From 98e26e612d3ff99eb7f155d1a7372b8ba54eb2fe Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Mon, 13 Oct 2025 11:20:46 +0100 Subject: [PATCH 1/6] fix ssh permissions error for new user --- du_setup.sh | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/du_setup.sh b/du_setup.sh index 7748654..43e7fe5 100644 --- a/du_setup.sh +++ b/du_setup.sh @@ -1,8 +1,9 @@ #!/bin/bash # Debian and Ubuntu Server Hardening Interactive Script -# Version: 0.68 | 2025-09-07 +# Version: 0.69 | 2025-10-13 # Changelog: +# - v0.69: Ensure .ssh directory ownership is set for new user. # - v0.68: Enable UFW IPv6 support if available # - v0.67: Do not log taiscale auth key in log file # - v0.66: While configuring and in the summary, display both IPv6 and IPv4. @@ -68,7 +69,7 @@ set -euo pipefail # Exit on error, undefined vars, pipe failures # --- Update Configuration --- -CURRENT_VERSION="0.68" +CURRENT_VERSION="0.69" SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh" CHECKSUM_URL="${SCRIPT_URL}.sha256" @@ -129,7 +130,7 @@ print_header() { echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - echo -e "${CYAN}║ v0.68 | 2025-09-07 ║${NC}" + echo -e "${CYAN}║ v0.69 | 2025-10-13 ║${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo 
@@ -788,9 +789,14 @@ configure_ssh() { if [[ $LOCAL_KEY_ADDED == false ]] && [[ ! -s "$AUTH_KEYS" ]]; then print_info "No local key provided. Generating new SSH key..." - mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR" + mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR"; chown "$USERNAME:$USERNAME" "$SSH_DIR" sudo -u "$USERNAME" ssh-keygen -t ed25519 -f "$SSH_DIR/id_ed25519" -N "" -q cat "$SSH_DIR/id_ed25519.pub" >> "$AUTH_KEYS" + # Verify the key was added + if [[ ! -s "$AUTH_KEYS" ]]; then + print_error "Failed to create authorized_keys file." + return 1 + fi chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR" print_success "SSH key generated." echo -e "${YELLOW}Public key for remote access:${NC}"; cat "$SSH_DIR/id_ed25519.pub" @@ -846,7 +852,17 @@ EOF ════ all attempts are logged and reviewed ════ ****************************************************************************** EOF - + print_info "Testing SSH configuration syntax..." + if ! sshd -t 2>&1 | tee -a "$LOGFILE"; then + print_warning "SSH configuration test detected potential issues (see above)." + print_info "This may be due to existing configuration files on the system." + if ! confirm "Continue despite configuration warnings?"; then + print_error "Aborting SSH configuration." + rm /etc/ssh/sshd_config.d/99-hardening.conf + rm /etc/issue.net + return 1 + fi + fi print_info "Reloading systemd and restarting SSH service..." systemctl daemon-reload systemctl restart "$SSH_SERVICE" @@ -859,6 +875,7 @@ EOF # Verify root SSH is disabled print_info "Verifying root SSH login is disabled..." + sleep 2 if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then print_error "Root SSH login is still possible! Check configuration." return 1 
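Review bot: The `[[ ! -s "$AUTH_KEYS" ]]` test added after the `cat` does not verify that the generated key was added: with the script's `set -euo pipefail` a failing `ssh-keygen` or `cat` already aborts before the test is reached (unless configure_ssh is itself called in a conditional context, where `set -e` is suspended), so the only case it can catch is a successful append of zero bytes. A check tied to the key that was just generated is more meaningful, e.g. `grep -qF -- "$(awk '{print $2}' "$SSH_DIR/id_ed25519.pub")" "$AUTH_KEYS" || { print_error "Generated key was not added to authorized_keys."; return 1; }`. Note also that `-N ""` leaves an unencrypted private key in the new user's home on this host while only the public half is printed; a comment such as `# private key stays on this host: hand it to the operator out-of-band, then remove it` would make that expectation explicit. configure_ssh starts and ends outside this hunk.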
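Review bot: Offering `confirm "Continue despite configuration warnings?"` after `sshd -t` has failed lets the script reach the `systemctl restart "$SSH_SERVICE"` that follows with a configuration sshd has just refused; `sshd -t` exits non-zero only for errors (deprecation notices still exit 0), so on a remote host this path depends entirely on the later rollback to keep access. The branch should abort unconditionally, or the prompt text should at least state that sshd will not start with this configuration, e.g. `print_warning "sshd rejected the configuration; the service will fail to start if you continue."`. Separately, `rm /etc/issue.net` deletes whatever banner the system had before the run instead of restoring it; if the file existed beforehand it should be backed up first and restored here. configure_ssh starts and ends outside this hunk.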
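Review bot: The added `sleep 2` only papers over a race, and the probe it precedes does not actually establish that root login is disabled: with `BatchMode=yes` the ssh client exits non-zero for any reason it cannot log in (no root key pair present on this host, a refused connection, a host-key problem), so "Confirmed: Root SSH login is disabled." is printed even when `PermitRootLogin` is still permissive. Reading the effective daemon setting is deterministic and needs no timing: `if [[ "$(sshd -T 2>/dev/null | awk '/^permitrootlogin/{print $2}')" != "no" ]]; then`, with the `ssh` probe kept only as a secondary smoke test. configure_ssh starts and ends outside this hunk.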
@@ -1176,7 +1193,7 @@ configure_firewall() { print_info "No IPv6 detected on this system. Skipping UFW IPv6 configuration." log "UFW IPv6 configuration skipped as no kernel support was detected." fi - + print_info "Enabling firewall..." if ! ufw --force enable; then print_error "Failed to enable UFW. Check 'journalctl -u ufw' for details." From 1f3932d1e284d8be827253d53b27580ec874d675 Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Mon, 13 Oct 2025 14:31:47 +0100 Subject: [PATCH 2/6] Fix variable name for log file in SSH test --- du_setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/du_setup.sh b/du_setup.sh index 43e7fe5..c760628 100644 --- a/du_setup.sh +++ b/du_setup.sh @@ -853,7 +853,7 @@ EOF ****************************************************************************** EOF print_info "Testing SSH configuration syntax..." - if ! sshd -t 2>&1 | tee -a "$LOGFILE"; then + if ! sshd -t 2>&1 | tee -a "$LOG_FILE"; then print_warning "SSH configuration test detected potential issues (see above)." print_info "This may be due to existing configuration files on the system." if ! confirm "Continue despite configuration warnings?"; then From d12d50d5be471e4c97b1e7101f995e6ed1457413 Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Mon, 13 Oct 2025 14:45:15 +0100 Subject: [PATCH 3/6] Add backup for original SSH config Backup original SSH configuration before making changes. --- du_setup.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/du_setup.sh b/du_setup.sh index c760628..0af163f 100644 --- a/du_setup.sh +++ b/du_setup.sh 
@@ -780,6 +780,10 @@ configure_ssh() { print_info "Using SSH service: $SSH_SERVICE" log "Detected SSH service: $SSH_SERVICE" + print_info "Backing up original SSH config..." + SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)" + cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE" + # Store the current active port as the previous port PREVIOUS_SSH_PORT=$(ss -tuln | grep -E ":(22|.*$SSH_SERVICE.*)" | awk '{print $5}' | cut -d':' -f2 | head -n1 || echo "22") CURRENT_SSH_PORT=$PREVIOUS_SSH_PORT @@ -816,10 +820,6 @@ configure_ssh() { return 1 fi - print_info "Backing up original SSH config..." - SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)" - cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE" - # Apply port override if [[ $ID == "ubuntu" ]] && dpkg --compare-versions "$(lsb_release -rs)" ge "24.04"; then print_info "Updating SSH port in /etc/ssh/sshd_config for Ubuntu 24.04+..." @@ -860,6 +860,10 @@ EOF print_error "Aborting SSH configuration." rm /etc/ssh/sshd_config.d/99-hardening.conf rm /etc/issue.net + rm -rf /etc/systemd/system/ssh.socket.d + rm -rf /etc/systemd/system/ssh.service.d + rm -rf /etc/systemd/system/sshd.service.d + systemctl daemon-reload return 1 fi fi From e1bef0b150b20efd6758d49dd7fa7156221cf699 Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Mon, 13 Oct 2025 16:39:04 +0100 Subject: [PATCH 4/6] Refactor SSH service checks and error handling --- du_setup.sh | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/du_setup.sh b/du_setup.sh index 0af163f..fc097cb 100644 --- a/du_setup.sh +++ b/du_setup.sh @@ -750,6 +750,7 @@ cleanup_and_exit() { print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'." fi fi + trap - ERR exit $exit_code } 
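Review bot: The backup added at the top of the hunk copies only `/etc/ssh/sshd_config`, while the script's own changes go into `/etc/ssh/sshd_config.d/99-hardening.conf` and systemd drop-ins (both visible in the abort path later in this series), so any pre-existing `sshd_config.d/*.conf` or drop-in that the script overwrites cannot be recovered from this backup. Backing up the directory as well, `[[ -d /etc/ssh/sshd_config.d ]] && cp -a /etc/ssh/sshd_config.d "$BACKUP_DIR/sshd_config.d.backup_$(date +%Y%m%d_%H%M%S)"`, keeps a rollback complete, and `cp -p` would preserve the original mode and timestamp on the single-file copy. Whether `$BACKUP_DIR` exists before configure_ssh runs is not visible here; under `set -e` a missing directory aborts at the `cp`. configure_ssh starts and ends outside this hunk.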
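Review bot: `trap - ERR` placed immediately before `exit $exit_code` has no effect: `exit` does not itself fire the ERR trap, and the rollback commands above it have already run with the trap in place. If the aim is to keep the handler from re-entering itself when a rollback command fails, the reset belongs as the first statement of `cleanup_and_exit()`, which begins outside this hunk; bash also appears not to run the ERR trap while its own handler is executing, so the reset may be unnecessary altogether. Either way a comment stating which case it guards, e.g. `# reset ERR so a failing rollback step cannot re-enter this handler`, would make the intent reviewable.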
@@ -762,6 +763,7 @@ configure_ssh() { # Ensure openssh-server is installed if ! dpkg -l openssh-server | grep -q ^ii; then print_error "openssh-server package is not installed." + trap - ERR return 1 fi @@ -775,6 +777,7 @@ configure_ssh() { SSH_SERVICE="sshd.service" else print_error "No SSH service or daemon detected." + trap - ERR return 1 fi print_info "Using SSH service: $SSH_SERVICE" @@ -799,6 +802,7 @@ configure_ssh() { # Verify the key was added if [[ ! -s "$AUTH_KEYS" ]]; then print_error "Failed to create authorized_keys file." + trap - ERR return 1 fi chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR" @@ -808,15 +812,16 @@ configure_ssh() { print_warning "SSH Key Authentication Required for Next Steps!" echo -e "${CYAN}Test SSH access from a SEPARATE terminal now:${NC}" - if [[ "$SERVER_IP_V4" != "unknown" ]]; then + if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then echo -e "${CYAN} Using IPv4: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V4${NC}" fi - if [[ "$SERVER_IP_V6" != "not available" ]]; then + if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then echo -e "${CYAN} Using IPv6: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V6${NC}" fi if ! confirm "Can you successfully log in using your SSH key?"; then print_error "SSH key authentication is mandatory to proceed." + trap - ERR return 1 fi 
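Review bot: The new `-n "$SERVER_IP_V4"` and `-n "$SERVER_IP_V6"` guards only handle an empty value; with the script's `set -u` an unset variable still aborts with "unbound variable" before `[[ -n ... ]]` is evaluated. If the intent is to tolerate the variables not being assigned at all (detection skipped earlier), the tests need `[[ -n "${SERVER_IP_V4:-}" && "${SERVER_IP_V4:-}" != "unknown" ]]` and likewise for V6; if they are always assigned, the `-n` test adds nothing and a one-line comment saying so would help. The same applies to the two guards in hunk `@@ -882,16 +889,17 @@`. configure_ssh starts and ends outside this hunk.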
@@ -858,12 +863,13 @@ EOF print_info "This may be due to existing configuration files on the system." if ! confirm "Continue despite configuration warnings?"; then print_error "Aborting SSH configuration." - rm /etc/ssh/sshd_config.d/99-hardening.conf - rm /etc/issue.net - rm -rf /etc/systemd/system/ssh.socket.d - rm -rf /etc/systemd/system/ssh.service.d - rm -rf /etc/systemd/system/sshd.service.d + rm -f /etc/ssh/sshd_config.d/99-hardening.conf + rm -f /etc/issue.net + rm -f /etc/systemd/system/ssh.socket.d/override.conf + rm -f /etc/systemd/system/ssh.service.d/override.conf + rm -f /etc/systemd/system/sshd.service.d/override.conf systemctl daemon-reload + trap - ERR return 1 fi fi @@ -873,6 +879,7 @@ EOF sleep 5 if ! ss -tuln | grep -q ":$SSH_PORT"; then print_error "SSH not listening on port $SSH_PORT after restart!" + trap - ERR return 1 fi print_success "SSH service restarted on port $SSH_PORT." @@ -882,16 +889,17 @@ EOF sleep 2 if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then print_error "Root SSH login is still possible! Check configuration." + trap - ERR return 1 else print_success "Confirmed: Root SSH login is disabled." fi print_warning "CRITICAL: Test new SSH connection in a SEPARATE terminal NOW!" - if [[ "$SERVER_IP_V4" != "unknown" ]]; then + if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then print_info "Use IPv4: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V4" fi - if [[ "$SERVER_IP_V6" != "not available" ]]; then + if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then print_info "Use IPv6: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V6" fi @@ -915,6 +923,7 @@ EOF else print_success "Rollback successful. SSH restored on original port $PREVIOUS_SSH_PORT." fi + trap - ERR return 1 fi fi From a431785ed6b362d66694ef451e970ff749307f82 Mon Sep 17 00:00:00 2001 
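Review bot: The abort branch now removes `override.conf` from `ssh.socket.d`, `ssh.service.d` and `sshd.service.d` whether or not this script wrote them, so an override an administrator had in place before the run is deleted rather than restored; the same holds for `/etc/issue.net`. Recording what the script created, for example appending each path to an array like `CREATED_FILES+=("$path")` (constructed name) when the file did not exist beforehand, and removing only those, or restoring the rest from `$BACKUP_DIR`, keeps the abort path from discarding prior configuration. Since the service has not been restarted at this point, `systemctl daemon-reload` alone is the right call here. configure_ssh starts and ends outside this hunk.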
From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Mon, 13 Oct 2025 16:57:26 +0100 Subject: [PATCH 5/6] Remove trap - ERR statements for error handling --- du_setup.sh | 8 -------- 1 file changed, 8 deletions(-) diff --git a/du_setup.sh b/du_setup.sh index fc097cb..4888358 100644 --- a/du_setup.sh +++ b/du_setup.sh @@ -763,7 +763,6 @@ configure_ssh() { # Ensure openssh-server is installed if ! dpkg -l openssh-server | grep -q ^ii; then print_error "openssh-server package is not installed." - trap - ERR return 1 fi @@ -777,7 +776,6 @@ configure_ssh() { SSH_SERVICE="sshd.service" else print_error "No SSH service or daemon detected." - trap - ERR return 1 fi print_info "Using SSH service: $SSH_SERVICE" @@ -802,7 +800,6 @@ configure_ssh() { # Verify the key was added if [[ ! -s "$AUTH_KEYS" ]]; then print_error "Failed to create authorized_keys file." - trap - ERR return 1 fi chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR" @@ -821,7 +818,6 @@ configure_ssh() { if ! confirm "Can you successfully log in using your SSH key?"; then print_error "SSH key authentication is mandatory to proceed." - trap - ERR return 1 fi @@ -869,7 +865,6 @@ EOF rm -f /etc/systemd/system/ssh.service.d/override.conf rm -f /etc/systemd/system/sshd.service.d/override.conf systemctl daemon-reload - trap - ERR return 1 fi fi @@ -879,7 +874,6 @@ EOF sleep 5 if ! ss -tuln | grep -q ":$SSH_PORT"; then print_error "SSH not listening on port $SSH_PORT after restart!" - trap - ERR return 1 fi print_success "SSH service restarted on port $SSH_PORT." @@ -889,7 +883,6 @@ EOF sleep 2 if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then print_error "Root SSH login is still possible! Check configuration." - trap - ERR return 1 else print_success "Confirmed: Root SSH login is disabled." 
@@ -923,7 +916,6 @@ EOF else print_success "Rollback successful. SSH restored on original port $PREVIOUS_SSH_PORT." fi - trap - ERR return 1 fi fi From 67689136a9de16e987243a1e9d327ee0362835a9 Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Mon, 13 Oct 2025 17:26:00 +0100 Subject: [PATCH 6/6] sha256 for v0.69 --- du_setup.sh.sha256 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/du_setup.sh.sha256 b/du_setup.sh.sha256 index f065dbc..187b794 100644 --- a/du_setup.sh.sha256 +++ b/du_setup.sh.sha256 @@ -1 +1 @@ -bb67b89744341b8f693814883db15034bc1a72372280a19e5c60b9752af62017 du_setup.sh +8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d du_setup.sh