Merge pull request #56 from buildplan/options

Add optional provider cleanup with environment detection
buildplan
2025-10-17 23:22:54 +01:00
committed by GitHub
3 changed files with 1293 additions and 288 deletions

107
README.md

@@ -3,13 +3,13 @@
[![Debian Compatibility](https://img.shields.io/badge/CompatibilityDebian%2012%7C13-%23A81D33?style=flat&labelColor=555&logo=debian&logoColor=white)](https://www.debian.org/releases/) [![Debian Compatibility](https://img.shields.io/badge/CompatibilityDebian%2012%7C13-%23A81D33?style=flat&labelColor=555&logo=debian&logoColor=white)](https://www.debian.org/releases/)
[![Ubuntu Compatibility](https://img.shields.io/badge/CompatibilityUbuntu%2022.04%7C24.04-%23E95420?style=flat&labelColor=555&logo=ubuntu&logoColor=white)](https://ubuntu.com/download/server) [![Ubuntu Compatibility](https://img.shields.io/badge/CompatibilityUbuntu%2022.04%7C24.04-%23E95420?style=flat&labelColor=555&logo=ubuntu&logoColor=white)](https://ubuntu.com/download/server)
[![Shell Script Linter](https://github.com/buildplan/du_setup/actions/workflows/lint.yml/badge.svg)](https://github.com/buildplan/du_setup/actions/workflows/lint.yml) [![Shell Script Linter](https://github.com/buildplan/du_setup/actions/workflows/lint.yml/badge.svg)](https://github.com/buildplan/du_setup/actions/workflows/lint.yml)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Codacy Security Scan](https://github.com/buildplan/du_setup/actions/workflows/codacy.yml/badge.svg?branch=main)](https://github.com/buildplan/du_setup/actions/workflows/codacy.yml)
[![Shell](https://img.shields.io/badge/Shell-Bash%204.4%2B-green)](https://www.gnu.org/software/bash/)
[![Type](https://img.shields.io/badge/Type-Setup%20%26%20Hardening-blue)](https://github.com/buildplan/du_setup)
**Version:** v0.69 -----
**Last Updated:** 2025-10-13 **Version:** v0.70
**Last Updated:** 2025-10-18
**Compatible With:** **Compatible With:**
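Review bot: The `**Last Updated:**` date is bumped to 2025-10-18 while this merge is timestamped 2025-10-17 23:22 +01:00; use the actual release date so the README and the commit history agree. The `-----` inserted before the new `**Version:** v0.70` line needs a blank line above it: if it sits directly under the last badge line, markdown treats it as a setext heading underline and turns that badge line into an h2 instead of rendering a horizontal rule.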
@@ -51,22 +51,22 @@ This script automates the initial setup and security hardening of a fresh Debian
* For remote backups: An SSH-accessible server (e.g., Hetzner Storage Box) with credentials or SSH key access. For Hetzner, SSH (port 23) is used for rsync. * For remote backups: An SSH-accessible server (e.g., Hetzner Storage Box) with credentials or SSH key access. For Hetzner, SSH (port 23) is used for rsync.
* For Tailscale: A pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, starts with `tskey-auth-`) or from a custom server (e.g., `https://ts.mydomain.cloud`). * For Tailscale: A pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, starts with `tskey-auth-`) or from a custom server (e.g., `https://ts.mydomain.cloud`).
### 1\. Download & Prepare Script ### 1. Download & Prepare Script
``` ```bash
wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh
chmod +x du_setup.sh chmod +x du_setup.sh
``` ```
### 2\. Verify Script Integrity (Recommended) ### 2. Verify Script Integrity (Recommended)
To ensure the script has not been altered, you can verify its SHA256 checksum. To ensure the script has not been altered, you can verify its SHA256 checksum.
**Option A: Automatic Check** #### Option A: Automatic Check
This command downloads the official checksum file and automatically compares it against your downloaded script. This command downloads the official checksum file and automatically compares it against your downloaded script.
``` ```bash
# Download the official checksum file # Download the official checksum file
wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh.sha256 wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh.sha256
@@ -74,45 +74,46 @@ wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_set
sha256sum -c du_setup.sh.sha256 sha256sum -c du_setup.sh.sha256
``` ```
**Option B: Manual Check** #### Option B: Manual Check
``` ```bash
# Generate the hash of your downloaded script # Generate the hash of your downloaded script
sha256sum du_setup.sh sha256sum du_setup.sh
``` ```
Compare the output hash to the one below. They must match exactly. Compare the output hash to the one below. They must match exactly.
`8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d` `aa9a576fa8c8390d2068088932bb97d4c5f84a1bea203cadb21b09a1303669ff`
Or echo the hash to check, it should output: `du_setup.sh: OK` Or echo the hash to check, it should output: `du_setup.sh: OK`
``` ```bash
echo 8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d du_setup.sh | sha256sum --check - echo aa9a576fa8c8390d2068088932bb97d4c5f84a1bea203cadb21b09a1303669ff du_setup.sh | sha256sum --check
``` ```
### 3\. Run the Script ### 3. Run the Script
**Interactively (Recommended)** #### Interactively (Recommended)
Ideally run as root, if you are a sudo user you can switch to root with `sudo su` Ideally run as root, if you are a sudo user you can switch to root with `sudo su`
``` ```bash
./du_setup ./du_setup
``` ```
Alternatively run with sudo -E, -E flag preserve the environment variables. Alternatively run with sudo -E, -E flag preserve the environment variables.
``` ```bash
sudo -E ./du_setup.sh sudo -E ./du_setup.sh
``` ```
**Quiet Mode (For Automation)** #### Quiet Mode (For Automation)
``` ```bash
sudo -E ./du_setup.sh --quiet sudo -E ./du_setup.sh --quiet
``` ```
> **Warning**: The script pauses to verify SSH access on the new port before disabling old access methods. **Test the new SSH connection from a separate terminal before proceeding\!** > **Warning**: The script pauses to verify SSH access on the new port before disabling old access methods. **Test the new SSH connection from a separate terminal before proceeding!**
> >
> Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections). > Ensure your VPS providers firewall allows the custom SSH port, backup servers SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections).
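Review bot: `./du_setup` in the "Interactively (Recommended)" step will fail with "No such file or directory", since step 1 downloads `du_setup.sh`; it should read `./du_setup.sh`, as the `sudo -E ./du_setup.sh` line below it already does. The manual verification command now ends in `sha256sum --check` without the trailing `-`; that still reads the checksum line from stdin, so it works, but keep the two forms consistent between hunks. Worth stating in the text: the `.sha256` file is fetched from the same `refs/heads/main` path as the script, so a match proves only that the download was not corrupted or truncated, not that the repository itself is untampered. Minor wording: `sudo -i` is the usual way to get a root login shell rather than `sudo su`, and "providers firewall" / "backup servers SSH port" should be "provider's" / "backup server's".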
@@ -120,31 +121,46 @@ sudo -E ./du_setup.sh --quiet
| Task | Description | | Task | Description |
| :--- | :--- | | :--- | :--- |
| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity. | | **Provider Package Cleanup** | Detects and optionally removes cloud provider packages, monitoring agents, and default provisioning users to reduce attack surface and unnecessary services. |
| **Package Management** | Updates packages and installs essential tools (`ufw`, `fail2ban`, `chrony`, `rsync`, etc.). | | **System Compatibility Checks** | Verifies OS compatibility, root privileges, and internet connectivity. |
| **Admin User Creation**| Creates a `sudo` user with a password and/or SSH public key. | | **Package Management** | Verifies root privileges, OS version compatibility, and internet connectivity. Prevents running on unsupported environments. |
| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port with a robust rollback mechanism. | | **Setup User Creation & Management**| Creates or uses an existing admin user with optional SSH key setup and strong password enforcement. Includes marker file for cleanup exclusion. |
| **SSH Hardening and Rollback** | Disables root login, configures key-based authentication, sets custom SSH port, and supports rollback of SSH configuration if connectivity fails. |
| **Firewall Setup** | Configures UFW to deny incoming traffic by default, allowing specific user-defined ports. | | **Firewall Setup** | Configures UFW to deny incoming traffic by default, allowing specific user-defined ports. |
| **Fail2Ban Setup** | Configures Fail2Ban to monitor SSH and UFW logs, blocking suspicious IPs. | | **Fail2Ban Setup** | Configures Fail2Ban to monitor SSH and UFW logs, blocking suspicious IPs. |
| **Auto-Updates Setup** | Enables and configures `unattended-upgrades` for automatic security patches. | | **Auto-Updates Setup** | Enables and configures `unattended-upgrades` for automatic security patches. |
| **Time Sync Setup** | Ensures `chrony` is active for accurate network time synchronization. | | **Time Sync Setup** | Ensures `chrony` is active for accurate network time synchronization. |
| **Kernel Hardening** | Applies optional `sysctl` security settings to protect against IP spoofing and SYN floods. | | **Kernel and Sysctl Hardening** | Optional improvements to kernel parameters to mitigate common network attacks and improve system hardening. |
| **Docker Install** | Installs Docker Engine and Docker Compose, then adds the admin user to the `docker` group. | | **Docker Install** | Installs Docker Engine and Docker Compose, then adds the admin user to the `docker` group. |
| **Tailscale Setup** | Installs Tailscale and connects to a mesh network using a pre-auth key, with optional advanced flags. | | **Tailscale Setup** | Installs Tailscale and connects to a mesh network using a pre-auth key, with optional advanced flags. |
| **Remote Backup Setup**| Configures `rsync` backups to an SSH server, creating `/root/run_backup.sh` and a cron job. | | **Automated Remote Backup**| Sets up cron-driven `rsync` backup script to remote SSH servers, integrates with notifications and performs backup verification. |
| **Backup Testing** | Performs an optional test backup to verify the `rsync` configuration. |
| **Swap File Setup** | Creates an optional swap file with tuned `swappiness` and `vfs_cache_pressure` settings. | | **Swap File Setup** | Creates an optional swap file with tuned `swappiness` and `vfs_cache_pressure` settings. |
| **Security Auditing** | Runs optional **Lynis** and **debsecan** audits and logs the results. | | **Security Auditing** | Runs optional **Lynis** and **debsecan** vulnerability audits and logs the results for review. |
| **System Backups** | Saves timestamped backups of modified configuration files in `/root/setup_harden_backup_*`. | | **Logging and Reporting** | Logs all actions and generates a detailed report of setup and cleanup in `/var/log` and backup directories. Saves timestamped backups of modified configuration files in `/root/setup_harden_backup_*`. |
| **Cleanup & Maintenance** | Performs `autoremove` and `autoclean` of unused packages and services after setup or cleanup phases. |
| **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. | | **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. |
| **Final Cleanup** | Removes unused packages and reloads system daemons. |
## Logs & Backups ## Provider Package Cleanup (Since v0.70)
* **Log Files**: `/var/log/du_setup_*.log` Detects and optionally removes provider-installed packages, monitoring agents, and default provisioning users to enhance server security.
* **Backup Logs**: `/var/log/backup_rsync.log` (for remote backup operations)
* **Audit Logs**: `/var/log/setup_harden_security_audit_*.log` (for Lynis and debsecan results) Cleanup is optional but recommended for commercial VPS environments to reduce attack surface. Review preview outputs carefully before applying cleanup.
* **Configuration Backups**: `/root/setup_harden_backup_*`
### Usage
* **Preview cleanup actions:** `sudo ./du_setup.sh --cleanup-preview`
Shows what would be removed without making changes.
* **Run cleanup only:** `sudo ./du_setup.sh --cleanup-only`
Executes provider cleanup on existing servers without full setup.
* **Skip cleanup:** `sudo ./du_setup.sh --skip-cleanup`
Runs full setup but skips the cleanup phase.
### What it detects
* Common cloud provider monitoring agents (e.g., DigitalOcean, Hetzner, Vultr)
* Virtualization guest tools (qemu-guest-agent, cloud-init)
* Default provisioning users (ubuntu, debian, admin, cloud-user)
* Unexpected SSH keys in `/root/.ssh/authorized_keys`
## Post-Reboot Verification ## Post-Reboot Verification
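Review bot: The new `**Package Management**` row reads "Verifies root privileges, OS version compatibility, and internet connectivity. Prevents running on unsupported environments.", which duplicates the `**System Compatibility Checks**` row directly above it and drops the row's real description (updating packages and installing `ufw`, `fail2ban`, `chrony`, `rsync`); restore the old text. The old `## Logs & Backups` list is replaced wholesale by the new cleanup section, so the paths `/var/log/du_setup_*.log` and `/var/log/setup_harden_security_audit_*.log` no longer appear anywhere in the README even though the troubleshooting section still points readers at `/var/log/backup_rsync.log`; keep that list. For the cleanup section itself: say what makes a key in `/root/.ssh/authorized_keys` "unexpected", and warn that `--cleanup-only` on an existing server must not be run from a session logged in as one of the provisioning users it may delete (`ubuntu`, `debian`, `admin`, `cloud-user`) without first creating the admin user; the marker-file exclusion mentioned in the user-creation row belongs in this section too, since preview-then-apply is the only lockout safeguard the text currently describes.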
@@ -201,16 +217,21 @@ After rebooting, verify the setup:
If locked out, use your providers console: If locked out, use your providers console:
1. **Remove Hardened Configuration**: 1. **Remove Hardened Configuration**:
```
```bash
sudo rm /etc/ssh/sshd_config.d/99-hardening.conf sudo rm /etc/ssh/sshd_config.d/99-hardening.conf
``` ```
2. **Restore Original `sshd_config`**: 2. **Restore Original `sshd_config`**:
```
```bash
LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1) LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1)
sudo cp "$LATEST_BACKUP"/sshd_config.backup_* /etc/ssh/sshd_config sudo cp "$LATEST_BACKUP"/sshd_config.backup_* /etc/ssh/sshd_config
``` ```
3. **Restart SSH**: 3. **Restart SSH**:
```
```bash
sudo systemctl restart ssh sudo systemctl restart ssh
``` ```
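Review bot: `sudo cp "$LATEST_BACKUP"/sshd_config.backup_* /etc/ssh/sshd_config` fails with "target is not a directory" as soon as the newest backup directory holds more than one `sshd_config.backup_*` file; pick one explicitly, e.g. `sudo cp "$(ls -t "$LATEST_BACKUP"/sshd_config.backup_* | head -1)" /etc/ssh/sshd_config`. Running `sudo sshd -t` after restoring and before `sudo systemctl restart ssh` would catch a bad configuration while the daemon is still serving connections, which matters most in exactly this locked-out scenario.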
@@ -227,9 +248,11 @@ If backups fail:
* Review: `sudo less /var/log/backup_rsync.log` * Review: `sudo less /var/log/backup_rsync.log`
* If automated key copy fails: `cat /tmp/ssh-copy-id.log` * If automated key copy fails: `cat /tmp/ssh-copy-id.log`
3. **Test Backup Manually**: 3. **Test Backup Manually**:
```
```bash
sudo /root/run_backup.sh sudo /root/run_backup.sh
``` ```
4. **Verify Cron Job**: 4. **Verify Cron Job**:
* Check: `sudo crontab -l` * Check: `sudo crontab -l`
* Ensure: `5 3 * * * /root/run_backup.sh #-*- managed by setup_harden script -*-` * Ensure: `5 3 * * * /root/run_backup.sh #-*- managed by setup_harden script -*-`
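Review bot: The `cat /tmp/ssh-copy-id.log` hint points at a fixed-name file in world-writable `/tmp`; the script already logs under `/var/log` (`backup_rsync.log`), and writing this log there as well avoids the predictable-path-in-`/tmp` pattern and keeps the file past the next reboot, when `/tmp` is typically cleared and the evidence of a failed key copy goes with it.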
@@ -279,6 +302,6 @@ If Tailscale fails to connect:
* Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641` * Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641`
* Check VPS firewall for Tailscale traffic. * Check VPS firewall for Tailscale traffic.
## [MIT](https://github.com/buildplan/du_setup/blob/main/LICENSE) License ## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE)
This script is open-source and provided "as is" without warranty. Use at your own risk. This script is open-source and provided "as is" without warranty. Use at your own risk.
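Review bot: `nc -zvu <tailscale-server> 41641` is not a meaningful check for UDP: with no application reply, `nc` reports the port open unless it receives an ICMP port-unreachable, so a firewall that silently drops the probe still shows "succeeded". `tailscale netcheck` (or `tailscale ping <peer>`) answers the real question of whether direct UDP connectivity exists; at minimum the text should say that a "succeeded" from `nc` here does not prove the port is reachable.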

File diff suppressed because it is too large


@@ -1 +1 @@
8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d du_setup.sh aa9a576fa8c8390d2068088932bb97d4c5f84a1bea203cadb21b09a1303669ff du_setup.sh
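Review bot: The new digest `aa9a576f…` matches the one written into the README's manual-check section in the same PR, so the two stay in sync; they must always change together, because `sha256sum -c du_setup.sh.sha256` reports `FAILED` as soon as either the script or this file is updated alone. Because this file lives in the same branch as the script it describes, it detects download corruption only; if integrity against repository tampering is the goal, publish the digest out of band or add a signature over it.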