- [ ] On successful restoration - delete the bkp files
- [ ] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
- [ ] What to do if creating .bkp file fails?
- [ ] fail2ban does not work on Ubuntu 14.04 => does NOT read the defaults-debian.conf file.
- [ ] What to do if creating .bkp file creation fails?
- [ ] fail2ban does not work on Ubuntu 14.04 => does NOT have the defaults-debian.conf file.
## Add Features
## Roadmap
- [ ] Update README - provide example of how it can be used from an non-root account.
- [ ] Update README - Warn that - If your connection gets reset during this operation, you WILL loose all access to the server.
- [ ] Update README - Add some screen captures
- [ ] New - Flag to NOT display credentials on screen
- [ ] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
- [ ] New - Schedule daily system update
- [ ] New - Enable LUKS (is it even worth it???)
- [ ] New - DNSCrypt
- [ ] New - Display time taken to complete all operations
- [ ] Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user

136
init-linux-harden.sh
View File

@@ -37,7 +37,7 @@ function usage() {
echo " NOTE - If you fail to update system after using it, you need to manually reset it. This script keeps a backup in the same folder."
echo ""
echo "Example: $0 --username myuseraccount --resetrootpwd"
echo "Example: bash ./$SCRIPT_NAME.sh --username myuseraccount --resetrootpwd"
printf "\\nBelow restrictions apply to username this script accepts - \\n"
printf "%2s - [a-zA-Z0-9] [-] [_] are allowed\\n%2s - NO special characters.\\n%2s - NO spaces.\\n" " " " " " "
}
@@ -245,6 +245,16 @@ function reset_op_code(){
OP_CODE=0
}
function service_action_and_chk_error() {
local servicename=$1
local serviceaction=$2
local servicemsg
servicemsg=$(service "$servicename" "$serviceaction" 2>&1)
file_log "$servicemsg"
return $(echo "$servicemsg" | grep -c 'ERROR')
}
function get_event_var_from_event() {
case $1 in
"${OP_TEXT[0]}")
@@ -329,8 +339,13 @@ function revert_create_user(){
# Remove user and its home directory only if user was created
if [[ $(getent passwd "$NORM_USER_NAME" | wc -l) -gt 0 ]]; then
{
file_log "Deleting user ${NORM_USER_NAME} ..."
deluser "$NORM_USER_NAME"
file_log "Removing the immutable flag from /home/${NORM_USER_NAME}/.ssh/ directory ..."
chattr -i /home/"$NORM_USER_NAME"/.ssh/*
file_log "Deleting user ${NORM_USER_NAME} home directory and all its content ..."
rm -rf /home/"${NORM_USER_NAME:?}"
success=$?
} 2>> "$LOGFILE" >&2
@@ -339,7 +354,6 @@ function revert_create_user(){
if [[ $success -eq 0 ]]; then
op_rev_log "Reverting - New User Creation" "SUCCESSFUL"
file_log "Reverting New User Creation - Completed"
else
error_restoring "Reverting - New User Creation"
fi
@@ -357,7 +371,6 @@ function revert_create_ssh_key(){
if [[ $success -eq 0 ]]; then
op_rev_log "Reverting - SSH Key Generation" "SUCCESSFUL"
file_log "Reverting SSH Key Generation - Completed"
else
error_restoring "Reverting - SSH Key Generation"
fi
@@ -372,18 +385,23 @@ function revert_secure_authorized_key(){
if [[ -f "$SSH_DIR"/authorized_keys"$BACKUP_EXTENSION" ]]; then
unalias cp &>/dev/null
{
file_log "Removing immutable flag on the ${SSH_DIR}/authorized_keys file ..."
chattr -i "$SSH_DIR"/authorized_keys
#chmod 700 "$SSH_DIR"/authorized_keys
file_log "Restoring ${SSH_DIR}/authorized_keys${BACKUP_EXTENSION} into ${SSH_DIR}/authorized_keys ..."
cp -rf "$SSH_DIR"/authorized_keys"$BACKUP_EXTENSION" "$SSH_DIR"/authorized_keys
success=$?
file_log "Adding file access restriction (chmod 400) on the restored file ${SSH_DIR}/authorized_keys ..."
