Josh Mudge
5 years ago
commit
68db3b59f9
7 changed files with 597 additions and 0 deletions
@ -0,0 +1,27 @@ |
|||
# determined-server-setup (dss) |
|||
|
|||
determined-server-setup is a script that installs needed utilities/software on servers so you don't need to. |
|||
|
|||
# Requirements |
|||
|
|||
# Installation |
|||
|
|||
You can install it by running: |
|||
|
|||
`curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash` |
|||
|
|||
# Usage |
|||
|
|||
This script is in the ALPHA stage. Use at your own risk. |
|||
``` |
|||
dss --init # Update your server and install server utilities, setup automatic updates and harden SSH. |
|||
dss --clean # Update the server and cleanup unneeded files and programs. Use with caution. |
|||
dss --log # Print the system log.` |
|||
dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server. |
|||
dss --user USERNAME init # Setup server with server utilities and enable automatic security updates. |
|||
``` |
|||
You can run: `dss help` for a list of all commands. |
|||
|
|||
# Automatic Updates |
|||
|
|||
When prompted to setup automatic updates, hit "yes" and when prompted with a text box, replace all references to "Debian" with the name of your distro. If you're running Ubuntu, you should replace all references of Debian with Ubuntu. |
@ -0,0 +1 @@ |
|||
1.7.3 Alpha |
@ -0,0 +1,75 @@ |
|||
#!/bin/bash |
|||
# Determined Create User Script v2.0.3 |
|||
# Written by AJ Oneal -- edited by Joshua Mudge |
|||
|
|||
# Exit on any error |
|||
set -e |
|||
|
|||
if [ -z "$(which openssl)" ]; then |
|||
echo "ERROR: 'openssl' is not found."; |
|||
echo "Please install openssl. It is used to generate a random password." |
|||
exit 1 |
|||
fi |
|||
if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then |
|||
echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config"; |
|||
exit 1 |
|||
fi |
|||
if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then |
|||
echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config"; |
|||
exit 1 |
|||
fi |
|||
# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975 |
|||
if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then |
|||
echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'"; |
|||
exit 1 |
|||
fi |
|||
|
|||
|
|||
# exit if there are any unbound variables |
|||
set -u |
|||
|
|||
USER=$1 |
|||
USER=$(basename $USER .pub) |
|||
|
|||
# If they try to create root, exit. |
|||
|
|||
if test $USER = "root" |
|||
then |
|||
echo "You cannot create the root user, it already exists." |
|||
exit |
|||
fi |
|||
|
|||
# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith' |
|||
|
|||
# password will be set later in the script |
|||
#adduser --disabled-password --gecos '' $USER |
|||
sudo adduser --disabled-login --gecos '' $USER |
|||
sudo adduser $USER sudo # if sudo is needed |
|||
|
|||
# FAIL before getting here via set -e |
|||
sudo mkdir -p /home/$USER/.ssh |
|||
sudo chmod 700 /home/$USER/.ssh |
|||
sudo touch /home/$USER/.ssh/authorized_keys |
|||
sudo chmod 600 /home/$USER/.ssh/authorized_keys |
|||
|
|||
# PRE-REQ: get the user's ssh public key and store it in whoever.pub |
|||
sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys" |
|||
|
|||
sudo chown $USER:$USER /home/$USER |
|||
sudo chown $USER:$USER -R /home/$USER/.ssh/ |
|||
|
|||
PASSWD=$(openssl rand -hex 20) |
|||
#echo "$PASSWD" | passwd "$USER" --stdin |
|||
echo "$USER:$PASSWD" | sudo chpasswd |
|||
#echo "The temporary password for '"$USER"' is '"$PASSWD"'" |
|||
sudo passwd -d $USER |
|||
echo "'$USER'" has been added with key-only authentication and a password must be set on first login |
|||
sudo chage -d 0 $USER |
|||
|
|||
# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/ |
|||
# |
|||
# Linux |
|||
# date "+%s.%N" | md5sum |
|||
# |
|||
# macOS |
|||
# date "+%s.%N" | md5 |
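Review bot: The probe `ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password` can never fire, because `ssh -v` writes its debug output to stderr and the `2>/dev/null` discards it before `grep` sees anything, so the script proceeds even when the running sshd still accepts passwords; use `if ssh -v -o BatchMode=yes DOES_NOT_EXIST@localhost 2>&1 >/dev/null | grep -qi password; then`. The username taken from `$1` is also interpolated unquoted into a shell command string at `sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"`, so a name containing shell metacharacters is executed rather than treated as data; `sudo tee -a -- "/home/$USER/.ssh/authorized_keys" < "$USER.pub" >/dev/null` avoids building a command line, and the remaining bare `$USER` expansions should be quoted for the same reason. Note too that `sudo passwd -d $USER` immediately discards the random password just set by `chpasswd`, leaving a sudo-capable account with an empty password field until the first-login change forced by `chage -d 0`; whether any local PAM service accepts that empty password depends on the host's `nullok` configuration, which the script does not check.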
@ -0,0 +1,186 @@ |
|||
#!/bin/bash |
|||
# determined-server-setup (dss) |
|||
# Written by Josh Mudge |
|||
# Ad Mejorem Dei Glorium |
|||
|
|||
version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat) |
|||
|
|||
# Get options from CLI arguments |
|||
|
|||
usr=$USER |
|||
init=0 |
|||
clean=0 |
|||
log=0 |
|||
authlog=0 |
|||
update=0 |
|||
mon=0 |
|||
|
|||
while [[ $# -gt 0 ]] |
|||
do |
|||
key="$1" |
|||
|
|||
case $key in |
|||
--init) |
|||
init=1 |
|||
shift # past argument |
|||
;; |
|||
--clean) |
|||
clean=1 |
|||
shift # past argument |
|||
;; |
|||
--log) |
|||
log=1 |
|||
shift # past argument |
|||
;; |
|||
--authlog) |
|||
authlog="$2" |
|||
shift # past argument |
|||
;; |
|||
--user) |
|||
usr="$2" |
|||
shift # past argument |
|||
;; |
|||
--user2) |
|||
user2="$2" |
|||
shift # past argument |
|||
;; |
|||
--user3) |
|||
user3="$2" |
|||
shift # past argument |
|||
;; |
|||
--update) |
|||
update=1 |
|||
shift # past argument |
|||
;; |
|||
--monitor) |
|||
mon=1 |
|||
shift # past argument |
|||
;; |
|||
--mon-setup) |
|||
mon=2 |
|||
shift # past argument |
|||
;; |
|||
--email) |
|||
email=1 |
|||
shift # past argument |
|||
;; |
|||
--logfile) |
|||
logfile=1 |
|||
shift # past argument |
|||
;; |
|||
blacklist) |
|||
blacklist="$2" |
|||
shift # past argument |
|||
;; |
|||
-h|help) |
|||
echo "dss $version" |
|||
echo "Usage: dss [OPTION]" |
|||
echo "You can run the following commands:" |
|||
echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." |
|||
echo "dss --log # Print the system log." |
|||
echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server." |
|||
echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." |
|||
exit 1 |
|||
;; |
|||
-v|version) |
|||
echo "dss $version" |
|||
exit 1 |
|||
;; |
|||
*) |
|||
# unknown option |
|||
if test -z "${unknown}" |
|||
then |
|||
unknown=$1 |
|||
else |
|||
echo "dss $version" |
|||
echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." |
|||
exit 1 |
|||
fi |
|||
;; |
|||
esac |
|||
shift # past argument or value |
|||
done |
|||
|
|||
if test $init = 1 |
|||
then |
|||
# Update server |
|||
sudo apt-get update |
|||
sudo apt-get upgrade -y |
|||
|
|||
# Install server utilities |
|||
sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common |
|||
|
|||
# Prompt user to set up automatic security updates. |
|||
sudo apt-get install -y unattended-upgrades |
|||
sudo dpkg-reconfigure -plow unattended-upgrades |
|||
|
|||
# Harden ssh |
|||
if determined-harden-ssh --user $usr |
|||
then |
|||
echo "dss" | sudo tee /home/.dssv1.7 |
|||
else |
|||
"You cannot create root user and disable root login, that won't work... See 'dss help'" |
|||
exit |
|||
fi |
|||
|
|||
elif test $log = 1 |
|||
then |
|||
|
|||
sudo cat /var/log/syslog |
|||
|
|||
elif test $authlog = 1 |
|||
then |
|||
sudo cat /var/log/auth.log |
|||
|
|||
elif test $authlog = attacks |
|||
then |
|||
sudo cat /var/log/auth.log | grep "Invalid user" |
|||
sudo cat /var/log/auth.log | grep "Connection closed" |
|||
exit |
|||
|
|||
elif test ! -z $blacklist |
|||
then |
|||
echo "Note to self: add blacklist function, empty elif is not allowed in BASH." |
|||
# Blacklist code |
|||
|
|||
elif test $update = 1 |
|||
then |
|||
# Update Linux and determined-setup |
|||
sudo apt-get update |
|||
sudo apt-get upgrade |
|||
curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash |
|||
|
|||
elif test $clean = 1 |
|||
then |
|||
# Update |
|||
sudo apt-get update |
|||
sudo apt-get upgrade |
|||
|
|||
# Cleanup |
|||
sudo apt-get clean |
|||
sudo apt-get autoremove |
|||
|
|||
elif test $mon = 1 |
|||
then |
|||
|
|||
cd /home |
|||
./sysmon.sh -- email $email |
|||
|
|||
elif test $mon = 2 |
|||
then |
|||
|
|||
dss init |
|||
curl -sO "https://git.coolaj86.com/josh/raw/master/dss/sysmon.sh" |
|||
sudo mv sysmon.sh /home/.sysmon.sh |
|||
( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab - |
|||
|
|||
else |
|||
echo "dss $version" |
|||
echo "Usage: dss [OPTION]" |
|||
echo "You can run the following commands:" |
|||
echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." |
|||
echo "dss --log # Print the system log." |
|||
echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server." |
|||
echo "dss --user USERNAME init # Setup server with server utilities and enable automatic security updates." |
|||
exit 1 |
|||
fi |
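Review bot: The failure branch of `if determined-harden-ssh --user $usr` is missing its `echo`: `"You cannot create root user and disable root login, that won't work... See 'dss help'"` is a bare string, so bash tries to execute the message as a command name and prints "command not found" instead of the message; make it `echo "You cannot create root user and disable root login, that won't work... See 'dss help'" >&2` followed by `exit 1`. In the `--mon-setup` branch the inner double quotes in `echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile"` close the string early, and the `&> "$logfile"` sends the echoed entry into a file named after `$logfile` (which the `--logfile` flag sets to `1`) instead of into `crontab -`, while `--email` likewise sets `email=1` rather than taking an address. That branch also calls `dss init`, but the parser only recognises `--init`, so the bare word lands in the unknown-option path and the call ends in the usage text. Finally, `version=$(curl -s ... | cat)` performs an unchecked network fetch on every invocation, including `dss help`, and yields an empty version when offline; a local fallback constant would avoid both the latency and the blank output.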
@ -0,0 +1,150 @@ |
|||
#!/bin/bash |
|||
# Determined SSH Hardening |
|||
# Written by Josh Mudge |
|||
# Ad Mejorem Dei Glorium |
|||
|
|||
usr=$USER |
|||
version="v1.4.1 Alpha" |
|||
#keyserver="" |
|||
|
|||
while [[ $# -gt 0 ]] |
|||
do |
|||
key="$1" |
|||
|
|||
case $key in |
|||
setup) |
|||
setup=1 |
|||
shift # past argument |
|||
;; |
|||
--user) |
|||
usr="$2" |
|||
shift # past argument |
|||
;; |
|||
--user2) |
|||
user2="$2" |
|||
shift # past argument |
|||
;; |
|||
--user3) |
|||
user3="$2" |
|||
shift # past argument |
|||
;; |
|||
--user4) |
|||
user4="$2" |
|||
shift # past argument |
|||
;; |
|||
--user5) |
|||
user5="$2" |
|||
shift # past argument |
|||
;; |
|||
-h|--help) |
|||
echo determined-harden-ssh $version |
|||
echo "Usage: determined-harden-ssh --user USERNAME" |
|||
exit 1 |
|||
;; |
|||
*) |
|||
# unknown option |
|||
if [ -z "${user}" ]; then |
|||
echo determined-harden-ssh $version |
|||
echo "No admin user specified." |
|||
echo "Usage: determined-harden-ssh --user USERNAME" |
|||
else |
|||
echo "unrecognized option '$1'" |
|||
exit 1 |
|||
fi |
|||
;; |
|||
esac |
|||
shift # past argument or value |
|||
done |
|||
|
|||
if test ! -z $usr |
|||
then |
|||
|
|||
echo "Installing fail2ban and hardening SSH configuration." |
|||
# Install fail2ban |
|||
sudo apt-get install -y fail2ban curl openssh-server > /dev/null |
|||
|
|||
echo "Creating new user by the username $usr" |
|||
|
|||
echo "Disabling password based logins in favor of SSH keys." |
|||
|
|||
# SSH keys only, no passwords. |
|||
|
|||
sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config |
|||
sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config |
|||
sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config |
|||
|
|||
mkdir .tssh |
|||
|
|||
cd .tssh |
|||
|
|||
curl -sLO https://git.coolaj86.com/josh/raw/master/dss/create-user.bash |
|||
|
|||
curl -sLO https://$keyserver/$usr.pub |
|||
|
|||
sudo mv create-user.bash /usr/local/bin/determined-create-user |
|||
|
|||
sudo chmod +x /usr/local/bin/determined-create-user |
|||
|
|||
if determined-create-user $usr; |
|||
then |
|||
echo "Setting up non-root admin user(s)" |
|||
else |
|||
echo "User creation failed. Please fix the above error and try again." |
|||
cd .. |
|||
rm -rf .tssh |
|||
exit |
|||
fi |
|||
|
|||
if test ! -z $user2 |
|||
then |
|||
|
|||
curl -sLO https://$keyserver/$user2.pub |
|||
|
|||
./create-user.bash $user2 |
|||
|
|||
fi |
|||
|
|||
if test ! -z $user3 |
|||
then |
|||
|
|||
curl -sLO https://$keyserver/$user3.pub |
|||
|
|||
./create-user.bash $user3 |
|||
|
|||
fi |
|||
|
|||
if test ! -z $user4 |
|||
then |
|||
|
|||
curl -sLO https://$keyserver/$user4.pub |
|||
|
|||
./create-user.bash $user4 |
|||
|
|||
fi |
|||
|
|||
if test ! -z $user5 |
|||
then |
|||
|
|||
curl -sLO https://$keyserver/$user5.pub |
|||
|
|||
./create-user.bash $user5 |
|||
|
|||
fi |
|||
|
|||
cd .. |
|||
rm -rf .tssh |
|||
|
|||
echo "Disabling root login." |
|||
|
|||
sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config |
|||
sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config |
|||
|
|||
echo "That's it, we're done :)" |
|||
|
|||
else |
|||
|
|||
echo determined-harden-ssh $version |
|||
echo "No admin user specified." |
|||
echo "Usage: ./harden-server.sh --user USERNAME" |
|||
|
|||
fi |
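Review bot: `keyserver` exists only as the commented-out `#keyserver=""`, so every `curl -sLO https://$keyserver/$usr.pub` expands to `https:///USER.pub`; with `-s` and no `-f` that fails silently and `determined-create-user $usr` then runs against a key file that was never downloaded. Restore the assignment (or take it from an option) and use `curl -fsSLO "https://$keyserver/$usr.pub" || exit 1` so a missing key stops the run. The unknown-option arm tests `${user}` while the admin user is stored in `usr`, so an unrecognised argument never reaches the `exit 1` branch and parsing silently continues. The extra users are created with `./create-user.bash $user2` (and `$user3`..`$user5`) after that file has already been moved to `/usr/local/bin/determined-create-user`, so those calls cannot succeed. Because the `sed` edits to `/etc/ssh/sshd_config` are never followed by a reload, the running sshd keeps accepting passwords and root logins until `sudo service ssh restart` (the remedy create-user's own message suggests) is run; the script should restart the service after the final `PermitRootLogin no` edit and check its exit status.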
@ -0,0 +1,22 @@ |
|||
#!/bin/bash |
|||
# Setup for determined-server-setup |
|||
# Written by Josh Mudge |
|||
# Ad Mejorem Dei Glorium |
|||
|
|||
version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat) |
|||
|
|||
echo "Installing dss $version" |
|||
|
|||
curl -sO https://git.coolaj86.com/josh/raw/master/dss/determined-server-setup.sh |
|||
|
|||
sudo mv determined-server-setup.sh /usr/local/bin/dss |
|||
|
|||
sudo chmod +x /usr/local/bin/dss |
|||
|
|||
curl -sO https://git.coolaj86.com/josh/raw/master/dss/harden-server.sh |
|||
|
|||
sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh |
|||
|
|||
sudo chmod +x /usr/local/bin/determined-harden-ssh |
|||
|
|||
echo "Done. Run 'dss' to use." |
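Review bot: Neither `curl -sO` download is checked, so when the fetch fails or the server returns an error page the following `sudo mv` either aborts or installs the error body as the executable `/usr/local/bin/dss`; use `curl -fsSLO <url> || { echo "download failed" >&2; exit 1; }` (and `set -e` at the top) so a failed download stops the install instead of leaving a broken or wrong file in PATH. The installer also places whatever came over the wire into PATH with no integrity check; publishing a checksum alongside VERSION and verifying it with `sha256sum -c` before the `mv` would let users detect a truncated or tampered download.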
@ -0,0 +1,136 @@ |
|||
#!/bin/bash |
|||
# Josh's Automatic System Monitor |
|||
# Written by Josh Mudge |
|||
# Ad Mejorem Dei Glorium |
|||
|
|||
update=1 |
|||
version=v1.5.1a |
|||
alpha=0 |
|||
dfh=$(df -h | grep '8[0-9]%') |
|||
dfh2=$(df -h | grep '9[0-9]%') |
|||
|
|||
while [[ $# -gt 0 ]] |
|||
do |
|||
key="$1" |
|||
|
|||
case $key in |
|||
--setup) |
|||
shift # past argument |
|||
setup=1 |
|||
;; |
|||
--no-update) |
|||
update=0 |
|||
shift # past argument |
|||
;; |
|||
--audit) |
|||
audit=1 |
|||
shift # past argument |
|||
;; |
|||
--email) |
|||
email="$2" |
|||
shift # past argument |
|||
;; |
|||
-h|help) |
|||
echo "dss-mon $version" |
|||
echo "Usage: dss --monitor --email user@mailprovider.com" |
|||
exit 1 |
|||
;; |
|||
-v|version) |
|||
echo "dss $version" |
|||
exit 1 |
|||
;; |
|||
*) |
|||
# unknown option |
|||
if test -z "${unknown}" |
|||
then |
|||
unknown=$1 |
|||
else |
|||
echo "dss-mon $version" |
|||
echo "Usage: dss --monitor --email user@mailprovider.com" |
|||
exit 1 |
|||
fi |
|||
;; |
|||
esac |
|||
shift # past argument or value |
|||
done |
|||
|
|||
if test $update = 1 |
|||
then |
|||
|
|||
sudo apt-get update |
|||
sudo apt-get upgrade |
|||
sudo apt-get install sysstat # Check if installed, then do this |
|||
curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash |
|||
|
|||
fi |
|||
|
|||
# Cleanup |
|||
|
|||
sudo apt-get clean |
|||
|
|||
# Security Audit (Tackled by dss init before setting this up.) |
|||
|
|||
# if test ! -f /home/.dssv1.7 |
|||
# then |
|||
# |
|||
# dss init |
|||
# |
|||
# fi |
|||
|
|||
auth=$(sudo cat /var/log/auth.log | grep "Invalid user") |
|||
#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed") |
|||
|
|||
if test $alpha = 1; |
|||
then |
|||
|
|||
sudo apt-get autoremove |
|||
|
|||
fi |
|||
|
|||
# To setup email, point a domain name to your server using DNS. |
|||
# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator) |
|||
# Then run: sudo apt-get install mailutils |
|||
# Open up /etc/hosts and make sure it has: |
|||
# 127.0.1.1 mydomain.com myserverHOSTNAME |
|||
# Select "Internet Site" and enter the domain you want it to send email from. |
|||
# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS |
|||
|
|||
if test ! -z "$auth" # If set to run automatically, don't run this check every time. |
|||
then |
|||
echo "Attacks found. Sending authentication log to $email" |
|||
sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email |
|||
fi |
|||
|
|||
if test ! -z "$dfh" |
|||
then |
|||
echo "Disk usage is high, sending disk usage to $email" |
|||
echo "$dfh" | mail -s "High Disk Usage" $email |
|||
fi |
|||
|
|||
if test ! -z "$dfh2" |
|||
then |
|||
echo "Disk usage is critical, sending disk usage to $email" |
|||
echo "$dfh2" | mail -s "Critical Disk Usage" $email |
|||
fi |
|||
|
|||
for i in {1..300} # Do this 300 times. |
|||
do |
|||
CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow |
|||
CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total. |
|||
done |
|||
CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes. |
|||
|
|||
|
|||
if test $CPURESULT > 90 |
|||
then |
|||
echo "CPU usage is quite high, sending report to $email" |
|||
echo "$CPURESULT %" | mail -s "High CPU Usage" $email |
|||
fi |
|||
|
|||
USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}') |
|||
|
|||
if test $USEDRAM > 80 |
|||
then |
|||
echo "RAM usage is quite high, sending report to $email" |
|||
echo "$USEDRAM %" | mail -s "High RAM Usage" $email |
|||
fi |
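Review bot: `if test $CPURESULT > 90` and `if test $USEDRAM > 80` are not comparisons: `>` is parsed as a redirection, so each run creates a file named `90` or `80` in the working directory and `test` with a single non-empty argument is always true, meaning both alert emails are sent on every run regardless of load. Use `if [ "$CPURESULT" -gt 90 ]` for the integer, and since `USEDRAM` is a float from awk, `if awk -v u="$USEDRAM" 'BEGIN { exit !(u > 80) }'` (or truncate first with `${USEDRAM%.*}`) for the RAM check. `CPUT` is never initialised before the loop and only works because bash treats an empty string as 0 in arithmetic; `CPUT=0` before `for i in {1..300}` makes the intent explicit. `$email` is unquoted on every `mail -s ... $email` line and, when this script is invoked from `dss --monitor`, arrives as `1` rather than an address, so the alerts are addressed to a local user named `1`.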