Merge pull request #12 from buildplan/test

Fixed Ubuntu SSH socket issue
2025-12-29 16:14:59 +00:00 · 2025-06-27 19:56:54 +01:00
parent a1ecc2608c 3c0844de2e
commit f0ea7ae8df
2 changed files with 53 additions and 33 deletions
--- a/README.md
+++ b/README.md
@@ -1,14 +1,15 @@
 # Debian & Ubuntu Server Setup & Hardening Script

-**Version:** 3.12
+**Version:** 3.13

 **Last Updated:** 2025-06-27

 **Compatible With:**
+
 - Debian 12
 - Ubuntu 22.04, 24.04, 24.10

---
+* * *

 ## Overview

@@ -16,7 +17,7 @@ This script automates the initial setup and security hardening of a fresh Debian

 It runs interactively, guiding the user through critical choices while automating the tedious but essential steps of securing a new server.

---
+* * *

 ## Features

@@ -28,12 +29,12 @@ It runs interactively, guiding the user through critical choices while automatin
 - **System Stability:** Sets up NTP time synchronization with `chrony` and can configure a swap file for systems with low RAM.
 - **Safety First:** Automatically backs up all critical configuration files before modification, with simple restoration instructions.
 - **Optional Software:** Provides optional, interactive installation for:
-  - Docker & Docker Compose
-  - Tailscale (Mesh VPN)
+    - Docker & Docker Compose
+    - Tailscale (Mesh VPN)
 - **Comprehensive Logging:** All actions are logged to `/var/log/setup_harden_debian_ubuntu_*.log`.
 - **Automation-Friendly:** Includes a `--quiet` mode to suppress non-essential output for use in automated provisioning workflows.

---
+* * *

 ## Installation & Usage

@@ -43,14 +44,14 @@ It runs interactively, guiding the user through critical choices while automatin
 - Root or `sudo` privileges.
 - Internet access for downloading packages.

-### 1. Download the Script
+### 1\. Download the Script

 ```
 wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh
 chmod +x setup_harden_debian_ubuntu.sh
 ```

-### 2. Run the Script Interactively
+### 2\. Run the Script Interactively

 It is highly recommended to run the script interactively the first time.

@@ -58,40 +59,42 @@ It is highly recommended to run the script interactively the first time.
 sudo ./setup_harden_debian_ubuntu.sh
 ```

-### 3. Run in Quiet Mode (for automation - not recmmended)
+### 3\. Run in Quiet Mode (for automation - not recmmended)

