diff --git a/README.md b/README.md index fe7476d..696c9b1 100644 --- a/README.md +++ b/README.md @@ -7,9 +7,9 @@ ----- -**Version:** v0.70.1 +**Version:** v0.71 -**Last Updated:** 2025-10-19 +**Last Updated:** 2025-10-20 **Compatible With:** @@ -20,6 +20,8 @@ This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is **idempotent**, **safe**, and suitable for **production environments**, providing a secure baseline for further customization. The script runs interactively, guiding users through critical choices while automating essential security and setup tasks. +----- + ## Features * **Secure User Management**: Creates a new `sudo` user and disables root SSH access. @@ -40,6 +42,8 @@ This script automates the initial setup and security hardening of a fresh Debian * **Comprehensive Logging**: Logs all actions to `/var/log/du_setup_*.log`. * **Automation-Friendly**: Supports `--quiet` mode for automated provisioning. +----- + ## Installation & Usage ### Prerequisites @@ -83,12 +87,12 @@ sha256sum du_setup.sh Compare the output hash to the one below. They must match exactly. -`783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8` +`dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6` Or echo the hash to check, it should output: `du_setup.sh: OK` ```bash -echo 783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8 du_setup.sh | sha256sum --check +echo dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6 du_setup.sh | sha256sum --check ``` ### 3. Run the Script @@ -117,6 +121,8 @@ sudo -E ./du_setup.sh --quiet > > Ensure your VPS provider’s firewall allows the custom SSH port, backup server’s SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections). +----- + ## What It Does | Task | Description | 
@@ -140,7 +146,9 @@ sudo -E ./du_setup.sh --quiet | **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. | | **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. | -## Provider Package Cleanup (Since v0.70) +----- + +## Provider Package Cleanup Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security. @@ -162,6 +170,8 @@ Cleanup is optional but recommended for commercial VPS environments to reduce at * Default provisioning users (ubuntu, debian, admin, cloud-user) * Unexpected SSH keys in `/root/.ssh/authorized_keys` +----- + ## Post-Reboot Verification After rebooting, verify the setup: @@ -192,6 +202,8 @@ After rebooting, verify the setup: * Check results: `sudo less /var/log/setup_harden_security_audit_*.log` * Review Lynis hardening index and debsecan vulnerabilities in the script’s summary output +----- + ## Tested On * Debian 12, 13 @@ -200,6 +212,8 @@ After rebooting, verify the setup: * Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers * Tailscale: Standard network, custom self-hosted servers +----- + ## Important Notes * **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space. @@ -210,6 +224,8 @@ After rebooting, verify the setup: * For Tailscale, generate a pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic. * For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations. +----- + ## Troubleshooting ### SSH Lockout Recovery 
@@ -302,6 +318,8 @@ If Tailscale fails to connect: * Ensure UDP 41641 is open: `nc -zvu 41641` * Check VPS firewall for Tailscale traffic. +----- + ## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE) This script is open-source and provided "as is" without warranty. Use at your own risk. diff --git a/du_setup.sh b/du_setup.sh index 5062010..de97834 100644 --- a/du_setup.sh +++ b/du_setup.sh @@ -1,9 +1,10 @@ #!/bin/bash # Debian and Ubuntu Server Hardening Interactive Script -# Version: 0.70.1 | 2025-10-19 +# Version: 0.71 | 2025-10-20 # Changelog: -# - v0.70.1: Fix SSH port validation and improve firewall handling during SSH port transitions. +# - v0.71: Simplify test backup function to work reliably with Hetzner storagebox +# - v0.70.1: Fix SSH port validation and improve firewall handling during SSH port transitions. # - v0.70: Option to remove cloud VPS provider packages (like cloud-init). # New operational modes: --cleanup-preview, --cleanup-only, --skip-cleanup. # Add help and usage instructions with --help flag. @@ -74,7 +75,7 @@ set -euo pipefail # --- Update Configuration --- -CURRENT_VERSION="0.70.1" +CURRENT_VERSION="0.71" SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh" CHECKSUM_URL="${SCRIPT_URL}.sha256" @@ -225,7 +226,7 @@ print_header() { printf '%s\n' "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" printf '%s\n' "${CYAN}║ ║${NC}" printf '%s\n' "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - printf '%s\n' "${CYAN}║ v0.70.1 | 2025-10-18 ║${NC}" + printf '%s\n' "${CYAN}║ v0.71 | 2025-10-20 ║${NC}" printf '%s\n' "${CYAN}║ ║${NC}" printf '%s\n' "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" printf '\n' 
@@ -2986,33 +2987,42 @@ test_backup() { fi # Create a temporary directory and file for the test - local TEST_DIR + local TEST_DIR TEST_FILE TEST_DIR="/root/test_backup_$(date +%Y%m%d_%H%M%S)" - if ! mkdir -p "$TEST_DIR" || ! echo "Test file for backup verification" > "$TEST_DIR/test.txt"; then + TEST_FILE="$TEST_DIR/test_backup_verification_$(date +%s).txt" + if ! mkdir -p "$TEST_DIR" || ! echo "Test file for backup verification - $(date)" > "$TEST_FILE"; then print_error "Failed to create test directory or file in /root/." log "Backup test failed: Cannot create test directory/file." rm -rf "$TEST_DIR" 2>/dev/null return 0 fi - print_info "Running test backup to $BACKUP_DEST:$REMOTE_BACKUP_PATH..." - local RSYNC_OUTPUT RSYNC_EXIT_CODE TIMEOUT_DURATION=120 + print_info "Running test backup of single file to ${BACKUP_DEST}:${REMOTE_BACKUP_PATH}..." + local RSYNC_OUTPUT RSYNC_EXIT_CODE TIMEOUT_DURATION=60 local SSH_KEY="/root/.ssh/id_ed25519" local SSH_COMMAND="ssh -p $BACKUP_PORT -i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=no" set +e - RSYNC_OUTPUT=$(timeout "$TIMEOUT_DURATION" rsync -avz --delete -e "$SSH_COMMAND" "$TEST_DIR/" "${BACKUP_DEST}:${REMOTE_BACKUP_PATH}test_backup/" 2>&1) + RSYNC_OUTPUT=$(timeout "$TIMEOUT_DURATION" rsync -avz -e "$SSH_COMMAND" "$TEST_FILE" "${BACKUP_DEST}:${REMOTE_BACKUP_PATH}" 2>&1) RSYNC_EXIT_CODE=$? - set -e # Re-enable 'exit on error' + set -e - echo "--- Test Backup at $(date) ---" >> "$BACKUP_LOG" - echo "$RSYNC_OUTPUT" >> "$BACKUP_LOG" + { + echo "--- Test Backup at $(date) ---" + echo "Command: rsync -avz -e \"$SSH_COMMAND\" \"$TEST_FILE\" \"${BACKUP_DEST}:${REMOTE_BACKUP_PATH}\"" + echo "Output:" + echo "$RSYNC_OUTPUT" + echo "Exit Code: $RSYNC_EXIT_CODE" + } >> "$BACKUP_LOG" if [[ $RSYNC_EXIT_CODE -eq 0 ]]; then - print_success "Test backup successful! Check $BACKUP_LOG for details." - log "Test backup successful." + print_success "Test backup (single file) successful! Check $BACKUP_LOG for details." 
+ log "Test backup successful (single file)." + ssh -p "$BACKUP_PORT" -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=no "$BACKUP_DEST" "rm -f '${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")'" > /dev/null 2>&1 || true + log "Attempted cleanup of remote test file: ${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")" + else - print_warning "The backup test failed. This is not critical, and the script will continue." + print_warning "The backup test (single file transfer) failed. This is not critical, and the script will continue." print_info "You can troubleshoot this after the server setup is complete." if [[ $RSYNC_EXIT_CODE -eq 124 ]]; then 
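Review bot: The new remote-cleanup line logs `Attempted cleanup of remote test file` whatever happens, because `> /dev/null 2>&1 || true` throws away the ssh exit status; on a destination that only exposes a restricted rsync/sftp environment — which I believe is the case for a Hetzner Storage Box, the target this hunk is written for — the `rm -f` would fail and the test file would be left behind with nothing in the log to show it. The rsync call and this new ssh call also both pass `-o StrictHostKeyChecking=no`, so root's key is offered to whatever host answers on `$BACKUP_PORT`; `-o StrictHostKeyChecking=accept-new` keeps the run non-interactive but pins the key after first contact and refuses a changed one afterwards. I would branch on the ssh result and log each outcome explicitly, as below. test_backup() begins and ends outside this hunk.
```shell
# … unchanged: print_success / log on rsync success …
if ssh -p "$BACKUP_PORT" -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=accept-new \
    "$BACKUP_DEST" "rm -f '${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")'" > /dev/null 2>&1; then
    log "Removed remote test file: ${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")"
else
    log "Could not remove remote test file ${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE") (restricted shell?); remove it manually."
fi
```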
@@ -3021,15 +3031,29 @@ test_backup() { else print_error "Test backup failed (exit code: $RSYNC_EXIT_CODE). See $BACKUP_LOG for details." log "Test backup failed with exit code $RSYNC_EXIT_CODE." + # Hints based on common rsync errors + case "$RSYNC_OUTPUT" in + *"Permission denied"*) + print_info "Hint: Check SSH key authentication and permissions on the remote path." + ;; + *"Connection timed out"*|*"Connection refused"*|*"Network is unreachable"*) + print_info "Hint: Check network connectivity, firewall rules (local and remote), and the SSH port." + ;; + *"No such file or directory"*) + print_info "Hint: Verify the remote path '${REMOTE_BACKUP_PATH}' is correct and accessible." + ;; + esac fi print_info "Common troubleshooting steps:" - print_info " - Ensure the root SSH key is copied to the destination: ssh-copy-id -p \"$BACKUP_PORT\" -i \"$SSH_KEY.pub\" \"$BACKUP_DEST\"" - print_info " - Check firewall rules on both this server and the destination." + print_info " - Ensure the root SSH key is copied: ssh-copy-id -p \"$BACKUP_PORT\" -i \"$SSH_KEY.pub\" \"$BACKUP_DEST\"" + print_info " - Manually test SSH connection: ssh -p \"$BACKUP_PORT\" -i \"$SSH_KEY\" \"$BACKUP_DEST\"" + print_info " - Check permissions on the remote path: '${REMOTE_BACKUP_PATH}'" fi - # Clean up the temporary test directory + # Clean up the local temporary test directory and file rm -rf "$TEST_DIR" 2>/dev/null + print_info "Local test directory cleaned up." print_success "Backup test completed." log "Backup test completed." return 0 diff --git a/du_setup.sh.sha256 b/du_setup.sh.sha256 index 1d13c6e..b446a55 100644 --- a/du_setup.sh.sha256 +++ b/du_setup.sh.sha256 @@ -1 +1 @@ -783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8 du_setup.sh +dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6 du_setup.sh
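Review bot: The added `print_info "Local test directory cleaned up."` is printed unconditionally after `rm -rf "$TEST_DIR" 2>/dev/null`, so a failed removal is both hidden by the redirect and reported as success. Since `TEST_DIR` is a fixed path under /root, I would also guard the recursive delete and report on the real result: `if rm -rf -- "${TEST_DIR:?}"; then print_info "Local test directory cleaned up."; else print_warning "Could not remove $TEST_DIR; remove it manually."; fi`. The new `case` on `$RSYNC_OUTPUT` is a reasonable first-match heuristic, though a `Host key verification failed` arm would become relevant if the ssh options were ever tightened from `StrictHostKeyChecking=no`. test_backup() begins outside this hunk.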