From 91720a8f78d30e9b10dea048417d8ce195ffa0b8 Mon Sep 17 00:00:00 2001 From: Ali Date: Sun, 29 Jun 2025 21:22:55 +0100 Subject: [PATCH 01/15] Add SHA256 integrity verification --- setup_harden_debian_ubuntu.sh.sha256 | 1 + 1 file changed, 1 insertion(+) create mode 100644 setup_harden_debian_ubuntu.sh.sha256 diff --git a/setup_harden_debian_ubuntu.sh.sha256 b/setup_harden_debian_ubuntu.sh.sha256 new file mode 100644 index 0000000..9943f9f --- /dev/null +++ b/setup_harden_debian_ubuntu.sh.sha256 @@ -0,0 +1 @@ +544da099cf092741fc02c3c06b130ea1535e89ef65f9bd18f9afa8142773050f setup_harden_debian_ubuntu.sh From 573a57159d5300c52df69a45b1222c86fcc5cac4 Mon Sep 17 00:00:00 2001 From: Ali Date: Sun, 29 Jun 2025 21:29:44 +0100 Subject: [PATCH 02/15] Add SHA256 integrity verification --- README.md | 21 ++++++++++++++++----- setup_harden_debian_ubuntu.sh | 5 +++-- setup_harden_debian_ubuntu.sh.sha256 | 2 +- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5804f35..7019523 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Debian & Ubuntu Server Setup & Hardening Script -**Version:** 4.2 +**Version:** 4.3 **Last Updated:** 2025-06-29 @@ -45,20 +45,20 @@ This script automates the initial setup and security hardening of a fresh Debian ### 1. Download the Script -```bash +``` wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/main/setup_harden_debian_ubuntu.sh chmod +x setup_harden_debian_ubuntu.sh ``` ### 2. Run Interactively (Recommended) -```bash +``` sudo ./setup_harden_debian_ubuntu.sh ``` ### 3. Run in Quiet Mode (for Automation) -```bash +``` sudo ./setup_harden_debian_ubuntu.sh --quiet ``` 
@@ -66,6 +66,17 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet > > Ensure your VPS provider’s firewall allows the custom SSH port, backup server’s SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections). +### Verify Script Integrity (Optional but Recommended) + +After downloading the script, verify its integrity: + +``` +wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh +wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh.sha256 + +sha256sum -c setup_harden_debian_ubuntu.sh.sha256 +``` + ## What It Does | Task | Description | @@ -237,4 +248,4 @@ If Tailscale fails to connect: ## [MIT](https://github.com/buildplan/setup_harden_server/blob/main/LICENSE) License -This script is open-source and provided "as is" without warranty. Use at your own risk. \ No newline at end of file +This script is open-source and provided "as is" without warranty. Use at your own risk. diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh index 76c4ba6..2e4e5d2 100644 --- a/setup_harden_debian_ubuntu.sh +++ b/setup_harden_debian_ubuntu.sh @@ -1,8 +1,9 @@ #!/bin/bash # Debian 12 and Ubuntu Server Hardening Interactive Script -# Version: 4.2 | 2025-06-29 +# Version: 4.3 | 2025-06-29 # Changelog: +# - v4.3: Add SHA256 integrity verification # - v4.2: Added Security Audit Tools (Integrating Lynis and Optionally Debsecan) & option to do Backup Testing # Fixed debsecan compatibility (Debian-only), added global BACKUP_LOG, added backup testing # - v4.1: Added tailscale config to connect to tailscale or headscale server 
@@ -87,7 +88,7 @@ print_header() { echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - echo -e "${CYAN}║ v4.2 | 2025-06-29 ║${NC}" + echo -e "${CYAN}║ v4.3 | 2025-06-29 ║${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo diff --git a/setup_harden_debian_ubuntu.sh.sha256 b/setup_harden_debian_ubuntu.sh.sha256 index 9943f9f..e584045 100644 --- a/setup_harden_debian_ubuntu.sh.sha256 +++ b/setup_harden_debian_ubuntu.sh.sha256 @@ -1 +1 @@ -544da099cf092741fc02c3c06b130ea1535e89ef65f9bd18f9afa8142773050f setup_harden_debian_ubuntu.sh +f92a4a494689d7c9d6bc42a87ce6a325f1d40099cf1b8f3cb29c8eea9e3f6ce2 setup_harden_debian_ubuntu.sh From 9ee7512bae5e9bd6071475bd10be54fdb8810e59 Mon Sep 17 00:00:00 2001 From: Ali Date: Sun, 29 Jun 2025 21:41:04 +0100 Subject: [PATCH 03/15] Add combined SHA256 GitHub Action --- .github/workflows/checksum.yml | 37 ++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/checksum.yml diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml new file mode 100644 index 0000000..3110cee --- /dev/null +++ b/.github/workflows/checksum.yml 
@@ -0,0 +1,37 @@ +name: Generate & Attach SHA256 Checksum + +on: + push: + branches: [main] + release: + types: [published] + +jobs: + generate-sha256: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Generate SHA256 + run: | + sha256sum setup_harden_debian_ubuntu.sh > setup_harden_debian_ubuntu.sh.sha256 + + - name: Commit SHA256 (only on push to main) + if: github.event_name == 'push' + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add setup_harden_debian_ubuntu.sh.sha256 + git commit -m "Auto-update SHA256 checksum" + git push + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SHA256 to GitHub Release (only on release) + if: github.event_name == 'release' + uses: softprops/action-gh-release@v1 + with: + files: setup_harden_debian_ubuntu.sh.sha256 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From bd35099c2451bb39de6df33fbf6ff612cd5490f8 Mon Sep 17 00:00:00 2001 From: Ali Date: Sun, 29 Jun 2025 21:54:59 +0100 Subject: [PATCH 04/15] Add combined SHA256 GitHub Action --- .github/workflows/checksum.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml index 3110cee..48baed4 100644 --- a/.github/workflows/checksum.yml +++ b/.github/workflows/checksum.yml @@ -1,5 +1,9 @@ name: Generate & Attach SHA256 Checksum +permissions: + contents: write + releases: write + on: push: branches: [main] 
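Review bot: The `git commit -m "Auto-update SHA256 checksum"` line in the push job exits non-zero when the checksum file is unchanged, so every push to main that does not touch setup_harden_debian_ubuntu.sh (a README-only edit, for example) fails the workflow; guard it with `git diff --cached --quiet || git commit -m "Auto-update SHA256 checksum"` after the `git add`. The same step survives unchanged in the rewrite of this file in PATCH 06/15, which would need the same guard. For a workflow whose whole purpose is integrity, the third-party actions should be pinned to a full commit SHA rather than the mutable tags `actions/checkout@v4` and `softprops/action-gh-release@v1`, since whatever those tags resolve to runs with the token that pushes to main. It is also worth a comment in the file that a checksum generated from and committed to the same branch as the script only detects corruption in transit, not substitution at the source; anyone able to change the script here can, and automatically does, regenerate the hash, so authenticity would need a signature or attestation rather than a sibling hash file.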
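Review bot: `releases: write` in the new `permissions:` block is not a scope GitHub Actions accepts under `permissions`, so the workflow file is likely to be rejected at parse time rather than run; release-asset uploads and the `git push` to main are both covered by `contents: write`, which is the only entry the block needs. Drop the `releases: write` line and keep `permissions:` / `contents: write`. The hunk ends inside the `on:` mapping; the `release:` trigger it also governs sits below the hunk.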
@@ -13,9 +17,22 @@ jobs: - name: Checkout Repository uses: actions/checkout@v4 + - name: Check Script Existence + run: | + if [ ! -f setup_harden_debian_ubuntu.sh ]; then + echo "Error: setup_harden_debian_ubuntu.sh not found in repository root." + exit 1 + fi + + - name: Clean Existing Checksum + if: github.event_name == 'release' + run: | + rm -f setup_harden_debian_ubuntu.sh.sha256 + - name: Generate SHA256 run: | sha256sum setup_harden_debian_ubuntu.sh > setup_harden_debian_ubuntu.sh.sha256 + echo "Generated checksum: $(cat setup_harden_debian_ubuntu.sh.sha256)" - name: Commit SHA256 (only on push to main) if: github.event_name == 'push' @@ -29,7 +46,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SHA256 to GitHub Release (only on release) - if: github.event_name == 'release' + if: github.event_name == 'release' && github.event.action == 'published' uses: softprops/action-gh-release@v1 with: files: setup_harden_debian_ubuntu.sh.sha256 From 236a8b0c3fe2cf421f8418140d99b88b5e1c0ba6 Mon Sep 17 00:00:00 2001 From: Ali Date: Sun, 29 Jun 2025 22:05:09 +0100 Subject: [PATCH 05/15] Add combined SHA256 GitHub Action --- .github/workflows/checksum.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml index 48baed4..429ba0c 100644 --- a/.github/workflows/checksum.yml +++ b/.github/workflows/checksum.yml @@ -8,7 +8,7 @@ on: push: branches: [main] release: - types: [published] + types: [created, published] jobs: generate-sha256: 
@@ -45,10 +45,11 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Upload SHA256 to GitHub Release (only on release) - if: github.event_name == 'release' && github.event.action == 'published' + - name: Upload SHA256 to GitHub Release + if: github.event_name == 'release' uses: softprops/action-gh-release@v1 with: files: setup_harden_debian_ubuntu.sh.sha256 + tag_name: ${{ github.event.release.tag_name }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 289c0f80c5cd11622a2b3ff40f7427b19b5dba5b Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Sun, 29 Jun 2025 22:11:22 +0100 Subject: [PATCH 06/15] Update checksum.yml --- .github/workflows/checksum.yml | 37 ++++------------------------------ 1 file changed, 4 insertions(+), 33 deletions(-) diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml index 429ba0c..007a185 100644 --- a/.github/workflows/checksum.yml +++ b/.github/workflows/checksum.yml 
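Review bot: Removing `&& github.event.action == 'published'` from the upload step's `if:` while the previous hunk widens the trigger to `types: [created, published]` means a release that is published directly produces two runs, each uploading setup_harden_debian_ubuntu.sh.sha256 to the same release; whether the second upload replaces the asset or errors depends on action-gh-release's handling of same-named assets, which I have not verified from here. Keeping the trigger as `types: [published]`, as the file originally had it, and leaving the condition as `if: github.event_name == 'release'` avoids the duplicate run. `tag_name: ${{ github.event.release.tag_name }}` presumably matches what the action already derives from the release event, so it is redundant but harmless.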
@@ -1,41 +1,21 @@ -name: Generate & Attach SHA256 Checksum - -permissions: - contents: write - releases: write +name: Generate SHA256 Checksum on: push: branches: [main] - release: - types: [created, published] jobs: generate-sha256: runs-on: ubuntu-latest steps: - - name: Checkout Repository + - name: Checkout Repo uses: actions/checkout@v4 - - name: Check Script Existence - run: | - if [ ! -f setup_harden_debian_ubuntu.sh ]; then - echo "Error: setup_harden_debian_ubuntu.sh not found in repository root." - exit 1 - fi - - - name: Clean Existing Checksum - if: github.event_name == 'release' - run: | - rm -f setup_harden_debian_ubuntu.sh.sha256 - - - name: Generate SHA256 + - name: Generate SHA256 for script run: | sha256sum setup_harden_debian_ubuntu.sh > setup_harden_debian_ubuntu.sh.sha256 - echo "Generated checksum: $(cat setup_harden_debian_ubuntu.sh.sha256)" - - name: Commit SHA256 (only on push to main) - if: github.event_name == 'push' + - name: Commit & Push SHA256 File run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" @@ -44,12 +24,3 @@ jobs: git push env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SHA256 to GitHub Release - if: github.event_name == 'release' - uses: softprops/action-gh-release@v1 - with: - files: setup_harden_debian_ubuntu.sh.sha256 - tag_name: ${{ github.event.release.tag_name }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 6154f67ef6b9847a4ba95f619768d8fa7ea0c49f Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Sun, 29 Jun 2025 22:13:39 +0100 Subject: [PATCH 07/15] Create release-sha256.yml --- .github/workflows/release-sha256.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/release-sha256.yml diff --git a/.github/workflows/release-sha256.yml b/.github/workflows/release-sha256.yml new file mode 100644 index 0000000..acd559d 
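Review bot: The rewrite removes the whole `permissions:` block rather than just the invalid `releases:` key, which leaves the `git push` in the Commit & Push step with whatever the repository's default GITHUB_TOKEN permissions are; where that default is read-only (GitHub's default for newer repositories), the push is refused. Keep `permissions:` with the single entry `contents: write` at the top of the file. The `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on that same step is not consumed by git itself — the push authenticates through the credentials `actions/checkout@v4` persists in the checkout's remote configuration — so either drop it or add a comment saying what it is for. The release workflow added in PATCH 07/15 (`.github/workflows/release-sha256.yml`) has the same gap: its asset upload needs `contents: write` and declares no permissions at all.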
--- /dev/null
+++ b/.github/workflows/release-sha256.yml
@@ -0,0 +1,23 @@
+name: Add SHA256 to Release
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ attach-sha256:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download Source Code
+ uses: actions/checkout@v4
+
+ - name: Generate SHA256
+ run: |
+ sha256sum setup_harden_debian_ubuntu.sh > setup_harden_debian_ubuntu.sh.sha256
+
+ - name: Upload SHA256 to Release
+ uses: softprops/action-gh-release@v1
+ with:
+ files: setup_harden_debian_ubuntu.sh.sha256
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From bdac5d235f760bc8b2d8ac232090abe58bc71593 Mon Sep 17 00:00:00 2001
From: buildplan <170122315+buildplan@users.noreply.github.com>
Date: Sun, 29 Jun 2025 22:16:56 +0100
Subject: [PATCH 08/15] Delete .github/workflows/release-sha256.yml
---
.github/workflows/release-sha256.yml | 23 -----------------------
1 file changed, 23 deletions(-)
delete mode 100644 .github/workflows/release-sha256.yml
diff --git a/.github/workflows/release-sha256.yml b/.github/workflows/release-sha256.yml
deleted file mode 100644
index acd559d..0000000
--- a/.github/workflows/release-sha256.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Add SHA256 to Release
-
-on:
- release:
- types: [published]
-
-jobs:
- attach-sha256:
- runs-on: ubuntu-latest
- steps:
- - name: Download Source Code
- uses: actions/checkout@v4
-
- - name: Generate SHA256
- run: |
- sha256sum setup_harden_debian_ubuntu.sh > setup_harden_debian_ubuntu.sh.sha256
-
- - name: Upload SHA256 to Release
- uses: softprops/action-gh-release@v1
- with:
- files: setup_harden_debian_ubuntu.sh.sha256
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From ac228a507c089a1d6ecaab56945f779418527c9e Mon Sep 17 00:00:00 2001
From: buildplan <170122315+buildplan@users.noreply.github.com>
Date: Sun, 29 Jun 2025 22:19:26 +0100
Subject: [PATCH 09/15] Delete .github/workflows directory
---
.github/workflows/checksum.yml | 26 --------------------------
1 file changed, 26 deletions(-)
delete mode 100644 .github/workflows/checksum.yml
diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml
deleted file mode 100644
index 007a185..0000000
--- a/.github/workflows/checksum.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Generate SHA256 Checksum
-
-on:
- push:
- branches: [main]
-
-jobs:
- generate-sha256:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout Repo
- uses: actions/checkout@v4
-
- - name: Generate SHA256 for script
- run: |
- sha256sum setup_harden_debian_ubuntu.sh > setup_harden_debian_ubuntu.sh.sha256
-
- - name: Commit & Push SHA256 File
- run: |
- git config user.name "github-actions[bot]"
- git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- git add setup_harden_debian_ubuntu.sh.sha256
- git commit -m "Auto-update SHA256 checksum"
- git push
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 9ed78a67102ec48086b8363c66fec3d16e45a8d4 Mon Sep 17 00:00:00 2001
From: Ali
Date: Sun, 29 Jun 2025 22:23:19 +0100
Subject: [PATCH 10/15] Add SHA256
---
setup_harden_debian_ubuntu.sh.sha256 | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 setup_harden_debian_ubuntu.sh.sha256
diff --git a/setup_harden_debian_ubuntu.sh.sha256 b/setup_harden_debian_ubuntu.sh.sha256
deleted file mode 100644
index e584045..0000000
--- a/setup_harden_debian_ubuntu.sh.sha256
+++ /dev/null
@@ -1 +0,0 @@
-f92a4a494689d7c9d6bc42a87ce6a325f1d40099cf1b8f3cb29c8eea9e3f6ce2 setup_harden_debian_ubuntu.sh
From 7f8c177ed2ea0a2eaa1d26a435eab2515d0ba8a9 Mon Sep 17 00:00:00 2001
From: Ali Date: Sun, 29 Jun 2025 22:24:54 +0100 Subject: [PATCH 11/15] Add SHA256 integrity verification --- setup_harden_debian_ubuntu.sh.sha256 | 1 + 1 file changed, 1 insertion(+) create mode 100644 setup_harden_debian_ubuntu.sh.sha256 diff --git a/setup_harden_debian_ubuntu.sh.sha256 b/setup_harden_debian_ubuntu.sh.sha256 new file mode 100644 index 0000000..e584045 --- /dev/null +++ b/setup_harden_debian_ubuntu.sh.sha256 @@ -0,0 +1 @@ +f92a4a494689d7c9d6bc42a87ce6a325f1d40099cf1b8f3cb29c8eea9e3f6ce2 setup_harden_debian_ubuntu.sh From 0ce32397e83923cd51435a59d87ad85f0fd7c14e Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Sun, 29 Jun 2025 22:42:59 +0100 Subject: [PATCH 12/15] Update README.md --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 7019523..6ef1457 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,15 @@ wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/ chmod +x setup_harden_debian_ubuntu.sh ``` +After downloading the script, verify its integrity: + +``` +wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh +wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh.sha256 + +sha256sum -c setup_harden_debian_ubuntu.sh.sha256 +``` + ### 2. Run Interactively (Recommended) ``` @@ -68,14 +77,6 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet ### Verify Script Integrity (Optional but Recommended) -After downloading the script, verify its integrity: - -``` -wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh -wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh.sha256 - -sha256sum -c setup_harden_debian_ubuntu.sh.sha256 -``` ## What It Does From 6b16f565e8e5f9275fc2e817e8d50bf22feb1089 Mon Sep 17 00:00:00 2001 
From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Sun, 29 Jun 2025 22:43:45 +0100 Subject: [PATCH 13/15] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6ef1457..e6a19b1 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/ chmod +x setup_harden_debian_ubuntu.sh ``` -After downloading the script, verify its integrity: + After downloading the script, verify its integrity: ``` wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh From 7531abfb652e0a176f60ba7ea86993790950fcf0 Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Sun, 29 Jun 2025 22:45:04 +0100 Subject: [PATCH 14/15] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e6a19b1..e58270d 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/ chmod +x setup_harden_debian_ubuntu.sh ``` - After downloading the script, verify its integrity: + After downloading the script, verify its integrity: ``` wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh From 8d73fa091731f82fe3de97c6846070885c57b868 Mon Sep 17 00:00:00 2001 From: buildplan <170122315+buildplan@users.noreply.github.com> Date: Sun, 29 Jun 2025 22:47:09 +0100 Subject: [PATCH 15/15] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e58270d..75f6936 100644 --- a/README.md +++ b/README.md 
@@ -50,7 +50,9 @@ wget https://raw.githubusercontent.com/buildplan/setup_harden_server/refs/heads/ chmod +x setup_harden_debian_ubuntu.sh ``` - After downloading the script, verify its integrity: +#### Verify Script Integrity (Optional but Recommended) + +After downloading the script, verify its integrity: ``` wget https://raw.githubusercontent.com/buildplan/setup_harden_server/main/setup_harden_debian_ubuntu.sh @@ -75,8 +77,6 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet > > Ensure your VPS provider’s firewall allows the custom SSH port, backup server’s SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections). -### Verify Script Integrity (Optional but Recommended) - ## What It Does