chmod 400 "$SSH_DIR"/authorized_keys
file_log "Adding file immutability restriction (chattr +i) on the restored file ${SSH_DIR}/authorized_keys ..."
chattr +i "$SSH_DIR"/authorized_keys
} 2>> "$LOGFILE" >&2
fi
if [[ $success -eq 0 ]]; then
op_rev_log "Reverting - SSH Key Authorization" "SUCCESSFUL"
file_log "Reverting SSH Key Authorization - Completed"
else
error_restoring "Reverting - SSH Key Authorization"
fi
@@ -399,16 +417,26 @@ function revert_ssh_only_login(){
if [[ -f /etc/ssh/sshd_config"$BACKUP_EXTENSION" ]]; then
unalias cp &>/dev/null
file_log "Restoring /etc/ssh/sshd_config${BACKUP_EXTENSION} into /etc/ssh/sshd_config ..."
cp -rf /etc/ssh/sshd_config"$BACKUP_EXTENSION" /etc/ssh/sshd_config 2>> "$LOGFILE" >&2
success=$?
fi
service sshd restart 2>> "$LOGFILE" >&2
success=$?
file_log "Restarting ssh service ..."
{
success=$(service_action_and_chk_error "sshd" "restart")
if [[ $success -eq 0 ]]; then
false
fi
} || {
# Because Ubuntu 14.04 does not have sshd
success=$(service_action_and_chk_error "ssh" "restart")
} 2>> "$LOGFILE" >&2
if [[ $success -eq 0 ]]; then
op_rev_log "Reverting - SSH-only Login" "SUCCESSFUL"
file_log "Reverting SSH-only Login - Completed"
else
error_restoring "Reverting - SSH-only Login"
fi
@@ -418,24 +446,26 @@ function revert_source_list_changes(){
local success;
file_log "Reverting Source_list Changes..."
unalias cp &>/dev/null
if [[ -f /etc/apt/sources.list"${BACKUP_EXTENSION}" ]]; then
unalias cp &>/dev/null
file_log "Restoring /etc/apt/sources.list${BACKUP_EXTENSION} into /etc/apt/sources.list ..."
cp -rf /etc/apt/sources.list"${BACKUP_EXTENSION}" /etc/apt/sources.list 2>> "$LOGFILE" >&2
success=$?
fi
SOURCE_FILES_BKP=(/etc/apt/source*/*.list"${BACKUP_EXTENSION}")
if [[ ${#SOURCE_FILES_BKP[@]} -gt 0 ]]; then
unalias cp &>/dev/null
for file in "${SOURCE_FILES[@]}";
do
file_log "Restoring ${file} into ${file//$BACKUP_EXTENSION/} ..."
cp -rf "$file" "${file//$BACKUP_EXTENSION/}" 2>> "$LOGFILE" >&2
success=$?
done
fi
if [[ $success -eq 0 ]]; then
op_rev_log "Reverting - Source_list Changes" "SUCCESSFUL"
file_log "Reverting Source_list Changes - Completed"
else
error_restoring "Reverting - Source_list Changes"
fi
@@ -445,6 +475,7 @@ function revert_root_pass_change(){
echo
center_err_text "Changing root password failed..."
center_err_text "Your earlier root password remains VALID"
center_err_text "Script will continue to next step"
}
function revert_config_UFW(){
@@ -456,7 +487,6 @@ function revert_config_UFW(){
if [[ $success -eq 0 ]]; then
op_rev_log "Reverting - UFW Configuration" "SUCCESSFUL"
file_log "Reverting UFW Configuration - Completed"
else
error_restoring "Reverting - UFW Configuration"
fi
@@ -467,30 +497,27 @@ function revert_config_fail2ban(){
file_log "Reverting Fail2ban Config..."
unalias cp &>/dev/null
if [[ -f /etc/fail2ban/jail.local"$BACKUP_EXTENSION" ]]; then
unalias cp &>/dev/null
file_log "Restoring /etc/fail2ban/jail.local${BACKUP_EXTENSION} into /etc/fail2ban/jail.local ..."
cp -rf /etc/fail2ban/jail.local"$BACKUP_EXTENSION" /etc/fail2ban/jail.local 2>> "$LOGFILE" >&2
success=$?
