Host-based backup of VMware vSphere VMs.
Post Reply
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Ubuntu 20.04 setup script for hardening

Post by matteu » 8 people like this post

Hello,

I'm just posting the script I use to automate setup of my Ubuntu 20.04 to use as hardened repository.

The script will ask you what is the disk you want to format as XFS file system and the password for the account to create.
As it, it can process only 1 disk.

Don't hesitate to say me if something is wrong or can be optimized

Code: Select all

#!/bin/bash


#This script is used to setup Ubuntu 20.04 Repository
#-Update system
#-Install perl and xfsprogs prerequesites
#-Format disk with xfs and size=4096 reflink=1 crc=1
#-Create mount point
#-Mount the disk
#-Update /etc/fstab to auto mount the disk
#-Create new account and assign right on mount point
#-Add account to sudo group 

#Variable Initialization
#Error log path
ErrLogFileNamePath=UbuntuSetupErr.log 
#Mount point for xfs disk
RepositoryPath=/repoXFS
#User to create and use in veeam as single credentials use
UserName=veeamrepo

## Server update ##
echo "###### Updating paquet list ######" | tee $ErrLogFileNamePath 
apt-get update 2>> $ErrLogFileNamePath
echo "###### Updating applications ######" | tee -a $ErrLogFileNamePath 
apt-get upgrade -y 2>> $ErrLogFileNamePath

## Prerequesites installation ##

#xfsprogs
echo "###### Installing xfsprogs package ######" | tee -a $ErrLogFileNamePath 
apt-get install xfsprogs -y 2>> $ErrLogFileNamePath
#Perls modules
echo "###### Installing perl modules ######" | tee -a $ErrLogFileNamePath 
apt-get install libsoap-lite-perl -y 2>> $ErrLogFileNamePath

## Create File system disk ##

#List disk to user
echo "###### Listing disk ######" | tee -a $ErrLogFileNamePath 
fdisk -l 
#Ask user the disk name to initialize and format
echo "What is the disk name to initialize (ex:sdb)"
read DiskName

#GPT initialization and create partition
echo "###### Initializing disk ######" | tee -a $ErrLogFileNamePath 
#g : GPT table 
#n : new partition
#w : write partition table
fdisk /dev/$DiskName << EOF 2>> $ErrLogFileNamePath
g
n



w
EOF

#Create XFS filesystem 
echo "###### Formatting xfs filesystem ######" | tee -a $ErrLogFileNamePath 
mkfs.xfs /dev/${DiskName}1 -b size=4096 -m reflink=1,crc=1 2>> $ErrLogFileNamePath

## Create and manage mount point ##

#Create repository folder
echo "###### Creating $RepositoryPath ######" | tee -a $ErrLogFileNamePath 
mkdir $RepositoryPath 2>> $ErrLogFileNamePath

#Modify /etc/fstab to mount disk
echo "###### Updating /etc/fstab to mount /dev/${DiskName}1 ######" | tee -a $ErrLogFileNamePath 
echo "/dev/${DiskName}1 $RepositoryPath xfs defaults 0 0" >> /etc/fstab 2>> $ErrLogFileNamePath

#Mount disk
echo "###### Mounting /dev/${DiskName}1 to $RepositoryPath  ######" | tee -a $ErrLogFileNamePath 
mount  /dev/${DiskName}1 2>> $ErrLogFileNamePath

#Create repository veeam service account
echo "###### Creating user $UserName ######" | tee -a $ErrLogFileNamePath 
useradd -d /home/$UserName -m $UserName 2>> $ErrLogFileNamePath
#Set password for repository veeam service account
echo "Enter password for $UserName user" 
passwd $UserName

#Set owner and permission on mount point
echo "###### Putting $UserName as owner on $RepositoryPath ######" | tee -a $ErrLogFileNamePath 
chown $UserName:$UserName $RepositoryPath 2>> $ErrLogFileNamePath
echo "###### Giving permission only to $UserName user on $RepositoryPath (700) ######" | tee -a $ErrLogFileNamePath 
chmod 700 $RepositoryPath 2>> $ErrLogFileNamePath

#Add repository veeam service account to sudo group
echo "###### Add $UserName to sudo group ######" | tee -a $ErrLogFileNamePath 
usermod -aG sudo $UserName 2>> $ErrLogFileNamePath

echo "###### Open $ErrLogFileNamePath to be sure there is no error and restart the server. ######" 
echo "###### Be sure to remove $UserName from sudo group after backup repository registration in Veeam with the command : deluser $UserName sudo ######" | tee -a $ErrLogFileNamePath 
Gostev
Chief Product Officer
Posts: 32746
Liked: 7962 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

Hello - and thanks for sharing this with the community!

