Readme

- Added license - Sane defaults in the example - Marked stable Script - Bumped the version to 1.0 - Fixed bug - While reverting user creation revert always fails - was an issue with reseting the exit code - Bugfix - Does not show all operation succeed when schedule apt download was not executed - Prettier recap
2019-02-14 05:25:05 +05:30
parent 9e2dfc4bd1
commit abd0a42d11
2 changed files with 79 additions and 72 deletions
--- a/README.md
+++ b/README.md
@@ -6,18 +6,15 @@ I wanted to change my VPS(Virtual Private Server) provider and was testing out m
 This script is meant to save that time.

 ## *** __WARNING__ ***
---
 This script can potentially make your server inaccessible. 

-At the very least read the [FAQ section](https://github.com/pratiktri/init-li-harden#faq) before executing.
+At the very least, read the [FAQ section](https://github.com/pratiktri/init-li-harden#faq) before executing.

 If your connection gets reset during this operation, you WILL loose all access to the server.

---
-
 ## Status

-Beta testing. NOT production ready.
+Stable. Production ready.

 ## Usage

@@ -37,10 +34,9 @@ Beta testing. NOT production ready.
 The script is intended to be executed immediately after you have access to a *__new__* Linux server (most likely a VPS) as *__root__*.

 ```console
-root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh --username someusername --resetrootpwd --defaultsourcelist --quiet --hide-credentials
-
-root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh -u someusername -r -d -q -hide
+root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh -d -q -hide

+root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh --defaultsourcelist --quiet --hide-credentials
 ```

 > There are inherent risks involved with running scripts directly (without reviewing it first) from web - as done above. Everyone does it anyways, but you have been warned. 
@@ -56,9 +52,9 @@ Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourc
  -u,     --username              Username for your server (If omitted script will choose an username for you)
  -r,     --resetrootpwd          Reset current root password
  -hide,  --hide-credentials      Credentials will hidden from screen and can ONLY be found in the logfile
-                                  eg - tail -n 20 logfile
+                                  eg: tail -n 20 logfile
  -d,     --defaultsourcelist     Updates /etc/apt/sources.list to download software from debian.org
-  -ou,    --only-create-user      Only creates the user and its SSH authorizations
+  -ou,    --only-user             Only creates the user and its SSH authorizations
                                  NOTE: -r, -d would be ignored

 Example: bash ./linux_init_harden.sh --username myuseraccount --resetrootpwd
@@ -434,22 +430,27 @@ root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_har
 ## Todo

 ### Bug fixes
- [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter-productive)
- [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
- [x] What to do if creating .bkp file fails? Ans - fail that entire step
- [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not
 - [ ] fail2ban on Ubuntu 14.04 => need apply default-debian.conf to jail.local itself.
 - [ ] Exception handle - when curl https://ipinfo.io/ip fails

 ### Roadmap
- [x] Update README - provide example of how it can be used from a non-root account.
- [x] Update README - Warn that - If your connection gets reset during this operation, you WILL loose all access to the server.
- [x] Update README - Add some screen captures
- [x] Update README - Detail all the locations where backup files would be created
- [x] Update README - Note that we never uninstall any software during restore operations
- [x] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
- [x] New - Schedule daily system update downloads
- [x] New - Display time taken to complete all operations
- [x] New - Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user
+- [ ] Update README - Assumptions - TOFU, Trust on VPS provider
 - [ ] New - Enable LUKS (is it even worth it???)
- [ ] New - DNSCrypt
+- [ ] New - DNSCrypt
+
+
+## License
+
+Copyright 2019 Pratik Kumar Tripathy
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/init-linux-harden.sh
+++ b/init-linux-harden.sh
@@ -1,7 +1,7 @@
 #!/etc/bin/env bash