 ```
 sudo ./setup_harden_debian_ubuntu.sh --quiet
 ```

 > :warning: **Critical Safety Check:** The script will pause and require you to test your new SSH connection from a separate terminal before it proceeds to disable old access methods. **Do not skip this step!**
+> 
+> *Make sure to check VPS providers firewall, you will have to open your selected custom SSH port there.*

---
+* * *

 ## What It Does in Detail

-| Task                    | Description                                                                 |
-| ----------------------- | --------------------------------------------------------------------------- |
-| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity.      |
+| Task | Description |
+| --- | --- |
+| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity. |
 | **Package Management** | Updates all packages and installs essential tools (`ufw`, `fail2ban`, `chrony`, etc.). |
 | **Admin User Creation** | Creates a new `sudo` user with a password and/or a provided SSH public key. |
-| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port.       |
+| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port. |
 | **Firewall Setup** | Configures UFW to deny incoming traffic by default and allow specific ports. |
-| **System Backups** | Creates timestamped backups of configs in `/root/` before modification.    |
-| **Swap File Setup** | (Optional) Creates a swap file with a user-selected size.                  |
-| **Timezone & Locales** | (Optional) Interactive configuration for timezone and system locales.       |
+| **System Backups** | Creates timestamped backups of configs in `/root/` before modification. |
+| **Swap File Setup** | (Optional) Creates a swap file with a user-selected size. |
+| **Timezone & Locales** | (Optional) Interactive configuration for timezone and system locales. |
 | **Docker Install** | (Optional) Installs and configures Docker Engine and adds the user to the `docker` group. |
-| **Tailscale Install** | (Optional) Installs the Tailscale client.                                   |
-| **Final Cleanup** | Removes unused packages and reloads system daemons.                         |
+| **Tailscale Install** | (Optional) Installs the Tailscale client. |
+| **Final Cleanup** | Removes unused packages and reloads system daemons. |

---
+* * *

 ## Logs & Backups

 - **Log Files:** `/var/log/setup_harden_debian_ubuntu_*.log`
 - **Configuration Backups:** `/root/setup_harden_backup_*`

---
+* * *

 ## Tested On

@@ -99,7 +102,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
 - Ubuntu 24.04 and 24.10
 - Cloud providers (DigitalOcean, Oracle Cloud, Hetzner, Netcup) and local VMs.

---
+* * *

 ## :exclamation: Important Notes

@@ -108,7 +111,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
 - Always test the script in a non-production environment (like a staging VM) before deploying to a live server.
 - Ensure you have out-of-band console access to your server in case you accidentally lock yourself out.

---
+* * *

 ## Troubleshooting

@@ -117,12 +120,14 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
 If you are locked out of SSH, use your provider's web console to perform the following steps:

 1.  **Remove the hardened configuration:**
+    
    ```
    # This file overrides the main config, so it must be removed.
    rm /etc/ssh/sshd_config.d/99-hardening.conf
    ```
-
+    
 2.  **Restore the original `sshd_config` file:**
+    
    ```
    # Find the latest backup directory
    LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1)
--- a/setup_harden_debian_ubuntu.sh
+++ b/setup_harden_debian_ubuntu.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

 # Debian 12 and Ubuntu Server Hardening Interactive Script
-# Version: 3.12 | 2025-06-27
+# Version: 3.13 | 2025-06-27
 # Compatible with: Debian 12 (Bookworm), Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS. 24.10 (experimental)
 # Tested on Debian 12, Ubuntu 24.04 and 24.10 at DigitalOcean, Oracle Cloud, Netcup, Hetzner and local VMs
 #
@@ -80,7 +80,7 @@ print_header() {
    echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
    echo -e "${CYAN}║                                                                 ║${NC}"
    echo -e "${CYAN}║       DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT           ║${NC}"
-    echo -e "${CYAN}║                     v3.12 | 2025-06-27                          ║${NC}"
+    echo -e "${CYAN}║                     v3.13 | 2025-06-27                          ║${NC}"
    echo -e "${CYAN}║                                                                 ║${NC}"
    echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
    echo
@@ -577,17 +577,31 @@ configure_ssh() {
    SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)"
    cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE"

-    # Use systemd drop-in for port override, preserving Ubuntu's socket activation
-    NEW_SSH_CONFIG=$(mktemp)
-    tee "$NEW_SSH_CONFIG" > /dev/null <<EOF
+    # Apply port override based on SSH service type
+    if [[ "$SSH_SERVICE" == "ssh.socket" ]]; then
+        print_info "Configuring SSH socket to listen on port $SSH_PORT..."
+        NEW_SSH_CONFIG=$(mktemp)
+        tee "$NEW_SSH_CONFIG" > /dev/null <<EOF
+[Socket]
+ListenStream=
+ListenStream=$SSH_PORT
+EOF
+        mkdir -p /etc/systemd/system/ssh.socket.d
+        mv "$NEW_SSH_CONFIG" /etc/systemd/system/ssh.socket.d/override.conf
+        chmod 644 /etc/systemd/system/ssh.socket.d/override.conf
+    else
+        print_info "Configuring SSH service to listen on port $SSH_PORT..."
+        NEW_SSH_CONFIG=$(mktemp)
+        tee "$NEW_SSH_CONFIG" > /dev/null <<EOF
 [Service]
 ExecStart=
 ExecStart=/usr/sbin/sshd -D -p $SSH_PORT
 EOF
-    mkdir -p /etc/systemd/system/ssh.service.d
-    mv "$NEW_SSH_CONFIG" /etc/systemd/system/ssh.service.d/override.conf
-    chmod 644 /etc/systemd/system/ssh.service.d/override.conf
-
+        mkdir -p /etc/systemd/system/ssh.service.d
+        mv "$NEW_SSH_CONFIG" /etc/systemd/system/ssh.service.d/override.conf
+        chmod 644 /etc/systemd/system/ssh.service.d/override.conf
+    fi
+    
    # Apply additional hardening via sshd_config.d
    NEW_SSH_CONFIG=$(mktemp)
    tee "$NEW_SSH_CONFIG" > /dev/null <<EOF
@@ -1122,6 +1136,7 @@ generate_summary() {
    echo -e "  - Time sync:          chronyc tracking"
    echo -e "  - Fail2Ban status:    sudo fail2ban-client status sshd"
    echo -e "  - Swap status:        sudo swapon --show && free -h"
+    echo -e "  - Hostname:  	     hostnamectl"
    if command -v docker >/dev/null 2>&1; then
        echo -e "  - Docker status:      docker ps"
    fi