Merge pull request #66 from buildplan/fix_firewall

Add a temporary firewall rule for current SSH port
This commit is contained in:
buildplan
2025-10-19 20:11:35 +01:00
committed by GitHub
3 changed files with 36 additions and 16 deletions


@@ -83,12 +83,12 @@ sha256sum du_setup.sh
Compare the output hash to the one below. They must match exactly. Compare the output hash to the one below. They must match exactly.
`aa9a576fa8c8390d2068088932bb97d4c5f84a1bea203cadb21b09a1303669ff` `6a84e9a58aaec481e4fa921b29dd8ab3a6004f77d6da66b31c17c8bd7c8120de`
Or echo the hash to check, it should output: `du_setup.sh: OK` Or echo the hash to check, it should output: `du_setup.sh: OK`
```bash ```bash
echo aa9a576fa8c8390d2068088932bb97d4c5f84a1bea203cadb21b09a1303669ff du_setup.sh | sha256sum --check echo 6a84e9a58aaec481e4fa921b29dd8ab3a6004f77d6da66b31c17c8bd7c8120de du_setup.sh | sha256sum --check
``` ```
### 3. Run the Script ### 3. Run the Script


@@ -1,8 +1,9 @@
#!/bin/bash #!/bin/bash
# Debian and Ubuntu Server Hardening Interactive Script # Debian and Ubuntu Server Hardening Interactive Script
# Version: 0.70 | 2025-10-18 # Version: 0.70.1 | 2025-10-19
# Changelog: # Changelog:
# - v0.70.1: Fix SSH port validation and improve firewall handling during SSH port transitions.
# - v0.70: Option to remove cloud VPS provider packages (like cloud-init). # - v0.70: Option to remove cloud VPS provider packages (like cloud-init).
# New operational modes: --cleanup-preview, --cleanup-only, --skip-cleanup. # New operational modes: --cleanup-preview, --cleanup-only, --skip-cleanup.
# Add help and usage instructions with --help flag. # Add help and usage instructions with --help flag.
@@ -70,10 +71,10 @@
# - If SSH access is lost, use the server console to restore /etc/ssh/sshd_config.backup_*. # - If SSH access is lost, use the server console to restore /etc/ssh/sshd_config.backup_*.
# - Ensure sufficient disk space (>2GB) for swap file creation. # - Ensure sufficient disk space (>2GB) for swap file creation.
set -euo pipefail # Exit on error, undefined vars, pipe failures set -euo pipefail
# --- Update Configuration --- # --- Update Configuration ---
CURRENT_VERSION="0.70" CURRENT_VERSION="0.70.1"
SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh" SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh"
CHECKSUM_URL="${SCRIPT_URL}.sha256" CHECKSUM_URL="${SCRIPT_URL}.sha256"
@@ -125,6 +126,7 @@ LOCAL_KEY_ADDED=false
SSH_SERVICE="" SSH_SERVICE=""
ID="" # This will be populated from /etc/os-release ID="" # This will be populated from /etc/os-release
FAILED_SERVICES=() FAILED_SERVICES=()
PREVIOUS_SSH_PORT=""
# --- --help --- # --- --help ---
show_usage() { show_usage() {
@@ -1329,14 +1331,13 @@ collect_config() {
if validate_hostname "$SERVER_NAME"; then break; else print_error "Invalid hostname."; fi if validate_hostname "$SERVER_NAME"; then break; else print_error "Invalid hostname."; fi
done done
read -rp "$(printf '%s' "${CYAN}Enter a 'pretty' hostname (optional): ${NC}")" PRETTY_NAME read -rp "$(printf '%s' "${CYAN}Enter a 'pretty' hostname (optional): ${NC}")" PRETTY_NAME
local INITIAL_DETECTED_PORT PREVIOUS_SSH_PORT=$(ss -tlpn | grep sshd | grep -oP ':\K\d+' | head -n 1)
INITIAL_DETECTED_PORT=$(ss -tlpn | grep sshd | grep -oP ':\K\d+' | head -n 1) local PROMPT_DEFAULT_PORT=${PREVIOUS_SSH_PORT:-2222}
local PROMPT_DEFAULT_PORT=${INITIAL_DETECTED_PORT:-2222}
[[ -z "$PRETTY_NAME" ]] && PRETTY_NAME="$SERVER_NAME" [[ -z "$PRETTY_NAME" ]] && PRETTY_NAME="$SERVER_NAME"
while true; do while true; do
read -rp "$(printf '%s' "${CYAN}Enter custom SSH port (1024-65535) [$PROMPT_DEFAULT_PORT]: ${NC}")" SSH_PORT read -rp "$(printf '%s' "${CYAN}Enter custom SSH port (1024-65535) [$PROMPT_DEFAULT_PORT]: ${NC}")" SSH_PORT
SSH_PORT=${SSH_PORT:-$PROMPT_DEFAULT_PORT} SSH_PORT=${SSH_PORT:-$PROMPT_DEFAULT_PORT}
if validate_port "$SSH_PORT" || [[ -n "$INITIAL_DETECTED_PORT" && "$SSH_PORT" == "$INITIAL_DETECTED_PORT" ]]; then if validate_port "$SSH_PORT" || [[ -n "$PREVIOUS_SSH_PORT" && "$SSH_PORT" == "$PREVIOUS_SSH_PORT" ]]; then
break; else print_error "Invalid port. Choose a port between 1024-65535."; fi break; else print_error "Invalid port. Choose a port between 1024-65535."; fi
done done
SERVER_IP_V4=$(curl -4 -s https://ifconfig.me 2>/dev/null || echo "unknown") SERVER_IP_V4=$(curl -4 -s https://ifconfig.me 2>/dev/null || echo "unknown")
@@ -1351,8 +1352,8 @@ collect_config() {
printf " %-15s %s\n" "Username:" "$USERNAME" printf " %-15s %s\n" "Username:" "$USERNAME"
printf " %-15s %s\n" "Hostname:" "$SERVER_NAME" printf " %-15s %s\n" "Hostname:" "$SERVER_NAME"
if [[ -n "$INITIAL_DETECTED_PORT" && "$SSH_PORT" != "$INITIAL_DETECTED_PORT" ]]; then if [[ -n "$PREVIOUS_SSH_PORT" && "$SSH_PORT" != "$PREVIOUS_SSH_PORT" ]]; then
printf " %-15s %s (change from current: %s)\n" "SSH Port:" "$SSH_PORT" "$INITIAL_DETECTED_PORT" printf " %-15s %s (change from current: %s)\n" "SSH Port:" "$SSH_PORT" "$PREVIOUS_SSH_PORT"
else else
printf " %-15s %s\n" "SSH Port:" "$SSH_PORT" printf " %-15s %s\n" "SSH Port:" "$SSH_PORT"
fi fi
@@ -1657,6 +1658,15 @@ cleanup_and_exit() {
local exit_code=$? local exit_code=$?
if [[ $exit_code -ne 0 && $(type -t rollback_ssh_changes) == "function" ]]; then if [[ $exit_code -ne 0 && $(type -t rollback_ssh_changes) == "function" ]]; then
print_error "An error occurred. Rolling back SSH changes to port $PREVIOUS_SSH_PORT..." print_error "An error occurred. Rolling back SSH changes to port $PREVIOUS_SSH_PORT..."
print_info "Rolling back firewall rules..."
ufw delete allow "$SSH_PORT"/tcp 2>/dev/null || true
if [[ -n "$PREVIOUS_SSH_PORT" ]]; then
ufw allow "$PREVIOUS_SSH_PORT"/tcp comment 'SSH Rollback' 2>/dev/null || true
print_info "Firewall rolled back to allow port $PREVIOUS_SSH_PORT."
else
print_warning "Could not determine previous SSH port for firewall rollback."
fi
rollback_ssh_changes rollback_ssh_changes
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'." print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'."
@@ -1670,7 +1680,7 @@ configure_ssh() {
trap cleanup_and_exit ERR trap cleanup_and_exit ERR
print_section "SSH Hardening" print_section "SSH Hardening"
local CURRENT_SSH_PORT USER_HOME SSH_DIR SSH_KEY AUTH_KEYS NEW_SSH_CONFIG PREVIOUS_SSH_PORT local CURRENT_SSH_PORT USER_HOME SSH_DIR SSH_KEY AUTH_KEYS
# Ensure openssh-server is installed # Ensure openssh-server is installed
if ! dpkg -l openssh-server | grep -q ^ii; then if ! dpkg -l openssh-server | grep -q ^ii; then
@@ -1697,9 +1707,7 @@ configure_ssh() {
SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)" SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)"
cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE" cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE"
# Store the current active port as the previous port for rollback purposes # Check globally detected port, falling back to 22 if detection failed
PREVIOUS_SSH_PORT=$(ss -tlpn | grep sshd | grep -oP ':\K\d+' | head -n 1)
if [[ -z "$PREVIOUS_SSH_PORT" ]]; then if [[ -z "$PREVIOUS_SSH_PORT" ]]; then
print_warning "Could not detect an active SSH port. Assuming port 22 for the initial test." print_warning "Could not detect an active SSH port. Assuming port 22 for the initial test."
log "Could not detect active SSH port, fell back to 22." log "Could not detect active SSH port, fell back to 22."
@@ -1821,6 +1829,11 @@ EOF
while (( retry_count < max_retries )); do while (( retry_count < max_retries )); do
if confirm "Was the new SSH connection successful?"; then if confirm "Was the new SSH connection successful?"; then
print_success "SSH hardening confirmed and finalized." print_success "SSH hardening confirmed and finalized."
# Remove temporary UFW rule
if [[ -n "$PREVIOUS_SSH_PORT" && "$PREVIOUS_SSH_PORT" != "$SSH_PORT" ]]; then
print_info "Removing temporary UFW rule for old SSH port $PREVIOUS_SSH_PORT..."
ufw delete allow "$PREVIOUS_SSH_PORT"/tcp 2>/dev/null || true
fi
break break
else else
(( retry_count++ )) (( retry_count++ ))
@@ -2130,6 +2143,13 @@ configure_firewall() {
log "UFW IPv6 configuration skipped as no kernel support was detected." log "UFW IPv6 configuration skipped as no kernel support was detected."
fi fi
# Add temporary rule for current SSH port
if [[ -n "$PREVIOUS_SSH_PORT" && "$PREVIOUS_SSH_PORT" != "$SSH_PORT" ]]; then
print_info "Temporarily adding UFW rule for current SSH port $PREVIOUS_SSH_PORT for transition..."
if ! ufw status | grep -qw "$PREVIOUS_SSH_PORT/tcp"; then
ufw allow "$PREVIOUS_SSH_PORT"/tcp comment 'Temporary SSH for transition'
fi
fi
print_info "Enabling firewall..." print_info "Enabling firewall..."
if ! ufw --force enable; then if ! ufw --force enable; then
print_error "Failed to enable UFW. Check 'journalctl -u ufw' for details." print_error "Failed to enable UFW. Check 'journalctl -u ufw' for details."
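Review bot: The transition rule added with `ufw allow "$PREVIOUS_SSH_PORT"/tcp comment 'Temporary SSH for transition'` is removed only on the success branch of the confirmation loop in configure_ssh (the `ufw delete allow "$PREVIOUS_SSH_PORT"/tcp` block), so if that loop exhausts its retries, the run is aborted before it, or configure_ssh is skipped, the old port stays permanently open under a comment that calls it temporary. I would record the addition in a global such as `TEMP_SSH_RULE_ADDED=true` and delete the rule on every exit path that does not roll back to the old port, or at minimum print a warning naming the leftover rule so the operator removes it. Two smaller points in the same hunk: `ufw status | grep -qw "$PREVIOUS_SSH_PORT/tcp"` runs before `ufw --force enable`, and an inactive ufw lists no rules, so that guard never matches and only ufw's own duplicate-rule handling prevents a double entry; and the later delete omits the `comment`, so it is worth confirming on the target ufw version that a rule added with a comment is matched by the bare spec. Both configure_firewall and configure_ssh start outside their hunks, so the ordering in which main calls them (which decides whether the delete can ever see the rule) is not visible here.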


@@ -1 +1 @@
aa9a576fa8c8390d2068088932bb97d4c5f84a1bea203cadb21b09a1303669ff du_setup.sh 6a84e9a58aaec481e4fa921b29dd8ab3a6004f77d6da66b31c17c8bd7c8120de du_setup.sh