From c4de5a088b8bdc7f3ad6cc6cc55a78d28b20425b Mon Sep 17 00:00:00 2001
From: Pratik <github@pratik.social>
Date: Fri, 18 Jan 2019 09:45:16 +0530
Subject: [PATCH] Updates

---
 init-linux-harden.sh | 382 ++++++++++++++++++++++++-------------------
 1 file changed, 216 insertions(+), 166 deletions(-)

diff --git a/init-linux-harden.sh b/init-linux-harden.sh
index a5eb79b..c80a19b 100644
--- a/init-linux-harden.sh
+++ b/init-linux-harden.sh
@@ -28,7 +28,10 @@
 SCRIPT_NAME=server_harden
 SCRIPT_VERSION=0.2
 LOGFILE=/tmp/"$SCRIPT_NAME"_v"$SCRIPT_VERSION".log
-BACKUP_EXTENSION='.'$(date '+%d%m%Y%H%M%S')"_bak"
+# Reset previous log file
+TS=$(date '+%d_%m_%Y-%H_%M_%S')
+echo "Starting $0 - $TS" > "$LOGFILE"
+BACKUP_EXTENSION='.'$TS"_bak"
 
 # Colors
 CSI='\033['
@@ -36,13 +39,40 @@ CEND="${CSI}0m"
 CRED="${CSI}1;31m"
 CGREEN="${CSI}1;32m"
 
+
+##############################################################
+# Usage
+##############################################################
+# Script takes arguments as follows
+# init-linux-harden -username=pratik --resetrootpwd
+# init-linux-harden -u pratik --resetrootpwd
+
+function usage() {
+    if [ -n "$1" ]; then
+        echo ""
+        echo -e "${CRED}$1${CEND}\n"
+    fi
+
+    echo "Usage: sudo bash $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]"
+    echo "  -u, --username            Username for your server (If omitted script will choose an username for you)"
+    echo "  -r, --resetrootpwd        Reset current root password"
+    echo "  -d, --defaultsourcelist   Updates /etc/apt/sources.list to download software from debian.org."
+    echo "                            NOTE - If you fail to update system after using it, you need to manually reset it. This script keeps a backup in the same folder."
+
+    echo ""
+    echo "Example: $0 --username myuseraccount --resetrootpwd"
+    printf "\\nBelow restrictions apply to username this script accepts - \\n"
+    printf "%2s - [a-zA-Z0-9] [-] [_] are allowed\\n%2s - NO special characters.\\n%2s - NO spaces.\\n" " " " " " "
+}
+
+
 ##############################################################
 # Basic checks before starting
 ##############################################################
 
 # No root - no good
 [ "$(id -u)" != "0" ] && {
-    printf "ERROR: You must be root to run this script.\\nPlease login as root and execute the script again."
+    usage "ERROR: You must be root to run this script.\\nPlease login as root and execute the script again."
     exit 1
 }
 
@@ -57,32 +87,11 @@ else
     exit 1
 fi
 
+
 ##################################
 # Parse script arguments
 ##################################
 
-# Script takes arguments as follows
-# init-linux-harden -username=pratik --resetroot
-# init-linux-harden -u pratik --resetroot
-
-function usage() {
-    if [ -n "$1" ]; then
-        echo ""
-        echo -e "${CRED}$1${CEND}\n"
-    fi
-
-    echo "Usage: $0 [-u|--username username] [-r|--resetrootpwd] [--defaultsourcelist]"
-    echo "  -u, --username            Username for your server (If omitted script will choose an username for you)"
-    echo "  -r, --resetrootpwd        Reset current root password"
-    echo "  -d, --defaultsourcelist   Updates /etc/apt/sources.list to download software from debian.org."
-    echo "                            NOTE - If you fail to update system after using it, you need to manually reset it. This script keeps a backup in the same folder."
-
-    echo ""
-    echo "Example: $0 --username myuseraccount --resetrootpwd"
-    printf "\\nBelow restrictions apply to username this script accepts - \\n"
-    printf "%2s - [a-zA-Z0-9] [-] [_] are allowed\\n%2s - NO special characters.\\n%2s - NO spaces.\\n" " " " " " "
-}
-
 # defaults
 AUTO_GEN_USERNAME="y"
 RESET_ROOT_PWD="n"
@@ -130,39 +139,112 @@ done
 
