| -rw-r--r-- | harden.sh | 108 | 
1 files changed, 108 insertions, 0 deletions
diff --git a/harden.sh b/harden.sh
new file mode 100644
index 0000000..b47729a
--- /dev/null
+++ b/harden.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
+# https://github.com/stribika/stribika.github.io/wiki/Secure-Secure-Shell
+set -e
+
+SSHD_CONF_FILE="/etc/ssh/sshd_config"
+DATE="$(date -u --rfc-3339=seconds | sed 's/+00:00//' | tr ' ' '_' | tr '+:' '-')"
+
+test "${EUID}" -ne 0 && printf "%s\n" "run as root" && exit 1
+
+if ! command -v apt-get &>/dev/null; then
+    printf "%s\n" "[err] distro not debian-based"
+    exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+export DEBCONF_NOWARNINGS=yes
+
+printf "%s\n" "[inf] updating and installing packages"
+apt-get update -yqq && \
+    apt-get install --no-install-recommends -yqq unattended-upgrades tmux ufw && \
+    apt-get autoremove --purge -yqq snap snapd && \
+    apt-get clean && \
+    apt-get autoclean
+
+printf "%s\n" \
+    "[inf] installed unattended-upgrades, tmux, ufw" \
+    "[inf] removed snap, snapd"
+
+>/etc/issue
+>/etc/motd
+printf "%s\n" "[inf] cleared /etc/issue and /etc/motd"
+
+if test -d /etc/update-motd.d; then
+    chmod -x /etc/update-motd.d/*
+    printf "%s\n" "[inf] removed executable flag from /etc/update-motd.d/*"
+fi
+
+rm -f /etc/cron.deny
+rm -f /etc/at.deny
+touch /etc/cron.allow /etc/at.allow
+chown root:root /etc/cron.allow /etc/at.allow
+chmod 0600 /etc/cron.allow /etc/at.allow
+printf "%s\n" "[inf] enabled root-only cron"
+
+cp $SSHD_CONF_FILE{,.bak-$DATE}
+cat << EOF | shuf > "${SSHD_CONF_FILE}"
+Port                            22
+Banner                          /etc/issue
+UsePAM                          yes
+Protocol                        2
+Subsystem                       sftp /usr/libexec/openssh/sftp-server
+LogLevel                        verbose
+PrintMotd                       no
+AcceptEnv                       LANG LC_*
+MaxSessions                     5
+StrictModes                     yes
+Compression                     no
+MaxAuthTries                    3
+IgnoreRhosts                    yes
+PrintLastLog                    yes
+AddressFamily                   inet
+X11Forwarding                   no
+PermitRootLogin                 yes
+AllowTcpForwarding              no
+ClientAliveInterval             1200
+AllowAgentForwarding            no
+PermitEmptyPasswords            no
+ClientAliveCountMax             0
+GSSAPIAuthentication            no
+KerberosAuthentication          no
+#PasswordAuthentication          no
+IgnoreUserKnownHosts            yes
+PermitUserEnvironment           no
+ChallengeResponseAuthentication no
+MACs                            hmac-sha2-512,hmac-sha2-256
+Ciphers                         aes128-ctr,aes192-ctr,aes256-ctr
+#MACs                            hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+#Ciphers                         chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
+#KexAlgorithms                   curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#HostKey                         /etc/ssh/ssh_host_ed25519_key
+#HostKey                         /etc/ssh/ssh_host_rsa_key
+EOF
+
+(
+    cd /etc/ssh
+    rm ssh_host_*key*
+    ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
+    ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null
+    chmod 0600 /etc/ssh/ssh_host_*_key
+    chmod 0644 /etc/ssh/ssh_host_*_key.pub
+)
+
+sshd -t && systemctl restart sshd
+
+printf "%s\n" "[inf] hardened SSH configuration in /etc/ssh/sshd_config"
+
+dpkg-reconfigure --priority=low unattended-upgrades
+systemctl enable --now unattended-upgrades
+printf "%s\n" "[inf] enabled unattended-upgrades service"
+
+sed -i '/GRUB_CMDLINE_LINUX=/ s/\"$/ ipv6.disable=1\"/; s/\" /\"/' /etc/default/grub && update-grub
+printf "%s\n" "[inf] disabled ipv6 in /etc/default/grub"
+
+ufw allow 22/tcp
+ufw --force enable
+systemctl enable --now ufw
+printf "%s\n" "[inf] configured ufw to allow 22/tcp only"
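Review bot: `PermitRootLogin yes` in the sshd_config heredoc, together with `#PasswordAuthentication no` left commented out, keeps root password logins enabled on the port 22 that `ufw allow 22/tcp` opens, which contradicts both the linked stribika guide and the `[inf] hardened SSH configuration` message; change those two lines to `PermitRootLogin prohibit-password` (or `no`) and `PasswordAuthentication no`, after confirming an authorized key is in place for the admin account since the script only regenerates host keys. Piping the heredoc through `shuf` makes each run write a differently ordered file, and because sshd takes the first occurrence of a repeated keyword, any future duplicate directive or `Match` block would behave unpredictably, so writing the heredoc straight to `"${SSHD_CONF_FILE}"` is preferable. `ClientAliveCountMax 0` presumably disables idle-session termination rather than enforcing it on OpenSSH 8.2 and later, where a value of 0 turns termination off, so `ClientAliveCountMax 1` may be what is intended. The `Subsystem sftp /usr/libexec/openssh/sftp-server` path looks like the Red Hat location rather than Debian's `/usr/lib/openssh/sftp-server`, and `sshd -t` does not validate that the binary exists, so sftp would fail on first use despite the apt-get guard at the top of the file.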