From 68db3b59f9deb6181a5163467c4f733d0fc3809c Mon Sep 17 00:00:00 2001 From: Josh Mudge Date: Fri, 11 Jan 2019 20:50:24 -0700 Subject: [PATCH] Forked from daplie-snippets --- README.md | 27 ++++++ VERSION | 1 + create-user.bash | 75 +++++++++++++++ determined-server-setup.sh | 186 +++++++++++++++++++++++++++++++++++++ harden-server.sh | 150 ++++++++++++++++++++++++++++++ setup.sh | 22 +++++ sysmon.sh | 136 +++++++++++++++++++++++++++ 7 files changed, 597 insertions(+) create mode 100644 README.md create mode 100644 VERSION create mode 100644 create-user.bash create mode 100755 determined-server-setup.sh create mode 100644 harden-server.sh create mode 100644 setup.sh create mode 100644 sysmon.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..35776e1 --- /dev/null +++ b/README.md @@ -0,0 +1,27 @@ +# determined-server-setup (dss) + +determined-server-setup is a script that installs needed utilities/software on servers so you don't need to. + +# Requirements + +# Installation + +You can install it by running: + +`curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash` + +# Usage + +This script is in the ALPHA stage. Use at your own risk. +``` +dss --init # Update your server and install server utilities, setup automatic updates and harden SSH. +dss --clean # Update the server and cleanup unneeded files and programs. Use with caution. +dss --log # Print the system log.` +dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server. +dss --user USERNAME init # Setup server with server utilities and enable automatic security updates. +``` +You can run: `dss help` for a list of all commands. + +# Automatic Updates + +When prompted to setup automatic updates, hit "yes" and when prompted with a text box, replace all references to "Debian" with the name of your distro. If you're running Ubuntu, you should replace all references of Debian with Ubuntu. diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..6359fb9 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +1.7.3 Alpha diff --git a/create-user.bash b/create-user.bash new file mode 100644 index 0000000..95e7c8b --- /dev/null +++ b/create-user.bash @@ -0,0 +1,75 @@ +#!/bin/bash +# Determined Create User Script v2.0.3 +# Written by AJ Oneal -- edited by Joshua Mudge + +# Exit on any error +set -e + +if [ -z "$(which openssl)" ]; then + echo "ERROR: 'openssl' is not found."; + echo "Please install openssl. It is used to generate a random password." + exit 1 +fi +if [ -z "$(grep '^PermitRootLogin prohibit-password$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin no$' /etc/ssh/sshd_config)" ] && [ -z "$(grep '^PermitRootLogin without-password$' /etc/ssh/sshd_config)" ]; then + echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config"; + exit 1 +fi +if [ -z "$(grep '^PasswordAuthentication no$' /etc/ssh/sshd_config)" ]; then + echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config"; + exit 1 +fi +# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975 +if [ -n "$(ssh -v -o Batchmode=yes DOES_NOT_EXIST@localhost 2>/dev/null | grep password)" ]; then + echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'"; + exit 1 +fi + + +# exit if there are any unbound variables +set -u + +USER=$1 +USER=$(basename $USER .pub) + +# If they try to create root, exit. + +if test $USER = "root" + then + echo "You cannot create the root user, it already exists." + exit +fi + +# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith' + +# password will be set later in the script +#adduser --disabled-password --gecos '' $USER +sudo adduser --disabled-login --gecos '' $USER +sudo adduser $USER sudo # if sudo is needed + +# FAIL before getting here via set -e +sudo mkdir -p /home/$USER/.ssh +sudo chmod 700 /home/$USER/.ssh +sudo touch /home/$USER/.ssh/authorized_keys +sudo chmod 600 /home/$USER/.ssh/authorized_keys + +# PRE-REQ: get the user's ssh public key and store it in whoever.pub +sudo bash -c "cat $USER.pub >> /home/$USER/.ssh/authorized_keys" + +sudo chown $USER:$USER /home/$USER +sudo chown $USER:$USER -R /home/$USER/.ssh/ + +PASSWD=$(openssl rand -hex 20) +#echo "$PASSWD" | passwd "$USER" --stdin +echo "$USER:$PASSWD" | sudo chpasswd +#echo "The temporary password for '"$USER"' is '"$PASSWD"'" +sudo passwd -d $USER +echo "'$USER'" has been added with key-only authentication and a password must be set on first login +sudo chage -d 0 $USER + +# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/ +# +# Linux +# date "+%s.