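#!/bin/bash
# Warning: Before running this script, make sure you have created a user and an SSH key in the authorized_keys file.
# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
# It enhances the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and restricting root access.
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
# Usage:
# To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`.
# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
# The script will automatically apply the recommended configuration changes and restart the SSH service.
#
# Safety: the generated configuration is written to a temporary file and
# validated with `sshd -t` before it replaces the live sshd_config, so an
# invalid answer cannot leave the daemon with an unusable configuration
# (and lock the operator out on restart).
# NOTE(review): the heredoc below replaces sshd_config wholesale, so any
# distribution-specific lines in the original file (for example an
# `Include` of sshd_config.d or the sftp `Subsystem`) are not carried over —
# compare against the backup file after running.
set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Check if the script is run as root
if [[ "$EUID" -ne 0 ]]; then
  die "This script must be run as root. Please use sudo to execute it."
fi

# Variables
readonly SSHD_CONFIG="/etc/ssh/sshd_config"
readonly BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" # Backup with date and time

# Backup the old configuration with a timestamp; abort if the backup cannot be
# made, since the rest of the script overwrites the live file.
[[ -f "$SSHD_CONFIG" ]] || die "Configuration file $SSHD_CONFIG not found."
cp -- "$SSHD_CONFIG" "$BACKUP_FILE" || die "Could not back up $SSHD_CONFIG to $BACKUP_FILE."

# Ask user if they want to restrict SSH access to a single IP
read -r -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
if [[ "$restrict_ip" == "yes" ]]; then
  read -r -p "Enter the IP address to allow SSH access: " allowed_ip
  # The value is written verbatim into an AllowUsers directive; only allow the
  # characters a host/IP pattern legitimately uses so a stray space, '#' or
  # newline cannot alter the generated configuration.
  if ! [[ "$allowed_ip" =~ ^[[:alnum:].:/*?-]+$ ]]; then
    die "Invalid IP address or host pattern: '$allowed_ip'."
  fi
  allow_users="AllowUsers *@${allowed_ip}"
else
  allow_users="# AllowUsers configuration not set"
fi

# Ask user if they want to change the SSH port
read -r -p "Do you want to change the SSH port? (yes/no): " change_port
if [[ "$change_port" == "yes" ]]; then
  read -r -p "Enter the new SSH port: " new_port
  # Must be a decimal number in the valid TCP port range. The 10# prefix
  # prevents bash from reading a leading zero as octal.
  if ! [[ "$new_port" =~ ^[0-9]+$ ]] || (( 10#$new_port < 1 || 10#$new_port > 65535 )); then
    die "Invalid port: '$new_port' (expected a number between 1 and 65535)."
  fi
  port_setting="Port $((10#$new_port))"
else
  port_setting="# Port configuration not changed"
fi

# Ask user if they want to use password or key-based authentication
read -r -p "Do you want to use password or key-based authentication? (password/key): " auth_method
case "$auth_method" in
  password)
    password_auth="PasswordAuthentication yes"
    key_auth="PubkeyAuthentication yes"
    ;;
  key)
    # sshd defaults PasswordAuthentication to "yes", so key-only access
    # requires the directive to be set explicitly (not left as a comment).
    password_auth="PasswordAuthentication no"
    key_auth="PubkeyAuthentication yes"
    ;;
  *)
    die "Unrecognised answer '$auth_method'; expected 'password' or 'key'."
    ;;
esac

# Build the new configuration in a temporary file next to the real one so it
# can be validated before anything touches the live sshd_config.
tmp_config=$(mktemp "${SSHD_CONFIG}.XXXXXX") || die "Could not create a temporary file in /etc/ssh."
cleanup() { rm -f -- "$tmp_config"; }
trap cleanup EXIT

cat <<EOL > "$tmp_config"
# Mozilla SSH Security Recommendations
Protocol 2
# Enable only secure ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Enable only secure key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Enable only secure MAC algorithms
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
# Authentication method based on user input
$password_auth
$key_auth
# Disable old host keys
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Restrict root access
PermitRootLogin no
# Strict connection policy
MaxAuthTries 3
LoginGraceTime 30
# Additional security recommendations
AllowTcpForwarding no
MaxSessions 2
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2
# IP restriction based on user input
$allow_users
# SSH port based on user input
$port_setting
EOL

# Validate the generated file; on failure the live configuration is untouched
# and the operator keeps a working daemon.
if ! sshd -t -f "$tmp_config"; then
  die "Generated configuration failed 'sshd -t'; $SSHD_CONFIG was left unchanged (backup: $BACKUP_FILE)."
fi

# Install the validated configuration. cp (rather than mv) keeps the existing
# ownership and mode of sshd_config.
cp -- "$tmp_config" "$SSHD_CONFIG" || die "Could not write $SSHD_CONFIG; restore from $BACKUP_FILE if needed."

# Restart the SSH service. Debian names the unit "ssh" (with an "sshd" alias
# only when enabled), other distributions use "sshd"; try both.
if ! systemctl restart ssh 2>/dev/null && ! systemctl restart sshd; then
  die "Failed to restart the SSH service; previous configuration is in $BACKUP_FILE."
fi

printf '%s\n' "SSH configuration has been updated and backed up to $BACKUP_FILE according to Mozilla's security recommendations."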