 
 ##############################################################
-# Log
+# Display what the script does
 ##############################################################
 
-CVERTICAL="|"
-CHORIZONTAL="_"
+clear
+cat <<INFORM1 | more
+         !!! READ BELOW & PRESS ENTER/RETURN TO CONTINUE !!!
+##################################################################
+INFORM1
+
+echo "Installation options selected - " | tee -a "$LOGFILE"
+if [[ "$AUTO_GEN_USERNAME" == "y" ]]; then
+    printf "%3s Non-root Username will be auto generated by script\\n" " -" | tee -a "$LOGFILE"
+else
+    printf "%3s Non-root Username = %s\\n" " -" "$NORM_USER_NAME" | tee -a "$LOGFILE"
+fi
+if [[ "$DEFAULT_SOURCE_LIST" == "y" ]]; then
+    printf "%3s Use debian.org in /etc/apt/source.list file\\n" " -" | tee -a "$LOGFILE"
+fi
+if [[ "$RESET_ROOT_PWD" == "y" ]]; then
+    printf "%3s Reset root password\\n" " -" | tee -a "$LOGFILE"
+fi
+
+cat <<INFORM2 | more
+
+All backup files have extension (${BACKUP_EXTENSION})
+Script logs all operation into (${LOGFILE}) file.
+
+- Before editing any file, script creates a back up of that file in
+  the same directory. If script detects any error, then it restores the 
+  original files. 
+- Script assumes you are running this on a brand new VPS and that 
+  DATALOSS OR LOSS OF ACCESS TO THE SERVER IS NOT A MAJOR CONCERN. If 
+  you do however lose access to the server most VPS provider allow to 
+  create a new one easily.
+- If any operation which involves credentials generation, succeeds - 
+  then those credentials will be displayed at the end of all operations.
+- If script reports any error or something does not work as expected,
+  please take a look at the log file at (${LOGFILE}).
+
+TO CONTINUE (press enter/return)...
+TO EXIT (ctrl + c)...
+
+INFORM2
+read -r
 
 
-function horizontal_fill() {
-    local char=$1
-    declare -i rep=$2
-    for ((x = 0; x < "$rep"; x++)); do
-        printf %s "$char"
-    done
+##############################################################
+# Error Handling
+##############################################################
+
+# keep state of the script
+# Each step has 3 states
+    # 0 - not executed
+    # 1 - Started
+    # 2 - Completed
+    # 3 - Failed
+CreateNonRootUser=0
+CreateSSHKey=0
+AddToAuthkeysfile=0
+SecureAuthkeysfile=0
+EnableSSHOnly=0
+ChangeSourceList=0
+InstallReqSoftwares=0
+ChangeRootPwd=0
+
+function get_event_var_from_event() {
+    case $1 in
+        "Creating new user")
+            echo "CreateNonRootUser"
+            ;;
+        "Creating SSH Key for new user")
+            echo "CreateSSHKey"
+            ;;
+        "Adding SSH Key to 'authorized_keys' file")
+            echo "AddToAuthkeysfile"
+            ;;
+        "Securing 'authorized_keys' file")
+            echo "SecureAuthkeysfile"
+            ;;
+        "Enabling SSH-only login")
+            echo "EnableSSHOnly"
+            ;;
+        "Changing urls in sources.list to defaults")
+            echo "ChangeSourceList"
+            ;;
+        "Installing required softwares")
+            echo "InstallReqSoftwares"
+            ;;
+        "Changing root password")
+            echo "ChangeRootPwd"
+            ;;
+        *)
+            false
+            ;;
+    esac
 }
 
-function line_fill() {
-    horizontal_fill "$1" "$2"
-    printf "\\n"
+function update_event_status() {
+    local event
+    event=$(get_event_var_from_event "$1")
+    eval "$event"="$2"
 }
 
