password authentication
This commit is contained in:
@@ -1,17 +1,14 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Warning: Before running this script, make sure you have created a user and an SSH key in the authorized_keys file.
|
||||
|
||||
# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
|
||||
# It enhances the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and restricting root access.
|
||||
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
|
||||
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
|
||||
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
|
||||
# This script configures SSH server security settings following Mozilla's guidelines
|
||||
# It allows choosing between SSH key and password authentication methods
|
||||
# Reference: https://infosec.mozilla.org/guidelines/openssh
|
||||
|
||||
# Usage:
|
||||
# To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`.
|
||||
# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
|
||||
# The script will automatically apply the recommended configuration changes and restart the SSH service.
|
||||
# 1. Save this script as "secure_ssh.sh"
|
||||
# 2. Make it executable: chmod +x secure_ssh.sh
|
||||
# 3. Run with root privileges: sudo ./secure_ssh.sh
|
||||
# 4. Follow the interactive prompts to configure your SSH security settings
|
||||
|
||||
# Check if the script is run as root
|
||||
if [[ "$EUID" -ne 0 ]]; then
|
||||
@@ -19,16 +16,59 @@ if [[ "$EUID" -ne 0 ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Variables
|
||||
# Define important variables
|
||||
# SSHD_CONFIG: Location of the SSH daemon configuration file
|
||||
# BACKUP_FILE: Location of the backup file with timestamp
|
||||
SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" # Backup with date and time
|
||||
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak"
|
||||
|
||||
# Backup the old configuration with a timestamp
|
||||
# Create a backup of the current SSH configuration
|
||||
# This allows rollback if something goes wrong
|
||||
cp "$SSHD_CONFIG" "$BACKUP_FILE"
|
||||
|
||||
# Ask user if they want to restrict SSH access to a single IP
|
||||
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
|
||||
# Present authentication method options to the user
|
||||
echo "Choose authentication method:"
|
||||
echo "1) SSH key only (more secure)"
|
||||
echo "2) Password authentication"
|
||||
read -p "Enter your choice (1 or 2): " auth_choice
|
||||
|
||||
# Handle authentication method selection
|
||||
case $auth_choice in
|
||||
1)
|
||||
# Configure SSH key authentication
|
||||
auth_method="PasswordAuthentication no"
|
||||
echo "SSH key authentication selected"
|
||||
|
||||
# Check for existing SSH key configuration
|
||||
if [ ! -f "/root/.ssh/authorized_keys" ]; then
|
||||
read -p "No SSH key found. Would you like to add one now? (yes/no): " add_key
|
||||
if [[ "$add_key" == "yes" ]]; then
|
||||
# Create SSH directory with proper permissions
|
||||
mkdir -p /root/.ssh
|
||||
read -p "Paste your public SSH key: " ssh_key
|
||||
echo "$ssh_key" >> /root/.ssh/authorized_keys
|
||||
# Set proper permissions for SSH files
|
||||
chmod 700 /root/.ssh
|
||||
chmod 600 /root/.ssh/authorized_keys
|
||||
else
|
||||
echo "Warning: No SSH key configured. You might be locked out!"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
2)
|
||||
# Configure password authentication
|
||||
auth_method="PasswordAuthentication yes"
|
||||
echo "Password authentication selected"
|
||||
;;
|
||||
*)
|
||||
echo "Invalid choice. Exiting."
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# Configure IP restriction options
|
||||
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
|
||||
if [[ "$restrict_ip" == "yes" ]]; then
|
||||
read -p "Enter the IP address to allow SSH access: " allowed_ip
|
||||
allow_users="AllowUsers *@${allowed_ip}"
|
||||
@@ -36,7 +76,7 @@ else
|
||||
allow_users="# AllowUsers configuration not set"
|
||||
fi
|
||||
|
||||
# Ask user if they want to change the SSH port
|
||||
# Configure SSH port options
|
||||
read -p "Do you want to change the SSH port? (yes/no): " change_port
|
||||
if [[ "$change_port" == "yes" ]]; then
|
||||
read -p "Enter the new SSH port: " new_port
|
||||
@@ -45,46 +85,68 @@ else
|
||||
port_setting="# Port configuration not changed"
|
||||
fi
|
||||
|
||||
# Modify the sshd_config file
|
||||
# Create new SSH configuration file with secure settings
|
||||
# This configuration follows Mozilla's Modern OpenSSH server recommendations
|
||||
cat <<EOL > "$SSHD_CONFIG"
|
||||
# Mozilla SSH Security Recommendations
|
||||
# SSH Server Configuration
|
||||
# Generated by secure_ssh.sh script
|
||||
# Based on Mozilla's Modern OpenSSH server configuration
|
||||
# Last modified: $(date)
|
||||
|
||||
# Protocol version (only SSH protocol 2 is secure)
|
||||
Protocol 2
|
||||
# Enable only secure ciphers
|
||||
|
||||
# Authentication configuration
|
||||
$auth_method
|
||||
|
||||
# Cryptographic settings
|
||||
# Only modern, secure ciphers are enabled
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
# Enable only secure key exchange algorithms
|
||||
|
||||
# Key exchange algorithms
|
||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
# Enable only secure MAC algorithms
|
||||
|
||||
# Message Authentication Codes (MACs)
|
||||
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
|
||||
|
||||
# Disable password authentication for stronger security
|
||||
PasswordAuthentication no
|
||||
|
||||
# Disable old host keys
|
||||
# Host keys
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
|
||||
# Restrict root access
|
||||
# Access control settings
|
||||
PermitRootLogin no
|
||||
|
||||
# Strict connection policy
|
||||
MaxAuthTries 3
|
||||
LoginGraceTime 30
|
||||
|
||||
# Additional security recommendations
|
||||
# Additional security measures
|
||||
AllowTcpForwarding no
|
||||
MaxSessions 2
|
||||
LogLevel VERBOSE
|
||||
ClientAliveInterval 300
|
||||
ClientAliveCountMax 2
|
||||
|
||||
# IP restriction based on user input
|
||||
# IP restriction settings
|
||||
$allow_users
|
||||
|
||||
# SSH port based on user input
|
||||
# Port configuration
|
||||
$port_setting
|
||||
EOL
|
||||
|
||||
# Restart the SSH service
|
||||
# Restart SSH service to apply new configuration
|
||||
systemctl restart sshd
|
||||
|
||||
echo "SSH configuration has been updated and backed up to $BACKUP_FILE according to Mozilla's security recommendations."
|
||||
# Display completion message and warnings
|
||||
echo "SSH configuration has been updated and backed up to $BACKUP_FILE"
|
||||
if [[ "$auth_choice" == "1" ]]; then
|
||||
echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
|
||||
echo "Your backup file is located at: $BACKUP_FILE"
|
||||
fi
|
||||
|
||||
# Additional information
|
||||
echo "
|
||||
Important notes:
|
||||
1. Keep your backup file ($BACKUP_FILE) safe
|
||||
2. Test your new SSH configuration in a new session before logging out
|
||||
3. If you get locked out, use the backup file to restore the previous configuration
|
||||
4. For key-based authentication, ensure your public key is properly configured
|
||||
"
|
||||
Reference in New Issue
Block a user