pratik/server_init_harden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added only-create-user flag to stop execution after creating the user

Browse Source 
Display script execution duration
This commit is contained in:
Pratik
2019-02-14 03:46:18 +05:30
parent 914ac35cb2
commit 9e2dfc4bd1
2 changed files with 43 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@@ -52,15 +52,18 @@ Run the script with below option to see all available options:-
```console ```console
root@host:~# bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O -) --help root@host:~# bash <(wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O -) --help
Usage: sudo bash /dev/fd/63 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist] Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]
-u, --username Username for your server (If omitted script will choose an username for you) -u, --username Username for your server (If omitted script will choose an username for you)
-r, --resetrootpwd Reset current root password -r, --resetrootpwd Reset current root password
-hide, --hide-credentials Credentials will hidden from the screen and can ONLY be found in the logfile (tail -n 20 /tmp/logfilename) -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile
-d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org eg - tail -n 20 logfile
-d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org
-ou, --only-create-user Only creates the user and its SSH authorizations
NOTE: -r, -d would be ignored
Example: bash ./linux_init_harden.sh --username myuseraccount --resetrootpwd Example: bash ./linux_init_harden.sh --username myuseraccount --resetrootpwd
Below restrictions apply to username this script accepts - Below restrictions apply to usernames -
- [a-zA-Z0-9] [-] [_] are allowed - [a-zA-Z0-9] [-] [_] are allowed
- NO special characters. - NO special characters.
- NO spaces. - NO spaces.
@@ -363,7 +366,7 @@ Ans - NO.
> >
> An operation is _idempotent_ if the result of performing it once is exactly the same as the result of performing it repeatedly without any intervening actions. > An operation is _idempotent_ if the result of performing it once is exactly the same as the result of performing it repeatedly without any intervening actions.
Q - How so? Q - Why is it not idempotent?
Ans - We take backup of the file which stays on your server after operations. After taking back up of the file - __script sometimes comments out older configuration__. This is specifically true for [Step 4](https://github.com/pratiktri/init-li-harden#4-optionally-reset-the-url--for-apt-repo-from-vps-provided-cdn-to-os-provided-ones "Goto details of the step") where we comment out older configurations and append new ones to the end of the file. Also, for the SSH configuration file (/etc/ssh/sshd_conf) where we comment out the line of configuration and add the new configuration below the commented out line. So, if we re-run the script multiple times, those changes would compound as listed below. Ans - We take backup of the file which stays on your server after operations. After taking back up of the file - __script sometimes comments out older configuration__. This is specifically true for [Step 4](https://github.com/pratiktri/init-li-harden#4-optionally-reset-the-url--for-apt-repo-from-vps-provided-cdn-to-os-provided-ones "Goto details of the step") where we comment out older configurations and append new ones to the end of the file. Also, for the SSH configuration file (/etc/ssh/sshd_conf) where we comment out the line of configuration and add the new configuration below the commented out line. So, if we re-run the script multiple times, those changes would compound as listed below.
@@ -431,7 +434,7 @@ root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_har
## Todo ## Todo
### Bug fixes ### Bug fixes
- [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter productive) - [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter-productive)
- [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension - [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
- [x] What to do if creating .bkp file fails? Ans - fail that entire step - [x] What to do if creating .bkp file fails? Ans - fail that entire step
- [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not - [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not
@@ -441,12 +444,12 @@ root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_har
### Roadmap ### Roadmap
- [x] Update README - provide example of how it can be used from a non-root account. - [x] Update README - provide example of how it can be used from a non-root account.
- [x] Update README - Warn that - If your connection gets reset during this operation, you WILL loose all access to the server. - [x] Update README - Warn that - If your connection gets reset during this operation, you WILL loose all access to the server.
- [ ] Update README - Add some screen captures - [x] Update README - Add some screen captures
- [x] Update README - Detail all the locations where backup files would be created - [x] Update README - Detail all the locations where backup files would be created
- [x] Update README - Note that we never uninstall any software during restore operations - [x] Update README - Note that we never uninstall any software during restore operations
- [x] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours) - [x] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
- [x] New - Schedule daily system update downloads - [x] New - Schedule daily system update downloads
- [x] New - Display time taken to complete all operations
- [x] New - Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user
- [ ] New - Enable LUKS (is it even worth it???) - [ ] New - Enable LUKS (is it even worth it???)
