zlwu · April 1, 2024 04:30
diff --git a/startharden.sh b/startharden.sh
 #!/bin/bash

 #  The script creates a new sudo user hardenhost, and imports the SSH public key to the user’s authorized_keys file. 
 #  Run the script with root privilege: 
 #  $ curl -ssL 'https://hardenhost.com/start.sh' | sudo bash
 #  Or use wget in case curl is not installed:
 #  $ wget -qO- 'https://hardenhost.com/start.sh' | sudo bash

 #  To disable user hardenhost from login or remote access, you can set the user’s shell to /sbin/nologin or /bin/false. 
 #  $ sudo usermod hardenhost -s /sbin/nologin

 #  To enable user hardenhost again, you can set the user’s shell to /bin/bash. 
 #  $ sudo usermod hardenhost -s /bin/bash


 SSH_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPtdj1l3P+Up5eK0QDQJzCj0BEaODGUZUxv/O1zg/bumw72nzZhNwbrEA0CKwCvNBG+rlWX+sSFU2u9NS8gauxQ5kTlIJ8hoJljfuxrd6FxYM8fRxAbaWFN6adUMiSSzpjat/ZdzCHwNr2IK9IuxUsaJtFLBSgYZgi1tPb0pXS9bEvgYclh5whAQlgw0yqW3eAaW9R17Vl7rbK8m4Oh5KNPCHZu0NfADbnymAuhGbNmmKDMXIdjNB0b0alC3djQwuXBtYrZUJwqyEwFe198Zlalx/BuiBYGVN4A8SPSH7Obnopz0Cp4DjnTlbNB0w9Od1yyGjKf5QSnUm34jPq+YZ hardenhost@localhost"

 SUDO_USER="hardenhost"

 if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 
    exit 1
 fi

 # get sudo group name
 if getent group sudo >/dev/null; then
    SUDO_GROUP="sudo"
 elif getent group wheel >/dev/null; then
    SUDO_GROUP="wheel"
 else
    echo "Neither sudo nor wheel group exists"
    exit 1
 fi

 add_user()
 {
    if ! id "$SUDO_USER" > /dev/null 2>&1
    then
        echo "Creating new user $SUDO_USER."
        useradd -m "$SUDO_USER"
    else
        echo "User $SUDO_USER exists."
    fi

    usermod "$SUDO_USER" -s /bin/bash
 }

 add_sudo()
 {
    if ! id -nG "$SUDO_USER" | grep -qw "$SUDO_GROUP"; then
        echo "Adding user to group $SUDO_GROUP."
        usermod -aG "$SUDO_GROUP" "$SUDO_USER"
    else
        echo "User $SUDO_USER is already in group $SUDO_GROUP."
    fi

    # add sudoers file to make sure user $SUDO_USER can sudo without password
    if [ ! -f /etc/sudoers.d/"$SUDO_USER" ]; then
        echo "$SUDO_USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/"$SUDO_USER"
        chmod 440 /etc/sudoers.d/"$SUDO_USER"
    else
        echo "Sudoers file already exists."
    fi
 }

 add_pub_key()
 {
    # create ssh authorized_keys if not exist
    if [ ! -f /home/"$SUDO_USER"/.ssh/authorized_keys ]; then
        mkdir -p /home/"$SUDO_USER"/.ssh
        touch /home/"$SUDO_USER"/.ssh/authorized_keys
        chown -R "$SUDO_USER":"$SUDO_USER" /home/"$SUDO_USER"/.ssh
        chmod 700 /home/"$SUDO_USER"/.ssh
        chmod 600 /home/"$SUDO_USER"/.ssh/authorized_keys
    fi

    # add ssh key if not exist
    if ! grep -qs "$SSH_PUB_KEY" /home/"$SUDO_USER"/.ssh/authorized_keys; then
        echo "Importing ssh pub key to user $SUDO_USER"
        echo "$SSH_PUB_KEY" >> /home/"$SUDO_USER"/.ssh/authorized_keys
    else
        echo "SSH key already exists."
    fi
 }

 add_user

 add_sudo

 add_pub_key

 echo "Done! sudo user $SUDO_USER configured successfully."
	#!/bin/bash

	# The script creates a new sudo user hardenhost, and imports the SSH public key to the user’s authorized_keys file.
	# Run the script with root privilege:
	# $ curl -ssL 'https://hardenhost.com/start.sh' \| sudo bash
	# Or use wget in case curl is not installed:
	# $ wget -qO- 'https://hardenhost.com/start.sh' \| sudo bash

	# To disable user hardenhost from login or remote access, you can set the user’s shell to /sbin/nologin or /bin/false.
	# $ sudo usermod hardenhost -s /sbin/nologin

	# To enable user hardenhost again, you can set the user’s shell to /bin/bash.
	# $ sudo usermod hardenhost -s /bin/bash


	SSH_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPtdj1l3P+Up5eK0QDQJzCj0BEaODGUZUxv/O1zg/bumw72nzZhNwbrEA0CKwCvNBG+rlWX+sSFU2u9NS8gauxQ5kTlIJ8hoJljfuxrd6FxYM8fRxAbaWFN6adUMiSSzpjat/ZdzCHwNr2IK9IuxUsaJtFLBSgYZgi1tPb0pXS9bEvgYclh5whAQlgw0yqW3eAaW9R17Vl7rbK8m4Oh5KNPCHZu0NfADbnymAuhGbNmmKDMXIdjNB0b0alC3djQwuXBtYrZUJwqyEwFe198Zlalx/BuiBYGVN4A8SPSH7Obnopz0Cp4DjnTlbNB0w9Od1yyGjKf5QSnUm34jPq+YZ hardenhost@localhost"

	SUDO_USER="hardenhost"

	if [ "$(id -u)" != "0" ]; then
	echo "This script must be run as root"
	exit 1
	fi

	# get sudo group name
	if getent group sudo >/dev/null; then
	SUDO_GROUP="sudo"
	elif getent group wheel >/dev/null; then
	SUDO_GROUP="wheel"
	else
	echo "Neither sudo nor wheel group exists"
	exit 1
	fi

	add_user()
	{
	if ! id "$SUDO_USER" > /dev/null 2>&1
	then
	echo "Creating new user $SUDO_USER."
	useradd -m "$SUDO_USER"
	else
	echo "User $SUDO_USER exists."
	fi

	usermod "$SUDO_USER" -s /bin/bash
	}

	add_sudo()
	{
	if ! id -nG "$SUDO_USER" \| grep -qw "$SUDO_GROUP"; then
	echo "Adding user to group $SUDO_GROUP."
	usermod -aG "$SUDO_GROUP" "$SUDO_USER"
	else
	echo "User $SUDO_USER is already in group $SUDO_GROUP."
	fi

	# add sudoers file to make sure user $SUDO_USER can sudo without password
	if [ ! -f /etc/sudoers.d/"$SUDO_USER" ]; then
	echo "$SUDO_USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/"$SUDO_USER"
	chmod 440 /etc/sudoers.d/"$SUDO_USER"
	else
	echo "Sudoers file already exists."
	fi
	}

	add_pub_key()
	{
	# create ssh authorized_keys if not exist
	if [ ! -f /home/"$SUDO_USER"/.ssh/authorized_keys ]; then
	mkdir -p /home/"$SUDO_USER"/.ssh
	touch /home/"$SUDO_USER"/.ssh/authorized_keys
	chown -R "$SUDO_USER":"$SUDO_USER" /home/"$SUDO_USER"/.ssh
	chmod 700 /home/"$SUDO_USER"/.ssh
	chmod 600 /home/"$SUDO_USER"/.ssh/authorized_keys
	fi

	# add ssh key if not exist
	if ! grep -qs "$SSH_PUB_KEY" /home/"$SUDO_USER"/.ssh/authorized_keys; then
	echo "Importing ssh pub key to user $SUDO_USER"
	echo "$SSH_PUB_KEY" >> /home/"$SUDO_USER"/.ssh/authorized_keys
	else
	echo "SSH key already exists."
	fi
	}

	add_user

	add_sudo

	add_pub_key

	echo "Done! sudo user $SUDO_USER configured successfully."