-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #42 from prudvikeshav/linux
Linux
- Loading branch information
Showing
1 changed file
with
48 additions
and
70 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,87 +1,65 @@ | ||
| # Problem Statement | ||
| Following security audits, the xFusionCorp Industries security team has rolled out new protocols, including the restriction of direct root SSH login. | ||
| In a bid to automate backup processes, the xFusionCorp Industries sysadmin team has developed a new bash script named *xfusioncorp.sh*. While the script has been distributed to all necessary servers, it lacks executable permissions on *App Server 3* within the Stratos Datacenter. | ||
|
|
||
| Your task is to disable direct SSH root login on all app servers within the Stratos Datacenter. | ||
| ## Solution | ||
| Your task is to grant executable permissions to the */tmp/xfusioncorp.sh* script on *App Server 3.* Additionally, ensure that all users have the capability to execute it. | ||
|
|
||
| To address this requirement, we need to automate the process of disabling direct root SSH login on multiple servers. The solution involves the following steps: | ||
| # Solution: | ||
|
|
||
| 1. **Define Server Details**: Create arrays to store the server names, SSH usernames, and corresponding passwords. | ||
|
|
||
| 2. **Iterate Through Servers**: Loop through each server, using the respective username and password to perform SSH operations. | ||
| #### **1. Connect to App Server 3** | ||
|
|
||
| 3. **Disable Root Login**: | ||
| - **Connect to Server**: Use `sshpass` to manage SSH login with passwords, avoiding manual intervention. | ||
| - **Update SSH Configuration**: Modify the SSH configuration file (`/etc/ssh/sshd_config`) to disable root login. This involves: | ||
| - Commenting out any existing `PermitRootLogin` directives. | ||
| - Adding or updating the `PermitRootLogin no` directive to restrict root access. | ||
| - **Restart SSH Service**: Apply the changes by restarting the SSH service to ensure that the new configuration takes effect. | ||
| Start by connecting to App Server 3 via SSH using the `banner` account. | ||
|
|
||
| 4. **Error Handling and Reporting**: Check the success or failure of each operation and provide appropriate feedback. | ||
| ```bash | ||
| ssh banner@stapp03 | ||
| ``` | ||
|
|
||
|
|
||
| #### **2. Switch to the Superuser (Root)** | ||
|
|
||
| Once logged in, switch to the root user to modify the script's permissions. | ||
|
|
||
| ```bash | ||
| sudo su | ||
| ``` | ||
|
|
||
|
|
||
| #### **3. Check the Current Permissions** | ||
|
|
||
| Verify the current permissions of the script to understand its current state. | ||
|
|
||
| ```bash | ||
| ls -al /tmp/xfusioncorp.sh | ||
| ``` | ||
|
|
||
| Here is the enhanced script that implements the above solution: | ||
|
|
||
| #### **4. Grant Executable Permissions** | ||
|
|
||
| Update the permissions of the script so that all users can execute it. | ||
|
|
||
| ```bash | ||
| #!/bin/bash | ||
|
|
||
| # Define lists of servers, usernames, and passwords | ||
| servers=("stapp01" "stapp02" "stapp03") | ||
| users=("tony" "steve" "banner") | ||
| passwords=("Ir0nM@n" "Am3ric@" "BigGr33n") | ||
|
|
||
| # Loop through each server to apply changes | ||
| for i in "${!servers[@]}"; do | ||
| server="${servers[$i]}" | ||
| user="${users[$i]}" | ||
| password="${passwords[$i]}" | ||
|
|
||
| echo "Processing $server..." | ||
|
|
||
| # SSH into the server and execute commands | ||
| sshpass -p "$password" ssh -o StrictHostKeyChecking=no "$user@$server" <<EOF | ||
| # Disable root login in the SSH configuration | ||
| echo "$password" | sudo -S bash -c " | ||
| # Backup the current SSH configuration | ||
| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak | ||
| # Disable root login | ||
| sed -i 's/^#PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config | ||
| sed -i 's/^PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config | ||
| # Restart SSH service to apply changes | ||
| systemctl restart sshd | ||
| " | ||
| EOF | ||
|
|
||
| # Check the exit status of the SSH command | ||
| if [ $? -eq 0 ]; then | ||
| echo "Successfully disabled root login on $server" | ||
| else | ||
| echo "Failed to update $server" | ||
| fi | ||
|
|
||
| echo "---------------------------------" | ||
| done | ||
| chmod 755 /tmp/xfusioncorp.sh | ||
| ``` | ||
|
|
||
| ### Explanation of the Script | ||
| - **Explanation**: | ||
| - `chmod 755`: This command sets the permissions of the file to `rwxr-xr-x`. | ||
| - `rwx` (read, write, execute) for the owner (root). | ||
| - `r-x` (read, execute) for the group (root). | ||
| - `r-x` (read, execute) for others (all users). | ||
|
|
||
| 1. **Variables**: | ||
| - `servers`, `users`, and `passwords` arrays store the necessary details for each server. | ||
| #### **5. Verify the Permissions** | ||
|
|
||
| 2. **SSH Operations**: | ||
| - `sshpass -p "$password"`: Manages password-based SSH authentication. | ||
| - `ssh -o StrictHostKeyChecking=no "$user@$server"`: Connects to each server, bypassing host key checks for automation purposes. | ||
| Check the permissions again to ensure that they have been updated correctly. | ||
|
|
||
| 3. **Commands Execution**: | ||
| - **Backup Configuration**: Creates a backup of the current SSH configuration file to safeguard against potential issues. | ||
| - **Modify Configuration**: Updates the SSH configuration to disable root login. | ||
| - **Restart SSH Service**: Ensures that the new configuration is applied immediately. | ||
| ```bash | ||
| ls -al /tmp/xfusioncorp.sh | ||
| ``` | ||
|
|
||
|
|
||
| #### **6. Execute the Script** | ||
|
|
||
| 4. **Error Handling**: | ||
| - Checks the success of each SSH command and reports accordingly. | ||
| Run the script to ensure it works as expected. | ||
|
|
||
| **Security Considerations**: | ||
| ```bash | ||
| . /tmp/xfusioncorp.sh | ||
| ``` | ||
|
|
||
| - **Password Handling**: The script uses passwords directly, which could be a security risk. Consider using SSH keys and configuring `sudo` for passwordless access to specific commands for a more secure solution. | ||
| - **Testing**: Before deploying the script in a production environment, thoroughly test it in a controlled setting to verify its functionality and avoid unintended disruptions. |