
Forked from daplie-snippets

master
Josh Mudge 1 year ago
commit
68db3b59f9
7 changed files with 597 additions and 0 deletions
  1. +27
    -0
      README.md
  2. +1
    -0
      VERSION
  3. +75
    -0
      create-user.bash
  4. +186
    -0
      determined-server-setup.sh
  5. +150
    -0
      harden-server.sh
  6. +22
    -0
      setup.sh
  7. +136
    -0
      sysmon.sh

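--- a/README.md
+++ b/README.md
@@ -0,0 +1,27 @@
+# determined-server-setup (dss)
+
+determined-server-setup is a script that installs needed utilities/software on servers so you don't need to.
+
+# Requirements
+
+# Installation
+
+You can install it by running:
+
+`curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash`
+
+# Usage
+
+This script is in the ALPHA stage. Use at your own risk.
+```
+dss --init # Update your server and install server utilities, setup automatic updates and harden SSH.
+dss --clean # Update the server and cleanup unneeded files and programs. Use with caution.
+dss --log # Print the system log.`
+dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server.
+dss --user USERNAME init # Setup server with server utilities and enable automatic security updates.
+```
+You can run: `dss help` for a list of all commands.
+
+# Automatic Updates
+
+When prompted to setup automatic updates, hit "yes" and when prompted with a text box, replace all references to "Debian" with the name of your distro. If you're running Ubuntu, you should replace all references of Debian with Ubuntu.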

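--- a/VERSION
+++ b/VERSION
@@ -0,0 +1 @@
+1.7.3 Alpha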

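--- a/create-user.bash
+++ b/create-user.bash
@@ -0,0 +1,75 @@
+#!/bin/bash
+# Determined Create User Script v2.0.3
+# Written by AJ Oneal -- edited by Joshua Mudge
+
+# Exit on any error
+set -e
+
+if [ -z "$(which openssl)" ]; then
+echo "ERROR: 'openssl' is not found.";
+echo "Please install openssl. It is used to generate a random password."
+exit 1
+fi
+if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then
+echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config";
+exit 1
+fi
+if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then
+echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config";
+exit 1
+fi
+# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975
+if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then
+echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'";
+exit 1
+fi
+
+
+# exit if there are any unbound variables
+set -u
+
+USER=$1
+USER=$(basename $USER .pub)
+
+# If they try to create root, exit.
+
+if test $USER = "root"
+then
+echo "You cannot create the root user, it already exists."
+exit
+fi
+
+# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith'
+
+# password will be set later in the script
+#adduser --disabled-password --gecos '' $USER
+sudo adduser --disabled-login --gecos '' $USER
+sudo adduser $USER sudo # if sudo is needed
+
+# FAIL before getting here via set -e
+sudo mkdir -p /home/$USER/.ssh
+sudo chmod 700 /home/$USER/.ssh
+sudo touch /home/$USER/.ssh/authorized_keys
+sudo chmod 600 /home/$USER/.ssh/authorized_keys
+
+# PRE-REQ: get the user's ssh public key and store it in whoever.pub
+sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"
+
+sudo chown $USER:$USER /home/$USER
+sudo chown $USER:$USER -R /home/$USER/.ssh/
+
+PASSWD=$(openssl rand -hex 20)
+#echo "$PASSWD" | passwd "$USER" --stdin
+echo "$USER:$PASSWD" | sudo chpasswd
+#echo "The temporary password for '"$USER"' is '"$PASSWD"'"
+sudo passwd -d $USER
+echo "'$USER'" has been added with key-only authentication and a password must be set on first login
+sudo chage -d 0 $USER
+
+# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/
+#
+# Linux
+# date "+%s.%N" | md5sum
+#
+# macOS
+# date "+%s.%N" | md5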
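Review bot: The live check on the `ssh -v -o Batchmode=yes ... 2>/dev/null | grep password` line can never fail, because ssh writes both its `-v` debug output and the `Permission denied (...)` method list to stderr, which is discarded before `grep` sees anything; the script therefore proceeds even when sshd still offers password authentication. Replacing `2>/dev/null` with `2>&1` lets the grep see the advertised methods, ideally matched against the "Authentications that can continue" line rather than any occurrence of "password". Separately, `$1` is used unquoted throughout and is interpolated into `sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"`, so the name is parsed by a root shell; validating it first (for example `[[ $USER =~ ^[a-z_][a-z0-9_-]*$ ]] || exit 1`) and writing the key with `sudo tee -a "/home/$USER/.ssh/authorized_keys" < "$USER.pub" > /dev/null` would remove that. `sudo passwd -d $USER` also discards the random password set two lines earlier and leaves a sudo-group account with an empty password until first login, which deserves at least a comment explaining why that is acceptable on this host.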

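--- a/determined-server-setup.sh
+++ b/determined-server-setup.sh
@@ -0,0 +1,186 @@
+#!/bin/bash
+# determined-server-setup (dss)
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat)
+
+# Get options from CLI arguments
+
+usr=$USER
+init=0
+clean=0
+log=0
+authlog=0
+update=0
+mon=0
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+--init)
+init=1
+shift # past argument
+;;
+--clean)
+clean=1
+shift # past argument
+;;
+--log)
+log=1
+shift # past argument
+;;
+--authlog)
+authlog="$2"
+shift # past argument
+;;
+--user)
+usr="$2"
+shift # past argument
+;;
+--user2)
+user2="$2"
+shift # past argument
+;;
+--user3)
+user3="$2"
+shift # past argument
+;;
+--update)
+update=1
+shift # past argument
+;;
+--monitor)
+mon=1
+shift # past argument
+;;
+--mon-setup)
+mon=2
+shift # past argument
+;;
+--email)
+email=1
+shift # past argument
+;;
+--logfile)
+logfile=1
+shift # past argument
+;;
+blacklist)
+blacklist="$2"
+shift # past argument
+;;
+-h|help)
+echo "dss $version"
+echo "Usage: dss [OPTION]"
+echo "You can run the following commands:"
+echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution."
+echo "dss --log # Print the system log."
+echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
+echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates."
+exit 1
+;;
+-v|version)
+echo "dss $version"
+exit 1
+;;
+*)
+# unknown option
+if test -z "${unknown}"
+then
+unknown=$1
+else
+echo "dss $version"
+echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates."
+exit 1
+fi
+;;
+esac
+shift # past argument or value
+done
+
+if test $init = 1
+then
+# Update server
+sudo apt-get update
+sudo apt-get upgrade -y
+
+# Install server utilities
+sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common
+
+# Prompt user to set up automatic security updates.
+sudo apt-get install -y unattended-upgrades
+sudo dpkg-reconfigure -plow unattended-upgrades
+
+# Harden ssh
+if determined-harden-ssh --user $usr
+then
+echo "dss" | sudo tee /home/.dssv1.7
+else
+"You cannot create root user and disable root login, that won't work... See 'dss help'"
+exit
+fi
+
+elif test $log = 1
+then
+
+sudo cat /var/log/syslog
+
+elif test $authlog = 1
+then
+sudo cat /var/log/auth.log
+
+elif test $authlog = attacks
+then
+sudo cat /var/log/auth.log | grep "Invalid user"
+sudo cat /var/log/auth.log | grep "Connection closed"
+exit
+
+elif test ! -z $blacklist
+then
+echo "Note to self: add blacklist function, empty elif is not allowed in BASH."
+# Blacklist code
+
+elif test $update = 1
+then
+# Update Linux and determined-setup
+sudo apt-get update
+sudo apt-get upgrade
+curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash
+
+elif test $clean = 1
+then
+# Update
+sudo apt-get update
+sudo apt-get upgrade
+
+# Cleanup
+sudo apt-get clean
+sudo apt-get autoremove
+
+elif test $mon = 1
+then
+
+cd /home
+./sysmon.sh -- email $email
+
+elif test $mon = 2
+then
+
+dss init
+curl -sO "https://git.coolaj86.com/josh/raw/master/dss/sysmon.sh"
+sudo mv sysmon.sh /home/.sysmon.sh
+( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab -
+
+else
+echo "dss $version"
+echo "Usage: dss [OPTION]"
+echo "You can run the following commands:"
+echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution."
+echo "dss --log # Print the system log."
+echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
+echo "dss --user USERNAME init # Setup server with server utilities and enable automatic security updates."
+exit 1
+fi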
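Review bot: The `--update` branch pipes `setup.sh` from the repository's `master` branch straight into `bash`, and the scripts it installs land in `/usr/local/bin` via `sudo`, with no pinned revision, checksum or signature check anywhere in the chain. The same pattern appears in `setup.sh` itself, in `harden-server.sh` (the `create-user.bash` download) and in the update block of `sysmon.sh`, which the `--mon-setup` branch means to schedule from root's crontab, so whoever can change that branch or the served content gets code run with root privileges on every host at the next update. I would download to a temporary file, compare it with a digest published alongside a tagged release, and only then install or run it, e.g. `sha256sum -c dss.sha256 && bash setup.sh` (digest file name is a placeholder). Adding `-f` to the `curl` calls would also keep an HTTP error body from being saved and executed.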

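--- a/harden-server.sh
+++ b/harden-server.sh
@@ -0,0 +1,150 @@
+#!/bin/bash
+# Determined SSH Hardening
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+usr=$USER
+version="v1.4.1 Alpha"
+#keyserver=""
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+setup)
+setup=1
+shift # past argument
+;;
+--user)
+usr="$2"
+shift # past argument
+;;
+--user2)
+user2="$2"
+shift # past argument
+;;
+--user3)
+user3="$2"
+shift # past argument
+;;
+--user4)
+user4="$2"
+shift # past argument
+;;
+--user5)
+user5="$2"
+shift # past argument
+;;
+-h|--help)
+echo determined-harden-ssh $version
+echo "Usage: determined-harden-ssh --user USERNAME"
+exit 1
+;;
+*)
+# unknown option
+if [ -z "${user}" ]; then
+echo determined-harden-ssh $version
+echo "No admin user specified."
+echo "Usage: determined-harden-ssh --user USERNAME"
+else
+echo "unrecognized option '$1'"
+exit 1
+fi
+;;
+esac
+shift # past argument or value
+done
+
+if test ! -z $usr
+then
+
+echo "Installing fail2ban and hardening SSH configuration."
+# Install fail2ban
+sudo apt-get install -y fail2ban curl openssh-server > /dev/null
+
+echo "Creating new user by the username $usr"
+
+echo "Disabling password based logins in favor of SSH keys."
+
+# SSH keys only, no passwords.
+
+sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config
+
+mkdir .tssh
+
+cd .tssh
+
+curl -sLO https://git.coolaj86.com/josh/raw/master/dss/create-user.bash
+
+curl -sLO https://$keyserver/$usr.pub
+
+sudo mv create-user.bash /usr/local/bin/determined-create-user
+
+sudo chmod +x /usr/local/bin/determined-create-user
+
+if determined-create-user $usr;
+then
+echo "Setting up non-root admin user(s)"
+else
+echo "User creation failed. Please fix the above error and try again."
+cd ..
+rm -rf .tssh
+exit
+fi
+
+if test ! -z $user2
+then
+
+curl -sLO https://$keyserver/$user2.pub
+
+./create-user.bash $user2
+
+fi
+
+if test ! -z $user3
+then
+
+curl -sLO https://$keyserver/$user3.pub
+
+./create-user.bash $user3
+
+fi
+
+if test ! -z $user4
+then
+
+curl -sLO https://$keyserver/$user4.pub
+
+./create-user.bash $user4
+
+fi
+
+if test ! -z $user5
+then
+
+curl -sLO https://$keyserver/$user5.pub
+
+./create-user.bash $user5
+
+fi
+
+cd ..
+rm -rf .tssh
+
+echo "Disabling root login."
+
+sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config
+sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config
+
+echo "That's it, we're done :)"
+
+else
+
+echo determined-harden-ssh $version
+echo "No admin user specified."
+echo "Usage: ./harden-server.sh --user USERNAME"
+
+fi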
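Review bot: The public keys that become login credentials for sudo-capable accounts are fetched with `curl -sLO https://$keyserver/$usr.pub`, but `keyserver` exists only as a commented-out assignment, curl runs without `-f`, and nothing checks that the downloaded file is a key before `determined-create-user` appends it to `authorized_keys`. An HTTP error page saved as `$usr.pub` would be appended just like a key, and the script then rewrites `PermitRootLogin` to `no`, so a bad download can lock the operator out, and a wrong key source can grant access to an unintended party. I would require the key source explicitly, fetch with `curl -fsSLO`, and validate with `ssh-keygen -l -f "$usr.pub" || exit 1` before any edit to `sshd_config`. The `--user2` to `--user5` branches call `./create-user.bash` after that file was moved to `/usr/local/bin/determined-create-user`, so those accounts are presumably never created, and their exit status is not checked. The `*)` arm also tests `${user}`, which is never assigned (the variable is `usr`).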

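--- a/setup.sh
+++ b/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# Setup for determined-server-setup
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat)
+
+echo "Installing dss $version"
+
+curl -sO https://git.coolaj86.com/josh/raw/master/dss/determined-server-setup.sh
+
+sudo mv determined-server-setup.sh /usr/local/bin/dss
+
+sudo chmod +x /usr/local/bin/dss
+
+curl -sO https://git.coolaj86.com/josh/raw/master/dss/harden-server.sh
+
+sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh
+
+sudo chmod +x /usr/local/bin/determined-harden-ssh
+
+echo "Done. Run 'dss' to use."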
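Review bot: `curl -sO` followed by `sudo mv` leaves `/usr/local/bin/dss` and `/usr/local/bin/determined-harden-ssh` owned by the account that ran the installer (a rename keeps the file's owner), so that unprivileged account keeps write access to scripts that later invoke `sudo`. Installing with `sudo install -o root -g root -m 0755 determined-server-setup.sh /usr/local/bin/dss` (and the same for `harden-server.sh`) sets owner and mode in one step. The script also has no `set -e` and curl has no `-f`, so a failed download or an HTTP error body is still moved into place and the final message reports success; `set -euo pipefail` at the top plus `curl -fsSO` would stop that.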

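--- a/sysmon.sh
+++ b/sysmon.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+# Josh's Automatic System Monitor
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+update=1
+version=v1.5.1a
+alpha=0
+dfh=$(df -h | grep '8[0-9]%')
+dfh2=$(df -h | grep '9[0-9]%')
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+--setup)
+shift # past argument
+setup=1
+;;
+--no-update)
+update=0
+shift # past argument
+;;
+--audit)
+audit=1
+shift # past argument
+;;
+--email)
+email="$2"
+shift # past argument
+;;
+-h|help)
+echo "dss-mon $version"
+echo "Usage: dss --monitor --email user@mailprovider.com"
+exit 1
+;;
+-v|version)
+echo "dss $version"
+exit 1
+;;
+*)
+# unknown option
+if test -z "${unknown}"
+then
+unknown=$1
+else
+echo "dss-mon $version"
+echo "Usage: dss --monitor --email user@mailprovider.com"
+exit 1
+fi
+;;
+esac
+shift # past argument or value
+done
+
+if test $update = 1
+then
+
+sudo apt-get update
+sudo apt-get upgrade
+sudo apt-get install sysstat # Check if installed, then do this
+curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash
+
+fi
+
+# Cleanup
+
+sudo apt-get clean
+
+# Security Audit (Tackled by dss init before setting this up.)
+
+# if test ! -f /home/.dssv1.7
+# then
+#
+# dss init
+#
+# fi
+
+auth=$(sudo cat /var/log/auth.log | grep "Invalid user")
+#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed")
+
+if test $alpha = 1;
+then
+
+sudo apt-get autoremove
+
+fi
+
+# To setup email, point a domain name to your server using DNS.
+# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator)
+# Then run: sudo apt-get install mailutils
+# Open up /etc/hosts and make sure it has:
+# 127.0.1.1 mydomain.com myserverHOSTNAME
+# Select "Internet Site" and enter the domain you want it to send email from.
+# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS
+
+if test ! -z "$auth" # If set to run automatically, don't run this check every time.
+then
+echo "Attacks found. Sending authentication log to $email"
+sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email
+fi
+
+if test ! -z "$dfh"
+then
+echo "Disk usage is high, sending disk usage to $email"
+echo "$dfh" | mail -s "High Disk Usage" $email
+fi
+
+if test ! -z "$dfh2"
+then
+echo "Disk usage is critical, sending disk usage to $email"
+echo "$dfh2" | mail -s "Critical Disk Usage" $email
+fi
+
+for i in {1..300} # Do this 300 times.
+do
+CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow
+CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total.
+done
+CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes.
+
+
+if test $CPURESULT > 90
+then
+echo "CPU usage is quite high, sending report to $email"
+echo "$CPURESULT %" | mail -s "High CPU Usage" $email
+fi
+
+USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}')
+
+if test $USEDRAM > 80
+then
+echo "RAM usage is quite high, sending report to $email"
+echo "$USEDRAM %" | mail -s "High RAM Usage" $email
+fi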
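Review bot: `test $CPURESULT > 90` and `test $USEDRAM > 80` do not compare numbers: `>` is a redirection, so each line creates a file named `90` or `80` in the working directory, and `test` with a single non-empty argument is always true, which means both alert mails go out on every run. Use `if [ "$CPURESULT" -gt 90 ]`, and since `USEDRAM` is printed as a float, have awk emit an integer (`printf("%d", ...)`, as the CPU line already does) before `if [ "$USEDRAM" -gt 80 ]`. An alert that always fires ends up filtered or ignored, so the genuine high-usage case would be missed. `$email` is also passed unquoted to `mail` and is empty unless `--email` was given, so I would quote it and exit early when it is unset.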
