From cbce8081f5daf7dee55443f7b07a980bfea0152e Mon Sep 17 00:00:00 2001
From: mathwhiz1212
Date: Sun, 6 Apr 2025 17:38:24 -0600
Subject: [PATCH] Import dss scripts and update them.

Import scripts from https://git.coolaj86.com/josh/dss with new URL paths and with the intent of further proxmox-centric customization.
---
 VERSION | 1 +
 create-user.bash | 75 +++++++++++++++
 determined-server-setup.sh | 186 +++++++++++++++++++++++++++++++++++++
 harden-server.sh | 152 ++++++++++++++++++++++++++++++
 josh.pub | 7 ++
 setup.sh | 22 +++++
 sysmon.sh | 136 +++++++++++++++++++++++++++
 7 files changed, 579 insertions(+)
 create mode 100644 VERSION
 create mode 100644 create-user.bash
 create mode 100755 determined-server-setup.sh
 create mode 100644 harden-server.sh
 create mode 100755 josh.pub
 create mode 100644 setup.sh
 create mode 100644 sysmon.sh

diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..abb510f
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+1.7.5 Alpha
\ No newline at end of file
diff --git a/create-user.bash b/create-user.bash
new file mode 100644
index 0000000..95e7c8b
--- /dev/null
+++ b/create-user.bash
@@ -0,0 +1,75 @@ +#!/bin/bash +# Determined Create User Script v2.0.3 +# Written by AJ Oneal -- edited by Joshua Mudge + +# Exit on any error +set -e + +if [ -z "$(which openssl)" ]; then + echo "ERROR: 'openssl' is not found."; + echo "Please install openssl. It is used to generate a random password." + exit 1 +fi +if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then + echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config"; + exit 1 +fi +if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then + echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config"; + exit 1 +fi +# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975 +if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then + echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'"; + exit 1 +fi + + +# exit if there are any unbound variables +set -u + +USER=$1 +USER=$(basename $USER .pub) + +# If they try to create root, exit. + +if test $USER = "root" + then + echo "You cannot create the root user, it already exists." + exit +fi + +# TODO allow optional gecos i.e. 
create-user.bash bobs.pub 'Bob Smith' + +# password will be set later in the script +#adduser --disabled-password --gecos '' $USER +sudo adduser --disabled-login --gecos '' $USER +sudo adduser $USER sudo # if sudo is needed + +# FAIL before getting here via set -e +sudo mkdir -p /home/$USER/.ssh +sudo chmod 700 /home/$USER/.ssh +sudo touch /home/$USER/.ssh/authorized_keys +sudo chmod 600 /home/$USER/.ssh/authorized_keys + +# PRE-REQ: get the user's ssh public key and store it in whoever.pub +sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys" + +sudo chown $USER:$USER /home/$USER +sudo chown $USER:$USER -R /home/$USER/.ssh/ + +PASSWD=$(openssl rand -hex 20) +#echo "$PASSWD" | passwd "$USER" --stdin +echo "$USER:$PASSWD" | sudo chpasswd +#echo "The temporary password for '"$USER"' is '"$PASSWD"'" +sudo passwd -d $USER +echo "'$USER'" has been added with key-only authentication and a password must be set on first login +sudo chage -d 0 $USER + +# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/ +# +# Linux +# date "+%s.%N" | md5sum +# +# macOS +# date "+%s.%N" | md5 diff --git a/determined-server-setup.sh b/determined-server-setup.sh new file mode 100755 index 0000000..c433ec6 --- /dev/null +++ b/determined-server-setup.sh 
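Review bot: `sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys"` builds a root shell command out of the script argument, so a name containing shell metacharacters is parsed by that shell rather than treated as a username, and nothing before it constrains what `basename $1 .pub` may return. Writing it without a nested shell, `sudo tee -a "/home/$USER/.ssh/authorized_keys" < "$USER.pub" > /dev/null`, and validating the name first, `[[ "$USER" =~ ^[a-z_][a-z0-9_-]*$ ]] || exit 1`, removes that path. The live check that password logins are really disabled is dead code: `ssh -v` prints its debug output on stderr, which `2>/dev/null` discards, so `grep password` never sees anything and the script passes even when sshd has not been restarted; `2>&1 | grep password` is the form the linked answer relies on. Finally, `sudo passwd -d $USER` right after `chpasswd` leaves an account that was just added to the `sudo` group with an empty password, and whether `sudo`/`su` then accept that depends on the PAM `nullok` setting on the host, so this sequence is worth confirming against the intended first-login flow.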
@@ -0,0 +1,186 @@ +#!/bin/bash +# determined-server-setup (dss) +# Written by Josh Mudge +# Ad Mejorem Dei Glorium + +version=$(curl -s https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/VERSION | cat) + +# Get options from CLI arguments + +usr=$USER +init=0 +clean=0 +log=0 +authlog=0 +update=0 +mon=0 + +while [[ $# -gt 0 ]] +do + key="$1" + + case $key in + --init) + init=1 + shift # past argument + ;; + --clean) + clean=1 + shift # past argument + ;; + --log) + log=1 + shift # past argument + ;; + --authlog) + authlog="$2" + shift # past argument + ;; + --user) + usr="$2" + shift # past argument + ;; + --user2) + user2="$2" + shift # past argument + ;; + --user3) + user3="$2" + shift # past argument + ;; + --update) + update=1 + shift # past argument + ;; + --monitor) + mon=1 + shift # past argument + ;; + --mon-setup) + mon=2 + shift # past argument + ;; + --email) + email=1 + shift # past argument + ;; + --logfile) + logfile=1 + shift # past argument + ;; + blacklist) + blacklist="$2" + shift # past argument + ;; + -h|help) + echo "dss $version" + echo "Usage: dss [OPTION]" + echo "You can run the following commands:" + echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." + echo "dss --log # Print the system log." + echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server." + echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." + exit 1 + ;; + -v|version) + echo "dss $version" + exit 1 + ;; + *) + # unknown option + if test -z "${unknown}" + then + unknown=$1 + else + echo "dss $version" + echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." 
+ exit 1 + fi + ;; + esac + shift # past argument or value +done + +if test $init = 1 +then + # Update server + sudo apt-get update + sudo apt-get upgrade -y + + # Install server utilities + sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common + + # Prompt user to set up automatic security updates. + sudo apt-get install -y unattended-upgrades + sudo dpkg-reconfigure -plow unattended-upgrades + + # Harden ssh + if determined-harden-ssh --user $usr + then + echo "dss" | sudo tee /home/.dssv1.7 + else + "You cannot create root user and disable root login, that won't work... See 'dss help'" + exit + fi + +elif test $log = 1 +then + + sudo cat /var/log/syslog + +elif test $authlog = 1 + then + sudo cat /var/log/auth.log + +elif test $authlog = attacks + then + sudo cat /var/log/auth.log | grep "Invalid user" + sudo cat /var/log/auth.log | grep "Connection closed" + exit + +elif test ! -z $blacklist +then + echo "Note to self: add blacklist function, empty elif is not allowed in BASH." + # Blacklist code + +elif test $update = 1 +then + # Update Linux and determined-setup + sudo apt-get update + sudo apt-get upgrade + curl -s "https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/setup.sh" | bash + +elif test $clean = 1 +then + # Update + sudo apt-get update + sudo apt-get upgrade + + # Cleanup + sudo apt-get clean + sudo apt-get autoremove + +elif test $mon = 1 +then + + cd /home + ./sysmon.sh -- email $email + +elif test $mon = 2 +then + + dss init + curl -sO "https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/sysmon.sh" + sudo mv sysmon.sh /home/.sysmon.sh + ( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab - + +else + echo "dss $version" + echo "Usage: dss [OPTION]" + echo "You can run the following commands:" + echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." 
+ echo "dss --log # Print the system log."
+ echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server."
+ echo "dss --user USERNAME init # Setup server with server utilities and enable automatic security updates."
+ exit 1
+fi
diff --git a/harden-server.sh b/harden-server.sh
new file mode 100644
index 0000000..c995440
--- /dev/null
+++ b/harden-server.sh
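Review bot: The `--mon-setup` branch never installs its cron entry: `&> "$logfile"` binds to the `echo` inside the `( ... )` group, so the new line goes to the log file and only the existing crontab reaches `sudo crontab -`; the nested double quotes around `/bin/bash -c "..."` also end the string early, and because `--email` and `--logfile` assign the literal `1` instead of `$2`, neither the address nor the log path is ever the caller's value. Taking both as `email="$2"` / `logfile="$2"` and writing the entry as `( sudo crontab -l 2>/dev/null; printf '%s\n' "14 1 * * * /bin/bash /home/.sysmon.sh --email $email >$logfile 2>&1" ) | sudo crontab -` fixes that path. Every flag arm (`--init`, `--clean`, `--log`, `--update`, `--monitor`, `--mon-setup`, `--email`, `--logfile`) does `shift` and the loop tail shifts again, so each swallows the argument after it; `harden-server.sh` (`setup`) and `sysmon.sh` (`--setup`, `--no-update`, `--audit`) repeat the pattern. In the same file `dss init` is not a recognised option and only prints usage, `--monitor` runs `./sysmon.sh` from `/home` although `--mon-setup` installs it as `/home/.sysmon.sh`, and the `--init` else-arm is missing its `echo`, so the quoted message is executed as a command. `--update` pipes `curl -s` straight into `bash` with no `-f` and no integrity check; downloading to a temp file and at least failing on a non-success status before running it would be the minimum.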
@@ -0,0 +1,152 @@ +#!/bin/bash +# Determined SSH Hardening +# Written by Josh Mudge +# Ad Mejorem Dei Glorium + +# Only ban password login for root, not all login for root. + +usr=$USER +version="v1.4.4 Alpha" +keyserver="https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/" + +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + setup) + setup=1 + shift # past argument + ;; + --user) + usr="$2" + shift # past argument + ;; + --user2) + user2="$2" + shift # past argument + ;; + --user3) + user3="$2" + shift # past argument + ;; + --user4) + user4="$2" + shift # past argument + ;; + --user5) + user5="$2" + shift # past argument + ;; + -h|--help) + echo determined-harden-ssh $version + echo "Usage: determined-harden-ssh --user USERNAME" + exit 1 + ;; + *) + # unknown option + if [ -z "${user}" ]; then + echo determined-harden-ssh $version + echo "No admin user specified." + echo "Usage: determined-harden-ssh --user USERNAME" + else + echo "unrecognized option '$1'" + exit 1 + fi + ;; +esac +shift # past argument or value +done + +if test ! -z $usr +then + + echo "Installing fail2ban and hardening SSH configuration." + # Install fail2ban + sudo apt-get install -y fail2ban curl openssh-server > /dev/null + + echo "Creating new user by the username $usr" + + echo "Disabling password based logins in favor of SSH keys." + + # SSH keys only, no passwords. 
+ + sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config + sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config + sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config + + mkdir .tssh + + cd .tssh + + curl -sLO https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/create-user.bash + + curl -sLO https://$keyserver/$usr.pub + + sudo mv create-user.bash /usr/local/bin/determined-create-user + + sudo chmod +x /usr/local/bin/determined-create-user + + if determined-create-user $usr; + then + echo "Setting up non-root admin user(s)" + else + echo "User creation failed. Please fix the above error and try again." + cd .. + rm -rf .tssh + exit + fi + + if test ! -z $user2 + then + + curl -sLO https://$keyserver/$user2.pub + + ./create-user.bash $user2 + + fi + + if test ! -z $user3 + then + + curl -sLO https://$keyserver/$user3.pub + + ./create-user.bash $user3 + + fi + + if test ! -z $user4 + then + + curl -sLO https://$keyserver/$user4.pub + + ./create-user.bash $user4 + + fi + + if test ! -z $user5 + then + + curl -sLO https://$keyserver/$user5.pub + + ./create-user.bash $user5 + + fi + + cd .. + rm -rf .tssh + + echo "Disabling root login." + + sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config + sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config + + echo "That's it, we're done :)" + +else + + echo determined-harden-ssh $version + echo "No admin user specified." + echo "Usage: ./harden-server.sh --user USERNAME" + +fi diff --git a/josh.pub b/josh.pub new file mode 100755 index 0000000..f88eaf0 --- /dev/null +++ b/josh.pub 
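Review bot: `keyserver` already carries the `https://` scheme, so `curl -sLO https://$keyserver/$usr.pub` requests `https://https://git.coolaj86.com/...//josh.pub`, and with `-s` and no `-f` that failure is silent; `determined-create-user` then has no `$usr.pub` to read and every run ends in the "User creation failed" branch. `curl -fsSLO "${keyserver}${usr}.pub" || exit 1` both fixes the URL and stops on a missing key. The `user2`..`user5` branches call `./create-user.bash`, but that file was just moved to `/usr/local/bin/determined-create-user`, so they cannot succeed either. The `sed` edits to `/etc/ssh/sshd_config` are never validated with `sudo sshd -t` and the service is not restarted, so they only take effect on the next restart, and the `*)` arm tests `${user}`, which is never assigned, where `$usr` is meant.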
@@ -0,0 +1,7 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCv0FjEGZWOYllCbQ1vKrWq6+jo0hkqOoj350/zitTce9QJZrD2JOC9FSRqTy8wlBwjapfTIgOLDfzv6iLA7i652HpoA5p8RUsRwOqBqj2ofhbhJyGg5lEhpWQDxLVIf8FrcN8BL07UzasS9NfrI6ElYeFnO5L6V9eDc49J5iRwYIuyIkSjuxbo+utwfZttYSHvVB9e5Y0HAYQFVH10hIvkROwoNO2KsBJ/kKM4PSuPRBsTxIObX7LRduzO54sk+NGgLXVbr9EdwcPzN7xUUNrlmwKAtgj9u0RmgzE5DQhGLumR87ntAOD6jRTqvO012T2rP5TZiO5WvgLZQ3B6OOkf josh@ltltod + +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdIqdxMncwBtfH2znhNM9EdBZDkcwew+zmV8Nw0msACfi0wUpwPcBtYerNi6gt9+bSkOHj4grRyEY/S79R7YApNcThelJhbCKFh1XBVKfNtAIvs0hsO8YxzwBZlcFID5rCRof5wdwKi9OtcnzzQV6qDCJnL3l+B7bWtQJoOwwo9SGaU3baLLSCC+06F3jUQofn5vOMVKGO7HcFKK/mVgPOX8WYO7XjegSu2AP01jDZxHLp1CWldxd2iv7NsMNcBvGvsS9cW0Fq3SdjWyuLzLs12X1O1pyTRw/9bHseFXa3xpOlO5oiHsAVdYivzWk8/IddTrfw9RGc9vtu3RuuJTer josh@Mac-mini.local + +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCRu4QMnJbNbm2MdOPYJYQTKZQZQVsxOU5cYV63zVYKerFAGLZ+vwJeX8l5mdUcCBiVc1Px7Po+KZ7HJKygh859zz61E3a/eWTiikuvpd16XNJCDB9mKNAvkCl84m10YSfKcyn6u7jbqwAshHoQ2xCrG4f7mY6XD7EKavblYWBV4IEdeGZVdkMx5UOT2yQMOOdqldbwd56lJwa36NuBM69af0axU3VHEBQbzNeGFYuANh54HCOce++ilk733y5VM80Jq4owHZ6mdJ37Z6KB1dIVWgsWSKqJHqYEIHtdSjj4IvMGNnoPO4u9ts3/VQt66udO6dVztp1BfOKws16KYtFVMVDVRuifYBmYFXysod9cJ9/7Wr0H/PurLOy5T57sp044Nj+X7QHGjv1QYzbnr9en963nKXfX/NJI+deev71kYzBxVXsvl8ywNcAPZFhPdwMu44R69/zg+Zwfc2BSarbsGCOUAEfLy/wp8O0zcuOF+xBJcnPTmGYBEjtBtTmXHe7Eurldl5UnlRpaAMe8awdQOi/H7Y942FV2uLkJ6jIXeeojuZ4lZVOFcLfzSpor55bXcMvktHzxVvdWE/D+zTh3aakNcagB3YVin0sBrVdM1NLO9pBhlATJMWLurlplQPY+4NklsBJlSCNBWtD0H9RYbj/m8KNrH5jjPCs8/WRHVQ== root@pve1 + +ssh-rsa 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 root@pve2 diff --git a/setup.sh b/setup.sh new file mode 100644 index 0000000..d0f6dc2 --- /dev/null +++ b/setup.sh 
@@ -0,0 +1,22 @@
+#!/bin/bash
+# Setup for determined-server-setup
+# Written by Josh Mudge
+# Ad Mejorem Dei Glorium
+
+version=$(curl -s https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/VERSION | cat)
+
+echo "Installing dss $version"
+
+curl -sO https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/determined-server-setup.sh
+
+sudo mv determined-server-setup.sh /usr/local/bin/dss
+
+sudo chmod +x /usr/local/bin/dss
+
+curl -sO https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/harden-server.sh
+
+sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh
+
+sudo chmod +x /usr/local/bin/determined-harden-ssh
+
+echo "Done. Run 'dss' to use."
diff --git a/sysmon.sh b/sysmon.sh
new file mode 100644
index 0000000..fd1ffdb
--- /dev/null
+++ b/sysmon.sh
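Review bot: Both `curl -sO` downloads are installed into `/usr/local/bin` as root-executable commands with no check that the transfer succeeded: `-s` hides errors, without `-f` an HTTP error body is saved under the script name and handed to `sudo mv`/`chmod +x`, and with no `set -e` the script continues after a failed fetch. `set -euo pipefail` at the top plus `curl -fsSLO URL` on both fetches (or `-o` into a `mktemp -d` directory that is cleaned up by a `trap`) is the minimal fix; pinning a release tag or comparing against a published checksum would make the install reproducible. `version=$(curl -s ... | cat)` is the same unchecked fetch with a redundant `| cat`.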
@@ -0,0 +1,136 @@ +#!/bin/bash +# Josh's Automatic System Monitor +# Written by Josh Mudge +# Ad Mejorem Dei Glorium + +update=1 +version=v1.5.3a +alpha=0 +dfh=$(df -h | grep '8[0-9]%') +dfh2=$(df -h | grep '9[0-9]%') + +while [[ $# -gt 0 ]] +do + key="$1" + + case $key in + --setup) + shift # past argument + setup=1 + ;; + --no-update) + update=0 + shift # past argument + ;; + --audit) + audit=1 + shift # past argument + ;; + --email) + email="$2" + shift # past argument + ;; + -h|help) + echo "dss-mon $version" + echo "Usage: dss --monitor --email user@mailprovider.com" + exit 1 + ;; + -v|version) + echo "dss $version" + exit 1 + ;; + *) + # unknown option + if test -z "${unknown}" + then + unknown=$1 + else + echo "dss-mon $version" + echo "Usage: dss --monitor --email user@mailprovider.com" + exit 1 + fi + ;; + esac + shift # past argument or value +done + +if test $update = 1 +then + + sudo apt-get update + sudo apt-get upgrade + sudo apt-get install sysstat # Check if installed, then do this + curl -s "https://git.coolaj86.com/josh/proxmox-scripts/raw/branch/main/setup.sh" | bash + +fi + +# Cleanup + +sudo apt-get clean + +# Security Audit (Tackled by dss init before setting this up.) + +# if test ! -f /home/.dssv1.7 +# then +# +# dss init +# +# fi + +auth=$(sudo cat /var/log/auth.log | grep "Invalid user") +#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed") + +if test $alpha = 1; +then + + sudo apt-get autoremove + +fi + +# To setup email, point a domain name to your server using DNS. +# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator) +# Then run: sudo apt-get install mailutils +# Open up /etc/hosts and make sure it has: +# 127.0.1.1 mydomain.com myserverHOSTNAME +# Select "Internet Site" and enter the domain you want it to send email from. +# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS + +if test ! 
-z "$auth" # If set to run automatically, don't run this check every time. +then + echo "Attacks found. Sending authentication log to $email" + sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email +fi + +if test ! -z "$dfh" +then + echo "Disk usage is high, sending disk usage to $email" + echo "$dfh" | mail -s "High Disk Usage" $email +fi + +if test ! -z "$dfh2" +then + echo "Disk usage is critical, sending disk usage to $email" + echo "$dfh2" | mail -s "Critical Disk Usage" $email +fi + +for i in {1..300} # Do this 300 times. +do +CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow +CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total. +done +CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes. + + +if test $CPURESULT > 90 +then + echo "CPU usage is quite high, sending report to $email" + echo "$CPURESULT %" | mail -s "High CPU Usage" $email +fi + +USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}') + +if test $USEDRAM > 80 +then + echo "RAM usage is quite high, sending report to $email" + echo "$USEDRAM %" | mail -s "High RAM Usage" $email +fi
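Review bot: `if test $CPURESULT > 90` and `if test $USEDRAM > 80` are not comparisons: inside `test`, `>` is a shell redirection, so each run creates files named `90` and `80` in the working directory (`/home` when launched from `dss --monitor`) and the condition reduces to "the variable is non-empty", which is always true, so the high-CPU and high-RAM mails go out on every run. Use `if (( CPURESULT > 90 ))` for the integer, and since `USEDRAM` is a float from awk, `if awk -v u="$USEDRAM" 'BEGIN { exit !(u > 80) }'` for the second. The 300 iterations of `mpstat 1 1` take about five minutes, not the ten seconds the comment claims, and `$email` is passed unquoted to `mail -s` in every branch, so an empty value leaves `mail` with no recipient. The `--setup`, `--no-update` and `--audit` arms `shift` and the loop tail shifts again, so each swallows the argument that follows it.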