Actualiser miscellaneous/secure_ssh.sh

This commit is contained in:
Philippe Favre
2024-11-14 03:16:20 +01:00
parent 56142b79c8
commit 859a750be7


@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices. # This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
# Its main purpose is to enhance the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and reducing potential attack vectors. # It enhances the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and restricting root access.
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes. # The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection. # These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh # These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
@@ -11,11 +11,28 @@
# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`. # After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
# The script will automatically apply the recommended configuration changes and restart the SSH service. # The script will automatically apply the recommended configuration changes and restart the SSH service.
# Check if the script is run as root
if [[ "$EUID" -ne 0 ]]; then
echo "This script must be run as root. Please use sudo to execute it."
exit 1
fi
# Variables # Variables
SSHD_CONFIG="/etc/ssh/sshd_config" SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" # Backup with date and time
# Backup the old configuration # Backup the old configuration with a timestamp
cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak" cp "$SSHD_CONFIG" "$BACKUP_FILE"
# Ask user if they want to restrict SSH access to a single IP
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
if [[ "$restrict_ip" == "yes" ]]; then
read -p "Enter the IP address to allow SSH access: " allowed_ip
allow_users="AllowUsers *@${allowed_ip}"
else
allow_users="# AllowUsers configuration not set"
fi
# Modify the sshd_config file # Modify the sshd_config file
cat <<EOL > "$SSHD_CONFIG" cat <<EOL > "$SSHD_CONFIG"
@@ -41,9 +58,19 @@ PermitRootLogin no
# Strict connection policy # Strict connection policy
MaxAuthTries 3 MaxAuthTries 3
LoginGraceTime 30 LoginGraceTime 30
# Additional security recommendations
AllowTcpForwarding no
MaxSessions 2
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2
# IP restriction based on user input
$allow_users
EOL EOL
# Restart the SSH service # Restart the SSH service
systemctl restart sshd systemctl restart sshd
echo "SSH configuration has been updated according to Mozilla's security recommendations." echo "SSH configuration has been updated and backed up to $BACKUP_FILE according to Mozilla's security recommendations."
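Review bot: The new sshd_config is written by the heredoc and sshd is restarted immediately on the `systemctl restart sshd` line without validating the file first, so a bad value from the new `allowed_ip` prompt (an empty answer yields `AllowUsers *@`, a stray space yields a second token) can leave the daemon unable to start or matching no user, which locks out remote administrators with no way back in. Run `sshd -t -f "$SSHD_CONFIG"` before the restart and restore `$BACKUP_FILE` when it fails, and reject empty or whitespace-containing input at the prompt (use `read -rp` as well, since `read` without `-r` mangles backslashes). Even with a syntactically valid address, `AllowUsers *@$allowed_ip` will likely cut off the current session if the operator is not connecting from that address, so the prompt should say so, e.g. `# WARNING: your current session must originate from this address or you will be locked out`. Note the heredoc opened at `cat <<EOL > "$SSHD_CONFIG"` in the second hunk continues between the hunks, so the full set of directives written is not visible here.

```shell
# … unchanged: root check, backup, restrict_ip prompt …
read -rp "Enter the IP address to allow SSH access: " allowed_ip
if [[ -z "$allowed_ip" || "$allowed_ip" == *[[:space:]]* ]]; then
  echo "Invalid address: '$allowed_ip'" >&2
  exit 1
fi
# … unchanged: heredoc writing $SSHD_CONFIG …
# Validate before restarting; a config sshd cannot parse would stop the daemon.
if ! sshd -t -f "$SSHD_CONFIG"; then
  echo "New sshd_config failed validation; restoring $BACKUP_FILE" >&2
  cp "$BACKUP_FILE" "$SSHD_CONFIG"
  exit 1
fi
systemctl restart sshd
```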