fi
if [[ -f /etc/fail2ban/jail.conf"$BACKUP_EXTENSION" ]]; then
#Because we created this file when no .local file exists
rm /etc/fail2ban/jail.conf"$BACKUP_EXTENSION"
success=$?
fi
if [[ -f /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION" ]]; then
unalias cp &>/dev/null
file_log "Restoring /etc/fail2ban/jail.d/defaults-debian.conf${BACKUP_EXTENSION} into /etc/fail2ban/jail.d/defaults-debian.conf ..."
cp -rf /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION" /etc/fail2ban/jail.d/defaults-debian.conf 2>> "$LOGFILE" >&2
success=$?
fi
service fail2ban restart 2>> "$LOGFILE" >&2
success=$?
file_log "Stopping fail2ban service ..."
{
set_op_code $(service_action_and_chk_error "fail2ban" "stop")
} 2>> "$LOGFILE" >&2
if [[ $success -eq 0 ]]; then
op_rev_log "Reverting - Fail2ban Config" "SUCCESSFUL"
file_log "Reverting Fail2ban Config - Completed"
else
error_restoring "Reverting - Fail2ban Config"
fi
@@ -836,8 +863,11 @@ if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then
{
cp /etc/apt/sources.list /etc/apt/sources.list"${BACKUP_EXTENSION}"
set_op_code $?
file_log "Backed up /etc/apt/sources.list file to /etc/apt/sources.list${BACKUP_EXTENSION}"
sed -i "1,$(wc -l < /etc/apt/sources.list) s/^/#/" /etc/apt/sources.list
set_op_code $?
file_log "Commented out everthing in /etc/apt/sources.list"
if [[ $OS = "debian" ]]; then
@@ -857,6 +887,7 @@ deb-src http://deb.debian.org/debian ${DEB_VER_STR}-updates main contrib non-fre
deb http://deb.debian.org/debian ${DEB_VER_STR}-backports main contrib non-free
deb-src http://deb.debian.org/debian ${DEB_VER_STR}-backports main contrib non-free
DEBIAN
set_op_code $?
elif [[ $OS = "ubuntu" ]]; then
@@ -882,20 +913,28 @@ deb-src http://security.ubuntu.com/ubuntu ${UBT_VER_STR}-security universe
deb http://security.ubuntu.com/ubuntu ${UBT_VER_STR}-security multiverse
deb-src http://security.ubuntu.com/ubuntu ${UBT_VER_STR}-security multiverse
UBUNTU
set_op_code $?
fi
file_log "Added default CDN sources to /etc/apt/sources.list"
# Find any additional sources listed by the provider and comment them out
SOURCE_FILES=(/etc/apt/source*/*.list)
if [[ ${#SOURCE_FILES[@]} -gt 0 ]]; then
for file in "${SOURCE_FILES[@]}";
do
cp "$file" "$file""${BACKUP_EXTENSION}"
set_op_code $?
file_log "Backed up ${file} file to ${file}${BACKUP_EXTENSION}"
sed -i "1,$(wc -l < "$file") s/^/#/" "$file"
set_op_code $?
file_log "Commented out the ${file}"
done
fi
} 2>> "$LOGFILE" >&2
if [[ $? -eq 0 ]]; then
if [[ $OP_CODE -eq 0 ]]; then
update_event_status "${OP_TEXT[4]}" 2
op_log "${OP_TEXT[4]}" "SUCCESSFUL"
else
@@ -972,29 +1011,38 @@ if [[ $InstallReqSoftwares -eq 2 ]]; then
{
if [[ -f /etc/fail2ban/jail.local ]]; then
cp /etc/fail2ban/jail.local /etc/fail2ban/jail.local"$BACKUP_EXTENSION"
set_op_code $?
else
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
set_op_code $?
