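#!/bin/bash
# Harden a freshly provisioned Debian/Ubuntu host in one pass:
#   - base packages (unattended-upgrades, tmux, ufw), snap/snapd purged
#   - empty /etc/issue and /etc/motd, dynamic motd scripts disabled
#   - cron/at restricted to root via empty *.allow files
#   - a restricted sshd_config (backed up first, validated with `sshd -t`,
#     rolled back on failure) and freshly generated ed25519 + RSA host keys
#   - unattended-upgrades enabled, IPv6 disabled on the kernel command line,
#     ufw enabled with only the SSH port open
#
# Usage:   ./harden.sh            (must run as root)
# Env:     SSH_PORT - TCP port sshd listens on and ufw opens (default 22)
#
# Regenerating the host keys means every client that already knows this host
# will see a changed host key on its next connection.
#
# References:
#   https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
#   https://github.com/stribika/stribika.github.io/wiki/Secure-Secure-Shell
set -euo pipefail

readonly SSHD_CONF_FILE="/etc/ssh/sshd_config"
# Same shape as the former date|sed|tr pipeline: YYYY-MM-DD_HH-MM-SS in UTC.
DATE="$(date -u +%Y-%m-%d_%H-%M-%S)"
readonly DATE
SSH_PORT="${SSH_PORT:-22}"
readonly SSH_PORT

#######################################
# Print each argument on its own line to stdout.
#######################################
log() {
  printf '%s\n' "$@"
}

#######################################
# Print an error to stderr and abort the script with status 1.
#######################################
die() {
  printf '[err] %s\n' "$*" >&2
  exit 1
}

#######################################
# Refuse to run unless we are root on an apt-based distribution.
#######################################
require_root() {
  (( EUID == 0 )) || die "run as root"
  command -v apt-get >/dev/null 2>&1 || die "distro not debian-based"
}

#######################################
# Install the base tooling and purge snap. Every step is fatal under set -e;
# the previous `a && b && c` chain let a mid-chain failure pass silently.
#######################################
install_packages() {
  export DEBIAN_FRONTEND=noninteractive
  export DEBCONF_NOWARNINGS=yes
  log "[inf] updating and installing packages"
  apt-get update -yqq
  apt-get install --no-install-recommends -yqq unattended-upgrades tmux ufw
  apt-get autoremove --purge -yqq snap snapd
  apt-get clean
  apt-get autoclean
  log "[inf] installed unattended-upgrades, tmux, ufw" \
    "[inf] removed snap, snapd"
}

#######################################
# Empty the pre-/post-login banners and stop the dynamic motd scripts.
#######################################
silence_login_banners() {
  : >/etc/issue
  : >/etc/motd
  log "[inf] cleared /etc/issue and /etc/motd"
  if [[ -d /etc/update-motd.d ]]; then
    # find instead of a glob: an empty directory must not abort the script.
    find /etc/update-motd.d -maxdepth 1 -type f -exec chmod -x -- {} +
    log "[inf] removed executable flag from /etc/update-motd.d/*"
  fi
}

#######################################
# Replace the deny lists with empty, root-owned allow lists so that no
# unprivileged user can schedule cron or at jobs.
#######################################
restrict_cron_to_root() {
  rm -f -- /etc/cron.deny /etc/at.deny
  touch /etc/cron.allow /etc/at.allow
  chown root:root /etc/cron.allow /etc/at.allow
  chmod 0600 /etc/cron.allow /etc/at.allow
  log "[inf] enabled root-only cron"
}

#######################################
# Write the hardened sshd_config. The directives are written in a fixed order
# (the previous version piped them through `shuf`) so that a diff against the
# backup is meaningful; sshd does not care about the order of these global
# directives, but a stable file is auditable.
# Globals: SSHD_CONF_FILE, SSH_PORT, DATE (read)
#######################################
write_sshd_config() {
  cat >"${SSHD_CONF_FILE}" <<EOF
# Generated by the hardening script on ${DATE} (UTC).
# The previous configuration was saved as ${SSHD_CONF_FILE}.bak-${DATE}.
Port ${SSH_PORT}
Banner /etc/issue
UsePAM yes
Protocol 2
# In-process SFTP server: the external sftp-server binary lives under a
# distribution-specific path, so this avoids guessing it.
Subsystem sftp internal-sftp
LogLevel verbose
PrintMotd no
AcceptEnv LANG LC_*
MaxSessions 5
StrictModes yes
Compression no
MaxAuthTries 3
IgnoreRhosts yes
PrintLastLog yes
AddressFamily inet
X11Forwarding no
# NOTE: root login stays enabled and PasswordAuthentication is left at its
# default so a freshly provisioned host remains reachable. Once a key is
# installed, switch to 'PermitRootLogin prohibit-password' and
# 'PasswordAuthentication no' as the referenced guide recommends.
PermitRootLogin yes
AllowTcpForwarding no
ClientAliveInterval 1200
AllowAgentForwarding no
PermitEmptyPasswords no
# NOTE(review): recent OpenSSH releases treat a count of 0 as "never
# terminate" rather than "terminate after the first missed reply"; confirm
# the intended idle-session behaviour on the target release.
ClientAliveCountMax 0
GSSAPIAuthentication no
KerberosAuthentication no
#PasswordAuthentication no
IgnoreUserKnownHosts yes
PermitUserEnvironment no
ChallengeResponseAuthentication no
MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
#HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_rsa_key
EOF
}

#######################################
# Delete every existing host key and generate a fresh ed25519 and 4096-bit
# RSA pair with the expected permissions. Runs in a subshell so the cd does
# not leak into the caller.
#######################################
regenerate_host_keys() {
  (
    cd /etc/ssh
    # -f: a host with no key files yet must not abort the script.
    rm -f -- ssh_host_*key*
    ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" </dev/null
    ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" </dev/null
    chmod 0600 ssh_host_*_key
    chmod 0644 ssh_host_*_key.pub
  )
}

#######################################
# Back up sshd_config, install the hardened one, regenerate host keys, then
# validate with `sshd -t` before restarting. A rejected config is rolled back
# and the script aborts instead of reporting success with an untouched daemon.
# Globals: SSHD_CONF_FILE, DATE (read)
#######################################
harden_sshd() {
  local backup="${SSHD_CONF_FILE}.bak-${DATE}"
  cp -- "${SSHD_CONF_FILE}" "${backup}"
  write_sshd_config
  regenerate_host_keys
  if ! sshd -t; then
    cp -- "${backup}" "${SSHD_CONF_FILE}"
    die "new ${SSHD_CONF_FILE} rejected by 'sshd -t'; restored ${backup}" \
      "(host keys were already regenerated)"
  fi
  systemctl restart sshd
  log "[inf] hardened SSH configuration in ${SSHD_CONF_FILE}"
}

#######################################
# Turn on automatic security updates.
#######################################
enable_unattended_upgrades() {
  dpkg-reconfigure --priority=low unattended-upgrades
  systemctl enable --now unattended-upgrades
  log "[inf] enabled unattended-upgrades service"
}

#######################################
# Add ipv6.disable=1 to GRUB_CMDLINE_LINUX and regenerate the grub config.
# Idempotent: a second run does not append the flag again, and a host
# without /etc/default/grub is skipped with a warning instead of aborting.
#######################################
disable_ipv6_in_grub() {
  local grub_default="/etc/default/grub"
  if [[ ! -f "${grub_default}" ]]; then
    log "[wrn] ${grub_default} not found, skipping ipv6.disable=1"
    return 0
  fi
  if ! grep -q 'ipv6\.disable=1' -- "${grub_default}"; then
    if grep -q '^GRUB_CMDLINE_LINUX=' -- "${grub_default}"; then
      # Append inside the closing quote; the second substitution removes the
      # leading space left behind when the original value was empty ("").
      sed -i '/^GRUB_CMDLINE_LINUX=/ { s/"$/ ipv6.disable=1"/; s/" /"/; }' \
        -- "${grub_default}"
    else
      printf 'GRUB_CMDLINE_LINUX="ipv6.disable=1"\n' >>"${grub_default}"
    fi
  fi
  update-grub
  log "[inf] disabled ipv6 in ${grub_default}"
}

#######################################
# Enable ufw with its default deny-incoming policy and only the SSH port open.
# Globals: SSH_PORT (read)
#######################################
configure_ufw() {
  ufw allow "${SSH_PORT}/tcp"
  ufw --force enable
  systemctl enable --now ufw
  log "[inf] configured ufw to allow ${SSH_PORT}/tcp only"
}

#######################################
# Run the hardening steps in the same order as before: packages first, ufw
# last so the firewall only comes up once sshd is confirmed working.
#######################################
main() {
  require_root
  install_packages
  silence_login_banners
  restrict_cron_to_root
  harden_sshd
  enable_unattended_upgrades
  disable_ipv6_in_grub
  configure_ufw
}

main "$@"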