lapatatedouce/scripts-admin-debian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
859a750be7cdccb354f3b5eb29b39eba7bdca59e
scripts-admin-debian/miscellaneous/secure_ssh.sh
Philippe Favre 859a750be7 Actualiser miscellaneous/secure_ssh.sh
2024-11-14 03:16:20 +01:00

76 lines
2.9 KiB
Bash
Raw Blame History

#!/bin/bash
# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
# It enhances the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and restricting root access.
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
# Usage:
# To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`.
# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
# The script will automatically apply the recommended configuration changes and restart the SSH service.
# Check if the script is run as root
if [[ "$EUID" -ne 0 ]]; then
echo "This script must be run as root. Please use sudo to execute it."
exit 1
fi
# Variables
SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" # Backup with date and time
# Backup the old configuration with a timestamp
cp "$SSHD_CONFIG" "$BACKUP_FILE"
# Ask user if they want to restrict SSH access to a single IP
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
if [[ "$restrict_ip" == "yes" ]]; then
read -p "Enter the IP address to allow SSH access: " allowed_ip
allow_users="AllowUsers *@${allowed_ip}"
else
allow_users="# AllowUsers configuration not set"
fi
# Modify the sshd_config file
cat <<EOL > "$SSHD_CONFIG"
# Mozilla SSH Security Recommendations
Protocol 2
# Enable only secure ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Enable only secure key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Enable only secure MAC algorithms
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
# Disable password authentication for stronger security
PasswordAuthentication no
# Disable old host keys
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Restrict root access
PermitRootLogin no
# Strict connection policy
MaxAuthTries 3
LoginGraceTime 30
# Additional security recommendations
AllowTcpForwarding no
MaxSessions 2
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2
# IP restriction based on user input
$allow_users
EOL
# Restart the SSH service
systemctl restart sshd
echo "SSH configuration has been updated and backed up to $BACKUP_FILE according to Mozilla's security recommendations."
Reference in New Issue View Git Blame Copy Permalink