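#!/bin/bash
# Harden the OpenSSH server configuration following Mozilla's OpenSSH guidelines
# (https://infosec.mozilla.org/guidelines/openssh): modern ciphers, key exchange
# and MAC algorithms only, password authentication off, root login off, and
# tighter connection limits.
#
# What the script does:
#   1. Requires root (it rewrites /etc/ssh/sshd_config and restarts sshd).
#   2. Copies the current sshd_config to a timestamped .bak file next to it.
#   3. Optionally restricts logins to one source address via AllowUsers.
#   4. Writes a NEW sshd_config. The existing file is replaced wholesale, so any
#      directive the distribution shipped that is not listed below is dropped.
#   5. Validates the result with `sshd -t` and only then restarts the service.
#      If validation or the restart fails, the backup is restored so the host is
#      not left without a working sshd.
#
# Usage: save as secure_ssh.sh, run `chmod +x secure_ssh.sh`, then
# `sudo ./secure_ssh.sh`. Keep an already-authenticated session open while
# running it: with PasswordAuthentication off, an account without an installed
# public key can no longer log in.

set -euo pipefail

# die: print a message to stderr and exit with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Root check: EUID is maintained by bash; 0 is root.
if [[ "$EUID" -ne 0 ]]; then
  die "This script must be run as root. Please use sudo to execute it."
fi

readonly SSHD_CONFIG="/etc/ssh/sshd_config"
# Timestamped backup beside the config, e.g. sshd_config_20240101_120000.bak
# (constructed example).
readonly BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak"

[[ -f "$SSHD_CONFIG" ]] || die "$SSHD_CONFIG not found"
cp -- "$SSHD_CONFIG" "$BACKUP_FILE" || die "Failed to back up $SSHD_CONFIG"

# restore_backup: put the original configuration back. Used on any failure
# after the rewrite so sshd is never left pointing at a broken file.
restore_backup() {
  cp -- "$BACKUP_FILE" "$SSHD_CONFIG"
  printf 'Restored original configuration from %s\n' "$BACKUP_FILE" >&2
}

# Optional single-address restriction. Only a literal "yes" enables it; any
# other answer, an empty answer, or EOF on stdin leaves AllowUsers unset.
read -r -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip || restrict_ip=""
if [[ "$restrict_ip" == "yes" ]]; then
  read -r -p "Enter the IP address to allow SSH access: " allowed_ip || allowed_ip=""
  # The value is interpolated into the config file, so accept only characters
  # that can occur in an IPv4/IPv6 address or CIDR prefix. This rejects spaces,
  # '#' and anything else that would change the meaning of the AllowUsers line
  # or smuggle in additional directives.
  [[ "$allowed_ip" =~ ^[0-9A-Fa-f.:/]+$ ]] \
    || die "Invalid address '${allowed_ip}': expected an IPv4/IPv6 address or CIDR prefix"
  allow_users="AllowUsers *@${allowed_ip}"
else
  allow_users="# AllowUsers configuration not set"
fi

# Write the hardened configuration. The heredoc delimiter is unquoted so that
# ${allow_users} expands; every other line is written literally.
cat > "$SSHD_CONFIG" <<EOL
# Mozilla SSH Security Recommendations
# (Protocol is a no-op on OpenSSH releases that have dropped SSHv1; kept for older servers)
Protocol 2

# Enable only secure ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Enable only secure key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

# Enable only secure MAC algorithms
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

# Disable password authentication for stronger security
PasswordAuthentication no

# Disable old host keys
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Restrict root access
PermitRootLogin no

# Strict connection policy
MaxAuthTries 3
LoginGraceTime 30

# Additional security recommendations
AllowTcpForwarding no
MaxSessions 2
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2

# IP restriction based on user input
$allow_users
EOL

# Refuse to restart into a broken configuration: `sshd -t` parses the file and
# checks that the referenced host keys are usable. On failure restore the
# backup and stop before touching the running service.
if ! sshd -t -f "$SSHD_CONFIG"; then
  restore_backup
  die "New $SSHD_CONFIG failed validation (sshd -t); original restored, service not restarted."
fi

# Apply the change. If the restart itself fails, fall back to the backup and
# make a best-effort attempt to bring the old configuration back up.
if ! systemctl restart sshd; then
  restore_backup
  systemctl restart sshd || true
  die "sshd failed to restart with the new configuration; original restored."
fi

printf "SSH configuration has been updated and backed up to %s according to Mozilla's security recommendations.\n" "$BACKUP_FILE"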