External/du_setup
1
0
Fork 0
mirror of https://github.com/buildplan/du_setup.git synced 2025-12-29 16:14:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #55 from buildplan/ownership_fix

Browse Source 
Fix: Improve robustness and safety of SSH hardening
This commit is contained in:
buildplan
2025-10-13 20:24:04 +01:00
committed by GitHub
parent 0f477d81ef 67689136a9
commit 79ca010c1a
2 changed files with 37 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
du_setup.sh
View File

@@ -1,8 +1,9 @@
#!/bin/bash #!/bin/bash
# Debian and Ubuntu Server Hardening Interactive Script # Debian and Ubuntu Server Hardening Interactive Script
# Version: 0.68 | 2025-09-07 # Version: 0.69 | 2025-10-13
# Changelog: # Changelog:
# - v0.69: Ensure .ssh directory ownership is set for new user.
# - v0.68: Enable UFW IPv6 support if available # - v0.68: Enable UFW IPv6 support if available
# - v0.67: Do not log taiscale auth key in log file # - v0.67: Do not log taiscale auth key in log file
# - v0.66: While configuring and in the summary, display both IPv6 and IPv4. # - v0.66: While configuring and in the summary, display both IPv6 and IPv4.
@@ -68,7 +69,7 @@
set -euo pipefail # Exit on error, undefined vars, pipe failures set -euo pipefail # Exit on error, undefined vars, pipe failures
# --- Update Configuration --- # --- Update Configuration ---
CURRENT_VERSION="0.68" CURRENT_VERSION="0.69"
SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh" SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh"
CHECKSUM_URL="${SCRIPT_URL}.sha256" CHECKSUM_URL="${SCRIPT_URL}.sha256"
@@ -129,7 +130,7 @@ print_header() {
echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ ║${NC}"
echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}"
echo -e "${CYAN}║ v0.68 | 2025-09-07${NC}" echo -e "${CYAN}║ v0.69 | 2025-10-13${NC}"
echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ ║${NC}"
echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
echo echo
@@ -749,6 +750,7 @@ cleanup_and_exit() {
print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'." print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'."
fi fi
fi fi
trap - ERR
exit $exit_code exit $exit_code
} }
@@ -779,6 +781,10 @@ configure_ssh() {
print_info "Using SSH service: $SSH_SERVICE" print_info "Using SSH service: $SSH_SERVICE"
log "Detected SSH service: $SSH_SERVICE" log "Detected SSH service: $SSH_SERVICE"
print_info "Backing up original SSH config..."
SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)"
cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE"
# Store the current active port as the previous port # Store the current active port as the previous port
PREVIOUS_SSH_PORT=$(ss -tuln | grep -E ":(22|.*$SSH_SERVICE.*)" | awk '{print $5}' | cut -d':' -f2 | head -n1 || echo "22") PREVIOUS_SSH_PORT=$(ss -tuln | grep -E ":(22|.*$SSH_SERVICE.*)" | awk '{print $5}' | cut -d':' -f2 | head -n1 || echo "22")
CURRENT_SSH_PORT=$PREVIOUS_SSH_PORT CURRENT_SSH_PORT=$PREVIOUS_SSH_PORT
@@ -788,9 +794,14 @@ configure_ssh() {
if [[ $LOCAL_KEY_ADDED == false ]] && [[ ! -s "$AUTH_KEYS" ]]; then if [[ $LOCAL_KEY_ADDED == false ]] && [[ ! -s "$AUTH_KEYS" ]]; then
print_info "No local key provided. Generating new SSH key..." print_info "No local key provided. Generating new SSH key..."
mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR" mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR"; chown "$USERNAME:$USERNAME" "$SSH_DIR"
sudo -u "$USERNAME" ssh-keygen -t ed25519 -f "$SSH_DIR/id_ed25519" -N "" -q sudo -u "$USERNAME" ssh-keygen -t ed25519 -f "$SSH_DIR/id_ed25519" -N "" -q
cat "$SSH_DIR/id_ed25519.pub" >> "$AUTH_KEYS" cat "$SSH_DIR/id_ed25519.pub" >> "$AUTH_KEYS"
# Verify the key was added
if [[ ! -s "$AUTH_KEYS" ]]; then
print_error "Failed to create authorized_keys file."
return 1
fi
chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR" chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR"
print_success "SSH key generated." print_success "SSH key generated."