%N" | md5sum +# +# macOS +# date "+%s.%N" | md5 diff --git a/determined-server-setup.sh b/determined-server-setup.sh new file mode 100755 index 0000000..4273e50 --- /dev/null +++ b/determined-server-setup.sh @@ -0,0 +1,186 @@ +#!/bin/bash +# determined-server-setup (dss) +# Written by Josh Mudge +# Ad Mejorem Dei Glorium + +version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat) + +# Get options from CLI arguments + +usr=$USER +init=0 +clean=0 +log=0 +authlog=0 +update=0 +mon=0 + +while [[ $# -gt 0 ]] +do + key="$1" + + case $key in + --init) + init=1 + shift # past argument + ;; + --clean) + clean=1 + shift # past argument + ;; + --log) + log=1 + shift # past argument + ;; + --authlog) + authlog="$2" + shift # past argument + ;; + --user) + usr="$2" + shift # past argument + ;; + --user2) + user2="$2" + shift # past argument + ;; + --user3) + user3="$2" + shift # past argument + ;; + --update) + update=1 + shift # past argument + ;; + --monitor) + mon=1 + shift # past argument + ;; + --mon-setup) + mon=2 + shift # past argument + ;; + --email) + email=1 + shift # past argument + ;; + --logfile) + logfile=1 + shift # past argument + ;; + blacklist) + blacklist="$2" + shift # past argument + ;; + -h|help) + echo "dss $version" + echo "Usage: dss [OPTION]" + echo "You can run the following commands:" + echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." + echo "dss --log # Print the system log." + echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server." + echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." + exit 1 + ;; + -v|version) + echo "dss $version" + exit 1 + ;; + *) + # unknown option + if test -z "${unknown}" + then + unknown=$1 + else + echo "dss $version" + echo "dss --user USERNAME --init # Setup server with server utilities and enable automatic security updates." + exit 1 + fi + ;; + esac + shift # past argument or value +done + +if test $init = 1 +then + # Update server + sudo apt-get update + sudo apt-get upgrade -y + + # Install server utilities + sudo apt-get install -y screen curl nano htop fail2ban rsync man shellcheck git software-properties-common + + # Prompt user to set up automatic security updates. + sudo apt-get install -y unattended-upgrades + sudo dpkg-reconfigure -plow unattended-upgrades + + # Harden ssh + if determined-harden-ssh --user $usr + then + echo "dss" | sudo tee /home/.dssv1.7 + else + "You cannot create root user and disable root login, that won't work... See 'dss help'" + exit + fi + +elif test $log = 1 +then + + sudo cat /var/log/syslog + +elif test $authlog = 1 + then + sudo cat /var/log/auth.log + +elif test $authlog = attacks + then + sudo cat /var/log/auth.log | grep "Invalid user" + sudo cat /var/log/auth.log | grep "Connection closed" + exit + +elif test ! -z $blacklist +then + echo "Note to self: add blacklist function, empty elif is not allowed in BASH." + # Blacklist code + +elif test $update = 1 +then + # Update Linux and determined-setup + sudo apt-get update + sudo apt-get upgrade + curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash + +elif test $clean = 1 +then + # Update + sudo apt-get update + sudo apt-get upgrade + + # Cleanup + sudo apt-get clean + sudo apt-get autoremove + +elif test $mon = 1 +then + + cd /home + ./sysmon.sh -- email $email + +elif test $mon = 2 +then + + dss init + curl -sO "https://git.coolaj86.com/josh/raw/master/dss/sysmon.sh" + sudo mv sysmon.sh /home/.sysmon.sh + ( sudo crontab -l ; echo "14 1 * * * /bin/bash -c "/home/.sysmon.sh --email $email"" &> "$logfile" ) | sudo crontab - + +else + echo "dss $version" + echo "Usage: dss [OPTION]" + echo "You can run the following commands:" + echo "dss --clean # Update the server and cleanup uneeded files and programs. Use with caution." + echo "dss --log # Print the system log." + echo "dss --authlog 1 # Print the SSH authentication log. Use 'dss authlog attacks' to show attacks on your SSH server." + echo "dss --user USERNAME init # Setup server with server utilities and enable automatic security updates." + exit 1 +fi diff --git a/harden-server.sh b/harden-server.sh new file mode 100644 index 0000000..0d560f1 --- /dev/null +++ b/harden-server.sh @@ -0,0 +1,150 @@ +#!/bin/bash +# Determined SSH Hardening +# Written by Josh Mudge +# Ad Mejorem Dei Glorium + +usr=$USER +version="v1.4.1 Alpha" +#keyserver="" + +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + setup) + setup=1 + shift # past argument + ;; + --user) + usr="$2" + shift # past argument + ;; + --user2) + user2="$2" + shift # past argument + ;; + --user3) + user3="$2" + shift # past argument + ;; + --user4) + user4="$2" + shift # past argument + ;; + --user5) + user5="$2" + shift # past argument + ;; + -h|--help) + echo determined-harden-ssh $version + echo "Usage: determined-harden-ssh --user USERNAME" + exit 1 + ;; + *) + # unknown option + if [ -z "${user}" ]; then + echo determined-harden-ssh $version + echo "No admin user specified." + echo "Usage: determined-harden-ssh --user USERNAME" + else + echo "unrecognized option '$1'" + exit 1 + fi + ;; +esac +shift # past argument or value +done + +if test ! -z $usr +then + + echo "Installing fail2ban and hardening SSH configuration." + # Install fail2ban + sudo apt-get install -y fail2ban curl openssh-server > /dev/null + + echo "Creating new user by the username $usr" + + echo "Disabling password based logins in favor of SSH keys." + + # SSH keys only, no passwords. + + sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config + sudo sed -i "s/#PasswordAuthentication no/PasswordAuthentication no/g" /etc/ssh/sshd_config + sudo sed -i "s/PermitRootLogin yes/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config + + mkdir .tssh + + cd .tssh + + curl -sLO https://git.coolaj86.com/josh/raw/master/dss/create-user.bash + + curl -sLO https://$keyserver/$usr.pub + + sudo mv create-user.bash /usr/local/bin/determined-create-user + + sudo chmod +x /usr/local/bin/determined-create-user + + if determined-create-user $usr; + then + echo "Setting up non-root admin user(s)" + else + echo "User creation failed. Please fix the above error and try again." + cd .. + rm -rf .tssh + exit + fi + + if test ! -z $user2 + then + + curl -sLO https://$keyserver/$user2.pub + + ./create-user.bash $user2 + + fi + + if test ! -z $user3 + then + + curl -sLO https://$keyserver/$user3.pub + + ./create-user.bash $user3 + + fi + + if test ! -z $user4 + then + + curl -sLO https://$keyserver/$user4.pub + + ./create-user.bash $user4 + + fi + + if test ! -z $user5 + then + + curl -sLO https://$keyserver/$user5.pub + + ./create-user.bash $user5 + + fi + + cd .. + rm -rf .tssh + + echo "Disabling root login." + + sudo sed -i "s/PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config + sudo sed -i "s/PermitRootLogin without-password/PermitRootLogin no/g" /etc/ssh/sshd_config + + echo "That's it, we're done :)" + +else + + echo determined-harden-ssh $version + echo "No admin user specified." + echo "Usage: ./harden-server.sh --user USERNAME" + +fi diff --git a/setup.sh b/setup.sh new file mode 100644 index 0000000..b079977 --- /dev/null +++ b/setup.sh @@ -0,0 +1,22 @@ +#!