Merge pull request #68 from buildplan/revise_test_backup

Revise test backup
This commit is contained in:
buildplan
2025-10-20 09:54:23 +01:00
committed by GitHub
3 changed files with 66 additions and 24 deletions


@@ -7,9 +7,9 @@
----- -----
**Version:** v0.70.1 **Version:** v0.71
**Last Updated:** 2025-10-19 **Last Updated:** 2025-10-20
**Compatible With:** **Compatible With:**
@@ -20,6 +20,8 @@
This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is **idempotent**, **safe**, and suitable for **production environments**, providing a secure baseline for further customization. The script runs interactively, guiding users through critical choices while automating essential security and setup tasks. This script automates the initial setup and security hardening of a fresh Debian or Ubuntu server. It is **idempotent**, **safe**, and suitable for **production environments**, providing a secure baseline for further customization. The script runs interactively, guiding users through critical choices while automating essential security and setup tasks.
-----
## Features ## Features
* **Secure User Management**: Creates a new `sudo` user and disables root SSH access. * **Secure User Management**: Creates a new `sudo` user and disables root SSH access.
@@ -40,6 +42,8 @@ This script automates the initial setup and security hardening of a fresh Debian
* **Comprehensive Logging**: Logs all actions to `/var/log/du_setup_*.log`. * **Comprehensive Logging**: Logs all actions to `/var/log/du_setup_*.log`.
* **Automation-Friendly**: Supports `--quiet` mode for automated provisioning. * **Automation-Friendly**: Supports `--quiet` mode for automated provisioning.
-----
## Installation & Usage ## Installation & Usage
### Prerequisites ### Prerequisites
@@ -83,12 +87,12 @@ sha256sum du_setup.sh
Compare the output hash to the one below. They must match exactly. Compare the output hash to the one below. They must match exactly.
`783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8` `dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6`
Or echo the hash to check, it should output: `du_setup.sh: OK` Or echo the hash to check, it should output: `du_setup.sh: OK`
```bash ```bash
echo 783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8 du_setup.sh | sha256sum --check echo dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6 du_setup.sh | sha256sum --check
``` ```
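Review bot: the digest is now hand-maintained in three places that must all be bumped on every script change (the inline literal on the line above, the `echo … | sha256sum --check` one-liner, and `du_setup.sh.sha256`, which the script itself fetches via `CHECKSUM_URL`); that is easy to let drift on the next release. Consider having this README step verify against the downloaded `.sha256` file rather than an inline literal, or generating these two README lines from that file in the release step, so there is a single source of truth for the checksum.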
### 3. Run the Script ### 3. Run the Script
@@ -117,6 +121,8 @@ sudo -E ./du_setup.sh --quiet
> >
> Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections). > Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections).
-----
## What It Does ## What It Does
| Task | Description | | Task | Description |
@@ -140,7 +146,9 @@ sudo -E ./du_setup.sh --quiet
| **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. | | **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. |
| **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. | | **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. |
## Provider Package Cleanup (Since v0.70) -----
## Provider Package Cleanup
Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security. Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security.
@@ -162,6 +170,8 @@ Cleanup is optional but recommended for commercial VPS environments to reduce at
* Default provisioning users (ubuntu, debian, admin, cloud-user) * Default provisioning users (ubuntu, debian, admin, cloud-user)
* Unexpected SSH keys in `/root/.ssh/authorized_keys` * Unexpected SSH keys in `/root/.ssh/authorized_keys`
-----
## Post-Reboot Verification ## Post-Reboot Verification
After rebooting, verify the setup: After rebooting, verify the setup:
@@ -192,6 +202,8 @@ After rebooting, verify the setup:
* Check results: `sudo less /var/log/setup_harden_security_audit_*.log` * Check results: `sudo less /var/log/setup_harden_security_audit_*.log`
* Review Lynis hardening index and debsecan vulnerabilities in the scripts summary output * Review Lynis hardening index and debsecan vulnerabilities in the scripts summary output
-----
## Tested On ## Tested On
* Debian 12, 13 * Debian 12, 13
@@ -200,6 +212,8 @@ After rebooting, verify the setup:
* Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers * Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers
* Tailscale: Standard network, custom self-hosted servers * Tailscale: Standard network, custom self-hosted servers
-----
## Important Notes ## Important Notes
* **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space. * **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space.
@@ -210,6 +224,8 @@ After rebooting, verify the setup:
* For Tailscale, generate a pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic. * For Tailscale, generate a pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic.
* For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations. * For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations.
-----
## Troubleshooting ## Troubleshooting
### SSH Lockout Recovery ### SSH Lockout Recovery
@@ -302,6 +318,8 @@ If Tailscale fails to connect:
* Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641` * Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641`
* Check VPS firewall for Tailscale traffic. * Check VPS firewall for Tailscale traffic.
-----
## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE) ## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE)
This script is open-source and provided "as is" without warranty. Use at your own risk. This script is open-source and provided "as is" without warranty. Use at your own risk.


@@ -1,9 +1,10 @@
#!/bin/bash #!/bin/bash
# Debian and Ubuntu Server Hardening Interactive Script # Debian and Ubuntu Server Hardening Interactive Script
# Version: 0.70.1 | 2025-10-19 # Version: 0.71 | 2025-10-20
# Changelog: # Changelog:
# - v0.70.1: Fix SSH port validation and improve firewall handling during SSH port transitions. # - v0.71: Simplify test backup function to work reliably with Hetzner storagebox
# - v0.70.1: Fix SSH port validation and improve firewall handling during SSH port transitions.
# - v0.70: Option to remove cloud VPS provider packages (like cloud-init). # - v0.70: Option to remove cloud VPS provider packages (like cloud-init).
# New operational modes: --cleanup-preview, --cleanup-only, --skip-cleanup. # New operational modes: --cleanup-preview, --cleanup-only, --skip-cleanup.
# Add help and usage instructions with --help flag. # Add help and usage instructions with --help flag.
@@ -74,7 +75,7 @@
set -euo pipefail set -euo pipefail
# --- Update Configuration --- # --- Update Configuration ---
CURRENT_VERSION="0.70.1" CURRENT_VERSION="0.71"
SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh" SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh"
CHECKSUM_URL="${SCRIPT_URL}.sha256" CHECKSUM_URL="${SCRIPT_URL}.sha256"
@@ -225,7 +226,7 @@ print_header() {
printf '%s\n' "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" printf '%s\n' "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
printf '%s\n' "${CYAN}║ ║${NC}" printf '%s\n' "${CYAN}║ ║${NC}"
printf '%s\n' "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" printf '%s\n' "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}"
printf '%s\n' "${CYAN}║ v0.70.1 | 2025-10-18${NC}" printf '%s\n' "${CYAN}║ v0.71 | 2025-10-20 ${NC}"
printf '%s\n' "${CYAN}║ ║${NC}" printf '%s\n' "${CYAN}║ ║${NC}"
printf '%s\n' "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" printf '%s\n' "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
printf '\n' printf '\n'
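Review bot: the version and date are duplicated in four hand-edited places (the header comment, `CURRENT_VERSION`, the banner in `print_header`, and the README), and the banner was already out of step before this change (`v0.70.1 | 2025-10-18` in the banner against `0.70.1 | 2025-10-19` in the header comment). Printing `${CURRENT_VERSION}` in the banner would remove one copy and make the value used by the self-update comparison and the value shown to the user agree by construction.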
@@ -2986,33 +2987,42 @@ test_backup() {
fi fi
# Create a temporary directory and file for the test # Create a temporary directory and file for the test
local TEST_DIR local TEST_DIR TEST_FILE
TEST_DIR="/root/test_backup_$(date +%Y%m%d_%H%M%S)" TEST_DIR="/root/test_backup_$(date +%Y%m%d_%H%M%S)"
if ! mkdir -p "$TEST_DIR" || ! echo "Test file for backup verification" > "$TEST_DIR/test.txt"; then TEST_FILE="$TEST_DIR/test_backup_verification_$(date +%s).txt"
if ! mkdir -p "$TEST_DIR" || ! echo "Test file for backup verification - $(date)" > "$TEST_FILE"; then
print_error "Failed to create test directory or file in /root/." print_error "Failed to create test directory or file in /root/."
log "Backup test failed: Cannot create test directory/file." log "Backup test failed: Cannot create test directory/file."
rm -rf "$TEST_DIR" 2>/dev/null rm -rf "$TEST_DIR" 2>/dev/null
return 0 return 0
fi fi
print_info "Running test backup to $BACKUP_DEST:$REMOTE_BACKUP_PATH..." print_info "Running test backup of single file to ${BACKUP_DEST}:${REMOTE_BACKUP_PATH}..."
local RSYNC_OUTPUT RSYNC_EXIT_CODE TIMEOUT_DURATION=120 local RSYNC_OUTPUT RSYNC_EXIT_CODE TIMEOUT_DURATION=60
local SSH_KEY="/root/.ssh/id_ed25519" local SSH_KEY="/root/.ssh/id_ed25519"
local SSH_COMMAND="ssh -p $BACKUP_PORT -i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=no" local SSH_COMMAND="ssh -p $BACKUP_PORT -i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=no"
set +e set +e
RSYNC_OUTPUT=$(timeout "$TIMEOUT_DURATION" rsync -avz --delete -e "$SSH_COMMAND" "$TEST_DIR/" "${BACKUP_DEST}:${REMOTE_BACKUP_PATH}test_backup/" 2>&1) RSYNC_OUTPUT=$(timeout "$TIMEOUT_DURATION" rsync -avz -e "$SSH_COMMAND" "$TEST_FILE" "${BACKUP_DEST}:${REMOTE_BACKUP_PATH}" 2>&1)
RSYNC_EXIT_CODE=$? RSYNC_EXIT_CODE=$?
set -e # Re-enable 'exit on error' set -e
echo "--- Test Backup at $(date) ---" >> "$BACKUP_LOG" {
echo "$RSYNC_OUTPUT" >> "$BACKUP_LOG" echo "--- Test Backup at $(date) ---"
echo "Command: rsync -avz -e \"$SSH_COMMAND\" \"$TEST_FILE\" \"${BACKUP_DEST}:${REMOTE_BACKUP_PATH}\""
echo "Output:"
echo "$RSYNC_OUTPUT"
echo "Exit Code: $RSYNC_EXIT_CODE"
} >> "$BACKUP_LOG"
if [[ $RSYNC_EXIT_CODE -eq 0 ]]; then if [[ $RSYNC_EXIT_CODE -eq 0 ]]; then
print_success "Test backup successful! Check $BACKUP_LOG for details." print_success "Test backup (single file) successful! Check $BACKUP_LOG for details."
log "Test backup successful." log "Test backup successful (single file)."
ssh -p "$BACKUP_PORT" -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=no "$BACKUP_DEST" "rm -f '${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")'" > /dev/null 2>&1 || true
log "Attempted cleanup of remote test file: ${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")"
else else
print_warning "The backup test failed. This is not critical, and the script will continue." print_warning "The backup test (single file transfer) failed. This is not critical, and the script will continue."
print_info "You can troubleshoot this after the server setup is complete." print_info "You can troubleshoot this after the server setup is complete."
if [[ $RSYNC_EXIT_CODE -eq 124 ]]; then if [[ $RSYNC_EXIT_CODE -eq 124 ]]; then
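Review bot: `-o StrictHostKeyChecking=no` in `SSH_COMMAND`, and again in the remote cleanup `ssh` call, means the test transfer accepts whatever host key answers on `$BACKUP_PORT`, including a changed key, so a DNS or on-path attacker who answers for the destination receives the data; prefer `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) or pre-seed `/root/.ssh/known_hosts` with the destination's key before the test runs. Two smaller points in the same hunk: the target is now `${BACKUP_DEST}:${REMOTE_BACKUP_PATH}` and the cleanup builds `${REMOTE_BACKUP_PATH}$(basename "$TEST_FILE")` by plain concatenation, so unless `REMOTE_BACKUP_PATH` is normalised to end in `/` elsewhere, a value without the trailing slash makes rsync write the test file as that path and leaves the `rm -f` pointing at a name that does not exist; and the remote `rm -f '…'` interpolates the path into a single-quoted remote shell string, which breaks if the path itself contains a `'`.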
@@ -3021,15 +3031,29 @@ test_backup() {
else else
print_error "Test backup failed (exit code: $RSYNC_EXIT_CODE). See $BACKUP_LOG for details." print_error "Test backup failed (exit code: $RSYNC_EXIT_CODE). See $BACKUP_LOG for details."
log "Test backup failed with exit code $RSYNC_EXIT_CODE." log "Test backup failed with exit code $RSYNC_EXIT_CODE."
# Hints based on common rsync errors
case "$RSYNC_OUTPUT" in
*"Permission denied"*)
print_info "Hint: Check SSH key authentication and permissions on the remote path."
;;
*"Connection timed out"*|*"Connection refused"*|*"Network is unreachable"*)
print_info "Hint: Check network connectivity, firewall rules (local and remote), and the SSH port."
;;
*"No such file or directory"*)
print_info "Hint: Verify the remote path '${REMOTE_BACKUP_PATH}' is correct and accessible."
;;
esac
fi fi
print_info "Common troubleshooting steps:" print_info "Common troubleshooting steps:"
print_info " - Ensure the root SSH key is copied to the destination: ssh-copy-id -p \"$BACKUP_PORT\" -i \"$SSH_KEY.pub\" \"$BACKUP_DEST\"" print_info " - Ensure the root SSH key is copied: ssh-copy-id -p \"$BACKUP_PORT\" -i \"$SSH_KEY.pub\" \"$BACKUP_DEST\""
print_info " - Check firewall rules on both this server and the destination." print_info " - Manually test SSH connection: ssh -p \"$BACKUP_PORT\" -i \"$SSH_KEY\" \"$BACKUP_DEST\""
print_info " - Check permissions on the remote path: '${REMOTE_BACKUP_PATH}'"
fi fi
# Clean up the temporary test directory # Clean up the local temporary test directory and file
rm -rf "$TEST_DIR" 2>/dev/null rm -rf "$TEST_DIR" 2>/dev/null
print_info "Local test directory cleaned up."
print_success "Backup test completed." print_success "Backup test completed."
log "Backup test completed." log "Backup test completed."
return 0 return 0
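Review bot: `print_info "Local test directory cleaned up."` is printed unconditionally while the preceding `rm -rf "$TEST_DIR" 2>/dev/null` discards its error, so a failed cleanup is reported as success; `if rm -rf "$TEST_DIR" 2>/dev/null; then print_info …; else print_warning …; fi` keeps the message honest. Also, the manual-test hint `ssh -p "$BACKUP_PORT" -i "$SSH_KEY" "$BACKUP_DEST"` lacks `-o BatchMode=yes`, so a user could "succeed" through a password prompt without proving the non-interactive key authentication that the rsync command actually relies on; adding the option makes the manual check exercise the same path.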


@@ -1 +1 @@
783ca8fe4dcac69a75099d71d7c403f7f7477fbd94d84ebfae63bbaf1be4fca8 du_setup.sh dfc27413d157a29510f2f516cf594a9940942ec8622d292d94a3936b4490a2a6 du_setup.sh
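Review bot: this file is what `CHECKSUM_URL` (`${SCRIPT_URL}.sha256`) serves and what the README asks users to compare against, and it is updated in the same commit, on the same branch, as the script it describes; a match therefore proves the download was not corrupted or truncated, not that the script is the maintainer's, since anyone able to alter `du_setup.sh` on the branch can alter this line too. The README's "They must match exactly" could say so, and a detached signature over the script (for example a minisign or signify signature verified against a key published out of band) would give both the README step and the self-update path a real authenticity check.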