chore: Usage text updated
@@ -11,27 +11,33 @@ RESET_ROOT=false
|
|||||||
usage() {
|
usage() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
${SCRIPT_NAME} v${SCRIPT_VERSION}
|
${SCRIPT_NAME} v${SCRIPT_VERSION}
|
||||||
A script to harden Linux server security configurations
|
Shell script to harden a new Linux/FreeBSD server's security configurations
|
||||||
|
|
||||||
USAGE:
|
SYNOPSIS
|
||||||
$0 [OPTIONS]
|
$0 [OPTIONS]
|
||||||
|
|
||||||
DESCRIPTION:
|
DESCRIPTION
|
||||||
This script performs several security hardening operations on a Linux server:
|
Following security hardening operations are performed:
|
||||||
- Hardens SSH configuration (disables root login, password auth)
|
- Reset root password (optional)
|
||||||
- Creates new user with sudo access (optional)
|
- SSH Hardening (disables root login & password auth)
|
||||||
- Generates secure SSH keys
|
- New user with privileged access (optional)
|
||||||
- Resets root password (optional)
|
- Generate OpenSSH keys for the new user
|
||||||
|
- Sets up Firewalld/pf firewall rules
|
||||||
- Configures Fail2ban for intrusion prevention
|
- Configures Fail2ban for intrusion prevention
|
||||||
- Sets up Firewalld firewall rules
|
|
||||||
|
|
||||||
OPTIONS:
|
Require root/sudo privileges
|
||||||
-u USERNAME Create a new sudo user with the specified username
|
Creates backups of each modified configuration files
|
||||||
|
If some operation fails, configurations are reverted
|
||||||
|
|
||||||
|
All operations are logged to: /var/log/{SCRIPT_NAME}_TIMESTAMP.log
|
||||||
|
|
||||||
|
OPTIONS
|
||||||
|
-u USERNAME Create new user with privileged (sudo) access
|
||||||
-r Reset root password to a secure random value
|
-r Reset root password to a secure random value
|
||||||
-h Display this help message
|
-h Display this help message
|
||||||
|
|
||||||
EXAMPLES:
|
EXAMPLES
|
||||||
# Basic hardening (SSH, Fail2ban, Firewalld)
|
# Basic hardening (SSH, Fail2ban, Firewalld/pf)
|
||||||
$0
|
$0
|
||||||
|
|
||||||
# Create new sudo user during hardening
|
# Create new sudo user during hardening
|
||||||
@@ -40,16 +46,7 @@ EXAMPLES:
|
|||||||
# Create new user and reset root password
|
# Create new user and reset root password
|
||||||
$0 -u jay -r
|
$0 -u jay -r
|
||||||
|
|
||||||
LOGGING:
|
REPORTING BUGS
|
||||||
All operations are logged to: /var/log/{SCRIPT_NAME}_TIMESTAMP.log
|
|
||||||
Sensitive information (passwords, keys) are only logged to file by default
|
|
||||||
|
|
||||||
NOTES:
|
|
||||||
- Requires root/sudo privileges
|
|
||||||
- Creates backups of modified configuration files
|
|
||||||
- If some operation fails, configurations will be reverted
|
|
||||||
|
|
||||||
For bug reports and contributions:
|
|
||||||
https://github.com/pratiktri/server-init-harden
|
https://github.com/pratiktri/server-init-harden
|
||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
@@ -144,20 +141,20 @@ print_operation_details() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo " SSH: login to root account will be disabled"
|
echo " SSH: login to root account will be disabled"
|
||||||
echo " SSH: login can only happen using generated SSH keys"
|
echo " SSH: can only login using generated SSH keys"
|
||||||
echo " Software repository will be updated & required software will be installed"
|
echo " Software repository will be updated & required software will be installed"
|
||||||
echo " Firewalld: Firewall will be configured to only allow SSH, HTTP, HTTPS traffic into the server"
|
echo " Firewalld/pf: Firewall will be configured to only allow SSH, HTTP, HTTPS traffic into the server"
|
||||||
echo " Fail2ban: Configured to automatically block repeat offender IPs"
|
echo " Fail2ban: Configured to automatically block repeat offender IPs"
|
||||||
}
|
}
|
||||||
|
|
||||||
print_log_file_details() {
|
print_log_file_details() {
|
||||||
echo
|
echo
|
||||||
echo "See logfile for detailed output for each operation."
|
echo "See following log file for detailed output of each operation."
|
||||||
echo "Location: $LOG_FILE_NAME"
|
echo "Location: $LOG_FILE_NAME"
|
||||||
echo " tail -f $LOG_FILE_NAME # Follow log in real-time"
|
echo " tail -f $LOG_FILE_NAME # Follow log in real-time"
|
||||||
echo
|
echo
|
||||||
echo "WARNING: Credentials WILL be displayed on this screen"
|
echo "WARNING: Credentials WILL be displayed on this screen"
|
||||||
echo "WARNING: Save the credentials as they WILL NOT BE SHOWN AGAIN"
|
echo "WARNING: Save the credentials. CREDENTIALS WILL NOT BE SHOWN AGAIN."
|
||||||
}
|
}
|
||||||
|
|
||||||
formatted_execution_duration() {
|
formatted_execution_duration() {
|
||||||
@@ -1016,9 +1013,9 @@ configure_fail2ban() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
print_credentials() {
|
print_credentials_and_clean_up() {
|
||||||
echo
|
echo
|
||||||
echo "#############################################################"
|
echo "#########################################################################################"
|
||||||
|
|
||||||
if [ "$RESET_ROOT" = "true" ]; then
|
if [ "$RESET_ROOT" = "true" ]; then
|
||||||
echo "New password for root: $ROOT_PASSWORD"
|
echo "New password for root: $ROOT_PASSWORD"
|
||||||
@@ -1040,7 +1037,7 @@ print_credentials() {
|
|||||||
|
|
||||||
echo "SSH public key location: $SSH_KEY_FILE.pub:"
|
echo "SSH public key location: $SSH_KEY_FILE.pub:"
|
||||||
cat "$SSH_KEY_FILE.pub"
|
cat "$SSH_KEY_FILE.pub"
|
||||||
echo "#############################################################"
|
echo "########################################################################################"
|
||||||
}
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
|
|||||||
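Review bot: The rewritten usage text in the second hunk appears to drop the line saying that sensitive information (passwords, keys) is written to the log file, while the help still points operators at `/var/log/{SCRIPT_NAME}_TIMESTAMP.log` and `print_log_file_details` still warns that credentials are shown on screen. The logging code is outside these hunks, so if the log does receive the generated root password or key material, the help should keep saying so, for example with a DESCRIPTION line such as `Log file may contain generated credentials; restrict access to it and remove it once they are saved`. Separately, the function renamed to `print_credentials_and_clean_up` in the fourth hunk shows no clean-up step in the visible lines, and its call site in `main` is outside the hunk. Confirm the caller was renamed as well, and add a one-line comment above the function naming what it cleans up. The page lost its +/- markers, so old and new sides here are inferred from the hunk line counts.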