diff --git a/README.md b/README.md index 63f73ef..a13d7c8 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,15 @@ # Debian & Ubuntu Server Setup & Hardening Script -**Version:** 3.12 +**Version:** 3.13 **Last Updated:** 2025-06-27 **Compatible With:** + - Debian 12 - Ubuntu 22.04, 24.04, 24.10 ---- +* * * ## Overview @@ -16,7 +17,7 @@ This script automates the initial setup and security hardening of a fresh Debian It runs interactively, guiding the user through critical choices while automating the tedious but essential steps of securing a new server. ---- +* * * ## Features @@ -28,12 +29,12 @@ It runs interactively, guiding the user through critical choices while automatin - **System Stability:** Sets up NTP time synchronization with `chrony` and can configure a swap file for systems with low RAM. - **Safety First:** Automatically backs up all critical configuration files before modification, with simple restoration instructions. - **Optional Software:** Provides optional, interactive installation for: - - Docker & Docker Compose - - Tailscale (Mesh VPN) + - Docker & Docker Compose + - Tailscale (Mesh VPN) - **Comprehensive Logging:** All actions are logged to `/var/log/setup_harden_debian_ubuntu_*.log`. - **Automation-Friendly:** Includes a `--quiet` mode to suppress non-essential output for use in automated provisioning workflows. ---- +* * * ## Installation & Usage @@ -43,14 +44,14 @@ It runs interactively, guiding the user through critical choices while automatin - Root or `sudo` privileges. - Internet access for downloading packages. -### 1. Download the Script +### 1\. Download the Script ``` wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh chmod +x setup_harden_debian_ubuntu.sh ``` -### 2. Run the Script Interactively +### 2\. Run the Script Interactively It is highly recommended to run the script interactively the first time. @@ -58,40 +59,42 @@ It is highly recommended to run the script interactively the first time. sudo ./setup_harden_debian_ubuntu.sh ``` -### 3. Run in Quiet Mode (for automation - not recmmended) +### 3\. Run in Quiet Mode (for automation - not recmmended) ``` sudo ./setup_harden_debian_ubuntu.sh --quiet ``` > :warning: **Critical Safety Check:** The script will pause and require you to test your new SSH connection from a separate terminal before it proceeds to disable old access methods. **Do not skip this step!** +> +> *Make sure to check VPS providers firewall, you will have to open your selected custom SSH port there.* ---- +* * * ## What It Does in Detail -| Task | Description | -| ----------------------- | --------------------------------------------------------------------------- | -| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity. | +| Task | Description | +| --- | --- | +| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity. | | **Package Management** | Updates all packages and installs essential tools (`ufw`, `fail2ban`, `chrony`, etc.). | | **Admin User Creation** | Creates a new `sudo` user with a password and/or a provided SSH public key. | -| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port. | +| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port. | | **Firewall Setup** | Configures UFW to deny incoming traffic by default and allow specific ports. | -| **System Backups** | Creates timestamped backups of configs in `/root/` before modification. | -| **Swap File Setup** | (Optional) Creates a swap file with a user-selected size. | -| **Timezone & Locales** | (Optional) Interactive configuration for timezone and system locales. | +| **System Backups** | Creates timestamped backups of configs in `/root/` before modification. | +| **Swap File Setup** | (Optional) Creates a swap file with a user-selected size. | +| **Timezone & Locales** | (Optional) Interactive configuration for timezone and system locales. | | **Docker Install** | (Optional) Installs and configures Docker Engine and adds the user to the `docker` group. | -| **Tailscale Install** | (Optional) Installs the Tailscale client. | -| **Final Cleanup** | Removes unused packages and reloads system daemons. | +| **Tailscale Install** | (Optional) Installs the Tailscale client. | +| **Final Cleanup** | Removes unused packages and reloads system daemons. | ---- +* * * ## Logs & Backups - **Log Files:** `/var/log/setup_harden_debian_ubuntu_*.log` - **Configuration Backups:** `/root/setup_harden_backup_*` ---- +* * * ## Tested On @@ -99,7 +102,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet - Ubuntu 24.04 and 24.10 - Cloud providers (DigitalOcean, Oracle Cloud, Hetzner, Netcup) and local VMs. ---- +* * * ## :exclamation: Important Notes @@ -108,7 +111,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet - Always test the script in a non-production environment (like a staging VM) before deploying to a live server. - Ensure you have out-of-band console access to your server in case you accidentally lock yourself out. ---- +* * * ## Troubleshooting @@ -117,12 +120,14 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet If you are locked out of SSH, use your provider's web console to perform the following steps: 1. **Remove the hardened configuration:** + ``` # This file overrides the main config, so it must be removed. rm /etc/ssh/sshd_config.d/99-hardening.conf ``` - + 2. **Restore the original `sshd_config` file:** + ``` # Find the latest backup directory LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1)