- Update & upgrade packages before installing
- Alma, Rocky, CentOS: Install `epel-release` package
- Debian 12: Install `python3-systemd` package
- openSUSE: Enable `USERGROUPS_ENAB` in `/etc/login.defs` so groups get
auto-created for new users
- fix: Capture unrecognized OS as failure
- fix: quotes removed from `emptylog` in jail.local
- refactor: Remove separate fn for Linux fail2ban
- fix: Check fail2ban config validity before starting the service
- fix: FreeBSD: enable fail2ban before starting the service
- Display the credentials on console
- Removed option to hide credentials on console
- Log file in `/var/log` and not in current directory
- Remove SSH private key after displaying it on console
- POSIX compliant usage of `sed` with `-i.tmp` for FreeBSD
- Reverting on error, moved to its own method
- refactor: Better variable names
- chore: Better logging; begin, success, failure
operation
- Split "User creation" & "Granting new user sudo" into separate methods
- new: Abort on user creation failure
- new: Abort on sudo privilege failure
- Removed user existence check; it is done during argument parsing
- Consistent console & file logs; start, success & failure
- FreeBSD, Fedora, SUSE: Add `wheel` group to sudoer & add user to
`wheel` group
- Debian, Ubuntu: Add user to `sudo` group
- feat: Add log-level to file logs
- refactor: Calculate duration inside `formatted_execution_duration`
- refactor: Console log display `OK` -> `DONE`
- fix: Debian/Ubuntu: Set default TZ -> UTC to let the installation
continue without getting stuck
- fix: Use local variable to store `JAIL_LOCAL_FILE` in
`update_fail2ban_jail_local_file`
- feat: Give user option to quit before starting the script
- Script name internally changed to `linux-init-harden` -> `server-init-harden`
- Removed unnecessary comments
- Better function names explaining what they do
- Console log format simplified: OK, FAIL, WARN, INFO with colors
- Log file to contain everything else with timestamp
- User creation optional and only happens when -u <username> is provided
- SSH config: PubkeyAuthentication setting added
- Script now supports: debian, ubuntu, fedora & freebsd
- Service management fallbacks: service, systemctl, init.d
- UFW: enable ssh, http, https
- Fail2ban: WIP
feat(test): Docker file to test across all active debian, ubuntu & fedora dist
refactor(script): improve code organization and logging
- Group functions into helper and operations sections
- Order operations chronologically
- Enhance console log formatting and messages
- Update usage examples and comments
- Improve error handling and output logging
- Use darker color for credentials output for security
- Add shellcheck disable comments where necessary
- Added license
- Sane defaults in the example
- Marked stable
Script
- Bumped the version to 1.0
- Fixed bug - While reverting user creation revert always fails - was an issue with resetting the exit code
- Bugfix - Does not show all operation succeed when schedule apt download was not executed
- Prettier recap
- Logs updated
- root password change made possible from non-root user
Readme
- Added Screenshots
- Added FAQ section with - Non-Idempotency explained, rerun consequences explained, Listed all files that script edits and creates, Explained how to execute as non-root user
- Examples refined
- Informed that no software is even uninstalled
- Renamed function names to be more consistent
- Renamed function names to mean what they do
- Renamed variables to mean what they do
The op_code variable was confusing and would have created bugs
- Refined use of op_code and exit_code
- Need full tests to be done all over again
- Beta testing
- Flag all dev-testings to be completed
- Add bugs
- Add Roadmaps
Script
- Bumped the version to 0.9
- Aligned the logfile name with the name of the script
- Restore Operation - Adopted the set_op_code method for determining successes
- Restore Operations - took the remove-immutable flag code to revert_secure_authorized_key function
- Restore Operation - removed redundant operations from revert_secure_authorized_key method - as script never goes into an existing user's .ssh folder - so no need to care for existing files
- Restore Operation - Call revert ssh key AFTER immutable file restoration has completed
- reset_op_code after all restore function & in the beginning of error segment of each step
- Bugfix - revert source list changes
- Bugfix - restore fail2ban
- Step 2 - removed checks for existing file - we never operate on existing users - so this is a useless check
- File Log - since we do not check if the last operation's success before writing to logfile - changed the tense to -ing
- Step 4 - added more file logs
- Step 6 & 7 - Instead of checking if installation succeeded - check if ufw/fail2ban is installed before processing
- Step 7 - added more file logs
- Step 8 - added more file logs
- Display all available options
- Some Typos rectified
- Updated the "Roadmap"
Script Changes
- Reliable method of determining if a service command was completed successfully
- More (and reliable) logs to the logfile
- Bugfix - SSH Reverting
- Revert source list - check success on sub-folder file restores
- Logfile - removed multiple revert success notifications
- Revert Fail2ban - Stopped deleting the jail.conf*_bkp files
- Step 4 - Default source-list - check success flag on commenting out existing source.list & on appending new CNS to sources.list (check the same 2 for *.list in sub-folders)
- Step 7 - fail2ban - check operation success on backing up jail.local, jail.conf & defaults-debian.conf files