Enhance SSH configuration in setup script with safer settings and backup restoration. Add recovery instructions for broken SSH service to README. Improve logging and error handling during SSH service restart.

This commit is contained in:
2025-09-05 13:01:40 +01:00
parent c1951eec11
commit 84ff4b318e
3 changed files with 179 additions and 35 deletions


@@ -233,6 +233,18 @@ Take a system snapshot before running the script if running on a virtual machine
3. Check SSH client configuration
4. Use verbose mode: `ssh -v sysadmin@server-ip`
### SSH Service Broken
If the setup script breaks SSH service, you can recover:
1. Access the server via console (not SSH)
2. Download the recovery script:
```bash
wget -O fix-ssh.sh "https://del-c.net/deb12-fix"
chmod +x fix-ssh.sh
su -
./fix-ssh.sh
```
3. The script will restore from backup or create a basic working configuration
### Firewall Issues
1. Check UFW status: `sudo ufw status`
2. Verify port 22 is allowed: `sudo ufw status numbered`

104
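--- /dev/null
+++ b/fix-ssh.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+# SSH Recovery Script
+# Run this if the main setup script broke SSH
+set -euo pipefail
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+log() {
+echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
+}
+warn() {
+echo -e "${YELLOW}[WARNING] $1${NC}"
+}
+error() {
+echo -e "${RED}[ERROR] $1${NC}"
+}
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+error "This script must be run as root"
+exit 1
+fi
+echo -e "${YELLOW}=== SSH Recovery Script ===${NC}"
+echo "This script will help recover from broken SSH configuration."
+echo ""
+# List available backups
+if ls /etc/ssh/sshd_config.backup.* 1> /dev/null 2>&1; then
+echo "Available SSH configuration backups:"
+ls -la /etc/ssh/sshd_config.backup.*
+echo ""
+read -p "Restore from backup? (Y/n): " restore_choice
+if [[ ! "$restore_choice" =~ ^[Nn]$ ]]; then
+# Get the most recent backup
+latest_backup=$(ls -t /etc/ssh/sshd_config.backup.* | head -1)
+log "Restoring SSH configuration from: $latest_backup"
+cp "$latest_backup" /etc/ssh/sshd_config
+log "SSH configuration restored"
+fi
+else
+warn "No SSH configuration backups found"
+echo "Restoring default SSH configuration..."
+# Create a basic working SSH config
+cat > /etc/ssh/sshd_config << 'EOF'
+# Minimal working SSH configuration
+Port 22
+PermitRootLogin no
+PasswordAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+EOF
+log "Basic SSH configuration created"
+fi
+# Test configuration
+log "Testing SSH configuration..."
+if sshd -t; then
+log "SSH configuration is valid"
+# Restart SSH service
+log "Restarting SSH service..."
+if systemctl restart sshd; then
+log "SSH service restarted successfully"
+# Check if service is running
+if systemctl is-active --quiet sshd; then
+echo ""
+echo -e "${GREEN}✓ SSH service is now running${NC}"
+echo -e "${YELLOW}You should now be able to connect via SSH${NC}"
+echo ""
+echo "Test connection with:"
+echo "ssh user@$(hostname -I | awk '{print $1}')"
+else
+error "SSH service is not active"
+fi
+else
+error "Failed to restart SSH service"
+fi
+else
+error "SSH configuration is still invalid"
+echo "Manual intervention required."
+fi
+echo ""
+echo "Current SSH status:"
+systemctl status sshd --no-pager -l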
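Review bot: Both recovery branches overwrite /etc/ssh/sshd_config (`cp "$latest_backup" /etc/ssh/sshd_config` and the `cat > /etc/ssh/sshd_config` here-doc) without keeping the broken file, so the evidence of what the setup script actually did is destroyed at the moment someone needs it; save it aside once before the `if ls ...` branch, `cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.broken.$(date +%Y%m%d_%H%M%S)"`. The minimal here-doc config also carries no `Include /etc/ssh/sshd_config.d/*.conf` line, so on a host that relies on drop-in files (the Debian 12 stock config starts with that Include, if this target matches it) those settings are silently dropped after recovery; worth a comment above the here-doc, or the Include line itself. Smaller points: `latest_backup=$(ls -t ... | head -1)` parses ls output and breaks on names with whitespace, and `read -p` should be `read -r -p`. A final `sshd -T | grep -i passwordauthentication` after the restart would show the effective value rather than only the file contents.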


@@ -315,42 +315,57 @@ configure_security() {
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# Configure SSH settings (remove old custom settings first)
# Configure SSH settings safely
log "Applying SSH security settings..."
# Remove previous custom settings to avoid duplicates
sed -i '/^Protocol 2$/d' /etc/ssh/sshd_config
sed -i '/^PasswordAuthentication /d' /etc/ssh/sshd_config
sed -i '/^PubkeyAuthentication /d' /etc/ssh/sshd_config
sed -i '/^PermitEmptyPasswords /d' /etc/ssh/sshd_config
sed -i '/^X11Forwarding /d' /etc/ssh/sshd_config
sed -i '/^MaxAuthTries /d' /etc/ssh/sshd_config
sed -i '/^ClientAliveInterval /d' /etc/ssh/sshd_config
sed -i '/^ClientAliveCountMax /d' /etc/ssh/sshd_config
sed -i '/^AllowUsers /d' /etc/ssh/sshd_config
# Backup original sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S)
# Add current settings
{
echo "Protocol 2"
if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
echo "PasswordAuthentication no"
log "SSH password authentication disabled"
else
echo "PasswordAuthentication yes"
log "SSH password authentication enabled"
fi
echo "PubkeyAuthentication yes"
echo "PermitEmptyPasswords no"
echo "X11Forwarding no"
echo "MaxAuthTries 3"
echo "ClientAliveInterval 300"
echo "ClientAliveCountMax 2"
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER"
else
echo "AllowUsers $SYSADMIN_USER"
fi
} >> /etc/ssh/sshd_config
# Configure PasswordAuthentication
if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
log "SSH password authentication disabled"
else
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
log "SSH password authentication enabled"
fi
# Configure other SSH settings more safely
sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^#*X11Forwarding.*/X11Forwarding no/' /etc/ssh/sshd_config
sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' /etc/ssh/sshd_config
# Add settings that might not exist
if ! grep -q "^ClientAliveInterval" /etc/ssh/sshd_config; then
echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
else
sed -i 's/^#*ClientAliveInterval.*/ClientAliveInterval 300/' /etc/ssh/sshd_config
fi
if ! grep -q "^ClientAliveCountMax" /etc/ssh/sshd_config; then
echo "ClientAliveCountMax 2" >> /etc/ssh/sshd_config
else
sed -i 's/^#*ClientAliveCountMax.*/ClientAliveCountMax 2/' /etc/ssh/sshd_config
fi
# Configure AllowUsers (remove old entries first)
sed -i '/^AllowUsers/d' /etc/ssh/sshd_config
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" >> /etc/ssh/sshd_config
else
echo "AllowUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
fi
# Test SSH configuration before proceeding
log "Testing SSH configuration..."
if ! sshd -t; then
error "SSH configuration is invalid! Restoring backup..."
mv /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S) /etc/ssh/sshd_config
exit 1
fi
log "SSH configuration is valid"
# Remove/lock root password
log "Locking root password..."
@@ -625,9 +640,22 @@ show_ssh_setup_summary() {
### === CLEANUP AND FINALIZATION === ###
finalize_setup() {
# Restart SSH service
# Restart SSH service safely
log "Restarting SSH service..."
systemctl restart sshd
if ! systemctl restart sshd; then
error "Failed to restart SSH service! Check configuration and try again."
log "You can restore SSH configuration from backup if needed:"
log "ls /etc/ssh/sshd_config.backup.*"
exit 1
fi
# Verify SSH service is running
if ! systemctl is-active --quiet sshd; then
error "SSH service is not running after restart!"
exit 1
fi
log "SSH service restarted successfully"
# Clean up
log "Cleaning up..."
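Review bot: The restore path in the configure_security hunk recomputes the timestamp — `mv /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S) /etc/ssh/sshd_config` — so unless the earlier backup `cp` and this `mv` run within the same second the name does not match, the `mv` fails, and the invalid sshd_config is left in place as the script exits. Capture the name once: `backup_file="/etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S)"` and `cp /etc/ssh/sshd_config "$backup_file"` at the backup step, then `cp "$backup_file" /etc/ssh/sshd_config` in the failure branch (cp rather than mv keeps the backup that finalize_setup's new message and fix-ssh.sh both point users at). The backup is also taken after the nine `sed -i '/^.../d'` deletions, so the comment `# Backup original sshd_config` overstates what it preserves; `# Backup sshd_config (after removing our previous settings)` is accurate. If the host's sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (the Debian 12 default), the `sed -i 's/^#*PasswordAuthentication.*/...'` edits to the main file can be overridden by a drop-in that sets the same keyword first, so a `sshd -T` check of the effective value after `sshd -t` would catch the case where "SSH password authentication disabled" is logged but not in force. configure_security begins before this hunk and the finalize_setup hunk may continue past the visible lines.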