I would only recommend adding a reminder to remove $UserName from sudo following the backup repository registration in Veeam.
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Hello and thanks for your answer.

I agree with you it could be a good idea...
I can display it at the end of the script on the script and again on the UbuntuSetupErr but I don't think it's a good idea to automate it because if the task doesn't launch for any reason.... it's a big security issue !
I updated the script !
Gostev
Chief Product Officer
Posts: 32746
Liked: 7962 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

Agree! Moved into the original post.
davow
Influencer
Posts: 22
Liked: 2 times
Joined: Jan 25, 2013 5:05 pm
Full Name: D W
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by davow »

I would recommend doing away with partitioning the disk. Use LVM.
denser
Influencer
Posts: 10
Liked: 1 time
Joined: Sep 02, 2021 6:02 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by denser »

Suggest to add list of discovered block devices. May be kinda foolish but a bit convenient for junior administrators :)
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Thanks for your answer.

@davow I agree for LVM it could be an improvment :).
@denser For block devices, what do you mean exactly ?
lasseoe
Service Provider
Posts: 78
Liked: 7 times
Joined: Dec 17, 2012 4:39 pm
Full Name: Lasse Osterild
Location: Denmark
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by lasseoe »

You should add something about
* Enabling UFW or IPtables
* If you want to sync time correctly, ensure chrony is setup correctly and syncing time (do NOT use ntpd). Relying on the hardware clock is a never ending source of frustration and makes it very difficult to correlate data during an incident.
* Setup some sort of push-based monitoring for disk usage, I/O performance data, changes to important config files/log files etc.
* Run tripwire as often as possible or some other similar and push results to external entity for analysis.
* Lots more could be done.

# Ensure partition is aligned on block boundaries, important for performance
parted -s -a optimal -- /dev/sdb mklabel gpt
parted -s -a optimal -- /dev/sdb mkpart primary 0% 100%
parted -s -- /dev/sdb align-check optimal 1

# Setup LVM - absolutely no reason not to.
pvcreate /dev/sdb1
vgcreate vgvdata /dev/sdb1
lvcreate --name lvdata -l 100%FREE vgvdata

# Ensure we get logfiles - earlier versions didn't create this automatically, maybe fixed?
mkdir /var/log/VeeaamBackup
chown ${username}. /var/log/VeeaamBackup
chmod 700 ${username} /var/log/VeeaamBackup
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Thanks for your answer, to be honest, I need to look each improvment you write because I'm not linux sysadmin and I need to check what are they for !

Are you sure iptable is needed ? SSH will be disabled at the end of the setup and there is only veeam server to access to this server.
lasseoe
Service Provider
Posts: 78
Liked: 7 times
Joined: Dec 17, 2012 4:39 pm
Full Name: Lasse Osterild
Location: Denmark
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by lasseoe »

Yes, 100% sure you need IPtables, but if you use UFW it's super easy. You need to be in control of what goes in and out, you don't want anything listening by accident on a port you're not using, also seeing as it's for veeam only you can restrict outgoing traffic as well.

*ALWAYS* use hostbased firewalls, no matter the OS or what it's doing.

https://ubuntu.com/server/docs/security-firewall
davow
Influencer
Posts: 22
Liked: 2 times
Joined: Jan 25, 2013 5:05 pm
Full Name: D W
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by davow »

Unless you have a very specific use case for partitioning a disk used for backup, there is ZERO need to partition a disk only to then add it to LVM. You introduce an unnecessary extra layer and make future changes/expansion more difficult.

Just pvcreate /dev/sdb.
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Hello and thanks for your answer.
What do you mean exactly ?
You would only use pvcreate but no vgcreate and lvcreate ?

