Host-based backup of VMware vSphere VMs.
matteu
Veeam Legend
Posts: 821
Liked: 128 times
Joined: May 11, 2018 8:42 am
Contact:

Ubuntu 20.04 setup script for hardening

Post by matteu » 8 people like this post

Hello,

I'm just posting the script I use to automate the setup of my Ubuntu 20.04 to use as a hardened repository.

The script will ask you which disk you want to format as an XFS file system and the password for the account to create.
As it is, it can process only 1 disk.

Don't hesitate to tell me if something is wrong or can be optimized.

Code:

#!/bin/bash


#This script is used to setup Ubuntu 20.04 Repository
#-Update system
#-Install perl and xfsprogs prerequisites
#-Format disk with xfs and size=4096 reflink=1 crc=1
#-Create mount point
#-Mount the disk
#-Update /etc/fstab to auto mount the disk
#-Create new account and assign right on mount point
#-Add account to sudo group 

#Variable Initialization
#Error log path
ErrLogFileNamePath=UbuntuSetupErr.log 
#Mount point for xfs disk
RepositoryPath=/repoXFS
#User to create and use in veeam as single credentials use
UserName=veeamrepo

## Server update ##
echo "###### Updating package list ######" | tee $ErrLogFileNamePath
apt-get update 2>> $ErrLogFileNamePath
echo "###### Updating applications ######" | tee -a $ErrLogFileNamePath
apt-get upgrade -y 2>> $ErrLogFileNamePath

## Prerequisites installation ##

#xfsprogs
echo "###### Installing xfsprogs package ######" | tee -a $ErrLogFileNamePath
apt-get install xfsprogs -y 2>> $ErrLogFileNamePath
#Perl modules
echo "###### Installing perl modules ######" | tee -a $ErrLogFileNamePath
apt-get install libsoap-lite-perl -y 2>> $ErrLogFileNamePath

## Create File system disk ##

#List disk to user
echo "###### Listing disk ######" | tee -a $ErrLogFileNamePath 
fdisk -l 
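#Ask user the disk name to initialize and format
echo "What is the disk name to initialize (ex:sdb)"
read -r DiskName
#Stop if the name is not an existing block device: the next steps erase it
if [ ! -b "/dev/$DiskName" ]; then
    echo "/dev/$DiskName is not a block device, aborting" | tee -a $ErrLogFileNamePath
    exit 1
fi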

#GPT initialization and create partition
echo "###### Initializing disk ######" | tee -a $ErrLogFileNamePath 
#g : GPT table 
#n : new partition
#w : write partition table
fdisk /dev/$DiskName << EOF 2>> $ErrLogFileNamePath
g
n



w
EOF

#Create XFS filesystem 
echo "###### Formatting xfs filesystem ######" | tee -a $ErrLogFileNamePath 
mkfs.xfs /dev/${DiskName}1 -b size=4096 -m reflink=1,crc=1 2>> $ErrLogFileNamePath

## Create and manage mount point ##

#Create repository folder
echo "###### Creating $RepositoryPath ######" | tee -a $ErrLogFileNamePath 
mkdir $RepositoryPath 2>> $ErrLogFileNamePath

#Modify /etc/fstab to mount disk
echo "###### Updating /etc/fstab to mount /dev/${DiskName}1 ######" | tee -a $ErrLogFileNamePath 
echo "/dev/${DiskName}1 $RepositoryPath xfs defaults 0 0" >> /etc/fstab 2>> $ErrLogFileNamePath

#Mount disk
echo "###### Mounting /dev/${DiskName}1 to $RepositoryPath  ######" | tee -a $ErrLogFileNamePath 
mount  /dev/${DiskName}1 2>> $ErrLogFileNamePath

#Create repository veeam service account
echo "###### Creating user $UserName ######" | tee -a $ErrLogFileNamePath 
useradd -d /home/$UserName -m $UserName 2>> $ErrLogFileNamePath
#Set password for repository veeam service account
echo "Enter password for $UserName user" 
passwd $UserName

#Set owner and permission on mount point
echo "###### Putting $UserName as owner on $RepositoryPath ######" | tee -a $ErrLogFileNamePath 
chown $UserName:$UserName $RepositoryPath 2>> $ErrLogFileNamePath
echo "###### Giving permission only to $UserName user on $RepositoryPath (700) ######" | tee -a $ErrLogFileNamePath 
chmod 700 $RepositoryPath 2>> $ErrLogFileNamePath

#Add repository veeam service account to sudo group
echo "###### Add $UserName to sudo group ######" | tee -a $ErrLogFileNamePath 
usermod -aG sudo $UserName 2>> $ErrLogFileNamePath

echo "###### Open $ErrLogFileNamePath to be sure there is no error and restart the server. ######" 
echo "###### Be sure to remove $UserName from sudo group after backup repository registration in Veeam with the command : deluser $UserName sudo ######" | tee -a $ErrLogFileNamePath 
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

Hello - and thanks for sharing this with the community!

I would only recommend adding a reminder to remove $UserName from sudo following the backup repository registration in Veeam.

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Hello and thanks for your answer.

I agree with you it could be a good idea...
I can display it at the end of the script and again in UbuntuSetupErr, but I don't think it's a good idea to automate it, because if the task doesn't launch for any reason... it's a big security issue!
I updated the script !

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

Agree! Moved into the original post.
davow
Influencer
Posts: 22
Liked: 2 times
Joined: Jan 25, 2013 5:05 pm
Full Name: D W
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by davow »

I would recommend doing away with partitioning the disk. Use LVM.
denser
Influencer
Posts: 10
Liked: 1 time
Joined: Sep 02, 2021 6:02 am
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by denser »

I suggest adding a list of discovered block devices. Maybe kind of foolish, but a bit convenient for junior administrators :)

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Thanks for your answer.

@davow I agree, LVM could be an improvement :).
@denser For block devices, what do you mean exactly ?
lasseoe
Service Provider
Posts: 76
Liked: 7 times
Joined: Dec 17, 2012 4:39 pm
Full Name: Lasse Osterild
Location: Denmark
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by lasseoe »

You should add something about
* Enabling UFW or IPtables
* If you want to sync time correctly, ensure chrony is setup correctly and syncing time (do NOT use ntpd). Relying on the hardware clock is a never ending source of frustration and makes it very difficult to correlate data during an incident.
* Setup some sort of push-based monitoring for disk usage, I/O performance data, changes to important config files/log files etc.
* Run tripwire as often as possible or some other similar and push results to external entity for analysis.
* Lots more could be done.

# Ensure partition is aligned on block boundaries, important for performance
parted -s -a optimal -- /dev/sdb mklabel gpt
parted -s -a optimal -- /dev/sdb mkpart primary 0% 100%
parted -s -- /dev/sdb align-check optimal 1

# Setup LVM - absolutely no reason not to.
pvcreate /dev/sdb1
vgcreate vgvdata /dev/sdb1
lvcreate --name lvdata -l 100%FREE vgvdata

# Ensure we get logfiles - earlier versions didn't create this automatically, maybe fixed?
mkdir /var/log/VeeamBackup
chown ${username}: /var/log/VeeamBackup
chmod 700 /var/log/VeeamBackup

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Thanks for your answer. To be honest, I need to look at each improvement you wrote, because I'm not a Linux sysadmin and I need to check what they are for!

Are you sure iptables is needed? SSH will be disabled at the end of the setup and only the Veeam server accesses this server.

Re: Ubuntu 20.04 setup script for hardening

Post by lasseoe »

Yes, 100% sure you need IPtables, but if you use UFW it's super easy. You need to be in control of what goes in and out, you don't want anything listening by accident on a port you're not using, also seeing as it's for veeam only you can restrict outgoing traffic as well.

*ALWAYS* use hostbased firewalls, no matter the OS or what it's doing.

https://ubuntu.com/server/docs/security-firewall

Re: Ubuntu 20.04 setup script for hardening

Post by davow »

Unless you have a very specific use case for partitioning a disk used for backup, there is ZERO need to partition a disk only to then add it to LVM. You introduce an unnecessary extra layer and make future changes/expansion more difficult.

Just pvcreate /dev/sdb.

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Hello and thanks for your answer.
What do you mean exactly ?
You would only use pvcreate but no vgcreate and lvcreate ?

I want to look at all the Linux recommendations this afternoon if I have time :)

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

lasseoe wrote: Sep 06, 2021 8:30 am You should add something about
* Enabling UFW or IPtables
* If you want to sync time correctly, ensure chrony is setup correctly and syncing time (do NOT use ntpd). Relying on the hardware clock is a never ending source of frustration and makes it very difficult to correlate data during an incident.
* Setup some sort of push-based monitoring for disk usage, I/O performance data, changes to important config files/log files etc.
* Run tripwire as often as possible or some other similar and push results to external entity for analysis.
* Lots more could be done.

# Ensure partition is aligned on block boundaries, important for performance
parted -s -a optimal -- /dev/sdb mklabel gpt
parted -s -a optimal -- /dev/sdb mkpart primary 0% 100%
parted -s -- /dev/sdb align-check optimal 1

# Setup LVM - absolutely no reason not to.
pvcreate /dev/sdb1
vgcreate vgvdata /dev/sdb1
lvcreate --name lvdata -l 100%FREE vgvdata

# Ensure we get logfiles - earlier versions didn't create this automatically, maybe fixed?
mkdir /var/log/VeeamBackup
chown ${username}: /var/log/VeeamBackup
chmod 700 /var/log/VeeamBackup

So, I tried some of what you wrote:

- parted and then LVM, and it seems to be working. Is it the right order? Then I need to use mkfs on my logical volume, right?
- For Veeam log files, I suppose it's fixed because I saw it several times.
- For the firewall, I don't see how I could automate it... Each customer uses a different server name or network.
- Why is it better to use chrony than ntpd? Do I need to change the default time source?
- To monitor disk space and I/O, I will not do it in this script. There are tools dedicated to this job.
- tripwire seems to be an excellent tool for companies with big sensitive data!
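
On the firewall point discussed above (each customer has different addresses), one approach is to pass the backup server and proxy addresses as parameters and print the UFW commands for review. This is an added example, not part of the posted script: `ufw_rules` and `is_ipv4` are hypothetical names, and the ports (TCP 6162 and 2500-3300) and the outbound policy are assumptions to check against the Veeam version in use.

```shell
#!/bin/sh
# Added example: prints (does not run) ufw commands for a hardened repository.
# Port numbers and the outbound policy are assumptions; check them against
# the Veeam version in use before applying anything.
VEEAM_MOVER_PORT=6162        # assumed Veeam Data Mover port
VEEAM_DATA_PORTS=2500:3300   # assumed data transmission port range

is_ipv4() {   # dotted quad, each octet 0-255
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# $1 = ssh|nossh (ssh only while registering the repository)
# $2.. = IPv4 addresses of the backup server and any proxies
ufw_rules() {
    [ $# -ge 2 ] || { echo "usage: ufw_rules ssh|nossh ADDR..." >&2; return 1; }
    mode=$1; shift
    case $mode in ssh|nossh) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    for addr in "$@"; do
        echo "ufw allow from $addr to any port $VEEAM_MOVER_PORT proto tcp"
        echo "ufw allow from $addr to any port $VEEAM_DATA_PORTS proto tcp"
        echo "ufw allow out to $addr"
        if [ "$mode" = ssh ]; then
            echo "ufw allow from $addr to any port 22 proto tcp"
        fi
    done
    echo "ufw allow out to any port 53"             # DNS
    echo "ufw allow out to any port 123 proto udp"  # NTP (chrony)
    echo "ufw --force enable"
}

# Constructed address from the documentation range 192.0.2.0/24.
ufw_rules nossh 192.0.2.10
```

With outgoing traffic denied by default, `apt-get` needs an extra outbound rule towards the package mirror before updates will work.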

Re: Ubuntu 20.04 setup script for hardening

Post by denser »

matteu wrote: Sep 06, 2021 7:18 am Thanks for your answer.

@davow I agree, LVM could be an improvement :).
@denser For block devices, what do you mean exactly ?
I mean this:
echo "What is the disk name to initialize (ex:sdb)"
read DiskName
In the "ex:" part, suggest existing block devices detected by this script.
Maybe like this:

Code:

lsblk
or

Code:

mount | grep /dev/sd
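
Building on the suggestion above, the prompt can offer only disks that look unused, so a typo cannot point `fdisk` or `mkfs.xfs` at a disk holding data. This is an added example, not code from the thread: `candidate_disks` and `is_candidate` are hypothetical helper names, and the `lsblk` lines in `SAMPLE_LSBLK` are constructed.

```shell
#!/bin/sh
# Added example (not the thread's script). Hypothetical helper names.
# Input: output of  lsblk -P -n -o NAME,TYPE,PKNAME,MOUNTPOINT,FSTYPE
# Output: whole disks with no partition/LVM child, no mountpoint, no signature.
candidate_disks() {
    awk '
    function field(key,    m) {   # value of KEY="value" on the current line
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    {
        name = field("NAME"); parent = field("PKNAME")
        if (field("TYPE") == "disk") order[++n] = name
        if (parent != "") busy[parent] = 1           # has a partition or LV on it
        if (field("MOUNTPOINT") != "" || field("FSTYPE") != "") busy[name] = 1
    }
    END { for (i = 1; i <= n; i++) if (!(order[i] in busy)) print order[i] }'
}

# True only if the name typed by the user is one of the candidates.
is_candidate() {   # $1 = disk name, stdin = lsblk output as above
    candidate_disks | grep -qxF -- "$1"
}

# Constructed sample: sda = system disk, sdc = mounted data disk,
# sdd = LVM physical volume without partition table, sdb = blank disk.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT="" FSTYPE=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/" FSTYPE="ext4"
NAME="sdb" TYPE="disk" PKNAME="" MOUNTPOINT="" FSTYPE=""
NAME="sdc" TYPE="disk" PKNAME="" MOUNTPOINT="/mnt/old" FSTYPE="xfs"
NAME="sdd" TYPE="disk" PKNAME="" MOUNTPOINT="" FSTYPE="LVM2_member"
NAME="vgvdata-lvdata" TYPE="lvm" PKNAME="sdd" MOUNTPOINT="/repoXFS" FSTYPE="xfs"
NAME="sr0" TYPE="rom" PKNAME="" MOUNTPOINT="" FSTYPE=""'

printf '%s\n' "$SAMPLE_LSBLK" | candidate_disks   # prints: sdb
```

On the repository host the input comes from `lsblk -P -n -o NAME,TYPE,PKNAME,MOUNTPOINT,FSTYPE` instead of the sample.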
mriesenbeck
Enthusiast
Posts: 45
Liked: 6 times
Joined: Apr 07, 2021 10:07 am
Full Name: Michael Riesenbeck
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by mriesenbeck »

I'm using veeamhubrepo for this, very happy with that.

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

jasonede
Service Provider
Posts: 125
Liked: 30 times
Joined: Jan 04, 2018 4:51 pm
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by jasonede »

Might be an idea on this when enabling SSH to update the ssh config to use modern encryption i.e. as from https://infosec.mozilla.org/guidelines/openssh.

Mainly thinking of

Code:

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Although enabling the verbose logging is also good.

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

Hello,
Why would you like to improve SSH encryption, since SSH will be used only once and then disabled in this setup?
I think your idea is good for a standard Linux repository, but I don't know if it's useful on a hardened repository with SSH disabled?
olafurh
Service Provider
Posts: 25
Liked: 16 times
Joined: Oct 29, 2014 9:41 am
Full Name: Olafur Helgi Haraldsson
Location: Iceland
Contact:

Re: Ubuntu 20.04 setup script for hardening

Post by olafurh »

Don't forget to forward ALL logs to another location, when (not if, when) something happens it's critical to have evidence outside your environment, or have your SIEM alert you when something out of the ordinary happens.

A black box that does not send any information out or no one can monitor is a case of Schrödinger's cat.

Re: Ubuntu 20.04 setup script for hardening

Post by Gostev »

No one but Veeam ONE! Pun intended. Although you may be talking about some different kind of monitoring Veeam ONE does not do.

Re: Ubuntu 20.04 setup script for hardening

Post by matteu »

You're totally right, the firewall needs to be open for monitoring too. Unfortunately, I don't have lots of customers with Veeam ONE.
They use Nagios or other tools and they monitor basic stuff like CPU / RAM / uptime...
SIEM is really rare among my customers. I know it's not good, but unfortunately they have bigger problems to solve first and we try to help them manage it better, but security is becoming more and more the main topic :)