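#!/usr/bin/env bash
# Installs the keys4user AuthorizedKeysCommand helper, wires it into
# sshd_config, and optionally hardens sshd and installs fail2ban.
#
# Usage: install [-h] [-f]
#   -h  skip the SSH hardening step (this is NOT a help flag)
#   -f  skip the fail2ban installation
#
# Writes under /root (or /usr/local on macOS), edits /etc/ssh/sshd_config and
# chowns files to root, so it is meant to be run as root.
INSTALL_DIR=/root
FAIL2BAN_SSH_PATH=/etc/fail2ban/jail.d/ssh.local
if [[ "$(uname)" == 'Darwin' ]]; then
  # /root is not available on Mac OS
  INSTALL_DIR=/usr/local
fi
SCRIPT_NAME=keys4user
INSTALL_PATH=$INSTALL_DIR/$SCRIPT_NAME
SSHD_CONF=/etc/ssh/sshd_config
SSH_HARDENING=1   # 1 = run install_SSH_hardening; cleared by -h
FAIL2BAN=1        # 1 = run install_fail2ban (Linux only); cleared by -f
while getopts ":hf" OPTION; do
  case "$OPTION" in
    h) SSH_HARDENING=0 ;;
    f) FAIL2BAN=0 ;;
    \?)
      # Unknown option. Exit statuses are taken modulo 256, so the original
      # 'exit 999' really returned 231; 2 is the conventional usage-error code.
      printf 'Unknown option: -%s\nUsage: %s [-h] [-f]\n' "$OPTARG" "${0##*/}" >&2
      exit 2
      ;;
  esac
done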
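# Source of the keys4user helper that sshd will run as its AuthorizedKeysCommand.
# The heredoc delimiter is quoted, so nothing below is expanded at install time.
# 'read -d ""' returns 1 when it hits EOF without a NUL; the variable is still
# assigned, and the script does not run under 'set -e', so that is harmless.
read -r -d '' KEYS4USER <<'EOF'
#!/usr/bin/env bash
# keys4user: AuthorizedKeysCommand helper.
# $1 is the login name sshd is authenticating. Reads one URL per line from
# ~user/.ssh/key_locations, fetches each one and prints the concatenated keys
# on stdout. The result is cached in ~user/.ssh/key_locations.cache, which is
# served instead when a download fails.
USER_NAME=$1
# Accept only a plain account name: the value arrives from the network-facing
# sshd and is used to build paths and, on macOS, goes through eval.
[[ "$USER_NAME" =~ ^[A-Za-z0-9._-]+$ ]] || exit 8
if command -v getent > /dev/null 2>&1
then
  HOME_DIR=$(getent passwd "$USER_NAME" | cut -d: -f6)
else
  # macOS has no getent; the name is already restricted to safe characters.
  HOME_DIR=$(eval echo "~$USER_NAME")
fi
[ -n "$HOME_DIR" ] || exit 8
SSH_DIR=$HOME_DIR/.ssh
KEY_LOC=$SSH_DIR/key_locations
CACHE=$KEY_LOC.cache
AUTH_KEYS=""
# Downloader as an argv array; https is enforced for redirects as well.
if command -v curl > /dev/null 2>&1
then
  DOWNLOAD=(curl -sfL --proto =https --proto-redir =https)
elif command -v wget > /dev/null 2>&1
then
  DOWNLOAD=(wget -q --https-only -O -)
else
  # stdout is parsed by sshd as keys, so diagnostics go to stderr.
  printf "Neither curl or wget found in path. Exiting.\n" >&2
  exit 9
fi
if [ -e "$KEY_LOC" ]
then
  # key_locations is writable by the user but fetched by root: only https://
  # URLs are honoured, so the file cannot steer the fetcher at local paths or
  # unauthenticated transports.
  while IFS= read -r URL || [ -n "$URL" ]
  do
    [ -n "$URL" ] || continue
    case "$URL" in
      https://*) ;;
      *)
        printf 'keys4user: ignoring non-https URL in %s\n' "$KEY_LOC" >&2
        continue
        ;;
    esac
    if ! KEY=$("${DOWNLOAD[@]}" "$URL")
    then
      # Download failed: fall back to the last good result, if any.
      cat "$CACHE"
      exit $?
    fi
    AUTH_KEYS+="$KEY"$'\n'
  done < "$KEY_LOC"
fi
if [ -n "$AUTH_KEYS" ]
then
  touch "$CACHE"
  chown "$USER_NAME:$USER_NAME" "$CACHE"
  chmod 0644 "$CACHE"
  # '%s' rather than a bare format string: key comments may contain '%'.
  printf '%s' "$AUTH_KEYS" | tee "$CACHE"
fi
EOF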
# fail2ban jail that install_fail2ban writes to $FAIL2BAN_SSH_PATH: after
# maxretry (3) failed sshd logins the source is banned for bantime (900) seconds.
# NOTE(review): logpath assumes a syslog daemon writing /var/log/auth.log —
# confirm on journald-only hosts.
SSH_JAIL_CONF=$(cat <<'EOF'
[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 3
bantime = 900
EOF
)
#######################################
# printf wrapped in the terminal's bold attribute.
# Arguments: a printf format string followed by its values
# Outputs:   the formatted text on stdout (tput writes nothing usable when
#            TERM is unset, but the text still goes out)
# Returns:   the status of the closing 'tput sgr0'
#######################################
printf_bold () {
  local fmt=$1
  shift
  tput bold
  # Callers pass a trusted literal format string, never user data.
  # shellcheck disable=SC2059
  printf "$fmt" "$@"
  tput sgr0
}
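#######################################
# In-place sed for both GNU sed (-i takes an optional suffix) and BSD/macOS
# sed (-i takes a mandatory, possibly empty, suffix argument).
# Arguments: the sed expression(s) and file(s), as for 'sed -i'
# Returns:   sed's exit status
#######################################
sedi () {
  # The original 'gnu_check && (gnu_form || bsd_form)' never reached the BSD
  # form on macOS, because the failing 'sed --version' short-circuited '&&'.
  if sed --version >/dev/null 2>&1; then
    sed -i -- "$@"
  else
    sed -i '' "$@"
  fi
}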
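#######################################
# Ensure an sshd_config option is set to the wanted value.
# Arguments: $1 - config file path
#            $2 - option name (e.g. Ciphers)
#            $3 - wanted value (matched as a regex prefix of the line)
#            $4 - non-empty to allow several lines of this option (HostKey);
#                 when empty, existing lines for the option are commented out
# Outputs:   appends "$2 $3" to $1 when no such line exists
# Returns:   the status of the last command run
#######################################
modify_config () {
  local conf=$1 option=$2 value=$3 allow_multiple=$4
  # Bug fixed: the sed and the append used $SSHD_CONF instead of $1.
  if ! grep -q -- "^$option $value" "$conf"; then
    if [ -z "$allow_multiple" ]; then
      # Comment out every active line for this option so the appended value
      # is the only one sshd sees. The option is matched as a whole word so
      # that e.g. "HostKey" does not also hit "HostKeyAlgorithms".
      sedi "/^$option[[:space:]]/ s/^#*/#/" "$conf"
    fi
    printf '%s %s\n' "$option" "$value" >> "$conf"
  fi
}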
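#######################################
# Write the keys4user helper to $INSTALL_PATH as a root-owned 0755 executable.
# Globals:   SCRIPT_NAME, INSTALL_PATH, KEYS4USER (read)
# Returns:   exits 1-4 on failure of the respective step
#######################################
install_script () {
  printf_bold 'Installing %s to %s...\n' "$SCRIPT_NAME" "$INSTALL_PATH"
  touch -- "$INSTALL_PATH" || exit 1
  # sshd only runs an AuthorizedKeysCommand that is owned by root and not
  # writable by group or others, so ownership and mode matter, not just content.
  chown root "$INSTALL_PATH" || exit 2
  chmod 0755 -- "$INSTALL_PATH" || exit 3
  printf '%s\n' "$KEYS4USER" > "$INSTALL_PATH" || exit 4
}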
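#######################################
# Point sshd at the installed helper. Each directive is appended only when no
# active (uncommented) line for it exists; an existing line, even one pointing
# elsewhere, is left alone, and since sshd keeps the first value it reads, a
# conflicting earlier setting silently wins over anything appended here.
# Globals:   SSHD_CONF, INSTALL_PATH (read)
# Returns:   exits 11/12 if the respective append fails
#######################################
install_SSH_config () {
  printf_bold 'Installing required config to %s...\n' "$SSHD_CONF"
  # Anchor the directive name followed by whitespace: the original
  # grep "AuthorizedKeysCommand" also matched AuthorizedKeysCommandUser, so an
  # existing AuthorizedKeysCommandUser line suppressed this append entirely.
  if ! grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]' "$SSHD_CONF"; then
    printf '\n\nAuthorizedKeysCommand %s\n' "$INSTALL_PATH" >> "$SSHD_CONF" || exit 11
  fi
  # NOTE(review): the helper runs as root; a dedicated unprivileged
  # AuthorizedKeysCommandUser would limit its blast radius, but the cache
  # chown in keys4user would have to change first.
  if ! grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]' "$SSHD_CONF"; then
    printf 'AuthorizedKeysCommandUser root\n' >> "$SSHD_CONF" || exit 12
  fi
}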
#######################################
# Apply the hardened sshd settings (protocol, host keys, KEX, ciphers, MACs)
# through modify_config.
# Globals:   SSHD_CONF (read)
#######################################
install_SSH_hardening () {
  local -r conf=$SSHD_CONF
  printf_bold 'Hardening SSH config in %s...\n' "$conf"
  # NOTE(review): current OpenSSH releases treat 'Protocol' as deprecated
  # (SSH-1 is gone); it is kept for older daemons and is otherwise a no-op.
  modify_config "$conf" Protocol 2
  # Two host keys are wanted side by side, hence the "allow multiple" flag.
  modify_config "$conf" HostKey /etc/ssh/ssh_host_ed25519_key 1
  modify_config "$conf" HostKey /etc/ssh/ssh_host_rsa_key 1
  modify_config "$conf" KexAlgorithms \
    curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  modify_config "$conf" Ciphers \
    chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  modify_config "$conf" MACs \
    hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
}
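#######################################
# Install fail2ban via apt and drop the ssh jail into $FAIL2BAN_SSH_PATH.
# Globals:   FAIL2BAN_SSH_PATH, SSH_JAIL_CONF (read)
# Returns:   exits with apt-get's status, or 31-34 on file setup failure
#######################################
install_fail2ban () {
  printf_bold 'Installing fail2ban...\n'
  apt-get update -y || exit $?
  apt-get install fail2ban -y || exit $?
  touch -- "$FAIL2BAN_SSH_PATH" || exit 31
  chown root "$FAIL2BAN_SSH_PATH" || exit 32
  # A jail definition is data, not a program: 0644 instead of the original 0755.
  chmod 0644 -- "$FAIL2BAN_SSH_PATH" || exit 33
  printf '%s\n' "$SSH_JAIL_CONF" > "$FAIL2BAN_SSH_PATH" || exit 34
}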
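#######################################
# Validate the sshd configuration, then reload the service.
# A reload with a broken sshd_config could leave sshd unable to accept new
# logins while the current session keeps working, so fail before reloading.
# Returns:   exits 40 if 'sshd -t' rejects the config, 41 if the reload fails
#######################################
reload_SSH () {
  printf_bold 'Reloading SSH...\n'
  if command -v sshd >/dev/null 2>&1; then
    sshd -t || exit 40
  fi
  # The unit is 'ssh' on Debian/Ubuntu and 'sshd' on most other distributions.
  systemctl reload ssh 2>/dev/null || systemctl reload sshd || exit 41
}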
#######################################
# Main flow: install the helper, wire it into sshd, then run the optional
# hardening and fail2ban steps and reload sshd on Linux.
# Globals:   SSH_HARDENING, FAIL2BAN (read; cleared by the -h/-f flags)
#######################################
install () {
  local os
  os=$(uname)
  install_script
  install_SSH_config
  if [[ "$SSH_HARDENING" -gt 0 ]]; then
    install_SSH_hardening
  fi
  # fail2ban comes from apt and the reload uses systemctl, so both steps are
  # skipped on macOS.
  if [[ "$os" != 'Darwin' ]]; then
    if [[ "$FAIL2BAN" -gt 0 ]]; then
      install_fail2ban
    fi
    reload_SSH
  fi
}
# Entry point. install takes no arguments, so nothing from "$@" is forwarded;
# the -h/-f flags were already consumed by getopts above.
install