/bin/bash +# Setup for determined-server-setup +# Written by Josh Mudge +# Ad Mejorem Dei Glorium + +version=$(curl -s https://git.coolaj86.com/josh/raw/master/dss/VERSION | cat) + +echo "Installing dss $version" + +curl -sO https://git.coolaj86.com/josh/raw/master/dss/determined-server-setup.sh + +sudo mv determined-server-setup.sh /usr/local/bin/dss + +sudo chmod +x /usr/local/bin/dss + +curl -sO https://git.coolaj86.com/josh/raw/master/dss/harden-server.sh + +sudo mv harden-server.sh /usr/local/bin/determined-harden-ssh + +sudo chmod +x /usr/local/bin/determined-harden-ssh + +echo "Done. Run 'dss' to use." diff --git a/sysmon.sh b/sysmon.sh new file mode 100644 index 0000000..09a22ef --- /dev/null +++ b/sysmon.sh @@ -0,0 +1,136 @@ +#!/bin/bash +# Josh's Automatic System Monitor +# Written by Josh Mudge +# Ad Mejorem Dei Glorium + +update=1 +version=v1.5.1a +alpha=0 +dfh=$(df -h | grep '8[0-9]%') +dfh2=$(df -h | grep '9[0-9]%') + +while [[ $# -gt 0 ]] +do + key="$1" + + case $key in + --setup) + shift # past argument + setup=1 + ;; + --no-update) + update=0 + shift # past argument + ;; + --audit) + audit=1 + shift # past argument + ;; + --email) + email="$2" + shift # past argument + ;; + -h|help) + echo "dss-mon $version" + echo "Usage: dss --monitor --email user@mailprovider.com" + exit 1 + ;; + -v|version) + echo "dss $version" + exit 1 + ;; + *) + # unknown option + if test -z "${unknown}" + then + unknown=$1 + else + echo "dss-mon $version" + echo "Usage: dss --monitor --email user@mailprovider.com" + exit 1 + fi + ;; + esac + shift # past argument or value +done + +if test $update = 1 +then + + sudo apt-get update + sudo apt-get upgrade + sudo apt-get install sysstat # Check if installed, then do this + curl -s "https://git.coolaj86.com/josh/raw/master/dss/setup.sh" | bash + +fi + +# Cleanup + +sudo apt-get clean + +# Security Audit (Tackled by dss init before setting this up.) + +# if test ! -f /home/.dssv1.7 +# then +# +# dss init +# +# fi + +auth=$(sudo cat /var/log/auth.log | grep "Invalid user") +#auth2=$(sudo cat /var/log/auth.log | grep "Connection closed") + +if test $alpha = 1; +then + + sudo apt-get autoremove + +fi + +# To setup email, point a domain name to your server using DNS. +# Disable any firewall rules that block port 25 (You may have to go to a server admin panel or contact your system administrator) +# Then run: sudo apt-get install mailutils +# Open up /etc/hosts and make sure it has: +# 127.0.1.1 mydomain.com myserverHOSTNAME +# Select "Internet Site" and enter the domain you want it to send email from. +# Then you can send email like this: echo "Body of email" | mail -s "subject" EMAILADDRESS + +if test ! -z "$auth" # If set to run automatically, don't run this check every time. +then + echo "Attacks found. Sending authentication log to $email" + sudo cat /var/log/auth.log | grep "Invalid user" | mail -s "Invalid User Login" $email +fi + +if test ! -z "$dfh" +then + echo "Disk usage is high, sending disk usage to $email" + echo "$dfh" | mail -s "High Disk Usage" $email +fi + +if test ! -z "$dfh2" +then + echo "Disk usage is critical, sending disk usage to $email" + echo "$dfh2" | mail -s "Critical Disk Usage" $email +fi + +for i in {1..300} # Do this 300 times. +do +CPU=$(mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }') # Find CPU usage for the last 10 seconds. Code credit: Stackoverflow +CPUT=$(($CPUT + $CPU)) # Add each 1 second record to the total. +done +CPURESULT=$(($CPUT / 300)) # Divide the total by 300 seconds to find average CPU usage over the last 5 minutes. + + +if test $CPURESULT > 90 +then + echo "CPU usage is quite high, sending report to $email" + echo "$CPURESULT %" | mail -s "High CPU Usage" $email +fi + +USEDRAM=$(free | grep Mem | awk '{print ($2 -$7) / $2 * 100.0}') + +if test $USEDRAM > 80 +then + echo "RAM usage is quite high, sending report to $email" + echo "$USEDRAM %" | mail -s "High RAM Usage" $email +fi