From 84ff4b318e193bcfcf99439b39db6bed520466fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9rgio=20Barbosa?= Date: Fri, 5 Sep 2025 13:01:40 +0100 Subject: [PATCH] Enhance SSH configuration in setup script with safer settings and backup restoration. Add recovery instructions for broken SSH service to README. Improve logging and error handling during SSH service restart. --- README.md | 12 +++++++ fix-ssh.sh | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++ setup.sh | 98 ++++++++++++++++++++++++++++++++------------------ 3 files changed, 179 insertions(+), 35 deletions(-) create mode 100755 fix-ssh.sh diff --git a/README.md b/README.md index 3184e63..1a099a2 100644 --- a/README.md +++ b/README.md @@ -233,6 +233,18 @@ Take a system snapshot before running the script if running on a virtual machine 3. Check SSH client configuration 4. Use verbose mode: `ssh -v sysadmin@server-ip` +### SSH Service Broken +If the setup script breaks SSH service, you can recover: +1. Access the server via console (not SSH) +2. Download the recovery script: + ```bash + wget -O fix-ssh.sh "https://del-c.net/deb12-fix" + chmod +x fix-ssh.sh + su - + ./fix-ssh.sh + ``` +3. The script will restore from backup or create a basic working configuration + ### Firewall Issues 1. Check UFW status: `sudo ufw status` 2. Verify port 22 is allowed: `sudo ufw status numbered` diff --git a/fix-ssh.sh b/fix-ssh.sh new file mode 100755 index 0000000..5b9d37b --- /dev/null +++ b/fix-ssh.sh 
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# SSH Recovery Script
+# Run this if the main setup script broke SSH
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log() {
+ echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
+}
+
+warn() {
+ echo -e "${YELLOW}[WARNING] $1${NC}"
+}
+
+error() {
+ echo -e "${RED}[ERROR] $1${NC}"
+}
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+ error "This script must be run as root"
+ exit 1
+fi
+
+echo -e "${YELLOW}=== SSH Recovery Script ===${NC}"
+echo "This script will help recover from broken SSH configuration."
+echo ""
+
+# List available backups
+if ls /etc/ssh/sshd_config.backup.* 1> /dev/null 2>&1; then
+ echo "Available SSH configuration backups:"
+ ls -la /etc/ssh/sshd_config.backup.*
+ echo ""
+
+ read -p "Restore from backup? (Y/n): " restore_choice
+ if [[ ! "$restore_choice" =~ ^[Nn]$ ]]; then
+ # Get the most recent backup
+ latest_backup=$(ls -t /etc/ssh/sshd_config.backup.* | head -1)
+ log "Restoring SSH configuration from: $latest_backup"
+
+ cp "$latest_backup" /etc/ssh/sshd_config
+ log "SSH configuration restored"
+ fi
+else
+ warn "No SSH configuration backups found"
+ echo "Restoring default SSH configuration..."
+
+ # Create a basic working SSH config
+ cat > /etc/ssh/sshd_config << 'EOF'
+# Minimal working SSH configuration
+Port 22
+PermitRootLogin no
+PasswordAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+EOF
+ log "Basic SSH configuration created"
+fi
+
+# Test configuration
+log "Testing SSH configuration..."
+if sshd -t; then
+ log "SSH configuration is valid"
+
+ # Restart SSH service
+ log "Restarting SSH service..."
+ if systemctl restart sshd; then
+ log "SSH service restarted successfully"
+
+ # Check if service is running
+ if systemctl is-active --quiet sshd; then
+ echo ""
+ echo -e "${GREEN}✓ SSH service is now running${NC}"
+ echo -e "${YELLOW}You should now be able to connect via SSH${NC}"
+ echo ""
+ echo "Test connection with:"
+ echo "ssh user@$(hostname -I | awk '{print $1}')"
+ else
+ error "SSH service is not active"
+ fi
+ else
+ error "Failed to restart SSH service"
+ fi
+else
+ error "SSH configuration is still invalid"
+ echo "Manual intervention required."
+fi
+
+echo ""
+echo "Current SSH status:"
+systemctl status sshd --no-pager -l
\ No newline at end of file
diff --git a/setup.sh b/setup.sh
index 4a47dd9..d31a125 100755
--- a/setup.sh
+++ b/setup.sh
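Review bot: The restore branch copies the newest `sshd_config.backup.*` over `/etc/ssh/sshd_config` without validating it, and when `sshd -t` then fails the script only prints "Manual intervention required" — the minimal-config fallback in the `else` branch is never reached, so the README's "restore from backup or create a basic working configuration" does not hold for a bad backup. Validating before copying, `if sshd -t -f "$latest_backup"; then`, and dropping through to the minimal config otherwise would close that gap. The minimal config also sets `PasswordAuthentication yes` and carries no `AllowUsers`/`MaxAuthTries`, so after recovery the host is less restricted than after setup.sh; the final output should say so, e.g. `warn "Hardening from setup.sh is not applied; re-run it once access is confirmed"`. Newest-by-mtime from `ls -t … | head -1` is the pre-breakage file only if setup.sh ran once since the last good state — worth a comment on the `latest_backup` line.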
@@ -315,42 +315,57 @@ configure_security() { sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config - # Configure SSH settings (remove old custom settings first) + # Configure SSH settings safely log "Applying SSH security settings..." - # Remove previous custom settings to avoid duplicates - sed -i '/^Protocol 2$/d' /etc/ssh/sshd_config - sed -i '/^PasswordAuthentication /d' /etc/ssh/sshd_config - sed -i '/^PubkeyAuthentication /d' /etc/ssh/sshd_config - sed -i '/^PermitEmptyPasswords /d' /etc/ssh/sshd_config - sed -i '/^X11Forwarding /d' /etc/ssh/sshd_config - sed -i '/^MaxAuthTries /d' /etc/ssh/sshd_config - sed -i '/^ClientAliveInterval /d' /etc/ssh/sshd_config - sed -i '/^ClientAliveCountMax /d' /etc/ssh/sshd_config - sed -i '/^AllowUsers /d' /etc/ssh/sshd_config + # Backup original sshd_config + cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S) - # Add current settings - { - echo "Protocol 2" - if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then - echo "PasswordAuthentication no" - log "SSH password authentication disabled" - else - echo "PasswordAuthentication yes" - log "SSH password authentication enabled" - fi - echo "PubkeyAuthentication yes" - echo "PermitEmptyPasswords no" - echo "X11Forwarding no" - echo "MaxAuthTries 3" - echo "ClientAliveInterval 300" - echo "ClientAliveCountMax 2" - if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then - echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" - else - echo "AllowUsers $SYSADMIN_USER" - fi - } >> /etc/ssh/sshd_config + # Configure PasswordAuthentication + if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then + sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config + log "SSH password authentication disabled" + else + sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config + log "SSH password authentication enabled" + 
fi + + # Configure other SSH settings more safely + sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config + sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' /etc/ssh/sshd_config + sed -i 's/^#*X11Forwarding.*/X11Forwarding no/' /etc/ssh/sshd_config + sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' /etc/ssh/sshd_config + + # Add settings that might not exist + if ! grep -q "^ClientAliveInterval" /etc/ssh/sshd_config; then + echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config + else + sed -i 's/^#*ClientAliveInterval.*/ClientAliveInterval 300/' /etc/ssh/sshd_config + fi + + if ! grep -q "^ClientAliveCountMax" /etc/ssh/sshd_config; then + echo "ClientAliveCountMax 2" >> /etc/ssh/sshd_config + else + sed -i 's/^#*ClientAliveCountMax.*/ClientAliveCountMax 2/' /etc/ssh/sshd_config + fi + + # Configure AllowUsers (remove old entries first) + sed -i '/^AllowUsers/d' /etc/ssh/sshd_config + if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then + echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" >> /etc/ssh/sshd_config + else + echo "AllowUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config + fi + + # Test SSH configuration before proceeding + log "Testing SSH configuration..." + if ! sshd -t; then + error "SSH configuration is invalid! Restoring backup..." + mv /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S) /etc/ssh/sshd_config + exit 1 + fi + + log "SSH configuration is valid" # Remove/lock root password log "Locking root password..." 
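Review bot: The rollback on `sshd -t` failure cannot work as written: `mv /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S) /etc/ssh/sshd_config` evaluates `date` a second time, so unless the whole block finished within the same second it names a file that does not exist, the `mv` fails and the invalid config stays installed when the script exits. Capture the path once when the backup is taken — `local backup_file; backup_file="/etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S)"; cp /etc/ssh/sshd_config "$backup_file"` — and restore with `cp "$backup_file" /etc/ssh/sshd_config` (cp rather than mv keeps the backup available to fix-ssh.sh). Two caveats worth a comment: the stock Debian 12 sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it sees, so a `PasswordAuthentication yes` in a drop-in there would silently override the value set by the `sed` here; and the `>>` appends for ClientAlive*/AllowUsers land at the end of the file, where they would become part of any trailing `Match` block rather than global settings. `configure_security` begins and ends outside this hunk.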
@@ -625,9 +640,22 @@ show_ssh_setup_summary() { ### === CLEANUP AND FINALIZATION === ### finalize_setup() { - # Restart SSH service + # Restart SSH service safely log "Restarting SSH service..." - systemctl restart sshd + if ! systemctl restart sshd; then + error "Failed to restart SSH service! Check configuration and try again." + log "You can restore SSH configuration from backup if needed:" + log "ls /etc/ssh/sshd_config.backup.*" + exit 1 + fi + + # Verify SSH service is running + if ! systemctl is-active --quiet sshd; then + error "SSH service is not running after restart!" + exit 1 + fi + + log "SSH service restarted successfully" # Clean up log "Cleaning up..."
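Review bot: On restart failure the new code exits with the possibly broken configuration still installed and only prints an `ls` hint, even though a timestamped backup was just created in configure_security; rolling back automatically before exiting keeps the operator a re-run away instead of a console visit. A rollback that validates the newest backup with `sshd -t -f` before copying it back is sketched below. Separately, on Debian the unit is `ssh.service` and `sshd` resolves only through its alias, so `systemctl is-active --quiet sshd` could report inactive while ssh is up if the alias symlink is absent — confirm on the target, or use `ssh` as the unit name. `finalize_setup` continues past the end of this hunk.

```shell
  log "Restarting SSH service..."
  if ! systemctl restart sshd; then
    error "Failed to restart SSH service! Rolling back to the most recent sshd_config backup..."
    latest_backup=$(ls -t /etc/ssh/sshd_config.backup.* 2>/dev/null | head -n 1)
    if [[ -n "$latest_backup" ]] && sshd -t -f "$latest_backup"; then
      cp "$latest_backup" /etc/ssh/sshd_config
      systemctl restart sshd || error "Restart still failing after rollback; use fix-ssh.sh from the console."
    fi
    exit 1
  fi
  # … unchanged: is-active verification and success log …
```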