Security configurator improvement

Edi Septriyanto
2022-02-12 10:16:40 +07:00
parent 3eb2c69f43
commit 532fff7365


@@ -2,7 +2,7 @@
# Basic Server Security Hardening
# Min. Requirement : GNU/Linux Ubuntu 18.04
# Last Build : 01/07/2019
# Last Build : 12/02/2022
# Author : MasEDI.Net (me@masedi.net)
# Since Version : 1.0.0
@@ -11,10 +11,13 @@ if [[ "$(type -t run)" != "function" ]]; then
BASE_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )
# shellcheck disable=SC1091
. "${BASE_DIR}/helper.sh"
fi
# Make sure only root can run this installer script.
requires_root "$@"
# Make sure only root can run this installer script.
requires_root "$@"
# Make sure only supported distribution can run this installer script.
preflight_system_check
fi
##
# Securing SSH server.
@@ -23,7 +26,7 @@ function securing_ssh() {
LEMPER_USERNAME=${LEMPER_USERNAME:-"lemper"}
SSH_PASSWORDLESS=${SSH_PASSWORDLESS:-false}
if "${SSH_PASSWORDLESS}"; then
if [[ "${SSH_PASSWORDLESS}" == true ]]; then
echo "
Before starting, let's create a pair of keys that some hosts ask for during installation of the server.
@@ -77,11 +80,12 @@ EOL
run chmod 600 "/home/${LEMPER_USERNAME}/.ssh/authorized_keys"
echo -e "\nEnable SSH password-less login..."
run bash -c "echo -e '\n\n#LEMPer custom config' >> /etc/ssh/sshd_config"
# Restrict root login directly, use sudo user instead.
SSH_ROOT_LOGIN=${SSH_ROOT_LOGIN:-false}
if ! "${SSH_ROOT_LOGIN}"; then
if [[ "${SSH_ROOT_LOGIN}" == false ]]; then
echo "Restricting SSH root login..."
if grep -qwE "^PermitRootLogin\ [a-z]*" /etc/ssh/sshd_config; then
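Review bot: The new `if [[ "${SSH_ROOT_LOGIN}" == false ]]; then` only takes the "Restricting SSH root login..." branch when the variable is exactly the string `false`; any other value (`no`, `0`, `False`, or `false` with stray whitespace) now silently skips the restriction and leaves `PermitRootLogin` untouched, whereas the replaced form, although unsafe because it executed the variable's value as a command, took the restricting branch for most non-`true` values. Because restricting root login is the secure default, compare against the explicit opt-in instead: `if [[ "${SSH_ROOT_LOGIN}" != true ]]; then`, so root login stays restricted unless the operator deliberately enables it. The `SSH_PASSWORDLESS` test in the earlier hunk uses `== true` and already fails closed, so it needs no change. securing_ssh begins and ends outside this hunk.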
@@ -134,6 +138,7 @@ EOL
# Securing the SSH server.
echo "Securing your SSH server with custom port..."
SSH_PORT=${SSH_PORT:-""}
while ! [[ ${SSH_PORT} =~ ^[0-9]+$ ]]; do
read -rp "Custom SSH port (default SSH port is 22): " -e SSH_PORT
@@ -203,8 +208,9 @@ function install_ufw() {
run ufw allow 8083 #LEMPer port
# Open MySQL port.
[[ "${MYSQL_ALLOW_REMOTE}" == true ]] && \
run ufw allow 3306
if [[ "${MYSQL_ALLOW_REMOTE}" == true ]]; then
run ufw allow 3306
fi
# Open FTP ports.
if [[ "${INSTALL_VSFTPD}" == true ]]; then
@@ -390,6 +396,7 @@ function install_apf() {
run cd "${BUILD_DIR}" || return 1
echo "Installing APF+BFD firewall..."
if curl -sLI "https://github.com/rfxn/advanced-policy-firewall/archive/${APF_VERSION}.tar.gz" \
| grep -q "HTTP/[.12]* [2].."; then
run wget -q "https://github.com/rfxn/advanced-policy-firewall/archive/${APF_VERSION}.tar.gz" && \