Import dss scripts and update them.

Import scripts from https://git.coolaj86.com/josh/dss with new URL paths and with the intent of further proxmox-centric customization.

VERSION

@@ -0,0 +1 @@
+1.7.5 Alpha

create-user.bash

@@ -0,0 +1,75 @@
+#!/bin/bash
+# Determined Create User Script v2.0.3
+# Written by AJ Oneal -- edited by Joshua Mudge
+
+# Exit on any error
+set -e
+
+if [ -z "$(which openssl)" ]; then
+  echo "ERROR: 'openssl' is not found.";
+  echo "Please install openssl. It is used to generate a random password."
+  exit 1
+fi
+if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then
+  echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config";
+  exit 1
+fi
+if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then
+  echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config";
+  exit 1
+fi
+# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975
+if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then
+  echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'";
+  exit 1
+fi
+
+
+# exit if there are any unbound variables
+set -u
+
+USER=$1
+USER=$(basename $USER .pub)
+
+# If they try to create root, exit.
+
+if test $USER = "root"
+  then
+    echo "You cannot create the root user, it already exists."
+    exit
+fi
+
+# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith'
+
+# password will be set later in the script
+#adduser --disabled-password --gecos '' $USER
+sudo adduser --disabled-login --gecos '' $USER
+sudo adduser $USER sudo # if sudo is needed
+
+# FAIL before getting here via set -e
+sudo mkdir -p /home/$USER/.ssh
+sudo chmod 700 /home/$USER/.ssh
+sudo touch /home/$USER/.ssh/authorized_keys
+sudo chmod 600 /home/$USER/.ssh/authorized_keys
+
+# PRE-REQ: get the user's ssh public key and store it in whoever.pub
+sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"
+
+sudo chown $USER:$USER /home/$USER
+sudo chown $USER:$USER -R /home/$USER/.ssh/
+
+PASSWD=$(openssl rand -hex 20)
+#echo "$PASSWD" | passwd "$USER" --stdin
+echo "$USER:$PASSWD" | sudo chpasswd
+#echo "The temporary password for '"$USER"' is '"$PASSWD"'"
+sudo passwd -d $USER
+echo "'$USER'" has been added with key-only authentication and a password must be set on first login
+sudo chage -d 0 $USER
+
+# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/
+#
+# Linux
+# date "+%s.%N" | md5sum
+#
+# macOS
+# date "+%s.%N" | md5

determined-server-setup.sh

@@ -0,0 +1,186 @@
+#!/bin/bash
+# determined-server-setup (dss)
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+version=$(curl -s https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/VERSION | cat)
+
+# Get options from CLI arguments
+
+usr=$USER
+init=0
+clean=0
+log=0
+authlog=0
+update=0
+mon=0
+
+while [[ $# -gt 0 ]]
+do
+  key="$1"
+
+  case $key in
+    --init)
+    init=1
+    shift # past argument
+    ;;
+    --clean)
+    clean=1
+    shift # past argument
+    ;;
+    --log)
+    log=1
+    shift # past argument
+    ;;
+    --authlog)
+    authlog="$2"
+    shift # past argument
+    ;;
+    --user)
+    usr="$2"
+    shift # past argument
+    ;;
+    --user2)
+    user2="$2"
+    shift # past argument
+    ;;
+    --user3)
+    user3="$2"
+    shift # past argument
+    ;;
+    --update)
+    update=1
+    shift # past argument
+    ;;
+    --monitor)
+    mon=1
+    shift # past argument
+    ;;
+    --mon-setup)
+    mon=2
+    shift # past argument
+    ;;
+    --email)
+    email=1
+    shift # past argument
+    ;;
+    --logfile)
+    logfile=1
+    shift # past argument
+    ;;
+    blacklist)
+    blacklist="$2"
+    shift # past argument
+    ;;
+    -h|help)
+    echo "dss $version"
+    echo "Usage: dss [OPTION]"
+    echo "You can run the following commands:"
+    echo "dss --clean  # Update the server and cleanup uneeded files and programs. Use with caution."
+    echo "dss --log # Print the system log."
+    echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
+    echo "dss --user USERNAME --init   # Setup server with server utilities and enable automatic security updates."
+    exit 1
+    ;;
+    -v|version)
+    echo "dss $version"
+    exit 1
+    ;;
+    *)
+    # unknown option
+    if test -z "${unknown}"
+    then
+      unknown=$1
+    else
+      echo "dss $version"
+      echo "dss --user USERNAME --init   # Setup server with server utilities and enable automatic security updates."
+      exit 1
+    fi
+    ;;
+  esac
+  shift # past argument or value
+done
+
+if test $init = 1
+then
+  # Update server
+  sudo apt-get update
+  sudo apt-get upgrade -y
+
+  # Install server utilities
+  sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common
+
+  # Prompt user to set up automatic security updates.
+  sudo apt-get install -y unattended-upgrades
+  sudo dpkg-reconfigure -plow unattended-upgrades
+
+  # Harden ssh
+  if determined-harden-ssh --user $usr
+  then
+    echo "dss" | sudo tee /home/.dssv1.7
+  else
+    "You cannot create root user and disable root login, that won't work... See 'dss help'"
+    exit
+  fi
+
+elif test $log = 1
+then
+
+  sudo cat /var/log/syslog
+
+elif test $authlog = 1
+  then
+    sudo cat /var/log/auth.log
+
+elif test $authlog = attacks
+  then
+    sudo cat /var/log/auth.log | grep "Invalid user"
+    sudo cat /var/log/auth.log | grep "Connection closed"
+    exit
+
+elif test ! -z $blacklist
+then
+  echo "Note to self: add blacklist function, empty elif is not allowed in BASH."
+  # Blacklist code
+
+elif test $update = 1
+then
+  # Update Linux and determined-setup
+  sudo apt-get update
+  sudo apt-get upgrade
+  curl -s "https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/setup.sh" | bash
+
+elif test $clean = 1
+then
+  # Update
+  sudo apt-get update
+  sudo apt-get upgrade
+
+  # Cleanup
+  sudo apt-get clean
+  sudo apt-get autoremove
+
+elif test $mon = 1
+then
+
+  cd /home
+  ./sysmon.sh -- email $email
+
+elif test $mon = 2
+then
+
+  dss init
+  curl -sO "https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/sysmon.sh"
+  sudo mv sysmon.sh /home/.sysmon.sh
+ ( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab -
+
+else
+  echo "dss $version"
+  echo "Usage: dss [OPTION]"
+  echo "You can run the following commands:"
+  echo "dss --clean  # Update the server and cleanup uneeded files and programs. Use with caution."
+  echo "dss --log # Print the system log."
+  echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
+  echo "dss --user USERNAME init   # Setup server with server utilities and enable automatic security updates."
+  exit 1
+fi

