From db8f38badbecb1439d4fa94616cd1519d5b32edf Mon Sep 17 00:00:00 2001 
From: buildplan <170122315+buildplan@users.noreply.github.com> 
Date: Fri, 27 Jun 2025 19:23:28 +0100 
Subject: [PATCH 1/4] Update setup_harden_debian_ubuntu.sh 
---
 setup_harden_debian_ubuntu.sh | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-) 
diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh 
index 123c612..ec11f73 100644 
--- a/setup_harden_debian_ubuntu.sh 
+++ b/setup_harden_debian_ubuntu.sh 
@@ -577,17 +577,31 @@ configure_ssh() {
 SSHD_BACKUP_FILE="$BACKUP_DIR/sshd_config.backup_$(date +%Y%m%d_%H%M%S)"
 cp /etc/ssh/sshd_config "$SSHD_BACKUP_FILE" 
- # Use systemd drop-in for port override, preserving Ubuntu's socket activation 
- NEW_SSH_CONFIG=$(mktemp) 
- tee "$NEW_SSH_CONFIG" > /dev/null < /dev/null < /dev/null < /dev/null < 
Date: Fri, 27 Jun 2025 19:32:52 +0100 
Subject: [PATCH 2/4] Update setup_harden_debian_ubuntu.sh 
---
 setup_harden_debian_ubuntu.sh | 1 +
 1 file changed, 1 insertion(+) 
diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh 
index ec11f73..a7b9fe4 100644 
--- a/setup_harden_debian_ubuntu.sh 
+++ b/setup_harden_debian_ubuntu.sh 
@@ -1136,6 +1136,7 @@ generate_summary() {
 echo -e " - Time sync: chronyc tracking"
 echo -e " - Fail2Ban status: sudo fail2ban-client status sshd"
 echo -e " - Swap status: sudo swapon --show && free -h" 
+ echo -e " - Hostname: hostnamectl"
 if command -v docker >/dev/null 2>&1; then
 echo -e " - Docker status: docker ps"
 fi 
From 64bab89f176849bc56b66e54bd121bde0c162d8c Mon Sep 17 00:00:00 2001 
From: buildplan <170122315+buildplan@users.noreply.github.com> 
Date: Fri, 27 Jun 2025 19:33:26 +0100 
Subject: [PATCH 3/4] Update setup_harden_debian_ubuntu.sh 
---
 setup_harden_debian_ubuntu.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh 
index a7b9fe4..da040ed 100644 
--- a/setup_harden_debian_ubuntu.sh 
+++ b/setup_harden_debian_ubuntu.sh 
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Debian 12 and Ubuntu Server Hardening Interactive Script 
-# Version: 3.12 | 2025-06-27 
+# Version: 3.13 | 2025-06-27
 # Compatible with: Debian 12 (Bookworm), Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS. 24.10 (experimental)
 # Tested on Debian 12, Ubuntu 24.04 and 24.10 at DigitalOcean, Oracle Cloud, Netcup, Hetzner and local VMs
 # 
@@ -80,7 +80,7 @@ print_header() {
 echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
 echo -e "${CYAN}║ ║${NC}"
 echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" 
- echo -e "${CYAN}║ v3.12 | 2025-06-27 ║${NC}" 
+ echo -e "${CYAN}║ v3.13 | 2025-06-27 ║${NC}"
 echo -e "${CYAN}║ ║${NC}"
 echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
 echo 
From 3c0844de2ef2e6b05b610953c6520e3e15a5aebc Mon Sep 17 00:00:00 2001 
From: buildplan <170122315+buildplan@users.noreply.github.com> 
Date: Fri, 27 Jun 2025 19:35:27 +0100 
Subject: [PATCH 4/4] Update README.md 
---
 README.md | 53 +++++++++++++++++++++++++++++------------------------
 1 file changed, 29 insertions(+), 24 deletions(-) 
diff --git a/README.md b/README.md 
index 63f73ef..a13d7c8 100644 
--- a/README.md 
+++ b/README.md 
@@ -1,14 +1,15 @@
 # Debian & Ubuntu Server Setup & Hardening Script 
-**Version:** 3.12 
+**Version:** 3.13
 **Last Updated:** 2025-06-27
 **Compatible With:** 
+
 - Debian 12
 - Ubuntu 22.04, 24.04, 24.10 
---- 
+* * *
 ## Overview 
@@ -16,7 +17,7 @@ This script automates the initial setup and security hardening of a fresh Debian
 It runs interactively, guiding the user through critical choices while automating the tedious but essential steps of securing a new server. 
