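#!/usr/bin/env bash
# ──────────────────────────────────────────────────────────────────────────────
# Secure-SSH Hardened Setup (OpenSSH ≥9.x)
# ----------------------------------------
# ✦ Minimal defaults + explicit hardening
# ✦ Supports:
#   - user/group whitelisting (AllowGroups / DenyUsers)
#   - auto-logoff (ClientAlive idle timeouts)
#   - brute-force rate limiting (MaxAuthTries, MaxStartups, LoginGraceTime)
#   - no forwarding (agent / TCP / X11 / tunnel)
# ✦ Dynamic PAM handling (UsePAM only when PAM is present)
#
# Run as root or as a sudo-capable user. The script is interactive (it asks
# for the allowed group) and restarts sshd at the end, so run it from a
# console or keep a second session open in case the new policy locks the
# current user out.
# ──────────────────────────────────────────────────────────────────────────────

# Abort on unhandled errors, unset variables and failures inside pipelines:
# a half-applied sshd configuration is worse than a clean stop.
set -euo pipefail

printf "\033c" # Clear terminal

# ─── Configuration variables ─────────────────────────────────────────────────
readonly SSH_CONFIG_DIR="/etc/ssh/sshd_config.d"
readonly SSH_MAIN_CONFIG="/etc/ssh/sshd_config"
readonly SSH_CONFIG_FILE="$SSH_CONFIG_DIR/secure.conf"
# Default group name; the interactive prompt later overwrites this value.
SSH_GROUP="ssh-access"
readonly ED25519_KEY="/etc/ssh/ssh_host_ed25519_key"

# ─── ANSI colors ─────────────────────────────────────────────────────────────
# Kept as literal "\033[..m" strings: the escape is interpreted by the log
# helpers (echo -e / printf %b) at print time, not here.
readonly RED='\033[1;31m' GREEN='\033[1;32m' YELLOW='\033[1;33m' BLUE='\033[1;34m' WHITE='\033[1;37m' RESET='\033[0m'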
# log MESSAGE — print a green "[+]" progress line to stdout.
# %b expands the "\033[" colour escapes (and any escapes in MESSAGE) exactly
# like echo -e does.
log() {
  printf '%b\n' "${GREEN}[+] $1${RESET}"
}
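# warn MESSAGE — print a yellow "[!]" diagnostic.
# Goes to stderr so warnings never end up in captured stdout (x=$(...)) and
# are still visible when stdout is redirected; MESSAGE is printed verbatim
# (%s), so backslashes in paths are not reinterpreted.
warn() {
  printf '%b[!] %s%b\n' "$YELLOW" "$1" "$RESET" >&2
}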
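# error MESSAGE — print a red "[✗]" error line.
# Errors belong on stderr: callers that capture stdout or pipe the script's
# output must still see them. MESSAGE is printed verbatim (%s).
error() {
  printf '%b[✗] %s%b\n' "$RED" "$1" "$RESET" >&2
}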
# ─── Service Manager Detection ──────────────────────────────────────────────
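# detect_service_manager — print which init system is in charge:
# "systemd", "openrc" or "sysvinit".
# The presence of the systemctl binary is not enough: chroots, WSL1 and many
# containers ship systemctl while systemd is not PID 1, and a restart through
# it fails. /run/systemd/system exists only when systemd is actually running
# (the check used by sd_booted(3)), so both conditions are required.
detect_service_manager() {
  if [ -d /run/systemd/system ] && command -v systemctl &>/dev/null; then
    echo "systemd"
  elif command -v rc-service &>/dev/null; then
    echo "openrc"
  else
    # No recognised manager: assume classic /etc/init.d scripts.
    echo "sysvinit"
  fi
}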
# ─── SSH Service Handling ──────────────────────────────────────────────────
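# restart_ssh_service [NAME] — restart the SSH daemon so the new config is
# loaded.
# NAME is the unit/service to try first (defaults to "sshd"). Debian/Ubuntu
# name the unit "ssh" and only provide the "sshd" alias once the unit is
# enabled (not with socket activation), so both spellings are tried and only
# a unit that actually exists is restarted. Falls back to SIGHUP, which makes
# a running sshd re-read its configuration.
# Returns 0 on success, 1 if nothing worked.
# NOTE(review): a restart leaves existing sessions alive only when the unit
# uses KillMode=process (the distro defaults do) — confirm before running
# this over SSH on a non-standard unit.
restart_ssh_service() {
  local requested=${1:-sshd}
  local -a candidates=("$requested")
  local unit
  if [ "$requested" != "ssh" ]; then candidates+=("ssh"); fi
  if [ "$requested" != "sshd" ]; then candidates+=("sshd"); fi

  case "$(detect_service_manager)" in
    systemd)
      for unit in "${candidates[@]}"; do
        # `systemctl cat` fails for unknown units (and resolves aliases).
        sudo systemctl cat "$unit" &>/dev/null || continue
        sudo systemctl restart "$unit" && return 0
      done
      ;;
    openrc)
      for unit in "${candidates[@]}"; do
        [ -x "/etc/init.d/$unit" ] || continue
        sudo rc-service "$unit" restart && return 0
      done
      ;;
    sysvinit)
      for unit in "${candidates[@]}"; do
        [ -x "/etc/init.d/$unit" ] || continue
        sudo "/etc/init.d/$unit" restart && return 0
      done
      ;;
  esac

  # Last resort: no init-managed unit found, ask the daemon itself to reload.
  warn "No SSH service unit found; sending SIGHUP to sshd instead."
  sudo killall -HUP sshd 2>/dev/null && return 0

  error "Failed to restart SSH"
  return 1
}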
# ─── Package installation ───────────────────────────────────────────────────
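# install_package PKG — install PKG with whichever supported package manager
# is present (apt-get, dnf, yum, zypper, apk).
# PKG must be spelled as the distro names it; "sudo" and "openssh-server"
# are valid on all of the above.
# Package-manager output is only quietened, not discarded, so a failing
# install still shows its reason.
# Returns 0 on success, 1 if no package manager was found or the install
# failed.
install_package() {
  local pkg=$1
  local status=0
  warn "Installing $pkg..."
  if command -v apt-get &>/dev/null; then
    # apt-get has a stable scripting interface (`apt` warns against scripted
    # use); env(1) carries the frontend setting through sudo's env_reset.
    sudo env DEBIAN_FRONTEND=noninteractive apt-get update -qq \
      && sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "$pkg" \
      || status=1
  elif command -v dnf &>/dev/null; then
    sudo dnf install -y -q "$pkg" || status=1
  elif command -v yum &>/dev/null; then
    sudo yum install -y -q "$pkg" || status=1
  elif command -v zypper &>/dev/null; then
    sudo zypper --non-interactive --quiet install "$pkg" || status=1
  elif command -v apk &>/dev/null; then
    sudo apk add --quiet "$pkg" || status=1
  else
    error "Package manager not found. Install $pkg manually."
    return 1
  fi
  if [ "$status" -ne 0 ]; then
    error "Installation failed"
    return 1
  fi
  log "$pkg installed."
}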
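# ─── Main setup ────────────────────────────────────────────────────────────

# find_sshd — print the path of sshd. /usr/sbin is not on a non-root user's
# PATH on Debian, so the sbin directories are added for the lookup only.
find_sshd() {
  PATH="$PATH:/usr/local/sbin:/usr/sbin:/sbin" command -v sshd
}

# ensure_prerequisites — make sure privileged commands, sshd and the drop-in
# directory are available. Exits 1 when nothing can be done.
ensure_prerequisites() {
  if ! command -v sudo &>/dev/null; then
    if [ "$(id -u)" -eq 0 ]; then
      # Every privileged step is written as "sudo <cmd>". As root without
      # sudo a pass-through shim is the only option: installing sudo would
      # itself require sudo here.
      sudo() { "$@"; }
      warn "sudo not found; running as root, privileged commands run directly."
    else
      error "sudo is not installed and this script is not running as root."
      exit 1
    fi
  fi
  if ! find_sshd &>/dev/null; then
    install_package openssh-server || exit 1
  fi
  if [ ! -d "$SSH_CONFIG_DIR" ]; then
    sudo mkdir -p "$SSH_CONFIG_DIR" || { error "Cannot create $SSH_CONFIG_DIR"; exit 1; }
    log "Created $SSH_CONFIG_DIR"
  fi
}

# ensure_host_key — generate the Ed25519 host key if it does not exist.
# ssh-keygen already creates the private key 0600; the chmod is belt and
# braces. Because the generated config pins HostKey to this file, sshd will
# offer only this key — clients that know the host by its RSA/ECDSA key will
# be prompted for the new one.
ensure_host_key() {
  [ -f "$ED25519_KEY" ] && return 0
  warn "Generating Ed25519 host key..."
  if ! sudo ssh-keygen -t ed25519 -f "$ED25519_KEY" -N "" -q; then
    error "Host key generation failed"
    exit 1
  fi
  sudo chmod 600 "$ED25519_KEY"
  log "Host key generated."
}

# ask_allowed_group — read the group(s) allowed to log in into SSH_GROUP.
# Empty input means "no AllowGroups restriction" (the default value is
# replaced). Warns when a group does not exist or when the invoking user is
# not a member, since either means nobody / not you can log in afterwards.
ask_allowed_group() {
  # EOF on stdin (non-interactive run) is treated like an empty answer.
  read -rp $'\e[1;34mAllowed SSH group (leave empty if unused): \e[0m' SSH_GROUP || SSH_GROUP=""
  if [ -z "$SSH_GROUP" ]; then
    warn "No AllowGroups restriction: every local account with an authorized key may log in (root stays denied)."
    return 0
  fi
  local admin group
  admin=${SUDO_USER:-$(id -un)}
  # AllowGroups takes a space-separated list of patterns; check each word.
  # shellcheck disable=SC2086 -- intentional word splitting
  for group in $SSH_GROUP; do
    if ! { getent group "$group" >/dev/null 2>&1 || grep -q -- "^${group}:" /etc/group 2>/dev/null; }; then
      warn "Group '$group' does not exist; nobody can log in through it until it is created and populated."
    elif ! id -nG "$admin" 2>/dev/null | tr ' ' '\n' | grep -x -- "$group" >/dev/null; then
      warn "User '$admin' is not in group '$group'."
    fi
  done
}

# check_lockout_risk — before disabling passwords, make sure the invoking
# user has a public key installed; otherwise ask for confirmation.
# Assumes the default AuthorizedKeysFile location; a custom location in the
# main config would make this a false alarm, hence a prompt rather than an
# abort.
check_lockout_risk() {
  local admin home answer
  admin=${SUDO_USER:-$(id -un)}
  home=$(getent passwd "$admin" 2>/dev/null | cut -d: -f6) || home=""
  if [ -z "$home" ]; then
    home=$(awk -F: -v u="$admin" '$1 == u { print $6 }' /etc/passwd 2>/dev/null) || home=""
  fi
  if [ -n "$home" ] && sudo test -s "$home/.ssh/authorized_keys"; then
    return 0
  fi
  warn "No authorized_keys found for '$admin'; with PasswordAuthentication disabled this account cannot log in over SSH."
  read -rp $'\e[1;33mContinue anyway? [y/N] \e[0m' answer || answer=""
  case "$answer" in
    y|Y|yes|YES) ;;
    *) error "Aborting before writing the configuration."; exit 1 ;;
  esac
}

# write_hardened_config — (re)write the drop-in. An existing file is backed
# up first; the Include glob is *.conf, so the .bak copy is never loaded.
# AllowGroups is emitted only when a group was given — an empty
# "AllowGroups" line is invalid and would fail sshd -t.
write_hardened_config() {
  local allow_groups_line="# AllowGroups not set (no group restriction requested)"
  if [ -n "$SSH_GROUP" ]; then
    allow_groups_line="AllowGroups ${SSH_GROUP}"
  fi
  if [ -f "$SSH_CONFIG_FILE" ]; then
    sudo cp -p "$SSH_CONFIG_FILE" "$SSH_CONFIG_FILE.bak.$(date +%Y%m%d%H%M%S)" \
      || { error "Cannot back up $SSH_CONFIG_FILE"; exit 1; }
  fi
  warn "Generating hardened SSH config..."
  sudo tee "$SSH_CONFIG_FILE" >/dev/null <<EOF || { error "Cannot write $SSH_CONFIG_FILE"; exit 1; }
# ───────────────────────────────────────────────────────────────────────────
# Hardened SSH Config (generated $(date +%Y-%m-%d))
# OpenSSH ≥9.x | Auto-Logoff | Rate-Limiting | No Forwarding
# ───────────────────────────────────────────────────────────────────────────

# ─── Core Security ──────────────────────────────────────────────────────────
PermitRootLogin no
PermitEmptyPasswords no
HostKey $ED25519_KEY

# ─── Access Control ───────────────────────────────────────────────────────
${allow_groups_line}
DenyUsers root admin administrator

# ─── Authentication ───────────────────────────────────────────────────────
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

# ─── Session Hardening ────────────────────────────────────────────────────
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30s
MaxAuthTries 3
MaxSessions 5
MaxStartups 10:30:60

# ─── Network Restrictions ──────────────────────────────────────────────────
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
PermitTunnel no

# ─── Logging & Auditing ───────────────────────────────────────────────────
LogLevel VERBOSE
PrintLastLog yes
SyslogFacility AUTH
EOF
}

# ensure_include_directive — the drop-in only takes effect if the main
# config Includes the directory. sshd keeps the FIRST value it reads for a
# keyword, so the Include must precede any conflicting directive; a missing
# Include is therefore prepended (after a backup), never appended.
ensure_include_directive() {
  if sudo grep -qE "^[[:space:]]*Include[[:space:]]+${SSH_CONFIG_DIR}/" "$SSH_MAIN_CONFIG" 2>/dev/null; then
    return 0
  fi
  warn "$SSH_MAIN_CONFIG does not Include $SSH_CONFIG_DIR; prepending the directive."
  local stamp tmp
  stamp=$(date +%Y%m%d%H%M%S)
  sudo cp -p "$SSH_MAIN_CONFIG" "$SSH_MAIN_CONFIG.bak.$stamp" \
    || { error "Cannot back up $SSH_MAIN_CONFIG"; exit 1; }
  tmp=$(mktemp) || { error "mktemp failed"; exit 1; }
  {
    printf 'Include %s/*.conf\n\n' "$SSH_CONFIG_DIR"
    sudo cat "$SSH_MAIN_CONFIG"
  } >"$tmp" || { rm -f -- "$tmp"; error "Cannot read $SSH_MAIN_CONFIG"; exit 1; }
  # cp (not mv) keeps the owner and mode of the existing root-owned file.
  sudo cp "$tmp" "$SSH_MAIN_CONFIG" || { rm -f -- "$tmp"; error "Cannot update $SSH_MAIN_CONFIG"; exit 1; }
  rm -f -- "$tmp"
}

# enable_pam_if_available — append UsePAM/PrintMotd only when this sshd is
# built against libpam (an sshd without PAM support reports UsePAM as an
# unsupported option). `ldd` on the binary is the precise test; the library
# globs are a fallback for systems without ldd and replace the former
# whole-filesystem `find /`.
enable_pam_if_available() {
  [ -d /etc/pam.d ] || return 0
  local sshd_bin
  sshd_bin=$(find_sshd) || return 0
  # grep without -q so ldd is read to EOF (no SIGPIPE under pipefail).
  if ldd "$sshd_bin" 2>/dev/null | grep 'libpam\.so' >/dev/null \
     || compgen -G '/lib*/libpam.so*' >/dev/null \
     || compgen -G '/usr/lib*/libpam.so*' >/dev/null \
     || compgen -G '/usr/lib/*/libpam.so*' >/dev/null; then
    printf 'UsePAM yes\nPrintMotd no\n' | sudo tee -a "$SSH_CONFIG_FILE" >/dev/null \
      || { error "Cannot append PAM settings to $SSH_CONFIG_FILE"; exit 1; }
    log "PAM support enabled."
  fi
}

# apply_config — validate the full configuration (main file + Includes),
# restart sshd, then confirm the drop-in really won: if the main config set
# PasswordAuthentication before the Include, the first value wins and the
# hardening is silently ineffective.
apply_config() {
  sudo sshd -t || { error "Invalid SSH config. Fix errors before restarting."; exit 1; }
  local sshd_bin
  sshd_bin=$(find_sshd) || sshd_bin=sshd
  restart_ssh_service "$(basename "$sshd_bin")" || exit 1
  if ! sudo sshd -T 2>/dev/null | grep -i '^passwordauthentication no' >/dev/null; then
    warn "Effective config still allows password authentication — check the directive order in $SSH_MAIN_CONFIG."
  fi
}

# main — run the whole setup in order. Interactive; exits 1 on any failure.
main() {
  log "Starting Secure-SSH Setup..."
  ensure_prerequisites
  ensure_host_key
  ask_allowed_group
  check_lockout_risk
  write_hardened_config
  ensure_include_directive
  enable_pam_if_available
  apply_config

  log "Hardened SSH setup complete!"
  printf '\n%b→ Allowed Groups: %s%b\n' "$WHITE" "${SSH_GROUP:-(none)}" "$RESET"
  printf '%b→ Active settings:%b\n' "$WHITE" "$RESET"
  # grep exits 1 when nothing matches; that is not an error here.
  sudo sshd -T 2>/dev/null | grep -Ei "allowusers|allowgroups|permitroot|maxauthtries|clientalive|passwordauthentication" || true
}

main "$@"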