harden-server.sh

@@ -0,0 +1,152 @@
+#!/bin/bash
+# Determined SSH Hardening
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+# Only ban password login for root, not all login for root.
+
+usr=$USER
+version="v1.4.4 Alpha"
+keyserver="https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/"
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+    setup)
+    setup=1
+    shift # past argument
+    ;;
+    --user)
+    usr="$2"
+    shift # past argument
+    ;;
+    --user2)
+    user2="$2"
+    shift # past argument
+    ;;
+    --user3)
+    user3="$2"
+    shift # past argument
+    ;;
+    --user4)
+    user4="$2"
+    shift # past argument
+    ;;
+    --user5)
+    user5="$2"
+    shift # past argument
+    ;;
+    -h|--help)
+      echo determined-harden-ssh $version
+      echo "Usage: determined-harden-ssh --user USERNAME"
+      exit 1
+    ;;
+    *)
+      # unknown option
+      if [ -z "${user}" ]; then
+        echo determined-harden-ssh $version
+        echo "No admin user specified."
+        echo "Usage: determined-harden-ssh --user USERNAME"
+      else
+        echo "unrecognized option '$1'"
+        exit 1
+      fi
+    ;;
+esac
+shift # past argument or value
+done
+
+if test ! -z $usr
+then
+
+  echo "Installing fail2ban and hardening SSH configuration."
+  # Install fail2ban
+  sudo apt-get install -y fail2ban curl openssh-server > /dev/null
+
+  echo "Creating new user by the username $usr"
+
+  echo "Disabling password based logins in favor of SSH keys."
+
+  # SSH keys only, no passwords.
+
+  sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
+  sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config
+  sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config
+
+  mkdir .tssh
+
+  cd .tssh
+
+  curl -sLO https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/create-user.bash
+
+  curl -sLO https://$keyserver/$usr.pub
+
+  sudo mv create-user.bash /usr/local/bin/determined-create-user
+
+  sudo chmod +x /usr/local/bin/determined-create-user
+
+  if determined-create-user $usr;
+  then
+  echo "Setting up non-root admin user(s)"
+  else
+    echo "User creation failed. Please fix the above error and try again."
+    cd ..
+    rm -rf .tssh
+    exit
+  fi
+
+  if test ! -z $user2
+  then
+
+    curl -sLO https://$keyserver/$user2.pub
+
+    ./create-user.bash $user2
+
+  fi
+
+  if test ! -z $user3
+  then
+
+    curl -sLO https://$keyserver/$user3.pub
+
+    ./create-user.bash $user3
+
+  fi
+
+  if test ! -z $user4
+  then
+
+    curl -sLO https://$keyserver/$user4.pub
+
+    ./create-user.bash $user4
+
+  fi
+
+  if test ! -z $user5
+  then
+
+    curl -sLO https://$keyserver/$user5.pub
+
+    ./create-user.bash $user5
+
+  fi
+
+  cd ..
+  rm -rf .tssh
+
+  echo "Disabling root login."
+
+  sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config
+  sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config
+
+  echo "That's it, we're done :)"
+
+else
+
+  echo determined-harden-ssh $version
+  echo "No admin user specified."
+  echo "Usage: ./harden-server.sh --user USERNAME"
+
+fi

