Actualiser miscellaneous/secure_ssh.sh

2025-04-02 01:29:55 +02:00
parent f37d7bec80
commit f8034e007e
1 changed files with 73 additions and 39 deletions
--- a/miscellaneous/secure_ssh.sh
+++ b/miscellaneous/secure_ssh.sh
@@ -17,14 +17,50 @@ if [[ "$EUID" -ne 0 ]]; then
 fi

 # Define important variables
-# SSHD_CONFIG: Location of the SSH daemon configuration file
-# BACKUP_FILE: Location of the backup file with timestamp
 SSHD_CONFIG="/etc/ssh/sshd_config"
 BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak"

+# Function to validate IP address
+validate_ip() {
+    local ip=$1
+    local stat=1
+
+    if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+        OIFS=$IFS
+        IFS='.'
+        ip=($ip)
+        IFS=$OIFS
+        [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
+        stat=$?
+    fi
+    return $stat
+}
+
 # Create a backup of the current SSH configuration
-# This allows rollback if something goes wrong
 cp "$SSHD_CONFIG" "$BACKUP_FILE"
+echo "Current SSH configuration backed up to $BACKUP_FILE"
+
+# Configure SSH port (mandatory)
+while true; do
+    read -p "Enter the SSH port to use (between 1024 and 65535): " new_port
+    if [[ "$new_port" =~ ^[0-9]+$ ]] && [ "$new_port" -ge 1024 ] && [ "$new_port" -le 65535 ]; then
+        port_setting="Port $new_port"
+        break
+    else
+        echo "Error: Please enter a valid port number between 1024 and 65535"
+    fi
+done
+
+# Configure IP whitelist (mandatory)
+while true; do
+    read -p "Enter the IP address to whitelist for SSH access (e.g., 192.168.1.100): " allowed_ip
+    if validate_ip "$allowed_ip"; then
+        allow_users="AllowUsers *@${allowed_ip}"
+        break
+    else
+        echo "Error: Please enter a valid IP address"
+    fi
+done

 # Present authentication method options to the user
 echo "Choose authentication method:"
@@ -67,26 +103,7 @@ case $auth_choice in
        ;;
 esac

-# Configure IP restriction options
-read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
-if [[ "$restrict_ip" == "yes" ]]; then
-    read -p "Enter the IP address to allow SSH access: " allowed_ip
-    allow_users="AllowUsers *@${allowed_ip}"
-else
-    allow_users="# AllowUsers configuration not set"
-fi
-
-# Configure SSH port options
-read -p "Do you want to change the SSH port? (yes/no): " change_port
-if [[ "$change_port" == "yes" ]]; then
-    read -p "Enter the new SSH port: " new_port
-    port_setting="Port $new_port"
-else
-    port_setting="# Port configuration not changed"
-fi
-
 # Create new SSH configuration file with secure settings
-# This configuration follows Mozilla's Modern OpenSSH server recommendations
 cat <<EOL > "$SSHD_CONFIG"
 # SSH Server Configuration
 # Generated by secure_ssh.sh script
@@ -96,6 +113,12 @@ cat <<EOL > "$SSHD_CONFIG"
 # Protocol version (only SSH protocol 2 is secure)
 Protocol 2

+# Port configuration (mandatory)
+$port_setting
+
+# IP restriction settings (mandatory)
+$allow_users
+
 # Authentication configuration
 $auth_method

@@ -124,29 +147,40 @@ MaxSessions 2
 LogLevel VERBOSE
 ClientAliveInterval 300
 ClientAliveCountMax 2
-
-# IP restriction settings
-$allow_users
-
-# Port configuration
-$port_setting
 EOL

+# Configure UFW firewall if installed
+if command -v ufw >/dev/null 2>&1; then
+    echo "Configuring UFW firewall..."
+    ufw allow from "$allowed_ip" to any port "$new_port" proto tcp
+    ufw status
+fi
+
 # Restart SSH service to apply new configuration
 systemctl restart sshd

-# Display completion message and warnings
-echo "SSH configuration has been updated and backed up to $BACKUP_FILE"
-if [[ "$auth_choice" == "1" ]]; then
-    echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
-    echo "Your backup file is located at: $BACKUP_FILE"
-fi
-
-# Additional information
+# Display completion message and configuration summary
 echo "
+SSH Configuration Summary:
+-------------------------
+Port: $new_port
+Whitelisted IP: $allowed_ip
+Authentication Method: ${auth_choice == 1 ? 'SSH Key' : 'Password'}
+Backup File: $BACKUP_FILE
+
 Important notes:
-1. Keep your backup file ($BACKUP_FILE) safe
+1. Keep your backup file safe
 2. Test your new SSH configuration in a new session before logging out
 3. If you get locked out, use the backup file to restore the previous configuration
-4. For key-based authentication, ensure your public key is properly configured
-"
+4. The following command will be needed to connect:
+   ssh -p $new_port user@server_ip
+
+Next steps:
+1. Open a new terminal
+2. Try to connect using the new configuration
+3. Do NOT close this session until you confirm the new configuration works
+"
+
+if [[ "$auth_choice" == "1" ]]; then
+    echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
+fi