mirror of
https://github.com/buildplan/du_setup.git
synced 2025-12-17 17:55:35 +00:00
update readme
This commit is contained in:
Ali
parent
f601ca7518
commit
f2db478e90
59
README.md
59
README.md
@ -1,6 +1,6 @@
|
||||
# Debian & Ubuntu Server Setup & Hardening Script
|
||||
|
||||
**Version:** 4.1
|
||||
**Version:** 4.2
|
||||
|
||||
**Last Updated:** 2025-06-29
|
||||
|
||||
@ -22,7 +22,9 @@ This script automates the initial setup and security hardening of a fresh Debian
|
||||
- **Automated Security Updates**: Enables `unattended-upgrades` for automatic security patches.
|
||||
- **System Stability**: Configures NTP time synchronization with `chrony` and optional swap file setup for low-RAM systems.
|
||||
- **Remote rsync Backups**: Configures automated `rsync` backups over SSH to any compatible server (e.g., Hetzner Storage Box), with SSH key automation (`sshpass` or manual), cron scheduling, ntfy/Discord notifications, and a customizable exclude file.
|
||||
- **Backup Testing**: Includes an optional test backup to verify the rsync configuration before scheduling.
|
||||
- **Tailscale VPN**: Installs Tailscale and connects to the standard Tailscale network (pre-auth key required) or a custom server (URL and key required). Configures optional flags (`--ssh`, `--advertise-exit-node`, `--accept-dns`, `--accept-routes`).
|
||||
- **Security Auditing**: Optionally runs **Lynis** for system hardening audits and **debsecan** for package vulnerability checks, with results logged for review.
|
||||
- **Safety First**: Backs up critical configuration files before modification, stored in `/root/setup_harden_backup_*`.
|
||||
- **Optional Software**: Offers interactive installation of:
|
||||
- Docker & Docker Compose
|
||||
@ -37,25 +39,26 @@ This script automates the initial setup and security hardening of a fresh Debian
|
||||
- Fresh installation of a compatible OS.
|
||||
- Root or `sudo` privileges.
|
||||
- Internet access for package downloads.
|
||||
- For remote backups: An SSH-accessible server (e.g., Hetzner Storage Box) with credentials or SSH key access.
|
||||
- Minimum 2GB disk space for swap file creation and temporary files.
|
||||
- For remote backups: An SSH-accessible server (e.g., Hetzner Storage Box) with credentials or SSH key access. For Hetzner, SSH (port 23) is used for rsync.
|
||||
- For Tailscale: A pre-auth key from https://login.tailscale.com/admin (standard, starts with `tskey-auth-`) or from a custom server (e.g., `https://ts.mydomain.cloud`).
|
||||
|
||||
### 1. Download the Script
|
||||
|
||||
```
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh
|
||||
chmod +x setup_harden_debian_ubuntu.sh
|
||||
```
|
||||
|
||||
### 2. Run Interactively (Recommended)
|
||||
|
||||
```
|
||||
```bash
|
||||
sudo ./setup_harden_debian_ubuntu.sh
|
||||
```
|
||||
|
||||
### 3. Run in Quiet Mode (for Automation)
|
||||
|
||||
```
|
||||
```bash
|
||||
sudo ./setup_harden_debian_ubuntu.sh --quiet
|
||||
```
|
||||
|
||||
@ -68,11 +71,13 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
|
||||
| Task | Description |
|
||||
| --- | --- |
|
||||
| **System Checks** | Verifies OS compatibility, root privileges, and internet connectivity. |
|
||||
| **Package Management** | Updates packages and installs tools (`ufw`, `fail2ban`, `chrony`, `rsync`, etc.). |
|
||||
| **Package Management** | Updates packages and installs tools (`ufw`, `fail2ban`, `chrony`, `rsync`, `lynis`, `debsecan`, etc.). |
|
||||
| **Admin User Creation** | Creates a `sudo` user with a password and/or SSH public key. |
|
||||
| **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port. |
|
||||
| **Firewall Setup** | Configures UFW to deny incoming traffic by default, allowing specific ports. |
|
||||
| **Remote Backup Setup** | Configures `rsync` backups to an SSH server (e.g., `u457300-sub4@u457300.your-storagebox.de:23`). Creates `/root/run_backup.sh`, `/root/rsync_exclude.txt`, and schedules a cron job. Supports ntfy/Discord notifications. |
|
||||
| **Backup Testing** | Performs an optional test backup to verify rsync configuration, logging results to `/var/log/backup_rsync.log`. |
|
||||
| **Security Auditing** | Runs optional **Lynis** and **debsecan** audits, logging results to `/var/log/setup_harden_security_audit_*.log`. |
|
||||
| **Tailscale Setup** | Installs Tailscale and connects to the standard Tailscale network (pre-auth key starting with `tskey-auth-`) or a custom server (any valid key). Configures optional flags (`--ssh`, `--advertise-exit-node`, `--accept-dns`, `--accept-routes`). |
|
||||
| **System Backups** | Saves timestamped configuration backups in `/root/setup_harden_backup_*`. |
|
||||
| **Swap File Setup** | Creates an optional swap file (e.g., 2G) with tuned settings. |
|
||||
@ -84,6 +89,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet
|
||||
|
||||
- **Log Files**: `/var/log/setup_harden_debian_ubuntu_*.log`
|
||||
- **Backup Logs**: `/var/log/backup_rsync.log` (for remote backup operations)
|
||||
- **Audit Logs**: `/var/log/setup_harden_security_audit_*.log` (for Lynis and debsecan results)
|
||||
- **Configuration Backups**: `/root/setup_harden_backup_*`
|
||||
|
||||
## Post-Reboot Verification
|
||||
@ -108,24 +114,28 @@ After rebooting, verify the setup:
|
||||
- Copy key (if not done): `ssh-copy-id -p <backup_port> -s <backup_user@backup_host>`
|
||||
- Test backup: `sudo /root/run_backup.sh`
|
||||
- Check logs: `sudo less /var/log/backup_rsync.log`
|
||||
- Verify cron job: `sudo crontab -l` (e.g., `3 3 * * * /root/run_backup.sh`)
|
||||
- Verify cron job: `sudo crontab -l` (e.g., `5 3 * * * /root/run_backup.sh`)
|
||||
- **Security Audit** (if run):
|
||||
- Check results: `sudo less /var/log/setup_harden_security_audit_*.log`
|
||||
- Review Lynis hardening index and debsecan vulnerabilities in the script’s summary output
|
||||
|
||||
## Tested On
|
||||
|
||||
- Debian 12
|
||||
- Ubuntu 22.04, 24.04, 24.10 (experimental)
|
||||
- Cloud providers: DigitalOcean, Oracle Cloud, Hetzner, Netcup
|
||||
- Backup destinations: Hetzner Storage Box, custom SSH servers
|
||||
- Backup destinations: Hetzner Storage Box (SSH, port 23), custom SSH servers
|
||||
- Tailscale: Standard network, custom self-hosted servers
|
||||
|
||||
## Important Notes
|
||||
|
||||
- **Run on a fresh system**: Designed for initial provisioning.
