feat: Don't store credentials in log file

- Display the credentials on console
- Removed option to hide credentials on console
- Log file in `/var/log` and not in current directory
- Remove SSH private key after displaying it on console
Pratik Tripathy
2025-10-09 22:42:07 +05:30
parent 202ef6a648
commit 9cd038c228


@@ -1,13 +1,12 @@
#!/bin/sh #!/bin/sh
SCRIPT_NAME=server-init-harden SCRIPT_NAME=server-init-harden
SCRIPT_VERSION=2.7 SCRIPT_VERSION=3.1
TIMESTAMP=$(date '+%Y-%m-%d_%H-%M-%S') TIMESTAMP=$(date '+%Y-%m-%d-%H-%M-%S')
LOG_FILE_NAME="${SCRIPT_NAME}_${TIMESTAMP}.log" LOG_FILE_NAME="/var/log/${SCRIPT_NAME}_${TIMESTAMP}.log"
USERNAME="" USERNAME=""
RESET_ROOT=false RESET_ROOT=false
SHOW_CREDENTIALS=false
usage() { usage() {
cat <<EOF cat <<EOF
@@ -29,7 +28,6 @@ DESCRIPTION:
OPTIONS: OPTIONS:
-u USERNAME Create a new sudo user with the specified username -u USERNAME Create a new sudo user with the specified username
-r Reset root password to a secure random value -r Reset root password to a secure random value
-s Show sensitive information (passwords, keys) in console output
-h Display this help message -h Display this help message
EXAMPLES: EXAMPLES:
@@ -42,13 +40,9 @@ EXAMPLES:
# Create new user and reset root password # Create new user and reset root password
$0 -u jay -r $0 -u jay -r
# Show all credentials in console output (less secure)
$0 -u jay -s
LOGGING: LOGGING:
All operations are logged to: ./${SCRIPT_NAME}_TIMESTAMP.log All operations are logged to: /var/log/{SCRIPT_NAME}_TIMESTAMP.log
Sensitive information (passwords, keys) are only logged to file by default Sensitive information (passwords, keys) are only logged to file by default
Use -s flag to also show sensitive information in console output
NOTES: NOTES:
- Requires root/sudo privileges - Requires root/sudo privileges
@@ -85,10 +79,6 @@ parse_and_validate_args() {
RESET_ROOT=true RESET_ROOT=true
shift shift
;; ;;
-s)
SHOW_CREDENTIALS=true
shift
;;
-h | --help) -h | --help)
usage usage
;; ;;
@@ -105,7 +95,11 @@ parse_and_validate_args() {
###################################### HELPER FUNCTIONS ################################### ###################################### HELPER FUNCTIONS ###################################
create_log_file() { create_log_file() {
touch "$LOG_FILE_NAME" if [ ! -d "/var/log" ]; then
mkdir -p "/var/log"
fi
touch "/var/log/$LOG_FILE_NAME"
} }
file_log() { file_log() {
@@ -132,10 +126,7 @@ console_log() {
log_credentials() { log_credentials() {
message="$1" message="$1"
file_log "CREDENTIALS" "$message" console_log "CREDENTIALS" "$message"
if [ "$SHOW_CREDENTIALS" = true ]; then
console_log "CREDENTIALS" "$message"
fi
} }
print_operation_details() { print_operation_details() {
@@ -160,9 +151,13 @@ print_operation_details() {
} }
print_log_file_details() { print_log_file_details() {
printf "\nLog file location: %s\n" "$LOG_FILE_NAME" echo
printf " cat %s # View log file\n" "$LOG_FILE_NAME" echo "See logfile for detailed output for each operation."
printf " tail -f %s # Follow log in real-time\n\n" "$LOG_FILE_NAME" echo "Location: $LOG_FILE_NAME"
echo " tail -f $LOG_FILE_NAME # Follow log in real-time"
echo
echo "WARNING: Credentials WILL be displayed on this screen"
echo "WARNING: Save the credentials as they WILL NOT BE SHOWN AGAIN"
} }
formatted_execution_duration() { formatted_execution_duration() {
@@ -393,29 +388,29 @@ generate_ssh_key() {
fi fi
# Generate passphrase # Generate passphrase
key_passphrase=$(head -c 12 /dev/urandom | base64 | tr -dc "[:alnum:]" | head -c 15) SSH_KEY_PASSPHRASE=$(head -c 12 /dev/urandom | base64 | tr -dc "[:alnum:]" | head -c 15)
key_name="id_${SSH_KEY_USER}_ed25519" key_name="id_${SSH_KEY_USER}_ed25519"
key_path="$ssh_dir/$key_name" SSH_KEY_FILE="$ssh_dir/$key_name"
# Generate the SSH key # Generate the SSH key
file_log "INFO" "Generating SSH key for $SSH_KEY_USER" file_log "INFO" "Generating SSH key for $SSH_KEY_USER"
if ! output=$(ssh-keygen -o -a 1000 -t ed25519 -f "$key_path" -N "$key_passphrase" -C "$SSH_KEY_USER" -q 2>&1); then if ! output=$(ssh-keygen -o -a 1000 -t ed25519 -f "$SSH_KEY_FILE" -N "$SSH_KEY_PASSPHRASE" -C "$SSH_KEY_USER" -q 2>&1); then
console_log "ERROR" "Failed to generate SSH key for user: $SSH_KEY_USER" console_log "ERROR" "Failed to generate SSH key for user [ $SSH_KEY_USER ]"
file_log "ERROR" "Failed to generate SSH key for user: $SSH_KEY_USER" file_log "ERROR" "Failed to generate SSH key for user [ $SSH_KEY_USER ]"
file_log "ERROR" "$output" file_log "ERROR" "$output"
return 1 return 1
fi fi
file_log "INFO" "SSH key generated for user: $SSH_KEY_USER" file_log "INFO" "SSH key generated for $SSH_KEY_USER"
file_log "INFO" "To change passphrase: ssh-keygen -p -f $key_path -P" file_log "INFO" "To change passphrase: ssh-keygen -p -f $SSH_KEY_FILE -P"
# Set proper permissions for the key # Set proper permissions for the key
chmod 600 "$key_path" chmod 600 "$SSH_KEY_FILE"
chmod 644 "$key_path.pub" chmod 644 "$SSH_KEY_FILE.pub"
# Append public key to authorized_keys # Append public key to authorized_keys
authorized_keys="$ssh_dir/authorized_keys" authorized_keys="$ssh_dir/authorized_keys"
if ! cat "$key_path.pub" >>"$authorized_keys"; then if ! cat "$SSH_KEY_FILE.pub" >>"$authorized_keys"; then
console_log "ERROR" "Failed to append public key to authorized_keys" console_log "ERROR" "Failed to append public key to authorized_keys"
file_log "ERROR" "Failed to append public key to authorized_keys" file_log "ERROR" "Failed to append public key to authorized_keys"
return 1 return 1
@@ -427,18 +422,18 @@ generate_ssh_key() {
file_log "INFO" "Added public key to: $authorized_keys" file_log "INFO" "Added public key to: $authorized_keys"
# Log the key details # Log the key details
file_log "INFO" "SSH key generated for user: $SSH_KEY_USER" file_log "INFO" "SSH key generated for [ $SSH_KEY_USER ]"
console_log "SUCCESS" "SSH key generated for user: $SSH_KEY_USER" console_log "SUCCESS" "SSH key generated for [ $SSH_KEY_USER ]"
file_log "SUCCESS" "Key path: $key_path" file_log "SUCCESS" "Key path: [ $SSH_KEY_FILE ]"
console_log "INFO" "Key path: $key_path" console_log "INFO" "Key path: [ $SSH_KEY_FILE ]"
console_log "INFO" "Authorized keys path: $authorized_keys" console_log "INFO" "Authorized keys path: [ $authorized_keys ]"
log_credentials "SSH Key passphrase: $key_passphrase" log_credentials "SSH Key passphrase: [ $SSH_KEY_PASSPHRASE ]"
log_credentials "Private key content:" log_credentials "Private key content:"
log_credentials "$(cat "$key_path")" log_credentials "[$(cat "$SSH_KEY_FILE")]"
log_credentials "Public key content:" log_credentials "Public key content:"
log_credentials "$(cat "$key_path.pub")" log_credentials "[$(cat "$SSH_KEY_FILE.pub")]"
} }
revert_ssh_config_changes() { revert_ssh_config_changes() {
@@ -1021,6 +1016,33 @@ configure_fail2ban() {
fi fi
} }
print_credentials() {
echo
echo "#############################################################"
if [ "$RESET_ROOT" = "true" ]; then
echo "New password for root: $ROOT_PASSWORD"
echo
fi
if [ -n "$USERNAME" ]; then
echo "New user: $USERNAME"
echo "New user password: $USER_PASSWORD"
echo
fi
echo "SSH private key:"
cat "$SSH_KEY_FILE" && rm "$SSH_KEY_FILE" >/dev/null 2>&1
echo
echo "SSH Key's Passphrase: $SSH_KEY_PASSPHRASE"
echo
echo "SSH public key location: $SSH_KEY_FILE.pub:"
cat "$SSH_KEY_FILE.pub"
echo "#############################################################"
}
main() { main() {
parse_and_validate_args "$@" parse_and_validate_args "$@"
create_log_file create_log_file
@@ -1104,6 +1126,7 @@ main() {
file_log "INFO" "Total execution time: [ $FORMATTED_DURATION ]" file_log "INFO" "Total execution time: [ $FORMATTED_DURATION ]"
print_log_file_details print_log_file_details
print_credentials_and_clean_up
return 0 return 0
} }
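Review bot: `main` calls `print_credentials_and_clean_up`, but the function this commit defines is `print_credentials`; unless the longer name is defined outside the visible hunks, the script ends with a command-not-found and the credentials — which are no longer written to the log — are shown nowhere, so the call should be `print_credentials` (or the definition renamed to match). In `create_log_file`, `LOG_FILE_NAME` already carries the `/var/log/` prefix, so `touch "/var/log/$LOG_FILE_NAME"` targets `/var/log//var/log/…` and fails; it should read `touch "$LOG_FILE_NAME"` followed by `chmod 600 "$LOG_FILE_NAME"`, because the default umask leaves a file under /var/log world-readable and the log still records key paths and operation details. The preceding `[ ! -d "/var/log" ]` test is redundant with `mkdir -p`. The usage text still says `Sensitive information (passwords, keys) are only logged to file by default` and prints `/var/log/{SCRIPT_NAME}_TIMESTAMP.log` without the `$`, so it now describes the old behaviour and should be rewritten to say credentials are displayed on the console only. `main`'s body starts outside the hunk.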