 SCRIPT_NAME=linux_init_harden
-SCRIPT_VERSION=0.9
+SCRIPT_VERSION=1.0

 LOGFILE=/tmp/"$SCRIPT_NAME"_v"$SCRIPT_VERSION".log
 # Reset previous log file
@@ -35,9 +35,9 @@ function usage() {
    echo "  -u,     --username              Username for your server (If omitted script will choose an username for you)"
    echo "  -r,     --resetrootpwd          Reset current root password"
    echo "  -hide,  --hide-credentials      Credentials will hidden from screen and can ONLY be found in the logfile"
-    echo "                                  eg - tail -n 20 logfile"
+    echo "                                  eg: tail -n 20 logfile"
    echo "  -d,     --defaultsourcelist     Updates /etc/apt/sources.list to download software from debian.org"
-    echo "  -ou,    --only-create-user      Only creates the user and its SSH authorizations"
+    echo "  -ou,    --only-user             Only creates the user and its SSH authorizations"
    echo "                                  NOTE: -r, -d would be ignored"

    echo ""
@@ -138,7 +138,7 @@ while [[ "$#" -gt 0 ]]; do
            shift
            shift
            ;;
-        -ou|--only-create-user)
+        -ou|--only-user)
            USER_CREATION_ALONE="y"
            shift
            ;;
@@ -386,8 +386,6 @@ function revert_create_user(){
        file_log "Error Code - ${exit_code}"
        log_revert_error "Reverting - New User Creation"
    fi
-
-    reset_exit_code
 }

 function revert_create_ssh_key(){
@@ -404,8 +402,6 @@ function revert_create_ssh_key(){
        file_log "Error Code - ${exit_code}"
        log_revert_error "Reverting - SSH Key Generation"
    fi
-
-    reset_exit_code
 }

 function revert_secure_authorized_key(){
@@ -431,11 +427,11 @@ function revert_secure_authorized_key(){
        file_log "Error Code - ${exit_code}"
        log_revert_error "Reverting - SSH Key Authorization"
    fi
-
-    reset_exit_code
 }

 function revert_source_list_changes(){
+    reset_exit_code
+
    file_log "Reverting Source_list Changes..."

    unalias cp &>/dev/null
@@ -467,15 +463,16 @@ function revert_source_list_changes(){
 }

 function revert_root_pass_change(){
+    reset_exit_code
+
    echo
    center_err_text "Changing root password failed..."
    center_err_text "Your earlier root password remains VALID"
    center_err_text "Script will continue to next step"
-
-    reset_exit_code
 }

 function revert_config_UFW(){
+    reset_exit_code
    file_log "Reverting UFW Configuration..."

    ufw disable 2>> "$LOGFILE" >&2
@@ -492,6 +489,8 @@ function revert_config_UFW(){
 }

 function revert_config_fail2ban(){
+    reset_exit_code
+
    file_log "Reverting Fail2ban Config..."

    unalias cp &>/dev/null
@@ -532,17 +531,18 @@ function revert_config_fail2ban(){
 }

 function revert_software_installs(){
+    reset_exit_code
+    
    echo
    center_err_text "Error while installing softwares"
    center_err_text "This may be a false-alarm"
    center_err_text "Script will continue to next step"
    file_log "Installing software failed..."
    file_log "This is NOT a catastrophic error"
-
-    reset_exit_code
 }

 function revert_schedule_updates() {
+    reset_exit_code
    file_log "Reverting Daily Update Download..."

    rm "$dailycron_filename"
@@ -560,6 +560,7 @@ function revert_schedule_updates() {

 function revert_ssh_only_login(){
    revert_secure_authorized_key
+
    if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then
        revert_source_list_changes
    fi
@@ -608,6 +609,8 @@ function revert_everything_and_exit() {

    file_log "Starting revert operation..."