|
||||
- **Run on a fresh system**: Designed for initial provisioning with at least 2GB free disk space.
|
||||
- **Reboot required**: Ensures kernel and service changes apply cleanly.
|
||||
- Test in a non-production environment (e.g., staging VM) first.
|
||||
- Maintain out-of-band console access in case of SSH lockout.
|
||||
- For Hetzner Storage Box, ensure `~/.ssh/` exists on the remote server: `ssh -p 23 <backup_user@backup_host> "mkdir -p ~/.ssh && chmod 700 ~/.ssh"`.
|
||||
- For Hetzner Storage Box, ensure `~/.ssh/` exists on the remote server: `ssh -p 23 <backup_user@backup_host> "mkdir -p ~/.ssh && chmod 700 ~/.ssh"`. Backups use SSH (port 23) for rsync, not SFTP.
|
||||
- For Tailscale, generate a pre-auth key from https://login.tailscale.com/admin (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic.
|
||||
- For security audits, review `/var/log/setup_harden_security_audit_*.log` for Lynis and debsecan recommendations.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
@ -134,18 +144,18 @@ After rebooting, verify the setup:
|
||||
If locked out, use your provider’s console:
|
||||
|
||||
1. **Remove Hardened Configuration**:
|
||||
```
|
||||
```bash
|
||||
rm /etc/ssh/sshd_config.d/99-hardening.conf
|
||||
```
|
||||
|
||||
2. **Restore Original `sshd_config`**:
|
||||
```
|
||||
```bash
|
||||
LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1)
|
||||
cp "$LATEST_BACKUP"/sshd_config.backup_* /etc/ssh/sshd_config
|
||||
```
|
||||
|
||||
3. **Restart SSH**:
|
||||
```
|
||||
```bash
|
||||
systemctl restart ssh
|
||||
```
|
||||
|
||||
@ -164,14 +174,14 @@ If backups fail:
|
||||
- If automated key copy fails: `cat /tmp/ssh-copy-id.log`
|
||||
|
||||
3. **Test Backup Manually**:
|
||||
```
|
||||
```bash
|
||||
sudo /root/run_backup.sh
|
||||
```
|
||||
|
||||
4. **Verify Cron Job**:
|
||||
- Check: `sudo crontab -l`
|
||||
- Ensure: `3 3 * * * /root/run_backup.sh #-*- managed by setup_harden script -*-`
|
||||
- Test cron permissions: `echo "3 3 * * * /root/run_backup.sh" | crontab -u root -`
|
||||
- Ensure: `5 3 * * * /root/run_backup.sh #-*- managed by setup_harden script -*-`
|
||||
- Test cron permissions: `echo "5 3 * * * /root/run_backup.sh" | crontab -u root -`
|
||||
- Check permissions: `ls -l /var/spool/cron/crontabs/root` (expect `-rw------- root:crontab`)
|
||||
|
||||
5. **Network Issues**:
|
||||
@ -181,6 +191,23 @@ If backups fail:
|
||||
6. **Summary Errors**:
|
||||
- If summary shows `Remote Backup: Not configured`, verify: `ls -l /root/run_backup.sh`
|
||||
|
||||
### Security Audit Issues
|
||||
|
||||
If audits fail:
|
||||
|
||||
1. **Check Audit Log**:
|
||||
- Review: `sudo less /var/log/setup_harden_security_audit_*.log`
|
||||
- Look for Lynis errors or debsecan CVE reports
|
||||
|
||||
2. **Verify Installation**:
|
||||
- Lynis: `command -v lynis`
|
||||
- Debsecan: `command -v debsecan`
|
||||
- Reinstall if needed: `sudo apt-get install lynis debsecan`
|
||||
|
||||
3. **Run Manually**:
|
||||
- Lynis: `sudo lynis audit system --quick`
|
||||
- Debsecan: `sudo debsecan --suite $(source /etc/os-release && echo $VERSION_CODENAME)`
|
||||
|
||||
### Tailscale Issues
|
||||
|
||||
If Tailscale fails to connect:
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user