@ -0,0 +1,27 @@ | |||
# determined-server-setup (dss) | |||
determined-server-setup is a script that installs needed utilities/software on servers so you don't need to. | |||
# Requirements | |||
# Installation | |||
You can install it by running: | |||
`curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash` | |||
# Usage | |||
This script is in the ALPHA stage. Use at your own risk. | |||
``` | |||
dss --init # Update your server and install server utilities, setup automatic updates and harden SSH. | |||
dss --clean # Update the server and cleanup unneeded files and programs. Use with caution. | |||
dss --log # Print the system log.` | |||
dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server. | |||
dss --user USERNAME init # Setup server with server utilities and enable automatic security updates. | |||
``` | |||
You can run: `dss help` for a list of all commands. | |||
# Automatic Updates | |||
When prompted to setup automatic updates, hit "yes" and when prompted with a text box, replace all references to "Debian" with the name of your distro. If you're running Ubuntu, you should replace all references of Debian with Ubuntu. |
@ -0,0 +1 @@ | |||
1.7.3 Alpha |
@ -0,0 +1,75 @@ | |||
#!/bin/bash | |||
# Determined Create User Script v2.0.3 | |||
# Written by AJ Oneal -- edited by Joshua Mudge | |||
# Exit on any error | |||
set -e | |||
if [ -z "$(which openssl)" ]; then | |||
echo "ERROR: 'openssl' is not found."; | |||
echo "Please install openssl. It is used to generate a random password." | |||
exit 1 | |||
fi | |||
if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then | |||
echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config"; | |||
exit 1 | |||
fi | |||
if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then | |||
echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config"; | |||
exit 1 | |||
fi | |||
# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975 | |||
if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then | |||
echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'"; | |||
exit 1 | |||
fi | |||
# exit if there are any unbound variables | |||
set -u | |||
USER=$1 | |||
USER=$(basename $USER .pub) | |||
# If they try to create root, exit. | |||
if test $USER = "root" | |||
then | |||
echo "You cannot create the root user, it already exists." | |||
exit | |||
fi | |||
# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith' | |||
# password will be set later in the script | |||
#adduser --disabled-password --gecos '' $USER | |||
sudo adduser --disabled-login --gecos '' $USER | |||
sudo adduser $USER sudo # if sudo is needed | |||
# FAIL before getting here via set -e | |||
sudo mkdir -p /home/$USER/.ssh | |||
sudo chmod 700 /home/$USER/.ssh | |||
sudo touch /home/$USER/.ssh/authorized_keys | |||
sudo chmod 600 /home/$USER/.ssh/authorized_keys | |||
# PRE-REQ: get the user's ssh public key and store it in whoever.pub | |||
sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys" | |||
sudo chown $USER:$USER /home/$USER | |||
sudo chown $USER:$USER -R /home/$USER/.ssh/ | |||
PASSWD=$(openssl rand -hex 20) | |||
#echo "$PASSWD" | passwd "$USER" --stdin | |||
echo "$USER:$PASSWD" | sudo chpasswd | |||
#echo "The temporary password for '"$USER"' is '"$PASSWD"'" | |||
sudo passwd -d $USER | |||
echo "'$USER'" has been added with key-only authentication and a password must be set on first login | |||
sudo chage -d 0 $USER | |||
# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/ | |||
# | |||
# Linux | |||
# date "+%s.%N" | md5sum | |||
# | |||
# macOS | |||
# date "+%s.%N" | md5 |
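Review bot: The runtime check at L42 can never detect password authentication: `ssh -v` writes its debug output to stderr, which `2>/dev/null` discards before `grep password` sees anything, so the guard always passes and the error at L43 is unreachable. Redirect stderr into the pipe instead, `if ssh -v -o BatchMode=yes -o ConnectTimeout=5 DOES_NOT_EXIST@localhost 2>&1 | grep -q password; then`. The static checks at L33 and L37 only grep `/etc/ssh/sshd_config` and miss included files and `Match` blocks; `sudo sshd -T | grep -i '^passwordauthentication no'` reports the effective value. At L67 the username taken from `$1` is interpolated into a root `bash -c` string, so a name containing shell metacharacters is parsed by a second shell; `sudo tee -a -- "/home/$USER/.ssh/authorized_keys" < "$USER.pub" >/dev/null` appends the key without that. L74 then deletes the password just set at L72 for a user placed in the sudo group at L60; whether an empty password is accepted by sudo or console login depends on the PAM `nullok` configuration, so confirm that or keep the generated password and rely on `chage -d 0` alone.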
@ -0,0 +1,186 @@ | |||
#!/bin/bash | |||
# determined-server-setup (dss) | |||
# Written by Josh Mudge | |||
# Ad Mejorem Dei Glorium | |||
version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat) | |||
# Get options from CLI arguments | |||
usr=$USER | |||
init=0 | |||
clean=0 | |||
log=0 | |||
authlog=0 | |||
update=0 | |||
mon=0 | |||
while [[ $# -gt 0 ]] | |||
do | |||
key="$1" | |||
case $key in | |||
--init) | |||
init=1 | |||
shift # past argument | |||
;; | |||
--clean) | |||
clean=1 | |||
shift # past argument | |||
;; | |||
--log) | |||
log=1 | |||
shift # past argument | |||
;; | |||
--authlog) | |||
authlog="$2" | |||
shift # past argument | |||
;; | |||
--user) | |||
usr="$2" | |||
shift # past argument | |||
;; | |||
--user2) | |||
user2="$2" | |||
shift # past argument | |||
;; | |||
--user3) | |||
user3="$2" | |||
shift # past argument | |||
;; | |||
--update) | |||
update=1 | |||
shift # past argument | |||
;; | |||
--monitor) | |||
mon=1 | |||
shift # past argument | |||
;; | |||
--mon-setup) | |||
mon=2 | |||
shift # past argument | |||
;; | |||
--email) | |||
email=1 | |||
shift # past argument | |||
;; | |||
--logfile) | |||
logfile=1 | |||
shift # past argument | |||
;; | |||
blacklist) | |||
blacklist="$2" | |||
shift # past argument | |||
;; | |||
-h|help) | |||
echo "dss $version" | |||
echo "Usage: dss [OPTION]" | |||
echo "You can run the following commands:" | |||
echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." | |||
echo "dss --log # Print the system log." | |||
echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server." | |||
echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." | |||
exit 1 | |||
;; | |||
-v|version) | |||
echo "dss $version" | |||
exit 1 | |||
;; | |||
*) | |||
# unknown option | |||
if test -z "${unknown}" | |||
then | |||
unknown=$1 | |||
else | |||
echo "dss $version" | |||
echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." | |||
exit 1 | |||
fi | |||
;; | |||
esac | |||
shift # past argument or value | |||
done | |||
if test $init = 1 | |||
then | |||
# Update server | |||
sudo apt-get update | |||
sudo apt-get upgrade -y | |||
# Install server utilities | |||
sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common | |||
# Prompt user to set up automatic security updates. | |||
sudo apt-get install -y unattended-upgrades | |||
sudo dpkg-reconfigure -plow unattended-upgrades | |||
# Harden ssh | |||
if determined-harden-ssh --user $usr | |||
then | |||
echo "dss" | sudo tee /home/.dssv1.7 | |||
else | |||
"You cannot create root user and disable root login, that won't work... See 'dss help'" | |||
exit | |||
fi | |||
elif test $log = 1 | |||
then | |||
sudo cat /var/log/syslog | |||
elif test $authlog = 1 | |||
then | |||
sudo cat /var/log/auth.log | |||
elif test $authlog = attacks | |||
then | |||
sudo cat /var/log/auth.log | grep "Invalid user" | |||
sudo cat /var/log/auth.log | grep "Connection closed" | |||
exit | |||
elif test ! -z $blacklist | |||
then | |||
echo "Note to self: add blacklist function, empty elif is not allowed in BASH." | |||
# Blacklist code | |||
elif test $update = 1 | |||
then | |||
# Update Linux and determined-setup | |||
sudo apt-get update | |||
sudo apt-get upgrade | |||
curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash | |||
elif test $clean = 1 | |||
then | |||
# Update | |||
sudo apt-get update | |||
sudo apt-get upgrade | |||
# Cleanup | |||
sudo apt-get clean | |||
sudo apt-get autoremove | |||
elif test $mon = 1 | |||
then | |||
cd /home | |||
./sysmon.sh -- email $email | |||
elif test $mon = 2 | |||
then | |||
dss init | |||
curl -sO "https://git.coolaj86.com/josh/raw/master/dss/sysmon.sh" | |||
sudo mv sysmon.sh /home/.sysmon.sh | |||
( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab - | |||
else | |||
echo "dss $version" | |||
echo "Usage: dss [OPTION]" | |||
echo "You can run the following commands:" | |||
echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." | |||
echo "dss --log # Print the system log." | |||
echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server." | |||
echo "dss --user USERNAME init # Setup server with server utilities and enable automatic security updates." | |||
exit 1 | |||
fi |
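Review bot: The failure branch at L197 is a bare string rather than an `echo`, so bash tries to execute the message as a command, and the crontab line at L238 is broken by its nested double quotes while `&> "$logfile"` sends the echo into a file named `1` (the value `--logfile` assigns at L147) instead of into the crontab. Likewise `--email` at L143 stores the literal `1` rather than `$2`, so the address handed to sysmon at L232 and L238 is never a mailbox; the option should read `email="$2"` and the cron entry should be written with a single quoting level, `echo "14 1 * * * /bin/bash /home/.sysmon.sh --email $email"`. The self-update at L220 pipes `curl -s` straight into `bash` without `-f`, so an HTTP error body or a truncated download is executed by a script that calls `sudo`; use `curl -fsSL` and treat a non-zero status as fatal, and consider verifying a checksum of the fetched script before running it (the version fetch at L89 has the same problem and runs a network request on every invocation, yielding an empty version on failure). `--monitor` at L231 runs `./sysmon.sh` from `/home`, but `--mon-setup` installs the file as `/home/.sysmon.sh` at L237, so the two paths do not match.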
@ -0,0 +1,150 @@ | |||
#!/bin/bash | |||
# Determined SSH Hardening | |||
# Written by Josh Mudge | |||
# Ad Mejorem Dei Glorium | |||
usr=$USER | |||
version="v1.4.1 Alpha" | |||
#keyserver="" | |||
while [[ $# -gt 0 ]] | |||
do | |||
key="$1" | |||
case $key in | |||
setup) | |||
setup=1 | |||
shift # past argument | |||
;; | |||
--user) | |||
usr="$2" | |||
shift # past argument | |||
;; | |||
--user2) | |||
user2="$2" | |||
shift # past argument | |||
;; | |||
--user3) | |||
user3="$2" | |||
shift # past argument | |||
;; | |||
--user4) | |||
user4="$2" | |||
shift # past argument | |||
;; | |||
--user5) | |||
user5="$2" | |||
shift # past argument | |||
;; | |||
-h|--help) | |||
echo determined-harden-ssh $version | |||
echo "Usage: determined-harden-ssh --user USERNAME" | |||
exit 1 | |||
;; | |||
*) | |||
# unknown option | |||
if [ -z "${user}" ]; then | |||
echo determined-harden-ssh $version | |||
echo "No admin user specified." | |||
echo "Usage: determined-harden-ssh --user USERNAME" | |||
else | |||
echo "unrecognized option '$1'" | |||
exit 1 | |||
fi | |||
;; | |||
esac | |||
shift # past argument or value | |||
done | |||
if test ! -z $usr | |||
then | |||
echo "Installing fail2ban and hardening SSH configuration." | |||
# Install fail2ban | |||
sudo apt-get install -y fail2ban curl openssh-server > /dev/null | |||
echo "Creating new user by the username $usr" | |||
echo "Disabling password based logins in favor of SSH keys." | |||
# SSH keys only, no passwords. | |||
sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config | |||
sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config | |||
sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config | |||
mkdir .tssh | |||
cd .tssh | |||
curl -sLO https://git.coolaj86.com/josh/raw/master/dss/create-user.bash | |||
curl -sLO https://$keyserver/$usr.pub | |||
sudo mv create-user.bash /usr/local/bin/determined-create-user | |||
sudo chmod +x /usr/local/bin/determined-create-user | |||
if determined-create-user $usr; | |||
then | |||
echo "Setting up non-root admin user(s)" | |||
else | |||
echo "User creation failed. Please fix the above error and try again." | |||
cd .. | |||
rm -rf .tssh | |||
exit | |||
fi | |||
if test ! -z $user2 | |||
then | |||
curl -sLO https://$keyserver/$user2.pub | |||
./create-user.bash $user2 | |||
fi | |||
if test ! -z $user3 | |||
then | |||
curl -sLO https://$keyserver/$user3.pub | |||
./create-user.bash $user3 | |||
fi | |||
if test ! -z $user4 | |||
then | |||
curl -sLO https://$keyserver/$user4.pub | |||
./create-user.bash $user4 | |||
fi | |||
if test ! -z $user5 | |||
then | |||
curl -sLO https://$keyserver/$user5.pub | |||
./create-user.bash $user5 | |||
fi | |||
cd .. | |||
rm -rf .tssh | |||
echo "Disabling root login." | |||
sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config | |||
sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config | |||
echo "That's it, we're done :)" | |||
else | |||
echo determined-harden-ssh $version | |||
echo "No admin user specified." | |||
echo "Usage: ./harden-server.sh --user USERNAME" | |||
fi |
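Review bot: `keyserver` is commented out at L256 but still expanded at L318, L332, L337, L342 and L347, so each key download goes to `https:///NAME.pub` and, with `curl -s` and no `-f`, fails silently; the later `cat $USER.pub` in create-user then aborts after `sshd_config` has already been edited at L312–L314. Define the key source explicitly, for example `: "${keyserver:?set keyserver to the host serving the .pub files}"`, and fetch with `curl -fsSLO -- "https://$keyserver/$usr.pub" || exit 1`. The unknown-option branch at L292 tests `${user}`, which is never assigned (the variable is `usr`), so unrecognized arguments print the usage text and the loop continues instead of exiting. L333, L338, L343 and L348 call `./create-user.bash`, but that file was moved to `/usr/local/bin/determined-create-user` at L319, so users 2–5 are never created. Nothing reloads sshd after the edits at L312–L314 and L353–L354, so root login and password authentication stay enabled until the next restart; add `sudo systemctl reload ssh` after the final sed.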
@ -0,0 +1,22 @@ | |||
#!/bin/bash | |||
# Setup for determined-server-setup | |||
# Written by Josh Mudge | |||
# Ad Mejorem Dei Glorium | |||
version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat) | |||
echo "Installing dss $version" | |||
curl -sO https://git.coolaj86.com/josh/raw/master/dss/determined-server-setup.sh | |||
sudo mv determined-server-setup.sh /usr/local/bin/dss | |||
sudo chmod +x /usr/local/bin/dss | |||
curl -sO https://git.coolaj86.com/josh/raw/master/dss/harden-server.sh | |||
sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh | |||
sudo chmod +x /usr/local/bin/determined-harden-ssh | |||
echo "Done. Run 'dss' to use." |
@ -0,0 +1,136 @@ | |||
#!/bin/bash | |||
# Josh's Automatic System Monitor | |||
# Written by Josh Mudge | |||
# Ad Mejorem Dei Glorium | |||
update=1 | |||
version=v1.5.1a | |||
alpha=0 | |||
dfh=$(df -h | grep '8[0-9]%') | |||
dfh2=$(df -h | grep '9[0-9]%') | |||
while [[ $# -gt 0 ]] | |||
do | |||
key="$1" | |||
case $key in | |||
--setup) | |||
shift # past argument | |||
setup=1 | |||
;; | |||
--no-update) | |||
update=0 | |||
shift # past argument | |||
;; | |||
--audit) | |||
audit=1 | |||
shift # past argument | |||
;; | |||
--email) | |||
email="$2" | |||
shift # past argument | |||
;; | |||
-h|help) | |||
echo "dss-mon $version" | |||
echo "Usage: dss --monitor --email user@mailprovider.com" | |||
exit 1 | |||
;; | |||
-v|version) | |||
echo "dss $version" | |||
exit 1 | |||
;; | |||
*) | |||
# unknown option | |||
if test -z "${unknown}" | |||
then | |||
unknown=$1 | |||
else | |||
echo "dss-mon $version" | |||
echo "Usage: dss --monitor --email user@mailprovider.com" | |||
exit 1 | |||
fi | |||
;; | |||
esac | |||
shift # past argument or value | |||
done | |||
if test $update = 1 | |||
then | |||
sudo apt-get update | |||
sudo apt-get upgrade | |||
sudo apt-get install sysstat # Check if installed, then do this | |||
curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash | |||
fi | |||
# Cleanup | |||
sudo apt-get clean | |||
# Security Audit (Tackled by dss init before setting this up.) | |||
# if test ! -f /home/.dssv1.7 | |||
# then | |||
# | |||
# dss init | |||
# | |||
# fi | |||
auth=$(sudo cat /var/log/auth.log | grep "Invalid user") | |||
#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed") | |||
if test $alpha = 1; | |||
then | |||
sudo apt-get autoremove | |||
fi | |||
# To setup email, point a domain name to your server using DNS. | |||
# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator) | |||
# Then run: sudo apt-get install mailutils | |||
# Open up /etc/hosts and make sure it has: | |||
# 127.0.1.1 mydomain.com myserverHOSTNAME | |||
# Select "Internet Site" and enter the domain you want it to send email from. | |||
# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS | |||
if test ! -z "$auth" # If set to run automatically, don't run this check every time. | |||
then | |||
echo "Attacks found. Sending authentication log to $email" | |||
sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email | |||
fi | |||
if test ! -z "$dfh" | |||
then | |||
echo "Disk usage is high, sending disk usage to $email" | |||
echo "$dfh" | mail -s "High Disk Usage" $email | |||
fi | |||
if test ! -z "$dfh2" | |||
then | |||
echo "Disk usage is critical, sending disk usage to $email" | |||
echo "$dfh2" | mail -s "Critical Disk Usage" $email | |||
fi | |||
for i in {1..300} # Do this 300 times. | |||
do | |||
CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow | |||
CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total. | |||
done | |||
CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes. | |||
if test $CPURESULT > 90 | |||
then | |||
echo "CPU usage is quite high, sending report to $email" | |||
echo "$CPURESULT %" | mail -s "High CPU Usage" $email | |||
fi | |||
USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}') | |||
if test $USEDRAM > 80 | |||
then | |||
echo "RAM usage is quite high, sending report to $email" | |||
echo "$USEDRAM %" | mail -s "High RAM Usage" $email | |||
fi |
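Review bot: `test $CPURESULT > 90` at L478 and `test $USEDRAM > 80` at L484 are not comparisons: `>` is a shell redirection, so each creates a file named `90` or `80` in the current directory and the one-argument `test` succeeds for any non-empty value, making both alerts fire on every run. Use `if (( CPURESULT > 90 )); then` for the integer, and for the floating-point RAM figure `if awk -v u="$USEDRAM" 'BEGIN { exit !(u > 80) }'; then`. The loop at L472–L476 samples `mpstat 1 1` 300 times, which takes about five minutes per run while the comment at L474 says ten seconds, and when `mpstat` is absent (sysstat is only installed on the `update=1` path at L432) `$CPU` is empty and the arithmetic at L475 fails with a syntax error. `$email` is unquoted in every `mail` call (L460, L465, L470, L481, L487) and comes straight from the command line; quote it as `"$email"`. The header reports 136 lines but fewer are shown, so the file may continue past the `fi` at L488.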