ソースを参照

Forked from daplie-snippets

master
Josh Mudge 5年前
コミット
68db3b59f9
  1. 27
      README.md
  2. 1
      VERSION
  3. 75
      create-user.bash
  4. 186
      determined-server-setup.sh
  5. 150
      harden-server.sh
  6. 22
      setup.sh
  7. 136
      sysmon.sh

27
README.md

@ -0,0 +1,27 @@
# determined-server-setup (dss)
determined-server-setup is a script that installs needed utilities/software on servers so you don't need to.
# Requirements
# Installation
You can install it by running:
`curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash`
# Usage
This script is in the ALPHA stage. Use at your own risk.
```
dss --init # Update your server and install server utilities, setup automatic updates and harden SSH.
dss --clean # Update the server and cleanup unneeded files and programs. Use with caution.
dss --log # Print the system log.`
dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server.
dss --user USERNAME init # Setup server with server utilities and enable automatic security updates.
```
You can run: `dss help` for a list of all commands.
# Automatic Updates
When prompted to setup automatic updates, hit "yes" and when prompted with a text box, replace all references to "Debian" with the name of your distro. If you're running Ubuntu, you should replace all references of Debian with Ubuntu.

1
VERSION

@ -0,0 +1 @@
1.7.3 Alpha

75
create-user.bash

@ -0,0 +1,75 @@
#!/bin/bash
# Determined Create User Script v2.0.3
# Written by AJ Oneal -- edited by Joshua Mudge
# Exit on any error
set -e
if [ -z "$(which openssl)" ]; then
echo "ERROR: 'openssl' is not found.";
echo "Please install openssl. It is used to generate a random password."
exit 1
fi
if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then
echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config";
exit 1
fi
if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then
echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config";
exit 1
fi
# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975
if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then
echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'";
exit 1
fi
# exit if there are any unbound variables
set -u
USER=$1
USER=$(basename $USER .pub)
# If they try to create root, exit.
if test $USER = "root"
then
echo "You cannot create the root user, it already exists."
exit
fi
# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith'
# password will be set later in the script
#adduser --disabled-password --gecos '' $USER
sudo adduser --disabled-login --gecos '' $USER
sudo adduser $USER sudo # if sudo is needed
# FAIL before getting here via set -e
sudo mkdir -p /home/$USER/.ssh
sudo chmod 700 /home/$USER/.ssh
sudo touch /home/$USER/.ssh/authorized_keys
sudo chmod 600 /home/$USER/.ssh/authorized_keys
# PRE-REQ: get the user's ssh public key and store it in whoever.pub
sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"
sudo chown $USER:$USER /home/$USER
sudo chown $USER:$USER -R /home/$USER/.ssh/
PASSWD=$(openssl rand -hex 20)
#echo "$PASSWD" | passwd "$USER" --stdin
echo "$USER:$PASSWD" | sudo chpasswd
#echo "The temporary password for '"$USER"' is '"$PASSWD"'"
sudo passwd -d $USER
echo "'$USER'" has been added with key-only authentication and a password must be set on first login
sudo chage -d 0 $USER
# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/
#
# Linux
# date "+%s.%N" | md5sum
#
# macOS
# date "+%s.%N" | md5

