Sharing my initial script for new idling vms.
Hi.
Sharing with you my initial script, which I always execute after getting idling VMs.
I'm not familiar with shell scripts.
This script, which is not the same as mine, is not a generic automation script but is meant to show you some jobs for safety. I'm not sure this script works well.
Only for "Debian 12"
#!/usr/bin/env bash
# Initial setup for a fresh Debian 12 VM. Run once, as root, from the console
# or your first SSH session; keep that session open until the key login and
# the new port have been tested from a second terminal.
set -euo pipefail
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
#######################
### Environment
#######################
timezone="Etc/UTC"
hostname="hostname-example"
ipv4="127.0.0.1" # check outgoing ip : curl -4 --connect-timeout 5 ifconfig.me
ipv6="::1" # check outgoing ip : curl -6 --connect-timeout 5 ifconfig.me
ssh_port=22
sshd_config="/etc/ssh/sshd_config"
sshd_config_d="/etc/ssh/sshd_config.d"
sudo_user="arirang"
sudo_user_pub_key="................"
#######################
### General Setup
#######################
# apt update/upgrade, then install what the rest of the script uses
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get upgrade -y && apt-get install -y vim ufw sudo curl ntp && apt-get autoremove -y
# Set timezone
timedatectl set-timezone "$timezone"
# Set Hostname
hostnamectl set-hostname "$hostname"
# Set clock to ntp
dpkg-reconfigure ntp
# Set /etc/hosts (append only if the address is not there yet, so re-runs do not duplicate)
grep -qF -- "$ipv4" /etc/hosts || echo "$ipv4 $hostname" >> /etc/hosts
grep -qF -- "$ipv6" /etc/hosts || echo "$ipv6 $hostname" >> /etc/hosts
#######################
### User Setting
#######################
# Uncomment for Root Password disable (removes the root password, then locks it)
# passwd -d root && passwd -l root
# Sudo User without password (no local password at all; login is by SSH key only)
id "$sudo_user" >/dev/null 2>&1 || adduser --disabled-password --comment "$sudo_user" "$sudo_user"
# add user to sudo group
usermod -aG sudo "$sudo_user"
# passwordless sudo: sudoers drop-ins must not be writable by others, and a syntax
# error in /etc/sudoers.d breaks sudo for everyone, so check the file with visudo
echo "$sudo_user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/general
chmod 0440 /etc/sudoers.d/general
visudo -cf /etc/sudoers.d/general
# Add PubKey to sudo_user
install -d -m 700 -o "$sudo_user" -g "$sudo_user" "/home/$sudo_user/.ssh"
echo "$sudo_user_pub_key" >> "/home/$sudo_user/.ssh/authorized_keys"
chmod 600 "/home/$sudo_user/.ssh/authorized_keys"
chown "$sudo_user:$sudo_user" "/home/$sudo_user/.ssh/authorized_keys"
#######################
### Set sshd_config
#######################
# Port Change (the Debian default file ships the line commented out as "#Port 22")
sed -i -E "s/^#?Port [0-9]+/Port $ssh_port/" "$sshd_config"
# Uncomment for no PermitRootLogin
# sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' "$sshd_config"
# Uncomment for allowing PubKey Auth
# sed -i -E 's/^#?PubkeyAuthentication .*/PubkeyAuthentication yes/' "$sshd_config"
# Uncomment to limit Password Login
# sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' "$sshd_config"
# Some providers' cloud-init writes "PasswordAuthentication yes" into sshd_config.d.
# sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the
# first value it reads, so that drop-in wins over the line above unless it is commented out
# if [ -f "$sshd_config_d/50-cloud-init.conf" ]; then
#     sed -i -E 's/^PasswordAuthentication .*/#&/' "$sshd_config_d/50-cloud-init.conf"
# fi
# check the config before reloading (the Debian unit is ssh.service; sshd is an alias)
sshd -t
systemctl reload ssh
#######################
### Set UFW
#######################
# ufw default deny incoming
# ufw default allow outgoing
# ufw allow "$ssh_port/tcp"
# ufw --force enable   # enable first; "ufw reload" does nothing while ufw is disabled
# ufw status verbose
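The sshd_config.d remark in the script is the part most people get wrong, so here is an added example (written for this thread, not part of the original post) that emulates how sshd picks a value: the first value obtained for a keyword wins, and Include is expanded at the point where it appears, so a drop-in pulled in by the Include at the top of /etc/ssh/sshd_config beats any line written further down. It builds a constructed copy of the Debian 12 layout with the cloud-init drop-in, shows that PasswordAuthentication stays "yes" even though the main file says "no", and then fixes it with a drop-in that sorts before 50-cloud-init.conf. The file name 00-hardening.conf, the requirement that Include paths be absolute, and ignoring Match blocks are assumptions of this example; keywords that accumulate rather than first-wins (Port, ListenAddress) are not modelled. KbdInteractiveAuthentication is set too because with UsePAM the PAM password prompt can otherwise still be offered.

```shell
#!/bin/sh
# Added example: emulate sshd's "first obtained value wins" resolution,
# including Include expansion, so the effect of sshd_config.d drop-ins can
# be seen offline. Simplifications: Match blocks ignored, Include paths must
# be absolute, accumulating keywords (Port, ListenAddress) not modelled.
# On a real host the authority is:  sshd -T | grep -i passwordauthentication
set -eu

# sshd_effective <keyword> <config-file>
# Prints the effective value, or nothing if the keyword is never set
# (sshd then falls back to its compiled-in default).
sshd_effective() {
    local want file line key val inc found
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
    file=$2
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}               # drop leading blanks
        case $line in ''|'#'*) continue ;; esac              # blank line or comment
        key=${line%%[[:space:]=]*}                           # "Key value" or "Key=value"
        val=${line#"$key"}
        val=${val#"${val%%[![:space:]=]*}"}
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$key" = include ]; then
            # unquoted on purpose: the shell expands the glob in sorted order,
            # which is also the order sshd processes included files in
            for inc in $val; do
                found=$(sshd_effective "$want" "$inc")
                if [ -n "$found" ]; then
                    printf '%s\n' "$found"
                    return 0
                fi
            done
        elif [ "$key" = "$want" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done < "$file"
    return 0
}

# Constructed sample (not copied from any host): the Debian 12 layout plus the
# drop-in cloud-init leaves behind on many provider images.
make_sample_layout() {      # make_sample_layout <dir>
    mkdir -p "$1/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#Port 22\nPasswordAuthentication no\nPermitRootLogin no\n' "$1" > "$1/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

# The fix: a drop-in whose name sorts BEFORE 50-cloud-init.conf, so its values
# are obtained first. "00-hardening.conf" is a name chosen for this example.
write_hardening_dropin() {  # write_hardening_dropin <dir>
    cat > "$1/sshd_config.d/00-hardening.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
}

# Usage on a scratch copy. On the real host: write_hardening_dropin /etc/ssh,
# then sshd -t && systemctl reload ssh, and confirm with sshd -T.
tmp=$(mktemp -d)
make_sample_layout "$tmp"
echo "before: PasswordAuthentication=$(sshd_effective PasswordAuthentication "$tmp/sshd_config")"   # yes
write_hardening_dropin "$tmp"
echo "after:  PasswordAuthentication=$(sshd_effective PasswordAuthentication "$tmp/sshd_config")"   # no
rm -rf "$tmp"
```

The "before" line is the state the script's commented-out sed on the main file leaves a cloud-init image in: password login still on. Either comment the line out of 50-cloud-init.conf as the script suggests, or drop in a file that sorts earlier as shown here; in both cases verify with sshd -T rather than by reading the files.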

Comments
What does “getting idling vms” mean?
Buying vms for idling.
Noob question, why would you buy VMs for idling?
That's a question for our doctor!
You don't ask, you just do it
I believe some LowEndDoctors would probably agree with one, if not all
Just in case a project appears from out of nowhere. That never happens but you never know.
Include the part where yabs is run on cron.
Before this comment, I did yabs manually.
I will include yabs command.
Pretty well summed up. I treat myself.
Still, I find it very hard not to renew some excellent servers.
With Black Friday coming up, it's going to be a real trial by fire
Some of the providers here are real drug dealers.
@Arirang
So, you're "sharing your script" (see title as well as post), but then ...
So, it's not yours
To turn up the smell
But, well ...
Uhm, so what is it that you wanted to tell us? That you don't know much about shell scripting? If so, welcome to a rather large group then. That you do have a script of "your own", probably a script from someone else with a few slight adaptations? If so, why the hell do you not show us your script then but just some script from someone from somewhere?
Btw, I suggest to not use that script, because while it may seem to make a system more secure, it actually does not, quite the contrary (and it also misses some actually helpful settings).
Whatever, congrats for posting some script ...
Bash scripting is one of the greatest pleasures of system administrators. You really should play a little bit with it.
I'm confused. You found a script online, don't use it, but share it as an example, even though you don't write shell scripts yourself.
I don't own a John Deere lawn mower, nor do I repair them or cut my own grass, but here's an owner's manual I found online...
TBH I've used similar scripts in the past but today I find it easiest to use Ansible. I would say I'm an expert in shell scripts since I've been writing them for 30+ years, but with Ansible there's a lot less mucking around with quoting, testing your pipelines and tweaking them to get them right, etc.
Thanks!
I wrote this script myself. But I changed some things for this post. That's why I'm not sure. I did some tests on Debian 12. It worked well.
I also use ansible. The original script written by me includes an ansible user and pubkey. The initial jobs for using ansible take lots of time. That's why I wrote it like this.
Yeah, the ideal in my mind is to have an SSH key added during provisioning, so you can run ansible immediately afterward. If the provider doesn't offer that, then you need a "prep for ansible" step first which is a hassle.
Just throw this script into chatgpt and ask for improvements. That’s it. I have created entire backup and restore system in bash under an hour with rsync, tar, incremental backups, diff, metadata. Just say and it will do it. Sad and astonishing.
Our script is a lot shorter:
What is that script doing that's making a system less secure than it would be without it?
Are you referring to using NTP and Sudo without a password, or something else?
Take that as a puzzle, one worth solving.
Do you mean it adds a user without a password, so anyone who guesses the username could login via SSH with root permissions?
I'm guessing not because PermitEmptyPasswords has to be enabled in the sshd_config to allow SSH connections with an empty password, (it's disabled by default so it has to be explicitly enabled to work), but I can't see what else you could be referring to.
Please also share the IPs of the machines, where it was launched.
OK, a hint
and the sudo and SSH stuff.
Btw. I do not so much look at what's written and done but rather whether I detect typical idiot attempts.
Removing the root password with "passwd -d" wouldn't allow arbitrary SSH access if PermitEmptyPasswords hasn't been explicitly enabled, and the subsequent "passwd -l" locks the account from logging in using a password anyway....so what risk do you perceive from "the sudo and SSH stuff" because you seem confused about what those commands are doing? 🤷♀️
Ansible ftw
So what if any user can log in and then get root?
Whatever, if you think that's fine I have no problem with that as long as you stay away from my servers.
I’ve had the same idea as OP, but just found out in the comments about Ansible, will take a look into both.
Thanks to everyone involved.
Which part of the OP's script is going to allow "any user who can login" to become root?
None of it...and no amount of cryptic replies, condescending and being confidently wrong is going to change that 🙄
Ansible can log in using user/pass; my initial setup for VPSes includes having it log in as root, add my user/SSH key, and disable password auth.
It sets up SSH login via public key.
@CloudHopper @egoror
OK, So you blindly rely on SSL/SSH being "absolutely sakkure!" - which I find a bit funny, as OP's script is expressly for debian, which has an, ... uhm, not exactly stellar track record re SSH.
Also, why then e.g.
passwd -d root && passwd -l root when NOBODY except legitimate users (well, actually not really) can SSH into the system? So, no matter how "confidently wrong" and "condescending" you may find it/me I'll stay by what I said: "Btw. I do not so much look at what's written and done but rather whether I detect typical idiot attempts." I admit one mistake though: I didn't mention attempts based on simply copying and possibly adapting some script found on the internet. Apologies, I should have been more careful.
Being at "confidently wrong", how many potential 0-days in reference implementations of relevant and used crypto have you found so far? How many thousands of lines of crypto code have you written? How many crypto algorithms have you implemented and/or speed or space optimized? How many of those can fully saturate a 40 Gb/s line on a single X86-64 core?
Good luck with your blind trust in SSH (but making the server more sakkure anyway via bash) on debian and friends. You obviously are true masters of sakkurity. Shall I bow to you?