-function recap (){
-    local purpose=$1
-    local value=$2
-
-    if [[ $value ]]; then
-        value="[${CGREEN}${value}${CEND}]"
-    else
-        value="${CRED}-FAILED-${CEND}"
-    fi
-
-    horizontal_fill "$CVERTICAL" 1
-    printf "%20s:%5s%-33s" "$purpose" " " "$(echo -e "$value")"
-    line_fill "$CVERTICAL" 1
+function get_event_status() {
+    local event=get_event_var_from_event "$1"
+    return ${!event}
 }
 
 function revert_changes(){
@@ -190,9 +272,9 @@ function revert_changes(){
 }
 
 function revert_create_user(){
-    # Remove user and 
+    # Remove user and its home directory only if user was created
     if [[ $(getent passwd "$NORM_USER_NAME" | wc -l) -gt 0 ]]; then
-        deluser --remove-home "$NORM_USER_NAME"
+        deluser --remove-home "$NORM_USER_NAME" 2>> "$LOGFILE" >&2
     fi
 }
 
@@ -257,29 +339,25 @@ function revert_root_pass_change(){
     true
 }
 
-function finally(){
-    # Check if $what_failed is one of the catastrophic failures
-    #   if - Catastrofic failure - Check if any .bkp file exist and revert them to original
-        # Let user know nothing was changed
-    #   if - Non-catastrophic failure - Inform user of side effects
-    #local what_failed=$1
 
-    line_fill "$CHORIZONTAL" 60
-    recap "New root Password" "$PASS_ROOT"
-    recap "User Name" "$NORM_USER_NAME"
-    recap "User's Password" "$USER_PASS"
-    recap "User's SSH Private Key Location" "$KEY_PASS"
-    recap "User's SSH Public Key Location" "$KEY_PASS"
-    recap "User's SSH Key Passphrase" "$KEY_PASS"
-    line_fill "$CHORIZONTAL" 60
+##############################################################
+# Log
+##############################################################
 
-    # If something failed - try to revert things back
-    if [[ "$#" -gt 0 ]]; then
-        # show - something failed - trying to restore required changes
-        revert_changes "$1"
+CVERTICAL="|"
+CHORIZONTAL="_"
 
-        # If restoration failed - well you are f**ked
-    fi
+function horizontal_fill() {
+    local char=$1
+    declare -i rep=$2
+    for ((x = 0; x < "$rep"; x++)); do
+        printf %s "$char"
+    done
+}
+
+function line_fill() {
+    horizontal_fill "$1" "$2"
+    printf "\\n"
 }
 
 function file_log(){
@@ -292,69 +370,63 @@ function op_log() {
 
     if [ "$RESULT" = "SUCCESSFUL" ]
     then
-        printf "\r%30s %7s [${CGREEN}${RESULT}${CEND}]\\n" "$EVENT" " "
+        update_event_status "${EVENT}" 2
+        printf "\r%33s %7s [${CGREEN}${RESULT}${CEND}]\\n" "$EVENT" " "
         file_log "${EVENT} - ${RESULT}"
     elif [ "$RESULT" = "FAILED" ] 
     then
-        printf "\r%30s %7s [${CRED}${RESULT}${CEND}]\\n" "$EVENT" " "
+        update_event_status "${EVENT}" 3
+        printf "\r%33s %7s [${CRED}${RESULT}${CEND}]\\n" "$EVENT" " "
         printf "\\n\\nPlease look at %s\\n\\n" "$LOGFILE"
         file_log "${EVENT} - ${RESULT}"
         finally "$EVENT"
     else
-        printf "%30s %7s [${CRED}..${CEND}]" "$EVENT" " "
+        update_event_status "${EVENT}" 1
+        printf "%33s %7s [${CRED}..${CEND}]" "$EVENT" " "
         file_log "${EVENT} - begin..."
     fi
 }
 