echo -e "${YELLOW}Public key for remote access:${NC}"; cat "$SSH_DIR/id_ed25519.pub" echo -e "${YELLOW}Public key for remote access:${NC}"; cat "$SSH_DIR/id_ed25519.pub"
@@ -798,10 +809,10 @@ configure_ssh() {
print_warning "SSH Key Authentication Required for Next Steps!" print_warning "SSH Key Authentication Required for Next Steps!"
echo -e "${CYAN}Test SSH access from a SEPARATE terminal now:${NC}" echo -e "${CYAN}Test SSH access from a SEPARATE terminal now:${NC}"
if [[ "$SERVER_IP_V4" != "unknown" ]]; then if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then
echo -e "${CYAN} Using IPv4: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V4${NC}" echo -e "${CYAN} Using IPv4: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V4${NC}"
fi fi
if [[ "$SERVER_IP_V6" != "not available" ]]; then if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then
echo -e "${CYAN} Using IPv6: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V6${NC}" echo -e "${CYAN} Using IPv6: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V6${NC}"
fi fi
@@ -810,10 +821,6 @@ configure_ssh() {
return 1 return 1
fi fi
print_info "Backing up original SSH config..."
SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)"
cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE"
# Apply port override # Apply port override
if [[ $ID == "ubuntu" ]] && dpkg --compare-versions "$(lsb_release -rs)" ge "24.04"; then if [[ $ID == "ubuntu" ]] && dpkg --compare-versions "$(lsb_release -rs)" ge "24.04"; then
print_info "Updating SSH port in /etc/ssh/sshd_config for Ubuntu 24.04+..." print_info "Updating SSH port in /etc/ssh/sshd_config for Ubuntu 24.04+..."
@@ -846,7 +853,21 @@ EOF
════ all attempts are logged and reviewed ════ ════ all attempts are logged and reviewed ════
****************************************************************************** ******************************************************************************
EOF EOF
print_info "Testing SSH configuration syntax..."
if ! sshd -t 2>&1 | tee -a "$LOG_FILE"; then
print_warning "SSH configuration test detected potential issues (see above)."
print_info "This may be due to existing configuration files on the system."
if ! confirm "Continue despite configuration warnings?"; then
print_error "Aborting SSH configuration."
rm -f /etc/ssh/sshd_config.d/99-hardening.conf
rm -f /etc/issue.net
rm -f /etc/systemd/system/ssh.socket.d/override.conf
rm -f /etc/systemd/system/ssh.service.d/override.conf
rm -f /etc/systemd/system/sshd.service.d/override.conf
systemctl daemon-reload
return 1
fi
fi
print_info "Reloading systemd and restarting SSH service..." print_info "Reloading systemd and restarting SSH service..."
systemctl daemon-reload systemctl daemon-reload
systemctl restart "$SSH_SERVICE" systemctl restart "$SSH_SERVICE"
@@ -859,6 +880,7 @@ EOF
# Verify root SSH is disabled # Verify root SSH is disabled
print_info "Verifying root SSH login is disabled..." print_info "Verifying root SSH login is disabled..."
sleep 2
if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then
print_error "Root SSH login is still possible! Check configuration." print_error "Root SSH login is still possible! Check configuration."
return 1 return 1
@@ -867,10 +889,10 @@ EOF
fi fi
print_warning "CRITICAL: Test new SSH connection in a SEPARATE terminal NOW!" print_warning "CRITICAL: Test new SSH connection in a SEPARATE terminal NOW!"
if [[ "$SERVER_IP_V4" != "unknown" ]]; then if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then
print_info "Use IPv4: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V4" print_info "Use IPv4: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V4"
fi fi
if [[ "$SERVER_IP_V6" != "not available" ]]; then if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then
print_info "Use IPv6: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V6" print_info "Use IPv6: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V6"
fi fi

2
du_setup.sh.sha256
View File

@@ -1 +1 @@
bb67b89744341b8f693814883db15034bc1a72372280a19e5c60b9752af62017 du_setup.sh 8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d du_setup.sh