
Forked from daplie-snippets

master
Josh Mudge 9 months ago
commit
68db3b59f9
7 changed files with 597 additions and 0 deletions
  1. 27
    0
      README.md
  2. 1
    0
      VERSION
  3. 75
    0
      create-user.bash
  4. 186
    0
      determined-server-setup.sh
  5. 150
    0
      harden-server.sh
  6. 22
    0
      setup.sh
  7. 136
    0
      sysmon.sh

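--- a/README.md
+++ b/README.md
@@ -0,0 +1,27 @@
+# determined-server-setup (dss)
+
+determined-server-setup is a script that installs needed utilities/software on servers so you don't need to.
+
+# Requirements
+
+# Installation
+
+You can install it by running:
+
+`curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash`
+
+# Usage
+
+This script is in the ALPHA stage. Use at your own risk.
+```
+dss --init # Update your server and install server utilities, setup automatic updates and harden SSH.
+dss --clean  # Update the server and cleanup unneeded files and programs. Use with caution.
+dss --log # Print the system log.`
+dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server.
+dss --user USERNAME init   # Setup server with server utilities and enable automatic security updates.
+```
+You can run: `dss help` for a list of all commands.
+
+# Automatic Updates
+
+When prompted to setup automatic updates, hit "yes" and when prompted with a text box, replace all references to "Debian" with the name of your distro. If you're running Ubuntu, you should replace all references of Debian with Ubuntu.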

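--- a/VERSION
+++ b/VERSION
@@ -0,0 +1 @@
+1.7.3 Alpha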

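--- a/create-user.bash
+++ b/create-user.bash
@@ -0,0 +1,75 @@
+#!/bin/bash
+# Determined Create User Script v2.0.3
+# Written by AJ Oneal -- edited by Joshua Mudge
+
+# Exit on any error
+set -e
+
+if [ -z "$(which openssl)" ]; then
+  echo "ERROR: 'openssl' is not found.";
+  echo "Please install openssl. It is used to generate a random password."
+  exit 1
+fi
+if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then
+  echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config";
+  exit 1
+fi
+if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then
+  echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config";
+  exit 1
+fi
+# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975
+if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then
+  echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'";
+  exit 1
+fi
+
+
+# exit if there are any unbound variables
+set -u
+
+USER=$1
+USER=$(basename $USER .pub)
+
+# If they try to create root, exit.
+
+if test $USER = "root"
+  then
+    echo "You cannot create the root user, it already exists."
+    exit
+fi
+
+# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith'
+
+# password will be set later in the script
+#adduser --disabled-password --gecos '' $USER
+sudo adduser --disabled-login --gecos '' $USER
+sudo adduser $USER sudo # if sudo is needed
+
+# FAIL before getting here via set -e
+sudo mkdir -p /home/$USER/.ssh
+sudo chmod 700 /home/$USER/.ssh
+sudo touch /home/$USER/.ssh/authorized_keys
+sudo chmod 600 /home/$USER/.ssh/authorized_keys
+
+# PRE-REQ: get the user's ssh public key and store it in whoever.pub
+sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"
+
+sudo chown $USER:$USER /home/$USER
+sudo chown $USER:$USER -R /home/$USER/.ssh/
+
+PASSWD=$(openssl rand -hex 20)
+#echo "$PASSWD" | passwd "$USER" --stdin
+echo "$USER:$PASSWD" | sudo chpasswd
+#echo "The temporary password for '"$USER"' is '"$PASSWD"'"
+sudo passwd -d $USER
+echo "'$USER'" has been added with key-only authentication and a password must be set on first login
+sudo chage -d 0 $USER
+
+# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/
+#
+# Linux
+# date "+%s.%N" | md5sum
+#
+# macOS
+# date "+%s.%N" | md5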
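Review bot: The username taken from `$1` is interpolated unquoted into a root shell at `sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"`, so whitespace or shell metacharacters in the argument are parsed as shell syntax under sudo. Validate the name first (for example `[[ $USER =~ ^[a-z_][a-z0-9_-]*$ ]] || exit 1`) and append without a second shell: `sudo tee -a "/home/$USER/.ssh/authorized_keys" < "$USER.pub" > /dev/null`. `sudo passwd -d $USER` leaves the new sudo-group account with an empty password until first login, which on a PAM configuration that accepts null passwords would presumably let any local user `su` into it; consider granting sudo membership only after a password has been set. The `ssh -v ... 2>/dev/null | grep password` probe likely never matches, because ssh writes its debug and permission-denied output to stderr; `2>&1` would make the check effective.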

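--- a/determined-server-setup.sh
+++ b/determined-server-setup.sh
@@ -0,0 +1,186 @@
+#!/bin/bash
+# determined-server-setup (dss)
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat)
+
+# Get options from CLI arguments
+
+usr=$USER
+init=0
+clean=0
+log=0
+authlog=0
+update=0
+mon=0
+
+while [[ $# -gt 0 ]]
+do
+  key="$1"
+
+  case $key in
+    --init)
+    init=1
+    shift # past argument
+    ;;
+    --clean)
+    clean=1
+    shift # past argument
+    ;;
+    --log)
+    log=1
+    shift # past argument
+    ;;
+    --authlog)
+    authlog="$2"
+    shift # past argument
+    ;;
+    --user)
+    usr="$2"
+    shift # past argument
+    ;;
+    --user2)
+    user2="$2"
+    shift # past argument
+    ;;
+    --user3)
+    user3="$2"
+    shift # past argument
+    ;;
+    --update)
+    update=1
+    shift # past argument
+    ;;
+    --monitor)
+    mon=1
+    shift # past argument
+    ;;
+    --mon-setup)
+    mon=2
+    shift # past argument
+    ;;
+    --email)
+    email=1
+    shift # past argument
+    ;;
+    --logfile)
+    logfile=1
+    shift # past argument
+    ;;
+    blacklist)
+    blacklist="$2"
+    shift # past argument
+    ;;
+    -h|help)
+    echo "dss $version"
+    echo "Usage: dss [OPTION]"
+    echo "You can run the following commands:"
+    echo "dss --clean  # Update the server and cleanup uneeded files and programs. Use with caution."
+    echo "dss --log # Print the system log."
+    echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
+    echo "dss --user USERNAME --init   # Setup server with server utilities and enable automatic security updates."
+    exit 1
+    ;;
+    -v|version)
+    echo "dss $version"
+    exit 1
+    ;;
+    *)
+    # unknown option
+    if test -z "${unknown}"
+    then
+      unknown=$1
+    else
+      echo "dss $version"
+      echo "dss --user USERNAME --init   # Setup server with server utilities and enable automatic security updates."
+      exit 1
+    fi
+    ;;
+  esac
+  shift # past argument or value
+done
+
+if test $init = 1
+then
+  # Update server
+  sudo apt-get update
+  sudo apt-get upgrade -y
+
+  # Install server utilities
+  sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common
+
+  # Prompt user to set up automatic security updates.
+  sudo apt-get install -y unattended-upgrades
+  sudo dpkg-reconfigure -plow unattended-upgrades
+
+  # Harden ssh
+  if determined-harden-ssh --user $usr
+  then
+    echo "dss" | sudo tee /home/.dssv1.7
+  else
+    "You cannot create root user and disable root login, that won't work... See 'dss help'"
+    exit
+  fi
+
+elif test $log = 1
+then
+
+  sudo cat /var/log/syslog
+
+elif test $authlog = 1
+  then
+    sudo cat /var/log/auth.log
+
+elif test $authlog = attacks
+  then
+    sudo cat /var/log/auth.log | grep "Invalid user"
+    sudo cat /var/log/auth.log | grep "Connection closed"
+    exit
+
+elif test ! -z $blacklist
+then
+  echo "Note to self: add blacklist function, empty elif is not allowed in BASH."
+  # Blacklist code
+
+elif test $update = 1
+then
+  # Update Linux and determined-setup
+  sudo apt-get update
+  sudo apt-get upgrade
+  curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash
+
+elif test $clean = 1
+then
+  # Update
+  sudo apt-get update
+  sudo apt-get upgrade
+
+  # Cleanup
+  sudo apt-get clean
+  sudo apt-get autoremove
+
+elif test $mon = 1
+then
+
+  cd /home
+  ./sysmon.sh -- email $email
+
+elif test $mon = 2
+then
+
+  dss init
+  curl -sO "https://git.coolaj86.com/josh/raw/master/dss/sysmon.sh"
+  sudo mv sysmon.sh /home/.sysmon.sh
+ ( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab -
+
+else
+  echo "dss $version"
+  echo "Usage: dss [OPTION]"
+  echo "You can run the following commands:"
+  echo "dss --clean  # Update the server and cleanup uneeded files and programs. Use with caution."
+  echo "dss --log # Print the system log."
+  echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
+  echo "dss --user USERNAME init   # Setup server with server utilities and enable automatic security updates."
+  exit 1
+fi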
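Review bot: In the `--mon-setup` branch the `&> "$logfile"` redirect is attached to the `echo` inside the subshell, so the new cron line is written to a file instead of being piped to `sudo crontab -`, and root's crontab is re-installed without it. `--email` and `--logfile` also store `1` rather than `"$2"`, so `$email` and `$logfile` never hold the address or path. A corrected entry would be `( sudo crontab -l; echo "14 1 * * * /bin/bash /home/.sysmon.sh --email $email >> $logfile 2>&1" ) | sudo crontab -`, with both values validated before they are written into root's crontab. Once that job works, root runs every night a script that was fetched with `curl -sO` and no integrity check, so the download should be verified against a pinned digest before `sudo mv sysmon.sh /home/.sysmon.sh`. Separately, the `else` arm under "Harden ssh" is missing its `echo`, so the quoted message is executed as a command name.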

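--- a/harden-server.sh
+++ b/harden-server.sh
@@ -0,0 +1,150 @@
+#!/bin/bash
+# Determined SSH Hardening
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+usr=$USER
+version="v1.4.1 Alpha"
+#keyserver=""
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+    setup)
+    setup=1
+    shift # past argument
+    ;;
+    --user)
+    usr="$2"
+    shift # past argument
+    ;;
+    --user2)
+    user2="$2"
+    shift # past argument
+    ;;
+    --user3)
+    user3="$2"
+    shift # past argument
+    ;;
+    --user4)
+    user4="$2"
+    shift # past argument
+    ;;
+    --user5)
+    user5="$2"
+    shift # past argument
+    ;;
+    -h|--help)
+      echo determined-harden-ssh $version
+      echo "Usage: determined-harden-ssh --user USERNAME"
+      exit 1
+    ;;
+    *)
+      # unknown option
+      if [ -z "${user}" ]; then
+        echo determined-harden-ssh $version
+        echo "No admin user specified."
+        echo "Usage: determined-harden-ssh --user USERNAME"
+      else
+        echo "unrecognized option '$1'"
+        exit 1
+      fi
+    ;;
+esac
+shift # past argument or value
+done
+
+if test ! -z $usr
+then
+
+  echo "Installing fail2ban and hardening SSH configuration."
+  # Install fail2ban
+  sudo apt-get install -y fail2ban curl openssh-server > /dev/null
+
+  echo "Creating new user by the username $usr"
+
+  echo "Disabling password based logins in favor of SSH keys."
+
+  # SSH keys only, no passwords.
+
+  sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
+  sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config
+  sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config
+
+  mkdir .tssh
+
+  cd .tssh
+
+  curl -sLO https://git.coolaj86.com/josh/raw/master/dss/create-user.bash
+
+  curl -sLO https://$keyserver/$usr.pub
+
+  sudo mv create-user.bash /usr/local/bin/determined-create-user
+
+  sudo chmod +x /usr/local/bin/determined-create-user
+
+  if determined-create-user $usr;
+  then
+  echo "Setting up non-root admin user(s)"
+  else
+    echo "User creation failed. Please fix the above error and try again."
+    cd ..
+    rm -rf .tssh
+    exit
+  fi
+
+  if test ! -z $user2
+  then
+
+    curl -sLO https://$keyserver/$user2.pub
+
+    ./create-user.bash $user2
+
+  fi
+
+  if test ! -z $user3
+  then
+
+    curl -sLO https://$keyserver/$user3.pub
+
+    ./create-user.bash $user3
+
+  fi
+
+  if test ! -z $user4
+  then
+
+    curl -sLO https://$keyserver/$user4.pub
+
+    ./create-user.bash $user4
+
+  fi
+
+  if test ! -z $user5
+  then
+
+    curl -sLO https://$keyserver/$user5.pub
+
+    ./create-user.bash $user5
+
+  fi
+
+  cd ..
+  rm -rf .tssh
+
+  echo "Disabling root login."
+
+  sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config
+  sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config
+
+  echo "That's it, we're done :)"
+
+else
+
+  echo determined-harden-ssh $version
+  echo "No admin user specified."
+  echo "Usage: ./harden-server.sh --user USERNAME"
+
+fi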
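Review bot: `keyserver` appears only as the commented-out `#keyserver=""`, so `curl -sLO https://$keyserver/$usr.pub` requests a URL with an empty host, and because `-s` is used without `-f` a failed or error-page response goes unnoticed before the file is handed to `determined-create-user`. Since that file becomes the `authorized_keys` of a sudo-group account, the script should fail closed: `: "${keyserver:?key server host not set}"`, `curl -fsSLO "https://$keyserver/$usr.pub"`, and a sanity check such as `ssh-keygen -l -f "$usr.pub"` before use. `create-user.bash` is moved to `/usr/local/bin/determined-create-user` before the `$user2` to `$user5` blocks call `./create-user.bash`, so those calls cannot find the file; `determined-create-user "$user2"` (and likewise for the others) is what was meant. Nothing visible in this file runs `sshd -t` or reloads sshd after the `sed` edits, so the hardened settings may not be in effect when the script reports that it is done.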

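--- a/setup.sh
+++ b/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# Setup for determined-server-setup
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat)
+
+echo "Installing dss $version"
+
+curl -sO https://git.coolaj86.com/josh/raw/master/dss/determined-server-setup.sh
+
+sudo mv determined-server-setup.sh /usr/local/bin/dss
+
+sudo chmod +x /usr/local/bin/dss
+
+curl -sO https://git.coolaj86.com/josh/raw/master/dss/harden-server.sh
+
+sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh
+
+sudo chmod +x /usr/local/bin/determined-harden-ssh
+
+echo "Done. Run 'dss' to use."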
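Review bot: Both downloads are installed into `/usr/local/bin` and made executable with no integrity check, from the moving `master` branch, and `curl -sO` without `-f` will save an HTTP error page as the script. There is also no `set -e`, so `sudo mv` and `sudo chmod +x` run even when a download failed. I would download into a `mktemp -d` directory, verify each file against a digest pinned from a reviewed release, and only then install it root-owned; the README one-liner that pipes this script into `bash` inherits whatever it does. The sketch below shows the pattern for the first file, with the digest left as a placeholder.

```shell
set -euo pipefail
tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT
base="https://git.coolaj86.com/josh/raw/master/dss"

curl -fsSL -o "$tmpdir/determined-server-setup.sh" "$base/determined-server-setup.sh"
# <PINNED_SHA256> is a placeholder: record the digest of the reviewed file here
echo "<PINNED_SHA256>  $tmpdir/determined-server-setup.sh" | sha256sum -c -
sudo install -m 0755 -o root -g root "$tmpdir/determined-server-setup.sh" /usr/local/bin/dss
# … same download / verify / install steps for harden-server.sh → /usr/local/bin/determined-harden-ssh …
```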

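--- a/sysmon.sh
+++ b/sysmon.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+# Josh's Automatic System Monitor
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+update=1
+version=v1.5.1a
+alpha=0
+dfh=$(df -h | grep '8[0-9]%')
+dfh2=$(df -h | grep '9[0-9]%')
+
+while [[ $# -gt 0 ]]
+do
+  key="$1"
+
+  case $key in
+    --setup)
+    shift # past argument
+    setup=1
+    ;;
+    --no-update)
+    update=0
+    shift # past argument
+    ;;
+    --audit)
+    audit=1
+    shift # past argument
+    ;;
+    --email)
+    email="$2"
+    shift # past argument
+    ;;
+    -h|help)
+    echo "dss-mon $version"
+    echo "Usage: dss --monitor --email user@mailprovider.com"
+    exit 1
+    ;;
+    -v|version)
+    echo "dss $version"
+    exit 1
+    ;;
+    *)
+    # unknown option
+    if test -z "${unknown}"
+    then
+      unknown=$1
+    else
+      echo "dss-mon $version"
+      echo "Usage: dss --monitor --email user@mailprovider.com"
+      exit 1
+    fi
+    ;;
+  esac
+  shift # past argument or value
+done
+
+if test $update = 1
+then
+
+  sudo apt-get update
+  sudo apt-get upgrade
+  sudo apt-get install sysstat # Check if installed, then do this
+  curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash
+
+fi
+
+# Cleanup
+
+sudo apt-get clean
+
+# Security Audit (Tackled by dss init before setting this up.)
+
+# if test ! -f /home/.dssv1.7
+# then
+#
+#   dss init
+#
+# fi
+
+auth=$(sudo cat /var/log/auth.log | grep "Invalid user")
+#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed")
+
+if test $alpha = 1;
+then
+
+  sudo apt-get autoremove
+
+fi
+
+# To setup email, point a domain name to your server using DNS.
+# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator)
+# Then run: sudo apt-get install mailutils
+# Open up /etc/hosts and make sure it has:
+# 127.0.1.1 mydomain.com myserverHOSTNAME
+# Select "Internet Site" and enter the domain you want it to send email from.
+# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS
+
+if test ! -z "$auth" # If set to run automatically, don't run this check every time.
+then
+  echo "Attacks found. Sending authentication log to $email"
+  sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email
+fi
+
+if test ! -z "$dfh"
+then
+  echo "Disk usage is high, sending disk usage to $email"
+  echo "$dfh" | mail -s "High Disk Usage" $email
+fi
+
+if test ! -z "$dfh2"
+then
+  echo "Disk usage is critical, sending disk usage to $email"
+  echo "$dfh2" | mail -s "Critical Disk Usage" $email
+fi
+
+for i in {1..300} # Do this 300 times.
+do
+CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow
+CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total.
+done
+CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes.
+
+
+if test $CPURESULT > 90
+then
+  echo "CPU usage is quite high, sending report to $email"
+  echo "$CPURESULT %" | mail -s "High CPU Usage" $email
+fi
+
+USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}')
+
+if test $USEDRAM > 80
+then
+  echo "RAM usage is quite high, sending report to $email"
+  echo "$USEDRAM %" | mail -s "High RAM Usage" $email
+fi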
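Review bot: `test $CPURESULT > 90` and `test $USEDRAM > 80` do not compare numbers: `>` is a redirection, so each creates a file named `90` or `80` in the working directory and the test is true for any non-empty value, which means both alert mails go out on every run and real spikes are indistinguishable from noise. Use `[ "$CPURESULT" -gt 90 ]`, and make the RAM figure an integer first (`awk '{printf "%d", ($2 - $7) / $2 * 100}'`) so that `-gt` can compare it. With `update=1` as the default, every run also pipes `setup.sh` from the network into `bash`; if this script is run from the root cron job that `dss --mon-setup` intends to install, unverified remote code would execute as root nightly, so updating should be opt-in or gated on a pinned digest. `$email` is unquoted and never checked for being set in any of the `mail` calls, so an empty value leaves `mail` without a recipient.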