+    reset_exit_code
+    
    if [[ $1 = "${STEP_TEXT[0]}" ]]; then
        revert_create_user
    elif [[ $1 = "${STEP_TEXT[1]}" ]]; then
@@ -732,47 +735,17 @@ function recap() {
    if [[ $CreateNonRootUser -eq 2 ]] &&
        [[ $CreateSSHKey -eq 2 ]] &&
        [[ $SecureAuthkeysfile -eq 2 ]] &&
-        [[ $ChangeSourceList -le 2 ]] && # Since 0 (NO-OP) is still success
        [[ $InstallReqSoftwares -eq 2 ]] &&
+        [[ $ChangeSourceList -le 2 ]] && # Since 0 (NO-OP) is still success
        [[ $ConfigureUFW -le 2 ]] && # Since 0 (NO-OP) is still success
        [[ $ConfigureFail2Ban -le 2 ]] && # Since 0 (NO-OP) is still success
-        [[ $ScheduleUpdate -eq 2 ]] &&
+        [[ $ScheduleUpdate -le 2 ]] && # Since 0 (NO-OP) is still success
        [[ $ChangeRootPwd -le 2 ]] && # Since 0 (NO-OP) is still success
        [[ $EnableSSHOnly -eq 2 ]]; then
        echo
        line_fill "$CHORIZONTAL" "$CLINESIZE"
-        line_fill "$CHORIZONTAL" "$CLINESIZE"
        center_reg_text "ALL OPERATIONS COMPLETED SUCCESSFULLY"
    fi
-    
-    #Recap
-    file_log ""
-    file_log ""
-    file_log ""
-    file_log ""
-
-    line_fill "$CHORIZONTAL" "$CLINESIZE"
-    log_ops_finish "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
-    log_ops_finish "User's Password" "$CreateNonRootUser" "$USER_PASS"
-    log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
-    log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
-    log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"    
-    if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
-        log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
-    fi
-    line_fill "$CHORIZONTAL" "$CLINESIZE"
-
-    log_ops_finish_file_contents "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
-    log_ops_finish_file_contents "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
-    
-    line_fill "$CHORIZONTAL" "$CLINESIZE"
-    center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
-    center_reg_text "Use another window to test out the above credentials"
-    center_reg_text "If you face issue logging in look at the log file to see what went wrong"
-    center_reg_text "Log file at ${LOGFILE}"
-
-    line_fill "$CHORIZONTAL" "$CLINESIZE"
-    echo

    if [[ $ChangeSourceList -eq 3 ]] ||
       [[ $InstallReqSoftwares -eq 3 ]] ||
@@ -781,13 +754,46 @@ function recap() {
       [[ $ScheduleUpdate -eq 3 ]] &&
       [[ $ChangeRootPwd -eq 3 ]]; then
        center_err_text "Some operations failed..."
-        center_err_text "These may NOT be catastrophic"
+        center_err_text "System would function with reduced security"
        center_err_text "Please check $LOGFILE file for details"
        echo
    fi
+    
+    #Recap
+    file_log ""
+    file_log ""
+    file_log ""
+    file_log ""
+
+    if [[ $HIDE_CREDENTIALS == "n" ]]; then
+        line_fill "$CHORIZONTAL" "$CLINESIZE"
+    fi
+    log_ops_finish "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
+    log_ops_finish "User's Password" "$CreateNonRootUser" "$USER_PASS"
+    log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
+    log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
+    log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"    
+    if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
+        log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
+    fi
+    if [[ $HIDE_CREDENTIALS == "n" ]]; then
+        line_fill "$CHORIZONTAL" "$CLINESIZE"
+    fi
+
+    log_ops_finish_file_contents "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
+    log_ops_finish_file_contents "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
+    
+    line_fill "$CHORIZONTAL" "$CLINESIZE"
+    center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
+    center_reg_text "Use another window to test out the above credentials"
+    center_reg_text "If you face issue logging in, check the log file to see what went wrong"
+    center_reg_text "Log file at ${LOGFILE}"
+
+    line_fill "$CHORIZONTAL" "$CLINESIZE"
+    echo

    if [[ $HIDE_CREDENTIALS == "y" ]]; then
-        center_reg_text "Issue the following command to see all credentials"
+        center_reg_text "Use the following command to see all credentials"
        center_reg_text "tail -n 20 ${LOGFILE}"
    fi