186
determined-server-setup.sh

@ -0,0 +1,186 @@
#!/bin/bash
# determined-server-setup (dss)
# Written by Josh Mudge
# Ad Mejorem Dei Glorium
version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat)
# Get options from CLI arguments
usr=$USER
init=0
clean=0
log=0
authlog=0
update=0
mon=0
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
--init)
init=1
shift # past argument
;;
--clean)
clean=1
shift # past argument
;;
--log)
log=1
shift # past argument
;;
--authlog)
authlog="$2"
shift # past argument
;;
--user)
usr="$2"
shift # past argument
;;
--user2)
user2="$2"
shift # past argument
;;
--user3)
user3="$2"
shift # past argument
;;
--update)
update=1
shift # past argument
;;
--monitor)
mon=1
shift # past argument
;;
--mon-setup)
mon=2
shift # past argument
;;
--email)
email=1
shift # past argument
;;
--logfile)
logfile=1
shift # past argument
;;
blacklist)
blacklist="$2"
shift # past argument
;;
-h|help)
echo "dss $version"
echo "Usage: dss [OPTION]"
echo "You can run the following commands:"
echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution."
echo "dss --log # Print the system log."
echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates."
exit 1
;;
-v|version)
echo "dss $version"
exit 1
;;
*)
# unknown option
if test -z "${unknown}"
then
unknown=$1
else
echo "dss $version"
echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates."
exit 1
fi
;;
esac
shift # past argument or value
done
if test $init = 1
then
# Update server
sudo apt-get update
sudo apt-get upgrade -y
# Install server utilities
sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common
# Prompt user to set up automatic security updates.
sudo apt-get install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# Harden ssh
if determined-harden-ssh --user $usr
then
echo "dss" | sudo tee /home/.dssv1.7
else
"You cannot create root user and disable root login, that won't work... See 'dss help'"
exit
fi
elif test $log = 1
then
sudo cat /var/log/syslog
elif test $authlog = 1
then
sudo cat /var/log/auth.log
elif test $authlog = attacks
then
sudo cat /var/log/auth.log | grep "Invalid user"
sudo cat /var/log/auth.log | grep "Connection closed"
exit
elif test ! -z $blacklist
then
echo "Note to self: add blacklist function, empty elif is not allowed in BASH."
# Blacklist code
elif test $update = 1
then
# Update Linux and determined-setup
sudo apt-get update
sudo apt-get upgrade
curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash
elif test $clean = 1
then
# Update
sudo apt-get update
sudo apt-get upgrade
# Cleanup
sudo apt-get clean
sudo apt-get autoremove
elif test $mon = 1
then
cd /home
./sysmon.sh -- email $email
elif test $mon = 2
then
dss init
curl -sO "https://git.coolaj86.com/josh/raw/master/dss/sysmon.sh"
sudo mv sysmon.sh /home/.sysmon.sh
( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab -
else
echo "dss $version"
echo "Usage: dss [OPTION]"
echo "You can run the following commands:"
echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution."
echo "dss --log # Print the system log."
echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
echo "dss --user USERNAME init # Setup server with server utilities and enable automatic security updates."
exit 1
fi

150
harden-server.sh

@ -0,0 +1,150 @@
#!/bin/bash
# Determined SSH Hardening
# Written by Josh Mudge
# Ad Mejorem Dei Glorium
usr=$USER
version="v1.4.1 Alpha"
#keyserver=""
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
setup)
setup=1
shift # past argument
;;
--user)
usr="$2"
shift # past argument
;;
--user2)
user2="$2"
shift # past argument
;;
--user3)
user3="$2"
shift # past argument
;;
--user4)
user4="$2"
shift # past argument
;;
--user5)
user5="$2"
shift # past argument
;;
-h|--help)
echo determined-harden-ssh $version
echo "Usage: determined-harden-ssh --user USERNAME"
exit 1
;;
*)
# unknown option
if [ -z "${user}" ]; then
echo determined-harden-ssh $version
echo "No admin user specified."
echo "Usage: determined-harden-ssh --user USERNAME"
else
echo "unrecognized option '$1'"
exit 1
fi
;;
esac
shift # past argument or value
done
if test ! -z $usr
then
echo "Installing fail2ban and hardening SSH configuration."
# Install fail2ban
sudo apt-get install -y fail2ban curl openssh-server > /dev/null
echo "Creating new user by the username $usr"
echo "Disabling password based logins in favor of SSH keys."
# SSH keys only, no passwords.
sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config
sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config
mkdir .tssh
cd .tssh
curl -sLO https://git.coolaj86.com/josh/raw/master/dss/create-user.bash
curl -sLO https://$keyserver/$usr.pub
sudo mv create-user.bash /usr/local/bin/determined-create-user
sudo chmod +x /usr/local/bin/determined-create-user
if determined-create-user $usr;
then
echo "Setting up non-root admin user(s)"
else
echo "User creation failed. Please fix the above error and try again."
cd ..
rm -rf .tssh
exit
fi
if test ! -z $user2
then
curl -sLO https://$keyserver/$user2.pub
./create-user.bash $user2
fi
if test ! -z $user3
then
curl -sLO https://$keyserver/$user3.pub
./create-user.bash $user3
fi
if test ! -z $user4
then
curl -sLO https://$keyserver/$user4.pub
./create-user.bash $user4
fi
if test ! -z $user5
then
curl -sLO https://$keyserver/$user5.pub
./create-user.bash $user5
fi
cd ..
rm -rf .tssh
echo "Disabling root login."
sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config
sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config
echo "That's it, we're done :)"
else
echo determined-harden-ssh $version
echo "No admin user specified."
echo "Usage: ./harden-server.sh --user USERNAME"
fi

