Actualiser miscellaneous/secure_ssh.sh
This commit is contained in:
@@ -17,14 +17,50 @@ if [[ "$EUID" -ne 0 ]]; then
|
||||
fi
|
||||
|
||||
# Define important variables
|
||||
# SSHD_CONFIG: Location of the SSH daemon configuration file
|
||||
# BACKUP_FILE: Location of the backup file with timestamp
|
||||
SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak"
|
||||
|
||||
# Function to validate IP address
|
||||
validate_ip() {
|
||||
local ip=$1
|
||||
local stat=1
|
||||
|
||||
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
|
||||
OIFS=$IFS
|
||||
IFS='.'
|
||||
ip=($ip)
|
||||
IFS=$OIFS
|
||||
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
|
||||
stat=$?
|
||||
fi
|
||||
return $stat
|
||||
}
|
||||
|
||||
# Create a backup of the current SSH configuration
|
||||
# This allows rollback if something goes wrong
|
||||
cp "$SSHD_CONFIG" "$BACKUP_FILE"
|
||||
echo "Current SSH configuration backed up to $BACKUP_FILE"
|
||||
|
||||
# Configure SSH port (mandatory)
|
||||
while true; do
|
||||
read -p "Enter the SSH port to use (between 1024 and 65535): " new_port
|
||||
if [[ "$new_port" =~ ^[0-9]+$ ]] && [ "$new_port" -ge 1024 ] && [ "$new_port" -le 65535 ]; then
|
||||
port_setting="Port $new_port"
|
||||
break
|
||||
else
|
||||
echo "Error: Please enter a valid port number between 1024 and 65535"
|
||||
fi
|
||||
done
|
||||
|
||||
# Configure IP whitelist (mandatory)
|
||||
while true; do
|
||||
read -p "Enter the IP address to whitelist for SSH access (e.g., 192.168.1.100): " allowed_ip
|
||||
if validate_ip "$allowed_ip"; then
|
||||
allow_users="AllowUsers *@${allowed_ip}"
|
||||
break
|
||||
else
|
||||
echo "Error: Please enter a valid IP address"
|
||||
fi
|
||||
done
|
||||
|
||||
# Present authentication method options to the user
|
||||
echo "Choose authentication method:"
|
||||
@@ -67,26 +103,7 @@ case $auth_choice in
|
||||
;;
|
||||
esac
|
||||
|
||||
# Configure IP restriction options
|
||||
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
|
||||
if [[ "$restrict_ip" == "yes" ]]; then
|
||||
read -p "Enter the IP address to allow SSH access: " allowed_ip
|
||||
allow_users="AllowUsers *@${allowed_ip}"
|
||||
else
|
||||
allow_users="# AllowUsers configuration not set"
|
||||
fi
|
||||
|
||||
# Configure SSH port options
|
||||
read -p "Do you want to change the SSH port? (yes/no): " change_port
|
||||
if [[ "$change_port" == "yes" ]]; then
|
||||
read -p "Enter the new SSH port: " new_port
|
||||
port_setting="Port $new_port"
|
||||
else
|
||||
port_setting="# Port configuration not changed"
|
||||
fi
|
||||
|
||||
# Create new SSH configuration file with secure settings
|
||||
# This configuration follows Mozilla's Modern OpenSSH server recommendations
|
||||
cat <<EOL > "$SSHD_CONFIG"
|
||||
# SSH Server Configuration
|
||||
# Generated by secure_ssh.sh script
|
||||
@@ -96,6 +113,12 @@ cat <<EOL > "$SSHD_CONFIG"
|
||||
# Protocol version (only SSH protocol 2 is secure)
|
||||
Protocol 2
|
||||
|
||||
# Port configuration (mandatory)
|
||||
$port_setting
|
||||
|
||||
# IP restriction settings (mandatory)
|
||||
$allow_users
|
||||
|
||||
# Authentication configuration
|
||||
$auth_method
|
||||
|
||||
@@ -124,29 +147,40 @@ MaxSessions 2
|
||||
LogLevel VERBOSE
|
||||
ClientAliveInterval 300
|
||||
ClientAliveCountMax 2
|
||||
|
||||
# IP restriction settings
|
||||
$allow_users
|
||||
|
||||
# Port configuration
|
||||
$port_setting
|
||||
EOL
|
||||
|
||||
# Configure UFW firewall if installed
|
||||
if command -v ufw >/dev/null 2>&1; then
|
||||
echo "Configuring UFW firewall..."
|
||||
ufw allow from "$allowed_ip" to any port "$new_port" proto tcp
|
||||
ufw status
|
||||
fi
|
||||
|
||||
# Restart SSH service to apply new configuration
|
||||
systemctl restart sshd
|
||||
|
||||
# Display completion message and warnings
|
||||
echo "SSH configuration has been updated and backed up to $BACKUP_FILE"
|
||||
if [[ "$auth_choice" == "1" ]]; then
|
||||
echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
|
||||
echo "Your backup file is located at: $BACKUP_FILE"
|
||||
fi
|
||||
|
||||
# Additional information
|
||||
# Display completion message and configuration summary
|
||||
echo "
|
||||
SSH Configuration Summary:
|
||||
-------------------------
|
||||
Port: $new_port
|
||||
Whitelisted IP: $allowed_ip
|
||||
Authentication Method: ${auth_choice == 1 ? 'SSH Key' : 'Password'}
|
||||
Backup File: $BACKUP_FILE
|
||||
|
||||
Important notes:
|
||||
1. Keep your backup file ($BACKUP_FILE) safe
|
||||
1. Keep your backup file safe
|
||||
2. Test your new SSH configuration in a new session before logging out
|
||||
3. If you get locked out, use the backup file to restore the previous configuration
|
||||
4. For key-based authentication, ensure your public key is properly configured
|
||||
4. The following command will be needed to connect:
|
||||
ssh -p $new_port user@server_ip
|
||||
|
||||
Next steps:
|
||||
1. Open a new terminal
|
||||
2. Try to connect using the new configuration
|
||||
3. Do NOT close this session until you confirm the new configuration works
|
||||
"
|
||||
|
||||
if [[ "$auth_choice" == "1" ]]; then
|
||||
echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
|
||||
fi
|
||||
Reference in New Issue
Block a user