-# Reset previous log file
-echo "Starting $0 - $(date '+%d-%b-%Y %H:%M:%S')" > "$LOGFILE"
+function recap (){
+    local purpose=$1
+    local status=$2
+    local value=$3
 
+    if [[ $status -eq 0 ]]; then
+        value="[${CGREEN}--NO_OP--${CEND}]"
+    elif [[ $status -eq 2 ]]; then
+        value="[${CGREEN}${value}${CEND}]"
+    elif [[ $status -eq 1 ]] || [[ $status -eq 3 ]]; then
+        value="${CRED}--ERROR--${CEND}"
+    fi
 
-##############################################################
-# Display what the script does
-##############################################################
+    horizontal_fill "$CVERTICAL" 1
+    printf "%20s:%3s%-49s" "$purpose" " " "$(echo -e "$value")"
+    line_fill "$CVERTICAL" 1
+}
 
-clear
-cat <<INFORM | more
-         !!! READ BELOW & PRESS ENTER TO CONTINUE !!!
-##################################################################
-This script performs the following tasks :-
-    1 - Change your root password (unless you have choosen NOT to)
-    2 - Create a non-root user (unless provided by you a random 
-        username will be created)
-    3 - Generate SSH keys on the server and store them at '~/.ssh'
-    4 - Adds the public key from the above step to 
-        '~/.ssh/authorized_keys' file
-    5 - Restricts access to '~/.ssh' folder
-    6 - Restricts login method to SSH-only by editing 
-        '/etc/ssh/sshd_config' file to enable 
-    7 - Restores the '/etc/apt/sources.list'
-        (Most server provider alter these to serve software from 
-        their CDNs)
-    8 - Installs "sudo" "curl" "screen"
-    9 - Display the following at the end
-            a) root password (if changed)
-            b) user name
-            c) user password
-            d) SSH Private Key
-            e) SSH Public Key
+function finally(){
+    line_fill "$CHORIZONTAL" 64
+    recap "User Name" "$CreateNonRootUser" "$NORM_USER_NAME"
+    recap "User's Password" "$CreateNonRootUser" "$USER_PASS"
+    recap "SSH Private Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem
+    recap "SSH Public Key File" "$CreateSSHKey" "$SSH_DIR"/"$NORM_USER_NAME".pem.pub
+    recap "SSH Key Passphrase" "$CreateSSHKey" "$KEY_PASS"    
+    if [[ "$RESET_ROOT_PWD" == "y" ]]; then
+        recap "New root Password" "$ChangeRootPwd" "$PASS_ROOT"
+    fi
+    line_fill "$CHORIZONTAL" 64
+    echo
+    echo
 
-Before editing any file, script creates a back up of that file with
-in the same directory. If script detects any catastrophic error, then 
-it restores the original files. Script assumes you are running this 
-on a brand new VPS and that DATALOSS OR LOSS OF ACCESS TO THE SERVER 
-IS NOT A MAJOR CONCERN. If you do however lose access to the server 
-most VPS provider allow to create a new one easily.
+    # If something failed - try to revert things back
+    if [[ "$#" -gt 0 ]]; then
+        # show - something failed - trying to restore required changes
+        revert_changes "$1"
 
-All backup files have extension (${BACKUP_EXTENSION})
-A log file can be found at ${LOGFILE}
-
-TO CONTINUE (press enter/return)...
-TO EXIT (ctrl + c)...
-INFORM
-
-read -r
-clear
+        # If restoration failed - well you are f**ked
+    fi
+}
 
 
 ##############################################################
@@ -364,26 +436,25 @@ clear
 op_log "Creating new user"
 {
     if [[ $AUTO_GEN_USERNAME == 'y' ]]; then
-        NORM_USER_NAME="$(< /dev/urandom tr -cd 'a-z' | head -c 6)""$(< /dev/urandom tr -cd '0-9' | head -c 2)" || exit 1
+        NORM_USER_NAME="$(< /dev/urandom tr -cd 'a-z' | head -c 6)""$(< /dev/urandom tr -cd '0-9' | head -c 2)" || false
         file_log "Generated user name - ${NORM_USER_NAME}"
     fi
 