22
setup.sh

@ -0,0 +1,22 @@
#!/bin/bash
# Setup for determined-server-setup
# Written by Josh Mudge
# Ad Mejorem Dei Glorium
version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat)
echo "Installing dss $version"
curl -sO https://git.coolaj86.com/josh/raw/master/dss/determined-server-setup.sh
sudo mv determined-server-setup.sh /usr/local/bin/dss
sudo chmod +x /usr/local/bin/dss
curl -sO https://git.coolaj86.com/josh/raw/master/dss/harden-server.sh
sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh
sudo chmod +x /usr/local/bin/determined-harden-ssh
echo "Done. Run 'dss' to use."

136
sysmon.sh

@ -0,0 +1,136 @@
#!/bin/bash
# Josh's Automatic System Monitor
# Written by Josh Mudge
# Ad Mejorem Dei Glorium
update=1
version=v1.5.1a
alpha=0
dfh=$(df -h | grep '8[0-9]%')
dfh2=$(df -h | grep '9[0-9]%')
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
--setup)
shift # past argument
setup=1
;;
--no-update)
update=0
shift # past argument
;;
--audit)
audit=1
shift # past argument
;;
--email)
email="$2"
shift # past argument
;;
-h|help)
echo "dss-mon $version"
echo "Usage: dss --monitor --email user@mailprovider.com"
exit 1
;;
-v|version)
echo "dss $version"
exit 1
;;
*)
# unknown option
if test -z "${unknown}"
then
unknown=$1
else
echo "dss-mon $version"
echo "Usage: dss --monitor --email user@mailprovider.com"
exit 1
fi
;;
esac
shift # past argument or value
done
if test $update = 1
then
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install sysstat # Check if installed, then do this
curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash
fi
# Cleanup
sudo apt-get clean
# Security Audit (Tackled by dss init before setting this up.)
# if test ! -f /home/.dssv1.7
# then
#
# dss init
#
# fi
auth=$(sudo cat /var/log/auth.log | grep "Invalid user")
#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed")
if test $alpha = 1;
then
sudo apt-get autoremove
fi
# To setup email, point a domain name to your server using DNS.
# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator)
# Then run: sudo apt-get install mailutils
# Open up /etc/hosts and make sure it has:
# 127.0.1.1 mydomain.com myserverHOSTNAME
# Select "Internet Site" and enter the domain you want it to send email from.
# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS
if test ! -z "$auth" # If set to run automatically, don't run this check every time.
then
echo "Attacks found. Sending authentication log to $email"
sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email
fi
if test ! -z "$dfh"
then
echo "Disk usage is high, sending disk usage to $email"
echo "$dfh" | mail -s "High Disk Usage" $email
fi
if test ! -z "$dfh2"
then
echo "Disk usage is critical, sending disk usage to $email"
echo "$dfh2" | mail -s "Critical Disk Usage" $email
fi
for i in {1..300} # Do this 300 times.
do
CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow
CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total.
done
CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes.
if test $CPURESULT > 90
then
echo "CPU usage is quite high, sending report to $email"
echo "$CPURESULT %" | mail -s "High CPU Usage" $email
fi
USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}')
if test $USEDRAM > 80
then
echo "RAM usage is quite high, sending report to $email"
echo "$USEDRAM %" | mail -s "High RAM Usage" $email
fi
読み込み中…
キャンセル
保存