From abd0a42d11e5e03bdc184212b22a72f275b084f0 Mon Sep 17 00:00:00 2001
From: Pratik
Date: Thu, 14 Feb 2019 05:25:05 +0530
Subject: [PATCH] Readme - Added license - Sane defaults in the example - Marked stable Script - Bumped the version to 1.0 - Fixed bug - While reverting user creation revert always fails - was an issue with reseting the exit code - Bugfix - Does not show all operation succeed when schedule apt download was not executed - Prettier recap
---
 README.md | 49 +++++++++++----------
 init-linux-harden.sh | 102 +++++++++++++++++++++++--------------------
 2 files changed, 79 insertions(+), 72 deletions(-)
diff --git a/README.md b/README.md
index 7cb2baa..d69aadc 100644
--- a/README.md
+++ b/README.md
@@ -6,18 +6,15 @@ I wanted to change my VPS(Virtual Private Server) provider and was testing out m
 This script is meant to save that time.
 ## *** __WARNING__ ***
----
 This script can potentially make your server inaccessible.
-At the very least read the [FAQ section](https://github.com/pratiktri/init-li-harden#faq) before executing.
+At the very least, read the [FAQ section](https://github.com/pratiktri/init-li-harden#faq) before executing.
 If your connection gets reset during this operation, you WILL loose all access to the server.
----
-
 ## Status
-Beta testing. NOT production ready.
+Stable. Production ready.
 ## Usage
@@ -37,10 +34,9 @@ Beta testing. NOT production ready.
 The script is intended to be executed immediately after you have access to a *__new__* Linux server (most likely a VPS) as *__root__*.
 ```console
-root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh --username someusername --resetrootpwd --defaultsourcelist --quiet --hide-credentials
-
-root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh -u someusername -r -d -q -hide
+root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh -d -q -hide
+root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh --defaultsourcelist --quiet --hide-credentials
 ```
 > There are inherent risks involved with running scripts directly (without reviewing it first) from web - as done above. Everyone does it anyways, but you have been warned.
@@ -56,9 +52,9 @@ Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourc
 -u, --username Username for your server (If omitted script will choose an username for you)
 -r, --resetrootpwd Reset current root password
 -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile
- eg - tail -n 20 logfile
+ eg: tail -n 20 logfile
 -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org
- -ou, --only-create-user Only creates the user and its SSH authorizations
+ -ou, --only-user Only creates the user and its SSH authorizations
 NOTE: -r, -d would be ignored
 Example: bash ./linux_init_harden.sh --username myuseraccount --resetrootpwd
@@ -434,22 +430,27 @@ root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_har
 ## Todo
 ### Bug fixes
-- [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter-productive)
-- [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
-- [x] What to do if creating .bkp file fails? Ans - fail that entire step
-- [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not
 - [ ] fail2ban on Ubuntu 14.04 => need apply default-debian.conf to jail.local itself.
 - [ ] Exception handle - when curl https://ipinfo.io/ip fails
 ### Roadmap
-- [x] Update README - provide example of how it can be used from a non-root account.
-- [x] Update README - Warn that - If your connection gets reset during this operation, you WILL loose all access to the server.
-- [x] Update README - Add some screen captures
-- [x] Update README - Detail all the locations where backup files would be created
-- [x] Update README - Note that we never uninstall any software during restore operations
-- [x] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
-- [x] New - Schedule daily system update downloads
-- [x] New - Display time taken to complete all operations
-- [x] New - Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user
+- [ ] Update README - Assumptions - TOFU, Trust on VPS provider
 - [ ] New - Enable LUKS (is it even worth it???)
-- [ ] New - DNSCrypt
\ No newline at end of file
+- [ ] New - DNSCrypt
+
+ ## License
+
+ Copyright 2019 Pratik Kumar Tripathy
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
\ No newline at end of file
diff --git a/init-linux-harden.sh b/init-linux-harden.sh
index b178c2f..55bfb6f 100644
--- a/init-linux-harden.sh
+++ b/init-linux-harden.sh
@@ -1,7 +1,7 @@
 #!/etc/bin/env bash
 SCRIPT_NAME=linux_init_harden
-SCRIPT_VERSION=0.9
+SCRIPT_VERSION=1.0
 LOGFILE=/tmp/"$SCRIPT_NAME"_v"$SCRIPT_VERSION".log
 # Reset previous log file
@@ -35,9 +35,9 @@ function usage() {
 echo " -u, --username Username for your server (If omitted script will choose an username for you)"
 echo " -r, --resetrootpwd Reset current root password"
 echo " -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile"
- echo " eg - tail -n 20 logfile"
+ echo " eg: tail -n 20 logfile"
 echo " -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org"
- echo " -ou, --only-create-user Only creates the user and its SSH authorizations"
+ echo " -ou, --only-user Only creates the user and its SSH authorizations"
 echo " NOTE: -r, -d would be ignored"
 echo ""
@@ -138,7 +138,7 @@ while [[ "$#" -gt 0 ]]; do
 shift
 shift
 ;;
- -ou|--only-create-user)
+ -ou|--only-user)
 USER_CREATION_ALONE="y"
 shift
 ;;
@@ -386,8 +386,6 @@ function revert_create_user(){
 file_log "Error Code - ${exit_code}"
 log_revert_error "Reverting - New User Creation"
 fi
-
- reset_exit_code
 }
 function revert_create_ssh_key(){
@@ -404,8 +402,6 @@ function revert_create_ssh_key(){
 file_log "Error Code - ${exit_code}"
 log_revert_error "Reverting - SSH Key Generation"
 fi
-
- reset_exit_code
 }
 function revert_secure_authorized_key(){
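Review bot: revert_create_user loses its trailing `reset_exit_code` here without gaining the entry call that every other revert_* function receives in this patch, and the same happens to revert_create_ssh_key in the next hunk and revert_secure_authorized_key in the hunk after it; all three now depend solely on the single reset added to revert_everything_and_exit. That is sufficient while they are only reached through that dispatcher, but revert_ssh_only_login calls revert_secure_authorized_key directly, and any entry path without the reset could leave the failed step's stale value in what `file_log "Error Code - ${exit_code}"` reports (I cannot see from the hunks how exit_code is set). Adding `reset_exit_code` as the first statement of each of the three, exactly as done for the others, keeps the helpers self-contained and the pattern uniform. The bodies of all three functions begin outside their hunks. Separately, the first hunk of this file shows the shebang as `#!/etc/bin/env bash`; it is masked because the README runs the script as `bash ./init-linux-harden.sh`, but `#!/usr/bin/env bash` is the path that exists.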
@@ -431,11 +427,11 @@ function revert_secure_authorized_key(){
 file_log "Error Code - ${exit_code}"
 log_revert_error "Reverting - SSH Key Authorization"
 fi
-
- reset_exit_code
 }
 function revert_source_list_changes(){
+ reset_exit_code
+
 file_log "Reverting Source_list Changes..."
 unalias cp &>/dev/null
@@ -467,15 +463,16 @@ function revert_source_list_changes(){
 }
 function revert_root_pass_change(){
+ reset_exit_code
+
 echo
 center_err_text "Changing root password failed..."
 center_err_text "Your earlier root password remains VALID"
 center_err_text "Script will continue to next step"
-
- reset_exit_code
 }
 function revert_config_UFW(){
+ reset_exit_code
 file_log "Reverting UFW Configuration..."
 ufw disable 2>> "$LOGFILE" >&2
@@ -492,6 +489,8 @@ function revert_config_UFW(){
 }
 function revert_config_fail2ban(){
+ reset_exit_code
+
 file_log "Reverting Fail2ban Config..."
 unalias cp &>/dev/null
@@ -532,17 +531,18 @@ function revert_config_fail2ban(){
 }
 function revert_software_installs(){
+ reset_exit_code
+
 echo
 center_err_text "Error while installing softwares"
 center_err_text "This may be a false-alarm"
 center_err_text "Script will continue to next step"
 file_log "Installing software failed..."
 file_log "This is NOT a catastrophic error"
-
- reset_exit_code
 }
 function revert_schedule_updates() {
+ reset_exit_code
 file_log "Reverting Daily Update Download..."
 rm "$dailycron_filename"
@@ -560,6 +560,7 @@ function revert_schedule_updates() {
 function revert_ssh_only_login(){
 revert_secure_authorized_key
+
 if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then
 revert_source_list_changes
 fi
@@ -608,6 +609,8 @@ function revert_everything_and_exit() {
 file_log "Starting revert operation..."
+ reset_exit_code
+
 if [[ $1 = "${STEP_TEXT[0]}" ]]; then
 revert_create_user
 elif [[ $1 = "${STEP_TEXT[1]}" ]]; then
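Review bot: In the -467 hunk `reset_exit_code` is added to revert_config_UFW without the empty line that separates it from the first statement in revert_source_list_changes, revert_root_pass_change and revert_config_fail2ban; revert_schedule_updates in the -532 hunk has the same shape. Making those two match the others (`reset_exit_code` followed by an empty line) keeps the entry of every revert_* function visually identical, which is what makes a missing reset easy to spot on a later review. All of these function bodies continue outside their hunks.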
@@ -732,47 +735,17 @@ function recap() {
 if [[ $CreateNonRootUser -eq 2 ]] &&
 [[ $CreateSSHKey -eq 2 ]] &&
 [[ $SecureAuthkeysfile -eq 2 ]] &&
- [[ $ChangeSourceList -le 2 ]] && # Since 0 (NO-OP) is still success
 [[ $InstallReqSoftwares -eq 2 ]] &&
+ [[ $ChangeSourceList -le 2 ]] && # Since 0 (NO-OP) is still success
 [[ $ConfigureUFW -le 2 ]] && # Since 0 (NO-OP) is still success
 [[ $ConfigureFail2Ban -le 2 ]] && # Since 0 (NO-OP) is still success
- [[ $ScheduleUpdate -eq 2 ]] &&
+ [[ $ScheduleUpdate -le 2 ]] && # Since 0 (NO-OP) is still success
 [[ $ChangeRootPwd -le 2 ]] && # Since 0 (NO-OP) is still success
 [[ $EnableSSHOnly -eq 2 ]]; then
 echo
 line_fill "$CHORIZONTAL" "$CLINESIZE"
- line_fill "$CHORIZONTAL" "$CLINESIZE"
 center_reg_text "ALL OPERATIONS COMPLETED SUCCESSFULLY"
 fi
-
- #Recap
- file_log ""
- file_log ""
- file_log ""
- file_log ""
-
- line_fill "$CHORIZONTAL" "$CLINESIZE"
- log_ops_finish "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
- log_ops_finish "User's Password" "$CreateNonRootUser" "$USER_PASS"
- log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
- log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
- log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"
- if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
- log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
- fi
- line_fill "$CHORIZONTAL" "$CLINESIZE"
-
- log_ops_finish_file_contents "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
- log_ops_finish_file_contents "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
-
- line_fill "$CHORIZONTAL" "$CLINESIZE"
- center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
- center_reg_text "Use another window to test out the above credentials"
- center_reg_text "If you face issue logging in look at the log file to see what went wrong"
- center_reg_text "Log file at ${LOGFILE}"
-
- line_fill "$CHORIZONTAL" "$CLINESIZE"
- echo
 if [[ $ChangeSourceList -eq 3 ]] ||
 [[ $InstallReqSoftwares -eq 3 ]] ||
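Review bot: The `if` that opens at the end of this hunk (`if [[ $ChangeSourceList -eq 3 ]] ||`) is completed in the next hunk with `[[ $ScheduleUpdate -eq 3 ]] && [[ $ChangeRootPwd -eq 3 ]]; then`; bash gives `&&` and `||` equal, left-associative precedence, so the "Some operations failed..." block only runs when ChangeRootPwd is 3 and at least one earlier term is also 3, and a single failed step other than the root-password change prints neither the success banner nor this warning. The last two terms should be joined like the rest: `[[ $ScheduleUpdate -eq 3 ]] || [[ $ChangeRootPwd -eq 3 ]]; then`. The recap lines removed here are re-added in the next hunk with the same substance: `log_ops_finish` still receives `$USER_PASS`, `$KEY_PASS` and `$PASS_ROOT`, the -hide option text in this patch says those credentials "can ONLY be found in the logfile", and the file's first hunk defines that file as `LOGFILE=/tmp/"$SCRIPT_NAME"_v"$SCRIPT_VERSION".log`, a predictable path that with a default umask is readable by any local user and that outlives the run. Consider creating the log with mode 0600 where it is reset (e.g. `umask 077` before the first write, or `install -m 600 /dev/null "$LOGFILE"`) or keeping it under /root, and stating next to the `tail -n 20` hint that the file holds the credentials in plain text so the operator knows to remove it. recap() begins outside this hunk.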
@@ -781,13 +754,46 @@ function recap() {
 [[ $ScheduleUpdate -eq 3 ]] &&
 [[ $ChangeRootPwd -eq 3 ]]; then
 center_err_text "Some operations failed..."
- center_err_text "These may NOT be catastrophic"
+ center_err_text "System would function with reduced security"
 center_err_text "Please check $LOGFILE file for details"
 echo
 fi
+
+ #Recap
+ file_log ""
+ file_log ""
+ file_log ""
+ file_log ""
+
+ if [[ $HIDE_CREDENTIALS == "n" ]]; then
+ line_fill "$CHORIZONTAL" "$CLINESIZE"
+ fi
+ log_ops_finish "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
+ log_ops_finish "User's Password" "$CreateNonRootUser" "$USER_PASS"
+ log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
+ log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
+ log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"
+ if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
+ log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
+ fi
+ if [[ $HIDE_CREDENTIALS == "n" ]]; then
+ line_fill "$CHORIZONTAL" "$CLINESIZE"
+ fi
+
+ log_ops_finish_file_contents "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
+ log_ops_finish_file_contents "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
+
+ line_fill "$CHORIZONTAL" "$CLINESIZE"
+ center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
+ center_reg_text "Use another window to test out the above credentials"
+ center_reg_text "If you face issue logging in, check the log file to see what went wrong"
+ center_reg_text "Log file at ${LOGFILE}"
+
+ line_fill "$CHORIZONTAL" "$CLINESIZE"
+ echo
 if [[ $HIDE_CREDENTIALS == "y" ]]; then
- center_reg_text "Issue the following command to see all credentials"
+ center_reg_text "Use the following command to see all credentials"
 center_reg_text "tail -n 20 ${LOGFILE}"
 fi