     # Generate a 15 character random password
-    USER_PASS="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)" || exit 1
+    USER_PASS="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)"
     file_log "Generated user password - ${USER_PASS}"
 
     # Create the user and assign the above password
-    echo -e "${USER_PASS}\\n${USER_PASS}" | adduser "$NORM_USER_NAME" -q --gecos "First Last,RoomNumber,WorkPhone,HomePhone"
+    echo -e "${USER_PASS}\\n${USER_PASS}" | adduser "$NORM_USER_NAME" -q --gecos "First Last,RoomNumber,WorkPhone,HomePhone" || false
 
     # Give root privilages to the above user
-    usermod -aG sudo "$NORM_USER_NAME" || exit 1
+    usermod -aG sudo "$NORM_USER_NAME"
 } 2>> "$LOGFILE" >&2
 
 if [[ $? -eq 0 ]]; then
     op_log "Creating new user" "SUCCESSFUL"
 else
     op_log "Creating new user" "FAILED"
-    finally "CNU"
     exit 1;
 fi
 
@@ -401,19 +472,22 @@ op_log "Creating SSH Key for new user"
     # If SSH files already exist - rename them to .timestamp_bkp
     if [[ ${#KEY_FILES[@]} -gt 0 ]]; then
         for key in "${KEY_FILES[@]}"; do
-            cp "$key" "$key""$BACKUP_EXTENSION" || exit 1
+            cp "$key" "$key""$BACKUP_EXTENSION" || false
+            file_log "SSH Key File exists ($key) - Making backup ($key$BACKUP_EXTENSION) of the existing file"
         done
     fi
 
     SSH_DIR=/home/"$NORM_USER_NAME"/.ssh
-    mkdir "$SSH_DIR" || exit 1
+    mkdir "$SSH_DIR" || false
+    file_log "Created SSH directory - $SSH_DIR"
 
     # Generate a 15 character random password for key
-    KEY_PASS="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)" || exit 1
+    KEY_PASS="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)"
     file_log "Generated SSH Key Passphrase - ${KEY_PASS}"
 
     # Create a OpenSSH-compliant ed25519-type key
-    ssh-keygen -a 1000 -o -t ed25519 -N "$KEY_PASS" -C "$NORM_USER_NAME" -f "$SSH_DIR"/"$NORM_USER_NAME".pem -q || exit 1
+    ssh-keygen -a 1000 -o -t ed25519 -N "$KEY_PASS" -C "$NORM_USER_NAME" -f "$SSH_DIR"/"$NORM_USER_NAME".pem -q || false
+    file_log "Generated SSH Key File - $SSH_DIR/$NORM_USER_NAME.pem"
 
     # TODO - Below would capture bak files as well - filter out the bak files
     # See if the files actually got created
@@ -421,7 +495,7 @@ op_log "Creating SSH Key for new user"
     if [[ ${#KEY_FILES[@]} -eq 0 ]]; then
         file_log "Unknown error occured."
         file_log "Could not create SSH key files."
-        exit 1
+        retun false
     fi
 } 2>> "$LOGFILE" >&2
 
@@ -429,35 +503,6 @@ if [[ $? -eq 0 ]]; then
     op_log "Creating SSH Key for new user" "SUCCESSFUL"
 else
     op_log "Creating SSH Key for new user" "FAILED"
-    finally "CSK"
-    exit 1;
-fi
-
-
-##############################################################
-# Add generated key to authorized_keys file
-##############################################################
-
-op_log "Adding SSH Key to 'authorized_keys' file"
-{
-    # If 'authorized_keys' exists create backup
-    # BACKUP_EXTENSION
-    if [[ -e "$SSH_DIR"/authorized_keys ]]; then
-        cp "$SSH_DIR"/authorized_keys "$SSH_DIR"/authorized_keys"$BACKUP_EXTENSION" || exit 1
-    else
-        # Create authorized_keys if it does not exist yet
-        touch "$SSH_DIR"/authorized_keys || exit 1
-    fi
-
-    # Insert the public key into "authoried_keys" file
-    cat "$SSH_DIR"/"$NORM_USER_NAME".pem.pub >> "$SSH_DIR"/authorized_keys || exit 1
-} 2>> "$LOGFILE" >&2
-
-if [[ $? -eq 0 ]]; then
-    op_log "Adding SSH Key to 'authorized_keys' file" "SUCCESSFUL"
-else
-    op_log "Adding SSH Key to 'authorized_keys' file" "FAILED"
-    finally "ATAF"
     exit 1;
 fi
 