---- 
+* * *
 ## Features 
@@ -28,12 +29,12 @@ It runs interactively, guiding the user through critical choices while automatin
 - **System Stability:** Sets up NTP time synchronization with `chrony` and can configure a swap file for systems with low RAM.
 - **Safety First:** Automatically backs up all critical configuration files before modification, with simple restoration instructions.
 - **Optional Software:** Provides optional, interactive installation for: 
- - Docker & Docker Compose 
- - Tailscale (Mesh VPN) 
+ - Docker & Docker Compose 
+ - Tailscale (Mesh VPN)
 - **Comprehensive Logging:** All actions are logged to `/var/log/setup_harden_debian_ubuntu_*.log`.
 - **Automation-Friendly:** Includes a `--quiet` mode to suppress non-essential output for use in automated provisioning workflows. 
---- 
+* * *
 ## Installation & Usage 
@@ -43,14 +44,14 @@ It runs interactively, guiding the user through critical choices while automatin
 - Root or `sudo` privileges.
 - Internet access for downloading packages. 
-### 1. Download the Script 
+### 1\. Download the Script
 ```
 wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh
 chmod +x setup_harden_debian_ubuntu.sh
 ``` 
-### 2. Run the Script Interactively 
+### 2\. Run the Script Interactively
 It is highly recommended to run the script interactively the first time. 
@@ -58,40 +59,42 @@ It is highly recommended to run the script interactively the first time.
 sudo ./setup_harden_debian_ubuntu.sh
 ``` 
-### 3. Run in Quiet Mode (for automation - not recmmended) 
+### 3\. Run in Quiet Mode (for automation - not recmmended)
 ```
 sudo ./setup_harden_debian_ubuntu.sh --quiet
 ```
 > :warning: **Critical Safety Check:** The script will pause and require you to test your new SSH connection from a separate terminal before it proceeds to disable old access methods. **Do not skip this step!** 
+> 
+> *Make sure to check VPS providers firewall, you will have to open your selected custom SSH port there.* 
---- 
+* * *
 ## What It Does in Detail 
-| Task | Description | 
-| ----------------------- | --------------------------------------------------------------------------- | 
-| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity. | 
+| Task | Description | 
+| --- | --- | 
+| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity. |
 | **Package Management** | Updates all packages and installs essential tools (`ufw`, `fail2ban`, `chrony`, etc.). |
 | **Admin User Creation** | Creates a new `sudo` user with a password and/or a provided SSH public key. | 
-| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port. |
 | **Firewall Setup** | Configures UFW to deny incoming traffic by default and allow specific ports. | 
-| **System Backups** | Creates timestamped backups of configs in `/root/` before modification. | 
-| **Swap File Setup** | (Optional) Creates a swap file with a user-selected size. | 
-| **Timezone & Locales** | (Optional) Interactive configuration for timezone and system locales. | 
+| **System Backups** | Creates timestamped backups of configs in `/root/` before modification. 
| 
+| **Swap File Setup** | (Optional) Creates a swap file with a user-selected size. | 
+| **Timezone & Locales** | (Optional) Interactive configuration for timezone and system locales. |
 | **Docker Install** | (Optional) Installs and configures Docker Engine and adds the user to the `docker` group. | 
-| **Tailscale Install** | (Optional) Installs the Tailscale client. | 
-| **Final Cleanup** | Removes unused packages and reloads system daemons. | 
+| **Tailscale Install** | (Optional) Installs the Tailscale client. | 
+| **Final Cleanup** | Removes unused packages and reloads system daemons. | 
---- 
+* * *
 ## Logs & Backups
 - **Log Files:** `/var/log/setup_harden_debian_ubuntu_*.log`
 - **Configuration Backups:** `/root/setup_harden_backup_*` 
---- 
+* * *
 ## Tested On 
@@ -99,7 +102,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
 - Ubuntu 24.04 and 24.10
 - Cloud providers (DigitalOcean, Oracle Cloud, Hetzner, Netcup) and local VMs. 
---- 
+* * *
 ## :exclamation: Important Notes 
@@ -108,7 +111,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
 - Always test the script in a non-production environment (like a staging VM) before deploying to a live server.
 - Ensure you have out-of-band console access to your server in case you accidentally lock yourself out. 
---- 
+* * *
 ## Troubleshooting 
@@ -117,12 +120,14 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
 If you are locked out of SSH, use your provider's web console to perform the following steps:
 1. **Remove the hardened configuration:** 
+
 ```
 # This file overrides the main config, so it must be removed.
 rm /etc/ssh/sshd_config.d/99-hardening.conf
 ``` 
- 
+
 2. **Restore the original `sshd_config` file:** 
+
 ```
 # Find the latest backup directory
 LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1)