vpshard.sh
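#!/bin/bash
# Script to Harden Security on Ubuntu
#
# 1. UPDATE & UPGRADE / apt-get update + upgrade
# 2. USER SETUP / Add a new admin user (default: sshusr, prompted) / Add to sudo group
# 3. SSH CONFIG / Back up sshd_config, change the SSH port (root-login change kept disabled, see section 3)
# 4. CONFIG FIREWALL / UFW - allow 80, 443 and the SSH port, default deny IN / allow OUT, optionally enable
# 5. FAIL2BAN and 6. RUBY ON RAILS are planned but not implemented in this revision
# 9. NEOFETCH / install neofetch and add it to the MOTD
# 10. MOTD CLEANUP / remove the stock Ubuntu MOTD header, help text and /etc/legal
#
# Must be run as root. Progress is printed to the terminal and appended to $LOGFILE.
# The new SSH port only takes effect once sshd is restarted; this script deliberately
# does NOT restart sshd, so the admin can first confirm the firewall rule for the new
# port is in place (section 4) and test a second session before dropping the current one.

# Unset variables are bugs here. -e is NOT used: several commands below are expected
# to fail as part of a check (e.g. `id -u` for a user that does not exist yet), so
# every critical command is checked explicitly instead.
set -u

# --- Settings ---------------------------------------------------------------
readonly LOGFILE='/var/log/server_hardening.log'
readonly SSHDFILE='/etc/ssh/sshd_config'
readonly SSHPORT='55522'
SSHUSER='sshusr'                                   # default; may be overridden at the prompt in section 2
readonly MOTD_NEOFETCH='/etc/update-motd.d/59-neofetch'
readonly RULE='------------------------------------------------'

# --- Helpers ----------------------------------------------------------------

#######################################
# Append a timestamped line to the log file only.
# Globals:   LOGFILE (written)
# Arguments: message words
#######################################
log() {
  printf '%s : %s\n' "$(date +%d.%m.%Y_%H:%M:%S)" "$*" >> "$LOGFILE" 2>&1
}

#######################################
# Print a message to the terminal AND record it in the log.
# Arguments: message words
#######################################
say() {
  printf '%s\n' "$*"
  log "$*"
}

#######################################
# Print a section banner to the terminal and to the log.
# Arguments: $1 - banner title
#######################################
banner() {
  printf '%s\n%s\n%s\n\n' "$RULE" "$1" "$RULE"
  printf '%s\n%s\n%s\n' "$RULE" "$1" "$RULE" >> "$LOGFILE" 2>&1
}

# Every section writes under /etc or /var/log; refuse to run unprivileged rather
# than failing half-way through with a partially modified system.
if [[ $EUID -ne 0 ]]; then
  printf 'ERROR: this script must be run as root (try: sudo %s)\n' "$0" >&2
  exit 1
fi

# Create the log if absent and keep it root-only: it records usernames, the SSH
# port and config paths, which should not be readable by other local accounts.
touch "$LOGFILE" && chmod 600 -- "$LOGFILE"

printf '\n%s\n--- Server Hardening Script Started -----------\n%s\n\n' "$RULE" "$RULE" >> "$LOGFILE" 2>&1

##########################
## 1. UPDATE & UPGRADE ###
##########################
banner '--- 1. UPDATE and UPGRADE ------------------------'
log 'INITIALISE SYSTEM UPDATE'
# apt output is left on the terminal on purpose so the admin sees what is being changed.
if apt-get update; then
  log 'INITIALISE SYSTEM UPGRADE'
  if apt-get upgrade -y; then
    say 'SYSTEM UPDATED and UPGRADED SUCCESSFULLY'
  else
    say 'ERROR: apt-get upgrade failed. Check the output above.'
  fi
else
  say 'ERROR: apt-get update failed. Upgrade skipped.'
fi
printf '%s\n\n' "$RULE"

####################
## 2. USER SETUP ###
####################
banner '--- 2. USER SETUP ------------------------------'
# The original prompted for a username but then ignored the answer and always
# used $SSHUSER; the answer is now honoured, with $SSHUSER as the default.
read -r -p "Enter New USERNAME [${SSHUSER}]: " entered
SSHUSER=${entered:-$SSHUSER}
# Accept only a conventional lower-case Unix username so nothing odd reaches adduser/usermod.
if [[ ! $SSHUSER =~ ^[a-z_][a-z0-9_-]*$ ]]; then
  say "ERROR : '${SSHUSER}' is not a valid username. Skipping user setup."
elif id -u "$SSHUSER" >/dev/null 2>&1; then
  say "SKIPPING : User ${SSHUSER} Already Exists !"
else
  # adduser is interactive (password, GECOS) and stays on the terminal.
  if adduser "$SSHUSER" && usermod -aG sudo "$SSHUSER" >> "$LOGFILE" 2>&1; then
    say "SUCCESS : User ${SSHUSER} has been created and Added to SUDO group !"
  else
    say "ERROR : could not create ${SSHUSER} or add it to sudo. Check log file for details."
  fi
fi
printf '%s\n\n' "$RULE"

####################
## 3. SSH CONFIG ##
####################
banner '--- 3. SSH CONFIG ------------------------------'
# One timestamp, reused for both the copy and the chmod. The original evaluated
# $(date) twice and piped the backup copy into the log ('> backup >> $LOGFILE'
# lets the second redirection win), which left an empty backup file.
backup="${SSHDFILE}.$(date +%F_%R).bak"
if cp -p -- "$SSHDFILE" "$backup"; then
  # The backup can hold sensitive settings; keep it root-only (the original used 777).
  chmod 600 -- "$backup"
  say "SSH Config File Backed up to ${backup}"
  # Ubuntu ships the default as a commented '#Port 22', which 's/Port 22/.../'
  # would turn into '#Port 55522' and then report SUCCESS. Match the optional
  # '#' as well, append the directive if none exists, and verify the result.
  # NOTE(review): a drop-in under /etc/ssh/sshd_config.d/ or ssh.socket activation
  # can still override the listening port on newer releases — confirm for the target host.
  if grep -qE '^#?[[:space:]]*Port[[:space:]]' "$SSHDFILE"; then
    sed -i -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+/Port ${SSHPORT}/" "$SSHDFILE"
  else
    printf 'Port %s\n' "$SSHPORT" >> "$SSHDFILE"
  fi
  if grep -qE "^Port[[:space:]]+${SSHPORT}$" "$SSHDFILE" && sshd -t >> "$LOGFILE" 2>&1; then
    say "SUCCESS : SSH Port changed to ${SSHPORT} (takes effect after 'systemctl restart ssh')"
  else
    say "ERROR: SSH Port couldn't be changed or sshd config is invalid. Restoring backup. Check log file for details."
    cp -p -- "$backup" "$SSHDFILE"
  fi
else
  say 'ERROR: could not back up sshd_config; SSH settings left untouched.'
fi
# Denying root login is intentionally still disabled, as in the original. Enable it
# only after the new user's sudo access has been verified from a second session:
#   sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' "$SSHDFILE" && sshd -t
printf '%s\n\n' "$RULE"

####################
## 4. FW CONFIG ###
####################
banner '--- 4. FW CONFIG -------------------------------'
# Check for the binary rather than running 'ufw status', and apply the rules in
# either case: the original only added rules on a fresh install, so on hosts
# that ship ufw pre-installed the new SSH port was never allowed.
if command -v ufw >/dev/null 2>&1; then
  say 'SKIPPING : UFW already installed.'
else
  say 'INFO : UFW NOT installed. Installing now... !'
  apt-get install ufw -y >> "$LOGFILE" 2>&1
fi
if command -v ufw >/dev/null 2>&1; then
  # Add fw rules. Limited to TCP (the original 'ufw allow 80' also opened UDP);
  # the SSH rule uses $SSHPORT instead of a second hard-coded copy of the number.
  ufw allow 80/tcp >> "$LOGFILE" 2>&1
  ufw allow 443/tcp >> "$LOGFILE" 2>&1
  ufw allow "${SSHPORT}/tcp" >> "$LOGFILE" 2>&1
  ufw default allow outgoing >> "$LOGFILE" 2>&1
  ufw default deny incoming >> "$LOGFILE" 2>&1
  printf 'Current Firewall Rules:\n%s\n' "$RULE"
  ufw show added
  printf '%s\n\n' "$RULE"
  # Enable firewall question. Empty input no longer crashes the test (was an unquoted [ ]).
  read -r -p 'Enable the Firewall ? [y/n] ' fwenable
  if [[ $fwenable =~ ^[Yy]$ ]]; then
    ufw enable
  else
    say 'Firewall NOT Enabled'
  fi
else
  say 'ERROR : UFW could not be installed; firewall NOT configured.'
fi
printf '%s\n\n' "$RULE"

####################
## 5. F2B Config ##
####################
# Not implemented yet.

######################
## 6. Ruby Install ##
######################
# Not implemented yet.

###########################
## 9. NEOFETCH Install ##
###########################
banner '--- 9. NEOFETCH Install -----------------------'
if command -v neofetch >/dev/null 2>&1; then
  say 'SKIPPING : NEOFETCH already installed. Moving on... !'
else
  say 'INFO : NEOFETCH NOT installed. Installing now... !'
  # Kept from the original. Adding a PPA makes its signing key a trusted apt
  # source for the whole system (a third-party supply-chain trust root);
  # prefer the distro's own neofetch package where the release ships one.
  add-apt-repository -y ppa:dawidd0811/neofetch >> "$LOGFILE" 2>&1
  apt-get update >> "$LOGFILE" 2>&1
  apt-get install -y neofetch >> "$LOGFILE" 2>&1
fi
# The MOTD entry is handled independently of the install: the original only
# wrote it when neofetch had just been installed, so a pre-installed neofetch
# never got a MOTD entry.
if command -v neofetch >/dev/null 2>&1; then
  if [[ -e $MOTD_NEOFETCH ]]; then
    say 'SKIPPING : NEOFETCH Already added to MOTD'
  else
    say 'INFO : Adding NEOFETCH to MOTD'
    # Quoted heredoc, so nothing is expanded. The original used
    # 'echo ... >> file >> $LOGFILE', where the second redirection won and
    # the MOTD script was left empty.
    cat > "$MOTD_NEOFETCH" <<'EOF'
#!/bin/bash
echo -e ' \n'
neofetch
echo -e ' \n'
EOF
    chmod 755 -- "$MOTD_NEOFETCH"
  fi
else
  say 'ERROR : NEOFETCH is not available; MOTD entry not added.'
fi
printf '%s\n\n' "$RULE"

########################
## 10. MOTD Cleanup ##
########################
banner '--- 10. MOTD Cleanup ----------------------------'
# Stock MOTD fragments that only add noise; each is removed if present.
for motd_file in /etc/update-motd.d/00-header /etc/update-motd.d/10-help-text /etc/legal; do
  label=${motd_file##*/}
  if [[ -e $motd_file ]]; then
    say "MOTD file ${label} Found. DELETING..."
    rm -f -- "$motd_file" >> "$LOGFILE" 2>&1
  else
    say "MOTD file ${label} NOT Found. SKIPPING..."
  fi
done
printf '%s\n\n' "$RULE"

say '--- Server Hardening Script Finished ----------'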