Merge pull request #55 from buildplan/ownership_fix

Fix: Improve robustness and safety of SSH hardening
This commit is contained in:
buildplan
2025-10-13 20:24:04 +01:00
committed by GitHub
2 changed files with 37 additions and 15 deletions


@@ -1,8 +1,9 @@
#!/bin/bash #!/bin/bash
# Debian and Ubuntu Server Hardening Interactive Script # Debian and Ubuntu Server Hardening Interactive Script
# Version: 0.68 | 2025-09-07 # Version: 0.69 | 2025-10-13
# Changelog: # Changelog:
# - v0.69: Ensure .ssh directory ownership is set for new user.
# - v0.68: Enable UFW IPv6 support if available # - v0.68: Enable UFW IPv6 support if available
# - v0.67: Do not log taiscale auth key in log file # - v0.67: Do not log taiscale auth key in log file
# - v0.66: While configuring and in the summary, display both IPv6 and IPv4. # - v0.66: While configuring and in the summary, display both IPv6 and IPv4.
@@ -68,7 +69,7 @@
set -euo pipefail # Exit on error, undefined vars, pipe failures set -euo pipefail # Exit on error, undefined vars, pipe failures
# --- Update Configuration --- # --- Update Configuration ---
CURRENT_VERSION="0.68" CURRENT_VERSION="0.69"
SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh" SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh"
CHECKSUM_URL="${SCRIPT_URL}.sha256" CHECKSUM_URL="${SCRIPT_URL}.sha256"
@@ -129,7 +130,7 @@ print_header() {
echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ ║${NC}"
echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}"
echo -e "${CYAN}║ v0.68 | 2025-09-07${NC}" echo -e "${CYAN}║ v0.69 | 2025-10-13${NC}"
echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ ║${NC}"
echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
echo echo
@@ -749,6 +750,7 @@ cleanup_and_exit() {
print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'." print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'."
fi fi
fi fi
trap - ERR
exit $exit_code exit $exit_code
} }
@@ -779,6 +781,10 @@ configure_ssh() {
print_info "Using SSH service: $SSH_SERVICE" print_info "Using SSH service: $SSH_SERVICE"
log "Detected SSH service: $SSH_SERVICE" log "Detected SSH service: $SSH_SERVICE"
print_info "Backing up original SSH config..."
SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)"
cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE"
# Store the current active port as the previous port # Store the current active port as the previous port
PREVIOUS_SSH_PORT=$(ss -tuln | grep -E ":(22|.*$SSH_SERVICE.*)" | awk '{print $5}' | cut -d':' -f2 | head -n1 || echo "22") PREVIOUS_SSH_PORT=$(ss -tuln | grep -E ":(22|.*$SSH_SERVICE.*)" | awk '{print $5}' | cut -d':' -f2 | head -n1 || echo "22")
CURRENT_SSH_PORT=$PREVIOUS_SSH_PORT CURRENT_SSH_PORT=$PREVIOUS_SSH_PORT
@@ -788,9 +794,14 @@ configure_ssh() {
if [[ $LOCAL_KEY_ADDED == false ]] && [[ ! -s "$AUTH_KEYS" ]]; then if [[ $LOCAL_KEY_ADDED == false ]] && [[ ! -s "$AUTH_KEYS" ]]; then
print_info "No local key provided. Generating new SSH key..." print_info "No local key provided. Generating new SSH key..."
mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR" mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR"; chown "$USERNAME:$USERNAME" "$SSH_DIR"
sudo -u "$USERNAME" ssh-keygen -t ed25519 -f "$SSH_DIR/id_ed25519" -N "" -q sudo -u "$USERNAME" ssh-keygen -t ed25519 -f "$SSH_DIR/id_ed25519" -N "" -q
cat "$SSH_DIR/id_ed25519.pub" >> "$AUTH_KEYS" cat "$SSH_DIR/id_ed25519.pub" >> "$AUTH_KEYS"
# Verify the key was added
if [[ ! -s "$AUTH_KEYS" ]]; then
print_error "Failed to create authorized_keys file."
return 1
fi
chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR" chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR"
print_success "SSH key generated." print_success "SSH key generated."
echo -e "${YELLOW}Public key for remote access:${NC}"; cat "$SSH_DIR/id_ed25519.pub" echo -e "${YELLOW}Public key for remote access:${NC}"; cat "$SSH_DIR/id_ed25519.pub"
@@ -798,10 +809,10 @@ configure_ssh() {
print_warning "SSH Key Authentication Required for Next Steps!" print_warning "SSH Key Authentication Required for Next Steps!"
echo -e "${CYAN}Test SSH access from a SEPARATE terminal now:${NC}" echo -e "${CYAN}Test SSH access from a SEPARATE terminal now:${NC}"
if [[ "$SERVER_IP_V4" != "unknown" ]]; then if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then
echo -e "${CYAN} Using IPv4: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V4${NC}" echo -e "${CYAN} Using IPv4: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V4${NC}"
fi fi
if [[ "$SERVER_IP_V6" != "not available" ]]; then if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then
echo -e "${CYAN} Using IPv6: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V6${NC}" echo -e "${CYAN} Using IPv6: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V6${NC}"
fi fi
@@ -810,10 +821,6 @@ configure_ssh() {
return 1 return 1
fi fi
print_info "Backing up original SSH config..."
SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)"
cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE"
# Apply port override # Apply port override
if [[ $ID == "ubuntu" ]] && dpkg --compare-versions "$(lsb_release -rs)" ge "24.04"; then if [[ $ID == "ubuntu" ]] && dpkg --compare-versions "$(lsb_release -rs)" ge "24.04"; then
print_info "Updating SSH port in /etc/ssh/sshd_config for Ubuntu 24.04+..." print_info "Updating SSH port in /etc/ssh/sshd_config for Ubuntu 24.04+..."
@@ -846,7 +853,21 @@ EOF
════ all attempts are logged and reviewed ════ ════ all attempts are logged and reviewed ════
****************************************************************************** ******************************************************************************
EOF EOF
print_info "Testing SSH configuration syntax..."
if ! sshd -t 2>&1 | tee -a "$LOG_FILE"; then
print_warning "SSH configuration test detected potential issues (see above)."
print_info "This may be due to existing configuration files on the system."
if ! confirm "Continue despite configuration warnings?"; then
print_error "Aborting SSH configuration."
rm -f /etc/ssh/sshd_config.d/99-hardening.conf
rm -f /etc/issue.net
rm -f /etc/systemd/system/ssh.socket.d/override.conf
rm -f /etc/systemd/system/ssh.service.d/override.conf
rm -f /etc/systemd/system/sshd.service.d/override.conf
systemctl daemon-reload
return 1
fi
fi
print_info "Reloading systemd and restarting SSH service..." print_info "Reloading systemd and restarting SSH service..."
systemctl daemon-reload systemctl daemon-reload
systemctl restart "$SSH_SERVICE" systemctl restart "$SSH_SERVICE"
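Review bot: The abort path added after the `sshd -t` check removes the hardening drop-in, the banner and the systemd overrides but never restores `/etc/ssh/sshd_config` from `$SSHD_BACKUP_FILE`, even though the backup is now taken at the top of configure_ssh and the Ubuntu 24.04+ branch edits the main config file directly. Add `cp -- "$SSHD_BACKUP_FILE" /etc/ssh/sshd_config` before the `systemctl daemon-reload` in that branch so declining the prompt leaves the daemon on its pre-run configuration rather than a half-applied one. `rm -f /etc/issue.net` also discards any banner that existed before the script ran; if no copy of it is kept, a comment such as `# NOTE: pre-existing /etc/issue.net is not restored` would make the partial rollback explicit. The enclosing function and the here-document this hunk closes both start outside the hunk, so the variable is assumed to be in scope here.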
@@ -859,6 +880,7 @@ EOF
# Verify root SSH is disabled # Verify root SSH is disabled
print_info "Verifying root SSH login is disabled..." print_info "Verifying root SSH login is disabled..."
sleep 2
if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then
print_error "Root SSH login is still possible! Check configuration." print_error "Root SSH login is still possible! Check configuration."
return 1 return 1
@@ -867,10 +889,10 @@ EOF
fi fi
print_warning "CRITICAL: Test new SSH connection in a SEPARATE terminal NOW!" print_warning "CRITICAL: Test new SSH connection in a SEPARATE terminal NOW!"
if [[ "$SERVER_IP_V4" != "unknown" ]]; then if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then
print_info "Use IPv4: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V4" print_info "Use IPv4: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V4"
fi fi
if [[ "$SERVER_IP_V6" != "not available" ]]; then if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then
print_info "Use IPv6: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V6" print_info "Use IPv6: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V6"
fi fi
@@ -1176,7 +1198,7 @@ configure_firewall() {
print_info "No IPv6 detected on this system. Skipping UFW IPv6 configuration." print_info "No IPv6 detected on this system. Skipping UFW IPv6 configuration."
log "UFW IPv6 configuration skipped as no kernel support was detected." log "UFW IPv6 configuration skipped as no kernel support was detected."
fi fi
print_info "Enabling firewall..." print_info "Enabling firewall..."
if ! ufw --force enable; then if ! ufw --force enable; then
print_error "Failed to enable UFW. Check 'journalctl -u ufw' for details." print_error "Failed to enable UFW. Check 'journalctl -u ufw' for details."


@@ -1 +1 @@
bb67b89744341b8f693814883db15034bc1a72372280a19e5c60b9752af62017 du_setup.sh 8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d du_setup.sh