Update README.md

2025-12-29 16:14:59 +00:00 · 2025-06-26 22:48:55 +01:00
parent 45df07c9e0
commit 8a40239393
1 changed files with 88 additions and 58 deletions
--- a/README.md
+++ b/README.md
@@ -1,114 +1,144 @@
-## Debian & Ubuntu Server Setup & Hardening Script
+# Debian & Ubuntu Server Setup & Hardening Script
-**Version:** 3.8  
+**Version:** 3.9
-**Last Updated:** 2025-06-26  
+
-**Compatible With:**  
+**Last Updated:** 2025-06-26
- Debian 12 (Bookworm)  
+
- Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS  
+**Compatible With:**
 - Debian 12 (Bookworm)
 - Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS
 ---
 ## 📌 Overview
-This script automates the secure provisioning and hardening of a fresh Debian or Ubuntu server. It covers essential system settings, user management, SSH hardening, firewall configuration, and optional installation of Docker and Tailscale.
+This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is designed to be **idempotent**, **safe**, and suitable for **production environments**, establishing a secure baseline from which to build upon.
-It is designed to be **idempotent**, **safe**, and suitable for **production environments**.
+It runs interactively, guiding the user through critical choices while automating the tedious but essential steps of securing a new server.
 ---
-## ⚙️ Features
+## ✨ Features
- Root login disabled, new admin user creation  
+- **Secure User Management:** Creates a new administrator user with `sudo` privileges and disables the root account's SSH access.
- SSH key-based login support and key detection  
+- **SSH Hardening:** Configures the SSH server to use a custom port, disable password authentication (enforcing key-based login), and apply other security best practices.
- UFW firewall configuration with custom port support  
+- **Firewall Configuration:** Sets up UFW (Uncomplicated Firewall) with sensible defaults and allows for custom rules.
- SSH and system configuration backup and rollback safety  
+- **Intrusion Prevention:** Installs and configures **Fail2Ban** to automatically block IPs that show malicious signs, such as repeated password failures.
- Timezone and swap file setup  
+- **Automated Security Updates:** Configures `unattended-upgrades` to automatically install new security patches.
- Optional installation of:
+- **System Stability:** Sets up NTP time synchronization with `chrony` and can configure a swap file for systems with low RAM.
 - **Safety First:** Automatically backs up all critical configuration files before modification, with simple restoration instructions.
 - **Optional Software:** Provides optional, interactive installation for:
  - Docker & Docker Compose
  - Tailscale (Mesh VPN)
- Logging to `/var/log/`
+- **Comprehensive Logging:** All actions are logged to `/var/log/setup_harden_debian_ubuntu_*.log`.
- Optional quiet mode for automated scripts
+- **Automation-Friendly:** Includes a `--quiet` mode to suppress non-essential output for use in automated provisioning workflows.
 ---
-## 📥 Installation & Usage
+## 🚀 Installation & Usage
-### 1. Download the script
+### Prerequisites
-```
+- A fresh installation of a compatible OS.
-wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh
+- Root or `sudo` privileges.
 - Internet access for downloading packages.
 ### 1. Download the Script
 ```bash
 wget [https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh](https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh)
 chmod +x setup_harden_debian_ubuntu.sh
 ````
 ### 2. Run the script as root
 ```
 ### 2. Run the Script Interactively
 It is highly recommended to run the script interactively the first time.
 ```bash
 sudo ./setup_harden_debian_ubuntu.sh
 ```
-### 3. Optional: Run in quiet mode
+### 3. Run in Quiet Mode (for automation)
-```
+```bash
 sudo ./setup_harden_debian_ubuntu.sh --quiet
 ```
-> 🔒 The script must be run as root (or with sudo privileges).
