Add Linux/SSH/README.md
This commit is contained in:
137
Linux/SSH/README.md
Normal file
137
Linux/SSH/README.md
Normal file
@@ -0,0 +1,137 @@
|
|||||||
|
# Erstellen einer sicheren SSH Anmeldung
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
SSH_CONFIG_DIR="/etc/ssh/sshd_config.d"
|
||||||
|
SSH_MAIN_CONFIG="/etc/ssh/sshd_config"
|
||||||
|
SSH_CONFIG_FILE="$SSH_CONFIG_DIR/secure.conf"
|
||||||
|
|
||||||
|
# Überprüfe und installiere sudo, falls nicht vorhanden
|
||||||
|
if ! command -v sudo &> /dev/null; then
|
||||||
|
echo "sudo ist nicht installiert. Versuche, sudo zu installieren..."
|
||||||
|
|
||||||
|
if command -v apt &> /dev/null; then
|
||||||
|
apt update && apt install -y sudo
|
||||||
|
elif command -v dnf &> /dev/null; then
|
||||||
|
dnf install -y sudo
|
||||||
|
elif command -v apk &> /dev/null; then
|
||||||
|
apk add sudo
|
||||||
|
else
|
||||||
|
echo "Nicht unterstütztes System. Bitte sudo manuell installieren."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "sudo ist bereits installiert."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Installiere OpenSSH-Server, falls nicht vorhanden
|
||||||
|
if ! command -v sshd &> /dev/null; then
|
||||||
|
echo "OpenSSH-Server wird installiert..."
|
||||||
|
|
||||||
|
if command -v apt &> /dev/null; then
|
||||||
|
sudo apt update && sudo apt install -y openssh-server
|
||||||
|
elif command -v dnf &> /dev/null; then
|
||||||
|
sudo dnf install -y openssh-server
|
||||||
|
elif command -v apk &> /dev/null; then
|
||||||
|
sudo apk add openssh
|
||||||
|
else
|
||||||
|
echo "Nicht unterstütztes System. Bitte OpenSSH manuell installieren."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "OpenSSH-Server ist bereits installiert."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# SSHD-Konfigurationsverzeichnis sicherstellen und alte Konfigs löschen
|
||||||
|
echo "Lösche bestehende Konfigurationen in $SSH_CONFIG_DIR ..."
|
||||||
|
sudo mkdir -p $SSH_CONFIG_DIR
|
||||||
|
sudo rm -f $SSH_CONFIG_DIR/*
|
||||||
|
|
||||||
|
# Haupt-sshd_config aufräumen und Include setzen
|
||||||
|
echo "Passe die Haupt-sshd_config an..."
|
||||||
|
|
||||||
|
sudo tee $SSH_MAIN_CONFIG > /dev/null <<EOL
|
||||||
|
# Minimale SSHD-Konfiguration
|
||||||
|
Include $SSH_CONFIG_DIR/*.conf
|
||||||
|
EOL
|
||||||
|
|
||||||
|
# Benutzer abfragen, die sich per SSH anmelden dürfen
|
||||||
|
read -p "Welche Benutzer dürfen sich per SSH anmelden? (Benutzer durch Leerzeichen trennen): " SSH_USERS
|
||||||
|
|
||||||
|
# Benutzer verifizieren
|
||||||
|
VALID_USERS=""
|
||||||
|
for user in $SSH_USERS; do
|
||||||
|
if id "$user" &>/dev/null; then
|
||||||
|
echo "Benutzer $user existiert."
|
||||||
|
VALID_USERS+="$user "
|
||||||
|
else
|
||||||
|
read -p "Benutzer $user existiert nicht. Soll dieser erstellt werden? (y/n): " CREATE_USER
|
||||||
|
if [ "$CREATE_USER" == "y" ]; then
|
||||||
|
sudo adduser $user
|
||||||
|
sudo passwd $user
|
||||||
|
sudo usermod -aG wheel $user
|
||||||
|
echo "Benutzer $user wurde erstellt und zur sudo-Gruppe hinzugefügt."
|
||||||
|
|
||||||
|
# SSH-Verzeichnis und authorized_keys erstellen
|
||||||
|
sudo mkdir -p /home/$user/.ssh
|
||||||
|
sudo touch /home/$user/.ssh/authorized_keys
|
||||||
|
sudo chown -R $user:$user /home/$user/.ssh
|
||||||
|
sudo chmod 700 /home/$user/.ssh
|
||||||
|
sudo chmod 600 /home/$user/.ssh/authorized_keys
|
||||||
|
|
||||||
|
read -p "Möchtest du einen SSH Public Key für $user hinzufügen? (y/n): " ADD_KEY
|
||||||
|
if [ "$ADD_KEY" == "y" ]; then
|
||||||
|
read -p "Füge den SSH Public Key hier ein: " SSH_KEY
|
||||||
|
echo "$SSH_KEY" | sudo tee -a /home/$user/.ssh/authorized_keys
|
||||||
|
fi
|
||||||
|
VALID_USERS+="$user "
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# SSH-Konfigurationsdatei erstellen
|
||||||
|
echo "Erstelle SSH-Konfigurationsdatei..."
|
||||||
|
|
||||||
|
sudo tee $SSH_CONFIG_FILE > /dev/null <<EOL
|
||||||
|
# SSH Config Datei mit max Security
|
||||||
|
|
||||||
|
# SSHD Config – Maximale Sicherheit (Nur IPv4)
|
||||||
|
|
||||||
|
AddressFamily inet
|
||||||
|
Port 22
|
||||||
|
Protocol 2
|
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||||
|
MACs hmac-sha2-512,hmac-sha2-256
|
||||||
|
|
||||||
|
SyslogFacility AUTHPRIV
|
||||||
|
LogLevel VERBOSE
|
||||||
|
|
||||||
|
LoginGraceTime 30s
|
||||||
|
PermitRootLogin no
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
PasswordAuthentication no
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
UsePAM yes
|
||||||
|
X11Forwarding no
|
||||||
|
PrintMotd no
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
|
|
||||||
|
ClientAliveInterval 300
|
||||||
|
ClientAliveCountMax 2
|
||||||
|
|
||||||
|
AllowUsers $VALID_USERS
|
||||||
|
EOL
|
||||||
|
|
||||||
|
# SSH-Konfigurationsprüfung und Neustart
|
||||||
|
echo "Prüfe SSH-Konfiguration..."
|
||||||
|
sudo sshd -t && sudo systemctl restart sshd && echo "SSH-Dienst erfolgreich neu gestartet."
|
||||||
|
|
||||||
|
echo "Setup abgeschlossen! Nur folgende Benutzer dürfen sich per SSH anmelden: $VALID_USERS"
|
||||||
|
```
|
||||||
Reference in New Issue
Block a user