password authentication

This commit is contained in:
2025-04-02 01:22:32 +02:00
parent 67eb731e2a
commit f37d7bec80


@@ -1,17 +1,14 @@
#!/bin/bash #!/bin/bash
# Warning: Before running this script, make sure you have created a user and an SSH key in the authorized_keys file. # This script configures SSH server security settings following Mozilla's guidelines
# It allows choosing between SSH key and password authentication methods
# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices. # Reference: https://infosec.mozilla.org/guidelines/openssh
# It enhances the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and restricting root access.
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
# Usage: # Usage:
# To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`. # 1. Save this script as "secure_ssh.sh"
# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`. # 2. Make it executable: chmod +x secure_ssh.sh
# The script will automatically apply the recommended configuration changes and restart the SSH service. # 3. Run with root privileges: sudo ./secure_ssh.sh
# 4. Follow the interactive prompts to configure your SSH security settings
# Check if the script is run as root # Check if the script is run as root
if [[ "$EUID" -ne 0 ]]; then if [[ "$EUID" -ne 0 ]]; then
@@ -19,16 +16,59 @@ if [[ "$EUID" -ne 0 ]]; then
exit 1 exit 1
fi fi
# Variables # Define important variables
# SSHD_CONFIG: Location of the SSH daemon configuration file
# BACKUP_FILE: Location of the backup file with timestamp
SSHD_CONFIG="/etc/ssh/sshd_config" SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" # Backup with date and time BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak"
# Backup the old configuration with a timestamp # Create a backup of the current SSH configuration
# This allows rollback if something goes wrong
cp "$SSHD_CONFIG" "$BACKUP_FILE" cp "$SSHD_CONFIG" "$BACKUP_FILE"
# Ask user if they want to restrict SSH access to a single IP # Present authentication method options to the user
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip echo "Choose authentication method:"
echo "1) SSH key only (more secure)"
echo "2) Password authentication"
read -p "Enter your choice (1 or 2): " auth_choice
# Handle authentication method selection
case $auth_choice in
1)
# Configure SSH key authentication
auth_method="PasswordAuthentication no"
echo "SSH key authentication selected"
# Check for existing SSH key configuration
if [ ! -f "/root/.ssh/authorized_keys" ]; then
read -p "No SSH key found. Would you like to add one now? (yes/no): " add_key
if [[ "$add_key" == "yes" ]]; then
# Create SSH directory with proper permissions
mkdir -p /root/.ssh
read -p "Paste your public SSH key: " ssh_key
echo "$ssh_key" >> /root/.ssh/authorized_keys
# Set proper permissions for SSH files
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
else
echo "Warning: No SSH key configured. You might be locked out!"
exit 1
fi
fi
;;
2)
# Configure password authentication
auth_method="PasswordAuthentication yes"
echo "Password authentication selected"
;;
*)
echo "Invalid choice. Exiting."
exit 1
;;
esac
# Configure IP restriction options
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
if [[ "$restrict_ip" == "yes" ]]; then if [[ "$restrict_ip" == "yes" ]]; then
read -p "Enter the IP address to allow SSH access: " allowed_ip read -p "Enter the IP address to allow SSH access: " allowed_ip
allow_users="AllowUsers *@${allowed_ip}" allow_users="AllowUsers *@${allowed_ip}"
@@ -36,7 +76,7 @@ else
allow_users="# AllowUsers configuration not set" allow_users="# AllowUsers configuration not set"
fi fi
# Ask user if they want to change the SSH port # Configure SSH port options
read -p "Do you want to change the SSH port? (yes/no): " change_port read -p "Do you want to change the SSH port? (yes/no): " change_port
if [[ "$change_port" == "yes" ]]; then if [[ "$change_port" == "yes" ]]; then
read -p "Enter the new SSH port: " new_port read -p "Enter the new SSH port: " new_port
@@ -45,46 +85,68 @@ else
port_setting="# Port configuration not changed" port_setting="# Port configuration not changed"
fi fi
# Modify the sshd_config file # Create new SSH configuration file with secure settings
# This configuration follows Mozilla's Modern OpenSSH server recommendations
cat <<EOL > "$SSHD_CONFIG" cat <<EOL > "$SSHD_CONFIG"
# Mozilla SSH Security Recommendations # SSH Server Configuration
# Generated by secure_ssh.sh script
# Based on Mozilla's Modern OpenSSH server configuration
# Last modified: $(date)
# Protocol version (only SSH protocol 2 is secure)
Protocol 2 Protocol 2
# Enable only secure ciphers
# Authentication configuration
$auth_method
# Cryptographic settings
# Only modern, secure ciphers are enabled
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Enable only secure key exchange algorithms
# Key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Enable only secure MAC algorithms
# Message Authentication Codes (MACs)
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
# Disable password authentication for stronger security # Host keys
PasswordAuthentication no
# Disable old host keys
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_rsa_key
# Restrict root access # Access control settings
PermitRootLogin no PermitRootLogin no
# Strict connection policy
MaxAuthTries 3 MaxAuthTries 3
LoginGraceTime 30 LoginGraceTime 30
# Additional security recommendations # Additional security measures
AllowTcpForwarding no AllowTcpForwarding no
MaxSessions 2 MaxSessions 2
LogLevel VERBOSE LogLevel VERBOSE
ClientAliveInterval 300 ClientAliveInterval 300
ClientAliveCountMax 2 ClientAliveCountMax 2
# IP restriction based on user input # IP restriction settings
$allow_users $allow_users
# SSH port based on user input # Port configuration
$port_setting $port_setting
EOL EOL
# Restart the SSH service # Restart SSH service to apply new configuration
systemctl restart sshd systemctl restart sshd
echo "SSH configuration has been updated and backed up to $BACKUP_FILE according to Mozilla's security recommendations." # Display completion message and warnings
echo "SSH configuration has been updated and backed up to $BACKUP_FILE"
if [[ "$auth_choice" == "1" ]]; then
echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
echo "Your backup file is located at: $BACKUP_FILE"
fi
# Additional information
echo "
Important notes:
1. Keep your backup file ($BACKUP_FILE) safe
2. Test your new SSH configuration in a new session before logging out
3. If you get locked out, use the backup file to restore the previous configuration
4. For key-based authentication, ensure your public key is properly configured
"
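Review bot: The `1)` branch checks for and installs the key in `/root/.ssh/authorized_keys`, yet the generated config still hard-codes `PermitRootLogin no`, so a key placed there cannot be used to log in and a user who relies on this prompt is locked out after the restart. The check and the install should target the invoking account (`${SUDO_USER:-root}` and its home from `getent passwd`), with `read -r` so a pasted key is not mangled. Separately, `$allowed_ip`, `$new_port` and the pasted key are written into `sshd_config` unvalidated and the script goes straight to `systemctl restart sshd`; a typo there leaves sshd down with no new logins possible, so the config should pass `sshd -t -f "$SSHD_CONFIG"` before the restart, restoring `$BACKUP_FILE` on failure. The rewritten lines of the key branch and the pre-restart check are below.
```shell
target_user="${SUDO_USER:-root}"
target_home="$(getent passwd "$target_user" | cut -d: -f6)"
auth_keys="$target_home/.ssh/authorized_keys"
# PermitRootLogin no is emitted below, so the key must belong to the invoking user, not root
if [[ ! -f "$auth_keys" ]]; then
    # … unchanged: "No SSH key found" prompt …
    mkdir -p "$target_home/.ssh"
    read -r -p "Paste your public SSH key: " ssh_key
    printf '%s\n' "$ssh_key" >> "$auth_keys"
    chmod 700 "$target_home/.ssh"
    chmod 600 "$auth_keys"
    chown -R "$target_user": "$target_home/.ssh"
# … unchanged: password branch, IP/port prompts, heredoc …
# Refuse to restart on a config sshd itself rejects; otherwise new logins fail until the backup is restored by hand
if ! sshd -t -f "$SSHD_CONFIG"; then
    echo "Generated config is invalid; restoring $BACKUP_FILE" >&2
    cp "$BACKUP_FILE" "$SSHD_CONFIG"
    exit 1
fi
systemctl restart sshd
```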