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf"$BACKUP_EXTENSION"
set_op_code $?
fi
# startline & endline - restrict the search to [DEFAULT] section
startline=$(grep -Pnxm 1 "(^ *)\[DEFAULT\]" /etc/fail2ban/jail.local | cut -d: -f 1)
endline=$(grep -Pnxm 1 "(^ *)\[sshd\]" /etc/fail2ban/jail.local | cut -d: -f 1)
pub_ip=$(curl https://ipinfo.io/ip 2>> /dev/null)
# Do not do anything if copying jail.conf to jail.local failed
if [[ -f /etc/fail2ban/jail.local ]]; then
# startline & endline - restrict the search to [DEFAULT] section
pub_ip=$(curl https://ipinfo.io/ip 2>> /dev/null)
# TODO - Exception handle
# - No [DEFAULT] section present
# - no "bantime" or "backend" or "ignoreip" - options present
# But that is NOT very important - cause fail2ban defaults are sane anyways
# Start search from the line that contains [DEFAULT] - end search before the line that contains # JAILS
sed -ri "/^\[DEFAULT\]$/,/^# JAILS$/ s/^bantime[[:blank:]]*= .*/bantime = 18000/" /etc/fail2ban/jail.local
set_op_code $?
sed -ri "/^\[DEFAULT\]$/,/^# JAILS$/ s/^backend[[:blank:]]*=.*/backend = polling/" /etc/fail2ban/jail.local
set_op_code $?
sed -ri "/^\[DEFAULT\]$/,/^# JAILS$/ s/^ignoreip[[:blank:]]*=.*/ignoreip = 127.0.0.1\/8 ::1 ${pub_ip}/" /etc/fail2ban/jail.local
set_op_code $?
# Start search from the line that contains [DEFAULT] - end search before the line that contains # JAILS
sed -ri "/^\[DEFAULT\]$/,/^# JAILS$/ s/^bantime[[:blank:]]*= .*/bantime = 18000/" /etc/fail2ban/jail.local
sed -ri "/^\[DEFAULT\]$/,/^# JAILS$/ s/^backend[[:blank:]]*=.*/backend = polling/" /etc/fail2ban/jail.local
sed -ri "/^\[DEFAULT\]$/,/^# JAILS$/ s/^ignoreip[[:blank:]]*=.*/ignoreip = 127.0.0.1\/8 ::1 ${pub_ip}/" /etc/fail2ban/jail.local
# TODO- Exception handle - when curl https://ipinfo.io/ip fails
# TODO - Exception handle
# - No [DEFAULT] section present
# - no "bantime" or "backend" or "ignoreip" - options present
# But that is NOT very important - cause fail2ban defaults are sane anyways
fi
if [[ -f /etc/fail2ban/jail.d/defaults-debian.conf ]]; then
cp /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf"$BACKUP_EXTENSION"
set_op_code $?
fi
cat <<FAIL2BAN > /etc/fail2ban/jail.d/defaults-debian.conf
@@ -1014,11 +1062,9 @@ bantime = 31536000 ; 1 year
findtime = 86400 ; 1 days
maxretry = 10
FAIL2BAN
set_op_code $?
set_op_code $(service_action_and_chk_error "fail2ban" "start")
service fail2ban start
set_op_code $?
} 2>> "$LOGFILE" >&2
if [[ $OP_CODE -eq 0 ]]; then
@@ -1031,7 +1077,7 @@ FAIL2BAN
fi
else
op_log "${OP_TEXT[7]}" "NO-OP"
file_log "Skipping UFW Config since software install failed..."
file_log "Skipping Fail2Ban config since software installation failed..."
fi
@@ -1072,7 +1118,7 @@ fi
# Step 9 - Enable SSH-only login
##############################################################
# TODO - Replace this horror with sed
# TODO - Make this cleaner
function config_search_regex(){
local search_key=$1
declare -i isCommented=$2
@@ -1174,12 +1220,14 @@ op_log "${OP_TEXT[3]}"
file_log "Set SSH Authorization-Keys path -> AuthorizedKeysFile '%h\/\.ssh\/authorized_keys'"
{
service sshd restart 2>> "$LOGFILE" >&2
set_op_code $(service_action_and_chk_error "sshd" "restart")
if [[ $OP_CODE -eq 0 ]]; then
false
fi
} || {
# Because Ubuntu 14.04 does not have sshd
service ssh restart 2>> "$LOGFILE" >&2
set_op_code $(service_action_and_chk_error "ssh" "restart")
}
set_op_code $?
} 2>> "$LOGFILE" >&2
if [[ $OP_CODE -eq 0 ]]; then