josh.pub

@@ -0,0 +1,7 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCv0FjEGZWOYllCbQ1vKrWq6+jo0hkqOoj350/zitTce9QJZrD2JOC9FSRqTy8wlBwjapfTIgOLDfzv6iLA7i652HpoA5p8RUsRwOqBqj2ofhbhJyGg5lEhpWQDxLVIf8FrcN8BL07UzasS9NfrI6ElYeFnO5L6V9eDc49J5iRwYIuyIkSjuxbo+utwfZttYSHvVB9e5Y0HAYQFVH10hIvkROwoNO2KsBJ/kKM4PSuPRBsTxIObX7LRduzO54sk+NGgLXVbr9EdwcPzN7xUUNrlmwKAtgj9u0RmgzE5DQhGLumR87ntAOD6jRTqvO012T2rP5TZiO5WvgLZQ3B6OOkf josh@ltltod
+
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdIqdxMncwBtfH2znhNM9EdBZDkcwew+zmV8Nw0msACfi0wUpwPcBtYerNi6gt9+bSkOHj4grRyEY/S79R7YApNcThelJhbCKFh1XBVKfNtAIvs0hsO8YxzwBZlcFID5rCRof5wdwKi9OtcnzzQV6qDCJnL3l+B7bWtQJoOwwo9SGaU3baLLSCC+06F3jUQofn5vOMVKGO7HcFKK/mVgPOX8WYO7XjegSu2AP01jDZxHLp1CWldxd2iv7NsMNcBvGvsS9cW0Fq3SdjWyuLzLs12X1O1pyTRw/9bHseFXa3xpOlO5oiHsAVdYivzWk8/IddTrfw9RGc9vtu3RuuJTer josh@Mac-mini.local
+
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCRu4QMnJbNbm2MdOPYJYQTKZQZQVsxOU5cYV63zVYKerFAGLZ+vwJeX8l5mdUcCBiVc1Px7Po+KZ7HJKygh859zz61E3a/eWTiikuvpd16XNJCDB9mKNAvkCl84m10YSfKcyn6u7jbqwAshHoQ2xCrG4f7mY6XD7EKavblYWBV4IEdeGZVdkMx5UOT2yQMOOdqldbwd56lJwa36NuBM69af0axU3VHEBQbzNeGFYuANh54HCOce++ilk733y5VM80Jq4owHZ6mdJ37Z6KB1dIVWgsWSKqJHqYEIHtdSjj4IvMGNnoPO4u9ts3/VQt66udO6dVztp1BfOKws16KYtFVMVDVRuifYBmYFXysod9cJ9/7Wr0H/PurLOy5T57sp044Nj+X7QHGjv1QYzbnr9en963nKXfX/NJI+deev71kYzBxVXsvl8ywNcAPZFhPdwMu44R69/zg+Zwfc2BSarbsGCOUAEfLy/wp8O0zcuOF+xBJcnPTmGYBEjtBtTmXHe7Eurldl5UnlRpaAMe8awdQOi/H7Y942FV2uLkJ6jIXeeojuZ4lZVOFcLfzSpor55bXcMvktHzxVvdWE/D+zTh3aakNcagB3YVin0sBrVdM1NLO9pBhlATJMWLurlplQPY+4NklsBJlSCNBWtD0H9RYbj/m8KNrH5jjPCs8/WRHVQ== root@pve1
+
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDI+OURko4u2OC5FjSAEte1ylPLzXu1Jmn2U7Y1zlp3BI5r0djyM7JfQm+2KDJZBd1qi6CuqueSr2wV1tnEtMXrMjnqLy3JHEQTzyeADoTws3/jAuDaez6ddhI7tMJsrR+lkkUa8akr5Q7Wht7BIUn16oX9dWR22eXoxN5ab/rzqnv9dADqKOa7FOHqxsWx31KykIKtdSVunmG5E+sovjc69GH6fFLaTMDuFqeNaScavIv90tUVwQR1P5fJj1Ajtnu9QLWvD364tfK6krPGaiMtjOEBftKIVeOHhTHKPwu2oAWK+67W9zzxmxkeR4vrSHH1cQbaXPpAqCSPIDCI5aAlzHfHPwoHWYglZJEpXwlmuSftVJ5bgCaU1kYGX4QIUhOACNv3XVFU8Uw6+douF2s4NeDPPfGN8CIRqdeQkD1JzhfL3bcRIu55QDFmvsd3C+S0NJrnNM4L/FlMiT/1w1geJHVZHstTf19eoJSuYS0wslqeJVxrkwf13WgC5/ZEGy0P6W2xAYJ3ESvswwotFqqoWQJhS7Hl7VZ9LtB60IAIPJIBD8zxUFuhlBClhOTYKr+MV7/v7Ejd2dbbJ2FSKAVQQ4fLGTgwHDJxKYj3JUm/tkjos5XeLCVJQmwWUtL3iVjPMKg4G+hbSJ3sSE/DYsZ8Y8XD4+j1TjVKMf5rRzRTMw== root@pve2

