diff --git a/README.md b/README.md
index 4574d40..7cb2baa 100644
--- a/README.md
+++ b/README.md
@@ -52,15 +52,18 @@ Run the script with below option to see all available options:-
 ```console
 root@host:~# bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O -) --help
-Usage: sudo bash /dev/fd/63 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]
- -u, --username Username for your server (If omitted script will choose an username for you)
- -r, --resetrootpwd Reset current root password
- -hide, --hide-credentials Credentials will hidden from the screen and can ONLY be found in the logfile (tail -n 20 /tmp/logfilename)
- -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org
+Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]
+ -u, --username Username for your server (If omitted script will choose an username for you)
+ -r, --resetrootpwd Reset current root password
+ -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile
+ eg - tail -n 20 logfile
+ -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org
+ -ou, --only-create-user Only creates the user and its SSH authorizations
+ NOTE: -r, -d would be ignored
 Example: bash ./linux_init_harden.sh --username myuseraccount --resetrootpwd
-Below restrictions apply to username this script accepts -
+Below restrictions apply to usernames -
 - [a-zA-Z0-9] [-] [_] are allowed
 - NO special characters.
 - NO spaces.
@@ -363,7 +366,7 @@ Ans - NO. > > An operation is _idempotent_ if the result of performing it once is exactly the same as the result of performing it repeatedly without any intervening actions. -Q - How so? +Q - Why is it not idempotent? Ans - We take backup of the file which stays on your server after operations. After taking back up of the file - __script sometimes comments out older configuration__. This is specifically true for [Step 4](https://github.com/pratiktri/init-li-harden#4-optionally-reset-the-url--for-apt-repo-from-vps-provided-cdn-to-os-provided-ones "Goto details of the step") where we comment out older configurations and append new ones to the end of the file. Also, for the SSH configuration file (/etc/ssh/sshd_conf) where we comment out the line of configuration and add the new configuration below the commented out line. So, if we re-run the script multiple times, those changes would compound as listed below. @@ -431,7 +434,7 @@ root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_har ## Todo ### Bug fixes -- [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter productive) +- [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter-productive) - [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension - [x] What to do if creating .bkp file fails? Ans - fail that entire step - [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not 
@@ -441,12 +444,12 @@ root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_har
 ### Roadmap
 - [x] Update README - provide example of how it can be used from a non-root account.
 - [x] Update README - Warn that - If your connection gets reset during this operation, you WILL loose all access to the server.
-- [ ] Update README - Add some screen captures
+- [x] Update README - Add some screen captures
 - [x] Update README - Detail all the locations where backup files would be created
 - [x] Update README - Note that we never uninstall any software during restore operations
 - [x] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
 - [x] New - Schedule daily system update downloads
+- [x] New - Display time taken to complete all operations
+- [x] New - Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user
 - [ ] New - Enable LUKS (is it even worth it???)
-- [ ] New - DNSCrypt
-- [ ] New - Display time taken to complete all operations
-- [ ] New - Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user
\ No newline at end of file
+- [ ] New - DNSCrypt
\ No newline at end of file
diff --git a/init-linux-harden.sh b/init-linux-harden.sh
index 8e46f0a..b178c2f 100644
--- a/init-linux-harden.sh
+++ b/init-linux-harden.sh
@@ -34,12 +34,15 @@ function usage() {
 echo "Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]"
 echo " -u, --username Username for your server (If omitted script will choose an username for you)"
 echo " -r, --resetrootpwd Reset current root password"
- echo " -hide, --hide-credentials Credentials will hidden from the screen and can ONLY be found in the logfile (tail -n 20 logfile)"
+ echo " -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile"
+ echo " eg - tail -n 20 logfile"
 echo " -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org"
+ echo " -ou, --only-create-user Only creates the user and its SSH authorizations"
+ echo " NOTE: -r, -d would be ignored"
 echo ""
 echo "Example: bash ./$SCRIPT_NAME.sh --username myuseraccount --resetrootpwd"
- printf "\\nBelow restrictions apply to username this script accepts - \\n"
+ printf "\\nBelow restrictions apply to usernames - \\n"
 printf "%2s - [a-zA-Z0-9] [-] [_] are allowed\\n%2s - NO special characters.\\n%2s - NO spaces.\\n" " " " " " "
 }
@@ -114,6 +117,7 @@ RESET_ROOT_PWD="n"
 DEFAULT_SOURCE_LIST="n"
 QUIET="n"
 HIDE_CREDENTIALS="n"
+USER_CREATION_ALONE="n"
 while [[ "$#" -gt 0 ]]; do
 case $1 in
@@ -134,6 +138,10 @@ while [[ "$#" -gt 0 ]]; do
 shift
 shift
 ;;
+ -ou|--only-create-user)
+ USER_CREATION_ALONE="y"
+ shift
+ ;;
 -r|--resetrootpwd)
 RESET_ROOT_PWD="y"
 shift
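Review bot: The new `-ou|--only-create-user` arm sets `USER_CREATION_ALONE="y"` but nothing rejects or reports the combination with `-r`/`-d`; the usage text says they "would be ignored", and the later gates do ignore them silently, so an operator who passed `-r` expecting the root password to be rotated gets no rotation and no message. A dropped credential rotation deserves at least a warning on stderr once parsing is done, e.g. after the `while` loop: `if [[ "$USER_CREATION_ALONE" == "y" && ( "$RESET_ROOT_PWD" == "y" || "$DEFAULT_SOURCE_LIST" == "y" ) ]]; then printf 'WARNING: --only-create-user given; ignoring -r/-d\n' >&2; fi` — or make it a hard error, since the two requests contradict each other. The `while`/`case` block that holds this arm starts and ends outside the hunk.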
@@ -199,10 +207,10 @@ if [[ "$AUTO_GEN_USERNAME" == "y" ]]; then
 else
 printf "%3s Username you opted = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE"
 fi
-if [[ "$DEFAULT_SOURCE_LIST" == "y" ]]; then
+if [[ "$DEFAULT_SOURCE_LIST" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
 printf "%3s Reset the url for apt repo from VPS provided CDN to OS provided ones\\n" " -" | tee -a "$LOGFILE"
 fi
-if [[ "$RESET_ROOT_PWD" == "y" ]]; then
+if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
 printf "%3s Reset root password\\n" " -" | tee -a "$LOGFILE"
 fi
 if [[ $HIDE_CREDENTIALS == "y" ]]; then
@@ -224,6 +232,10 @@ if [[ $QUIET == "n" ]]; then
 fi
+# Start recording execution time from now on
+SECONDS=0
+
+
 ##############################################################
 # Log - Cosmetics
 ##############################################################
@@ -606,6 +618,8 @@ function revert_everything_and_exit() {
 revert_ssh_only_login
 fi
+ center_reg_text "Total execution time - ${SECONDS}s"
+
 exit 1;
 }
@@ -743,7 +757,7 @@ function recap() {
 log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
 log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
 log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"
-if [[ "$RESET_ROOT_PWD" == "y" ]]; then
+if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
 log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
 fi
 line_fill "$CHORIZONTAL" "$CLINESIZE"
@@ -776,6 +790,11 @@ function recap() {
 center_reg_text "Issue the following command to see all credentials"
 center_reg_text "tail -n 20 ${LOGFILE}"
 fi
+
+ file_log "Total execution time in seconds - ${SECONDS}"
+ center_reg_text "Total execution time - ${SECONDS}s"
+
+ exit
 }
 function setup_step_start() {
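Review bot: The bare `exit` added at the end of `recap()` returns the status of the last command run (`center_reg_text`), so the script's exit code no longer reliably signals success; this matters now that `recap` is also the early return for the `--only-create-user` path, and `revert_everything_and_exit` deliberately uses `exit 1` for the failure path. Change it to `exit 0` so callers and automation can distinguish a completed run from a reverted one. Separately, the `file_log "Total execution time in seconds - ${SECONDS}"` entry is written after the credential block that the on-screen hint `tail -n 20 ${LOGFILE}` points at, so that window now holds one fewer credential line; presumably the block still fits, but it is worth checking (or writing the timing entry before the recap block) since a truncated `tail` is how a `-hide` user learns the new root password. `recap()` starts outside the hunk.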
@@ -903,6 +922,10 @@ if [[ $exit_code -gt 0 ]]; then
 revert_everything_and_exit "${STEP_TEXT[2]}"
 fi
+if [[ "$USER_CREATION_ALONE" == "y" ]]; then
+ recap
+fi
+
 ##############################################################
 # Step 4 - Change default source-list