- [ ] New - DNSCrypt - [ ] New - DNSCrypt
- [ ] New - Display time taken to complete all operations
- [ ] New - Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user

33
init-linux-harden.sh
View File

@@ -34,12 +34,15 @@ function usage() {
echo "Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]" echo "Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]"
echo " -u, --username Username for your server (If omitted script will choose an username for you)" echo " -u, --username Username for your server (If omitted script will choose an username for you)"
echo " -r, --resetrootpwd Reset current root password" echo " -r, --resetrootpwd Reset current root password"
echo " -hide, --hide-credentials Credentials will hidden from the screen and can ONLY be found in the logfile (tail -n 20 logfile)" echo " -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile"
echo " eg - tail -n 20 logfile"
echo " -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org" echo " -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org"
echo " -ou, --only-create-user Only creates the user and its SSH authorizations"
echo " NOTE: -r, -d would be ignored"
echo "" echo ""
echo "Example: bash ./$SCRIPT_NAME.sh --username myuseraccount --resetrootpwd" echo "Example: bash ./$SCRIPT_NAME.sh --username myuseraccount --resetrootpwd"
printf "\\nBelow restrictions apply to username this script accepts - \\n" printf "\\nBelow restrictions apply to usernames - \\n"
printf "%2s - [a-zA-Z0-9] [-] [_] are allowed\\n%2s - NO special characters.\\n%2s - NO spaces.\\n" " " " " " " printf "%2s - [a-zA-Z0-9] [-] [_] are allowed\\n%2s - NO special characters.\\n%2s - NO spaces.\\n" " " " " " "
} }
@@ -114,6 +117,7 @@ RESET_ROOT_PWD="n"
DEFAULT_SOURCE_LIST="n" DEFAULT_SOURCE_LIST="n"
QUIET="n" QUIET="n"
HIDE_CREDENTIALS="n" HIDE_CREDENTIALS="n"
USER_CREATION_ALONE="n"
while [[ "$#" -gt 0 ]]; do while [[ "$#" -gt 0 ]]; do
case $1 in case $1 in
@@ -134,6 +138,10 @@ while [[ "$#" -gt 0 ]]; do
shift shift
shift shift
;; ;;
-ou|--only-create-user)
USER_CREATION_ALONE="y"
shift
;;
-r|--resetrootpwd) -r|--resetrootpwd)
RESET_ROOT_PWD="y" RESET_ROOT_PWD="y"
shift shift
@@ -199,10 +207,10 @@ if [[ "$AUTO_GEN_USERNAME" == "y" ]]; then
else else
printf "%3s Username you opted = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE" printf "%3s Username you opted = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE"
fi fi
if [[ "$DEFAULT_SOURCE_LIST" == "y" ]]; then if [[ "$DEFAULT_SOURCE_LIST" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
printf "%3s Reset the url for apt repo from VPS provided CDN to OS provided ones\\n" " -" | tee -a "$LOGFILE" printf "%3s Reset the url for apt repo from VPS provided CDN to OS provided ones\\n" " -" | tee -a "$LOGFILE"
fi fi
if [[ "$RESET_ROOT_PWD" == "y" ]]; then if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
printf "%3s Reset root password\\n" " -" | tee -a "$LOGFILE" printf "%3s Reset root password\\n" " -" | tee -a "$LOGFILE"
fi fi
if [[ $HIDE_CREDENTIALS == "y" ]]; then if [[ $HIDE_CREDENTIALS == "y" ]]; then
@@ -224,6 +232,10 @@ if [[ $QUIET == "n" ]]; then
fi fi
# Start recording execution time from now on
SECONDS=0
############################################################## ##############################################################
# Log - Cosmetics # Log - Cosmetics
############################################################## ##############################################################
@@ -606,6 +618,8 @@ function revert_everything_and_exit() {
revert_ssh_only_login revert_ssh_only_login
fi fi
center_reg_text "Total execution time - ${SECONDS}s"
exit 1; exit 1;
} }
@@ -743,7 +757,7 @@ function recap() {
log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS" log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"
if [[ "$RESET_ROOT_PWD" == "y" ]]; then if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT" log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
fi fi
line_fill "$CHORIZONTAL" "$CLINESIZE" line_fill "$CHORIZONTAL" "$CLINESIZE"
@@ -776,6 +790,11 @@ function recap() {
center_reg_text "Issue the following command to see all credentials" center_reg_text "Issue the following command to see all credentials"
center_reg_text "tail -n 20 ${LOGFILE}" center_reg_text "tail -n 20 ${LOGFILE}"
fi fi
file_log "Total execution time in seconds - ${SECONDS}"
center_reg_text "Total execution time - ${SECONDS}s"
exit
} }
function setup_step_start() { function setup_step_start() {
@@ -903,6 +922,10 @@ if [[ $exit_code -gt 0 ]]; then
revert_everything_and_exit "${STEP_TEXT[2]}" revert_everything_and_exit "${STEP_TEXT[2]}"
fi fi
if [[ "$USER_CREATION_ALONE" == "y" ]]; then
recap
fi
############################################################## ##############################################################
# Step 4 - Change default source-list # Step 4 - Change default source-list