setup.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Setup for determined-server-setup
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+version=$(curl -s https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/VERSION | cat)
+
+echo "Installing dss $version"
+
+curl -sO https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/determined-server-setup.sh
+
+sudo mv determined-server-setup.sh /usr/local/bin/dss
+
+sudo chmod +x /usr/local/bin/dss
+
+curl -sO https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/harden-server.sh
+
+sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh
+
+sudo chmod +x /usr/local/bin/determined-harden-ssh
+
+echo "Done. Run 'dss' to use."

sysmon.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+# Josh's Automatic System Monitor
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+update=1
+version=v1.5.3a
+alpha=0
+dfh=$(df -h | grep '8[0-9]%')
+dfh2=$(df -h | grep '9[0-9]%')
+
+while [[ $# -gt 0 ]]
+do
+  key="$1"
+
+  case $key in
+    --setup)
+    shift # past argument
+    setup=1
+    ;;
+    --no-update)
+    update=0
+    shift # past argument
+    ;;
+    --audit)
+    audit=1
+    shift # past argument
+    ;;
+    --email)
+    email="$2"
+    shift # past argument
+    ;;
+    -h|help)
+    echo "dss-mon $version"
+    echo "Usage: dss --monitor --email user@mailprovider.com"
+    exit 1
+    ;;
+    -v|version)
+    echo "dss $version"
+    exit 1
+    ;;
+    *)
+    # unknown option
+    if test -z "${unknown}"
+    then
+      unknown=$1
+    else
+      echo "dss-mon $version"
+      echo "Usage: dss --monitor --email user@mailprovider.com"
+      exit 1
+    fi
+    ;;
+  esac
+  shift # past argument or value
+done
+
+if test $update = 1
+then
+
+  sudo apt-get update
+  sudo apt-get upgrade
+  sudo apt-get install sysstat # Check if installed, then do this
+  curl -s "https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/setup.sh" | bash
+
+fi
+
+# Cleanup
+
+sudo apt-get clean
+
+# Security Audit (Tackled by dss init before setting this up.)
+
+# if test ! -f /home/.dssv1.7
+# then
+#
+#   dss init
+#
+# fi
+
+auth=$(sudo cat /var/log/auth.log | grep "Invalid user")
+#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed")
+
+if test $alpha = 1;
+then
+
+  sudo apt-get autoremove
+
+fi
+
+# To setup email, point a domain name to your server using DNS.
+# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator)
+# Then run: sudo apt-get install mailutils
+# Open up /etc/hosts and make sure it has:
+# 127.0.1.1 mydomain.com myserverHOSTNAME
+# Select "Internet Site" and enter the domain you want it to send email from.
+# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS
+
+if test ! -z "$auth" # If set to run automatically, don't run this check every time.
+then
+  echo "Attacks found. Sending authentication log to $email"
+  sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email
+fi
+
+if test ! -z "$dfh"
+then
+  echo "Disk usage is high, sending disk usage to $email"
+  echo "$dfh" | mail -s "High Disk Usage" $email
+fi
+
+if test ! -z "$dfh2"
+then
+  echo "Disk usage is critical, sending disk usage to $email"
+  echo "$dfh2" | mail -s "Critical Disk Usage" $email
+fi
+
+for i in {1..300} # Do this 300 times.
+do
+CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow
+CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total.
+done
+CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes.
+
+
+if test $CPURESULT > 90
+then
+  echo "CPU usage is quite high, sending report to $email"
+  echo "$CPURESULT %" | mail -s "High CPU Usage" $email
+fi
+
+USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}')
+
+if test $USEDRAM > 80
+then
+  echo "RAM usage is quite high, sending report to $email"
+  echo "$USEDRAM %" | mail -s "High RAM Usage" $email
+fi