lapatatedouce/scripts-admin-debian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Actualiser miscellaneous/secure_ssh.sh

Browse Source
This commit is contained in:
Philippe Favre
2025-04-02 01:36:50 +02:00
parent f8034e007e
commit ed53d4cb1f
1 changed files with 60 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

205
miscellaneous/secure_ssh.sh
View File

@@ -1,14 +1,17 @@
#!/bin/bash #!/bin/bash
# This script configures SSH server security settings following Mozilla's guidelines # Warning: Before running this script, make sure you have created a user and an SSH key in the authorized_keys file.
# It allows choosing between SSH key and password authentication methods
# Reference: https://infosec.mozilla.org/guidelines/openssh # This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
# It enhances the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and restricting root access.
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
# Usage: # Usage:
# 1. Save this script as "secure_ssh.sh" # To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`.
# 2. Make it executable: chmod +x secure_ssh.sh # After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
# 3. Run with root privileges: sudo ./secure_ssh.sh # The script will automatically apply the recommended configuration changes and restart the SSH service.
# 4. Follow the interactive prompts to configure your SSH security settings
# Check if the script is run as root # Check if the script is run as root
if [[ "$EUID" -ne 0 ]]; then if [[ "$EUID" -ne 0 ]]; then
@@ -16,171 +19,83 @@ if [[ "$EUID" -ne 0 ]]; then
exit 1 exit 1
fi fi
# Define important variables # Variables
SSHD_CONFIG="/etc/ssh/sshd_config" SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" # Backup with date and time
# Function to validate IP address # Backup the old configuration with a timestamp
validate_ip() {
local ip=$1
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
stat=$?
fi
return $stat
}
# Create a backup of the current SSH configuration
cp "$SSHD_CONFIG" "$BACKUP_FILE" cp "$SSHD_CONFIG" "$BACKUP_FILE"
echo "Current SSH configuration backed up to $BACKUP_FILE"
# Configure SSH port (mandatory) # Ask user if they want to restrict SSH access to a single IP
while true; do read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
read -p "Enter the SSH port to use (between 1024 and 65535): " new_port
if [[ "$new_port" =~ ^[0-9]+$ ]] && [ "$new_port" -ge 1024 ] && [ "$new_port" -le 65535 ]; then
port_setting="Port $new_port"
break
else
echo "Error: Please enter a valid port number between 1024 and 65535"
fi
done
# Configure IP whitelist (mandatory) if [[ "$restrict_ip" == "yes" ]]; then
while true; do read -p "Enter the IP address to allow SSH access: " allowed_ip
read -p "Enter the IP address to whitelist for SSH access (e.g., 192.168.1.100): " allowed_ip allow_users="AllowUsers *@${allowed_ip}"
if validate_ip "$allowed_ip"; then else
allow_users="AllowUsers *@${allowed_ip}" allow_users="# AllowUsers configuration not set"
break fi
else
echo "Error: Please enter a valid IP address"
fi
done
# Present authentication method options to the user # Ask user if they want to change the SSH port
echo "Choose authentication method:" read -p "Do you want to change the SSH port? (yes/no): " change_port
echo "1) SSH key only (more secure)" if [[ "$change_port" == "yes" ]]; then
echo "2) Password authentication" read -p "Enter the new SSH port: " new_port
read -p "Enter your choice (1 or 2): " auth_choice port_setting="Port $new_port"
else
port_setting="# Port configuration not changed"
fi
# Handle authentication method selection # Ask user if they want to use password or key-based authentication
case $auth_choice in read -p "Do you want to use password or key-based authentication? (password/key): " auth_method
1) if [[ "$auth_method" == "password" ]]; then
# Configure SSH key authentication password_auth="PasswordAuthentication yes"
auth_method="PasswordAuthentication no" key_auth="# PasswordAuthentication no"
echo "SSH key authentication selected" else
password_auth="# PasswordAuthentication no"
# Check for existing SSH key configuration key_auth="PubkeyAuthentication yes"
if [ ! -f "/root/.ssh/authorized_keys" ]; then fi
read -p "No SSH key found. Would you like to add one now? (yes/no): " add_key
if [[ "$add_key" == "yes" ]]; then
# Create SSH directory with proper permissions
mkdir -p /root/.ssh
read -p "Paste your public SSH key: " ssh_key
echo "$ssh_key" >> /root/.ssh/authorized_keys
# Set proper permissions for SSH files
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
else
echo "Warning: No SSH key configured. You might be locked out!"
exit 1
fi
fi
;;
2)
# Configure password authentication
auth_method="PasswordAuthentication yes"
echo "Password authentication selected"
;;
*)
echo "Invalid choice. Exiting."
exit 1
;;
esac
# Create new SSH configuration file with secure settings # Modify the sshd_config file
cat <<EOL > "$SSHD_CONFIG" cat <<EOL > "$SSHD_CONFIG"
# SSH Server Configuration # Mozilla SSH Security Recommendations
# Generated by secure_ssh.sh script
# Based on Mozilla's Modern OpenSSH server configuration
# Last modified: $(date)
# Protocol version (only SSH protocol 2 is secure)
Protocol 2 Protocol 2
# Enable only secure ciphers
# Port configuration (mandatory)
$port_setting
# IP restriction settings (mandatory)
$allow_users
# Authentication configuration
$auth_method
# Cryptographic settings
# Only modern, secure ciphers are enabled
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Enable only secure key exchange algorithms
# Key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Enable only secure MAC algorithms
# Message Authentication Codes (MACs)
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
# Host keys # Authentication method based on user input
$password_auth
$key_auth
# Disable old host keys
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_rsa_key
# Access control settings # Restrict root access
PermitRootLogin no PermitRootLogin no
# Strict connection policy
MaxAuthTries 3 MaxAuthTries 3
LoginGraceTime 30 LoginGraceTime 30
# Additional security measures # Additional security recommendations
AllowTcpForwarding no AllowTcpForwarding no
MaxSessions 2 MaxSessions 2
LogLevel VERBOSE LogLevel VERBOSE
ClientAliveInterval 300 ClientAliveInterval 300
ClientAliveCountMax 2 ClientAliveCountMax 2
# IP restriction based on user input
$allow_users
# SSH port based on user input
$port_setting
EOL EOL
# Configure UFW firewall if installed # Restart the SSH service
if command -v ufw >/dev/null 2>&1; then
echo "Configuring UFW firewall..."
ufw allow from "$allowed_ip" to any port "$new_port" proto tcp
ufw status
fi
# Restart SSH service to apply new configuration
systemctl restart sshd systemctl restart sshd
# Display completion message and configuration summary echo "SSH configuration has been updated and backed up to $BACKUP_FILE according to Mozilla's security recommendations."
echo "
SSH Configuration Summary:
-------------------------
Port: $new_port
Whitelisted IP: $allowed_ip
Authentication Method: ${auth_choice == 1 ? 'SSH Key' : 'Password'}
Backup File: $BACKUP_FILE
Important notes:
1. Keep your backup file safe
2. Test your new SSH configuration in a new session before logging out
3. If you get locked out, use the backup file to restore the previous configuration
4. The following command will be needed to connect:
ssh -p $new_port user@server_ip
Next steps:
1. Open a new terminal
2. Try to connect using the new configuration
3. Do NOT close this session until you confirm the new configuration works
"
if [[ "$auth_choice" == "1" ]]; then
echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
fi