@@ -473,13 +518,16 @@ op_log "Securing 'authorized_keys' file"
         chgrp -R "$NORM_USER_NAME" "$SSH_DIR" && \
         chmod 700 "$SSH_DIR" && \
         chmod 400 "$SSH_DIR"/authorized_keys && \
-        chattr +i "$SSH_DIR"/authorized_keys
+        chattr +i "$SSH_DIR"/authorized_keys || false
+    file_log "Set appropriate permissions for $SSH_DIR dir and $SSH_DIR/authorized_keys file"
 
     # Restrict access to the generated SSH Key files as well
     for key in "${KEY_FILES[@]}"; do
         chmod 400 "$key" && \
         chattr +i "$key"
     done
+    file_log "Restrict access to the generated SSH Key files"
+    
 } 2>> "$LOGFILE" >&2
 
 if [[ $? -eq 0 ]]; then
@@ -575,16 +623,20 @@ function set_config_key(){
 op_log "Enabling SSH-only login"
 {
     # Backup the sshd_config file
-    cp /etc/ssh/sshd_config /etc/ssh/sshd_config"$BACKUP_EXTENSION" || exit 1
+    cp /etc/ssh/sshd_config /etc/ssh/sshd_config"$BACKUP_EXTENSION" || false
+    file_log "Backed up /etc/ssh/sshd_config file to /etc/ssh/sshd_config$BACKUP_EXTENSION"
 
     # Remove root login
-    set_config_key "/etc/ssh/sshd_config" "PermitRootLogin" "no" 
+    set_config_key "/etc/ssh/sshd_config" "PermitRootLogin" "no" || false
+    file_log "Remove root login -> PermitRootLogin no"
 
     # Disable password login
-    set_config_key "/etc/ssh/sshd_config" "PasswordAuthentication" "no"
+    set_config_key "/etc/ssh/sshd_config" "PasswordAuthentication" "no" || false
+    file_log "Disable password login -> PasswordAuthentication no"
 
     # Set SSH Authorization-Keys path
-    set_config_key "/etc/ssh/sshd_config" "AuthorizedKeysFile" '%h\/\.ssh\/authorized_keys'
+    set_config_key "/etc/ssh/sshd_config" "AuthorizedKeysFile" '%h\/\.ssh\/authorized_keys' || false
+    file_log "Set SSH Authorization-Keys path -> AuthorizedKeysFile '%h\/\.ssh\/authorized_keys'"
 
     systemctl restart sshd
 } 2>> "$LOGFILE" >&2
@@ -593,7 +645,6 @@ if [[ $? -eq 0 ]]; then
     op_log "Enabling SSH-only login" "SUCCESSFUL"
 else
     op_log "Enabling SSH-only login" "FAILED"
-    finally "ESOL"
     exit 1;
 fi
 
@@ -654,7 +705,6 @@ TAG
 fi
 
 
-
 ##############################################################
 # Install required softwares
 ##############################################################
@@ -676,10 +726,10 @@ fi
 ##############################################################
 
 if [[ $RESET_ROOT_PWD == 'y' ]]; then
-    op_log "    "
+    op_log "Changing root password"
     {
         # Generate a 15 character random password
-        PASS_ROOT="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)" || exit 1
+        PASS_ROOT="$(< /dev/urandom tr -cd "[:alnum:]" | head -c 15)" || false
 
         file_log "Generated Root Password - ${PASS_ROOT}"