Merge pull request #68 from buildplan/revise_test_backup

Revise test backup
buildplan
2025-10-20 09:54:23 +01:00
committed by GitHub
3 changed files with 66 additions and 24 deletions

@@ -7,9 +7,9 @@
-----
**Version:** v0.70.1
**Version:** v0.71
**Last Updated:** 2025-10-19
**Last Updated:** 2025-10-20
**Compatible With:**
@@ -20,6 +20,8 @@
This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is **idempotent**, **safe**, and suitable for **production environments**, providing a secure baseline for further customization. The script runs interactively, guiding users through critical choices while automating essential security and setup tasks.
-----
## Features
* **Secure User Management**: Creates a new `sudo` user and disables root SSH access.
@@ -40,6 +42,8 @@ This script automates the initial setup and security hardening of a fresh Debian
* **Comprehensive Logging**: Logs all actions to `/var/log/du_setup_*.log`.
* **Automation-Friendly**: Supports `--quiet` mode for automated provisioning.
-----
## Installation & Usage
### Prerequisites
@@ -83,12 +87,12 @@ sha256sum du_setup.sh
Compare the output hash to the one below. They must match exactly.
`783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8`
`dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6`
Or echo the hash to check, it should output: `du_setup.sh: OK`
```bash
echo 783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8 du_setup.sh | sha256sum --check
echo dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6 du_setup.sh | sha256sum --check
```
### 3. Run the Script
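Review bot: the expected hash in this README section is published from the same repository as `du_setup.sh`, so the `sha256sum --check` step catches a truncated or corrupted download but not a modified script whose hash was updated alongside it, which is exactly how this commit updates the README, the script and the checksum file together. Consider stating that limit next to "They must match exactly", and offering a check against something held outside the repository contents, such as a signed tag or a detached signature.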
@@ -117,6 +121,8 @@ sudo -E ./du_setup.sh --quiet
>
> Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections).
-----
## What It Does
| Task | Description |
@@ -140,7 +146,9 @@ sudo -E ./du_setup.sh --quiet
| **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. |
| **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. |
## Provider Package Cleanup (Since v0.70)
-----
## Provider Package Cleanup
Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security.
@@ -162,6 +170,8 @@ Cleanup is optional but recommended for commercial VPS environments to reduce at
* Default provisioning users (ubuntu, debian, admin, cloud-user)
* Unexpected SSH keys in `/root/.ssh/authorized_keys`
-----
## Post-Reboot Verification
After rebooting, verify the setup:
@@ -192,6 +202,8 @@ After rebooting, verify the setup:
* Check results: `sudo less /var/log/setup_harden_security_audit_*.log`
* Review Lynis hardening index and debsecan vulnerabilities in the scripts summary output
-----
## Tested On
* Debian 12, 13
@@ -200,6 +212,8 @@ After rebooting, verify the setup:
* Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers
* Tailscale: Standard network, custom self-hosted servers
-----
## Important Notes
* **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space.
@@ -210,6 +224,8 @@ After rebooting, verify the setup:
* For Tailscale, generate a pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic.
* For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations.
-----
## Troubleshooting
### SSH Lockout Recovery
@@ -302,6 +318,8 @@ If Tailscale fails to connect:
* Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641`
* Check VPS firewall for Tailscale traffic.
-----
## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE)
This script is open-source and provided "as is" without warranty. Use at your own risk.

@@ -1,9 +1,10 @@
#!/bin/bash
# Debian and Ubuntu Server Hardening Interactive Script
# Version: 0.70.1 | 2025-10-19
# Version: 0.71 | 2025-10-20
# Changelog:
# - v0.70.1: Fix SSH port validation and improve firewall handling during SSH port transitions.
# - v0.71: Simplify test backup function to work reliably with Hetzner storagebox
# - v0.70.1: Fix SSH port validation and improve firewall handling during SSH port transitions.
# - v0.70: Option to remove cloud VPS provider packages (like cloud-init).
# New operational modes: --cleanup-preview, --cleanup-only, --skip-cleanup.
# Add help and usage instructions with --help flag.
@@ -74,7 +75,7 @@
set -euo pipefail
# --- Update Configuration ---
CURRENT_VERSION="0.70.1"
CURRENT_VERSION="0.71"
SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh"
CHECKSUM_URL="${SCRIPT_URL}.sha256"
@@ -225,7 +226,7 @@ print_header() {
printf '%s\n' "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
printf '%s\n' "${CYAN}║ ║${NC}"
printf '%s\n' "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}"
printf '%s\n' "${CYAN}║ v0.70.1 | 2025-10-18${NC}"
printf '%s\n' "${CYAN}║ v0.71 | 2025-10-20 ${NC}"
printf '%s\n' "${CYAN}║ ║${NC}"
printf '%s\n' "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
printf '\n'
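Review bot: the banner line hard-codes `v0.71 | 2025-10-20`, a third copy of the version next to the header comment and `CURRENT_VERSION="0.71"`; the line it replaces carried `2025-10-18` while the header comment said `2025-10-19`, which is the drift this duplication invites. Consider building the banner from `CURRENT_VERSION` and a single date variable. The new line also ends in padding with no closing `║` before `${NC}`, unlike the rows around it, so the right border will not line up.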
@@ -2986,33 +2987,42 @@ test_backup() {
fi
# Create a temporary directory and file for the test
local TEST_DIR
local TEST_DIR TEST_FILE
TEST_DIR="/root/test_backup_$(date +%Y%m%d_%H%M%S)"
if ! mkdir -p "$TEST_DIR" || ! echo "Test file for backup verification" > "$TEST_DIR/test.txt"; then
TEST_FILE="$TEST_DIR/test_backup_verification_$(date +%s).txt"
if ! mkdir -p "$TEST_DIR" || ! echo "Test file for backup verification - $(date)" > "$TEST_FILE"; then
print_error "Failed to create test directory or file in /root/."
log "Backup test failed: Cannot create test directory/file."
rm -rf "$TEST_DIR" 2>/dev/null
return 0
fi
print_info "Running test backup to $BACKUP_DEST:$REMOTE_BACKUP_PATH..."
local RSYNC_OUTPUT RSYNC_EXIT_CODE TIMEOUT_DURATION=120
print_info "Running test backup of single file to ${BACKUP_DEST}:${REMOTE_BACKUP_PATH}..."
local RSYNC_OUTPUT RSYNC_EXIT_CODE TIMEOUT_DURATION=60
local SSH_KEY="/root/.ssh/id_ed25519"
local SSH_COMMAND="ssh -p $BACKUP_PORT -i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=no"
set +e
RSYNC_OUTPUT=$(timeout "$TIMEOUT_DURATION" rsync -avz --delete -e "$SSH_COMMAND" "$TEST_DIR/" "${BACKUP_DEST}:${REMOTE_BACKUP_PATH}test_backup/" 2>&1)
RSYNC_OUTPUT=$(timeout "$TIMEOUT_DURATION" rsync -avz -e "$SSH_COMMAND" "$TEST_FILE" "${BACKUP_DEST}:${REMOTE_BACKUP_PATH}" 2>&1)
RSYNC_EXIT_CODE=$?
set -e # Re-enable 'exit on error'
set -e
echo "--- Test Backup at $(date) ---" >> "$BACKUP_LOG"
echo "$RSYNC_OUTPUT" >> "$BACKUP_LOG"
{
echo "--- Test Backup at $(date) ---"
echo "Command: rsync -avz -e \"$SSH_COMMAND\" \"$TEST_FILE\" \"${BACKUP_DEST}:${REMOTE_BACKUP_PATH}\""
echo "Output:"
echo "$RSYNC_OUTPUT"
echo "Exit Code: $RSYNC_EXIT_CODE"
} >> "$BACKUP_LOG"
if [[ $RSYNC_EXIT_CODE -eq 0 ]]; then
print_success "Test backup successful! Check $BACKUP_LOG for details."
log "Test backup successful."
print_success "Test backup (single file) successful! Check $BACKUP_LOG for details."
log "Test backup successful (single file)."
ssh -p "$BACKUP_PORT" -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=no "$BACKUP_DEST" "rm -f '${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")'" > /dev/null 2>&1 || true
log "Attempted cleanup of remote test file: ${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")"
else
print_warning "The backup test failed. This is not critical, and the script will continue."
print_warning "The backup test (single file transfer) failed. This is not critical, and the script will continue."
print_info "You can troubleshoot this after the server setup is complete."
if [[ $RSYNC_EXIT_CODE -eq 124 ]]; then
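Review bot: the added remote cleanup call repeats `-o StrictHostKeyChecking=no`, as `SSH_COMMAND` does, so both the rsync and the `rm` run with root's `id_ed25519` against whatever host answers on `$BACKUP_PORT` without checking its host key. Prefer `StrictHostKeyChecking=accept-new`, or add the destination's key to `known_hosts` before the test, and reuse one option list for both calls. The `rm -f '${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")'` string is also expanded locally and re-parsed by the remote shell, so a single quote in the path would end the quoting. Since the test file now goes straight into `${REMOTE_BACKUP_PATH}` and the cleanup's errors are discarded by `> /dev/null 2>&1 || true`, a failed cleanup leaves the file in the real backup location with only an "Attempted cleanup" log line; logging the cleanup's exit status would make that visible.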
@@ -3021,15 +3031,29 @@ test_backup() {
else
print_error "Test backup failed (exit code: $RSYNC_EXIT_CODE). See $BACKUP_LOG for details."
log "Test backup failed with exit code $RSYNC_EXIT_CODE."
# Hints based on common rsync errors
case "$RSYNC_OUTPUT" in
*"Permission denied"*)
print_info "Hint: Check SSH key authentication and permissions on the remote path."
;;
*"Connection timed out"*|*"Connection refused"*|*"Network is unreachable"*)
print_info "Hint: Check network connectivity, firewall rules (local and remote), and the SSH port."
;;
*"No such file or directory"*)
print_info "Hint: Verify the remote path '${REMOTE_BACKUP_PATH}' is correct and accessible."
;;
esac
fi
print_info "Common troubleshooting steps:"
print_info " - Ensure the root SSH key is copied to the destination: ssh-copy-id -p \"$BACKUP_PORT\" -i \"$SSH_KEY.pub\" \"$BACKUP_DEST\""
print_info " - Check firewall rules on both this server and the destination."
print_info " - Ensure the root SSH key is copied: ssh-copy-id -p \"$BACKUP_PORT\" -i \"$SSH_KEY.pub\" \"$BACKUP_DEST\""
print_info " - Manually test SSH connection: ssh -p \"$BACKUP_PORT\" -i \"$SSH_KEY\" \"$BACKUP_DEST\""
print_info " - Check permissions on the remote path: '${REMOTE_BACKUP_PATH}'"
fi
# Clean up the temporary test directory
# Clean up the local temporary test directory and file
rm -rf "$TEST_DIR" 2>/dev/null
print_info "Local test directory cleaned up."
print_success "Backup test completed."
log "Backup test completed."
return 0
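Review bot: the new hint `ssh -p "$BACKUP_PORT" -i "$SSH_KEY" "$BACKUP_DEST"` omits `-o BatchMode=yes`, which the test itself uses, so a user following it can get in through a password prompt and conclude that key authentication works when it does not. Add `-o BatchMode=yes` to the suggested command. Separately, `print_success "Backup test completed."` sits after the closing `fi` and so runs after the failure branch too; a neutral `print_info` would avoid a success-styled line directly under the failure warnings.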

@@ -1 +1 @@
783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8 du_setup.sh
dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6 du_setup.sh