I want to look at all the linux recommandation this afternoon if I have time :)
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

lasseoe wrote: Sep 06, 2021 8:30 am You should add something about
* Enabling UFW or IPtables
* If you want to sync time correctly, ensure chrony is setup correctly and syncing time (do NOT use ntpd). Relying on the hardware clock is a never ending source of frustration and makes it very difficult to correlate data during an incident.
* Setup some sort of push-based monitoring for disk usage, I/O performance data, changes to important config files/log files etc.
* Run tripwire as often as possible or some other similar and push results to external entity for analysis.
* Lots more could be done.

# Ensure partition is aligned on block boundaries, important for performance
parted -s -a optimal -- /dev/sdb mklabel gpt
parted -s -a optimal -- /dev/sdb mkpart primary 0% 100%
parted -s -- /dev/sdb align-check optimal 1

# Setup LVM - absolutely no reason not to.
pvcreate /dev/sdb1
vgcreate vgvdata /dev/sdb1
lvcreate --name lvdata -l 100%FREE vgvdata

# Ensure we get logfiles - earlier versions didn't create this automatically, maybe fixed?
mkdir /var/log/VeeaamBackup
chown ${username}. /var/log/VeeaamBackup
chmod 700 ${username} /var/log/VeeaamBackup
So, I tried some of what you write :

-parted and then LVM and it seems working. Is it the good order? then I need to use mkfs on my logical volume right ?
-For veeam logfiles I suppose it's fixed because I saw it several times.
-For firewall, I don't see how I could automate it... Each customer use different server name or network.
-Why is better to use chrony than ntpd ? Do I need to change default time source ?
-To monitor disk space and I/O I will not do it on this script. There are solution tools dedicated to this job.
-tripwire seems to be an excellent tools for companies with big sensitives data !
denser
Influencer
Posts: 10
Liked: 1 time
Joined: Sep 02, 2021 6:02 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by denser »

matteu wrote: Sep 06, 2021 7:18 am Thanks for your answer.

@davow I agree for LVM it could be an improvment :).
@denser For block devices, what do you mean exactly ?
I mean this:
echo "What is the disk name to initialize (ex:sdb)"
read DiskName
in "ex:" block suggest existent block devices detected via this script.
May be like this:

Code: Select all

lsblk
or

Code: Select all

mount | grep /dev/sd
mriesenbeck
Enthusiast
Posts: 47
Liked: 6 times
Joined: Apr 07, 2021 10:07 am
Full Name: Michael Riesenbeck
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by mriesenbeck »

I'm using veeamhubrepo for this, very happy with that.
Gostev
Chief Product Officer
Posts: 32746
Liked: 7962 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

jasonede
Service Provider
Posts: 136
Liked: 32 times
Joined: Jan 04, 2018 4:51 pm
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by jasonede »

Might be an idea on this when enabling SSH to update the ssh config to use modern encryption i.e. as from https://infosec.mozilla.org/guidelines/openssh.

Mainly thinking of

Code: Select all

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Although enabling the verbose logging is also good.
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Hello,
Why would you like improve SSH encryption because SSH will be used only once and then disable on this setup.
I think your idea is good for standard linux repository but I don't know if it's usefull on hardening repository with ssh disabled ?
olafurh
Service Provider
Posts: 28
Liked: 16 times
Joined: Oct 29, 2014 9:41 am
Full Name: Olafur Helgi Haraldsson
Location: Iceland
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by olafurh »

Don't forget to forward ALL logs to another location, when (not if, when) something happens it's critical to have evidence outside your environment, or have your SIEM alert you when something is out of the ordinary happens.

A black box that does not send any information out or no one can monitor is a case of Schrödinger's cat.
Gostev
Chief Product Officer
Posts: 32746
Liked: 7962 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

No one but Veeam ONE! Pun intended. Although you may be talking about some different kind of monitoring Veeam ONE does not do.
matteu
Veeam Legend
Posts: 893
Liked: 141 times
Joined: May 11, 2018 8:42 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

You're totally right, firewall need to be open for monitoring too . I don't have lot's of customer with veeam one unfortunately.
They use nagios or other tools and they monitor basic stuff like cpu / ram / uptime ...
SIEM is really rare on my customer. I know it's not good but unfortunately they have bigger problem to solve first and we try to help them to better manage it but security become more and more the main topic :)
Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests