start harden
#!/bin/bash
# The script creates a new sudo user hardenhost, and imports the SSH public key to the user’s authorized_keys file.
# Run the script with root privilege:
# $ curl -ssL 'https://hardenhost.com/start.sh' | sudo bash
# Or use wget in case curl is not installed:
# $ wget -qO- 'https://hardenhost.com/start.sh' | sudo bash
# To disable user hardenhost from login or remote access, you can set the user’s shell to /sbin/nologin or /bin/false.
# $ sudo usermod hardenhost -s /sbin/nologin
# To enable user hardenhost again, you can set the user’s shell to /bin/bash.
# $ sudo usermod hardenhost -s /bin/bash
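# Public key installed for the management account. Whoever holds the matching
# private key gets passwordless root through the NOPASSWD rule written by
# add_sudo, so this constant is the trust anchor of the whole script.
readonly SSH_PUB_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPtdj1l3P+Up5eK0QDQJzCj0BEaODGUZUxv/O1zg/bumw72nzZhNwbrEA0CKwCvNBG+rlWX+sSFU2u9NS8gauxQ5kTlIJ8hoJljfuxrd6FxYM8fRxAbaWFN6adUMiSSzpjat/ZdzCHwNr2IK9IuxUsaJtFLBSgYZgi1tPb0pXS9bEvgYclh5whAQlgw0yqW3eAaW9R17Vl7rbK8m4Oh5KNPCHZu0NfADbnymAuhGbNmmKDMXIdjNB0b0alC3djQwuXBtYrZUJwqyEwFe198Zlalx/BuiBYGVN4A8SPSH7Obnopz0Cp4DjnTlbNB0w9Od1yyGjKf5QSnUm34jPq+YZ hardenhost@localhost"
# Name of the account to create. NOTE: this deliberately shadows the SUDO_USER
# variable that sudo itself exports (the *invoking* user) when run as
# `sudo bash`; from here on SUDO_USER means the target account.
readonly SUDO_USER="hardenhost"

# Everything below writes to /etc and the target home; refuse early otherwise.
if [ "$(id -u)" != "0" ]; then
  echo "This script must be run as root" >&2
  exit 1
fi

# Detect the administrative group: Debian/Ubuntu use "sudo", RHEL/Fedora/Arch
# use "wheel". Only the group's existence is checked; whether the sudo package
# itself is installed is not verified here.
if getent group sudo >/dev/null; then
  readonly SUDO_GROUP="sudo"
elif getent group wheel >/dev/null; then
  readonly SUDO_GROUP="wheel"
else
  echo "Neither sudo nor wheel group exists" >&2
  exit 1
fi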
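#######################################
# Ensure the management account exists and has an interactive login shell.
# Globals:  SUDO_USER (read) - name of the target account
# Outputs:  progress messages on stdout
# Returns:  0 on success; useradd's exit status if the account could not be
#           created (the shell change is skipped in that case)
#######################################
add_user() {
  if ! id "$SUDO_USER" >/dev/null 2>&1; then
    echo "Creating new user $SUDO_USER."
    # -s pins the shell instead of relying on /etc/default/useradd defaults;
    # bail out here so a failed useradd is not followed by a confusing usermod error.
    useradd -m -s /bin/bash "$SUDO_USER" || return
  else
    echo "User $SUDO_USER exists."
  fi
  # Re-running the script re-enables an account that was disabled with
  # `usermod -s /sbin/nologin` (see header) — intentional, but worth knowing.
  usermod -s /bin/bash "$SUDO_USER"
}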
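#######################################
# Grant the management account passwordless sudo.
# Globals:  SUDO_USER, SUDO_GROUP (read)
# Outputs:  progress messages on stdout, diagnostics on stderr
# Returns:  0 on success; 1 if the sudoers fragment cannot be staged or
#           fails visudo validation
#######################################
add_sudo() {
  local sudoers_file="/etc/sudoers.d/$SUDO_USER"
  local tmp

  # -F: treat the group name as a literal, not a pattern.
  if ! id -nG "$SUDO_USER" | grep -qwF -- "$SUDO_GROUP"; then
    echo "Adding user to group $SUDO_GROUP."
    usermod -aG "$SUDO_GROUP" "$SUDO_USER"
  else
    echo "User $SUDO_USER is already in group $SUDO_GROUP."
  fi

  # Drop-in fragment granting NOPASSWD: ALL. A malformed sudoers file breaks
  # sudo for every admin on the host, so the fragment is staged in the same
  # directory (a name containing '.' is ignored by sudo), checked with visudo,
  # given the mode sudo requires, and only then renamed into place atomically.
  if [ ! -f "$sudoers_file" ]; then
    tmp=$(mktemp "${sudoers_file}.XXXXXX") || return 1
    echo "$SUDO_USER ALL=(ALL) NOPASSWD: ALL" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
      if ! visudo -cf "$tmp" >/dev/null; then
        echo "Generated sudoers fragment failed visudo check; not installing." >&2
        rm -f -- "$tmp"
        return 1
      fi
    else
      echo "Warning: visudo not found, sudoers fragment was not validated." >&2
    fi
    chown root:root "$tmp"
    chmod 0440 "$tmp"
    mv -f -- "$tmp" "$sudoers_file"
  else
    echo "Sudoers file already exists."
  fi
}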
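#######################################
# Install the pinned public key into the account's authorized_keys.
# Globals:  SUDO_USER, SSH_PUB_KEY (read)
# Outputs:  progress messages on stdout, diagnostics on stderr
# Returns:  0 on success; 1 if the account's home directory cannot be resolved
#######################################
add_pub_key() {
  local home ssh_dir auth_keys

  # Resolve the home from the passwd database instead of assuming /home/<user>:
  # useradd -m follows /etc/default/useradd, and a pre-existing account may
  # live elsewhere.
  home=$(getent passwd "$SUDO_USER" | cut -d: -f6)
  if [ -z "$home" ]; then
    echo "Cannot determine home directory of $SUDO_USER" >&2
    return 1
  fi
  ssh_dir="$home/.ssh"
  auth_keys="$ssh_dir/authorized_keys"

  # Create with the final owner and mode in one step, so there is no window in
  # which the directory or file exists with default (looser) permissions.
  # Assumes a group named after the user exists, as the original chown did.
  if [ ! -f "$auth_keys" ]; then
    install -d -m 700 -o "$SUDO_USER" -g "$SUDO_USER" "$ssh_dir"
    install -m 600 -o "$SUDO_USER" -g "$SUDO_USER" /dev/null "$auth_keys"
  fi

  # -F: the key is a literal string, not a regex — base64 contains '+' and '/'.
  if ! grep -qsF -- "$SSH_PUB_KEY" "$auth_keys"; then
    echo "Importing ssh pub key to user $SUDO_USER"
    printf '%s\n' "$SSH_PUB_KEY" >> "$auth_keys"
  else
    echo "SSH key already exists."
  fi
}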
# Entry point: the three steps depend on each other in this order
# (account must exist before group/sudoers and before its authorized_keys).
main() {
  add_user
  add_sudo
  add_pub_key
  printf '%s\n' "Done! sudo user $SUDO_USER configured successfully."
}

main "$@"