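#!/bin/bash
# =============================================================================
# SSH hardening module
#
# Prepares the root and /etc/skel ~/.ssh layouts, writes short key-management
# notes, replaces /etc/ssh/sshd_config with a hardened template and restarts
# the sshd service. Writes to /root and /etc, so it needs root privileges.
#
# Depends on common.sh (next to this file) for log_message, backup_file and
# BACKUP_DIR; none of those are defined here.
# =============================================================================

# Directory this module lives in, used to locate common.sh regardless of the
# caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Source common functions and variables. This used to be "./common.sh", which
# only resolved when the module was run from its own directory; every later
# log_message/backup_file call would then fail. Abort early instead.
# shellcheck source=common.sh
if ! source "$SCRIPT_DIR/common.sh"; then
  printf 'ERROR: cannot source %s\n' "$SCRIPT_DIR/common.sh" >&2
  exit 1
fi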
# Function to prepare root's .ssh directory, authorized_keys file and key-management note (no key pair is generated)
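create_root_ssh_keys() {
  # Prepare /root/.ssh and its authorized_keys with modes that satisfy sshd's
  # default StrictModes check (no group/world access), and write a short note
  # for administrators on how root's keys are managed. Despite the name, no
  # key pair is generated here: public keys must be added to authorized_keys
  # by the operator.
  #
  # Globals:   none written; uses backup_file and log_message from common.sh
  # Arguments: none
  # Outputs:   /root/root-ssh-keys-documentation.txt, progress via log_message
  # Returns:   0 on success, 1 if the directory, key file or note could not
  #            be written (previously these failures were ignored and the
  #            step still reported SUCCESS)
  local ssh_dir="/root/.ssh"
  local authorized_keys="$ssh_dir/authorized_keys"
  local ssh_key_doc="/root/root-ssh-keys-documentation.txt"

  # Create .ssh directory if it doesn't exist and lock it down.
  if ! mkdir -p "$ssh_dir" || ! chmod 700 "$ssh_dir"; then
    log_message "ERROR" "Could not create $ssh_dir with mode 700"
    return 1
  fi

  # Back up an existing authorized_keys, otherwise create an empty one.
  # The new file is created under umask 077 so there is no window in which
  # it exists with the process's default (possibly group/world readable) mode.
  if [[ -f "$authorized_keys" ]]; then
    backup_file "$authorized_keys"
  else
    ( umask 077 && : > "$authorized_keys" )
  fi

  if ! chmod 600 "$authorized_keys"; then
    log_message "ERROR" "Could not set mode 600 on $authorized_keys"
    return 1
  fi

  # Create documentation. The delimiter is deliberately unquoted: $ssh_dir
  # and $authorized_keys are expanded into the note.
  log_message "INFO" "Creating SSH key documentation for root user"

  cat > "$ssh_key_doc" << EOF || { log_message "ERROR" "Could not write $ssh_key_doc"; return 1; }
# Root SSH Keys Documentation
# 
# To add SSH public keys for root user, add them to the authorized_keys file:
# $authorized_keys
#
# Format:
# ssh-rsa AAAAB3NzaC1yc2EA... comment
#
# For security:
# - Key-based authentication is more secure than password-based authentication
# - Use strong, unique keys for each user or service
# - Regularly rotate SSH keys
# - Remove keys that are no longer needed
#
# Remember to maintain proper permissions:
# chmod 700 $ssh_dir
# chmod 600 $authorized_keys
EOF

  log_message "SUCCESS" "SSH key documentation for root user created at $ssh_key_doc"
}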
| 
 | |
# Function to seed /etc/skel with a .ssh directory, empty authorized_keys and key-management note for new users (no key pair is generated)
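create_non_root_ssh_keys() {
  # Seed /etc/skel so that accounts created afterwards (tools such as useradd
  # copy the skeleton into the new home) start with a correctly-permissioned,
  # empty ~/.ssh/authorized_keys, and drop a note into the skeleton explaining
  # how users manage their keys. No key pair is generated.
  #
  # NOTE(review): this only affects accounts created after it runs; existing
  # home directories are not touched.
  #
  # Globals:   none written; uses log_message from common.sh
  # Arguments: none
  # Outputs:   /etc/skel/.ssh/authorized_keys, /etc/skel/.ssh-documentation.txt,
  #            progress via log_message
  # Returns:   0 on success, 1 if the skeleton files could not be created
  #            (previously these failures were ignored and the step still
  #            reported SUCCESS)
  local skel_ssh_dir="/etc/skel/.ssh"
  local skel_authorized_keys="$skel_ssh_dir/authorized_keys"
  local ssh_key_doc="/etc/skel/.ssh-documentation.txt"

  # Create /etc/skel/.ssh directory with the mode sshd expects for ~/.ssh.
  if ! mkdir -p "$skel_ssh_dir" || ! chmod 700 "$skel_ssh_dir"; then
    log_message "ERROR" "Could not create $skel_ssh_dir with mode 700"
    return 1
  fi

  # Create the empty authorized_keys under umask 077 so it never briefly
  # exists with a wider mode than the chmod below sets.
  ( umask 077 && : > "$skel_authorized_keys" )
  if ! chmod 600 "$skel_authorized_keys"; then
    log_message "ERROR" "Could not set mode 600 on $skel_authorized_keys"
    return 1
  fi

  # Create documentation. The template is literal (paths are written as
  # ~/.ssh so they are correct in every copied home), hence the quoted
  # delimiter.
  log_message "INFO" "Creating SSH key documentation for non-root users"

  cat > "$ssh_key_doc" << 'EOF' || { log_message "ERROR" "Could not write $ssh_key_doc"; return 1; }
# User SSH Keys Documentation
#
# To add SSH public keys for this user, add them to the authorized_keys file:
# ~/.ssh/authorized_keys
#
# Format:
# ssh-rsa AAAAB3NzaC1yc2EA... comment
#
# For security:
# - Key-based authentication is more secure than password-based authentication
# - Use strong, unique keys for each user or service
# - Regularly rotate SSH keys
# - Remove keys that are no longer needed
#
# Remember to maintain proper permissions:
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/authorized_keys
EOF

  log_message "SUCCESS" "SSH key documentation for non-root users created at $ssh_key_doc"
}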
| 
 | |
| # Function to harden SSH configuration
 | |
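harden_ssh_config() {
  # Replace /etc/ssh/sshd_config with the hardened template below and restart
  # the service. The template is staged in a temp file and checked with
  # `sshd -t` BEFORE the live file is overwritten, so a template that sshd
  # rejects never reaches disk; if the restart still fails, the backup taken
  # by backup_file is restored and sshd restarted again so the host stays
  # reachable.
  #
  # Globals:   BACKUP_DIR (read) — root of the tree backup_file writes into.
  #            The backup is assumed to land at $BACKUP_DIR/etc/ssh/sshd_config,
  #            mirroring the original path (TODO confirm against common.sh).
  # Arguments: none
  # Outputs:   rewrites /etc/ssh/sshd_config, progress via log_message
  # Returns:   0 if the hardened config is live, 1 if it was rejected, could
  #            not be installed, or was rolled back
  #
  # NOTE(review): the template moves sshd to port 2222 and disables password
  # login. Before running this on a remote host make sure host and network
  # firewalls admit 2222 and that a public key is already in root's (or an
  # admin user's) authorized_keys, otherwise the session you are hardening
  # from may be the last one you get. The sftp-server path and the `sshd`
  # unit name match Debian/Ubuntu layouts; confirm both for other platforms.
  local ssh_config="/etc/ssh/sshd_config"
  local ssh_config_backup="$BACKUP_DIR/etc/ssh/sshd_config"
  local staged

  # Without BACKUP_DIR the revert path would copy $ssh_config onto itself and
  # silently leave a broken service behind.
  if [[ -z "${BACKUP_DIR:-}" ]]; then
    log_message "ERROR" "BACKUP_DIR is not set; refusing to rewrite $ssh_config without a backup"
    return 1
  fi

  # Backup current SSH configuration
  backup_file "$ssh_config"

  log_message "INFO" "Hardening SSH configuration"

  # Stage the new configuration so it can be validated before going live.
  # The delimiter is quoted: the template contains no shell expansions and is
  # written verbatim.
  staged=$(mktemp) || { log_message "ERROR" "mktemp failed"; return 1; }
  cat > "$staged" << 'EOF' || { log_message "ERROR" "Could not stage new sshd_config"; rm -f -- "$staged"; return 1; }
# SSH Server Configuration
# Hardened configuration from security script

# Basic SSH server settings
Port 2222
AddressFamily inet
ListenAddress 0.0.0.0

# Authentication settings
#AuthorizedKeysFile /root/.ssh/authorized_keys/%u
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# Security settings
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

# Hardening options
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 5
ClientAliveInterval 300
ClientAliveCountMax 3

# Disable weak crypto
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Logging
SyslogFacility AUTH
LogLevel VERBOSE
EOF

  # Syntax-check the staged file with the daemon itself. If sshd is not on
  # PATH we fall back to the old behaviour (install, then find out on
  # restart) and say so.
  if command -v sshd > /dev/null 2>&1; then
    if ! sshd -t -f "$staged"; then
      log_message "ERROR" "Hardened sshd_config failed 'sshd -t' validation; leaving $ssh_config unchanged"
      rm -f -- "$staged"
      return 1
    fi
  else
    log_message "WARNING" "sshd not found in PATH; skipping configuration validation"
  fi

  # cp into the existing file keeps its owner and mode, like the original
  # in-place truncation did.
  if ! cp -- "$staged" "$ssh_config"; then
    log_message "ERROR" "Could not write $ssh_config"
    rm -f -- "$staged"
    return 1
  fi
  rm -f -- "$staged"

  log_message "INFO" "Configured SSH to use port 2222 and disabled root password login"
  log_message "SUCCESS" "SSH configuration hardened"

  # Restart SSH service to apply changes
  log_message "INFO" "Restarting SSH service"
  if systemctl restart sshd; then
    log_message "SUCCESS" "SSH service restarted successfully"
    return 0
  fi

  log_message "ERROR" "Failed to restart SSH service"

  # Revert to backup. Only overwrite the live file if the backup is really
  # where we expect it; otherwise leave the hardened content in place and
  # make the situation obvious in the log.
  if [[ -f "$ssh_config_backup" ]]; then
    if cp -- "$ssh_config_backup" "$ssh_config" && systemctl restart sshd; then
      log_message "WARNING" "Reverted to original SSH configuration"
    else
      log_message "ERROR" "SSH service still not running after revert; inspect the sshd journal before disconnecting"
    fi
  else
    log_message "ERROR" "Backup $ssh_config_backup not found; $ssh_config left with the hardened content and sshd is down"
  fi
  return 1
}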
| 
 | |
| # Main execution for SSH hardening
 | |
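# Run the three steps in order and stop at the first one that reports
# failure: disabling password login in harden_ssh_config is only safe once
# the key locations exist, and a partial run must not be logged as SUCCESS.
# (As currently written the create_* functions end with log_message and so
# return its status; the chain behaves as before unless a step returns
# non-zero.)
if create_root_ssh_keys && create_non_root_ssh_keys && harden_ssh_config; then
  log_message "SUCCESS" "SSH hardening completed"
else
  log_message "ERROR" "SSH hardening did not complete; see the messages above"
fi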