+> 🔒 **Critical Safety Check:** The script will pause and require you to test your new SSH connection from a separate terminal before it proceeds to disable old access methods. **Do not skip this step!**
 ---
-## 📂 What It Does
+## 🗂️ What It Does in Detail
-| Task                          | Description                                    |
+| Task                    | Description                                                                 |
-| ----------------------------- | ---------------------------------------------- |
+| ----------------------- | --------------------------------------------------------------------------- |
-| Admin User Creation           | Creates new sudo user with password or SSH key |
+| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity.      |
-| SSH Hardening                 | Disables root login, adjusts secure options    |
+| **Package Management** | Updates all packages and installs essential tools (`ufw`, `fail2ban`, `chrony`, etc.). |
-| Firewall                      | UFW setup with customisable ports              |
+| **Admin User Creation** | Creates a new `sudo` user with a password and/or a provided SSH public key. |
-| Package Installation          | Essential tools (curl, fail2ban, etc.)         |
+| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port.       |
-| System Config Backup          | Creates backups before making changes          |
+| **Firewall Setup** | Configures UFW to deny incoming traffic by default and allow specific ports. |
-| Swap File Setup               | Creates a swap file with size selection        |
+| **System Backups** | Creates timestamped backups of configs in `/root/` before modification.    |
-| Timezone Selection            | Interactive timezone configuration             |
+| **Swap File Setup** | (Optional) Creates a swap file with a user-selected size.                  |
-| Docker & Tailscale (optional) | Only installed when prompted                   |
+| **Timezone & Locales** | (Optional) Interactive configuration for timezone and system locales.       |
 | **Docker Install** | (Optional) Installs and configures Docker Engine and adds the user to the `docker` group. |
 | **Tailscale Install** | (Optional) Installs the Tailscale client.                                   |
 | **Final Cleanup** | Removes unused packages and reloads system daemons.                         |
 ---
 ## 🪵 Logs & Backups
-* **Logs:** `/var/log/setup_harden_debian_ubuntu_*.log`
+- **Log Files:** `/var/log/setup_harden_debian_ubuntu_*.log`
-* **Config Backups:** `/root/setup_harden_backup_*`
+- **Configuration Backups:** `/root/setup_harden_backup_*`
 * **SSHD Backup:** Restorable from the backup directory in case of issues
 ---
 ## 🧪 Tested On
-* Debian 12
+- Debian 12
-* Ubuntu 24.04
+- Ubuntu 24.04 LTS, 22.04 LTS
-* VMs, and common VPS providers (OCI, DigitalOcean, etc.)
+- Common cloud providers (DigitalOcean, AWS, GCP, Oracle Cloud) and local VMs.
 ---
 ## ❗ Important Notes
-* Always test in a VM or staging VPS before using in production.
+- **Run this on a fresh system.** While idempotent, the script is designed for initial provisioning.
-* Run this script before setting up anything else on brand new VM/VPS.
+- **A system reboot is required** after the script completes to ensure all changes, especially to the kernel and services, are applied cleanly.
-* Ensure you have console or out-of-band access in case SSH becomes inaccessible.
+- Always test the script in a non-production environment (like a staging VM) before deploying to a live server.
-* A system **reboot is recommended** after running the script.
+- Ensure you have out-of-band console access to your server in case you accidentally lock yourself out.
 ---
-## 🛠 Troubleshooting
+## 🛠️ Troubleshooting
-* **SSH Locked Out?** Use the server console and restore:
+### SSH Lockout Recovery
-  ```
+If you are locked out of SSH, use your provider's web console to perform the following steps:
-  cp /root/setup_harden_backup_*/sshd_config /etc/ssh/sshd_config
+
-  systemctl restart ssh
+1.  **Remove the hardened configuration:**
-  ```
+    ```bash
-* **No internet?** The script requires internet access to install packages.
+    # This file overrides the main config, so it must be removed.
    rm /etc/ssh/sshd_config.d/99-hardening.conf
    ```
 2.  **Restore the original `sshd_config` file:**
    ```bash
    # Find the latest backup directory
    LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1)
    # Copy the original config back into place
    cp "$LATEST_BACKUP"/sshd_config.backup_* /etc/ssh/sshd_config
    ```
 3.  **Restart the SSH service:**
    ```bash
    systemctl restart ssh
    ```
    You should now be able to log in using the original port (usually 22) and credentials.
 ---
 ## 📝 License
-This script is open-source and provided "as is" without warranty.
+This script is open-source and provided "as is" without warranty. Use at your own risk.
 Use at your own risk.