- Added license
- Sane defaults in the example
- Marked stable

Script
- Bumped the version to 1.0
- Fixed bug - While reverting user creation, revert always fails - was an issue with resetting the exit code
- Bugfix - Does not show all operations succeeded when scheduled apt download was not executed
- Prettier recap
This commit is contained in:
Pratik
2019-02-14 05:25:05 +05:30
parent 9e2dfc4bd1
commit abd0a42d11
2 changed files with 79 additions and 72 deletions


@@ -6,18 +6,15 @@ I wanted to change my VPS(Virtual Private Server) provider and was testing out m
This script is meant to save that time. This script is meant to save that time.
## *** __WARNING__ *** ## *** __WARNING__ ***
---
This script can potentially make your server inaccessible. This script can potentially make your server inaccessible.
At the very least read the [FAQ section](https://github.com/pratiktri/init-li-harden#faq) before executing. At the very least, read the [FAQ section](https://github.com/pratiktri/init-li-harden#faq) before executing.
If your connection gets reset during this operation, you WILL loose all access to the server. If your connection gets reset during this operation, you WILL loose all access to the server.
---
## Status ## Status
Beta testing. NOT production ready. Stable. Production ready.
## Usage ## Usage
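Review bot: "loose" on the connection-reset warning line should be "lose"; the typo is carried unchanged onto the new side of this hunk. Also, this hunk flips the status from "Beta testing. NOT production ready." to "Stable. Production ready.", while the Todo section further down in this same file still has two unchecked bug items (fail2ban on Ubuntu 14.04, unhandled failure of `curl https://ipinfo.io/ip`); consider listing those known limitations next to the status line so the "production ready" claim is qualified.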
@@ -37,10 +34,9 @@ Beta testing. NOT production ready.
The script is intended to be executed immediately after you have access to a *__new__* Linux server (most likely a VPS) as *__root__*. The script is intended to be executed immediately after you have access to a *__new__* Linux server (most likely a VPS) as *__root__*.
```console ```console
root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh --username someusername --resetrootpwd --defaultsourcelist --quiet --hide-credentials root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh -d -q -hide
root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh -u someusername -r -d -q -hide
root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_harden/master/init-linux-harden.sh -O init-linux-harden.sh && bash ./init-linux-harden.sh --defaultsourcelist --quiet --hide-credentials
``` ```
> There are inherent risks involved with running scripts directly (without reviewing it first) from web - as done above. Everyone does it anyways, but you have been warned. > There are inherent risks involved with running scripts directly (without reviewing it first) from web - as done above. Everyone does it anyways, but you have been warned.
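Review bot: the first example now runs with `-d -q -hide` and no `--username`/`--resetrootpwd`, which per the usage text below means the script picks a username and leaves the root password alone; a one-line sentence above the console block saying exactly what this default run does would help a first-time reader. Separately, `-hide` is a single-dash multi-letter option mixed with the single-letter `-d -q`; it works because the script matches whole words in a `case` (see the `-ou|--only-user)` arm later in this patch), but a getopt-style parser would read it as `-h -i -d -e`, so note in the README that options are not combinable.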
@@ -56,9 +52,9 @@ Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourc
-u, --username Username for your server (If omitted script will choose an username for you) -u, --username Username for your server (If omitted script will choose an username for you)
-r, --resetrootpwd Reset current root password -r, --resetrootpwd Reset current root password
-hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile
eg - tail -n 20 logfile eg: tail -n 20 logfile
-d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org
-ou, --only-create-user Only creates the user and its SSH authorizations -ou, --only-user Only creates the user and its SSH authorizations
NOTE: -r, -d would be ignored NOTE: -r, -d would be ignored
Example: bash ./linux_init_harden.sh --username myuseraccount --resetrootpwd Example: bash ./linux_init_harden.sh --username myuseraccount --resetrootpwd
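Review bot: renaming `-ou, --only-create-user` to `-ou, --only-user` drops the old long name with no alias, so existing invocations of `--only-create-user` will break; either keep the old spelling as an accepted alias for one release or call out the rename in the commit message. Wording in the same hunk: "Credentials will hidden" should be "Credentials will be hidden", "an username" should be "a username", and the Example line invokes `linux_init_harden.sh` while the Usage section above saves the download as `init-linux-harden.sh`; pick one filename.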
@@ -434,22 +430,27 @@ root@host:~# wget -q https://raw.githubusercontent.com/pratiktri/server_init_har
## Todo ## Todo
### Bug fixes ### Bug fixes
- [x] ~~On successful restoration - delete the bkp files~~ (Abandoned - as it could be counter-productive)
- [x] Investigate Warning - Ignoring file 'hetzner-mirror.list.29_01_2019-19_31_03_bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
- [x] What to do if creating .bkp file fails? Ans - fail that entire step
- [x] Step 6 & 7 - Instead of checking if installation was successful or not - check if the the software we need is installed or not
- [ ] fail2ban on Ubuntu 14.04 => need apply default-debian.conf to jail.local itself. - [ ] fail2ban on Ubuntu 14.04 => need apply default-debian.conf to jail.local itself.
- [ ] Exception handle - when curl https://ipinfo.io/ip fails - [ ] Exception handle - when curl https://ipinfo.io/ip fails
### Roadmap ### Roadmap
- [x] Update README - provide example of how it can be used from a non-root account. - [ ] Update README - Assumptions - TOFU, Trust on VPS provider
- [x] Update README - Warn that - If your connection gets reset during this operation, you WILL loose all access to the server.
- [x] Update README - Add some screen captures
- [x] Update README - Detail all the locations where backup files would be created
- [x] Update README - Note that we never uninstall any software during restore operations
- [x] New - Provide Flag - to NOT display credentials on screen (because - nosy neighbours)
- [x] New - Schedule daily system update downloads
- [x] New - Display time taken to complete all operations
- [x] New - Provide flag to ONLY create a new user (sudo???) - when script is already run and you just want to create another user
- [ ] New - Enable LUKS (is it even worth it???) - [ ] New - Enable LUKS (is it even worth it???)
- [ ] New - DNSCrypt - [ ] New - DNSCrypt
## License
Copyright 2019 Pratik Kumar Tripathy
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
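Review bot: in the Roadmap, the checked item "provide example of how it can be used from a non-root account" is replaced on the new side by an unchecked "Assumptions - TOFU, Trust on VPS provider" rather than added alongside it; if the non-root example was in fact written, keep the completed line so the list stays a record of what shipped. The License block reads fine, but the README already uses `---` separators between sections, so one above `## License` would match the rest of the file.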


@@ -1,7 +1,7 @@
#!/etc/bin/env bash #!/etc/bin/env bash
SCRIPT_NAME=linux_init_harden SCRIPT_NAME=linux_init_harden
SCRIPT_VERSION=0.9 SCRIPT_VERSION=1.0
LOGFILE=/tmp/"$SCRIPT_NAME"_v"$SCRIPT_VERSION".log LOGFILE=/tmp/"$SCRIPT_NAME"_v"$SCRIPT_VERSION".log
# Reset previous log file # Reset previous log file
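Review bot: the shebang `#!/etc/bin/env bash` points at a path that does not exist on standard systems; it should be `#!/usr/bin/env bash`. The script only runs today because the README invokes it as `bash ./init-linux-harden.sh`, so running it directly (`./init-linux-harden.sh`) fails. On the log location: `LOGFILE=/tmp/...` receives the user password, SSH key passphrase and new root password in the recap hunk later in this patch, and `/tmp` is world-readable, so set `umask 077` before the "Reset previous log file" step or `chmod 600 "$LOGFILE"` immediately after it, and preferably keep the log under a root-only directory such as `/root`. Note too that bumping `SCRIPT_VERSION` to 1.0 changes the log filename, so the "Reset previous log file" step no longer clears a log left by a 0.9 run, and that older file keeps its credentials in `/tmp`.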
@@ -35,9 +35,9 @@ function usage() {
echo " -u, --username Username for your server (If omitted script will choose an username for you)" echo " -u, --username Username for your server (If omitted script will choose an username for you)"
echo " -r, --resetrootpwd Reset current root password" echo " -r, --resetrootpwd Reset current root password"
echo " -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile" echo " -hide, --hide-credentials Credentials will hidden from screen and can ONLY be found in the logfile"
echo " eg - tail -n 20 logfile" echo " eg: tail -n 20 logfile"
echo " -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org" echo " -d, --defaultsourcelist Updates /etc/apt/sources.list to download software from debian.org"
echo " -ou, --only-create-user Only creates the user and its SSH authorizations" echo " -ou, --only-user Only creates the user and its SSH authorizations"
echo " NOTE: -r, -d would be ignored" echo " NOTE: -r, -d would be ignored"
echo "" echo ""
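Review bot: same grammar fixes as the README copy of this text: "Credentials will hidden" should be "Credentials will be hidden" and "an username" should be "a username". Since this usage block and the README's usage block are kept in sync by hand (both edited identically in this patch), consider generating the README section from `usage()` output, or at least noting in a comment that the two must be updated together.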
@@ -138,7 +138,7 @@ while [[ "$#" -gt 0 ]]; do
shift shift
shift shift
;; ;;
-ou|--only-create-user) -ou|--only-user)
USER_CREATION_ALONE="y" USER_CREATION_ALONE="y"
shift shift
;; ;;
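Review bot: this case arm drops `--only-create-user` entirely; to avoid breaking scripts written against the documented flag, accept both spellings, e.g. `-ou|--only-user|--only-create-user)`, and deprecate the old one in the usage text rather than removing it silently.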
@@ -386,8 +386,6 @@ function revert_create_user(){
file_log "Error Code - ${exit_code}" file_log "Error Code - ${exit_code}"
log_revert_error "Reverting - New User Creation" log_revert_error "Reverting - New User Creation"
fi fi
reset_exit_code
} }
function revert_create_ssh_key(){ function revert_create_ssh_key(){
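Review bot: with the trailing `reset_exit_code` removed, nothing inside `revert_create_user` re-establishes a clean `exit_code` before or after its work; that now depends on the single `reset_exit_code` added to `revert_everything_and_exit` before the dispatch further down in this patch. Any caller that invokes `revert_create_user` directly would therefore evaluate a stale `exit_code` in the `if` above `file_log "Error Code - ${exit_code}"`. A one-line comment at the top of the function stating that the caller must reset `exit_code` first would make the contract explicit.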
@@ -404,8 +402,6 @@ function revert_create_ssh_key(){
file_log "Error Code - ${exit_code}" file_log "Error Code - ${exit_code}"
log_revert_error "Reverting - SSH Key Generation" log_revert_error "Reverting - SSH Key Generation"
fi fi
reset_exit_code
} }
function revert_secure_authorized_key(){ function revert_secure_authorized_key(){
@@ -431,11 +427,11 @@ function revert_secure_authorized_key(){
file_log "Error Code - ${exit_code}" file_log "Error Code - ${exit_code}"
log_revert_error "Reverting - SSH Key Authorization" log_revert_error "Reverting - SSH Key Authorization"
fi fi
reset_exit_code
} }
function revert_source_list_changes(){ function revert_source_list_changes(){
reset_exit_code
file_log "Reverting Source_list Changes..." file_log "Reverting Source_list Changes..."
unalias cp &>/dev/null unalias cp &>/dev/null
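Review bot: the placement of `reset_exit_code` is now inconsistent across the revert functions: `revert_secure_authorized_key` loses its trailing call and gets no leading one, while `revert_source_list_changes` directly below gains a leading call. Since `revert_ssh_only_login` (later in this patch) runs these two back to back, the source-list revert starts clean but the authorized-key revert inherits whatever `exit_code` the dispatcher left. Either give every `revert_*` function a leading `reset_exit_code` or rely solely on the dispatcher, but not a mix.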
@@ -467,15 +463,16 @@ function revert_source_list_changes(){
} }
function revert_root_pass_change(){ function revert_root_pass_change(){
reset_exit_code
echo echo
center_err_text "Changing root password failed..." center_err_text "Changing root password failed..."
center_err_text "Your earlier root password remains VALID" center_err_text "Your earlier root password remains VALID"
center_err_text "Script will continue to next step" center_err_text "Script will continue to next step"
reset_exit_code
} }
function revert_config_UFW(){ function revert_config_UFW(){
reset_exit_code
file_log "Reverting UFW Configuration..." file_log "Reverting UFW Configuration..."
ufw disable 2>> "$LOGFILE" >&2 ufw disable 2>> "$LOGFILE" >&2
@@ -492,6 +489,8 @@ function revert_config_UFW(){
} }
function revert_config_fail2ban(){ function revert_config_fail2ban(){
reset_exit_code
file_log "Reverting Fail2ban Config..." file_log "Reverting Fail2ban Config..."
unalias cp &>/dev/null unalias cp &>/dev/null
@@ -532,17 +531,18 @@ function revert_config_fail2ban(){
} }
function revert_software_installs(){ function revert_software_installs(){
reset_exit_code
echo echo
center_err_text "Error while installing softwares" center_err_text "Error while installing softwares"
center_err_text "This may be a false-alarm" center_err_text "This may be a false-alarm"
center_err_text "Script will continue to next step" center_err_text "Script will continue to next step"
file_log "Installing software failed..." file_log "Installing software failed..."
file_log "This is NOT a catastrophic error" file_log "This is NOT a catastrophic error"
reset_exit_code
} }
function revert_schedule_updates() { function revert_schedule_updates() {
reset_exit_code
file_log "Reverting Daily Update Download..." file_log "Reverting Daily Update Download..."
rm "$dailycron_filename" rm "$dailycron_filename"
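Review bot: with `reset_exit_code` now at the top of `revert_schedule_updates`, the `rm "$dailycron_filename"` that follows becomes the first command to set the status, and it fails when the cron file was never created (the very case in which this revert is most likely to run) or when `dailycron_filename` is empty, in which case `rm ""` errors as well. Use `[[ -n "$dailycron_filename" ]] && rm -f "$dailycron_filename"` so an absent file is not reported as a revert failure.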
@@ -560,6 +560,7 @@ function revert_schedule_updates() {
function revert_ssh_only_login(){ function revert_ssh_only_login(){
revert_secure_authorized_key revert_secure_authorized_key
if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then if [[ $DEFAULT_SOURCE_LIST = "y" ]]; then
revert_source_list_changes revert_source_list_changes
fi fi
@@ -608,6 +609,8 @@ function revert_everything_and_exit() {
file_log "Starting revert operation..." file_log "Starting revert operation..."
reset_exit_code
if [[ $1 = "${STEP_TEXT[0]}" ]]; then if [[ $1 = "${STEP_TEXT[0]}" ]]; then
revert_create_user revert_create_user
elif [[ $1 = "${STEP_TEXT[1]}" ]]; then elif [[ $1 = "${STEP_TEXT[1]}" ]]; then
@@ -732,48 +735,18 @@ function recap() {
if [[ $CreateNonRootUser -eq 2 ]] && if [[ $CreateNonRootUser -eq 2 ]] &&
[[ $CreateSSHKey -eq 2 ]] && [[ $CreateSSHKey -eq 2 ]] &&
[[ $SecureAuthkeysfile -eq 2 ]] && [[ $SecureAuthkeysfile -eq 2 ]] &&
[[ $ChangeSourceList -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $InstallReqSoftwares -eq 2 ]] && [[ $InstallReqSoftwares -eq 2 ]] &&
[[ $ChangeSourceList -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $ConfigureUFW -le 2 ]] && # Since 0 (NO-OP) is still success [[ $ConfigureUFW -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $ConfigureFail2Ban -le 2 ]] && # Since 0 (NO-OP) is still success [[ $ConfigureFail2Ban -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $ScheduleUpdate -eq 2 ]] && [[ $ScheduleUpdate -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $ChangeRootPwd -le 2 ]] && # Since 0 (NO-OP) is still success [[ $ChangeRootPwd -le 2 ]] && # Since 0 (NO-OP) is still success
[[ $EnableSSHOnly -eq 2 ]]; then [[ $EnableSSHOnly -eq 2 ]]; then
echo echo
line_fill "$CHORIZONTAL" "$CLINESIZE" line_fill "$CHORIZONTAL" "$CLINESIZE"
line_fill "$CHORIZONTAL" "$CLINESIZE"
center_reg_text "ALL OPERATIONS COMPLETED SUCCESSFULLY" center_reg_text "ALL OPERATIONS COMPLETED SUCCESSFULLY"
fi fi
#Recap
file_log ""
file_log ""
file_log ""
file_log ""
line_fill "$CHORIZONTAL" "$CLINESIZE"
log_ops_finish "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
log_ops_finish "User's Password" "$CreateNonRootUser" "$USER_PASS"
log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"
if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
fi
line_fill "$CHORIZONTAL" "$CLINESIZE"
log_ops_finish_file_contents "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
log_ops_finish_file_contents "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
line_fill "$CHORIZONTAL" "$CLINESIZE"
center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
center_reg_text "Use another window to test out the above credentials"
center_reg_text "If you face issue logging in look at the log file to see what went wrong"
center_reg_text "Log file at ${LOGFILE}"
line_fill "$CHORIZONTAL" "$CLINESIZE"
echo
if [[ $ChangeSourceList -eq 3 ]] || if [[ $ChangeSourceList -eq 3 ]] ||
[[ $InstallReqSoftwares -eq 3 ]] || [[ $InstallReqSoftwares -eq 3 ]] ||
[[ $ConfigureUFW -eq 3 ]] || [[ $ConfigureUFW -eq 3 ]] ||
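Review bot: the `ScheduleUpdate -eq 2` to `-le 2` change is the fix for the recap bug named in the commit message and matches the other NO-OP-tolerant checks, good; the duplicated `line_fill` on the old side is also rightly collapsed to one. In the relocated recap, the `HIDE_CREDENTIALS == "n"` guards wrap only the `line_fill` separators, while `log_ops_finish "User's Password" ... "$USER_PASS"`, `"$KEY_PASS"` and `"$PASS_ROOT"` run unconditionally, so the hiding must happen inside `log_ops_finish` (not shown in this diff). A comment above that block saying so would save the next reader from assuming the guard is incomplete.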
@@ -781,13 +754,46 @@ function recap() {
[[ $ScheduleUpdate -eq 3 ]] && [[ $ScheduleUpdate -eq 3 ]] &&
[[ $ChangeRootPwd -eq 3 ]]; then [[ $ChangeRootPwd -eq 3 ]]; then
center_err_text "Some operations failed..." center_err_text "Some operations failed..."
center_err_text "These may NOT be catastrophic" center_err_text "System would function with reduced security"
center_err_text "Please check $LOGFILE file for details" center_err_text "Please check $LOGFILE file for details"
echo echo
fi fi
#Recap
file_log ""
file_log ""
file_log ""
file_log ""
if [[ $HIDE_CREDENTIALS == "n" ]]; then
line_fill "$CHORIZONTAL" "$CLINESIZE"
fi
log_ops_finish "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
log_ops_finish "User's Password" "$CreateNonRootUser" "$USER_PASS"
log_ops_finish "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
log_ops_finish "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
log_ops_finish "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"
if [[ "$RESET_ROOT_PWD" == "y" && "$USER_CREATION_ALONE" == "n" ]]; then
log_ops_finish "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
fi
if [[ $HIDE_CREDENTIALS == "n" ]]; then
line_fill "$CHORIZONTAL" "$CLINESIZE"
fi
log_ops_finish_file_contents "SSH Private Key" "$SSH_DIR"/"$NORM_USER_NAME".pem
log_ops_finish_file_contents "SSH Public Key" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
line_fill "$CHORIZONTAL" "$CLINESIZE"
center_reg_text "!!! DO NOT LOG OUT JUST YET !!!"
center_reg_text "Use another window to test out the above credentials"
center_reg_text "If you face issue logging in, check the log file to see what went wrong"
center_reg_text "Log file at ${LOGFILE}"
line_fill "$CHORIZONTAL" "$CLINESIZE"
echo
if [[ $HIDE_CREDENTIALS == "y" ]]; then if [[ $HIDE_CREDENTIALS == "y" ]]; then
center_reg_text "Issue the following command to see all credentials" center_reg_text "Use the following command to see all credentials"
center_reg_text "tail -n 20 ${LOGFILE}" center_reg_text "tail -n 20 ${LOGFILE}"
fi fi
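Review bot: the "Some operations failed" condition chains `[[ ... -eq 3 ]] ||` for most steps but ends with `[[ $ScheduleUpdate -eq 3 ]] && [[ $ChangeRootPwd -eq 3 ]]`; in a shell AND-OR list `||` and `&&` have equal precedence and associate left, so the message is shown only when `$ChangeRootPwd -eq 3` is also true and a failure in any other step alone is swallowed. Make the whole chain `||`. Also, the `tail -n 20 ${LOGFILE}` hint for hidden credentials assumes the credential lines are within the last 20 lines of the log; if `log_ops_finish_file_contents` writes the SSH private and public key files to the log after them, as the ordering of this recap suggests, a typical private key alone exceeds 20 lines and the hint will miss the password lines. Either compute the count from what the recap wrote or point the user at a marker line (`grep -n "User Name" "$LOGFILE"`) instead of a fixed tail length.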